What limits VAPs/multi-ssid on hardware?

Hi there, new to openwrt; I just got it working on my Pi 4B and I've learned that the hardware doesn't support VAPs, which means I can't do multi ssid.

What things do I need to consider if my goal is to have many multi ssid? More than buying hardware that supports VAPs, what if I wanted to have 20 ssids running off a single piece of hardware? Are there any limits that aren't necessarily hardware related (eg: artificial software limits)?

As for a use case, I would like to have several IoT networks (some of these IoT devices have poor security, others I am testing out and monitoring). I also want my own networks, guest networks, work from home networks, etc.

It's a Bad Idea™

Each added stacked SSID adds a certain amount of overhead. So you are multiplying overhead by the number of stacked SSIDs. Worse than that, though, clients on a network know not to transmit during regular beacon transmissions. But clients on separate stacked SSIDs don't and can't know the exact time for a different stacked SSID's beacon transmissions. Each added stacked SSID adds potential for clients of that stacked SSID to step on the AP's beacon for a different stacked SSID. The same for acknowledgement frames.

Judicious use of client isolation, VLANs, VPNs, and a couple separate frequencies can reduce or eliminate your use of stacked SSIDs.

But there is sometimes a need for multi-SSID. For example, to get better security you would use WPA3, or if you have RADIUS auth then you can have WPA2 Enterprise, but these kinds of security might not apply to IoT devices (at least almost none of mine have WPA3 support), then there is a need to have a separate SSID for those IoT devices.

That's why you buy better hw when you want to go this way. I have 4 VAPs with VLANs on my network, no problem at all. Performance is the same.

I know that multiple SSIDs broadcasting on the same frequency is less than the optimal single SSID in a barn on a 100 acre farm, or single SSID in a suburban home with a decent plot size.

Do multi SSID on the same channel somehow [significantly] stagger the broadcast signal that this is an issue? I'm really asking, I'm quite ignorant on how all of this works. My assumption, for a populated multi-story apartment, was that everything was sending signals at their own pace; therefore timing wasn't really any sort of issue, since everything was assumed to be a wild-west of signals.

If I could, I'd like to assign a VLAN to each device, but at this moment I'm not confident that any device won't scan+spoof a MAC address. I've looked into RADIUS, but many IoT and other simple devices (printers) don't support it.

This is exactly my current issue. RADIUS seems secure, but not all my hardware supports it. And, afaik, RADIUS has a certain latency that would affect any 'gaming' devices.

I'd love to buy better hw, but as I understand it, that can get pretty pricey damn fast! I guess this post is me trying to understand what hardware specs I need to pay attention to if I want to go the correct route.

I don't fundamentally understand how a lot of this bare-metal hardware stuff works, so I'm not sure what to look for in good/bad hardware. I've seen a lot of 2x2 or 3x3 MIMO, but afaik it's different than the wifi spec broadcast.

Can I ask, what hw are you running?

ps: sorry for 3x posts, not sure how to respond to 3x people in a single reply, new to this forum

You can highlight from people's message then click "quote"

The Netgear WAX202 was originally advertised as a multi-SSID capable office AP which is not expensive; the WAX206 is the better one but still in snapshot, so I believe this should fit your purpose at least.
The 2x2/3x3 are just talking about the TX/RX spatial streams, not directly related to the topic; however, routers with like 4x4 or above tend to have better hardware to handle multi-SSID even if it's not an advertised feature (some might advertise "guest WiFi", which is a similar thing), so those might be considered as well.

When you type #iw list, it will spit out some useful information about the hw of the wlan modules, and the max VAP number will be listed there.
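As an added example (not part of any post in this thread), this shell function reads `iw list`-style text and reports, per radio, how many AP interfaces the driver allows at once. It assumes the limit is the `AP` entry under "valid interface combinations", capped by that combination's `total`; the function name and the sample output are constructed.

```shell
#!/bin/sh
# Constructed excerpt in the layout `iw list` prints (values are made up).
SAMPLE_IW_LIST='Wiphy phy1
    valid interface combinations:
         * #{ managed } <= 1, #{ AP, mesh point } <= 8,
           total <= 8, #channels <= 1, STA/AP BI must match
    HT Capability overrides:
Wiphy phy0
    valid interface combinations:
         * #{ managed } <= 1, #{ P2P-device } <= 1, #{ P2P-client, P2P-GO } <= 1,
           total <= 3, #channels <= 2
         * #{ managed } <= 1, #{ AP } <= 1, #{ P2P-client } <= 1,
           total <= 3, #channels <= 1'

# Print "<phy> <max simultaneous AP interfaces>" for each radio on stdin.
max_ap_ifaces() {
    awk '
    # AP limit of one combination: "#{ ..AP.. } <= N", capped by "total <= M".
    function ap_limit(c,   lim, grp, n, i, tok) {
        lim = 0
        while (match(c, /#[{][^}]*[}] <= [0-9]+/)) {
            grp = substr(c, RSTART, RLENGTH); c = substr(c, RSTART + RLENGTH)
            n = grp; sub(/.*<= /, "", n)
            sub(/^#[{] */, "", grp); sub(/ *[}].*/, "", grp)
            split(grp, tok, /, */)
            for (i in tok) if (tok[i] == "AP" && n + 0 > lim) lim = n + 0
        }
        if (match(c, /total <= [0-9]+/)) {
            n = substr(c, RSTART + 9, RLENGTH - 9) + 0
            if (n < lim) lim = n
        }
        return lim
    }
    # Fold the combination collected so far into the best value for this phy.
    function finish(   n) {
        if (combo != "") { n = ap_limit(combo); if (n > best[phy]) best[phy] = n }
        combo = ""
    }
    /^Wiphy /                        { finish(); phy = $2; best[phy] = 0
                                       order[++nphy] = phy; incomb = 0; next }
    /valid interface combinations:/  { incomb = 1; next }
    incomb && /^[ \t]*\* /           { finish(); combo = $0; next }
    incomb && /<=/                   { combo = combo " " $0; next }
                                     { finish(); incomb = 0 }
    END { finish(); for (i = 1; i <= nphy; i++) print order[i], best[order[i]] }'
}

printf '%s\n' "$SAMPLE_IW_LIST" | max_ap_ifaces
```

On a router, pipe the real output in with `iw list | max_ap_ifaces`; a result of 1 means the radio cannot host a second SSID.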

If using Radius for initial Layer2 ethernet access authentication at link up only, then I don't see why Radius would lead to additional latency during Layer3+ IP communication?

I suggest answering your question by test. Keep adding WiFi SSID's and see what happens to your throughput and latency. Until you detect a drop off, don't worry and be happy. I suspect you'll find you can add quite a few SSID's without a noticeable performance drop.

Some years ago, Revolution WiFi put together a spreadsheet that computes WiFi overhead as a function of number of SSID's and number of other AP's using the same channel.

With an 802.11b beacon data rate of 1Mbps, that spreadsheet presents a grim picture of crushing overhead from which one might logically conclude more than a single SSID is a terrible idea.

However, bump the data rate up to 802.11a 54 Mbps in the same spreadsheet, and it presents quite a different picture. Unsurprisingly, overhead becomes a much smaller fraction of total throughput as the data rate increases. Combinations of number of SSID's on a channel and number of other AP's on the channel (SSID's/AP) within 10/8, 7/12, 5/17, 3/29, and 2/44 are all in the "green" zone of less than 10% overhead.

Time has moved on and WiFi throughput has gotten quite a bit faster since the Revolution WiFi spreadsheet was promulgated. FWIW, I've not experienced noticeable throughput or latency degradation increasing the number of SSID's up to 4 on the same channel in our home, and I would not hesitate at all to add a few more if I needed them.

Devices can be authenticated with individual PSKs (no WPA Enterprise, no RADIUS needed).

https://www.reddit.com/r/openwrt/comments/ynhyrp/comment/ivdl32u/?utm_source=share&utm_medium=web3x&utm_name=web3xcss&utm_term=1&utm_content=share_button

It is possible to have multiple passwords for a single SSID and assign clients to VLANs based on which password they connect with using the wpa_psk_file option. This is supported by openwrt but not LuCI so you'd have to use the CLI to configure it. From the client's point of view this would be the same as any other WPA2-Personal connection and thus doesn't have any compatibility issues like WPA2-Enterprise.

Example hostapd.wpa_psk

Note that I have not tried this solution myself.

UPDATE: @takimata has tried it:
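An added example, not part of the original post or the quoted Reddit comment and not the configuration @takimata tested: a shell function that turns a device inventory into lines for the file named by `wpa_psk_file`, using hostapd's `vlanid=<id> <MAC> <passphrase>` line format. The inventory layout, labels, VLAN IDs, MAC address, passphrases and the function name are all constructed for illustration.

```shell
#!/bin/sh
# Constructed inventory (not from the thread): <label> <vlan-id> <mac|*> <passphrase>
INVENTORY='# label   vlan mac               passphrase
cameras   30   *                 constructed-camera-pass
printer   40   02:00:00:aa:bb:01 constructed-printer-pass
guests    50   *                 constructed guest pass'

# Print hostapd wpa_psk_file lines ("vlanid=<id> <MAC> <passphrase>") for the
# inventory on stdin. Prints nothing and returns 1 if any entry is invalid.
build_psk_file() {
    awk '
    function fail(msg) { print "line " NR ": " msg | "cat 1>&2"; bad = 1; exit 1 }
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comments and blank lines
    {
        if (NF < 4) fail("expected 4 fields")
        vlan = $2; mac = $3; pass = $0
        # The passphrase is the rest of the line, so it may contain spaces.
        sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", pass)
        if (vlan !~ /^[0-9]+$/ || vlan + 0 < 1 || vlan + 0 > 4094)
            fail("VLAN id must be 1-4094")
        if (mac == "*") { mac = "00:00:00:00:00:00" }   # hostapd wildcard MAC
        else if (length(mac) != 17 ||
                 mac !~ /^[0-9A-Fa-f][0-9A-Fa-f](:[0-9A-Fa-f][0-9A-Fa-f])+$/)
            fail("bad MAC address")
        if (length(pass) < 8 || length(pass) > 63)
            fail("WPA passphrase must be 8-63 characters")
        # A reused passphrase makes the VLAN assignment ambiguous.
        if (pass in seen) fail("passphrase reused from line " seen[pass])
        seen[pass] = NR
        out = out "vlanid=" vlan " " mac " " pass "\n"
    }
    END { if (bad) exit 1; printf "%s", out }'
}

printf '%s\n' "$INVENTORY" | build_psk_file
```

The generated file holds every passphrase in clear text, so keep it readable by root only on the router.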