RADIUS dynamic VLAN
@anon50098793 - I think you were last to edit this wiki
One question regarding this part:
Now that we have a guest network functioning on the router we can modify our wireless configuration to support 802.1X dynamic vlans. To do this modify the SSID setup in your /etc/config/wireless file and remove the network option and add the dynamic_vlan and vlan_tagged_interface options. An example based on the basic 802.1X setup found above would be:
But the example above talks about vlan 3. Earlier, however, is mentioned:
Was this intentional or just a mistake? Docs say default is "0" so just making sure it's not some boolean value.
Howdy, not sure what I've modified on that page, but it would have been something very minor... (likely non-technical > probably the config-network-device infobox)
unable to offer any evidence-based technical input on this... however, checking the hostapd help pages... the value of 2 for dynamic_vlan relates to negotiation mode... and does not represent local vlan numbers...
https://wireless.wiki.kernel.org/en/users/documentation/hostapd
A value of 0 disables dynamic VLAN tagging, a value of 1 allows dynamic VLAN tagging and a value of 2 will reject the authentication if the RADIUS server does not provide the appropriate tunnel attributes.
client vlan mappings are (hopefully) passed from the radius server
Ah, OK, thanks. I got the impression from reading that we were somehow passing the VLAN number here. The setting didn't specify what data-type it takes.
Perhaps this information could be added to this stub, and/or wifi settings . Information capture is important... Are you the right person to ask? Or is that someone called @dansan on the wiki?
edit away... that page seems to be limping along on the input of many... (and can use constant improvement/clarification)
the wifi param page itself follows a stricter structure I'm unfamiliar with, but I can see the benefit of stating that this is (currently) a 'tri-state?' parameter...
Yeah word. I was attempting to capture the elements into a PR for extending the GUI. I think I got it.
I can't remember whether I have a wiki account....
I think you do, I see a "systemcrash" in the wiki account list


Table of Contents
- What is VLANs
- The case of Tunnel-Private-Group-Id
- Dynamic VLAN support on WiFi
- Enabling dynamic VLAN support
- Dynamic VLAN support on OpenWRT
- VLANs are supported by most modern switches used in the enterprise today.
- VLANs provide the functional equivalent to having separate switches but now running it all on one switch.
- Visitors VLAN
- Printers VLAN
What are dynamic VLANs
- Dynamic VLANs are typically used with 802.1X port-based authentication.
- Before a user's device is allowed Ethernet access on the network it has to be authenticated.
- This authentication happens at Layer 2 and typically involves a RADIUS server.
- The RADIUS server can then specify in the Access-Accept reply the VLAN on which a user's device should be.
- Since RADIUSdesk is simply a front-end to FreeRADIUS it also includes this support.
- Tunnel-Type ⇒ VLAN
- Tunnel-Medium-Type ⇒ IEEE-802
- Tunnel-Private-Group-Id ⇒ This is the VLAN number / name that the connected device should be on.
If you are looking for a shrink-ed wrapped Network Access Controller (NAC) you can check out this Open Source product: http://www.packetfence.org
- The Tunnel-Private-Group-Id attribute takes a string value (NOT an integer).
- Some enterprise switches allow you to create a mapping between a human-readable name for a VLAN and the VLAN number.
- This allows you to specify the value of Tunnel-Private-Group-Id as a human-readable name instead of a number.
- It also allows you, for instance, to create a "Data VLAN" and assign it to VLAN number 1000 on one switch while assigning it to VLAN number 2000 on another.
- In the response from the RADIUS server you can then specify "Data VLAN" as the value of Tunnel-Private-Group-Id.
- The switch will then take care of the mapping and assignment when processing the response from the RADIUS server.
- Some of the more primitive implementations, like that in OpenWRT's hostapd program, however only accept a number.
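The encoding behind the bullets above, as an added example that is not code from RADIUSdesk, FreeRADIUS or hostapd: it builds the three RFC 2868 tunnel attributes the way they sit in an Access-Accept (tag octet first, Tunnel-Private-Group-ID as text), parses them back the way an access point must (a leading octet of 0x00..0x1F is a tag, anything larger is data), and then applies the 0/1/2 dynamic_vlan semantics quoted from the hostapd documentation in the forum thread above. The 1..4094 range check and the name_map lookup (standing in for the switch-side name-to-number mapping) are my assumptions; the sample values are constructed.

```python
"""Added example, not code from RADIUSdesk, FreeRADIUS or hostapd: how the
RFC 2868 tunnel attributes travel in an Access-Accept and how an access point
turns them into a VLAN decision under hostapd's dynamic_vlan 0/1/2.
Assumptions: the 1..4094 range check and the name_map lookup (standing in for
the switch-side name-to-number mapping) are mine; sample values are constructed."""

TUNNEL_TYPE = 64               # RFC 2868 attribute numbers
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type "VLAN"
TUNNEL_MEDIUM_IEEE_802 = 6     # Tunnel-Medium-Type "IEEE-802"
_VLAN = TUNNEL_TYPE_VLAN.to_bytes(3, "big")
_IEEE802 = TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")


def avp(attr_type, payload):
    """One RADIUS attribute: type octet, length octet (header included), value."""
    if len(payload) > 253:
        raise ValueError("attribute value too long")
    return bytes([attr_type, len(payload) + 2]) + payload


def encode_tunnel_attrs(group_id, tag=1):
    """Build the three AVPs a RADIUS server puts into Access-Accept.

    Tunnel-Type and Tunnel-Medium-Type are tagged integers (tag octet + 3
    value octets).  Tunnel-Private-Group-ID is a tagged *string*: the VLAN
    number or name goes on the wire as text, which is why FreeRADIUS treats
    it as a string and not an integer.
    """
    t = bytes([tag])
    return (avp(TUNNEL_TYPE, t + _VLAN)
            + avp(TUNNEL_MEDIUM_TYPE, t + _IEEE802)
            + avp(TUNNEL_PRIVATE_GROUP_ID, t + group_id.encode("ascii")))


def parse_avps(data):
    """Walk a RADIUS attribute list and yield (type, raw value); reject bad lengths."""
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        yield attr_type, data[i + 2:i + length]
        i += length


def split_tag(value):
    """RFC 2868: a leading octet 0x00..0x1F is a tag; anything larger is data."""
    if value and value[0] <= 0x1F:
        return value[0], value[1:]
    return 0, value


def vlan_from_accept(attrs, name_map=None):
    """VLAN id carried by a consistent set of tunnel attributes, or None.

    With name_map=None only a numeric Tunnel-Private-Group-ID is accepted, as
    hostapd does; name_map={"Data VLAN": 1000} mimics an enterprise switch that
    resolves a VLAN name to a number.
    """
    by_tag = {}
    for attr_type, raw in parse_avps(attrs):
        if attr_type in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, val = split_tag(raw)
            by_tag.setdefault(tag, {})[attr_type] = val
    for tunnel in by_tag.values():          # attributes belong together only if tags match
        if tunnel.get(TUNNEL_TYPE) != _VLAN or tunnel.get(TUNNEL_MEDIUM_TYPE) != _IEEE802:
            continue
        group = tunnel.get(TUNNEL_PRIVATE_GROUP_ID, b"").decode("ascii", "replace")
        if group.isdigit() and 1 <= int(group) <= 4094:
            return int(group)
        if name_map and group in name_map:
            return name_map[group]
    return None


def decide(dynamic_vlan, vlan):
    """hostapd's dynamic_vlan semantics: 0 = ignore, 1 = use if sent, 2 = require.

    Returns ("accept", vlan) where vlan None means the SSID's static network,
    or ("reject", reason).
    """
    if dynamic_vlan == 0:
        return "accept", None                    # tunnel attributes are ignored
    if vlan is not None:
        return "accept", vlan
    if dynamic_vlan == 1:
        return "accept", None                    # silent fallback to the untagged network
    return "reject", "authentication server did not include required VLAN ID"


if __name__ == "__main__":
    for group in ("101", "Data VLAN"):           # constructed Access-Accept contents
        vlan = vlan_from_accept(encode_tunnel_attrs(group))
        for mode in (0, 1, 2):
            print(f"group_id={group!r:12} dynamic_vlan={mode} -> {decide(mode, vlan)}")
```

The dynamic_vlan=1 branch is the behaviour the Server Fault answer further down calls a security risk: a user whose RADIUS entry lacks the tunnel attributes is not rejected but silently placed on the SSID's default network. Mode 2 turns that into a hard reject, which is the setting to use once every account has a VLAN.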
Wouldn't it be nice if you could have one WiFi SSID and based on certain criteria determine a per connection VLAN dynamically for each user?
- Since OpenWRT 12.09 (Attitude Adjustment) support is included with the hostapd (full) package.
wpad or hostapd?
- OpenWRT includes wpad-mini by default.
- Wpad (full) or hostapd are however required for WPA2 Enterprise support.
- Wpad and hostapd contain basically the same binaries.
The only changes you have to make to enable Dynamic VLAN support is the following:
- Add /etc/config/hostapd.vlan with the following content:
- Replace the /lib/wifi/hostapd.sh with a file that includes support for dynamic VLANs
- Check out the modified hostapd.sh file:
- Copy it over to the /lib/wifi/ directory on the Access Point.
- The following options will enable Dynamic VLAN support:
- Here's a sample config for a SSID with WPA2 Enterprise security and Dynamic VLAN
- The radius_das_port and radius_das_client settings allow CoA / PoD (Disconnect-Request) packets from the RADIUSdesk server to reach the Access Point so that a user can be disconnected.
- acct_interval is optional and enables interim accounting updates.
OpenWRT Dynamic VLAN
I'm setting up a wireless AP with OpenWRT to support dynamic VLANs, provided by a RADIUS server.
I found a guide on OpenWRT.org which I followed, and with some extra research I'm almost there. The only thing not working is the dynamic vlan assignment. And I can't figure out why.
I'm running 15.05 chaos calmer on a TP-link Archer C7 in 'ap' mode. Firewall and DHCP are turned off, as they are provided by the network.
I can authenticate with the RADIUS server and login to both my internal and guest network if I manually bridge the SSID to the desired VLAN. Dynamic VLANs are not working though. FreeRadius is correctly transmitting the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID; as checked with wireshark. I'm not sure, but I think it might have something to do with hostapd not getting the right settings.
Any help would be greatly appreciated
My /etc/config/wireless looks as follows:
but I cannot find these vlan settings in the hostapd config file: /var/run/hostapd-phy1.conf
The hostapd -dd output shows receiving the right AVPs but doesn't seem to care about any of it.
4 Answers
I'd make a comment instead of an answer but I don't have enough reputation here for that. I literally wrote the HOWTO you linked to in your OP on using 802.1x Dynamic VLANs in OpenWRT as well as figured out and submitted the patches to get them working.
Some of what you're saying doesn't seem to make sense. In particular that option dynamic_vlan '1' works but option dynamic_vlan '2' doesn't even show up in the hostapd configuration file shouldn't be the case. The OpenWRT script which reads your /etc/config/wireless file and translates it into the hostapd config file just looks for the dynamic_vlan option and if it's there and has an integer value puts it into the hostapd file so if 1 shows up in the hostapd file, 2 should as well. Please check to see if it's showing up in your hostapd config file when you set dynamic_vlan to 1. That will give some more information to work with.
Quite an old question, but the answer is not yet easy to find via web search. The How-to Guide helped me to narrow down the concept of working. Here is the last config that worked for me.
1st of all, I'm on version OpenWRT 21.02.1 over the device EAP225v3.
- Remove wpad-basic* package and install wpad.
- The default hostapd have a problem of "Malformed Radius Packet" for working with WPA-EAP setup. Correct file /lib/netifd/hostapd.sh with help of GitCommit . And restart hostapd or reboot device.
- This is a sample for each VLAN within /etc/config/network
- And last, create an Wireless iface, like:
- This sort of configuration has been working for me. One thing to note, I also have a bridge-vlan device configured as well, using tagged 802.1q ports:
  config bridge-vlan
          option device 'br-lan'
          option vlan '172'
          list ports 'lan1:t'
          list ports 'lan2:t'
          list ports 'lan3:t'
          list ports 'lan4:t'
  – Brain2000 Jan 30 at 17:35
did not seem to work, once altered to
everything worked as it should.
This does pose a security risk.
I think not everything worked as it should. You are just automatically falling back to NO dynamic vlan (or option dynamic_vlan '0' ). Perhaps your hostapd, doesn't support dynamic vlans (like if you are using hostapd-mini or hostapd-common ). You should install the full version
See more details here:

- Hi Flo, thanks for the follow up. I've just checked to be sure that hostapd is indeed installed correctly and not just hostapd-common; it is. But that's a nice script though. – Frank Vermeulen Jan 25, 2017 at 14:38
- I actually think there is an implementation issue with the version I'm using: if I enter "dynamic_vlan 0" the property shows up in the running config /var/run/hostapd-phy1.conf. The same thing happens when I enter "dynamic_vlan 1". But as soon as I set it to "dynamic_vlan 2" the setting disappears in the running config. The same thing happens with 3, 4, aemlkjsdf and so on. I guess the value '2' is somewhere somehow not recognized by the Lua script. – Frank Vermeulen Jan 25, 2017 at 14:41
Enabling per-device traffic analysis with separate VLANs, 802.1x MAC based authentication, and OpenWRT
For analysing what devices do on a network - specifically the shared medium of a wireless LAN - just packet tracing based on IP address is often not sufficient. There are multicasts, the initial DHCP requests, and potentially other types of traffic not captured by that. Even MAC address based packet tracing is problematic given recent defaults of MAC address randomization e.g. on Android (default since Android 10, optional before). The best solution to capture a complete picture of all communication from a single device therefore seems to be a separate link. For wired Ethernet, network taps or switch mirror ports are the tool of choice, for WiFi the easiest solution seems to be assigning a separate VLAN on the access point for each device, which can then be traced individually on the central switch/router.
The point of this post is to set this up as automatically as possible. I use the excellent Turris Omnia access point / router running a custom version of OpenWRT ( TurrisOS uses a different image format and recompiled packages, but is highly compatible in terms of configuration), Freeradius 3, and 802.1x authentication of devices to assign separate VLANs. MAC based authentication is used for the devices that don’t directly support other 802.1x authentication methods (e.g. IoT devices that don’t have a sufficiently capable API to enter username/password or other credentials).
These notes are a summary of my setup, with most of the inspiration taken from the official OpenWRT documentation as well as this howto for Freeradius PEAP and this howto for exporting netflows . Please thank the OpenWRT project for making this fairly easy already, and all mistakes in here are mine alone.
The following assumes TurrisOS 5.0.0 (on HBS branch) or newer. It has not been tested with TurrisOS 4 at the time of this writing.
- opkg update
opkg install freeradius3-utils freeradius3-mod-sql-sqlite freeradius3-mod-sqlcounter freeradius3-mod-eap freeradius3-mod-eap-peap freeradius3-mod-eap-mschapv2 freeradius3-mod-eap-tls freeradius3-mod-pap freeradius3-democerts freeradius3-mod-files freeradius3-mod-preprocess freeradius3-mod-radutmp freeradius3-mod-attr-filter freeradius3-mod-always freeradius3-mod-detail freeradius3-mod-expiration freeradius3-mod-logintime freeradius3-mod-expr
- For the default config without disabling any of the modules, optionally opkg install freeradius3-mod-eap-md5 freeradius3-mod-eap-leap freeradius3-mod-eap-gtc freeradius3-mod-eap-ttls freeradius3-mod-chap freeradius3-mod-digest freeradius3-mod-realm freeradius3-mod-detail freeradius3-mod-unix freeradius3-mod-exec
Enable the guest network in Foris (the TurrisOS web interface), but don’t enable the WiFi guest networks - these don’t seem to support dynamic VLAN tagging, though I have not managed to find out why in quite a few hours of digging. For the time being, we will change the main WiFi to use 802.1x.
Note: We can only use the 2.4GHz WiFi but not the 5GHz one because of a bug in the ath10k kernel driver . Until this is fixed, only use the 2.4GHz one ( wlan1 ). If you still try to enable the same options on wlan0 , you will see an error hostapd: Failed to create interface wlan0.<VLAN ID>: -95 (Not supported) in the system log.
Add the dynamic VLAN options for the 2.4GHz WiFi AP in /etc/config/wireless :
The option dynamic_vlan '2' requires that the RADIUS server send a VLAN assignment and rejects the authentication otherwise, so make sure every user has a VLAN assigned. Also create the file /etc/config/hostapd1.vlan with a single line:
This will cause new, tagged VLAN interfaces to be created with the dynamic name wlan1.<VLAN ID> and added to the single bridge br-guest_turris . That means all VLANs will be bridged together again instead of the default hostapd behavior of creating a new bridge for every VLAN ID.
Make sure there is a properly configured bridge interface with an IP subnet (which should have been set up by default by enabling the guest network option) in /etc/config/network :
Note that I keep a single IP subnet for all devices, even though they will be put in separate VLANs. That makes it a lot easier from the IP point of view (only a single address space and DHCP range configuration is necessary). Nonetheless, each device (assuming every device uses its own, separate 802.1x credentials) is assigned to a dynamic VLAN interface – which in turn is automatically added to the single bridge device – and can therefore easily be isolated to trace all of its network packets on that VLAN device.
Make sure that the DHCP server hands out IP addresses on this bridge network (which should have been set up by default by enabling the Wi-Fi guest option) in /etc/config/dhcp :
Configure Freeradius for PEAP-MSCHAPv2 support
a. In /etc/freeradius3/sites-available/default , most of the defaults already work. I just disabled the modules chap , digest , and suffix in block authorize because we don’t use them and didn’t install the respective modules.
NOTE : The important change from the default config for VLAN-based device separation with e.g. Android clients (using PEAP-MSCHAPv2 authentication) is required in /etc/freeradius3/mods-enabled/eap : in the inner block eap { ... peap { <IN HERE> } ... } change to the option use_tunneled_reply = yes . According to comments in this version of freeradius3, this is actually deprecated, but still works at the time of this writing. If you forget to turn this on, you will get an error IEEE 802.1X: authentication server did not include required VLAN ID in Access-Accept in the system log when clients actually try to authenticate to a WiFi interface configured with enforced VLAN tagging.
If you want to keep traffic counters, then enable the sql module in block accounting : This and this howtos are good references for configuring Freeradius 3 in itself and this one for setting up SQLite as a backend.
b. (Optional) Add a test client machine to execute radtest from in /etc/freeradius3/clients.conf :
c. (Optional) Add a test user in /etc/freeradius3/mods-config/files/authorize :
(optional) To export netflows from this guest network to a collector
a. opkg install softflowd
b. Modify /etc/config/softflowd to look like this:
(optional) Instead of just exporting flows, full analysis of packets (e.g. using Arkime ) can also be done by creating a virtual switch mirror/tap port. While there may be multiple ways to do that (including OpenVSwitch instead of tc filters or other tunnel types, or using specific user-space tap/mirror software like fluxcap ), the solution that turned out to be the first to actually work is the following.
Note : As GRETAP for a still unknown reason didn’t work (any packets sent into the gretap1 device simply vanished but were not encapsulated and sent out over the physical link), I instead set up an L2TP-Ethernet-over-UDP encapsulation tunnel (this has some overhead compared to GRETAP, but is still fairly fast due to its in-kernel support, at least compared to going through userspace as e.g. OpenVPN tunneling would):
a. Set up the l2tp-eth tunnel:
The first line is only necessary once, the other 3 on every reboot - I just put them into /etc/rc.local ( chmod +x to make it executable) as netifd doesn’t currently seem to properly support statically configured L2TP tunnels through /etc/config/network . If that changes in the future, it would be much cleaner.
b. Mirror traffic from the virtual VLAN tagged WiFi interfaces into that tunnel. The specific setup described here was heavily inspired by this post , and I learnt about the VLAN action from this paper :
opkg install kmod-sched-act-vlan to install the VLAN action module, and then set up mirroring for each VLAN individually to separate them:
This cascades 3 actions for each packet in- and outgoing on each of the specific wlan interfaces: add the respective VLAN tag, then mirror (copy) it to the virtual tunnel interface, and remove the VLAN tag again to allow local processing of the packet (i.e. forwarding through NAT to the external Internet). This is not as nice as bridging a single interface that has those tags already, but it is the only method that I found working right now (and it took me over a day to get there).
As the virtual devices are created dynamically when a client connects, hotplug scripts can be used to set up this mirroring upon the device appearing, e.g. /etc/hotplug.d/iface/30-local-mirror-traffic :
Note : On the current TurrisOS 5.1.4, the hotplug script doesn’t execute when hostapd activates the new network interface when a client connects, and I don’t yet know why. Until this is clear, I just trigger this whenever a new DHCP address is assigned for all currently existing interfaces with /etc/hotplug.d/dhcp/50-local-mirror-traffic :
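A reconciliation script for the mirroring step, as an added example; it is not the blog's hotplug script (which the page does not show). It lists the wlanX.&lt;VLAN ID&gt; interfaces hostapd has created, skips those that already carry a mirred action, and emits the tc commands for the rest, so it can be re-run on every DHCP hotplug event without stacking duplicate filters. The tc action chain (clsact, matchall, vlan push / mirred egress mirror / vlan pop) is my assumption of the iproute2 syntax for the three cascaded actions described above, l2tpeth0 is an assumed tunnel interface name, and the `ip -br link` and `tc filter show` outputs embedded in the script are constructed samples.

```python
"""Added example, not the blog's hotplug script: plan (and optionally apply)
the per-VLAN tc mirroring for every dynamic VLAN interface hostapd has created.
Re-running it is safe: interfaces that already carry a mirred action are skipped.

Assumptions (not from the page): the tc action chain below is how iproute2
expresses "push VLAN tag, mirror copy to tunnel, pop tag"; the tunnel device
is called l2tpeth0; the sample outputs at the bottom are constructed."""
import re
import subprocess
import sys

DYN_IFACE = re.compile(r"^(?P<base>wlan\d+)\.(?P<vid>\d{1,4})$")


def vlan_id_of(ifname):
    """VLAN id for a hostapd dynamic interface name like wlan1.101, else None."""
    m = DYN_IFACE.match(ifname)
    if not m:
        return None
    vid = int(m.group("vid"))
    return vid if 1 <= vid <= 4094 else None


def dynamic_vlan_ifaces(ip_link_brief):
    """Names of dynamic VLAN interfaces in `ip -br link` output (strips an @parent suffix)."""
    names = []
    for line in ip_link_brief.splitlines():
        fields = line.split()
        if not fields:
            continue
        name = fields[0].split("@", 1)[0]
        if vlan_id_of(name) is not None:
            names.append(name)
    return names


def already_mirrored(tc_filter_show):
    """True when `tc filter show dev X ingress` already lists a mirred action."""
    return "mirred" in tc_filter_show


def mirror_commands(ifname, tunnel_dev):
    """The three cascaded actions, on both ingress and egress of one VLAN interface."""
    vid = vlan_id_of(ifname)
    if vid is None:
        raise ValueError(f"{ifname} is not a dynamic VLAN interface")
    cmds = [f"tc qdisc add dev {ifname} clsact"]
    for hook in ("ingress", "egress"):
        cmds.append(
            f"tc filter add dev {ifname} {hook} matchall "
            f"action vlan push id {vid} pipe "
            f"action mirred egress mirror dev {tunnel_dev} pipe "
            f"action vlan pop"
        )
    return cmds


def plan(ip_link_brief, tc_state, tunnel_dev="l2tpeth0"):
    """tc_state maps interface name -> `tc filter show dev NAME ingress` output."""
    cmds = []
    for name in dynamic_vlan_ifaces(ip_link_brief):
        if already_mirrored(tc_state.get(name, "")):
            continue
        cmds.extend(mirror_commands(name, tunnel_dev))
    return cmds


def _run(argv):
    return subprocess.run(argv, capture_output=True, text=True, check=False).stdout


# Constructed sample outputs, used by --dry-run so the script runs off a router.
SAMPLE_IP_LINK = """\
lo               UNKNOWN        00:00:00:00:00:00 <LOOPBACK,UP,LOWER_UP>
br-guest_turris  UP             04:f0:21:23:21:81 <BROADCAST,MULTICAST,UP,LOWER_UP>
wlan1            UP             04:f0:21:23:21:81 <BROADCAST,MULTICAST,UP,LOWER_UP>
wlan1.101        UP             04:f0:21:23:21:81 <BROADCAST,MULTICAST,UP,LOWER_UP>
wlan1.102@wlan1  UP             04:f0:21:23:21:81 <BROADCAST,MULTICAST,UP,LOWER_UP>
"""
SAMPLE_TC_STATE = {
    "wlan1.101": "filter protocol all pref 49152 matchall\n"
                 "  action order 2: mirred (Egress Mirror to device l2tpeth0) pipe\n",
}

if __name__ == "__main__":
    dry_run = "--dry-run" in sys.argv
    if dry_run:
        links, state = SAMPLE_IP_LINK, SAMPLE_TC_STATE
    else:
        links = _run(["ip", "-br", "link"])
        state = {n: _run(["tc", "filter", "show", "dev", n, "ingress"])
                 for n in dynamic_vlan_ifaces(links)}
    for cmd in plan(links, state):
        print(cmd)
        if not dry_run:
            subprocess.run(cmd.split(), check=False)
```

Run with `--dry-run` to see the plan against the constructed sample (only wlan1.102 gets commands, since wlan1.101 is already mirrored); without it the script queries the live interfaces and applies the commands, which is the form that fits into a hotplug script.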
c. To receive that traffic on another (e.g. virtual) machine, create the corresponding L2TP-Ethernet interface. On Debian, the easiest (and clean) way to do that is through /etc/network/interfaces :
Testing / Debugging
- If WLAN clients seem to be able to connect, but do not receive an IP address through DHCP or can't communicate otherwise, verify the correct VLAN-interface-to-bridge assignment with brctl show . An example output should look like br-guest_turris 7fff.04f021232181 no lan4 wlan1.101
- If freeradius doesn’t start, radiusd -f -X -C should give a reason why.

René Mayrhofer
Professor of networks and security & director of engineering at android platform security; pacifist, privacy fan, recovering hypocrite; generally here to question and learn.

Dynamic VLAN Support
Thread starter: deaders
Start date: Jun 17, 2017
Tags: 802.1q, 802.1x, dynamic vlan, radius, vlan

deaders (Jun 17, 2017):
Hello, I am considering buying an Asus RT-N66U to replace my current router. I have my network setup using WPA2-Enterprise, with a RADIUS server configured for dynamic VLAN assignment (as explained in OpenWRT's Introduction to 802.1X .) So, I have a single wireless network, and upon authentication, RADIUS tells the router in which VLAN that particular user should be placed. I was wondering whether either the stock firmware or Merlin support this setup. I could find some of Merlin's code on GitHub related to dynamic VLAN, but I didn't manage to find any information on whether this kind of setup is supported or not. The reason I'd like to use Merlin instead of OpenWRT or DD-WRT is performance. I do not mind having to perform a few manual steps in the command line. Thanks,

UPDATE 18-Jun-2017: I did some more looking into Merlin's code for hostapd (the piece of software running the AP), and it seems like this could be doable if enabling VLAN tagging and if hostapd is compiled with the CONFIG_FULL_DYNAMIC_VLAN option set. I'm trying to determine which options are used for hostapd now. If someone could verify for me whether the vlan_tagged_interface text string appears in the hostapd binary, it would be great help (this is a configuration option available only when full dynamic VLAN support is enabled.)
- Jul 24, 2017
@deaders , Did you make any progress with setting up a dynamic VLAN ?
I found out that the `hostapd` binary included with Asuswrt-Merlin was not compiled with the necessary options to support dynamic VLANs. I ended up getting a TP-Link Archer C7 instead (because LEDE is well supported for that one, and I knew for certain dynamic VLANs would work.) However, I believe it should be possible to either build a custom image of Merlin with the CONFIG_FULL_DYNAMIC_VLAN constant enabled for hostapd, or to build a hostapd binary and use it with Merlin. It may also be possible to ask merlin (the developer) to include this as well.
@deaders , Thanks for the follow-up.
- Aug 29, 2019
@RMerlin any reason to not enable CONFIG_FULL_DYNAMIC_VLAN by default?

Asuswrt-Merlin dev
Matthias said: @RMerlin any reason to not enable CONFIG_FULL_DYNAMIC_VLAN by default?
Regression: vlan_no_bridge default breaks hostapd dynamic VLANs joining bridges in 21.02+ #9944
prbluebottle commented May 25, 2022 (edited)