Setting up 802.11s for meshed "dumb APs"

I think you should assign a static IP to LAN so you can vilculate the Mesh network in it. Then disable dnsmasq in the access points so that IP addresses are not distributed and only the master does. Although I do not recommend it because you can not get security in 802.11s, at least in Luci.

I think it just requires you to install wpad-full and then WPA2 can be used on the mesh.

Before you spend any more time trying to get this to work I'd strongly advise checking that your clients support 802.11s

As far as I'm aware it's not particularly well supported and you may be wasting your time.

1 Like

The clients connect to the 2.4GHz regular APs, the APs themselves are what need to speak 802.11s to connect together.

@sami I think you should be able to bridge the AP and the mesh on each AP so that packets received on the AP are delivered to your gateway over the mesh and vice versa

Sorry, I was under the impression your clients also need to understand to 802.11s to be able to authenticate and roam from one AP to another effectively.

The simplest setup is to bridge both the mesh interface and the wifi AP into the lan network at each dumb AP. The dumb APs would not run a DHCP server, all DHCP requests are handled by the main router.

This kind of setup has some issues with scaleability and security, but it is the simplest way to get started and is entirely workable for having a few nodes around a house that are not accessible by the public.

It works much like having the APs connected to the main router by a network of Ethernet cables, except that you can't run VLANs on an 802.11s native mesh. You can run VLANs on a BATMAN mesh and use raw 802.11s as the radio link. This is how most "mesh" commercial products work.

1 Like

I already have wpad installed and it does not work.

See if this discussion or one of the discussions linked there can help you with encryption

I already commented on that thread and it is with the wpad-mesh package, not wpad.

Are you trying to run the mesh point and the AP on the same radio? The suggestion here is running them on different radios. Does that make a difference for you?

I'm just testing the Mesh network. I do not have another interface. Use ath9k in Archer C60.

The encryption "option" settings changed several times in early 2018. I have both key and sae_passphrase in one of my configs, and just sae_passphrase in the other. Build on my mesh-enabled Archer C7 v2 units is from master as of 2018-08-31, with local patches rebased on commit dc9388ac55.

config wifi-iface 'mesh1'
        option device 'radio5'
        option ifname 'mesh1'
        option network 'nwi_mesh1'
        option mode 'mesh'
        option mesh_id '<redacted>'
        option mesh_fwding '0'
        option encryption 'psk2+ccmp'
        # option sae_passphrase '<redacted>' -- not with OpenWrt 18.06, use 'key'
        option key '<redacted>'

Edit: As highlighted by @mjs in Encryption in 802.11s, the current (18.06) option is "key"

1 Like

I did not know that you had to put sae_passphrase. I had sae_password in my configuration. I'm going to try again.

Thanks guys, I've bridged the mesh and client AP to the LAN network on each AP and it seems to be working a treat. (Can send configs if anyone is interested in them).

I'm running unsecured at the moment so will try to add some encryption to the link - might be back with questions at some stage!

Also, was wondering if it would be possible to have multiple WAN connections in this configuration? IE: if two APs in the mesh have their own WAN connections? Will clients that are connected to arbitrary APs in the mesh be smart enough to figure out which WAN enabled AP they should route traffic to?


Doing that is simple. The tricky thing is to have security in the mesh link.

Seemed to be fairly straight-forward to me :man_shrugging:

Unless I'm missing something, all I needed to do was install wpad-mesh rather than wpad-mini, and add option encryption 'psk2+ccmp' and option sae_passphrase '<password> to the wireless config of my mesh.

Seems to be secure now, afaik (both my laptop and my phone can see the network and see that it has wpa2-ps-ccmp).

You did not know the easiest. Now I want to see you trying to establish a link of two routers with 802.11s and with cefrado or encryption, or whatever you call it.

How to verify that WPA2 + PSK2 + CCMP is being used?

I have configured it as jeff and according to WiFi Analyzer and WirelessNetView in Windows 10 the security of WEP is changed to WPA2 or vice versa every few seconds.

In another router with OpenWRT when scanning the available networks shows as open in Encryption.

Can you please show us your config? Thank you in advance.

Is wpad-full a package or is it to indicate the wpad package? Is it in stable OpenWRT or Snapshots?

Yeah it's just wpad which has everything including mesh I think.