802.1X with dynamic VLANs, 5GHz and mDNS strange behaviour

I have two SSIDs on each radio, that makes four total. The first SSID is WPA2/PSK and the second one is WPA2 Enterprise (802.1x) with Radius Authentication. Configuration is the same for both radios.
The behavior I experience is that when my clients connect to the 5GHz 802.1x SSID, they seem to experience multicast problems. Some of the multicast services running in my home network, for example a Homebridge server and an Airplay server, are not discovered by my clients. When they switch to any other SSID on any radio, everything works fine.
I also find it strange that multicast on the 802.1x 2.4 radio is also working fine. Dynamic VLAN assigned via Radius is VLAN 1, it's the same VLAN configured in the WPA/PSK configs.
So the problem occurs ONLY when my clients connect to a 5GHz 802.1x SSID.
What could be causing this?

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:01.0/0000:02:00.0'
        option htmode 'HT20'
        option legacy_rates '1'
        option country 'GR'

config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'home2'
        option key 'XXXX'
        option network 'vlan1'
        option encryption 'psk2'

config wifi-iface 'wifinet1'
        option device 'radio0'
        option mode 'ap'
        option encryption 'wpa2'
        option auth_secret 'XXXX'
        option dynamic_vlan '2'
        option vlan_tagged_interface 'eth0'
        option vlan_bridge 'br-vlan'
        option vlan_naming '0'
        option auth_server '127.0.0.1'
        option ssid '8021x'

config wifi-device 'radio1'
        option type 'mac80211'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0/0000:01:00.0'
        option htmode 'VHT80'
        option country 'GR'
        option channel 'auto'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'home2'
        option key 'XXXX'
        option network 'vlan1'
        option encryption 'psk2'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option encryption 'wpa2'
        option auth_secret 'XXXX'
        option dynamic_vlan '2'
        option vlan_tagged_interface 'eth0'
        option vlan_bridge 'br-vlan'
        option vlan_naming '0'
        option auth_server '127.0.0.1'
        option ssid '8021x'

Hi, I am experiencing the very same issue. I have an Archer C6 v2 device, bridges are set up with IGMP snooping configuration. Once the interface (bridge) is fixed for the SSID, then the mDNS is working fine. It doesn't matter if the auth is WPA2-PSK or WPA2-Enterprise. I can stream to AirPlay devices etc. But once I've changed the config for the very same SSID to the dynamic vlan (same config like @meresgr posted), then the mDNS is not working and I cannot find any AirPlay targets nor other services using mDNS or IGMP. I can confirm that after switching to dynamic vlan, the same client device ends up in the same bridge. The only difference is that the bridge is not assigned statically in the SSID config, but rather dynamically from the RADIUS server.

I've investigated the traffic on the bridge via tcpdump and it looks the same in both configurations. Even with the dynamic vlan, I can see the broadcast requests from the wireless client and responses from the targets on the bridge, but probably they are not propagated to the dynamically associated wlans.

I can see the same behaviour on 2.4 GHz, 5 GHz and also on v19 and v20 rc3 versions of OpenWrt. Can anybody help us or point us somewhere to raise this issue?

I experienced similar behaviour with Archer C7 v2. Dynamic VLAN caused issues with Airplay/mdns. Switching to the regular (non-ct) firmware fixed the issue for me on 22.0.

… update, same holds true for 23.0

I have the same issue on a Xiaomi AX3600. Are there any general guidelines to fix this, or do I have to investigate it through the dedicated forums?

Maybe try setting option legacy_rates '0' in /etc/config/wireless for radio1?

If you don't have any 802.11b clients, it's also recommended to set that same option for radio0 to avoid WiFi throughput issues with multicast. This can be seen in the config option description:

0 = Disallow legacy 802.11b data rates,
1 = Allow legacy 802.11b data rates.

Legacy or badly behaving devices may require legacy 802.11b rates to interoperate. Airtime efficiency may be significantly reduced where these are used. It is recommended to not allow 802.11b rates where possible. The basic_rate and supported_rates options overrides this option.

Also the same issue is mentioned in the following Wiki page:
OpenWrt: Wireless Access Point (aka "Dumb" Access Point) - Multicast

One last thing: If you're using any multicast streaming applications (e.g. IPTV, Dante, AES67), then it's recommended to enable igmp_snooping to avoid flooding the network with multicast packets where they are not needed. For this, set option igmp_snooping '1' in /etc/config/network underneath the heading: "config interface 'lan'".

The option can be turned on also in the kernel via the /sys filesystem interface: echo '1' > /sys/class/net/br-lan/bridge/multicast_snooping

EDIT: I'm not familiar with the "Dynamic VLAN" configuration mentioned, but it could be related. Are these VLANs created with separated subnets? Maybe multicast isn't being passed across these?
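Added example, not part of any post in this thread: a small POSIX shell helper that reads the same /sys bridge interface mentioned above and lists, for every bridge, its multicast_snooping value and member ports, so you can check whether a dynamically created wireless VLAN interface really is a port of the expected bridge. The per-port multicast_flood attribute is a standard Linux bridge sysfs file that the thread does not mention; the function names and the optional root argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example: inspect Linux bridge multicast state through sysfs.
# The first argument is the sysfs net directory; it defaults to the real one
# and can point at a constructed tree for testing.

bridge_mcast_report() {
    root="${1:-/sys/class/net}"
    for br in "$root"/*; do
        [ -d "$br/bridge" ] || continue        # skip non-bridge interfaces
        snoop=$(cat "$br/bridge/multicast_snooping" 2>/dev/null || echo '?')
        echo "bridge=${br##*/} snooping=$snoop"
        for port in "$br"/brif/*; do
            [ -e "$port" ] || continue         # bridge without ports
            flood=$(cat "$port/multicast_flood" 2>/dev/null || echo '?')
            echo "  port=${port##*/} multicast_flood=$flood"
        done
    done
}

# Succeeds (exit status 0) when interface $2 is a member port of bridge $1.
# $3 is the optional sysfs net directory, as above.
is_bridge_port() {
    [ -e "${3:-/sys/class/net}/$1/brif/$2" ]
}

# Print the report for the running system when executed directly.
bridge_mcast_report "$@"
```

Run it once with the SSID on a static bridge and once with dynamic VLAN, then compare which wireless interfaces appear as ports of the bridge in each case.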

Regarding the "Dynamic VLAN" configuration, it is a mechanism where WiFi clients are assigned a VLAN according to Radius config depending for example on their username.
Network wise, that should not make a difference, each VLAN has its own subnet, and the problem mentioned in the topic exists within the same subnet/VLAN.

Thanx for the tips, I have changed my setup since, but I will give it a try sometime

I understood this 5GHz to be a driver issue. It’s not present @2.4 GHz. Swapping driver to non-ct fixes it instantly.
