Do I need wpad if I install hostapd

my device is linksys 1200ac.
why the default package for my router is wpad-mini?
why do I need wpa_supplicant? isn't that for connecting from device to a wifi access point?
why would my router that is itself a wifi access point need the wpa_supplicant?
wpa_supplicant is for clients right?

Unless you have very specific needs, I'd always recommend to use the wpad variants (which combine both hostapd and wpa_supplicant in a single multi-call binary) instead of the individual hostapd and wpa_supplicant packages, e.g. wpad-openssl which should cover most potential uses.

Yes, in theory wpa_supplicant is only needed for client setups, but the definitions are floating - and wpad covers it all.

ok.
I ask because I use image builder to create images with my needed packages and I add and remove packages based on my need.
what is the difference between wpad-openssl and wpad?

another question: do I get wpa3 with openwrt 19.07?

and also another noob question:
I have two SSIDs from my router (n and ac); can I actually add a 3rd one in software?
or is that impossible because my hardware can't do that?

via wpad-openssl or wpad-wolfssl, that's why I'm usually recommending these over the plain wpad package; WPA3 currently requires linking wpad (well, hostapd) against a full tls library, like e.g. openssl or wolfssl (no support for mbedtls yet).

That depends on the wireless hardware, namely the interface combinations (run iw list on your router) supported by hardware/ firmware and driver.

Wiphy phy1
        max # scan SSIDs: 4
        max scan IEs length: 2242 bytes
        max # sched scan SSIDs: 0
        max # match sets: 0
        max # scan plans: 1
        max scan plan interval: -1
        max scan plan iterations: 0
        Retry short limit: 7
        Retry long limit: 4
        Coverage class: 0 (up to 0m)
        Device supports AP-side u-APSD.
        Device supports T-DLS.
        Available Antennas: TX 0 RX 0
        Supported interface modes:
                 * managed
                 * AP
                 * AP/VLAN
                 * monitor
                 * mesh point
        Band 1:
                Capabilities: 0x106f
                        RX LDPC
                        HT20/HT40
                        SM Power Save disabled
                        RX HT20 SGI
                        RX HT40 SGI
                        No RX STBC
                        Max AMSDU length: 3839 bytes
                        DSSS/CCK HT40
                Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
                Minimum RX AMPDU time spacing: 4 usec (0x05)
                HT TX/RX MCS rate indexes supported: 0-15, 32
                VHT Capabilities (0x33813930):
                        Max MPDU length: 3895
                        Supported Channel Width: neither 160 nor 80+80
                        RX LDPC
                        short GI (80 MHz)
                        SU Beamformer
                        SU Beamformee
                        RX antenna pattern consistency
                        TX antenna pattern consistency
                VHT RX MCS set:
                        1 streams: MCS 0-9
                        2 streams: MCS 0-9
                        3 streams: not supported
                        4 streams: not supported
                        5 streams: not supported
                        6 streams: not supported
                        7 streams: not supported
                        8 streams: not supported
                VHT RX highest supported: 0 Mbps
                VHT TX MCS set:
                        1 streams: MCS 0-9
                        2 streams: MCS 0-9
                        3 streams: not supported
                        4 streams: not supported
                        5 streams: not supported
                        6 streams: not supported
                        7 streams: not supported
                        8 streams: not supported
                VHT TX highest supported: 0 Mbps
                Frequencies:
                        * 2412 MHz [1] (20.0 dBm)
                        * 2417 MHz [2] (20.0 dBm)
                        * 2422 MHz [3] (20.0 dBm)
                        * 2427 MHz [4] (20.0 dBm)
                        * 2432 MHz [5] (20.0 dBm)
                        * 2437 MHz [6] (20.0 dBm)
                        * 2442 MHz [7] (20.0 dBm)
                        * 2447 MHz [8] (20.0 dBm)
                        * 2452 MHz [9] (20.0 dBm)
                        * 2457 MHz [10] (20.0 dBm)
                        * 2462 MHz [11] (20.0 dBm)
                        * 2467 MHz [12] (20.0 dBm) (no IR)
                        * 2472 MHz [13] (20.0 dBm) (no IR)
                        * 2484 MHz [14] (20.0 dBm) (no IR)
        valid interface combinations:
                 * #{ AP } <= 16, #{ mesh point } <= 1, #{ managed } <= 1,
                   total <= 16, #channels <= 1, radar detect widths: { 20 MHz (no HT), 20 MHz, 40 MHz, 80 MHz, 160 MHz }

        HT Capability overrides:
                 * MCS: ff ff ff ff ff ff ff ff ff ff
                 * maximum A-MSDU length
                 * supported channel width
                 * short GI for 40 MHz
                 * max A-MPDU length exponent
                 * min MPDU start spacing
Wiphy phy0
        max # scan SSIDs: 4
        max scan IEs length: 2247 bytes
        max # sched scan SSIDs: 0
        max # match sets: 0
        max # scan plans: 1
        max scan plan interval: -1
        max scan plan iterations: 0
        Retry short limit: 7
        Retry long limit: 4
        Coverage class: 0 (up to 0m)
        Device supports AP-side u-APSD.
        Device supports T-DLS.
        Available Antennas: TX 0 RX 0
        Supported interface modes:
                 * managed
                 * AP
                 * AP/VLAN
                 * monitor
                 * mesh point
        Band 2:
                Capabilities: 0x106f
                        RX LDPC
                        HT20/HT40
                        SM Power Save disabled
                        RX HT20 SGI
                        RX HT40 SGI
                        No RX STBC
                        Max AMSDU length: 3839 bytes
                        DSSS/CCK HT40
                Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
                Minimum RX AMPDU time spacing: 4 usec (0x05)
                HT TX/RX MCS rate indexes supported: 0-15, 32
                VHT Capabilities (0x33813930):
                        Max MPDU length: 3895
                        Supported Channel Width: neither 160 nor 80+80
                        RX LDPC
                        short GI (80 MHz)
                        SU Beamformer
                        SU Beamformee
                        RX antenna pattern consistency
                        TX antenna pattern consistency
                VHT RX MCS set:
                        1 streams: MCS 0-9
                        2 streams: MCS 0-9
                        3 streams: not supported
                        4 streams: not supported
                        5 streams: not supported
                        6 streams: not supported
                        7 streams: not supported
                        8 streams: not supported
                VHT RX highest supported: 0 Mbps
                VHT TX MCS set:
                        1 streams: MCS 0-9
                        2 streams: MCS 0-9
                        3 streams: not supported
                        4 streams: not supported
                        5 streams: not supported
                        6 streams: not supported
                        7 streams: not supported
                        8 streams: not supported
                VHT TX highest supported: 0 Mbps
                Frequencies:
                        * 5180 MHz [36] (20.0 dBm)
                        * 5200 MHz [40] (20.0 dBm)
                        * 5220 MHz [44] (20.0 dBm)
                        * 5240 MHz [48] (20.0 dBm)
                        * 5260 MHz [52] (20.0 dBm) (no IR, radar detection)
                        * 5280 MHz [56] (20.0 dBm) (no IR, radar detection)
                        * 5300 MHz [60] (20.0 dBm) (no IR, radar detection)
                        * 5320 MHz [64] (20.0 dBm) (no IR, radar detection)
                        * 5500 MHz [100] (20.0 dBm) (no IR, radar detection)
                        * 5520 MHz [104] (20.0 dBm) (no IR, radar detection)
                        * 5540 MHz [108] (20.0 dBm) (no IR, radar detection)
                        * 5560 MHz [112] (20.0 dBm) (no IR, radar detection)
                        * 5580 MHz [116] (20.0 dBm) (no IR, radar detection)
                        * 5600 MHz [120] (20.0 dBm) (no IR, radar detection)
                        * 5620 MHz [124] (20.0 dBm) (no IR, radar detection)
                        * 5640 MHz [128] (20.0 dBm) (no IR, radar detection)
                        * 5660 MHz [132] (20.0 dBm) (no IR, radar detection)
                        * 5680 MHz [136] (20.0 dBm) (no IR, radar detection)
                        * 5700 MHz [140] (20.0 dBm) (no IR, radar detection)
                        * 5720 MHz [144] (20.0 dBm) (no IR, radar detection)
                        * 5745 MHz [149] (20.0 dBm) (no IR)
                        * 5765 MHz [153] (20.0 dBm) (no IR)
                        * 5785 MHz [157] (20.0 dBm) (no IR)
                        * 5805 MHz [161] (20.0 dBm) (no IR)
        valid interface combinations:
                 * #{ AP } <= 16, #{ mesh point } <= 1, #{ managed } <= 1,
                   total <= 16, #channels <= 1, radar detect widths: { 20 MHz (no HT), 20 MHz, 40 MHz, 80 MHz, 160 MHz }

        HT Capability overrides:
                 * MCS: ff ff ff ff ff ff ff ff ff ff
                 * maximum A-MSDU length
                 * supported channel width
                 * short GI for 40 MHz
                 * max A-MPDU length exponent
                 * min MPDU start spacing

also can you explain in simple terms the difference between mbedtls and openssl and wolf and so on?
is it important for an end user like me?
does openwrt have a preferred one?
can I use the openssl one everywhere and be sure that it won't cause problems?
is it because of openssl bugs or memory size?

So basically, up to 16 AP interfaces should be possible (on both WLAN cards) - in practice you don't want to max this out (due to airtime concurrency).

They are competing libraries implementing ssl/ tls functionality, some of which are required to support WPA3 in wpad/ hostapd:

For size reasons, you usually want to standardize on a single ssl/ tls implementation (so either, or), but dependencies might force you otherwise (especially if you restrict yourself to prebuilt binary packages/ imagebuilder, rather than building directly from source).

The primary reason for OpenWrt usually preferring mbedtls, where supported, is for (flash-)size reasons.

3 Likes

thanks for all the good answers.
so I can, if I want to, add another ac ssid access point and use wpa3 on that?

Yes, both need to share the same channel (#channels <= 1) though (and you can only pick a single one of them for WDS-AP purposes (#{ managed } <= 1)).

Keep in mind that WPA2-PSK/WPA3-SAE Mixed Mode would be an option as well.

2 Likes
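
Added example, not part of the original posts: a shell function that reads the AP, managed and channel limits per radio out of iw list output, which is where the "#{ AP } <= 16", "#{ managed } <= 1" and "#channels <= 1" figures above come from. The function names are assumptions of the example, and the sample input is trimmed from the output posted earlier in the thread.

```shell
# Summarise "valid interface combinations" from `iw list` output on stdin.
# One line per phy; only the first occurrence of each limit is reported.
iface_limits() {
    awk '
    # Integer following "<label> <= " in s, or "?" when the label is absent.
    function limit(s, label,    i, rest) {
        i = index(s, label " <= ")
        if (i == 0) return "?"
        rest = substr(s, i + length(label) + 4)
        match(rest, /^[0-9]+/)
        return substr(rest, 1, RLENGTH)
    }
    function emit() {
        if (phy != "" && comb != "")
            printf "%s ap_max=%s managed_max=%s channels=%s\n", phy,
                limit(comb, "#{ AP }"), limit(comb, "#{ managed }"),
                limit(comb, "#channels")
        comb = ""
    }
    /^Wiphy /                       { emit(); phy = $2; grab = 0; next }
    /valid interface combinations:/ { grab = 1; next }
    grab && NF == 0                 { grab = 0; next }
    grab                            { comb = comb " " $0 }
    END                             { emit() }'
}

# Sample input: the two combination blocks from the output posted above, trimmed.
sample_iw_list() {
    cat <<'EOF'
Wiphy phy1
        Supported interface modes:
                 * AP
        valid interface combinations:
                 * #{ AP } <= 16, #{ mesh point } <= 1, #{ managed } <= 1,
                   total <= 16, #channels <= 1, radar detect widths: { 20 MHz (no HT), 20 MHz, 40 MHz, 80 MHz, 160 MHz }

        HT Capability overrides:
Wiphy phy0
        valid interface combinations:
                 * #{ AP } <= 16, #{ mesh point } <= 1, #{ managed } <= 1,
                   total <= 16, #channels <= 1, radar detect widths: { 20 MHz (no HT), 20 MHz, 40 MHz, 80 MHz, 160 MHz }
EOF
}

sample_iw_list | iface_limits   # on the router: iw list | iface_limits
```

A "?" in the output means the driver groups that interface type with others (for example "#{ AP, mesh point }"), so the combination line has to be read by hand.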

I don't understand the channel part.
does that mess with them and degrade them that much or is it not important to me?

if wds is what is explained in wikipedia then I don't think I need it for my home use.

btw that 16 ap is for each one or together?
and the channel thing is also for each ap separately yes?

A single WLAN card can only tune to a single channel at a time, so if you want to run multiple AP interfaces they will all share the same channel and airtime.

So in your particular case (two WLAN cards), e.g.

radio1:

  • WPA2PSK on channel 6, ESSID "foo"
  • WPA3SAE on channel 6, ESSID "bar"

radio0:

  • WPA2PSK on channel 36, ESSID "foo"
  • WPA3SAE on channel 36, ESSID "bar"
1 Like

and this degrades the signal for them a bit at least right?

The "signal", no (neither quality nor range should be affected) - the "performance", yes (you're still restricted to the capabilities of a single radio, which now has to serve two AP interfaces plus overhead, with more beacons, etc.).

1 Like

thanks.
I will use your answer for my next wpa3 if it is supported in 19.07.
have a good day.

Disclaimer: I don't have personal experience with mvebu/ mwlwifi hardware and can't vouch for its support of WPA3, but I have (and still am) successfully used WPA3SAE on ath5k, ath9k and ath10k hardware.

any advice or guide for setting it up?

LuCI will guide you, the only important advice to take - WPA3 doesn't support hexadecimal representation for the PSK, so make sure to use an ASCII key (8-63 characters).

And be aware that client support for WPA3 is still dire; unless you're running a Linux distribution with wpa_supplicant >= v2.7 (better >= v2.8) on your client(s), your chances for success are low.
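
Added example, not part of the original posts: a shell check that audits a UCI wireless config for keys that cannot work with WPA3, following the advice above (ASCII key, 8-63 characters, no hexadecimal PSK). The function names and the sample config are constructed; psk2, sae and sae-mixed are OpenWrt's encryption values, and treating sae-mixed the same as sae is an assumption of the example.

```shell
# Audit a UCI wireless config on stdin: "<ssid> <encryption> <verdict>" per
# encrypted wifi-iface. Treating sae-mixed like sae is this example's assumption.
audit_wpa_keys() {
    awk -v q="'" '
    function unq(s,    c) {            # strip the quotes UCI puts around a value
        c = substr(s, 1, 1)
        if ((c == q || c == "\"") && substr(s, length(s)) == c)
            return substr(s, 2, length(s) - 2)
        return s
    }
    function verdict(enc, key,    n) {
        n = length(key)
        if (n == 64 && key ~ /^[0-9A-Fa-f]+$/)    # raw PSK given as 64 hex digits
            return (enc ~ /^sae/) ? "FAIL:hex-psk" : "ok:hex-psk"
        if (key ~ /[^ -~]/)  return "FAIL:non-ascii"
        if (n < 8 || n > 63) return "FAIL:length"
        return "ok:passphrase"
    }
    function emit() { if (insec && enc != "" && enc != "none") print ssid, enc, verdict(enc, key) }
    /^config[ \t]/ { emit(); insec = ($2 == "wifi-iface"); ssid = enc = key = ""; next }
    insec && $1 == "option" {
        val = $0; sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", val); val = unq(val)
        if ($2 == "ssid") ssid = val
        else if ($2 == "encryption") enc = val
        else if ($2 == "key") key = val
    }
    END { emit() }'
}

# Constructed sample (not from the thread); SSIDs borrow its foo/bar naming.
sample_wireless() {
    cat <<'EOF'
config wifi-iface 'ap_foo'
        option ssid 'foo'
        option encryption 'psk2'
        option key '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
config wifi-iface 'ap_bar'
        option ssid 'bar'
        option encryption 'sae'
        option key '0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
config wifi-iface 'ap_baz'
        option ssid 'baz'
        option encryption 'sae-mixed'
        option key 'correct horse battery staple'
EOF
}

sample_wireless | audit_wpa_keys    # on the router: audit_wpa_keys < /etc/config/wireless
```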

? doesn't wpa3 use sae instead of psk?
or is it just a name for password?

Yes, same difference (in practice, from a user's perspective) though.

1 Like