Still fighting Guest account on Dumb AP with VLAN

Thanks, interesting read and the Ars Technica bit at least validated where I'm placing my Dumb APs.

I have no delusions of trying to mesh a bunch of WRT3200s... Fast Roaming (802.11r) is working really well for me with a couple of small tweaks (DTIM) to make the Apple devices happy.

After years of running DD-WRT, I came to OpenWRT with 7 "wants". I've got 5 of them running just fine, Fast Roaming being one of them. If I can get this Guest network on 2.4Ghz radios with a VLAN feed that'll be 6 and the 7th will fall in place. But after reading the stuff you sent, I may back out the fast roaming and see if that has any impact on the needs of the Guest network. Fortunately I have plenty of similar hardware to test this outside of the devices "in production" so I don't fall into the cartoon at the end of that read.


I bet @mercygroundabyss has a bag full of them.. :rofl:

I remember someone once telling me "No more tasks after 11:00 PM!!"


Bill, glad you brought up the Mesh vs. Fast Roaming. I have fast roaming working on my "in use" Dumb APs. Working well, actually. So, I also configured it on this test machine.

On one of the Bullet Points above, I noted

If I disable Fast Roaming (802.11r) on the native SSID but still have the 2nd SSID active, the logon to the Native completes, quickly. No more "unable to connect".

I know Eduardo Perez said this is not a driver issue, but it is certainly looking like it is at least part of the issue.

Richard, I'm reading this as you're back to: 5

  • 5 ~ Fast Roaming (on most)
  • 6 ~ Guest network on 2.4Ghz (w/o Fast Roaming ~ similar hardware)
  • 7 ~ 2.4Ghz radios with a VLAN feed

:musical_note: ...and a partridge in an OpenWrt tree :musical_note:

Close:

  • 1 ~ assign WAN port to LAN and use for Back Haul to 4 Dumb APs

  • 5 ~ Fast Roaming on primary wireless network, 4 Dumb APs 5 & 2.4Ghz radios

  • 6 ~ Guest WiFi Network on at least 2 Dumb APs on Back Haul via VLAN 10

  • 7 ~ IOT WiFi Network to 4 Dumb APs. Tie 1 LAN port to Dumb AP in Garage all via VLAN 12

But I'm not giving up yet.

While typing the above, I had a thought regarding multiple SSIDs on a single radio. If one SSID is running 802.11r, do all SSIDs on that radio need to run 802.11r? Apparently, yes.

By enabling Fast Roaming on both SSIDs, and configuring them the same... I no longer encounter an issue with the native SSID going to "Unable to connect". It gets a completed logon even with a second SSID present. The Guest account on a different network still doesn't get a completed logon. Step in the right direction.

So does ANYONE know: If you have 802.11r running on multiple SSIDs but on the same radio, should they be on the same "Mobility Domain" or a different one?

More research and a stop at a Maker hangout to chat with the WizKids. Others have encountered the same issues I'm seeing where a second device on a separate network VLAN ID will not complete logon and assign an ID even though the interface can get an IP address from the VLAN. There is a fix in the DD-WRT community from @RedHawk. Has anyone tried the RedHawk patch on the mwlwifi driver in OpenWRT?

Just wanted to drop an update and report this has been resolved, sort of. I kind of ran out of help and suggestions here so, since I was using pfSense to start the VLAN and DHCP for this issue, I took this problem to the "off topic" section of the pfSense forum and fortunately a couple of top folks tied into my discussion, one of them a Netgate support person. If anyone is interested, I can link that discussion here.

Anyway, after much testing we came down to something being broken in the OpenWRT code for the WRT3200ACM. I don't know if there was some Dev to Dev connection made or if it was just pure coincidence, but the fix was in the June 5 or 6 Snapshot.

In reading more of the DSA information than I had ever intended, it is still not 100% functional in the autocreation/config of devices... so... I manually added the needed 802.1q devices for VLAN 1 and 10, then set the filtering tag/untag elements. This required moving the LAN interface to the br-lan.1 device and all is well. The Guest network rides the single cable connection as VLAN 10, the interface is on a separate network and any logons to the Guest network get an IP address on the separate network.

I will add, it also required (not sure why) that the cut-down native WPAD (wolf-ssl?) be removed and the full featured WPAD be installed. Also, found that the package ip-bridge is super useful when troubleshooting these issues.

root@Testbed_OpenWrt:~# bridge vlan
port              vlan-id
lan4              1 PVID Egress Untagged
lan3              1 PVID Egress Untagged
lan2              1 PVID Egress Untagged
lan1              1 PVID Egress Untagged
wan               1 PVID Egress Untagged
                  10
                  20
br-lan            1
                  10
                  20
wlan1             1 PVID Egress Untagged
wlan0             1 PVID Egress Untagged
wlan1-1           10 PVID Egress Untagged

I still have a couple of loose ends to tie up. This is not imperative at this time as 802.11r seems to be missing from the Snapshot (don't know why), but does anyone know: If you have multiple SSIDs that are running 802.11r, should they all be on the same mobility domain or should each SSID have its own?

Hopefully there will be a 21.02.4 out with this fix (for WRT3200ACM) or maybe it will be a 22 stable soon so I can push this feature to my whole network.

Anyway, thanks to those here who helped get this started. I'm not going to push this solution to my working Dumb APs until the fix is in a "stable release" but at least I know that OpenWRT will handle the need for a guest network by VLAN under DSA.

Just another quick update on this while waiting on a response from one of the Devs. I went ahead and tested this on the WRT3200ACM and the fix from the June 6 snapshot is in the 22.03.0 rc4 package. It works there just fine with the manual creation of the 802.1q devices before you apply VLAN filtering. So hopefully we'll see a stable 22.03.x release here soon.
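
An added example, not code from the thread or from OpenWrt: a shell check that parses `bridge vlan` output in the layout quoted above and confirms the guest SSID port is an untagged PVID member of the guest VLAN only, while the uplink carries that VLAN tagged. The port names and VLAN 10 come from the post; the function names `vlan_table` and `check_guest` are hypothetical.

```shell
#!/bin/sh
# Constructed sample: the `bridge vlan` output quoted in the thread.
SAMPLE='port              vlan-id
lan4              1 PVID Egress Untagged
lan3              1 PVID Egress Untagged
lan2              1 PVID Egress Untagged
lan1              1 PVID Egress Untagged
wan               1 PVID Egress Untagged
                  10
                  20
br-lan            1
                  10
                  20
wlan1             1 PVID Egress Untagged
wlan0             1 PVID Egress Untagged
wlan1-1           10 PVID Egress Untagged'

# vlan_table: flatten `bridge vlan` output (stdin) to "port vid flags" rows.
# Indented lines are further VLANs of the port named on an earlier line.
vlan_table() {
    awk '
        NF == 0 || $1 == "port" { next }
        /^[^ \t]/ { port = $1; vid = $2; i = 3 }
        /^[ \t]/  { vid = $1; i = 2 }
        {
            flags = ""
            for (; i <= NF; i++) flags = flags (flags == "" ? "" : "_") $i
            print port, vid, (flags == "" ? "-" : flags)
        }'
}

# check_guest GUEST_PORT GUEST_VID UPLINK: audit stdin, print "ok" or findings.
check_guest() {
    vlan_table | awk -v gp="$1" -v gv="$2" -v up="$3" '
        $1 == gp && $2 != gv { out = out "guest port also in VLAN " $2 "\n" }
        $1 == gp && $2 == gv && $3 ~ /PVID/ && $3 ~ /Untagged/ { access = 1 }
        $1 == up && $2 == gv && $3 !~ /Untagged/ { trunk = 1 }
        END {
            if (!access) out = out "guest port not an untagged PVID member of VLAN " gv "\n"
            if (!trunk) out = out "uplink does not carry VLAN " gv " tagged\n"
            if (out == "") { print "ok"; exit 0 }
            printf "%s", out; exit 1
        }'
}

# On the AP itself: bridge vlan | check_guest wlan1-1 10 wan
printf '%s\n' "$SAMPLE" | check_guest wlan1-1 10 wan
```

A non-zero exit status with a finding such as "guest port also in VLAN 1" means guest clients are bridged into the LAN VLAN as well.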
