Enabling encryption in 802.11s

Hi!
I set up communication between two RPi 4B using 802.11s mode by specifying the same Mesh Id.
A screenshot of my setup for the mesh network:

As can be seen from the mesh status, the network is working.
The question is, how do I encrypt this connection with a password?
On the Wireless Security tab I'm trying to choose at least some Encryption, but apart from WPA3-SAE (strong security), I can't choose anything. I get an approximate error: The selected 802.11s mode is incompatible with WPA2-PSK (strong security) encryption.

As a result, choosing WPA3-SAE (strong security) encryption on all RPi and specifying the same password - after that, the mesh network no longer works.

Tell me, please, what am I doing wrong? how to set it up correctly?
Thank you very much!

For WPA3 test with:

```
opkg remove wpad-mini
opkg remove wpad-basic
opkg remove wpad-basic-wolfssl

opkg install wpad-mesh-openssl # or wpad-mesh-wolfssl
```


Yes, it turned out to be implemented.
I deleted these 3 packages, but some were not, and installed wpad-mesh-openssl.
But there is one catch: I also have a Wi-Fi adapter set up on the RPi, which is configured as a Master (Access Point), and all this is combined into a bridge, i.e. mesh and AP in the bridge, in order to have access to the Intranet. But now the AP is not working; what could it be? Can I install some additional package?

The Pi built in radio is a little Broadcom chip intended for low-end smartphones. The open source driver is very limited in what it supports. I don't think that WPA3 is possible, nor are most multiple interfaces.


I'm using a Wi-Fi adapter.
I use these drivers for it:
`kmod-rt2800-lib kmod-rt2800-usb kmod-rt2x00-lib kmod-rt2x00-usb`

The fact is that before enabling encryption, everything worked, apparently some fine-tuning is required.

That's some old hardware as well (802.11bgn?). Very probably the driver lacks support for 802.11w which is mandatory for WPA3.


Show the output of:

```
iw list
```

This will probably show information about both the onboard wireless and the usb wireless.

I have wireless networks set up like this:

my physical interface combines it all into a common bridge


This is done so that clients connected to Wi-Fi (1st Wi-Fi adapter) can transmit packets via a mesh network (2nd Wi-Fi adapter) to a gateway that also has a mesh network and is bridged by a physical network interface eth0.
If you turn off encryption in 802.11s, then everything will work, but the bridge does not work with encryption...
Forgive me if I don't explain well.

```
root@OpenWrt:~# iw list
Wiphy phy2
        wiphy index: 2
        max # scan SSIDs: 4
        max scan IEs length: 2257 bytes
        max # sched scan SSIDs: 0
        max # match sets: 0
        Retry short long limit: 2
        Coverage class: 0 (up to 0m)
        Available Antennas: TX 0 RX 0
        Supported interface modes:
                 * IBSS
                 * managed
                 * AP
                 * AP/VLAN
                 * monitor
                 * mesh point
        Band 1:
                Capabilities: 0x17e
                        HT20/HT40
                        SM Power Save disabled
                        RX Greenfield
                        RX HT20 SGI
                        RX HT40 SGI
                        RX STBC 1-stream
                        Max AMSDU length: 3839 bytes
                        No DSSS/CCK HT40
                Maximum RX AMPDU length 32767 bytes (exponent: 0x002)
                Minimum RX AMPDU time spacing: 2 usec (0x04)
                HT TX/RX MCS rate indexes supported: 0-7, 32
                Frequencies:
                        * 2412 MHz [1] (20.0 dBm)
                        * 2417 MHz [2] (20.0 dBm)
                        * 2422 MHz [3] (20.0 dBm)
                        * 2427 MHz [4] (20.0 dBm)
                        * 2432 MHz [5] (20.0 dBm)
                        * 2437 MHz [6] (20.0 dBm)
                        * 2442 MHz [7] (20.0 dBm)
                        * 2447 MHz [8] (20.0 dBm)
                        * 2452 MHz [9] (20.0 dBm)
                        * 2457 MHz [10] (20.0 dBm)
                        * 2462 MHz [11] (20.0 dBm)
                        * 2467 MHz [12] (20.0 dBm) (no IR)
                        * 2472 MHz [13] (20.0 dBm) (no IR)
                        * 2484 MHz [14] (20.0 dBm) (no IR)
        valid interface combinations:
                 * #{ managed, AP, mesh point } <= 8,
                   total <= 8, #channels <= 1
        HT Capability overrides:
                 * MCS: ff ff ff ff ff ff ff ff ff ff
                 * maximum A-MSDU length
                 * supported channel width
                 * short GI for 40 MHz
                 * max A-MPDU length exponent
                 * min MPDU start spacing
        max # scan plans: 1
        max scan plan interval: -1
        max scan plan iterations: 0
        Supported extended features:
                * [ RRM ]: RRM
                * [ CQM_RSSI_LIST ]: multiple CQM_RSSI_THOLD records
                * [ CONTROL_PORT_OVER_NL80211 ]: control port over nl80211
                * [ SCAN_RANDOM_SN ]: use random sequence numbers in scans
                * [ SCAN_MIN_PREQ_CONTENT ]: use probe request with only rate IEs in scans
                * [ CONTROL_PORT_NO_PREAUTH ]: disable pre-auth over nl80211 control port support
                * [ DEL_IBSS_STA ]: deletion of IBSS station support
                * [ SCAN_FREQ_KHZ ]: scan on kHz frequency support
                * [ CONTROL_PORT_OVER_NL80211_TX_STATUS ]: tx status for nl80211 control port support
Wiphy phy1
        wiphy index: 1
        max # scan SSIDs: 4
        max scan IEs length: 2257 bytes
        max # sched scan SSIDs: 0
        max # match sets: 0
        Retry short long limit: 2
        Coverage class: 0 (up to 0m)
        Available Antennas: TX 0 RX 0
        Supported interface modes:
                 * IBSS
                 * managed
                 * AP
                 * AP/VLAN
                 * monitor
                 * mesh point
        Band 1:
                Capabilities: 0x17e
                        HT20/HT40
                        SM Power Save disabled
                        RX Greenfield
                        RX HT20 SGI
                        RX HT40 SGI
                        RX STBC 1-stream
                        Max AMSDU length: 3839 bytes
                        No DSSS/CCK HT40
                Maximum RX AMPDU length 32767 bytes (exponent: 0x002)
                Minimum RX AMPDU time spacing: 2 usec (0x04)
                HT TX/RX MCS rate indexes supported: 0-7, 32
                Frequencies:
                        * 2412 MHz [1] (20.0 dBm)
                        * 2417 MHz [2] (20.0 dBm)
                        * 2422 MHz [3] (20.0 dBm)
                        * 2427 MHz [4] (20.0 dBm)
                        * 2432 MHz [5] (20.0 dBm)
                        * 2437 MHz [6] (20.0 dBm)
                        * 2442 MHz [7] (20.0 dBm)
                        * 2447 MHz [8] (20.0 dBm)
                        * 2452 MHz [9] (20.0 dBm)
                        * 2457 MHz [10] (20.0 dBm)
                        * 2462 MHz [11] (20.0 dBm)
                        * 2467 MHz [12] (20.0 dBm) (no IR)
                        * 2472 MHz [13] (20.0 dBm) (no IR)
                        * 2484 MHz [14] (20.0 dBm) (no IR)
        valid interface combinations:
                 * #{ managed, AP, mesh point } <= 8,
                   total <= 8, #channels <= 1
        HT Capability overrides:
                 * MCS: ff ff ff ff ff ff ff ff ff ff
                 * maximum A-MSDU length
                 * supported channel width
                 * short GI for 40 MHz
                 * max A-MPDU length exponent
                 * min MPDU start spacing
        max # scan plans: 1
        max scan plan interval: -1
        max scan plan iterations: 0
        Supported extended features:
                * [ RRM ]: RRM
                * [ CQM_RSSI_LIST ]: multiple CQM_RSSI_THOLD records
                * [ CONTROL_PORT_OVER_NL80211 ]: control port over nl80211
                * [ SCAN_RANDOM_SN ]: use random sequence numbers in scans
                * [ SCAN_MIN_PREQ_CONTENT ]: use probe request with only rate IEs in scans
                * [ CONTROL_PORT_NO_PREAUTH ]: disable pre-auth over nl80211 control port support
                * [ DEL_IBSS_STA ]: deletion of IBSS station support
                * [ SCAN_FREQ_KHZ ]: scan on kHz frequency support
                * [ CONTROL_PORT_OVER_NL80211_TX_STATUS ]: tx status for nl80211 control port support
```

I think it has something to do with the non-installed wpad packages, since right now I only have wpad-mesh-openssl installed

Neither of the two adaptors report "Maximum associated stations in AP mode". This usually means the drivers do not properly support AP mode and very likely only one or two stations can be attached - not much use.
Also as @Borromini said, it is also unlikely that WPA3 is supported and that is needed for mesh encryption.

If I was you, I would sell the Rpi4Bs on Ebay for more than you paid for them and buy a couple of low cost travel routers to do your mesh - seriously.....


I don't think the older Ralink radios were ever intended to be used as access points. Had a USB adapter that worked with rt2x00 drivers on Linux, in the olden days.
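
The driver checks raised in the replies above (mesh point mode, 802.11w support for WPA3-SAE, and the "Maximum associated stations in AP mode" line) can be read out of `iw list` per radio. This is an added example, not code from the thread; treating a BIP cipher suite under "Supported Ciphers" as the 802.11w indicator is an assumption of the example, and the sample input is constructed.

```shell
#!/bin/sh
# Added example: per-radio summary of the `iw list` fields raised in this thread.
# Assumption: a BIP cipher under "Supported Ciphers" stands in for 802.11w support.

iw_mesh_report() {   # stdin: `iw list` text; stdout: one line per wiphy
    awk '
    function emit() {
        if (phy != "")
            printf "%s mesh_point=%s mfp_cipher=%s ap_max_sta=%s\n", phy, mesh, mfp, sta
    }
    /^Wiphy / { emit(); phy = $2; mesh = "no"; mfp = "no"; sta = "unreported"; sect = ""; next }
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        if (line !~ /^\*/) sect = line          # any non-bullet line opens a new section
        if (sect == "Supported interface modes:" && line == "* mesh point") mesh = "yes"
        # Suite selectors for BIP-CMAC-128, BIP-GMAC-128, BIP-GMAC-256, BIP-CMAC-256
        if (sect == "Supported Ciphers:" && line ~ /\(00-0f-ac:(6|11|12|13)\)/) mfp = "yes"
        if (line ~ /^Maximum associated stations in AP mode:/) sta = $NF
    }
    END { emit() }'
}

mesh_sae_candidates() {   # stdin: `iw list` text; stdout: radios passing both checks
    iw_mesh_report | awk '/mesh_point=yes/ && /mfp_cipher=yes/ { print $1 }'
}

sample_iw_list() {   # constructed sample, not output taken from the thread
    printf 'Wiphy phy0\n\tSupported Ciphers:\n'
    printf '\t\t* CCMP-128 (00-0f-ac:4)\n\t\t* CMAC (00-0f-ac:6)\n'
    printf '\tSupported interface modes:\n\t\t * AP\n\t\t * mesh point\n'
    printf '\tMaximum associated stations in AP mode: 8\n'
    printf 'Wiphy phy1\n\tSupported Ciphers:\n\t\t* CCMP-128 (00-0f-ac:4)\n'
    printf '\tSupported interface modes:\n\t\t * AP\n\t\t * mesh point\n'
}

# On the router itself: iw list | iw_mesh_report
sample_iw_list | iw_mesh_report
```

A radio that shows `mfp_cipher=no` or `ap_max_sta=unreported` is the case the replies warn about; the summary only reflects what the driver advertises, so an encrypted mesh link still has to be tested on the hardware.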

For me this config runs OK on each box:

```
config wifi-device 'radio1'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
	option band '5g'
	option htmode 'HE80'
	option cell_density '0'
	option channel '36'
	option country 'FR'

config wifi-iface 'wifinet1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'OPENWRT_MESH'
	option encryption 'psk2'
	option key '1234567890'
	option wpa_disable_eapol_key_retries '1'
	option network 'lan'

config wifi-iface 'wifinet3'
	option device 'radio1'
	option mode 'mesh'
	option mesh_fwding '1'
	option mesh_rssi_threshold '0'
	option network 'lan'
	option encryption 'sae'
	option key 'a1234567890'
	option mesh_id 'mesh_123456789'
```

Why are you sharing settings for an 802.11ax radio? Topic starter has an 802.11n chip.

Why, ...

As the wifi configuration file was not given..., I will just have to look at the encodings and the names of the wifis and see to do the same with the WIFI N

as:


```
config wifi-device 'radio0'
	option type 'mac80211'
	option path '1e140000.pcie/pci0000:00/0000:00:01.0/0000:02:00.0+1'
	# 'band' takes '2g' for a 2.4 GHz radio
	option band '2g'
	# an 802.11n radio takes an HT mode (HE80 is an 802.11ax, 80 MHz setting)
	option htmode 'HT20'
	option cell_density '0'
	option channel '2'
	option country 'FR'

# access point for client devices, bridged into 'lan'
config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'OPENWRT_MESH'
	option encryption 'psk2'
	option key '1234567890'
	option wpa_disable_eapol_key_retries '1'
	option network 'lan'

# 802.11s mesh link between the boxes, encrypted with SAE
config wifi-iface 'wifinet3'
	option device 'radio0'
	option mode 'mesh'
	option mesh_fwding '1'
	option mesh_rssi_threshold '0'
	option network 'lan'
	option encryption 'sae'
	option key 'a1234567890'
	option mesh_id 'mesh_123456789'
```

Can you please tell me which wpad packages do you have installed?

```
opkg install wpad-mesh-openssl # or wpad-mesh-wolfssl
```

Check if by chance your two boxes do not have the same MAC address for the WIFI.
I saw yesterday on the forum someone who had this problem and obviously it prevents the mesh from working.

I had the problem before with two KuWfi Tenbay WR1800K WIFI-6 boxes.
Since then a patch has been integrated into the latest versions of OpenWrt.

I would like to clarify my situation:
I have two wifi adapters on RPi.
The first adapter is configured for communication over the 802.11s (mesh) protocol, the second adapter is configured as a wireless access point, and these adapters are connected to the bridge interface. There is also an RPi, which has these two wifi adapters and a network interface combined into a network bridge. This is done so that if the client connects to one of the RPi (the second adapter is configured as an AP), then it is connected by a bridge and the whole thing goes to the router and the client has access to the Internet. And I could access the OpenWRT web interface of any RPi without any problems, roughly speaking, access via mesh.
So, this scheme works without any problems if I don't turn on WPA3-SAE (strong security) encryption, but as soon as I turn on encryption, this scheme no longer works and I can't even get remote access to the RPi web interface.

Can I assume that this is a problem solely in my Wi-Fi adapters?

my adapters: GWF-3S03 chipset Ralink RT5370

Look carefully at the wifi I indicated.
The files of each box must be identical.
The mesh connection is only used for connections between boxes.
APs must be used to connect devices.

Did you read the topic I linked to in my earlier post?

You're running in circles.
