Aruba AP-303H DSA is here and better dumb AP

Working on the AP-303H, without DSA, was a bit of a nightmare. And you may have discovered this. Those issues are not solved by DSA, but the testing results and solutions on this post are 100% necessary for the AP-303H running DSA firmware. I have not rolled back to non DSA firmware to retest and solve all those nightmare issues I ran into.

I am happy to report that with r21632 DSA is now released for the Aruba AP-303H.

There are some interesting discoveries on how to deploy on the AP-303H. This is a dedicated thread to document that, based on testing I completed. In case you are wondering how is the sausage made, the original work on this concluded on this post linked below and summarized on the final two comments.

This post is not for learning about general DSA or dumb AP concepts. The steps are more about the things that are missing and additive to OpenWRT's default. These principals are broadly transferable to any device though.

1. You cannot migrate your existing non DSA config, so make sure you reset.

2. If this is future you reading this post and are coming back to upgrade your DSA to a newer version, be aware, after the upgrade, LUCI will not be installed, firewall, DHCP and DNSmasq will be enabled, which could cause problems for your accessing the management IP or your network. The packages you installed will be gone so likely will need to make a list of those things you installed.

3. Serial access is so important on this device, so buy or make a cable. Do not proceed until you have that.

4. Using the current snapshot build, follow the install procedure outlined here: https://openwrt.org/toh/aruba/ap-303h

5. Once you have IP connectivity, e.g. e0/WAN has a DHCP address from your network you should proceed.

6. manually install luci. You can do this by SSH on the LAN side (e1-e3) or by console.

opkg update
opkg install luci

7. Change your theme to Bootstrap as there is an invisible font (white on white) bug using theme OpenWrt2020 and documented here https://github.com/openwrt/luci/issues/6177
   

   

   image1204×526 34.4 KB

8. Put your management IP on a 802.11q sub-interface, with non-zero VID and assign a unique mac address. This solves errors when e0/WAN interface receives packets with same source MAC. This scenario will occur if you do any kind of upstream VLAN bridging. Basically, any scenario where a packet is leaving and then coming back in to the AP. This has been informally reported and in the future there may be improvements on the MAC address assignments on OpenWRT. I was even able to crash the AP until finding this solution.

[60035.624371] br-lan: received packet on wan with own address as source address (addr:20:4c:03:a8:10:f2, vlan:0)
[60035.669116] br-lan: received packet on wan with own address as source address (addr:20:4c:03:a8:10:f2, vlan:0)
[60035.787266] br-lan: received packet on wan with own address as source address (addr:20:4c:03:a8:10:f2, vlan:0)
[60035.907041] br-lan: received packet on wan with own address as source address (addr:20:4c:03:a8:10:f2, vlan:0)
[60036.026828] br-lan: received packet on wan with own address as source address (addr:20:4c:03:a8:10:f2, vlan:0)
[60036.146608] br-lan: received packet on wan with own address as source address (addr:20:4c:03:a8:10:f2, vlan:0)
[60036.266399] br-lan: received packet on wan with own address as source address (addr:20:4c:03:a8:10:f2, vlan:0)
[60036.386187] br-lan: received packet on wan with own address as source address (addr:20:4c:03:a8:10:f2, vlan:0)
[60036.506015] br-lan: received packet on wan with own address as source address (addr:20:4c:03:a8:10:f2, vlan:0)
[60036.625833] br-lan: received packet on wan with own address as source address (addr:20:4c:03:a8:10:f2, vlan:0)

This diagram demonstrates the issue:

In my case the physical MAC addresses (formerly eth0 and eth1) were as follows:

20:4C:03:A8:10:F2
20:4C:03:A8:10:F3

So to increment the last octet to a unique value for the management IP is how I selected the new MAC
20:4C:03:A8:10:F4 But you need this on a dedicated sub-interface (not the parent br-lan) with a non zero VID.

Here is a sample config.

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '1'
        option name 'br-lan.1'
        option macaddr '20:4C:03:A8:10:F4'
        option ipv6 '0'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.3'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'br-lan.1'
        option gateway '192.168.1.254'
        list dns '192.168.1.254'
        list dns_search 'your.local.dns.zone.here'

9. Disable routing as is not used on a dumb AP

vi /etc/sysctl.conf

# Defaults are configured in /etc/sysctl.d/* and can be customized in this file
net.ipv4.ip_forward=0

10. stop and disable firewall, DHCP and DNSMASQ permanently (after your next sysupgrade you will need to repeat this step)
    

    

    image2112×633 59.2 KB

11. Delete firewall zones and set firewall to accept traffic as will be enabled after your 'next' sysupgrade. (You can test this by skipping this step. Enable your firewall and observe loss of access to the management IP from e0/WAN. Console access is always your friend in these situations. /etc/init.d/firewall stop|start)

vi /etc/config/firewall

config defaults
        option output 'ACCEPT'
        option synflood_protect '1'
        option input 'ACCEPT'
        option forward 'ACCEPT'

Or like this...

image1146×737 37 KB

12. You may also benefit from deleting or renaming the config dhcp 'lan' section of your DHCP config as is not needed, plus DHCP will be enable after a future sysupgrade.

vi /etc/config/dhcp
...
config dhcp 'lanx'
        option interface 'lanx'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ignore '1'
        option ra_slaac '0'
...

13. Unless you plan to build out your IPv6 config, disable everywhere except loopback.
    

You can verify on the CLI and then go disable that interface.

ifconfig | egrep 'Link|inet'
br-lan    Link encap:Ethernet  HWaddr 20:4C:03:A8:10:F2
br-lan.1  Link encap:Ethernet  HWaddr 20:4C:03:A8:10:F4     <----------------This MAC is unique and on non-zero VID
          inet addr:192.168.1.3  Bcast:192.168.1.255  Mask:255.255.255.0
br-lan.11 Link encap:Ethernet  HWaddr 20:4C:03:A8:10:F2
br-lan.31 Link encap:Ethernet  HWaddr 20:4C:03:A8:10:F2
br-lan.4  Link encap:Ethernet  HWaddr 20:4C:03:A8:10:F2
br-lan.5  Link encap:Ethernet  HWaddr 20:4C:03:A8:10:F2
eth0      Link encap:Ethernet  HWaddr 20:4C:03:A8:10:F2
lan1      Link encap:Ethernet  HWaddr 20:4C:03:A8:10:F2
lan2      Link encap:Ethernet  HWaddr 20:4C:03:A8:10:F2
lan3      Link encap:Ethernet  HWaddr 20:4C:03:A8:10:F2
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
phy0-ap0  Link encap:Ethernet  HWaddr 20:4C:03:A8:10:F2
phy1-ap0  Link encap:Ethernet  HWaddr 20:4C:03:A8:10:F3
wan       Link encap:Ethernet  HWaddr 20:4C:03:A8:10:F2

You can pretty much role out your standard dumb AP config and VLANs.

Here is a final config:

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd53:befa:5dae::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'wan'
        option ipv6 '0'

config interface 'lan'
        option proto 'static'
        option ipaddr '192.168.1.3'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option device 'br-lan.1'
        option gateway '192.168.1.254'
        list dns '192.168.1.254'
        list dns_search 'your.local.dns.zone.here'

config device
        option type '8021q'
        option ifname 'br-lan'
        option vid '1'
        option name 'br-lan.1'
        option macaddr '20:4C:03:A8:10:F4'
        option ipv6 '0'

config bridge-vlan
        option device 'br-lan'
        option vlan '1'
        list ports 'lan1'
        list ports 'lan2'
        list ports 'lan3'
        list ports 'wan:u*'

config bridge-vlan
        option device 'br-lan'
        option vlan '3'
        list ports 'wan:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '4'
        list ports 'wan:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '5'
        list ports 'wan:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '11'
        list ports 'wan:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '31'
        list ports 'lan1:u*'
        list ports 'wan:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '32'
        list ports 'lan2:u*'
        list ports 'wan:t'

config bridge-vlan
        option device 'br-lan'
        option vlan '33'
        list ports 'lan3:u*'
        list ports 'wan:t'

config device
        option name 'eth0'
        option ipv6 '0'

config device
        option name 'br-lan.5'
        option type '8021q'
        option ifname 'br-lan'
        option vid '5'
        option ipv6 '0'

config device
        option name 'br-lan.4'
        option type '8021q'
        option ifname 'br-lan'
        option vid '4'
        option ipv6 '0'

config device
        option name 'br-lan.11'
        option type '8021q'
        option ifname 'br-lan'
        option vid '11'
        option ipv6 '0'

config device
        option name 'br-lan.31'
        option type '8021q'
        option ifname 'br-lan'
        option vid '31'
        option ipv6 '0'

config device
        option name 'br-lan.32'
        option type '8021q'
        option ifname 'br-lan'
        option vid '32'
        option ipv6 '0'

config device
        option name 'br-lan.33'
        option type '8021q'
        option ifname 'br-lan'
        option vid '33'
        option ipv6 '0'

config device
        option name 'phy0-ap0'
        option ipv6 '0'

config device
        option name 'phy1-ap0'
        option ipv6 '0'

image2003×1276 191 KB

image1998×1666 226 KB

Issues:
2.4Ghz performance does not seem to match other Access Points. this can be seen in same room and edge of coverage area. More work to understand this needed.
5Ghz frequencies limited to those that don't require DFS radar detection. More work to understand this needed.

image1920×622 118 KB

Tagging some folks that might be interested in this post:
@Feighery @kroon040 @psherman

Hi,

Here my comparing between the stock firmware (Instant version 8.11.0.1), and the openwrt build. I did the test with an laptop with linux (hp elitebook X360 with an intel wifi AX200). I have 2 Aruba AP-303H, both an an POE+ swtich

First the result of the 5ghz stock firmware

[richard@HP-X360 ~]$ iperf3 -c 192.168.180.5
Connecting to host 192.168.180.5, port 5201
[  5] local 192.168.180.100 port 56062 connected to 192.168.180.5 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  52.9 MBytes   443 Mbits/sec    0   2.63 MBytes
[  5]   1.00-2.00   sec  55.0 MBytes   462 Mbits/sec    0   3.15 MBytes
[  5]   2.00-3.00   sec  53.8 MBytes   451 Mbits/sec    0   3.15 MBytes
[  5]   3.00-4.00   sec  46.2 MBytes   388 Mbits/sec    0   3.15 MBytes
[  5]   4.00-5.00   sec  41.2 MBytes   346 Mbits/sec    0   3.15 MBytes
[  5]   5.00-6.00   sec  56.2 MBytes   472 Mbits/sec    0   3.15 MBytes
[  5]   6.00-7.00   sec  60.0 MBytes   503 Mbits/sec    0   3.15 MBytes
[  5]   7.00-8.00   sec  58.8 MBytes   493 Mbits/sec    0   3.15 MBytes
[  5]   8.00-9.00   sec  60.0 MBytes   504 Mbits/sec    0   3.15 MBytes
[  5]   9.00-10.00  sec  55.0 MBytes   461 Mbits/sec    0   3.15 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec   539 MBytes   452 Mbits/sec    0             sender
[  5]   0.00-10.05  sec   536 MBytes   447 Mbits/sec                  receiver

5GHz with the Openwrt firmware

[richard@HP-X360 ~]$ iperf3 -c 192.168.180.5
Connecting to host 192.168.180.5, port 5201
[  5] local 192.168.180.100 port 32966 connected to 192.168.180.5 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  53.2 MBytes   447 Mbits/sec    0   2.60 MBytes
[  5]   1.00-2.00   sec  56.2 MBytes   472 Mbits/sec    0   3.16 MBytes
[  5]   2.00-3.00   sec  48.8 MBytes   409 Mbits/sec    0   3.16 MBytes
[  5]   3.00-4.00   sec  55.0 MBytes   461 Mbits/sec    0   3.16 MBytes
[  5]   4.00-5.00   sec  55.0 MBytes   461 Mbits/sec    0   3.16 MBytes
[  5]   5.00-6.00   sec  56.2 MBytes   472 Mbits/sec    0   3.16 MBytes
[  5]   6.00-7.00   sec  56.2 MBytes   472 Mbits/sec    0   3.16 MBytes
[  5]   7.00-8.00   sec  53.8 MBytes   451 Mbits/sec    1   3.16 MBytes
[  5]   8.00-9.00   sec  55.0 MBytes   461 Mbits/sec    0   3.16 MBytes
[  5]   9.00-10.00  sec  52.5 MBytes   440 Mbits/sec    0   3.16 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec   542 MBytes   455 Mbits/sec    1             sender
[  5]   0.00-10.08  sec   542 MBytes   451 Mbits/sec                  receiver

2.4ghz on stock firmware

[richard@HP-X360 ~]$ iperf3 -c 192.168.180.5
Connecting to host 192.168.180.5, port 5201
[  5] local 192.168.180.100 port 58950 connected to 192.168.180.5 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  12.5 MBytes   105 Mbits/sec    0    519 KBytes
[  5]   1.00-2.00   sec  7.01 MBytes  58.8 Mbits/sec    0    611 KBytes
[  5]   2.00-3.00   sec  7.38 MBytes  61.9 Mbits/sec    0    642 KBytes
[  5]   3.00-4.00   sec  6.25 MBytes  52.4 Mbits/sec    0    675 KBytes
[  5]   4.00-5.00   sec  8.75 MBytes  73.4 Mbits/sec    0    714 KBytes
[  5]   5.00-6.00   sec  11.2 MBytes  94.4 Mbits/sec    0    748 KBytes
[  5]   6.00-7.00   sec  10.0 MBytes  83.9 Mbits/sec    0    748 KBytes
[  5]   7.00-8.00   sec  10.0 MBytes  83.9 Mbits/sec    0    748 KBytes
[  5]   8.00-9.00   sec  10.0 MBytes  83.9 Mbits/sec    0    748 KBytes
[  5]   9.00-10.00  sec  10.0 MBytes  83.9 Mbits/sec    0    748 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  93.1 MBytes  78.1 Mbits/sec    0             sender
[  5]   0.00-10.05  sec  90.7 MBytes  75.7 Mbits/sec                  receiver

2.4ghz on openwrt firmware

[richard@HP-X360 ~]$ iperf3 -c 192.168.180.5
Connecting to host 192.168.180.5, port 5201
[  5] local 192.168.180.100 port 39692 connected to 192.168.180.5 port 5201
[ ID] Interval           Transfer     Bitrate         Retr  Cwnd
[  5]   0.00-1.00   sec  11.9 MBytes  99.8 Mbits/sec    0    578 KBytes
[  5]   1.00-2.00   sec  9.85 MBytes  82.7 Mbits/sec    0    697 KBytes
[  5]   2.00-3.00   sec  6.25 MBytes  52.4 Mbits/sec    0    881 KBytes
[  5]   3.00-4.00   sec  7.50 MBytes  62.9 Mbits/sec    0    933 KBytes
[  5]   4.00-5.00   sec  6.25 MBytes  52.4 Mbits/sec    0    988 KBytes
[  5]   5.00-6.00   sec  7.50 MBytes  62.9 Mbits/sec    0   1.03 MBytes
[  5]   6.00-7.00   sec  7.50 MBytes  62.9 Mbits/sec    0   1.03 MBytes
[  5]   7.00-8.00   sec  8.75 MBytes  73.4 Mbits/sec    0   1.03 MBytes
[  5]   8.00-9.00   sec  10.0 MBytes  83.9 Mbits/sec    0   1.09 MBytes
[  5]   9.00-10.00  sec  8.75 MBytes  73.4 Mbits/sec    0   1.24 MBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval           Transfer     Bitrate         Retr
[  5]   0.00-10.00  sec  84.2 MBytes  70.7 Mbits/sec    0             sender
[  5]   0.00-10.05  sec  81.3 MBytes  67.9 Mbits/sec                  receiver

For the USB I have placed it on POE+ swtich. I don't know it the AP-303H takes the POE+.

I also have posted a couple of days the question:

But I have not find a right pacage, only found something for a Hub.

Also should it be nice to also have POEenabled on ETH3. This is possible when powered with POE+. On stock firmware it works, now hopefully to find if it's possible for openwrt. I think I first need to identify the POE controller chip.

Awesome post @kroon040 and thank you! I have some more tests I need to do, but not home right now.

The Aruba spec sheet states that USB and PoE (e3) require PoE+, and can only support one or the other. So unless confirming the device is operating in PoE+ mode, it is safe to say it will not provide that power.

If you look at your stock vs OpenWRT do you see any difference in the LED colors? The LED color may indicate if the device is using PoE or PoE+. I'll check but that might be green (PoE+) vs yellow/amber (PoE). I ask as a number of years ago, I learned this while working on the 3COM hardware, later rebranded to hp-intellijack-gigabit-switch-nj2000g (https://ninoavila.tumblr.com/post/98151097109/hp-intellijack-gigabit-switch-nj2000g-full-specs). The 303H in some ways 'looks' similar to for the port configuration.

On the 3COM hardware, there was some upstream switch config dependency too as otherwise the device would only boot in PoE mode. This was a bug related to LLDP. If we assume that was firmware related, it is safe to say likely not present in the stock firmware on the AP-303H, but possibly some work to address on the OpenWRT firmware.

@kroon040 I did not look into or test this method yet, but may be useful to explore.

We don't have this gpio number . On the AP-303H, we only have

root@AP-303H:/sys/class/gpio# ls
export       gpiochip412  unexport
root@AP-303H:/sys/class/gpio# cd gpiochip412/
root@AP-303H:/sys/devices/platform/soc/1000000.pinctrl/gpio/gpiochip412# ls
base       device     label      ngpio      subsystem  uevent
root@AP-303H:/sys/devices/platform/soc/1000000.pinctrl/gpio/gpiochip412#

@kroon040 Did you run your test on the DSA firmware? Also, thoughts on my reply re. LED color / is the device running in PoE+ mode?

The led is green , and yes I was running the tests with the DSA firmware.

I found in the dmesg, boot log that it should be active....

[ 0.026087] gpio-435 (USB-power): hogged as output/high

I don't know if it that also should be in the /sys/class/gpio......

Given it is either USB or PoE out, there would be some unique value for each. And on stock USB default is on and PoE off (I think). And if I speculate, with these being mutually exclusive, might be the same variable with multiple values, e.g. 0, 1, 2 to control those three states.

I the other posts I already have, I'm hoping to solve it.

I also want to enabe bluetooth, looking at the dts file it is a texas instruments... but installing bluetooth didn't work yet

+&blsp1_uart2 {
+	/* Texas Instruments CC2540T BLE radio */
+	pinctrl-0 = <&serial_1_pins>;
+	pinctrl-names = "default";
+	status = "okay";
+};
+

Yes. I can control (enable/disable) the POE on port 3.

first find the gpio base

cat /sys/class/gpio/gpiochip*/base | head -n1
that is 412.

in the dts file I found this:

+&tlmm {
+	/*
+	 * In addition to the Pins listed below,
+	 * the following GPIOs have "features":
+	 * 39 - out - active low to force HW reset
+	 * 32 - out - active low to reset TPM
+	 * 43 - out - active low to reset BLE radio
+	 * 41 - out - pulse to set warm reset status
+	 * 34 - out - active low to enable PSE port
+	 * 22 - in  - active low when 802.3at powered
+	 * 29 - in  - active high when DC powered
+	 * 40 - in  - active low when reset due to cold HW reset
+	 * 30 - in  - active low when USB overcurrent detected
+	 * 35 - in  - interrupt line for power monitor chip
+	 * 31 - in  - active low when PSE port active

so 34 is the value. You must create and gpio 412+34=446

echo "446" > /sys/class/gpio/export
echo "out" > /sys/class/gpio/gpio446/direction

echo "0" > /sys/class/gpio/gpio446/value Turns it on
echo "1" > /sys/class/gpio/gpio446/value Turns it off

Wow, well done!

@jjwATmyself , have you tried usb already. I think it should work, but noting happens here.

I checked bluetooth, and it looks like a little the same as the Cisco Meraki MR33 (also IPQ4029 and also the Texas Instruments CC2540T attached to ttyMSM1 for bluetooth.,

I found this on and older page

the hciattach /dev/ttyMSM1 any 1500000 flow, works but gives errors......

I didn't but remember PoE out and USB are mutually exclusive. Spec for stock reads as follows. So I believe you need to disable PoE out in order to test USB.

Power over Ethernet (PoE): 48 Vdc (nominal) 802.3af/802.3at compliant source

Unrestricted functionality with direct DC power.

When using an 802.3af PoE source, the PoE out (PSE) capability of the 303H is always disabled.

Without IPM, both the USB port and PoE out (PSE) capability are disabled when the AP is powered by an 802.3af PoE source, and either the USB port or the PoE out (PSE) capability is disabled when powered by an 802.3at PoE source (PSE capability is disabled by default).

When using IPM, the AP may enter power-save mode with reduced functionality when powered by a PoE source (see details on Intelligent Power Monitoring elsewhere in this datasheet)