I didn't have time lately to play around with this, but after some googling and experimenting I seem to have success with encryption (finally). The trick was to change "option encryption 'authsae'". It seems we just need to put 'psk2' or 'psk2+ccmp' like "normal". I am using wpad-mesh (without authsae).
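For reference, an added example of what such a wpad-mesh wifi-iface stanza in /etc/config/wireless looks like (this is not the poster's own config; the device, interface and mesh ID names are placeholders). Current releases document the value 'sae' for an encrypted 802.11s mesh with wpad-mesh; the post above reports 'psk2' working on 17.01, so use whichever your release's netifd scripts accept. 'none' gives an open mesh, and peers only join when the key matches:

```text
config wifi-iface 'mesh0'
        option device 'radio0'
        option ifname 'mesh0'
        option network 'mesh'
        option mode 'mesh'
        option mesh_id 'example-mesh'
        # 'sae' on current releases; the post above used 'psk2' on 17.01 with wpad-mesh
        option encryption 'sae'
        option key 'a-long-random-passphrase'
```

The passphrase is the only secret in the setup, so treat it like a WPA2 PSK: long, random, and not shared with the client-facing SSIDs.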
I had no success with wpad-mesh and encryption. My experiments are using the packages wpad-mini and authsae (17.01.4 on x86-legacy thin clients and extrooted TL-WR703Ns).
My guinea pigs only can join the mesh when the password matches, so it at least halfway works.
As long as I don't know how to verify that encryption really is doing its job I do not bridge the mesh to my LAN or WAN interfaces. So I have not tried bridging it yet.
The router is just plugged in in one of my bedrooms in the "middle" of my apartment. I can connect just fine to its AP and get internet/LAN via the mesh. IP addresses are via DHCP on my main router, and my devices get these just fine via the "mesh". Using only wpad-mesh. The authsae package is really old and deprecated.
Does encryption really work... that's a good question. I don't know how to check; I can only confirm that without a key or with the wrong key it doesn't connect. Suppose it doesn't work, should I be able to see the mesh traffic as "plain text" using Wireshark, and how?
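One way to answer that question, as an added example that is not part of anyone's post: capture the mesh link from a monitor-mode interface and look at the Protected Frame bit in the 802.11 Frame Control field. The assumed capture step is `iw phy phy0 interface add mon0 type monitor`, `ip link set mon0 up`, `tcpdump -i mon0 -w mesh.pcap` (phy0, mon0 and the file name are placeholders); in Wireshark the equivalent filter is `wlan.fc.protected == 1`. An unencrypted mesh shows its data frames with that bit clear and an LLC/SNAP header plus IP visible in the payload; an encrypted one shows every data frame protected. Management frames (beacons, mesh peering) are cleartext either way, so only data frames are counted. The embedded SAMPLE_PCAP is constructed by hand, not a real trace:

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4          # little-endian classic pcap
LINKTYPE_RADIOTAP = 127          # what tcpdump writes for a monitor interface
FTYPE_DATA = 2                   # 802.11 frame type 2 = data
FC1_PROTECTED = 0x40             # "Protected Frame" bit, second Frame Control byte


def iter_pcap_packets(pcap: bytes):
    """Yield each captured packet from an in-memory little-endian pcap."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap")
    linktype, = struct.unpack_from("<I", pcap, 20)
    if linktype != LINKTYPE_RADIOTAP:
        raise ValueError("capture must come from a monitor interface (radiotap)")
    off = 24
    while off + 16 <= len(pcap):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from("<IIII", pcap, off)
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def classify_frame(pkt: bytes):
    """Return (frame_type, subtype, protected) for one radiotap packet, or None if too short."""
    if len(pkt) < 4:
        return None
    rt_len, = struct.unpack_from("<H", pkt, 2)   # radiotap it_len is little-endian
    if len(pkt) < rt_len + 2:
        return None
    fc0, fc1 = pkt[rt_len], pkt[rt_len + 1]
    return (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF, bool(fc1 & FC1_PROTECTED)


def data_frame_stats(pcap: bytes):
    """Return (protected_data_frames, total_data_frames) for a capture."""
    total = protected = 0
    for pkt in iter_pcap_packets(pcap):
        info = classify_frame(pkt)
        if info is None or info[0] != FTYPE_DATA:
            continue  # beacons, SAE auth and peering frames are cleartext by design
        total += 1
        protected += info[2]
    return protected, total


def mesh_looks_encrypted(pcap: bytes) -> bool:
    """True only if the capture has data frames and every one of them is protected."""
    protected, total = data_frame_stats(pcap)
    return total > 0 and protected == total


# --- constructed sample capture (hand-built, not a real trace) ---
def _frame(fc0: int, fc1: int, payload: bytes) -> bytes:
    radiotap = struct.pack("<BBHI", 0, 0, 8, 0)       # minimal 8-byte radiotap header
    # simplified 24-byte 802.11 header; only Frame Control is inspected above
    hdr = bytes([fc0, fc1]) + b"\x00\x00" + b"\x02\x00\x00\x00\x00\x01" * 3 + b"\x00\x00"
    return radiotap + hdr + payload


def _pcap(frames) -> bytes:
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_RADIOTAP)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = _pcap([
    _frame(0x80, 0x00, b"\x00" * 12),                    # beacon: management, never encrypted
    _frame(0x88, 0x43, b"\x00" * 8 + b"\xaa" * 16),      # QoS data, ToDS+FromDS, Protected bit set
    _frame(0x88, 0x43, b"\x00" * 8 + b"\xbb" * 16),      # another protected data frame
    _frame(0x88, 0x03, b"\x00" * 2 + b"\xaa\xaa\x03\x00\x00\x00\x08\x00"),  # cleartext LLC/SNAP + IPv4
])

if __name__ == "__main__":
    p, t = data_frame_stats(SAMPLE_PCAP)
    print(f"{p}/{t} data frames protected; encrypted mesh: {mesh_looks_encrypted(SAMPLE_PCAP)}")
```

Run it against a real capture with `data_frame_stats(open("mesh.pcap", "rb").read())`. On a correctly configured SAE mesh the two numbers are equal; a single cleartext data frame with a visible LLC/SNAP header (0xaa 0xaa 0x03 ...) means traffic is crossing the mesh unencrypted, and that is the case in which bridging it to the LAN would expose everything on it.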
I'll give it another shot when I have some free time, but I just wanted to say @drbrains -- huge thank you for replying in this thread and to PMs of multiple people trying to achieve working mesh setup.
Hi there.
I'm new to working with mesh networks. I've been trying to install packages on my Netgear R7800 router via opkg. But every time I try 'opkg install wpad authsae', I get the following message:
Package authsae (2014-06-09-8531ab158910a525d4bcbb3ad02c08342f6987f2) installed in root is up to date.
Configuring libnl-tiny.
//usr/lib/opkg/info/libnl-tiny.postinst: //usr/lib/opkg/info/libnl-tiny.postinst: 4: default_postinst: not found
Configuring authsae.
//usr/lib/opkg/info/authsae.postinst: //usr/lib/opkg/info/authsae.postinst: 4: default_postinst: not found
Configuring babeld.
//usr/lib/opkg/info/babeld.postinst: //usr/lib/opkg/info/babeld.postinst: 4: default_postinst: not found
Configuring hostapd-common.
//usr/lib/opkg/info/hostapd-common.postinst: //usr/lib/opkg/info/hostapd-common.postinst: 4: default_postinst: not found
Collected errors:
* check_data_file_clashes: Package wpad wants to install file /usr/sbin/hostapd
But that file is already provided by package * qca-hostap
* check_data_file_clashes: Package wpad wants to install file /usr/sbin/wpa_supplicant
But that file is already provided by package * qca-wpa-supplicant
* opkg_install_cmd: Cannot install package wpad.
* pkg_run_script: package "libnl-tiny" postinst script returned status 127.
* opkg_configure: libnl-tiny.postinst returned 127.
* pkg_run_script: package "authsae" postinst script returned status 127.
* opkg_configure: authsae.postinst returned 127.
* pkg_run_script: package "babeld" postinst script returned status 127.
* opkg_configure: babeld.postinst returned 127.
* pkg_run_script: package "hostapd-common" postinst script returned status 127.
* opkg_configure: hostapd-common.postinst returned 127.
This is the content of my opkg.conf file:
dest root /
dest ram /tmp
lists_dir ext /var/opkg-lists
option overlay_root /overlay
option check_signature 1
src/gz snapshots_base http://downloads.openwrt.org/snapshots/trunk/ipq806x/generic/packages/base
If you do build libopenssl into an image, you might want to set CONFIG_OPENSSL_WITH_COMPRESSION=y, otherwise uhttpd won't run TLS successfully, at least as configured by default.
I have set up a mesh network among 5 routers utilizing 802.11s mesh routing protocols. Now I have two switches with trunk and access ports, and what I am trying to do is to propagate VLAN tags over my mesh network (connect one mesh router to the source switch and another to the destination switch) so as to avoid redundant mesh broadcast flow.
Now the question is: are VLAN tags propagated among these routers from the source switch to the destination switch using the mesh routing protocol? Does the mesh setup understand VLAN tagging or not?
It would be great if anyone could guide me through this.
Hey @jeff, thanks for your prompt response, but isn't GRE for direct tunneling communication between two routers? The scenario which I want to implement is to use kind of multihop communication, meaning from the source to the destination many routers are engaged and frames are passed through intermediate nodes (the other 3 routers), not just direct communication.
Perhaps your objectives are different than mine, so let me quickly lay out what mine are:
1. Isolate various classes of devices from each other, and potentially limit their outside access
2. Provide different services to each class of device (DNS, for example)
3. Wireless connectivity to most APs
4. Allow "seamless" roaming between multiple APs
5. Relatively easy to maintain, once set up
#1 I achieve through providing an SSID for each class of device, with its own subnet and VLAN
#2 I achieve by using VLAN-aware service hosts, running multiple instances, as needed
#3 I currently use 802.11s with GRE encapsulation
#4 As 802.11s, as far as I know, is effectively a routed protocol at Layer 3. The mesh is transparent to clients roaming between APs which are connected over the mesh. They aren't mesh clients, but are AP clients. While I could put every AP's clients on their own subnet and route between them, I'd need a dynamic routing protocol, which wouldn't be fast enough, especially with 802.11r. It would also mean replicating non-routable services, such as DHCP and NTP broadcast on the VLANs associated with each AP, violating #5, easy to maintain. So I chose to bridge (Layer 2) each of the VLANs among the APs and the gateway to the rest of the world rather than route them.
At a high level, my setup for each AP (including the "master" AP) looks like:
AP with distinct SSID for each class, with a VLAN constant across my entire network for that class of device
No cross-VLAN routing permitted at any AP or at the master AP
Mesh node to provide connectivity among the APs and the master AP; node-to-node self-routing provided by 802.11s
GRE tunnel over the mesh addresses, between each AP and the master AP
Each VLAN tunneled over the GRE tunnel
Ethernet connectivity between the master AP and the rest of the network (VLAN tagged)
Services provided elsewhere on VLAN-aware service hosts
Routing provided elsewhere on VLAN-aware router/firewall
<laptop>----access<TP link switch1>Trunk(p5)----<Buffalo router1>-----5GHz-----<Buffalo router2>---trunk(p5)<TP link switch2>access---Cisco routers (4 routers, each having separate VLANs)
My Buffalo routers are communicating via 5GHz mesh protocol
Both switches: port 1: vlan 11, port 2: vlan 12, port 3: vlan 21, port 4: vlan 22 and port 5: default vlan 1 (trunk)
Cisco routers: 1st router port 1, 2nd one port 2, 3rd one port 3 and 4th one port 4
The thing I am trying to investigate is whether the mesh protocol between 2 routers understands VLAN tagging. For example, I can ping Cisco 1, plugged into port 1 of switch 2 (vlan 11), from my laptop only when it is connected to port 1 of switch 1 (without touching the VLAN configuration of the Buffalo switches). Can anyone explain if it's possible?
However, the laptop can only ping the first Buffalo router when the ports are swapped (laptop ---> trunk port and Buffalo ---> access port) and can't ping in the scenario above. Can anyone clarify the reason?