Hostapd and 802.1q vlan tagging with DSA devices

Here's a working example. This DSA device has 5 wired ethernet ports (named lan1 through lan4, plus a wan) and 3 internal radios. It's set up as a dumb AP (it bridges traffic and has no IP address on the client VLANs) to do the following:

  • wan is a vlan trunk back to the rest of the network.
  • lan1 and lan2 are untagged on vlan 10.
  • lan3 and lan4 are untagged on vlan 20.
  • all 3 radios broadcast a single SSID called TEST; clients are placed on either vlan 10 or vlan 20 depending on which password they use.
  • there is a management interface on vlan 99 for access to the device itself (ssh, luci, etc); vlan 99 is carried tagged on the wan trunk only and is never handed out untagged on a lan port.

Network settings:

# cat /etc/config/network
# Loopback; standard on every OpenWrt build, unchanged from the defaults.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

# Site-local ULA prefix. Placeholder value; it is only used if this device
# serves IPv6 itself, which it does not in this setup (vlan10/vlan20 below are
# proto 'none' and 'manage' is a DHCP client) -- confirm nothing else here
# references it.
config globals 'globals'
	option ula_prefix 'fd95:1234:5678::/48'

# One VLAN-aware bridge over all five DSA ports. Per-port VLAN membership
# comes from the bridge-vlan sections further down (see the `bridge vlan show`
# output at the end), so no port carries a VLAN it is not explicitly listed in.
# stp '1' guards against a loop if a lan port is ever cabled back into the
# trunk; igmp_snooping '1' keeps multicast off ports with no subscribers.
config device
	option name 'br-switch'
	option type 'bridge'
	option igmp_snooping '1'
	option stp '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

# Fixed per-port MACs. These are placeholders (locally administered: the 0x02
# bit of the first octet is set); either put the device's real addresses here
# or drop these sections to keep the hardware MACs.
config device
	option name 'wan'
	option macaddr '12:34:56:78:00:00'

config device
	option name 'lan1'
	option macaddr '12:34:56:78:00:01'

config device
	option name 'lan2'
	option macaddr '12:34:56:78:00:02'

config device
	option name 'lan3'
	option macaddr '12:34:56:78:00:03'

config device
	option name 'lan4'
	option macaddr '12:34:56:78:00:04'

# VLAN 10: lan1/lan2 untagged (their PVID), tagged on the wan trunk.
# A lan port is a member of exactly one VLAN, so an 802.1Q-tagged frame for
# any other VID arriving on it is dropped on ingress -- a host on lan1 cannot
# tag its way onto vlan 20 or 99.
config bridge-vlan
	option device 'br-switch'
	option vlan '10'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'wan:t'

# VLAN 20: lan3/lan4 untagged (their PVID), tagged on the wan trunk.
config bridge-vlan
	option device 'br-switch'
	option vlan '20'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan:t'

# VLAN 99: management. Tagged on wan only; no physical or wireless port is an
# untagged member, so the only way onto it is via the upstream trunk.
config bridge-vlan
	option device 'br-switch'
	option vlan '99'
	list ports 'wan:t'

# 802.1Q sub-interfaces of the bridge, one per VLAN. These give netifd a
# device to bind the 'interface' sections below to; wifi-vlan sections that
# name those interfaces end up as untagged members of br-switch on the same
# VID (see the wlanN-vlanNN lines in `bridge vlan show`).
# The MACs are placeholders; note the second and third use '12:34:45:78' while
# every other address in this file uses '12:34:56:78' -- harmless, but looks
# like a typo worth making consistent.
config device
	option name 'br-switch.10'
	option type '8021q'
	option ifname 'br-switch'
	option vid '10'
	option macaddr '12:34:56:78:00:10'

config device
	option name 'br-switch.20'
	option type '8021q'
	option ifname 'br-switch'
	option vid '20'
	option macaddr '12:34:45:78:00:20'

config device
	option name 'br-switch.99'
	option type '8021q'
	option ifname 'br-switch'
	option vid '99'
	option macaddr '12:34:45:78:00:99'

# Client VLANs. proto 'none' means the AP has no IP address on these segments:
# it bridges client traffic but is not itself reachable from it, which is the
# whole point of a "dumb AP". delegate '0' keeps these out of IPv6 prefix
# delegation. These sections exist mainly as the 'network' target for the
# wifi-vlan sections in /etc/config/wireless.
config interface 'vlan10'
	option device 'br-switch.10'
	option proto 'none'
	option delegate '0'

config interface 'vlan20'
	option device 'br-switch.20'
	option proto 'none'
	option delegate '0'

# Management: the only interface with an address, obtained by DHCP on VLAN 99.
# Whether ssh/luci are reachable only from here depends on /etc/config/firewall
# and the dropbear/uhttpd listen settings, which are not shown in this post --
# check that they are not bound to all interfaces.
config interface 'manage'
	option device 'br-switch.99'
	option proto 'dhcp'
	option delegate '0'

Wireless settings:

# cat /etc/config/wireless
# Three radios: two 5 GHz (radio0, radio2) and one 2.4 GHz (radio1).
# The 'path' values are board-specific and will differ on other hardware.
# NOTE(review): channels 144 and 64 look like DFS-range channels under the
# 'US' regulatory domain -- radar detection can move or silence those radios;
# confirm this is acceptable for availability.
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc/40000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '144'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'
	option country 'US'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc/a000000.wifi'
	option channel '11'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'
	option country 'US'

config wifi-device 'radio2'
	option type 'mac80211'
	option path 'platform/soc/a800000.wifi'
	option channel '64'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'
	option country 'US'

# One BSS per radio, all with SSID 'TEST' and WPA2-PSK/CCMP. Per-passphrase
# VLAN placement comes from the wifi-station sections below; it relies on PSK,
# which is why this is psk2 rather than SAE.
#
# Deliberately no 'network' option: the base wlanN interface is not attached
# to any bridge, so a client that authenticates with the base 'key' associates
# but has no L2 path anywhere. Even so, 'donotuse' is a dictionary word and the
# base key is (presumably -- confirm on your build) still a valid passphrase
# for the SSID, so use a long random value in production rather than leaving a
# guessable one that can be recovered offline from a captured 4-way handshake.
#
# multicast_to_unicast_all '1' turns BSS multicast (IPv6 RAs included) into
# per-station unicast; the author found RAs did not reach clients without it.
config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'TEST'
	option encryption 'psk2+ccmp'
	option key 'donotuse'
	option ifname 'wlan0'
	option multicast_to_unicast_all '1'

config wifi-iface 'wifinet1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'TEST'
	option encryption 'psk2+ccmp'
	option key 'donotuse'
	option ifname 'wlan1'
	option multicast_to_unicast_all '1'

config wifi-iface 'wifinet2'
	option device 'radio2'
	option mode 'ap'
	option ssid 'TEST'
	option encryption 'psk2+ccmp'
	option key 'donotuse'
	option ifname 'wlan2'
	option multicast_to_unicast_all '1'

# Dynamic VLANs. Each wifi-vlan creates a per-BSS interface named
# wlanN-<name> (wlan0-vlan10 etc. in `bridge vlan show`) and joins it to the
# 'network' interface's bridge as an untagged member of 'vid'.
config wifi-vlan
	option name 'vlan10'
	option network 'vlan10'
	option vid '10'

# Any station presenting this passphrase lands on VLAN 10. There is no 'mac'
# option, so the passphrase alone is the credential for the VLAN -- treat it
# like one (long, random, rotated when someone who had it leaves). The value
# here is a placeholder.
config wifi-station
	option key 'secret10'
	option vid '10'

config wifi-vlan
	option name 'vlan20'
	option network 'vlan20'
	option vid '20'

# Same for VLAN 20; placeholder passphrase.
config wifi-station
	option key 'secret20'
	option vid '20'

That's all that is needed. The device then has the following bridge setup (note that each lan port and each wlanN-vlanNN interface is an untagged member of exactly one VLAN, and only wan carries vlan 99):

# bridge vlan show
port              vlan-id  
lan1              10 PVID Egress Untagged
lan2              10 PVID Egress Untagged
lan3              20 PVID Egress Untagged
lan4              20 PVID Egress Untagged
wan               10
                  20
                  99
br-switch         10
                  20
                  99
wlan1-vlan20      20 PVID Egress Untagged
wlan1-vlan10      10 PVID Egress Untagged
wlan0-vlan20      20 PVID Egress Untagged
wlan0-vlan10      10 PVID Egress Untagged
wlan2-vlan20      20 PVID Egress Untagged
wlan2-vlan10      10 PVID Egress Untagged

Results

  1. All vlans pass up/down the trunk on the wan port as tagged traffic.
  2. Can plug in a cable to any of the lan ports and those devices will be connected to the corresponding vlan as untagged traffic. They get a DHCP lease for IPv4 and see RAs for IPv6, both from upstream.
  3. Have a single SSID of "TEST" on 3 different frequencies; clients using secret10 are connected to vlan 10, those using secret20 to vlan 20, again as untagged traffic. These get a DHCP lease for IPv4 and see RAs for IPv6, both from upstream.
  4. Can remotely communicate with this device over vlan 99 for ssh, luci, etc.

Edit

To get IPv6 router advertisements (RAs) working for wireless clients I needed to add `option multicast_to_unicast_all '1'` to each wifi-iface, which converts BSS multicast into per-station unicast frames. I'm not entirely sure why it is required with dynamic VLAN interfaces.
