Batman-adv Wireless Encryption Problem


#1

I have 4 cpe210v3 devices. Recently I wanted to configure a mesh network across all of them, but when I started configuring one of them using batman-adv as described in https://openwrt.org/docs/guide-user/network/wifi/mesh/batman, with psk2+ccmp encryption and sae_password in the wireless configuration,

the wireless mesh came up, but when I want to connect to it, it somehow shows as not encrypted, so my phone can't connect to it.
Can anyone pinpoint my problem?
Here is the config:

/etc/config/wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'platform/qca953x_wmac'
	option htmode 'HT20'

config wifi-iface 'mesh0'
	option device 'radio0'
	option ifname 'mesh0'
	option network 'nwi_mesh0'
	option mode 'mesh'
	option mesh_fwding '0'
	option mesh_id 'panah'
	option encryption 'psk2+ccmp'
	option sae_password 'panah123'

/etc/config/network

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd7a:1b8b:7f53::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0 bat0'
	option proto 'dhcp'

config interface 'nwi_mesh0'
	option ifname 'mesh0'
	option proto 'batadv'
	option mesh 'bat0'
	option mtu '2304'

/etc/config/batman-adv

config 'mesh' 'bat0'
	option 'aggregated_ogms'
	option 'ap_isolation'
	option 'bonding'
	option 'fragmentation'
	option 'gw_bandwidth'
	option 'gw_mode'
	option 'gw_sel_class'
	option 'log_level'
	option 'orig_interval'
	option 'bridge_loop_avoidance'
	option 'distributed_arp_table'
	option 'multicast_mode'
	option 'network_coding'
	option 'hop_penalty'
	option 'isolation_mark'

# yet another batX instance
# config 'mesh' 'bat5'
#	option 'interfaces' 'second_mesh'

I disabled DHCP and the firewall on my cpe210v3 and connected it to a c7v5 to get DHCP and an internet connection.

Please pinpoint my problem, thanks.


#2

Phones can't connect to a mesh either encrypted or not. You need to set up a regular AP interface for the user devices.


#3

If I want high availability for one SSID, is it better to use a dumb AP or relayd?


#4

One SSID, true Layer 2 bridging across APs -- relayd, at least in my opinion, is a hack, and doesn't work for IPv6 at all (in fact).

It's not really a "dumb AP" any more, as you'll be running some sort of Layer 2-aware routing protocol rather than bridging over Ethernet.


#5

relayd not working for IPv6, I just learned that, thanks.

So, what's the right name for it, and how do I do it?


#6

Not sure there's a name for it -- "dumb AP" just sort of stuck as appropriate for the common, wireless-to-Ethernet bridge config.

How to do it is basically:

  • Some underlying mesh; ad-hoc or 802.11s (with routing disabled) are common choices
  • Some routing protocol running on that mesh; B.A.T.M.A.N. and OLSR are popular choices
  • On a different SSID from the mesh, "normal" APs for the clients
  • Attach the client APs to VLANs
  • Bridge those VLANs over the routing protocol over the mesh

#7

If I'm using batman-adv, do I have to configure 2 APs? An AP for the mesh (AP_Mesh) and an AP for clients (AP_Client)?
And then create a VLAN for AP_Client and bridge that VLAN to the mesh network (AP_Mesh), is it like that?
I will try it, thanks for your knowledge.


#8

The mesh wifi interfaces are not APs (mode AP), they are mesh points (mode mesh). They have some properties of an AP, such as identifying themselves by broadcasting beacon packets, but they are not APs that a non-mesh device such as a smartphone can connect to. So you need separate regular APs for the end user devices. The mesh is for inter-router links.


#9

I don't think sae_password in /etc/config/wireless is actually used; I think it requires "key".

When I tried setting up an encrypted 802.11s mesh, I found that if I didn't set the password with option key, the "sae_password" in /var/run/wpa_supplicant-mesh0.conf would be empty.

Still not sure if encryption was working properly or not: Setting up authenticated mesh with wpad-mesh
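The two pitfalls raised in this thread (a mesh point with encryption set but no `option key`, per #9, and a mesh with no regular AP interface for phones, per #6 and #8) can be caught by scanning /etc/config/wireless before `wifi reload`. This is an added example written for this page, not code from the thread or from OpenWrt; the two sample configs it checks are constructed here and only mirror the poster's stanza and the thread's advice.

```sh
# check_wireless FILE: flag a mesh point that sets encryption but no 'option key'
# (the posted sae_password line is not honoured) and a mesh with no 'mode ap'
# interface for ordinary clients. Prints PROBLEM lines; exit status 1 if any.
check_wireless() {
    awk -v q="'" '
    function val(s) { gsub(q, "", s); return s }
    function flush() {
        if (name == "") return
        if (mode == "mesh") {
            meshes++
            if (enc != "" && enc != "none" && key == "") {
                printf "PROBLEM: mesh point %s has encryption %s but no option key\n", name, enc
                problems++
            }
        }
        if (mode == "ap") aps++
        name = ""
    }
    /^config wifi-iface/ { flush(); name = val($3); mode = enc = key = ""; next }
    /^config /           { flush(); next }
    name != "" && $1 == "option" && $2 == "mode"       { mode = val($3) }
    name != "" && $1 == "option" && $2 == "encryption" { enc  = val($3) }
    name != "" && $1 == "option" && $2 == "key"        { key  = val($3) }
    END {
        flush()
        if (meshes > 0 && aps == 0) { print "PROBLEM: no mode ap interface for client devices"; problems++ }
        exit (problems > 0)
    }' "$1"
}
# Constructed samples (not real device files): the first mirrors the poster's
# mesh0 stanza, the second applies the thread's advice (option key + client AP).
WORK=$(mktemp -d); BROKEN_CFG="$WORK/broken"; FIXED_CFG="$WORK/fixed"
cat > "$BROKEN_CFG" <<'EOF'
config wifi-iface 'mesh0'
    option mode 'mesh'
    option encryption 'psk2+ccmp'
    option sae_password 'panah123'
EOF
cat > "$FIXED_CFG" <<'EOF'
config wifi-iface 'mesh0'
    option mode 'mesh'
    option encryption 'psk2+ccmp'
    option key 'panah123'
config wifi-iface 'ap0'
    option mode 'ap'
    option ssid 'panah-clients'
    option encryption 'psk2+ccmp'
    option key 'changeme-client-passphrase'
EOF
check_wireless "$BROKEN_CFG" || echo "broken config rejected"; check_wireless "$FIXED_CFG" && echo "fixed config accepted"
```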


#10

Yup, thanks.
I tried it before, and it works...


#11

Yes, I'm actually pondering this too...