Wifi client's ports not available/available at random

Hi,

I have a strange problem when accessing TCP (and not only TCP) server ports on Wi-Fi clients (e.g. a 3D printer connected over Wi-Fi, or a service exposed on a laptop connected over Wi-Fi) from other Wi-Fi-connected clients.

There is no problem when accessing the services from the LAN (or from the router itself), and there is no problem when connecting to LAN-connected servers.

It started with v7, but I thought it was a bad implementation on the 3D printer. Now that I have started using more Raspberry Pis connected over Wi-Fi, I have realised that I have problems connecting to those machines as well (sometimes, in fact most of the time).

There is no problem connecting when tunneling over the router (Turris Omnia).

I don't know how to investigate or troubleshoot this.

firewall

# NOTE(review): this listing is headed "firewall", but every section in it
# (interface, globals, device, route, wireguard_*) is a network section and it
# matches the "network:" listing further down line for line. No firewall zones,
# forwardings or rules are shown, so nothing about inter-zone filtering can be
# concluded from this page.
config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'
	option ula_prefix 'fd7c:1b31:03c5::/48'

# Main LAN: router is 192.168.33.1/24 on the br-lan bridge.
config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	# Turris-specific option; meaning not visible here (TODO confirm).
	option _turris_mode 'managed'
	option ipaddr '192.168.33.1'
	option device 'br-lan'

# Upstream link via DHCP on eth2.102 (device name suggests VLAN 102 on eth2).
config interface 'wan'
	option proto 'dhcp'
	option device 'eth2.102'
	option ipv6 '1'
	list dns '193.17.47.1'
	list dns '185.43.135.1'
	# peerdns '0': DNS servers offered by the upstream DHCP server are ignored;
	# only the two resolvers listed above are used.
	option peerdns '0'

config interface 'wan6'
	option proto 'dhcpv6'
	option device '@wan'
	option reqaddress 'try'
	option reqprefix 'auto'

# Guest network on its own subnet (10.111.222.0/24) and its own bridge.
config interface 'guest_turris'
	option enabled '1'
	option proto 'static'
	option ipaddr '10.111.222.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option device 'br-guest-turris'

# WireGuard interface that listens on port 1234.
config interface 'wg0'
	option proto 'wireguard'
	# Private key is blanked in this paste; it must stay out of anything shared.
	option private_key ''
	option listen_port '1234'
	list addresses '10.2.3.1/24'

# Single peer on wg0, restricted to one tunnel address (/32).
config wireguard_wg0
	option persistent_keepalive '25'
	list allowed_ips '10.2.3.2/32'
	option description 'macbook'
	# A peer public key is not secret, but it does identify the peer.
	option public_key 'ULJDofe8izd8eNdfQ/JoPCDFP3JP3silh6TwJnvuOAE='

# proto 'none': the router assigns no address to tun_turris itself.
# Presumably the device is created by a VPN daemon (TODO confirm).
config interface 'vpn_turris'
	option enabled '1'
	option proto 'none'
	option auto '1'
	option device 'tun_turris'

# Second WireGuard interface; no listen_port is set here.
config interface 'wg1'
	option proto 'wireguard'
	list addresses '10.250.11.2/24'
	# Blanked in this paste, as for wg0.
	option private_key ''

# wg1 peer: remote endpoint, with only 10.250.11.0/24 accepted through the tunnel.
config wireguard_wg1
	option persistent_keepalive '25'
	option public_key '+2CX87R/WXxw6i/cw4a9YAaImGZiofOEBYqVbOUtuQI='
	option endpoint_host 'vpn.dratar.cz'
	list allowed_ips '10.250.11.0/24'

# LAN bridge over the five wired ports; bridge_empty '1' brings the bridge up
# even when no port is attached.
config device 'br_lan'
	option name 'br-lan'
	option bridge_empty '1'
	list ports 'lan0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option type 'bridge'

# Guest bridge has no wired ports listed.
config device 'br_guest_turris'
	option bridge_empty '1'
	option type 'bridge'
	option name 'br-guest-turris'

# Static route: 192.168.135.0/24 is reached through the LAN host 192.168.33.149,
# so that host forwards all traffic for that subnet.
config route
	option netmask '255.255.255.0'
	option interface 'lan'
	option target '192.168.135.0'
	option gateway '192.168.33.149'

config device 'dev_wan'
	option name 'eth2.102'

network:

# Network configuration of the router: interfaces, bridges and one static route.
config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

# IPv6 unique-local prefix used for internal addressing.
config globals 'globals'
	option ula_prefix 'fd7c:1b31:03c5::/48'

# Main LAN, 192.168.33.1/24 on br-lan. The non-guest Wi-Fi interfaces in the
# wireless listing reference this network by name ('lan').
config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	# Turris-specific option; semantics not shown on this page (TODO confirm).
	option _turris_mode 'managed'
	option ipaddr '192.168.33.1'
	option device 'br-lan'

# WAN over DHCP; upstream-supplied DNS servers are ignored (peerdns '0') in
# favour of the two listed resolvers.
config interface 'wan'
	option proto 'dhcp'
	option device 'eth2.102'
	option ipv6 '1'
	list dns '193.17.47.1'
	list dns '185.43.135.1'
	option peerdns '0'

# IPv6 on the same device as 'wan' ('@wan' is an alias for it).
config interface 'wan6'
	option proto 'dhcpv6'
	option device '@wan'
	option reqaddress 'try'
	option reqprefix 'auto'

# Guest subnet 10.111.222.0/24 on a separate bridge. Whether it is kept apart
# from 'lan' depends on firewall zones, which this page does not show.
config interface 'guest_turris'
	option enabled '1'
	option proto 'static'
	option ipaddr '10.111.222.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option device 'br-guest-turris'

# WireGuard interface listening on port 1234; private key redacted by the poster.
config interface 'wg0'
	option proto 'wireguard'
	option private_key ''
	option listen_port '1234'
	list addresses '10.2.3.1/24'

# The only wg0 peer; allowed_ips limits it to the single address 10.2.3.2.
config wireguard_wg0
	option persistent_keepalive '25'
	list allowed_ips '10.2.3.2/32'
	option description 'macbook'
	option public_key 'ULJDofe8izd8eNdfQ/JoPCDFP3JP3silh6TwJnvuOAE='

# Unmanaged interface (proto 'none') bound to tun_turris.
config interface 'vpn_turris'
	option enabled '1'
	option proto 'none'
	option auto '1'
	option device 'tun_turris'

# Second WireGuard interface with address 10.250.11.2/24; private key redacted.
config interface 'wg1'
	option proto 'wireguard'
	list addresses '10.250.11.2/24'
	option private_key ''

# wg1 peer reached at vpn.dratar.cz; only 10.250.11.0/24 is routed into and
# accepted from this tunnel.
config wireguard_wg1
	option persistent_keepalive '25'
	option public_key '+2CX87R/WXxw6i/cw4a9YAaImGZiofOEBYqVbOUtuQI='
	option endpoint_host 'vpn.dratar.cz'
	list allowed_ips '10.250.11.0/24'

# Bridge joining the wired LAN ports lan0..lan4.
config device 'br_lan'
	option name 'br-lan'
	option bridge_empty '1'
	list ports 'lan0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option type 'bridge'

# Guest bridge; no wired ports are members.
config device 'br_guest_turris'
	option bridge_empty '1'
	option type 'bridge'
	option name 'br-guest-turris'

# 192.168.135.0/24 is routed via 192.168.33.149, a host inside the LAN.
config route
	option netmask '255.255.255.0'
	option interface 'lan'
	option target '192.168.135.0'
	option gateway '192.168.33.149'

config device 'dev_wan'
	option name 'eth2.102'

wireless:

# Wireless configuration: three radios, each carrying one AP bridged to 'lan'
# and one guest AP on 'guest_turris'.
# radio0: 5 GHz (hwmode '11a'), 80 MHz VHT, fixed channel 64.
# NOTE(review): channel 64 is in the 5 GHz DFS range, and radio2 below is set
# to the same channel. Worth checking the logs for radar or channel-switch
# events when chasing intermittent connectivity.
config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11a'
	option macaddr 'xxx'
	option htmode 'VHT80'
	option disabled '0'
	option country 'CZ'
	option channel '64'

# Main AP on radio0, attached to the 'lan' network.
# 'isolate' is not set, so this listing requests no client isolation here.
config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option disabled '0'
	option ssid 'Pacakovi'
	# WPA2-PSK with CCMP only.
	option encryption 'psk2+ccmp'
	# Group key is renewed every 86400 seconds (24 h).
	option wpa_group_rekey '86400'
	# Passphrase redacted by the poster.
	option key 'xxx'
	option hidden '0'

# radio1: 2.4 GHz, 20 MHz, fixed channel 7.
config wifi-device 'radio1'
	option type 'mac80211'
	option macaddr 'xxx'
	option htmode 'HT20'
	option disabled '0'
	option country 'CZ'
	option band '2g'
	option channel '7'

# Main AP on radio1, with the same SSID and security settings as on radio0.
config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option disabled '0'
	option ssid 'Pacakovi'
	option encryption 'psk2+ccmp'
	option wpa_group_rekey '86400'
	option key 'xxx'
	option hidden '0'

# Guest AP on radio0, attached to 'guest_turris'.
config wifi-iface 'guest_iface_0'
	option disabled '0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Pacakovi-guest'
	option network 'guest_turris'
	option encryption 'psk2+ccmp'
	option wpa_group_rekey '86400'
	# NOTE(review): unlike the other keys in this paste, this passphrase was
	# posted unredacted. Treat it as disclosed and rotate it. WPA2-PSK security
	# rests entirely on the passphrase being long and unguessable.
	option key 'heslicko'
	option ifname 'guest_turris_0'
	# isolate '1' blocks traffic between clients of this AP interface. It is
	# set per interface; clients on the other guest interfaces are not covered
	# by this option (presumably they meet on br-guest-turris; TODO confirm).
	option isolate '1'

# Guest AP on radio1, with the same settings as guest_iface_0.
config wifi-iface 'guest_iface_1'
	option disabled '0'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Pacakovi-guest'
	option network 'guest_turris'
	option encryption 'psk2+ccmp'
	option wpa_group_rekey '86400'
	# Same unredacted guest passphrase as on guest_iface_0; rotate both together.
	option key 'heslicko'
	option ifname 'guest_turris_1'
	option isolate '1'

# radio2: a second 5 GHz radio, 80 MHz HE, also fixed to channel 64.
config wifi-device 'radio2'
	option type 'mac80211'
	option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
	option band '5g'
	option disabled '0'
	option country 'CZ'
	option channel '64'
	option cell_density '0'
	option htmode 'HE80'

# Main AP on radio2, attached to 'lan' under a separate SSID.
config wifi-iface 'default_radio2'
	option device 'radio2'
	option network 'lan'
	option mode 'ap'
	option disabled '0'
	# 'sae-mixed' is WPA2-PSK/WPA3-SAE transition mode: both client types are
	# accepted, and clients that join with WPA2-PSK get no SAE protection.
	option encryption 'sae-mixed'
	option wpa_group_rekey '86400'
	option key 'xxx'
	option ssid 'Pacakovi_5G'

# Guest AP on radio2, in transition mode with client isolation on.
config wifi-iface 'guest_iface_2'
	option device 'radio2'
	option disabled '0'
	option mode 'ap'
	option network 'guest_turris'
	option encryption 'sae-mixed'
	option wpa_group_rekey '86400'
	# Redacted here, although the other two guest interfaces show their key.
	option key 'xxx'
	option ifname 'guest_turris_2'
	option isolate '1'
	option ssid 'Pacakovi-guest_5G'