# IPFW tag/tagged/untag



## Ofloo (Mar 5, 2018)

I want to tag specific MAC addresses into a specific VLAN; from what I gather this can be accomplished with IPFW. Although I'm not quite sure of the syntax, does anyone have a syntax sample for this?


----------



## SirDice (Mar 5, 2018)

I think you're misunderstanding IPFW and/or VLANs. Tagging within IPFW has to do with queues (traffic shaping) and general filtering; it has nothing to do with VLAN tagging.

In order to prevent an XY problem, what are you trying to accomplish?


----------



## Ofloo (Mar 5, 2018)

I've set up a WPA2+TLS AP and I'm trying to put specific wireless clients into a specific VLAN. Since I can't figure out how to make hostapd work with dynamic VLANs on FreeBSD, I figured I'd try macvlan, tagging specific MAC addresses into a specific VLAN.

What I basically want is to add a vlan tag to specific clients.


----------



## SirDice (Mar 5, 2018)

Does the rest of your network support VLANs? I mean, your switch has to support VLANs too. Most of the "simple" unmanaged SOHO switches don't support VLANs. You will need a trunk and a couple of vlan(4) interfaces in order for this to work at all.


----------



## Ofloo (Mar 5, 2018)

Yes it is, it's a cheap T2600G-28TS but it is a managed switch.


----------



## SirDice (Mar 5, 2018)

I don't think you can put individual hosts in a VLAN. It's more common to see a whole Wifi network put behind a VLAN. So you would need to create more Wifi networks, each on their own VLAN. So, SSID1 is on VLAN1, SSID2 is on VLAN2, etc. That's the way it's done on my LAPAC1750Pro for example.


----------



## Ofloo (Mar 5, 2018)

Sure you can: https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf


```
# Dynamic VLAN mode; allow RADIUS authentication server to decide which VLAN
# is used for the stations. This information is parsed from following RADIUS
# attributes based on RFC 3580 and RFC 2868: Tunnel-Type (value 13 = VLAN),
# Tunnel-Medium-Type (value 6 = IEEE 802), Tunnel-Private-Group-ID (value
# VLANID as a string). Optionally, the local MAC ACL list (accept_mac_file) can
# be used to set static client MAC address to VLAN ID mapping.
# 0 = disabled (default)
# 1 = option; use default interface if RADIUS server does not include VLAN ID
# 2 = required; reject authentication if RADIUS server does not include VLAN ID
#dynamic_vlan=0
```



> Enterprise Wi-Fi authentication also enables advanced features such as putting users dynamically into a specific VLAN (e.g. separate guest and staff logins into different IP networks even though being on the same SSID), and dynamic ACLs



http://wiki.freeradius.org/guide/Enterprise WiFi

Of course you don't leave it at the default; otherwise it's easier to just bridge.

```
DEFAULT NAS-Port-Type == Wireless-802.11
        Tunnel-Type = 13,
        Tunnel-Medium-Type = 6,
        Tunnel-Private-Group-Id = "700"
```

And it tries to do so, only it can't create the VLAN on the wlan interface.



hostapd output:


```
wlan0: RADIUS Received 186 bytes from RADIUS server
wlan0: RADIUS Received RADIUS message
wlan0: STA cc:fa:00:x:x:x RADIUS: Received RADIUS packet matched with a pending request, round trip time 0.00 sec
RADIUS packet matching with station cc:fa:00:x:x:x
wlan0: STA cc:fa:00:x:x:x RADIUS: VLAN ID 700
VLAN: vlan_add_dynamic(vlan_id=700 ifname=wlan0.#)
wlan0: STA cc:fa:00:x:x:x IEEE 802.11: could not add dynamic VLAN interface for vlan_id=700
wlan0: STA cc:fa:00:x:x:x IEEE 802.1X: decapsulated EAP packet (code=3 id=87 len=4) from RADIUS server: EAP Success
EAP: EAP entering state AAA_RESPONSE
EAP: getId: id=87
EAP: EAP entering state SEND_REQUEST2
EAP: EAP entering state IDLE2
EAP: retransmit timeout 3 seconds (from dynamic back off; retransCount=0)
IEEE 802.1X: cc:fa:00:x:x:x BE_AUTH entering state REQUEST
wlan0: STA cc:fa:00:x:x:x IEEE 802.1X: Sending EAP Packet (identifier 87)
IEEE 802.1X: cc:fa:00:x:x:x - (EAP) retransWhile --> 0
EAP: EAP entering state RETRANSMIT2
EAP: EAP entering state IDLE2
EAP: retransmit timeout 6 seconds (from dynamic back off; retransCount=1)
IEEE 802.1X: cc:fa:00:x:x:x BE_AUTH entering state REQUEST
wlan0: STA cc:fa:00:x:x:x IEEE 802.1X: Sending EAP Packet (identifier 87)
```
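
The decision hostapd is making in the log above (RADIUS tunnel attributes per RFC 3580 and RFC 2868, the `dynamic_vlan` modes 0/1/2, and the optional static MAC-to-VLAN mapping from `accept_mac_file`) can be modelled compactly. This is an added example, not hostapd's code; the `accept_mac_file` line format (`MAC [VLAN_ID]`), the RADIUS-before-static-mapping precedence and the `vr0.700`-style interface naming are assumptions, and the sample data is constructed.

```python
"""Model of the dynamic VLAN assignment described in hostapd.conf.
Added example, not hostapd code. Assumes accept_mac_file lines are
'MAC [VLAN_ID]' and that the RADIUS reply wins over the static mapping."""
from typing import Dict, Optional, Tuple

TUNNEL_TYPE_VLAN = 13        # Tunnel-Type value 13 = VLAN (RFC 3580)
TUNNEL_MEDIUM_IEEE802 = 6    # Tunnel-Medium-Type value 6 = IEEE 802

# Constructed sample accept_mac_file: MAC, then an optional static VLAN ID.
ACCEPT_MAC_FILE = """\
# constructed sample
cc:fa:00:11:22:33 700
aa:bb:cc:dd:ee:ff
"""

def parse_accept_mac_file(text: str) -> Dict[str, Optional[int]]:
    """Map lowercase MAC -> static VLAN ID (None when no ID is given)."""
    table: Dict[str, Optional[int]] = {}
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        table[fields[0].lower()] = int(fields[1]) if len(fields) > 1 else None
    return table

def radius_vlan(attrs: Dict[str, str]) -> Optional[int]:
    """VLAN ID carried by the RADIUS reply, or None if absent or inconsistent.
    All three tunnel attributes must be present and agree."""
    if str(attrs.get("Tunnel-Type")) != str(TUNNEL_TYPE_VLAN):
        return None
    if str(attrs.get("Tunnel-Medium-Type")) != str(TUNNEL_MEDIUM_IEEE802):
        return None
    gid = str(attrs.get("Tunnel-Private-Group-Id", ""))
    # Tunnel-Private-Group-Id is the VLAN ID as a string; 1..4094 are valid.
    if not gid.isdigit() or not 1 <= int(gid) <= 4094:
        return None
    return int(gid)

def assign_vlan(sta_mac: str, attrs: Dict[str, str], dynamic_vlan: int,
                mac_acl: Dict[str, Optional[int]],
                tagged_if: str = "vr0") -> Tuple[str, Optional[str]]:
    """dynamic_vlan: 0 = disabled, 1 = optional (fall back to the default
    interface), 2 = required (reject when no VLAN ID is available)."""
    if dynamic_vlan == 0:
        return ("default", None)
    vid = radius_vlan(attrs)
    if vid is None:
        vid = mac_acl.get(sta_mac.lower())   # static MAC -> VLAN fallback
    if vid is None:
        return ("reject", None) if dynamic_vlan == 2 else ("default", None)
    return ("vlan", f"{tagged_if}.{vid}")   # e.g. vr0.700, as in the log
```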


----------



## SirDice (Mar 5, 2018)

Argh, confusing, hostapd(8) and net/hostapd are named the same but are completely different. I was thinking about hostapd(8).



Ofloo said:


> And it tries to do so only it can't create the vlan on the wlan interface.


If I understood things correctly the VLAN tagging should happen on the LAN interface, not the WLAN interface.


----------



## SirDice (Mar 5, 2018)

Not sure if this is all you need to set but looking through the config you posted I noticed this:

```
# Interface where 802.1q tagged packets should appear when a RADIUS server is
# used to determine which VLAN a station is on.  hostapd creates a bridge for
# each VLAN.  Then hostapd adds a VLAN interface (associated with the interface
# indicated by 'vlan_tagged_interface') and the appropriate wireless interface
# to the bridge.
#vlan_tagged_interface=eth0
```
That should be set to your LAN interface, or whatever interface is trunked to your network.


----------



## Ofloo (Mar 5, 2018)

I'll look into it, but at first sight:

```
Line 975: unknown configuration item 'vlan_tagged_interface'
1 errors found in configuration file '/etc/hostapd.conf'
```


Even when I do manipulate it to be vr0 with /etc/hostapd.vlan:


```
VLAN: vlan_add_dynamic(vlan_id=700 ifname=vr0.700)
wlan0: STA cc:fa:00:x:x:x IEEE 802.11: could not add dynamic VLAN interface for vlan_id=700
wlan0: STA cc:fa:00:x:x:x IEEE 802.1X: decapsulated EAP packet (code=3 id=87 len=4) from RADIUS server: EAP Success
```


```
VLAN: vlan_add_dynamic(vlan_id=700 ifname=vr0)
wlan0: STA cc:fa:00:x:x:x IEEE 802.11: could not add dynamic VLAN interface for vlan_id=700
wlan0: STA cc:fa:00:x:x:x IEEE 802.1X: decapsulated EAP packet (code=3 id=87 len=4) from RADIUS server: EAP Success
```


----------



## SirDice (Mar 5, 2018)

Ofloo said:


> ```
> Line 975: unknown configuration item 'vlan_tagged_interface'
> 1 errors found in configuration file '/etc/hostapd.conf'
> ```


This is part of the hostapd(8) (/usr/sbin/hostapd) and net/hostapd (/usr/local/sbin/hostapd) confusion.


----------



## Ofloo (Mar 6, 2018)

Not quite sure what you mean by that; both `/usr/local/sbin/hostapd` and `/usr/sbin/hostapd` have this error.


```
# /usr/local/sbin/hostapd -d /etc/hostapd.conf
Configuration file: /etc/hostapd.conf
ctrl_interface_group=0
Line 975: unknown configuration item 'vlan_tagged_interface'
1 errors found in configuration file '/etc/hostapd.conf'
Failed to set up interface with /etc/hostapd.conf
hostapd_init: free iface 0x2882c000
Failed to initialize interface
```


```
# /usr/sbin/hostapd -d /etc/hostapd.conf
Configuration file: /etc/hostapd.conf
ctrl_interface_group=0
Line 975: unknown configuration item 'vlan_tagged_interface'
1 errors found in configuration file '/etc/hostapd.conf'
Failed to set up interface with /etc/hostapd.conf
hostapd_init: free iface 0x28829000
Failed to initialize interface
```


----------



## SirDice (Mar 6, 2018)

Ports _never_ use configuration files in /etc/, ports _always_ use /usr/local/etc/.

hostapd(8) uses /etc/hostapd.conf, net/hostapd uses /usr/local/etc/hostapd.conf.


----------



## phoenix (Mar 8, 2018)

I think what SirDice is trying to get at is that you need to use the port version of hostapd, configure it in /usr/local/etc, and disable the built-in version of hostapd.

Use the RC script installed under /usr/local/etc/rc.d to start/stop it.

Ignore everything hostapd-related from /etc.


----------



## Ofloo (Mar 12, 2018)

It seems that for the time being it is impossible, since it requires the wlan interface to be able to generate VLANs as well. I installed OpenWrt just to see how it is done there, and OpenWrt creates a tagged interface on eth0 as well as on wlan0.

I tried doing this on FreeBSD using `ifconfig vlan create`; however, the MTU then changes and, not sure why, but that doesn't seem to work.


----------

