When you enable the hotspot mode on an interface,
the communication traffic between access points and the ASG itself is also dropped.
This makes it impossible to have a hotspot configured on the same LAN segment that the APs are connected to - which is normal if you have "bridge to AP LAN" mode for an SSID.
iptables mangle chain "HOTSPOT_CUTOFF_PRE" is discarding the packets on port 2712 without notification/logging, because of a missing implicit allow rule.
I suggest you also make the restrictiveness of the HOTSPOT_CUTOFF_PRE rules a bit looser. You cannot even ping the central ASG for testing purposes...