I'd like to use OpenWRT to get connectivity from a public (unencrypted) hotspot at a location where the WiFi hotspot would otherwise offer only very poor and choppy reception.
The public hotspot's WiFi is on 2.4 GHz 802.11n and changes channels over time.
Unfortunately it's in an urban setting with about 40 other visible WiFi networks on 2.4 GHz, some of them being notably stronger. What's a reasonable setup to deal with such a situation?
I grabbed an old TP-Link TL-WA830RE, put the last available OpenWRT on it and configured it as a WiFi client to the public hotspot as the WWAN interface (channel set to auto). I connected the LAN ethernet port via cable to the LAN port of an arbitrary other access point's LAN (I used a Linksys E2000 which I set to 5 GHz only to create a different WPA2 hotspot for local devices to connect to), disabling that one's DHCP (so that the devices will get their IP config from OpenWRT's DHCP).
Do you think this is a reasonable setup? It does work, but improvements in throughput and stability would of course be welcome.
Should I try to get rid of the second NAT (on the OpenWRT router), i.e. would a real layer 2 setup make more sense, where each device individually establishes an IP connection to the hotspot? And if so, would it be sufficient to put the WiFi on the OpenWRT device into the LAN zone? (drawback would be that my routers might be exposed from the public hotspot)
Can I expect some major improvement by using some different device, i.e. are some chips/antennas notably better than others?
This sounds like a reasonable approach. Given that this is a public wifi, your speeds may be a bit limited... Do you know what the best speed you're likely to get looks like, and what you're getting with your current config?
No, for several reasons:
- you said the upstream network is public, unencrypted wifi. You should treat this as a hostile/untrusted network, so having a NAT + firewall layer is a good thing.
- If you want to be able to share files and other things between your devices, you may need your own private network... if the public wifi has client-isolation enabled, you won't be able to share anyway... and if it doesn't, even more of a reason to consider it untrusted.
- Setting up a layer 2 bridge (i.e. relayd) with wifi is not ideal and not recommended for a number of technical reasons. It's a hack and it may not work that well in practice. And, as you mentioned, you don't want your own router's admin interface exposed either, so all around it's just not a good option. The standard routed client situation you're using now is the recommended approach.
Maybe... There are APs that have directional antennas and/or more sensitive radio systems (including the antenna designs) that might have better performance on the uplink. But it depends on how good/bad your signal is in the first place.
As a side note, keep in mind that your internet traffic is going to be unencrypted with respect to wifi (see the next part, though), even if you use encryption on your own private network, because the wan of your network is connecting to this unencrypted public network... this means that people in range can listen in on your activities. Things that are not actually encrypted on the internet (such as older websites, dns if not over DoH/DoT, etc) will be 'fair game' to anyone who wishes to eavesdrop. However (this is 'the next part'), most things on the internet are actually encrypted these days (https, ssh, etc.) so you don't typically have to worry about the specific data you are accessing being sniped (but this does depend on the site/service, of course).
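The NAT and firewall layer recommended in this reply is configured per zone in /etc/config/firewall: the zone that contains the hotspot uplink needs input and forward set to REJECT or DROP, and masquerading (option masq) enabled on that zone. A check for this, as an added example that is not part of the original post; the function name and the sample config are constructed, and the uplink network is assumed to be named wwan:

```shell
#!/bin/sh
# Constructed sample in UCI syntax (not from the thread). On the router, feed
# /etc/config/firewall to the function instead.
SAMPLE_FW="config zone
    option name 'lan'
    list network 'lan'
    option input 'ACCEPT'
    option forward 'ACCEPT'

config zone
    option name 'wan'
    list network 'wan'
    list network 'wwan'
    option input 'REJECT'
    option forward 'REJECT'
    option masq '1'
"

# audit_uplink_zone NETWORK (hypothetical helper): reads a firewall config on
# stdin and returns 0 only if NETWORK sits in a zone that blocks inbound and
# forwarded traffic and masquerades. Options missing from the zone count as
# failures; the global "config defaults" section is not consulted.
audit_uplink_zone() {
    awk -v net="$1" -v q="'" '
        function blocks(v) { return v == "REJECT" || v == "DROP" }
        function check(   ok) {
            if (!member) return
            seen = 1; ok = 1
            if (!blocks(o["input"]))   { print "FAIL: input="   o["input"];   ok = 0 }
            if (!blocks(o["forward"])) { print "FAIL: forward=" o["forward"]; ok = 0 }
            if (o["masq"] != "1")      { print "FAIL: masq="    o["masq"];    ok = 0 }
            if (!ok) bad = 1
            else print "OK: " net " is in zone " o["name"]
        }
        { gsub(q, ""); gsub(/"/, "") }    # drop UCI quoting
        $1 == "config" { check(); member = 0; split("", o); inzone = ($2 == "zone"); next }
        inzone && ($1 == "option" || $1 == "list") {
            if ($2 == "network") { for (i = 3; i <= NF; i++) if ($i == net) member = 1 }
            else o[$2] = $3
        }
        END {
            check()
            if (!seen) { print "FAIL: " net " is in no zone"; bad = 1 }
            exit bad + 0
        }
    '
}

printf '%s' "$SAMPLE_FW" | audit_uplink_zone wwan
```

Run against the sample with `lan` as the argument, the check fails on all three options, which is the state the uplink would be in if the client WiFi were moved into the LAN zone.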
Thanks for your helpful response.
Yes, I am aware that using a hotspot easily reveals your activities and potentially even exposes you to the risk of MitM attacks. You should make that assumption for the Internet in general though.
The throughput and stability I am getting greatly varies with time of day because it depends on the other 2.4 GHz WiFis' activities/load factor. During night it's much better of course, then I get maybe 20 Mbps net throughput. I don't think the hotspot's capacity is the limiting factor, it's the congested 2.4 GHz WiFi connection.
This is why I am wondering whether some other device with a different chip might be a better choice. Also there are devices with three antennas instead of two. Would that help?
Placing the antennas is likely a key point and also maybe some shielding might help? I don't know the precise location of the public hotspot, it is probably located within a building and I definitely don't have line of sight.
According to its OUI the public access point uses a device from Ruckus Wireless (Ruckus Networks).
One more thing: when I look at the Firewall Settings on the LuCI admin interface the LAN => WAN forwarding is depicted with Masquerading not ticked. Nevertheless things do work fine (so there must be NAT applied???). Is the default setup actually not doing masquerading (which I understand to be a synonym for NAT), or does the web interface display the settings incorrectly?
Do you have good signal from the AP? Can you check that?
I am not sure if I correctly understand your question. The public AP's signal is poor, mainly due to the congestion in the 2.4 GHz band. Of course if I move physically closer to its location (using a handheld device) it's getting better.
The reception of my "private" 5 GHz AP (from Linksys) is very good and completely sufficient. It is not the issue here and it does not need to cover a huge distance. Plus, the 5 GHz band still has completely empty slots here.
If so you do not need 3 or 4 omni antennas. I think you need a directional antenna. A device like mikrotik or something similar.
I have this device, and for the size it is really really powerful.
If you have a more powerful router inside, you can make this little device work with trelay, and let the router inside do nat, vpn, all the hard work.
Can this be expected to help also in situations when connecting to an access point which does not send a directed signal?
The device's description talks about "dual chain"; this means "two (built-in) physical antennas", right?
I understand that multiple antennas increase the throughput using MIMO. With 802.11n two antennas are used for (a theoretical maximum of) 300 Mbps, three antennas for 450 Mbps.
Even in congested environments three antennas should deliver a better throughput than two, shouldn't they?
Can I somehow determine whether that local public access point supports MIMO with three antennas? Is there maybe some announcement of capabilities which I can evaluate? Or do I just need to try it out?
Yes sure, your client is omni and you have it inside. This device is directional and for outdoor use
and has a 10 dBi antenna, your device does not even have a 3 dBi antenna.
Yes a directional antenna on one end (yours) is still much better. A lot of that is that you won't be interfered as badly by signals from beside or behind the direction that you want.
Make a detailed scan with iw dev wlan0 scan
and find the block for the AP you want then look for "HT RX MCS rate indexes supported." "0-7" means it's a 1x1 AP which will not benefit (other than simple diversity reception) from dual chain on your end. "0-15" or "0-23" means that two or three streams are supported respectively.
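The lookup described above can be scripted. This is an added example, not part of the original post: it reads `iw dev wlan0 scan` output, keeps the APs advertising a given SSID, and derives the stream count from the highest advertised MCS index (index / 8 + 1, which reproduces the 0-7, 0-15 and 0-23 cases named above). The function name, the SSID and the sample scan are constructed.

```shell
#!/bin/sh
# Constructed scan excerpt in the layout iw prints; all values are made up.
SAMPLE_SCAN='BSS 02:00:00:00:00:01(on wlan0)
    signal: -78.00 dBm
    SSID: ExampleHotspot
    HT capabilities:
        HT RX MCS rate indexes supported: 0-23
    HT operation:
         * primary channel: 1
BSS 02:00:00:00:00:02(on wlan0)
    signal: -64.00 dBm
    SSID: ExampleHotspot
    HT capabilities:
        HT RX MCS rate indexes supported: 0-7
    HT operation:
         * primary channel: 6
'

# list_bss SSID (hypothetical helper): reads scan output on stdin and prints
# "BSSID signal channel MCS-range streams" per matching AP, strongest first.
list_bss() {
    awk -v want="$1" '
        function emit() {
            if (bssid != "" && ssid == want) print bssid, sig, chan, mcs, streams
        }
        /^BSS / {                       # a new AP block starts here
            emit()
            bssid = substr($2, 1, 17)   # strip the "(on wlan0)" suffix
            ssid = sig = chan = mcs = ""; streams = 0
        }
        $1 == "signal:" { sig = $2 }
        $1 == "SSID:"   { ssid = $0; sub(/^[ \t]*SSID: /, "", ssid) }
        /primary channel:/ { chan = $NF }
        /HT RX MCS rate indexes supported:/ {
            mcs = $7; sub(/,$/, "", mcs)        # first range, e.g. 0-23
            n = split(mcs, r, "-")
            streams = int(r[n] / 8) + 1         # 0-7: 1, 0-15: 2, 0-23: 3
        }
        END { emit() }
    ' | LC_ALL=C sort -k2,2nr
}

printf '%s' "$SAMPLE_SCAN" | list_bss ExampleHotspot
```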
Thanks. Here's the excerpt from the output:
HT capabilities:
    Capabilities: 0x9ad
        RX LDPC
        HT20
        SM Power Save disabled
        RX HT20 SGI
        TX STBC
        RX STBC 1-stream
        Max AMSDU length: 7935 bytes
        No DSSS/CCK HT40
    Maximum RX AMPDU length 65535 bytes (exponent: 0x003)
    Minimum RX AMPDU time spacing: 16 usec (0x07)
    HT RX MCS rate indexes supported: 0-23
    HT TX MCS rate indexes are undefined
HT operation:
     * primary channel: 1
     * secondary channel offset: no secondary
     * STA channel width: 20 MHz
So if I understand correctly it could use MIMO with up to three streams, but my connection is currently using a single one only. Has the access point been configured to do so? Or would it use another one dynamically if traffic requires it?
I also changed my setting from 20 to 40 MHz channel width. Nevertheless I still get:
26.0 Mbit/s, 20MHz, MCS 9
52.0 Mbit/s, 20MHz, MCS 11
(values keep fluctuating of course).
Does it mean that the public access point is fixed/restricted to 20 MHz channels?
(BTW, I'm still wondering how with a single 20 MHz channel one can get a maximum theoretical bandwidth of 75 Mbps; I probably need to dig a bit deeper into the subject)
Since the public hotspot has several access points with the same SSID I removed the BSSID from the OpenWRT WLAN client configuration (i.e. left that field empty) and specify only the ESSID. This will make OpenWRT choose the access point with the strongest signal, right?
I also changed my setting from 20 to 40 MHz channel width. Nevertheless I still get:
26.0 Mbit/s, 20MHz, MCS 9
52.0 Mbit/s, 20MHz, MCS 11
You are going the wrong way, leave it at 20. You are never going to get maximum speed with a weak signal, so I would install SQM and limit your bandwidth to 10 or 15 Mb's, it should be more reliable. You may have to go even lower with SQM.
The router is always going to try for the maximum speed and that will just cause retransmissions (can't remember the proper term).