Friday, November 26, 2021

Getting IEEE 802.11s (mesh) and 802.11r (fast transition) working on some old hardware in OpenWRT 21.02.1

OpenWRT has got to be one of my favorite Linux distributions of all time. It is small, efficient, simple, and well-thought-out. I've been running OpenWRT (and LEDE, and OpenWRT) for a very long time on TP-Link hardware, which can often be scored off of eBay for $20 -- and even less -- at the Goodwill Store (imagine my incredible glee when I scored a WDR3500 for $6).

The TP-Link WDR4300, 3600, and 3500 all use Atheros system-on-chip and offer 802.11g/n and 802.11an, which, for my modest home use, has been satisfactory since 2012. What's really interesting is that OpenWRT *still* is still supported on these devices. 

Making a more "modern" network consisting of mesh networking and fast transitioning has been a challenge because of how many iterations the software has gone through. For some time, I have wanted to walk through the house and roam across APs with minimal service interruption. After tinkering, I finally have mostly everything working.

I will now dispel old Internet lore regarding these devices:

  1. 802.11s mesh networking works "out of the box." You do NOT need to install wpad-mesh-wolfssl any more. However, on my hardware, 802.11s does NOT work with encryption. SAE encryption is supported in the LuCI UI, but when this is attempted, the devices refuse to talk to one another. Perhaps this will be fixed in a later version of OpenWRT.

  2. 802.11r fast transition requires identical SSIDs and encryption on all APs you want to roam between, which should seem obvious. What is not obvious is that all APs must have the same user-specified mobility domain, and "Generate PMK locally" must be checked. Options involving PMK, R0 and R1 keys do not need to be specified and are automatically managed by OpenWRT. I have read documentation stating that mobility domains are automatically generated by OpenWRT but what I have found is that if they are not specified, then fast transition does not work correctly.

  3. I have found that a lot of IoT devices do not enjoy dissociation on low acknowledgement at all. As soon as the AP dissociates them, they immediately re-associate. Even my Windows 10 laptop seems to do this. So I figured that I would disable this option (it is enabled by default). This seems to make things a little less bumpy for these low-cost devices.

Below, I have included /etc/config/wireless from my "gateway" AP which serves as the central point of access:

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/ahb/18100000.wmac' # There will be some default here, don't change it 
	option htmode 'HT40'
	option channel '9'
	option cell_density '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0' # There will be some default here, don't change it
	option htmode 'HT40'
	option channel '36'
	option cell_density '0'
	option noscan '1'

config wifi-iface 'mesh'
	option ifname 'mesh0'
	option network 'mesh lan'
	option device 'radio1'
	option mode 'mesh'
	option mesh_id 'YourSSIDMesh'
	option key 'your_secret_key'
	option mesh_fwding '1'
	option mesh_rssi_threshold '0'
	option encryption 'none' # maybe 'SAE' will work one day

config wifi-iface 'wifinet0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'YourSSID'
	option encryption 'psk2+ccmp'
	option key 'your_secret_key'
	option auth_cache '1'
	option skip_inactivity_poll '1'
	option ieee80211r '1'
	option ft_over_ds '1'
	option ft_psk_generate_local '1'
	option mobility_domain '3137' # four digits, same across all interfaces
	option max_inactivity '20'
	option disassoc_low_ack '0'

config wifi-iface 'wifinet1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'YourSSID'
	option encryption 'psk2+ccmp'
	option key 'your_secret_key'
	option auth_cache '1'
	option skip_inactivity_poll '1'
	option ieee80211r '1'
	option ft_over_ds '1'
	option ft_psk_generate_local '1'
	option mobility_domain '3137' # four digits, same across all interfaces
	option disassoc_low_ack '0'
	option max_inactivity '30' 

Similarly, the following is the configuration from a mesh "repeater" node.

config wifi-device 'radio0'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/ahb/18100000.wmac' # There will be some default here, don't change it 
	option htmode 'HT40'
	option channel '3'
	option cell_density '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0' # There will be some default here, don't change it
	option htmode 'HT40'
	option channel '36'
	option noscan '1'
	option cell_density '0'

config wifi-iface 'mesh'
	option ifname 'mesh0'
	option network 'mesh lan'
	option device 'radio1'
	option mode 'mesh'
	option mesh_id 'YourSSIDMesh'
	option key 'your_secret_key'
	option mesh_fwding '1'
	option mesh_rssi_threshold '0'
	option encryption 'none' # maybe 'SAE' will work one day

config wifi-iface 'wifinet0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'YourSSID'
	option encryption 'psk2+ccmp'
	option key 'your_secret_key'
	option auth_cache '1'
	option skip_inactivity_poll '1'
	option ieee80211r '1'
	option ft_over_ds '1'
	option ft_psk_generate_local '1'
	option mobility_domain '3137' # four digits, same across all interfaces
	option disassoc_low_ack '0'
	option max_inactivity '20'

config wifi-iface 'wifinet1'
	option device 'radio1'
	option network 'lan'
	option mode 'ap'
	option ssid 'YourSSID'
	option encryption 'psk2+ccmp'
	option key 'your_secret_key'
	option auth_cache '1'
	option skip_inactivity_poll '1'
	option ieee80211r '1'
	option ft_over_ds '1'
	option ft_psk_generate_local '1'
	option mobility_domain '3137' # four digits, same across all interfaces
	option disassoc_low_ack '0'
	option max_inactivity '20'


 
 

No comments: