Individual per-passphrase Wifi VLANs using wpa_psk_file (no RADIUS required)

It still can. In case you need more then 2 vlan or ssid. It will not scale if you announce like 12 ssid. I think most wireless driver are limited to like 4 ssid. With wpa psk file, or radius private tunnel group id, you could, if you like, use all 2^12 - 2 vlan IDs on a single or even two ssid.

You're misunderstanding his goals here. He knows and already isolates his IoT and guests from his regular LAN. But he also wants IoT and guest devices isolated from each other. It's already established that client isolation cannot be done with wpa_psk_file:

I think I understand the request pretty well.
And I have explained all the various setup options well I would have thought.
Yes a single SSID with dynamic vlans can not have isolated clients on a per vlan basic because it's an SSID setting. So if the user needs both, the user could use one ssid without client isolation and dynamic vlans, and another ssid with client isolation and dynamic vlans.

1 Like

I was also looking into it, and similarly wanted client isolation. I see your point is bunching up LANs that need client isolation to single SSID to reduce the total number of SSIDs.

But what is that dynamic VLAN thing you mention? Could you point me to some docs?

We are talking here about dynamic vlan assignment the whole time, lol :wink:

Normally it's named 802.1x but this normally required a whole bunch of stuff, like RADIUS, and proper TLS certificates and yadda yadda yadda. But, hostapd can simply stuff a wireless client in a vlan by Mac address or in this case, by a defined PSK, preshared Key aka password on a SSID.

No I got that part. I assumed "dynamic VLAN" (from its name) to mean generating VLANs on the fly somehow. Guess not.

Yeah, the dynamic is just that you have no static / predefined vlan on a wireless or a switch port on an Ethernet network, but the client gets into a vlan either on an access point or switch based on the radius private tunnel group id with 802.1x and/or wpa2 enterprise.


sae_password or sae_password_file option for hostapd are indeed not converted by openwrt's hostapd script, therefore limiting VLAN ID assignment to psk2.


I'm testing this on a Unifi ac lite(OpenWrt 23.05.0, r23497-6637af95aa) and I'm finding if I have both radios with the same SSID it works until my phone decides to roam to the other band.
I then get a heap of errors in the logs where the vlan connection is created and then dumped. Has anyone got this working with dual radios and the same SSID?
I'm using the wildcard entry only in the vlans file

  • vlan#
1 Like

I just created a PR to resolve this limitation, I am now able to assign VLAN IDs to WAP3 clients :slight_smile:
Hopefully it'll get merge soon :crossed_fingers:


is there anyone here with mt7621/mt7615 devices using wpa_psk_file with vlan?
with re650 v1, ea7500 v2, ea8100 v1, if using vlan configuration sometimes the STA lost connection at all, no local ping, no internet connection.
the connection will be back after several minutes if i take no action.
reconnect to the wifi, brings back the connection.

tested on 21.02 - 22.03 - 23.05 - SNAPSHOTS

I'm running a Ubiquiti UniFi 6 Lite here (MT7621; WifI MT7603E & MT7615E) using the wpa_psk_file definitions. The only issue I have is in reconfiguring the settings via the uci config files. The changes aren't properly handled during a soft reload, so the networks go haywire until I do a full restart of wpad. I've had no issues with dropouts outside of the reconfiguration issues.

are you using vlanid param?
i have this symptom only if using vlan, even with RADIUS ppsk/ipsk.

my goal is using the same SSID for regular and guest user separated by vlan.

Yes I am, via the OpenWRT uci 'wifi-station' and 'wifi-vlan' config sections. I'm using a single SSID to provide service across three separate VLANs including regular, guest, and another untrusted network.

1 Like

Do you have 802.11r Fast Transition Enabled?
=> if so, can you re-verify without this option?

no, it's disabled.
the thing is, this only happened to mt7621/mt7615 as i mentioned before.
tried it with google onhub and engenius eap1200h both with ath10k, same setup, all working normally.
i am getting frustrated by keep trying.

@grauerfuchs thankyou for the answer

Try checking the system log and kernel log the next time you notice this happening. Are there any unusual entries there? This sounds to me like either a conflict or interference, or possibly something strange going on with the particular device. The log might show errors, certain types of interference (some drivers only), or an unexpected reboot.

As for radio-level interference possibilities, if a network on a DFS frequency detects certain levels and types of interference, it may shut down to avoid interfering with a priority service. Likewise, on the 2.4GHz band, a network may effectively be shut down by other nearby devices operating in the band (other WiFi networks? Microwave oven? Portable telephone?)

The different devices might operate differently based on a number of things including physical position, gain, antennas, radio susceptibility, etc.

no log indicates anything at all when it happened.
even with log_level set to debug.
2.4Ghz tested with 1, 6, 11 channel
5Ghz tested with 36,40,44,149,153,161 channel

the weird thing is this issue only happened with vlanid set in wpa_psk_file.
when only psk is set, without vlanid, all normal.
so i think it has nothing to do with interference, imho.

Understood. I haven't experienced the issue with a device on the same base chip, but we still have a relatively small sample size and so narrowing things down is difficult. Who knows; At this point, my device simply working may be the outlier and fluke of the whole thing.

The only next steps I could suggest at this point would require a lot of detailed analysis on inputs and outputs from the related devices. Given the extreme cost in hardware resources and time involved in tracking it down that way, I'm hoping we'll have other people chime in with experiences that could help further narrow down the issue.

After further testing, it appeared that I had seen successfull connection to separate VLAN due to a bug.

Above mentioned PR should add support for sae_password_file bss option but will not allow VLAN ID assignment for sae encryption mode. And this will likely not happen any time soon, as confirmed on hostap mailing list.