R8000 + VLAN + WiFi encryption

Hi,
I'm using OpenWrt 22.03.5 r20134-5f15225c1e / LuCI openwrt-22.03 branch git-23.093.57104-ce20b4a with a Netgear R8000 (BCM4709) as a dumb AP.

I've set up a few VLANs by configuring bridge VLAN filtering and creating the related unmanaged interfaces.

I've also set up a few different wifi networks. Everything works fine if I leave the wifi networks without encryption. I can connect to the different VLANs each time with no problems.

If I configure the wifi networks with WPA2/WPA3 mixed encryption, or with either one alone, I cannot connect to the wifi networks anymore.

Seems that @Mokuhi had a similar problem here: Netgear R8000 - how to configure VLANs - #7 by Mokuhi

@Mokuhi did you solve it somehow?

For instance, with encryption set up, if I try to connect to the wifi network with my laptop, the AP deauthenticates it right after association (reason 20, INVALID_AKMP):

[ 6194.070541] wlo1: send auth to 3c:xxxx (try 1/3)
[ 6194.097534] wlo1: authenticated
[ 6194.102394] wlo1: associate with 3c:xxxx (try 1/3)
[ 6194.105557] wlo1: RX AssocResp from 3c:xxxx (capab=0x11 status=0 aid=1)
[ 6194.112097] wlo1: associated
[ 6194.112178] wlo1: deauthenticated from 3c:xxxx (Reason: 20=INVALID_AKMP)

After removing the encryption, everything works fine:

[ 6586.165505] wlo1: authenticate with 3c:xxxx
[ 6586.170613] wlo1: send auth to 3c:xxxx (try 1/3)
[ 6586.197114] wlo1: authenticated
[ 6586.200372] wlo1: associate with 3c:xxxx (try 1/3)
[ 6586.203413] wlo1: RX AssocResp from 3c:xxxx (capab=0x1 status=0 aid=1)
[ 6586.209391] wlo1: associated
[ 6586.212925] wlo1: Limiting TX power to 30 (30 - 0) dBm as advertised by 3c:xxxx
[ 6586.213571] IPv6: ADDRCONF(NETDEV_CHANGE): wlo1: link becomes ready


WPA2/WPA3 mixed mode doesn’t work very well with many client devices. You should use WPA3 only or WPA2 only and you’ll have better luck.

However, you seemed to indicate you’ve tried that. So let’s see your config and we may be able to identify the problem.

Please copy the output of the following commands and post it here using the "Preformatted text </> " button:
Remember to redact passwords, MAC addresses and any public IP addresses you may have:

cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

I don't think brcmfmac likes ieee802.11w (management frame protection) too much either, and that is a hard requirement for WPA3; try WPA2-PSK with CCMP, without 802.11w.

This is the working config without wifi encryption

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fd46:73dd:7c9d::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

config device
	option name 'wan'
	option macaddr '3C:xx:xx:xx:xx:xx'

config interface 'MGMT'
	option device 'br-lan.10'
	option proto 'dhcp'
	option type 'bridge'

config interface 'GUEST'
	option proto 'none'
	option device 'br-lan.30'
	option type 'bridge'

config interface 'IOT'
	option proto 'none'
	option device 'br-lan.40'
	option type 'bridge'

config bridge-vlan
	option device 'br-lan'
	option vlan '40'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'wan:t'

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path '18000000.axi/bcma0:7/pci0000:00/0000:00:00.0/0000:01:00.0'
	option country 'US'
	option cell_density '0'
	option htmode 'VHT20'
	option band '5g'
	option channel '149'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option key '12345678'
	option network 'MGMT'
	option encryption 'none'
	option ssid 'mgmt'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '18000000.axi/bcma0:8/pci0001:00/0001:00:00.0/0001:01:00.0/0001:02:01.0/0001:03:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-device 'radio2'
	option type 'mac80211'
	option path '18000000.axi/bcma0:8/pci0001:00/0001:00:00.0/0001:01:00.0/0001:02:02.0/0001:04:00.0'
	option band '5g'
	option htmode 'VHT80'
	option channel '48'
	option country 'US'
	option cell_density '0'

config wifi-iface 'default_radio2'
	option device 'radio2'
	option mode 'ap'
	option key '12345678'
	option encryption 'none'
	option ssid 'iot'
	option network 'IOT'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option isolate '1'
	option network 'GUEST'
	option key '12345678'
	option ssid 'guest'
	option encryption 'none'
root@OpenWrt:~# cat /etc/config/dhcp

config dnsmasq
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	option localservice '1'
	option ednspacket_max '1232'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

root@OpenWrt:~# cat /etc/config/firewall 

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

And this is the non-working config, with WPA2-PSK encryption for the GUEST wifi network:

root@OpenWrt:~# cat /etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path '18000000.axi/bcma0:7/pci0000:00/0000:00:00.0/0000:01:00.0'
	option country 'US'
	option cell_density '0'
	option htmode 'VHT20'
	option band '5g'
	option channel '149'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option key '12345678'
	option network 'MGMT'
	option encryption 'none'
	option ssid 'mgmt'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '18000000.axi/bcma0:8/pci0001:00/0001:00:00.0/0001:01:00.0/0001:02:01.0/0001:03:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-device 'radio2'
	option type 'mac80211'
	option path '18000000.axi/bcma0:8/pci0001:00/0001:00:00.0/0001:01:00.0/0001:02:02.0/0001:04:00.0'
	option band '5g'
	option htmode 'VHT80'
	option channel '48'
	option country 'US'
	option cell_density '0'

config wifi-iface 'default_radio2'
	option device 'radio2'
	option mode 'ap'
	option key '12345678'
	option encryption 'none'
	option ssid 'iot'
	option network 'IOT'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option isolate '1'
	option network 'GUEST'
	option key '12345678'
	option ssid 'guest'
	option encryption 'psk2+ccmp'

I've tried that already without success

The interfaces must not contain the option type 'bridge' anymore -- that is old syntax that has been deprecated. Remove that line from all of your interfaces.

Try using simply psk2 as the encryption type...

Then reboot and try again.

I don't know if brcmfmac / available firmware support WPA3 at all.

You started with a complex setup: WPA2+WPA3, VLANs, multiple SSID.

Please start with checking if WPA2 encryption works for you in the basic scenario: wireless device with a single wireless interface. If that works, try adding your bits one by one. See when it fails.

Thanks for the replies.

As suggested by @rmilecki, I started clean from a factory reset and forgot about WPA3, setting up only a few different SSIDs on the 3 radios available in the R8000 with WPA2 encryption, and everything works correctly.

Things stop working as soon as I make these changes in one shot:

  • remove the default lan-bridge interface,
  • configure the br-lan device with vlan filtering
  • create the vlan related interface
  • associate a VLAN interface with a wifi-iface
root@OpenWrt:~# cat /etc/config/network 

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'
	option ula_prefix 'fdf8:dd2d:b4c6::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'wan'

config bridge-vlan
	option device 'br-lan'
	option vlan '10'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '30'
	list ports 'wan:t'

config bridge-vlan
	option device 'br-lan'
	option vlan '40'
	list ports 'wan:t'

config interface 'MGMT'
	option device 'br-lan.10'
	option proto 'dhcp'

config interface 'GUEST'
	option proto 'none'
	option device 'br-lan.30'
root@OpenWrt:~# cat /etc/config/wireless 

config wifi-device 'radio0'
	option type 'mac80211'
	option path '18000000.axi/bcma0:7/pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'VHT20'
	option band '5g'
	option channel '149'
	option country 'US'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'OpenWrt55'
	option encryption 'psk2'
	option key '12345678'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '18000000.axi/bcma0:8/pci0001:00/0001:00:00.0/0001:01:00.0/0001:02:01.0/0001:03:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'psk2'
	option key '12345678'

config wifi-device 'radio2'
	option type 'mac80211'
	option path '18000000.axi/bcma0:8/pci0001:00/0001:00:00.0/0001:01:00.0/0001:02:02.0/0001:04:00.0'
	option band '5g'
	option htmode 'VHT80'
	option channel '48'
	option country 'US'
	option cell_density '0'

config wifi-iface 'default_radio2'
	option device 'radio2'
	option mode 'ap'
	option ssid 'OpenWrt5'
	option key '12345678'
	option encryption 'psk2'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'OpenWrtA'
	option encryption 'psk2'
	option key '12345678'
	option network 'MGMT'

config wifi-iface 'wifinet4'
	option device 'radio2'
	option mode 'ap'
	option ssid 'OpenWrt5A'
	option encryption 'psk2'
	option key '12345678'
	option network 'GUEST'

If I remove the encryption, I can connect without problems.