B.A.T.M.A.N. Advanced Mesh on version 23.05

I am posting this for anyone who wants to set up a mesh using either the kmod-batman-adv or the luci-proto-batman-adv software package.

OneMarcFifty (https://www.youtube.com/watch?v=t4A0kfg2olo) and https://cgomesu.com/blog/Mesh-networking-openwrt-batman/ explain how to configure a B.A.T.M.A.N. advanced mesh for OpenWrt version 22, but I initially found it difficult to use these guides for the current version 23.05. Access points would disappear for random periods and they would eventually become impossible to access by IP address and could not be managed using Luci or ssh.

After a lot of trial and error, I now have a solid working mesh on 23.05.3 but there are a few important differences from the setup under 22.03:

  1. do not disable dnsmasq on any router but, on all routers except the DNS server, tick the DHCP Server -> Ignore interface option for each interface in Network->Interfaces (e.g. lan, Guest, IOT),

  2. set "Use default gateway" on the lan interface on 'dumb access points' (but not on other network interfaces such as Guest and IOT),

(points 1 and 2 make sure that dumb access points will always be available for Luci and ssh access and that they will also be able to access the internet so that NTP runs when they are rebooted)

  3. use BATMAN_V for the bat0 interface as it works fine and seems to be faster and easier to inspect with batctl than BATMAN_IV (this is set on the Mesh Routing tab, Routing Algorithm),

  4. don't try changing the MTU (any attempt to change it has always ended in a system reset for me and fragmentation doesn't seem to be an issue when I run "batctl s" to view statistics),

  5. the bat0 Gateway Mode (under the Mesh Routing tab in Luci) should be left unset for all routers including the internet gateway unless your network contains more than one internet gateway.

I use three Asus RT-AX53U and one Asus RT-AX54 in my mesh and with these changes to the installation, the mesh and its VLANs are 100% reliable for months without any reboots. And, for these router models, OpenWrt can easily be installed using mtd write (please see the OpenWrt documentation for these models).


Hi, did you manage to create a VLAN? If yes, can you please share the configuration?

Also, are you able to see the luci-proto-batman-adv package? It seems to have disappeared.

Thanks

I would like to clarify some of the points you have stated:

do not disable dnsmasq on any router but,

this goes against general convention for configuring dumb APs. It is not a required service in dumb AP mode and it complicates troubleshooting which is why most disable the service for all dumb APs in the network. The same goes for DHCP and firewall.

the bat0 Gateway Mode

batman needs to calculate the shortest path to get to the gateway regardless of the number of actual gateways you have so in practice it needs to be set. Your setup may not utilize this parameter so doesn't require it to be set.

don't try changing the MTU

the recommended MTU setting is 2403 but I think this is just a general guideline and you can look at modifying this setting. But in your case if you are experiencing resets I doubt it has anything to do with the MTU and it's somewhere else in your setup that is causing you to experience resets.

network for the router that connects to the internet (I chose to use Google's DNS servers 8.8.8.8 and 8.8.4.4, but I don't know if that's a sensible choice!)

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdd2:3e14:24b8::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'
	list ports 'bat0.99'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.4'
	option netmask '255.255.255.0'
	option ip6assign '60'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	option defaultroute '0'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'

config interface 'wan6'
	option device 'wan'
	option proto 'dhcpv6'

config interface 'bat0'
	option proto 'batadv'
	option routing_algo 'BATMAN_V'
	option bridge_loop_avoidance '1'
	option gw_mode 'off'
	option hop_penalty '30'

# section name must match 'option network' in the wireless file exactly (case-sensitive)
config interface 'batMesh'
	option proto 'batadv_hardif'
	option master 'bat0'

config interface 'iot'
	option proto 'static'
	option ipaddr '10.21.1.1'
	option netmask '255.255.255.0'
	option device 'br-iot'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	option defaultroute '0'

config interface 'guest'
	option proto 'static'
	option ipaddr '10.20.30.40'
	option netmask '255.255.255.0'
	option device 'br-guest'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	option defaultroute '0'

config device
	option type 'bridge'
	option name 'br-guest'
	list ports 'bat0.4'

config device
	option type 'bridge'
	option name 'br-iot'
	list ports 'bat0.3'

network for other access points

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fda3:7ea0:9cf0::/48'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'wan'
	list ports 'bat0.99'

config interface 'lan'
	option device 'br-lan'
	option proto 'dhcp'

config interface 'bat0'
	option proto 'batadv'
	option routing_algo 'BATMAN_V'
	option bridge_loop_avoidance '1'
	option gw_mode 'off'
	option hop_penalty '30'

config interface 'batMesh'
	option proto 'batadv_hardif'
	option master 'bat0'

config device
	option type 'bridge'
	option name 'br-guest'
	list ports 'bat0.4'

config interface 'guest'
	option proto 'dhcp'
	option device 'br-guest'
	option defaultroute '0'

config device
	option type 'bridge'
	option name 'br-iot'
	list ports 'bat0.3'

config interface 'iot'
	option proto 'dhcp'
	option device 'br-iot'
	option defaultroute '0'

wireless (I use 2.4GHz for the mesh and 5GHz for access points - make sure every device uses the same passwords and mobility domains but the 5GHz access points should be the same channel for each SSID on a router but different channels on different routers)

config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HE20'
	option country 'SG'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'batMesh'
	option mode 'mesh'
	option encryption 'sae'
	option mesh_id 'Mesh SSID for routers'
	option mesh_fwding '0'
	option mesh_rssi_threshold '0'
	option key 'Secret Mesh Password for routers'

config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
	option channel '56'
	option band '5g'
	option htmode 'HE40'
	option country 'SG'
	option cell_density '0'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'Your Access Point SSID'
	option encryption 'psk2'
	option key 'Access Point Password'
	option ieee80211r '1'
	option mobility_domain 'fade'
	option reassociation_deadline '20000'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Your Guest SSID'
	option encryption 'psk2'
	option key 'Guest Password'
	option ieee80211r '1'
	option mobility_domain 'fad4'
	option reassociation_deadline '20000'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'
	option network 'guest'

config wifi-iface 'wifinet4'
	option device 'radio1'
	option mode 'ap'
	option ssid 'Your IOT SSID'
	option encryption 'psk2'
	option network 'iot'
	option key 'IOT Password'
	option ieee80211r '1'
	option mobility_domain 'fad3'
	option reassociation_deadline '20000'
	option ft_over_ds '0'
	option ft_psk_generate_local '1'

firewall (only for the router that connects to the internet)

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'
	option flow_offloading '1'
	option flow_offloading_hw '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'GuestZone'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'guest'

config zone
	option name 'IOTZone'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	list network 'iot'

config forwarding
	option src 'lan'
	option dest 'IOTZone'

config forwarding
	option src 'GuestZone'
	option dest 'wan'

config rule
	option name 'Guest DHCP and DNS'
	option src 'GuestZone'
	option dest_port '53 67 68'
	option target 'ACCEPT'

config rule
	option name 'IOT DHCP and DNS'
	option src 'IOTZone'
	option dest_port '67 68'
	option target 'ACCEPT'

dhcp (only for the router that connects to the internet)

config dnsmasq
	option domainneeded '1'
	option localise_queries '1'
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option cachesize '1000'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option localservice '1'
	option ednspacket_max '1232'
	option logqueries '1'
	option logdhcp '1'
	option serversfile '/var/run/adblock-fast/dnsmasq.servers'

config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'

config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

config dhcp 'guest'
	option interface 'guest'
	option start '100'
	option limit '150'
	option leasetime '12h'

config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'

I can still see the software package luci-proto-batman-adv and I am using that, wpad-mesh-mbedtls and batctl-full.

I agree that you should be able to disable dnsmasq and you could use a mesh with version 22.03 with it disabled but, in practice, you cannot for 23.05. If you have a working mesh using 23.05 with dnsmasq disabled, please let us know how!

The gateway mode isn't, as I understand it, to determine the shortest path but to find the most appropriate gateway. See https://www.open-mesh.org/projects/batman-adv/wiki/Gateways and https://downloads.open-mesh.org/batman/manpages/batctl.8.html if you want to try doing this.

For my case, I only have one gateway so this setting is irrelevant.

Regarding the MTU and fragmentation, perhaps it's because I use 'Hardware flow offloading' or the hardware I use cannot support larger MTU values but, when I check the mesh network statistics with batctl s, the amount of fragmentation isn't very large so I haven't investigated this fully.

I have just posted the config files below. Please take a look and let us know how your mesh is working out.

Good luck!

I have been running b.a.t ... with 23.05 as long as it has been available. In my dumb access points I run this in local startup.

for i in firewall dnsmasq odhcpd; do
  if /etc/init.d/"$i" enabled; then
    /etc/init.d/"$i" disable
    /etc/init.d/"$i" stop
  fi
done

I also have always modified the MTU (1536) in interfaces where the batman is active. No problems at all. Our configurations are almost identical (same source).

I have a WDS network setup now with batman-adv running on dumb APs without any dnsmasq installed on the remote APs. I am only using the tunneling feature of batman-adv and not any of its meshing features and all config settings are at default.

Upgraded to 23.05.4 and now I can change the MTU

network file, interface batMesh
option mtu '1532'

and there is now no fragmentation when I run
batctl s