The device will reject any configuration that causes warnings if strict mode is enabled.
The unique ID of the configuration. This is the unix timestamp of when the config was created.
A device has certain properties that describe its identity and location. These properties are described inside this object.
This is a free text field, stating the administrative name of the device. It may contain spaces and special characters.
The hostname that shall be set on the device. If this field is not set, then the device's serial number is used.
This is a free text field, stating the location of the device. It may contain spaces and special characters.
This allows you to change the TZ of the device.
"UTC"
"EST5"
"CET-1CEST,M3.5.0,M10.5.0/3"
This allows forcing all LEDs off.
The device shall have no password, create a random root password or use the provided one.
Require username/password login on tty/S ports.
A device has certain global properties that are used to derive parts of the final configuration that gets applied.
Define the IPv4 range that is delegatable to the downstream interfaces. This is described as a CIDR block. (192.168.0.0/16, 172.16.128/17)
"192.168.0.0/16"
Define the IPv6 range that is delegatable to the downstream interfaces. This is described as a CIDR block. (fdca:1234:4567::/48)
"fdca:1234:4567::/48"
Define the default WMM behaviour of all SSIDs on the device. Each access category can be assigned a default class selector that gets used for packet matching.
No Additional Properties
Define a default profile that shall be used for the WMM behaviour of all SSIDs on the device.
A device has certain global properties that are used to derive parts of the final configuration that gets applied.
All properties whose name matches the following regular expression must respect the following conditions
Property name regular expression: .+
When using EAP encryption we need to provide the required information allowing us to connect to the AAA servers.
NAS-Identifier string for RADIUS messages. When used, this should be unique to the NAS within the scope of the RADIUS server.
This will enable support for Chargeable-User-Identity (RFC 4372).
Describe the properties of the local Radius server inside hostapd.
EAP methods that provide mechanism for authenticated server identity delivery use this value.
Specifies a collection of local EAP user/psk/vid triplets.
Describes a local EAP user/psk/vid triplet.
Must be at least 1 character long
Must be at least 8 characters long
Must be at most 63 characters long
Value must be lesser or equal to 4096
3
100
200
4094
Describe the properties of a Radius server.
The URI of our Radius server.
"192.168.1.10"
The network port of our Radius server.
Value must be greater or equal to 1024 and lesser or equal to 65535
1812
The shared Radius authentication secret.
"secret"
The additional Access-Request attributes that get sent to the server.
{
"id": 27,
"value": 900
}
{
"id": 32,
"value": "My NAS ID"
}
{
"id": 56,
"value": 1004
}
{
"id": 126,
"value": "Example Operator"
}
The ID of the RADIUS attribute
Value must be greater or equal to 1 and lesser or equal to 255
The numeric RADIUS attribute value
Value must be greater or equal to 0 and lesser or equal to 4294967295
The RADIUS attribute value string
"126:s:Operator"
Should the radius server be used for MAC address ACL.
Describe the properties of a Radius server.
Same definition as configurations_radius-servers_pattern1_authentication_allOf_i0
The interim accounting update interval. This value is defined in seconds.
Value must be greater or equal to 60 and lesser or equal to 600
This section defines the link speed and duplex mode of the physical copper/fiber ports of the device.
The list of physical network devices that shall be configured. The names are logical ones and wildcardable.
"LAN1"
"LAN2"
"LAN3"
"LAN4"
"LAN*"
"WAN*"
"*"
The link speed that shall be forced.
The duplex mode that shall be forced.
Specifies the country code, affects the available channels and transmission powers.
Must be at least 2 characters long
Must be at most 2 characters long
"US"
All properties whose name matches the following regular expression must respect the following conditions
Property name regular expression: .+
Describe a physical radio on the AP. A radio is the parent of several VAPs. They all share the same physical properties.
Allow disabling the radio.
Specifies the wireless band to configure the radio for. Available radio device phys on the target system are matched by the wireless band given here. If multiple radio phys support the same band, the settings specified here will be applied to all of them.
Specifies the wireless channel to use. A value of 'auto' starts the ACS algorithm.
Value must be greater or equal to 1 and lesser or equal to 196
"auto"
Pass a list of valid-channels that can be used during ACS.
Value must be greater or equal to 1 and lesser or equal to 196
This property defines whether a radio may use DFS channels.
Define the ideal channel mode that the radio shall use. This can be 802.11n, 802.11ac or 802.11ax. This is just a hint for the AP. If the requested value is not supported then the AP will use the highest common denominator.
The channel width that the radio shall use. This is just a hint for the AP. If the requested value is not supported then the AP will use the highest common denominator.
Stations that do not fulfill these HT modes will be rejected.
This option allows configuring the antenna pairs that shall be used. This is just a hint for the AP. If the requested value is not supported then the AP will use the highest common denominator.
This option specifies the transmission power in dBm.
Value must be greater or equal to 0 and lesser or equal to 30
Allow legacy 802.11b data rates.
Beacon interval in kus (1.024 ms).
Value must be greater or equal to 15 and lesser or equal to 65535
Set the DTIM (delivery traffic information message) period. There will be one DTIM per this many beacon frames. This may be set between 1 and 255. This option only has an effect on ap wifi-ifaces.
Value must be greater or equal to 1 and lesser or equal to 255
Set the maximum number of clients that may connect to this radio. This value is accumulative for all attached VAP interfaces.
The rate configuration of this BSS.
The beacon rate that shall be used by the BSS. Values are in Mbps.
The multicast rate that shall be used by the BSS. Values are in Mbps.
This section describes the HE specific configuration options of the BSS.
Enabling this option will make the PHY broadcast its BSSs using the multiple BSSID beacon IE.
This enables BSS Coloring on the PHY. Setting it to 0 disables the feature, 1-63 sets the color, and 64 will make hostapd pick a random color.
All properties whose name matches the following regular expression must respect the following conditions
Property name regular expression: .+
This section describes the logical network interfaces of the device. Each interface has a primary role such as upstream, downstream, guest, ...
The role defines if the interface is upstream or downstream facing.
This option makes sure that any traffic leaving this interface is isolated and all local IP ranges are blocked. It essentially enforces "guest network" firewall settings.
The routing metric of this logical interface. Lower values have higher priority.
Value must be greater or equal to 0 and lesser or equal to 4294967295
The MTU of this logical interface.
Value must be greater or equal to 1280 and lesser or equal to 1500
The services that shall be offered on this logical interface. These are just strings such as "ssh", "lldp", "mdns"
"ssh"
"lldp"
This section describes the vlan behaviour of a logical network interface.
This is the pvid of the vlan that shall be assigned to the interface. The individual physical network devices contained within the interface need to be told explicitly if egress traffic shall be tagged.
Value must be lesser or equal to 4050
This section describes the bridge behaviour of a logical network interface.
The MTU that shall be used by the network interface.
Value must be greater or equal to 256 and lesser or equal to 65535
1500
The Transmit Queue Length is a TCP/IP stack network interface value that sets the number of packets allowed per kernel transmit queue of a network interface device.
5000
Isolates the bridge ports from each other.
All properties whose name matches the following regular expression must respect the following conditions
Property name regular expression: .+
The list of physical network devices that shall serve .1x for this interface.
All properties whose name matches the following regular expression must respect the following conditions
Property name regular expression: .+
This section describes the IPv4 properties of a logical interface.
This option defines the method by which the IPv4 address of the interface is chosen.
"static"
This option defines the static IPv4 address of the logical interface in CIDR notation. auto/24 can be used, causing the configuration layer to automatically use an address range from globals.ipv4-network.
"auto/24"
This option defines the static IPv4 gateway of the logical interface.
"192.168.1.1"
Include the device's hostname inside DHCP requests.
true
Define which DNS servers shall be used. This can either be a list of static IPv4 addresses or dhcp (use the server provided by the DHCP lease).
"8.8.8.8"
"4.4.4.4"
This option only applies to "downstream" interfaces. The downstream interface will prevent traffic going out to the listed CIDR4s. This can be used to prevent a guest / captive interface being able to communicate with RFC1918 ranges. Setting this option to 'true' will block all RFC1918 ranges.
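A check a reviewer can run against this option before pushing a configuration, shown here as an added example that is not part of the schema or the device's own code. It reports which parts of RFC1918 space a block list leaves reachable from the downstream interface; the function name and the sample lists are constructed for illustration.

```python
import ipaddress

# The three RFC1918 private ranges the option is meant to keep guests out of.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def uncovered_rfc1918(setting):
    """Return the parts of RFC1918 space that `setting` leaves reachable.

    `setting` is the option's value: True (block all RFC1918 ranges),
    a list of IPv4 CIDR strings, or None/empty when the option is unset.
    """
    if setting is True:
        return []
    if not setting:
        return list(RFC1918)
    # strict=True rejects CIDRs with host bits set (e.g. "192.168.1.1/16"),
    # which usually indicates a typo in the configuration.
    blocked = list(ipaddress.collapse_addresses(
        ipaddress.IPv4Network(c, strict=True) for c in setting))
    remaining = list(RFC1918)
    for b in blocked:
        nxt = []
        for r in remaining:
            if r.subnet_of(b):
                continue                      # fully blocked
            if b.subnet_of(r):
                nxt.extend(r.address_exclude(b))  # partially blocked
            else:
                nxt.append(r)                 # disjoint, still reachable
        remaining = nxt
    return sorted(remaining)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    samples = {
        "all three ranges": ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"],
        "only 192.168/16": ["192.168.0.0/16"],
        "half of 192.168/16": ["192.168.0.0/17", "172.16.0.0/12", "10.0.0.0/8"],
        "shorthand true": True,
    }
    for label, value in samples.items():
        gaps = [str(n) for n in uncovered_rfc1918(value)]
        print(f"{label}: {'OK' if not gaps else 'reachable: ' + ', '.join(gaps)}")
```

An empty result means every RFC1918 address is covered by the list; anything else is a private range the guest or captive interface can still reach.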
"192.168.0.0/16"
"172.16.0.0/12"
"10.0.0.0/8"
This section describes the DHCP server configuration
The last octet of the first IPv4 address in this DHCP pool.
10
The number of IPv4 addresses inside the DHCP pool.
100
How long the lease is valid before a RENEW must be issued.
The DNS server sent to clients as DHCP option 6.
This section describes the static DHCP leases of this logical interface.
The MAC address of the host that this lease shall be used for.
"00:11:22:33:44:55"
The offset of the IP that shall be used in relation to the first IP in the available range.
10
How long the lease is valid before a RENEW must be issued.
Shall the host's hostname be made available locally via DNS.
This section describes the IPv6 properties of a logical interface.
This option defines the method by which the IPv6 subnet of the interface is acquired. In static addressing mode, the specified subnet and gateway, if any, are configured on the interface in a fixed manner. Also - if a prefix size hint is specified - a prefix of the given size is allocated from each upstream received prefix delegation pool and assigned to the interface. In dynamic addressing mode, a DHCPv6 client will be launched to obtain IPv6 prefixes for the interface itself and for downstream delegation. Note that dynamic addressing usually only ever makes sense on upstream interfaces.
This option defines a static IPv6 prefix in CIDR notation to set on the logical interface. A special notation "auto/64" can be used, causing the configuration agent to automatically allocate a suitable prefix from the IPv6 address pool specified in globals.ipv6-network. This property only applies to static addressing mode. Note that this is usually not needed due to DHCPv6-PD assisted prefix assignment.
"auto/64"
This option defines the static IPv6 gateway of the logical interface. It only applies to static addressing mode. Note that this is usually not needed due to DHCPv6-PD assisted prefix assignment.
"2001:db8:123:456::1"
For dynamic addressing interfaces, this property specifies the prefix size to request from an upstream DHCPv6 server through prefix delegation. For static addressing interfaces, it specifies the size of the sub-prefix to allocate from the upstream-received delegation prefixes for assignment to the logical interface.
Value must be greater or equal to 0 and lesser or equal to 64
This section describes the DHCPv6 server configuration
Specifies the DHCPv6 server operation mode. When set to "stateless", the system will announce router advertisements only, without offering stateful DHCPv6 service. When set to "stateful", emitted router advertisements will instruct clients to obtain a DHCPv6 lease. When set to "hybrid", clients can freely choose whether to self-assign a random address through SLAAC, whether to request an address via DHCPv6, or both. For maximum compatibility with different clients, it is recommended to use the hybrid mode. The special mode "relay" will instruct the unit to act as DHCPv6 relay between this interface and any of the IPv6 interfaces in "upstream" mode.
Overrides the DNS server to announce in DHCPv6 and RA messages. By default, the device will announce its own local interface address as DNS server, essentially acting as proxy for downstream clients. By specifying a non-empty list of IPv6 addresses here, this default behaviour can be overridden.
Selects a specific downstream prefix or a number of downstream prefix ranges to announce in DHCPv6 and RA messages. By default, all prefixes configured on a given downstream interface are advertised. By specifying an IPv6 prefix in CIDR notation here, only prefixes covered by this CIDR are selected.
All properties whose name matches the following regular expression must respect the following conditions
Property name regular expression: .+
A device has certain properties that describe its identity and location. These properties are described inside this object.
An SSID can have a special purpose such as the hidden on-boarding BSS. All purposes other than "user-defined" are static pre-defined configurations.
The encryption/authentication method used by this BSS.
The broadcasted SSID of the wireless network and, for managed mode, the SSID of the network you're connecting to.
Must be at least 1 character long
Must be at most 32 characters long
The list of radios that the SSID should be broadcasted on. The configuration layer will use the first matching phy/band.
Selects the operation mode of the wireless network interface controller.
Override the BSSID of the network, only applicable in adhoc or sta mode.
Isolates wireless clients from each other on this BSS.
Convert multicast traffic to unicast on this BSS.
The services that shall be offered on this logical interface. These are just strings such as "wifi-steering"
"wifi-steering"
Proxy ARP is the technique in which the host router answers ARP requests intended for another machine.
The maximum interval for FILS discovery announcement frames. This is a condensed beacon used in 6GHz channels for passive BSS discovery.
Value must be lesser or equal to 20
A device has certain properties that describe its identity and location. These properties are described inside this object.
The wireless encryption protocol that shall be used for this BSS
"psk2"
The Pre Shared Key (PSK) that is used for encryption on the BSS when using any of the WPA-PSK modes.
Must be at least 8 characters long
Must be at most 63 characters long
Enable 802.11w Management Frame Protection (MFP) for this BSS.
PMKSA created through EAP authentication and RSN preauthentication can be cached.
The name of the radius server that shall be used. The settings reside inside the configurations block of the config.
An SSID can have multiple PSK/VID mappings. Each one of them can be bound to a specific MAC or be a wildcard.
The Pre Shared Key (PSK) that is used for encryption on the BSS when using any of the WPA-PSK modes.
Must be at least 8 characters long
Must be at most 63 characters long
Value must be lesser or equal to 4096
3
100
200
4094
The UE rate-limiting configuration of this BSS.
The ingress rate to which hosts will be shaped. Values are in Mbps.
The egress rate to which hosts will be shaped. Values are in Mbps.
Enable 802.11r Fast Roaming for this BSS.
Shall the pre authenticated message exchange happen over the air or distribution system.
Whether to generate FT response locally for PSK networks. This avoids use of PMK-R1 push/pull from other APs with FT-PSK networks.
Mobility Domain identifier (dot11FTMobilityDomainID, MDID).
Must be at least 4 characters long
Must be at most 4 characters long
"abcd"
Enable 802.11r Fast Roaming for this BSS. This will enable "auto" mode which will work for most scenarios.
The MAC ACL that defines which clients are allowed or denied association.
Defines if this is an allow or deny list.
Association requests will be denied if the rssi is below this threshold.
This array allows passing raw hostapd.conf lines.
"ap_table_expiration_time=3600"
"device_type=6-0050F204-1"
"ieee80211h=1"
"rssi_ignore_probe_request=-75"
"time_zone=EST5"
"uuid=12345678-9abc-def0-1234-56789abcdef0"
"venue_url=1:http://www.example.com/info-eng"
"wpa_deny_ptk0_rekey=0"
This Object defines the properties of a mesh interface overlay.
This field must be set to mesh.
Specific value: "mesh-batman"
This section describes all of the services that may be present on the AP. Each service is then referenced via its name inside an interface, ssid, ...
This section can be used to setup a SSH server on the AP.
This option defines which port the SSH server shall be available on.
Value must be lesser or equal to 65535
This option defines if password authentication shall be enabled. If set to false, only ssh key based authentication is possible.
This section can be used to setup the mdns servers.
This is an array of additional hostnames that the AP shall announce.
This section can be used to enable lldp on network ports.
The name that gets announced.
The description that gets announced.
This section can be used to setup the upstream NTP servers.
This is an array of URL/IP of the upstream NTP servers that the unit shall use to acquire its current time.
"0.openwrt.pool.ntp.org"
This section can be used to configure remote syslog support.
IP address of a syslog server to which the log messages should be sent in addition to the local destination.
"192.168.1.10"
Port number of the remote syslog server specified with log_ip.
Value must be greater or equal to 100 and lesser or equal to 65535
2000
Sets the protocol to use for the connection, either tcp or udp.
Size of the file based log buffer in KiB. This value is used as the fallback value for logbuffersize if the latter is not specified.
Value must be greater or equal to 32
Filter messages by their log priority. The value maps directly to the 0-7 range used by syslog.
Value must be greater or equal to 0
This section allows enabling wired ieee802.1X
This field must be set to 'radius' or 'user'.
Specifies a collection of local EAP user/psk/vid triplets.
Describes a local EAP user/psk/vid triplet.
Same definition as configurations_radius-servers_pattern1_local_users_items
Specifies the information about radius account authentication and accounting
NAS-Identifier string for RADIUS messages. When used, this should be unique to the NAS within the scope of the RADIUS server.
The URI of our Radius server.
"192.168.1.10"
The network port of our Radius server.
Value must be greater or equal to 1024 and lesser or equal to 65535
1812
The shared Radius authentication secret.
"secret"
The URI of our Radius server.
"192.168.1.10"
The network port of our Radius server.
Value must be greater or equal to 1024 and lesser or equal to 65535
1813
The shared Radius accounting secret.
"secret"
The URI of our Radius server.
"192.168.1.10"
The network port of our Radius server.
Value must be greater or equal to 1024 and lesser or equal to 65535
1814
The shared Radius accounting secret.
"secret"
Trigger mac-auth when a new ARP is learned.