Setting up authenticated mesh with wpad-mesh

Indeed, aside from iw and iwinfo (only in master), barely any wireless tools (or smartphone scanners) can detect WPA3 reliably.

You are both right, I checked it on the devices themselves with "iwinfo phy0 scan" and it's showing me "Encryption: WPA3 SAE (CCMP)" on the Mesh.

Do you have any tool recommendation or a better way to check this in the future?

Sadly, at the moment, I only know about iw (for all linux systems) and very recent iwinfo for OpenWrt. While I haven't checked 'every' wifi scanner for android, none of the ones I use can identify WPA3 so far.

A bit off-topic: How can I check if the clients are using it? Because even my Android 9 device seems to report it wrong.

Edit: nvm, looks like WPA3 SAE is only fully supported under Android 10.

I only know of two options: first, trying to find the generated wpa_supplicant.conf file (this won't work on android, at least not easily or without rooting the device); the other would be to (temporarily) configure your AP to accept WPA3/ SAE only and to make ieee80211w mandatory (2), without a fallback for WPA2.

While I am running android 9 on one of my android devices, its kernel is too old (>= v3.8.x is required) for it to actually function, so I haven't been able to actually test it with android yet. The situation on (recent) desktop linux is better, as long as you have a recent wpa_supplicant (>= v2.7, better >= v2.8), but especially older WLAN hardware (e.g. ipw2200, rt61pci/ rt73usb) will fall hard over the IEEE 802.11w requirement there as well (ath5k, ath9k (other than owl/ sowl draft-n chipsets) and ath10k are fine).

Well, my OnePlus One is running LineageOS with a 3.4.x kernel. That explains it. And by the description, well, it looks like I probably need a newer WLAN card in my Thinkpad. I'm realising now how hard it will affect devices once WPA2 becomes completely deprecated.

Client compatibility (especially with IEEE 802.11w) will remain quite an issue for several years to come, also for Windows.

I tested mesh encryption with psk2/aes; it seems like all works fine, but there is a weird behavior after a node was rebooted. It may take too much time to associate with each other, from 5 minutes to infinity.

I see it with the station dump, when the nodes stay BLOCKED for a long time.

iw dev wlan0 station dump

So for now I apply a rough hack: just delete all BLOCKED stations.

#!/bin/sh
# Rough hack: drop every mesh peer whose plink state is BLOCKED so that
# wpa_supplicant re-runs the peering handshake (started by cron every minute).

mesh_iface=wlan0

# "iw station dump" prints a "Station <mac> (on <iface>)" header for each peer
# followed by its attributes, one of which is "mesh plink: BLOCKED"; remember
# the MAC of the current block and print it when its plink line says BLOCKED.
blocked_nodes=$(iw dev "$mesh_iface" station dump \
	| awk '/^Station /{mac=$2} /mesh plink:/ && $NF=="BLOCKED"{print mac}')

for mac in $blocked_nodes
do
	iw dev "$mesh_iface" station del "$mac"
done

That script is started by cron every minute on each station, and it really helps to reduce the problem.

So, is there a more proper method to resolve that?
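An added example (not the poster's script and not OpenWrt's own code) of a less rough version of the same idea: parse the station dump peer by peer and only reset peers that have stayed BLOCKED for a minimum age, so a cron job does not tear down peers that are still in the middle of peering. The "mesh plink" and "connected time" attribute names and the dump layout are assumed from real `iw station dump` output; the sample dump and its MACs are constructed.

```shell
#!/bin/sh
# Added example (not the poster's script): parse "iw dev <iface> station dump"
# output and reset only those mesh peers that have stayed BLOCKED for a while,
# so a cron job does not tear down peers that are still in the middle of
# peering. SAMPLE_DUMP is constructed to mimic iw's layout; the MACs are fake.

SAMPLE_DUMP='Station 02:00:00:00:01:01 (on wlan0)
	inactive time:	40 ms
	mesh llid:	12345
	mesh plid:	54321
	mesh plink:	ESTAB
	connected time:	3600 seconds
Station 02:00:00:00:02:02 (on wlan0)
	inactive time:	900000 ms
	mesh llid:	2222
	mesh plid:	0
	mesh plink:	BLOCKED
	connected time:	420 seconds
Station 02:00:00:00:03:03 (on wlan0)
	inactive time:	3000 ms
	mesh plink:	BLOCKED
	connected time:	12 seconds'

# blocked_peers DUMP MIN_AGE: print the MAC of every peer whose plink state is
# BLOCKED and whose station entry is at least MIN_AGE seconds old.
blocked_peers() {
	printf '%s\n' "$1" | awk -v min_age="$2" '
		function flush() {
			if (mac != "" && blocked && age + 0 >= min_age + 0) print mac
			mac = ""
		}
		/^Station /       { flush(); mac = $2; blocked = 0; age = 0 }
		/mesh plink:/     { blocked = ($NF == "BLOCKED") }
		/connected time:/ { age = $(NF - 1) }
		END               { flush() }'
}

# reset_blocked_peers IFACE MIN_AGE: delete the stuck peers so wpa_supplicant
# re-runs mesh peering. Only prints what it would do unless DO_IT=1 is set.
reset_blocked_peers() {
	iface=$1
	blocked_peers "$(iw dev "$iface" station dump)" "$2" | while read -r mac; do
		if [ "${DO_IT:-0}" = 1 ]; then
			iw dev "$iface" station del "$mac"
		else
			echo "would delete $mac on $iface"
		fi
	done
}
```

Run `reset_blocked_peers wlan0 60` from cron to see which peers would be reset, and set `DO_IT=1` once the minimum age fits your network.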

Did you try psk2+ccmp?

Yes, now I use that.
But does it really matter? Because I see SAE in the wpa_supplicant configuration file in any case.

cat /var/run/wpa_supplicant-wlan0.conf

country=US
network={
	
	ssid="<mesh_id>"
	key_mgmt=SAE
	mode=5
	mesh_fwding=0
	fixed_freq=1
	frequency=2437
	ht40=1
	max_oper_chwidth=0
	noscan=1
	sae_password="<password>"
	beacon_int=100
}

And yet, nohwcrypt=1 improves the situation a little bit:

cat /etc/modules.d/ath9k 
ath9k nohwcrypt=1

I saw that in encryption mode nodes sometimes choose a non-optimal route; for example, the node with signal -70 dBm appears preferable to the node with -55 dBm. However, that is what the BMX6 routing table shows, so it may also be a problem with BMX6. Anyway, it happens when encryption is enabled.

I will try to resolve the last problem with the option mesh_rssi_threshold.

Which routers are you using? Are you running mesh and access point at the same time or not?

I use TP-Link TL-WR841 (various versions) with 8Mb flash and CPE-210 v2. Yes, I am running AP+MESH on some routers which are indoor.

There is a performance drop, particularly when running mesh and AP on the same radio concurrently.

Just compare results for

batctl tp another-mesh-node-mac

Also I have seen most only reach up to 37-40 Mbps.

I tried BMX7 also but now run with just batman-adv.

I use various.

Latest cheap hacked device is the Aruba AP-105 (used @ $3.39 each):

1 Gbps PoE, 300 Mbps dual radio, 128MB RAM, 16MB flash.

I have made my own mesh firmware builds and get up to 104 Mbps mesh throughput un-encrypted.

Run only a mesh on the one radio and AP on the other.

I am ready to admit a performance drop, but it is rather like jamming for a few minutes, when all packets are dropped. I replaced that node (TP-Link 841v9) with a generic AP-147-010 board (with 128Mb RAM) that I had, and now it more or less works fine, for now...

So, it seems encryption wants more RAM; AP+encrypted MESH wants more than 32Mb.

32 MB can work for minimal router/AP functions, but may repeatedly “crash”, depending on your hardware and use case.

Archer C7v2, ath79, ath10k (non-CT) drivers and firmware, running as a WPA2/SAE 802.11s/batman-adv mesh participant and AP only:

jeff@garage:~$ free
              total        used        free      shared  buff/cache   available
Mem:         123212       21680       75312         108       26220       63796
Swap:             0           0           0

# free
             total       used       free     shared    buffers     cached
Mem:        125264      28868      96396        332       2480       9188
-/+ buffers/cache:      17200     108064
Swap:            0          0          0

I've tried to stop uhttpd, netserver, sysntpd, munin-node(socat), odhcpd, gwck:

# free 
             total       used       free     shared    buffers     cached
Mem:        125264      27576      97688        320       2480       9236
-/+ buffers/cache:      15860     109404
Swap:            0          0          0

It appears BMX6 is a heavy daemon.

I've gone back to un-encrypted MESH. After a week of testing I found out that the bandwidth is about 13Mbit/s versus 35Mbit/s (from my point of view). Besides, the stability of the network decreased in encryption mode.

Thus, I applied that trick for 802.11s, which helps me to prevent uninvited guests from joining.

It's just my experience: let end-user programs take care of the encryption functions.

It's very strange. I'm using mesh on 2x C2600 and get ~300mbit throughput on 5GHz. But well, I'm not using batman-adv yet. A bit off-topic: Do you have any information about the status of bonding with wifi interfaces? As far as I know, batman can't really process the available throughput on wifi interfaces. My idea is to combine both 2.4 and 5GHz mesh for maximum capacity.

There are some features in batman-adv to use multiple links. I haven’t looked into them in detail as if you’re using 2.4 GHz for client access, you run into the “repeater effect” which generally at least halves the available bandwidth. (Also on 5 GHz, but I selected a triple-radio device for my mesh.)

Indeed, I'm planning to use the 2x C2600 only for mesh.