MikroTik hAP ac lite won't encrypt 802.11s mesh

I'm trying to get a MikroTik hAP ac lite with OpenWrt 23.05.03 to mesh over 5GHz with an ASUS RT-AX53U, also with OpenWrt 23.05.03.

I've followed the 802.11s mesh how-to to the letter, tried all the mesh-capable wpad versions, replaced the ath10k-ct driver with the ct-less version, but the MikroTik stubbornly refuses to do mesh encryption of any sort. If I try to select anything but open encryption, LuCI complains about my wpa-supplicant not being SAE-compatible, or that the 802.11s mode is incompatible. I can't blame LuCI either, because manually editing /etc/config/wireless to set encryption renders the mesh interface inactive.

Mesh configuration on the Asus gives me no grief whatsoever. Also, when 'no encryption' is selected on both the Asus and the MikroTik, the mesh works flawlessly. I'm concluding that the ath10k driver or the Atheros QCA9887 SoC itself is somehow flawed or incompatible.

Has anyone found a workable mesh configuration -- with encryption -- for this MikroTik or any other router with the same Atheros QCA9887 SoC? Are there any workarounds apart from stringing an Ethernet cable to the MikroTik? I don't want WDS or a separate subnet.

In an SSH shell, can you run iw phy and paste the results here?
If I remember correctly the hAP ac lite radios are weird, the 2.4GHz is 2x2 MIMO but the 5GHz is only 1x1 MIMO.
Have you tried meshing over the 2.4GHz radio?

1 Like

I just had a similar issue with LuCI giving a wpa-supplicant error.

Are you converting the MikroTik AP from a dumb access point to a mesh point? Because the Dumb AP guide has a startup script that has a line for

rm /usr/sbin/wpa_supplicant

that was causing me problems. Removed it, re-flashed OpenWrt with Attended sysupgrade, kept the config and the error went away.

Have you tried meshing over the 2.4GHz radio?

Like hecatae said, it might also be that the 5GHz radio doesn't work.

1 Like

Here goes, my iw phy output:

Wiphy phy1
	wiphy index: 1
	max # scan SSIDs: 4
	max scan IEs length: 2257 bytes
	max # sched scan SSIDs: 0
	max # match sets: 0
	Retry short limit: 7
	Retry long limit: 4
	Coverage class: 0 (up to 0m)
	Device supports AP-side u-APSD.
	Device supports T-DLS.
	Available Antennas: TX 0x3 RX 0x3
	Configured Antennas: TX 0x3 RX 0x3
	Supported interface modes:
		 * IBSS
		 * managed
		 * AP
		 * AP/VLAN
		 * monitor
		 * mesh point
		 * P2P-client
		 * P2P-GO
		 * outside context of a BSS
	Band 1:
		Capabilities: 0x11ef
			RX LDPC
			HT20/HT40
			SM Power Save disabled
			RX HT20 SGI
			RX HT40 SGI
			TX STBC
			RX STBC 1-stream
			Max AMSDU length: 3839 bytes
			DSSS/CCK HT40
		Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
		Minimum RX AMPDU time spacing: 8 usec (0x06)
		HT TX/RX MCS rate indexes supported: 0-15
		Frequencies:
			* 2412 MHz [1] (20.0 dBm)
			* 2417 MHz [2] (20.0 dBm)
			* 2422 MHz [3] (20.0 dBm)
			* 2427 MHz [4] (20.0 dBm)
			* 2432 MHz [5] (20.0 dBm)
			* 2437 MHz [6] (20.0 dBm)
			* 2442 MHz [7] (20.0 dBm)
			* 2447 MHz [8] (20.0 dBm)
			* 2452 MHz [9] (20.0 dBm)
			* 2457 MHz [10] (20.0 dBm)
			* 2462 MHz [11] (20.0 dBm)
			* 2467 MHz [12] (20.0 dBm)
			* 2472 MHz [13] (20.0 dBm)
			* 2484 MHz [14] (disabled)
	valid interface combinations:
		 * #{ managed } <= 2048, #{ AP, mesh point } <= 8, #{ P2P-client, P2P-GO } <= 1, #{ IBSS } <= 1,
		   total <= 2048, #channels <= 1, STA/AP BI must match, radar detect widths: { 20 MHz (no HT), 20 MHz, 40 MHz }

	HT Capability overrides:
		 * MCS: ff ff ff ff ff ff ff ff ff ff
		 * maximum A-MSDU length
		 * supported channel width
		 * short GI for 40 MHz
		 * max A-MPDU length exponent
		 * min MPDU start spacing
	max # scan plans: 1
	max scan plan interval: -1
	max scan plan iterations: 0
	Supported extended features:
		* [ RRM ]: RRM
		* [ FILS_STA ]: STA FILS (Fast Initial Link Setup)
		* [ CQM_RSSI_LIST ]: multiple CQM_RSSI_THOLD records
		* [ CONTROL_PORT_OVER_NL80211 ]: control port over nl80211
		* [ TXQS ]: FQ-CoDel-enabled intermediate TXQs
		* [ SCAN_RANDOM_SN ]: use random sequence numbers in scans
		* [ SCAN_MIN_PREQ_CONTENT ]: use probe request with only rate IEs in scans
		* [ CAN_REPLACE_PTK0 ]: can safely replace PTK 0 when rekeying
		* [ AIRTIME_FAIRNESS ]: airtime fairness scheduling
		* [ CONTROL_PORT_NO_PREAUTH ]: disable pre-auth over nl80211 control port support
		* [ DEL_IBSS_STA ]: deletion of IBSS station support
		* [ MULTICAST_REGISTRATIONS ]: mgmt frame registration for multicast
		* [ SCAN_FREQ_KHZ ]: scan on kHz frequency support
		* [ CONTROL_PORT_OVER_NL80211_TX_STATUS ]: tx status for nl80211 control port support
Wiphy phy0
	wiphy index: 0
	max # scan SSIDs: 16
	max scan IEs length: 199 bytes
	max # sched scan SSIDs: 0
	max # match sets: 0
	Retry short limit: 7
	Retry long limit: 4
	Coverage class: 0 (up to 0m)
	Device supports AP-side u-APSD.
	Available Antennas: TX 0x1 RX 0x1
	Configured Antennas: TX 0x1 RX 0x1
	Supported interface modes:
		 * managed
		 * AP
		 * AP/VLAN
		 * monitor
		 * mesh point
	Band 2:
		Capabilities: 0x196f
			RX LDPC
			HT20/HT40
			SM Power Save disabled
			RX HT20 SGI
			RX HT40 SGI
			RX STBC 1-stream
			Max AMSDU length: 7935 bytes
			DSSS/CCK HT40
		Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
		Minimum RX AMPDU time spacing: 8 usec (0x06)
		HT TX/RX MCS rate indexes supported: 0-7
		VHT Capabilities (0x33800132):
			Max MPDU length: 11454
			Supported Channel Width: neither 160 nor 80+80
			RX LDPC
			short GI (80 MHz)
			RX antenna pattern consistency
			TX antenna pattern consistency
		VHT RX MCS set:
			1 streams: MCS 0-9
			2 streams: not supported
			3 streams: not supported
			4 streams: not supported
			5 streams: not supported
			6 streams: not supported
			7 streams: not supported
			8 streams: not supported
		VHT RX highest supported: 0 Mbps
		VHT TX MCS set:
			1 streams: MCS 0-9
			2 streams: not supported
			3 streams: not supported
			4 streams: not supported
			5 streams: not supported
			6 streams: not supported
			7 streams: not supported
			8 streams: not supported
		VHT TX highest supported: 0 Mbps
		VHT extended NSS: not supported
		Frequencies:
			* 5180 MHz [36] (23.0 dBm)
			* 5200 MHz [40] (23.0 dBm)
			* 5220 MHz [44] (23.0 dBm)
			* 5240 MHz [48] (23.0 dBm)
			* 5260 MHz [52] (20.0 dBm) (radar detection)
			* 5280 MHz [56] (20.0 dBm) (radar detection)
			* 5300 MHz [60] (20.0 dBm) (radar detection)
			* 5320 MHz [64] (20.0 dBm) (radar detection)
			* 5500 MHz [100] (26.0 dBm) (radar detection)
			* 5520 MHz [104] (26.0 dBm) (radar detection)
			* 5540 MHz [108] (26.0 dBm) (radar detection)
			* 5560 MHz [112] (26.0 dBm) (radar detection)
			* 5580 MHz [116] (26.0 dBm) (radar detection)
			* 5600 MHz [120] (26.0 dBm) (radar detection)
			* 5620 MHz [124] (26.0 dBm) (radar detection)
			* 5640 MHz [128] (26.0 dBm) (radar detection)
			* 5660 MHz [132] (26.0 dBm) (radar detection)
			* 5680 MHz [136] (26.0 dBm) (radar detection)
			* 5700 MHz [140] (26.0 dBm) (radar detection)
			* 5720 MHz [144] (13.0 dBm) (radar detection)
			* 5745 MHz [149] (13.0 dBm)
			* 5765 MHz [153] (13.0 dBm)
			* 5785 MHz [157] (13.0 dBm)
			* 5805 MHz [161] (13.0 dBm)
			* 5825 MHz [165] (13.0 dBm)
			* 5845 MHz [169] (13.0 dBm)
			* 5865 MHz [173] (13.0 dBm)
	valid interface combinations:
		 * #{ AP, mesh point } <= 8, #{ managed } <= 1,
		   total <= 8, #channels <= 1, STA/AP BI must match, radar detect widths: { 20 MHz (no HT), 20 MHz, 40 MHz, 80 MHz }

	HT Capability overrides:
		 * MCS: ff ff ff ff ff ff ff ff ff ff
		 * maximum A-MSDU length
		 * supported channel width
		 * short GI for 40 MHz
		 * max A-MPDU length exponent
		 * min MPDU start spacing
	max # scan plans: 1
	max scan plan interval: -1
	max scan plan iterations: 0
	Maximum associated stations in AP mode: 0
	Supported extended features:
		* [ VHT_IBSS ]: VHT-IBSS
		* [ RRM ]: RRM
		* [ SET_SCAN_DWELL ]: scan dwell setting
		* [ FILS_STA ]: STA FILS (Fast Initial Link Setup)
		* [ CQM_RSSI_LIST ]: multiple CQM_RSSI_THOLD records
		* [ CONTROL_PORT_OVER_NL80211 ]: control port over nl80211
		* [ ACK_SIGNAL_SUPPORT ]: ack signal level support
		* [ TXQS ]: FQ-CoDel-enabled intermediate TXQs
		* [ AIRTIME_FAIRNESS ]: airtime fairness scheduling
		* [ AQL ]: Airtime Queue Limits (AQL)
		* [ CONTROL_PORT_NO_PREAUTH ]: disable pre-auth over nl80211 control port support
		* [ SCAN_FREQ_KHZ ]: scan on kHz frequency support
		* [ CONTROL_PORT_OVER_NL80211_TX_STATUS ]: tx status for nl80211 control port support

A 2.4GHz mesh doesn't fare any better than a 5GHz one. Again, the MikroTik won't allow any form of encryption to be selected. Actually, it fares worse, since the 2.4GHz mesh doesn't get established, encryption or not. I didn't look into it further, because a 2.4GHz mesh defeats my purpose, which is to have the MikroTik serve IoT devices over 2.4GHz.

I have to agree that my hAP ac lite has acted strangely from the very beginning. I banished it from the office because it couldn't resolve hostnames. I put it down to MikroTik's quirky RouterOS, but strangely, now with OpenWrt, I'm in the very same situation. As much as I'd like to give the Latvians business, I have my doubts about their hardware.

Dakoriki, I have no wpa_supplicant in /usr/sbin.

I initially flashed the MikroTik with the official 23.05.03 firmware, then I dumbed it down to a dumb AP. I haven't bothered with attended sysupgrades, since I have no extra packages except for nano, to edit config files.

There is no such limitation forbidding mesh in the presence of IoT.

Did you follow the Dumb AP guide to the letter as well? If you did, you might have also copied the startup script from the guide, which has the command to remove wpa_supplicant from /usr/bin/.

So if this is true, then it might have been deleted by the startup script.

So in LuCI, in System, Startup and Local Startup, you might have a line of code in the box that is

rm /usr/sbin/wpa_supplicant

which was my problem at least, could be different for you tho

3 Likes

I don't think I have made mention of any restrictions related to IoT. The IoT devices in question are one Matter smartplug, half a dozen ESP-based microcontrollers and a MediaTek LinkIt Smart 7688 running OpenWrt 23.05.0 (gotta upgrade that one). They're associated as 2.4GHz 802.11n stations to the MikroTik AP. They all steer clear of the 5GHz 802.11s mesh.

You know what, it appears that I did follow the Dumb AP instructions to the letter and included the startup script containing the offending line that deletes wpa_supplicant from /usr/sbin. That was the source of my problems. Incidentally, I hadn't added the script to my Asus, which I have configured as a dumb AP as well, so it wasn't affected.

What a great find!

As you can tell from the screenshot above, my 5GHz mesh is now up and running!

You should edit the Dumb AP guide to warn people of mesh encryption problems. It's bound to cause headaches now that meshes are becoming more commonplace.

2 Likes
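
The condition this thread tracked down (a Local Startup line deleting wpa_supplicant, so the mesh either stays down or is run unencrypted) can be checked with a short script. This is an added example, not part of any post or of the OpenWrt guides; the function names and the sample tree are constructed for illustration, and it assumes the stock paths /usr/sbin/wpa_supplicant, /etc/rc.local (LuCI's Local Startup) and /etc/config/wireless.

```shell
#!/bin/sh
# Added example. The root argument is "" for the live router, or a directory
# holding an unpacked config backup (or the constructed sample below).

# Lines in the Local Startup script that delete the supplicant binary.
find_supplicant_removal() {
    [ -f "$1/etc/rc.local" ] || return 1
    grep -nE '^[[:space:]]*rm[[:space:]].*wpa_supplicant' "$1/etc/rc.local"
}

# Print "<section> <encryption>" for every mesh-mode wifi-iface section.
mesh_encryption() {
    [ -f "$1/etc/config/wireless" ] || return 0
    awk -v q="'" '
        function emit() { if (mode == "mesh") print name, (enc == "" ? "none" : enc) }
        { gsub(q, ""); gsub(/"/, "") }    # strip UCI quoting
        $1 == "config" { emit(); name = ($3 == "" ? "unnamed" : $3); mode = ""; enc = "" }
        $1 == "option" && $2 == "mode" { mode = $3 }
        $1 == "option" && $2 == "encryption" { enc = $3 }
        END { emit() }
    ' "$1/etc/config/wireless"
}

# Return 0 only if the binary exists, nothing deletes it, and no mesh is open.
audit_mesh_sae() {
    root="$1"; bad=0
    if [ ! -e "$root/usr/sbin/wpa_supplicant" ]; then
        echo "FAIL: /usr/sbin/wpa_supplicant is missing"; bad=1
    fi
    if hits=$(find_supplicant_removal "$root"); then
        echo "FAIL: /etc/rc.local removes it at boot: $hits"; bad=1
    fi
    open=$(mesh_encryption "$root" | awk '$2 == "none" { print $1 }')
    if [ -n "$open" ]; then
        echo "WARN: mesh interface(s) running unencrypted: $open"; bad=1
    fi
    return "$bad"
}

# Constructed sample of the thread's state: SAE configured, binary deleted.
make_sample_root() {
    d=$(mktemp -d) && mkdir -p "$d/etc/config" "$d/usr/sbin" || return 1
    printf '%s\n' '# Local Startup' 'rm /usr/sbin/wpa_supplicant' 'exit 0' > "$d/etc/rc.local"
    printf '%s\n' "config wifi-iface 'mesh0'" "    option mode 'mesh'" \
        "    option encryption 'sae'" > "$d/etc/config/wireless"
    echo "$d"
}

sample=$(make_sample_root)
audit_mesh_sae "$sample" || echo "sample root fails the audit, as constructed"
rm -rf "$sample"
```

On a router, call `audit_mesh_sae ""` after sourcing the functions; a non-zero return means the mesh is either unable to use SAE or is configured open.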
