
Authentication fails on guest SSID connected to a bridge other than br0

lalley2ka

New Around Here
I have an unusual situation where an app I am using to control certain devices remotely has to be in the same broadcast domain as those devices. I do this by accessing a remote OpenVPN TAP (not TUN) server installed on a router on the remote end with a client installed on my router. The client is connected to its own internal bridge, which is in turn connected to a dedicated virtual wireless interface with its own unique SSID. When I connect to that ID, it is as if I am locally connected to the subnet and broadcast domain on the far end. I have all this working perfectly with Fresh Tomato on my local router.

I also am able to get it working with Merlin as long as the virtual wireless (a guest SSID) is set up for open authentication. The data flow works just great. But if I turn on WPA2-Personal, I always get a "Can't connect to this network" error. No messages of any kind are logged in the syslog.

I am thinking I might be missing some critical authentication configuration somewhere.

This is how I have it set up: with a custom script that runs at startup I create a new bridge (br11). I delete my special guest virtual wireless interface (wl1.2) from br0, and add it to br11. I give br11 a statically assigned address consistent with the far end of the TAP VPN, and bring it up with ifconfig. When the TAP client connects, I run a script that deletes the client interface (tap11) from br0 and assigns it to br11. As I say, everything works great except for the authentication. As soon as I change it from Open to WPA2-Personal, I get the "Can't connect" error.

Am I missing something somewhere, or is there a reason this just can't work?
 
I finally solved this myself. If you add a bridge, or change interfaces assigned to a bridge, you need to properly set the NVRAM variables that eapd (the daemon that handles wifi authentication) looks at, and then restart eapd. Here is what worked for me:

# set the nvram settings that are used by eapd, otherwise
# authentication won't work

# delete our guest interface from lan and br0
nvram set lan_ifnames="vlan1 eth1 eth2 wl1.3"
nvram set br0_ifnames="vlan1 eth1 eth2 wl1.3"
# set up our guest interface on lan1 and br11
nvram set lan1_ifname="br11"    # This is the name of my new bridge
nvram set lan1_ifnames="wl1.2"  # This is my guest interface I am adding to br11
nvram set br11_ifnames="wl1.2"
# set addresses for our new lan
nvram set lan1_hwaddr=D4:5D:64:E9:B4:96  # Note: put the MAC address of the guest interface here
nvram set lan1_ipaddr=192.168.1.203      # And the IP address here

# now restart eapd and dnsmasq
killall eapd
killall dnsmasq
service restart_dnsmasq
eapd
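
A consistency check for the fix described above, as an added example that is not part of the original posts: it flags a wireless interface whose live bridge does not match the `<bridge>_ifnames` NVRAM lists, the condition under which the guest SSID only worked with open authentication. The function names, the two input text formats and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the post): compare live bridge membership with the
# <bridge>_ifnames NVRAM lists the post sets before restarting eapd.
# Assumptions: NVRAM text is "key=value" lines; membership text is one
# "bridge iface" pair per line; only wl* interfaces are checked.

nv_get() {  # nv_get KEY NVRAM_TEXT -> value of KEY, empty if unset
    printf '%s\n' "$2" | sed -n "s/^$1=//p" | head -n 1
}

in_list() {  # in_list WORD "space separated list" -> 0 if WORD is a member
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

check_bridges() {  # check_bridges NVRAM_TEXT MEMBERS_TEXT -> findings, one per line
    nv=$1
    bridges=$(printf '%s\n' "$2" | while read -r b rest; do echo "$b"; done | sort -u)
    printf '%s\n' "$2" | while read -r br ifc; do
        case $ifc in wl*) ;; *) continue ;; esac
        # the interface must be listed for the bridge it is actually in
        in_list "$ifc" "$(nv_get "${br}_ifnames" "$nv")" ||
            echo "MISSING $ifc not in ${br}_ifnames"
        # and must not linger in the list of a bridge it was removed from
        for other in $bridges; do
            [ "$other" = "$br" ] && continue
            if in_list "$ifc" "$(nv_get "${other}_ifnames" "$nv")"; then
                echo "STALE $ifc still in ${other}_ifnames"
            fi
        done
    done
    return 0
}

# Constructed sample data: wl1.2 was moved to br11 but NVRAM was not updated.
MEMBERS='br0 vlan1
br0 eth1
br0 eth2
br0 wl1.3
br11 wl1.2
br11 tap11'
NVRAM_BEFORE='br0_ifnames=vlan1 eth1 eth2 wl1.2 wl1.3
lan1_ifname=br11'
NVRAM_AFTER='br0_ifnames=vlan1 eth1 eth2 wl1.3
br11_ifnames=wl1.2'

check_bridges "$NVRAM_BEFORE" "$MEMBERS"
```

An empty result for a given pair of inputs means every checked wireless interface is listed for the bridge it is in and for no other.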
 
