MESH Encryption check?

Two months new to OpenWrt. First post.

Picked up (2) MT-6000s and then discovered the ONE router and picked one up as well.

I have all three up and running on 24.10.1.

So far, I have 4 VLANs set up and 6 wireless SSIDs. One of the MT6000s is a dumb access point, and the ONE router is an AP as well, meshed to the MT6000. Everything is working as expected, and 802.11r is enabled on all.

I installed wpad-openssl on the MT6000 AP and the ONE AP.

When I look at the connection at NETWORK > WIRELESS, the MT6000 shows WPA3 encryption, and the ONE shows NONE.

Is this a UI error, and if not, how to check?

Thanks for all the great docs and help files!


It is a known bug with iwinfo that it misreports mesh encryption in some circumstances, seen with some drivers but not others, and sometimes seen when a phy has multiple logical interfaces.

Luci uses iwinfo to get the info it displays.

It is worth noting that if all meshnodes have the same mesh id and they all join the mesh, then they must all be either encrypted or not - it will never be mixed.

How to check mesh encryption:
On any or all meshnodes, run the command:
iw dev m-11s-0 scan dump | grep -B 30 "MESH ID:" | grep -A 4 "RSN:"
replacing meshxx with the actual interface name (If you don't know it, you can get it from iwinfo).

Here is the output I get on my test system:

root@meshnode-8ecb:~# iw dev m-11s-0 scan dump | grep -B 30 "MESH ID:" | grep -A 4 "RSN:"
	RSN:	 * Version: 1
		 * Group cipher: CCMP
		 * Pairwise ciphers: CCMP
		 * Authentication suites: SAE
		 * Capabilities: 1-PTKSA-RC 1-GTKSA-RC (0x0000)
--
	RSN:	 * Version: 1
		 * Group cipher: CCMP
		 * Pairwise ciphers: CCMP
		 * Authentication suites: SAE
		 * Capabilities: 1-PTKSA-RC 1-GTKSA-RC (0x0000)
root@meshnode-8ecb:~# 

Something to note:
You appear to have five meshnodes, the four shown in your screenshot and the one that produced the screenshot.
The one that produced your screenshot has single hop 802.11s links to the other four.
Lucky positioning of the meshnodes with respect to each other is allowing single hop connections, at least for now. If anything changes this might not be the case and one or more nodes might well drop out of the mesh ("anything" could mean repositioning a node, but also could be something totally unexpected like someone leaves a door open, your dog goes to sleep on the sofa, weird unexpected things - there is a reason radars use similar ranges of frequencies!)

By default, the HWMP mac-routing mesh protocol built into the kernel is effectively disabled and it cannot be enabled in the required modes by the uci config (or by Luci), so any small changes can break the mesh links and they will often not recover without restarting everything.

In addition, vlans are not supported over mesh links.

The solution is to install a mesh management package such as Mesh11sd or Batman.
Mesh11sd dynamically controls the layer 2 HWMP protocol.
Batman uses its own layer 3 mesh management protocol.
Both support the tunnelling required for VLAN support.
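
Added example (not part of the original reply): the grep pipeline above prints only the RSN blocks that exist, so a mesh peer advertising no RSN element simply does not appear. This sketch lists every mesh peer in the scan dump with its state instead. The function names, the `OPEN` label and the sample dump are constructed for illustration, and it assumes the tab-indented `iw` layout with the `RSN:` and `MESH ID:` labels shown in the output above.

```shell
#!/bin/sh
# Added example: list every mesh peer in an `iw ... scan dump` with its RSN state.
# Prints "<bssid> <state> <mesh id>"; state is the AKM (e.g. SAE) or OPEN when
# the peer's beacon carries no RSN element. Exits 1 if any peer is not SAE.
mesh_rsn_report() {
    awk '
    function emit() {
        if (bssid != "" && meshid != "") {
            state = rsn ? (akm != "" ? akm : "RSN-no-AKM") : "OPEN"
            print bssid, state, meshid
            if (state != "SAE") bad = 1
        }
        bssid = ""; meshid = ""; rsn = 0; akm = ""; inrsn = 0
    }
    /^BSS /       { emit(); bssid = substr($2, 1, 17); next }
    # A line with one leading tab starts a new information element.
    /^\t[^ \t]/   { inrsn = ($1 == "RSN:"); if (inrsn) rsn = 1 }
    /^\tMESH ID:/ { meshid = $0; sub(/^\tMESH ID:[ \t]*/, "", meshid) }
    inrsn && /Authentication suites:/ {
        akm = $0; sub(/^.*Authentication suites:[ \t]*/, "", akm)
    }
    END { emit(); exit bad + 0 }
    '
}

# Constructed sample input (not captured from a real device): one SAE mesh
# peer, one mesh peer with no RSN element, and one ordinary AP (ignored).
sample_dump() {
    printf 'BSS 02:00:00:00:00:01(on m-11s-0)\n\tfreq: 5180\n'
    printf '\tRSN:\t * Version: 1\n\t\t * Group cipher: CCMP\n'
    printf '\t\t * Pairwise ciphers: CCMP\n\t\t * Authentication suites: SAE\n'
    printf '\tMESH ID: testmesh\n'
    printf 'BSS 02:00:00:00:00:02(on m-11s-0)\n\tfreq: 5180\n\tMESH ID: testmesh\n'
    printf 'BSS 02:00:00:00:00:03(on m-11s-0)\n\tSSID: home-ap\n'
    printf '\tRSN:\t * Version: 1\n\t\t * Authentication suites: PSK\n'
}

# On a node: iw dev m-11s-0 scan dump | mesh_rsn_report
sample_dump | mesh_rsn_report || echo "at least one mesh peer is not using SAE"
```

A non-zero exit status makes the check usable from a cron job or monitoring script on each meshnode.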
