Wireless configuration file
Type | Description |
---|---|
wifi-device | physical radio device |
wifi-iface | logical wifi interface |
Physical radio device
Name | Type | Required | Default | Description |
---|---|---|---|---|
type | string | yes | (autodetected) | The type is determined on firstboot during the initial radio device detection - it is usually not required to change it. Used values are broadcom on brcm47xx, or mac80211 for b43, ath5k and ath9k |
phy | string | no/yes | (autodetected) | Specifies the radio phy associated to this section. If present, it is usually autodetected and should not be changed. |
macaddr | MAC address | yes/no | (autodetected) | Specifies the radio adapter associated to this section; it is not used to change the device MAC but to identify the underlying interface. |
disabled | boolean | no | 0 | Disables the radio adapter if set to 1. Removing this option or setting it to 0 will enable the adapter |
channel | integer or “auto” | yes | auto | Specifies the wireless channel to use. “auto” defaults to the minimum channel available |
hwmode | string | no | (driver default) | Selects the wireless protocol to use, possible values are 11b, 11g, and 11a (note that 11ng and 11na are not available options, see ticket 17541) |
htmode | string | no | (driver default) | Specifies the channel width in 802.11n and 802.11ac mode. Possible values are: HT20 (single 20MHz channel); HT40- (2x 20MHz channels, primary/control channel is upper, secondary channel is below); HT40+ (2x 20MHz channels, primary/control channel is lower, secondary channel is above); NONE (disables 802.11n rates and enforces the usage of legacy 802.11 b/g/a rates); VHT20 / VHT40 / VHT80 / VHT160 (channel width in 802.11ac, extra channels are picked according to the specification). Cf. why.can.t.i.use.ht40.with.channel.11 and http://hostap.epitest.fi/cgit/hostap/tree/hostapd/hostapd.conf (search for HT40 in the web page). This option is only used for type mac80211 |
chanbw | integer | no | 20 | Specifies a narrow channel width, possible values are: 5 (5MHz channel), 10 (10MHz channel) or 20 (20MHz channel). Only supported by the ath9k/ath5k driver (since Attitude Adjustment) |
ht_capab | string | no | (driver default) | Specifies the available capabilities of the radio. The values are autodetected. See http://hostap.epitest.fi/cgit/hostap/tree/hostapd/hostapd.conf for options (search for ht_capab in web page). This option is only used for type mac80211 |
txpower | integer | no | (driver default) | Specifies the transmission power in dBm |
diversity | boolean | no | 1 | Enables or disables the automatic antenna selection by the driver |
rxantenna | integer | no | (driver default) | Specifies the antenna for receiving, the value may be driver specific, usually it is 1 for the first and 2 for the second antenna. Specifying 0 enables automatic selection by the driver if supported. This option has no effect if diversity is enabled |
txantenna | integer | no | (driver default) | Specifies the antenna for transmitting, values are identical to rxantenna |
antenna | string | no | (driver default) | Selects the antenna, possible values are vertical for internal vertical polarization, horizontal for internal horizontal polarization or external to use the external antenna connector. Only used on the Ubiquiti NanoStation device family instead of the rxantenna/txantenna settings. |
country | varies | no | (driver default) | Specifies the country code, affects the available channels and transmission powers. For type broadcom a two letter country code is used (EN or DE). The madwifi driver expects a numeric code. |
country_ie | boolean | no | 1 if country is set, otherwise 0 | Enables IEEE 802.11d country IE (information element) advertisement in beacon and probe response frames. This IE contains the country code and channel/power map. Requires country. |
distance | integer | no | (driver default) | Distance between the ap and the furthest client in meters. Only supported by madwifi, and the mac80211 type (in trunk) |
noscan | boolean | no | 0 | Do not scan for overlapping BSSs in HT40+/- mode. Only supported by mac80211. Turning this on will violate regulatory requirements! |
beacon_int | integer | no | 100 (hostapd default) | Set the beacon interval. This is the time interval between beacon frames, measured in units of 1.024 ms. hostapd permits this to be set between 15 and 65535. This option only has an effect on ap and adhoc wifi-ifaces. Only supported by mac80211 (in trunk) |
basic_rate | list | no | (hostapd/driver default) | Set the supported basic rates. Each basic_rate is measured in kb/s. This option only has an effect on ap and adhoc wifi-ifaces. Only supported by mac80211 (in trunk) |
require_mode | string | no | none | (AP mode) Set the minimum mode that connecting clients need to support to be allowed to connect. Supported values: g = 802.11g, n = 802.11n, ac = 802.11ac |
log_level | integer | no | 2 | Set the log_level. Supported levels are: 0 = verbose debugging, 1 = debugging, 2 = informational messages, 3 = notification, 4 = warning |
The options below are only used by the proprietary Broadcom driver (type broadcom).
Name | Type | Required | Default | Description |
---|---|---|---|---|
frameburst | boolean | no | 0 | Enables Broadcom frame bursting if supported |
maxassoc | integer | no | (driver default) | Limits the maximum allowed number of associated clients |
slottime | integer | no | (driver default) | Slot time in milliseconds |
Logical wireless interface
Name | Type | Required | Default | Description |
---|---|---|---|---|
device | string | yes | (first device id) | Specifies the used wireless adapter, must refer to one of the defined wifi-device sections |
mode | string | yes | ap | Selects the operation mode of the wireless network interface controller (some are supported simultaneously by some drivers): ap for Access Point, sta for managed (client) mode, adhoc for Ad-Hoc, wds for static WDS, monitor for monitor mode, mesh for IEEE 802.11s mesh mode. mesh mode is only supported by mac80211 (in trunk) |
disabled | boolean | no | 0 | When set to 1, wireless network is disabled. |
ssid | string | yes | OpenWrt | The broadcasted SSID of the wireless network (for managed mode the SSID of the network you're connecting to) |
bssid | BSSID address | no | (driver default) | Override the BSSID of the network, only applicable in adhoc or sta mode. In wds mode specifies the BSSID of another AP to create WDS with. |
mesh_id | Mesh ID | no | none | The Mesh ID as defined in IEEE 802.11s. If set, the wireless interface will join this mesh network when brought up. If not, it is necessary to invoke iw <iface> mesh join <mesh_id> to join a mesh after the interface is brought up. Only supported by mac80211 (in trunk) |
hidden | boolean | no | 0 | Turns off SSID broadcasting if set to 1 |
isolate | boolean | no | 0 | Isolate wireless clients from each other, only applicable in ap mode. May not be supported in the original Backfire release for mac80211 |
doth | boolean | no | 0 | Enables 802.11h support. Not supported for the mac80211 type yet |
wmm | boolean | no | 1 | Enables WMM (802.11e) support. Required for 802.11n support |
network | string | yes | lan | Specifies the network interface to attach the wireless to. Most wireless drivers do not support bridging in client mode (see Bridged Client Mode Issues and relayclient, as well as notes on specific devices, e.g. wl500gp and tplink wr841nd), so if the wifi interface uses the mode 'sta', it cannot be attached to networks that are creating a bridge or already have switch interfaces connected. |
encryption | string | no | none | Wireless encryption method. none for an open network, wep for WEP, psk for WPA-PSK, or psk2 for WPA2-PSK. See the WPA modes table for additional possible values. For an access point in WEP mode, the default is “open system” authentication. Use wep+shared for “shared key” authentication (less secure), wep+open to explicitly use “open system,” or wep+mixed to allow either. wep+mixed is only supported by hostapd. |
key | integer or string | no | (none) | In any WPA-PSK mode, this is a string that specifies the pre-shared passphrase from which the pre-shared key will be derived. If a 64-character hexadecimal string is supplied, it will be used directly as the pre-shared key instead. In WEP mode, this can be an integer specifying which key index to use (key1, key2, key3, or key4). Alternatively, it can be a string specifying a passphrase or key directly, as in key1. In any WPA-Enterprise AP mode, this option has a different interpretation. |
key1 | string | no | (none) | WEP passphrase or key #1 (selected by the index in key). This string is treated as a passphrase from which the WEP key will be derived. If a 10- or 26-character hexadecimal string is supplied, it will be used directly as the WEP key instead. |
key2 | string | no | (none) | WEP passphrase or key #2 (selected by the index in key), as in key1. |
key3 | string | no | (none) | WEP passphrase or key #3 (selected by the index in key), as in key1. |
key4 | string | no | (none) | WEP passphrase or key #4 (selected by the index in key), as in key1. |
macfilter | string | no | disable | Specifies the mac filter policy, disable to disable the filter, allow to treat it as whitelist or deny to treat it as blacklist. Supported for the mac80211 since r25105 |
maclist | list of MAC addresses | no | (none) | List of MAC addresses (divided by spaces) to put into the mac filter. |
iapp_interface | string | no | (none) | Specifies a network interface to be used for 802.11f (IAPP) - only enabled when defined. |
rsn_preauth | boolean | no | 0 | Allow preauthentication for WPA2-EAP networks (and advertise it in WLAN beacons). Only works if the specified network interface is a bridge. |
ieee80211w | integer | no | 0 | Enables MFP (802.11w) support (0 = disabled, 1 = optional, 2 = required). Only supported by the ath9k driver (since 10.03) |
ieee80211w_max_timeout | integer | no | (hostapd default) | Specifies the 802.11w Association SA Query maximum timeout. Only supported by the ath9k driver (since 10.03) |
ieee80211w_retry_timeout | integer | no | (hostapd default) | Specifies the 802.11w Association SA Query retry timeout. Only supported by the ath9k driver (since 10.03) |
maxassoc | integer | no | (hostapd/driver default) | Specifies the maximum number of clients to connect. |
macaddr | mac address | no | (hostapd/driver default) | Overrides the MAC address used for the wifi interface. |
dtim_period | integer | no | 2 (hostapd default) | Set the DTIM (delivery traffic information message) period. There will be one DTIM per this many beacon frames. This may be set between 1 and 255. This option only has an effect on ap wifi-ifaces. Only supported by mac80211 (in trunk) |
short_preamble | boolean | no | 1 | Set optional use of short preamble. Supported for the mac80211 since r35565 |
max_listen_int | integer | no | 65535 (hostapd default) | Set the maximum allowed STA (client) listen interval. Association will be refused if a STA attempts to associate with a listen interval greater than this value. This option only has an effect on ap wifi-ifaces. Only supported by mac80211 (in trunk) |
mcast_rate | integer | no | (driver default) | Sets the fixed multicast rate, measured in kb/s. Only supported by madwifi, and mac80211 (for type adhoc in trunk) |
See the WPA tables below for a full listing of WPA related options used for WPA2 Enterprise (802.1x) | | | | |
See the WPS Options below for a full listing of Wi-Fi Protected Setup options. | | | | |
wds | boolean | no | 0 | This sets 4-address mode |
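How a `key` value is interpreted in a WPA-PSK mode, as an added example that is not OpenWrt or hostapd code: a passphrase is expanded with PBKDF2-HMAC-SHA1 (4096 iterations, SSID as salt, 256-bit output) as IEEE 802.11i specifies, while a 64-character hexadecimal string is taken as the key itself. The function name `resolve_psk` and the sample values are assumptions made for the example.

```python
import hashlib
import re

def resolve_psk(key, ssid):
    """Return (psk_bytes, source) for a WPA-PSK `key` value and the interface `ssid`."""
    if re.fullmatch(r"[0-9A-Fa-f]{64}", key):
        # 64 hex characters: used directly as the 256-bit key, the SSID plays no part.
        return bytes.fromhex(key), "raw"
    if not 8 <= len(key) <= 63:
        # IEEE 802.11i limits passphrases to 8..63 characters.
        raise ValueError("passphrase must be 8 to 63 characters")
    # Passphrase: PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations, 32 bytes out.
    psk = hashlib.pbkdf2_hmac("sha1", key.encode(), ssid.encode(), 4096, 32)
    return psk, "derived"

if __name__ == "__main__":
    # Constructed values; "OpenWrt" is the default ssid listed in the table above.
    for ssid in ("OpenWrt", "office"):
        psk, source = resolve_psk("correct horse battery staple", ssid)
        print(ssid, source, psk.hex())
```

Because the SSID is the salt, the same passphrase yields a different pre-shared key on every SSID, so changing `ssid` changes the derived key even when `key` stays the same.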
Besides the WPA mode, the encryption option also specifies the group and peer ciphers to use. To override the cipher, the value of encryption must be given in the form mode+cipher. See the listing below for possible combinations. If the hwmode of the interface is set to ng or na, then the CCMP cipher is always added to the list.
Value | WPA Version | Ciphers |
---|---|---|
psk2+tkip+ccmp psk2+tkip+aes | WPA2 Personal (PSK) | TKIP, CCMP |
psk2+tkip | WPA2 Personal (PSK) | TKIP |
psk2+ccmp psk2+aes psk2 | WPA2 Personal (PSK) | CCMP |
psk+tkip+ccmp psk+tkip+aes | WPA Personal (PSK) | TKIP, CCMP |
psk+tkip | WPA Personal (PSK) | TKIP |
psk+ccmp psk+aes psk | WPA Personal (PSK) | CCMP |
mixed-psk+tkip+ccmp mixed-psk+tkip+aes mixed-psk | WPA/WPA2 Personal (PSK) mixed mode | TKIP, CCMP |
mixed-psk+tkip | WPA/WPA2 Personal (PSK) mixed mode | TKIP |
mixed-psk+ccmp mixed-psk+aes | WPA/WPA2 Personal (PSK) mixed mode | CCMP |
wpa2+tkip+ccmp wpa2+tkip+aes | WPA2 Enterprise | TKIP, CCMP |
wpa2+ccmp wpa2+aes wpa2 | WPA2 Enterprise | CCMP |
wpa2+tkip | WPA2 Enterprise | TKIP |
wpa+tkip+ccmp wpa+tkip+aes | WPA Enterprise | TKIP, CCMP |
wpa+ccmp wpa+aes | WPA Enterprise | CCMP |
wpa+tkip wpa | WPA Enterprise | TKIP |
mixed-wpa+tkip+ccmp mixed-wpa+tkip+aes mixed-wpa | WPA/WPA2 Enterprise mixed mode | TKIP, CCMP |
mixed-wpa+tkip | WPA/WPA2 Enterprise mixed mode | TKIP |
mixed-wpa+ccmp mixed-wpa+aes | WPA/WPA2 Enterprise mixed mode | CCMP |
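A configuration check built on the table above, as an added example that is not part of OpenWrt: it reads `config`/`option` lines in the wireless file's syntax, resolves each `wifi-iface` `encryption` value to its mode and ciphers (including the ciphers a bare mode implies), and reports interfaces that are open, use WEP, enable TKIP or accept WPA version 1. The function names, the finding labels and the sample configuration are assumptions made for the example.

```python
import re
# Constructed sample in /etc/config/wireless syntax (not taken from the page).
SAMPLE = """
config wifi-device 'radio0'
	option type 'mac80211'

config wifi-iface
	option device 'radio0'
	option ssid 'guest'

config wifi-iface
	option device 'radio0'
	option ssid 'office'
	option encryption 'mixed-psk'

config wifi-iface
	option device 'radio0'
	option ssid 'lab'
	option encryption 'psk2+aes'
"""

# From the table above: ciphers a bare mode implies, and modes older than WPA2.
BARE = {"wpa": {"tkip"}, "mixed-psk": {"tkip", "ccmp"}, "mixed-wpa": {"tkip", "ccmp"}}
LEGACY = {"none": "open network", "wep": "WEP"}
LEGACY.update(dict.fromkeys(("psk", "wpa", "mixed-psk", "mixed-wpa"), "WPA version 1 accepted"))

def parse_sections(text):
    """Return [(section_type, {option: value})] from config/option lines."""
    sections = []
    for line in text.splitlines():
        m = re.match(r"\s*(config|option)\s+(\S+)\s*(.*)$", line)
        if m and m.group(1) == "config":
            sections.append((m.group(2), {}))
        elif m and sections:
            sections[-1][1][m.group(2)] = m.group(3).strip().strip("'\"")
    return sections

def audit(text):
    """Map each wifi-iface SSID to the findings for its encryption value."""
    report = {}
    for opts in (o for kind, o in parse_sections(text) if kind == "wifi-iface"):
        mode, *rest = opts.get("encryption", "none").split("+")  # table default: none
        ciphers = {"ccmp" if c == "aes" else c for c in rest} or BARE.get(mode, {"ccmp"})
        found = ["TKIP enabled"] if "tkip" in ciphers else []
        if mode in LEGACY:
            found.append(LEGACY[mode])
        report[opts.get("ssid", "OpenWrt")] = found  # table default ssid
    return report
```

An interface with no `encryption` option is reported as open because the option defaults to none, and a bare `mixed-psk` is reported for TKIP even though no cipher is written out.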
Listing of Access Point related options for WPA Enterprise. Basic WPA Enterprise configuration instructions
Name | Default | Description |
---|---|---|
server | (none) | RADIUS server to handle client authentication |
port | 1812 | RADIUS port |
key | (none) | Shared RADIUS secret |
wpa_group_rekey | 600 | WPA Group Cipher rekeying interval in seconds |
The options below are for hostapd (not the Broadcom nas authenticator) | | |
auth_server | (none) | RADIUS authentication server to handle client authentication |
auth_port | 1812 | RADIUS authentication port |
auth_secret | (none) | Shared authentication RADIUS secret |
auth_cache | 0 | Disable or enable PMKSA and Opportunistic Key Caching |
acct_server | (none) | RADIUS accounting server to handle client authentication |
acct_port | 1813 | RADIUS accounting port |
acct_secret | (none) | Shared accounting RADIUS secret |
nasid | (none) | NAS ID to use for RADIUS authentication requests |
ownip | (none) | NAS IP Address to use for RADIUS authentication requests - introduced in r40934 |
dae_client | (none) | Dynamic Authorization Extension client. This client can send “Disconnect-Request” or “CoA-Request” packets to forcibly disconnect a client or change connection parameters. |
dae_port | 3799 | Port the Dynamic Authorization Extension server listens on. |
dae_secret | (none) | Shared DAE secret. |
dynamic_vlan | 0 | Dynamic VLAN assignment |
vlan_naming | 1 | VLAN Naming |
vlan_tagged_interface | (none) | VLAN Tagged Interface |
vlan_bridge | (none) | VLAN Bridge Naming Scheme - added in r43473 |
The dae options were introduced in r37734
To enable Dynamic Authorization Extensions, both dae_client and dae_secret must be set.
(Dynamic) VLAN Support added in r41872
Listing of Client related options for WPA Enterprise.
Name | Default | Description |
---|---|---|
eap_type | (none) | Defines the EAP protocol to use, possible values are tls for EAP-TLS and peap or ttls for EAP-PEAP |
auth | MSCHAPV2 | “auth=PAP”/PAP/MSCHAPV2 - Defines the phase 2 (inner) authentication method to use, only applicable if eap_type is peap or ttls |
identity | (none) | EAP identity to send during authentication |
password | (none) | Password to send during EAP authentication |
ca_cert | (none) | Specifies the path to the CA certificate used for authentication |
client_cert | (none) | Specifies the client certificate used for the authentication |
priv_key | (none) | Specifies the path to the private key file used for authentication, only applicable if eap_type is set to tls |
priv_key_pwd | (none) | Password to unlock the private key file, only works in conjunction with priv_key |
When using WPA Enterprise type PEAP with Active Directory Servers, the “auth” option must be set to “auth=MSCHAPV2” or “auth=PAP”:
option auth 'auth=MSCHAPV2'
or
option auth 'auth=PAP'