Dynamic VLANs on my Netgear WAX220 are killing the network

Hi there! I have a weird problem using EAP and dynamic VLANs on my WAX220.
Something is killing the whole network communication once users start logging in to the AP. It starts with occasional packet loss, e.g. pings to the firewall (pfSense with FreeRADIUS) get lost. Later, other internal devices also become unreachable and the whole network becomes unusable.
The same setup on a Belkin RT3200 works flawlessly. At first glance I also could not see any suspicious packets, and there is no flooding either.
Using VLANs alone also works as intended. It is only the combination of EAP and dynamic VLANs that is causing the problems.

Here are the settings for network:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fda8:822c:9157::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        option ipv6 '0'
        option stp '1'
        option sendredirects '0'

config device
        option name 'eth0'
        option macaddr '94:18:65:43:7e:38'
        option mtu '1500'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option gateway '192.168.13.1'
        option netmask '255.255.255.0'
        option force_link '0'
        option defaultroute '0'
        option delegate '0'

config interface 'vlan1'
        option proto 'dhcp'
        option device 'br-vlan1'
        option hostname 'wifiap3'
        option defaultroute '0'
        option delegate '0'

config interface 'vlan8'
        option proto 'dhcp'
        option device 'br-vlan8'
        option hostname 'wifiap3-8'
        option defaultroute '0'
        option delegate '0'

config interface 'vlan16'
        option proto 'dhcp'
        option device 'br-vlan16'
        option hostname 'wifiap3-16'
        option defaultroute '0'
        option delegate '0'

config interface 'vlan32'
        option proto 'dhcp'
        option device 'br-vlan32'
        option hostname 'wifiap3-32'
        option defaultroute '0'
        option delegate '0'

config device
        option type 'bridge'
        option name 'br-vlan1'
        list ports 'br-lan.1'

config device
        option type 'bridge'
        option name 'br-vlan8'
        list ports 'br-lan.8'

config device
        option type 'bridge'
        option name 'br-vlan16'
        list ports 'br-lan.16'

config device
        option type 'bridge'
        option name 'br-vlan32'
        list ports 'br-lan.32'

and for wireless:

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi'
        option channel 'auto'
        option band '2g'
        option htmode 'HE20'
        option cell_density '0'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'vlan8'
        option mode 'ap'
        option ssid 'IOT NETWORK'
        option encryption 'sae-mixed'
        option key 'SecretSecret'
        option disabled '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'platform/soc/18000000.wifi+1'
        option channel 'auto'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'IOT NETWORK 5G'
        option encryption 'sae-mixed'
        option key 'SecretSecret'
        option network 'vlan8'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'PRIVAT NETWORK TWO'
        option encryption 'wpa3-mixed+ccmp'
        option auth_server '192.168.13.1'
        option auth_secret 'confidential'
        option acct_server '192.168.13.1'
        option acct_secret 'confidential'
        option vlan_tagged_interface 'eth0'
        option ieee80211w '1'
        option dynamic_vlan '2'
        option vlan_bridge 'br-vlan'

Any idea where to look is greatly appreciated, because poking around in the settings has had no effect so far. Thank you!

Remove from lan interface.
Also, I don't see why you need the DHCP protocol for all the VLAN interfaces. Change it to unmanaged.

Thanks! That was a big step forward. It now seems to work with all VLANs but vlan1. This is my main VLAN, so I stuck with DHCP enabled on that one to maintain reachability. Whenever clients connect to vlan1 it kills the network again.
I tried with an unmanaged vlan1 interface and a static IP on lan, but with this I could not get a connection to the AP via vlan1. Tweaking the VLAN settings on the switch also did not help.
I will keep trying, but maybe you can share some more insights into the problem? Thank you!

You really should keep just one interface for management of the access point. Every other interface doesn't need to have an IP address, hence it can be unmanaged.
One more thing to verify is the br-vlan* devices. The DSA tutorial is quite different: you need only one device with all the ports and one bridge-vlan for every VLAN.

I got it up and running now! At least part of the problem was the default "lan-br" device. I boiled everything down to the essentials. Well, I should have done this from the beginning, but I was mentally stuck with the working configuration from the Belkin router (which has an integrated switch and not just a single LAN interface).

For the record here is also my working network configuration for a mixed setup with dynamic and static VLANs. Thanks again!

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fda8:822c:9157::/48'

config device
	option name 'eth0'
	option macaddr '94:18:65:43:7e:38'
	option mtu '1500'

config interface 'fallback'
	option proto 'static'
	option device 'eth0'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'

config interface 'vlan1'
	option proto 'static'
	option device 'br-vlan1'
	option ipaddr '192.168.13.4'
	option netmask '255.255.255.0'
	option gateway '192.168.13.1'
	list dns '192.168.13.1'

config interface 'vlan8'
	option proto 'none'
	option device 'br-vlan8'
	option defaultroute '0'

config interface 'vlan16'
	option proto 'none'
	option device 'br-vlan16'
	option defaultroute '0'

config interface 'vlan32'
	option proto 'none'
	option device 'br-vlan32'
	option defaultroute '0'

config device
	option type 'bridge'
	option name 'br-vlan1'
	list ports 'eth0.1'
	option bridge_empty '1'

config device
	option type 'bridge'
	option name 'br-vlan8'
	list ports 'eth0.8'
	option bridge_empty '1'

config device
	option type 'bridge'
	option name 'br-vlan16'
	list ports 'eth0.16'
	option bridge_empty '1'

config device
	option type 'bridge'
	option name 'br-vlan32'
	list ports 'eth0.32'
	option bridge_empty '1'
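As an added example (not part of the thread, and not OpenWrt project code), the points raised in the two replies above can be checked mechanically: a bridge that is built on another bridge's 802.1Q sub-interface (the br-lan.N inside br-vlanN layout of the first config), more than one interface running a DHCP client on an AP that only needs one addressed management interface, and a static gateway that lies outside the interface's own subnet (the first config's lan has 192.168.1.1/24 with gateway 192.168.13.1). The Python below contains a small parser for UCI `config` / `option` / `list` stanzas and three lint rules; both are my own, not a UCI library. The BROKEN and FIXED strings are constructed, trimmed copies of the first and the final network config posted in the thread (vlan16 and vlan32 dropped, FIXED shortened to the fallback and vlan1 parts).

```python
import ipaddress
import re

# Constructed, trimmed copies of the two configs posted in this thread.
BROKEN = """
config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option gateway '192.168.13.1'
        option netmask '255.255.255.0'
config interface 'vlan1'
        option proto 'dhcp'
        option device 'br-vlan1'
config interface 'vlan8'
        option proto 'dhcp'
        option device 'br-vlan8'
config device
        option type 'bridge'
        option name 'br-vlan1'
        list ports 'br-lan.1'
config device
        option type 'bridge'
        option name 'br-vlan8'
        list ports 'br-lan.8'
"""
FIXED = """
config interface 'fallback'
        option proto 'static'
        option device 'eth0'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
config interface 'vlan1'
        option proto 'static'
        option device 'br-vlan1'
        option ipaddr '192.168.13.4'
        option netmask '255.255.255.0'
        option gateway '192.168.13.1'
config device
        option type 'bridge'
        option name 'br-vlan1'
        list ports 'eth0.1'
"""

# One UCI token: a single- or double-quoted string, or a bare word.
TOKEN = re.compile(r"'[^']*'|\"[^\"]*\"|\S+")


def parse_uci(text):
    """Parse UCI 'config <type> [name]' / 'option' / 'list' lines into section dicts."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        parts = [p.strip("'\"") for p in TOKEN.findall(line)]
        if parts[0] == 'config':
            cur = {'type': parts[1], 'name': parts[2] if len(parts) > 2 else None,
                   'options': {}, 'lists': {}}
            sections.append(cur)
        elif parts[0] == 'option' and cur is not None:
            cur['options'][parts[1]] = parts[2] if len(parts) > 2 else ''
        elif parts[0] == 'list' and cur is not None:
            cur['lists'].setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else '')
    return sections


def lint_network(text):
    """Return a list of human-readable findings for a UCI network config."""
    sections = parse_uci(text)
    findings = []
    bridges = {s['options']['name']: s['lists'].get('ports', [])
               for s in sections if s['type'] == 'device' and s['options'].get('type') == 'bridge'}
    interfaces = [s for s in sections if s['type'] == 'interface' and s['name'] != 'loopback']

    # 1. A port named <bridge>.N is a VLAN sub-interface of another bridge: bridge stacked on bridge.
    for name, ports in bridges.items():
        for port in ports:
            base = port.split('.')[0]
            if base != name and base in bridges:
                findings.append(f"{name}: port {port} is a VLAN sub-interface of bridge {base}; "
                                f"put the VLAN on the physical port instead (e.g. eth0.N)")
    # 2. An AP needs one addressed management interface; several DHCP clients are a smell.
    dhcp = [s['name'] for s in interfaces if s['options'].get('proto') == 'dhcp']
    if len(dhcp) > 1:
        findings.append(f"{len(dhcp)} interfaces run a DHCP client ({', '.join(dhcp)}); "
                        f"keep one management interface and set the rest to proto 'none'")
    # 3. A static gateway outside the interface's own subnet is unreachable from that interface.
    for s in interfaces:
        o = s['options']
        if o.get('proto') == 'static' and all(k in o for k in ('ipaddr', 'netmask', 'gateway')):
            net = ipaddress.ip_network(f"{o['ipaddr']}/{o['netmask']}", strict=False)
            if ipaddress.ip_address(o['gateway']) not in net:
                findings.append(f"{s['name']}: gateway {o['gateway']} is outside {net}")
    return findings
```

On the AP itself, `lint_network(open('/etc/config/network').read())` runs the same three checks against the live file. The findings are advisory, not a diagnosis: in this thread the fix was to drop the gateway and the extra DHCP clients and to build the br-vlanN bridges directly on eth0.N rather than on br-lan.N.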