Individual per-passphrase Wifi VLANs using wpa_psk_file (no RADIUS required)

kawog45017 · 2025-02-25T13:31:25.260Z

no, it's two networks. I don't know from which sample this came from, but never got that ipv6 stuff to work.. but that's besides the point of this thread, the network itself works, though I'm struggling with the /etc/hostapd.wpa_psk part. One device works, all others say wrong password, even though I rebooted the router in between...
And the OpenWRT router prints many repeats of this line for all but that one working client device...

daemon.notice hostapd: phy0-ap4: AP-STA-POSSIBLE-PSK-MISMATCH

UPDATE: Now I found that none of the below actually reloads the /etc/hostapd.wpa_psk file, only rebooting the router makes changes take effect..:

reload_config
wifi reload
hostapd_cli interface phy1-ap3 reload_wpa_psk
hostapd_cli interface phy1-ap4 reload_wpa_psk
hostapd_cli interface phy0-ap3 reload_wpa_psk
hostapd_cli interface phy0-ap4 reload_wpa_psk

takimata · 2025-02-25T13:47:19.626Z

Phew, there's an anthill's worth of configuration going on there. I know it sounds tedious, but my approach would be to tear it all down and rebuild the wifi interfaces from scratch, one iface at a time, testing and confirming operation of every step before the next.

kawog45017 · 2025-02-25T14:14:25.902Z

my plan was to remove all the old networks once the new ones work as intended and I've brought over all the clients to that new ssid with the unique per client keys.

takimata · 2025-02-25T14:50:10.359Z

I realize that. I can't shake the feeling, though, that the old networks are interfering with the new ones. I actually never tried mixing "regular" wifi networks with wpa_psk_key ones, maybe that's the problem, they don't work together? I really don't know.

kawog45017 · 2025-02-25T15:55:25.096Z

Well. it does work, at least the non-vlan stuff. It's only that changes to /etc/hostapd.wpa_psk don't take effect until I reboot the router. That's annoying, but at the moment for me this doesn't justify the effort it would take to start my home router configs fresh from a blank state...

_bernd · 2025-02-25T17:40:56.352Z

How do you restart or reload the wireless config? (Which did not worked for you.)

kawog45017 · 2025-02-25T19:02:00.292Z

I tried lots of things. I tried via ssh = cli:

reload_config
wifi reload
hostapd_cli interface phy1-ap3 reload_wpa_psk
hostapd_cli interface phy1-ap4 reload_wpa_psk
hostapd_cli interface phy0-ap3 reload_wpa_psk
hostapd_cli interface phy0-ap4 reload_wpa_psk

And via the LuCI website I tried:

disabling and re-enabling the wifi network
using the "restart" button for the wifi device hosting the network

but nothing but rebooting works.

_bernd · 2025-02-25T19:29:00.938Z

Afaik reload only reloads. You need wifi to restart wireless. Or just restart networking and wifi gets restarted too...

kawog45017 · 2025-03-02T09:14:02.734Z

I'm trying to replace my separate guest wifi with a vlanid=4 00:00:00:00:00:00 myguestpassword entry in /etc/hostapd.wpa_psk. My /etc/hostapd.vlan reads 4 wan.4. Trying to connect a client with that password fails with those lines in the log:

Sun Mar  2 10:06:13 2025 daemon.info hostapd: phy1-ap1: STA xx:xx:xx:xx:xx:xx IEEE 802.11: authenticated
Sun Mar  2 10:06:13 2025 daemon.info hostapd: phy1-ap1: STA xx:xx:xx:xx:xx:xx IEEE 802.11: associated (aid 1)
Sun Mar  2 10:06:13 2025 daemon.notice hostapd: Assigned VLAN ID 4 from wpa_psk_file to xx:xx:xx:xx:xx:xx
Sun Mar  2 10:06:13 2025 daemon.err hostapd: nl80211: NL80211_ATTR_STA_VLAN (addr=xx:xx:xx:xx:xx:xx ifname=wan.4 vlan_id=4) failed: -22 (Invalid argument)
Sun Mar  2 10:06:18 2025 daemon.info hostapd: phy1-ap1: STA xx:xx:xx:xx:xx:xx IEEE 802.11: deauthenticated due to local deauth request

Can somebody help me? What do I need to do, to make this work?

UPDATE: just found that @saxy had the same error message last month but says it works on 2ghz for them. I'm gonna force my client to 2GHz to verify if it's the same for me. Did you solve your issue with 5GHz @saxy?

saxy · 2025-03-03T08:09:20.997Z

hy,
i needed to create 2 seperate vlan files, because they create virtual interfaces.
on a dual radio ap, it can't create two times the same interface.
the problem with 5ghz is solved for me

I have a new problem, the management IP on VLAN 11 replys very short during boot up. after 1 minute of operation it does not replay anymore.
192.168.11.14
it has todo with individual psk/vlans and bridges. but I don't know how to solve it. I have access over 192.168.1.1 untagged but this is no solution only a fix.

root@OpenWrt:~# cat /etc/hostapd.vlan2
11 wlan0.11 br-lan.vlan11
22 wlan0.22 br-lan.vlan22
33 wlan0.33 br-lan.vlan33

root@OpenWrt:~# cat /etc/hostapd.vlan5
11 wlan1.11 br-lan.vlan11
22 wlan1.22 br-lan.vlan22
33 wlan1.33 br-lan.vlan33
root@OpenWrt:~# cat /etc/hostapd.wpa_psk
vlanid=11 00:00:00:00:00:00 secret11
vlanid=22 00:00:00:00:00:00 secret22
vlanid=33 00:00:00:00:00:00 secret33
root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd70:1574:e9fe::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan.1'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'mgmt'
        option proto 'static'
        option device 'eth1'
        option ipaddr '192.168.95.1'
        option netmask '255.255.255.0'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth0'

config bridge-vlan
        option device 'br-lan'
        option vlan '11'
        list ports 'eth0:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '22'
        list ports 'eth0:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '33'
        list ports 'eth0:t'

config interface 'vlan11'
        option proto 'static'
        option device 'br-lan.11'
        option ipaddr '192.168.11.14'
        option netmask '255.255.255.0'
        option gateway '192.168.11.1'
        list dns '192.168.11.1'

config interface 'vlan22'
        option proto 'none'
        option device 'br-lan.22'

config interface 'vlan33'
        option proto 'none'
        option device 'br-lan.33'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
        option band '2g'
        option channel '1'
        option htmode 'VHT20'
        option disabled '0'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
        option band '5g'
        option channel '36'
        option htmode 'VHT80'
        option disabled '0'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid '127-O-O-5-X'
        option encryption 'psk2'
        option key 'secret11'
        option wpa_psk_file '/etc/hostapd.wpa_psk'
        option vlan_file '/etc/hostapd.vlan'
        option vlan_tagged_interface 'eth0'
        option vlan_bridge 'br-vlan'
        option dynamic_vlan '1'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid '127-O-O-2-X'
        option encryption 'psk2'
        option key 'secret11'
        option wpa_psk_file '/etc/hostapd.wpa_psk'
        option vlan_file '/etc/hostapd.vlan'
        option vlan_tagged_interface 'eth0'
        option vlan_bridge 'br-vlan'
        option dynamic_vlan '1'
root@OpenWrt:~#```

kawog45017 · 2025-03-04T07:34:38.615Z

Thank you for your reply! I don't know the solution to your problem, but maybe you could try the option bridge_empty '1' in your config device sections of /etc/config/network in the option type 'bridge' blocks.

I've made it work for my by removing all the vlan config from the individual ssid configs in /etc/config/wireless (only using the option wpa_psk_file option) & not using /etc/hostapd.vlan files, but instead using a separate vlan block (in /etc/config/wireless):

config wifi-vlan
        option vid '4'
        option network 'guest4'
        option name 'guest4'

while also having this in /etc/config/network:


config device
        option type '8021q'
        option ifname 'eth0'
        option vid '4'
        option name 'eth0.4'

config device
        option type 'bridge'
        option name 'br-4'
        option bridge_empty '1'
        list ports 'eth0.4'

config interface 'guest4'
        option proto 'dhcp'
        option device 'br-4'
        option defaultroute '0'

Sylvan · 2025-03-04T12:54:18.348Z

Has anyone ever managed to get the password VLAN mapping to work on a Xiaomi Redmi AX3600?

It works fine on a Xiaomi Redmi AC2100. I simply used the variant via UCI with the “wifi-vlan” and “wifi-station” and it works straight away.

When I did the similar configuration on an AX3600, no client could connect and I found the following entries in logread:

Tue Mar 4 13:20:14 2025 daemon.err hostapd: Failed to create interface vlan3: -95 (Not supported)
Tue Mar 4 13:20:14 2025 daemon.err hostapd: VLAN: Could not add VLAN vlan3: No such device
Tue Mar 4 13:20:14 2025 daemon.err hostapd: VLAN initialization failed.
Tue Mar 4 13:20:15 2025 daemon.err hostapd: Interface initialization failed

So I thought to myself, obviously it doesn't seem to be able to create interfaces itself. So I tried the manual method via hostapd.vlan and hostapd.wpa_psk. But this also failed with similar entries in logread.

I have brought my configuration files with me. Maybe someone will see the mistake I made.

Specifically, I would like to achieve the following: If the client logs on with "myLANPassword", its packets should be forwarded as untagged (i.e. implicitly VLAN 1). The client should therefore end up in the "lan" network.
However, if a client logs on with "myguestpassword", it should end up in the "guest" network and its packets should therefore be tagged with VLAN ID 3. The access point is a dumb AP. This means no DNS, DHCP, firewall etc.

/etc/config/network


config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config device
	option name 'br-lan'
	option type 'bridge'
	option vlan_filtering '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'wan'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'wan:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan3:t'
	list ports 'wan:t'

config interface 'lan'
	option broadcast '192.168.0.255'
	option device 'br-lan.1'
	option gateway '192.168.0.2'
	option ip6assign '60'
	option ip6ifaceid '::B'
	option ipaddr '192.168.0.11'
	option metric '5'
	option netmask '255.255.255.0'
	option proto 'static'
	list dns '192.168.0.2'
	list dns_search 'lan'

config interface 'lan6'
	option delegate '0'
	option proto 'dhcpv6'
	option ifname '@lan'
	option reqprefix 'no'
	option reqaddress 'try'
	option metric '5'

config interface 'guest'
	list dns '192.168.3.2'
	option delegate '0'
	option device 'br-lan.3'
	option force_link '0'
	option gateway '192.168.3.2'
	option ip6assign '64'
	option ipaddr '192.168.3.11'
	option netmask '255.255.255.0'
	option proto 'static'
	option metric '20'

/etc/config/wireless


# Another problem: additional Wifi interfaces, which come from the standard configuration. These are not used by me.
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc@0/20000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
	option band '5g'
	option channel '36'
	option htmode 'VHT80'
	option disabled '1'

# Another problem: additional Wifi interfaces, which come from the standard configuration. These are not used by me.
config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc@0/c000000.wifi'
	option band '5g'
	option channel '36'
	option htmode 'HE80'
	option disabled '1'

# IoT device: i don`t use it
config wifi-device 'dev_24_iot'
	option type 'mac80211'
	option path 'platform/soc@0/c000000.wifi+1'
	option band '2g'
	option channel '1'
	option htmode 'HE20'
	option disabled '1'

# Another problem: additional Wifi interfaces, which come from the standard configuration. These are not used by me.
config wifi-device 'radio3'
	option type 'mac80211'
	option path 'soc@0/20000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option disabled '1'

# my wifi 5 Ghz device
config wifi-device 'dev_wifi_5Ghz'
	option type 'mac80211'
	option path 'platform/soc@0/c000000.wifi'
	option channel '60'
	option band '5g'
	option htmode 'HE80'
	option cell_density '2'
	option country 'DE'

# my wifi 2.4 Ghz device
config wifi-device 'dev_wifi_2_4Ghz'
	option type 'mac80211'
	option path 'platform/soc@0/c000000.wifi+1'
	option channel '1'
	option band '2g'
	option htmode 'HE20'
	option cell_density '2'
	option country 'DE'

config wifi-iface 'If_Wifi_5'
	option bss_transition '1'
	option device 'dev_wifi_5Ghz'
	option encryption 'psk2+ccmp'
	option key 'myLANPassword'
	option mode 'ap'
	option network 'lan'
	option ssid 'MyLAN'
	option wpa_psk_file '/etc/hostapd.wpa_psk'
	option vlan_file '/etc/hostapd.vlan'
	option dynamic_vlan '1'
	option vlan_tagged_interface 'lan3' # my physical uplink port (br-lan also don`t work here)
	option vlan_bridge 'br-vlan' # don`t know what to insert here, from my unterstanding it`s an prefix for created interfaces

config wifi-iface 'If_Wifi_24'
	option bss_transition '1'
	option device 'dev_wifi_2_4Ghz'
	option encryption 'psk2+ccmp'
	option key 'myLANPassword'
	option mode 'ap'
	option network 'lan'
	option ssid 'MyLAN'
	option wpa_psk_file '/etc/hostapd.wpa_psk'
	option vlan_file '/etc/hostapd.vlan'
	option dynamic_vlan '1'
	option vlan_tagged_interface 'lan3' # my physical uplink port (br-lan also don`t work here)
	option vlan_bridge 'br-vlan' # don`t know what to insert here, from my unterstanding it`s an prefix for created interfaces

/etc/hostapd.vlan

3 vlan3 br-lan.3

/etc/hostapd.wpa_psk

vlanid=3 00:00:00:00:00:00 myguestpassword

Both - the AX3600 and the AC2100 runs on v24.10.0 and use wpad-mbedtls.

Edit: I have now discovered that there is a patch for ath11k which has not yet been included in OpenWRT (see >>here<<).
This means you have to build your own image.
I did that and integrated the patch.
Now it works wonderfully even with the simple version with "wifi-vlan" and "wifi-station".

So that others can understand this and since I am still untrained in this, I will briefly explain the command sequence with which I created the image:

# before: set up an OpenWRT build environment
git clone https://git.openwrt.org/openwrt/openwrt.git
cd openwrt
git branch -a
git tag
# use the current release
git checkout v24.10.0
# add the patch to the specific folder
cd package/kernel/mac80211/patches/ath11k
curl -O https://raw.githubusercontent.com/gtxaspec/openwrt-mx4300/b0fb8508f099a1339e87f8ccc1b5fdd59b0347fb/package/kernel/mac80211/patches/ath11k/906-ath11k-add-support-for-dynamic-vlan.patch
cd -
./scripts/feeds update -a
./scripts/feeds install -a
# download the standard configuration for that target
curl -o .config https://downloads.openwrt.org/releases/24.10.0/targets/qualcommax/ipq807x/config.buildinfo
# configure as you wish. Select packages in particular - here in particular switch to wpad-mbedtls (instead of basic)
make menuconfig
# build
make -j4

If someone gives me a hint where I could upload the file best, then I could also share the built image.

mattimat · 2025-03-10T22:44:52.424Z

Let's be calm, maybe somreone like marco takes the bite

monotux · 2025-03-21T09:46:24.249Z

Yes, but that's mainly because I want to assign ports to one of the bridges manually. I guess I could try something else but if I mess something up the UART is a hassle to reach...

Rafal9184 · 2025-03-25T23:28:32.345Z

Does anyone have a working configuration of WLAN Roaming setup related to our use case?
And can share which options should be enabled to allow fast transitioning?

In previous posts, I found that "Generate PMK Locally" (or "ft_psk_generate local" in CLI) should be disabled, but there is no more information beyond that. Is it still correct?

Thanks in advance.

trevormcooper · 2025-03-28T20:54:13.313Z

does anyone have a simple setup with just the main lan and guest lan setup that would be willing to share config files,

im running a MT6000 which has a 2.4 and 5ghz radio, i want to have one wifi ssid named waypoint with a primary lan and a guest lan, guest lan would not have access to primary lan, i think im starting to understand the config but im not sure how to setup the guest portion to include the wifi psk portion.

remlei · 2025-03-30T01:37:55.208Z

unfortunately, PPSK/DPSK/WPA_PSK_FILE in nature dont work well with fast roaming (802.11r/k/v). This issue is not only found on openwrt but on other system as well like OMADA, Unifi and Ruckus with all 3 of them just outright deauth you when you roam hop to one AP to another and force a 4-way handshake.

With that, disabling the Generate PMK locally basically do the same thing as other systems dealing with wifi roaming and PPSK/DPSK.

ayanna · 2025-04-01T06:06:11.097Z

Hi, on two APs with psk2 keys, I left "ft_psk_generate local" enabled and just directly attached the wifi interface to my main lan network, while the other (like work, iot, guest) are APVLANs. By doing this it seems FT works correctly even if only on one network. On the other (APVLAN netoworks) the stations try FT but get attached firstly to the main phy0-ap0 device, after that they immediately do a complete 4 way handshake again to be "routed" to the correct VLAN. One could go on with this setup if can accept broken FT on the other VLANs or ... wait for a better solution.

bahtsiz_bedevi · 2025-04-09T23:00:57.527Z

There's no way to limit concurrent use of a psk key, right?

takimata · 2025-04-09T23:05:00.872Z

bahtsiz_bedevi:

There's no way to limit concurrent use of a psk key, right?

Right. This is not a captive portal management mechanism. It is an elaboration on the regular PSK authentication mechanism, which also does not limit concurrent use(r)s of a single key.