I wanted to set up RADIUS (FreeRADIUS 3 in OpenWRT / LuCI), but then I read about WPA3 with PPSK (Private Pre-Shared Key), which claims each device connecting to the wi-fi access point can have a unique password. I searched the FAQs & tutorials, and this forum, but I did not find instructions on how to set the personal passphrases in the Admin Panel.
My main goals are to control who gets on my small business wi-fi (no sharing of the passphrase), and with the problem of randomized MAC addresses, I assumed this method would allow me to properly label each wireless connected device based on the private PSK.
Are my assumptions correct?
Can this be done on a Flint2?
Can it be done in the GL-iNet Admin Panel? Or does it require SSH access to OpenWRT?
The stock GL.iNet firmware does not support PPSK, so you would need to install the OpenWrt 24 (op24) firmware on the Flint 2.
PPSK is configured via SSH and UCI rather than the GL.iNet Admin Panel. You can follow this guide for reference:
Please note that PPSK typically associates individual PSKs with client MAC addresses. Because many devices use randomized MAC addresses, this approach may not fully meet your requirement for reliably identifying and labeling client devices.
FreeRADIUS may be a more appropriate solution.
The MT6000's GL.iNet stock firmware is developed based on the MTK SDK, so its OpenWRT version may differ from the one built on open-source firmware (commonly referred to as op24, etc.).
The GL SDK is older on the op24, but it will use a more recent version of OpenWrt rather than the MTK SDK.
A short summary of what this means:
GL-iNet creates multiple routers, and based on the CPU SoC they use a development kit from that vendor as the base. This often means it is using an ancient version of OpenWrt but with the proprietary drivers of the vendor (i.e. Mediatek, Qualcomm, SiFlower), which would never be accepted in OpenWrt due to licenses. The vendor maintains this base, not OpenWrt; OpenWrt however uses its own unique wireless driver.
^ As an example, take a TP-Link router: if you had shell access, I'm pretty confident it's using QSDK, which is also using an ancient version of OpenWrt.
On top of that, GL-iNet adds their own code base on top of this base and calls it GL-SDK.
This also means these vendor-based firmwares often have boosted settings too, but are often very scarce in the features you could use within the LuCI implementation, mostly only for the basic things.
Op24 means it is using a version of OpenWrt 24 as the base, and on top they added the GL UI.
On some router models the GL SDK does not walk in parallel with features per se, but I know with the Flint 2 it does, so you can expect a bit older GL feature set, but a newer OpenWrt.
I appreciate you explaining all that, but I'm as dumb as a Barbie doll.
I wish to know, should I install the newest stable version of OpenWrt from the OpenWRT website, since I think that will make the FreeRADIUS software package work the best? When I tried to install and then run FreeRADIUS, it had too many errors to start, and when I researched, I learned my MT6000 OpenWrt version is old compared to the OpenWrt website's latest stable version, so I am thinking that if I upgrade, the install might work better, and at least I will have the latest version of OpenWrt.
Unless I do not understand well enough, are you saying I can't install the OpenWRT website version, because the MT6000 requires the customized GL.iNet version to function correctly? Thank you.
The firmware of GL-iNet provided by dl.gl-inet.com, which is the OP24 version, is one of the releases of OpenWrt.
Not the newest, but that is not necessary for FreeRADIUS; on the MTK SDK, which is the factory firmware of GL-iNet, the OpenWrt backhaul is too old, only the GL part is newer.
Anyway, since I don't understand this and I don't want to break the device, I won't do any upgrades from the OpenWRT website; I will stick with the upgrades provided by GL.iNet.
With the backhaul I mean the OpenWrt version which runs in the background of the GL firmware.
If you visit https://dl.gl-inet.com and select your router model, if you look carefully you see tabs, and you want OP24; this will fully support FreeRADIUS.
Choose the sysupgrade images.
The standard firmware is limited for this use case, but the OP24 one is not; OP24 stands for OpenWrt 24.
Make sure to not keep settings when uploading the firmware.
@will.qiu this is great. Looking at the Radius Desk/hostapd link that you shared, I think that implementing the special MAC address 00:00:00:00:00:00 combined with VLAN ID prefixes will be sufficient for my purposes. Basically, I just want to establish multiple passwords on my Flint 2 guest network, and depending on the password a client uses to sign on, it will direct them to a specific VLAN created via VLAN bridge filtering, which I can then apply firewall rules to.
In the Radius Desk link you shared, the PPSK without RADIUS setup relies on the /etc/psk.list file.
This file does not appear to be present in the OpenWRT 24 installed on the Flint 2.
The Flint 2 with OpenWRT 24 currently has hostapd-common installed.
What do I need to change to be able to access and edit the /etc/psk.list file?
OpenWRT 24 comes pre-installed with wpad-openssl, which is supposed to contain a full instance of hostapd. According to the "more information" link, this should contain sufficient features to support PPSK VLAN.
However, this requires making edits to the files '/etc/hostapd.wpa_psk' and '/etc/hostapd.vlan'.
My problem is that the entire /etc/hostapd directory does not exist. I have tried uninstalling wpad, and reinstalling wpad-wolfssl and wpad-mbedtls using both UCI and LuCI. Multiple reboots and firmware resets. The directory does not create itself with package installation.
Looking at running processes, I do see both hostapd and wpa_supplicant running. hostapd has files in both '/usr/sbin/hostapd' and '/var/run/hostapd'.
From what I know, you need to create those things yourself.
For your interest, please visit the wiki for the config /etc/config/wireless.
As you can see, you can specify option wpa_psk_file '<path of the file you need to create yourself>'.
The path is a file you can create which further specifies the VLAN data and MAC wildcard.
There is also a less documented one, and very recent:
sae_password_file
Honestly I don't know much about this one.
There are also wifi-vlan and wifi-station, which are newer config variations that do the same as the wpa_psk_file.
Note: for wpa_psk_file you need WPA2. Depending how far this OpenWrt version goes you may be able to use WPA3, but it is required to use MACs, and in very recent OpenWrts it also has been turned into a list for wifi-station. I would advise to stay on WPA2 for now, also because of config stanza changes which could put you in more work for nothing. WPA2 is the only one which does not enforce the requirement of listing client MAC addresses to a VLAN password; WPA3 does, and that is according to the specification.
The problem with this version of OP24 is that it isn't the newest version of OP24 from the GL firmware; the last direct OpenWrt is op25, for which there is no GL firmware.
I wrote a CLI command script for wifi-station and wifi-vlan.
Personally, wifi-station and wifi-vlan are better because these automatically get preserved when upgrading firmware while keeping the settings. When using wpa_psk_file the file location does not get preserved, but it is possible by adding it to /etc/sysupgrade.conf so it gets tracked.
Is there a guide for properly creating the necessary files in '/etc/hostapd'?
Interesting comment about the persistence of wpa_psk_file. When you say "adding it to /etc/sysupgrade.conf", which files specifically should be added there? Just the wpa_psk file, or all the config files?
I tried googling wifi-station and wifi-vlan. Can you clarify what you mean here? Does your script create multiple SSIDs?
This implementation is on a single Flint 2 acting as a 4-in-1 combo unit (access point + switch + router + firewall), to which multiple clients need to connect. I want to create 8 wifi VLANs for network segregation (management, trusted devices, work devices, gaming devices, guests, shared printer, IoT with WAN access, and IoT without WAN access), but I don't want 8 SSIDs.
The config option option wpa_psk_file '<somepath>' is only a reference for hostapd; the file you need to create yourself with vim or nano, or with a custom editor through SCP (an FTP-like protocol, but over SSH). The wiki shows a thorough example of how it can be defined. This is the only file needed. If you go with the wifi-station and wifi-vlan stanzas, the wpa_psk_file is not needed; it will do the same in the background. wpa_psk_file was first a raw option from hostapd, but wifi-station does this logic in the background, including the hostapd file.
There is also vlan_bridge to specify the correct bridge it gets tagged to, and for dumb APs you have vlan_tagged_interface where you can define the 'wan' port.
No. Multi-PSK gives you the ability to send a client to a VLAN based on specific passwords, which is nice because it can even eliminate extra SSIDs.
--
Currently I use this feature quite extensively. The only thing that does not work out of the box is the combination of fast roaming and multi-PSK: hostapd has a bug which requires special patching in OpenWrt. I have been testing this and it works, but currently there is no news or PR for this patch; my guess is that they are waiting for changes on the Wi-Fi repo.
A simple config:

config wifi-vlan
    option iface 'default_radio0'    # if this line is removed it listens on both 2.4 GHz and 5 GHz; now it listens on 2.4 GHz only
    option vid '178'
    option name 'aqnet'
    option network 'aqaranet'

config wifi-station
    option iface 'default_radio0'    # if this line is removed, both bands
    option vid '178'
    option mac '12:34:56:78:90:00'   # only required for WPA3; WPA2+WPA3 is invalid; WPA2 is for the MAC wildcard (per-passphrase VLAN). In very recent versions of OpenWrt, likely OP25, the word option gets replaced by list, so: list mac 'onemac' 'anothermac'
    option key 'hunter12'            # the wifi password

^ This assumes VLANs are automatically attaching to br-lan.
Not having fast roaming in this scenario is acceptable.
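The two ways of expressing a per-passphrase VLAN described above (the raw hostapd wpa_psk_file and the newer wifi-vlan/wifi-station stanzas) both boil down to a small set of values that are easy to get wrong: a VLAN id outside 1-4094, a passphrase shorter than 8 characters, or a mistyped MAC will make hostapd reject the file or silently ignore the entry. The script below is an added example (it is not xize11's script, nor OpenWrt or hostapd code) that validates those values and prints either a wpa_psk_file line in hostapd's `[vlanid=N] <mac> <passphrase>` format or a `uci batch` script for the stanzas shown in the post. The section names (`vlan_<suffix>`, `sta_<suffix>`) and all sample values are constructed for the example; nothing is written to the router, the output is meant to be reviewed and then piped into `uci batch` or redirected into the wpa_psk_file.

```shell
#!/bin/sh
# Added example (not from the thread, OpenWrt or hostapd): validate a
# "vlan / mac / passphrase" mapping and emit either a hostapd wpa_psk_file
# line or a `uci batch` script for wifi-vlan + wifi-station stanzas.
# Only prints text; section names and sample values are constructed.

valid_vid() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# hostapd accepts an ASCII passphrase of 8..63 characters or a 64-hex-digit PSK.
valid_psk() {
    n=${#1}
    if [ "$n" -eq 64 ]; then
        printf '%s\n' "$1" | grep -Eq '^[0-9a-fA-F]{64}$'
    else
        [ "$n" -ge 8 ] && [ "$n" -le 63 ]
    fi
}

# One line of the file referenced by `option wpa_psk_file`:
#   vlanid=<vid> <mac> <passphrase>
# 00:00:00:00:00:00 is hostapd's wildcard: any station may use this passphrase
# (WPA2 only, as the thread notes; WPA3 needs a real MAC per entry).
psk_file_line() {
    vid=$1; mac=$2; psk=$3
    valid_vid "$vid" || { echo "bad vlan id: $vid" >&2; return 1; }
    valid_mac "$mac" || { echo "bad mac: $mac" >&2; return 1; }
    valid_psk "$psk" || { echo "bad passphrase for vlan $vid" >&2; return 1; }
    printf 'vlanid=%s %s %s\n' "$vid" "$mac" "$psk"
}

# Build the whole file from "vid mac passphrase" triples on stdin; abort on the
# first bad entry so a half-written file never reaches hostapd. Passphrases
# here must not contain whitespace, because the triple is split on it.
psk_file() {
    while read -r vid mac psk; do
        [ -n "$vid" ] || continue          # skip blank lines
        psk_file_line "$vid" "$mac" "$psk" || return 1
    done
}

# `uci batch` text for a wifi-vlan plus wifi-station pair like the one in the
# post. No `option mac` is emitted: with WPA2 the station entry wildcards.
#   $1 section suffix, $2 wifi-iface name, $3 vid, $4 vlan name,
#   $5 network the vlan attaches to, $6 passphrase
uci_vlan_station_batch() {
    suffix=$1; iface=$2; vid=$3; name=$4; network=$5; key=$6
    valid_vid "$vid" || { echo "bad vlan id: $vid" >&2; return 1; }
    valid_psk "$key" || { echo "bad passphrase for $name" >&2; return 1; }
    cat <<EOF
set wireless.vlan_$suffix=wifi-vlan
set wireless.vlan_$suffix.iface='$iface'
set wireless.vlan_$suffix.vid='$vid'
set wireless.vlan_$suffix.name='$name'
set wireless.vlan_$suffix.network='$network'
set wireless.sta_$suffix=wifi-station
set wireless.sta_$suffix.iface='$iface'
set wireless.sta_$suffix.vid='$vid'
set wireless.sta_$suffix.key='$key'
EOF
}

# Usage (values constructed):
#   psk_file_line 178 00:00:00:00:00:00 hunter12 >> /tmp/hostapd.wpa_psk
#   uci_vlan_station_batch aqnet default_radio0 178 aqnet aqaranet hunter12 | uci batch
```

Review the printed batch before committing it (`uci commit wireless && wifi reload`), and if you stay with the wpa_psk_file route, add that file's path to /etc/sysupgrade.conf as the post says so it survives a sysupgrade.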
Ok! This is starting to make sense.
For each password-VLAN assignment I want to create, I should add a "config wifi-station" section to /etc/config/wireless. If I want any device with the correct password to be able to connect, I can just use all zeros for the 'option mac'. Devices connecting using this password would be assigned to the VLAN indicated in 'option vid'.
For each VLAN, I would create that by adding a 'config wifi-vlan' section to /etc/config/wireless.
Using this method, I do not see any SSID assignments. When a client logs onto a WiFi network, they have to select an SSID, then input a password. In this wifi-station/wifi-vlan method, is it that a client can connect to ANY SSID on a particular radio, and still get assigned to a VLAN?
Should I activate bridge VLAN filtering on br-lan? Or how do I get the VLANs to automatically attach?
Correct, and also a wifi-vlan; they are a bit doable but definitely needed. My script basically does that for you.
In this case we speak only of the wifi-station config stanza; then no, it automatically wildcards for you, so that line can technically be removed, but only if the cipher was set to WPA2. If WPA3, MAC addresses are required and wildcarding is not an option, even with the wpa_psk_file wildcard 00:00:00:00:00:00.
If I'm correct it works per band, or at least the underlying device default_radio1 or default_radio0. When I create another SSID I see it creates a new node called wifinet2 but with the same wifi-iface property as default_radio0 or default_radio1, so it can work.
Likely yes; I would test what the output is with brctl show.
It should look like:
root@X-SDK-Central:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br-lan          0000.16eb8469f8bc       yes             phy1-ap0-aya
                                                        phy0-ap0-aqnet
                                                        lan4
                                                        phy0-ap0-beta
                                                        lan2
                                                        phy1-ap0-beta
                                                        phy1-ap0-wlan0
                                                        lan5
                                                        phy0-ap0-wlan1
                                                        lan3
                                                        phy0-ap0-sma
                                                        lan1
                                                        phy0-ap0-iot
                                                        phy0-ap0-hwnet
But my guess is that it tags, so you may have to tag it in br-lan; so VLAN filtering might be required. On my setup I have it, but that is also because of wired segments; you have to test. Very interested to hear if it works without it; hostapd always requires a bridge anyway.
Likely, if it was only for wireless, I would think of adding the literal phy0 namings as DSA devices; for some reason they are hidden from view by OpenWrt. They need to be tagged then in VLAN filtering, so you still get a br-lan.vlan annotation but only tags to phy0-xx.
Ok thanks! I'm going to give it a try. I don't understand how your script works, but I do understand vim: copy/paste and edit.
In my current setup, I have the default GL-iNet interfaces 'br-lan' and 'br-guest' as well as a 'br-IoT' interface that I set up (which is basically a clone of 'br-guest'). In LuCI, I am able to create firewall rules and then assign firewall rules to interfaces. How do you assign firewall rules to the individual VLANs created using your wifi-station/wifi-vlan method?
Well, this is simple: you create a network interface containing the new VLAN through either br-lan.xx or br-iot.xx. These devices get visible due to VLAN bridge filtering; however, if you want hostapd to add their devices to the right bridge, you want to use option bridge_vlan 'br-iot'.
In this network interface you can assign firewall zones.
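The step just described, making the VLAN exist on the bridge, giving it a network interface on `<bridge>.<vid>`, and attaching a firewall zone to that interface, is where the other threads on this page report losing connectivity. The script below is an added example (not xize11's script and not OpenWrt's own code) that emits one reviewable `uci batch` script for the whole step. It follows the OpenWrt DSA practice of defining the base VLAN 1 explicitly with the existing wired ports untagged and as PVID (`lanX:u*`) at the same time as `vlan_filtering` is switched on, so the existing LAN keeps its untagged membership, and it puts the new VLAN in its own zone that only forwards to `wan`, with the router itself reachable just for DHCP and DNS. The device section name (`@device[0]`), the subnet and the zone defaults are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenWrt): emit a `uci batch`
# script that creates VLAN <vid> on a filtering bridge, a network interface
# on <bridge>.<vid> with DHCP, and a restrictive firewall zone for it.
# Prints text only; review it, then: sh thisfile.sh | uci batch && uci commit
# Assumptions (constructed): device section name, subnet, zone policy.

valid_vid() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

#   $1 uci section of the bridge device (e.g. @device[0] for br-lan on a
#      default config), $2 bridge name, $3 vid, $4 interface/zone name,
#   $5 router IPv4 address in the new VLAN, $6 space-separated wired ports
#      that must keep their untagged VLAN 1 access
vlan_network_batch() {
    devsec=$1; bridge=$2; vid=$3; name=$4; ipaddr=$5; ports=$6
    valid_vid "$vid" || { echo "bad vlan id: $vid" >&2; return 1; }
    [ "$vid" -ne 1 ] || { echo "vid 1 is the untagged base VLAN" >&2; return 1; }
    [ -n "$ports" ] || { echo "list the wired ports that stay on VLAN 1" >&2; return 1; }

    # Enable filtering and, in the same batch, keep VLAN 1 untagged + PVID on
    # the wired ports; without an explicit base VLAN the existing network can
    # end up with no untagged membership once filtering is on.
    printf "set network.%s.vlan_filtering='1'\n" "$devsec"
    printf "set network.bv_base=bridge-vlan\n"
    printf "set network.bv_base.device='%s'\n" "$bridge"
    printf "set network.bv_base.vlan='1'\n"
    for p in $ports; do
        printf "add_list network.bv_base.ports='%s:u*'\n" "$p"
    done

    # The new VLAN only has to exist on the bridge: hostapd attaches the
    # per-VLAN wireless interfaces itself, so no wired port is a member.
    cat <<EOF
set network.bv_$name=bridge-vlan
set network.bv_$name.device='$bridge'
set network.bv_$name.vlan='$vid'
set network.$name=interface
set network.$name.device='$bridge.$vid'
set network.$name.proto='static'
set network.$name.ipaddr='$ipaddr'
set network.$name.netmask='255.255.255.0'
set dhcp.$name=dhcp
set dhcp.$name.interface='$name'
set dhcp.$name.start='100'
set dhcp.$name.limit='150'
set dhcp.$name.leasetime='12h'
set firewall.zone_$name=zone
set firewall.zone_$name.name='$name'
add_list firewall.zone_$name.network='$name'
set firewall.zone_$name.input='REJECT'
set firewall.zone_$name.output='ACCEPT'
set firewall.zone_$name.forward='REJECT'
set firewall.fwd_$name=forwarding
set firewall.fwd_$name.src='$name'
set firewall.fwd_$name.dest='wan'
set firewall.r_${name}_dhcp=rule
set firewall.r_${name}_dhcp.name='Allow-DHCP-$name'
set firewall.r_${name}_dhcp.src='$name'
set firewall.r_${name}_dhcp.proto='udp'
set firewall.r_${name}_dhcp.dest_port='67-68'
set firewall.r_${name}_dhcp.target='ACCEPT'
set firewall.r_${name}_dns=rule
set firewall.r_${name}_dns.name='Allow-DNS-$name'
set firewall.r_${name}_dns.src='$name'
set firewall.r_${name}_dns.proto='tcp udp'
set firewall.r_${name}_dns.dest_port='53'
set firewall.r_${name}_dns.target='ACCEPT'
EOF
}

# Usage (values constructed):
#   vlan_network_batch '@device[0]' br-lan 178 aqnet 10.0.178.1 "lan1 lan2 lan3 lan4 lan5"
```

For an IoT VLAN that must not reach the internet, drop the `forwarding` section (clients then only get DHCP and DNS from the router and nothing else); run `brctl show` or `bridge vlan show` afterwards to confirm the `phy0-ap0-<name>` interface created by hostapd landed on the expected bridge and VLAN.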
I have tried several routes to create interfaces associated with VLANs, and every method I've tried so far results in the VLAN-associated interface not being able to connect to the internet. I am able to use the wifi-station/wifi-vlan code you shared to enable logging onto a single SSID with multiple passwords, but internet access is blocked. I have tried this with no firewall rules applied, and I have tried it with fully accepting firewall rules applied.
The methods I have attempted:
Enable bridge VLAN filtering on br-guest, and create VLAN IDs. Turning bridge VLAN filtering on and off turns internet access on and off for the guest network.
Create a separate br-VLAN assigned to LAN port 4 (required in OpenWRT). Create a VLAN interface assigned to br-VLAN. Assign a wireless SSID to br-VLAN. Confirm wifi and internet connection. Confirm ability to apply firewall rules to the VLAN interface. Then enable bridge VLAN filtering on br-VLAN. The same thing happened as with the guest network: enabling bridge VLAN filtering somehow blocks internet access.
Create a separate 802.1q VLAN1 device associated with a wired LAN port (OpenWRT requirement). Then create a separate br-VLAN device associated with the 802.1q VLAN1. Then under Interfaces, create a VLAN1 interface. Then under Wireless, create a new SSID and assign it to the br-VLAN device.
In all methods, I am able to log in to the SSID network using the password set in the LuCI GUI, and also using the passwords set in the wifi-station/wifi-vlan UCI. None of the password logins are able to access the internet.
@xize11 How did you set yours up? Any idea what I'm doing wrong?