1. Can anyone here help me understand what mac80211 "AP/VLAN" mode is and how
it's used? I googled and could not find a good document on this.
2. If it's meant for VLAN interface for multiple-SSID, how is the VLAN ID
configured?
3. In my AP with a proprietary driver, there are multiple SSIDs over the same
BSSID. (Meaning they share the same MAC address.) Each SSID is mapped to one
VLAN. Broadcasting SSID is disabled.
On receiving a packet from a client, the AP adds the VLAN tag of the SSID the
client associated with.
On transmitting a packet to a client, the AP removes the VLAN tag.
Is it possible to achieve the above functionality through existing open source
software (mac80211, iw, hostapd, radio driver, etc.)?
Thanks in advance.
The following is my experiment with the AP/VLAN interface.
The "iw list" command shows that my system supports the AP/VLAN interface type:
=========iw list screen shot, (part) begin ============================
Supported interface modes:
* IBSS
* managed
* AP
* AP/VLAN
* monitor
* mesh point
========iw list screen shot, (part) end =========================
And it does allow me to add such an interface with the command "iw phy phy0
interface add vlan2 type __ap_vlan":
===========================screen shot begin =============================
root@mini-dell:~/hostapd-conf# iw phy phy0 interface add vlan2 type __ap_vlan
root@mini-dell:~/hostapd-conf# iw vlan2 info
Interface vlan2
ifindex 10
type AP/VLAN
root@mini-dell:~/hostapd-conf# iwconfig vlan2
vlan2 IEEE 802.11abgn Mode:Secondary Tx-Power=17 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Power Management:off
===========================screen shot ends =============================
Now, how do I use this VLAN interface "vlan2"? I tried to run hostapd over the
vlan2 interface with no success. Here are my hostapd.conf and screenshot.
===========================screen shot begin =============================
root@mini-dell:~/hostapd-conf# hostapd -dd hostapd.conf
Configuration file: hostapd.conf
ctrl_interface_group=0
nl80211: Register Action command failed: ret=-95 (Operation not supported)
nl80211: Register Action match - hexdump(len=1): 06
nl80211: Failed to register Action frame processing - ignore for now
nl80211: Add own interface ifindex 10
nl80211: Failed to set interface 10 to mode 3: -95 (Operation not supported)
nl80211: Failed to set interface 10 to mode 3: -95 (Operation not supported)
Could not set interface vlan2 flags: Link has been severed
nl80211: Interface mode change to 3 from 0 failed
nl80211: Failed to set interface vlan2 into AP mode
nl80211 driver initialization failed.
rmdir[ctrl_interface]: No such file or directory
ELOOP: remaining socket: sock=4 eloop_data=0x80a7870 user_data=0x80a94f8
handler=0x8072070
ELOOP: remaining socket: sock=6 eloop_data=0x80aaf38 user_data=(nil)
handler=0x807ab20
root@mini-dell:~/hostapd-conf#
===========================screen shot ends =============================
------------------hostapd.conf begin ------------------
interface=vlan2
#bridge=brg0
driver=nl80211
logger_syslog=-1
logger_syslog_level=0
logger_stdout=-1
logger_stdout_level=0
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
##### IEEE 802.11 related configuration #######################################
ssid=bypass
country_code=US
ieee80211d=1
hw_mode=a
channel=36
beacon_int=100
dtim_period=2
max_num_sta=255
rts_threshold=2347
fragm_threshold=2346
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
------------------hostapd.conf end------------------
On Thu, Oct 21, 2010 at 03:54:30PM +0000, Chaoxing wrote:
> 1. Can anyone here help me understand what mac80211 "AP/VLAN" mode is and how
> it's used? I googled and could not find a good document on this.
See dynamic-VLAN configuration in hostapd.conf.
> 2. If it's meant for VLAN interface for multiple-SSID, how is the VLAN ID
> configured?
In theory, it could be used with multiple-SSID (i.e., mapping from SSID
to VLAN), but there is no support for that in hostapd. The main use for
this AP/VLAN interface is to get VLAN ID from a RADIUS server (or for
more limited testing, from a local text file based on the station MAC
address).
> 3. In my AP with a proprietary driver, there are multiple SSIDs over the same
> BSSID. (Meaning they share the same MAC address.) Each SSID is mapped to one
> VLAN. Broadcasting SSID is disabled.
> On receiving a packet from a client, the AP adds the VLAN tag of the SSID the
> client associated with.
> On transmitting a packet to a client, the AP removes the VLAN tag.
> Is it possible to achieve the above functionality through existing open source
> software (mac80211, iw, hostapd, radio driver, etc.)?
You can do a similar setup with RADIUS-based VLAN ID allocation. Though,
mac80211 will leave the VLAN tagging or other upper layer configuration
to other parts of the networking stack (VLAN, bridge, IP routing).
hostapd can set that up for the bridge and WLAN interfaces and, if
desired, you can then bind those to a tagged Ethernet interface.
Since we support multi-BSSID configuration (which is superior to
multi-SSID for most cases), I haven't seen enough justification to work
with multi-SSID functionality. Do you have a use case that would need it
or would the RADIUS-based VLAN ID allocation or multi-BSSID support
address your needs?
--
Jouni Malinen PGP id EFC895FA
On Fri, Oct 22, 2010 at 01:43:07PM -0400, Chaoxing Lin wrote:
> CLIN: I saw that dynamic-VLAN section. And did not quite understand how
> to set it up. Is there any further documentation on dynamic-VLAN?
I don't know, but Google search for the configuration field names in
hostapd.conf will likely give you some hits (no guarantees of usefulness
of those, though).
> Must the interface in /etc/hostapd.vlan be type of __ap_vlan? Or it can
> be any AP interface specified in "bss=xxx" in multi-BSSID case?
You should not create them manually; hostapd will create these for you..
Sure, the type will be NL80211_IFTYPE_AP_VLAN, but you should not need
to know that ;-).
> CLIN: Getting the VLAN ID from a RADIUS server means all VLANs must use 802.1X
> for authentication.
No, it doesn't. But the only other option is to use station MAC address
to VLAN ID mapping, so yes, this has some limitations.
> 1. Most of the time multi-BSSID is superior to multi-SSID. But
> multi-BSSID uses multiple MAC addresses and each radio actually has only
> one reserved MAC address. Meaning, all other MAC addresses used are
> actually reserved by other radio/Ethernet adapters, etc. When a product
> like this goes on the market, it's bound to have MAC address conflicts,
> unless the vendor reserves enough MACs for its product. It's kind of a waste
> to reserve 32 (in my case) MAC addresses per radio since most of the
> time multi-BSSID won't be used in SOHO.
There are costs involved with it, but then again, so are there with
multi-SSID.. I would just refuse to depend on multi-SSID myself because
of interop issues and limitations on what kind of security policies can
be used between the networks sharing the same BSSID.
You can get pretty good results with the use of locally administered
addresses, but sure, there is always a possibility of conflict, even if
very unlikely with a good address allocation strategy.
> 2. The other thing regarding hostapd dynamic VLAN is that it creates a
> bridge for each VLAN and the tag is only added at a certain interface, e.g.
> "vlan_tagged_interface=eth0". There are a few problems with this design.
> a. One bridge for each VLAN overloads the system unnecessarily. It
> means that all protocols over the bridge have to run multiple copies, one
> per bridge. This is expensive for embedded devices.
Keep in mind that CONFIG_FULL_DYNAMIC_VLAN is optional functionality..
If you don't want it, don't enable it.
> b. In case there are multiple interfaces that need a VLAN tag, does hostapd
> allow me to put multiple interfaces in the "vlan_tagged_interface=xxx"
> option? Even if it allows that, it's still inconvenient if the interface
> list is dynamic. My current product has one bridge which encloses
> one Ethernet port,
> AP/VLAN interface,
> and multiple (dynamic, auto-detected by a proprietary app) WDS interfaces.
I would assume that you can simulate something similar by providing
some scripts for managing how the interfaces get linked together and not
using hostapd to manage the VLAN interfaces at all.
> Only the AP/VLAN interface adds/removes/checks the VLAN tag per SSID, while all
> other interfaces in the bridge pass packets as is (in other words, they
> behave as VLAN trunk ports). Eventually, it's up to the VLAN switch
> attached at the Ethernet port to distribute packets per VLAN rules. It
> seems hard for me to use the current (mac80211, hostapd, iw, etc.) to achieve
> what I need.
I'm not sure whether I would fully agree with that, but sure, it may not
currently provide everything you need. Anyway, it should be possible to
extend this as needed..
--
Jouni Malinen PGP id EFC895FA
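The two replies above mention the non-RADIUS path for dynamic VLAN: a local text file that maps station MAC addresses to VLAN IDs, and the hostapd.vlan file that maps VLAN IDs to the AP/VLAN interfaces hostapd creates. The following is an added example (not hostapd's code, and not something posted in this thread) that models that lookup offline: it parses both files in the formats hostapd documents for accept_mac_file ("<mac> [vlan_id]" per line) and vlan_file ("<vlan_id> <ifname>" per line, plus an optional "* wlan0.#" wildcard where the first "#" becomes the VLAN ID), range-checks the IDs, and decides whether an associating station is rejected, left untagged on the main BSS, or bound to a per-VLAN interface. The file contents are constructed sample data; the handling of a VLAN ID that has no interface mapping ("error") is this example's own choice, not a statement about hostapd's behaviour.

```python
"""Model of hostapd's MAC-address-based dynamic VLAN lookup (added example,
not hostapd code).

Two text files drive the lookup discussed in this thread:
  accept_mac_file  -> "<mac> [vlan_id]" per line (used with macaddr_acl=1)
  vlan_file        -> "<vlan_id> <ifname>" per line, plus an optional
                      wildcard "* <ifname containing #>" where the first
                      '#' is replaced by the VLAN ID
The sample contents below are constructed for this example.
"""
import re

# Constructed sample accept_mac_file: MAC, optionally followed by a VLAN ID.
ACCEPT_FILE = """\
# allowed stations
00:20:30:40:50:61 1
00:20:30:40:50:62 2
00:20:30:40:50:63
00:20:30:40:50:64 7
"""

# Constructed sample vlan_file: explicit mappings plus a wildcard entry.
VLAN_FILE = """\
1 wlan0.1
2 wlan0.2
* wlan0.#
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")
MIN_VLAN, MAX_VLAN = 1, 4094  # valid 802.1Q VLAN IDs


def _vlan_id(token, lineno):
    """Parse and range-check a VLAN ID token; bad IDs are configuration errors."""
    try:
        vid = int(token)
    except ValueError:
        raise ValueError(f"line {lineno}: VLAN ID {token!r} is not a number")
    if not MIN_VLAN <= vid <= MAX_VLAN:
        raise ValueError(f"line {lineno}: VLAN ID {vid} outside 1..4094")
    return vid


def parse_accept_file(text):
    """Return {mac: vlan_id or None}; a MAC without an ID is accepted untagged."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        mac = parts[0].lower()
        if not MAC_RE.match(mac):
            raise ValueError(f"line {lineno}: bad MAC address {parts[0]!r}")
        table[mac] = _vlan_id(parts[1], lineno) if len(parts) > 1 else None
    return table


def parse_vlan_file(text):
    """Return ({vlan_id: ifname}, wildcard_template_or_None)."""
    explicit, wildcard = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 2:
            raise ValueError(f"line {lineno}: expected '<vlan_id|*> <ifname>'")
        key, ifname = parts
        if key == "*":
            if "#" not in ifname:
                raise ValueError(f"line {lineno}: wildcard name needs a '#'")
            wildcard = ifname
        else:
            explicit[_vlan_id(key, lineno)] = ifname
    return explicit, wildcard


def resolve_station(mac, accept, vlans, wildcard):
    """Decide where an associating station lands.

    Returns (decision, vlan_id, ifname):
      ("reject",   None, None)   MAC not in the accept list
      ("untagged", None, None)   accepted, stays on the main BSS interface
      ("vlan",     id,   ifname) accepted, bound to the AP/VLAN interface
      ("error",    id,   None)   VLAN assigned but no interface mapping exists
                                 (treated as a configuration error here; this
                                 is the example's choice, not hostapd's code)
    """
    mac = mac.lower()
    if mac not in accept:
        return ("reject", None, None)
    vid = accept[mac]
    if vid is None:
        return ("untagged", None, None)
    ifname = vlans.get(vid)
    if ifname is None and wildcard is not None:
        ifname = wildcard.replace("#", str(vid), 1)
    if ifname is None:
        return ("error", vid, None)
    return ("vlan", vid, ifname)


if __name__ == "__main__":
    accept = parse_accept_file(ACCEPT_FILE)
    vlans, wildcard = parse_vlan_file(VLAN_FILE)
    for sta in ("00:20:30:40:50:61", "00:20:30:40:50:63",
                "00:20:30:40:50:64", "00:20:30:40:50:99"):
        print(sta, resolve_station(sta, accept, vlans, wildcard))
```

Running it shows the three outcomes side by side: a listed MAC with an explicit mapping lands on wlan0.1, a listed MAC without an ID stays untagged, VLAN 7 falls through to the wildcard and gets wlan0.7, and an unlisted MAC is rejected. The range check matters in practice because a typo such as VLAN 5000 in the accept file should fail loudly at load time rather than silently place a station somewhere unexpected.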
Thanks Jouni. I appreciate your response. My comments/discussion are
below interleaved in email.
-----Original Message-----
From: Jouni Malinen [mailto:[email protected]]
Sent: Friday, October 22, 2010 11:28 AM
To: Chaoxing Lin
Cc: [email protected]
Subject: Re: Help: Guidance on "AP/VLAN" mode
On Thu, Oct 21, 2010 at 03:54:30PM +0000, Chaoxing wrote:
> 1. Can anyone here help me understand what mac80211 "AP/VLAN" mode is and how
> it's used? I googled and could not find a good document on this.
See dynamic-VLAN configuration in hostapd.conf.
CLIN: I saw that dynamic-VLAN section. And did not quite understand how
to set it up. Is there any further documentation on dynamic-VLAN?
Must the interface in /etc/hostapd.vlan be type of __ap_vlan? Or it can
be any AP interface specified in "bss=xxx" in multi-BSSID case?
> 2. If it's meant for VLAN interface for multiple-SSID, how is the VLAN ID
> configured?
In theory, it could be used with multiple-SSID (i.e., mapping from SSID
to VLAN), but there is no support for that in hostapd. The main use for
this AP/VLAN interface is to get VLAN ID from a RADIUS server (or for
more limited testing, from a local text file based on the station MAC
address).
CLIN: Getting the VLAN ID from a RADIUS server means all VLANs must use 802.1X
for authentication. This limits the flexibility of multiple-SSID. My
current AP with a proprietary driver and app allows different VLANs to use any
authentication/encryption. Although hostapd provides a built-in RADIUS
server, it's kind of a hack to use it just to add a VLAN ID for clients
using WEP/WPA-PSK.
> 3. In my AP with a proprietary driver, there are multiple SSIDs over the same
> BSSID. (Meaning they share the same MAC address.) Each SSID is mapped to one
> VLAN. Broadcasting SSID is disabled.
> On receiving a packet from a client, the AP adds the VLAN tag of the SSID the
> client associated with.
> On transmitting a packet to a client, the AP removes the VLAN tag.
> Is it possible to achieve the above functionality through existing open source
> software (mac80211, iw, hostapd, radio driver, etc.)?
You can do a similar setup with RADIUS-based VLAN ID allocation. Though,
mac80211 will leave the VLAN tagging or other upper layer configuration
to other parts of the networking stack (VLAN, bridge, IP routing).
hostapd can set that up for the bridge and WLAN interfaces and, if
desired, you can then bind those to a tagged Ethernet interface.
Since we support multi-BSSID configuration (which is superior to
multi-SSID for most cases), I haven't seen enough justification to work
with multi-SSID functionality. Do you have a use case that would need it
or would the RADIUS-based VLAN ID allocation or multi-BSSID support
address your needs?
CLIN:
1. Most of the time multi-BSSID is superior to multi-SSID. But
multi-BSSID uses multiple MAC addresses and each radio actually has only
one reserved MAC address. Meaning, all other MAC addresses used are
actually reserved by other radio/Ethernet adapters, etc. When a product
like this goes on the market, it's bound to have MAC address conflicts,
unless the vendor reserves enough MACs for its product. It's kind of a waste
to reserve 32 (in my case) MAC addresses per radio since most of the
time multi-BSSID won't be used in SOHO.
2. The other thing regarding hostapd dynamic VLAN is that it creates a
bridge for each VLAN and the tag is only added at a certain interface, e.g.
"vlan_tagged_interface=eth0". There are a few problems with this design.
a. One bridge for each VLAN overloads the system unnecessarily. It
means that all protocols over the bridge have to run multiple copies, one
per bridge. This is expensive for embedded devices.
b. In case there are multiple interfaces that need a VLAN tag, does hostapd
allow me to put multiple interfaces in the "vlan_tagged_interface=xxx"
option? Even if it allows that, it's still inconvenient if the interface
list is dynamic. My current product has one bridge which encloses
one Ethernet port,
AP/VLAN interface,
and multiple (dynamic, auto-detected by a proprietary app) WDS interfaces.
Only the AP/VLAN interface adds/removes/checks the VLAN tag per SSID, while all
other interfaces in the bridge pass packets as is (in other words, they
behave as VLAN trunk ports). Eventually, it's up to the VLAN switch
attached at the Ethernet port to distribute packets per VLAN rules. It
seems hard for me to use the current (mac80211, hostapd, iw, etc.) to achieve
what I need.
--
Jouni Malinen PGP id EFC895FA