Individual per-passphrase Wifi VLANs using wpa_psk_file (no RADIUS required)

Can you resend me the fix, I honestly completely forgot about it


Sure, here you go


I had a really difficult time with the configuration of my router and I want to share my experience here. Firstly, it's about a 'covr-x1860' router, which is supposed to serve as a simple dumb access point.

ubus call system board
        "kernel": "5.15.130",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7621 ver:1 eco:3",
        "model": "D-Link COVR-X1860 A1",
        "board_name": "dlink,covr-x1860-a1",
        "rootfs_type": "squashfs",
        "release": {
                "distribution": "OpenWrt",
                "version": "23.05-SNAPSHOT",
                "revision": "r23444-7714fb72be",
                "target": "ramips/mt7621",
                "description": "OpenWrt 23.05-SNAPSHOT r23444-7714fb72be"

The problem I encountered may be more appropriate to discuss in this. After that, the question arises whether to enable 'bridge VLAN filtering' or configure it manually. So far, I've only managed to set up an /etc/network configuration manually through Luci.

Unfortunately, I couldn't enable '11r FT' with 'disabled Generate PMK locally' nor WPA3 encryption. So, my question is, has anyone managed to make it work with 'bridge VLAN filtering'? Is there a working wireless configuration with 11r FT that I can try out? And what about WPA3 encryption? From what I understand here, it seems to require setting it up through psk2 + file as a separate AP configuration. Am I getting this right?

I will post my configs later if that's desired.

Using and abusing wpa_psk_file, I've made a package that generates PSKs on the fly based on the station MAC address and a master password, with support for VLANs too: based on the PSK used, the station will get connected to the appropriate VLAN. This "stateless" nature is useful to me because it means I don't need to maintain a database with credentials, and roaming between APs with the same master passwords configured works without any issues.

I'll leave the link here in case anyone is interested, this is a prototype at best and at worst it can be used to understand any configs of interest here.


Does anyone have this working with 2 SSIDs? It works fine with 1, but if I add another SSID (either on a different radio or an additional SSID on the original), the login to the new one fails with 'incorrect password'.

"brctl show" gives this

bridge name bridge id STP enabled interfaces
br-lan 7fff.a42bb0ad6a3c no phy0-ap1
br-vlan3 7fff.a42bb0ad6a3d no wifivlan.3

"hostapd.vlan" contains

1 wifivlan.1 br-lan
3 wifivlan.3 br-vlan3

"hostapd.wpa_psk" contains

vlanid=1 00:00:00:00:00:00 phrase1
vlanid=3 00:00:00:00:00:00 phrase3

wireless config contains

This is openwrt 23.05.0

In my case, it works with the settings of takimata.

opkg install wpad-wolfssl    # OR: opkg install wpad-openssl

        option wpa_psk_file '/etc/hostapd.wpa_psk'
        option vlan_file '/etc/hostapd.vlan'
        # Your device which should be split into VLANs; leave this line out if the device is already split
        option vlan_tagged_interface 'eth0'
        # Non-existing name
        option vlan_bridge 'br-vlan'
        option dynamic_vlan '1'
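A consistency check for the hostapd.wpa_psk and hostapd.vlan files quoted in the posts above, as an added example that is not part of the thread, hostapd or OpenWrt. The names lint_psk_vlan and demo are hypothetical, the sample entries are constructed, and the line formats assumed are hostapd's `[key=value ...] <MAC> <PSK>` and `<vlan_id> <ifname> [bridge]`.

```shell
#!/bin/sh
# lint_psk_vlan PSK_FILE VLAN_FILE (hypothetical helper, not an OpenWrt tool)
# Prints one finding per line; returns 1 if anything was found.
lint_psk_vlan() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }                # skip blank lines and comments
    mode == "vlan" { known[$1] = 1; next }       # "<vlan_id> <ifname> [bridge]"
    {                                            # "[key=value ...] <MAC> <PSK>"
        vlan = ""; i = 1
        while (i <= NF && $i ~ /^[a-z_]+=/) {    # keyid=, vlanid=, wps=
            if ($i ~ /^vlanid=/) vlan = substr($i, 8)
            i++
        }
        if (i >= NF) { report("missing MAC or PSK"); next }
        mac = $i
        psk = substr($0, index($0, mac) + length(mac))
        sub(/^[ \t]+/, "", psk)                  # PSK is the rest of the line
        if (mac !~ macre) report("bad MAC address " mac)
        hex64 = (length(psk) == 64 && psk ~ /^[0-9A-Fa-f]+$/)
        if (!hex64 && (length(psk) < 8 || length(psk) > 63))
            report("passphrase must be 8..63 characters or 64 hex digits")
        if (vlan != "" && !(vlan in known) && !("*" in known))
            report("vlanid=" vlan " has no entry in the vlan_file")
        key = mac SUBSEP psk                     # same scope, same secret
        if ((key in seen) && seen[key] != vlan)
            report("same MAC and passphrase already mapped to vlanid=" seen[key])
        else seen[key] = vlan
    }
    function report(msg) { printf "%s:%d: %s\n", FILENAME, FNR, msg; bad = 1 }
    BEGIN { h = "[0-9A-Fa-f][0-9A-Fa-f]"
            macre = "^" h ":" h ":" h ":" h ":" h ":" h "$" }
    END { exit bad + 0 }
    ' mode=vlan "$2" mode=psk "$1"
}

# Constructed sample (not from the thread): a passphrase reused for two VLANs,
# a passphrase that is too short, and a VLAN id missing from the vlan_file.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' '1 wifivlan.1 br-lan' '3 wifivlan.3 br-vlan3' > "$d/vlan"
    printf '%s\n' 'vlanid=1 00:00:00:00:00:00 home passphrase' \
        'vlanid=3 00:00:00:00:00:00 home passphrase' \
        'vlanid=3 00:00:00:00:00:00 short' \
        'vlanid=7 00:00:00:00:00:00 guest-passphrase' > "$d/psk"
    lint_psk_vlan "$d/psk" "$d/vlan"; rc=$?
    rm -rf "$d"
    return $rc
}
demo || true
```

On a router it would be called as `lint_psk_vlan /etc/hostapd.wpa_psk /etc/hostapd.vlan` before reloading the wireless configuration.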

Hi robimarko, could you please post here when the fix is merged so I could try again with my AX3600?

I have not even sent it upstream yet, I just don't have the bandwidth to do it currently


I was able to get 'Bridge VLAN Filtering' and '11r FT' to work using wpa_psk_file.

Stupid question here: what is the advantage of this solution over having different SSIDs? I mean, in the case of 2/3 SSIDs (not an SSID for each client). Is it relevant in terms of performance? Very cool solution, but I like having an "Iot", a "Guest" and a "Home" SSID with respective VLANs :slight_smile:

I guess two or three SSIDs are no problem. You might want to read up on "wifi beacon" or "beacon frame". There are radio signals going on even if there's no traffic, even if there are no clients connected to an access point. As the number of SSIDs on a single radio increases, the number of beacon frames becomes a significant portion of your airtime usage. The Wikipedia article about beacon frames states 15 SSIDs as a limit. If you manage to have a single SSID for a lot of different networks, all those only need a single beacon frame, hence reducing the required overhead to make it work.


One reason I can think of is to personalize it per individual, for example if you want to set a time restriction on a certain network.

Another reason might be that some people don't like an extra SSID for IoT called iot or smart, so for convenience they can still isolate it via a VLAN and a different passphrase.

For me, kind of both count. Here's an example from my topology:

The main reason I want to use multi-PSK is that I use a Windows gaming handheld; I don't want it to be in IoT but neither in the normal Wi-Fi, so it gets its own personalized network via VLAN, which also means it can access some of my local services, like a lancache for example.

For convenience, the IoT Wi-Fi which I had I also put as multi-PSK.

Now I only have 2 SSIDs, only for 5 GHz and 2.4 GHz; for me it's more for convenience and abstraction visibility.

I'd really like to try this out, but I'm unclear on how this interacts with the wireless client isolation feature?

I currently use three SSIDs each assigned to a VLAN:

  • VLAN A - Trusted devices (no client isolation)
  • VLAN B - IOT devices (no client isolation)
  • VLAN C - External-only guest/IOT devices (client isolation enabled)

Devices in VLAN A/B can see other clients on the same SSID (but not other SSIDs); devices in VLAN C cannot see any other clients.

Can this be achieved using the wpa_psk_file approach?

Wifi client isolation is a per-BSS setting, all clients on the BSS would be isolated from each other, regardless of VLANs.

(As far as I understand it, the isolate option causes packets to be rejected if both the source and destination MAC are on the same BSS.)

As @takimata already explained, the client isolation feature is a function of a single BSS. Therefore, when using wpa_psk_file (or RADIUS) to assign VLANs dynamically, you have to choose whether to use client isolation or not.

So if I understand you correctly you have 2 options:

  1. Enable client isolation on the (single) SSID -- which uses wpa_psk_file to assign VLANs dynamically -- and isolate all clients from each other.
  2. (VLANs are already separated layer-2 domains by definition.) Use "only" VLANs, and give clients which need to be truly isolated a dedicated VLAN, which could result in heavy config overhead.
  3. Bonus: Don't use client isolation at all. :person_shrugging: (Apart from public hot-spots, I personally don't see a benefit in using client isolation, but maybe I'm biased.)

Thanks both. It seems that I still need the multiple SSIDs for my use case, so there's little benefit in using per-passphrase VLANs as well.

A single SSID with client isolation breaks critical use cases (e.g. PC-to-PC network shares between trusted wireless devices).

A single SSID without client isolation is a security risk (e.g. a compromised guest/IOT device could be used to launch attacks against trusted wireless PCs etc. that would otherwise be totally isolated by VLAN+firewall rules).

I'm under the impression you did not understand both vlan and client isolation.

If your PC is on VLAN 78 and your IoT shit is on VLAN 523, then they are on separate layer-2 domains!
If you use client isolation, then clients on the same wireless layer 2 are not able to communicate on layer 2 directly.
If you have a single SSID but with dynamic VLANs, then your PCs are on a different VLAN than your IoT shizzle. I do not understand your FUD.


Can you explain how this can keep guests isolated from each other? I don't believe it is possible, but if you believe I do not understand it properly maybe I'm still missing something.

If client isolation is disabled, all wireless devices on a VLAN can see each other - so any guests can access each other. With client isolation, every individual device is isolated.

Using a single SSID without client isolation, I would need to create a unique passphrase+VLAN for every individual guest device before allowing them to connect.

Using a single SSID with client isolation, I would need to create a unique passphrase+VLAN for every trusted device, and set up firewall zones and rules to allow them to communicate with each other.

Using separate SSIDs, the guest SSID+passphrase can be made known and still be confident that any/all guests can only access the Internet - not any other wired/wireless devices, including other guests - without needing to do any per-client configuration.

You could set up two SSIDs: one for general trusted devices which don't need client isolation but individual VLANs (lan, kids, work from home, etc.), and another SSID where both are required, individual VLANs (CCTV, lights, etc.) and client isolation?

Yes - that is my existing setup (one SSID for each group of devices that need to communicate with one another, plus an SSID for isolated clients). I was hoping this feature would eliminate the need for multiple SSIDs, but it doesn't for my use case.