Same backup archive for multiple APs

I have three OpenWrt routers configured as access points wired to an edge router X. They all run the same OpenWrt version but one is a tp link archer, another a BThh5 and the third a zyxel armour z2. WiFi networks are configured identically to facilitate fast roaming. I can't see any logical reason why they should not all be configured identically as DHCP clients with static addresses from the edgerouter and use the same backup archive.
Am I correct?

Configuration backup tarballs are not compatible between different devices (even of the same model), as they contain device-specific data (e.g. GPIO/LED configs, SSH keys/SSL host certs, network configuration (CPU ports, switches, etc.) and MAC addresses, and you're in all kinds of trouble if two devices on your network share the same MAC address).


If you have similar hardware, you might get away with it, but generally speaking, it won't work.

MAC addresses are not part of the backup unless you manually configured them for some interfaces. This is at least the case on my TP-Link Archer C7 v2. LED configuration is also not part of the backup unless you manually configured them to do something else. Switch configuration is part of the backup, so you need to make sure the switch and interface layout is the same. I haven't looked at the three devices in question, but I would guess, they are not identical.

Another problem is the wireless configuration. And this is really tricky, because config/wireless actually contains the device path for each radio (like option path 'platform/ahb/18100000.wmac' on my Archer C7 v2 for the 2.4 GHz radio). So, they would need to be identical on all devices, which would be the case if they all are the same model, sometimes even if you have similar models. But I would bet that this is not the case on these three devices mentioned above.

As for certificates: If you use LuCI with SSL encryption, this would be an issue. But they are usually self-signed certificates anyway and I don't think any browser would complain (more than it already does) if they are the same on all devices, so you might ignore that (or just skip LuCI entirely).
And then we're left with SSH: The SSH host keys are supposed to be different for each host. It might work if you use the same on all (and you might have to ignore warnings by your SSH client), but, speaking for myself, I wouldn't do it. I can see two ways to work around this: a) remove dropbear if you don't need SSH or b) exclude the SSH host keys from the backup. dropbear should then recreate them during the boot process. But this means your host key would change after each sysupgrade. For the SSH client keys (authorized_keys), I don't see a problem. You are probably managing your access points from the same computer (or set of computers) anyway, so they can be the same for all access points.

That is not quite correct. While not for all devices, MAC addresses are automatically added to the network configuration for quite a few devices, whenever there is no mechanism to set it directly from the DTS. This happens in particular when there are more complex approaches at play, e.g. MAC addresses derived from uboot-env (nbg6817 from that list). DSA-based configurations are also much more likely to specify MAC addresses as part of the firstboot config; it's very commonly found.

They are, if defined by the board.d firstboot default configuration. While there is a push to express this in the DTS (with smarter parsers), this is still the case on many devices by default.

Indeed, they aren't (number of CPU ports, internal connections, order, swconfig vs dsa).


Interesting. So, I happen to just have a device where MAC addresses and LED configuration don't need to be baked into the configuration files.

I'd assume you could still strip the LED configuration from config/system and your device would continue to work, but since we already established that you would need devices with very similar, if not identical hardware, then LEDs probably won't be an issue.

In any case, the gist is: If you really wanted to use the same backup archive for multiple access points they would have to be the same hardware (more or less) and you need to determine beforehand that the device is one that doesn't need the MAC address(es) in config/network. And then you're left with the caveats regarding SSL and SSH host certificates.
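
The checks discussed in this thread, as an added example that is not part of any post: a Python script that lists the per-device items (SSH host keys, LuCI certificate, MAC addresses, radio paths, LED and switch sections) found in a backup archive before it is reused on another access point. The file paths are the usual OpenWrt locations and are assumptions, the function names are hypothetical, and the sample archive is constructed.

```python
import io
import re
import tarfile

# Per-device items named in the thread. File paths are the usual OpenWrt
# locations and are assumptions; adjust them to your build.
FILE_RULES = [
    (re.compile(r"etc/dropbear/dropbear_.*_host_key$"), "SSH host key"),
    (re.compile(r"etc/uhttpd\.(crt|key)$"), "LuCI SSL certificate/key"),
]
LINE_RULES = {
    "etc/config/network": [(re.compile(r"^\s*option\s+macaddr\b"), "MAC address"),
                           (re.compile(r"^\s*config\s+switch"), "switch layout")],
    "etc/config/wireless": [(re.compile(r"^\s*option\s+path\b"), "radio device path")],
    "etc/config/system": [(re.compile(r"^\s*config\s+led\b"), "LED configuration")],
}

def find_device_specific(fileobj):
    """Return sorted (path, reason) pairs for per-device items in a backup tarball."""
    hits = set()
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            name = member.name.lstrip("./")
            hits.update((name, why) for rx, why in FILE_RULES if rx.search(name))
            if name in LINE_RULES:
                text = tar.extractfile(member).read().decode("utf-8", "replace")
                for line in text.splitlines():
                    hits.update((name, why) for rx, why in LINE_RULES[name] if rx.search(line))
    return sorted(hits)

def build_sample_backup():  # constructed sample archive, not a real device backup
    files = {
        "etc/config/network": b"config device\n\toption name 'eth0'\n\toption macaddr '02:00:00:00:00:01'\n",
        "etc/config/wireless": b"config wifi-device 'radio0'\n\toption path 'platform/ahb/18100000.wmac'\n",
        "etc/dropbear/dropbear_ed25519_host_key": b"constructed-placeholder",
        "etc/dropbear/authorized_keys": b"ssh-ed25519 constructed-placeholder admin\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, body in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(body)
            tar.addfile(info, io.BytesIO(body))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    print(*find_device_specific(build_sample_backup()), sep="\n")
```

To scan a real archive, pass an open file instead of the sample: `find_device_specific(open("backup.tar.gz", "rb"))`, where the file name is a placeholder.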