Still fighting Guest account on Dumb AP with VLAN

SSH in to the router and run cat /etc/config/wireless.

Redact the passwords in the option key sections.

Post the results in preformatted text, by using the icon highlighted in red...


This is a decent video on setting up guest/IoT networks.

You might recheck your steps with that.

I'm not a VLAN person, but this is what I do...

Each guest is on its own subnet.

Example -

Guest1      192.168.2.1

Guest2      192.168.3.1

The Zones are set as follows -

Guest1 ==> wan    Input - Drop   Output - Accept   Forward - Drop

Guest2 ==> wan    Input - Drop   Output - Accept   Forward - Drop

Each has their own DHCP and DNS traffic rules.

Each guest wireless interface is set to Isolate clients, so that clients can't talk to each other on the same subnet.

The zone rules prevent guests from talking to each other on different subnets, and with the main network.

For testing you could create multiple APs with different SSIDs, all of them in the default lan bridge. This has little practical application other than showing that the wifi driver can handle it. But that's an important thing to find out.

Besides that, it would be best to reset to defaults and start over here.

Always set your country code-- on each radio-- for best wifi results.


Thanks, Jim.
Here you go. I don't do any rules, DNS or DHCP on these WAPs. They are just Dumb APs on a back haul. My main router is pfSense so all the network, VLAN, DHCP and DNS comes from pfSense. I was using DHCP as the protocol on the Guest interface so I could at least verify that the VLAN 10 did travel to the WAP and it was picking up the prescribed network and an IP address from pfSense. The primary network on the back haul is 192.168.1.0 and VLAN 10 brings in 172.16.10.0. That seems to be working as the Guest interface picks up an IP on the 172 network and I see packet increment. Marc brought up the "Isolate clients" but I was going to hold that until I had the guest account running correctly.

config wifi-device 'radio0'
        option type 'mac80211'
        option path 'soc/soc:pcie/pci0000:00/0000:00:01.0/0000:01:00.0'
        option band '5g'
        option htmode 'VHT80'
        option country 'US'
        option cell_density '0'
        option channel '44'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option dtim_period '3'
        option ieee80211r '1'
        option mobility_domain '123F'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option encryption 'psk2'
        option ssid 'OpenWRT5'
        option key 'xxxxxxxx'
        option max_inactivity '14400'

config wifi-device 'radio1'
        option type 'mac80211'
        option path 'soc/soc:pcie/pci0000:00/0000:00:02.0/0000:02:00.0'
        option band '2g'
        option htmode 'HT20'
        option country 'US'
        option cell_density '0'
        option channel '10'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ieee80211r '1'
        option mobility_domain '123F'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option dtim_period '3'
        option encryption 'psk2'
        option ssid 'OpenWRT'
        option key 'xxxxxxxx'
        option max_inactivity '14400'
        option disassoc_low_ack '0'

config wifi-device 'radio2'
        option type 'mac80211'
        option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
        option channel '34'
        option band '5g'
        option htmode 'VHT80'
        option cell_density '0'
        option disabled '1'

config wifi-iface 'wifinet3'
        option device 'radio1'
        option mode 'ap'
        option key 'Daisy2000'
        option ssid 'xxxxxxxx'
        option dtim_period '3'
        option encryption 'psk2'
        option network 'GuestTest'
        option disassoc_low_ack '0'

config wifi-iface 'wifinet4'
        option device 'radio2'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'
        option disabled '1'
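
Masking `option key` values by hand, as requested earlier in the thread, is easy to get wrong when a config has several `wifi-iface` sections. The script below is an added example, not something posted by a participant: it redacts secrets mechanically and also checks hand-redacted text for keys left in cleartext. The list of secret option names and the sample config are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): scrub secrets from an OpenWrt
# wireless config before pasting it into a public post.

# Option names treated as secret. Assumption: this list covers PSK, SAE,
# WEP and RADIUS/EAP secrets; extend it for anything else you use.
SECRET_OPTS='key|key[1-4]|sae_password|auth_secret|acct_secret|password|priv_key_pwd'

# redact_wireless [FILE]: print the config with every secret value replaced.
# With no FILE it reads stdin, e.g.  redact_wireless /etc/config/wireless
redact_wireless() {
    sed -E "s/^([[:space:]]*option[[:space:]]+($SECRET_OPTS)[[:space:]]+).*\$/\\1'REDACTED'/" "$@"
}

# unredacted_secrets [FILE]: list "line:text" for secret options whose value
# is not an obvious placeholder (REDACTED, or only x/X/* characters).
# Exit status 0 means at least one cleartext secret was found.
unredacted_secrets() {
    grep -nE "^[[:space:]]*option[[:space:]]+($SECRET_OPTS)[[:space:]]" "$@" |
        grep -vE "[[:space:]]'?(REDACTED|[xX*]+)'?[[:space:]]*\$"
}

# Constructed sample: one section is masked correctly, in the other the
# SSID was masked by hand and the key was missed.
sample_config() {
    cat <<'EOF'
config wifi-iface 'main'
        option device 'radio0'
        option ssid 'ExampleNet'
        option encryption 'psk2'
        option key 'xxxxxxxx'

config wifi-iface 'guest'
        option device 'radio1'
        option ssid 'xxxxxxxx'
        option encryption 'psk2'
        option key 'Constructed-Passphrase-1'
EOF
}

echo "== cleartext secrets still present in the hand-redacted text =="
sample_config | unredacted_secrets || echo "none"
echo "== safe to post =="
sample_config | redact_wireless
```

A passphrase that has already been posted in cleartext should be rotated on the AP; editing the post afterwards does not un-publish it.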

At 80 MHz channel width, channel 44 overlaps with 6 other channels.

Thanks Mike, This is just a test rig. I have 4 others working minus the guest network. So this one gets reset/rebuilt often. I'm waiting on a response from Marc then I'll reset and give the multiple SSIDs on the default bridge a run. Others have recommended setting the country code, and I have. But reading an older post on multiple SSIDs on a WRT3200acm, Eduardo had recommended not setting them. I've been scratching my head?

So do you have a recommendation on what it should be? This is on the 5GHz channel and I pretty much leave it alone (defaults) with just one SSID. I'm doing all the Guest work on the 2.4GHz radio as I'm more concerned with range than speed.

I would try 40, then 20.

I would do a plain-vanilla guest setup...no VLANs.

I use the US country code, and have no issues.

Use one of the non-overlapping 2.4 channels = 1, 6, or 11.

You will likely have a lower limit on 2.4 on the number of SSIDs you can have.

Run iw list and post.

See the valid interface combinations section for each radio.

I have a maximum of 8 on 2.4 on my device.

Example:

valid interface combinations:
#{ managed } <= 2048, #{ AP, mesh point } <= 8, #{ P2P-client, P2P-GO } <= 1, #{ IBSS } <= 1,

If you have any APs or mesh points, they count against the total.

Same deal on 5.

Thanks for catching the option channel '10'. I fat fingered that on the number pad. It should be 11 and is now.
I have a large (long) house spread out across a mountain side. For my "production" WAPs, I use 1, 6 and 11. I repeat the 6 up at my pool house (higher up the mountain) as they are the two farthest points... this test machine is under the house in my TE closet, so it's shielded from other radios.

root@Testbed_OpenWrt:/etc/config# iw list

Wiphy phy2
        wiphy index: 2
        max # scan SSIDs: 10
        max scan IEs length: 256 bytes
        max # sched scan SSIDs: 10
        max # match sets: 10
        Fragmentation threshold: 2346
        RTS threshold: 2347
        Retry short limit: 9
        Retry long limit: 4
        Coverage class: 0 (up to 0m)
        Device supports AP-side u-APSD.
        Device supports T-DLS.
        Available Antennas: TX 0x1 RX 0x1
        Configured Antennas: TX 0x1 RX 0x1
        Supported interface modes:
                 * managed
                 * AP
                 * P2P-client
                 * P2P-GO
        Band 1:
                Capabilities: 0x17f
                        RX LDPC
                        HT20/HT40
                        SM Power Save disabled
                        RX Greenfield
                        RX HT20 SGI
                        RX HT40 SGI
                        RX STBC 1-stream
                        Max AMSDU length: 3839 bytes
                        No DSSS/CCK HT40
                Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
                Minimum RX AMPDU time spacing: No restriction (0x00)
                HT TX/RX MCS rate indexes supported: 0-7, 32
                VHT Capabilities (0x33c07130):
                        Max MPDU length: 3895
                        Supported Channel Width: neither 160 nor 80+80
                        RX LDPC
                        short GI (80 MHz)
                        SU Beamformee
                        +HTC-VHT
                        RX antenna pattern consistency
                        TX antenna pattern consistency
                VHT RX MCS set:
                        1 streams: MCS 0-9
                        2 streams: not supported
                        3 streams: not supported
                        4 streams: not supported
                        5 streams: not supported
                        6 streams: not supported
                        7 streams: not supported
                        8 streams: not supported
                VHT RX highest supported: 0 Mbps
                VHT TX MCS set:
                        1 streams: MCS 0-9
                        2 streams: not supported
                        3 streams: not supported
                        4 streams: not supported
                        5 streams: not supported
                        6 streams: not supported
                        7 streams: not supported
                        8 streams: not supported
                VHT TX highest supported: 0 Mbps
                Frequencies:
                        * 2412 MHz [1] (30.0 dBm)
                        * 2417 MHz [2] (30.0 dBm)
                        * 2422 MHz [3] (30.0 dBm)
                        * 2427 MHz [4] (30.0 dBm)
                        * 2432 MHz [5] (30.0 dBm)
                        * 2437 MHz [6] (30.0 dBm)
                        * 2442 MHz [7] (30.0 dBm)
                        * 2447 MHz [8] (30.0 dBm)
                        * 2452 MHz [9] (30.0 dBm)
                        * 2457 MHz [10] (30.0 dBm)
                        * 2462 MHz [11] (30.0 dBm)
                        * 2467 MHz [12] (disabled)
                        * 2472 MHz [13] (disabled)
                        * 2484 MHz [14] (disabled)
        Band 2:
                Capabilities: 0x17f
                        RX LDPC
                        HT20/HT40
                        SM Power Save disabled
                        RX Greenfield
                        RX HT20 SGI
                        RX HT40 SGI
                        RX STBC 1-stream
                        Max AMSDU length: 3839 bytes
                        No DSSS/CCK HT40
                Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
                Minimum RX AMPDU time spacing: No restriction (0x00)
                HT TX/RX MCS rate indexes supported: 0-7, 32
                VHT Capabilities (0x33c07130):
                        Max MPDU length: 3895
                        Supported Channel Width: neither 160 nor 80+80
                        RX LDPC
                        short GI (80 MHz)
                        SU Beamformee
                        +HTC-VHT
                        RX antenna pattern consistency
                        TX antenna pattern consistency
                VHT RX MCS set:
                        1 streams: MCS 0-9
                        2 streams: not supported
                        3 streams: not supported
                        4 streams: not supported
                        5 streams: not supported
                        6 streams: not supported
                        7 streams: not supported
                        8 streams: not supported
                VHT RX highest supported: 0 Mbps
                VHT TX MCS set:
                        1 streams: MCS 0-9
                        2 streams: not supported
                        3 streams: not supported
                        4 streams: not supported
                        5 streams: not supported
                        6 streams: not supported
                        7 streams: not supported
                        8 streams: not supported
                VHT TX highest supported: 0 Mbps
                Frequencies:
                        * 5040 MHz [8] (disabled)
                        * 5060 MHz [12] (disabled)
                        * 5080 MHz [16] (disabled)
                        * 5170 MHz [34] (23.0 dBm)
                        * 5190 MHz [38] (23.0 dBm)
                        * 5210 MHz [42] (23.0 dBm)
                        * 5230 MHz [46] (23.0 dBm)
                        * 5180 MHz [36] (23.0 dBm)
                        * 5200 MHz [40] (23.0 dBm)
                        * 5220 MHz [44] (23.0 dBm)
                        * 5240 MHz [48] (23.0 dBm)
                        * 5260 MHz [52] (23.0 dBm) (no IR, radar detection)
                        * 5280 MHz [56] (23.0 dBm) (no IR, radar detection)
                        * 5300 MHz [60] (23.0 dBm) (no IR, radar detection)
                        * 5320 MHz [64] (23.0 dBm) (no IR, radar detection)
                        * 5500 MHz [100] (23.0 dBm) (no IR, radar detection)
                        * 5520 MHz [104] (23.0 dBm) (no IR, radar detection)
                        * 5540 MHz [108] (23.0 dBm) (no IR, radar detection)
                        * 5560 MHz [112] (23.0 dBm) (no IR, radar detection)
                        * 5580 MHz [116] (23.0 dBm) (no IR, radar detection)
                        * 5600 MHz [120] (23.0 dBm) (no IR, radar detection)
                        * 5620 MHz [124] (23.0 dBm) (no IR, radar detection)
                        * 5640 MHz [128] (23.0 dBm) (no IR, radar detection)
                        * 5660 MHz [132] (23.0 dBm) (no IR, radar detection)
                        * 5680 MHz [136] (23.0 dBm) (no IR, radar detection)
                        * 5700 MHz [140] (23.0 dBm) (no IR, radar detection)
                        * 5745 MHz [149] (30.0 dBm)
                        * 5765 MHz [153] (30.0 dBm)
                        * 5785 MHz [157] (30.0 dBm)
                        * 5805 MHz [161] (30.0 dBm)
                        * 5825 MHz [165] (30.0 dBm)
        valid interface combinations:
                 * #{ managed, AP, P2P-client, P2P-GO } <= 3,
                   total <= 3, #channels <= 1, STA/AP BI must match, radar detect widths: { 20 MHz (no HT), 20 MHz, 40 MHz, 80 MHz }

        max # scan plans: 1
        max scan plan interval: -1
        max scan plan iterations: 0
        Coalesce support:
                 * Maximum 8 coalesce rules supported
                 * Each rule contains upto 4 patterns of 1-40 bytes,
                   maximum packet offset 100 bytes
                 * Maximum supported coalescing delay 100 msecs
        Supported extended features:
Wiphy phy1
        wiphy index: 1
        max # scan SSIDs: 4
        max scan IEs length: 2242 bytes
        max # sched scan SSIDs: 0
        max # match sets: 0
        Retry short limit: 7
        Retry long limit: 4
        Coverage class: 0 (up to 0m)
        Device supports AP-side u-APSD.
        Device supports T-DLS.
        Available Antennas: TX 0 RX 0
        Supported interface modes:
                 * managed
                 * AP
                 * AP/VLAN
                 * monitor
                 * mesh point
        Band 1:
                Capabilities: 0x186f
                        RX LDPC
                        HT20/HT40
                        SM Power Save disabled
                        RX HT20 SGI
                        RX HT40 SGI
                        No RX STBC
                        Max AMSDU length: 7935 bytes
                        DSSS/CCK HT40
                Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
                Minimum RX AMPDU time spacing: 4 usec (0x05)
                HT TX/RX MCS rate indexes supported: 0-23, 32
                VHT Capabilities (0x339b7976):
                        Max MPDU length: 11454
                        Supported Channel Width: 160 MHz
                        RX LDPC
                        short GI (80 MHz)
                        short GI (160/80+80 MHz)
                        SU Beamformer
                        SU Beamformee
                        MU Beamformer
                        MU Beamformee
                        RX antenna pattern consistency
                        TX antenna pattern consistency
                VHT RX MCS set:
                        1 streams: MCS 0-9
                        2 streams: MCS 0-9
                        3 streams: MCS 0-9
                        4 streams: not supported
                        5 streams: not supported
                        6 streams: not supported
                        7 streams: not supported
                        8 streams: not supported
                VHT RX highest supported: 0 Mbps
                VHT TX MCS set:
                        1 streams: MCS 0-9
                        2 streams: MCS 0-9
                        3 streams: MCS 0-9
                        4 streams: not supported
                        5 streams: not supported
                        6 streams: not supported
                        7 streams: not supported
                        8 streams: not supported
                VHT TX highest supported: 0 Mbps
                Frequencies:
                        * 2412 MHz [1] (30.0 dBm)
                        * 2417 MHz [2] (30.0 dBm)
                        * 2422 MHz [3] (30.0 dBm)
                        * 2427 MHz [4] (30.0 dBm)
                        * 2432 MHz [5] (30.0 dBm)
                        * 2437 MHz [6] (30.0 dBm)
                        * 2442 MHz [7] (30.0 dBm)
                        * 2447 MHz [8] (30.0 dBm)
                        * 2452 MHz [9] (30.0 dBm)
                        * 2457 MHz [10] (30.0 dBm)
                        * 2462 MHz [11] (30.0 dBm)
                        * 2467 MHz [12] (disabled)
                        * 2472 MHz [13] (disabled)
                        * 2484 MHz [14] (disabled)
        valid interface combinations:
                 * #{ AP } <= 16, #{ mesh point } <= 1, #{ managed } <= 1,
                   total <= 16, #channels <= 1, radar detect widths: { 20 MHz (no HT), 20 MHz, 40 MHz, 80 MHz, 160 MHz }

        HT Capability overrides:
                 * MCS: ff ff ff ff ff ff ff ff ff ff
                 * maximum A-MSDU length
                 * supported channel width
                 * short GI for 40 MHz
                 * max A-MPDU length exponent
                 * min MPDU start spacing
        max # scan plans: 1
        max scan plan interval: -1
        max scan plan iterations: 0
        Supported extended features:
                * [ RRM ]: RRM
                * [ CONTROL_PORT_OVER_NL80211 ]: control port over nl80211
                * [ SCAN_RANDOM_SN ]: use random sequence numbers in scans
                * [ SCAN_MIN_PREQ_CONTENT ]: use probe request with only rate IEs in scans
                * [ CONTROL_PORT_NO_PREAUTH ]: disable pre-auth over nl80211 control port support
                * [ SCAN_FREQ_KHZ ]: scan on kHz frequency support
                * [ CONTROL_PORT_OVER_NL80211_TX_STATUS ]: tx status for nl80211 control port support
Wiphy phy0
        wiphy index: 0
        max # scan SSIDs: 4
        max scan IEs length: 2247 bytes
        max # sched scan SSIDs: 0
        max # match sets: 0
        Retry short limit: 7
        Retry long limit: 4
        Coverage class: 0 (up to 0m)
        Device supports AP-side u-APSD.
        Device supports T-DLS.
        Available Antennas: TX 0 RX 0
        Supported interface modes:
                 * managed
                 * AP
                 * AP/VLAN
                 * monitor
                 * mesh point
        Band 2:
                Capabilities: 0x186f
                        RX LDPC
                        HT20/HT40
                        SM Power Save disabled
                        RX HT20 SGI
                        RX HT40 SGI
                        No RX STBC
                        Max AMSDU length: 7935 bytes
                        DSSS/CCK HT40
                Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
                Minimum RX AMPDU time spacing: 4 usec (0x05)
                HT TX/RX MCS rate indexes supported: 0-23, 32
                VHT Capabilities (0x339b7976):
                        Max MPDU length: 11454
                        Supported Channel Width: 160 MHz
                        RX LDPC
                        short GI (80 MHz)
                        short GI (160/80+80 MHz)
                        SU Beamformer
                        SU Beamformee
                        MU Beamformer
                        MU Beamformee
                        RX antenna pattern consistency
                        TX antenna pattern consistency
                VHT RX MCS set:
                        1 streams: MCS 0-9
                        2 streams: MCS 0-9
                        3 streams: MCS 0-9
                        4 streams: not supported
                        5 streams: not supported
                        6 streams: not supported
                        7 streams: not supported
                        8 streams: not supported
                VHT RX highest supported: 0 Mbps
                VHT TX MCS set:
                        1 streams: MCS 0-9
                        2 streams: MCS 0-9
                        3 streams: MCS 0-9
                        4 streams: not supported
                        5 streams: not supported
                        6 streams: not supported
                        7 streams: not supported
                        8 streams: not supported
                VHT TX highest supported: 0 Mbps
                Frequencies:
                        * 5180 MHz [36] (23.0 dBm)
                        * 5200 MHz [40] (23.0 dBm)
                        * 5220 MHz [44] (23.0 dBm)
                        * 5240 MHz [48] (23.0 dBm)
                        * 5260 MHz [52] (23.0 dBm) (radar detection)
                        * 5280 MHz [56] (23.0 dBm) (radar detection)
                        * 5300 MHz [60] (23.0 dBm) (radar detection)
                        * 5320 MHz [64] (23.0 dBm) (radar detection)
                        * 5500 MHz [100] (23.0 dBm) (radar detection)
                        * 5520 MHz [104] (23.0 dBm) (radar detection)
                        * 5540 MHz [108] (23.0 dBm) (radar detection)
                        * 5560 MHz [112] (23.0 dBm) (radar detection)
                        * 5580 MHz [116] (23.0 dBm) (radar detection)
                        * 5600 MHz [120] (23.0 dBm) (radar detection)
                        * 5620 MHz [124] (23.0 dBm) (radar detection)
                        * 5640 MHz [128] (23.0 dBm) (radar detection)
                        * 5660 MHz [132] (23.0 dBm) (radar detection)
                        * 5680 MHz [136] (23.0 dBm) (radar detection)
                        * 5700 MHz [140] (23.0 dBm) (radar detection)
                        * 5720 MHz [144] (23.0 dBm) (radar detection)
                        * 5745 MHz [149] (30.0 dBm)
                        * 5765 MHz [153] (30.0 dBm)
                        * 5785 MHz [157] (30.0 dBm)
                        * 5805 MHz [161] (30.0 dBm)
        valid interface combinations:
                 * #{ AP } <= 16, #{ mesh point } <= 1, #{ managed } <= 1,
                   total <= 16, #channels <= 1, radar detect widths: { 20 MHz (no HT), 20 MHz, 40 MHz, 80 MHz, 160 MHz }

        HT Capability overrides:
                 * MCS: ff ff ff ff ff ff ff ff ff ff
                 * maximum A-MSDU length
                 * supported channel width
                 * short GI for 40 MHz
                 * max A-MPDU length exponent
                 * min MPDU start spacing
        max # scan plans: 1
        max scan plan interval: -1
        max scan plan iterations: 0
        Supported extended features:
                * [ RRM ]: RRM
                * [ CONTROL_PORT_OVER_NL80211 ]: control port over nl80211
                * [ SCAN_RANDOM_SN ]: use random sequence numbers in scans
                * [ SCAN_MIN_PREQ_CONTENT ]: use probe request with only rate IEs in scans
                * [ CONTROL_PORT_NO_PREAUTH ]: disable pre-auth over nl80211 control port support
                * [ SCAN_FREQ_KHZ ]: scan on kHz frequency support
                * [ CONTROL_PORT_OVER_NL80211_TX_STATUS ]: tx status for nl80211 control port support

Mike, I did go back through my progress notes and I had tried that early on... but before I had a known working VLAN path. So I repeated that test as I think you made a great point.

With both the native SSID and my Guest SSID on the br-lan network, Guest logon is fast and complete. So the driver does handle multiple SSIDs on the same network, but is it the driver or the network causing issues with the multiple SSIDs on separate networks?
Hopefully some better minds (than mine) here can help me wring this thing out.

Side note: I was in a local thrift store yesterday and was able to pick up a Netgear R7800 on the cheap (people speak highly of them here). I was hoping to do a parallel build and see if it worked... Sadly, the R7800 does not yet have DSA in 21.02.3, so it's apples and oranges.

Hey Richard, you've been tasked with a full plate of troubleshooting and I was wondering if some side reading might give you some insights.

Disclaimer: I don't use the wifi in OpenWrt as it is handled by (Fresh)Tomato. But the concept is the same, for "Roaming".

Thanks, interesting read and the Ars Technica bit at least validated where I'm placing my Dumb APs.

I have no delusions of trying to mesh a bunch of WRT3200s... Fast Roaming (802.11r) is working really well for me with a couple of small tweaks (DTIM) to make the Apple devices happy.

After years of running DD-WRT, I came to OpenWRT with 7 "wants". I've got 5 of them running just fine, Fast Roaming being one of them. If I can get this Guest network on 2.4GHz radios with a VLAN feed that'll be 6 and the 7th will fall in place. But after reading the stuff you sent, I may back out the fast roaming and see if that has any impact on the needs of the Guest network. Fortunately I have plenty of similar hardware to test this outside of the devices "in production" so I don't fall into the cartoon at the end of that read.


I bet @mercygroundabyss has a bag full of them.. :rofl:

I remember someone once telling me "No more tasks after 11:00 PM!!"


Bill, glad you brought up the Mesh vs. Fast Roaming. I have fast roaming working on my "in use" Dumb APs. Working well, actually. So, I also configured it on this test machine.

On one of the Bullet Points above, I noted

If I disable Fast Roaming (802.11r) on the native SSID but still have the 2nd SSID active, the logon to the Native completes, quickly. No more "unable to connect".

I know Eduardo Perez said this is not a driver issue, but it is certainly looking like it is at least part of the issue.

Richard, I'm reading this as you're back to: 5

  • 5 ~ Fast Roaming (on most)
  • 6 ~ Guest network on 2.4GHz (w/o Fast Roaming ~ similar hardware)
  • 7 ~ 2.4GHz radios with a VLAN feed

:musical_note: ...and a partridge in an OpenWrt tree :musical_note:

Close:

  • 1 ~ assign WAN port to LAN and use for Back Haul to 4 Dumb APs

  • 5 ~ Fast Roaming on primary wireless network, 4 Dumb APs 5 & 2.4GHz radios

  • 6 ~ Guest WiFi Network on at least 2 Dumb APs on Back Haul via VLAN 10

  • 7 ~ IOT WiFi Network to 4 Dumb APs. Tie 1 LAN port to Dumb AP in Garage all via VLAN 12

But I'm not giving up yet.

While typing the above, I had a thought regarding multiple SSIDs on a single radio. If one SSID is running 802.11r do all SSIDs on that radio need to run 802.11r. Apparently, yes.

By enabling Fast Roaming on both SSIDs, and configuring them the same... I no longer encounter an issue with the native SSID going to "Unable to connect". It gets a completed logon even with a second SSID present. The Guest account on a different network still doesn't get a completed logon. Step in the right direction.

So does ANYONE know: If you have 802.11r running on multiple SSIDs but on the same radio, should they be on the same "Mobility Domain" or a different one?

More research and a stop at a Maker hangout to chat with the WizKids. Others have encountered the same issues I'm seeing where a second device on a separate network VLAN ID will not complete logon and assign an ID even though the interface can get an IP address from the VLAN. There is a fix in the DD-WRT community from @RedHawk. Has anyone tried the RedHawk patch on the mwlwifi driver in OpenWRT?

Just wanted to drop an update and report this has been resolved, sort of. I kind of ran out of help and suggestions here so, since I was using pfSense to start the VLAN and DHCP for this issue I took this problem to the "off topic" section of the pfSense forum and fortunately a couple of top folks tied into my discussion, one of them a Netgate support person. If anyone is interested, I can link that discussion here. Anyway, after much testing we came down to something being broken in the OpenWRT code for the WRT3200ACM. I don't know if there was some Dev to Dev connection made or if it was just pure coincidence, but the fix was in the June 5 or 6 Snapshot. In reading more of the DSA information than I had ever intended, it is still not 100% functional in the autocreation/config of devices... so... I manually added the needed 802.1q devices for VLAN 1 and 10, then set the filtering tag/untag elements. This required moving the LAN interface to the br-lan.1 device and all is well. The Guest network rides the single cable connection as VLAN 10, the interface is on a separate network and any logons to the Guest network get an IP address on the separate network. I will add, it also required (not sure why) that the cut-down native WPAD (wolf-ssl?) be removed and the full featured WPAD be installed. Also, found that the package ip-bridge is super useful when troubleshooting these issues.

root@Testbed_OpenWrt:~# bridge vlan
port              vlan-id
lan4              1 PVID Egress Untagged
lan3              1 PVID Egress Untagged
lan2              1 PVID Egress Untagged
lan1              1 PVID Egress Untagged
wan               1 PVID Egress Untagged
                  10
                  20
br-lan            1
                  10
                  20
wlan1             1 PVID Egress Untagged
wlan0             1 PVID Egress Untagged
wlan1-1           10 PVID Egress Untagged

I still have a couple of loose ends to tie up. This is not imperative at this time as 802.11r seems to be missing from the Snapshot (don't know why), but does anyone know: If you have multiple SSIDs that are running 802.11r, should they all be on the same mobility domain or should each SSID have its own?

Hopefully there will be a 21.02.4 out with this fix (for WRT3200ACM) or maybe it will be a 22 stable soon so I can push this feature to my whole network.

Anyway, thanks to those here who helped get this started. I'm not going to push this solution to my working Dumb APs until the fix is in a "stable release" but at least I know that OpenWRT will handle the need for a guest network by VLAN under DSA.
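
The `bridge vlan` table in the post above can be checked mechanically for guest containment. The script below is an added example, not code from the thread: it parses that output (including the indented continuation lines) and verifies that the guest wireless interface is an untagged PVID member of the guest VLAN only, that the trunk carries the VLAN tagged, and that no other port is a member. Treating `wan` as the trunk and `br-lan` as the bridge is an assumption read from the posted table; the misconfigured variant is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): check guest-VLAN containment from
# `bridge vlan` output on a DSA dumb AP.

# vlan_table [FILE]: flatten `bridge vlan` output to "port vid pvid untagged"
# rows. Continuation lines (indented, no port name) inherit the last port.
vlan_table() {
    awk '
        NF == 0 || /^port[ \t]+vlan-id/ { next }
        /^[^ \t]/ { port = $1; vid = $2 }
        /^[ \t]/  { vid = $1 }
        vid ~ /^[0-9]+$/ {
            pvid  = ($0 ~ /PVID/) ? 1 : 0
            untag = ($0 ~ /Egress Untagged/) ? 1 : 0
            print port, vid, pvid, untag
        }' "$@"
}

# check_guest_vlan VID GUEST_IF TRUNK_PORT BRIDGE [FILE]
# Prints findings; exit status is 0 only when the guest VLAN is contained.
check_guest_vlan() {
    g_vid=$1 g_if=$2 g_trunk=$3 g_bridge=$4
    shift 4
    vlan_table "$@" | awk -v vid="$g_vid" -v guest="$g_if" \
                          -v trunk="$g_trunk" -v bridge="$g_bridge" '
        $1 == guest {
            if ($2 != vid) { print "FAIL: " guest " is also in VLAN " $2; bad = 1 }
            else if ($3 == 1 && $4 == 1) guest_ok = 1
            next
        }
        $2 != vid    { next }   # other VLANs are out of scope
        $1 == bridge { next }   # bridge self entry (CPU port), reviewed separately
        $1 == trunk  {
            trunk_seen = 1
            if ($4 == 1) { print "FAIL: " trunk " sends VLAN " vid " untagged"; bad = 1 }
            next
        }
        { print "FAIL: " $1 " is a member of guest VLAN " vid; bad = 1 }
        END {
            if (!guest_ok)   { print "FAIL: " guest " is not PVID + untagged in VLAN " vid; bad = 1 }
            if (!trunk_seen) { print "FAIL: " trunk " does not carry VLAN " vid; bad = 1 }
            if (!bad) print "OK: VLAN " vid " is limited to " guest " and tagged on " trunk
            exit bad + 0
        }'
}

# Output posted in the thread (guest SSID on wlan1-1, VLAN 10).
thread_bridge_vlan() {
    cat <<'EOF'
port              vlan-id
lan4              1 PVID Egress Untagged
lan3              1 PVID Egress Untagged
lan2              1 PVID Egress Untagged
lan1              1 PVID Egress Untagged
wan               1 PVID Egress Untagged
                  10
                  20
br-lan            1
                  10
                  20
wlan1             1 PVID Egress Untagged
wlan0             1 PVID Egress Untagged
wlan1-1           10 PVID Egress Untagged
EOF
}

# Constructed counter-example: the guest SSID bridged into VLAN 1 (the LAN).
broken_bridge_vlan() {
    thread_bridge_vlan | sed 's/^wlan1-1 .*/wlan1-1           1 PVID Egress Untagged/'
}

thread_bridge_vlan | check_guest_vlan 10 wlan1-1 wan br-lan
broken_bridge_vlan | check_guest_vlan 10 wlan1-1 wan br-lan ||
    echo "guest VLAN is not contained"
```

The bridge's own membership in VLAN 10 is skipped by the check; whether the AP itself should hold an address on the guest network is a separate decision from port membership.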

Just another quick update on this while waiting on a response from one of the Devs. I went ahead and tested this on the WRT3200ACM and the fix from the June 6 snapshot is in the 22.03.0 rc4 package. It works there just fine with the manual creation of the 802.1q devices before you apply VLAN filtering. So hopefully we'll see a stable 22.03.x release here soon.
