RADIUS dynamic VLAN

@anon50098793 - I think you were last to edit this wiki

One question regarding this part:

Now that we have a guest network functioning on the router we can modify our wireless configuration to support 802.1X dynamic vlans. To do this modify the SSID setup in your /etc/config/wireless file and remove the network option and add the dynamic_vlan and vlan_tagged_interface options. An example based on the basic 802.1X setup found above would be:

But the example above talks about vlan 3. Earlier, however, is mentioned:

Was this intentional or just a mistake? Docs say default is "0" so just making sure it's not some boolean value.

howdy, not sure what i've modified on that page, but it would have been something very minor... (likely non-technical > probably the config-network-device infobox)

unable to offer any evidence-based technical input on this... however, checking the hostapd help pages... the value of 2 for dynamic_vlan relates to negotiation mode... and does not represent local vlan numbers...

https://wireless.wiki.kernel.org/en/users/documentation/hostapd

A value of 0 disables dynamic VLAN tagging, a value of 1 allows dynamic VLAN tagging and a value of 2 will reject the authentication if the RADIUS server does not provide the appropriate tunnel attributes.

client vlan mappings are (hopefully) passed from the radius server

Ah, OK, thanks. I got the impression from reading that we were somehow passing the VLAN number here. The setting didn't specify what data-type it takes.

Perhaps this information could be added to this stub, and/or wifi settings . Information capture is important... Are you the right person to ask? Or is that someone called @dansan on the wiki?

edit away... that page seems to be limping along on the input of many... (and can use constant improvement/clarification)

the wifi param page itself follows a stricter structure i'm unfamiliar with, but can see benefit stating that this is (currently) a 'tri-state?' parameter...

Yeah word. I was attempting to capture the elements into a PR for extending the GUI. I think I got it.

I can't remember whether I have a wiki account....

I think you do, I see a "systemcrash" in the wiki account list

:slight_smile:

RADIUSdesk WiFi Hotspot Manager and GUI for FreeRADIUS MESHdesk Streamlined Mesh Controller


What is dynamic VLANs

If you are looking for a shrink-wrapped Network Access Controller (NAC) you can check out this Open Source product: http://www.packetfence.org

Wouldn't it be nice if you could have one WiFi SSID and based on certain criteria determine a per connection VLAN dynamically for each user?

wpad or hostapd?

The only changes you have to make to enable Dynamic VLAN support is the following:


OpenWRT Dynamic VLAN

I'm setting up an wireless AP with OpenWRT to support dynamic vlan's, provided by a RADIUS server.

I found a guide on OpenWRT.org which I followed, and with some extra research I'm almost there. The only thing not working is the dynamic vlan assignment. And I can't figure out why.

I'm running 15.05 chaos calmer on a TP-link Archer C7 in 'ap' mode. Firewall and DHCP are turned off, as they are provided by the network.

I can authenticate with the RADIUS server and login to both my internal and guest network if I manually bridge the SSID to the desired VLAN. Dynamic VLANs are not working though. FreeRadius is correctly transmitting the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID; as checked with wireshark. I'm not sure, but I think it might have something to do with hostapd not getting the right settings.

Any help would be greatly appreciated

My /etc/config/wireless looks as follows:

but I cannot find these vlan settings in the hostapd config file: /var/run/hostapd-phy1.conf

The hostapd -dd shows receiving the right AVP's but doesn't seem to care about any of it.


4 Answers

I'd make a comment instead of an answer but I don't have enough reputation here for that. I literally wrote the HOWTO you linked to in your OP on using 802.1x Dynamic VLANs in OpenWRT as well as figured out and submitted the patches to get them working.

Some of what you're saying doesn't seem to make sense. In particular that option dynamic_vlan '1' works but option dynamic_vlan '2' doesn't even show up in the hostapd configuration file shouldn't be the case. The OpenWRT script which reads your /etc/config/wireless file and translates it into the hostapd config file just looks for the dynamic_vlan option and if it's there and has an integer value puts it into the hostapd file so if 1 shows up in the hostapd file, 2 should as well. Please check to see if it's showing up in your hostapd config file when you set dynamic_vlan to 1. That will give some more information to work with.


Quite an old question, but the answer is not yet easy to find over web search. The How-to Guide helped me to narrow down the concept of working. Here is the last config that worked for me.

1st of all, I'm on version OpenWRT 21.02.1 over the device EAP225v3.


did not seem to work, once altered to

everything worked as it should.

This does pose a security risk.

I think not everything worked as it should. You are just automatically falling back to NO dynamic vlan (or option dynamic_vlan '0' ). Perhaps your hostapd, doesn't support dynamic vlans (like if you are using hostapd-mini or hostapd-common ). You should install the full version

See more details here:


Enabling per-device traffic analysis with separate VLANs, 802.1x MAC based authentication, and OpenWRT

For analysing what devices do on a network - specifically the shared medium of a wireless LAN - just packet tracing based on IP address is often not sufficient. There are multicasts, the initial DHCP requests, and potentially other types of traffic not captured by that. Even MAC address based packet tracing is problematic given recent defaults of MAC address randomization e.g. on Android (default since Android 10, optional before). The best solution to capture a complete picture of all communication from a single device therefore seems to be a separate link. For wired Ethernet, network taps or switch mirror ports are the tool of choice, for WiFi the easiest solution seems to be assigning a separate VLAN on the access point for each device, which can then be traced individually on the central switch/router.

The point of this post is to set this up as automatically as possible. I use the excellent Turris Omnia access point / router running a custom version of OpenWRT ( TurrisOS uses a different image format and recompiled packages, but is highly compatible in terms of configuration), Freeradius 3, and 802.1x authentication of devices to assign separate VLANs. MAC based authentication is used for the devices that don’t directly support other 802.1x authentication methods (e.g. IoT devices that don’t have a sufficiently capable API to enter username/password or other credentials).

These notes are a summary of my setup, with most of the inspiration taken from the official OpenWRT documentation as well as this howto for Freeradius PEAP and this howto for exporting netflows . Please thank the OpenWRT project for making this fairly easy already, and all mistakes in here are mine alone.

The following assumes TurrisOS 5.0.0 (on HBS branch) or newer. It has not been tested with TurrisOS 4 at the time of this writing.

opkg install freeradius3-utils freeradius3-mod-sql-sqlite freeradius3-mod-sqlcounter freeradius3-mod-eap freeradius3-mod-eap-peap freeradius3-mod-eap-mschapv2 freeradius3-mod-eap-tls freeradius3-mod-pap freeradius3-democerts freeradius3-mod-files freeradius3-mod-preprocess freeradius3-mod-radutmp freeradius3-mod-attr-filter freeradius3-mod-always freeradius-mod-detail freeradius3-mod-expiration freeradius3-mod-logintime freeradius3-mod-expr

Enable the guest network in Foris (the TurrisOS web interface), but don’t enable the WiFi guest networks - these don’t seem to support dynamic VLAN tagging, though I have not managed to find out why in quite a few hours of digging. For the time being, we will change the main WiFi to use 802.1x.

Note: We can only use the 2.4GHz WiFi but not the 5GHz one because of a bug in the ath10k kernel driver . Until this is fixed, only use the 2.4GHz one ( wlan1 ). If you still try to enable the same options on wlan0 , you will see an error hostapd: Failed to create interface wlan0.<VLAN ID>: -95 (Not supported) in the system log.

Add the dynamic VLAN options for the 2.4GHz WiFi AP in /etc/config/wireless :

The option dynamic_vlan '2' requires that the Radius server send VLAN tags and will reject authentication otherwise, so make sure all users have a VLAN tag. Also create the file /etc/config/hostapd1.vlan with a single line:

This will cause new, tagged VLAN interfaces to be created with the dynamic name wlan1.<VLAN ID> and added to the single bridge br-guest_turris . That means all VLANs will be bridged together again instead of the default hostapd behavior of creating a new bridge for every VLAN ID.

Make sure there is a properly configured bridge interface with an IP subnet (which should have been set up by default by enabling the guest network option) in /etc/config/network :

Note that I keep a single IP subnet for all devices, even though they will be put in separate VLANs. That makes it a lot easier from the IP point of view (only a single address space and DHCP range configuration is necessary). Nonetheless, each device (assuming every device uses its own, separate 802.1x credentials) is assigned to a dynamic VLAN interface – which in turn is automatically added to the single bridge device – and can therefore easily be isolated to trace all of its network packets on that VLAN device.

Make sure that the DHCP server hands out IP addresses on this bridge network (which should have been set up by default by enabling the Wi-Fi guest option) in /etc/config/dhcp :

Configure Freeradius for PEAP-MSCHAPv2 support

a. In /etc/freeradius3/sites-available/default , most of the defaults already work. I just disabled the modules chap , digest , and suffix in block authorize because we don’t use them and didn’t install the respective modules.

NOTE : The important change from the default config for VLAN-based device separation with e.g. Android clients (using PEAP-MSCHAPv2 authentication) is required in /etc/freeradius3/mods-enabled/eap : in the inner block eap { ... peap { <IN HERE> } ... } set the option use_tunneled_reply = yes . According to comments in this version of freeradius3, this option is actually deprecated, but it still works at the time of this writing. If you forget to turn it on, the tunnel attributes set for the inner identity never reach the outer Access-Accept, and you will get the error IEEE 802.1X: authentication server did not include required VLAN ID in Access-Accept in the system log when clients actually try to authenticate to a WiFi interface configured with enforced VLAN tagging.
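To make the attribute exchange concrete, here is an added Python example (not code from this post, hostapd or FreeRADIUS): it encodes the three tunnel attributes FreeRADIUS returns in the Access-Accept, parses them back the way an AP must, and applies the decision implied by the dynamic_vlan values 0, 1 and 2 explained earlier on this page, including the fail-closed case behind the "did not include required VLAN ID" error. Attribute numbers and tag handling follow RFC 2868 and RFC 3580; the decide() function is a simplified model of hostapd's behaviour, not its implementation.

```python
# Added example: models the RADIUS tunnel attributes behind dynamic VLAN
# assignment and the dynamic_vlan 0/1/2 policy. Not hostapd or FreeRADIUS code.
import struct
from typing import List, Optional, Tuple

TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868
TUNNEL_TYPE_VLAN = 13        # RFC 3580: Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE802 = 6    # RFC 3580: Tunnel-Medium-Type = IEEE-802


def encode_tunnel_avps(vlan_id: int, tag: int = 1) -> bytes:
    """Build the three tagged attributes as they appear on the wire
    (type, length, tag, value); the VLAN id travels as a decimal string."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    t_type = struct.pack("!BBB", TUNNEL_TYPE, 6, tag) + TUNNEL_TYPE_VLAN.to_bytes(3, "big")
    t_med = struct.pack("!BBB", TUNNEL_MEDIUM_TYPE, 6, tag) + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")
    gid = str(vlan_id).encode()
    t_gid = struct.pack("!BBB", TUNNEL_PRIVATE_GROUP_ID, 3 + len(gid), tag) + gid
    return t_type + t_med + t_gid


def parse_avps(blob: bytes) -> List[Tuple[int, bytes]]:
    """Split a RADIUS attribute blob into (type, value) pairs; a truncated or
    zero-length attribute raises instead of being skipped or looped on."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob) or blob[i + 1] < 2 or i + blob[i + 1] > len(blob):
            raise ValueError("malformed attribute at offset %d" % i)
        atype, alen = blob[i], blob[i + 1]
        out.append((atype, blob[i + 2:i + alen]))
        i += alen
    return out


def vlan_from_accept(avps: List[Tuple[int, bytes]]) -> Optional[int]:
    """VLAN id of the first tag group with Tunnel-Type=VLAN, Tunnel-Medium-Type=
    IEEE-802 and a numeric Tunnel-Private-Group-ID; None if there is no such group."""
    groups = {}
    for atype, val in avps:
        if atype not in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID) or not val:
            continue
        # RFC 2868: a leading byte <= 0x1F is the tag. For the string-typed Group-ID
        # a larger first byte is data; the integer attributes always carry a tag byte.
        if atype == TUNNEL_PRIVATE_GROUP_ID and val[0] > 0x1F:
            tag, body = 0, val
        else:
            tag, body = val[0], val[1:]
        groups.setdefault(tag, {})[atype] = body
    for fields in groups.values():
        gid = fields.get(TUNNEL_PRIVATE_GROUP_ID, b"")
        if (fields.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and fields.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")
                and gid.isdigit() and 1 <= int(gid) <= 4094):
            return int(gid)
    return None


def decide(avps, dynamic_vlan: int, default_vlan: Optional[int] = None):
    """dynamic_vlan 0: ignore the attributes; 1: use them when present, else fall
    back to the SSID's static network; 2: reject the client when they are missing."""
    vid = vlan_from_accept(avps)
    if dynamic_vlan == 0:
        return ("accept", default_vlan)
    if vid is not None:
        return ("accept", vid)
    if dynamic_vlan == 2:
        return ("reject", None)  # the "did not include required VLAN ID" case
    return ("accept", default_vlan)  # silent fallback into the default network
```

With dynamic_vlan '1' a server that omits the attributes (for example because use_tunneled_reply is off) still gets the client accepted into the SSID's default network, which is why the enforced setting '2' is the safer choice for device separation.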

If you want to keep traffic counters, then enable the sql module in block accounting . The two linked howtos are good references for configuring Freeradius 3 in itself, and this one for setting up SQLite as a backend.

b. (Optional) Add a test client machine to execute radtest from in /etc/freeradius3/clients.conf :

c. (Optional) Add a test user in /etc/freeradius3/mods-config/files/authorize :

(optional) To export netflows from this guest network to a collector

a. opkg install softflowd

b. Modify /etc/config/softflowd to look like this:

(optional) Instead of just exporting flows, full analysis of packets (e.g. using Arkime ) can also be done by creating a virtual switch mirror/tap port. While there may be multiple ways to do that (including OpenVSwitch instead of tc filters or other tunnel types, or using specific user-space tap/mirror software like fluxcap ), the solution that turned out to be the first to actually work is the following.

Note : As GRETAP for a still unknown reason didn’t work (any packets sent into the gretap1 device simply vanished but were not encapsulated and sent out over the physical link), I instead set up an L2TP-Ethernet-over-UDP encapsulation tunnel (this has some overhead compared to GRETAP, but is still fairly fast due to its in-kernel support, at least compared to going through userspace as e.g. OpenVPN tunneling would):

a. Set up the l2tp-eth tunnel:

The first line is only necessary once, the other 3 on every reboot - I just put them into /etc/rc.local ( chmod +x to make it executable) as netifd doesn’t currently seem to properly support statically configured L2TP tunnels through /etc/config/network . If that changes in the future, it would be much cleaner.

b. Mirror traffic from the virtual VLAN tagged WiFi interfaces into that tunnel. The specific setup described here was heavily inspired by this post , and I learnt about the VLAN action from this paper :

opkg install kmod-sched-act-vlan to install the VLAN action module, and then set up mirroring for each VLAN individually to separate them:

This cascades 3 actions for each packet in- and outgoing on each of the specific wlan interfaces: add the respective VLAN tag, then mirror (copy) it to the virtual tunnel interface, and remove the VLAN tag again to allow local processing of the packet (i.e. forwarding through NAT to the external Internet). This is not as nice as bridging a single interface that has those tags already, but it is the only method that I found working right now (and it took me over a day to get there).

As the virtual devices are created dynamically when a client connects, hotplug scripts can be used to set up this mirroring upon the device appearing, e.g. /etc/hotplug.d/iface/30-local-mirror-traffic :

Note : On the current TurrisOS 5.1.4, the hotplug script doesn’t execute when hostapd activates the new network interface when a client connects, and I don’t yet know why. Until this is clear, I just trigger this whenever a new DHCP address is assigned for all currently existing interfaces with /etc/hotplug.d/dhcp/50-local-mirror-traffic :

c. To receive that traffic on another (e.g. virtual) machine, create the corresponding L2TP-Ethernet interface. On Debian, the easiest (and clean) way to do that is through /etc/network/interfaces :

Testing / Debugging

René Mayrhofer

Professor of networks and security & director of engineering at android platform security; pacifist, privacy fan, recovering hypocrite; generally here to question and learn.

SmallNetBuilder Forums

Dynamic VLAN Support


Hello, I am considering buying an Asus RT-N66U to replace my current router. I have my network setup using WPA2-Enterprise, with a RADIUS server configured for dynamic VLAN assignment (as explained in OpenWRT's Introduction to 802.1X .) So, I have a single wireless network, and upon authentication, RADIUS tells the router in which VLAN that particular user should be placed. I was wondering whether either the stock firmware or Merlin support this setup. I could find some of Merlin's code on GitHub related to dynamic VLAN, but I didn't manage to find any information on whether this kind of setup is supported or not. The reason I'd like to use Merlin instead of OpenWRT or DD-WRT is performance. I do not mind having to perform a few manual steps in the command line. Thanks, UPDATE 18-Jun-2017: I did some more looking into the Merlin's code for hostapd (the piece of software running the AP), and it seems like this could be doable if enabling VLAN tagging and if hostapd is compiled with the CONFIG_FULL_DYNAMIC_VLAN option set. I'm trying to determine which options are used for hostapd now. If someone could verify for me whether the vlan_tagged_interface text string appears in the hostapd binary, it would be great help (this is a configuration option available only when full dynamic VLAN support is enabled.)  


@deaders , Did you make any progress with setting up a dynamic VLAN ?

I found out that the `hostapd` binary included with Asuswrt-Merlin was not compiled with the necessary options to support dynamic VLANs. I ended up getting a TP-Link Archer C7 instead (because LEDE is well supported for that one, and I knew for certain dynamic VLANs would work.) However, I believe it should be possible to either build a custom image of Merlin with the CONFIG_FULL_DYNAMIC_VLAN constant enabled for hostapd, or to build a hostapd binary and use it with Merlin. It may also be possible to ask merlin (the developer) to include this as well.  

@deaders , Thanks for the follow-up.

@RMerlin any reason to not enable CONFIG_FULL_DYNAMIC_VLAN by default?  

RMerlin

Asuswrt-Merlin dev

Matthias said: @RMerlin any reason to not enable CONFIG_FULL_DYNAMIC_VLAN by default?


Regression: vlan_no_bridge default breaks hostapd dynamic VLANs joining bridges in 21.02+ #9944


prbluebottle commented May 25, 2022 • edited
