Wifi VLANs via wpa_psk_file not adding to bridge

Hi, I tried to set an SSID to do a VLAN per passphrase (as detailed here); however, clients can connect but get no connectivity.

I see the following errors in the log:

Sat Oct 21 14:53:20 2023 daemon.err hostapd: VLAN: br_addif: ioctl[SIOCDEVPRIVATE,BRCTL_ADD_IF] failed for br_name=br-switch.20 if_name=wlan.20: Not supported
Sat Oct 21 14:53:20 2023 daemon.err hostapd: VLAN: br_addif: ioctl[SIOCDEVPRIVATE,BRCTL_ADD_IF] failed for br_name=br-switch.10 if_name=wlan.10: Not supported

Also the following:

Sat Oct 21 15:14:43 2023 kern.warn kernel: [ 1384.583479] ------------[ cut here ]------------
Sat Oct 21 15:14:43 2023 kern.warn kernel: [ 1384.583795] WARNING: CPU: 3 PID: 1130 at backports-6.1.24/net/mac80211/driver-ops.h:611 0xbf1233ac [mac80211@5b630eb6+0x7f000]
Sat Oct 21 15:14:43 2023 kern.warn kernel: [ 1384.587484] wlan.20: Failed check-sdata-in-driver check, flags: 0x0
Sat Oct 21 15:14:43 2023 kern.warn kernel: [ 1384.599126] Modules linked in: pppoe ppp_async nft_fib_inet nf_flow_table_ipv6 nf_flow_table_ipv4 nf_flow_table_inet ath10k_pci ath10k_core ath pppox ppp_generic nft_reject_ipv6 nft_reject_ipv4 nft_reject_inet nft_reject nft_redir nft_quota nft_objref nft_numgen nft_nat nft_masq nft_log nft_limit nft_hash nft_flow_offload nft_fib_ipv6 nft_fib_ipv4 nft_fib nft_ct nft_counter nft_chain_nat nf_tables nf_nat nf_flow_table nf_conntrack mac80211 cfg80211 slhc nfnetlink nf_reject_ipv6 nf_reject_ipv4 nf_log_syslog nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c hwmon crc_ccitt compat ledtrig_usbport sha512_arm ghash_arm_ce cmac leds_gpio xhci_plat_hcd xhci_pci xhci_hcd dwc3 dwc3_qcom gpio_button_hotplug crc32c_generic
Sat Oct 21 15:14:43 2023 kern.warn kernel: [ 1384.644747] CPU: 3 PID: 1130 Comm: hostapd Not tainted 5.15.134 #0
Sat Oct 21 15:14:43 2023 kern.warn kernel: [ 1384.666901] Hardware name: Generic DT based system
Sat Oct 21 15:14:43 2023 kern.warn kernel: [ 1384.673157] Function entered at [<c030d3a8>] from [<c0309784>]
Sat Oct 21 15:14:43 2023 kern.warn kernel: [ 1384.677928] Function entered at [<c0309784>] from [<c060cd64>]
Sat Oct 21 15:14:43 2023 kern.warn kernel: [ 1384.683744] Function entered at [<c060cd64>] from [<c0322744>]
Sat Oct 21 15:14:43 2023 kern.warn kernel: [ 1384.689559] Function entered at [<c0322744>] from [<c0322820>]
Sat Oct 21 15:14:43 2023 kern.warn kernel: [ 1384.695375] Function entered at [<c0322820>] from [<bf1233ac>]
Sat Oct 21 15:14:43 2023 kern.warn kernel: [ 1384.701208] Function entered at [<bf1233ac>] from [<bf0ef10c>]
Sat Oct 21 15:14:43 2023 kern.warn kernel: [ 1384.707010] Function entered at [<bf0ef10c>] from [<bf0ef474>]
Sat Oct 21 15:14:43 2023 kern.warn kernel: [ 1384.712825] Function entered at [<bf0ef474>] from [<bf0b30b4>]
Sat Oct 21 15:14:43 2023 kern.warn kernel: [ 1384.718643] Function entered at [<bf0b30b4>] from [<c084cd78>]
Sat Oct 21 15:14:43 2023 kern.warn kernel: [ 1384.724456] Function entered at [<c084cd78>] from [<c084be48>]
Sat Oct 21 15:14:43 2023 kern.warn kernel: [ 1384.730273] Function entered at [<c084be48>] from [<c084c484>]
Sat Oct 21 15:14:43 2023 kern.warn kernel: [ 1384.736086] Function entered at [<c084c484>] from [<c084b510>]
Sat Oct 21 15:14:43 2023 kern.warn kernel: [ 1384.741902] Function entered at [<c084b510>] from [<c084b7e4>]
Sat Oct 21 15:14:43 2023 kern.warn kernel: [ 1384.747718] Function entered at [<c084b7e4>] from [<c07b5918>]
Sat Oct 21 15:14:43 2023 kern.warn kernel: [ 1384.753536] Function entered at [<c07b5918>] from [<c07b74ec>]
Sat Oct 21 15:14:43 2023 kern.warn kernel: [ 1384.759352] Function entered at [<c07b74ec>] from [<c07b7654>]
Sat Oct 21 15:14:43 2023 kern.warn kernel: [ 1384.765167] Function entered at [<c07b7654>] from [<c0300040>]
Sat Oct 21 15:14:43 2023 kern.warn kernel: [ 1384.770981] Exception stack(0xc3151fa8 to 0xc3151ff0)
Sat Oct 21 15:14:43 2023 kern.warn kernel: [ 1384.776803] 1fa0:                   00000000 00000000 0000000e bec0e138 00000000 00000000
Sat Oct 21 15:14:43 2023 kern.warn kernel: [ 1384.781930] 1fc0: 00000000 00000000 01d02d78 00000128 00000004 bec0e180 00000001 00000000
Sat Oct 21 15:14:43 2023 kern.warn kernel: [ 1384.790085] 1fe0: bec0e0e0 bec0e0d0 b6f1cb9c b6f1c00c
Sat Oct 21 15:14:43 2023 kern.warn kernel: [ 1384.798330] ---[ end trace 867636191caed713 ]---

Network config is as follows:

config device
        option name 'br-switch'
        option type 'bridge'
        option igmp_snooping '1'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'lan4'
        list ports 'wan'

config interface 'foo'
        option device 'br-switch.10'
        option proto 'dhcp'
        option delegate '0'

config interface 'bar'
        option device 'br-switch.20'
        option proto 'dhcp'
        option delegate '0'

config bridge-vlan
        option device 'br-switch'
        option vlan '10'
        list ports 'lan1:u'
        list ports 'lan2:u'
        list ports 'wan:t'

config bridge-vlan
        option device 'br-switch'
        option vlan '20'
        list ports 'lan3:u'
        list ports 'lan4:u'
        list ports 'wan:t'

Wired connectivity works fine, and I can see traffic over the two VLANs, and brctl shows the bridge and the 'lan' ports.

Now the wireless interface part.

config wifi-iface 'wifinet0'
        option device 'radio2'
        option mode 'ap'
        option ssid 'TEST'
        option encryption 'psk2'
        option wpa_psk_file '/etc/hostapd.wpa_psk'
        option vlan_file '/etc/hostapd.vlan'
        option vlan_bridge 'null'
        option dynamic_vlan '1'

with corresponding /etc/hostapd.vlan:

10 wlan.10 br-switch.10
20 wlan.20 br-switch.20

and /etc/hostapd.wpa_psk:

vlanid=10 00:00:00:00:00:00 foosecret
vlanid=20 00:00:00:00:00:00 barsecret

Device is a Linksys EA8300 running OpenWrt 23.05.0 r23497-6637af95aa with wpad-wolfssl installed instead of wpad-basic-mbedtls.

Any thoughts what's going wrong?

Did you check the option to keep the bridge up?

If it still does it, I think it has to be a driver issue, since it throws a stack trace.

Oh, and this:

make sure it is br-switch :slight_smile:

Ok, some progress. Changing /etc/hostapd.vlan to be

10 wlan.10 br-switch
20 wlan.20 br-switch

I can see wlan.10 and wlan.20 on br-switch, and no errors in the logs. However, no traffic can pass and I can't see what VLAN is associated (ip -d link doesn't work with busybox).

Setting it as 'null' was just a placeholder as it's being overridden by the above config, but this makes me wonder: does one need a dedicated bridge per VLAN to make this work (the old way one had to do things in Linux)?

Setting option vlan_bridge 'br-switch' and removing the bridge from each line in /etc/hostapd.vlan ends up with three bridges:

root@openwrt1:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br-switch               7fff.149182ad14b9       no             lan4
                                                        lan2
                                                        wan
                                                        lan3
                                                        lan1
br-switch20             8000.1a9182ad14ba       no              wlan.20
br-switch10             8000.1a9182ad14ba       no              wlan.10

Which also doesn't allow traffic to pass from wifi (and phy2-ap0 is now dropped).

So I got the multiple-bridge model above to work if I manually added the VLAN interface via brctl addif br-switch10 br-switch.10 (and the same for 20); however, this is lost on reboot.

# cat /etc/hostapd.vlan 
* wlan.#

# brctl show br-switch10
bridge name     bridge id               STP enabled     interfaces
br-switch10             8000.149182ad1440       no              wlan.10
                                                        br-switch.10

Feels like I'm doing it all wrong, though, as there should be no need for a per-VLAN bridge in 2023...

Hmm, when I look at this again, I think this is what it translates to:

wlan.10 is the tagged VLAN on wlan; that is correct. br-switch.10 is incorrect; it should be br-switch, because this overrides the bridge interface and br-switch.10 is not a bridge device but a VLAN device.

In other words, it tags the VLAN device from wlan with id 10 to the overridden bridge on br-switch.

2 Likes

From what I can see by default with DSA this device has a single bridge that contains all the physical ethernet lan devices (1 through 4 for me). This bridge (that I have named br-switch above) has vlan filtering enabled, and several 802.1q devices created and named as interfaces with IP addresses (e.g. br-switch.10 named foo), tagged back to the respective physical ethernet ports. All this works.

Now for hostapd.

Using LuCI to create an SSID called TEST and assigning it to the "network" foo uses option network 'foo' in the config and adds a phy2-ap0 device to the bridge, and I see in /tmp/run/hostapd-phy2.conf it has snoop_iface=br-switch.10 set (which I presume is how it is sending wireless traffic to the VLAN?). This also all works; however, I need one SSID per VLAN, which is messy (and the bridge has many radio phyN-apM devices created per SSID, per radio).

Now to the subject of this thread!

If instead I change the wireless config to use option vlan_file, vlan_bridge, etc and use a value of "10 wlan.10" in /etc/hostapd.vlan this has hostapd make dedicated bridges per vlan (e.g. br-switch10) that contain no other devices, and so traffic goes nowhere? Seems I need to manually add my 802.1q devices from earlier to these bridges somehow?

If I set /etc/hostapd.vlan to override the bridge with a line of "10 wlan.10 br-switch" I get the wlan.10 device on br-switch just like the phy2-ap0 used to reside, however there's no snoop_iface setting and so I guess no traffic flows?

tl;dr it doesn't seem possible to make use of the single vlan aware bridge.

1 Like

Yes, so I can control which bridge the wlan.x interfaces(?) are added to:

a) "10 wlan.10" adds it to a bridge per vlan, here br-switch10.
b) "10 wlan.10 br-switch" adds it to the existing br-switch.
c) "10 wlan.10 br-switch.10" fails (as br-switch.10 is not a bridge, and gives the error shown at the very top of this thread).

What I have observed is that (a) works, however I need to add my vlan interfaces to the respective per-vlan bridges manually. Whereas (b) seems to be what I want, however I suspect that the wlan.10 traffic is missing the 802.1q vlan tags and so is filtered out of reaching any destination by the bridge.

I'm thinking I need a way to dump out exactly what wlan.10 is sending...?

Also there's no bridge command, nor ip -d link available to easily dump out the vlan membership details of everything.

Edit - another thought, perhaps I need to make a wlan interface for hostapd to sit its wlan.x interfaces on top of, and then I don't need to override the bridge part..?

Install ip-full. I cannot recall from memory if there was also a dedicated bridge package or if it is included in ip-full. bridge is the modern brctl, but both are useful.
Sadly I'm unable to comment on your other questions...

1 Like

What I'm doing for Multi-PSK setup is:

/etc/config/wireless:

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:00.0/0000:01:00.0'
	option channel '1'
	option band '2g'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'Startup'
	option encryption 'psk2+ccmp'
	option disassoc_low_ack '0'
	option key 'Abcd'
	option ieee80211r '1'
	option mobility_domain '000f'
	option reassociation_deadline '20000'
	option ft_over_ds '0'
	option ft_psk_generate_local '0'
	option pmk_r1_push '1'
	option wpa_psk_file '/etc/hostapd.wpa_psk'
	option dynamic_vlan '1'
	option vlan_naming '1'


config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '52'
	option band '5g'
	option htmode 'VHT80'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'Abcd'
	option encryption 'psk2+ccmp'
	option key '12345678'
	option ieee80211r '1'
	option mobility_domain '000f'
	option reassociation_deadline '20000'
	option ft_over_ds '0'
	option ft_psk_generate_local '0'
	option wpa_psk_file '/etc/hostapd.wpa_psk'
	option dynamic_vlan '1'
	option vlan_naming '1'

And then create a new hotplug script:

/etc/hotplug.d/net/20-wifi-vlans

#!/bin/sh
# Runs for every net hotplug event; only act when a wireless interface
# (DEVTYPE=wlan) is being added.
[ "$ACTION" = add -a "$SUBSYSTEM" = net -a "$DEVTYPE" = wlan ] && {
	# hostapd with vlan_naming=1 creates "<ifname>.<vid>", so the text after
	# the dot is the VLAN id this station interface should carry.
	wanted_pvid=${INTERFACE#*.}
	# Only proceed if that suffix is a number. A plain "wlan0" has no suffix,
	# so the comparison fails (its error message is discarded).
	if [ "$wanted_pvid" -ge "0" ] 2>/dev/null
	then
		# Attach to the single VLAN-filtering DSA bridge instead of letting
		# hostapd create a bridge per VLAN.
		ip link set "$INTERFACE" master br-switch
		bridge link set dev "$INTERFACE" hairpin on mcast_to_unicast on
		# Replace the default PVID 1 with the VLAN the PSK maps to; frames
		# towards the wireless side leave untagged.
		bridge vlan del vid 1 dev "$INTERFACE"
		bridge vlan add vid "$wanted_pvid" dev "$INTERFACE" pvid untagged
	fi
}

This skips creating additional bridge interfaces and just sets the vlan membership / pvid on the main DSA bridge with VLAN filtering.

1 Like

OK, mystery solved I think. Having hostapd add a wlan.10 device doesn't tag it with the correct vlan on the bridge.

# bridge vlan show | grep wlan
wlan.10           1 PVID Egress Untagged

This can be fixed manually with:

bridge vlan del vid 1 dev wlan.10
bridge vlan add vid 10 dev wlan.10 pvid untagged

Perhaps a hotplug script similar to as shown above is the only way to go if one is using DSA and vlan filtering?

N.B. I installed the ip-bridge package to get these commands available, as mentioned earlier in the thread.
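The manual check and fix in this post, and the hotplug script earlier in the thread, both come down to one question: does each wlan.<vid> port on the VLAN-filtering bridge actually carry <vid> as its PVID? The script below is an added example (not from the thread, and not OpenWrt's or hostapd's own code) that parses the `bridge vlan show` output format shown above, reports every wireless port whose PVID is wrong or missing, and prints the `bridge vlan` commands that would correct it. The function names check_wlan_pvids and pvid_fix_commands are mine, and the sample output embedded in it is constructed, not captured from a device. It also covers a case the post does not show: a port that is a member of its VLAN but has no PVID at all, which silently drops untagged frames arriving from the wireless side.

```shell
#!/bin/sh
# Added example, not from the thread: audit a VLAN-filtering bridge the way
# "bridge vlan show | grep wlan" is read by eye above, and generate the
# `bridge vlan` fix commands applied by hand in the post.

# Constructed sample of `bridge vlan show` output (not from a real device):
# wlan.10 still has the default PVID 1, wlan.20 is correct, wlan.30 is a
# member of VLAN 30 but has no PVID at all.
SAMPLE_BRIDGE_VLAN='port              vlan-id
lan1              1 PVID Egress Untagged
                  10 Egress Untagged
wlan.10           1 PVID Egress Untagged
wlan.20           20 PVID Egress Untagged
wlan.30           30 Egress Untagged
'

# check_wlan_pvids: read `bridge vlan show` text on stdin and print one line
# per wlan.<vid> or wlanN.<vid> port whose PVID is not <vid>, in the form
#   <port> expected=<vid> pvid=<current|none>
# Exit status is 0 when every wireless port is correct, 1 otherwise.
check_wlan_pvids() {
	awk '
		/^[^ \t]/ { port = $1; vid = $2 }   # row naming a port and its first VLAN
		/^[ \t]/  { vid = $1 }              # continuation row: another VLAN of that port
		port ~ /^wlan[0-9]*\.[0-9]+$/ {
			split(port, p, "."); want = p[2]; ports[port] = want
			if ($0 ~ /PVID/) {
				haspvid[port] = 1
				if (vid != want) { printf "%s expected=%s pvid=%s\n", port, want, vid; bad = 1 }
			}
		}
		END {
			for (q in ports)
				if (!(q in haspvid)) { printf "%s expected=%s pvid=none\n", q, ports[q]; bad = 1 }
			exit (bad ? 1 : 0)
		}
	'
}

# pvid_fix_commands: turn check_wlan_pvids output into the commands that
# correct each port. They are printed, not executed, so they can be reviewed
# before being run on the box.
pvid_fix_commands() {
	while read -r port _ pvid; do
		[ -n "$port" ] || continue
		want=${port#*.}
		cur=${pvid#pvid=}
		# Nothing to delete when the port had no PVID in the first place.
		[ "$cur" = none ] || printf 'bridge vlan del vid %s dev %s\n' "$cur" "$port"
		printf 'bridge vlan add vid %s dev %s pvid untagged\n' "$want" "$port"
	done
}

# Stand-alone run against the constructed sample. On an OpenWrt box with
# ip-bridge installed, feed real output instead:  bridge vlan show | check_wlan_pvids
report=$(printf '%s' "$SAMPLE_BRIDGE_VLAN" | check_wlan_pvids) || true
printf '%s\n' "$report"
printf '%s\n' "$report" | pvid_fix_commands
```

On the sample this reports wlan.10 (PVID 1 instead of 10) and wlan.30 (no PVID), and emits exactly the del/add pair from the post for wlan.10 plus a lone add for wlan.30. Because the check only reads `bridge vlan show`, it can also run from cron or a hotplug script to catch the case where hostapd recreates a station interface after a radio restart and the PVID reverts to 1.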

This is speculation and untested (I don't use wpa_psk_file with bridges, my APs are single-port devices), but I'm going out on a limb and guess it fails because br-switch.10 is not a bridge yet. It is defined, but it is not brought up because it contains no interfaces, and if hostapd is told to latch onto a pre-existing bridge, it will not bring it up on its own.

If I'm correct, this can be solved by pro-forma defining a proto-less interface in your network config:

config interface 'vlan10'
        option device 'br-switch.10'
        option proto 'none'

And if I'm not correct, this post will vanish again and I'll hold my peace :slight_smile:

From another thread I had open I seem to have found a (better?) solution here.

In /etc/config/network I added:

config interface 'vlan10'
	option device 'br-switch.10'
	option proto 'none'

config interface 'vlan20'
	option device 'br-switch.20'
	option proto 'none'

And in /etc/config/wireless:

config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'TEST'
	option encryption 'psk2+ccmp'
	option key 'notused'
	option ifname 'wlan0'
	option multicast_to_unicast_all '1'

config wifi-vlan
	option name 'vlan10'
	option network 'vlan10'
	option vid '10'

config wifi-station
	option key 'foosecret'
	option vid '10'

config wifi-vlan
	option name 'vlan20'
	option network 'vlan20'
	option vid '20'

config wifi-station
	option key 'barsecret'
	option vid '20'

No need for any /etc/hostapd.* files either.

Bridge looks as follows:

# bridge vlan show | grep wlan
wlan0-vlan20      20 PVID Egress Untagged
wlan0-vlan10      10 PVID Egress Untagged

The only caveat that I'm aware of is that there are some ath10k bugs reported, so we will see how I get along with this.

3 Likes

So I was actually on the right track with the uninitialized bridge subdevice and the workaround to add a proto-less interface. Good to know, not just in this case.

1 Like

So no vlan aware bridge setup?
And don't we then need bridge_empty in this case?

The bridge is vlan aware. Demo config from my other thread.

1 Like
