
guest-wifi (wl0.1) on a newly created bridge (br1), clients can't connect


JensM

Occasional Visitor
Hi,

my goal is to create a vlan for "some devices" which are wired and wireless devices.
I've already created a bridge (br1), a vlan (vlan9) and assigned port4 to vlan9.
I've also set up some iptables rules so the port4 device is working in its own subnet without being able to access the other devices.

The problem I'm facing now seems to be different: When I try to assign one guest-wifi (I've removed all others for testing, only wl0.1 exists) to the new bridge it stops working. I cannot connect with wifi-clients. Instead they seem to time out. When wl0.1 is assigned to br0 everything works, so I can say that it is not another thing on the client side that prevents establishing the wireless connection.

This is how my bridge looks in my preferred solution:
Code:
bridge name     STP enabled     interfaces
br0             yes             vlan1
                                eth1
                                eth2
br1             no              wl0.1
                                vlan9

One thing I already thought about is that I maybe need to have eth1 also on br1. Maybe I cannot split away just a guest wifi because they are just the same thing physically. But I couldn't find information about that yet.

But still weird things happen when I move around wifis between bridges, so any advice or experience from others would be helpful.
 
Interestingly enough, I have a question here about guest network and separate bridge, where clients can connect but actually end up being connected to br0 despite wl0.1 being in br1 which confuses me terribly. Have a look at the commands I run and see if you get the same results as me?
 

Found out that this seems to be my issue:
http://www.snbforums.com/threads/wap-guest-ssid-port-based-vlan.12750/page-2#post-192794
http://www.snbforums.com/threads/works-perfectly-if-i-disable-all-authentication.12281/#post-77954

But this doesn't solve the issue for me! I set those nvram variables lan and lan1 to my vlans and wl0.1 but still no authentication with wpa2 possible on wl0.1. :(
Restarted and retried everything so often, but nothing helps; as soon as wl0.1 is on br1 it times out when clients try to connect. This is so frustrating since there is no output or anything, everything looks nice but I cannot connect to this wifi. :(
 
Sorry to hear.

Assume you are running a later or latest version given the auth issue is solved in later versions? Because I can get auth working, but accesses the wrong bridge.

Will give the nvram settings a go for my problem.

P.
 
I've tested a lot of stuff but from what I understood so far even this minimal config should work, but it doesn't, it breaks wpa2 on wl0.1:

Code:
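# Switch VLANs: ports 1-3 in VLAN 1, port 4 in VLAN 3 ("8t" = port 8, tagged)
robocfg vlan 1 ports "1 2 3 8t"
robocfg vlan 3 ports "4 8t"
# Create the vlan3 interface on eth0 and bring it up
vconfig add eth0 3
ifconfig vlan3 up

# New bridge br1: move the guest SSID (wl0.1) off br0 and bridge it with vlan3
brctl addbr br1
brctl delif br0 wl0.1
brctl addif br1 wl0.1
brctl addif br1 vlan3
ifconfig br1 192.168.3.1 netmask 255.255.255.0
ifconfig br1 up

# nvram interface lists for br0 (lan) and br1 (lan1)
nvram set lan_ifnames="vlan1 eth1 eth2"
nvram set lan_ifname="br0"

nvram set lan1_ifnames="vlan3 wl0.1"
nvram set lan1_ifname="br1"

# Restart eapd after changing the nvram variables
killall eapd
eapd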
 
I have read that vlans below 5 might cause conflicting issues so am going to give say vlan10 a go.

 
vlan10 didn't work. Am giving up on these devices to make it work for me. I think the Broadcom / Quantenna combination of using one physical interface is part of the issue.

Think I am going to bite the bullet and write off the money I spent on these and get a couple of TP-Link AC2600s that have separate physical linux interfaces per radio in OpenWRT and can do the separation / guest roaming I require.
 
Hi,

Wanted to let you know that I had success with my project. Yours sounds somewhat more complicated since you are using tagged vlans, so your issues seem to be a bit different from mine. For me the only remaining issue was the WPA2 authentication failure on bridge1.

For me the already found links:
http://www.snbforums.com/threads/wap-guest-ssid-port-based-vlan.12750/page-2#post-192794
http://www.snbforums.com/threads/works-perfectly-if-i-disable-all-authentication.12281/#post-77954
did work. I don't know why they didn't on my first test, but after waiting some weeks and starting from scratch it worked. Just by placing those nvram variables (and restarting eapd) the WPA2 authentication on bridge1 works fine.
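
The fix reported in this thread relies on the nvram lan_ifnames / lan1_ifnames lists agreeing with the actual bridge membership before eapd is restarted. The script below is an added example, not code from any poster or from the firmware: it compares the two views and reports every interface that appears in only one of them. The function names `bridge_members` and `check_bridge` are hypothetical, and the sample `brctl show` text and "before" nvram value are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): compare kernel bridge membership with
# the nvram interface lists. Sample data below is constructed.

# Print members of bridge $1, sorted, from `brctl show` text on stdin.
# Works with or without the "bridge id" column.
bridge_members() {
    awk -v br="$1" '
        NR == 1 && $1 == "bridge" { next }        # header row
        /^[^ \t]/ { cur = $1                      # row that names a bridge
                    if (NF < 2 || $NF == "yes" || $NF == "no") next }
        cur == br && NF { print $NF }             # member interface
    ' | sort
}

# check_bridge BRIDGE BRCTL_TEXT NVRAM_LIST
# Prints each mismatch; returns 0 if both views agree, 1 otherwise.
check_bridge() {
    actual=$(printf '%s\n' "$2" | bridge_members "$1")
    wanted=$(printf '%s\n' $3 | sort)
    rc=0
    for i in $actual; do
        printf '%s\n' "$wanted" | grep -qxF -- "$i" ||
            { echo "$1: $i is bridged but missing from the nvram list"; rc=1; }
    done
    for i in $wanted; do
        printf '%s\n' "$actual" | grep -qxF -- "$i" ||
            { echo "$1: $i is in the nvram list but not bridged"; rc=1; }
    done
    return $rc
}

# Constructed sample: the bridge layout from the minimal config in the thread.
BRCTL_SAMPLE='bridge name     STP enabled     interfaces
br0             yes             vlan1
                                eth1
                                eth2
br1             no              wl0.1
                                vlan3'

# Constructed "before" state: nvram still lists wl0.1 under br0
check_bridge br0 "$BRCTL_SAMPLE" "vlan1 eth1 eth2 wl0.1" || true
# nvram value as set in the thread
check_bridge br1 "$BRCTL_SAMPLE" "vlan3 wl0.1" && echo "br1: consistent"

# On the router (assumes brctl and nvram are available):
#   check_bridge br1 "$(brctl show)" "$(nvram get lan1_ifnames)"
```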
 
