Multiple SSID should not be a problem related to mesh.
On firmware 2.13 you should be able to install batman-adv
One 2.17 you cannot access repo, this is true. When I upgrade firmware for testing, I will try to use the old repo. But you cannnot install kernel modules.
Waiting for your BATMAN-ADV encryption.
Correction: kmod-batman-adv will install. Having the flu really breaks my reasoning. I’m trying configurations now.
I’m not limited in the number of SSIDs except for the driver limit of 8 which is not the issue. The issue I’m running into with the 802.11s mesh is configuring the bridges to provide some sort of isolation between SSIDs. The 802.11 mesh acts as a virtual switch, much like BATMAN, so even with SSIDs bridged to MESH one bridge per SSID, everything can see everything. There’s not a lot of point in multiple SSIDs if there’s no isolation between them. As the 802.11s mesh is acting as a switch, one might think it would take a VLAN configuration. Thus far I haven’t figured out how to accomplish that. Putting VLANs on the bridges is something I haven’t successfully tested. I’m not trying to get to the Ethernet ports at all. Everything will land on a controller that is part of the mesh and it will deal with assigning addresses to the mesh VLANs, walled garden, etc. (Hint: batman-adv has VLANs - that’s what it is so often selected).
I’ll look forward to 2.18.
Thanks for your insights!
M
WPA2 CCMP Encryption using PSK2 on an ad-hoc wireless connection
Pre configuration I could see my ICMP (Ping packets)
Post configuration they are replaced with QoS packets with a CCMP (AES) payload
Someone please duplicate and test to ensure result is an actual encrypted channel!!!
@Justin: This should work regardless of the routing/bridging protocol, aka OLSR should work.
@Alzhao: As promised:
M
This works for 802.11s, not BATMAN
What’s not working? I’ve got 7 AR150s on 2.13 running this config with 3 kmod-batman-adv VLANs on top. Works a charm! Did you establish the adhoc without encryption and test at the adhoc level first? I had trouble initially going directly to a full config. I suspect the settings the GLi web interface is setting in wireless for radio0 (11ng, HT40, and noscan instead of 11g, and HT40). After I worked that bit out the adhoc is working great.
M
I mean, seems that the mesh config is using 802.11s, not batman-adv. Anyway I will test further.
These instructions might work for 802.11s, but I didn’t test 802.11s with this particular method.
I didn’t include any mesh as it doesn’t matter. This puts the interface in ad-hoc and adds encryption. Whatever we do above that with batman-adv or OLSR will ride the interface as it is configured. See the next message for real world testing.
This weekend I ran 8 AR150s at an outdoor festival using the instructions above to establish a secure backbone. A couple of friends swore it wasn’t possible to run security over ad-hoc and did me the favor of validating the configuration while it was live. All of the data packets they captured were encrypted with CCMP (a.k.a. AES). Management frames were of course in the clear and that’s a challenge for another day.
The network covered ~328,000 square feet or ~30,000 square meters. The majority of the units ran with 5 dBi antennas while some ran 11 dBi directional antennas along the edge of the property and through a tree line. Performance was reasonable within 3 hops to the Internet gateway. Beyond 3 hops, round trip time impacted performance and exceeded 500 ms. There was no power in the middle of the property so some APs were 4 hops to the gateway. Still, for the intended purpose, the network ran well. I believe that with proper antennas and a bit more height, I could cut the number of units to 4 while improving the signal and round trip times.
Here’s what I used for security on 802.11s:
config wifi-iface
option device 'radio0'
option mode 'ap'
option ssid 'm2'
option network 'mesh2'
option encryption 'psk-mixed'
option key '********'
The following works on ad-hoc:
config wifi-iface
option device 'radio0'
option mode 'adhoc'
option ssid 'mesh'
option bssid '02:02:02:02:02:02'
option network 'mesh'
option encryption 'psk2'
option key '********'
Both require replacing wpad-mini with wpad + authsae. I see no reason that psk2 and psk-mixed can't be interchanged and psk2 would of course be the better choice. The end result is still CCMP data packets as they consider that the first stop in WPAd.
M
Very, very interesting post. Thanks for coming back with your results!
By chance, did you eventually go with BATMAN or OLSR? If so, is adding that file all you needed to do to make encryption work?
Thanks again for updating us on the progress of this project, should be beneficial to other users in the same situation.
A lot of people helped get me this far and paying it forward feels right.
By chance, did you eventually go with BATMAN or OLSR?I went with kmod-batman-adv from a field of OLSR, 802.11s, and BATMANd. Reasons:
If so, is adding that file all you needed to do to make encryption work?
Thanks. I will test more on my side next week.
Thank you very much @Mmonaghan for the update. This is very useful information for my network as well.
How’s the mesh been holding up since you got it setup last year? Have you made any improvements or changed over to 802.11s since April?
Hello!
Sorry to revive an old thread. Given the amount of interest in running a mesh network over a WPA2 secured connection, I have written a bit of documentation on how to setup OLSR over a WPA2 Ad-Hoc network.
This has been tested on all GL-Inet routers with Atheros based chips (NOT MEDIATEK!)
https://www.justingoetz.net/docs/docs_openwrt/olsr/adhoc-wpa.html
If you have any questions or comments regarding the documents please do let me know!
Best of luck with your mesh adventures.