802.11r FT issues between BPI-R4 and GL-MT6000 - Clients locked out after failed roam

Environment:

  • Node A (Main): Banana Pi BPI-R4 (MediaTek MT7986 / Filogic 880).

  • Node B (AP): GL.iNet GL-MT6000 / Flint 2 (Filogic 830).

  • Software: OpenWrt 25.10.0-rc3 (Custom build, same on both).

  • WPAD: Full wpad-mbedtls included at build time. All wpad-basic-xxx packages were explicitly deselected/removed during compilation. (Also tested with full wpad-openssl build).

  • Topology: Dedicated Ethernet Backhaul via SFP+ switch.

Wireless Configuration:

  • 802.11r: FT over DS, PMK R1 Push enabled.

  • Mobility Domain: eaea (Identical on all radios across both routers).

  • NAS ID: Set to Radio MAC (Hex format, no colons) for each AP.

  • R1 Key Holder: Set to Radio MAC (Hex format, no colons) for each AP.

  • Security: Tested WPA2/WPA3-Mixed, Pure WPA2-PSK, and Pure WPA3-SAE. Results are consistent across all encryption modes.

The Issue: Fast Transition (FT) is extremely unstable and behaves asymmetrically.

  1. Direction Flint 2 -> BPI-R4: Occasionally works (auth_alg=ft), but often drops after 4 seconds and falls back to a full handshake. Connecting manually to Node A always works.

  2. Direction BPI-R4 -> Flint 2: Consistently fails. Critical: after a failed roam attempt to the Flint 2, the client is completely locked out from that node. Manual connection attempts to the Flint 2 return a "Connection Error" indefinitely. I have to wait several minutes or reboot Node B to regain access. This "lock-out" never happens on the BPI-R4 side.

Anonymized Logs (BPI-R4 perspective):

  • Station: AA:BB:CC:11:22:33

# FT Success followed by immediate drop:
23:31:10 daemon.notice hostapd: phy0.1-ap0: AP-STA-CONNECTED AA:BB:CC:11:22:33 auth_alg=ft
23:31:14 daemon.notice hostapd: phy0.1-ap0: AP-STA-DISCONNECTED AA:BB:CC:11:22:33
23:31:14 user.info usteer: station AA:BB:CC:11:22:33 disconnected from node hostapd.phy0.1-ap0

# Driver errors seen during transition:
23:31:09 daemon.err hostapd: phy0.0-ap0: nl80211: kernel reports: key addition failed

Troubleshooting performed:

  • Encryption: Tested Pure WPA2, Pure WPA3, and Mixed. The "Connection Error" on the Flint 2 persists in all modes after a failed FT roam.

  • Steering: I am currently using usteer. Both routers and all APs are correctly visible in the usteer status/mesh. However, I previously tested without usteer (compiled without it) and the results were identical.

  • WPAD: Only full versions are present in the custom build.

  • Config: Verified Mobility Domain and NAS ID consistency across 6 APs (3 per router).

Questions for the community:

  • Has anyone successfully configured an Ethernet Backhaul roaming setup between these Filogic devices?

  • Why would a failed FT attempt lock out a client from manual connection only on the Flint 2 (Node B)? Could this be a hostapd state issue or a PMK caching bug specific to the Filogic 830 driver?

  • Are there known regressions in the mt7915 / mt7986 drivers for this RC version regarding nl80211: key addition failed?

Update / Additional Info: I also have WED (Wireless Ethernet Dispatcher) enabled on both routers, along with Hardware Flow Offloading (HNA) in the firewall settings.

I tried disabling WED and HNA to see if that would fix it, but it didn't work either. Now I've re-enabled it on both routers. I wanted to mention this in case there are any known regressions with WED + FT on Filogic 830/880.
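
The pattern in the post above (an `auth_alg=ft` association that drops after a few seconds, a full re-authentication, and `key addition failed` from nl80211) can be pulled out of `logread` output mechanically. The following Python script is an added example, not code from the poster or from OpenWrt; the 10-second threshold and the report field names are assumptions, and the sample lines after the first four are constructed.

```python
import re

# First four lines are the ones quoted in the post; the rest are constructed
# to exercise the fallback and long-session paths.
SAMPLE_LOG = """\
23:31:09 daemon.err hostapd: phy0.0-ap0: nl80211: kernel reports: key addition failed
23:31:10 daemon.notice hostapd: phy0.1-ap0: AP-STA-CONNECTED AA:BB:CC:11:22:33 auth_alg=ft
23:31:14 daemon.notice hostapd: phy0.1-ap0: AP-STA-DISCONNECTED AA:BB:CC:11:22:33
23:31:14 user.info usteer: station AA:BB:CC:11:22:33 disconnected from node hostapd.phy0.1-ap0
23:31:16 daemon.notice hostapd: phy0.1-ap0: AP-STA-CONNECTED AA:BB:CC:11:22:33 auth_alg=sae
23:40:02 daemon.notice hostapd: phy0.0-ap0: AP-STA-CONNECTED AA:BB:CC:44:55:66 auth_alg=ft
23:52:30 daemon.notice hostapd: phy0.0-ap0: AP-STA-DISCONNECTED AA:BB:CC:44:55:66
"""

# Accepts "HH:MM:SS facility hostapd: ..." with or without a "Sun Jan 25 ... 2026" date.
LINE = re.compile(r"^(?:\w{3} \w{3} +\d+ )?(?P<ts>\d\d:\d\d:\d\d)(?: \d{4})? \S+ "
                  r"hostapd: (?P<ifname>\S+): (?P<msg>.*)$")
EVENT = re.compile(r"^AP-STA-(?P<kind>CONNECTED|DISCONNECTED) "
                   r"(?P<sta>[0-9A-Fa-f:]{17})(?: auth_alg=(?P<alg>\S+))?")

def _secs(ts):
    h, m, s = (int(x) for x in ts.split(":"))
    return h * 3600 + m * 60 + s

def triage(log_text, short_session=10):
    """Summarise FT behaviour; short_session (seconds) is an assumed threshold."""
    open_sessions = {}   # (station, interface) -> (start in seconds, auth_alg)
    last_short_ft = {}   # station -> end time of its last short-lived FT session
    report = {"short_ft": [], "fallbacks": [], "key_errors": [], "auth_counts": {}}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                      # not a hostapd line (e.g. usteer)
        now, ifname, msg = _secs(m["ts"]), m["ifname"], m["msg"]
        if "key addition failed" in msg:  # driver refused to install a key
            report["key_errors"].append((m["ts"], ifname))
            continue
        ev = EVENT.match(msg)
        if not ev:
            continue
        sta = ev["sta"].lower()
        if ev["kind"] == "CONNECTED":
            alg = ev["alg"] or "unknown"
            counts = report["auth_counts"].setdefault(sta, {})
            counts[alg] = counts.get(alg, 0) + 1
            open_sessions[(sta, ifname)] = (now, alg)
            ended = last_short_ft.pop(sta, None)
            # A non-FT association right after a dropped FT one is a fallback.
            if ended is not None and alg != "ft" and (now - ended) % 86400 <= short_session:
                report["fallbacks"].append((sta, ifname, alg))
        else:
            start, alg = open_sessions.pop((sta, ifname), (None, None))
            if start is None:
                continue
            lifetime = (now - start) % 86400   # modulo handles a midnight wrap
            if alg == "ft" and lifetime <= short_session:
                report["short_ft"].append((sta, ifname, lifetime))
                last_short_ft[sta] = now
    return report

if __name__ == "__main__":
    for section, rows in triage(SAMPLE_LOG).items():
        print(section, rows)
```

Running it against the logs of both nodes for the same time window shows whether short-lived FT sessions and key errors line up with one direction of the roam.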

The most important thing you can do is to set the channels (non-overlapping) and power levels (almost always reduced from their max) and, to the degree possible, the physical positioning of the devices such that you optimize the roaming performance without needing 802.11r (or k/v).

Have you done this??

I didn't mention it, but I did try it. I set different channels for each AP and also reduced the power by half on each AP of each router.

I'd recommend turning off 802.11r (and k/v if you have those enabled), and observing the roaming behavior. FWIW, 802.11k/v/r can actually cause more harm than good in many situations.

If I disable all roaming options, then I can manually switch from one AP to another without any problems. But I would like it to happen automatically, when it detects that one signal is stronger than the other.

What do you mean “manually”?

I turn off the Wi-Fi on my phone and turn it back on, and it picks up the AP from the router again and works fine. It also works automatically if I wait a while and the phone connects itself when it can't get a signal from the other one.

That is not a proper test of roaming.

Roaming should happen automatically when your device decides that it needs to look for better signal quality from another AP.

Let's take a look at the config from both devices to see if there might be config issues.

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):

Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

I think there was a misunderstanding. My previous test (disabling 802.11r) was just to confirm that the hardware and basic Wi-Fi are stable. Without 802.11r, clients can connect to both APs perfectly. The 'Connection Error' and the lockout on the Flint 2 only happen when 802.11r is enabled.

This is a red herring; it happens when you roam back to the radio that already has your key.

I see.

Well, this generally goes along with my general advice: avoid 802.11r (as well as k/v) unless there is a demonstrated need to use these standards.

As I said before, these standards can cause problems with certain client devices and have little real-world benefit in most environments.

The normal approach would be to check if the device ever roams from 2.4 to 5 by itself and will not gain from KV.
11R is useful with e.g. IP phones, where it matters that you re-connect to the other radio in 0.3s in place of the typical ~1s.

Forced roaming (KV) comes into play when you wish to re-balance hundreds of clients; even there, there is a simple trick: just stop broadcasting the "full" access point.

I have attempted to anonymize the router configuration as much as possible and remove elements that are not useful:

BPI->


**System Information:**
root@bpi-r4:~# ubus call system board
{
        "kernel": "6.12.66",
        "hostname": "bpi-r4",
        "system": "ARMv8 Processor rev 0",
        "model": "Banana Pi BPI-R4 (2x SFP+)",
        "board_name": "bananapi,bpi-r4",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "25.12.0-rc3",
                "firmware_url": "https://downloads.openwrt.org/",
                "revision": "r32486-30527a4c34",
                "target": "mediatek/filogic",
                "description": "OpenWrt 25.12.0-rc3 r32486-30527a4c34",
                "builddate": "1768954854"
        }
}

**1. /etc/config/network**
root@bpi-r4:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        list ipaddr '127.0.0.1/8'

config globals 'globals'
	option ula_prefix 'fd60:...'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'sfp-lan' # Downlink to Flint 2

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	list ipaddr '192.168.200.1/24'
	option ip6assign '60'

config device
	option name 'br-wan'
	option type 'bridge'
	list ports 'wan'
	list ports 'sfp-wan'

config interface 'wan'
	option device 'br-wan'
	option proto 'static'
	option ipaddr '192.168.1.3'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'

config interface 'wan6'
	option device 'br-wan'
	option proto 'dhcpv6'

config device
	option type 'bridge'
	option name 'br-guest'
	option ipv6 '0'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	list dns '8.8.8.8'
	list dns '8.8.4.4'

**2. /etc/config/wireless**
# Note: MACs and NASIDs are anonymized but strictly preserve the logic (NASID == MAC Hex).
# BPI-R4 (Self): 10:00:00:00:00:XX
# Flint 2 (Neighbor): 20:00:00:00:00:XX

# --- RADIO 0 (2.4GHz) ---
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/11300000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option radio '0'
	option band '2g'
	option channel '1'
	option htmode 'HT40'
	option country 'ES'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'MySSID'
	option encryption 'sae-mixed'
	option key '[REDACTED]'
	option ieee80211k '1'
	option wnm_sleep_mode '1'
	option wnm_sleep_mode_no_keys '1'
	option bss_transition '1'
	option proxy_arp '1'
	# 802.11r Config
	option ieee80211r '1'
	option nasid '100000000001'
	option mobility_domain '1234'
	option pmk_r1_push '1'
	option ft_over_ds '1'
	# Neighbor List (Self + Flint 2 Radio 0)
	list r0kh '10:00:00:00:00:01,100000000001,9e1234567890abcdef1234567890abcdef'
	list r0kh '20:00:00:00:00:01,200000000001,9e1234567890abcdef1234567890abcdef'
	list r1kh '10:00:00:00:00:01,10:00:00:00:00:01,9e1234567890abcdef1234567890abcdef'
	list r1kh '20:00:00:00:00:01,20:00:00:00:00:01,9e1234567890abcdef1234567890abcdef'

# --- RADIO 1 (5GHz) ---
config wifi-device 'radio1'
	option type 'mac80211'
	option path 'soc/11300000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option radio '1'
	option band '5g'
	option channel '36'
	option htmode 'HE160'
	option country 'ES'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'MySSID_5G'
	option encryption 'sae-mixed'
	option key '[REDACTED]'
	option ieee80211k '1'
	option wnm_sleep_mode '1'
	option wnm_sleep_mode_no_keys '1'
	option bss_transition '1'
	option proxy_arp '1'
	# 802.11r Config
	option ieee80211r '1'
	option nasid '100000000002'
	option mobility_domain '1234'
	option pmk_r1_push '1'
	option ft_over_ds '1'
	# Neighbor List (Self + Flint 2 Radio 1)
	list r0kh '10:00:00:00:00:02,100000000002,9e1234567890abcdef1234567890abcdef'
	list r0kh '20:00:00:00:00:02,200000000002,9e1234567890abcdef1234567890abcdef'
	list r1kh '10:00:00:00:00:02,10:00:00:00:00:02,9e1234567890abcdef1234567890abcdef'
	list r1kh '20:00:00:00:00:02,20:00:00:00:00:02,9e1234567890abcdef1234567890abcdef'

# --- GUEST (On Radio 1) ---
config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'MySSID_Guest'
	option encryption 'sae-mixed'
	option key '[REDACTED]'
	option network 'guest'
	option isolate '1'
	option ieee80211k '1'
	option wnm_sleep_mode '1'
	option wnm_sleep_mode_no_keys '1'
	option bss_transition '1'
	option proxy_arp '1'
	# 802.11r Config
	option ieee80211r '1'
	option nasid '100000000003'
	option mobility_domain '1234'
	option pmk_r1_push '1'
	option ft_over_ds '1'
	# Neighbor List (Self + Flint 2 Guest)
	list r0kh '10:00:00:00:00:03,100000000003,9e1234567890abcdef1234567890abcdef'
	list r0kh '20:00:00:00:00:03,200000000003,9e1234567890abcdef1234567890abcdef'
	list r1kh '10:00:00:00:00:03,10:00:00:00:00:03,9e1234567890abcdef1234567890abcdef'
	list r1kh '20:00:00:00:00:03,20:00:00:00:00:03,9e1234567890abcdef1234567890abcdef'

# --- RADIO 2 (6GHz - No Roaming configured yet) ---
config wifi-device 'radio2'
	option type 'mac80211'
	option radio '2'
	option band '6g'
	option channel '1'
	option htmode 'EHT320'
	option country 'ES'

config wifi-iface 'default_radio2'
	option device 'radio2'
	option network 'lan'
	option mode 'ap'
	option ssid 'MySSID_6G'
	option encryption 'sae'
	option key '[REDACTED]'

**3. /etc/config/dhcp**
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option ra 'server'
	option ra_default '1'
	option dhcpv6 'server'
	list dhcp_option '6,192.168.200.1'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'

**4. /etc/config/firewall**
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

# Standard Rules
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Guest Zone & Rules
config zone
	option name 'guest_fw'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest_fw'
	option dest 'wan'

config rule
	option src 'guest_fw'
	option name 'guest-rule'
	option dest_port '67 68 53'
	option target 'ACCEPT'

# Usteer & DAWN
config rule
	option name 'Allow-DAWN'
	option src 'lan'
	option dest_port '1025 1026'
	option proto 'udp tcp'
	option target 'ACCEPT'

config rule
	option name 'Allow-Usteer'
	option src 'lan'
	option proto 'udp'
	option dest_port '6113'
	option target 'ACCEPT'

FLINT2->

### Node B: Flint 2 (Access Point / Mesh Node) Configuration

**System Information:**
root@Flint2:~# ubus call system board
{
        "kernel": "6.12.66",
        "hostname": "Flint2",
        "system": "ARMv8 Processor rev 4",
        "model": "GL.iNet GL-MT6000",
        "board_name": "glinet,gl-mt6000",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "25.12.0-rc3",
                "firmware_url": "https://downloads.openwrt.org/",
                "revision": "r32486-30527a4c34",
                "target": "mediatek/filogic",
                "description": "OpenWrt 25.12.0-rc3 r32486-30527a4c34",
                "builddate": "1768954854"
        }
}

**1. /etc/config/network**

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	list ipaddr '127.0.0.1/8'

config globals 'globals'
	option ula_prefix 'fdfa:...'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'lan5'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	list ipaddr '192.168.200.2/24'
	option ip6assign '60'
	option gateway '192.168.200.1'
	list dns '192.168.200.1'

config interface 'wan'
	option device 'eth1'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth1'
	option proto 'dhcpv6'

config device
	option type 'bridge'
	option name 'br-guest'
	option ipv6 '0'

config interface 'guest'
	option proto 'static'
	option device 'br-guest'
	option ipaddr '192.168.2.2'
	option netmask '255.255.255.0'

**2. /etc/config/wireless**
# Note: Flint 2 (Self): 20:00:00:00:00:XX | BPI-R4 (Neighbor): 10:00:00:00:00:XX

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option band '2g'
	option channel '6'
	option htmode 'HE40'
	option country 'ES'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'MySSID'
	option encryption 'sae-mixed'
	option key '[REDACTED]'
	option ieee80211k '1'
	option wnm_sleep_mode '1'
	option wnm_sleep_mode_no_keys '1'
	option bss_transition '1'
	option proxy_arp '1'
	option ieee80211r '1'
	option nasid '200000000001'
	option mobility_domain '1234'
	option pmk_r1_push '1'
	option ft_over_ds '1'
	list r0kh '20:00:00:00:00:01,200000000001,9e1234567890abcdef1234567890abcdef'
	list r0kh '10:00:00:00:00:01,100000000001,9e1234567890abcdef1234567890abcdef'
	list r1kh '20:00:00:00:00:01,20:00:00:00:00:01,9e1234567890abcdef1234567890abcdef'
	list r1kh '10:00:00:00:00:01,10:00:00:00:00:01,9e1234567890abcdef1234567890abcdef'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option band '5g'
	option channel '44'
	option htmode 'HE160'
	option country 'ES'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'MySSID_5G'
	option encryption 'sae-mixed'
	option key '[REDACTED]'
	option ieee80211k '1'
	option wnm_sleep_mode '1'
	option wnm_sleep_mode_no_keys '1'
	option bss_transition '1'
	option proxy_arp '1'
	option ieee80211r '1'
	option nasid '200000000002'
	option mobility_domain '1234'
	option pmk_r1_push '1'
	option ft_over_ds '1'
	list r0kh '20:00:00:00:00:02,200000000002,9e1234567890abcdef1234567890abcdef'
	list r0kh '10:00:00:00:00:02,100000000002,9e1234567890abcdef1234567890abcdef'
	list r1kh '20:00:00:00:00:02,20:00:00:00:00:02,9e1234567890abcdef1234567890abcdef'
	list r1kh '10:00:00:00:00:02,10:00:00:00:00:02,9e1234567890abcdef1234567890abcdef'

config wifi-iface 'wifinet2'
	option device 'radio1'
	option mode 'ap'
	option ssid 'MySSID_Guest'
	option encryption 'sae-mixed'
	option key '[REDACTED]'
	option network 'lan'
	option isolate '1'
	option ieee80211k '1'
	option wnm_sleep_mode '1'
	option wnm_sleep_mode_no_keys '1'
	option bss_transition '1'
	option proxy_arp '1'
	option ieee80211r '1'
	option nasid '200000000003'
	option mobility_domain '1234'
	option pmk_r1_push '1'
	option ft_over_ds '1'
	list r0kh '20:00:00:00:00:03,200000000003,9e1234567890abcdef1234567890abcdef'
	list r0kh '10:00:00:00:00:03,100000000003,9e1234567890abcdef1234567890abcdef'
	list r1kh '20:00:00:00:00:03,20:00:00:00:00:03,9e1234567890abcdef1234567890abcdef'
	list r1kh '10:00:00:00:00:03,10:00:00:00:00:03,9e1234567890abcdef1234567890abcdef'

**3. /etc/config/dhcp**
config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'

config dhcp 'lan'
	option interface 'lan'
	option ignore '1'

**4. /etc/config/firewall**
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'DROP'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config zone
	option name 'guest_fw'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'guest_fw'
	option dest 'wan'

config rule
	option name 'Allow-DAWN'
	option src 'lan'
	option dest_port '1025 1026'
	option proto 'udp tcp'
	option target 'ACCEPT'

config rule
	option name 'Allow-Usteer'
	option src 'lan'
	option proto 'udp'
	option dest_port '6113'
	option target 'ACCEPT'
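
Added example, not part of any post and not OpenWrt or hostapd code: a Python check of the r0kh/r1kh cross-references that configurations like the two above rely on. It assumes `r1_key_holder` is set explicitly on every interface and that keys are 64 hex digits (the 256-bit form current hostapd.conf documents); the sample sections, NAS-IDs, MACs and key are constructed.

```python
import re
import shlex

HEX_KEY = re.compile(r"^[0-9a-fA-F]{64}$")  # assumed key form: 256 bit as hex
MOBILITY = re.compile(r"^[0-9a-fA-F]{4}$")  # mobility domain: 2 octets as hex

def parse_ifaces(node, uci_text):
    """Return the FT-enabled wifi-iface sections of one node's wireless config."""
    ifaces, cur = [], None
    for line in uci_text.splitlines():
        tok = shlex.split(line, comments=True)
        if len(tok) >= 2 and tok[0] == "config":
            cur = None
            if tok[1] == "wifi-iface":
                cur = {"_node": node, "_name": tok[2] if len(tok) > 2 else "?",
                       "r0kh": [], "r1kh": []}
                ifaces.append(cur)
        elif cur is not None and len(tok) == 3 and tok[0] == "option":
            cur[tok[1]] = tok[2]
        elif cur is not None and len(tok) == 3 and tok[0] == "list" and tok[1] in ("r0kh", "r1kh"):
            cur[tok[1]].append(tuple(f.strip() for f in tok[2].split(",")))
    return [i for i in ifaces if i.get("ieee80211r") == "1"]

def check_ft(ifaces):
    """Return sorted findings; an empty list means the cross-references agree."""
    out = []
    tag = lambda i: f"{i['_node']}/{i['_name']}"
    for i in ifaces:
        if not MOBILITY.match(i.get("mobility_domain", "")):
            out.append(f"{tag(i)}: mobility_domain must be 4 hex digits")
        for kind in ("r0kh", "r1kh"):
            for entry in i[kind]:
                if len(entry) != 3 or not HEX_KEY.match(entry[2]):
                    out.append(f"{tag(i)}: malformed {kind} entry for {entry[0]}")
    for a in ifaces:            # a in the R1KH role, b in the R0KH role
        for b in ifaces:
            if a is b or (a.get("ssid"), a.get("mobility_domain")) != (b.get("ssid"), b.get("mobility_domain")):
                continue
            # a pulls PMK-R1 from b, so a's r0kh list must name b's NAS-ID ...
            r0 = {e[1]: e[2] for e in a["r0kh"] if len(e) == 3}
            # ... and b's r1kh list must name a's R1KH-ID with the same key.
            r1 = {e[1].replace(":", "").lower(): e[2] for e in b["r1kh"] if len(e) == 3}
            a_id = a.get("r1_key_holder", "").lower()
            if b.get("nasid") not in r0:
                out.append(f"{tag(a)}: no r0kh entry for {tag(b)} (nasid {b.get('nasid')})")
            elif a_id not in r1:
                out.append(f"{tag(b)}: no r1kh entry for {tag(a)} (r1_key_holder {a_id or 'unset'})")
            elif r0[b["nasid"]].lower() != r1[a_id].lower():
                out.append(f"{tag(a)} <-> {tag(b)}: r0kh/r1kh keys differ")
    return sorted(set(out))

# Constructed sample data: hypothetical NAS-IDs, MACs and key, not from the thread.
KEY = "00112233445566778899aabbccddeeff" * 2
TEMPLATE = """
config wifi-iface 'ap5g'
	option ssid 'ExampleNet'
	option ieee80211r '1'
	option mobility_domain '1a2b'
	option nasid '{nasid}'
	option r1_key_holder '{r1}'
	list r0kh '02:00:00:00:0a:01,{peer_a},{key}'
	list r0kh '02:00:00:00:0b:01,nodeb-5g,{key}'
	list r1kh '02:00:00:00:0a:01,02:00:00:00:0a:01,{key}'
	list r1kh '02:00:00:00:0b:01,02:00:00:00:0b:01,{key}'
"""
NODE_A = TEMPLATE.format(nasid="nodea-5g", r1="020000000a01", peer_a="nodea-5g", key=KEY)
NODE_B_OK = TEMPLATE.format(nasid="nodeb-5g", r1="020000000b01", peer_a="nodea-5g", key=KEY)
NODE_B_BAD = TEMPLATE.format(nasid="nodeb-5g", r1="020000000b01", peer_a="nodea5g", key=KEY)  # NAS-ID typo

def audit(a_text, b_text):
    return check_ft(parse_ifaces("nodeA", a_text) + parse_ifaces("nodeB", b_text))

if __name__ == "__main__":
    print(audit(NODE_A, NODE_B_BAD) or "consistent")
```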

Firewall hardware flow offload completely prevents any roaming (60s in place of 1s to roam).

I use two AX3200 with Ethernet backhaul and usteer. Currently fourth day on RC3. So far so good.

I tried disabling hardware and software acceleration on both routers, but it still didn't work. Now I've left it disabled on both routers, following your advice.

Thanks for the replies.

I've been doing some testing to narrow this down. Although it wasn't explicitly requested, I tried a simplified configuration without manual r0kh/r1kh tables to rule out any derivation errors. I manually added option ft_psk_generate_local '1' via CLI, as the checkbox is missing in LuCI despite me having the full wpad-mbedtls package installed on this 25.12.0-rc3 build.

Even with this simplified setup, 802.11r is not working. The logs show the client performs a full SAE authentication every time:

Sun Jan 25 10:08:06 2026 daemon.notice hostapd: phy1-ap0: AP-STA-DISCONNECTED ac:c0:48:65:36:17
Sun Jan 25 10:08:07 2026 daemon.notice hostapd: phy0-ap0: AP-STA-CONNECTED ac:c0:48:65:36:17 auth_alg=sae
Sun Jan 25 10:08:07 2026 daemon.info hostapd: phy0-ap0: STA ac:c0:48:65:36:17 WPA: pairwise key handshake completed (RSN)

For testing purposes, I have now disabled hardware acceleration in the firewall.

If it is known that HWA prevents roaming or interferes with hostapd's ability to handle FT frames in this RC, is this a confirmed regression for the Filogic platform in RC3?

You have to be more specific than that..... If nothing worked you would not be able to change configuration.

Hardware offload uses physical interface IDs and ignores ARP, FDB (MAC to (Wi-Fi) port mapping) and routing tables; that is well documented in the upstream kernel. Since forever, same with most proprietary SDKs.