802.1X dynamic VLAN with DSA config

Hi, for some time I have been using the configuration described here: https://openwrt.org/docs/guide-user/network/wifi/wireless.security.8021x for setting up dynamic VLAN assignment for wireless clients. It is working pretty well and I am more or less happy with this approach.

Right now I've got my hands on a new router that uses DSA instead of the legacy switch. Could anyone help me with how I should set up DSA, or alter the config, for the dynamic VLAN assignment? For now, according to the tutorial from the KB article, I've created a new bridge called br-vlan, enabled VLAN filtering and defined the VLANs. But this creates only one bridge and multiple VLAN (802.1q) devices.

For comparison, a screenshot from the legacy switch config:
[image]

and from the DSA based router:
[image]

Could anyone help me with how I should alter the wifi config to achieve the same functionality on the new device?

Thx.

Have you found a solution for dynamic vlan assignment on DSA?

I also would like to see if anyone can comment on this as I have a device that is moving from switch config to DSA and this is stopping me from moving forwards.

I just got one, and am migrating from swconfig too. Will put config snippets here. Working, although I still need to have a closer look at FT.

--- update ---
FT just works as with swconfig. DSA migration seems rather straightforward.

root@OpenWrt:/etc/config# cat network
...
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan'
        option ipv6 '0'

config interface 'lan'
        option proto 'dhcp'
        option device 'br-lan.1'
...
config bridge-vlan
        option device 'br-lan'
        option vlan 'redacted'
        list ports 'lan:u*'
...
config bridge-vlan
        option device 'br-lan'
        option vlan '172'
        list ports 'lan:t'
...
config bridge-vlan
        option device 'br-lan'
        option vlan '1723'
        list ports 'lan:t'

config interface 'VLAN172'
        option proto 'none'
        option type 'bridge'
        option device 'br-vlan172'

config device
        option type 'bridge'
        option name 'br-vlan172'
        option mtu '1500'
        option ipv6 '0'
        option macaddr 'D8:07:B6:4D:38:D2'
        option txqueuelen '1000'
        list ports 'br-lan.172'

config device
        option type 'bridge'
        option name 'br-vlan1723'
        option mtu '1500'
        option macaddr 'D8:07:B6:4D:38:D2'
        option txqueuelen '1000'
        option ipv6 '0'
        list ports 'br-lan.1723'

config interface 'VLAN1723'
        option proto 'none'
        option device 'br-vlan1723'

root@OpenWrt:/etc/config# cat wireless
config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel '36'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option encryption 'wpa2'
        option auth_port '1812'
        option auth_secret 'redacted'
        option auth_server 'redacted'
        option dynamic_vlan '2'
        option vlan_tagged_interface 'eth0'
        option vlan_bridge 'br-vlan'
        option vlan_naming '0'
...
        option reassociation_deadline '20000'
        option dtim_period '5'
        option wpa_group_rekey '72000'
        option max_inactivity '15'
        option rsn_preauth '1'
        option ssid 'redacted'
        option network 'VLAN172'

Both the RADIUS server and the router are external. The RADIUS server supplies the VLAN ID tag, which is set to either 172 or 1723, but can be extended arbitrarily (up to the applicable VLAN limit).

Thanks for the snippets. That was really helpful. I got my setup ALMOST working. If the RADIUS supplies a vlan id, the user ends up in the correct vlan.

However, if the server doesn't, I would still like the user to end up in a network. With a config analogous to the one here, I get
"DHCP packet received on wlan0-1 which has no address."

Not quite sure if this works in this case, but I use this for unknown stations... But I'm doing WPA2-PSK and use it only to assign the VLAN and ignore the whole bunch of WPA2-Enterprise security stuff.

DEFAULT Cleartext-Password := "%{User-Name}"
        Tunnel-Type = "VLAN",
        Tunnel-Medium-Type = "IEEE-802",
        Tunnel-Private-Group-Id = <guest Vlan>

I use fallthrough:

ash-4.3# more vlan-assignment
if (LDAP-Group == "<redacted>") {
        update reply {
                Tunnel-Type := "VLAN",
                Tunnel-Medium-Type := "IEEE-802",
                Tunnel-Private-Group-Id := "<redacted private VLAN>",
                Reply-Message := "Welcome to the Privileged WLAN"
        }
} else {
        update reply {
                Tunnel-Type := "VLAN",
                Tunnel-Medium-Type := "IEEE-802",
                Tunnel-Private-Group-Id := "<redacted Guest VLAN>",
                Reply-Message := "Welcome to the Guest WLAN %{User-Name} %{LDAP-Group}"
        }
}

How are you doing WPA2-PSK but only using it to assign the VLAN?

As soon as I add the RADIUS info it goes into WPA2 EAP mode and asks for all the enterprise info when I try to connect.

I'm doing this on a Netgear WAX218

It's been about 10 years since I last toyed with openwrt, so please forgive my lack of recent knowledge.

Configure wpa2 and set the radius server and password... Nothing fancy

I think you are misinterpreting things. Basically, you cannot combine RADIUS auth and PSK. PSK is validated locally on the device, contrary to WPA2-Enterprise, where a username and password (or certificate) is required. There are tons of threads on the internet, e.g. this one.

But vendors are implementing their own specific ways to fulfil what you are asking for. I know that Ubiquiti has a feature where the SSID is configured as PSK but the MAC is validated against RADIUS (using the MAC address as username and password). This is basically dynamic MAC filtering. Another way is IPSK from Meraki, but I've never touched that thing, so I cannot tell if dynamic VLAN assignment is possible. And it is definitely not possible with OpenWrt. If you want to stick with it, you have to choose either WPA2-Enterprise, where username and password will be required, or configure PSK and forget about dynamic VLAN. Or use both: WPA2-Enterprise for devices like phones, tablets etc., and a separate SSID with PSK (and ideally VLAN) for IoT devices that probably don't support WPA2-Enterprise. By the way, this is how I have my home wifi configured.

Yes exactly this.

Someone in another thread is doing it with a local file.

I'm trying this first before I try to do it via RADIUS. Seems there may be a way. But I'm learning this is more related to hostapd and not OpenWrt specifically.

It is. I have submitted the patch so that a user can configure PSK AND RADIUS to get the VLAN assignment from RADIUS.

https://github.com/openwrt/openwrt/pull/9255 got merged in June 2022

Oh, I wasn't aware of that. Thank you for this info. So then I agree with you, nothing fancy about this anymore.

Thanks for the help here, I had to deal with another project for a few days, back on this now.

Made some progress tonight but the issue I'm running into now.

With the linked solution it works great if the device is single port or legacy without a switch chip.

But if it has a switch, it uses the DSA config.

Many of these devices (including one I am testing, the EAP615) have severe VLAN limitations in the switch.

If I have say 32 total possible vlans, I can't pre-configure all 32 in the network file(well I can, but it won't work). With the non-dsa config, preconfiguring every vlan wasn't necessary, the interfaces are created on-the-fly by hostapd.

I understand all 32 couldn't be active simultaneously, but ~15 (switch limitation) should be able to.

Any direction on how this should be setup in a DSA config?

Do you have a sample config? I am trying to set this up but it's not working.

Summary:
You need a wireless config, a "hostapd vlan file", then you need to configure freeradius3:
a) the "clients", these are the APs allowed to connect to the radius server
b) you need to enable use_tunneled_reply (but please don't ask why I've done this two times)
c) the inner-tunnel [1] and
d) the end-user devices in authorize

My setup still runs on 21.02 with freeradius3 - 3_0_21-2.

# /etc/config/wireless
...
config wifi-iface
    option  disabled    '0'
    option  ifname      'wl2-8021x'
    option  device      'radio0'
    option  mode        'ap'
    option  ssid        '802.1x'
    option  encryption  'psk2+tkip+ccmp'
    option  key         'testing123'
    option  auth_server '192.168.16.1'
    option  auth_secret 'testing123'
    option  dynamic_vlan '2'
    option  vlan_bridge 'br-vlan'
    option  vlan_naming '0'
    option  vlan_file   '/etc/config/hostapd-wl2-8021x.vlan'
...
# /etc/config/hostapd-wl2-8021x.vlan
1       wl2-8021x.1     br-vlan1

65      wl2-8021x.65    br-vlan65
66      wl2-8021x.66    br-vlan66
67      wl2-8021x.67    br-vlan67

*       wl2-8021x.#     br-vlan#
# /etc/freeradius3/clients.conf.patch
268a269,282
>
> client net.mgmt.home.arpa_inet {
>       ipaddr          = 192.168.16.0/24
>       secret          = testing123
>       nas_type        = other
>       require_message_authenticator   = no
> }
> client net.mgmt.home.arpa_inet6 {
>       ipv6addr        = fde6:a09a:b373::/56
>       secret          = testing123
>       nas_type        = other
>       require_message_authenticator   = no
> }
>
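Review bot: `require_message_authenticator = no` in both new client blocks, combined with the FreeRADIUS example secret `testing123` and whole-subnet `ipaddr = 192.168.16.0/24` / `ipv6addr = fde6:a09a:b373::/56` ranges, means any host on either network that knows the example secret is accepted as a NAS. hostapd adds Message-Authenticator to its Access-Requests (it is mandatory whenever EAP-Message is present), so `require_message_authenticator = yes` costs nothing here; pair it with a unique per-AP secret and, where the APs have fixed addresses, one `client` entry per AP instead of a subnet.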
# /etc/freeradius3/mods-available/eap.patch
739c739
<               use_tunneled_reply = no
---
>               use_tunneled_reply = yes
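Review bot: `use_tunneled_reply = yes` is what copies the Tunnel-Type / Tunnel-Medium-Type / Tunnel-Private-Group-Id reply items from the inner tunnel (where the `authorize` file is evaluated against the inner identity) into the outer Access-Accept, so the AP actually receives the VLAN. The 3.0.x `eap` file comments mark this option as deprecated in favour of the inner-tunnel post-auth policy, which this same post also switches on in `inner-tunnel.patch`; keeping both is the duplication the summary alludes to, so pick one. The `844c844` hunk below is the identical change for the other tunnelled EAP method.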
844c844
<               use_tunneled_reply = no
---
>               use_tunneled_reply = yes
# /etc/freeradius3/mods-config/files/authorize

# Example of a "known station"
"f8adcb207931" Cleartext-Password := "f8adcb207931"
        Tunnel-Type = "VLAN",
        Tunnel-Medium-Type = "IEEE-802",
        Tunnel-Private-Group-Id = 65

# All "unknown stations"
DEFAULT Cleartext-Password := "%{User-Name}"
        Tunnel-Type = "VLAN",
        Tunnel-Medium-Type = "IEEE-802",
        Tunnel-Private-Group-Id = 67
# /etc/freeradius3/sites-available/inner-tunnel.patch
336c336
<       if (0) {
---
>       if (1) {
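Review bot: flipping `if (0)` to `if (1)` at line 336 of `sites-available/inner-tunnel` enables the stock post-auth block that strips tunnel-only attributes (User-Name, EAP-Message, MS-MPPE-* keys and so on) and copies the remaining inner reply into the outer `session-state`; that is the supported replacement for `use_tunneled_reply`, so with `eap.patch` applied as well the Tunnel-* items may reach the outer reply twice. Keep one of the two mechanisms and confirm with `radiusd -X` that the final Access-Accept carries a single set of Tunnel-* attributes.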
ln -s /etc/freeradius3/mods-config/files/authorize /etc/freeradius3/users

[1] Again I have no ****ing clue what I have done. Half of this was copy/pasted from various sources till it somehow worked.

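The two configs above (the DSA post with br-lan bridge-vlans plus one br-vlanN bridge per VLAN, and the 21.02 post with a hostapd vlan_file) have to agree with each other, and when they do not, hostapd creates the wlan sub-interface but has no bridge to put it in. The following is an added example written for this thread (not code from the posts, OpenWrt or hostapd) that parses /etc/config/network and a hostapd vlan_file and reports the mismatches: a bridge named in the vlan file that the network config never creates, and, for the DSA layout, a br-vlanN bridge whose port is br-lan.N while br-lan has no matching bridge-vlan. It accepts both the DSA `config device` style and the swconfig-era `config interface ... option type 'bridge'` style (which becomes br-<name>). Function names and the embedded sample config are the author's own; the sample mirrors the DSA post with the bridge-vlan for 1723 deliberately left out.

```python
"""Cross-check a hostapd vlan_file against /etc/config/network (added example)."""
import re
from collections import defaultdict

_TOKEN = re.compile(r"'([^']*)'|\"([^\"]*)\"|(\S+)")


def _split(line):
    """Tokenise one UCI line, honouring single and double quotes."""
    return [next(g for g in m.groups() if g is not None)
            for m in _TOKEN.finditer(line)]


def parse_uci(text):
    """Minimal UCI parser: list of {'type', 'name', 'options', 'lists'}."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        tok = _split(line)
        if tok[0] == 'config' and len(tok) > 1:
            cur = {'type': tok[1], 'name': tok[2] if len(tok) > 2 else None,
                   'options': {}, 'lists': defaultdict(list)}
            sections.append(cur)
        elif cur is not None and len(tok) > 2 and tok[0] == 'option':
            cur['options'][tok[1]] = tok[2]
        elif cur is not None and len(tok) > 2 and tok[0] == 'list':
            cur['lists'][tok[1]].append(tok[2])
    return sections


def bridges(sections):
    """Map bridge name -> member ports, for the DSA and the swconfig-era style."""
    ports_of = {}
    for s in sections:
        o = s['options']
        if s['type'] == 'device' and o.get('type') == 'bridge' and 'name' in o:
            ports_of[o['name']] = list(s['lists']['ports'])
        elif s['type'] == 'interface' and o.get('type') == 'bridge' and s['name']:
            ports_of['br-' + s['name']] = o.get('ifname', '').split()  # netifd names it br-<name>
    return ports_of


def parse_vlan_file(text):
    """hostapd vlan_file rows: '<vid> <wlan ifname> [bridge]'; '#' at line start is a comment."""
    rows = []
    for raw in text.splitlines():
        f = raw.split()
        if f and not f[0].startswith('#') and len(f) >= 2:
            rows.append((f[0], f[1], f[2] if len(f) > 2 else None))
    return rows


def check_dynamic_vlan(network_text, vlan_file_text):
    """Return human-readable problems; an empty list means the two files agree."""
    sections = parse_uci(network_text)
    ports_of = bridges(sections)
    bridge_vlans = {(s['options'].get('device'), s['options'].get('vlan'))
                    for s in sections if s['type'] == 'bridge-vlan'}
    problems = []
    for vid, _wlan, br in parse_vlan_file(vlan_file_text):
        if vid == '*':
            continue  # wildcard row: hostapd expands '#' at run time, nothing static to check
        if not vid.isdigit() or not 1 <= int(vid) <= 4094:
            problems.append(f'vlan {vid!r}: not a valid 802.1Q VLAN ID')
            continue
        if br is None:
            continue  # hostapd falls back to vlan_bridge + VID from the wireless config
        if br not in ports_of:
            problems.append(f'vlan {vid}: bridge {br} is not defined in network config')
            continue
        for port in ports_of[br]:
            parent, _, pvid = port.rpartition('.')
            # DSA layout: br-vlanN holds br-lan.N, so br-lan must carry bridge-vlan N
            if pvid == vid and parent in ports_of and (parent, vid) not in bridge_vlans:
                problems.append(f'vlan {vid}: {br} uses {port} but {parent} has no bridge-vlan {vid}')
    return problems


# Constructed sample mirroring the DSA post; bridge-vlan 1723 is left out on purpose.
DSA_NETWORK = """
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan'

config bridge-vlan
        option device 'br-lan'
        option vlan '172'
        list ports 'lan:t'

config device
        option type 'bridge'
        option name 'br-vlan172'
        list ports 'br-lan.172'

config device
        option type 'bridge'
        option name 'br-vlan1723'
        list ports 'br-lan.1723'
"""
DSA_VLAN_FILE = "172 wlan0.172 br-vlan172\n1723 wlan0.1723 br-vlan1723\n* wlan0.# br-vlan#\n"

if __name__ == '__main__':
    for p in check_dynamic_vlan(DSA_NETWORK, DSA_VLAN_FILE):
        print(p)
```

Run it on the real files with `check_dynamic_vlan(open('/etc/config/network').read(), open('/etc/config/hostapd-wl2-8021x.vlan').read())`; on the sample it reports only VLAN 1723, because br-vlan1723 is defined but br-lan will never forward tag 1723 to it.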

Thanks for providing the configs.
I set up freeradius on my Archer A7v5 running OpenWrt following the official instructions here.
In those instructions, it asked me to disable the 'pap' protocol. Due to that I was getting this error:

(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) files: users: Matched entry 5ad882695ad9 at line 1
(0)     [files] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0)   } # authorize = ok
(0) WARNING: No module configured to handle comparisons with &control:Cleartext-Password
(0) WARNING: Add pap or chap to the authorize { ... } and authenticate { ... } sections of this virtual server to handle this "known good" password type
(0) ERROR: No Auth-Type found: rejecting the user via Post-Auth-Type = Reject
(0) Failed to authenticate the user
(0) Using Post-Auth-Type Reject

In addition to the official instructions, I just enabled 'pap' again by uncommenting the 'pap' block which I had commented out in the first place, and everything started working fine.
The eap.patch and inner-tunnel.patch that you mentioned, I didn't apply them, because they weren't in the official docs, and it's working fine for me without those.
I also had to add

option ppsk '1'

to the wireless config. Without that, I was getting a PSK mismatch error, even though Tunnel-Password was specified on the RADIUS server.
Also i had to manually add r0kh and r1kh keys to get roaming working.

Here's my final config,
I have 4 Archer A7v5 (1 router, 3 as dumb APs, hardwired)
5 VLANs (WAN, LAN, GUEST, IOT, GAMING) (Guest has SQM at 60Mbps, Gaming at 100Mbps).
I've got 400Mbps down and up fiber to the home.
2 SSIDs (1 with WPA2-Enterprise for LAN devices, another with WPA2-PSK with dynamic VLANs) (surprisingly, all my IoT devices work fine on this dynamic VLAN SSID)
802.11k/v/r with DAWN is enabled on both SSID.

/etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'pci0000:00/0000:00:00.0'
        option band '5g'
        option cell_density '0'
        option country 'IN'
        option channel 'auto'
        option txpower '15'
        option htmode 'VHT80'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'Network'
        option ieee80211r '1'
        option reassociation_deadline '20000'
        option dtim_period '3'
        option disassoc_low_ack '0'
        option bss_transition '1'
        option wnm_sleep_mode '1'
        option time_advertisement '2'
        option time_zone 'IST-5:30'
        option ieee80211k '1'
        option encryption 'wpa2+ccmp'
        option auth_secret 'xx'
        option acct_secret 'xx'
        option auth_server '172.26.31.1'
        option acct_server '172.26.31.1'
        option ft_over_ds '0'
        option ft_psk_generate_local '0'
        option wnm_sleep_mode_no_keys '1'
        option proxy_arp '1'
        option rsn_preauth '1'
        option eap_reauth_period '0'
        option mbo '1'
        option ieee80211w '1'
        option mobility_domain '541d'
        option pmk_r1_push '1'
        option nasid '005f678051ec'
        option r1_key_holder '005f678051ec'
        list r0kh '00:5f:67:80:51:ec,005f678051ec,10309ceadb4262ab28037306aef34fbb'
        list r0kh '00:5f:67:80:51:ed,005f678051ed,10309ceadb4262ab28037306aef34fbb'
        list r0kh '5c:a6:e6:b8:7e:07,5ca6e6b87e07,10309ceadb4262ab28037306aef34fbb'
        list r0kh '5c:a6:e6:b8:7e:08,5ca6e6b87e08,10309ceadb4262ab28037306aef34fbb'
        list r0kh '5c:a6:e6:b8:7d:8c,5ca6e6b87d8c,10309ceadb4262ab28037306aef34fbb'
        list r0kh '5c:a6:e6:b8:7d:8d,5ca6e6b87d8d,10309ceadb4262ab28037306aef34fbb'
        list r0kh '3c:84:6a:ad:a3:e6,3c846aada3e6,10309ceadb4262ab28037306aef34fbb'
        list r0kh '3c:84:6a:ad:a3:e7,3c846aada3e7,10309ceadb4262ab28037306aef34fbb'
        list r1kh '00:5f:67:80:51:ec,00:5f:67:80:51:ec,10309ceadb4262ab28037306aef34fbb'
        list r1kh '00:5f:67:80:51:ed,00:5f:67:80:51:ed,10309ceadb4262ab28037306aef34fbb'
        list r1kh '5c:a6:e6:b8:7e:07,5c:a6:e6:b8:7e:07,10309ceadb4262ab28037306aef34fbb'
        list r1kh '5c:a6:e6:b8:7e:08,5c:a6:e6:b8:7e:08,10309ceadb4262ab28037306aef34fbb'
        list r1kh '5c:a6:e6:b8:7d:8c,5c:a6:e6:b8:7d:8c,10309ceadb4262ab28037306aef34fbb'
        list r1kh '5c:a6:e6:b8:7d:8d,5c:a6:e6:b8:7d:8d,10309ceadb4262ab28037306aef34fbb'
        list r1kh '3c:84:6a:ad:a3:e6,3c:84:6a:ad:a3:e6,10309ceadb4262ab28037306aef34fbb'
        list r1kh '3c:84:6a:ad:a3:e7,3c:84:6a:ad:a3:e7,10309ceadb4262ab28037306aef34fbb'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/ahb/18100000.wmac'
        option band '2g'
        option cell_density '0'
        option country 'IN'
        option channel 'auto'
        option txpower '15'
        option htmode 'HT40'
        option noscan '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'Network'
        option ieee80211r '1'
        option reassociation_deadline '20000'
        option dtim_period '3'
        option disassoc_low_ack '0'
        option bss_transition '1'
        option wnm_sleep_mode '1'
        option time_advertisement '2'
        option time_zone 'IST-5:30'
        option ieee80211k '1'
        option encryption 'wpa2+ccmp'
        option auth_server '172.26.31.1'
        option auth_secret 'xx'
        option acct_server '172.26.31.1'
        option acct_secret 'xx'
        option ft_over_ds '0'
        option ft_psk_generate_local '0'
        option wnm_sleep_mode_no_keys '1'
        option proxy_arp '1'
        option rsn_preauth '1'
        option eap_reauth_period '0'
        option mbo '1'
        option ieee80211w '1'
        option mobility_domain '541d'
        option pmk_r1_push '1'
        option nasid '005f678051ed'
        option r1_key_holder '005f678051ed'
        list r0kh '00:5f:67:80:51:ec,005f678051ec,10309ceadb4262ab28037306aef34fbb'
        list r0kh '00:5f:67:80:51:ed,005f678051ed,10309ceadb4262ab28037306aef34fbb'
        list r0kh '5c:a6:e6:b8:7e:07,5ca6e6b87e07,10309ceadb4262ab28037306aef34fbb'
        list r0kh '5c:a6:e6:b8:7e:08,5ca6e6b87e08,10309ceadb4262ab28037306aef34fbb'
        list r0kh '5c:a6:e6:b8:7d:8c,5ca6e6b87d8c,10309ceadb4262ab28037306aef34fbb'
        list r0kh '5c:a6:e6:b8:7d:8d,5ca6e6b87d8d,10309ceadb4262ab28037306aef34fbb'
        list r0kh '3c:84:6a:ad:a3:e6,3c846aada3e6,10309ceadb4262ab28037306aef34fbb'
        list r0kh '3c:84:6a:ad:a3:e7,3c846aada3e7,10309ceadb4262ab28037306aef34fbb'
        list r1kh '00:5f:67:80:51:ec,00:5f:67:80:51:ec,10309ceadb4262ab28037306aef34fbb'
        list r1kh '00:5f:67:80:51:ed,00:5f:67:80:51:ed,10309ceadb4262ab28037306aef34fbb'
        list r1kh '5c:a6:e6:b8:7e:07,5c:a6:e6:b8:7e:07,10309ceadb4262ab28037306aef34fbb'
        list r1kh '5c:a6:e6:b8:7e:08,5c:a6:e6:b8:7e:08,10309ceadb4262ab28037306aef34fbb'
        list r1kh '5c:a6:e6:b8:7d:8c,5c:a6:e6:b8:7d:8c,10309ceadb4262ab28037306aef34fbb'
        list r1kh '5c:a6:e6:b8:7d:8d,5c:a6:e6:b8:7d:8d,10309ceadb4262ab28037306aef34fbb'
        list r1kh '3c:84:6a:ad:a3:e6,3c:84:6a:ad:a3:e6,10309ceadb4262ab28037306aef34fbb'
        list r1kh '3c:84:6a:ad:a3:e7,3c:84:6a:ad:a3:e7,10309ceadb4262ab28037306aef34fbb'

config wifi-iface 'wifinet8'
        option device 'radio0'
        option mode 'ap'
        option ssid 'Network Home'
        option encryption 'psk2'
        option network 'GUEST'
        option auth_server '172.26.31.1'                                                
        option auth_secret 'xx'                                   
        option acct_server '172.26.31.1'                                                
        option acct_secret 'xx'
        option ppsk '1'
        option dynamic_vlan '2'
        option vlan_file '/etc/config/hostapd0.vlan'
        option vlan_naming '1'                                                          
        option vlan_tagged_interface 'eth0'                                             
        option vlan_bridge 'br-'
        option ieee80211r '1'
        option reassociation_deadline '20000'
        option dtim_period '3'
        option disassoc_low_ack '0'
        option bss_transition '1'
        option wnm_sleep_mode '1'
        option time_advertisement '2'
        option time_zone 'IST-5:30'
        option ieee80211k '1'
        option ft_over_ds '0'
        option ft_psk_generate_local '0'
        option wnm_sleep_mode_no_keys '1'
        option proxy_arp '1'
        option rsn_preauth '1'
        option eap_reauth_period '0'
        option ieee80211w '1'
        option mbo '1'
        option mobility_domain '6d7f'
        option pmk_r1_push '1'
        option nasid '025f678051ec'
        option r1_key_holder '025f678051ec'
        list r0kh '02:5f:67:80:51:ec,025f678051ec,e43e0dc9603a428feaefe1bb4d54dbd2'
        list r0kh '02:5f:67:80:51:ed,025f678051ed,e43e0dc9603a428feaefe1bb4d54dbd2'
        list r0kh '5e:a6:e6:b8:7e:07,5ea6e6b87e07,e43e0dc9603a428feaefe1bb4d54dbd2'
        list r0kh '5e:a6:e6:b8:7e:08,5ea6e6b87e08,e43e0dc9603a428feaefe1bb4d54dbd2'
        list r0kh '5e:a6:e6:b8:7d:8c,5ea6e6b87d8c,e43e0dc9603a428feaefe1bb4d54dbd2'
        list r0kh '5e:a6:e6:b8:7d:8d,5ea6e6b87d8d,e43e0dc9603a428feaefe1bb4d54dbd2'
        list r0kh '3e:84:6a:ad:a3:e6,3e846aada3e6,e43e0dc9603a428feaefe1bb4d54dbd2'
        list r0kh '3e:84:6a:ad:a3:e7,3e846aada3e7,e43e0dc9603a428feaefe1bb4d54dbd2'
        list r1kh '02:5f:67:80:51:ec,02:5f:67:80:51:ec,e43e0dc9603a428feaefe1bb4d54dbd2'
        list r1kh '02:5f:67:80:51:ed,02:5f:67:80:51:ed,e43e0dc9603a428feaefe1bb4d54dbd2'
        list r1kh '5e:a6:e6:b8:7e:07,5e:a6:e6:b8:7e:07,e43e0dc9603a428feaefe1bb4d54dbd2'
        list r1kh '5e:a6:e6:b8:7e:08,5e:a6:e6:b8:7e:08,e43e0dc9603a428feaefe1bb4d54dbd2'
        list r1kh '5e:a6:e6:b8:7d:8c,5e:a6:e6:b8:7d:8c,e43e0dc9603a428feaefe1bb4d54dbd2'
        list r1kh '5e:a6:e6:b8:7d:8d,5e:a6:e6:b8:7d:8d,e43e0dc9603a428feaefe1bb4d54dbd2'
        list r1kh '3e:84:6a:ad:a3:e6,3e:84:6a:ad:a3:e6,e43e0dc9603a428feaefe1bb4d54dbd2'
        list r1kh '3e:84:6a:ad:a3:e7,3e:84:6a:ad:a3:e7,e43e0dc9603a428feaefe1bb4d54dbd2'

config wifi-iface 'wifinet10'
        option device 'radio1'
        option mode 'ap'
        option ssid 'Network Home'
        option encryption 'psk2'
        option network 'GUEST'
        option auth_server '172.26.31.1'                                                
        option auth_secret 'xx'                                   
        option acct_server '172.26.31.1'                                                
        option acct_secret 'xx'
        option ppsk '1'
        option dynamic_vlan '2'
        option vlan_file '/etc/config/hostapd1.vlan'
        option vlan_naming '1'                                                          
        option vlan_tagged_interface 'eth0'                                             
        option vlan_bridge 'br-'
        option ieee80211r '1'
        option reassociation_deadline '20000'
        option dtim_period '3'
        option disassoc_low_ack '0'
        option bss_transition '1'
        option wnm_sleep_mode '1'
        option time_advertisement '2'
        option time_zone 'IST-5:30'
        option ieee80211k '1'
        option ft_over_ds '0'
        option ft_psk_generate_local '0'
        option wnm_sleep_mode_no_keys '1'
        option proxy_arp '1'
        option rsn_preauth '1'
        option eap_reauth_period '0'
        option ieee80211w '1'
        option mbo '1'
        option mobility_domain '6d7f'
        option pmk_r1_push '1'
        option nasid '025f678051ed'
        option r1_key_holder '025f678051ed'
        list r0kh '02:5f:67:80:51:ec,025f678051ec,e43e0dc9603a428feaefe1bb4d54dbd2'
        list r0kh '02:5f:67:80:51:ed,025f678051ed,e43e0dc9603a428feaefe1bb4d54dbd2'
        list r0kh '5e:a6:e6:b8:7e:07,5ea6e6b87e07,e43e0dc9603a428feaefe1bb4d54dbd2'
        list r0kh '5e:a6:e6:b8:7e:08,5ea6e6b87e08,e43e0dc9603a428feaefe1bb4d54dbd2'
        list r0kh '5e:a6:e6:b8:7d:8c,5ea6e6b87d8c,e43e0dc9603a428feaefe1bb4d54dbd2'
        list r0kh '5e:a6:e6:b8:7d:8d,5ea6e6b87d8d,e43e0dc9603a428feaefe1bb4d54dbd2'
        list r0kh '3e:84:6a:ad:a3:e6,3e846aada3e6,e43e0dc9603a428feaefe1bb4d54dbd2'
        list r0kh '3e:84:6a:ad:a3:e7,3e846aada3e7,e43e0dc9603a428feaefe1bb4d54dbd2'
        list r1kh '02:5f:67:80:51:ec,02:5f:67:80:51:ec,e43e0dc9603a428feaefe1bb4d54dbd2'
        list r1kh '02:5f:67:80:51:ed,02:5f:67:80:51:ed,e43e0dc9603a428feaefe1bb4d54dbd2'
        list r1kh '5e:a6:e6:b8:7e:07,5e:a6:e6:b8:7e:07,e43e0dc9603a428feaefe1bb4d54dbd2'
        list r1kh '5e:a6:e6:b8:7e:08,5e:a6:e6:b8:7e:08,e43e0dc9603a428feaefe1bb4d54dbd2'
        list r1kh '5e:a6:e6:b8:7d:8c,5e:a6:e6:b8:7d:8c,e43e0dc9603a428feaefe1bb4d54dbd2'
        list r1kh '5e:a6:e6:b8:7d:8d,5e:a6:e6:b8:7d:8d,e43e0dc9603a428feaefe1bb4d54dbd2'
        list r1kh '3e:84:6a:ad:a3:e6,3e:84:6a:ad:a3:e6,e43e0dc9603a428feaefe1bb4d54dbd2'
        list r1kh '3e:84:6a:ad:a3:e7,3e:84:6a:ad:a3:e7,e43e0dc9603a428feaefe1bb4d54dbd2'

/etc/config/hostapd0.vlan

1 wlan0.1 br-lan
3 wlan0.3 br-iot
4 wlan0.4 br-guest
5 wlan0.5 br-gaming

/etc/config/hostapd1.vlan

1 wlan1.1 br-lan
3 wlan1.3 br-iot
4 wlan1.4 br-guest
5 wlan1.5 br-gaming

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0.1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '172.26.31.1'
        option delegate '0'
        option ipv6 '0'

config device
        option name 'eth0.2'
        option macaddr '00:5f:67:80:51:ee'

config interface 'wan'
        option device 'eth0.2'
        option proto 'static'
        option ipaddr '172.26.1.50'
        option netmask '255.255.255.0'
        option gateway '172.26.1.1'
        list dns '1.1.1.2'
        list dns '1.0.0.2'
        option ipv6 '0'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 2t 3 4'
        option vid '1'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 1'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option ports '0t 2t'
        option vid '3'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option ports '0t 2t'
        option vid '4'

config device
        option type 'bridge'
        option name 'br-guest'
        list ports 'eth0.4'

config device
        option type 'bridge'
        option name 'br-iot'
        list ports 'eth0.3'

config interface 'GUEST'
        option proto 'static'
        option device 'br-guest'
        option ipaddr '172.26.30.1'
        option netmask '255.255.255.0'
        option ipv6 '0'

config interface 'IOT'
        option proto 'static'
        option device 'br-iot'
        option ipaddr '172.26.32.1'
        option netmask '255.255.255.0'
        option ipv6 '0'

config switch_vlan
        option device 'switch0'
        option vlan '5'
        option ports '0t 2t'
        option vid '5'

config device
        option type 'bridge'
        option name 'br-gaming'
        list ports 'eth0.5'

config interface 'GAMING'
        option proto 'static'
        option device 'br-gaming'
        option ipaddr '172.26.33.1'
        option netmask '255.255.255.0'
        option ipv6 '0'

/etc/config/dawn

config local
        option loglevel '0'

config network
        option broadcast_ip '172.26.31.255'
        option broadcast_port '1025'
        option tcp_port '1026'
        option network_option '2'
        option shared_key 'Niiiiiiiiiiiiick'
        option iv 'Niiiiiiiiiiiiick'
        option use_symm_enc '0'
        option collision_domain '-1'
        option bandwidth '-1'

config hostapd
        option hostapd_dir '/var/run/hostapd'

config times
        option update_client '10'
        option remove_client '15'
        option remove_probe '30'
        option remove_ap '460'
        option update_hostapd '10'
        option update_tcp_con '10'
        option update_chan_util '5'
        option update_beacon_reports '20'
        option con_timeout '60'


config metric 'global'
        option min_probe_count '3'
        option bandwidth_threshold '100' #changed
        option use_station_count '0'
        option max_station_diff '1'
        option eval_probe_req '0'
        option eval_auth_req '0'
        option eval_assoc_req '0'
        option kicking '1' #changed
        option kicking_threshold '20'
        option deny_auth_reason '1'
        option deny_assoc_reason '17'
        option min_number_to_kick '2' #changed
        option chan_util_avg_period '3'
        option set_hostapd_nr '2' #changed
        option duration '120'
        option rrm_mode 'tap'

config metric '802_11g'
        option initial_score '55' #changed
        option ht_support '5'
        option vht_support '5'
        option no_ht_support '0'
        option no_vht_support '0'
        option rssi '15'
        option rssi_val '-60'
        option low_rssi_val '-80'
        option low_rssi '-15'
        option chan_util '0'
        option chan_util_val '140'
        option max_chan_util '-15'
        option max_chan_util_val '170'
        option rssi_weight '4' #changed
        option rssi_center '-70'

config metric '802_11a'
        option initial_score '100'
        option ht_support '7' #changed
        option vht_support '7' #changed
        option no_ht_support '0'
        option no_vht_support '0'
        option rssi '15'
        option rssi_val '-60'
        option low_rssi_val '-80'
        option low_rssi '-15'
        option chan_util '0'
        option chan_util_val '140'
        option max_chan_util '-15'
        option max_chan_util_val '170'
        option rssi_weight '4' #changed
        option rssi_center '-70'

These configs are for the router. Setting SQM on eth0.5 to limit my VLAN 5's bandwidth was not working since traffic goes straight to the WAN interface.
So I had to put SQM on the dynamic wlan0.5 and wlan1.5 interfaces and add a cronjob to restart SQM and DAWN about 5 min after I reboot the router. I reboot all my 4 Archers every morning to let them auto-negotiate the optimal wifi channel.

I have added my IOT devices like so in /etc/freeradius3/mods-config/files/authorize

"607ea461118b"  Cleartext-Password := "607ea461118b" #iot1
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 3,
        Tunnel-Password = network@iot123
"607ea4611bda"  Cleartext-Password := "607ea4611bda" #iot2
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 3,
        Tunnel-Password = network@iot123
user@gmail.com Cleartext-Password := "xyz"
        Reply-Message = "Hi user. Welcome to my Network."
DEFAULT Cleartext-Password := "%{User-Name}" #GUEST Users
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = 4,
        Tunnel-Password = xyz #guest

The last DEFAULT block is for guest users which can have any mac address. I then use this script to auto-rotate the guest password every week.

#!/bin/ash

# 12-character guest password from an alphabet without look-alike characters
# (no 0/1/I/O/i/l/o) and without anything that needs escaping in the WIFI: QR string
password=`cat /dev/urandom | env LC_CTYPE=C tr -dc _ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjklmnpqrstuvwxyz23456789- | head -c 12; echo;`

# Tiny JS module that the QR-code page imports
one="const gpass = '${password}';"
two="export default gpass;"
file="${one}"$'\n'"${two}"

content=$(echo "${file}" | base64)

# Update guest.js in the repo; the GitHub contents API requires the current blob sha
curl -i -X PUT -H 'Authorization: token xyz' -d "{\"path\": \"/xyz/guest.js\", \
\"message\": \"update guest password\", \"content\": \"${content}\", \"branch\": \"main\",\
\"sha\": $(curl -X GET https://api.github.com/repos/xyz/guest-qr/contents/xyz/guest.js | jq .sha)}" \
https://api.github.com/repos/xyz/guest-qr/contents/xyz/guest.js

# Local copy of the QR code under /www
ssid='Network Home'
security=WPA2
qrencode -t SVG -o /www/wifi.svg "WIFI:S:${ssid};T:${security};P:${password};;"

# Swap the password in the DEFAULT (guest) entry and reload FreeRADIUS
sed -i 's/Tunnel-Password = .* #guest/Tunnel-Password = '"${password}"' #guest/' /etc/freeradius3/mods-config/files/authorize
/etc/init.d/radiusd restart

This script also uploads the generated password to my GitHub repo, which generates a QR code for it, for which I have a static URL that anyone can open and join.
I use this repo for that.

Also, something neat I found. This command sets the AQL TX limits a bit lower on my Archer A7v5, which improves latency a lot, at the cost of maximum bandwidth.

for phy in phy0 phy1; do
    for ac in 1 2 3; do echo $ac 1000 2000 > /sys/kernel/debug/ieee80211/$phy/aql_txq_limit; done
    echo 0 1000 1000 > /sys/kernel/debug/ieee80211/$phy/aql_txq_limit
done

I get around 270Mbps down and 300Mbps up on 5GHz wifi, which is plenty for me. I'll probably downgrade to a 300Mbps connection soon.

Note: Can someone explain to me what the "Reply-Message = " option of the RADIUS server does exactly? I thought I would get some sort of message on client devices, but it's not working. Maybe it's not implemented by any Android devices? I don't know much about RADIUS servers.

Hope these findings and configs help someone.

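The post above drives per-device PSKs and VLANs entirely from the FreeRADIUS users file: the station MAC is both User-Name and Cleartext-Password, the reply carries Tunnel-Private-Group-Id for the VLAN and Tunnel-Password for the PSK that hostapd's ppsk mode applies to that station, a DEFAULT entry at the end catches unknown MACs, and a sed one-liner rotates the guest password. What follows is an added example for this thread (not code from the post, FreeRADIUS or hostapd) that generates those entries from a small inventory, validates the inputs (MAC normalised to the hostapd username form, VLAN in 1..4094, passphrase 8..63 printable ASCII), rotates the Tunnel-Password of the DEFAULT entry only, and builds the WIFI: QR payload with the escaping the format requires. The inventory, the passphrase alphabet and all function names are the author's own.

```python
"""Build and rotate FreeRADIUS 'users' entries for per-device PSK + dynamic VLAN (added example)."""
import re
import secrets
import string

# No quotes, backslashes, '#', ';', ',' or ':' so a PSK never needs escaping
# in the users file or in a WIFI: QR payload.
PSK_ALPHABET = string.ascii_letters + string.digits + '_-'

_DEFAULT_BLOCK = re.compile(r'^DEFAULT\b.*(?:\n[ \t].*)*', re.M)
_TUNNEL_PW = re.compile(
    r'^([ \t]*Tunnel-Password[ \t]*=[ \t]*)("?)([^"\n#]*?)\2[ \t]*(#.*)?$', re.M)


def normalize_mac(mac):
    """hostapd sends the station MAC as User-Name in lowercase hex without
    separators (e.g. 'f8adcb207931'); accept any common notation."""
    digits = re.sub(r'[^0-9a-fA-F]', '', mac).lower()
    if len(digits) != 12:
        raise ValueError(f'not a MAC address: {mac!r}')
    return digits


def validate_psk(psk):
    """WPA2 passphrases are 8..63 printable ASCII characters."""
    if not 8 <= len(psk) <= 63 or not all(32 <= ord(c) <= 126 for c in psk):
        raise ValueError('PSK must be 8..63 printable ASCII characters')
    return psk


def generate_psk(length=16):
    """CSPRNG-backed passphrase via the secrets module."""
    return ''.join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def users_entry(name, vlan, psk, comment=None):
    """One entry; name is a station MAC, or 'DEFAULT' for the catch-all."""
    if not 1 <= int(vlan) <= 4094:
        raise ValueError(f'VLAN {vlan} outside 1..4094')
    if name == 'DEFAULT':
        # Matches any station; the password must equal the MAC that hostapd
        # sends as User-Name, hence the %{User-Name} expansion.
        head = 'DEFAULT Cleartext-Password := "%{User-Name}"'
    else:
        mac = normalize_mac(name)
        head = f'"{mac}" Cleartext-Password := "{mac}"'
    if comment:
        head += f' #{comment}'
    return '\n'.join([head,
                      '\tTunnel-Type = VLAN,',
                      '\tTunnel-Medium-Type = IEEE-802,',
                      f'\tTunnel-Private-Group-Id = {int(vlan)},',
                      f'\tTunnel-Password = "{validate_psk(psk)}"'])


def build_users_file(devices, guest_vlan, guest_psk):
    """devices: iterable of (mac, vlan, psk, comment). The files module stops
    at the first matching entry, so the DEFAULT catch-all must come last."""
    entries = [users_entry(*d) for d in devices]
    entries.append(users_entry('DEFAULT', guest_vlan, guest_psk, 'guest'))
    return '\n'.join(entries) + '\n'


def rotate_guest_psk(users_text, new_psk):
    """Replace Tunnel-Password inside the DEFAULT entry only; per-device
    entries (and their PSKs) are left byte-for-byte intact."""
    validate_psk(new_psk)
    m = _DEFAULT_BLOCK.search(users_text)
    if not m:
        raise ValueError('no DEFAULT entry found')
    block, n = _TUNNEL_PW.subn(
        lambda t: f'{t.group(1)}"{new_psk}"' + (f' {t.group(4)}' if t.group(4) else ''),
        m.group(0))
    if n != 1:
        raise ValueError('DEFAULT entry must carry exactly one Tunnel-Password')
    return users_text[:m.start()] + block + users_text[m.end():]


def wifi_qr_payload(ssid, psk):
    """'WIFI:' string for qrencode; backslash, ';', ',', ':' and '"' inside
    the fields must be backslash-escaped."""
    esc = lambda s: re.sub(r'([\\;,:"])', r'\\\1', s)
    return f'WIFI:S:{esc(ssid)};T:WPA;P:{esc(psk)};;'


# Constructed inventory: (MAC in any notation, VLAN, PSK, comment).
DEVICES = [('60:7E:A4:61:11:8B', 3, 'network@iot123', 'iot1'),
           ('607e.a461.1bda', 3, 'network@iot123', 'iot2')]

if __name__ == '__main__':
    users = build_users_file(DEVICES, guest_vlan=4, guest_psk=generate_psk())
    print(rotate_guest_psk(users, generate_psk()))
```

A weekly cron job would call `rotate_guest_psk` on the existing file, write it back, regenerate the QR code from `wifi_qr_payload` and reload radiusd; because only the DEFAULT block is touched, the IoT PSKs above survive the rotation unchanged.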

I really do appreciate your effort on providing your full setup and steps you undertook! Thanks.
