Discussion:
Help: Guidance on "AP/VLAN" mode
Chaoxing
2010-10-21 15:54:30 UTC
1. Can anyone here help me understand what mac80211 "AP/VLAN" mode is and how
it's used? I googled and could not find a good document on this.

2. If it's meant for VLAN interface for multiple-SSID, how is the VLAN ID
configured?

3. In my AP with proprietary driver, there's multiple-SSID over the same BSSID.
(Meaning they share the same MAC address.) Each SSID is mapped to one VLAN.
Broadcasting SSID is disabled.
On receiving packets from clients, the AP adds the VLAN tag for the SSID the client associated with.
On transmitting packets to clients, the AP removes the VLAN tag.
Is it possible to achieve the above functionality through existing open source
software (mac80211, iw, hostapd, radio driver, etc)?

Thanks in advance.


The following is my experiment on AP/VLAN interface.


On "iw list" command, my system shows that it supports AP/VLAN type interface

=========iw list screen shot, (part) begin ============================

Supported interface modes:
* IBSS
* managed
* AP
* AP/VLAN
* monitor
* mesh point
========iw list screen shot, (part) end =========================

And it does allow me to add such kind of interface by command "iw phy phy0
interface add vlan2 type __ap_vlan"

===========================screen shot begin =============================
***@mini-dell:~/hostapd-conf# iw phy phy0 interface add vlan2 type __ap_vlan
***@mini-dell:~/hostapd-conf# iw vlan2 info
Interface vlan2
ifindex 10
type AP/VLAN
***@mini-dell:~/hostapd-conf# iwconfig vlan2
vlan2 IEEE 802.11abgn Mode:Secondary Tx-Power=17 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Power Management:off
===========================screen shot ends =============================

Now, how do I use this vlan interface "vlan2"? I tried to run hostapd over vlan2
interface with no success. Here is my hostapd.conf and screenshot.


===========================screen shot begin =============================
***@mini-dell:~/hostapd-conf# hostapd -dd hostapd.conf
Configuration file: hostapd.conf
ctrl_interface_group=0
nl80211: Register Action command failed: ret=-95 (Operation not supported)
nl80211: Register Action match - hexdump(len=1): 06
nl80211: Failed to register Action frame processing - ignore for now
nl80211: Add own interface ifindex 10
nl80211: Failed to set interface 10 to mode 3: -95 (Operation not supported)
nl80211: Failed to set interface 10 to mode 3: -95 (Operation not supported)
Could not set interface vlan2 flags: Link has been severed
nl80211: Interface mode change to 3 from 0 failed
nl80211: Failed to set interface vlan2 into AP mode
nl80211 driver initialization failed.
rmdir[ctrl_interface]: No such file or directory
ELOOP: remaining socket: sock=4 eloop_data=0x80a7870 user_data=0x80a94f8
handler=0x8072070
ELOOP: remaining socket: sock=6 eloop_data=0x80aaf38 user_data=(nil)
handler=0x807ab20
***@mini-dell:~/hostapd-conf#
===========================screen shot ends =============================


------------------hostapd.conf begin ------------------
interface=vlan2
#bridge=brg0
driver=nl80211
logger_syslog=-1
logger_syslog_level=0
logger_stdout=-1
logger_stdout_level=0
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0

##### IEEE 802.11 related configuration #######################################
ssid=bypass
country_code=US
ieee80211d=1
hw_mode=a
channel=36
beacon_int=100
dtim_period=2
max_num_sta=255
rts_threshold=2347
fragm_threshold=2346
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
------------------hostapd.conf end------------------


--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo-***@public.gmane.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
jpo234
2010-10-22 11:45:58 UTC
Post by Chaoxing
1. Can anyone here help me understand what mac80211 "AP/VLAN" mode is and how
it's used? I googled and could not find a good document on this.
I think it's not what you think it is. My understanding is, that this is a
special AP mode that allows one to bridge traffic through the AP *AND* the
client. For this to work the 802.11 frames have to carry 4 addresses instead
of the normal 3.
Post by Chaoxing
2. If it's meant for VLAN interface for multiple-SSID, how is the VLAN ID
configured?
I think it's not, see above.
Post by Chaoxing
3. In my AP with proprietary driver, there's multiple-SSID over the same BSSID.
(Meaning they share the same MAC address.) Each SSID is mapped to one VLAN.
Broadcasting SSID is disabled.
On receiving packets from clients, the AP adds the VLAN tag for the SSID the client associated with.
On transmitting packets to clients, the AP removes the VLAN tag.
Is it possible to achieve the above functionality through existing open source
software (mac80211, iw, hostapd, radio driver, etc)?
I have not done this, but since nobody else replied I'll explain what I think
you have to do:

Let's say you have two VLANs, tagged with 5 and 6.

1) create two VAP interfaces with iw:
iw phy phy0 interface add vap5 type managed
iw phy phy0 interface add vap6 type managed
(I think managed is ok, hostapd will change this to ap)
2) run hostapd on each of the VAP interfaces, use different SSIDs
3) create VLAN interfaces on top of your VLAN trunk interface (e.g. where you
get the tagged frames). Use either vconfig or ip to do this.
vconfig add eth0 5
vconfig add eth0 6
this will create the VLAN interfaces eth0.5 and eth0.6
4) create bridges to connect the AP interfaces with the VLANs
brctl addbr "br5"
brctl addbr "br6"
5) connect the APs with the corresponding VLANs
brctl addif br5 eth0.5
brctl addif br5 vap5
brctl addif br6 eth0.6
brctl addif br6 vap6

Now the *untagged* traffic from VLAN 5 should be bridged to vap5 and from
VLAN 6 to vap6.

Once again, this is untested! This is just how I think this could be done.

Regards
Joerg

Johannes Berg
2010-10-25 08:50:00 UTC
Post by jpo234
I think it's not what you think it is. My understanding is, that this is a
special AP mode that allows one to bridge traffic through the AP *AND* the
client. For this to work the 802.11 frames have to carry 4 addresses instead
of the normal 3.
Err, no, we just use the AP/VLAN interfaces in 4addr mode for this,
don't get confused :-)

johannes

Jouni Malinen
2010-10-22 15:27:53 UTC
Post by Chaoxing
1. Can anyone here help me understand what mac80211 "AP/VLAN" mode is and how
it's used? I googled and could not find a good document on this.
See dynamic-VLAN configuration in hostapd.conf.
Post by Chaoxing
2. If it's meant for VLAN interface for multiple-SSID, how is the VLAN ID
configured?
In theory, it could be used with multiple-SSID (i.e., mapping from SSID
to VLAN), but there is no support for that in hostapd. The main use for
this AP/VLAN interface is to get VLAN ID from a RADIUS server (or for
more limited testing, from a local text file based on the station MAC
address).
Post by Chaoxing
3. In my AP with proprietary driver, there's multiple-SSID over the same BSSID.
(Meaning they share the same MAC address.) Each SSID is mapped to one VLAN.
Broadcasting SSID is disabled.
On receiving packets from clients, the AP adds the VLAN tag for the SSID the client associated with.
On transmitting packets to clients, the AP removes the VLAN tag.
Is it possible to achieve the above functionality through existing open source
software (mac80211, iw, hostapd, radio driver, etc)?
You can do similar setup with RADIUS-based VLAN ID allocation. Though,
mac80211 will leave the VLAN tagging or other upper layer configuration
to other parts of the networking stack (VLAN, bridge, IP routing).
hostapd can set that up for the bridge and WLAN interfaces and if
desired, you can then bind those to tagged ethernet interface.

Since we support multi-BSSID configuration (which is superior to
multi-SSID for most cases), I haven't seen enough justification to work
with multi-SSID functionality. Do you have a use case that would need it
or would the RADIUS-based VLAN ID allocation or multi-BSSID support
address your needs?
--
Jouni Malinen PGP id EFC895FA
Chaoxing Lin
2010-10-22 17:43:07 UTC
Jouni Malinen
2010-10-22 18:27:24 UTC
Post by Chaoxing Lin
CLIN: I saw that dynamic-VLAN section. And did not quite understand how
to set it up. Is there any further documentation on dynamic-VLAN?
I don't know, but Google search for the configuration field names in
hostapd.conf will likely give you some hits (no guarantees of usefulness
of those, though).
Post by Chaoxing Lin
Must the interface in /etc/hostapd.vlan be type of __ap_vlan? Or it can
be any AP interface specified in "bss=xxx" in multi-BSSID case?
You should not create them manually; hostapd will create these for you..
Sure, the type will be NL80211_IFTYPE_AP_VLAN, but you should not need
to know that ;-).
Post by Chaoxing Lin
CLIN: Getting VLAN ID from Radius server means all VLANs must use 802.1x
way for authentication.
No, it doesn't. But the only other option is to use station MAC address
to VLAN ID mapping, so yes, this has some limitations.
Post by Chaoxing Lin
1. Most of the time multi-BSSID is superior to multi-SSID. But
multi-BSSID uses multiple MAC addresses and each radio actually has only
reserved one MAC address. Meaning, all other MAC addresses used are
actually reserved by other radio/Ethernet adapter, etc. When product
like this goes on market, it's bound to have MAC address conflict,
unless vendor reserves enough MAC for its product. It's kind of a waste
to reserve 32 (in my case) MAC addresses per radio since most of the
time multi-BSSID won't be used in SOHO.
There are costs involved with it, but then again, so there are with
multi-SSID.. I would just refuse to depend on multi-SSID myself because
of interop issues and limitations on what kind of security policies can
be used between the networks sharing the same BSSID.

You can get pretty good results with use of locally administered
addresses, but sure, there is always a possibility of conflict, even if
very unlikely with good address allocation strategy.
Post by Chaoxing Lin
2. The other thing regarding hostapd dynamic VLAN is that it creates a
bridge for each VLAN and tag is only added at a certain interface e.g.
"vlan_tagged_interface=eth0". There are a few problems with this design.
a. One bridge for each VLAN overloads system unnecessarily. It
means that all protocols over bridge have to run multiple copies, one
per bridge. This is expensive for embedded devices.
Keep in mind that CONFIG_FULL_DYNAMIC_VLAN is optional functionality..
If you don't want it, don't enable it.
Post by Chaoxing Lin
b. In case multiple interfaces need a VLAN tag, does hostapd
allow me to put multiple interfaces in "vlan_tagged_interface=xxx"
option? Even if it allows that, it's still inconvenient if the interface
list is dynamic. My current product has one bridge which encloses
one Ethernet port,
AP/VLAN interface,
and multiple(dynamic, auto detect by proprietary app) WDS interfaces.
I would assume that you can simulate something similar by providing
some scripts for managing how the interfaces get linked together and not
using hostapd to manage the VLAN interfaces at all.
Post by Chaoxing Lin
Only AP/VLAN interface adds/removes/checks VLAN tag per SSID, while all
other interfaces in the bridge pass packet as is (In other words, they
behave as VLAN trunk ports). Eventually, it's up to the VLAN switch
attached at the Ethernet port to distribute packet per VLAN rules. It
seems hard for me to use current (mac80211, hostapd, iw, etc) to achieve
what I need.
I'm not sure whether I would fully agree with that, but sure, it may not
currently provide everything you need. Anyway, it should be possible to
extend this as needed..
--
Jouni Malinen PGP id EFC895FA
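
Added example, not part of the thread and not hostapd's shipped files: a minimal layout of the dynamic-VLAN setup discussed above, using the local station-MAC-to-VLAN file instead of RADIUS. The three files are shown in one block; interface names, file paths, the SSID and the MAC addresses are assumptions or constructed values.

```ini
# ---- /etc/hostapd/hostapd.conf (excerpt; path is an assumption) ----
# Ordinary AP-capable interface (assumed name), not a hand-made __ap_vlan one
interface=wlan0
driver=nl80211
# Constructed SSID
ssid=example-net
hw_mode=a
channel=36

# 0 = disabled
# 1 = optional (a station without a VLAN ID stays on the base interface)
# 2 = required (reject if the RADIUS server supplies no VLAN ID)
dynamic_vlan=1

# VLAN ID -> AP/VLAN interface name; hostapd creates these interfaces itself
vlan_file=/etc/hostapd/hostapd.vlan

# Needs a build with CONFIG_FULL_DYNAMIC_VLAN: hostapd then also creates one
# bridge per VLAN and attaches the 802.1Q sub-interface of this trunk port
vlan_tagged_interface=eth0

# Local alternative to RADIUS: per-station VLAN ID read from the accept list
macaddr_acl=0
accept_mac_file=/etc/hostapd/hostapd.accept

# ---- /etc/hostapd/hostapd.vlan ----
# <VLAN ID> <interface name>
5	vlan5
6	vlan6
# Wildcard for any other VLAN ID; '#' is replaced with the ID
*	vlan#

# ---- /etc/hostapd/hostapd.accept ----
# <station MAC> [VLAN ID]   (constructed addresses)
02:00:00:00:00:05	5
02:00:00:00:00:06	6
```

A station's MAC address is visible on the air and can be set by the client, so this mapping sorts stations into VLANs but is not an authentication control on its own.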