diff --git a/nix/pkgs/openwrt/uci-config.nix b/nix/pkgs/openwrt/uci-config.nix index 340a2b6..79c8951 100644 --- a/nix/pkgs/openwrt/uci-config.nix +++ b/nix/pkgs/openwrt/uci-config.nix @@ -323,16 +323,25 @@ in uci set wireless.@wifi-iface[-1].rrm_neighbor_report=1 uci set wireless.@wifi-iface[-1].rrm_beacon_report=1 + uci set wireless.@wifi-iface[-1].ieee80211r=1 - uci set wireless.@wifi-iface[-1].ft_over_ds=1 + # when unset derived from interface MAC + uci set wireless.@wifi-iface[-1].nasid=${pad 12 "0" (toString ((lib.toInt (lib.removePrefix "ap" hostName)) * 65536 + index))} + # when unset derived from the first 4 chars of the md5 hashed SSID + uci set wireless.@wifi-iface[-1].mobility_domain=${pad 4 "0" (lib.toHexString (49920 + netConfig.vlan))} + + # https://github.com/openwrt/openwrt/issues/7907 + uci set wireless.@wifi-iface[-1].ft_over_ds=0 + # as recommend in 7907 and seems to fairly often trigger while testing + uci set wireless.@wifi-iface[-1].reassociation_deadline=20000 + + # might be unused if ft_over_ds is not used uci set wireless.@wifi-iface[-1].ft_bridge=${mgmtInterface} + + # otherwise the r0kh/r1kh options below are not applied uci set wireless.@wifi-iface[-1].ft_psk_generate_local=0 - uci set wireless.@wifi-iface[-1].nasid=${pad 12 "0" ( - toString ((lib.toInt (lib.removePrefix "ap" hostName)) * 65536 + index) - )} - uci set wireless.@wifi-iface[-1].mobility_domain=${ - pad 4 "0" (lib.toHexString (49920 + netConfig.vlan)) - } + + # do not just rely on the monility domain for increased security # https://forum.openwrt.org/t/802-11r-fast-transition-how-to-understand-that-ft-works/110920/81 uci set wireless.@wifi-iface[-1].r0kh=ff:ff:ff:ff:ff:ff,\*,${netConfig.wifi.ieee80211rKey} uci set wireless.@wifi-iface[-1].r1kh=00:00:00:00:00:00,00:00:00:00:00:00,${netConfig.wifi.ieee80211rKey}
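Review bot: The new comment above the `r0kh`/`r1kh` lines (`# do not just rely on the monility domain for increased security`) is misspelled and does not say what the protection rests on: both entries are wildcards (`ff:ff:ff:ff:ff:ff,\*` and `00:00:00:00:00:00,00:00:00:00:00:00`), so any peer that knows `netConfig.wifi.ieee80211rKey` is accepted as a key holder. I would reword it to `# wildcard r0kh/r1kh: every AP holding ieee80211rKey is trusted as key holder, so the key is the only access control; mobility_domain is not a secret`. Because the key is interpolated into the generated script text, it is worth confirming that the script is not built into the world-readable Nix store and that the key is distinct from the Wi-Fi PSK. Separately, the new comment on `ft_bridge` (`might be unused if ft_over_ds is not used`) looks doubtful, since with `ft_psk_generate_local=0` the APs presumably still exchange keys over that interface even when `ft_over_ds=0`. The surrounding script string starts and ends outside the hunk, so how the key is supplied cannot be checked from here.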