Archer C7 (ath10k) Mesh

Hi folks,

First of all: mesh is basically working; I already replaced the firmware/kmod.
I just struggle a bit with understanding mesh.

My goal is to have 3 SSIDs, each on a different VLAN, repeated through a second Archer C7. Sadly I can't hard-wire it, so it has to be over the air.

How can I accomplish this setup?
I guess without VLANs it is just setting up a mesh network and bridging the SSIDs to it.

Current setup is 3 SSIDs on each frequency (2,4 & 5) bridged to their vlan interfaces, works great on the first archer.

Do I need a mesh for every VLAN?

Greetings

If you use BATMAN for the mesh you can simply carry more VLANs on the same mesh using the notation bat0.n where n is a VLAN number.

Hey!

My Goal is to have 3 SSIDs, each on a different vlan be repeated through a second Archer C7, sadly I cant hard wire it, so it has to be over air.

Just to be the pedant: there is no "repeat" in a mesh, just layer-2 forwarding. :wink:

If you like to listen to me: Disable mesh forwarding on the mesh interface and let batman-adv handle that for you!

I guess without VLANs it is just setting up a mesh network and bridging the SSIDs to it.

In case of using batman-adv, you will attach the bat0.<vni>, eth0.<vni> and one wireless ap interface to a bridge br-vlan<vni>

How do you configure this? Please read on....

For each VLAN you will have a config device stanza with type bridge (plus a config interface stanza that references it), to which you attach the Linux network devices using list ports eth0.<vni> and list ports bat0.<vni>

I can share my config, or the relevant parts of it...

To recap my setup:
I have 3 devices; 1 acting as a router, and 2 dump-aps.

Router uses dnsmasq-full exclusively for DHCP and DHCPv6, and for RA. I have odhcpd6 removed from my image. (Otherwise you/I get no proper working DNS for ipv6 addresses.)
dnsmasq serves each vlan with its own domain and a bunch of dhcp/dhcpv6 options....

I will copy/paste only the parts I assume are essential. If you need more, or an explanation, please say so.

Some side notes:

  • I get a /56 from my provider, so I make use of it.
  • I use vlan16 as "network management" and vlan17 for ipmi server management interfaces. So dump-ap is using dhcp and dhcpv6 to request addresses. But not on any other vlans.
  • I copy/paste only vlan16 and vlan17 as an example...

Router

wireless

....
# 802.11s mesh link on radio0. It is not bridged directly; it is handed to
# batman-adv through the 'bat0_hardif_mesh0' network.
config wifi-iface 'mesh0'
    option  device      'radio0'
    option  ifname      'mesh0'
    option  network     'bat0_hardif_mesh0'
    option  mode        'mesh'
    # 802.11s forwarding is switched off so that batman-adv does the layer-2
    # forwarding instead.
    option  mesh_fwding '0'
    # mesh_id and key are redacted in this post.
    option  mesh_id     '...'
    # NOTE(review): 802.11s peering is authenticated with SAE; confirm how this
    # build treats 'psk2+ccmp' on a mesh interface, or set 'sae' explicitly.
    option  encryption  'psk2+ccmp'
    # Any node that holds this key can peer with the mesh, and every VLAN in
    # this setup rides on the same bat0. Treat the key like a trunk-port
    # credential: the VLAN tags do not separate mesh nodes from each other.
    option  key         '...'

# Second mesh link, same settings on radio1, attached via 'bat0_hardif_mesh1'.
config wifi-iface 'mesh1'
    option  device      'radio1'
    option  ifname      'mesh1'
    option  network     'bat0_hardif_mesh1'
    option  mode        'mesh'
    option  mesh_fwding '0'
    option  mesh_id     '...'
    option  encryption  'psk2+ccmp'
    option  key         '...'

...

network

I checked and compared the doc/guide in the wiki and came to the conclusion that just everything is default. So there was no need for me to set anything "special" anyway. Feel free to check https://www.open-mesh.org/doc/batman-adv/Batman-adv-openwrt-config.html and/or https://downloads.open-mesh.org/batman/manpages/batctl.8.html

Don't be surprised: in the following VLAN config, each VLAN is tagged only on the CPU port (0t). If you want to use the VLAN, tagged or untagged, on a LAN port, you need to add that port!

...
# batman-adv soft interface. The per-VLAN bridges attach to bat0.<vlan>.
config interface 'bat0'
    option  proto           'batadv'
    option  routing_algo    'BATMAN_IV'

# Hard interface: the wifi-iface whose 'network' option names this section
# (mesh0) becomes a lower link of bat0.
config interface 'bat0_hardif_mesh0'
    option  proto           'batadv_hardif'
    option  master          'bat0'
    # presumably raised so the batman-adv encapsulation overhead does not
    # shrink the payload MTU on bat0; confirm the radio driver accepts it
    option  mtu             '2304'

# Same for mesh1.
config interface 'bat0_hardif_mesh1'
    option  proto           'batadv_hardif'
    option  master          'bat0'
    option  mtu             '2304'

...

# VLAN 16 / net.mgmt / network management
# Switch side: the VLAN is tagged on the CPU port only ('0t'); no LAN port is
# a member until one is added here.
config switch_vlan
    option  device          'switch0'
    option  ports           '0t'
    option  vlan            '16'

# Bridge that joins the wired VLAN (eth0.16) with the same VLAN carried over
# the batman-adv mesh (bat0.16).
config device
    option  name            'br-vlan16'
    option  type            'bridge'
    list    ports           'eth0.16'
    list    ports           'bat0.16'

# Router address on VLAN 16. Because the router holds an address here, traffic
# between this VLAN and the others is routed on this box; what may cross is
# decided by the firewall config, which this post does not show.
# NOTE(review): this is the management VLAN and it is now also reachable over
# the wireless mesh; check that its firewall zone reflects that.
config interface            'vlan16'
    option  device          'br-vlan16'
    # create the bridge even when it has no ports yet
    option  bridge_empty    '1'
    option  igmp_snooping   '1'
    option  proto           'static'
    option  ipaddr          '192.168.16.1/24'
    list    ip6ifaceid      '::1'
    list    ip6ifaceid      'eui64'
    # take a /64 from the delegated prefix, asking for subnet ID 10 (hex)
    option  ip6assign       '64'
    option  ip6hint         '10'

# VLAN 17 / srv.mgmt / server management
# Same layout as VLAN 16: CPU port tagged only.
config switch_vlan
    option  device          'switch0'
    option  ports           '0t'
    option  vlan            '17'

# Bridge joining eth0.17 and bat0.17.
config device
    option  name            'br-vlan17'
    option  type            'bridge'
    list    ports           'eth0.17'
    list    ports           'bat0.17'

# Router address on VLAN 17; the routing/firewall remark on vlan16 applies
# here as well.
config interface            'vlan17'
    option  device          'br-vlan17'
    option  bridge_empty    '1'
    option  igmp_snooping   '1'
    option  proto           'static'
    option  ipaddr          '192.168.17.1/24'
    list    ip6ifaceid      '::1'
    list    ip6ifaceid      'eui64'
    # /64 with subnet ID 11 (hex)
    option  ip6assign       '64'
    option  ip6hint         '11'

dhcp

All vlan dhcp configs are identical so I just show one here.

# VLAN 16
# DHCPv4, DHCPv6 and RA for the vlan16 interface, all served by dnsmasq.
config dhcp                     'vlan16'
    option  interface           'vlan16'
    option  domain              'net.mgmt.home.arpa'
    # pool of 215 addresses starting at host offset 32
    option  start               '32'
    option  limit               '215'
    option  leasetime           '12h'
    option  dhcpv4              'server'
    # The resolver handed out (192.168.0.1) is outside this VLAN's /24, so
    # clients reach it through the router; the firewall has to allow that.
    list    dhcp_option         'option:dns-server, 192.168.0.1'
    list    dhcp_option         'option:domain-name, net.mgmt.home.arpa.'
    list    dhcp_option         'option:ntp-server, 192.53.103.103'
    list    dhcp_option         '100,UTC'  # PCode
    list    dhcp_option         '101,UTC'  # TCode
    list    dhcp_option         'option:domain-search, net.mgmt.home.arpa.'
    # Clients are told that all of 192.168.0.0/16 is reachable via the router.
    # Isolation between the VLANs therefore rests on the router's firewall
    # rules, not on clients lacking a route.
    list    dhcp_option         'option:classless-static-route, 192.168.0.0/16,192.168.16.1'
    option  dhcpv6              'server'
    # <myula> is the author's placeholder for the ULA prefix
    list    dhcp_option         'option6:dns-server, [<myula>::1]'
    list    dhcp_option         'option6:domain-search, net.mgmt.home.arpa.'
    list    dhcp_option         'option6:ntp-server, de.pool.ntp.org.'
    # Router advertisements: SLAAC is allowed and the managed/other flags also
    # point clients at DHCPv6.
    option  ra                  'server'
    option  ra_slaac            '1'
    list    ra_flags            'managed-config'
    list    ra_flags            'other-config'
# /etc/dnsmasq.conf
# dhcp-client-update: do not tell DHCP clients to refrain from their own
# dynamic DNS updates.
dhcp-client-update
# dhcp-fqdn: only fully qualified names (hostname plus the per-subnet domain
# below) are entered into DNS for DHCP clients.
# NOTE(review): those hostnames are normally supplied by the clients
# themselves, so a name under these domains should not be treated as proof of
# which device is answering.
dhcp-fqdn
conf-file=/etc/dnsmasq.conf.domains
# /etc/dnsmasq.conf.domains
# One domain per subnet; the trailing 'local' keeps queries for that domain
# (and the matching reverse zone) from being forwarded upstream.
...
domain=net.mgmt.home.arpa,192.168.16.0/24,local
domain=net.mgmt.home.arpa,<myula>:10::/64,local

domain=srv.mgmt.home.arpa,192.168.17.0/24,local
domain=srv.mgmt.home.arpa,<myula>:11::/64,local
...

Dump AP

network

As I mentioned on vlan16 the dump-ap is using dhcp/dhcpv6 but on all other interfaces there is proto none used.

...
# VLAN 16 / net.mgmt / network management
# Switch side: VLAN tagged on the CPU port only ('0t').
config switch_vlan
    option  device          'switch0'
    option  ports           '0t'
    option  vlan            '16'

# Bridge joining the wired VLAN (eth0.16) and the mesh VLAN (bat0.16).
config device
    option  name            'br-vlan16'
    option  type            'bridge'
    list    ports           'eth0.16'
    list    ports           'bat0.16'

# VLAN 16 is the only VLAN on which the AP requests addresses for itself
# (DHCPv4 here, DHCPv6 in the next section).
# NOTE(review): presumably this is where the AP's own management services are
# meant to be reached; confirm they are not exposed elsewhere.
config interface            'vlan16'
    option  device          'br-vlan16'
    option  bridge_empty    '1'
    option  igmp_snooping   '1'
    option  proto           'dhcp'

# DHCPv6 client on the same bridge: asks for an address, not for a prefix.
config interface            'vlan16_v6'
    option  device          'br-vlan16'
    option  proto           'dhcpv6'
    option  reqaddress      'try'
    option  reqprefix       'no'

# VLAN 17 / srv.mgmt / server management
config switch_vlan
    option  device          'switch0'
    option  ports           '0t'
    option  vlan            '17'

# Bridge joining eth0.17 and bat0.17.
config device
    option  name            'br-vlan17'
    option  type            'bridge'
    list    ports           'eth0.17'
    list    ports           'bat0.17'

# proto 'none': the AP only bridges this VLAN and configures no IP address of
# its own on it.
config interface            'vlan17'
    option  device          'br-vlan17'
    option  bridge_empty    '1'
    option  igmp_snooping   '1'
    option  proto           'none'

I spare the firewall config for now...

In the end you get something like,

ip -br link | sort -V
bat0             UNKNOWN        66:08:8d:f4:b4:ae <BROADCAST,MULTICAST,UP,LOWER_UP> 
...
bat0.16@bat0     UP             66:08:8d:f4:b4:ae <BROADCAST,MULTICAST,UP,LOWER_UP> 
bat0.17@bat0     UP             66:08:8d:f4:b4:ae <BROADCAST,MULTICAST,UP,LOWER_UP> 
...
br-vlan16        UP             ................. <BROADCAST,MULTICAST,UP,LOWER_UP> 
br-vlan16        UP             ................. <BROADCAST,MULTICAST,UP,LOWER_UP> 
...
eth0.16@eth0     UP             ................. <BROADCAST,MULTICAST,UP,LOWER_UP> 
eth0.17@eth0     UP             ................. <BROADCAST,MULTICAST,UP,LOWER_UP> 
....
mesh0            UP             ................. <BROADCAST,MULTICAST,UP,LOWER_UP> 
mesh1            UP             ................. <BROADCAST,MULTICAST,UP,LOWER_UP> 


batctl if
mesh1: active
mesh0: active


brctl show
...
br-vlan16               7fff..................       no              eth0.16
                                                                bat0.16

I hope this helps you. If not, please ask. But it's late, I'm going to bed now.

Edit:
And of course.... Attaching the wireless AP...

# example
# Access point attached to the 'vlan16' network, i.e. bridged into br-vlan16
# together with eth0.16 and bat0.16.
# NOTE(review): vlan16 is the network-management VLAN in this post; for a real
# client SSID, set 'network' to the VLAN those clients belong on.
# NOTE(review): the closing quote on the 'key' line is missing in the post as
# pasted.
config wifi-iface 'default_radio0'                        
    option  device      'radio0'                          
    option  network     'vlan16'                             
    option  mode        'ap'                              
    option  ssid        'The vlan16 SSID'
    option  encryption  'psk2+ccmp'                       
    option  key         '...

holy heck, thats a lot, thanks!
I dont know if I will manage to try this out today - but you cleared a lot of things up for me.

will try that once i find the time!

Glad to hear that.

A friend of mine had a similar request/wish a few weeks ago, and even with some years of experience I had my struggles: I needed a couple of days and far too much reading until it clicked for me. And even with the preparation for my friend, we needed a few evenings and several hours of video calls until we had everything together for his setup. My advice: don't rush :wink:

PS: If you have the space on your devices, just use wpad-openssl. hostapd-utils and iwinfo are useful to have too. Same goes for ip-full and ip-bridge and batctl-full. With these tools, debugging issues should be far easier. As your 802.11s mesh is already running, I do not expect you run into hard road blocks.... Trickiest part is proper switch config for vlans and bits and pieces for the interfaces in /etc/config/network. Good luck! :slight_smile:
PPS: And do not forget to configure your firewall :smiley:

Hey,
great to hear - those projects are the most fun.

wpad-openssl is already installed as I need wpa3 regardless of mesh.
The other debug tools are a good suggestion.

I probably won't have to bother with DHCP/firewall at all; that's on the OPNsense.
The archer is just for bridging its WiFi to the vlan interfaces, everything else the switch after it or the opnsense does.

Archer internal Switch >should< already be good to go, because wifis and vlans already work - just standalone without mesh or a second device.