Setting up authenticated mesh with wpad-mesh

# cat /etc/openwrt_release 
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='18.06.0'
DISTRIB_REVISION='r7188-b0b5c64c22'
DISTRIB_TARGET='ar71xx/generic'
DISTRIB_ARCH='mips_24kc'
DISTRIB_DESCRIPTION='OpenWrt 18.06.0 r7188-b0b5c64c22'
DISTRIB_TAINTS=''

Is it the proper version? I use it on a CPE210-V2.

18.06.4 is the latest release.

I've tried with 18.06.4 again and it fails:

Wed Sep  4 22:32:11 2019 daemon.notice netifd: Interface 'wlan0_12_ad' is now down
Wed Sep  4 22:32:11 2019 daemon.err bmx6[1106]: WARN  dev_deactivate(): deactivating dev=wlan0_12 llocal=fe80::a2f3:c1ff:fe72:8e97 global=fd66:66:66:17:a2f3:c1ff:fe72:8e97
Wed Sep  4 22:32:11 2019 daemon.notice netifd: Interface 'wlan0_12_ad' is disabled
Wed Sep  4 22:32:11 2019 daemon.notice netifd: Network alias '' link is down
Wed Sep  4 22:32:11 2019 daemon.notice netifd: Interface 'mesh_w0' is now down
Wed Sep  4 22:32:11 2019 daemon.err bmx6[1106]: ERROR rtnl_rcv(): ROUTE_HNA error=No such process
Wed Sep  4 22:32:11 2019 daemon.notice netifd: Interface 'mesh_w0' is disabled
Wed Sep  4 22:32:11 2019 daemon.notice netifd: Interface 'mesh_w0' has link connectivity loss
Wed Sep  4 22:32:11 2019 daemon.err bmx6[1106]: ERROR rtnl_rcv(): ROUTE_HNA error=No such process
Wed Sep  4 22:32:11 2019 daemon.err bmx6[1106]: ERROR rtnl_rcv(): ADDRESS_SET error=No such device
Wed Sep  4 22:32:11 2019 daemon.notice netifd: 8021q 'wlan0_12' link is down
Wed Sep  4 22:32:11 2019 daemon.notice netifd: Interface 'wlan0_12_ad' has link connectivity loss
Wed Sep  4 22:32:12 2019 user.notice mac80211: Failed command: iw phy phy0 set antenna all all
Wed Sep  4 22:32:12 2019 kern.info kernel: [  732.176349] IPv6: ADDRCONF(NETDEV_UP): wlan0: link is not ready
Wed Sep  4 22:32:13 2019 daemon.notice netifd: radio0 (6973): Successfully initialized wpa_supplicant
Wed Sep  4 22:32:14 2019 daemon.notice netifd: radio0 (6973): command failed: Link has been severed (-67)
Wed Sep  4 22:32:14 2019 user.notice mac80211: Failed command: iw dev wlan0 set mesh_param mesh_fwding 0
Wed Sep  4 22:32:14 2019 daemon.notice netifd: Interface 'mesh_w0' is enabled
Wed Sep  4 22:32:14 2019 daemon.notice netifd: Interface 'mesh_w0' is setting up now
Wed Sep  4 22:32:14 2019 kern.info kernel: [  733.677549] IPv6: ADDRCONF(NETDEV_UP): wlan0_12: link is not ready
Wed Sep  4 22:32:14 2019 daemon.err bmx6[1106]: INFO  dev_if_fix(): Autoconfiguring dev=wlan0_12 idx=25 ip=fd66:66:66:19:a2f3:c1ff:fe72:8e97/64
Wed Sep  4 22:32:14 2019 daemon.notice netifd: Interface 'wlan0_12_ad' is enabled
Wed Sep  4 22:32:14 2019 daemon.notice netifd: Interface 'mesh_w0' is now up
Wed Sep  4 22:32:14 2019 daemon.err bmx6[1106]: WARN  dev_if_fix(): No link-local IP for dev=wlan0_12 !

That's the last thing I see before the soft watchdog reboots the device when it freezes. It happens on CPE210-V2:

config wifi-device 'radio0'
	option type 'mac80211'
	option macaddr 'deleted'
	option channel '6'
	option country 'US'
	option hwmode '11ng'
	option htmode 'HT40+'
	option txpower '20'
	option noscan '1'
	option distance '300'
	option disabled '0'
	list ht_capab 'SHORT-GI-40'
	list ht_capab 'RX-STBC1'
	list ht_capab 'DSSS_CCK-40'

config wifi-iface 'wlan0'
	option device 'radio0'
	option mode 'mesh'
	option mesh_id 'MyMesh'
	option network 'mesh_w0'
	option ifname 'wlan0'
	option mesh_fwding '0'
	option encryption 'psk2/aes'
	option key 'MyPassword'

# cat /etc/openwrt_release 
DISTRIB_ID='OpenWrt'
DISTRIB_RELEASE='18.06.4'
DISTRIB_REVISION='r7808-ef686b7292'
DISTRIB_TARGET='ar71xx/generic'
DISTRIB_ARCH='mips_24kc'
DISTRIB_DESCRIPTION='OpenWrt 18.06.4 r7808-ef686b7292'
DISTRIB_TAINTS=''

I confirm it works on TP-LINK WR841-V9 (with 8 MB flash and the latest OpenWrt), but only in mesh mode without an AP. Otherwise the mesh interface crashes on start.

Sun Sep  8 13:11:13 2019 daemon.notice netifd: radio0 (29764): Line 6: invalid key_mgmt 'SAE'
Sun Sep  8 13:11:13 2019 daemon.notice netifd: radio0 (29764): Line 6: no key_mgmt values configured.
Sun Sep  8 13:11:13 2019 daemon.notice netifd: radio0 (29764): Line 6: failed to parse key_mgmt 'SAE'.
Sun Sep  8 13:11:13 2019 daemon.notice netifd: radio0 (29764): Line 7: too large mode (value=5 max_value=4)
Sun Sep  8 13:11:13 2019 daemon.notice netifd: radio0 (29764): Line 7: failed to parse mode '5'.
Sun Sep  8 13:11:13 2019 daemon.notice netifd: radio0 (29764): Line 8: unknown network field 'mesh_fwding'.
Sun Sep  8 13:11:13 2019 daemon.notice netifd: radio0 (29764): Line 16: failed to parse network block.

Oh God, I forgot to install wpad-mesh on the node with the AP :blush:
It really works on WR841-V9, I will test it.

I got it recently working with the newest snapshot on my 2x Archer C2600, fully encrypted, together with APs on 5 GHz. You only need wpad-mesh-openssl and to bridge the mesh (with option mesh_fwding '1') into your LAN. Meanwhile my APs are running with WPA3/WPA2 mixed.

Oh well: you can only use channels 36-48 on 5 GHz for 802.11s.

Beware: LuCI in the snapshot is a bit buggy as of today, so you should set this up manually.

Here is my config:

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11a'
	option path 'soc/1b500000.pci/pci0000:00/0000:00:00.0/0000:01:00.0'
	option htmode 'VHT80'
	option country 'DE'
	option txpower '23'
	option channel '48'

config wifi-iface 'mesh'
	option device 'radio0'
	option network 'lan'
	option mode 'mesh'
	option mesh_id 'yourmeshid'
	option mesh_fwding '1'
	option key 'yourpw'
	option mesh_rssi_threshold '0'
	option encryption 'sae'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'soc/1b700000.pci/pci0001:00/0001:00:00.0/0001:01:00.0'
	option htmode 'HT40'
	option txpower '20'
	option country 'DE'
	option legacy_rates '0'
	option channel '13'

config wifi-iface 'wifinet1'
	option device 'radio0'
	option key 'yourpw'
	option network 'lan'
	option mode 'ap'
	option ssid 'yourssid'
	option encryption 'sae-mixed'
	option ieee80211w '1'

config wifi-iface 'wifinet2'
	option encryption 'sae-mixed'
	option device 'radio1'
	option key 'yourpw'
	option network 'lan'
	option mode 'ap'
	option ssid 'yourssid'
	option ieee80211w '1'

Edit 1: Checked WPA3 on Mesh again. It's really working! Deleted the wrong assumption of WPA2 fallback.
Edit 2: Added option ieee80211w '1' on both APs since it's a requirement for WPA3, but only optional for WPA2 because of compatibility.

It might be an "illusion" of how the utilities report it. As far as I know, 802.11s should report "SAE" or the like for authentication.


Indeed, aside from iw and iwinfo (only in master), barely any wireless tools (or smartphone scanners) can detect WPA3 reliably.


You are both right, I checked it on the devices themselves with "iwinfo phy0 scan" and it's showing me "Encryption: WPA3 SAE (CCMP)" on the Mesh.

Do you have any tool recommendation or a better way to check this in the future?

Sadly, at the moment, I only know about iw (for all linux systems) and very recent iwinfo for OpenWrt. While I haven't checked 'every' wifi scanner for android, none of the ones I use can identify WPA3 so far.

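Since iw is the one client-side tool in the thread that actually shows the AKM suites, here is an added example (not code from the thread or from OpenWrt) that turns the text of `iw dev <iface> scan` into one line per BSS, saying whether it is WPA2-PSK, WPA3-SAE, a WPA2/WPA3 transition network, legacy (Privacy bit but no RSN IE) or open, and whether PMF (MFP) is required. It assumes the iw scan output shape (a "BSS" header line, "SSID:"/"MESH ID:" lines, and an "RSN:" block with "Authentication suites:" and "Capabilities:"); the scan listing embedded below is constructed for the offline demo, not a real capture. Only busybox-compatible sh and awk are used, so it runs on the router itself.

```shell
#!/bin/sh
# Added example: classify the security of every BSS in `iw dev <iface> scan`
# output from its RSN AKM suites. Not code from the OpenWrt thread; the scan
# text format (BSS header, SSID:/MESH ID: lines, RSN block) is assumed from iw.

classify_scan() {
	awk '
	function flush() {
		if (bss == "") return
		if (akm == "")                        cls = (priv ? "LEGACY-NO-RSN" : "OPEN")
		else if (akm ~ /SAE/ && akm ~ /PSK/)  cls = "WPA2/WPA3-TRANSITION"
		else if (akm ~ /SAE/)                 cls = (mfp == "required" ? "WPA3-SAE" : "WPA3-SAE-NO-PMF")
		else if (akm ~ /PSK/)                 cls = "WPA2-PSK"
		else                                  cls = "OTHER"
		n = (name == "" ? "<hidden>" : name)
		a = (akm == "" ? "-" : akm)
		printf "%s %s %s akm=%s mfp=%s\n", bss, n, cls, a, mfp
	}
	# A "BSS <mac>(on <iface>)" line starts a new block: report the previous one first.
	/^BSS / { flush(); bss = $2; sub(/\(.*/, "", bss); name = ""; akm = ""; mfp = "none"; priv = 0; in_rsn = 0; next }
	# Items inside an IE block are indented and start with "*"; any other line ends the RSN block.
	!/^[ \t]+\*/ { in_rsn = 0 }
	/^[ \t]+RSN:/ { in_rsn = 1 }
	/^[ \t]+capability:/ { priv = ($0 ~ /Privacy/); next }
	/^[ \t]+(SSID|MESH ID): / { sub(/^[ \t]+(SSID|MESH ID): /, ""); name = $0; next }
	# Only trust AKMs from the RSN IE; the WPA (v1) IE prints the same heading.
	in_rsn && /Authentication suites:/ { sub(/.*Authentication suites:[ \t]*/, ""); sub(/[ \t]+$/, ""); akm = $0; next }
	in_rsn && /Capabilities:.*MFP-required/ { mfp = "required"; next }
	in_rsn && /Capabilities:.*MFP-capable/  { mfp = "capable"; next }
	END { flush() }
	'
}

# Live use on a node (root, interface up): scan_and_classify wlan0
scan_and_classify() {
	iw dev "$1" scan | classify_scan
}

# Constructed sample (not a real capture) in the shape iw prints: an SAE mesh,
# an AP in sae-mixed (transition) mode, a WPA1-only AP and an open AP.
SAMPLE_SCAN='BSS 02:aa:bb:cc:dd:01(on wlan0)
	freq: 5240
	capability: Privacy (0x0010)
	signal: -55.00 dBm
	RSN:	 * Version: 1
		 * Group cipher: CCMP
		 * Pairwise ciphers: CCMP
		 * Authentication suites: SAE
		 * Capabilities: 16-PTKSA-RC 1-GTKSA-RC MFP-required MFP-capable (0x00cc)
	MESH ID: MyMesh
BSS 02:aa:bb:cc:dd:02(on wlan0)
	freq: 2437
	capability: ESS Privacy (0x0011)
	SSID: yourssid
	RSN:	 * Version: 1
		 * Group cipher: CCMP
		 * Pairwise ciphers: CCMP
		 * Authentication suites: PSK SAE
		 * Capabilities: 16-PTKSA-RC 1-GTKSA-RC MFP-capable (0x008c)
BSS 02:aa:bb:cc:dd:03(on wlan0)
	freq: 2412
	capability: ESS Privacy (0x0011)
	SSID: legacy
	WPA:	 * Version: 1
		 * Group cipher: TKIP
		 * Pairwise ciphers: TKIP
		 * Authentication suites: PSK
BSS 02:aa:bb:cc:dd:04(on wlan0)
	freq: 2462
	capability: ESS (0x0001)
	SSID: cafe'

# Offline demo on the constructed sample
printf '%s\n' "$SAMPLE_SCAN" | classify_scan
```

A mesh BSS reported as akm=SAE with mfp=required is what a correctly configured wpad-mesh SAE mesh looks like from the outside; akm=PSK SAE is an AP in sae-mixed mode, which still accepts WPA2 clients, so a scanner that only reports "WPA2" for it is not wrong, just incomplete.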

A bit off-topic: how can I check if the clients are using it? Because even my Android 9 device seems to report it wrong.

Edit: nvm, looks like WPA3 SAE is only fully supported under Android 10.

I only know of two options: first, trying to find the generated wpa_supplicant.conf file (this won't work on Android, at least not easily or without rooting the device); the other would be to (temporarily) configure your AP to accept WPA3/SAE only and to make ieee80211w mandatory (2), without a fallback for WPA2.

While I am running android 9 on one of my android devices, its kernel is too old (>= v3.8.x is required) for it to actually function, so I haven't been able to actually test it with android yet. The situation on (recent) desktop linux is better, as long as you have a recent wpa_supplicant (>= v2.7, better >= v2.8), but especially older WLAN hardware (e.g. ipw2200, rt61pci/ rt73usb) will fall hard over the IEEE 802.11w requirement there as well (ath5k, ath9k (other than owl/ sowl draft-n chipsets) and ath10k are fine).


Well, my OnePlus One is running LineageOS with a 3.4.x kernel. That explains it. And by that description, it looks like I probably need a newer WLAN card in my Thinkpad. I'm realising now how hard it will affect devices once WPA2 becomes completely deprecated.

Client compatibility (especially with IEEE 802.11w) will remain quite an issue for several years to come, also for Windows.

I tested mesh encryption with psk2/aes; it seems like all works fine, but there is a weird behavior after a node was rebooted. It may take too much time for the nodes to associate with each other, from 5 minutes to infinity.

I see it with station dump, where the nodes stay BLOCKED for a long time.

iw dev wlan0 station dump

So for now I apply a rough hack: just delete all BLOCKED stations.

#!/bin/sh
# Delete every mesh peer whose plink state is BLOCKED so that peering restarts.
# The station dump is walked with awk rather than "grep -B 15", which silently
# misses peers when iw prints more than 15 lines between the "Station" header
# and the "mesh plink" line.

mesh_iface=wlan0

blocked_nodes=$(iw dev "$mesh_iface" station dump | awk '
	/^Station / { mac = $2 }                  # remember the MAC of the current block
	/mesh plink:/ && /BLOCKED/ { print mac }  # emit it if that block is BLOCKED
')

for mac in $blocked_nodes
do
	iw dev "$mesh_iface" station del "$mac"
done

That script is started by cron every minute on each node, and it really helps to reduce the problem.

So, is there a more proper method to resolve that?

Did you try psk2+ccmp?

Yes, now I use that.
But does it really mean anything? Because I see SAE in the wpa_supplicant configuration file in any case.

cat /var/run/wpa_supplicant-wlan0.conf

country=US
network={
	
	ssid="<mesh_id>"
	key_mgmt=SAE
	mode=5
	mesh_fwding=0
	fixed_freq=1
	frequency=2437
	ht40=1
	max_oper_chwidth=0
	noscan=1
	sae_password="<password>"
	beacon_int=100
}

And also, nohwcrypt=1 improves the situation a little bit:

cat /etc/modules.d/ath9k 
ath9k nohwcrypt=1

I saw that in encryption mode nodes sometimes choose a non-optimal route; for example, the node with a signal of -70 dBm appears more preferable than the node with -55 dBm. However, that is what the BMX6 routing table shows, so it may also be a problem with BMX6. Anyway, it happens when encryption is enabled.

I will try to resolve last problem with option mesh_rssi_threshold

Which routers are you using? Are you running mesh and access point at the same time or not?

I use TP-Link TL-WR841 (various versions) with 8 MB flash and CPE210 v2. Yes, I am running AP+MESH on some routers that are indoors.


There is a performance drop, particularly when running mesh and AP on the same radio concurrently.

Just compare results for

batctl tp another-mesh-node-mac

Also, I have seen most only reach up to 37-40 Mbps.

I tried BMX7 also, but now run without it, just batman-adv.

I use various routers.

The latest cheap hacked device is the Aruba AP-105 (used @ $3.39 each):

1 Gbps PoE, 300 Mbps dual radio, 128 MB RAM, 16 MB flash.

I have made my own mesh firmware builds and get up to 104 Mbps mesh throughput unencrypted.

Run only a mesh on one radio and the AP on the other.
