Unable to authenticate using WPA2 when VLANs are configured

I have this weird issue where my wifi stops working as soon as I configure VLANs. It seems like authentication fails. My laptop gives an error message like "4-way handshake failed" when I try to connect to the VLAN-configured wifi network. When I disable WPA2 on my wifi network, things start to work (authentication succeeds and I get an IP). However, I don't really want to run my wifi network unsecured. I am using a Netgear R8000 router and OpenWrt version 22.03.5. Here is my config:

/etc/config/network

# /etc/config/network as posted: br-lan is a VLAN-filtering bridge over lan1-lan4,
# with explicit 8021q devices stacked on it and separate bridge-vlan port membership.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	# bridge VLAN filtering on; per-port VLAN membership comes from the bridge-vlan sections below
	option vlan_filtering '1'

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.0.1'
	option delegate '0'
	# attached to the VLAN 100 sub-device of the bridge
	option device 'br-lan.100'

config device
	option name 'wan'
	option macaddr '2C:30:33:59:B9:65'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option hostname '*'

# NOTE(review): these two 8021q device sections sit on top of the VLAN-filtering bridge;
# the reply further down drops them and relies on the bridge-vlan sections alone.
config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '100'
	option name 'br-lan.100'

config device
	option type '8021q'
	option ifname 'br-lan'
	option vid '200'
	option name 'br-lan.200'

# ports are listed with no tagging suffix here; the reply's version uses 'lan1:u*' etc.
config bridge-vlan
	option device 'br-lan'
	option vlan '100'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'

config bridge-vlan
	option device 'br-lan'
	option vlan '200'
	list ports 'lan4'

config interface 'dmz'
	option proto 'static'
	option device 'br-lan.200'
	option ipaddr '10.0.0.254'
	option netmask '255.255.255.0'
	option auto '1'

/etc/config/wireless

# /etc/config/wireless as posted: three radios, but only radio0 has a wifi-iface section.
config wifi-device 'radio0'
	option type 'mac80211'
	option path '18000000.axi/bcma0:7/pci0000:00/0000:00:00.0/0000:01:00.0'
	option cell_density '0'
	option band '5g'
	option country 'US'
	option htmode 'VHT80'
	option channel '149'
	option txpower '20'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '18000000.axi/bcma0:8/pci0001:00/0001:00:00.0/0001:01:00.0/0001:02:01.0/0001:03:00.0'
	option band '2g'
	option htmode 'HT20'
	option channel 'auto'
	option cell_density '0'

config wifi-device 'radio2'
	option type 'mac80211'
	option path '18000000.axi/bcma0:8/pci0001:00/0001:00:00.0/0001:01:00.0/0001:02:02.0/0001:04:00.0'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'
	option txpower '20'
	option channel 'auto'

# the one AP: WPA2-PSK on radio0, bound to the 'lan' network
config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'lan'
	# pre-shared key redacted in the post
	option key '<redacted>'
	option disassoc_low_ack '0'
	# WPA2-PSK; per the post, turning this off is what makes the 4-way handshake failure disappear
	option encryption 'psk2'
	# NOTE(review): by its name this turns off EAPOL key retries during the 4-way handshake;
	# since the failing step reported is exactly that handshake, re-test with this option
	# removed before attributing the failure to the VLAN change — confirm
	option wpa_disable_eapol_key_retries '1'
	# 'lan' is the interface on br-lan.100 in the network config
	option network 'lan'

Hi

wait ...
there is no need for these 8021q device sections when using bridge VLAN filtering

try this config

# suggested /etc/config/network: the 8021q device sections are gone and each bridge-vlan
# port carries a ':u*' suffix (untagged, as the annotated snippet further down shows)
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	option vlan_filtering '1'

config device
	option name 'wan'
	option macaddr '2C:30:33:59:B9:65'

# ':u*' marks the port untagged on this VLAN
config bridge-vlan
    option device 'br-lan'
    option vlan '100'
    list ports 'lan1:u*'
    list ports 'lan2:u*'
    list ports 'lan3:u*'

config bridge-vlan
    option device 'br-lan'
    option vlan '200'
    list ports 'lan4:u*'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option hostname '*'

config interface 'lan'
	# no explicit device section: the VLAN sub-device name is referenced directly
	option device 'br-lan.100'
    option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.0.1'
	option delegate '0'
	
config interface 'dmz'
	option device 'br-lan.200'
    option proto 'static'
	option ipaddr '10.0.0.254'
	option netmask '255.255.255.0'
	option auto '1'

edit:

this is the proper way to configure VLANs

config bridge-vlan
    option device 'br-lan'
    option vlan '200'    <- VLAN ID
    list ports 'lan4:u*'   <- Port: LAN4 Untagged

Thank you for your reply. I will try it, however it's not clear to me how I would assign my "dmz" interface/network to VLAN 200 if I remove the VLAN 200 device.

it is there :slight_smile:

on old-fashioned configs with swconfig, there was a bridge for this purpose, but with DSA things have changed

Thanks, it seems that the br-lan.<VLAN ID> interfaces are created implicitly now. However, the issue I described in the OP still persists. My config is now this:

# updated /etc/config/network after the reply: 8021q device sections removed, ':u*' ports used
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	# NOTE(review): 'option vlan_filtering 1', present in both earlier br-lan definitions,
	# is missing here; confirm the bridge-vlan sections below still take effect without it

config interface 'lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.0.1'
	option delegate '0'
	option device 'br-lan.100'

config device
	option name 'wan'
	option macaddr '2C:30:33:59:B9:65'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option hostname '*'

# ':u*' marks the port untagged on this VLAN
config bridge-vlan
	option device 'br-lan'
	option vlan '100'
	list ports 'lan1:u*'
	list ports 'lan2:u*'
	list ports 'lan3:u*'

config bridge-vlan
	option device 'br-lan'
	option vlan '200'
	list ports 'lan4:u*'

# 'option auto 1' from the earlier dmz definitions is not carried over here
config interface 'dmz'
	option proto 'static'
	option device 'br-lan.200'
	option ipaddr '10.0.0.254'
	option netmask '255.255.255.0'

did you try the 2g radio also, to rule out 5g issues?

Yes I have. The only thing that seemed to resolve the issue was disabling wifi security.

Ok

which image do you use? official or self-compiled?

I use the official image.