I have been testing with two APs: one is a nanoHD and the other is a new TP-Link EAP620HD (ipq6018). With a basic 802.11r setup, roaming does not seem to be fully functional.
I have matched the mobility domains on the SSIDs, and usteer is running with the default 2 parameters per the updated wiki.
During a roaming event the iperf3 test stops transferring data entirely, and eventually the network on the client fails.
[ 5] 37.00-38.00 sec 62.0 MBytes 520 Mbits/sec 0 3.68 MBytes
[ 5] 38.00-39.00 sec 60.1 MBytes 505 Mbits/sec 0 3.68 MBytes
[ 5] 39.00-40.00 sec 50.5 MBytes 424 Mbits/sec 0 3.68 MBytes
[ 5] 40.00-41.00 sec 52.0 MBytes 436 Mbits/sec 0 3.68 MBytes
[ 5] 41.00-42.00 sec 55.1 MBytes 462 Mbits/sec 0 3.68 MBytes
[ 5] 42.00-43.00 sec 50.8 MBytes 426 Mbits/sec 0 3.68 MBytes
[ 5] 43.00-44.00 sec 55.0 MBytes 461 Mbits/sec 0 3.68 MBytes
[ 5] 44.00-45.00 sec 68.4 MBytes 574 Mbits/sec 0 3.68 MBytes
[ 5] 45.00-46.00 sec 71.1 MBytes 596 Mbits/sec 0 3.68 MBytes
[ 5] 46.00-47.00 sec 71.6 MBytes 601 Mbits/sec 0 3.68 MBytes
[ 5] 47.00-48.00 sec 69.2 MBytes 581 Mbits/sec 0 3.68 MBytes
[ 5] 48.00-49.00 sec 52.4 MBytes 439 Mbits/sec 0 3.68 MBytes
[ 5] 49.00-50.00 sec 44.2 MBytes 371 Mbits/sec 0 3.68 MBytes
[ 5] 50.00-51.00 sec 29.0 MBytes 243 Mbits/sec 1 3.68 MBytes
[ 5] 51.00-52.00 sec 17.9 MBytes 150 Mbits/sec 0 6.62 MBytes
[ 5] 52.00-53.00 sec 24.8 MBytes 208 Mbits/sec 0 6.62 MBytes
[ 5] 53.00-54.00 sec 24.4 MBytes 205 Mbits/sec 0 6.62 MBytes
[ 5] 54.00-55.00 sec 24.8 MBytes 208 Mbits/sec 0 6.62 MBytes
[ 5] 55.00-56.00 sec 0.00 Bytes 0.00 bits/sec 1 1.41 KBytes
[ 5] 56.00-57.00 sec 0.00 Bytes 0.00 bits/sec 0 1.41 KBytes
[ 5] 57.00-58.00 sec 0.00 Bytes 0.00 bits/sec 1 1.41 KBytes
[ 5] 58.00-59.00 sec 0.00 Bytes 0.00 bits/sec 0 1.41 KBytes
[ 5] 59.00-60.00 sec 0.00 Bytes 0.00 bits/sec 0 1.41 KBytes
[ 5] 60.00-61.00 sec 0.00 Bytes 0.00 bits/sec 0 1.41 KBytes
[ 5] 61.00-62.00 sec 0.00 Bytes 0.00 bits/sec 1 1.41 KBytes
[ 5] 62.00-63.00 sec 0.00 Bytes 0.00 bits/sec 0 1.41 KBytes
[ 5] 63.00-64.00 sec 0.00 Bytes 0.00 bits/sec 0 1.41 KBytes
[ 5] 64.00-65.00 sec 0.00 Bytes 0.00 bits/sec 1 1.41 KBytes
[ 5] 65.00-66.00 sec 0.00 Bytes 0.00 bits/sec 0 1.41 KBytes
On the stock firmware of this EAP620HD I did have 802.11r roaming set up before, and it performed as expected (with mobility domains set).
I tested wpad-wolfssl and the default wpad-basic-mbedtls and saw the same results.
brada4
March 12, 2025, 7:28pm
You need wpad-mbedtls to enable 11R (not -basic- flavour)
Could you post output of
ubus call system board
cat /etc/config/wireless # replace secrets with ABC
cat /etc/config/network
cat /etc/config/firewall
Formatting as code </>
I was doing most of the testing with wpad-wolfssl; wpad-basic-mbedtls was just a final test (although the 11r option does show up there?).
root@OpenWrt:~# ubus call system board
{
"kernel": "6.6.80",
"hostname": "OpenWrt",
"system": "ARMv8 Processor rev 4",
"model": "TP-Link EAP620HD V2",
"board_name": "tplink,eap620hd-v2",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "SNAPSHOT",
"firmware_url": "https://downloads.openwrt.org/",
"revision": "r28965-371cad4f28",
"target": "qualcommax/ipq60xx",
"description": "OpenWrt SNAPSHOT r28965-371cad4f28",
"builddate": "1741610382"
}
}
root@OpenWrt:~# cat /etc/config/wireless # replace secrets with ABC
# /etc/config/wireless as posted: two mac80211 radios and four AP interfaces
# (a main SSID and an "_IoT" SSID on each radio), all with 802.11r enabled.
# NOTE(review): no 'ieee80211w' option appears on any interface, so management
# frame protection is left at whatever the build defaults to - confirm.
# 5 GHz radio: automatic channel selection, 80 MHz HE, transmit power set to 18.
config wifi-device 'radio0'
option type 'mac80211'
option path 'platform/soc@0/c000000.wifi'
option band '5g'
option channel 'auto'
option htmode 'HE80'
option txpower '18'
option country 'CA'
option disabled '0'
option cell_density '0'
# 2.4 GHz radio: fixed channel 6, 20 MHz HE, transmit power set to 9.
config wifi-device 'radio1'
option type 'mac80211'
option path 'platform/soc@0/c000000.wifi+1'
option band '2g'
option channel '6'
option htmode 'HE20'
option txpower '9'
option country 'CA'
option disabled '0'
option cell_density '0'
# Main SSID on the 5 GHz radio, attached to network 'lan'.
config wifi-iface 'wifinet0'
option device 'radio0'
option mode 'ap'
option ssid 'xxxx'
# 'psk-mixed+ccmp' is WPA/WPA2 mixed-mode PSK with the CCMP cipher.
# NOTE(review): mixed mode keeps WPA1 on offer to clients; 'psk2' would limit
# the BSS to WPA2. The same value is used on all four interfaces below.
option encryption 'psk-mixed+ccmp'
option dtim_period '3'
# Placeholder: the real passphrase appears to have been redacted before posting.
option key 'xxxxxxxxx'
option network 'lan'
# Enable 802.11r Fast BSS Transition.
option ieee80211r '1'
# Mobility domain ID (4 hex digits). APs that should hand clients over to each
# other for this SSID need the same value; wifinet2 uses the same '4f10'.
option mobility_domain '4f10'
# '0' selects FT over the air rather than over the DS.
option ft_over_ds '0'
# Generate the FT response locally from the PSK instead of exchanging keys
# between the APs. hostapd documents this as working for FT-PSK only, and it
# relies on every AP in the mobility domain using the same passphrase.
option ft_psk_generate_local '1'
# IoT SSID on the 5 GHz radio, attached to network 'iot', with its own
# mobility domain '4f17' (shared with wifinet3).
config wifi-iface 'wifinet1'
option device 'radio0'
option mode 'ap'
option ssid 'xxxx_IoT'
option encryption 'psk-mixed+ccmp'
option key 'xxxxxxx'
option network 'iot'
option ieee80211r '1'
option mobility_domain '4f17'
option ft_over_ds '0'
option ft_psk_generate_local '1'
# Main SSID on the 2.4 GHz radio; same network and mobility domain as wifinet0.
config wifi-iface 'wifinet2'
option device 'radio1'
option mode 'ap'
option ssid 'xxxxx'
option encryption 'psk-mixed+ccmp'
option dtim_period '3'
option key 'xxxxxx'
option network 'lan'
option ieee80211r '1'
option mobility_domain '4f10'
option ft_over_ds '0'
option ft_psk_generate_local '1'
# IoT SSID on the 2.4 GHz radio; same network and mobility domain as wifinet1.
config wifi-iface 'wifinet3'
option device 'radio1'
option mode 'ap'
option ssid 'xxxxx_IoT'
option encryption 'psk-mixed+ccmp'
option key 'xxxxxxx'
option network 'iot'
option ieee80211r '1'
option mobility_domain '4f17'
option ft_over_ds '0'
option ft_psk_generate_local '1'
root@OpenWrt:~# cat /etc/config/network
# /etc/config/network as posted: loopback plus two bridged VLAN interfaces,
# both of which obtain their address by DHCP.
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix 'fdad:d91e:8f1f::/48'
option packet_steering '2'
# br-lan bridges the VLAN 10 sub-interface 'lan.10' (defined at the end).
config device
option name 'br-lan'
option type 'bridge'
list ports 'lan.10'
# 'lan' is a DHCP client on br-lan; presumably addressing and routing are
# handled by an upstream router - confirm.
config interface 'lan'
option device 'br-lan'
option proto 'dhcp'
# br-iot bridges the VLAN 107 sub-interface 'lan.107' (defined below).
config device
option type 'bridge'
option name 'br-iot'
list ports 'lan.107'
# 'iot' is likewise a DHCP client, on br-iot.
config interface 'iot'
option proto 'dhcp'
option device 'br-iot'
# 802.1Q sub-interface of 'lan' carrying VLAN ID 107.
config device
option type '8021q'
option ifname 'lan'
option vid '107'
option name 'lan.107'
# 802.1Q sub-interface of 'lan' carrying VLAN ID 10.
config device
option type '8021q'
option ifname 'lan'
option vid '10'
option name 'lan.10'
root@OpenWrt:~# cat /etc/config/firewall
# /etc/config/firewall as posted. Apart from the 'lan' zone also listing 'iot',
# the zones and rule names look like the stock OpenWrt defaults - confirm.
# Defaults: reject inbound and forwarded traffic unless a zone or rule allows
# it, allow outbound traffic, and enable SYN-flood protection.
config defaults
option syn_flood '1'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
# NOTE(review): 'lan' and 'iot' share this zone and forward is ACCEPT, so this
# firewall applies one policy to both and does not block traffic routed between
# them on this device. If the IoT VLAN is meant to be isolated, give 'iot' its
# own zone or confirm that the upstream router enforces the separation.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
list network 'iot'
# The /etc/config/network posted alongside defines no 'wan' or 'wan6'
# interface, so this zone and the 'src wan' rules below presumably match
# nothing on this device - confirm.
config zone
option name 'wan'
list network 'wan'
list network 'wan6'
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
# Allow forwarding from zone 'lan' to zone 'wan'.
config forwarding
option src 'lan'
option dest 'wan'
# Accept IPv4 UDP to port 68 arriving from 'wan'.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# Accept IPv4 ICMP echo-request arriving from 'wan'.
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
# Accept IPv4 IGMP arriving from 'wan'.
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
# Accept IPv6 UDP to port 546 arriving from 'wan'.
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
# Accept the listed ICMPv6 types (130, 131, 132, 143) from link-local
# sources in fe80::/10 arriving from 'wan'.
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'
# Accept the listed ICMPv6 types addressed to this device from 'wan',
# rate-limited to 1000 per second.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Accept the listed ICMPv6 types forwarded from 'wan' to any zone (dest '*'),
# with the same 1000 per second limit.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Accept ESP forwarded from 'wan' into zone 'lan' (which here includes 'iot').
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
# Accept UDP port 500 forwarded from 'wan' into zone 'lan'.
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
That's false. The default wpad-basic-mbedtls package supports 802.11r, as mentioned in the hostapd Makefile.
brada4
March 12, 2025, 11:58pm
The last devices requiring WPA1 are 15 years old or older (Wi-Fi G era). Just use WPA2 (rather than the WPA/WPA2 mixed mode in your config) without tweaks.
And don't limit TX power; you can restrict low data rates via cell density to limit range.
Oh, thanks for spotting that. I meant to have WPA2 only!
If we increase TX power, that would affect throughput (negatively), no?
Just adding more test results after updating to WPA2 and using wpad-mbedtls.
We can see from "iwconfig" that the client does flip over to the other AP; the client is Ubuntu 24.04 with AMD Wi-Fi.
However, on this flip all data transfer still drops to 0. If I move back towards the originating AP, data flows again.