TP-Link RE450 v2 (6MB) as WPA?-Enterprise AP

I'm trying to migrate my farm network (large area, low budget, low user number, growing number of IoT gadgets and widgets) to 802.1X.

So I need wpad-mbedtls, as far as I know.
And I'd be desperate to have snmp (v2 reading), lldp and common collectd modules too, to include them in my 'observium' surveillance.
Installed 23.05.5 fine so far on D-Link DAP-X1860 and TL-CPE210 (8MB).

Can't get it onto another two TP-Link RE450 v2.
Obviously they have trouble with weird firmware partition, limiting usable Flash to < 6MB.

There's a large thread on that Support for TP-Link RE450 v1/v2 for 22.X/23.X releases (Change of partition layout) - #80 by cstadach, but I get lost there.

I tried this selection at build host, and get 148 k left (according to df on / and /overlay):

base-files busybox dropbear firewall4 fstools kmod-ath9k kmod-gpio-button-hotplug kmod-nft-offload libc libgcc libustream-mbedtls logd mtd netifd nftables opkg procd procd-seccomp procd-ujail swconfig uboot-envtools uci uclient-fetch urandom-seed urngd wpad-mbedtls kmod-ath10k-ct-smallbuffers ath10k-firmware-qca988x-ct

opkg install snmpd croaks 'No space left on device.'

However, I think I am close to target.
What else can I omit? Firewall? fstools? nftables?

There are loads of kmod-crypto-* revealed by opkg list-installed.
Do I need them all? Are they pulled in by mbedtls? Is there a fine grained way to select only the ones I need? How to know? Is it worth the effort?

Or is there a +- predictable way to change the partition table - without soldering or otherwise fiddling in the hardware?

ok, give it a try ....
base-files busybox dropbear fstools kmod-ath9k kmod-gpio-button-hotplug libc libgcc libustream-mbedtls logd mtd netifd opkg procd procd-seccomp procd-ujail swconfig uboot-envtools uci uclient-fetch urandom-seed urngd wpad-mbedtls kmod-ath10k-ct-smallbuffers ath10k-firmware-qca988x-ct

snmpd did not fit in - online build failed

596 k free in /
opkg info snmpd .... including its dependencies ... say

snmpd                        11.238
  +- libc (installed)
  +- libnetsnmp             376.701
        +- libc (installed)
        +- libnl-tiny1       13.023
        +- libpci            24.831
        +- libpcre2         115.191
                           --------
                Total:      540.984

however...:

root@AP-RE450-122:~# opkg --no-check-certificate   install snmpd
   .....
 * pkg_write_filelist: Failed to open //usr/lib/opkg/info/snmpd.list: No space left on device.

Similar picture with lldpd and collectd:
each of them is >> 500 kB including their dependencies.

So either I find a more lean way for monitoring.
Or I risk the repartition endeavour
Or I stop weighing the pig and continue to feed it...

Just found that most information for device monitoring is available in /proc.
There even is a

root@AP-RE450-122:~# ls -la /proc/net/dev_snmp6/
dr-xr-xr-x    7 root     root             0 Nov 27 14:21 .
dr-xr-xr-x   49 root     root             0 Nov 27 14:21 ..
-r--r--r--    1 root     root             0 Nov 27 14:21 br-lan
-r--r--r--    1 root     root             0 Nov 27 14:21 eth0
-r--r--r--    1 root     root             0 Nov 27 14:21 lo
-r--r--r--    1 root     root             0 Nov 27 14:21 wlan0
-r--r--r--    1 root     root             0 Nov 27 14:21 wlan1

with e.g. throughput figures like

root@AP-RE450-122:~# cat /proc/net/dev_snmp6/br-lan 
	....
Ip6InMcastPkts                          178
Ip6OutMcastPkts                         10
Ip6InOctets                             53729
Ip6OutOctets                            992
Ip6InMcastOctets                        53729
Ip6OutMcastOctets                       992
Ip6InBcastOctets                        0

... and they are even already labelled in SNMP dialect, as far as I can see.

No clue whether this is a remainder of my broken try to install snmp, or available by standard.
Wouldn't it be possible to collect this info from a daemon running outside? e.g. by ssh, scp, netcat or so?
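Added example (not part of the original posts): one way to collect these counters from a monitoring host over SSH, with nothing extra installed on the AP. The files under /proc/net/dev_snmp6 are provided by the kernel's IPv6 stack, not by snmpd. The host name passed to `fetch`, the key-based root login and the function names are assumptions.

```python
import subprocess

# Constructed sample: the excerpt shown in the post, including the elided line.
SAMPLE = """\t....
Ip6InMcastPkts                          178
Ip6OutMcastPkts                         10
Ip6InOctets                             53729
Ip6OutOctets                            992
"""

def parse_snmp6(text):
    """Parse '<name> <integer>' lines of /proc/net/dev_snmp6/<iface> into a dict."""
    counters = {}
    for line in text.splitlines():
        parts = line.split()
        # Skip blank lines and anything that is not exactly name + integer.
        if len(parts) != 2 or not parts[1].isdigit():
            continue
        counters[parts[0]] = int(parts[1])
    return counters

def rates(prev, curr, seconds):
    """Per-second rate per counter. A counter that went backwards (reboot or
    reset) yields None so the caller can drop that sample instead of graphing
    a bogus spike."""
    out = {}
    for name, value in curr.items():
        if name in prev:
            delta = value - prev[name]
            out[name] = delta / seconds if delta >= 0 else None
    return out

def fetch(host, iface, timeout=10):
    """Read one interface's counters over SSH (assumes key-based login)."""
    # The interface name ends up in a remote shell command line: allow only
    # letters, digits, '-' and '.' so it cannot carry shell syntax.
    if not iface.replace("-", "").replace(".", "").isalnum():
        raise ValueError("unexpected interface name: %r" % iface)
    cmd = ["ssh", "-o", "BatchMode=yes", "root@" + host,
           "cat", "/proc/net/dev_snmp6/" + iface]
    done = subprocess.run(cmd, capture_output=True, text=True,
                          timeout=timeout, check=True)
    return parse_snmp6(done.stdout)

if __name__ == "__main__":
    print(parse_snmp6(SAMPLE))
```

These files count IPv6 traffic only; total per-interface byte and packet counters are in /proc/net/dev. A key used only for polling can be limited with a `command="..."` restriction in dropbear's authorized_keys, so it cannot open a shell.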

Enterprise AP mode is supported by wpad-mini, which is installed by default. If you need Enterprise STA mode, wpad needs to be upgraded. An AP does no additional crypto processing; the EAP packets are forwarded encrypted end to end to the RADIUS server.

Hei, I have 2 re450 v2s running openwrt. One package that can still be omitted is opkg. Of course that will rob you of the possibility to add packages after you installed it. So you should build with everything that you want right away.
The sweet spot is 5697kb imagesize (as mentioned by @theMan )

Keep in mind that 24.10.x is pretty much around the corner, while you can get OpenWrt to work within 8 MB flash (and I'm looking at the 'good' examples here, which only lose 192 KB to u-boot/u-boot-env and wifi calibration here) with that, you do have to strip your package set quite a bit for the inherent image growth. The situation with only 6 MB available should be quite difficult even with the bare minimum, so I would reconsider your efforts here - as the end is quite literally just around the corner (if that means replacing the hardware or just giving up on the more 'optional' packages (snmp, lldp and collectd) is another question - but with a longer term view on it, you should start planning for the former).

Pulling all your answers together, I came to conclude that I had to get rid of the 6 MB limit.

So I followed the advice over there Support for TP-Link RE450 v1/v2 for 22.X/23.X releases (Change of partition layout)
took another beer to increase courage, flashed a V1-Image with modified partitions - and found it bricked. :cry:

Well, I paid just 20 € for one, so shall I really give in to the hunting instincts :thinking: ?

how bricked tho?

if at first you fail, ...

what does u-boot say on the serial console?

even still struggling to open the case. :man_facepalming:
My cheap CN-3-wing bits don't drive the screws
have to look for more solid ones.

Can you provide me some pointer on debrick howto?
which resistors to bridge?
serial settings?

If it boots but is just inaccessible over the network, you can poke at buttons and get it into failsafe:
https://openwrt.org/docs/guide-user/troubleshooting/failsafe_and_factory_reset

If it doesn't boot, wiki says to try this special firmware image rs450bs.bin:
https://openwrt.org/toh/tp-link/re450#debricking

(but does not specify if this is for v1 or v2 or both, might need another beer!)

serial console instructions are also in the wiki !

For v2 it looks like you need to heat up R64 & R69 a bit and remove them. And if you have the soldering iron out anyway, might as well find a 3-pin header (or whatever works) and mount in the GND/RX/TX holes.

Try 115200 8n1


When it did boot, did it show any flashing at the LEDs?
It does not do so

To be more precise, all LEDs flash for maybe 0.5 s, 0.1 s off, 0.2 s on, and then off.
No change when I press any button.
So I assume it is stuck at the boot loader?

According to the failsafe manual:

Power on the device, wait for a flashing LED and press a button.

So give it a few tries with some button mashing and see if it starts responding on 192.168.1.1.

There's also a way to be more certain, without a console, according to the failsafe manual:

Wait (with a packet sniffer) for a special broadcast packet and press a button.

The packet will be sent to destination address 192.168.1.255 port UDP 4919.
The packet contains the text “Please press button now to enter failsafe”.

So you can start Wireshark on the connected laptop, make sure the network interface is configured & up, and see if it receives that frame.

If it does, then the device can enter failsafe with the appropriate well-timed button mashing.
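Added example (not part of the original posts): a small listener for the failsafe announcement described above, for a laptop without Wireshark or tcpdump. The port and text are the ones quoted from the failsafe manual; the function names and timeout are assumptions. Unlike a packet capture, a socket only receives the broadcast if the laptop's interface has an address in 192.168.1.0/24.

```python
import socket
import time

FAILSAFE_PORT = 4919
FAILSAFE_TEXT = b"Please press button now to enter failsafe"

def is_failsafe_prompt(payload):
    """True if a received datagram carries the failsafe announcement."""
    return FAILSAFE_TEXT in payload

def wait_for_prompt(timeout=120.0, bind_addr="", port=FAILSAFE_PORT):
    """Listen for the announcement. Returns the sender's (ip, port) tuple,
    or None if nothing matching arrived before the timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        sock.bind((bind_addr, port))  # "" = all local addresses
        deadline = time.monotonic() + timeout
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                return None
            sock.settimeout(remaining)
            try:
                data, sender = sock.recvfrom(2048)
            except socket.timeout:
                return None
            # Other broadcasts may hit the same port: match on the text.
            if is_failsafe_prompt(data):
                return sender

if __name__ == "__main__":
    print("Power-cycle the device now; listening on UDP", FAILSAFE_PORT)
    sender = wait_for_prompt()
    if sender:
        print("Failsafe prompt from", sender[0], "- press the button now")
    else:
        print("Nothing received: the device did not reach this boot stage")
```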

I must admit I don't quite get why people keep trying to stuff more packages into these tiny devices :upside_down_face:

Wouldn't it be easier to just build a tiny image with nbd compiled into the kernel, include only wired networking + busybox + dropbear + block-mount + kmod-fs-ext4 in the image, and then just patch the Extroot scripts to set an IP address and mount the /overlay filesystem from a Raspberry Pi somewhere?

I think tcpdump should do the job as well, as the manual says.
But it does not show anything.
When I remove the port / udp stanzas, I get some traffic, but from some halfway educated guess, that's more SMB broadcasting stuff and does not originate from the router.

....:~$ sudo tcpdump -Ani eth1 port 4919 and udp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes

you mean mounting some extroot, located on the net?
Actually that was my plan B.
Should better have upgraded it to plan A.
At least: Lesson learned :+1:

Time to get soldering I guess :slight_smile:

Luckily only have to do it once, then you have serial access to u-boot forever.

Hope you have a soldering iron with a sharp tip, those SMD components are tiny

yes. put an SD card in an old RPi and host it there fx.

Not tonight anymore (living in CET, wallclock says 3 in the morning)

Reading here:
https://openwrt.org/toh/tp-link/re450#debricking
I don't see the point where I have to enter any input.
So maybe, if I'm lucky and get tftp configured correctly, there is some chance?