Hostapd and 802.1q vlan tagging with DSA devices

Hi,

I'm running 23.05.0 on a Linksys EA8300 that's set up with a single vlan_filtering enabled bridge containing all physical lan ports, with 802.1q interfaces set up for each vlan. The new DSA style. Works fine to tag / untag individual wired ports and traffic flows as expected.

By default adding a wireless AP adds a phyX-apY to the bridge with the corresponding vlan untagged (I see /tmp/run/hostapd-phyX.conf has snoop_iface set to the 802.1q interface from above). Also works as expected, however you need one AP per vlan, which doesn't scale well.

According to the docs one can set hostapd to use dynamic vlans, and this will allow one to create a new device per vlan and add it to a bridge all via a single AP.

The problem is there's no way that I can see to set the tagging on the bridge.

Example:

[/etc/config/wireless section]

config wifi-iface 'wifinet0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'TEST'
        option encryption 'psk2'
        option wpa_psk_file '/etc/hostapd.wpa_psk'
        option vlan_file '/etc/hostapd.vlan'
        option vlan_bridge 'br-switch'
        option dynamic_vlan '1'
        ...

# cat /etc/hostapd.wpa_psk
vlanid=10 00:00:00:00:00:00 foosecret
vlanid=20 00:00:00:00:00:00 barsecret

# cat /etc/hostapd.vlan
10 wlan.10 br-switch
20 wlan.20 br-switch

This creates a wlan.10 device on the bridge, however it is tagged for vlan 1.

# bridge vlan show | grep wlan
wlan.10           1 PVID Egress Untagged

This can be modified with a hotplug script, but that's suboptimal.

My question is: does anyone know where the code that adds the dynamic AP device to the bridge resides? (Or even better, if one can control the vlan tagging when that happens.)

I'm not familiar with this topic, but I stumbled upon the following thread yesterday:

I know that it doesn't fully cover your problem, but maybe you can find a hint on the solution there? At first glance, I would try to add the options

vlan_tagged_interface 'br-switch'
vlan_naming '1'

to your wifi-iface section as explained in the wpa_psk_file section of the documentation.

You may be able to set up something like this from the OpenWrt wireless config (without modifying hostapd config files), with wifi-vlan and wifi-station stanzas. Example: HaP AC2 (ipq4018) + hostapd dynamic vlans. Source: https://lxr.openwrt.org/source/netifd/wireless.c, https://github.com/openwrt/openwrt/blob/1998027d7cbb9d8f3986964bbdae070296bdce56/package/network/services/hostapd/files/hostapd.sh#L392, but I have seen bugs in ath10k firmware around this.


Thanks! These wifi-vlan and wifi-station settings worked and provided exactly what I wanted.


Hi this is very interesting. The info is scattered in quite many threads. Could you share the working solution revealing the necessary files, /etc/config/wireless, /etc/hostapd.wpa_psk and /etc/hostapd.vlan for a single working dynamic vlan. Would really appreciate.

Here's a working example. This DSA device has 5 wired ethernet ports (named lan1 through lan4, plus a wan) and 3 internal radios. It's set up as a dumb AP to do the following:

  • wan is a vlan trunk back to the rest of the network.
  • lan1 and lan2 are untagged on vlan 10.
  • lan3 and lan4 are untagged on vlan 20.
  • all 3 radios have an SSID called TEST that connects clients to either vlan 10 or 20 based on the password used.
  • there is an interface on vlan 99 for access to the device itself (ssh, luci, etc.)

Network settings:

# cat /etc/config/network
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd95:1234:5678::/48'

config device
	option name 'br-switch'
	option type 'bridge'
	option igmp_snooping '1'
	option stp '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

config device
	option name 'wan'
	option macaddr '12:34:56:78:00:00'

config device
	option name 'lan1'
	option macaddr '12:34:56:78:00:01'

config device
	option name 'lan2'
	option macaddr '12:34:56:78:00:02'

config device
	option name 'lan3'
	option macaddr '12:34:56:78:00:03'

config device
	option name 'lan4'
	option macaddr '12:34:56:78:00:04'

config bridge-vlan
	option device 'br-switch'
	option vlan '10'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-switch'
	option vlan '20'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-switch'
	option vlan '99'
	list ports 'wan:t'

config device
	option name 'br-switch.10'
	option type '8021q'
	option ifname 'br-switch'
	option vid '10'
	option macaddr '12:34:56:78:00:10'

config device
	option name 'br-switch.20'
	option type '8021q'
	option ifname 'br-switch'
	option vid '20'
	option macaddr '12:34:45:78:00:20'

config device
	option name 'br-switch.99'
	option type '8021q'
	option ifname 'br-switch'
	option vid '99'
	option macaddr '12:34:45:78:00:99'

config interface 'vlan10'
	option device 'br-switch.10'
	option proto 'none'
	option delegate '0'

config interface 'vlan20'
	option device 'br-switch.20'
	option proto 'none'
	option delegate '0'

config interface 'manage'
	option device 'br-switch.99'
	option proto 'dhcp'
	option delegate '0'

Wireless settings:

# cat /etc/config/wireless
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/40000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '144'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'
	option country 'US'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/a000000.wifi'
	option channel '11'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'
	option country 'US'

config wifi-device 'radio2'
	option type 'mac80211'
	option path 'platform/soc/a800000.wifi'
	option channel '64'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'
	option country 'US'

config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'TEST'
	option encryption 'psk2+ccmp'
	option key 'donotuse'
	option ifname 'wlan0'
	option multicast_to_unicast_all '1'

config wifi-iface 'wifinet1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'TEST'
	option encryption 'psk2+ccmp'
	option key 'donotuse'
	option ifname 'wlan1'
	option multicast_to_unicast_all '1'

config wifi-iface 'wifinet2'
	option device 'radio2'
	option mode 'ap'
	option ssid 'TEST'
	option encryption 'psk2+ccmp'
	option key 'donotuse'
	option ifname 'wlan2'
	option multicast_to_unicast_all '1'

config wifi-vlan
	option name 'vlan10'
	option network 'vlan10'
	option vid '10'

config wifi-station
	option key 'secret10'
	option vid '10'

config wifi-vlan
	option name 'vlan20'
	option network 'vlan20'
	option vid '20'

config wifi-station
	option key 'secret20'
	option vid '20'

That's all that is needed. Device has the following bridge setup:

# bridge vlan show
port              vlan-id  
lan1              10 PVID Egress Untagged
lan2              10 PVID Egress Untagged
lan3              20 PVID Egress Untagged
lan4              20 PVID Egress Untagged
wan               10
                  20
                  99
br-switch         10
                  20
                  99
wlan1-vlan20      20 PVID Egress Untagged
wlan1-vlan10      10 PVID Egress Untagged
wlan0-vlan20      20 PVID Egress Untagged
wlan0-vlan10      10 PVID Egress Untagged
wlan2-vlan20      20 PVID Egress Untagged
wlan2-vlan10      10 PVID Egress Untagged

Results

  1. All vlans pass up/down the trunk on the wan port as tagged traffic.
  2. Can plug in a cable to any of the lan ports and those devices will be connected to the corresponding vlan as untagged traffic. They get (from upstream) a dhcp lease for ipv4 and see RA for ipv6.
  3. Have a single SSID of "TEST" on 3 different frequencies, and clients using secret10 are connected to vlan 10, those using secret20 on vlan 20. Again, as untagged traffic. These get (from upstream) a dhcp lease for ipv4 and see RA for ipv6.
  4. Can remotely communicate with this device over vlan 99 for ssh, luci, etc.

Edit

To get ipv6 RA events working on the radios I needed to add option multicast_to_unicast_all '1' to each. Not entirely sure why.
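The first post's symptom (a dynamic-VLAN device landing on VLAN 1) and the bridge vlan show output just above are the two cases this added audit checks for; it is example code written for this page, not from the thread or from OpenWrt, and it assumes the <radio>-vlan<N> port naming shown in the working output. It parses bridge vlan show output and flags any such port that sits on default VLAN 1, lacks VLAN N as PVID Egress Untagged, or is a member of some other VLAN; the two samples are constructed from the outputs quoted in the thread.

```shell
# Added audit for hostapd dynamic-VLAN bridge membership (example, not from the thread).
# Reads `bridge vlan show` output on stdin and prints a FINDING line for each
# <radio>-vlan<N> port that is wrong; returns 1 if there were any findings.
audit_wlan_vlans() {
    awk '
    $2 == "vlan-id" { next }                                 # header line
    {
        if ($0 ~ /^[^ \t]/) { port = $1; vid = $2; f = 3 }   # first VLAN of a port
        else                { vid = $1; f = 2 }              # continuation line: same port
        if (vid !~ /^[0-9]+$/) next
        flags = ""
        for (i = f; i <= NF; i++) flags = flags (i > f ? " " : "") $i
        if (vid == 1) { print "FINDING: " port " is a member of default VLAN 1"; bad++ }
        if (match(port, /-vlan[0-9]+$/)) {
            want = substr(port, RSTART + 5)                  # the N in <radio>-vlan<N>
            named[port] = want
            if (vid == want) {
                seen[port] = 1
                if (flags != "PVID Egress Untagged") {
                    print "FINDING: " port " has VLAN " vid " as \"" flags "\", expected PVID Egress Untagged"; bad++
                }
            } else if (vid != 1) {
                print "FINDING: " port " is also a member of VLAN " vid; bad++
            }
        }
    }
    END {
        for (p in named) if (!(p in seen)) { print "FINDING: " p " is missing VLAN " named[p]; bad++ }
        exit (bad ? 1 : 0)
    }'
}

# Wrapper so a captured output held in a variable can be audited.
audit_text() { printf '%s\n' "$1" | audit_wlan_vlans; }

# Constructed sample: the working layout, trimmed to one radio.
SAMPLE_GOOD='port              vlan-id
lan1              10 PVID Egress Untagged
wan               10
                  20
wlan0-vlan10      10 PVID Egress Untagged
wlan0-vlan20      20 PVID Egress Untagged'

# Constructed sample: the original symptom (device created on VLAN 1) plus a port that is tagged, not PVID/untagged.
SAMPLE_BAD='port              vlan-id
wlan0-vlan10      1 PVID Egress Untagged
wlan0-vlan20      20'
```

On the AP itself run it as `bridge vlan show | audit_wlan_vlans`, e.g. from a hotplug script or a periodic check, so a regression back to VLAN 1 is caught rather than silently bridging clients onto the wrong segment.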


Thanks a million, I can adapt this easily to my cluttered hassle :wink:


@chill Many thanks for the write up. I notice the wifi-iface definitions specify a key but not an explicit network. What happens if a client attempts to associate using psk donotuse?

Nothing much. They associate with the AP but have no connectivity.

This config works fine with my netgear wax 206 (mt7622). Now I'm struggling to get it working in a xiaomi ax9000 (IPQ8074). Exactly the same config seems to work with the QCA9887 radio in the same router.

Mon Oct 30 11:53:20 2023 daemon.notice netifd: radio2 (8233): WARNING: Variable 'data' does not exist or is not an array/object

Mon Oct 30 11:53:20 2023 daemon.err hostapd: Failed to create interface phy2-ap0-vlan3: -95 (Not supported)
Mon Oct 30 11:53:20 2023 daemon.err hostapd: VLAN: Could not add VLAN phy2-ap0-vlan3: No such device
Mon Oct 30 11:53:20 2023 daemon.err hostapd: VLAN initialization failed.


Any ideas?

Guessing ipq8074 is using an ath11k device, and that driver does not support the needed config (again guessing, that would be AP/VLAN), check iw phy on devices that do and do not work.
If it is AP/VLAN, this sadly seems pretty typical of Qualcomm: There is a reviewed patch that was not followed up:


Looks like the problem is related to ath11k. I have no idea how to deploy the mentioned patch :wink:
