Setting up mesh11sd on OpenWRT One

Hi,
What am I doing wrong? I want to replace my 3 node TP-Link M9+ mesh network (using WiFi backhaul) with 3 x OpenWRT One. So far I can get 1 OpenWRT One working with WAN connection (PPPoE to my ISP), WiFi & LAN port, but when I add configuration for mesh11sd then reboot I lose the WiFi networks (nothing seen in "WiFi Analyzer" android app on my phone) and lose the LAN connection too.

I'm trying to follow https://github.com/openNDS/mesh11sd/?tab=readme-ov-file#41-rapid-deployment-firmware-flash

When I include the package px-5g-mbedtls in the firmware builder https://firmware-selector.openwrt.org/?version=24.10.0&target=mediatek%2Ffilogic&id=openwrt_one I get an error:
opkg_install_cmd: Cannot install package px-5g-mbedtls
so I'm leaving that out, adding the minus to -wpad-basic-mbedtls and adding wpad-mbedtls kmod-nft-bridge ip-full vxlan mesh11sd, so my packages are:

base-files ca-bundle dnsmasq dropbear firewall4 fitblk fstools kmod-crypto-hw-safexcel kmod-gpio-button-hotplug kmod-leds-gpio kmod-nft-offload kmod-phy-aquantia libc libgcc libustream-mbedtls logd mtd netifd nftables odhcp6c odhcpd-ipv6only opkg ppp ppp-mod-pppoe procd-ujail uboot-envtools uci uclient-fetch urandom-seed urngd -wpad-basic-mbedtls kmod-mt7915e kmod-mt7981-firmware mt7981-wo-firmware kmod-rtc-pcf8563 kmod-usb3 kmod-nvme kmod-phy-airoha-en8811h wpad-mbedtls kmod-nft-bridge ip-full vxlan mesh11sd luci

Setting up my WAN connection and WiFi is done with this "Script to run on first boot (uci-defaults)":

uci set network.wan.proto='pppoe'
uci set network.wan.username='xxxx'
uci set network.wan.password='xxxx'
uci set network.wan.ipv6='auto'

uci set network.lan.ipaddr='192.168.1.1'
uci commit network

uci set wireless.radio0.country='AU'
uci set wireless.radio0.disabled='0'
uci set wireless.default_radio0.network='lan'
uci set wireless.default_radio0.mode='ap'
uci set wireless.default_radio0.ssid='iota-lan-2.4g'
uci set wireless.default_radio0.encryption='sae'
uci set wireless.default_radio0.key='xxxx'

uci set wireless.radio1.country='AU'
uci set wireless.radio1.disabled='0'
uci set wireless.default_radio1.network='lan'
uci set wireless.default_radio1.mode='ap'
uci set wireless.default_radio1.ssid='iota-lan'
uci set wireless.default_radio1.encryption='sae'
uci set wireless.default_radio1.key='xxxx'
uci commit wireless

uci set dropbear.main=dropbear
uci set dropbear.main.enable='1'
uci set dropbear.main.PasswordAuth='on'
uci set dropbear.main.Port='22'
uci set dropbear.main.Interface='lan'
uci commit dropbear

rootpassword='xxxx'
/bin/passwd root << EOF
$rootpassword
$rootpassword
EOF

That works fine. Now I ssh to the router and run these commands:

uci set mesh11sd.setup.auto_config='1'
uci set mesh11sd.setup.country='AU'   
uci set mesh11sd.setup.auto_mesh_id='IotaMesh'
uci set mesh11sd.setup.mesh_gate_encryption='1'
uci set mesh11sd.setup.mesh_gate_key='xxxx'
# uci set mesh11sd.setup.auto_mesh_band='5g'
uci set mesh11sd.setup.mesh_gate_base_ssid='iota-mesh'
# uci set mesh11sd.setup.ssid_suffix_enable='0'
uci commit mesh11sd

At this stage it still works as before, but after a reboot I lose WiFi and LAN access as I said at the top.

The package name is px5g-mbedtls, typo in instructions or the name of the package has evolved ;-). I was instructed to stop the mesh11sd before issuing uci commands.

You seem to have glanced briefly at the documentation in the link but have not read it in any detail unfortunately.
Yes there was a typo in the name of one of the other packages to install, the correct name is px5g-mbedtls as stated by @mattimat
FYI This typo was corrected a couple of days ago.

The documentation clearly states that the uci-defaults should contain the following:

uci set mesh11sd.setup.auto_config='1' # Note: Set to 0 for Confidence Testing
uci set mesh11sd.setup.auto_mesh_id='MyMeshID'
uci set mesh11sd.setup.mesh_gate_base_ssid='MyNetwork'
uci set mesh11sd.setup.mesh_gate_encryption='1'
uci set mesh11sd.setup.mesh_gate_key='MyWifiCode'
uci commit mesh11sd
uci commit network
rootpassword="myrootpassword"
/bin/passwd root << EOF
$rootpassword
$rootpassword
EOF

The meanings of the uci commands are detailed in the Setup Options section:

It does NOT tell you to set up lots of detail configs in network and wireless.
The wan settings are ok as these do not have anything to to with setting up the mesh.

Where does the documentation tell you to do this?

I strongly suggest you go back and generate a new Rapid Deployment flash image, this time following the instructions.

Once you have it working, you can go back again and add all the complexities and details you want, most of which are done in the mesh11sd config.

There is one big problem though. Currently there is an issue with the OpenWrt build system that is failing to backport the latest version of mesh11sd to 24.10 packages, assuming that is that you are running 24.10.0.

For now you will have to either use snapshot or download the mesh11sd v5.0.1 ipk from github.
Here:

You will have to install this manually on 24.10.0 for now unfortunately.

Let me know how you want to continue and I can talk you through it.

Thanks @mattimat for 2 useful bits of info not in the docs at the time of my post.

Thanks @bluewavenet for your generous offer to help. I realise this takes time and effort and it is appreciated. I find some of your comments to be unkind, unnecessary and contrary to the community guidelines. I'm not taking it personally as I've read the same from you to other new users, but I do hope it stops.

Ok, back to the topic. You have provided the following useful info that was not in the docs:

1. px-5g-mbedtls changed to px5g-mbedtls
2. WAN port config "is ok" to be added to the uci-defaults
3. the LAN/wireless configuration should only be adjusted after the basic mesh is working
4. "most" of the LAN configuration is done in the mesh11sd config
5. mesh11sd won't currently work with 24.10.0 on the OpenWRT build system

I will try using the latest snapshot and be back if I need more help.

With the default "portal_detect=1" a node determines whether it is the "portal" node by attempting an upstream WAN connection. It only runs DHCP if this is successful. So in point 2 above, I believe it is essential (and not just "ok") to have my PPPoE WAN config when first trying mesh11sd.

This is the major inclarity to me too: " "most" of the LAN configuration is done in the mesh11sd config"

All of the basic wireless config should be done in the mesh11sd config.
It can be done in the uci-defaults of course.

Hang on, would it not be best to go full SNAPSHOT then?
@neilbacon is unlikely to want Luci on all of the deployed Openwrt Ones, just the gateway running PPPoE and DHCP and DNS.

As you "read" the documentation but failed to notice the bold/italic warning in the first paragraph:

Please read this entire document before installing the mesh11sd package!

then did a skim over the rest, my comment is justified.
It was not intended to be unkind, it was just a statement of what must have happened.

Clearly, you consider answering your question:

as "contrary to community guidelines".

Nevertheless I am quite willing to help, but please try not to be hurt if you find you have not done something properly. Remember, documentation is hard and constructive feedback on it is always beneficial.

Yes, but not strictly necessary.

A quick, but maybe dumb question regarding the script to run on first boot:

uci set mesh11sd.setup.auto_config='1' # Note: Set to 0 for Confidence Testing
uci set mesh11sd.setup.auto_mesh_id='MyMeshID'
uci set mesh11sd.setup.mesh_gate_base_ssid='MyNetwork'
uci set mesh11sd.setup.mesh_gate_encryption='1'
uci set mesh11sd.setup.mesh_gate_key='MyWifiCode'
uci commit mesh11sd
uci commit network
rootpassword="myrootpassword"
/bin/passwd root << EOF
$rootpassword
$rootpassword
EOF

In the documentation, you mention that the luci wireless configuration can't include everything needed to set this up completely and UCI commands are needed. My question is what exactly to put in the MyMeshID, MyNetwork, and MyWifiCode blocks. Are these at all related to the regular wifi ssid you use on the router or completely separate and different?

In luci you can name your mesh, which I'm guessing is the same as MyNetwork and you can specify a password, which I'm guessing is the same as MyWifiCode and it is the MyMeshID that is absent in the Luci interface?

Maybe I'm overcomplicating this, it's just that I've never hard coded a script to run on first boot with the Firmware Selector. Can you maybe add some more detail to exactly what is supposed to be entered into MyMeshID, MyNetwork, and MyWifiCode? I've read the documentation but my mind isn't getting it properly.

From the documentation:

	###########################################################################################
	# auto_mesh_id (optional)
	#
	# Configure the mesh_id of the wireless interface(s) when auto_config is enabled
	# Default --__
	#
	# This string will be hashed to produce a secure mesh id
	# If set, it must also be set to the same value on every mesh node
	#

So the auto_mesh_id is a seed string used to generate a secure mesh id.
Typically it will look something like 534c56ddd669297e92d490daf46cfe

Users do not need to know this and recent versions of user devices do not even show it.

Then we have:

	###########################################################################################
	# auto_mesh_key (optional)
	#
	# Defaults to a sha256 key to be automatically used on all members of this mesh when auto_config is enabled
	# Generates a secure sha256 key from the string value set in this option.
	#
	# If set, it must also be set to the same value on every mesh node

Typically it will be of the form 068012f8481fec11845178c8e1041b3751801a24ab3e222646a4424b82a13a0a'

Next, MyNetwork:

	###########################################################################################
	# mesh_gate_base_ssid
	#
	# Sets the mesh gate base ssid string
	#	If ssid_suffix_enable is set to 0, must be a maximum of 30 characters in length
	#	If ssid_suffix_enable is set to 1, must be a maximum of 22 characters in length
	#	Excess characters will be truncated
	#
	# Default - uses the ssid string set in the wireless config
	#
	#
	# When set, overrides the ssid string set in the wireless config

and MyWifiCode:

	###########################################################################################
	# mesh_gate_key (optional)
	# Determines the encryption key for this node's gate.
	#
	# Default: not set (encryption disabled)
	# Set to a secret string value to use for encrypting the node's gate
	# Ignored if mesh_gate_encryption is set to 0 or 4
	#

I hope this clarifies it a little.

Thank you. Just clarifying these variables have nothing to do with your regular wifi ssid, but separate and used just in the mesh system setup. Or does the setup need to know your regular wifi ssid?

Are the luci instructions in the wiki up to date? I can't use luci to do it?

OpenWrt 802.11s mesh

Also, I'm making custom firmware and compiling from source code. The Makefile in your source code still references version 3.1.1. I was able to create a new Makefile that compiled 5.0.1, but that should be updated I think.

Focus on the fact that this install starts from the basic flash image with wireless disabled - basic defaults. Then mesh11sd starts up and configures everything for you depending on what you put in the "uci-defaults" text box in the firmware selector (or imagebuilder)

mesh_gate_base_ssid sets the "regular" ssid base string. Then a band identifier (eg 2g, 5g etc) is added, plus a suffix based in the mac address.
Note: A Mesh Gate is an access point that resides on a mesh node.

mesh_gate_key sets the regular "encryption key" for the ssid.

You cannot use luci with mesh11sd. This is because luci is concerned with static configurations that are done once and are remembered after a reboot.
Whereas mesh11sd "auto configures" a dynamic configuration every time it starts.
Version 5 onwards actually disables luci to prevent someone using it and potentially bricking the maeshnode. (It can be turned back on - for advanced mesh11sd users at their own risk).

That is only an example.

The actual makefile is here:

Thanks again. Lots of advancements in the program. Very interesting!

How do we get the new version into the firmware selector? Now that I understand how it all works (thanks again), it needs to be mainstreamed into OpenWrt. I think it's a fantastic, indispensable contribution to the OpenWrt project. Anyone know who I can ask or message about this issue?

There is an outstanding PR waiting on Github. There is a problem with the OpenWrt 24.10 build system currently that makes the CI tests fail any new PRs. The delay is caused by waiting for someone to fix this.

You can take a look here:

I am going to open a new PR soon with v5.0.2, some minor fixes. We can start again with it then. Should be in the next day or so.

How can I setup PPPoE WAN with mesh11sd?

I'm using the firmware builder with SNAPSHOT and it is building with mesh11sd (5.0.1-r1).

I have a config with my PPPoE WAN and LAN and without mesh11sd working. The WAN & LAN config is:

uci set network.wan.proto='pppoe'
uci set network.wan.username='xxxx
uci set network.wan.password='xxxx'
uci set network.wan.ipv6='auto'

uci set network.lan.ipaddr='192.168.1.1'
uci commit network

I have another config with the above and mesh11sd configured. With

portal_detect='1'  # default auto 

and the WAN port connected to the PPPoE server, the PPPoE connection does not succeed and the intended portal node runs in peer mode. So then I configured the portal node with

portal_detect='0'  # portal 

and the peer nodes with

portal_detect='5' # peer 

and finally I get a working mesh, but still without a working WAN PPPoE connection.

So, how can I setup PPPoE WAN with mesh11sd?

I can get luci back with:

mesh11sd commit_all commit

but it's gone again after a restart. How can I get it back permanently?

My full PPPoE with mesh11sd config is:

uci set network.wan.proto='pppoe'
uci set network.wan.username='xxxx
uci set network.wan.password='xxxx'
uci set network.wan.ipv6='auto'

uci set network.lan.ipaddr='192.168.1.1'
uci commit network

uci set mesh11sd.setup.auto_config='1'
uci set mesh11sd.setup.portal_detect='0'  # 0 portal, 5 peer 
uci set mesh11sd.setup.country='AU'   
uci set mesh11sd.setup.auto_mesh_id='xxx'
uci set mesh11sd.setup.mesh_gate_encryption='1'
uci set mesh11sd.setup.mesh_gate_key='xxx'
uci set mesh11sd.setup.auto_mesh_band='5g'
uci set mesh11sd.setup.mesh_gate_base_ssid='xxx'
uci set mesh11sd.setup.portal_use_default_ipv4=’1’ # portal to use network.lan.ipaddr 
uci set mesh11sd.setup.ssid_suffix_enable='1' # 1 to append -(2|5)g-xxxx
uci set mesh11sd.setup.vtun_enable=0 # disable Guest WiFi
uci commit mesh11sd

uci set dropbear.main.Interface='lan' # ssh only from lan
uci commit dropbear

rootpassword="xxxx"
/bin/passwd root << EOF
$rootpassword
$rootpassword
EOF

and as explained above, the portal_detect setting is the only difference between the portal and peer nodes.

In this state, please show the output of:
ip route

I'm not aware of anyone using mesh11sd with pppoe, but there shouldn't be a problem.
Perhaps mesh11sd is failing to detect the upstream gateway for some reason..
It will be good to find out the reason and fix it!

Well that turned out to be an interesting exercise because the WAN connection worked with 24.10.0 with the default set of libs

ip route
default via 203.134.4.106 dev pppoe-wan 
192.168.1.0/24 dev br-lan scope link  src 192.168.1.1 
203.134.4.106 dev pppoe-wan scope link  src 58.178.253.196 

but wouldn't connect with SNAPSHOT (with the default set of libs).

Do I need to build locally from source to get 24.10.0 with mesh11sd (5.0.1-r1)?

It's finally working with 24.10.1.