One SSID, multiple VLANs

Hello.

I'm trying the approach described here: Individual per-passphrase Wifi VLANs using wpa_psk_file (no RADIUS required) - #4 by takimata

The goal is to have one SSID that would dynamically assign a connected device to a VLAN based on the secret that device connects with.

Right now I have VLAN assignment implemented via multiple SSIDs as shown below (router: R4S, 23.05, AP: Zyxel NWA50AX, 23.05.05) and everything works just fine.

Router:

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fded:535b:e766::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth1'

config device
        option name 'eth1'
        option macaddr '<REDACTED>'

config interface 'lan'
        option device 'br-lan.2'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option name 'eth0'
        option macaddr '<REDACTED>'

config interface 'wan'
        option device 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'

config interface 'iot'
        option proto 'static'
        option device 'br-lan.44'
        option ipaddr '192.168.44.1'
        option netmask '255.255.255.0'

AP:

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd12:c027:ddae::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan.2'

config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'

config device
        option type 'bridge'
        option name 'br-iot'
        list ports 'lan.44'

config interface 'iot'
        option proto 'dhcp'
        option device 'br-iot'

/etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
        option channel '1'
        option band '2g'
        option htmode 'HE20'
        option disabled '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'
        option disabled '1'

config wifi-device 'radio1'
        option type 'mac80211'
        option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
        option channel '36'
        option band '5g'
        option htmode 'HE80'
        option cell_density '0'

config wifi-iface 'wifinet1'
        option device 'radio1'
        option mode 'ap'
        option ssid 'OpenWrt-l'
        option encryption 'psk2'
        option key '11111111'
        option network 'lan'

config wifi-iface 'wifinet2'
        option device 'radio1'
        option mode 'ap'
        option ssid 'OpenWrt-44'
        option encryption 'psk2'
        option key '11111111'
        option network 'iot'

Following the steps from the topic above, I've replaced the stock wpad package with wpad-wolfssl. But the moment I start adding the options to the /etc/config/wireless:

        option wpa_psk_file '/etc/hostapd.wpa_psk'
        option vlan_file '/etc/hostapd.vlan'
        option vlan_tagged_interface 'eth0'
        option vlan_bridge 'br-vlan'
        option dynamic_vlan '1'

Everything stops working - the AP stops broadcasting the configured SSIDs until I roll these changes back.

I'd appreciate it if someone knowledgeable helped me implement the wpa_psk_file solution for the setup I gave my current (working) config for above.

I’m using OpenSSL or mbedtls, so can't comment on issues with wolfssl.

BTW there’s another way to do this. I haven't checked what OpenWrt version is required, but on a recent SNAPSHOT I was able to use the following config:

config wifi-iface '2gi'
        option device 'radio0'
        option dtim_period '10'
        option encryption 'psk2+ccmp'
        option isolate '1'
        option key 'pass0'
        option mode 'ap'
        option network 'lan_50_iot'
        option ssid 'guest iot'

config wifi-vlan
        option iface '2gi'
        option vid '40'
        option name '2guest'
        option network 'lan_40_guest'

config wifi-station
        option iface '2gi'
        option vid '40'
        option key 'pass1'

config wifi-vlan
        option iface '2gi'
        option vid '50'
        option name '2iot'
        option network 'lan_50_iot'

config wifi-station
        option iface '2gi'
        option vid '50'
        option key 'pass2'
1 Like

Thanks, I'll take a look if anything like that can be used on 23.05. Can you pls also share the /etc/config/network from your router (relevant parts only :slight_smile: ) ?

This is probably not the culprit, but I wrote the "how-to" at a time when wolfssl was the default SSL library for 22.03. This has changed, the default SSL library for 23.05 is now mbedtls, accordingly you should install wpad-mbedtls.

Did you create the corresponding files, hostapd.wpa_psk, hostapd.vlan?

First of all, consult the system log. Unlike the stripped-down wpad-basic, the full-blown wpad should at least give some hints as to what is going wrong.

2 Likes

I'm using GL-MT6000. lan5 is assigned to wan. eth1 and lan1 are connected to dumb APs.

config device
	option name 'lan1'

config device
	option name 'lan2'

config device
	option name 'lan3'

config device
	option name 'lan4'

config device
	option name 'lan5'

config device
	option name 'eth1'

config device
	option type 'bridge'
	option name 'br-lan'
	option bridge_empty '1'
	list ports 'eth1'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config bridge-vlan
	option device 'br-lan'
	option vlan '40'
	list ports 'eth1:t'
	list ports 'lan1:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '50'
	list ports 'eth1:t'
	list ports 'lan1:t'

config device
	option type 'bridge'
	option name 'br_40_guest'
	list ports 'br-lan.40'
	option bridge_empty '1'

config device
	option type 'bridge'
	option name 'br_50_iot'
	list ports 'br-lan.50'
	option bridge_empty '1'

config interface 'lan_40_guest'
	option proto 'static'
	option device 'br_40_guest'
	option ipaddr '192.168.xxx.1'
	option netmask '255.255.255.0'

config interface 'lan_50_iot'
	option proto 'static'
	option device 'br_50_iot'
	option ipaddr '192.168.yyy.1'
	option netmask '255.255.255.0'

1 Like

Yes, I did. I'll swap the wpad-wolfssl for wpad-mbedtls and give it one more try.

Tried this on 23.05 and it worked! Also, for curious - found a commit adding that functionality: https://github.com/openwrt/openwrt/commit/5aa2ddd0d6b9759c62bbb7bb11b72a7f4269c16b

Thanks a lot, having it all in uci makes it all a lot more comprehensible!

Glad to hear that! Yeah I think I found it in source code by accident. :slight_smile: It’d be great to have it documented in the wiki.

1 Like

Happy that everything works for you now.

It does. The functionality is not exactly the same between the UCI-only wifi-vlan/wifi-station and the file-based vlan_file/wpa_psk_file methods, but for a simple, static setup the former is probably easier to set up.

I actually never tried to mix and match; I can see an advantage of using wifi-vlan sections to define the VLANs, but then use wpa_psk_file for the actual PSKs. My infrastructure is due for a teardown and rebuild anyway, I might just try that.

1 Like
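An added example (my own code, not from the thread or from OpenWrt) that turns one list of passphrase-to-VLAN mappings into both representations discussed in this thread: the wifi-vlan/wifi-station UCI sections shown above and the hostapd.wpa_psk/hostapd.vlan files the file-based method reads, with a validation pass for the mistakes that make the assignment fail or become ambiguous. It assumes hostapd's documented line formats (`vlanid=<id> <mac> <psk>` and `<vid> <ifname>`); the interface and VLAN names 2gi/2guest/2iot are borrowed from the config above and the passphrases are constructed.

```python
from dataclasses import dataclass
WILDCARD_MAC = "00:00:00:00:00:00"  # hostapd: PSK line that matches any station MAC

@dataclass(frozen=True)
class VlanKey:
    vid: int       # 802.1Q VLAN ID selected by this passphrase
    name: str      # wifi-vlan 'name' / interface name in hostapd.vlan
    network: str   # UCI network the VLAN interface joins
    key: str       # WPA2 passphrase, 8-63 ASCII chars or 64 hex digits

# Constructed sample mirroring the thread's 2gi/2guest/2iot layout, with
# passphrases of valid length (5-char placeholders like 'pass1' are rejected).
SAMPLE = [VlanKey(40, "2guest", "lan_40_guest", "guest-pass-1"),
          VlanKey(50, "2iot", "lan_50_iot", "iot-pass-2")]

def validate(entries):
    """Raise on mappings hostapd would refuse or resolve ambiguously."""
    keys = set()
    for e in entries:
        if not 1 <= e.vid <= 4094:
            raise ValueError(f"vid {e.vid} outside 802.1Q range")
        hex_psk = len(e.key) == 64 and all(c in "0123456789abcdefABCDEF" for c in e.key)
        if not (8 <= len(e.key) <= 63 or hex_psk):
            raise ValueError(f"key for vid {e.vid}: need 8-63 chars or 64 hex digits")
        if e.key in keys:  # the first entry whose PSK verifies wins, so a reused key always lands in one VLAN
            raise ValueError(f"passphrase for vid {e.vid} is already used by another VLAN")
        keys.add(e.key)
    return entries

def is_valid(entries):
    try:
        validate(entries)
    except ValueError:
        return False
    return True

def uci_sections(iface, entries):
    """UCI-only method: a wifi-vlan plus a wifi-station section per VLAN."""
    out = []
    for e in validate(entries):
        out.append(f"config wifi-vlan\n\toption iface '{iface}'\n\toption vid '{e.vid}'\n"
                   f"\toption name '{e.name}'\n\toption network '{e.network}'\n")
        out.append(f"config wifi-station\n\toption iface '{iface}'\n\toption vid '{e.vid}'\n"
                   f"\toption key '{e.key}'\n")
    return "\n".join(out)

def hostapd_files(entries):
    """File-based method: contents for hostapd.wpa_psk and hostapd.vlan."""
    psk = "".join(f"vlanid={e.vid} {WILDCARD_MAC} {e.key}\n" for e in validate(entries))
    vlan = "".join(f"{e.vid} {e.name}\n" for e in entries)
    return psk, vlan
```

Each wifi-vlan section still needs a matching network and bridge-vlan on the router side, as in the network config posted above.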

Got it. Thanks for the heads-up. I'll further explore the differences. But for my home setup it looks like the uci based config should be enough.

Would also be curious to learn about your findings if you get to do a write-up after you try :slight_smile:
