Individual per-passphrase Wifi VLANs using wpa_psk_file (no RADIUS required)

Can you resend me the fix, I honestly completely forgot about it


Sure, here you go


I had a really difficult time with the configuration of my router and I want to share my experience here. First, it's about a 'covr-x1860' router, which is supposed to serve as a simple dumb access point.

ubus call system board
        "kernel": "5.15.130",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "D-Link COVR-X1860 A1",
        "board_name": "dlink,covr-x1860-a1",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05-SNAPSHOT",
                "revision": "r23444-7714fb72be",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05-SNAPSHOT r23444-7714fb72be"

The problem I encountered may be more appropriate to discuss in this. After that, the question arises whether to enable 'bridge VLAN filtering' or configure it manually. So far, I've only managed to set up an /etc/network configuration manually through LuCI.

Unfortunately, I couldn't enable '11r FT' with 'disabled Generate PMK locally' or WPA3 encryption. So, my question is: has anyone managed to make it work with 'bridge VLAN filtering'? Is there a working wireless configuration with 11r FT that I can try out? And what about WPA3 encryption? From what I understand here, it seems to require setting it up through psk2 + file as a separate AP configuration. Am I getting this right?

I will post my configs later if that's desired.

Using and abusing wpa_psk_file, I've made a package that generates PSKs on the fly based on the station MAC address and a master password, with support for VLANs too: based on the PSK used, the station gets connected to the appropriate VLAN. This "stateless" nature is useful to me because it means I don't need to maintain a database with credentials, and roaming between APs with the same master password configured works without any issues.

I'll leave the link here in case anyone is interested; this is a prototype at best, and at worst it can be used to understand any configs of interest here.


Does anyone have this working with 2 SSIDs? It works fine with 1, but if I add another SSID (either on a different radio or as an additional SSID on the original) the login to the new one fails with 'incorrect password'.

"brctl show" gives this

bridge name bridge id STP enabled interfaces
br-lan 7fff.a42bb0ad6a3c no phy0-ap1
br-vlan3 7fff.a42bb0ad6a3d no wifivlan.3

"hostapd.vlan" contains

1 wifivlan.1 br-lan
3 wifivlan.3 br-vlan3

"hostapd.wpa_psk" contains

vlanid=1 00:00:00:00:00:00 phrase1
vlanid=3 00:00:00:00:00:00 phrase3

wireless config contains

This is OpenWrt 23.05.0

In my case, it works with the settings of takimata.

opkg install wpad-wolfssl "OR" opkg install wpad-openssl
        option wpa_psk_file '/etc/hostapd.wpa_psk'
        option vlan_file '/etc/hostapd.vlan'
        option vlan_tagged_interface 'eth0' <- "Your device which should be split into VLANs, OR no line if the device is already split"
        option vlan_bridge 'br-vlan' <- "Nonexistent name"
        option dynamic_vlan '1'
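The two files these options point at (wpa_psk_file and vlan_file) are plain text, and the "stateless" per-station PSK idea from the earlier post boils down to deriving the passphrase column from the station MAC. The helper below is an added example, not the package linked in that post and not any config posted in this thread. The derivation scheme (HMAC-SHA256 of the MAC under a master password, truncated to 20 base64url characters), the file names and all MAC addresses and phrases are assumptions made for illustration; the real package may derive keys differently. The lint function checks the one thing a second-SSID or "incorrect password" debugging session usually comes down to: every line parses, every passphrase is within hostapd's 8..63 character (or 64-hex raw PSK) limits, and every vlanid has a vlan_file interface.

```python
"""Generate and lint a hostapd wpa_psk_file / vlan_file pair.

Added example: this is not the package linked in the thread and not the
posted configs. The derivation below (HMAC-SHA256 of the station MAC under
a master password, base64url, 20 chars) is an assumed scheme chosen for
illustration; the thread's package may derive keys differently.
"""
import base64
import hashlib
import hmac
import re

WILDCARD_MAC = "00:00:00:00:00:00"  # matches any station in wpa_psk_file
MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")
# One wpa_psk_file line: [keyid=<id>] [vlanid=<n>] <MAC> <passphrase|64-hex PSK>
PSK_LINE_RE = re.compile(
    r"^(?:keyid=(?P<keyid>\S+)\s+)?(?:vlanid=(?P<vlanid>\d+)\s+)?"
    r"(?P<mac>\S+)\s+(?P<psk>\S+)$"
)


def derive_passphrase(master: str, mac: str) -> str:
    """Stateless per-station passphrase (assumed scheme, see module docstring).

    Every AP holding the same master password computes the same value for the
    same MAC, so no credential database has to be kept in sync for roaming.
    """
    mac = mac.lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"bad MAC address: {mac!r}")
    digest = hmac.new(master.encode(), bytes.fromhex(mac.replace(":", "")),
                      hashlib.sha256).digest()
    # 15 bytes -> 20 base64url chars without padding; inside hostapd's 8..63 limit
    return base64.urlsafe_b64encode(digest[:15]).decode()


def build_psk_file(master: str, stations: dict, shared: dict) -> str:
    """Emit wpa_psk_file text.

    stations: MAC -> vlanid, one derived passphrase per device.
    shared:   vlanid -> passphrase, wildcard-MAC entries like the ones posted
              above (any station that knows the phrase lands in that VLAN).
    hostapd tries every entry whose MAC matches, wildcard included, until one
    verifies the 4-way handshake, so both kinds can live in one file.
    """
    lines = [f"vlanid={vid} {mac.lower()} {derive_passphrase(master, mac)}"
             for mac, vid in stations.items()]
    lines += [f"vlanid={vid} {WILDCARD_MAC} {phrase}"
              for vid, phrase in shared.items()]
    return "\n".join(lines) + "\n"


def parse_vlan_file(text: str) -> dict:
    """vlan_file lines are '<vlanid> <ifname> [bridge]'; '*' is the wildcard id."""
    vlans = {}
    for line in text.splitlines():
        fields = line.split()
        if fields and not fields[0].startswith("#"):
            vlans[fields[0]] = fields[1:]
    return vlans


def lint_psk_file(psk_text: str, vlan_text: str) -> list:
    """Return human-readable problems; an empty list means the pair looks consistent.

    Flags, before the files are deployed: unparsable lines, malformed MACs,
    passphrases outside 8..63 chars that are not a 64-hex raw PSK, and vlanid
    values that have no vlan_file interface (and no '*' wildcard line).
    """
    vlans = parse_vlan_file(vlan_text)
    problems = []
    for n, raw in enumerate(psk_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PSK_LINE_RE.match(line)
        if not m:
            problems.append(f"line {n}: unparsable entry")
            continue
        mac, psk, vid = m["mac"].lower(), m["psk"], m["vlanid"]
        if not MAC_RE.match(mac):
            problems.append(f"line {n}: bad MAC {mac}")
        is_raw_psk = re.fullmatch(r"[0-9a-fA-F]{64}", psk) is not None
        if not is_raw_psk and not 8 <= len(psk) <= 63:
            problems.append(f"line {n}: PSK must be 8..63 chars or 64 hex digits")
        if vid is not None and vid not in vlans and "*" not in vlans:
            problems.append(f"line {n}: vlanid={vid} has no vlan_file entry")
    return problems


if __name__ == "__main__":
    # Constructed sample data, not taken from the thread.
    vlan_file = "1 wifivlan.1 br-lan\n3 wifivlan.3 br-vlan3\n"
    psk_file = build_psk_file("correct horse battery staple",
                              {"aa:bb:cc:dd:ee:01": 3},
                              {1: "home-phrase-2024", 3: "iot-phrase-2024"})
    print(psk_file, end="")
    print("problems:", lint_psk_file(psk_file, vlan_file) or "none")
```

Run it, then point `option wpa_psk_file` and `option vlan_file` at the generated files. Because the per-station value is a function of master password and MAC only, a second AP configured with the same master password produces the identical line for a roaming client without any shared state.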

Hi robimarko, could you please post here when the fix is merged so I could try again with my AX3600?

I have not even sent it upstream yet; I just don't have the bandwidth to do so currently.


I was able to get 'Bridge VLAN Filtering' and '11r FT' to work using wpa_psk_file.

Stupid question here: what is the advantage of this solution over having different SSIDs? I mean, in the case of 2/3 SSIDs (not an SSID for each client). Is it relevant in terms of performance? Very cool solution, but I like having an "IoT", a "Guest" and a "Home" SSID with their respective VLANs :slight_smile:

I guess two or three SSIDs are no problem. You might want to read up on "wifi beacon" or "beacon frame". There are radio signals going on even if there's no traffic, even if there are no clients connected to an access point. As the number of SSIDs on a single radio increases, the number of beacon frames becomes a significant portion of your airtime usage. The Wikipedia article about beacon frames states 15 SSIDs as a limit. If you manage to have a single SSID for a lot of different networks, all those only need a single beacon frame, hence reducing the overhead required to make it work.


One reason I can think of is to personalize it per individual, for example if you want to set a time restriction on a certain network.

Another reason might be that some people don't like an extra SSID for IoT called "iot" or "smart", so for convenience they can still isolate it via a VLAN and a different passphrase.

For me, both count. Here's an example from my topology:

The main reason I want to use multi-PSK is that I use a Windows gaming handheld; I don't want it in IoT, but not in the normal Wi-Fi either, so it gets its own personalized network via a VLAN, which also means it can access some of my local services, like a LanCache for example.

For convenience, the IoT Wi-Fi which I already had, I also put on multi-PSK.

Now I only have 2 SSIDs, one for 5 GHz and one for 2.4 GHz. For me it's more for convenience and abstraction visibility.