Yet another VLAN setup question

Hi again @psherman, once again I appreciate you weighing in on this. I missed it above, but dhcpd was disabled as well.

My goal is to have one SSID and multi-vlan attached to it. As mentioned above, I use Ubiquiti hardware at work (and interestingly enough, the APs [UAP-AC-LR] we have are based on OpenWrt; there are even bits of it still on the filesystem, which is why I chose OpenWrt for this task) and I can have multi-vlan on the device including isolated guest. Not sure what the secret sauce is, but it works.

I did test the vlan1/pvid1 for br-lan.1 as well but didn't think to just tag lan1 itself.

Not sure I understand why to drop the vlan statements, aren't they needed?

If I can only attach one network to one SSID, then this was doomed from the start; I'll never be able to achieve what I'm looking for, based on what you're saying.

EDIT:

So I'm at work and took a look at one of the APs, pretty interesting stuff. I think I can reverse-engineer this to fit my use case now that I have a working example to look at:

$ cat /etc/openwrt_version 
r3979-2252731af4

$ cat /etc/openwrt_release 
DISTRIB_ID='LEDE'
DISTRIB_RELEASE='17.01.6'
DISTRIB_REVISION='r3979-2252731af4'
DISTRIB_CODENAME='reboot'
DISTRIB_TARGET='ar71xx/ubnt'
DISTRIB_ARCH='mips_24kc'
DISTRIB_DESCRIPTION='LEDE Reboot 17.01.6 r3979-2252731af4'
DISTRIB_TAINTS='no-all mklibs busybox'

$ brctl show

bridge name     bridge id               STP enabled     interfaces
br0             ffff.788a20f3b41e       no              eth0
                                                        ath3.1
                                                        ath1.1
br0.90          ffff.788a20f3b41e       no              ath0
                                                        ath2
                                                        eth0.90
br0.57          ffff.788a20f3b41e       no              ath1
                                                        ath3
                                                        eth0.57
br0.65          ffff.788a20f3b41e       no              eth0.65
                                                        ath1.65
br0.60          ffff.788a20f3b41e       no              eth0.60
                                                        ath1.60
br0.70          ffff.788a20f3b41e       no              eth0.70
br0.30          ffff.788a20f3b41e       no              eth0.30
$ ls -la /etc/hostapd/
drwxr-xr-x    2 ILMAT root             0 Feb 22 19:58 .
drwxr-xr-x   24 ILMAT root             0 Feb 22 19:59 ..
-rw-r--r--    1 ILMAT root           676 Feb 22 19:59 ath0.cfg
-rw-r--r--    1 ILMAT root           961 Feb 22 19:58 ath1.cfg
-rw-r--r--    1 ILMAT root            37 Feb 22 19:58 ath1.vlan
-rw-r--r--    1 ILMAT root           676 Feb 22 19:59 ath2.cfg
-rw-r--r--    1 ILMAT root           961 Feb 22 19:58 ath3.cfg
-rw-r--r--    1 ILMAT root            37 Feb 22 19:58 ath3.vlan
-rw-r--r--    1 ILMAT root           454 Feb 22 04:48 ath4.cfg
-rw-r--r--    1 ILMAT root           739 Feb 22 04:48 ath5.cfg
-rw-r--r--    1 ILMAT root            37 Dec 31  1969 ath5.vlan
-rw-r--r--    1 ILMAT root           442 Feb 22 04:48 vwire2.cfg
-rw-r--r--    1 ILMAT root           442 Feb 22 04:48 vwire6.cfg

# cat ath0.cfg
interface=ath0
ctrl_interface=/var/run/hostapd
driver=atheros
nas_identifier=$bssid
mobility_domain=e39a
rkh_pos_timeout=10000
reassociation_deadline=3000
pmk_r1_push=1
ft_over_ds=0
r0kh=ff:ff:ff:ff:ff:ff * <redacted>
r1kh=00:00:00:00:00:00 00:00:00:00:00:00 <redacted>
ssid=GUEST
wpa_group_rekey=3600
wpa_group_update_count=4
wpa_gmk_rekey=86400
wpa_passphrase=<redacted>
bridge=br0.90
wpa=2
eapol_version=2
ieee80211w=1
wpa_pairwise=CCMP
wpa_key_mgmt=WPA-PSK FT-PSK
disable_pmksa_caching=1
bss_transition=1
logger_syslog=-1
logger_syslog_level=2
wlan_id=e39a
iapp_key=<redacted>

# cat /etc/hostapd/ath1.vlan 
*       ath1.#
1       ath1.1  br0
57      ath1    br0.57

# cat /etc/hostapd/ath1.cfg 
interface=ath1
ctrl_interface=/var/run/hostapd
driver=atheros
nas_identifier=$bssid
mobility_domain=f0f0
rkh_pos_timeout=10000
reassociation_deadline=3000
pmk_r1_push=1
ft_over_ds=0
r0kh=ff:ff:ff:ff:ff:ff * <redacted>
r1kh=00:00:00:00:00:00 00:00:00:00:00:00 <redacted>
ssid=<redacted>
wpa_group_rekey=3600
wpa_group_update_count=4
wpa_gmk_rekey=86400
wpa_passphrase=<redacted>
auth_server_addr=<redacted>
auth_server_port=1812
auth_server_shared_secret=<redacted>
macaddr_acl=2
macaddr_format=%.2X%.2X%.2X%.2X%.2X%.2X
mac_acl_empty_passwd=0
dynamic_vlan=1
vlan_tagged_interface=eth0
vlan_naming=1
vlan_bridge=br0.
vlan_file=/etc/hostapd/ath1.vlan
wpa=2
eapol_version=2
ieee80211w=1
wpa_pairwise=CCMP
wpa_key_mgmt=WPA-PSK FT-PSK
country_code=CA
ieee80211d=1
disable_pmksa_caching=1
bss_transition=1
logger_syslog=-1
logger_syslog_level=2
wlan_id=f0f0
iapp_key=<redacted>
own_ip_addr=<redacted>
# ps | grep hostapd
 3530 ILMAT  6592 S    /usr/sbin/hostapd -P /var/run/hostapd/ath3.pid /etc/hostapd/ath3.cfg
 3533 ILMAT  6672 S    /usr/sbin/hostapd -l 5 -P /var/run/hostapd/ath1.pid /etc/hostapd/ath1.cfg
 3574 ILMAT     0 Z    [hostapd]
 3883 ILMAT     0 Z    [hostapd]
 4761 ILMAT  6596 S    /usr/sbin/hostapd -l 5 -P /var/run/hostapd/ath0.pid /etc/hostapd/ath0.cfg
 4762 ILMAT  6572 S    /usr/sbin/hostapd -P /var/run/hostapd/ath2.pid /etc/hostapd/ath2.cfg
 7221 ILMAT     0 Z    [hostapd]
18615 ILMAT  1212 S    grep hostapd
26130 ILMAT     0 Z    [hostapd]
# ifconfig -a
ath0      Link encap:Ethernet  HWaddr 78:8A:20:F4:B4:1E  
          inet6 addr: fe80::7a8a:20ff:fef4:b41e/64 Scope:Link
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:2598103 errors:1285 dropped:1285 overruns:0 frame:0
          TX packets:5539746 errors:0 dropped:2 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:467944197 (446.2 MiB)  TX bytes:7769674493 (7.2 GiB)

ath1      Link encap:Ethernet  HWaddr 7E:8A:20:F4:B4:1E  
          inet6 addr: fe80::7c8a:20ff:fef4:b41e/64 Scope:Link
          UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:2876056 errors:6767 dropped:6771 overruns:0 frame:0
          TX packets:8022183 errors:0 dropped:114 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:617262518 (588.6 MiB)  TX bytes:7517523178 (7.0 GiB)

ath1.1    Link encap:Ethernet  HWaddr 7E:8A:20:F4:B4:1E  
          inet6 addr: fe80::7c8a:20ff:fef4:b41e/64 Scope:Link
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6596094 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:1205689590 (1.1 GiB)

ath1.60   Link encap:Ethernet  HWaddr 7E:8A:20:F4:B4:1E  
          inet6 addr: fe80::7c8a:20ff:fef4:b41e/64 Scope:Link
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:5575 errors:0 dropped:0 overruns:0 frame:0
          TX packets:19165 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:732345 (715.1 KiB)  TX bytes:2866941 (2.7 MiB)

ath1.65   Link encap:Ethernet  HWaddr 7E:8A:20:F4:B4:1E  
          inet6 addr: fe80::7c8a:20ff:fef4:b41e/64 Scope:Link
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:3446 errors:0 dropped:0 overruns:0 frame:0
          TX packets:39783 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:183077 (178.7 KiB)  TX bytes:4262148 (4.0 MiB)

ath2      Link encap:Ethernet  HWaddr 78:8A:20:F5:B4:1E  
          inet6 addr: fe80::7a8a:20ff:fef5:b41e/64 Scope:Link
          UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:1386976 errors:1414 dropped:1414 overruns:0 frame:0
          TX packets:1968095 errors:96795 dropped:2 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:210846194 (201.0 MiB)  TX bytes:2612893202 (2.4 GiB)

ath3      Link encap:Ethernet  HWaddr 7E:8A:20:F5:B4:1E  
          inet6 addr: fe80::7c8a:20ff:fef5:b41e/64 Scope:Link
          UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:2454965 errors:12799 dropped:16334 overruns:0 frame:0
          TX packets:4667504 errors:425635 dropped:2 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:1046161692 (997.6 MiB)  TX bytes:3975901779 (3.7 GiB)

ath3.1    Link encap:Ethernet  HWaddr 7E:8A:20:F5:B4:1E  
          inet6 addr: fe80::7c8a:20ff:fef5:b41e/64 Scope:Link
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6596141 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:1205697486 (1.1 GiB)

br0       Link encap:Ethernet  HWaddr 78:8A:20:F3:B4:1E  
          inet addr:<redacted>  Bcast: x.x.x.255  Mask:255.255.255.0
          inet6 addr: fe80::7a8a:20ff:fef3:b41e/64 Scope:Link
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:5894326 errors:0 dropped:336264 overruns:0 frame:0
          TX packets:736782 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1000726220 (954.3 MiB)  TX bytes:242332218 (231.1 MiB)

br0.30    Link encap:Ethernet  HWaddr 78:8A:20:F3:B4:1E  
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:296900 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:26089189 (24.8 MiB)  TX bytes:0 (0.0 B)

br0.57    Link encap:Ethernet  HWaddr 78:8A:20:F3:B4:1E  
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:748986 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:126076970 (120.2 MiB)  TX bytes:0 (0.0 B)

br0.60    Link encap:Ethernet  HWaddr 78:8A:20:F3:B4:1E  
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:589364 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:77377797 (73.7 MiB)  TX bytes:0 (0.0 B)

br0.65    Link encap:Ethernet  HWaddr 78:8A:20:F3:B4:1E  
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:469762 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:51516677 (49.1 MiB)  TX bytes:0 (0.0 B)

br0.70    Link encap:Ethernet  HWaddr 78:8A:20:F3:B4:1E  
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:67549 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:5230986 (4.9 MiB)  TX bytes:0 (0.0 B)

br0.90    Link encap:Ethernet  HWaddr 78:8A:20:F3:B4:1E  
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:128974 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:9158219 (8.7 MiB)  TX bytes:0 (0.0 B)

eth0      Link encap:Ethernet  HWaddr 78:8A:20:F3:B4:1E  
          inet6 addr: fe80::7a8a:20ff:fef3:b41e/64 Scope:Link
          UP BROADCAST RUNNING PROMISC ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:31634907 errors:0 dropped:4 overruns:15 frame:0
          TX packets:11236926 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:301576697 (287.6 MiB)  TX bytes:2433631943 (2.2 GiB)
          Interrupt:4 

eth0.30   Link encap:Ethernet  HWaddr 78:8A:20:F3:B4:1E  
          inet6 addr: fe80::7a8a:20ff:fef3:b41e/64 Scope:Link
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:1753253 errors:0 dropped:0 overruns:0 frame:0
          TX packets:874134 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1403366713 (1.3 GiB)  TX bytes:59153759 (56.4 MiB)

eth0.57   Link encap:Ethernet  HWaddr 78:8A:20:F3:B4:1E  
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:8793126 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3593869 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:9065257551 (8.4 GiB)  TX bytes:1027681935 (980.0 MiB)

eth0.60   Link encap:Ethernet  HWaddr 78:8A:20:F3:B4:1E  
          inet6 addr: fe80::7a8a:20ff:fef3:b41e/64 Scope:Link
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:867698 errors:0 dropped:0 overruns:0 frame:0
          TX packets:387979 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:146954393 (140.1 MiB)  TX bytes:69490121 (66.2 MiB)

eth0.65   Link encap:Ethernet  HWaddr 78:8A:20:F3:B4:1E  
          inet6 addr: fe80::7a8a:20ff:fef3:b41e/64 Scope:Link
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:486980 errors:0 dropped:0 overruns:0 frame:0
          TX packets:13929 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:53434731 (50.9 MiB)  TX bytes:1058057 (1.0 MiB)

eth0.70   Link encap:Ethernet  HWaddr 78:8A:20:F3:B4:1E  
          inet6 addr: fe80::7a8a:20ff:fef3:b41e/64 Scope:Link
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:129743 errors:0 dropped:0 overruns:0 frame:0
          TX packets:95000 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:13431641 (12.8 MiB)  TX bytes:7860376 (7.4 MiB)

eth0.90   Link encap:Ethernet  HWaddr 78:8A:20:F3:B4:1E  
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
          RX packets:7735607 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3956348 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:10430371307 (9.7 GiB)  TX bytes:615907078 (587.3 MiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:7156 errors:0 dropped:0 overruns:0 frame:0
          TX packets:7156 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:942426 (920.3 KiB)  TX bytes:942426 (920.3 KiB)

teql0     Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wifi0     Link encap:UNSPEC  HWaddr 78-8A-20-F4-B4-1E-00-00-00-00-00-00-00-00-00-00  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:104474881 errors:7884747 dropped:0 overruns:0 frame:7884747
          TX packets:64196659 errors:4304801 dropped:37316 overruns:0 carrier:0
          collisions:0 txqueuelen:539 
          RX bytes:28590639475 (26.6 GiB)  TX bytes:37323503239 (34.7 GiB)
          Interrupt:47 Memory:b8100000-b8120000 

wifi1     Link encap:UNSPEC  HWaddr 78-8A-20-F5-B4-1E-00-00-00-00-00-00-00-00-00-00  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:3961224 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6636438 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:539 
          RX bytes:1295585261 (1.2 GiB)  TX bytes:6589048709 (6.1 GiB)
          Interrupt:40
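The ath1.vlan file and the dynamic_vlan settings in ath1.cfg above are what place a client on the VLAN returned by RADIUS. As an added example (not code from the thread, OpenWrt or hostapd), this Python models that lookup: it parses the vlan_file format, applies the '*'/'#' wildcard, and derives the bridge from the vlan_bridge prefix, reproducing the ath1.60/br0.60 pairing visible in brctl show. The brvlan<id> fallback and hostapd refusing a station whose VLAN has no mapping are taken from hostapd's documented behaviour, not from the thread.

```python
"""Resolve a RADIUS-assigned VLAN ID through a hostapd vlan_file.

Added example, not code from the thread, OpenWrt or hostapd: it models the
lookup hostapd does with dynamic_vlan=1 when an Access-Accept carries a
Tunnel-Private-Group-ID. Line format: <vlan-id> <ifname> [<bridge>];
vlan-id '*' is a wildcard and '#' is replaced by the numeric VLAN ID.
"""

# Constructed copy of the /etc/hostapd/ath1.vlan file shown above.
ATH1_VLAN = """\
*       ath1.#
1       ath1.1  br0
57      ath1    br0.57
"""


def parse_vlan_file(text):
    """Return (explicit {vid: (ifname, bridge)}, wildcard (ifname, bridge) or None)."""
    explicit, wildcard = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        if not fields or fields[0].startswith("#"):  # blank or comment line
            continue
        if len(fields) not in (2, 3):
            raise ValueError(f"line {lineno}: expected '<vlan-id> <ifname> [<bridge>]'")
        mapping = (fields[1], fields[2] if len(fields) == 3 else None)
        if fields[0] == "*":
            wildcard = mapping
            continue
        vid = int(fields[0])
        if not 1 <= vid <= 4094:
            raise ValueError(f"line {lineno}: VLAN ID {vid} outside 802.1Q range")
        explicit[vid] = mapping
    return explicit, wildcard


def resolve_vlan(vid, explicit, wildcard, vlan_bridge=""):
    """Map a RADIUS-assigned VLAN ID to (ifname, bridge), or None if unmapped.

    Explicit entries win over the wildcard. A line naming no bridge gets one
    from the vlan_bridge prefix ('br0.' in ath1.cfg), so VLAN 60 lands on
    br0.60; with no prefix hostapd falls back to brvlan<id>. No entry and no
    wildcard means hostapd refuses the station rather than leaving it untagged.
    """
    if not 1 <= vid <= 4094:  # reject a bogus ID from the RADIUS server
        raise ValueError(f"VLAN ID {vid} outside 802.1Q range")
    ifname, bridge = explicit.get(vid, (None, None))
    if ifname is None:
        if wildcard is None:
            return None
        ifname = wildcard[0].replace("#", str(vid))
        bridge = wildcard[1].replace("#", str(vid)) if wildcard[1] else None
    if bridge is None:
        bridge = f"{vlan_bridge}{vid}" if vlan_bridge else f"brvlan{vid}"
    return ifname, bridge
```

With a wildcard entry, any VLAN ID the RADIUS server returns becomes a valid placement, so the file is only as trustworthy as the RADIUS server and the shared secret protecting it.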

So I should probably bow out of this part because I don't actually know the specifics of setting up a dumb AP in the context of 802.1x/radius based authentication... hopefully someone else can help on that front.

The Unifi firmware is indeed based on OpenWrt, but it is extremely highly customized and barely resembles OpenWrt at this point (it's also based on a very old version and was forked a long time ago).

Ubiquiti added a lot of 'secret sauce' to Unifi. Some of it is different on the APs themselves, other parts are simply in the way that the devices are provisioned and managed.

I'm actually not sure why they exist as an option, because the kernel correctly interprets the vlans (br-lan.x) without the need for a separate 802.1q device configuration stanza. Maybe someone else can answer why they are there and when they are useful.

No... but as I said above, I'm probably not the one to get you over the goalposts at this point. I had actually forgotten that you were using authentication to direct the VLAN assignments (I was focusing on VLANs over the trunk). My apologies if I have ended up wasting any time or effort here.

How much time do you want to invest? It really isn't OpenWrt anymore for any practical purposes... there's lots of secret sauce in there.

It would seem it's natively supported and perhaps I'm just really overcomplicating things. Currently going through here: https://openwrt.org/docs/guide-user/network/wifi/wireless.security.8021x#x_dynamic_vlans_on_an_openwrt_router

It seems hostapd is where this magic happens, based on the guide. It definitely seems possible to accomplish; there are even specific naming conventions to use.

Worth a shot to me :slight_smile:

I would say the functionality is available in OpenWrt, but I wouldn't call it native per se because it requires additional configuration, and things like a RADIUS server are not installed by default (so you would need to install it or have it installed elsewhere).

I can't speak to the details of that wiki article, but yes, that looks like a good one to be reading.

Yup! I'm pretty sure it can be done... I'm just not the expert here.