Individual per-passphrase Wifi VLANs using wpa_psk_file (no RADIUS required)

Thank you for your reply! I don't know the solution to your problem, but maybe you could try the option bridge_empty '1' in your config device sections of /etc/config/network in the option type 'bridge' blocks.

I've made it work for me by removing all the VLAN config from the individual SSID configs in /etc/config/wireless (using only the wpa_psk_file option) and not using /etc/hostapd.vlan files, but instead using a separate VLAN block (in /etc/config/wireless):

config wifi-vlan
        option vid '4'
        option network 'guest4'
        option name 'guest4'

while also having this in /etc/config/network:

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '4'
        option name 'eth0.4'

config device
        option type 'bridge'
        option name 'br-4'
        option bridge_empty '1'
        list ports 'eth0.4'

config interface 'guest4'
        option proto 'dhcp'
        option device 'br-4'
        option defaultroute '0'

Has anyone ever managed to get the password VLAN mapping to work on a Xiaomi Redmi AX3600?

It works fine on a Xiaomi Redmi AC2100. I simply used the variant via UCI with the “wifi-vlan” and “wifi-station” and it works straight away.

When I did a similar configuration on an AX3600, no client could connect and I found the following entries in logread:

Tue Mar 4 13:20:14 2025 daemon.err hostapd: Failed to create interface vlan3: -95 (Not supported)
Tue Mar 4 13:20:14 2025 daemon.err hostapd: VLAN: Could not add VLAN vlan3: No such device
Tue Mar 4 13:20:14 2025 daemon.err hostapd: VLAN initialization failed.
Tue Mar 4 13:20:15 2025 daemon.err hostapd: Interface initialization failed

So I thought to myself: obviously it isn't able to create the interfaces itself. So I tried the manual method via hostapd.vlan and hostapd.wpa_psk. But this also failed, with similar entries in logread.

I have brought my configuration files with me. Maybe someone will see the mistake I made.

Specifically, I would like to achieve the following: If the client logs on with "myLANPassword", its packets should be forwarded as untagged (i.e. implicitly VLAN 1). The client should therefore end up in the "lan" network.
However, if a client logs on with "myguestpassword", it should end up in the "guest" network and its packets should therefore be tagged with VLAN ID 3. The access point is a dumb AP. This means no DNS, DHCP, firewall etc.

/etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config device
	option name 'br-lan'
	option type 'bridge'
	option vlan_filtering '1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'wan'

config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'
	list ports 'wan:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '3'
	list ports 'lan1:t'
	list ports 'lan2:t'
	list ports 'lan3:t'
	list ports 'wan:t'

config interface 'lan'
	option broadcast '192.168.0.255'
	option device 'br-lan.1'
	option gateway '192.168.0.2'
	option ip6assign '60'
	option ip6ifaceid '::B'
	option ipaddr '192.168.0.11'
	option metric '5'
	option netmask '255.255.255.0'
	option proto 'static'
	list dns '192.168.0.2'
	list dns_search 'lan'

config interface 'lan6'
	option delegate '0'
	option proto 'dhcpv6'
	option ifname '@lan'
	option reqprefix 'no'
	option reqaddress 'try'
	option metric '5'

config interface 'guest'
	list dns '192.168.3.2'
	option delegate '0'
	option device 'br-lan.3'
	option force_link '0'
	option gateway '192.168.3.2'
	option ip6assign '64'
	option ipaddr '192.168.3.11'
	option netmask '255.255.255.0'
	option proto 'static'
	option metric '20'

/etc/config/wireless

# Another problem: additional Wifi interfaces, which come from the standard configuration. These are not used by me.
config wifi-device 'radio0'
	option type 'mac80211'
	option path 'soc@0/20000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
	option band '5g'
	option channel '36'
	option htmode 'VHT80'
	option disabled '1'

# Another problem: additional Wifi interfaces, which come from the standard configuration. These are not used by me.
config wifi-device 'radio1'
	option type 'mac80211'
	option path 'platform/soc@0/c000000.wifi'
	option band '5g'
	option channel '36'
	option htmode 'HE80'
	option disabled '1'

# IoT device: I don't use it
config wifi-device 'dev_24_iot'
	option type 'mac80211'
	option path 'platform/soc@0/c000000.wifi+1'
	option band '2g'
	option channel '1'
	option htmode 'HE20'
	option disabled '1'

# Another problem: additional Wifi interfaces, which come from the standard configuration. These are not used by me.
config wifi-device 'radio3'
	option type 'mac80211'
	option path 'soc@0/20000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '36'
	option band '5g'
	option htmode 'VHT80'
	option disabled '1'

# my wifi 5 Ghz device
config wifi-device 'dev_wifi_5Ghz'
	option type 'mac80211'
	option path 'platform/soc@0/c000000.wifi'
	option channel '60'
	option band '5g'
	option htmode 'HE80'
	option cell_density '2'
	option country 'DE'

# my wifi 2.4 Ghz device
config wifi-device 'dev_wifi_2_4Ghz'
	option type 'mac80211'
	option path 'platform/soc@0/c000000.wifi+1'
	option channel '1'
	option band '2g'
	option htmode 'HE20'
	option cell_density '2'
	option country 'DE'

config wifi-iface 'If_Wifi_5'
	option bss_transition '1'
	option device 'dev_wifi_5Ghz'
	option encryption 'psk2+ccmp'
	option key 'myLANPassword'
	option mode 'ap'
	option network 'lan'
	option ssid 'MyLAN'
	option wpa_psk_file '/etc/hostapd.wpa_psk'
	option vlan_file '/etc/hostapd.vlan'
	option dynamic_vlan '1'
	option vlan_tagged_interface 'lan3' # my physical uplink port (br-lan also doesn't work here)
	option vlan_bridge 'br-vlan' # don't know what to insert here; from my understanding it's a prefix for created interfaces

config wifi-iface 'If_Wifi_24'
	option bss_transition '1'
	option device 'dev_wifi_2_4Ghz'
	option encryption 'psk2+ccmp'
	option key 'myLANPassword'
	option mode 'ap'
	option network 'lan'
	option ssid 'MyLAN'
	option wpa_psk_file '/etc/hostapd.wpa_psk'
	option vlan_file '/etc/hostapd.vlan'
	option dynamic_vlan '1'
	option vlan_tagged_interface 'lan3' # my physical uplink port (br-lan also doesn't work here)
	option vlan_bridge 'br-vlan' # don't know what to insert here; from my understanding it's a prefix for created interfaces

/etc/hostapd.vlan

3 vlan3 br-lan.3

/etc/hostapd.wpa_psk

vlanid=3 00:00:00:00:00:00 myguestpassword

Both the AX3600 and the AC2100 run on v24.10.0 and use wpad-mbedtls.

Edit: I have now discovered that there is a patch for ath11k which has not yet been included in OpenWRT (see >>here<<).
This means you have to build your own image.
I did that and integrated the patch.
Now it works wonderfully even with the simple version with "wifi-vlan" and "wifi-station".

So that others can understand this and since I am still untrained in this, I will briefly explain the command sequence with which I created the image:

# before: set up an OpenWRT build environment
git clone https://git.openwrt.org/openwrt/openwrt.git
cd openwrt
git branch -a
git tag
# use the current release
git checkout v24.10.0
# add the patch to the specific folder
cd package/kernel/mac80211/patches/ath11k
curl -O https://raw.githubusercontent.com/gtxaspec/openwrt-mx4300/b0fb8508f099a1339e87f8ccc1b5fdd59b0347fb/package/kernel/mac80211/patches/ath11k/906-ath11k-add-support-for-dynamic-vlan.patch
cd -
./scripts/feeds update -a
./scripts/feeds install -a
# download the standard configuration for that target
curl -o .config https://downloads.openwrt.org/releases/24.10.0/targets/qualcommax/ipq807x/config.buildinfo
# configure as you wish. In particular, select packages - here, switch to wpad-mbedtls (instead of basic)
make menuconfig
# build
make -j4

If someone gives me a hint where I could upload the file best, then I could also share the built image.
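To make the two hand-written hostapd files above easier to sanity-check before restarting hostapd, here is an added example (not from the original post or from OpenWrt/hostapd) that parses the wpa_psk_file and vlan_file formats as documented in hostapd.conf and cross-checks that every vlanid referenced by a passphrase resolves to a vlan_file entry. The sample lines are constructed from the post; the function names are my own.

```python
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$")
ANY_MAC = "00:00:00:00:00:00"  # hostapd: all-zero MAC = key is valid for any station

def parse_psk_line(line):
    """Parse one wpa_psk_file line: [keyid=<s>] [vlanid=<n>] <MAC> <passphrase|64-hex PSK>.
    hostapd takes everything after the MAC as the key, so passphrases may contain spaces."""
    keyid, vlanid, rest = None, None, line.strip()
    while (m := re.match(r"(keyid|vlanid)=(\S+)\s+", rest)):
        if m.group(1) == "keyid":
            keyid = m.group(2)
        else:
            vlanid = int(m.group(2))
        rest = rest[m.end():]
    mac, _, key = rest.partition(" ")
    mac, key = mac.lower(), key.strip()
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address: {mac!r}")
    if re.fullmatch(r"[0-9a-fA-F]{64}", key):
        kind = "psk"                      # raw 256-bit PSK
    elif 8 <= len(key) <= 63:
        kind = "passphrase"               # WPA passphrase length limits
    else:
        raise ValueError("key must be 8..63 chars (passphrase) or 64 hex digits (PSK)")
    return {"keyid": keyid, "vlanid": vlanid, "mac": mac, "key": key, "kind": kind}

def parse_vlan_line(line):
    """Parse one vlan_file line: <VLAN ID|*> <ifname> [bridge]; '#' in ifname is replaced by the ID."""
    parts = line.split()
    vid = None if parts[0] == "*" else int(parts[0])
    return {"vid": vid, "ifname": parts[1], "bridge": parts[2] if len(parts) > 2 else None}

def _lines(text):
    return [l for l in (s.strip() for s in text.splitlines()) if l and not l.startswith("#")]

def check_vlan_mapping(psk_text, vlan_text):
    """Return a list of problems (empty = consistent): every vlanid used in the PSK file
    needs an exact vlan_file entry or a '*' wildcard, and one key must not map to two VLANs."""
    psks = [parse_psk_line(l) for l in _lines(psk_text)]
    vlans = [parse_vlan_line(l) for l in _lines(vlan_text)]
    exact = {v["vid"] for v in vlans if v["vid"] is not None}
    has_wildcard = any(v["vid"] is None for v in vlans)
    problems, seen = [], {}
    for e in psks:
        if e["vlanid"] is not None and e["vlanid"] not in exact and not has_wildcard:
            problems.append(f"vlanid={e['vlanid']} for {e['mac']} has no vlan_file entry")
        prev = seen.setdefault((e["mac"], e["key"]), e["vlanid"])
        if prev != e["vlanid"]:
            problems.append(f"same key for {e['mac']} maps to VLAN {prev} and {e['vlanid']}: ambiguous")
    return problems
```

A per-SSID `key` that equals a passphrase in the wpa_psk_file is a similar ambiguity the check above cannot see, since that value lives in /etc/config/wireless rather than in either file.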

Let's be calm, maybe someone like marco takes the bite.

Yes, but that's mainly because I want to assign ports to one of the bridges manually. I guess I could try something else but if I mess something up the UART is a hassle to reach...

Does anyone have a working configuration of WLAN Roaming setup related to our use case?
And can share which options should be enabled to allow fast transitioning?

In previous posts, I found that "Generate PMK Locally" (or "ft_psk_generate local" in CLI) should be disabled, but there is no more information beyond that. Is it still correct?

Thanks in advance.

Does anyone have a simple setup with just the main LAN and guest LAN that they would be willing to share config files for?

I'm running an MT6000 which has 2.4 and 5 GHz radios. I want to have one WiFi SSID named waypoint with a primary LAN and a guest LAN; the guest LAN would not have access to the primary LAN. I think I'm starting to understand the config, but I'm not sure how to set up the guest portion to include the WiFi PSK portion.

Unfortunately, PPSK/DPSK/wpa_psk_file by nature don't work well with fast roaming (802.11r/k/v). This issue is not only found on OpenWrt but on other systems as well, like Omada, UniFi and Ruckus, with all three of them just outright deauthing you when you roam from one AP to another and forcing a 4-way handshake.

With that, disabling "Generate PMK locally" basically does the same thing as other systems do when dealing with WiFi roaming and PPSK/DPSK.


Hi, on two APs with psk2 keys, I left "ft_psk_generate local" enabled and just directly attached the wifi interface to my main lan network, while the others (like work, IoT, guest) are APVLANs. By doing this it seems FT works correctly, even if only on one network. On the other (APVLAN) networks the stations try FT but get attached first to the main phy0-ap0 device; after that they immediately do a complete 4-way handshake again to be "routed" to the correct VLAN. One could go on with this setup if one can accept broken FT on the other VLANs or ... wait for a better solution.

There's no way to limit concurrent use of a psk key, right?

Right. This is not a captive portal management mechanism. It is an elaboration on the regular PSK authentication mechanism, which also does not limit concurrent use(r)s of a single key.