====== /etc/config/wireless ======

Wireless configuration file

===== Sections =====

^ Type ^ Description ^
| [[config_wireless#wifi-device|wifi-device]] | physical radio device |
| [[config_wireless#wifi-iface|wifi-iface]] | logical wifi interface |

==== wifi-device ====

== Common options ==

Physical radio device

=== Common Options ===

^ Name ^ Type ^ Required ^ Default ^ Description ^
| ''type'' | string | yes | //(autodetected)// | The ''type'' is determined on firstboot during the initial radio device detection - it is usually not required to change it. Used values are ''broadcom'' on brcm47xx, or ''mac80211'' for b43, ath5k and ath9k |
| ''phy'' | string | no/yes | //(autodetected)// | Specifies the radio phy associated to this section. If present, it is usually autodetected and should not be changed. |
| ''macaddr'' | MAC address | yes/no | //(autodetected)// | Specifies the radio adapter associated to this section, it is //not// used to change the device mac but to identify the underlying interface. |
| ''disabled'' | boolean | no | ''0'' | Disables the radio adapter if set to ''1''. Removing this option or setting it to ''0'' will enable the adapter |
| ''channel'' | integer or "auto" | yes | ''auto'' | Specifies the wireless channel to use. "auto" defaults to the minimum channel available |
| ''hwmode'' | string | no | //(driver default)// | Selects the wireless protocol to use, possible values are ''11b'', ''11g'', and ''11a'' (note that ''11ng'' and ''11na'' are not available options, see [[https://dev.openwrt.org/ticket/17541|ticket 17541]]) |
| ''htmode'' | string | no | //(driver default)// | Specifies the channel width in 802.11n and 802.11ac mode, possible values are:\\ ''HT20'' (single 20MHz channel),\\ ''HT40-'' (2x 20MHz channels, primary/control channel is upper, secondary channel is below)\\ ''HT40+'' (2x 20MHz channels, primary/control channel is lower, secondary channel is above).\\ ''NONE'' (disbales 802.11n rates and enforce the usage of legacy 802.11 b/g/a rates)\\ ''VHT20'' / ''VHT40'' / ''VHT80'' / ''VHT160'' (channel width in 802.11ac, extra channels are picked according to the specification) \\ Cf. [[doc/faq/faq.wireless#why.can.t.i.use.ht40.with.channel.11]] and [[http://hostap.epitest.fi/cgit/hostap/tree/hostapd/hostapd.conf]] (search for HT40) in the web page. \\ :!: **This option is only used for type ''mac80211''** |
| ''chanbw'' | integer | no | 20 | Specifies a narrow channel width, possible values are: ''5'' (5MHz channel), ''10'' (10MHz channel) or ''20'' (20MHz channel). \\ :!: **Only supported by the ''ath9k''/''ath5k'' driver (since Attitude Adjustment)** |
| ''ht_capab'' | string | no | //(driver default)// | Specifies the available capabilities of the radio. The values are autodetected.  See [[http://hostap.epitest.fi/cgit/hostap/tree/hostapd/hostapd.conf]] for options (search for ht_capab in web page). \\ :!: **This option is only used for type ''mac80211''** |
| ''txpower'' | integer | no | //(driver default)// | Specifies the //transmission power in dBm// |
| ''diversity'' | boolean | no | ''1'' | Enables or disables the automatic antenna selection by the driver |
| ''rxantenna'' | integer | no | //(driver default)// | Specifies the //antenna for receiving//, the value may be driver specific, usually it is ''1'' for the first and ''2'' for the second antenna. Specifying ''0'' enables automatic selection by the driver if supported. This option has no effect if diversity is enabled |
| ''txantenna'' | integer | no | //(driver default)// | Specifies the //antenna for transmitting//, values are identical to ''rxantenna'' |
| ''antenna'' | string | no | //(driver default)//| Selects the antenna, possible values are ''vertical'' for internal vertical polarization, ''horizontal'' for internal horizontal polarization or ''external'' to use the external antenna connector\\ :!: **Only used on the [[toh:ubiquiti::nanostation|Ubiquiti NanoStation]] device family instead of the rxantenna/txantenna settings.** |
| ''country'' | varies | no | //(driver default)// | Specifies the country code, affects the available channels and transmission powers. For type ''broadcom'' a two letter country code is used (''EN'' or ''DE''). The ''madwifi'' driver expects a numeric code. |
| ''country_ie'' | boolean | no | 1 if ''country'' is set, otherwise 0 | Enables IEEE 802.11d country IE (information element) advertisement in beacon and probe response frames. This IE contains the country code and channel/power map. Requires ''country''. |
| ''distance'' | integer | no | //(driver default)// | Distance between the ap and the furthest client in meters .\\ :!: **Only supported by ''madwifi'',  and the ''mac80211'' type (in trunk)**|
| ''noscan'' | boolean | no | ''0'' | Do not scan for overlapping BSSs in HT40+/- mode.\\ :!: **Only supported by ''mac80211''** \\ :!: **Turning this on will violate regulatory requirements!** |
| ''beacon_int'' | integer | no | //100 (hostapd default)// | Set the beacon interval. This is the time interval between beacon frames, measured in units of 1.024 ms. hostapd permits this to be set between 15 and 65535. This option only has an effect on ''ap'' and ''adhoc'' wifi-ifaces. \\ :!: **Only supported by ''mac80211'' (in trunk)** |
| ''basic_rate'' | list | no | //(hostapd/driver default)// | Set the supported basic rates. Each basic_rate is measured in kb/s. This option only has an effect on ''ap'' and ''adhoc'' wifi-ifaces. \\ :!: **Only supported by ''mac80211'' (in trunk)** |
| ''require_mode'' | string | no | //none// | (AP mode) Set the minimum mode that connecting clients need to support to be allowed to connect. Supported values: g = 802.11g, n = 802.11n, ac = 802.11ac |
| ''log_level'' | integer | no | 2 | Set the log_level. Supported levels are: 0 = verbose debugging, 1 = debugging, 2 = informational messages, 3 = notification, 4 = warning |

=== Broadcom Options ===

:!: The options below are only used by the proprietary Broadcom driver (type ''broadcom'').

^ Name ^ Type ^ Required ^ Default ^ Description ^
| ''frameburst'' | boolean | no | ''0'' | Enables Broadcom frame bursting if supported |
| ''maxassoc'' | integer | no | //(driver default)// | Limits the maximum allowed number of associated clients |
| ''slottime'' | integer | no | //(driver default)// | Slot time in milliseconds |

==== wifi-iface ====

Logical wireless interface

== Common options ==

^ Name ^ Type ^ Required ^ Default ^ Description ^
| ''device'' | string | yes | //(first device id)// | Specifies the used wireless adapter, must refer to one of the defined ''wifi-device'' sections |
| ''mode'' | string | yes | ''ap'' | Selects the //[[http://wireless.kernel.org/en/users/Documentation/modes|operation mode]]// of the wireless network interface controller (some are supported simultaneously by some drivers):\\ ''ap'' for Access Point,\\ ''sta'' for managed (client) mode,\\ ''adhoc'' for Ad-Hoc,\\ ''wds'' for static WDS, \\ ''monitor'' for monitor mode,\\ ''mesh'' for [[wp>IEEE 802.11s]] mesh mode\\ :!: **''mesh'' mode only supported by ''mac80211'' (in trunk)**|
| ''disabled'' | boolean | no | ''0'' | When set to 1, wireless network is disabled. |
| ''ssid'' | string | yes | ''OpenWrt'' | The broadcasted SSID of the wireless network (for managed mode the SSID of the network you're connecting to) |
| ''bssid'' | BSSID address | no | //(driver default)// | Override the BSSID of the network, only applicable in ''adhoc'' or ''sta'' mode. In ''wds'' mode specifies the BSSID of another AP to create WDS with. |
| ''mesh_id'' | Mesh ID | no | none | The Mesh ID as defined in IEEE 802.11s.  If set, the wireless interface will join this mesh network when brought up.  If not, it is necessary to invoke ''iw <iface> mesh join <mesh_id>'' to join a mesh after the interface is brought up. \\ :!: **Only supported by ''mac80211'' (in trunk)**|
| ''hidden'' | boolean | no | ''0'' | Turns off SSID broadcasting if set to ''1'' |
| ''isolate'' | boolean | no | ''0'' | Isolate wireless clients from each other, only applicable in ''ap'' mode.  // May not be supported in the original Backfire release for mac80211 // |
| ''doth'' | boolean | no | ''0'' | Enables 802.11h support.\\ :!: **Not supported for the ''mac80211'' type yet** |
| ''wmm'' | boolean | no | ''1'' | Enables WMM (802.11e) support. Required for 802.11n support |
| ''network'' | string | yes | ''lan'' | Specifies the [[doc:uci:network#interfaces|network interface]] to attach the wireless to. :!: Most wireless drivers do not support bridging in client mode (see [[doc/howto/clientmode#bridged.client.mode.issues|Bridged Client Mode Issues]] and [[doc:recipes:relayclient]], as well as notes on specific devices, e.g. [[toh:asus:wl500gp]] and tplink wr841nd), the wifi interface cannot be attached to networks that are creating a bridge or already have switches interfaces connected, if the wifi interface uses the mode 'sta'. |
| ''encryption'' | string | no | ''none'' | Wireless encryption method. ''none'' for an open network, ''wep'' for WEP, ''psk'' for WPA-PSK, or ''psk2'' for WPA2-PSK. See the [[doc:uci:wireless#WPA.Modes|WPA modes]] table for additional possible values.\\ For an access point in **WEP** mode, the default is "open system" authentication. Use ''wep+shared'' for "shared key" authentication (less secure), ''wep+open'' to explicitly use "open system," or ''wep+mixed'' to allow either. ''wep+mixed'' is only supported by hostapd. |
| ''key'' | integer or string | no | //(none)// | In any **WPA-PSK** mode, this is a string that specifies the pre-shared passphrase from which the pre-shared key will be derived. If a 64-character hexadecimal string is supplied, it will be used directly as the pre-shared key instead.\\ In **WEP** mode, this can be an integer specifying which key index to use (''key1'', ''key2'', ''key3'', or ''key4''.) Alternatively, it can be a string specifying a passphrase or key directly, as in ''key1''.\\ In any **[[doc:uci:wireless#wpa.enterprise.access.point|WPA-Enterprise AP]]** mode, this option has a different interpretation. |
| ''key1'' | string | no | //(none)// | WEP passphrase or key #1 (selected by the index in ''key''). This string is treated as a passphrase from which the WEP key will be derived. If a 10- or 26-character hexadecimal string is supplied, it will be used directly as the WEP key instead. |
| ''key2'' | string | no | //(none)// | WEP passphrase or key #2 (selected by the index in ''key''), as in ''key1''. |
| ''key3'' | string | no | //(none)// | WEP passphrase or key #3 (selected by the index in ''key''), as in ''key1''. |
| ''key4'' | string | no | //(none)// | WEP passphrase or key #4 (selected by the index in ''key''), as in ''key1''. |
| ''macfilter'' | string | no | ''disable'' | Specifies the //mac filter policy//, ''disable'' to disable the filter, ''allow'' to treat it as whitelist or ''deny'' to treat it as blacklist.\\ :!: **Supported for the ''mac80211'' since [[https://dev.openwrt.org/changeset/25105/trunk|r25105]]** |
| ''maclist'' | list of MAC addresses | no | //(none)// | List of MAC addresses (divided by spaces) to put into the mac filter. |
| ''iapp_interface'' | string | no | //(none)// | Specifies a [[doc:uci:network#interfaces|network interface]] to be used for 802.11f (IAPP) - only enabled when defined. |
| ''rsn_preauth'' | boolean | no | ''0'' | Allow preauthentication for WPA2-EAP networks (and advertise it in WLAN beacons). Only works if the specified network interface is a bridge. |
| ''ieee80211w'' | integer | no | ''0'' | Enables MFP (802.11w) support (0 = disabled, 1 = optional, 2 = required).\\ :!: **Only supported by the ''ath9k'' driver (since 10.03)**|
| ''ieee80211w_max_timeout'' | integer | no | //(hostapd default)// | Specifies the 802.11w Association SA Query maximum timeout.\\ :!: **Only supported by the ''ath9k'' driver (since 10.03)** |
| ''ieee80211w_retry_timeout'' | integer | no | //(hostapd default)// | Specifies the 802.11w Association SA Query retry timeout .\\ :!: **Only supported by the ''ath9k'' driver (since 10.03)** |
| ''maxassoc'' | integer | no | //(hostapd/driver default)// | Specifies the maximum number of clients to connect. |
| ''macaddr'' | mac address | no | //(hostapd/driver default)// | Overrides the MAC address used for the wifi interface. |
| ''dtim_period'' | integer | no | //2 (hostapd default)// | Set the DTIM (delivery traffic information message) period. There will be one DTIM per this many beacon frames. This may be set between 1 and 255. This option only has an effect on ''ap'' wifi-ifaces. \\ :!: **Only supported by ''mac80211'' (in trunk)** |
| ''short_preamble'' | boolean | no | //1// | Set optional use of short preamble \\ :!: **Supported for the ''mac80211'' since [[https://dev.openwrt.org/changeset/35565/trunk|r35565]]** |
| ''max_listen_int'' | integer | no | //65535 (hostapd default)// | Set the maximum allowed STA (client) listen interval. Association will be refused if a STA attempts to associate with a listen interval greater than this value. This option only has an effect on ''ap'' wifi-ifaces. \\ :!: **Only supported by ''mac80211'' (in trunk)** |
| ''mcast_rate'' | integer | no | //(driver default)// | Sets the fixed multicast rate, measured in kb/s. \\ :!: **Only supported by ''madwifi'', and ''mac80211'' (for type ''adhoc'' in trunk)** |
| :!: See the [[doc:uci:wireless#WPA.Modes|WPA tables]] below for a full listing of WPA related options used for WPA2 Enterprise (802.1x) |||||
| :!: See the [[doc:uci:wireless#WPS.Options|WPS Options]] below for a full listing of //Wi-Fi Protected Setup// options. |||||
| ''wds'' | boolean | no | ''0'' | This sets [[http://wireless.kernel.org/en/users/Documentation/iw#Using_4-address_for_AP_and_client_mode|4-address mode]] |

=== WPA Modes ===

Besides the WPA mode, the ''encryption'' option also specifies the group and peer ciphers to use.
To override the cipher, the value of ''encryption'' must be given in the form ''mode+cipher''.
See the listing below for possible combinations. If the ''hwmode'' of the interface is set to ''ng'' or ''na'', then the ''CCMP'' cipher is always added to the list.

^ Value ^ WPA Version ^ Ciphers ^
| ''psk2+tkip+ccmp''\\ ''psk2+tkip+aes'' | WPA2 Personal (PSK) | TKIP, CCMP |
| ''psk2+tkip'' | WPA2 Personal (PSK) | TKIP |
| ''psk2+ccmp''\\ ''psk2+aes''\\ ''psk2'' | WPA2 Personal (PSK) | CCMP |
| ''psk+tkip+ccmp''\\ ''psk+tkip+aes'' | WPA Personal (PSK) | TKIP, CCMP |
| ''psk+tkip'' | WPA Personal (PSK) | TKIP |
| ''psk+ccmp''\\ ''psk+aes''\\ ''psk'' | WPA Personal (PSK) | CCMP |
| ''mixed-psk+tkip+ccmp''\\ ''mixed-psk+tkip+aes''\\ ''mixed-psk'' | WPA/WPA2 Personal (PSK) mixed mode | TKIP, CCMP |
| ''mixed-psk+tkip'' | WPA/WPA2 Personal (PSK) mixed mode | TKIP |
| ''mixed-psk+ccmp''\\ ''mixed-psk+aes'' | WPA/WPA2 Personal (PSK) mixed mode | CCMP |
| ''wpa2+tkip+ccmp''\\ ''wpa2+tkip+aes'' | WPA2 Enterprise | TKIP, CCMP |
| ''wpa2+ccmp''\\ ''wpa2+aes''\\ ''wpa2'' | WPA2 Enterprise | CCMP |
| ''wpa2+tkip'' | WPA2 Enterprise | TKIP |
| ''wpa+tkip+ccmp''\\ ''wpa+tkip+aes'' | WPA Enterprise | TKIP, CCMP |
| ''wpa+ccmp''\\ ''wpa+aes'' | WPA Enterprise | CCMP |
| ''wpa+tkip''\\ ''wpa'' | WPA Enterprise | TKIP |
| ''mixed-wpa+tkip+ccmp''\\ ''mixed-wpa+tkip+aes''\\ ''mixed-wpa'' | WPA/WPA2 Enterprise mixed mode | TKIP, CCMP |
| ''mixed-wpa+tkip'' | WPA/WPA2 Enterprise mixed mode | TKIP |
| ''mixed-wpa+ccmp''\\ ''mixed-wpa+aes'' | WPA/WPA2 Enterprise mixed mode | CCMP |

=== WPA Enterprise (Access Point) ===

Listing of Access Point related options for WPA Enterprise. [[doc:howto:wireless.security.8021x|Basic WPA Enterprise configuration instructions]]

^ Name ^ Default ^ Description ^
| ''server'' | //(none)// | RADIUS server to handle client authentication |
| ''port'' | ''1812'' | RADIUS port |
| ''key'' | //(none)// | Shared RADIUS secret |
| ''wpa_group_rekey'' | ''600'' | WPA Group Cipher rekeying interval in seconds |
| :!: The options below are for hostapd (not the Broadcom ''nas'' authenticator) |||
| ''auth_server'' | //(none)// | RADIUS authentication server to handle client authentication |
| ''auth_port'' | ''1812'' | RADIUS authentication port |
| ''auth_secret'' | //(none)// | Shared authentication RADIUS secret |
| ''auth_cache'' | ''0'' | Disable or enable PMKSA and Opportunistic Key Caching |
| ''acct_server'' | //(none)// | RADIUS accounting server to handle client authentication |
| ''acct_port'' | ''1813'' | RADIUS accounting port |
| ''acct_secret'' | //(none)// | Shared accounting RADIUS secret |
| ''nasid'' | //(none)// | NAS ID to use for RADIUS authentication requests |
| ''ownip'' | //(none)// | NAS IP Address to use for RADIUS authentication requests - introduced in [[https://dev.openwrt.org/changeset/40934/trunk|r40934]] |
| ''dae_client'' | //(none)// | Dynamic Authorization Extension client. This client can send "Disconnect-Request" or "CoA-Request" packets to forcibly disconnect a client or change connection parameters. |
| ''dae_port'' | ''3799'' | Port the Dynamic Authorization Extension server listens on. |
| ''dae_secret'' | //(none)// | Shared DAE secret. |
| ''dynamic_vlan'' | ''0'' | Dynamic VLAN assignment |
| ''vlan_naming'' | ''1'' | VLAN Naming |
| ''vlan_tagged_interface'' | //(none)// | VLAN Tagged Interface |
| ''vlan_bridge'' | //(none)// | VLAN Bridge Naming Scheme - added in [[https://dev.openwrt.org/changeset/43473/|r43473]] |

:!: The ''dae'' options were introduced in [[https://dev.openwrt.org/changeset/37734/trunk|r37734]]

:!: To enable Dynamic Authorization Extensions, both ''dae_client'' and ''dae_secret'' must be set.

:!: (Dynamic) VLAN Support added in [[https://dev.openwrt.org/changeset/41872|r41872]]

=== WPA Enterprise (Client) ===

Listing of Client related options for WPA Enterprise.

^ Name ^ Default ^ Description ^
| ''eap_type'' | //(none)// | Defines the EAP protocol to use, possible values are ''tls'' for EAP-TLS and ''peap'' or ''ttls'' for EAP-PEAP |
| ''auth'' | ''MSCHAPV2'' | "auth=PAP"/PAP/MSCHAPV2 - Defines the phase 2 (inner) authentication method to use, only applicable if ''eap_type'' is ''peap'' or ''ttls'' |
| ''identity'' | //(none)// | EAP identity to send during authentication |
| ''password'' | //(none)// | Password to send during EAP authentication |
| ''ca_cert'' | //(none)// | Specifies the path the CA certificate used for authentication |
| ''client_cert'' | //(none)// | Specifies the client certificate used for the authentication |
| ''priv_key'' | //(none)// | Specifies the path to the private key file used for authentication, only applicable if ''eap_type'' is set to ''tls'' |
| ''priv_key_pwd'' | //(none)// | Password to unlock the private key file, only works in conjunction with ''priv_key'' |
:!: When using WPA Enterprise type PEAP with Active Directory Servers, the "auth" option must be set to "auth=MSCHAPV2" or "auth=PAP"
<code>
     option auth 'auth=MSCHAPV2'
</code>
or
<code>
     option auth 'auth=PAP'
</code>