AR150 Wireless Mesh

Hello,

I’m looking to deploy a bunch of the AR150s in a MESH net. The long version of the background is below. My big question is can I configure them in a way that is cost effective. What I’d like to do is have 3 SSIDs on the single on-board radio:

MESH net to Internet Gateway - All traffic crosses this to get to the Internet, walled garden controller, RADIUS, etc. - WPA2 PSK

SSID1 for Staff - used for registration, card processing, VOIP etc. - WPA2 PSK

SSID2 for Vendors - used for card processing and email - WPA1/2 EAP via RADIUS

The captive portal, RADIUS, and Internet routing will be handled by a separate controller so the AR150 won’t have to deal with these other than pass EAP to the RADIUS server to see what’s up. It would be nice, but not critical to have OpenVPN support for the RADIUS traffic.

So is it reasonably possible to configure OpenWRT to support this configuration with the AR150?

The background:

This client has moved from 30,000 sq ft site to a 250,000 sq ft site. There’s no power at the new site so everything has to run from batteries or generators. I guess they thought I could use a challenge. Based on the EIRP of 22 dBm and -98 dBm sensitivity with the external antenna it looks like 7 units will cover the site with the required overlap for the MESH to be reliable. They’ll be 9 to 16 feet off the ground so all units will have a clear line of sight on each other. Power will be coming from a set of USB Power Packs and so long as I don’t require a USB radio should power everything for 12 hours. The 0.6W power requirement is pretty impressive on that AR150. Everything will be mounted in water resistant enclosures and the antenna will be mounted on the underside of the enclosure. They are reflective to prevent heat buildup.

Any thoughts are welcomed.

 

Hello!

I work with a project out of Pittsburgh, PA called PittMesh that has a similar setup, and we have recently begun using the same router model. We use our routers to link buildings all over the city. The only major difference from our network is the captive portal, and WPA2 Encryption on the mesh backhaul.

We use a protocol called OLSR, or Optimized State Link Routing protocol, which creates the mesh network itself, however I can’t find any information as to using it with WPA2. Our network leaves the mesh backhaul unencrypted, as it is a public network. I’m going to look into somehow using WPA2 with OLSR, but if I recall I don’t believe there is support for it. There may be other mesh protocols, but I can’t be of much assistance with those.

I can confirm in your case though that you can set up multiple SSIDs, but only on Atheros-based routers, such as the AR150s. GL-Inet routers such as the MT300N or MT300A use a MediaTek chip, which doesn’t support simultaneous SSID broadcasts. But the AR150 should have no trouble with what you want to accomplish.

Also, you should be able to power the routers from the USB battery packs without much issue. We’ve tested a couple USB battery packs with the AR150 and found it to last a decent amount of time - we only tested with some really cheap power packs from China - so we only got about 3 hours runtime, but if you have a half decent power pack you should have no trouble. I would test first though, to ensure that the routers run as long as you want.

Justin,

Thanks for the pointer! Looks like PittMesh is using Meta Mesh’s system and it has good documentation.

Encryption is something I’ll have to resolve. I’m betting someone would frown upon me leaving credit card transactions on an unprotected wireless network. It looks like AuthSAE has been broken for a very long time. 802.11s is in the trunk now which should bring the Supplicant into grasp, but it might require radio firmware to enable. I’m not going to count on stumbling into luck with the WPA supplicant without a working firmware for the radio, but I will test it. I think that leaves me hacking a fix as others have done, begging for a patch, or running a VPN back to the controller. Worst case I could do something like:

SSIDs for vendors and staff <-> OPEN VPN <->Ethernet WAN <-> Ethernet LAN <-> MESH <-> Controller <-> Open VPN <-> processors

I don’t know why, but I feel pretty strongly that a lot isn’t going to glue to the mess without a 55 gallon drum of friction eliminator.

I might have to consider putting two AR150s in the air at each point if anything is broken in the chain. I think I read that OPEN VPN is still questionable on the AR150s without special firmware.

I’ve been looking at OLSR and BATMAN. The advantage of BATMAN is that it is very lightweight and supports some control over items like gateways. I’m pretty sure either is a non-issue until I hit a couple of dozen nodes. OLSR documentation seems pretty solid and straight forward.

Thanks for the confirmation on Multiple SSIDs on Atheros. I was pretty sure that is an ATH9K feature. I know a few others can do multiple SSIDs but the multimode (combining adhoc for mesh and sta for AP) is a no go for most non ATH9K cards.

In good news I have a variety of 37+WH USB Power Packs coming for this project. Even if I have to double up AR150s and am pulling 1.2 watts, I should still have 30 hours of run time. My only big concern is the heat of the day causing the batteries to discharge or the converter to heat up lowering its efficiency. There’s something sexy about putting a router in the air with no wires and walking away for the weekend. I’ll take that test advice though. Knowing how my application will affect run time is worth a few days in the lab.

Thanks again!

Mike

I just wish I could have been more assistance when it comes to the encryption. I’ve been searching for a while now but I cannot find any WPA compatibility with OLSR.

I have however been playing around with another idea, what if you were to put a central AR150, then have all other AR150s connect as wireless clients? It wouldn’t technically be a true “mesh”, but it should allow for WPA encryption. How bandwidth heavy will this event be? Is it just for credit card transactions mainly, or will there be people there streaming video, uploading to social media, etc?

I run OpenVPN on my AR150 (2.13) using TAP to communicate with my OpenVPN Server on OpenWrt 15.05 RC2 (PC-Engines ALIX). If I recall there are\were some issues installing packages via Luci, but I could\did install them via CLI using OPKG.

Justin,

Actually you did help with the encryption. You gave me some hints by bounding it with, it isn’t a BATMAN only issue. You also took the big “is this even possible” off the list. It’s amazing what a little focus can do.

Seems some are having success with BATMAN and OLSR by removing wpad-mini and replacing with either wpad or the supplicant:

https://wiki.openwrt.org/doc/howto/mesh.80211s

https://forum.openwrt.org/viewtopic.php?id=39659

I should have hardware tomorrow and will poke at this.

People have it working, but few are actually sharing the end result. Ex: OpenWrt Forum Archive

Justin,

I have however been playing around with another idea, what if you were to put a central AR150, then have all other AR150s connect as wireless clients? It wouldn’t technically be a true “mesh”, but it should allow for WPA encryption. How bandwidth heavy will this event be? Is it just for credit card transactions mainly, or will there be people there streaming video, uploading to social media, etc?

That is actually how my smaller systems work right now. For small sites where everything can hit one node it works fine. Bigger sites are leading to issues with repeaters and requiring boots on the ground. If a router doesn't associate with the right upstream AP, and turns up the public facing SSIDs, it is likely to cause an outage.

Filling holes in coverage is also problematic. This could be the topic for a book. There are a lot of barriers for the untrained like estimating distance in a straight line, reading 4" high numbers from 50+ feet away, carrying binoculars… The hardware on the other hand is an expert at determining who its best peers are. Once it connects it can call home to get configuration. Heck it can even determine if the configuration was a dud, and revert to a baseline recovery config. APs are highly trainable and rarely forget.

So my idea here is to get a setup where if they can fly it, it will do something reasonable. This will allow me to put a couple of extra APs and Controllers in the box for emergencies, swaps, fills, etc, and simple instructions on how not to kill oneself flying an AP. I can think of a lot of ways to get there. Mesh seems like a good start. Worst case, the router can run scripts on a timer and self configure. I just had to move us to technology that is able to do these things. Fortunately some fine engineer thought about open source and power consumption for the AR150. It was an easy argument. “The AR150 wants 0.6W. The next best wants 5.6W. How much battery do you want to purchase?”

M

 

 

 

RangerZ,

I appreciate the collision avoidance there. I certainly would have started with LuCi. What do you think about that ALIX? I loved the WRAPs.

 

M

The hardware arrived Friday afternoon. Firmware 2.12 was on-board and while I could do a great many things, I couldn’t get OLSRd or BATMAN-adv to install. After loading firmware 2.13, OLSRd installed without a hitch. I set up 3 in mesh mode and headed for the park. I plotted AP1 and AP2 180 feet apart and 12 feet up and they both came up and talked with a 42dB SNR in partly cloudy conditions with 46% humidity and 70F. AP3 was mounted to a 12 foot pole and I set off across the field. It was able to maintain 30dB SNR at 550 ft to AP2 and 500 ft to AP1. Oddly when I walked AP2 away in the same line it only reached 420 ft before hitting 30dB SNR with AP1. The mesh routes packets and with a connection to AP1 I was able to see good signal across all three APs.

To setup the OLSR mesh, I used the instructions at Meta Mesh with very minor adjustments to create a flatter routing model. Much thanks to Justin for making that connection. While many claim BATMAN to be a better routing solution, I’m seeing a lot of “studies” that claim it uses a lot more traffic for the same end result.

Kudos to the GLi team for making these very power efficient. In the lab I powered a pair off a 10Ah USB power pack for 6 hours. It still claimed it was at least 75% charged.

 

On the down side, something odd happened with AP3 and while connected to it I received “connection refused” messages after a short time while attempting to access the other APs via HTTP or ping. AP1 and AP2 never refused connections and always reached AP3 without issue. I suspect the firewall or routing tables are wrong.

I’d love to implement BATMAN and might play with 2.17.

Still on the list of things to figure out:

  1. Encryption on the mesh.

  2. Configuring APs for roaming across the mesh. I know it can be done, but I’m blanking on how to get OLSR to come along for the ride. It’s very insistent on non-overlapping IP ranges. I might be thinking at the wrong layer.

  3. Find out how to prevent the AP SSIDs from coming up until the mesh has made a connection and received routing data.

  4. Look at firmware 2.17 to see if it provides any advantages over 2.13.

  5. Compile the whole thing locally to ensure we can respond to dependency issues.

Thanks again for the help!

M

@Mmonaghan

Very happy with my ALIX boxes (I have 2, an older one with 128MB memory and the 700mhz cpu, no USB as backup now). Depending on your need and location, they can be had for cheap on ebay. But for more than about $50, I think I would buy the APU or something else. I do not use these for wireless, just gateway and vpn. It also is only a 100Mbps board, which is ok with my service.

Do you have antennas on these?

Can you measure performance (www.speedtest.et or similar) at various points and let us know!

Would be a good Blog article.

2.13 vs 2.17

2.17 has batman-adv, some support for batman, and openvpn-openssl.

2.17 has no repositories. The software that’s installed is what you get.

OLSR vs BATMAN

I keep reading articles that state that OLSR has less traffic than BATMAN. Well that’s true if and only if, you’re good with routed network. OLSR works at layer 3 while BATMAN is at layer 2. OLSR depends on routing and daemons to make magic. BATMAN treats the whole network like a switch. So if routing is all you need, then OLSR is a clear winner. If instead you want multiple SSIDs on multiple APs and wish to mesh the backhaul, then the tide turns in favor of BATMAN. All the daemons you’ll need to forward DHCP, ARP, and everything else you need over OLSR will surely equal the traffic of BATMAN and the complexity is completely different.

M

 

@RangerZ,

I always wanted to put a couple of the ALIX in the mix, but never had the traffic to justify moving off the WRAPs. I’ve got wifi cards in a few of them with encryption accelerators as well. PC Engines did a fine job.

I have 5dBi antennas on the AR150s. EIRP is likely 22 or 23 dBm.

Once I have the mesh running, I’ll see about a speed test. All of this is going to be fed by cellular hot-spots so I’m not sure we’ll see any degradation as the strongest link is 6M. I’d love to roll a satellite truck, but no power equals a fuel bill.

I’m thinking more a “how to” in the OpenWRT wiki.

@RangerZ,

By your request… Speed tests

Network Configuration

ISP Premise <> R1 WAN <FW> R1 LAN

<> WAN AR#1 <BR> W AP#1 on AR1 <FW+Masq> W AP#2 on AR#1

<BR> 80211s Mesh <BR> W AP#3 on AR#3

| Ping | Down | Up | Test Point |
|------|------|-----|------------|
| 23 | 9.0 | 0.8 | R1 LAN interface |
| 28 | 12.4 | 0.9 | AP#1 (Nice to see the buffer bloat code works) |
| 29 | 11.2 | 1.0 | AP#2 (bridged to Mesh on router connected to Internet source) |
| 27 | 8.05 | 0.9 | AP#3 (crossing mesh to get to Internet) |

Not at all shabby. That’s with encryption on the 80211s mesh and nothing on the AP test points. Next up a field test to determine if these will work at 300 ft spacing with 80211s and encryption enabled across 3 mesh points.

The 10AH USB battery pack held for 28 hours with 2 AR150s on it. That would be close to 56 hours with one AR150 on it.

M

Very useful info. Hope you can share your mesh encryption settings.

On firmware 2.17, it is mainly testing OpenVPN.

For mesh, I think the most important thing is the WebUI, monitoring and management. I hope to make it work later.

@Alzhao,

2.17 worked okay for me, but the repositories for it were empty and being an OpenWRT noob I couldn’t figure how to update. I moved back to 2.13 as I feared I’d need some package to make things work, although I’ll say it looks like you had the majority of packages installed for BATMAN.

I agree that WebUI monitoring and management are key. I’m working on the same elements for large scale deployments.

Now why would you want the encryption settings? (lol) I was actually shocked to learn that most people have been misinformed and I updated the OpenWRT Wiki to correct a typo in the encryption settings. It is amazing what changing + to / will accomplish. Fortunately the source was pretty well documented so I found the error.

Steps to setup 80211s mesh.

SSH/Putty to the router.

    opkg remove wpad-mini
    opkg install wpad authsae
    opkg install joe    # optional text editor for haters of vi


This replaces wpad with the full version which includes full support for mesh auth. You might also try wpa-mesh which is a bit smaller. Authsae handles the “Simultaneous Authentication of Equals” protocol required to share WPAx-PSK between peers.

In /etc/config/wireless

    config wifi-iface
        option device 'radio0'
        option mode 'mesh'
        option encryption 'psk2/aes'
        option key 'your encryption key'
        option ssid 'bachhaulmesh'
        option network 'network_name'
        option mesh_id 'mess_network_name'


If you want you can pre-configure the network interface and wifi in Luci. It will be missing 3 key items:

  1. option mesh_id 'm2'

This is like an ESSID for a mesh and must match across all mesh points (MP). This alone will allow the mesh to come up without encryption.

  2. option encryption 'psk2/aes'

This sets the encryption method. Like the great Henry Ford used to say, you can have any encryption you want, so long as it’s psk2/aes.

  3. option key 'your encryption key'

Replace 'your encryption key' and you’re good to go!

I’ve tested to ensure the Wifi is actually encrypted, and indeed it shows as WPA2/AES. Recent versions of Wireshark have a dissector and it agrees.

So my current challenge is that I want multiple SSIDs on each AP. I could accomplish this by adding them to the same MESH, but that would leave them in the same broadcast domain and someone would notice. I’ve tried establishing a second 80211s mesh, but doing so immediately kills all WiFi on the device. There was nothing of note in the log. Disabling mesh two restored wifi. My only guess is that I need to establish VLANS on the mesh interface. I have no idea how to establish a VLAN in OpenWRT and digging through the web I haven’t found anything other than VLANs on Ethernet ports or switches. Anyone have a clue?

Thanks,

M
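An added example, not part of the original post and not OpenWrt's own tooling: a shell check that reads a wireless config file and flags mesh stanzas missing the three items listed above (mesh_id, encryption, key), including the `+` for `/` typo. The function names, the 8-character key minimum and the sample config are assumptions constructed for illustration.

```shell
# Added example: audit mesh stanzas in an OpenWrt wireless config; one finding per line.
audit_mesh_config() {
    awk -v q="'" '
    function unquote(s) {   # drop trailing blanks and surrounding quotes
        sub(/[ \t]+$/, "", s); gsub("^[\"" q "]|[\"" q "]$", "", s); return s
    }
    function report(   who, enc, key) {
        if (!in_iface || opt["mode"] != "mesh") return
        who = "wifi-iface #" n; enc = opt["encryption"]; key = opt["key"]
        if (opt["mesh_id"] == "") print who ": mesh_id missing"
        if (enc == "" || enc == "none")
            print who ": no encryption set, mesh would come up open"
        else if (enc != "psk2/aes")
            print who ": encryption " enc " is not psk2/aes"
        if (key == "your encryption key")
            print who ": key is still the placeholder"
        else if (length(key) < 8)   # assumed minimum, not from the post
            print who ": key missing or shorter than 8 characters"
    }
    $1 == "config" {            # a new stanza starts: judge the previous one
        report(); split("", opt)
        in_iface = (unquote($2) == "wifi-iface"); n += in_iface; next
    }
    in_iface && $1 == "option" {
        val = $0; sub(/^[ \t]*option[ \t]+[^ \t]+[ \t]+/, "", val)
        opt[unquote($2)] = unquote(val)
    }
    END { report() }
    ' "$1"
}

# Constructed sample config (hypothetical values, not from a real device).
write_sample() {
    cat > "$1" <<'EOF'
config wifi-iface
    option mode 'ap'

config wifi-iface
    option mode 'mesh'
    option mesh_id 'm2'
    option encryption 'psk2/aes'
    option key 'constructed-mesh-passphrase'

config wifi-iface
    option mode 'mesh'
    option mesh_id 'm2'
    option encryption 'psk2+aes'
    option key 'your encryption key'

config wifi-iface
    option mode 'mesh'
EOF
}
tmp=$(mktemp) && write_sample "$tmp" && audit_mesh_config "$tmp"; rm -f "$tmp"
```

On a router the same function can be pointed at /etc/config/wireless before the node goes up the pole; an empty result means every mesh stanza carries all three options.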

Actually I know 802.1s encryption. Any hints on BATMAN mesh encryption?

I have several ideas for encryption on batman-adv, but I can’t test any of them. Help me get a working instance of Batman with access to repositories and I’ll test them. BATMAN is the best solution for multiple SSIDs, at least until I find a way to VLAN 80211s.

Here’s what I’m hitting:

  1. Can’t install batman-adv on firmware 2.13.

  2. On firmware 2.17 I can’t access any package repositories. This is lack of knowledge on my part - I just don’t know where they are configured or how to point 2.17 at the 2.13 repository - assuming 2.17 can use the 2.13 repository. I know 2.17 is just for testing and understand why you haven’t setup repositories.

Any clues how to solve these?

As for encryption on batman-adv, there are modes in the source, but I can’t easily tell which ones are supported. WPA-NONE and IBSS RSN are heavily referenced on the open-mesh site and in numerous posts. With a working test bed I can likely find the right settings. :wink: I’m not opposed to writing up a “how-to for batman-adv on AR150 with mesh encryption”.

M