MR8300 (21.02.3 & 22.03.0-rc5) - Mesh Point has no encryption

fcc · July 10, 2022, 1:52pm

Hi all,
i migrated my Openwrt Installation from an Archer C7 to the Linksys MR8300.
Everything works as expected except the mesh point is not encrypted although it is configured like this. (i use wpad-mesh-wolfssl)
Anyone else has the issue with this device?

/etc/config/mesh11sd

config mesh11sd 'setup'
        option enabled '1'
        option debuglevel '3'
        option checkinterval '10'
        option interface_timeout '10'

config mesh11sd 'mesh_params'
        option mesh_fwding '1'
        option mesh_rssi_threshold '-80'
        option mesh_gate_announcements '1'
        option mesh_hwmp_rootmode '3'
        option mesh_max_peer_links '150'

/etc/config/wireless

config wifi-iface 'default_radio2'
        option device 'radio2'
        option network 'lan'
        option mode 'mesh'
        option mesh_id 'mesh'
        option key '**************'
        option ifname 'mesh0'
        option mesh_fwding '1'
        option mesh_rssi_threshold '0'
        option encryption 'sae'

iw dev mesh0 info

Interface mesh0
        ifindex 72
        wdev 0x200000022
        addr XXXXXXXXXXXXX
        type mesh point
        wiphy 2
        channel 48 (5240 MHz), width: 80 MHz, center1: 5210 MHz
        txpower 23.00 dBm
        multicast TXQ:
                qsz-byt qsz-pkt flows   drops   marks   overlmt hashcol tx-bytes        tx-packets
                718586  5190    174     0       0       2740    6072    266904          1347

iwinfo

mesh0     ESSID: "mesh"
          Access Point: XXXXXXXXXXXXXXX
          Mode: Mesh Point  Channel: 48 (5.240 GHz)
          Center Channel 1: 42 2: unknown
          Tx-Power: 23 dBm  Link Quality: unknown/70
          Signal: unknown  Noise: -104 dBm
          Bit Rate: unknown
          Encryption: none
          Type: nl80211  HW Mode(s): 802.11nac
          Hardware: XXXXXXXXXXXXXXXXXX [Qualcomm Atheros IPQ4019]
          TX power offset: none
          Frequency offset: none
          Supports VAPs: yes  PHY name: phy2

bluewavenet · July 11, 2022, 7:39am

I am running as a test system, a gl-inet B1300, also an IPQ4019, with no problems, but I use wpad-wolfssl (the full version). Might be worth changing although I have also used wpad-mesh-wolfssl on other devices (I use the full version on this one for other reasons).

Here is an output of iwinfo from mine:

mesh0     ESSID: "bluewave"
          Access Point: 94:83:C4:04:DE:D9
          Mode: Mesh Point  Channel: 9 (2.452 GHz)
          Center Channel 1: 7 2: unknown
          Tx-Power: 20 dBm  Link Quality: 70/70
          Signal: -23 dBm  Noise: -103 dBm
          Bit Rate: 300.0 MBit/s
          Encryption: WPA3 SAE (CCMP)
          Type: nl80211  HW Mode(s): 802.11bgn
          Hardware: 168C:003C 168C:4019 [Qualcomm Atheros IPQ4019]
          TX power offset: none
          Frequency offset: none
          Supports VAPs: yes  PHY name: phy0

Comparing with yours, yours looks like it might not be actively in the mesh....

Please show the output of mesh11sd status to see if it gives us any more clues.

McGiverGim · July 11, 2022, 8:03am

There are other threads with same problem and it seemed that iwinfo shows the wrong information and the mesh is really encrypted...
I've the same problem with an ax3600 so very interested to get to the end of this.

badulesia · July 11, 2022, 2:56pm

Hi.
I'm running a mesh on a MR8300. No issue.
Running iwinfo I also see encryption: none displayed. I concur with @McGiverGim , it may be simply a wrong info from iwinfo.

EDIT: right now the other mesh point is powered off, so the MR8300 is not linked. So maybe the encryption message only means that the mesh is off. That may sounds silly, but I can't power on the other mesh point right now to check.

bluewavenet · July 11, 2022, 2:58pm

But I get the following from iwinfo:

So is it dependent on iwinfo version, or does iwinfo report correctly if you are using the full version of wpad?

bluewavenet · July 11, 2022, 3:25pm

I just tried this on my test system. It had 3 meshnodes connected.
I powered the remote meshnodes down, ran wifi command, checked that mesh11sd status was reporting 0 peers, then ran iwinfo.

It still reports:
Encryption: WPA3 SAE (CCMP)

I am really thinking it is wpad-mesh-wolfssl that gives iwinfo the incorrect information. As I mentioned earlier, I am using the full version - wpad-wolfssl.

I will have to revert the full wpad to the mesh version and test again - but cannot at the moment as working on it on another project.

Perhaps someone else here can go the other way and see if iwinfo then reports correctly.
@McGiverGim @fcc

Another thing that springs to mind is I am NOT using the Ath10k CT drivers, instead using the non-CT versions. The CT version limits to only 16 connections, that is the sum of connected clients and meshnodes on any radio.

badulesia · July 11, 2022, 3:36pm

I'll be able to power on the mesh lately today and check.
I'm using both the wpad-wolfsll and the ath10k CT drivers (qca9888, not qca4019).

bluewavenet · July 11, 2022, 3:39pm

Do you have the ipq-wifi-linksys_mr8300-v0 package installed? I don't know if this is relavent.

ipq-wifi-linksys_mr8300-v0 - 1 - The Linksys MR8300 requires board-specific, reference ("cal") data that is not yet present in the upstream wireless firmware distribution. This package supplies board-2.bin file(s) that, in the interim, overwrite those supplied by the ath10k-firmware-* packages. This is package is only necessary for the Linksys MR8300. Do not install it for any other device!

badulesia · July 11, 2022, 3:45pm

I have. It's part of the default packages when building.

McGiverGim · July 11, 2022, 5:22pm

I'm using the full wpad-wolfssl and I tested with all the variants without luck... In my case the ax3600 uses the new ath11k.

badulesia · July 11, 2022, 5:59pm

Have you try another channel, 40 or 44 for example ?
On my device I'm using the qca9888 at channel 116.

bluewavenet · July 11, 2022, 6:22pm

A quick way to test if you actually have an encrypted mesh is to set encryption to "none" instead of "sae" just on one meshnode. If you can still use that node after restarting, encryption is not working on any meshnode.

McGiverGim · July 11, 2022, 7:17pm

Good idea. I'm out of home for two weeks. I will try it at my return.

badulesia · July 11, 2022, 7:28pm

I have set encryption to none instead of sae as you suggested in your latest message: the link can't be established. Back to SAE setting, it works back, so the link is really encrypted. But iwinfo still report encryption: none

fcc · July 11, 2022, 8:09pm

Thanks for all the replies!!

I have tried it today again (incl wpad-wolfssl and non ct firmware).
The system still do not show encryption - BUT the mesh network is working. (I did not tried it as i though something is wrong in my router config)
So it is encrypted as the other nodes are showing encryption.

Lets see if this will be fixed in future releases ;

Thanks for all your suggestions!

bluewavenet · July 12, 2022, 8:39am

Ah! So this incorrect reporting by iwinfo only occurs with the MR8300?

timdf911 · July 12, 2022, 8:51am

I have the same issue on my BT HH5a mesh running 22.03.0 rc4 with wpad-mesh-openssl, ie I know I'm using SAE encryption on the mesh but the overview reports that I'm not.

I've been having other more serious problems and put the encryption indication down as a minor bug for later.

fcc · July 12, 2022, 9:23am

Yes - on the other two devices (Archer C7, Cudy AC2100) the encrytion is shown also without connection to another node.

badulesia · July 12, 2022, 9:23am

It seems so for the MR8300, but I can't tell "only" for it

bluewavenet · July 12, 2022, 3:41pm

In the context of the OP yes "only", but of course not for "every other" hardware model...
There will be some common factor for those that do not work though, I am sure.

For those interested in investigating further, I can say, after testing, that iwinfo reports correctly for the following:
gl-inet B1300 (Qualcomm Atheros IPQ4019)
gl-inet MT300n-V2 (Mediatek MT76x8)