Network-Engineering | 7 min read
Freshen up your Mist with Freifunk
At the beginning of the first COVID lockdown in early 2020, our partner Juniper made us an offer to join a series of short webinars showing off their new acquisition in WiFi technology, Mist. My initial reluctance to participate turned into fiery enthusiasm upon learning that in exchange for my time I would receive a free Mist AP and PoE switch. They knew I was an easy mark and could not resist the promise of FREE STUFF. They know too much about me.
My original home WiFi setup was done with a FritzBox 4040, with a separate Zyxel router running Freifunk firmware.
The FritzBox is a perfectly cromulent device for home use but for a while I’ve desired a WiFi solution that offered more features and flexibility. Running dot1x WiFI authentication at home may be overkill, but it’s the kind of overkill I’m into. Unfortunately, due to the fact that I am unwilling to pay money to buy things, this idea never went beyond the evaluation stage.
The Replacement: Mist AP41
The AP I received is an older model – AP41 – which unfortunately does not support 802.11ax / WiFi 6. WiFi 6 is only available (as of time of writing) on the newer models AP63, AP43, AP33, AP32 and AP12. The spec sheet of the AP41 claims a maximum data rate of 1’730 Mbps, twice the performance over my old FritzBox. Of course everybody should understand that the maximum PHY rate does not represent the maximum throughput you will actually achieve.
On the 5GHz band, with 2x channel bonding for 40MHz wide channels, the measured throughput of iperf3 tests is consistently around 200mbps. In my view this is good performance for Wifi, considering that ~10 other clients are connected at the same time. Note that in my setup, the AP is not ceiling-mounted as per the official recommendation, but rather in a pile in a corner of the room, covered by bags of instant noodles. I did not see a specific recommendation against this deployment strategy but would imagine that this also has an adverse impact on the throughput.
Here we can confirm that the Mist AP will deliver acceptable performance in suboptimal conditions.
Is There Anything Cool I Can Do With This?
The new gear motivated me to re-do my home network over the Christmas break. My old CPE would be replaced with a PCEngines APU2, while the two WiFi APs will be consolidated into one sending out different SSIDs for each network.
This then raises the question: how do I Freifunk my Mist? Normally you would pick an AP/Wifi router and flash a custom firmware onto it. Such firmware is not (yet?) available for the Mist APs, however.
Fortunately the Freifunk community provides ready-made 32/64-bit “offloader” images to be deployed on VirtualBox or VMWare. The “generic” image can be made to work on other hypervisors with a tiny bit of extra work.
What’s All This Freifunk About, Even?
But what is Freifunk, anyways? Freifunk is a non-commercial initiative to provide free WiFi to communities and is most active in Germany, but recently also has spread into the rest of the DACH area. Anybody with a compatible router may participate and donate some of their bandwidth to the cause. Traffic is tunneled through one of many endpoints and its origin cannot be matched to a specific operator or client.
This makes it easy for a business to offer guest WiFi to visitors without having to register them through a cumbersome captive portal and at the same time carrying responsibility for the things they do while using your network.
Operating a Freifunk node in Switzerland is probably legal as it should not count as a professionally provided service. (see Section 6.2 in “Merkblatt WLAN” https://steigerlegal.ch/wp-content/uploads/2018/04/20180301_ch-dienst-uepf_merkblatt-wlan.pdf). One look at my cabling should convince anybody that there is nothing professional about this operator.
Virtualized Freifunk Setup
Ensure that you have two VLANs, one which will serve the clients and a second for the uplink. DHCP requests will be answered through the tunnel so a DHCP server must not be running on the client network. Just to be on the safe side, the uplink network I chose was the same one where all my untrusted devices (smart TV, the Windows PC, my outdated Sailfish OS phone, the $30 smartphone from China that claims it has 10 CPU cores and 256GB of storage, the Windows Phone I still keep around for some reason, etc.) connect to and cannot reach internal services.
The offloader VM requires two untagged interfaces, the first interface for the uplink and the second for client traffic. Hardware requirements are very modest. I allocated 2 CPU cores and 128MB of RAM to the virtual machine, and even that is already overkill. In my home setup, I deployed the virtual machine to my low-power Proxmox cluster running on a pair of PCEngines APU3D4.
Installation Steps (Proxmox 6)
- Set up the client VLAN on both the hypervisor and the connected switchport, and the interface connected to your AP
- Download the “x86 generic” Freifunk firmware from the official repository, unpack and save it in the Proxmox templates directory
- Create a new virtual machine and give it a name
- Choose “Do not use any media” for the installation, we will import the readymade disk image in a later step
- Provision whatever storage you want, we will delete this after the VM has been created
- Provision a small sprinkling of RAM and 1-2 vCPUs
- Assign the first network interface in a network without the DHCP server, this will be required for the initial configuration of the node
- Finish the setup but do not boot the VM yet
- Initially, add a second network interface to the same VLAN as the first one
- Detach and delete the existing disk from the new VM and import the new one, either in the GUI or CLI, e.g. “qm importdisk (VMID) /var/lib/vz/template/iso/gluon-ff3l-v2020.2.1_001-x86-64.img (STORAGE)”
- Boot the virtual machine, connect a computer to the same VLAN and finish the initial setup, enable “Mesh on WAN”
- After the initial setup is completed and the Freifunk virtual machine reboots, move the first network interface (net0) to the uplink VLAN
- Set up an open-access SSID on your Mist AP on the Freifunk VLAN
Congratulations, you should now have a working Freifunk node!
At this point, unfortunately, I did not have a working Freifunk node! After re-checking and fixing all my VLAN tags, it turned out that the Freifunk network configuration was missing a line that would bridge the clients from the ‘eth1‘ interface to the ‘bat0‘ Freifunk mesh. You can just open the file /etc/config/network in vi to add the missing line. For further troubleshooting, you can install tcpdump through the opkg OpenWRT package manager.
The working configuration, once finished, should look something like the following.
VM network configuration:
Mist AP WLAN configuration:
If you need to change configuration options after the first setup, open the console and enter the following to reset to config mode (this is not a hard “factory” reset, your current configuration will be kept intact):
uci set gluon-setup-mode.@setup_mode.enabled=1 uci commit gluon-setup-mode reboot
Reset the network interface configuration of the VM on the hypervisor as in the initial setup part to access the webUI.
Possibly you’ve heard that slow Wifi clients will take up more airtime and potentially slow down all other devices connected to the AP. When there are multiple connected clients with shaky connections (< -75dBm), all other clients connected to the same radio may suffer noticeable performance degradation. Frankly, at times I had utterly awful throughput over my new and shiny AP.
Following measures have helped me get a better Wifi experience:
- For your own use, set up a separate 5GHz-only SSID to ensure clients don’t drop to 2.4GHz. My tablet loves doing that and I hate it when it does that.
- Only transmit the open access SSID on 2.4GHz so you can keep your 5GHz SSID radio free of sluggish clients
- In the Mist WLAN configuration, play around with the “Data Rates” settings. I’ve found that enabling “High Density” will keep clients with very poor connections off my network, reducing the impact of the performance hit.