Can't make VLAN work + wifi assoc problem

Hi!
I'm using an OpenWrt build with NSS from AgustinLorenzo ( https://github.com/AgustinLorenzo/openwrt/releases/tag/ipq807x-nsswifi-2024-10-20-0030 ).

But I have two problems:

  1. I can't make VLANs work (even on the stock/original OpenWrt firmware)
  2. I can't connect any client using authentication (an open network works fine).

I'm running on a Xiaomi AX3600 and my wifi is set up as a dumb AP (since I already have a router doing DHCP + firewall). In my LAN, I have an untagged VLAN 289 (which is called just LAN) and a tagged VLAN 239, called 'guest'. My switch is managed, and the ports connected to the router and to the wifi are configured the same way: 289 untagged and 239 tagged on all ports.

What I did: in the 'br-lan' bridge, I activated VLAN filtering and added VLANs 289 and 239. After saving, OpenWrt creates br-lan.289 and br-lan.239. Then I changed the "Device" of interface 'lan' from 'br-lan' to 'br-lan.289', and did the same for the guest VLAN.
I can ping both VLANs from and to the router, so communication between the router and the wifi router is OK. The problem is with the wifi clients: after connecting (using the open network), they do not get an IP address :confused: It looks like the wifi network can't reach my router, even with the 'guest' network assigned to the wifi network.
What am I doing wrong here?

PS: I already asked this before, but I was using a different version of the firmware and BATMAN/MESH at that time.
Some logs:

root@OpenWrt:~# logread -f
Tue Nov  5 12:55:00 2024 daemon.info hostapd: phy2-ap1: STA ba:42:25:a3:01:00 IEEE 802.11: authenticated
Tue Nov  5 12:55:00 2024 daemon.info hostapd: phy2-ap1: STA ba:42:25:a3:01:00 IEEE 802.11: associated (aid 1)
Tue Nov  5 12:55:09 2024 daemon.info hostapd: phy2-ap1: STA ba:42:25:a3:01:00 IEEE 802.11: deauthenticated due to local deauth request
Tue Nov  5 12:55:15 2024 daemon.info hostapd: phy2-ap1: STA ba:42:25:a3:01:00 IEEE 802.11: authenticated
Tue Nov  5 12:55:15 2024 daemon.info hostapd: phy2-ap1: STA ba:42:25:a3:01:00 IEEE 802.11: associated (aid 1)
Tue Nov  5 12:55:23 2024 daemon.info hostapd: phy2-ap1: STA ba:42:25:a3:01:00 IEEE 802.11: deauthenticated due to local deauth request
Tue Nov  5 12:55:31 2024 kern.info kernel: [  456.326092] ath11k c000000.wifi phy2-ap1: left allmulticast mode
Tue Nov  5 12:55:31 2024 kern.info kernel: [  456.326156] ath11k c000000.wifi phy2-ap1: left promiscuous mode
Tue Nov  5 12:55:31 2024 kern.info kernel: [  456.331299] br-lan: port 4(phy2-ap1) entered disabled state
Tue Nov  5 12:55:32 2024 daemon.notice wpa_supplicant[2097]: Set new config for phy phy2
Tue Nov  5 12:55:32 2024 daemon.notice hostapd: Set new config for phy phy2: /var/run/hostapd-phy2.conf
Tue Nov  5 12:55:32 2024 daemon.notice hostapd: Remove bss 'phy2-ap1' on phy 'phy2'
Tue Nov  5 12:55:32 2024 daemon.notice hostapd: phy2-ap1: AP-DISABLED
Tue Nov  5 12:55:32 2024 daemon.notice hostapd: phy2-ap1: CTRL-EVENT-TERMINATING
Tue Nov  5 12:55:32 2024 daemon.err hostapd: rmdir[ctrl_interface=/var/run/hostapd]: Permission denied
Tue Nov  5 12:55:32 2024 daemon.notice ttyd[4090]: [2024/11/05 12:55:32:3288] N: rops_handle_POLLIN_netlink: DELADDR
Tue Nov  5 12:55:32 2024 daemon.notice hostapd: nl80211: Failed to remove interface phy2-ap1 from bridge br-lan: No such device
Tue Nov  5 12:55:32 2024 daemon.notice hostapd: Add bss phy2-ap1 on phy phy2
Tue Nov  5 12:55:32 2024 kern.info kernel: [  457.223940] br-lan: port 4(phy2-ap1) entered blocking state
Tue Nov  5 12:55:32 2024 kern.info kernel: [  457.223996] br-lan: port 4(phy2-ap1) entered disabled state
Tue Nov  5 12:55:32 2024 kern.info kernel: [  457.228598] ath11k c000000.wifi phy2-ap1: entered allmulticast mode
Tue Nov  5 12:55:32 2024 kern.info kernel: [  457.234226] ath11k c000000.wifi phy2-ap1: entered promiscuous mode
Tue Nov  5 12:55:32 2024 kern.info kernel: [  457.242377] br-lan: port 4(phy2-ap1) entered blocking state
Tue Nov  5 12:55:32 2024 kern.info kernel: [  457.246424] br-lan: port 4(phy2-ap1) entered forwarding state
Tue Nov  5 12:55:32 2024 daemon.notice hostapd: Reloaded settings for phy phy2
Tue Nov  5 12:55:32 2024 user.notice root: [ethtool] Disabling feature: rx-gro-list: disabled on (phy2-ap1)
Tue Nov  5 12:55:32 2024 daemon.notice netifd: Network device 'phy2-ap1' link is up
Tue Nov  5 12:55:32 2024 daemon.notice ttyd[4090]: [2024/11/05 12:55:32:5732] N: rops_handle_POLLIN_netlink: DELADDR
Tue Nov  5 12:55:32 2024 kern.info kernel: [  457.305737] ath11k c000000.wifi phy2-ap1: left allmulticast mode
Tue Nov  5 12:55:32 2024 kern.info kernel: [  457.305807] ath11k c000000.wifi phy2-ap1: left promiscuous mode
Tue Nov  5 12:55:32 2024 kern.info kernel: [  457.311333] br-lan: port 4(phy2-ap1) entered disabled state
Tue Nov  5 12:55:32 2024 daemon.notice netifd: Network device 'phy2-ap1' link is down
Tue Nov  5 12:55:32 2024 daemon.notice ttyd[4090]: [2024/11/05 12:55:32:6400] N: rops_handle_POLLIN_netlink: DELADDR
Tue Nov  5 12:55:32 2024 kern.info kernel: [  457.370766] br-lan: port 4(phy2-ap1) entered blocking state
Tue Nov  5 12:55:32 2024 kern.info kernel: [  457.370820] br-lan: port 4(phy2-ap1) entered disabled state
Tue Nov  5 12:55:32 2024 kern.info kernel: [  457.375215] ath11k c000000.wifi phy2-ap1: entered allmulticast mode
Tue Nov  5 12:55:32 2024 kern.info kernel: [  457.381237] ath11k c000000.wifi phy2-ap1: entered promiscuous mode
Tue Nov  5 12:55:32 2024 kern.info kernel: [  457.387241] br-lan: port 4(phy2-ap1) entered blocking state
Tue Nov  5 12:55:32 2024 kern.info kernel: [  457.393218] br-lan: port 4(phy2-ap1) entered forwarding state
Tue Nov  5 12:55:32 2024 daemon.notice netifd: Network device 'phy2-ap1' link is up
Tue Nov  5 12:55:32 2024 daemon.notice netifd: Wireless device 'radio2' is now up
Tue Nov  5 12:55:33 2024 daemon.info dnsmasq[1]: read /etc/hosts - 12 names
Tue Nov  5 12:55:33 2024 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 0 names
Tue Nov  5 12:55:49 2024 daemon.info hostapd: phy2-ap1: STA 12:14:1e:73:16:34 IEEE 802.11: authenticated
Tue Nov  5 12:55:49 2024 daemon.info hostapd: phy2-ap1: STA 12:14:1e:73:16:34 IEEE 802.11: associated (aid 1)
Tue Nov  5 12:55:49 2024 daemon.notice hostapd: phy2-ap1: AP-STA-CONNECTED 12:14:1e:73:16:34 auth_alg=open
Tue Nov  5 12:55:49 2024 daemon.info hostapd: phy2-ap1: STA 12:14:1e:73:16:34 RADIUS: starting accounting session 540E75D9BAD9E6DD
Tue Nov  5 12:56:07 2024 daemon.notice hostapd: phy2-ap1: AP-STA-DISCONNECTED 12:14:1e:73:16:34
Tue Nov  5 12:56:10 2024 daemon.info hostapd: phy2-ap1: STA 12:14:1e:73:16:34 IEEE 802.11: authenticated
Tue Nov  5 12:56:10 2024 daemon.info hostapd: phy2-ap1: STA 12:14:1e:73:16:34 IEEE 802.11: associated (aid 1)
Tue Nov  5 12:56:10 2024 daemon.notice hostapd: phy2-ap1: AP-STA-CONNECTED 12:14:1e:73:16:34 auth_alg=open
Tue Nov  5 12:56:10 2024 daemon.info hostapd: phy2-ap1: STA 12:14:1e:73:16:34 RADIUS: starting accounting session 55DF6DBB95DD4E30

root@OpenWrt:~# ubus call system board
{
        "kernel": "6.6.57",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 4",
        "model": "Xiaomi AX3600",
        "board_name": "xiaomi,ax3600",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "SNAPSHOT",
                "revision": "r0-8aa431e",
                "target": "qualcommax/ipq807x",
                "description": "OpenWrt SNAPSHOT r0-8aa431e"
        }
}
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd12:66e8:8554::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'

config interface 'lan'
        option device 'br-lan.289'
        option proto 'static'
        option ipaddr '172.16.40.28'
        option netmask '255.255.248.0'
        option ip6assign '60'
        option gateway '172.16.40.1'
        list dns '172.16.40.1'
        list dns '8.8.8.8'
        list dns '1.1.1.1'

config bridge-vlan
        option device 'br-lan'
        option vlan '289'
        list ports 'lan1:u*'
        list ports 'lan2:u*'
        list ports 'lan3:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '239'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:t'

config interface 'guest'
        option proto 'static'
        option device 'br-lan.239'
        option ipaddr '10.107.205.240'
        option netmask '255.255.255.0'
        option gateway '10.107.205.1'
        option defaultroute '0'
        option delegate '0'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc@0/20000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
        option band '5g'
        option channel '36'
        option htmode 'VHT80'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc@0/c000000.wifi'
        option band '5g'
        option channel '40'
        option htmode 'HE80'
        option cell_density '0'
        option country 'BR'
        option disabled '1'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'platform/soc@0/c000000.wifi+1'
        option band '2g'
        option channel '6'
        option htmode 'HE20'
        option country 'BR'
        option cell_density '0'

config wifi-iface 'wifinet1'
        option device 'radio2'
        option mode 'ap'
        option ssid 'teste-lan'
        option encryption 'psk2'
        option key 'teste123teste123'
        option network 'lan'

config wifi-iface 'wifinet2'
        option device 'radio2'
        option mode 'ap'
        option ssid 'teste-guest'
        option encryption 'none'
        option network 'guest'
        option key 'teste123teste123'

root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option flow_offloading '0'
        option synflood_protect '1'

config include 'qcanssecm'
        option type 'script'
        option path '/etc/firewall.d/qca-nss-ecm'

Because this is not from the official OpenWrt project, you will probably need to ask the maintainer of this build.

However...

Try editing the guest network so that it is unmanaged. Take this:

config interface 'guest'
        option proto 'static'
        option device 'br-lan.239'
        option ipaddr '10.107.205.240'
        option netmask '255.255.255.0'
        option gateway '10.107.205.1'
        option defaultroute '0'
        option delegate '0'

... and make it look like this:

config interface 'guest'
        option proto 'none'
        option device 'br-lan.239'

Another thing I see is that you have encryption set to none on the guest network and yet there is still a key:

config wifi-iface 'wifinet2'
        option device 'radio2'
        option mode 'ap'
        option ssid 'teste-guest'
        option encryption 'none'
        option network 'guest'
        option key 'teste123teste123'

I'm not sure what happens if this key is present, but I'd recommend just setting it to psk2 encryption.

Reboot and test again after fixing those things.

If it doesn't work, another thing you should do is make sure that the upstream connection has VLAN 239 working as expected. That usually means ensuring that your managed switch has a trunk to both the router and the AP, and then also creating an access port for each VLAN so that you can directly test via ethernet to make sure that your VLANs are working properly through the rest of the network infrastructure.

More or less it looks correct. Some remarks:

config bridge-vlan
        option device 'br-lan'
        option vlan '239'
        list ports 'lan1:t'
        list ports 'lan2:t'
        list ports 'lan3:t'

Limit the vlan239 port to only the uplink.

The guest interface must be either unmanaged (no IP) or, if you need to have an IP on the guest interface for some reason, use IP/mask only.

Regarding the radio, from the ToH page, are you certain you are using the correct radio?

Qualcomm QCA9889, Qualcomm QCN5024, Qualcomm QCN5054
OFDMA + MU-MIMO, one 2.4GHz (QCN5024 2×2/40MHz ax), one 5GHz (QCN5054 4×4/80 or 2×2/160MHz ax), one AIoT (QCA9889 1×1 ac/n)
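The remarks in the two replies above (unmanaged guest interface, tagged guest VLAN only on the uplink, no key on an open SSID) are easy to check mechanically before flashing. What follows is an added example, not code from the thread or from OpenWrt: a small Python lint that parses the posted /etc/config/network and /etc/config/wireless stanzas (copied inline as constructed samples) and reports those mistakes. It assumes 'lan' is the management interface and that lan1 is the port cabled to the switch; both are parameters of the lint, not facts stated in the thread.

```python
"""Lint exported OpenWrt UCI config for the dumb-AP VLAN mistakes raised in this
thread: a guest interface carrying a gateway, a tagged guest VLAN on every port
instead of only the uplink, and an open SSID with a leftover key. Added example,
not OpenWrt code; the parser handles only the config/option/list subset used here."""
import re

def parse_uci(text):
    """One {'type','name','opts'} dict per 'config' section; list keys become lists."""
    sections = []
    for raw in text.splitlines():
        tok = [t.strip("'") for t in re.findall(r"'[^']*'|\S+", raw.strip())]
        if not tok or tok[0].startswith('#'):
            continue
        if tok[0] == 'config':
            sections.append({'type': tok[1], 'name': tok[2] if len(tok) > 2 else None, 'opts': {}})
        elif tok[0] == 'option':
            sections[-1]['opts'][tok[1]] = tok[2] if len(tok) > 2 else ''
        elif tok[0] == 'list':
            sections[-1]['opts'].setdefault(tok[1], []).append(tok[2])
    return sections

def lint(network_text, wireless_text, mgmt_iface, uplink_ports):
    """Return findings. mgmt_iface is the one interface the AP is managed over (it may
    keep gateway/dns); uplink_ports are the ports cabled to the managed switch."""
    net = parse_uci(network_text)
    ifaces = {s['name']: s['opts'] for s in net if s['type'] == 'interface'}
    vlans = {(s['opts']['device'], s['opts']['vlan']): s['opts']
             for s in net if s['type'] == 'bridge-vlan'}
    out = []
    for name, o in ifaces.items():
        if name == mgmt_iface:
            continue
        bridge, _, vid = o.get('device', '').partition('.')
        if vid and (bridge, vid) not in vlans:
            out.append(f"{name}: device {bridge}.{vid} has no matching bridge-vlan section")
        if o.get('proto') != 'none' and ('gateway' in o or 'dns' in o):
            out.append(f"{name}: non-management interface carries gateway/dns; "
                       "set proto 'none' or keep ipaddr/netmask only")
    for (bridge, vid), o in vlans.items():
        members = [tuple(p.partition(':')[::2]) for p in o.get('ports', [])]
        if members and all(flags == 't' for _, flags in members):  # tagged-only = guest-style
            extra = sorted(port for port, _ in members if port not in uplink_ports)
            if extra:
                out.append(f"{bridge} vlan {vid}: tagged on non-uplink ports {extra}; "
                           "limit it to the uplink")
    for s in parse_uci(wireless_text):
        o = s['opts']
        if s['type'] != 'wifi-iface':
            continue
        if o.get('network') not in ifaces:
            out.append(f"{s['name']}: network '{o.get('network')}' does not exist")
        if o.get('encryption', 'none') == 'none' and 'key' in o:
            out.append(f"{s['name']}: encryption 'none' but a key is set; use psk2, "
                       "or drop the key if the SSID is meant to be open")
    return out

# Constructed copies of the relevant stanzas posted in the thread (loopback,
# globals, radio and dhcp sections are omitted; the lint ignores them anyway).
NETWORK = """
config interface 'lan'
    option device 'br-lan.289'
    option proto 'static'
    option ipaddr '172.16.40.28'
    option gateway '172.16.40.1'

config bridge-vlan
    option device 'br-lan'
    option vlan '289'
    list ports 'lan1:u*'
    list ports 'lan2:u*'
    list ports 'lan3:u*'

config bridge-vlan
    option device 'br-lan'
    option vlan '239'
    list ports 'lan1:t'
    list ports 'lan2:t'
    list ports 'lan3:t'

config interface 'guest'
    option proto 'static'
    option device 'br-lan.239'
    option ipaddr '10.107.205.240'
    option netmask '255.255.255.0'
    option gateway '10.107.205.1'
    option defaultroute '0'
"""
WIRELESS = """
config wifi-iface 'wifinet1'
    option ssid 'teste-lan'
    option encryption 'psk2'
    option key 'teste123teste123'
    option network 'lan'

config wifi-iface 'wifinet2'
    option ssid 'teste-guest'
    option encryption 'none'
    option network 'guest'
    option key 'teste123teste123'
"""

if __name__ == '__main__':
    for finding in lint(NETWORK, WIRELESS, 'lan', {'lan1'}):  # lan1 assumed to be the uplink
        print(finding)
```

Against the posted config this reports three findings: the guest interface carrying a gateway, VLAN 239 tagged on lan2 and lan3 as well as the uplink, and wifinet2 having a key with encryption 'none'. Remove the gateway (or set proto 'none'), trim the VLAN to the uplink and drop the key, and it reports nothing. To run it on the AP itself, feed it `cat /etc/config/network` and `cat /etc/config/wireless` instead of the inline strings.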

I did all your suggestions, but it's still not working :confused:
It looks like wifi doesn't like anything that is not a bridge itself. From what I see, I'm setting an interface using a 'software VLAN', not a bridge itself... therefore, wifi can't get an IP from that network.
The problem is that I don't know how to solve this.

Also, I think that my association problem is related to this (the client can't associate with the wifi SSID). I'm thinking this is the problem because if I factory reset and configure the same radio (but without using VLANs, using the factory configuration), the association works fine (using a PSK2 password), so there's no radio problem and, I think, no firmware/build problem, since it works without the VLAN configuration.

My other problem is that I can't get more information in the logs about this association problem. I'm using logread -f. Is there any other, more 'verbose' way?
I just got this while trying to connect (without success):

Tue Nov  5 13:06:28 2024 daemon.info hostapd: phy1-ap0: STA 3a:9f:8d:5d:66:0e IEEE 802.11: authenticated
Tue Nov  5 13:06:28 2024 daemon.info hostapd: phy1-ap0: STA 3a:9f:8d:5d:66:0e IEEE 802.11: associated (aid 1)
Tue Nov  5 13:06:36 2024 daemon.info hostapd: phy1-ap0: STA 3a:9f:8d:5d:66:0e IEEE 802.11: deauthenticated due to local deauth request

And this is what I get when I configure anything in the wifi radio and save:

Tue Nov  5 13:06:18 2024 daemon.notice wpa_supplicant[2101]: Set new config for phy phy1
Tue Nov  5 13:06:18 2024 daemon.notice hostapd: Set new config for phy phy1: /var/run/hostapd-phy1.conf
Tue Nov  5 13:06:18 2024 daemon.notice hostapd: Restart interface for phy phy1
Tue Nov  5 13:06:18 2024 daemon.notice hostapd: Remove interface 'phy1'
Tue Nov  5 13:06:18 2024 daemon.notice hostapd: phy1-ap0: interface state ENABLED->DISABLED
Tue Nov  5 13:06:18 2024 daemon.notice hostapd: phy1-ap0: AP-DISABLED
Tue Nov  5 13:06:18 2024 daemon.notice hostapd: phy1-ap0: CTRL-EVENT-TERMINATING
Tue Nov  5 13:06:18 2024 daemon.err hostapd: rmdir[ctrl_interface=/var/run/hostapd]: Permission denied
Tue Nov  5 13:06:18 2024 daemon.notice hostapd: nl80211: deinit ifname=phy1-ap0 disabled_11b_rates=0
Tue Nov  5 13:06:18 2024 kern.info kernel: [  258.616955] ath11k c000000.wifi phy1-ap0: left allmulticast mode
Tue Nov  5 13:06:18 2024 kern.info kernel: [  258.617011] ath11k c000000.wifi phy1-ap0: left promiscuous mode
Tue Nov  5 13:06:18 2024 kern.info kernel: [  258.622198] br-lan: port 4(phy1-ap0) entered disabled state
Tue Nov  5 13:06:18 2024 daemon.notice netifd: Network device 'phy1-ap0' link is down
Tue Nov  5 13:06:19 2024 daemon.notice hostapd: Configuration file: data: driver=nl80211 logger_syslog=127 logger_syslog_level=2 logger_stdout=127 logger_stdout_level=2 country_code=BR ieee80211d=1 ieee80211h=1 hw_mode=a beacon_int=100 stationary_ap=1 chanlist=40 tx_queue_data2_burst=2.0 #num_global_macaddr=1 ieee80211n=1 ht_coex=0 ht_capab=[HT40-][LDPC][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC1][MAX-AMSDU-7935][DSSS_CCK-40] ieee80211ac=1 vht_oper_chwidth=0 vht_oper_centr_freq_seg0_idx=38 vht_capab=[RXLDPC][SHORT-GI-80][TX-STBC-2BY1][SU-BEAMFORMER][SU-BEAMFORMEE][MU-BEAMFORMER][MU-BEAMFORMEE][RX-ANTENNA-PATTERN][TX-ANTENNA-PATTERN][RX-STBC-1][SOUNDING-DIMENSION-4][BF-ANTENNA-4][MAX-MPDU-11454][MAX-A-MPDU-LEN-EXP7] ieee80211ax=1 he_oper_chwidth=0 he_oper_centr_freq_seg0_idx=38 he_su_beamformer=1 he_su_beamformee=1 he_mu_beamformer=1 he_bss_color=128 he_spr_sr_control=3 he_default_pe_duration=4 he_rts_threshold=1023 he_mu_edca_qos_info_param_count=0 he_mu_edca_qos_info_q_ack=0 he_mu_edca_qos_info_queue_request=0 he_mu_edca_qos
Tue Nov  5 13:06:19 2024 daemon.notice netifd: Wireless device 'radio1' is now up
Tue Nov  5 13:06:19 2024 kern.info kernel: [  259.023899] br-lan: port 4(phy1-ap0) entered blocking state
Tue Nov  5 13:06:19 2024 kern.info kernel: [  259.023956] br-lan: port 4(phy1-ap0) entered disabled state
Tue Nov  5 13:06:19 2024 kern.info kernel: [  259.028543] ath11k c000000.wifi phy1-ap0: entered allmulticast mode
Tue Nov  5 13:06:19 2024 kern.info kernel: [  259.034266] ath11k c000000.wifi phy1-ap0: entered promiscuous mode
Tue Nov  5 13:06:19 2024 kern.info kernel: [  259.040333] br-lan: port 4(phy1-ap0) entered blocking state
Tue Nov  5 13:06:19 2024 kern.info kernel: [  259.046358] br-lan: port 4(phy1-ap0) entered forwarding state
Tue Nov  5 13:06:19 2024 daemon.notice hostapd: phy1-ap0: interface state UNINITIALIZED->COUNTRY_UPDATE
Tue Nov  5 13:06:19 2024 daemon.notice hostapd: phy1-ap0: interface state COUNTRY_UPDATE->HT_SCAN
Tue Nov  5 13:06:19 2024 user.notice root: [ethtool] Disabling feature: rx-gro-list: disabled on (phy1-ap0)
Tue Nov  5 13:06:19 2024 daemon.notice hostapd: Switch own primary and secondary channel to get secondary channel with no Beacons from other BSSes
Tue Nov  5 13:06:19 2024 daemon.notice netifd: Network device 'phy1-ap0' link is up
Tue Nov  5 13:06:19 2024 daemon.notice hostapd: phy1-ap0: interface state HT_SCAN->ENABLED
Tue Nov  5 13:06:19 2024 daemon.notice hostapd: phy1-ap0: AP-ENABLED
Tue Nov  5 13:06:20 2024 daemon.info dnsmasq[1]: read /etc/hosts - 12 names
Tue Nov  5 13:06:20 2024 daemon.info dnsmasq[1]: read /tmp/hosts/dhcp.cfg01411c - 0 names
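Reading the hostapd lines per station is the quickest way to see where the PSK attempt dies. The following is an added example, not part of the thread or of hostapd: it groups the log lines quoted in the two posts above (copied inline as a constructed sample) into association sessions and reports, for each, whether AP-STA-CONNECTED was reached and how long after association the session ended. On a WPA2-PSK BSS hostapd only logs AP-STA-CONNECTED once the 4-way handshake has completed, so 'associated' followed eight seconds later by 'deauthenticated due to local deauth request' on phy1-ap0, with nothing in between, is the signature of a handshake that never finishes (wrong passphrase or a client that rejects the AP's security settings are the usual causes), whereas the open SSID on phy2-ap1 reaches AP-STA-CONNECTED in the same second it associates.

```python
"""Triage hostapd association logs per station: did each attempt reach
AP-STA-CONNECTED, or was it torn down first, and how long after association?
Added example, not hostapd's or the thread's code. On a WPA2-PSK BSS hostapd logs
AP-STA-CONNECTED only after the 4-way handshake completes, so 'associated' followed
by 'deauthenticated due to local deauth request' with no AP-STA-CONNECTED in between
is a handshake that never finished."""
import re
from datetime import datetime

# Constructed sample: logread lines copied from the posts above (open SSID on
# phy2-ap1 at 12:55, PSK SSID on phy1-ap0 at 13:06); unrelated lines left out.
LOG = """\
Tue Nov  5 12:55:00 2024 daemon.info hostapd: phy2-ap1: STA ba:42:25:a3:01:00 IEEE 802.11: authenticated
Tue Nov  5 12:55:00 2024 daemon.info hostapd: phy2-ap1: STA ba:42:25:a3:01:00 IEEE 802.11: associated (aid 1)
Tue Nov  5 12:55:09 2024 daemon.info hostapd: phy2-ap1: STA ba:42:25:a3:01:00 IEEE 802.11: deauthenticated due to local deauth request
Tue Nov  5 12:55:49 2024 daemon.info hostapd: phy2-ap1: STA 12:14:1e:73:16:34 IEEE 802.11: authenticated
Tue Nov  5 12:55:49 2024 daemon.info hostapd: phy2-ap1: STA 12:14:1e:73:16:34 IEEE 802.11: associated (aid 1)
Tue Nov  5 12:55:49 2024 daemon.notice hostapd: phy2-ap1: AP-STA-CONNECTED 12:14:1e:73:16:34 auth_alg=open
Tue Nov  5 12:55:49 2024 daemon.info hostapd: phy2-ap1: STA 12:14:1e:73:16:34 RADIUS: starting accounting session 540E75D9BAD9E6DD
Tue Nov  5 12:56:07 2024 daemon.notice hostapd: phy2-ap1: AP-STA-DISCONNECTED 12:14:1e:73:16:34
Tue Nov  5 13:06:28 2024 daemon.info hostapd: phy1-ap0: STA 3a:9f:8d:5d:66:0e IEEE 802.11: authenticated
Tue Nov  5 13:06:28 2024 daemon.info hostapd: phy1-ap0: STA 3a:9f:8d:5d:66:0e IEEE 802.11: associated (aid 1)
Tue Nov  5 13:06:36 2024 daemon.info hostapd: phy1-ap0: STA 3a:9f:8d:5d:66:0e IEEE 802.11: deauthenticated due to local deauth request
"""

LINE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \S+ hostapd: (?P<bss>\S+): '
    r'(?:STA (?P<sta>[0-9a-f:]{17}) IEEE 802\.11: (?P<evt>authenticated|associated|deauthenticated)'
    r'|(?P<ctrl>AP-STA-CONNECTED|AP-STA-DISCONNECTED) (?P<sta2>[0-9a-f:]{17}))(?P<rest>.*)$')

def triage(log_text):
    """Map (bss, sta) -> list of sessions; each session starts at 'associated' and
    records whether AP-STA-CONNECTED was seen, what ended it and after how long."""
    sessions, active = {}, {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # RADIUS accounting, config reloads, kernel lines, etc.
        ts = datetime.strptime(' '.join(m['ts'].split()), '%a %b %d %H:%M:%S %Y')
        key = (m['bss'], m['sta'] or m['sta2'])
        evt = m['evt'] or m['ctrl']
        if evt == 'associated':
            s = {'assoc': ts, 'connected': False, 'end': None, 'seconds': None}
            sessions.setdefault(key, []).append(s)
            active[key] = s
        elif key in active:
            if evt == 'AP-STA-CONNECTED':
                active[key]['connected'] = True
            elif evt in ('deauthenticated', 'AP-STA-DISCONNECTED'):
                s = active.pop(key)
                s['end'] = (evt + m['rest']).strip()
                s['seconds'] = (ts - s['assoc']).total_seconds()
    return sessions

def summary(log_text):
    """One verdict line per session, the way a triager wants to read it."""
    out = []
    for (bss, sta), sess in triage(log_text).items():
        for s in sess:
            if s['connected']:
                verdict = 'reached AP-STA-CONNECTED'
            elif s['end'] and 'local deauth' in s['end']:
                verdict = 'never reached AP-STA-CONNECTED; hostapd tore the session down itself'
            elif s['end']:
                verdict = 'never reached AP-STA-CONNECTED; client left'
            else:
                verdict = 'still associated at end of log'
            when = f" ({s['seconds']:.0f}s after association)" if s['seconds'] is not None else ''
            out.append(f'{bss} {sta}: {verdict}{when}')
    return out

if __name__ == '__main__':
    print('\n'.join(summary(LOG)))
```

Feed it the output of `logread -e hostapd` from the AP to triage a live capture. For more detail than the lines above, the OpenWrt wireless configuration reference documents `option log_level` on the `wifi-device` section (the dumped hostapd config above shows the resulting `logger_syslog_level=2`); lowering it to 0 makes hostapd log the individual handshake steps.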

Have you verified the functioning of VLAN 239 using an ethernet connection to a computer?