DUMB AP Vlan Setup Roaming Issue

Hi,
I have a problem with my current AP setup. I installed two Xiaomi AX3000T into my home, running OpenWRT. I searched multiple hours for a solution in this forum, but I couldn't find it yet.

I've set up different VLANs for different SSIDs. The Problem [Tested with Android 14 and Linux Mint 22]: When leaving an AP and moving to the next one or if I disconnect the device via LUCI, the device can't reconnect for the next 3 Minutes. No Error Messages on the Android device.

Setup:

OPNSENSE > OpenWRT AP1 and 2

What I tried:

  • Upgrading OpenWRT from 23.04 to 24.10-rc6 -> Issue persists
  • Disabling MFP and changed to WPA2 -> Issue persists
  • Changed WiFi channels of same named SSIDs to be different -> Issue persists
  • Delete DHCP lease after disconnect in OPNSENSE -> Issue persists
  • Reboot AP after device disconnection -> Instantly connects again and solves Issue till next disconnection
  • Set Bridge MAC ageing to 5 Seconds -> Issue persists

I really don't know how to solve this issue. Any help is appreciated! :slight_smile:

AP Logs:

Fri Jan 31 00:24:15 2025 daemon.notice hostapd: phy1-ap0: AP-STA-DISCONNECTED 72:e6:3a:26:13:9f
Fri Jan 31 00:24:16 2025 daemon.info hostapd: phy1-ap0: STA 72:e6:3a:26:13:9f IEEE 802.11: authenticated
Fri Jan 31 00:24:16 2025 daemon.info hostapd: phy1-ap0: STA 72:e6:3a:26:13:9f IEEE 802.11: associated (aid 1)
Fri Jan 31 00:24:16 2025 daemon.notice hostapd: phy1-ap0: AP-STA-CONNECTED 72:e6:3a:26:13:9f auth_alg=open
Fri Jan 31 00:24:16 2025 daemon.info hostapd: phy1-ap0: STA 72:e6:3a:26:13:9f WPA: pairwise key handshake completed (RSN)
Fri Jan 31 00:24:16 2025 daemon.notice hostapd: phy1-ap0: EAPOL-4WAY-HS-COMPLETED 72:e6:3a:26:13:9f
Fri Jan 31 00:24:21 2025 daemon.notice hostapd: phy1-ap0: AP-STA-DISCONNECTED 72:e6:3a:26:13:9f
Fri Jan 31 00:24:21 2025 daemon.info hostapd: phy1-ap0: STA 72:e6:3a:26:13:9f IEEE 802.11: disassociated
Fri Jan 31 00:24:22 2025 daemon.info hostapd: phy1-ap0: STA 72:e6:3a:26:13:9f IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
Fri Jan 31 00:24:27 2025 daemon.info hostapd: phy1-ap0: STA 72:e6:3a:26:13:9f IEEE 802.11: authenticated
Fri Jan 31 00:24:27 2025 daemon.info hostapd: phy1-ap0: STA 72:e6:3a:26:13:9f IEEE 802.11: associated (aid 1)
Fri Jan 31 00:24:27 2025 daemon.notice hostapd: phy1-ap0: AP-STA-CONNECTED 72:e6:3a:26:13:9f auth_alg=open
Fri Jan 31 00:24:27 2025 daemon.info hostapd: phy1-ap0: STA 72:e6:3a:26:13:9f WPA: pairwise key handshake completed (RSN)
Fri Jan 31 00:24:27 2025 daemon.notice hostapd: phy1-ap0: EAPOL-4WAY-HS-COMPLETED 72:e6:3a:26:13:9f
Fri Jan 31 00:24:45 2025 daemon.notice hostapd: phy1-ap0: AP-STA-DISCONNECTED 72:e6:3a:26:13:9f
Fri Jan 31 00:24:45 2025 daemon.info hostapd: phy1-ap0: STA 72:e6:3a:26:13:9f IEEE 802.11: disassociated
Fri Jan 31 00:24:46 2025 daemon.info hostapd: phy1-ap0: STA 72:e6:3a:26:13:9f IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
Fri Jan 31 00:24:48 2025 daemon.info hostapd: phy1-ap0: STA 72:e6:3a:26:13:9f IEEE 802.11: authenticated
Fri Jan 31 00:24:48 2025 daemon.info hostapd: phy1-ap0: STA 72:e6:3a:26:13:9f IEEE 802.11: associated (aid 1)
Fri Jan 31 00:24:49 2025 daemon.notice hostapd: phy1-ap0: AP-STA-CONNECTED 72:e6:3a:26:13:9f auth_alg=open
Fri Jan 31 00:24:49 2025 daemon.info hostapd: phy1-ap0: STA 72:e6:3a:26:13:9f WPA: pairwise key handshake completed (RSN)
Fri Jan 31 00:24:49 2025 daemon.notice hostapd: phy1-ap0: EAPOL-4WAY-HS-COMPLETED 72:e6:3a:26:13:9f
Fri Jan 31 00:25:07 2025 daemon.notice hostapd: phy1-ap0: AP-STA-DISCONNECTED 72:e6:3a:26:13:9f
Fri Jan 31 00:23:10 2025 daemon.err hostapd: nl80211: kernel reports: key addition failed
Fri Jan 31 00:23:10 2025 daemon.info hostapd: phy1-ap0: STA 72:e6:3a:26:13:9f IEEE 802.11: associated (aid 1)
Fri Jan 31 00:23:10 2025 daemon.notice hostapd: phy1-ap0: AP-STA-CONNECTED 72:e6:3a:26:13:9f auth_alg=ft
Fri Jan 31 00:23:25 2025 daemon.notice hostapd: phy1-ap0: AP-STA-DISCONNECTED 72:e6:3a:26:13:9f
Fri Jan 31 00:23:25 2025 daemon.info hostapd: phy1-ap0: STA 72:e6:3a:26:13:9f IEEE 802.11: disassociated
Fri Jan 31 00:23:26 2025 daemon.info hostapd: phy1-ap0: STA 72:e6:3a:26:13:9f IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
Fri Jan 31 00:23:28 2025 daemon.info hostapd: phy1-ap0: STA 72:e6:3a:26:13:9f IEEE 802.11: authenticated
Fri Jan 31 00:23:28 2025 daemon.info hostapd: phy1-ap0: STA 72:e6:3a:26:13:9f IEEE 802.11: associated (aid 1)
Fri Jan 31 00:23:28 2025 daemon.notice hostapd: phy1-ap0: AP-STA-CONNECTED 72:e6:3a:26:13:9f auth_alg=open
Fri Jan 31 00:23:28 2025 daemon.info hostapd: phy1-ap0: STA 72:e6:3a:26:13:9f WPA: pairwise key handshake completed (RSN)
Fri Jan 31 00:23:28 2025 daemon.notice hostapd: phy1-ap0: EAPOL-4WAY-HS-COMPLETED 72:e6:3a:26:13:9f
Fri Jan 31 00:23:38 2025 daemon.notice hostapd: phy1-ap0: AP-STA-DISCONNECTED 72:e6:3a:26:13:9f
Fri Jan 31 00:23:38 2025 daemon.info hostapd: phy1-ap0: STA 72:e6:3a:26:13:9f IEEE 802.11: disassociated
Fri Jan 31 00:23:39 2025 daemon.info hostapd: phy1-ap0: STA 72:e6:3a:26:13:9f IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)
Fri Jan 31 00:23:47 2025 daemon.info hostapd: phy1-ap0: STA 72:e6:3a:26:13:9f IEEE 802.11: authenticated
Fri Jan 31 00:23:47 2025 daemon.info hostapd: phy1-ap0: STA 72:e6:3a:26:13:9f IEEE 802.11: associated (aid 1)
Fri Jan 31 00:23:47 2025 daemon.notice hostapd: phy1-ap0: AP-STA-CONNECTED 72:e6:3a:26:13:9f auth_alg=open
Fri Jan 31 00:23:47 2025 daemon.info hostapd: phy1-ap0: STA 72:e6:3a:26:13:9f WPA: pairwise key handshake completed (RSN)
Fri Jan 31 00:23:47 2025 daemon.notice hostapd: phy1-ap0: EAPOL-4WAY-HS-COMPLETED 72:e6:3a:26:13:9f
Fri Jan 31 00:24:05 2025 daemon.notice hostapd: phy1-ap0: AP-STA-DISCONNECTED 72:e6:3a:26:13:9f

AP Config (identical on both APs, except WiFi channels):

BusyBox v1.36.1 (2025-01-22 19:52:54 UTC) built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 24.10.0-rc6, r28388-58d0057481
 -----------------------------------------------------
root@OpenWrt-ANKLEIDEZIMMER:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd5d:****:****::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'VLAN.10'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.10.250'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.10.254'

config device
	option type 'bridge'
	option name 'VLAN'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

config bridge-vlan
	option device 'VLAN'
	option vlan '10'
	list ports 'wan:u*'

config bridge-vlan
	option device 'VLAN'
	option vlan '40'
	list ports 'wan:t'

config bridge-vlan
	option device 'VLAN'
	option vlan '50'
	list ports 'wan:t'

config bridge-vlan
	option device 'VLAN'
	option vlan '60'
	list ports 'wan:t'

config bridge-vlan
	option device 'VLAN'
	option vlan '70'
	list ports 'wan:t'

config device
	option type 'bridge'
	option name 'ADMINCLIENT'
	list ports 'VLAN.40'

config interface 'ADMINCLIENT_40'
	option proto 'dhcp'
	option device 'ADMINCLIENT'

config device
	option type 'bridge'
	option name 'CLIENT'
	list ports 'VLAN.50'

config interface 'CLIENT_50'
	option proto 'dhcp'
	option device 'CLIENT'

config device
	option type 'bridge'
	option name 'GUEST'
	list ports 'VLAN.60'

config device
	option type 'bridge'
	option name 'SMARTHOME'
	list ports 'VLAN.70'

config interface 'GUEST_60'
	option proto 'dhcp'
	option device 'GUEST'

config interface 'SMARTHOME_70'
	option proto 'dhcp'
	option device 'SMARTHOME'

config device
	option type 'bridge'
	option name 'MGMT'
	list ports 'VLAN.10'
	option ipv6 '0'


root@OpenWrt-ANKLEIDEZIMMER:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi'
	option channel '9'
	option band '2g'
	option htmode 'HE40'
	option cell_density '0'
	option txpower '20'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/18000000.wifi+1'
	option channel '44'
	option band '5g'
	option htmode 'HE80'
	option cell_density '0'
	option txpower '20'
	option country 'DE'

config wifi-iface 'wifinet0'
	option device 'radio1'
	option mode 'ap'
	option encryption 'psk2'
	option key '*************************'
	option network 'ADMINCLIENT_40'
	option ssid '*************************'
	option ieee80211r '1'
	option mobility_domain '1111'
	option ft_over_ds '0'
	option ieee80211w '0'
	option ft_psk_generate_local '1'
	option disassoc_low_ack '0'
	option auth_restrict '0'

config wifi-iface 'wifinet1'
	option device 'radio1'
	option mode 'ap'
	option encryption 'psk2'
	option network 'CLIENT_50'
	option key '*************************'
	option ssid '*************************'
	option disassoc_low_ack '0'
	option ieee80211r '1'
	option mobility_domain '1111'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option disabled '1'

config wifi-iface 'wifinet2'
	option device 'radio0'
	option mode 'ap'
	option ssid '*************************'
	option encryption 'psk2'
	option key '*************************'
	option network 'SMARTHOME_70'
	option disassoc_low_ack '0'
	option ieee80211r '1'
	option mobility_domain '1111'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'

config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'ap'
	option encryption 'psk2'
	option key '*************************'
	option network 'GUEST_60'
	option ssid '*************************'
	option disassoc_low_ack '0'
	option ieee80211r '1'
	option mobility_domain '1111'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option disabled '1'

I don't know if this will solve your problem because (despite your comment) it really seems like an aging time issue, but the network configuration doesn't look right.

You only need one bridge device. Then set the vlan IDs and port membership in the bridge-vlan sections and use the dot notation to define the devices in the interface sections.

Also, if you insist on using dhcp protocol for the other interfaces, set metrics to avoid the confusion with multiple gateways.

Example:

...

config device
	    option type 'bridge'
	    option name 'VLAN'
	    list ports 'lan2'
	    list ports 'lan3'
	    list ports 'lan4'
	    list ports 'wan'

config bridge-vlan
	    option device 'VLAN'
	    option vlan '10'
	    list ports 'wan'

config bridge-vlan
	    option device 'VLAN'
	    option vlan '40'
	    list ports 'wan:t'

config interface 'lan'
	    option device 'VLAN.10'
	    option proto 'static'
	    option ipaddr '192.168.10.250'
	    option netmask '255.255.255.0'
	    option gateway '192.168.10.254'

config interface 'ADMINCLIENT_40'
	    option proto 'dhcp'
	    option device 'VLAN.40'
	    option metric '40'

...
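The two layout points raised in the reply above (per-VLAN bridges stacked on top of the VLAN-aware bridge, and dhcp interfaces without a metric) can be checked mechanically against a copy of `/etc/config/network`. This is an added example in Python, not part of the original thread or of OpenWrt; the function names and rule labels are hypothetical, and it assumes single-quoted option values as in the posted config.

```python
import re

# Constructed sample: a bridge stacked on VLAN.60, and dhcp with and without a metric.
SAMPLE = """
config device
    option name 'VLAN'
    option type 'bridge'
    list ports 'wan'
config device
    option name 'GUEST'
    option type 'bridge'
    list ports 'VLAN.60'
config interface 'GUEST_60'
    option device 'GUEST'
    option proto 'dhcp'
config interface 'CLIENT_50'
    option device 'VLAN.50'
    option proto 'dhcp'
    option metric '50'
"""

def parse_uci(text):
    """Parse single-quoted UCI text into [{'type', 'name', 'opts': {key: [values]}}]."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?", line)
        if m is None:
            continue
        kind, key, val = m.groups()
        if kind == "config":
            sections.append({"type": key, "name": val, "opts": {}})
        elif sections:
            sections[-1]["opts"].setdefault(key, []).append(val)
    return sections

def lint_network(text):
    """Return (rule, section, detail) tuples; rule names are hypothetical labels."""
    secs = parse_uci(text)
    bridges = {s["opts"]["name"][0]: s["opts"].get("ports", []) for s in secs
               if s["type"] == "device" and s["opts"].get("type") == ["bridge"]
               and "name" in s["opts"]}
    # A bridge whose port is <other-bridge>.<vid> is the redundant extra bridge.
    findings = [("stacked-bridge", name, p) for name, ports in bridges.items()
                for p in ports if "." in p and p.split(".")[0] in bridges]
    for s in secs:
        o = s["opts"]
        if s["type"] == "interface" and o.get("proto") == ["dhcp"] and "metric" not in o:
            findings.append(("dhcp-no-metric", s["name"], o.get("device", ["?"])[0]))
    return findings
```

Calling `lint_network(open("network").read())` on a copy of the AP's file lists each extra bridge and each dhcp interface that still lacks a metric.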

Thank you for your time! I already planned setting all VLAN networks to unspecified, except the vlan10 (static for luci access). I'll change the config, will do some further testing and will report any new behaviors :slight_smile:
