802.11r VLAN multiple SSID

Hello,

I'd like to use 802.11r with OpenWRT 22.03.06.
I configured the settings with LuCI and tested with different settings.
No client uses Fast Transition on my wireless network (iPhone SE-2, Huawei P20Pro or Windows 10 Laptop with supported Intel Wifi Chip).

I have 3 different SSID Wifi Networks with 3 Network VLANs. Wifi works with no problems.
Every Wifi Access Point gets its own NAS Identifier and R0 Key Holder.

What is wrong in my setup? Is 802.11r supported with multiple SSID ?

# Loopback interface: static local-only address 127.0.0.1/8 on device 'lo'.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# Global network settings; ula_prefix is the IPv6 ULA /48 configured on this device.
config globals 'globals'
	option ula_prefix 'fd71:7bdf:eb11::/48'



# Built-in switch 'switch0' (swconfig-style section) with VLAN handling enabled.
config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

# Switch VLAN table entry 101 carrying VLAN ID 1101, tagged ('t') on ports 0 and 5.
# NOTE(review): which of the two ports is the CPU port is not shown on this page.
config switch_vlan
        option device 'switch0'
        option vlan '101'
        option vid '1101'
        option ports '0t 5t'


# Table entry 102 -> VLAN ID 1102, same tagged ports.
config switch_vlan
        option device 'switch0'
        option vlan '102'
        option vid '1102'
        option ports '0t 5t'


# Table entry 103 -> VLAN ID 1103, same tagged ports.
config switch_vlan
        option device 'switch0'
        option vlan '103'
        option vid '1103'
        option ports '0t 5t'


# 802.1Q sub-device 'vlan1101' on eth0 for VLAN ID 1101.
config device
	option type '8021q'
	option ifname 'eth0'
	option vid '1101'
	option name 'vlan1101'


# 802.1Q sub-device 'vlan1102' on eth0 for VLAN ID 1102.
config device
        option type '8021q'
        option ifname 'eth0'
        option vid '1102'
        option name 'vlan1102'

# 802.1Q sub-device 'vlan1103' on eth0 for VLAN ID 1103.
config device
        option type '8021q'
        option ifname 'eth0'
        option vid '1103'
        option name 'vlan1103'




# One logical interface per VLAN; the wifi-iface sections attach to these by name.
# NOTE(review): 'option type bridge' together with 'option ifname' inside an
# interface section is the older syntax; a separate 'config device' bridge is
# the current form -- confirm how this release treats the mixed style.
# NOTE(review): all three VLAN interfaces carry a static address, so this AP is
# addressable from each of the three networks. Whether its management services
# are reachable there depends on firewall and service settings not shown here.

# VLAN 1101: 192.168.12.4/24, the only VLAN interface with a default gateway.
config interface 'lan1101'
	option type 'bridge'
	option ifname 'vlan1101'
	option proto 'static'
	option ipaddr '192.168.12.4'
	option netmask '255.255.255.0'
	option gateway '192.168.12.1'


# VLAN 1102: 192.168.13.4/24, no gateway set.
config interface 'lan1102'
        option type 'bridge'
        option ifname 'vlan1102'
        option proto 'static'
        option ipaddr '192.168.13.4'
        option netmask '255.255.255.0'

# VLAN 1103: 192.168.14.4/24, no gateway set.
config interface 'lan1103'
        option type 'bridge'
        option ifname 'vlan1103'
        option proto 'static'
        option ipaddr '192.168.14.4'
        option netmask '255.255.255.0'



# Bridge device 'br-lan' with eth1 as its only port.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'

# 'lan' interface on br-lan: static 192.168.1.1/24, with a /60 IPv6 prefix
# assignment requested via ip6assign. No wifi-iface on this page attaches to it.
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'


/etc/config/wireless:


# 2.4 GHz radio: fixed channel 5, 20 MHz HT, transmit power 18 dBm.
# NOTE(review): 'country' sets the regulatory domain; confirm it matches where
# the device is actually operated.
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/a000000.wifi'
	option channel '5'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'
	option country 'US'
	option txpower '18'
	option log_level '1'
	option disabled '0'

# 5 GHz radio: fixed channel 44, 40 MHz VHT, transmit power 23 dBm.
config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/a800000.wifi'
	option band '5g'
	option htmode 'VHT40'
	option cell_density '0'
	option txpower '23'
	option country 'US'
	option channel '44'
	option disabled '0'

# 2.4 GHz access points (radio0): three SSIDs, each attached to its own VLAN
# network. All use WPA2-PSK with CCMP; the keys were redacted by the poster.
# NOTE(review): none of these sections contains ieee80211r, mobility_domain or
# nasid options as posted, so this config does not enable Fast Transition.
# NOTE(review): ieee80211w is not set either, so the management frame protection
# state depends on the release default -- confirm if PMF is expected.

# SSID 'HOME' -> network lan1101.
config wifi-iface 'wifinet1'
	option device 'radio0'
	option mode 'ap'
	option network 'lan1101'
	option ssid 'HOME'
	option encryption 'psk2+ccmp'
	option key '*************************'
	option rts '2347'
	option frag '2346'
	option disablecoext '1'
	option vht_11ng '0'

# SSID 'HOME.1' -> network lan1102.
config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid 'HOME.1'
	option network 'lan1102'
	option disablecoext '1'
	option encryption 'psk2+ccmp'
	option key '*************************'
	option rts '2347'
	option frag '2346'
	option vht_11ng '0'
	option disabled '0'

# SSID 'HOME.2' -> network lan1103.
config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'ap'
	option ssid 'HOME.2'
	option network 'lan1103'
	option encryption 'psk2+ccmp'
	option rts '2347'
	option frag '2346'
	option disablecoext '1'
	option vht_11ng '0'
	option key '*************************'

 

# 5 GHz access points (radio1): the same three SSIDs and VLAN networks as on
# radio0, again WPA2-PSK with CCMP and poster-redacted keys.
# NOTE(review): as on radio0, no ieee80211r / mobility_domain / nasid options
# are present, so Fast Transition is not enabled by these sections as posted.

# SSID 'HOME' -> network lan1101.
config wifi-iface 'wifinet5'
	option device 'radio1'
	option mode 'ap'
	option network 'lan1101'
	option ssid 'HOME'
	option encryption 'psk2+ccmp'
	option key '*************************'
	option rts '2347'
	option frag '2346'
	option disablecoext '1'
	option vht_11ng '0'

# SSID 'HOME.1' -> network lan1102.
config wifi-iface 'wifinet6'
	option device 'radio1'
	option mode 'ap'
	option ssid 'HOME.1'
	option network 'lan1102'
	option disablecoext '1'
	option encryption 'psk2+ccmp'
	option key '*************************'
	option rts '2347'
	option frag '2346'
	option vht_11ng '0'
	option disabled '0'

# SSID 'HOME.2' -> network lan1103.
config wifi-iface 'wifinet7'
	option device 'radio1'
	option mode 'ap'
	option ssid 'HOME.2'
	option network 'lan1103'
	option encryption 'psk2+ccmp'
	option key '*************************'
	option rts '2347'
	option frag '2346'
	option disablecoext '1'
	option vht_11ng '0'
	option disabled '0'

In one case I got this message in the OpenWrt logs:

hostapd: nl80211: kernel reports: key addition failed

What can i do?

Thank you very much in advance and thank you for your help

Hi, I suggest you upgrade to 23.05 as it has had improvements for 802.11r, including a new dedicated WLAN roaming tab on the wifi interface configuration page, which IIRC wasn't there on 22.03:

That said, I'm not seeing 802.11r related configuration on your wifi interfaces, this is what I have on mine configured with the above tab (looking at a 22.03 backup this was there also):

# These options belong inside each 'config wifi-iface' section that should offer 802.11r.
# Management frame protection (802.11w): '1' = optional, '2' would make it required.
option ieee80211w '1'
# Enable 802.11r Fast Transition on this wifi-iface.
option ieee80211r '1'
# '0' selects FT over the air rather than FT over the distribution system.
option ft_over_ds '0'
# Derive PMK-R1 locally from the PSK, so no R0KH/R1KH key lists need to be shared
# between the APs; this only applies to PSK networks.
option ft_psk_generate_local '1'
# 4-hex-digit mobility domain ID. All APs a client should roam between need the
# same value for a given SSID ('abcd' is presumably just an example value).
option mobility_domain 'abcd'

It works with multiple SSIDs, each with a different mobility domain.

What device is this?

ubus call system board

Hi, here is the result:

{
"kernel": "5.10.201",
"hostname": "WLANAccessPoint1",
"system": "ARMv7 Processor rev 5 (v7l)",
"model": "Compex WPJ419",
"board_name": "compex,wpj419",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "22.03.6",
"revision": "r20265-f85a79bcb4",
"target": "ipq40xx/generic",
"description": "OpenWrt 22.03.6 r20265-f85a79bcb4"
}
}

Hi, thank you for your reply.
Yes, that is correct. I deactivated the 802.11r feature. I was not sure.

Thank you for your configuration. I'll try this in the next 12 hours.

Thank you, best regards

It doesn't look like this device is supported in 23.05, so 22.03.6 is probably the end of the line in terms of OpenWrt supported versions.

That said, I see a bunch of things in your network config that just don't look quite right. If disabling 802.11r doesn't solve the problem, we should revisit your network config (I'd actually suggest resetting to defaults and then building back up -- this will be much easier than fixing the issues).

Hi, thank you very much for your answer. I know that 22.03 is the last supported version.

This network config was the only way to get tagged VLANs based on the 802.1Q standard working.
The problem is the architecture of the board. But all VLANs are working perfectly. Every interface is reachable.

What is your recommendation for the network config?

Best regards Joerg

So one of the unusual things is here:

Typically the vlan is sequential (1, 2, 3...). If the vid is not specified, the VLAN ID will be the same. If a different VLAN ID is desired, that's when you use vid. What's unusual here is that you have non-sequential vlan and then a different vid -- this is true for all your VLANs.

Since you already have the switch config setup accordingly, you don't actually need the 802.1q stanzas.

The option type bridge should not be specified in the network interface stanza. Instead, it should be a separate device definition like this:

# Bridge declared as its own device section (the form this reply recommends);
# its only port is the VLAN sub-interface eth1.101.
# NOTE(review): the original poster's config tags its VLANs on eth0 with VIDs
# 1101-1103, so the port name here likely needs adapting -- confirm against the
# board's port layout before copying.
config device
	option name 'br-vlan1101'
	option type 'bridge'
	list ports 'eth1.101'

# Management interface: the one VLAN on which the AP keeps a static address and gateway.
config interface 'lan1101'
	option device 'br-vlan1101'
	option proto 'static'
	option ipaddr '192.168.12.4'
	option netmask '255.255.255.0'
	option gateway '192.168.12.1'

Also, for a dumb AP, it is best practice to only have an address on one interface -- that would be the one that is used to manage the device (i.e. a trusted lan or management network). The others should be unmanaged (note that I used the same br-vlanxxxx type device in the interface as I showed above):

# Unmanaged interface: proto 'none' assigns no IP address, so the AP only
# bridges this VLAN and is not itself addressable from it.
# It refers to a 'br-vlan1103' bridge device that must be defined separately.
config interface 'lan1103'
        option device 'br-vlan1103'
        option proto 'none'

WPJ419 is 'only' missing the DSA conversion, that should be doable - and coincidentally that would make VLANs on ipq40xx much easier…

Yes, the device currently isn't supported, but there is nothing fundamentally in the way of getting it supported again in the future, if someone with the device spends the development time needed on it to get it ported over to DSA. Yes, it needs work - and it needs work urgently, but it's not doomed.

Hello and happy new year,

i changed my network config and the network connection works fine with the board.

Every interface is up and available.

I tried the config example from @grifo, but had no success using Fast Transition. :frowning:

Thank you and Best regards

Hi, thank you for your comment. My VLANs are working very well. I haven't tried using DSA. My problem is using 802.11r with multiple access points.

thank you and best regards

I don't recommend 802.11r in most cases. Take a look at this thread:

And specifically this post from another thread:


Hi @all, thank you very much for all of your replies and information.

I tried a lot of configurations but had no success. I saw no log entries showing a valid fast BSS transition.

I have disabled 802.11r now.

Thank you and best regards

Could be related to client device, not to AP.
AFAIK to make roaming work, AP + Clients must be compatible.

Not all wifi devices support roaming.

Hello, Thank you for your Information. I tried this with iPhone se2 and supported Intel Client Wireless Chip. Apple and Intel support 802.11r

Best regards