OpenWrt Forum Archive

Topic: Dynamic VLAN assignment and guest WLAN/VLAN

The content of this topic has been archived on 21 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi everyone,
I'm trying to configure a TL-WA701ND for deploying two separated SSID.

The first should get a Radius authentication and a dynamic VLAN assignment (and a dynamic interfaces creation).
The second should offer a guest WLAN routed on a separated VLAN.

Each one works fine, but when I try to work with the two interfaces together I can't understand why the dynamic bridged interface is not correctly created.

vlan.20 = guest VLAN
vlan.21 = dynamic assigned VLAN

/etc/config/wireless

config wifi-device 'radio0'
    option type 'mac80211'
    option hwmode '11g'
    option htmode 'HT20'
    option txpower '30'
    option country 'US'
    option channel '11'

# wlan0
config wifi-iface
    option device 'radio0'
    option mode 'ap'
    option ssid 'WiFi'
    option encryption 'wpa2'
    option auth_server '192.168.33.2'
    option auth_port '1812'
    option auth_secret 'test'
    option dynamic_vlan '2'
    option vlan_file '/etc/config/hostapd.vlan'
    option vlan_tagged_interface 'eth0'
    option network 'lan'

# wlan0-1
config wifi-iface
    option device 'radio0'
    option mode 'ap'
    option ssid 'WiFi_Guest'
    option encryption 'psk2'
    option key 'guestwifi'
    option isolate '1'
    option network 'vlan20'

/etc/config/network

config interface 'loopback'
    option ifname 'lo'
    option proto 'static'
    option ipaddr '127.0.0.1'
    option netmask '255.0.0.0'

config interface 'lan'
    option ifname 'eth0'
    option force_link '1'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.33.30'
    option netmask '255.255.255.0'
    option gateway '192.168.33.1'
    option dns '192.168.10.1'

# used by wlan0-1
config interface 'vlan20'
    option type 'bridge'
    option proto 'none'
    option ifname 'eth0.20'


FIRST TEST
wlan0 disabled, wlan0-1 enabled

When I try to connect to wlan0-1 (WiFi_Guest), everything works fine. The client is directed to the right vlan (guest / eth0.20).

As you can see the interfaces are correctly bridged.

root@OpenWrt:~# brctl show
bridge name    bridge id        STP enabled    interfaces
br-lan        7fff.74ea3aeed241    no        eth0 wlan0
br-vlan20        7fff.74ea3aeed241    no        eth0.20    wlan0-1


SECOND TEST
wlan0 enabled, wlan0-1 disabled

When I try to connect to wlan0 (WiFi), everything works fine.
Automatically hostapd communicates with the Radius server and creates the right interfaces that the client needs. Perfect.

As you can see the interfaces are correctly bridged.

root@OpenWrt:/etc/config# brctl show
bridge name    bridge id        STP enabled    interfaces
br-lan        7fff.74ea3aeed241    no        eth0 wlan0
breth0.21        8000.74ea3aeed241    no        eth0.21    wlan0.21


THIRD TEST
When I try to use wlan0 and wlan0-1 together, something wrong happens.
As you can see, the dynamic bridged interface breth0.21 doesn't contain the right interfaces (where is eth0.21?).

root@OpenWrt:~# brctl show
bridge name    bridge id        STP enabled    interfaces
br-lan        7fff.74ea3aeed241    no        eth0 wlan0
br-vlan20        7fff.74ea3aeed241    no        eth0.20    wlan0-1
breth0.21        8000.74ea3aeed241    no        wlan0.21

Could I use this manual command?

brctl addif breth0.21 eth0.21

But I can't manage breth0.21 if it is up. And I don't know if it would solve the problem...
And I need dynamic vlan assignment! (I have like 10 different WLAN VLAN).



Can anyone give me some advice?
Thanks!

How are your bridges getting created with different naming styles? breth0.20 vs. br-vlan20? These bridges should be automatically created by hostapd and so should have similar naming schemes.

You are right. I can see a different naming.

The "breth" naming is used by hostapd to automatically translate the Radius profile (Tunnel-Private-Group-ID) into a vlan interface with the same id.
So, in my case, breth0.21 is created as a bridge between eth0.21 and wlan0.21 (eth0.21 and wlan0.21 are created automatically too).

The "br-vlan" naming is used by LuCI to create a bridge interface between the main local interface and the vlan interface.
So, in my case, through LuCI I have manually created eth0.20 and then br-vlan20 as a bridge of wlan0-1 and eth0.20.
In LuCI we can't change the 'br-vlan' naming.

But I think this is just a labelling problem, and not the real problem.

Maybe this post gives us more info, but I can't understand very well if it can provide a solution for the problem.

https://forum.openwrt.org/viewtopic.php?id=26752

If you have one bridge containing the "parent" interface, e.g. br-lan over eth0, and another bridge containing a vlan interface, e.g. br-vlan over eth0.1, the bridge containing the parent will eat all frames, also the tagged ones, thus the bridge over the vlan iface sees no traffic.

You can try to make the vlan interface on top of the bridge, e.g. br-lan over eth0 and then "vconfig add br-lan 1" to get a br-lan.1.

Thanks!

It seems to be saying that you should have a wlan0-2 for the RADIUS client so it can get only that traffic, and guest will still be directed to wlan0-1.  wlan0 itself shouldn't be connected to anything.

It's a bit complicated to explain but in some situations it is important that hostapd adds the WLAN interface for each VLAN to the existing bridge interface rather than create a new bridge of its own naming. In CC r43473 I modified the hostapd config script to allow you some control over the bridge naming which hostapd will connect to using the vlan_bridge parameter. This change will be included in future Chaos Calmer releases.

In the meantime you can effect this change by updating your hostapd.sh script on your device (IIRC it is located in /lib/netifd/ ?) to the new one here, which should work in BB as well as in CC, though you will want to confirm that the change is actually modifying the effective hostapd config (in /tmp).

You'll also want to review the hostapd configuration details, specifically the vlan_bridge option and will need to setup eth0.21 as a bridged interface in UCI that hostapd will add the wlan interface to rather than hostapd creating a completely new bridge.

Or you can wait for future builds of CC and my documentation effort of advanced RADIUS configurations...but that could be a while. Hopefully I've given you enough hints to go on.

You are a genius!!!
With your patch now everything is working properly!

This is my configuration. Maybe it will help someone else too.

/etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd13:7ab9:3ad6::/48'

config interface 'lan'
        option ifname 'eth0'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.33.10'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option gateway '192.168.33.1'
        option dns '192.168.10.1'

config interface 'vlan20'
        option ifname 'eth0.20'
        option type 'bridge'
        option proto 'none'
        option auto '1'

config interface 'vlan21'
        option type 'bridge'
        option proto 'none'
        option auto '1'
        option ifname 'eth0.21'

/etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'pci0000:00/0000:00:00.0'
        option htmode 'HT20'
        option txpower '30'
        option country 'US'

# wlan0 (dynamic VLAN assignment by Radius)
config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option ssid 'BalducciWiFi'
        option encryption 'wpa2'
        option auth_server '192.168.33.2'
        option auth_port '1812'
        option auth_secret 'test'
        option dynamic_vlan '2'

# yes, this is the magic option :)
# the naming is the same that uci uses
        option vlan_bridge 'br-vlan'

# I no longer need these options
#       option vlan_file '/etc/config/hostapd.vlan'
#       option vlan_tagged_interface 'eth0'

# wlan0-1 (simple wpa authentication)
config wifi-iface
        option device 'radio0'
        option mode 'ap'
        option ssid 'WiFi_Guest'
        option key 'guestwifi'
        option isolate '1'
        option network 'vlan20'
        option encryption 'psk-mixed'

root@OpenWrt:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr 74:EA:3A:EE:D2:41  
          inet addr:192.168.33.10  Bcast:192.168.33.255  Mask:255.255.255.0
          inet6 addr: fe80::76ea:3aff:feee:d241/64 Scope:Link
          inet6 addr: fd13:7ab9:3ad6::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:222 errors:0 dropped:0 overruns:0 frame:0
          TX packets:210 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:26424 (25.8 KiB)  TX bytes:45730 (44.6 KiB)

br-vlan20 Link encap:Ethernet  HWaddr 74:EA:3A:EE:D2:41  
          inet6 addr: fe80::76ea:3aff:feee:d241/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:70 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:3794 (3.7 KiB)  TX bytes:408 (408.0 B)

br-vlan21 Link encap:Ethernet  HWaddr 74:EA:3A:EE:D2:41  
          inet6 addr: fe80::76ea:3aff:feee:d241/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:368 (368.0 B)  TX bytes:408 (408.0 B)

eth0      Link encap:Ethernet  HWaddr 74:EA:3A:EE:D2:41  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:358 errors:0 dropped:3 overruns:0 frame:0
          TX packets:229 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:40290 (39.3 KiB)  TX bytes:47468 (46.3 KiB)
          Interrupt:5 

eth0.20   Link encap:Ethernet  HWaddr 74:EA:3A:EE:D2:41  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:108 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:6372 (6.2 KiB)  TX bytes:798 (798.0 B)

eth0.21   Link encap:Ethernet  HWaddr 74:EA:3A:EE:D2:41  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:8 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:368 (368.0 B)  TX bytes:454 (454.0 B)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr 74:EA:3A:EE:D2:41  
          inet6 addr: fe80::76ea:3aff:feee:d241/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:480 (480.0 B)

wlan0-1   Link encap:Ethernet  HWaddr 76:EA:3A:EE:D2:41  
          inet6 addr: fe80::74ea:3aff:feee:d241/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:48 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:4064 (3.9 KiB)

root@OpenWrt:~# brctl show
bridge name    bridge id        STP enabled    interfaces
br-lan        7fff.74ea3aeed241    no        eth0
br-vlan20        7fff.74ea3aeed241    no        eth0.20    wlan0-1
br-vlan21        7fff.74ea3aeed241    no        eth0.21


*** FIRST TEST
I can correctly connect to SSID 'WiFi_Guest' (wlan0-1 / vlan20).

*** SECOND TEST
I can correctly connect to SSID 'WiFi' (wlan0 / vlan21).
Hostapd gets the right VLAN radius profile (radiusTunnelPrivateGroupId 21) and dynamically creates this new interface.

wlan0.21  Link encap:Ethernet  HWaddr 74:EA:3A:EE:D2:41  
          inet6 addr: fe80::76ea:3aff:feee:d241/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:194 errors:0 dropped:0 overruns:0 frame:0
          TX packets:378 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:18411 (17.9 KiB)  TX bytes:42719 (41.7 KiB)

Now the hostapd magic option (option vlan_bridge 'br-vlan') adds the new interface wlan0.21 to the already present br-vlan21 bridge.

root@OpenWrt:~# brctl show
bridge name    bridge id        STP enabled    interfaces
br-lan        7fff.74ea3aeed241    no        eth0
br-vlan20        7fff.74ea3aeed241    no        eth0.20 wlan0-1
br-vlan21        7fff.74ea3aeed241    no        eth0.21 wlan0.21

And everything works fine!!! No breth0.* interfaces are now created.



Only one problem remains.
I have 20 APs and 10 VLANs (with very different privileges on the network), and now I have to create 10 bridge interfaces on each AP.
I tried to remove 'br-vlan21' hoping that hostapd would create it by itself, but nothing happened.



BenFranske,
your patch is wonderful,
thank you very much!!!
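As an added example (not code from the thread, from OpenWrt or from hostapd), the POSIX shell script below covers two points raised in this thread: the earlier explanation that a VLAN bridge is useless unless its wired side (eth0.NN) is actually a member, which is what the THIRD TEST output shows going wrong, and the remark just above that with vlan_bridge 'br-vlan' every AP still needs one pre-created bridge per VLAN. It assumes eth0 as the tagged uplink and the br-vlanNN naming that vlan_bridge 'br-vlan' produces; the two brctl outputs embedded in it are constructed samples modelled on the outputs posted above.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenWrt/hostapd.
# Assumptions: eth0 is the tagged uplink, each VLAN gets a UCI bridge
# 'vlanNN' over eth0.NN, and hostapd runs with vlan_bridge 'br-vlan' so that
# a RADIUS Tunnel-Private-Group-ID of NN lands wlan0.NN in br-vlanNN.

# Emit the /etc/config/network stanzas for every VLAN id given, so the
# per-AP bridge list can be generated instead of typed ten times over.
gen_vlan_bridges() {
    for vid in "$@"; do
        printf "config interface 'vlan%s'\n" "$vid"
        printf "\toption type 'bridge'\n"
        printf "\toption proto 'none'\n"
        printf "\toption auto '1'\n"
        printf "\toption ifname 'eth0.%s'\n\n" "$vid"
    done
}

# Verify brctl output: br-vlanNN must exist and contain eth0.NN for every
# VLAN id. A bridge that holds only the wlan side (the THIRD TEST symptom,
# breth0.21 without eth0.21) means clients on that VLAN have no path to the
# wire. Prints each offending VLAN and returns 1 if any is found.
check_vlan_bridges() {
    brctl_out=$1
    shift
    rc=0
    for vid in "$@"; do
        # brctl prints extra member ports on continuation lines that start
        # with whitespace, so carry the current bridge name across lines.
        members=$(printf '%s\n' "$brctl_out" | awk -v br="br-vlan$vid" '
            /^[^ \t]/ { cur = $1 }
            cur == br { for (i = 1; i <= NF; i++) print $i }')
        case " $(printf '%s' "$members" | tr '\n' ' ') " in
            *" eth0.$vid "*) ;;
            *) echo "br-vlan$vid: eth0.$vid is not a member"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed samples modelled on the thread's THIRD TEST (broken) and on the
# final working state after vlan_bridge was set.
BRCTL_BROKEN='bridge name     bridge id               STP enabled     interfaces
br-lan          7fff.74ea3aeed241       no              eth0
                                                        wlan0
br-vlan20       7fff.74ea3aeed241       no              eth0.20
                                                        wlan0-1
breth0.21       8000.74ea3aeed241       no              wlan0.21'

BRCTL_OK='bridge name     bridge id               STP enabled     interfaces
br-lan          7fff.74ea3aeed241       no              eth0
br-vlan20       7fff.74ea3aeed241       no              eth0.20
                                                        wlan0-1
br-vlan21       7fff.74ea3aeed241       no              eth0.21
                                                        wlan0.21'

# Stand-alone demo: print the stanzas, then check both samples.
gen_vlan_bridges 20 21
check_vlan_bridges "$BRCTL_OK" 20 21 && echo "working state: all VLAN bridges have their uplink"
check_vlan_bridges "$BRCTL_BROKEN" 20 21 || echo "broken state detected, as in the THIRD TEST"
```

On a real AP the check would be run as check_vlan_bridges "$(brctl show)" 20 21 ... after a client has authenticated, which also confirms that wlan0.NN joined the same bridge; a VLAN whose bridge lacks its eth0.NN member is the case where the RADIUS-assigned VLAN silently carries no traffic.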

If you are just using the devices as simple APs and NOT as routers it is possible to make it work without the patch; you will just be unable to access the device itself, as the traffic has to flow out through a tagged switch port instead. I don't have a sample config handy, but I set it up that way for a client site last spring without the patch. I believe you do still need to create the VLANs on the switch though, so it does involve touching every AP whenever you want to add or remove a vlan. If I get some time to try and improve that to make it more viable for enterprise use I would like to do so.

I have been working on improving documentation on the wireless 802.1x capabilities of OpenWRT and now have some information on the wiki about dynamic vlan support which may be of assistance to someone reading this thread. http://wiki.openwrt.org/doc/howto/wirel … rity.8021x There will be additional enhancements to the page over time too.
