Wifi client to LAN resource

I have an issue on my network that I cannot explain. Somehow, wifi clients connected to the network cannot access some wired resources on the same network while they can access others. The wifi client and the wired resource are both on the “trusted” network, which uses the default VLAN. The wifi clients get IPs in the same range as the wired resources that they cannot connect to.

On the trusted LAN network I have a wired printer and a wired Synology NAS. With my iPhone, when connected to the trusted Wifi, I can use the printer. But I cannot approach the NAS. Not through a dedicated app (DS File) and not through the browser. Nothing happens. There’s no evidence any traffic from the iPhone ever arrives at the NAS. After a while, the connection attempt times out. But printing from the iPhone works…

The firewall on the NAS is disabled. The logs on the NAS show no evidence of something trying to get in.
The firewall on the Balance One is enabled. But, I would not expect this traffic to be subject to the firewall: all traffic is on the same network. The Default rule is any to any allowed. Just for fun I configured a “trusted network to trusted network” firewall rule, all traffic allowed and logged. But nothing shows in the logs.
The wifi has no client isolation, at least, not configured through the GUI. “Block all private IP” is not ticked.

What am I missing? What could be causing this? Since I do not see anything happen on the NAS I suspect that the router must be blocking the traffic, or misrouting it. But why? And how to debug this?

I downloaded a network tools app on the iPhone. I can ping google.com all right but cannot ping any internal resource, not the printer and not even the router itself.

Since it's the same VLAN, we're talking about traffic management at Layer 2. Can you share a screenshot of your SSID config? The only Layer 2 management I am aware of is on that page.

Do you have any managed switches in play with traffic management enabled perhaps?

Yes I have a managed switch, however, I am not using its management capabilities. Please see the included network topology: the managed switch is only hosting the default VLAN.
Here are my SSID settings:
[edit:removed]
And here’s my network topology:
[edit:removed]

Today I have removed my access point, so all wifi traffic is on the Peplink only. And I have factory reset my switch: now it is just a dumb switch, standard, no vlans. Still, I cannot access my NAS from my iPhone even when connected to the same VLAN, and I still can use the printer which is on precisely the same network. In Dutch we say in a situation like this: “very special”. So I am going to file a support ticket.

Not every device responds to ping. Does the NAS respond to pings from other devices? From other WiFi devices?

I would not worry about the Synology iOS app for now, as we don't know what it's doing. Focus first on browser access to the NAS from the iOS device.

Do you have more than one iOS device? If so, is the problem on all of them?

I suggest trying the Fing app; it's a LAN scanner. Let's see if it sees the NAS from the iOS device(s).

Please post the full details of your SSID definition. And, try it again with iOS not using a private MAC address. That became the default fairly recently.

The good news is that this can definitely be explained, eventually. Your router can log all the bits on the LAN, and anyone familiar with Wireshark can review that and see exactly what is happening.
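The checks suggested in this reply (ping, browser/TCP access, a LAN scan) can be scripted from any laptop joined to the same SSID, which gives a repeatable reachability matrix instead of one-off app results. The script below is an added example, not code from the thread or from Peplink or Synology; the target addresses and ports are placeholders (DSM's 5000/5001, IPP 631 and raw 9100 for the printer) that you would replace with your own. It uses the OS `ping` binary for ICMP so it needs no raw sockets, and a plain TCP connect for the service ports.

```python
"""Reachability matrix from the Wi-Fi client's point of view.

Added example (not from the original thread). Addresses and ports are
assumed placeholders; edit TARGETS for your own LAN.
"""
import platform
import socket
import subprocess

# Constructed sample targets on the "trusted" LAN (assumed addresses).
TARGETS = {
    "router":  ("192.168.1.1",  [80, 443]),
    "printer": ("192.168.1.20", [631, 9100]),
    "nas":     ("192.168.1.30", [5000, 5001]),
}


def ping(host: str, timeout_s: int = 2) -> bool:
    """One ICMP echo via the system ping command; True on any reply."""
    count_flag = "-n" if platform.system() == "Windows" else "-c"
    try:
        r = subprocess.run(["ping", count_flag, "1", host],
                           capture_output=True, timeout=timeout_s)
        return r.returncode == 0
    except (subprocess.TimeoutExpired, FileNotFoundError):
        return False


def tcp_connect(host: str, port: int, timeout_s: float = 2.0) -> bool:
    """TCP three-way handshake only; True if the port accepts the connection."""
    try:
        with socket.create_connection((host, port), timeout=timeout_s):
            return True
    except OSError:
        return False


def diagnose(ping_ok: bool, tcp_ok: list) -> str:
    """Map raw results to the next thing to look at.

    The thread's symptom (NAS silent to both ping and browser from Wi-Fi,
    NAS logs empty, printer fine) is the last branch: packets never arrive,
    so the problem is on the path (AP/SSID settings, switch), not the host.
    """
    if ping_ok and any(tcp_ok):
        return "reachable: look at the service/app (ports, auth, app config)"
    if ping_ok and not any(tcp_ok):
        return "ICMP ok, no service port: host firewall or service not listening"
    if not ping_ok and any(tcp_ok):
        return "TCP ok, ICMP dropped: host ignores ping; not a path problem"
    return "no ICMP, no TCP: traffic never arrives; check SSID/AP settings and L2 path"


def probe(targets=TARGETS) -> dict:
    """Run ping + TCP checks for every target; returns name -> (ping, [tcp], verdict)."""
    rows = {}
    for name, (host, ports) in targets.items():
        p = ping(host)
        t = [tcp_connect(host, port) for port in ports]
        rows[name] = (p, t, diagnose(p, t))
    return rows


if __name__ == "__main__":
    for name, (p, t, verdict) in probe().items():
        print(f"{name:8} ping={str(p):5} tcp={t} -> {verdict}")
```

Run it once from a wired host and once from the same host on Wi-Fi; the rows that differ between the two runs are the ones the SSID or AP configuration is affecting, and a "no ICMP, no TCP" row matched by silence in the target's own logs is the signature of traffic being dropped or misdirected before it reaches the host.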

The NAS responds to pings, at least from my iMac. From other wifi devices I do not know. From my iPhone it doesn’t, although Fing finds it and says it is online.

Yes, the problem is on all iPhones. In fact, it is on all wifi clients. My iMac, on which it (wired) works, cannot connect to the NAS anymore over wifi. And not using a private MAC address does not make a difference: in both cases I cannot open the NAS on the iPhone, not using the DS File app and not through the browser.

This is my SSID definition:

Can I capture the network traffic with the Balance One? How could I log all the bits on the LAN that are relevant?

@Michael234 Please see my reply to your queries above. And furthermore, I found the following information on the Synology community when browsing for a solution to this issue:

If you wish to access DS file with your IP address or DDNS, you must forward port 5000 and 5001 on your router to your Synology NAS, failing to do so may result in you unable connect or login.

NOTE: If you wish to access DS file away from your home network, the IP address you entered must be an external IP address of your network, NOT the internal IP address of your Synology such as 192.168.x.x or 10.x.x.x.

This seems strange to me. I mean, when you want to access the NAS from outside of your home network, then I understand the port forwarding bit. But I am talking about internal wifi to lan routing here, no need nor desire to access the NAS from outside of my network. What could this mean? I did not find an internal port forwarding option in the Balance One. To use port forwarding, I have to select a WAN link which I do not want to do.

Did some more testing and found the offending setting. It is the custom subnet range, which I populated with the same range as the default VLAN. I did that because initially I found that clients did not get an IP in the desired range without that setting. Now I have removed it, and access to the NAS works immediately after apply.
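The root cause found above is a configuration conflict, not a firewall rule: the SSID carried a custom subnet range that duplicated the subnet of the VLAN it was bridged into. Below is an added example (not Peplink's code and not from the thread) of a small config lint that catches that pattern, plus the two other SSID settings the thread ruled out (client isolation and "block all private IP"). The config dictionaries are constructed stand-ins for those GUI fields and the field names are assumptions; the custom range is accepted either as CIDR or as a `start-end` pair, since the GUI wording suggests a range.

```python
"""Lint an SSID definition against the VLAN subnets it bridges into.

Added example, not Peplink's or the thread author's code. Field names
(custom_subnet_range, client_isolation, block_all_private_ip) are
assumed stand-ins for the GUI settings discussed in the thread.
"""
import ipaddress

# Constructed sample: the "trusted" VLAN where the NAS and printer live.
VLANS = {
    "trusted": ipaddress.ip_network("192.168.1.0/24"),
}

# The configuration that broke Wi-Fi -> NAS access in the thread:
# a custom subnet range identical to the VLAN's own subnet.
SSID_BROKEN = {
    "name": "Trusted-WiFi",
    "vlan": "trusted",
    "custom_subnet_range": "192.168.1.0/24",
    "client_isolation": False,
    "block_all_private_ip": False,
}

# The fix: no custom range, clients take addresses from the VLAN's DHCP scope.
SSID_FIXED = {**SSID_BROKEN, "custom_subnet_range": None}


def range_as_networks(spec: str) -> list:
    """Accept '192.168.1.0/24' or '192.168.1.100-192.168.1.200'."""
    if "-" in spec:
        start, end = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(spec, strict=False)]


def check_ssid(ssid: dict, vlans: dict) -> list:
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    vlan_net = vlans[ssid["vlan"]]
    custom = ssid.get("custom_subnet_range")
    if custom:
        nets = range_as_networks(custom)
        if any(n == vlan_net for n in nets):
            findings.append(
                f"custom subnet range {custom} duplicates VLAN '{ssid['vlan']}' "
                f"subnet {vlan_net}: remove it and let clients use the VLAN's DHCP scope")
        elif any(n.overlaps(vlan_net) for n in nets):
            findings.append(
                f"custom subnet range {custom} overlaps VLAN '{ssid['vlan']}' "
                f"subnet {vlan_net}: clients will collide with wired hosts' addresses")
    if ssid.get("client_isolation"):
        findings.append("client isolation enabled: wireless clients cannot reach each other")
    if ssid.get("block_all_private_ip"):
        findings.append("'block all private IP' enabled: wireless clients cannot reach RFC 1918 LAN hosts")
    return findings


if __name__ == "__main__":
    for label, cfg in (("broken", SSID_BROKEN), ("fixed", SSID_FIXED)):
        print(label, check_ssid(cfg, VLANS) or "OK")
```

The lint only encodes what this thread established: a custom range that duplicates or overlaps the bridged VLAN's subnet is the setting to remove first when Wi-Fi clients hold addresses in the right range yet their packets never reach some wired hosts. Whether a disjoint custom range is valid depends on how the access point routes it, which the thread does not cover, so the check stays silent on that case.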