Raspberry Pi 4B WiFi using WPA-PSK2 failing to connect using VLANs - DSA

Hi Everyone,

The title says most of it, but to elaborate, this is my situation.

I'm testing out VLANs using DSA in OpenWrt 21.02.1 and have no problems creating VLANs using Bridge VLAN Filtering (egress untagged for one VLAN on each port, other VLAN does not participate). It works as expected when connecting to different Ethernet ports based on the tagging (e.g. untagging or tagging, though I have not tested Port VLAN IDs for ingress / egress behavior).

Nonetheless, as noted in the DSA Mini Tutorial and Converting to DSA, I simply assign the network to the interface created that has a bridged VLAN device associated with it (such as br-lan.1).

However, when I do this as per the documentation, it doesn't work. By that, I mean that my client attempts to connect, temporarily connects when looking at the Wireless page, but then is disconnected and never gets an IP assigned. I repeat the process only to see it fail, as expected. I know I'm using the right password, and have ruled that out.

What I find interesting is that this does actually work (my wireless client connects and gets an IP address assigned under the DSA VLAN), when I change the network security to Open. The client also connects when I change the interface's device to wlan0 (from br-lan.1), but does not get assigned an IP address, even while still using WPA-PSK2 security.

So this is very strange to me, and I haven't been able to diagnose why I am seeing this behavior. For reference, refer to my configurations for /etc/config/network and /etc/config/wireless for the following scenarios.

All scenarios use LAN2 as the network.

Scenario 1: DSA VLAN on WiFi WPA-PSK2 -> Fails to authenticate

/etc/config/network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd36:fe57:adcc::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth1'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'br-lan.1'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth0'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'eth1'

config interface 'lan2'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option device 'br-lan.2'

/etc/config/wireless
config wifi-device 'radio0'
        option type 'mac80211'
        option channel 'auto'
        option hwmode '11a'
        option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
        option htmode 'VHT20'
        option cell_density '0'
        option country 'US'
        option log_level '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt'
        option key 'dsatest456'
        option encryption 'psk2'
        option network 'lan2'

logread output
Sun Oct 24 11:01:49 2021 daemon.info hostapd: wlan0: STA a1:b2:c3:d4:e5:f6 IEEE 802.11: associated
Sun Oct 24 11:01:49 2021 daemon.debug hostapd: wlan0: STA a1:b2:c3:d4:e5:f6 WPA: event 1 notification
Sun Oct 24 11:01:49 2021 daemon.debug hostapd: wlan0: STA a1:b2:c3:d4:e5:f6 WPA: start authentication
Sun Oct 24 11:01:49 2021 daemon.debug hostapd: wlan0: STA a1:b2:c3:d4:e5:f6 IEEE 802.1X: unauthorizing port
Sun Oct 24 11:01:49 2021 daemon.debug hostapd: wlan0: STA a1:b2:c3:d4:e5:f6 WPA: sending 1/4 msg of 4-Way Handshake
Sun Oct 24 11:01:50 2021 daemon.debug hostapd: wlan0: STA a1:b2:c3:d4:e5:f6 WPA: EAPOL-Key timeout
Sun Oct 24 11:01:50 2021 daemon.debug hostapd: wlan0: STA a1:b2:c3:d4:e5:f6 WPA: sending 1/4 msg of 4-Way Handshake
Sun Oct 24 11:01:51 2021 daemon.debug hostapd: wlan0: STA a1:b2:c3:d4:e5:f6 WPA: EAPOL-Key timeout
Sun Oct 24 11:01:51 2021 daemon.debug hostapd: wlan0: STA a1:b2:c3:d4:e5:f6 WPA: sending 1/4 msg of 4-Way Handshake
Sun Oct 24 11:01:52 2021 daemon.debug hostapd: wlan0: STA a1:b2:c3:d4:e5:f6 WPA: EAPOL-Key timeout
Sun Oct 24 11:01:52 2021 daemon.debug hostapd: wlan0: STA a1:b2:c3:d4:e5:f6 WPA: sending 1/4 msg of 4-Way Handshake
Sun Oct 24 11:01:53 2021 daemon.debug hostapd: wlan0: STA a1:b2:c3:d4:e5:f6 WPA: EAPOL-Key timeout
Sun Oct 24 11:01:53 2021 daemon.debug hostapd: wlan0: STA a1:b2:c3:d4:e5:f6 WPA: PTKSTART: Retry limit 4 reached
Sun Oct 24 11:01:53 2021 daemon.debug hostapd: wlan0: STA a1:b2:c3:d4:e5:f6 WPA: event 3 notification
Sun Oct 24 11:01:53 2021 daemon.debug hostapd: wlan0: STA a1:b2:c3:d4:e5:f6 IEEE 802.1X: unauthorizing port
Sun Oct 24 11:01:53 2021 daemon.debug hostapd: wlan0: STA a1:b2:c3:d4:e5:f6 MLME: MLME-DEAUTHENTICATE.indication(a1:b2:c3:d4:e5:f6, 15)
Sun Oct 24 11:01:53 2021 daemon.debug hostapd: wlan0: STA a1:b2:c3:d4:e5:f6 MLME: MLME-DELETEKEYS.request(a1:b2:c3:d4:e5:f6)
Sun Oct 24 11:01:53 2021 daemon.info hostapd: wlan0: STA a1:b2:c3:d4:e5:f6 IEEE 802.11: disassociated

Scenario 2: wlan0 on Interface lan2, WiFi WPA-PSK2 -> Authenticates, No IP Assigned

/etc/config/network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd36:fe57:adcc::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth1'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'br-lan.1'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth0'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'eth1'

config interface 'lan2'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option device 'wlan0'

/etc/config/wireless
config wifi-device 'radio0'
        option type 'mac80211'
        option channel 'auto'
        option hwmode '11a'
        option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
        option htmode 'VHT20'
        option cell_density '0'
        option country 'US'
        option log_level '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt'
        option key 'dsatest456'
        option encryption 'psk2'
        option network 'lan2'

logread output
Sun Oct 24 11:08:28 2021 daemon.info hostapd: wlan0: STA a1:b2:c3:d4:e5:f6 IEEE 802.11: associated
Sun Oct 24 11:08:28 2021 daemon.debug hostapd: wlan0: STA a1:b2:c3:d4:e5:f6 WPA: event 1 notification
Sun Oct 24 11:08:28 2021 daemon.debug hostapd: wlan0: STA a1:b2:c3:d4:e5:f6 WPA: start authentication
Sun Oct 24 11:08:28 2021 daemon.debug hostapd: wlan0: STA a1:b2:c3:d4:e5:f6 IEEE 802.1X: unauthorizing port
Sun Oct 24 11:08:28 2021 daemon.debug hostapd: wlan0: STA a1:b2:c3:d4:e5:f6 WPA: sending 1/4 msg of 4-Way Handshake
Sun Oct 24 11:08:28 2021 daemon.debug hostapd: wlan0: STA a1:b2:c3:d4:e5:f6 WPA: received EAPOL-Key frame (2/4 Pairwise)
Sun Oct 24 11:08:28 2021 daemon.debug hostapd: wlan0: STA a1:b2:c3:d4:e5:f6 WPA: sending 3/4 msg of 4-Way Handshake
Sun Oct 24 11:08:28 2021 daemon.debug hostapd: wlan0: STA a1:b2:c3:d4:e5:f6 WPA: received EAPOL-Key frame (4/4 Pairwise)
Sun Oct 24 11:08:28 2021 daemon.notice hostapd: wlan0: AP-STA-CONNECTED a1:b2:c3:d4:e5:f6
Sun Oct 24 11:08:28 2021 daemon.debug hostapd: wlan0: STA a1:b2:c3:d4:e5:f6 IEEE 802.1X: authorizing port
Sun Oct 24 11:08:28 2021 daemon.info hostapd: wlan0: STA a1:b2:c3:d4:e5:f6 WPA: pairwise key handshake completed (RSN)

Scenario 3: DSA VLAN, WiFi Open -> Assigned IP

/etc/config/network
config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd36:fe57:adcc::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'
        list ports 'eth1'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'br-lan.1'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'eth0'

config bridge-vlan
        option device 'br-lan'
        option vlan '2'
        list ports 'eth1'

config interface 'lan2'
        option proto 'static'
        option ipaddr '192.168.2.1'
        option netmask '255.255.255.0'
        option device 'br-lan.2'

/etc/config/wireless
config wifi-device 'radio0'
        option type 'mac80211'
        option channel 'auto'
        option hwmode '11a'
        option path 'platform/soc/fe300000.mmcnr/mmc_host/mmc1/mmc1:0001/mmc1:0001:1'
        option htmode 'VHT20'
        option cell_density '0'
        option country 'US'
        option log_level '1'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt'
        option key 'dsatest456'
        option network 'lan2'
        option encryption 'none'

logread output
Sun Oct 24 11:14:48 2021 daemon.info hostapd: wlan0: STA a1:b2:c3:d4:e5:f6 IEEE 802.11: associated
Sun Oct 24 11:14:48 2021 daemon.notice hostapd: wlan0: AP-STA-CONNECTED a1:b2:c3:d4:e5:f6
Sun Oct 24 11:14:48 2021 daemon.info dnsmasq-dhcp[9440]: DHCPREQUEST(br-lan.2) 192.168.1.125 a1:b2:c3:d4:e5:f6
Sun Oct 24 11:14:48 2021 daemon.info dnsmasq-dhcp[9440]: DHCPNAK(br-lan.2) 192.168.1.125 a1:b2:c3:d4:e5:f6 wrong network
Sun Oct 24 11:14:52 2021 daemon.info dnsmasq-dhcp[9440]: DHCPDISCOVER(br-lan.2) a1:b2:c3:d4:e5:f6
Sun Oct 24 11:14:52 2021 daemon.info dnsmasq-dhcp[9440]: DHCPOFFER(br-lan.2) 192.168.2.125 a1:b2:c3:d4:e5:f6
Sun Oct 24 11:14:52 2021 daemon.info dnsmasq-dhcp[9440]: DHCPDISCOVER(br-lan.2) a1:b2:c3:d4:e5:f6
Sun Oct 24 11:14:52 2021 daemon.info dnsmasq-dhcp[9440]: DHCPOFFER(br-lan.2) 192.168.2.125 a1:b2:c3:d4:e5:f6
Sun Oct 24 11:14:53 2021 daemon.info dnsmasq-dhcp[9440]: DHCPREQUEST(br-lan.2) 192.168.2.125 a1:b2:c3:d4:e5:f6
Sun Oct 24 11:14:53 2021 daemon.info dnsmasq-dhcp[9440]: DHCPACK(br-lan.2) 192.168.2.125 a1:b2:c3:d4:e5:f6

So I'm honestly not sure what's going on, but this is all the information I could think of to gather. I see the EAPOL-Key timeout, but I'm not sure why this is happening. I have had WiFi work without issue on WPA-PSK2 using the default configuration (br-lan interface with no Bridge VLAN filtering), just not with DSA VLANs just yet.

I'd like to get this working so I can also document it in a video I'm preparing.

I hope I'm not missing anything glaringly obvious. Any help would be appreciated.

Thanks in advance!
Orest
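
The difference between the Scenario 1 and Scenario 2 logs is whether hostapd ever logs a received message 2/4 after sending message 1/4. The following is an added example, not part of the original post: a shell function that summarises this per station from logread-style lines. The sample lines and MAC addresses are constructed in the format of the logs above, and the verdict names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): per-station summary of the WPA
# 4-way handshake as logged by hostapd. Reads logread-style lines on stdin.
handshake_summary() {
    awk '
    / hostapd: / && / STA / {
        # The station MAC is the field that follows the literal "STA".
        for (i = 1; i < NF; i++) if ($i == "STA") { mac = $(i + 1); break }
        if (!(mac in seen)) { seen[mac] = 1; order[++n] = mac }
        if ($0 ~ /sending 1\/4 msg/)                 m1[mac]++
        if ($0 ~ /received EAPOL-Key frame \(2\/4/)  m2[mac]++
        if ($0 ~ /EAPOL-Key timeout/)                tmo[mac]++
        if ($0 ~ /pairwise key handshake completed/) ok[mac] = 1
    }
    END {
        for (k = 1; k <= n; k++) {
            mac = order[k]
            if (ok[mac])                   v = "completed"
            else if (m1[mac] && !m2[mac])  v = "no-reply-to-msg1"
            else if (m2[mac])              v = "stalled-after-msg2"
            else                           v = "no-handshake-logged"
            printf "%s %s msg1=%d timeouts=%d\n", mac, v, m1[mac], tmo[mac]
        }
    }'
}

# Constructed sample in the format of the logread output above
# (MAC addresses are made up).
sample_log() {
    cat <<'EOF'
Sun Oct 24 11:01:49 2021 daemon.info hostapd: wlan0: STA 02:00:00:00:00:01 IEEE 802.11: associated
Sun Oct 24 11:01:49 2021 daemon.debug hostapd: wlan0: STA 02:00:00:00:00:01 WPA: sending 1/4 msg of 4-Way Handshake
Sun Oct 24 11:01:50 2021 daemon.debug hostapd: wlan0: STA 02:00:00:00:00:01 WPA: EAPOL-Key timeout
Sun Oct 24 11:01:50 2021 daemon.debug hostapd: wlan0: STA 02:00:00:00:00:01 WPA: sending 1/4 msg of 4-Way Handshake
Sun Oct 24 11:01:51 2021 daemon.debug hostapd: wlan0: STA 02:00:00:00:00:01 WPA: EAPOL-Key timeout
Sun Oct 24 11:08:28 2021 daemon.debug hostapd: wlan0: STA 02:00:00:00:00:02 WPA: sending 1/4 msg of 4-Way Handshake
Sun Oct 24 11:08:28 2021 daemon.debug hostapd: wlan0: STA 02:00:00:00:00:02 WPA: received EAPOL-Key frame (2/4 Pairwise)
Sun Oct 24 11:08:28 2021 daemon.debug hostapd: wlan0: STA 02:00:00:00:00:02 WPA: sending 3/4 msg of 4-Way Handshake
Sun Oct 24 11:08:28 2021 daemon.info hostapd: wlan0: STA 02:00:00:00:00:02 WPA: pairwise key handshake completed (RSN)
EOF
}

sample_log | handshake_summary
```

On a router the same function can be fed live data with `logread | handshake_summary`, provided hostapd debug logging is enabled as in the configs above.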

The Pi does not have a hardware switch, so DSA is not applicable. To tag packets on a port, use the notation eth0.X within a regular bridge. Multiple bridges can be defined with the same port tagged a different VLAN in each one. The bridge itself is untagged. This is only applicable to devices with real independent CPU ports like the Pi and X86.

Also do not reference wifi devices within /etc/config/network. Connect wifi to networks with option network in /etc/config/wireless.

It is also worth mentioning that while the Pi4 is an excellent performer in terms of the routing capabilities, the wifi on it is terrible. Range will be limited, and bandwidth will be poor (especially if you have multiple clients connecting) due to the PCB antenna and limited 1x1 radio architecture. You will be much happier with a proper wifi AP or all-in-one device used as a dumb AP.

@mk24

Thanks Mike! I'm not sure I completely understand. As of now I have set up Bridge VLAN Filtering, and I have had no problem with the VLANs working on both of my physical ports, eth0 and eth1, that have br-lan.1 and br-lan.2 VLANs on them, untagged, respectively. So should what I'm experiencing not actually work? I am aware of the other ways to create VLANs, and I have not tried them. Ideally I want to take in tagged ports on one port, acting as an upstream port, and then use the other port as a downstream, that would be untagged. So if I can accomplish this the same way, which it seems like I can, then I'd be fine with that.

Also do not reference wifi devices within /etc/config/network. Connect wifi to networks with option network in /etc/config/wireless.

Thanks and definitely. I know I'm not technically supposed to do that, rather I did it as a means of testing, probably a bad way at that. I have done that in all my wireless configs (referring to the network), I was just testing around to see how it would work. But yes referring to the network in the wireless config is the right way from my understanding too.

@psherman

Thanks Peter! That is definitely true, by no means do I recommend this as an Access Point. Given its paltry built-in antenna, it's only good enough to be a client, which is really what it's designed for anyway. I merely am looking to prove the concept and show it off, so I use Raspberry Pis for testing and tinkering. I've never used one for production home WiFi, but for learning wireless concepts and different abilities, it's a good teaching tool.

That would be done like this:

config device
        option name 'br-vlan10'
        option type 'bridge'
        list ports 'eth0.10'
        list ports 'eth1'

If you only want to move packets between two ports at layer 2, you still need to declare an interface of proto none with the bridge as its option device for the bridge to actually be created.

config interface 'vlan10'
        option device 'br-vlan10'
        option proto 'none'

Thanks, I understand that.

I was able to get it working using the config you shared. Here is the full config I tested this out with, using VLAN ID of 1.

  1. Create the VLAN Device (eth1.1), using the trunk port (eth1) as the VLAN base device

/etc/config/network

config device
        option type '8021q'
        option ifname 'eth1'
        option vid '1'
        option name 'eth1.1'

  2. Create the bridge, using the newly created VLAN Device (eth1.1) and an open (non-trunk) port, eth0.

config device
        option type 'bridge'
        option name 'br-vlan1'
        list ports 'eth1.1'
        list ports 'eth0'

  3. Then create the VLAN Interface (lan1), using the bridge (br-vlan1) as the interface device

config interface 'lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'br-vlan1'
        option ipaddr '192.168.1.1'

  4. Then assign vlan1 as the network for the wireless (wlan0) interface

/etc/config/wireless

config wifi-iface 'default_radio0'
        option device 'radio0'
        option mode 'ap'
        option ssid 'OpenWrt'
        option network 'vlan1'
        option encryption 'psk2'
        option key 'Str0ngWiF1P4sswOrd'

When I connect to ethernet port eth0, and assuming DHCP is on, I get assigned an IP in the 192.168.1.1/24 range.
Also, when I connect to the OpenWrt WiFi, I get assigned an IP Address within the same 192.168.1.1/24 network. So looks like the vlan tags are being carried over from the trunk port to eth0 and wlan0 interfaces.

I appreciate the help! I'll be updating this post with my full configs to share with everyone else who might be interested.
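
The advice in this thread (attach wifi with option network in /etc/config/wireless, never a wlan device in /etc/config/network) can be checked mechanically, together with whether the bridge and network names that are referenced are actually defined. The following is an added example, not from the thread and not an OpenWrt tool. The sample files are constructed with deliberate mistakes, and treating any device name starting with br- as a bridge that needs a matching config device section is an assumption of this example.

```shell
# Added example (not from the thread). Usage: uci_xref_lint NETWORK WIRELESS
uci_xref_lint() {
    LC_ALL=C awk -v q="'" '
    function unq(s) { gsub("^[" q "\"]|[" q "\"]$", "", s); return s }
    { net = (FILENAME == ARGV[1]) }        # true while reading NETWORK
    $1 == "config" {
        type = $2; sect = unq($3)
        if (net && type == "interface") iface[sect] = 1
        next
    }
    $1 != "option" { next }
    { val = unq($3) }
    net  && type == "device"     && $2 == "name"    { dev[val] = 1 }
    net  && type == "interface"  && $2 == "device"  { ifdev[sect] = val }
    !net && type == "wifi-iface" && $2 == "network" { wnet[sect] = val }
    END {
        for (s in ifdev) {
            d = ifdev[s]; base = d; sub(/\..*$/, "", base)
            if (d ~ /^wlan/)
                print "network: interface " s " references wifi device " d
            else if (d ~ /^br-/ && !(base in dev))
                print "network: interface " s " uses undefined bridge " base
        }
        for (s in wnet) if (!(wnet[s] in iface))
            print "wireless: " s " attaches to undefined network " wnet[s]
    }' "$1" "$2" | LC_ALL=C sort
}

# Constructed sample files with deliberate mistakes (names are made up).
lint_demo() {
    d=$(mktemp -d) || return 1
    cat > "$d/network" <<'EOF'
config device
        option name 'br-vlan1'
        list ports 'eth0'
config interface 'lan'
        option device 'br-vlan.1'
config interface 'lan2'
        option device 'wlan0'
EOF
    cat > "$d/wireless" <<'EOF'
config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'vlan1'
EOF
    uci_xref_lint "$d/network" "$d/wireless"
    rm -rf "$d"
}
lint_demo
```

A device such as br-lan.2 passes the check when a bridge named br-lan is defined, since only the part before the dot is looked up.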
