Secure Mesh Networking GL-AR150

Greetings everyone!

I am very fresh to the forum and just joined because I'm looking to develop a comprehensive and updated guide for configuring a secure (WPA2 or comparable) wireless Mesh network with OpenWRT. I was hoping the community may be able to give this novice some help filling in the gaps.

I've been hammering away at building some sort of setup for the past month utilizing GL-AR150 devices with little luck. I have referenced several guides I've found in both this forum and others, but it seems like they are not as useful anymore due to the deprecation of authsae (maybe I'm missing something, however I keep getting the error [even after updating]: 'opkg_install_cmd: Cannot install package authsae.').

Has anyone had any luck implementing this on the most recent clean OpenWrt build for firmware: openwrt-ar150.3.017? Which packages did you install and what's the best way to set up the interfaces/networks to allow it to run smoothly?

Overall the goals for this project are below:

  1. The Master Node (MN):
    -Access to the internet
    -Access to certain devices in my home network (10.0.x.x/24 range; I would utilize my home network firewall rules to restrict access to things I don't want the mesh to touch)

  2. Remote Master Node (RMN):
    -VPN access to the home network when out of range of the Master Node
    --IE: RMN has VPN client running/connected with assigned IP from my home network of 10.0.50.55. Mesh Node 30 with a reserved attached device IP of 192.168.1.33 is able to access a device on the home network via VPN with IP of 10.0.50.20.

  3. Remote Nodes (RN):
    -Network Layout
    --IE: Node 10 would have a static IP of 192.168.1.10, DHCP range of 11-19
    --Node 20 would have a static IP of 192.168.1.20, DHCP range of 21-29
    -Access to and from any attached device's static reservations from any node in the mesh, with or without the master/remote master node being available in the network.
    --IE: Device at Node 10 with static reservation of 192.168.1.11 can communicate with Device at Node 40 with static reservation of 192.168.1.45 (assuming the mesh architecture figures out the best route to get there)

  4. And finally, the best available encryption between each node

If there is a better way to lay out the network to accomplish the goals above, I'm all ears. I realize what I'm suggesting may not exactly work in this environment and could require some sort of different subnetting at each device.

What are your thoughts?

I don't know if it can help you. I use BATMAN and this is my configuration:

/etc/config/network

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1 bat0.100'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option delegate '0'

config interface 'guest'
        option proto 'static'
        option netmask '255.255.255.0'
        option delegate '0'
        option ipaddr '10.0.0.1'
        option type 'bridge'
        option ifname 'bat0.101'

config interface 'mesh'
        option mtu '2304'
        option proto 'batadv_hardif'
        option master 'bat0'

config interface 'bat0'
        option proto 'batadv'
        option routing_algo 'BATMAN_IV'
        option aggregated_ogms '1'
        option ap_isolation '0'
        option bonding '0'
        option fragmentation '1'
        option gw_mode 'off'
        option log_level '0'
        option orig_interval '1000'
        option bridge_loop_avoidance '1'
        option distributed_arp_table '1'
        option multicast_mode '1'
        option network_coding '0'
        option hop_penalty '30'
        option isolation_mark '0x00000000/0x00000000'

config interface 'vlan1111'
        option type 'bridge'
        option stp '1'
        option ifname 'eth0.1111 bat0.1111'
        option proto 'static'
        option ipaddr '192.168.200.1'
        option netmask '255.255.255.0'
        option delegate '0'

/etc/config/wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0'
        option htmode 'VHT80'
        option legacy_rates '0'
        option country 'AR'

config wifi-iface 'default_radio0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option key 'password'
        option ifname '5G_ap'
        option ssid 'LAG'
        option encryption 'psk2+ccmp'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option path 'platform/ahb/18100000.wmac'
        option noscan '1'
        option legacy_rates '0'
        option htmode 'HT40'
        option country 'AR'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option key 'password'
        option ifname '2G_ap'
        option ssid 'LAG'
        option encryption 'psk2+ccmp'

config wifi-iface 'wifinet2'
        option network 'guest'
        option ifname '2G_ap_guest'
        option ssid 'Invitados'
        option encryption 'psk2+ccmp'
        option device 'radio1'
        option mode 'ap'
        option wps_pushbutton '1'
        option key 'password'

config wifi-iface 'wifinet3'
        option ifname '2G_mesh'
        option network 'mesh'
        option encryption 'sae'
        option device 'radio1'
        option mesh_fwding '0'
        option mesh_id 'Mesh'
        option key 'password'
        option mode 'mesh'
        option mesh_rssi_threshold '0'

The functionality of authsae has been incorporated directly into wpad. However, this is only found in the complete versions of wpad, not the mini or basic versions that are installed by default. For example, wpad-mesh-openssl.

Raw (mesh_fwding = 0) 802.11s as the radio interface for BATMAN is the typical modern mesh. VLANs can be applied to a bat interface with conventional notation i.e. bat0.2. VLANs cannot operate directly on the radio layer.
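As an added example, not code from any poster in this thread: a small POSIX sh/awk check that reads an /etc/config/wireless in the UCI format shown above and reports mesh interfaces not using SAE, APs not on WPA2/WPA3, and short keys. The sample config it audits is constructed here; section names and key values are hypothetical.

```shell
# Constructed sample /etc/config/wireless (hypothetical, not the poster's file).
sample_wireless() {
cat <<'EOF'
config wifi-iface 'default_radio1'
        option mode 'ap'
        option encryption 'psk2+ccmp'
        option key 'Kd8!vp2Qz9mTf4'

config wifi-iface 'wifinet3'
        option mode 'mesh'
        option encryption 'sae'
        option key 'password'

config wifi-iface 'legacy_mesh'
        option mode 'mesh'
        option encryption 'none'

config wifi-iface 'guest_psk'
        option mode 'ap'
        option encryption 'psk'
        option key 'password'
EOF
}

# audit_wireless: read a UCI wireless config on stdin and print one finding
# per line as "<section> <problem>": mesh links must use SAE (the wpad-mesh /
# wpa-supplicant-mesh builds), APs must use WPA2/WPA3 (psk2*/sae*), and any
# key shorter than 12 characters is reported as weak.
audit_wireless() {
    awk -v q="'" '
    function unq(s) { gsub(q, "", s); return s }
    function flush() {
        if (sec != "") {
            e = (enc == "") ? "none" : enc
            if (mode == "mesh" && enc != "sae") print sec " mesh-without-sae enc=" e
            if (mode == "ap" && enc !~ /^(psk2|sae)/) print sec " ap-weak-encryption enc=" e
            if (e != "none" && length(key) < 12) print sec " weak-key"
        }
        sec = ""; mode = ""; enc = ""; key = ""   # reset per section, iface or not
    }
    $1 == "config" { flush(); if ($2 == "wifi-iface") sec = unq($3); next }
    $1 == "option" {
        v = unq($3)
        if ($2 == "mode") mode = v
        else if ($2 == "encryption") enc = v
        else if ($2 == "key") key = v
    }
    END { flush() }'
}
```

Run it against a real router with `audit_wireless < /etc/config/wireless`; keys containing spaces are read only up to the first space by this simple parser.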

I forgot to write the packages that I have installed and they are wpa-supplicant-mesh-openssl and hostapd-openssl.

Awesome, I knew I was missing something. I'll give that a shot and post the results. Any thought on the network layout I proposed? Do you think that could work like that? (Assuming I just kept it flat, no VLANs.)

Was also thinking of trying to use OLSR unless anyone suggests I avoid that and go straight to BATMAN. After talking with some friends I think I'm going to be hard set on getting the "master node" and "remote master node" concept running smoothly. Not sure how exactly I would do that. My initial thought was some sort of WAN failover.

Of course when working remotely in order to VPN back home the "remote" setup has to have a connection to the Internet.