HaP AC2 (ipq4018) + hostapd dynamic vlans

Hi

I would like to set up a passphrase-based auth/VLAN dumb AP on a HaP AC2.
DSA is working well;
ports are correctly tagged/untagged (tested).

But wireless is not working:
I can connect to the AP with the various passwords, and the WiFi interfaces are added to the bridge with the correct PVID,
but clients never get an IP from the DHCP server.

I tried with the CT and non-CT wifi drivers,
same result.

Any idea how to solve this?
edit: distro info

DISTRIB_RELEASE='SNAPSHOT'
DISTRIB_REVISION='r23827-ef76b6ff3e'
DISTRIB_TARGET='ipq40xx/mikrotik'
DISTRIB_ARCH='arm_cortex-a7_neon-vfpv4'
DISTRIB_DESCRIPTION='OpenWrt SNAPSHOT r23827-ef76b6ff3e'

here is relevant info

bridge vlan show
port              vlan-id  
lan4              255 PVID Egress Untagged
lan3              200 PVID Egress Untagged
lan2              100 PVID Egress Untagged
lan1              2 PVID Egress Untagged
wan               1 PVID Egress Untagged
                  2
                  100
                  200
                  255
switch            1
                  2
                  100
                  200
                  255
wlan1-vlan255     255 PVID Egress Untagged
wlan1-vlan200     200 PVID Egress Untagged
wlan1-vlan100     100 PVID Egress Untagged
wlan1-vlan2       2 PVID Egress Untagged
wlan1-vlan1       1 PVID Egress Untagged
wlan0-vlan255     255 PVID Egress Untagged
wlan0-vlan200     200 PVID Egress Untagged
wlan0-vlan100     100 PVID Egress Untagged
wlan0-vlan2       2 PVID Egress Untagged
wlan0-vlan1       1 PVID Egress Untagged
brctl show
bridge name     bridge id               STP enabled     interfaces
switch          7fff.0855317e66ff       no              wlan1-vlan1
                                                        wlan0-vlan2
                                                        wlan0-vlan200
                                                        lan4
                                                        lan2
                                                        wlan0-vlan255
                                                        wlan1-vlan2
                                                        wan
                                                        wlan1-vlan200
                                                        wlan0-vlan100
                                                        wlan1-vlan255
                                                        wlan0-vlan1
                                                        lan3
                                                        wlan1-vlan100
                                                        lan1
config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'ap'
        option ssid 't-WIFI'
        option encryption 'psk2+aes'
        option wmm '1'
        option short_preamble '1'
        option disassoc_low_ack '0'
        option max_inactivity '120'
        option isolate '1'
        option disabled '0'
        option key 'SomeUnusedPass'
        option ifname 'wlan0'
        option macaddr '0e:01:99:00:01:99'

config wifi-iface 'wifinet1'
        option device 'radio1'
        option mode 'ap'
        option ssid 't5-WIFI'
        option encryption 'psk2+aes'
        option wmm '1'
        option short_preamble '1'
        option disassoc_low_ack '0'
        option max_inactivity '120'
        option isolate '1'
        option disabled '0'
        option key 'SomeUnusedPass'
        option ifname 'wlan1'
        option macaddr '0e:01:99:01:01:99'

config wifi-vlan
        option name 'vlan1'
        option network 'vlan1'
        option vid '1'

config wifi-station
        option key 'tst1-vlan1'
        option vid '1'

config wifi-vlan
        option name 'vlan2'
        option network 'vlan2'
        option vid '2'

config wifi-station
        option key 'tst2-guest'
        option vid '2'

config wifi-vlan
        option name 'vlan100'
        option network 'vlan100'
        option vid '100'

config wifi-station
        option key 'tst100-prn'
        option vid '100'

config wifi-vlan
        option name 'vlan200'
        option network 'vlan200'
        option vid '200'

config wifi-station
        option key 'tst200-lan'
        option vid '200'

config wifi-vlan
        option name 'vlan255'
        option network 'vlan255'
        option vid '255'

config wifi-station
        option key 'tst255-vlan255'
        option vid '255'
config device
        option type 'bridge'
        option name 'switch'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'wan'

config bridge-vlan
        option device 'switch'
        option vlan '1'
        list ports 'wan:u*'

config bridge-vlan
        option device 'switch'
        option vlan '2'
        list ports 'lan1:u*'
        list ports 'wan:t'

config bridge-vlan
        option device 'switch'
        option vlan '100'
        list ports 'lan2:u*'
        list ports 'wan:t'

config bridge-vlan
        option device 'switch'
        option vlan '200'
        list ports 'lan3:u*'
        list ports 'wan:t'

config bridge-vlan
        option device 'switch'
        option vlan '255'
        list ports 'lan4:u*'
        list ports 'wan:t'

config interface 'vlan1'
        option device 'switch.1'
        option proto 'none'

config interface 'vlan2'
        option proto 'none'
        option device 'switch.2'

config interface 'vlan100'
        option proto 'none'
        option device 'switch.100'

config interface 'vlan200'
        option proto 'none'
        option device 'switch.200'

config interface 'vlan255'
        option proto 'static'
        option device 'switch.255'
        option ipaddr '169.254.1.199'
        option netmask '255.255.255.0'
        option gateway '169.254.1.1'
        option dns '169.254.1.1'

edit2: wifi log

Mon Sep  4 15:59:06 2023 daemon.info hostapd: wlan0: STA 38:fb:14:81:a2:0f IEEE 802.11: authenticated
Mon Sep  4 15:59:06 2023 daemon.info hostapd: wlan0: STA 38:fb:14:81:a2:0f IEEE 802.11: associated (aid 1)
Mon Sep  4 15:59:06 2023 daemon.notice hostapd: Assigned VLAN ID 100 from wpa_psk_file to 38:fb:14:81:a2:0f
Mon Sep  4 15:59:06 2023 daemon.notice hostapd: wlan0: AP-STA-CONNECTED 38:fb:14:81:a2:0f auth_alg=open
Mon Sep  4 15:59:06 2023 daemon.info hostapd: wlan0: STA 38:fb:14:81:a2:0f RADIUS: starting accounting session 01E9E84997870D25
Mon Sep  4 15:59:06 2023 daemon.info hostapd: wlan0: STA 38:fb:14:81:a2:0f WPA: pairwise key handshake completed (RSN)
Mon Sep  4 15:59:06 2023 daemon.notice hostapd: wlan0: EAPOL-4WAY-HS-COMPLETED 38:fb:14:81:a2:0f

The same in wired connection works?

EDIT: the wan interface is mixing untagged (VLAN 1, PVID) and tagged (2/100/200/255) traffic on the same port; some gurus (not me) will say that is "dangerous".

Hi @Klingon

Don't worry, it is working on the wired side;
as I wrote above, it was tested.

DSA is working well
ports are correctly tagged/untagged (tested)

Ok

Further investigation:
it looks like it is working with static IPv4 addresses,
but IPv4 DHCP and IPv6 SLAAC/ND do not work over WiFi!

On ethernet access ports in vlan100/200 everything is OK, DHCP & SLAAC are working:
inet6 2a00:ad00:2000:3200:5267:be02:ec75:7e4b/64 scope global dynamic mngtmpaddr noprefixroute

So it looks like hostapd -> DSA tagging -> ath10k works correctly, but broadcast/multicast has a problem; that is the reason why static v4 works (ARP resolves, as shown below) while DHCP & SLAAC do not work over WiFi.

VLAN200, static v4

Sat Sep  9 05:47:58 2023 daemon.notice hostapd: Assigned VLAN ID 200 from wpa_psk_file to e8:94:f6:1c:de:ba
Sat Sep  9 05:47:58 2023 daemon.notice hostapd: wlan0: AP-STA-CONNECTED e8:94:f6:1c:de:ba auth_alg=open
Sat Sep  9 05:47:58 2023 daemon.info hostapd: wlan0: STA e8:94:f6:1c:de:ba RADIUS: starting accounting session 819C10AC2E499916
Sat Sep  9 05:47:58 2023 daemon.info hostapd: wlan0: STA e8:94:f6:1c:de:ba WPA: pairwise key handshake completed (RSN)
Sat Sep  9 05:47:58 2023 daemon.notice hostapd: wlan0: EAPOL-4WAY-HS-COMPLETED e8:94:f6:1c:de:ba
Sat Sep  9 05:48:12 2023 daemon.info hostapd: wlan0: STA e8:94:f6:1c:de:ba IEEE 802.11: authenticated
Sat Sep  9 05:48:12 2023 daemon.info hostapd: wlan0: STA e8:94:f6:1c:de:ba IEEE 802.11: associated (aid 1)

ping 192.168.200.1
PING 192.168.200.1 (192.168.200.1) 56(84) bytes of data.
64 bytes from 192.168.200.1: icmp_seq=1 ttl=64 time=489 ms
ping 192.168.200.102
PING 192.168.200.102 (192.168.200.102) 56(84) bytes of data.
64 bytes from 192.168.200.102: icmp_seq=1 ttl=64 time=1020 ms

arp -an
? (192.168.200.1) at 06:00:00:00:02:01 [ether] on wlan0
? (192.168.200.102) at 98:3b:8f:b2:66:b9 [ether] on wlan0
? (192.168.200.254) at 06:01:03:00:01:02 [ether] on wlan0

VLAN100, static v4

Sat Sep  9 05:48:12 2023 daemon.notice hostapd: Assigned VLAN ID 100 from wpa_psk_file to e8:94:f6:1c:de:ba
Sat Sep  9 05:48:12 2023 daemon.notice hostapd: wlan0: AP-STA-CONNECTED e8:94:f6:1c:de:ba auth_alg=open
Sat Sep  9 05:48:12 2023 daemon.info hostapd: wlan0: STA e8:94:f6:1c:de:ba RADIUS: starting accounting session 819C10AC2E499916
Sat Sep  9 05:48:12 2023 daemon.info hostapd: wlan0: STA e8:94:f6:1c:de:ba WPA: pairwise key handshake completed (RSN)
Sat Sep  9 05:48:12 2023 daemon.notice hostapd: wlan0: EAPOL-4WAY-HS-COMPLETED e8:94:f6:1c:de:ba

ping 192.168.100.100
PING 192.168.100.100 (192.168.100.100) 56(84) bytes of data.
64 bytes from 192.168.100.100: icmp_seq=1 ttl=255 time=8.38 ms

ping 192.168.100.101
PING 192.168.100.101 (192.168.100.101) 56(84) bytes of data.
64 bytes from 192.168.100.101: icmp_seq=1 ttl=255 time=8.55 ms

arp -an
? (192.168.100.101) at 00:14:38:e6:a4:29 [ether] on wlan0
? (192.168.100.100) at 84:2a:fd:f1:9a:d2 [ether] on wlan0

EDIT:

Linux wr99.netdev.ele 5.15.131 #0 SMP Sat Sep 9 00:15:15 2023 armv7l GNU/Linux
DISTRIB_ARCH='arm_cortex-a7_neon-vfpv4'
DISTRIB_DESCRIPTION='OpenWrt SNAPSHOT r23899-5294b358aa'

EDIT2:

 lsmod 
ath                    24576  1 ath10k_core
ath10k_core           307200  1 ath10k_pci
ath10k_pci             40960  0 
cfg80211              512000  3 ath10k_core,ath,mac80211
cmac                   16384  0 
compat                 16384  3 ath10k_pci,mac80211,cfg80211
crc_ccitt              16384  0 
crc32c_generic         16384  1 
dwc3                   45056  0 
dwc3_qcom              16384  0 
ghash_arm_ce           20480  0 
gpio_button_hotplug    16384  0 
leds_gpio              16384  0 
libcrc32c              16384  0 
mac80211              610304  1 ath10k_core
sha512_arm             24576  0 
xhci_hcd              139264  2 xhci_plat_hcd,xhci_pci
xhci_pci               16384  0 
xhci_plat_hcd          16384  0 

I had not seen wifi-vlan before. You might need to use network_vlan, rather than vid for the wifi-vlan property: Have a look at the netifd source here: https://lxr.openwrt.org/source/netifd/wireless.c#L76
If that does not help, I would suggest querying uci to check that OpenWrt has (loaded) the config you are expecting.

Hi @johnth

tnx for reply

The same config is working on a non-DSA device,
and as you can see in my OP, the bridge & VLANs are properly assigned to the wifi interfaces.

But, to check again:

16: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 0e:01:99:00:01:99 brd ff:ff:ff:ff:ff:ff
17: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP qlen 1000
    link/ether 0e:01:99:01:01:99 brd ff:ff:ff:ff:ff:ff
18: wlan1-vl200: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master switch state UP qlen 1000
    link/ether 0e:01:99:01:01:99 brd ff:ff:ff:ff:ff:ff
19: wlan1-vl100: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master switch state UP qlen 1000
    link/ether 0e:01:99:01:01:99 brd ff:ff:ff:ff:ff:ff
20: wlan1-vl2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master switch state UP qlen 1000
    link/ether 0e:01:99:01:01:99 brd ff:ff:ff:ff:ff:ff
21: wlan0-vl200: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master switch state UP qlen 1000
    link/ether 0e:01:99:00:01:99 brd ff:ff:ff:ff:ff:ff
22: wlan0-vl100: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master switch state UP qlen 1000
    link/ether 0e:01:99:00:01:99 brd ff:ff:ff:ff:ff:ff
23: wlan0-vl2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master switch state UP qlen 1000
    link/ether 0e:01:99:00:01:99 brd ff:ff:ff:ff:ff:ff
bridge vlan show
port              vlan-id  
lan4              255 PVID Egress Untagged
lan3              200 PVID Egress Untagged
lan2              100 PVID Egress Untagged
lan1              2 PVID Egress Untagged
wan               1 PVID Egress Untagged
                  2
                  100
                  200
                  255
switch            1
                  2
                  100
                  200
                  255
wlan1-vl200       200 PVID Egress Untagged
wlan1-vl100       100 PVID Egress Untagged
wlan1-vl2         2 PVID Egress Untagged
wlan0-vl200       200 PVID Egress Untagged
wlan0-vl100       100 PVID Egress Untagged
wlan0-vl2         2 PVID Egress Untagged

ok, will try later

Ok

I tried

config wifi-vlan
        option name 'vl2'
        option network 'vlan2'
        option network_vlan '2'

Sat Sep  9 08:57:23 2023 daemon.err hostapd: Invalid VLAN ID at line 1 in '/var/run/hostapd-wlan0.vlan'
Sat Sep  9 08:57:23 2023 daemon.err hostapd: Line 48: failed to read VLAN file '/var/run/hostapd-wlan0.vlan'
Sat Sep  9 08:57:23 2023 daemon.err hostapd: 1 errors found in configuration file '<inline>'

so that is not working (hostapd rejects the VLAN file when wifi-vlan has no vid),

and I tried with

config wifi-station
        option key 'test-vlan2'
        option network_vlan '2'

but no, that does not work either: the key is not assigned to VID 2, so the wifi passphrase is rejected as invalid.

So, as I wrote before:
the OP config is working on non-DSA devices;
the OP config is partially working on ipq4018 DSA (only static IPv4; no DHCP, no SLAAC).

Did you try with WDS mode?

No, I did not.

My main problem is that I have too many devices, all dumb APs, in a crowded environment; 2.4GHz is catastrophic...
But I need to distribute, let's say, 10 VLANs over WiFi to users:
guest, lan1, lan2, printers, iot, protected_lab, etc.
It could be solved with one SSID per VLAN,
but in this case 10 SSIDs x 20 APs in a crowded environment would be suicide.
So my main idea was to have a single SSID and a per-passphrase VLAN,
so only 20 APs x 1 SSID... much better.
Every type of user will have its own password
(printers, iot, guest...) and according to the password, the VLAN will be assigned.

So in this scenario, dumb APs, I don't understand how WDS would help?
Or maybe I am wrong?

I'm no expert here, but I have had some situations in the past where I had trouble with VLANs and wifi, and option wds '1' helped.
I guess it is necessary when bridging over wifi.

Tried it, but same result.

OK, the facts again:

22.03.05 / ramips / swconfig -> ethernet ports correctly (un)tagged, WiFi correctly assigns VLANs
22.03.05 / ath79 / swconfig -> ethernet ports correctly (un)tagged, WiFi correctly assigns VLANs
SNAPSHOT / ipq4018 / DSA -> ethernet ports correctly (un)tagged, WiFi correctly assigns VLANs, but any type of broadcast/multicast does not work on WiFi (maybe I am wrong), so only static IPv4 works: ARP v4 works, no v4 DHCP, no v6 SLAAC

OK,
here is a wireshark screenshot from wlan / vlan100 taken on OpenWrt:


and it is always stuck at "Offer";
on an ethernet port in the same VLAN it is one round only: Discover -> Offer -> Request -> Ack.

...and dumping on the DSA bridge,
the request and response are correctly tagged with ID=100.

And, lastly,
wireshark on the PC / wifi adapter:
it is clear that the PC sends the Discover,
OpenWrt hears this Discover and forwards it to the DHCP server, the Offer comes back to OpenWrt, but ath10k never passes the 255.255.255.255 broadcast through to the client PC.

@psherman
As it is clear now that the problem is in DSA/ath10k, could you move this thread to the Developer section?

Sorry, yes, the hostapd service does use vid: https://github.com/openwrt/openwrt/blob/7f54d9ba1aa9796e218b554633a4e05906a9ac7f/package/network/services/hostapd/files/hostapd.sh#L392

network_vlan is for extra vlans…: https://github.com/openwrt/netifd/commit/40fad91eb5be5959783d7bb06dcfcfb56bbbb9bd, can ignore it here.

Sorry, that should have been ubus. Wanted to check the vlans section in ubus -v call network.wireless status, to check that the config loaded into netifd is what we are expecting, but the linux level bridge vlans look fine.

Does your working device also work with a current snapshot? hostapd ucode changes started going in in August.


wifi-vlan initial support:

netifd wireless getting support for disabling per-VIF and per VLAN mcast-to-ucast: https://github.com/openwrt/netifd/commit/a2e8cd75dbf6196f9408165e2e5f56c84fa37ca3. There is a difference between hostapd level mcast-to-ucast, and bridge level: https://github.com/openwrt/openwrt/commit/09ea1db93b53d2c1e4a081f20fbbddd4bffd451d
To check: find /sys -iname multicast_to_unicast -exec echo {} \; -exec cat {} \; my */phy*-ap*/brport/multi* are 1 by default.

Some hostapd vlan management is done through netifd: https://github.com/openwrt/openwrt/blob/main/package/network/services/hostapd/patches/710-vlan_no_bridge.patch

Hi @johnth,
thanks for your reply.
I opened the bug report here; it is clear that multicast does not get passed to the client PC, only unicast.

About versions:
I tried 21.02.x, 22.03.x and 23.05 with this modified patch applied to get rid of the doomed eth1 (WAN), so I could use the WAN port as tagged/trunk
(ESS EDMA patches).
Same situation:
ipq4018 + swconfig + dynamic VLANs + ath10k (CT/non-CT) ->
only static IPv4/ARP is working;
brctl show shows the correct wifi interface binding to br-vlanX;
the ethernet/swconfig side is working as expected, I can freely tag/untag any VLAN on any port, v4/v6 working.

It looks like it is related to hostapd -> ath10k, because the situation is the same with swconfig and DSA on ipq4018.

Later today I will try with some Cudy 8/64 ramips device and report back;
at least, all ramips/ath79 swconfig devices I tried work as expected on 19.07.x, 21.02.x, 22.03.x.

This looks similar (Qcom FW bugs no multi TX using dynamic vlans): https://lore.kernel.org/ath10k/268706864.fOQeQAt3TZ@ripper/T/#mb2e79e787678469af15ee9cc06036df540ff1be8. They did find a version that worked.

Edit:
Might also find some hints on ath10k-ct github issues: https://github.com/greearb/ath10k-ct

Hi @johnth

Yes, on a Cudy WR1000 with the latest snapshot, hostapd v2.11-devel, wifi works as expected.

Yes, that is exactly my issue:

For Ben Greear's firmware, the only workaround which I found until now was to
set NL80211_ATTR_MULTICAST_TO_UNICAST_ENABLED to 1 to force mac80211 to send multicast as unicast.

So this info got me to
option multicast_to_unicast '1'
and... failed again :frowning:
Then google, and...
the option was renamed from multicast_to_unicast, oooo sh*t damn it :frowning:
hostapd.sh source
similar bug report as mine
and I tried again with
option multicast_to_unicast_all '1'
Yesss, things are working as expected: 2.4 / 5GHz, v4 DHCP, v6 SLAAC.

So, currently running with
ath10k-CT-SB and QCA-ATH10K 10.4b-ct-4019-fW-13-5ae337bb1 FW.

I tried a few combinations of CT drivers and 2 different ath10k FW, but still no luck:
option multicast_to_unicast_all '1' is mandatory.

I have no more patience to try different CT/non-CT plain/smallbuffer & FW combinations, so I will mark this answer as the solution for now.

But from my point of view it is far from a solution; it is a workaround :frowning:
Anyway, thank you for the help and pointers.

P.S. Is it worth raising an issue on @greearb's GitHub?

Yes, I think worth asking Ben if this did get tested and addressed as the last mail in that thread planned.

To test wlan firmware you should be able to drop in the replacement /lib/firmware/ath10k/QCA4019/hw1.0/firmware-5.bin file, then reload ath10k: rmmod ath10k_pci && rmmod ath10k_core && modprobe ath10k_pci. Switching between -ct and upstream firmwares is less clear-cut.
In the netdev mail, Sven found three non-ct firmwares (available from https://github.com/kvalo/ath10k-firmware/tree/master/QCA4019/hw1.0) that worked for their config. This included the current (2018) linux-firmware blob, which should be available in OpenWrt as ath10k-firmware-qca4019, and installed with the non-ct kmod-ath10k. There are also significantly newer firmware blobs around in QSDK packages (plenty on Github) like qca-wifi-fw-IPQ4019_hw_1-WLAN.BL.3.15-00023-S-1.tar.bz2

firmware blob                                 | works | PER_PACKET_SW_ENCRYPT
3.5.3/firmware-5.bin_10.4-3.5.3-00057         | Y     | Y
3.5.3/firmware-5.bin_10.4-3.5.3-00078         | Y     | Y
3.6/firmware-5.bin_10.4-3.6-00140             | Y     | Y

Qualcomm seem to consistently leave things partially functional.