Still fighting Guest account on Dumb AP with VLAN

After working with several others, I still haven't come up with a fix on having a VLAN on a back-haul connection to a Dumb AP that will allow a good logon.

I worked with Marc (onemarcfifty) on this issue and it seemed to be another "driver" issue with Marvell. He suggested I contact Eduardo Perez here on the forum.

I did and Eduardo is certain this is not a Marvell Driver issue as he has multiple SSIDs running on VLAN connections on the same units as primary router, Dumb AP and Downstream AP. I'm just trying to bring up one. He suggested I post more information here and see if anyone could help.

I can log onto both the native wireless SSIDs (5 & 2.4GHz) which I have separated by name just for testing purposes. I'm trying to put the Guest account on the 2.4GHz radio but as soon as I put the Guest (calling it GuestTest for now) on radio 1 as the second SSID, I lose the ability to log on to the first SSID (OpenWRT). If I delete the Guest account, OpenWRT SSID works fine again. I am not using Radio 3 (3rd radio).

My primary router is pfSense and I'm pretty sure the VLAN is configured correctly there and in the switch as when I use DHCP on the Guest interface, it is getting an IP and it is from the correct network.

Network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        option ipv6 '0'
        option bridge_empty '1'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'wan'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.1.1'
        list dns '192.168.1.1'
        option ipaddr '192.168.1.6'
        option delegate '0'

config device
        option name 'wan'
        option ipv6 '0'

config device
        option name 'wlan1-1'
        option ipv6 '0'

config device
        option name 'wlan0'
        option ipv6 '0'

config device
        option name 'wlan1'
        option ipv6 '0'

config device
        option name 'eth0'
        option ipv6 '0'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '10'
        option name 'br-lan.10'
        option ipv6 '0'
        option macaddr '60:38:e0:BB:c6:68'

config interface 'GuestTest'
        option device 'br-lan.10'
        option proto 'dhcp'
        option delegate '0'

WIRELESS

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
        option band '5g'
        option htmode 'VHT80'
        option country 'US'
        option cell_density '0'
        option channel '44'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option dtim_period '3'
        option ieee80211r '1'
        option mobility_domain '123F'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option encryption 'psk2'
        option ssid 'OpenWRT5'
        option key ''
        option max_inactivity '14400'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
        option band '2g'
        option htmode 'HT20'
        option country 'US'
        option cell_density '0'
        option channel '10'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ieee80211r '1'
        option mobility_domain '123F'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option dtim_period '3'
        option encryption 'psk2'
        option ssid 'OpenWRT'
        option key ''
        option max_inactivity '14400'
        option disassoc_low_ack '0'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
        option channel '34'
        option band '5g'
        option htmode 'VHT80'
        option disabled '1'

config wifi-iface 'default_radio2'
        option device 'radio2'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option key ''
        option ssid 'GuestTest'
        option dtim_period '3'
        option encryption 'psk2'
        option network 'GuestTest'
        option disassoc_low_ack '0'

One concern I do have is that under devices, I see the Guest device (br-lan.10) and the Lan (br-lan) are on the same MAC address. Is this an issue?

I intend to use a static IP on the Guest interface, but putting it up as DHCP for now allows me to confirm the VLAN 10 coming from the upstream router and the managed switch config for the ports in use.
The Lan ports on the Dumb AP do get the PVID network 192.168.1.0.

GuestTest is on 172.16.10.0 network
Lan is on the 192.168.1.0 network


Generally speaking, you don't need the router to have an address on the guest network. Typically, this should be proto none / unmanaged.

If you do that, does your guest wifi work?

I'll give it a try.

No, unfortunately, it doesn't work. I see no packet increment on the Guest Interface and cannot log onto the Guest WiFi.
If you use "unmanaged" does the VLAN 10 tag bring in the alternative network?

Here is what I get from a failed Guest logon and a successful logon to the 5GHz radio:

Guest:

root@Testbed_OpenWrt:~# logread -f
Thu May 19 18:57:05 2022 daemon.notice hostapd: wlan1-1: AP-STA-DISCONNECTED 76:71:a2:88:98:13
Thu May 19 18:57:05 2022 kern.debug kernel: [13330.264009] ieee80211 phy1: staid 1 deleted
Thu May 19 18:57:05 2022 daemon.info hostapd: wlan1-1: STA 76:71:a2:88:98:13 IEEE 802.11: associated (aid 1)
Thu May 19 18:57:05 2022 daemon.notice hostapd: wlan1-1: AP-STA-CONNECTED 76:71:a2:88:98:13
Thu May 19 18:57:05 2022 daemon.info hostapd: wlan1-1: STA 76:71:a2:88:98:13 WPA: pairwise key handshake completed (RSN)
Thu May 19 18:57:07 2022 daemon.info hostapd: wlan1-1: STA 76:71:a2:88:98:13 IEEE 802.11: authenticated
Thu May 19 19:01:25 2022 daemon.notice hostapd: wlan1-1: AP-STA-DISCONNECTED 76:71:a2:88:98:13
Thu May 19 19:01:26 2022 daemon.info hostapd: wlan1-1: STA 76:71:a2:88:98:13 IEEE 802.11: disassociated
Thu May 19 19:01:26 2022 kern.debug kernel: [13591.290602] ieee80211 phy1: staid 1 deleted
Thu May 19 19:01:26 2022 daemon.info hostapd: wlan1-1: STA 76:71:a2:88:98:13 IEEE 802.11: disassociated
Thu May 19 19:01:27 2022 daemon.info hostapd: wlan1-1: STA 76:71:a2:88:98:13 IEEE 802.11: deauthenticated due to inactivity (timer DEAUTH/REMOVE)

OpenWRT5:

root@Testbed_OpenWrt:~# logread -f
Thu May 19 19:03:10 2022 daemon.info hostapd: wlan0: STA 52:6f:76:fd:73:27 IEEE 802.11: associated (aid 2)
Thu May 19 19:03:11 2022 daemon.notice hostapd: wlan0: AP-STA-CONNECTED 52:6f:76:fd:73:27
Thu May 19 19:03:11 2022 daemon.info hostapd: wlan0: STA 52:6f:76:fd:73:27 WPA: pairwise key handshake completed (RSN)
Thu May 19 19:03:15 2022 daemon.info hostapd: wlan0: STA 52:6f:76:fd:73:27 IEEE 802.11: authenticated

The radios should not be defined in the network file. All you need to do is define a bridge interface for the network itself, then connect the network to the radios in the wireless config file.

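
One way to check a dumb AP's config against the advice given so far in this thread (keep wlan devices out of the network file, back each SSID's network with a bridge device, leave the guest network unmanaged), as an added example that is not from any poster or from the OpenWrt project. The function name, the finding labels and the `wan.10` uplink port in the bridged variant are assumptions; both samples are constructed from the configs posted above.

```shell
#!/bin/sh
# Added example: lint OpenWrt UCI text against the advice given in this thread.
# Function name and finding labels are made up for this illustration.
lint_dumb_ap() {  # $1 network text, $2 wireless text, $3 management interface
    { printf '%s\n' "$1"; echo '@@wireless@@'; printf '%s\n' "$2"; } |
    awk -v q="'" -v mgmt="${3:-lan}" '
    function val(line,   v) {          # option value with quotes removed
        v = line
        sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", v)
        gsub(qre, "", v)
        return v
    }
    function endsec() {                # record the section that just ended
        if (file == "net" && stype == "device") {
            devtype[o["name"]] = o["type"]
            if (o["name"] ~ /^wlan/)   # radios do not belong in the network file
                print "WLAN_DEVICE_IN_NETWORK device=" o["name"]
        } else if (file == "net" && stype == "interface") {
            ifdev[sname] = o["device"]; ifproto[sname] = o["proto"]
        } else if (file == "wifi" && stype == "wifi-iface" && o["disabled"] != "1") {
            n++; ssid[n] = o["ssid"]; wnet[n] = o["network"]
        }
        stype = ""; split("", o)
    }
    BEGIN { file = "net"; qre = "^[\"" q "]|[\"" q "]$" }
    $1 == "@@wireless@@" { endsec(); file = "wifi"; next }
    $1 == "config" { endsec(); stype = $2; sname = $3; gsub(qre, "", sname); next }
    $1 == "option" { o[$2] = val($0) }
    END {
        endsec()
        for (i = 1; i <= n; i++) {
            net = wnet[i]
            if (!(net in ifdev)) {
                print "NO_INTERFACE ssid=" ssid[i] " network=" net
                continue
            }
            dev = ifdev[net]
            if (devtype[dev] != "bridge")      # the SSID network should sit on a bridge
                print "NOT_A_BRIDGE ssid=" ssid[i] " network=" net " device=" dev " type=" devtype[dev]
            if (net != mgmt && ifproto[net] != "none")   # guest side should be unmanaged
                print "AP_HAS_ADDRESS network=" net " proto=" ifproto[net]
        }
    }'
}

# Constructed sample, trimmed from the network and wireless configs posted above.
SAMPLE_NETWORK="config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'

config device
        option name 'wlan1-1'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '10'
        option name 'br-lan.10'

config interface 'GuestTest'
        option device 'br-lan.10'
        option proto 'dhcp'"
SAMPLE_WIRELESS="config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option ssid 'OpenWRT'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option ssid 'GuestTest'
        option network 'GuestTest'"
# Hypothetical variant that follows the advice: guest network on its own bridge,
# unmanaged. The uplink port name (wan, tagged VLAN 10) is an assumption.
SAMPLE_NETWORK_BRIDGED="config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'

config device
        option name 'br-guest'
        option type 'bridge'
        list ports 'wan.10'

config interface 'GuestTest'
        option device 'br-guest'
        option proto 'none'"

lint_dumb_ap "$SAMPLE_NETWORK" "$SAMPLE_WIRELESS"
```

On the sample it reports the `wlan1-1` device section, the `GuestTest` network sitting on the 8021q device `br-lan.10` rather than a bridge, and its `dhcp` proto. The bridged variant produces no findings, which shows only that it matches the advice, not that it resolves the connection problem discussed here.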

Logs and configs are much easier to read when you post them using preformatted text...by using the icon highlighted in red -



Can you explain that in more detail? I just am not getting some concept.

Delete the sections I called out in my previous response. They shouldn't be included in that network file.


So I have removed those items you called out... I understood that, I know I caused it by unchecking "Enable IPv6" on the device. Thank you, I have corrected it. I just didn't or don't see the impact of that on the problem with multiple SSIDs. Which I still have.

  • If I only run with one SSID on each of the two wireless radios (5 & 2.4GHz), all is well.

  • When I add a second SSID to the 2.4Ghz radio (radio 1) any connection to the original SSID then returns an "unable to connect to OpenWRT".

  • If I attempt a logon to the Guest account with the wrong password (intentionally) I get a response indicating a bad password

  • If I attempt a logon to the Guest account with the right password, it just sits, no error, never fully connects.

  • If I delete the Guest account, and attempt a logon to the native SSID, it works again.

  • This is the scenario I get whether the Guest Interface has a static IP on the network I am trying to use it on, a DHCP address from that network, or unmanaged.

I worked on this with OneMarcFifty and we got to a point monitoring logread that suggested (not confirmed) this was a Marvell driver problem. Eduardo Perez says this is not a driver issue as he is running up to 5 SSIDs on one radio. I'm obviously doing something wrong, I'd just like to find out what it is.
I'm still a newb on this platform so I do have some learning to do in cross connecting the config files to LuCI.
I guess it would help to see a config that is working, or LuCI screen shots of it.

Thanks, P

If I need to post anything else, please don't hesitate to ask.

SSH in to the router and run cat /etc/config/wireless.

Redact the passwords in the option key sections.

Post the results in preformatted text, by using the icon highlighted in red...


This is a decent video on setting up guest/IoT networks.

You might recheck your steps with that.

I'm not a VLAN person, but this is what I do...

Each guest is on its own subnet.

Example -

Guest1      192.168.2.1

Guest2      192.168.3.1

The Zones are set as follows -

Guest1 ==> wan    Input - Drop   Output - Accept   Forward - Drop

Guest2 ==> wan    Input - Drop   Output - Accept   Forward - Drop

Each has their own DHCP and DNS traffic rules.

Each guest wireless interface is set to Isolate clients, so that clients can't talk to each other on the same subnet.

The Zone rules prevent guests from talking to each other on different subnets, and with the main network.

For testing you could create multiple APs with different SSIDs, all of them in the default lan bridge. This has little practical application other than showing that the wifi driver can handle it. But that's an important thing to find out.

Besides that, it would be best to reset to defaults and start over here.

Always set your country code-- on each radio-- for best wifi results.


Thanks, Jim.
Here you go. I don't do any rules, DNS or DHCP on these WAPs. They are just Dumb APs on a back haul. My main router is pfSense so all the network, VLAN, DHCP and DNS comes from pfSense. I was using DHCP as the protocol on the Guest interface so I could at least verify that the VLAN 10 did travel to the WAP and it was picking up the prescribed network and an IP address from pfSense. The primary network on the back haul is 192.168.1.0 and VLAN 10 brings in 172.16.10.0. That seems to be working as the Guest interface picks up an IP on the 172 network and I see packet increment. Marc brought up the "Isolate clients" but I was going to hold that until I had the guest account running correctly.

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
        option band '5g'
        option htmode 'VHT80'
        option country 'US'
        option cell_density '0'
        option channel '44'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option dtim_period '3'
        option ieee80211r '1'
        option mobility_domain '123F'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option encryption 'psk2'
        option ssid 'OpenWRT5'
        option key 'xxxxxxxx'
        option max_inactivity '14400'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
        option band '2g'
        option htmode 'HT20'
        option country 'US'
        option cell_density '0'
        option channel '10'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ieee80211r '1'
        option mobility_domain '123F'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option dtim_period '3'
        option encryption 'psk2'
        option ssid 'OpenWRT'
        option key 'xxxxxxxx'
        option max_inactivity '14400'
        option disassoc_low_ack '0'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
        option channel '34'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'
        option disabled '1'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option key 'Daisy2000'
        option ssid 'xxxxxxxx'
        option dtim_period '3'
        option encryption 'psk2'
        option network 'GuestTest'
        option disassoc_low_ack '0'

config wifi-iface 'wifinet4'
        option device 'radio2'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'
        option disabled '1'

At 80 MHz channel width, channel 44 overlaps with 6 other channels.

Thanks Mike, This is just a test rig. I have 4 others working minus the guest network. So this one gets reset/rebuilt often. I'm waiting on a response from Marc then I'll reset and give the multiple SSIDs on the default bridge a run. Others have recommended setting the country code, and I have. But reading an older post on multiple SSIDs on a WRT3200acm, Eduardo had recommended not setting them. I've been scratching my head?

So do you have a recommendation on what it should be? This is on the 5GHz channel and I pretty much leave it alone (defaults) with just one SSID. I'm doing all the Guest work on the 2.4GHz radio as I'm more concerned with range than speed.

I would try 40, then 20.

I would do a plain-vanilla guest setup...no VLANs.

I use the US country code, and have no issues.

Use one of the non-overlapping 2.4 channels = 1, 6, or 11.

You will likely have a lower limit on 2.4 on the number of SSIDs you can have.

Run iw list and post.

See the valid interface combinations section for each radio.

I have a maximum of 8 on 2.4 on my device.

Example:

valid interface combinations:
#{ managed } <= 2048, #{ AP, mesh point } <= 8, #{ P2P-client, P2P-GO } <= 1, #{ IBSS } <= 1,

If you have any AP's or mesh points, they count against the total.

Same deal on 5.

Thanks for catching the option channel '10'. I fat fingered that on the number pad. It should be 11 and is now.
I have a large (long) house spread out across a mountain side. For my "production" WAPs, I use 1, 6 and 11. I repeat the 6 up at my pool house (higher up the mountain) as they are the two farthest points... this test machine is under the house in my TE closet, so it's shielded from other radios.

root@Testbed_OpenWrt:/etc/config# iw list

Wiphy phy2
        wiphy index: 2
        max # scan SSIDs: 10
        max scan IEs length: 256 bytes
        max # sched scan SSIDs: 10
        max # match sets: 10
        Fragmentation threshold: 2346
        RTS threshold: 2347
        Retry short limit: 9
        Retry long limit: 4
        Coverage class: 0 (up to 0m)
        Device supports AP-side u-APSD.
        Device supports T-DLS.
        Available Antennas: TX 0x1 RX 0x1
        Configured Antennas: TX 0x1 RX 0x1
        Supported interface modes:
                 * managed
                 * AP
                 * P2P-client
                 * P2P-GO
        Band 1:
                Capabilities: 0x17f
                        RX LDPC
                        HT20/HT40
                        SM Power Save disabled
                        RX Greenfield
                        RX HT20 SGI
                        RX HT40 SGI
                        RX STBC 1-stream
                        Max AMSDU length: 3839 bytes
                        No DSSS/CCK HT40
                Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
                Minimum RX AMPDU time spacing: No restriction (0x00)
                HT TX/RX MCS rate indexes supported: 0-7, 32
                VHT Capabilities (0x33c07130):
                        Max MPDU length: 3895
                        Supported Channel Width: neither 160 nor 80+80
                        RX LDPC
                        short GI (80 MHz)
                        SU Beamformee
                        +HTC-VHT
                        RX antenna pattern consistency
                        TX antenna pattern consistency
                VHT RX MCS set:
                        1 streams: MCS 0-9
                        2 streams: not supported
                        3 streams: not supported
                        4 streams: not supported
                        5 streams: not supported
                        6 streams: not supported
                        7 streams: not supported
                        8 streams: not supported
                VHT RX highest supported: 0 Mbps
                VHT TX MCS set:
                        1 streams: MCS 0-9
                        2 streams: not supported
                        3 streams: not supported
                        4 streams: not supported
                        5 streams: not supported
                        6 streams: not supported
                        7 streams: not supported
                        8 streams: not supported
                VHT TX highest supported: 0 Mbps
                Frequencies:
                        * 2412 MHz [1] (30.0 dBm)
                        * 2417 MHz [2] (30.0 dBm)
                        * 2422 MHz [3] (30.0 dBm)
                        * 2427 MHz [4] (30.0 dBm)
                        * 2432 MHz [5] (30.0 dBm)
                        * 2437 MHz [6] (30.0 dBm)
                        * 2442 MHz [7] (30.0 dBm)
                        * 2447 MHz [8] (30.0 dBm)
                        * 2452 MHz [9] (30.0 dBm)
                        * 2457 MHz [10] (30.0 dBm)
                        * 2462 MHz [11] (30.0 dBm)
                        * 2467 MHz [12] (disabled)
                        * 2472 MHz [13] (disabled)
                        * 2484 MHz [14] (disabled)
        Band 2:
                Capabilities: 0x17f
                        RX LDPC
                        HT20/HT40
                        SM Power Save disabled
                        RX Greenfield
                        RX HT20 SGI
                        RX HT40 SGI
                        RX STBC 1-stream
                        Max AMSDU length: 3839 bytes
                        No DSSS/CCK HT40
                Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
                Minimum RX AMPDU time spacing: No restriction (0x00)
                HT TX/RX MCS rate indexes supported: 0-7, 32
                VHT Capabilities (0x33c07130):
                        Max MPDU length: 3895
                        Supported Channel Width: neither 160 nor 80+80
                        RX LDPC
                        short GI (80 MHz)
                        SU Beamformee
                        +HTC-VHT
                        RX antenna pattern consistency
                        TX antenna pattern consistency
                VHT RX MCS set:
                        1 streams: MCS 0-9
                        2 streams: not supported
                        3 streams: not supported
                        4 streams: not supported
                        5 streams: not supported
                        6 streams: not supported
                        7 streams: not supported
                        8 streams: not supported
                VHT RX highest supported: 0 Mbps
                VHT TX MCS set:
                        1 streams: MCS 0-9
                        2 streams: not supported
                        3 streams: not supported
                        4 streams: not supported
                        5 streams: not supported
                        6 streams: not supported
                        7 streams: not supported
                        8 streams: not supported
                VHT TX highest supported: 0 Mbps
                Frequencies:
                        * 5040 MHz [8] (disabled)
                        * 5060 MHz [12] (disabled)
                        * 5080 MHz [16] (disabled)
                        * 5170 MHz [34] (23.0 dBm)
                        * 5190 MHz [38] (23.0 dBm)
                        * 5210 MHz [42] (23.0 dBm)
                        * 5230 MHz [46] (23.0 dBm)
                        * 5180 MHz [36] (23.0 dBm)
                        * 5200 MHz [40] (23.0 dBm)
                        * 5220 MHz [44] (23.0 dBm)
                        * 5240 MHz [48] (23.0 dBm)
                        * 5260 MHz [52] (23.0 dBm) (no IR, radar detection)
                        * 5280 MHz [56] (23.0 dBm) (no IR, radar detection)
                        * 5300 MHz [60] (23.0 dBm) (no IR, radar detection)
                        * 5320 MHz [64] (23.0 dBm) (no IR, radar detection)
                        * 5500 MHz [100] (23.0 dBm) (no IR, radar detection)
                        * 5520 MHz [104] (23.0 dBm) (no IR, radar detection)
                        * 5540 MHz [108] (23.0 dBm) (no IR, radar detection)
                        * 5560 MHz [112] (23.0 dBm) (no IR, radar detection)
                        * 5580 MHz [116] (23.0 dBm) (no IR, radar detection)
                        * 5600 MHz [120] (23.0 dBm) (no IR, radar detection)
                        * 5620 MHz [124] (23.0 dBm) (no IR, radar detection)
                        * 5640 MHz [128] (23.0 dBm) (no IR, radar detection)
                        * 5660 MHz [132] (23.0 dBm) (no IR, radar detection)
                        * 5680 MHz [136] (23.0 dBm) (no IR, radar detection)
                        * 5700 MHz [140] (23.0 dBm) (no IR, radar detection)
                        * 5745 MHz [149] (30.0 dBm)
                        * 5765 MHz [153] (30.0 dBm)
                        * 5785 MHz [157] (30.0 dBm)
                        * 5805 MHz [161] (30.0 dBm)
                        * 5825 MHz [165] (30.0 dBm)
        valid interface combinations:
                 * #{ managed, AP, P2P-client, P2P-GO } <= 3,
                   total <= 3, #channels <= 1, STA/AP BI must match, radar detect widths: { 20 MHz (no HT), 20 MHz, 40 MHz, 80 MHz }

        max # scan plans: 1
        max scan plan interval: -1
        max scan plan iterations: 0
        Coalesce support:
                 * Maximum 8 coalesce rules supported
                 * Each rule contains upto 4 patterns of 1-40 bytes,
                   maximum packet offset 100 bytes
                 * Maximum supported coalescing delay 100 msecs
        Supported extended features:
Wiphy phy1
        wiphy index: 1
        max # scan SSIDs: 4
        max scan IEs length: 2242 bytes
        max # sched scan SSIDs: 0
        max # match sets: 0
        Retry short limit: 7
        Retry long limit: 4
        Coverage class: 0 (up to 0m)
        Device supports AP-side u-APSD.
        Device supports T-DLS.
        Available Antennas: TX 0 RX 0
        Supported interface modes:
                 * managed
                 * AP
                 * AP/VLAN
                 * monitor
                 * mesh point
        Band 1:
                Capabilities: 0x186f
                        RX LDPC
                        HT20/HT40
                        SM Power Save disabled
                        RX HT20 SGI
                        RX HT40 SGI
                        No RX STBC
                        Max AMSDU length: 7935 bytes
                        DSSS/CCK HT40
                Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
                Minimum RX AMPDU time spacing: 4 usec (0x05)
                HT TX/RX MCS rate indexes supported: 0-23, 32
                VHT Capabilities (0x339b7976):
                        Max MPDU length: 11454
                        Supported Channel Width: 160 MHz
                        RX LDPC
                        short GI (80 MHz)
                        short GI (160/80+80 MHz)
                        SU Beamformer
                        SU Beamformee
                        MU Beamformer
                        MU Beamformee
                        RX antenna pattern consistency
                        TX antenna pattern consistency
                VHT RX MCS set:
                        1 streams: MCS 0-9
                        2 streams: MCS 0-9
                        3 streams: MCS 0-9
                        4 streams: not supported
                        5 streams: not supported
                        6 streams: not supported
                        7 streams: not supported
                        8 streams: not supported
                VHT RX highest supported: 0 Mbps
                VHT TX MCS set:
                        1 streams: MCS 0-9
                        2 streams: MCS 0-9
                        3 streams: MCS 0-9
                        4 streams: not supported
                        5 streams: not supported
                        6 streams: not supported
                        7 streams: not supported
                        8 streams: not supported
                VHT TX highest supported: 0 Mbps
                Frequencies:
                        * 2412 MHz [1] (30.0 dBm)
                        * 2417 MHz [2] (30.0 dBm)
                        * 2422 MHz [3] (30.0 dBm)
                        * 2427 MHz [4] (30.0 dBm)
                        * 2432 MHz [5] (30.0 dBm)
                        * 2437 MHz [6] (30.0 dBm)
                        * 2442 MHz [7] (30.0 dBm)
                        * 2447 MHz [8] (30.0 dBm)
                        * 2452 MHz [9] (30.0 dBm)
                        * 2457 MHz [10] (30.0 dBm)
                        * 2462 MHz [11] (30.0 dBm)
                        * 2467 MHz [12] (disabled)
                        * 2472 MHz [13] (disabled)
                        * 2484 MHz [14] (disabled)
        valid interface combinations:
                 * #{ AP } <= 16, #{ mesh point } <= 1, #{ managed } <= 1,
                   total <= 16, #channels <= 1, radar detect widths: { 20 MHz (no HT), 20 MHz, 40 MHz, 80 MHz, 160 MHz }

        HT Capability overrides:
                 * MCS: ff ff ff ff ff ff ff ff ff ff
                 * maximum A-MSDU length
                 * supported channel width
                 * short GI for 40 MHz
                 * max A-MPDU length exponent
                 * min MPDU start spacing
        max # scan plans: 1
        max scan plan interval: -1
        max scan plan iterations: 0
        Supported extended features:
                * [ RRM ]: RRM
                * [ CONTROL_PORT_OVER_NL80211 ]: control port over nl80211
                * [ SCAN_RANDOM_SN ]: use random sequence numbers in scans
                * [ SCAN_MIN_PREQ_CONTENT ]: use probe request with only rate IEs in scans
                * [ CONTROL_PORT_NO_PREAUTH ]: disable pre-auth over nl80211 control port support
                * [ SCAN_FREQ_KHZ ]: scan on kHz frequency support
                * [ CONTROL_PORT_OVER_NL80211_TX_STATUS ]: tx status for nl80211 control port support
Wiphy phy0
        wiphy index: 0
        max # scan SSIDs: 4
        max scan IEs length: 2247 bytes
        max # sched scan SSIDs: 0
        max # match sets: 0
        Retry short limit: 7
        Retry long limit: 4
        Coverage class: 0 (up to 0m)
        Device supports AP-side u-APSD.
        Device supports T-DLS.
        Available Antennas: TX 0 RX 0
        Supported interface modes:
                 * managed
                 * AP
                 * AP/VLAN
                 * monitor
                 * mesh point
        Band 2:
                Capabilities: 0x186f
                        RX LDPC
                        HT20/HT40
                        SM Power Save disabled
                        RX HT20 SGI
                        RX HT40 SGI
                        No RX STBC
                        Max AMSDU length: 7935 bytes
                        DSSS/CCK HT40
                Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
                Minimum RX AMPDU time spacing: 4 usec (0x05)
                HT TX/RX MCS rate indexes supported: 0-23, 32
                VHT Capabilities (0x339b7976):
                        Max MPDU length: 11454
                        Supported Channel Width: 160 MHz
                        RX LDPC
                        short GI (80 MHz)
                        short GI (160/80+80 MHz)
                        SU Beamformer
                        SU Beamformee
                        MU Beamformer
                        MU Beamformee
                        RX antenna pattern consistency
                        TX antenna pattern consistency
                VHT RX MCS set:
                        1 streams: MCS 0-9
                        2 streams: MCS 0-9
                        3 streams: MCS 0-9
                        4 streams: not supported
                        5 streams: not supported
                        6 streams: not supported
                        7 streams: not supported
                        8 streams: not supported
                VHT RX highest supported: 0 Mbps
                VHT TX MCS set:
                        1 streams: MCS 0-9
                        2 streams: MCS 0-9
                        3 streams: MCS 0-9
                        4 streams: not supported
                        5 streams: not supported
                        6 streams: not supported
                        7 streams: not supported
                        8 streams: not supported
                VHT TX highest supported: 0 Mbps
                Frequencies:
                        * 5180 MHz [36] (23.0 dBm)
                        * 5200 MHz [40] (23.0 dBm)
                        * 5220 MHz [44] (23.0 dBm)
                        * 5240 MHz [48] (23.0 dBm)
                        * 5260 MHz [52] (23.0 dBm) (radar detection)
                        * 5280 MHz [56] (23.0 dBm) (radar detection)
                        * 5300 MHz [60] (23.0 dBm) (radar detection)
                        * 5320 MHz [64] (23.0 dBm) (radar detection)
                        * 5500 MHz [100] (23.0 dBm) (radar detection)
                        * 5520 MHz [104] (23.0 dBm) (radar detection)
                        * 5540 MHz [108] (23.0 dBm) (radar detection)
                        * 5560 MHz [112] (23.0 dBm) (radar detection)
                        * 5580 MHz [116] (23.0 dBm) (radar detection)
                        * 5600 MHz [120] (23.0 dBm) (radar detection)
                        * 5620 MHz [124] (23.0 dBm) (radar detection)
                        * 5640 MHz [128] (23.0 dBm) (radar detection)
                        * 5660 MHz [132] (23.0 dBm) (radar detection)
                        * 5680 MHz [136] (23.0 dBm) (radar detection)
                        * 5700 MHz [140] (23.0 dBm) (radar detection)
                        * 5720 MHz [144] (23.0 dBm) (radar detection)
                        * 5745 MHz [149] (30.0 dBm)
                        * 5765 MHz [153] (30.0 dBm)
                        * 5785 MHz [157] (30.0 dBm)
                        * 5805 MHz [161] (30.0 dBm)
        valid interface combinations:
                 * #{ AP } <= 16, #{ mesh point } <= 1, #{ managed } <= 1,
                   total <= 16, #channels <= 1, radar detect widths: { 20 MHz (no HT), 20 MHz, 40 MHz, 80 MHz, 160 MHz }

        HT Capability overrides:
                 * MCS: ff ff ff ff ff ff ff ff ff ff
                 * maximum A-MSDU length
                 * supported channel width
                 * short GI for 40 MHz
                 * max A-MPDU length exponent
                 * min MPDU start spacing
        max # scan plans: 1
        max scan plan interval: -1
        max scan plan iterations: 0
        Supported extended features:
                * [ RRM ]: RRM
                * [ CONTROL_PORT_OVER_NL80211 ]: control port over nl80211
                * [ SCAN_RANDOM_SN ]: use random sequence numbers in scans
                * [ SCAN_MIN_PREQ_CONTENT ]: use probe request with only rate IEs in scans
                * [ CONTROL_PORT_NO_PREAUTH ]: disable pre-auth over nl80211 control port support
                * [ SCAN_FREQ_KHZ ]: scan on kHz frequency support
                * [ CONTROL_PORT_OVER_NL80211_TX_STATUS ]: tx status for nl80211 control port support

Mike, I did go back through my progress notes and I had tried that early on... but before I had a known working VLAN path. So I repeated that test as I think you made a great point.

With both the native SSID and my Guest SSID on the br-lan network, Guest logon is fast and complete. So the driver does handle multiple SSIDs on the same network, but is it the driver or the network causing issues with the multiple SSIDs on separate networks?
Hopefully some better minds (than mine) here can help me wring this thing out.

Side note: I was in a local thrift store yesterday and was able to pick up a Netgear R7800 on the cheap (people speak highly of them here). I was hoping to do a parallel build and see if it worked... Sadly, the R7800 does not yet have DSA in 21.02.3, so it's apples and oranges.

Hey Richard, you've been tasked with a full plate of troubleshooting and I was wondering if some side reading might give you some insights.

Disclaimer: I don't use the wifi in OpenWrt as it is handled by (Fresh)Tomato. But the concept is the same, for "Roaming".