802.11s routing is, as far as I know, is only for 802.11s mesh nodes. The APs' clients are off-mesh, and won't be routed. Once you get to that point, you'll either need to tunnel or route client traffic over the mesh, or use something like https://openwrt.org/docs/guide-user/network/wifi/mesh/batman instead of the 802.11s routing protocols.
That link should also help you getting your mesh up and running. Without seeing your /etc/config/network, I'm guessing that the problem lies there.
Im also using wpad-mesh with 18.06.1 version, the guide above changes slightly with newer luci interface with regard to the mesh network interface creation
Thank you @jeff for your reply. The mesh APs' /etc/config/wireless only differ in their lan ip addresses and their MACs:
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
option ula_prefix '_unique local address_'
config interface 'lan'
option type 'bridge'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.0.101'
option netmask '255.255.255.0'
option gateway '192.168.0.1'
list dns '200.12.232.4'
list dns '200.12.229.1'
list dns '8.8.8.8'
option ip6assign '60'
config device 'lan_dev'
option name 'eth0.1'
option macaddr '_mac address_'
config interface 'wan'
option ifname 'eth0.2'
option proto 'dhcp'
config device 'wan_dev'
option name 'eth0.2'
option macaddr '_other mac address_'
config interface 'wan6'
option ifname 'eth0.2'
option proto 'dhcpv6'
config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
config switch_vlan
option device 'switch0'
option vlan '1'
option ports '0 1 6t'
config switch_vlan
option device 'switch0'
option vlan '2'
option ports '4 6t'
Should my setup be sufficient for clients to roam from mesh AP to mesh AP while using the same wireless network name? Will the clients associated to a non-wired mesh AP be able to connect through to the wired mesh AP?
Since two of the mesh APs won't be wired, I would have liked to log in to them from the clients for administration. That's why I'm concerned about not being able to route to them.
Any N access points that share a backhaul and have the same SSID and the same security, and are on separate channels will be sufficient to roam successfully. Whether the backhaul is mesh, ethernet, powerline, or something exotic (fiber, coax, whatever) doesn't matter.
What the mesh backhaul gives you is zero wires and the ability to move the APs around easily to optimize placement.
That's what I've got up and running at home. In my case, three or four of the five are "wireless only" with administrative access via a dedicated VLAN carried over the mesh, just as each of the isolated SSIDs have their own VLANs. I was originally using GRE, Layer 2 tunnels, but have moved to batman-adv as the configuration is easier (no "master" AP that is configured differently than the "remotes").
Thank you for your reply @dlakelan. Each mesh AP has to be on a separate channel? What would happen if they were on the same channel? I'm currently using WDS, and I have them on the same channel, but roaming is nonexistent.
Meshes need to be on the same channel to talk to each other, but the regular AP (which is a separate SSID) is better off on different channels. One way to accomplish this is if you use dual radio APs and put the mesh on a separate radio from the access point for clients.
Roaming is entirely controlled by the client. The ESSID identifies radios that all participate in the same network (ESSID stands for Extended Service Set ID, meaning a network of radios that all are connected to the same subnet). The client determines which of those radios to talk to based on its own decision making software.
The best way to force clients to roam is turn down power on the radio so that it loses its signal around about the time the closer AP has a very good signal. There are some hacks to hostapd to force clients off based on received signal strength (received by the hostapd AP) but they are not yet integrated in OpenWRT that I know of. Ideally you have at most two radios (on different changes) with usable signal strength at any point in the physical space you are covering. Wherever you are, the closest and maybe second closest APs could be usable, but all other APs should be turned down enough that they are unusable (ie. -85 dBm received strength or less).
According to this article published in IEEE Wireless Communications,
"With 802.11s, mesh stations perform the dictionary attack-proof Simultaneous Authentication of Equals (SAE) [11] algorithm. Besides mutual authentication, SAE provides two mesh stations with a pairwise master key (PMK) that they use to encrypt their frame. As its name indicates, SAE does not rely on a keying hierarchy like traditional 802.11 encryption [4]. Instead, it implements a distributed approach that both mesh stations may initiate simultaneously. Because of the pairwise encryption, each link is independently secured."
So, could it be that mesh stations do their own authentication, and no explicit security settings need to be configured in /etc/config/wireless ?
No magic -- if you don't configure the security settings, it will be an unencrypted mesh. With SAE they still need some kind of "shared secret". The common configuration is "trivial" by adding