802.1X Dynamic VLANs not working

So, I have been trying to get this to work for what feels like forever, and yet it's still not working as expected. And yes, I have trawled the internet high and low to no avail.

The go to link appears to be:

Introduction to 802.1X
[OpenWrt Wiki] Introduction to 802.1X

Which I have read and reread. However, this is for swconfig and it appears my router has moved across to DSA.

What I have working currently:
I have created two SSIDs linked to each of the VLAN networks created, and when connected to each, I would get the correct IP range from that VLAN.
When creating an SSID based on EAP, I can see in the packetfence logs that the AP is reaching out and authenticating correctly, and the correct VLAN ID is being sent back to the AP; however, the client would either not get an IP at all or would only get an IP from one or the other VLAN regardless of which user is authenticated.

Yes, I have installed wpad-openssl and hostapd-openssl to support dynamic VLANs.

Questions I'm not sure about:

Under the wireless setup, do I need to specify the "Network"? I'm assuming from the examples I have seen that option network would be present, which it's not. So currently it's unspecified.
Under the interfaces setup, for the br-lan device, for bridge VLAN filtering, does the VLAN ID need to be tagged and primary, or just tagged? Or untagged?

vi /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc@0/20000000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
        option band '5g'
        option channel '36'
        option htmode 'VHT80'
        option disabled '1'
        option country 'US'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc@0/c000000.wifi'
        option band '5g'
        option channel '36'
        option htmode 'HE160'
        option country 'AU'
        option cell_density '0'
        option txpower '23'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'platform/soc@0/c000000.wifi+1'
        option band '2g'
        option channel '1'
        option htmode 'HE20'
        option disabled '0'
        option country 'US'

config wifi-iface 'wifinet0'
        option device 'radio1'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'wpa3-mixed'
        option auth_server '192.168.0.224'
        option auth_secret 'mysecret'
        option acct_server '192.168.0.224'
        option acct_secret 'mysecret'
        option dynamic_vlan '2'
        option vlan_tagged_interface 'br-lan'
        option vlan_bridge 'br-vlan'
        option ocv '0'

config wifi-iface 'wifinet1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'OpenWrt40'
        option encryption 'sae-mixed'
        option key 'mykey'
        option ocv '0'
        option network 'vlan40'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'OpenWrt1'
        option encryption 'psk-mixed'
        option key 'mykey'
        option network 'vlan1'

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        list ipaddr '127.0.0.1/8'

config globals 'globals'
        option ula_prefix 'fd09:d615:9a10::/48'
        option packet_steering '0'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'wan'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1:t*'
        list ports 'lan2:t*'
        list ports 'lan3:t*'
        list ports 'wan:t*'

config bridge-vlan
        option device 'br-lan'
        option vlan '40'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:t'
        list ports 'wan:t'

config interface 'vlan40'
        option proto 'static'
        option device 'br-vlan40'
        option ipaddr '192.168.40.5'
        option netmask '255.255.255.0'

config interface 'vlan1'
        option proto 'static'
        option device 'br-vlan1'
        option ipaddr '192.168.0.5'
        option netmask '255.255.255.0'
        option gateway '192.168.0.1'
        list dns '192.168.0.1'
        list dns_search 'techco.net.au'

config device
        option type 'bridge'
        option name 'br-vlan1'
        list ports 'br-lan.1'

config device
        option type 'bridge'
        option name 'br-vlan40'
        list ports 'br-lan.40'

So I managed to get a little further. I can now confirm that when I attempt to connect to the AP, running brctl show during the connection process shows that a new interface phy1-ap2.1 is created and attaches itself to the correct br-vlan1, and if I change the VLAN assigned to that user, then it attaches to the other bridge, br-vlan40. However, in neither case is an IP obtained once connected?

Seems like packetfence already has use_tunneled_reply enabled, so now I'm not sure where to go from here.

I might link to my freeradius server, which was originally used for testing, remove packetfence and see.

Switched the AP to point to freeradius and confirmed that there still is a problem. It appears to be on the openwrt side, as with or without use_tunneled_reply enabled, the logs still show login ok, but connecting to the AP times out with no IP given.

Just seems weird, as setting up an AP connected to the network of each of the bridges separately works. When connecting to one with dynamic VLANs enabled, I can see that the AP is attaching to the correct bridge, so it should be the same as the separate ones. Really not sure what to do currently, as this is the last piece of a much better project and I can't proceed without this working.

Fri Jul  4 10:45:25 2025 daemon.err hostapd: VLAN: ifconfig_helper: ioctl(SIOCSIFFLAGS) failed for interface phy1-ap2.40 (up=1): Invalid argument
Fri Jul  4 10:45:25 2025 daemon.err hostapd: WPA initialization for VLAN 40 failed (-1)
Fri Jul  4 10:45:25 2025 daemon.err hostapd: WPA deinit of phy1-ap2.40 failed
Fri Jul  4 10:45:25 2025 kern.warn kernel: [51491.963379] ath11k c000000.wifi: failed to allocate nss ext vdev
Fri Jul  4 10:45:25 2025 kern.warn kernel: [51491.963433] ath11k c000000.wifi: failed to create ext vdev {redacted}

So, it's definitely on the openwrt side.

Any insights would be greatly appreciated.

When I looked at these logs I noticed "nss". Even though these logs didn't mean much to me, when I saw this I thought it might be due to the fact I'm using the modded NSS version of OpenWRT.

Installing the stock openwrt and installing wpad now results in a new error:

daemon.err hostapd: Failed to create interface phy1-ap0.1: -95 (Not supported)

So it can't even create the new interface.

Hostapd and 802.1q vlan tagging with DSA devices - For Developers - OpenWrt Forum

Okay so, the new error is because I'm using an ath11k device which doesn't support this config...

There are patches to add this...:

Now needing to learn how to apply this...

Okay, so before learning to apply the patch mentioned before, I ran command:

iw phy

What I searched for was vlan, for this to work you need to find:

  • AP/VLAN
    Under: Supported interface modes

To my surprise, this was only listed under Wiphy phy0, and I had created APs on Wiphy phy1.

So, I created the same AP on phy0 and now everything is working... FML

Will be reverting to the NSS build and seeing if this might have been my issue all along, and will post back. At the end of all this I will create a full set up and things to check, as from the searching I have done, you have to piece all this together from so many disjointed pieces.
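The check above (look for AP/VLAN under "Supported interface modes" in iw phy output, per radio) as a small added script, not from the original thread. The iw phy text embedded below is constructed to resemble real output and assumes the phy naming used in the posts; on a real router, pipe the live iw phy output in instead.

```shell
#!/bin/sh
# Added example: report which wiphy advertises the AP/VLAN interface mode
# that hostapd needs to create per-VLAN AP interfaces (phyX-apY.<vlan>).

# Constructed sample of "iw phy" output (not a capture from the AX3600):
# phy1 lacks AP/VLAN, phy0 has it.
SAMPLE_IW_PHY='Wiphy phy1
	Supported interface modes:
		 * managed
		 * AP
		 * monitor
	Supported commands:
		 * new_interface
Wiphy phy0
	Supported interface modes:
		 * IBSS
		 * managed
		 * AP
		 * AP/VLAN
		 * monitor'

# Read "iw phy" text on stdin; print the name of every wiphy whose
# "Supported interface modes" block contains "AP/VLAN".
phys_with_ap_vlan() {
    awk '
        /^Wiphy /                    { phy = $2; in_modes = 0; next }
        /Supported interface modes:/ { in_modes = 1; next }
        /:[ \t]*$/                   { in_modes = 0 }   # next section header
        in_modes && $1 == "*" && $2 == "AP/VLAN" { print phy }
    '
}

# Exit 0 if the named phy (e.g. phy0) advertises AP/VLAN, 1 otherwise.
# Also reads "iw phy" text on stdin.
phy_supports_ap_vlan() {
    phys_with_ap_vlan | grep -qx "$1"
}

# Live usage on the router would be:  iw phy | phys_with_ap_vlan
printf '%s\n' "$SAMPLE_IW_PHY" | phys_with_ap_vlan
```

Before pointing a dynamic_vlan wifi-iface at a radio, run this against that radio's phy; if the phy is not listed, hostapd's per-VLAN interface creation will fail regardless of the bridge configuration.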

Okay so, fundamentally all the issues I have been having appear to be linked to the fact that the router:

Xiaomi AIoT Router AX3600

Has a Qualcomm chipset.

On the stock firmware, only the Qualcomm Atheros QCA9887 802.11ac/b/g/n has the required ap/vlan option and this is limited to 802.11n even when 802.11ac is available.

Other NSS firmwares don't seem to have this patch, and when tested they fail.

Found this:

Individual per-passphrase/per-MAC Wifi VLANs using wpa_psk_file (no RADIUS required) - Installing and Using OpenWrt - OpenWrt Forum

Created a build environment and am in the process of compiling. When attempting to do so with the NSS firmware of the 3 I found, they never complete compiling. So, I will just start with the basic stock firmware and level up from there.

If anyone is wanting to know, this is for the Xiaomi AX3600 but should work for any ath11k chipset router.

Will post an update once I have a successfully compiled firmware to test.

So, at the end of it all, I compiled my own firmware and managed to connect via 802.11ac and have dynamic VLANs working as expected.

So, all in all, I wasn't fighting a misconfiguration, but a Qualcomm ath11k driver limitation.

The patch I have applied was from 2022, and I have since found a more up to date patch. Will attempt this and see. Then I will move on to either requesting this patch be included in the NSS builds, or working out how to build them myself.

I have posted my thought process and all links to the material needed to recreate what I have done to resolve this. Will continue to post developments here for my personal record and hopefully the benefit of anyone else who wishes to implement dynamic VLAN allocation to wifi clients using an ath11k chipset router, aka the Xiaomi AX3600 in my case.


Okay so, an NSS build appears to be a lost cause, as from:

qosmio/openwrt-ipq: NSS Fork of OpenWrt targeting Qualcomm IPQ807x/6018

This is still broken in the NSS driver.

I will continue troubleshooting the main OpenWRT branch and include the required patches to see if I can have a stable build.

So, for now, I have a 24.10.0 build which supports dynamic VLAN allocation to wireless clients. Still troubleshooting this build, as randomly upon connecting the router will crash. The underlying issue is the ath11k driver and the lack of upstream support.