OpenWrt uCentral schema
The device will reject any configuration that causes warnings if strict mode is enabled.
The unique ID of the configuration. This is the unix timestamp of when the config was created.
A device has certain properties that describe its identity and location. These properties are described inside this object.
This is a free text field, stating the administrative name of the device. It may contain spaces and special characters.
The hostname that shall be set on the device. If this field is not set, then the devices serial number is used.
This is a free text field, stating the location of the device. It may contain spaces and special characters.
This allows you to change the TZ of the device.
"UTC"
"EST5"
"CET-1CEST,M3.5.0,M10.5.0/3"
This allows forcing all LEDs off.
The device shall create a random root password and tell the gateway about it.
System-config string that holds the password for main (root / admin) user to apply.
The TIP vendor IEs that shall be added to beacons
Add an IE containing the device's name to beacons.
Add an IE containing the device's serial to beacons.
A provider specific ID for the network/venue that the device is part of.
A device has certain global properties that are used to derive parts of the final configuration that gets applied.
Define the IPv4 range that is delegatable to the downstream interfaces This is described as a CIDR block. (192.168.0.0/16, 172.16.128/17)
"192.168.0.0/16"
Define the IPv6 range that is delegatable to the downstream interfaces This is described as a CIDR block. (fdca:1234:4567::/48)
"fdca:1234:4567::/48"
Define the default WMM behaviour of all SSIDs on the device. Each access category can be assigned a default class selector that gets used for packet matching.
No Additional PropertiesDefine a default profile that shall be used for the WMM behaviour of all SSIDs on the device.
This section is used to define templates that can be referenced by a configuration. This avoids duplication of data. A RADIUS server can be defined here for example and then referenced by several SSIDs.
A dictionary of wireless encryption templates which can be referenced by the corresponding property name.
All properties whose name matches the following regular expression must respect the following conditions
Property name regular expression:.+ A device has certain properties that describe its identity and location. These properties are described inside this object.
The wireless encryption protocol that shall be used for this BSS
"psk2"
The Pre Shared Key (PSK) that is used for encryption on the BSS when using any of the WPA-PSK modes.
Must be at least 8 characters long
Must be at most 63 characters long
Enable 802.11w Management Frame Protection (MFP) for this BSS.
PMKSA created through EAP authentication and RSN preauthentication can be cached.
This section defines the linkk speed and duplex mode of the physical copper/fiber ports of the device.
The list of physical network devices that shall be configured. The names are logical ones and wildcardable.
"LAN1"
"LAN2"
"LAN3"
"LAN4"
"LAN*"
"WAN*"
"*"
The link speed that shall be forced.
This allows forcing the port to down state by default.
The services that shall be offered on this L2 interface.
"quality-of-service"
This section defines the switch fabric specific features of a physical switch.
Enable mirror of traffic from multiple minotor ports to a single analysis port.
The list of ports that we want to mirror.
The port that mirror'ed packets should be sent to.
Enable loop detection on the L2 switches/bridge.
Define which protocol shall be used for loop detection.
Define on which logical switches/bridges we want to provide loop-detection.
Describe a physical radio on the AP. A radio is be parent to several VAPs. They all share the same physical properties.
Specifies the wireless band to configure the radio for. Available radio device phys on the target system are matched by the wireless band given here. If multiple radio phys support the same band, the settings specified here will be applied to all of them.
Specifies a narrow channel width in MHz, possible values are 5, 10, 20.
Specifies the wireless channel to use. A value of 'auto' starts the ACS algorithm.
Value must be greater or equal to 1 and lesser or equal to 196
"auto" Pass a list of valid-channels that can be used during ACS.
Value must be greater or equal to 1 and lesser or equal to 196
Exclude non-psc when doing auto channel selection on 6GHz
Specifies the country code, affects the available channels and transmission powers.
Must be at least 2 characters long
Must be at most 2 characters long
"US"
This property defines whether a radio may use DFS channels.
Define the ideal channel mode that the radio shall use. This can be 802.11n, 802.11ac or 802.11ax. This is just a hint for the AP. If the requested value is not supported then the AP will use the highest common denominator.
The channel width that the radio shall use. This is just a hint for the AP. If the requested value is not supported then the AP will use the highest common denominator.
Stations that do no fulfill these HT modes will be rejected.
This option allows configuring the antenna pairs that shall be used. This is just a hint for the AP. If the requested value is not supported then the AP will use the highest common denominator.
This option specifies the transmission power in dBm
Value must be greater or equal to 0 and lesser or equal to 30
Allow legacy 802.11b data rates.
Beacon interval in kus (1.024 ms).
Value must be greater or equal to 15 and lesser or equal to 65535
Set the maximum number of clients that may connect to this radio. This value is accumulative for all attached VAP interfaces.
Ignore probe requests if maximum-clients was reached.
The rate configuration of this BSS.
The beacon rate that shall be used by the BSS. Values are in Mbps.
The multicast rate that shall be used by the BSS. Values are in Mbps.
This section describes the HE specific configuration options of the BSS.
Enabling this option will make the PHY broadcast its BSSs using the multiple BSSID beacon IE.
Enableing this option will make the PHY broadcast its multiple BSSID beacons using EMA.
This enables BSS Coloring on the PHY. setting it to 0 disables the feature 1-63 sets the color and 64 will make hostapd pick a random color.
Value must be greater or equal to 0 and lesser or equal to 64
This config is to set the 6 GHz Access Point type
The URL of the AFC controller that the AP shall connect to.
The CA of the server. This enables mTLS.
The serial number that the AP shall send to the AFC controller.
The request-id that the AP shall send to the AFC controller.
The certificate IDs that the AP shall send to the AFC controller.
The minimum power that the AP shall request from to the AFC controller.
The list of frequency ranges that the AP shall request from to the AFC controller.
The list of frequency ranges that the AP shall request from to the AFC controller.
This array allows passing raw hostapd.conf lines.
"ap_table_expiration_time=3600"
"device_type=6-0050F204-1"
"ieee80211h=1"
"rssi_ignore_probe_request=-75"
"time_zone=EST5"
"uuid=12345678-9abc-def0-1234-56789abcdef0"
"venue_url=1:http://www.example.com/info-eng"
"wpa_deny_ptk0_rekey=0"
This section describes the logical network interfaces of the device. Interfaces as their primary have a role that is upstream, downstream, guest, ....
This is a free text field, stating the administrative name of the interface. It may contain spaces and special characters.
"LAN"
The role defines if the interface is upstream or downstream facing.
This option makes sure that any traffic leaving this interface is isolated and all local IP ranges are blocked. It essentially enforces "guest network" firewall settings.
The routing metric of this logical interface. Lower values have higher priority.
Value must be greater or equal to 0 and lesser or equal to 4294967295
The MTU of this logical interface.
Value must be greater or equal to 1280 and lesser or equal to 1600
The services that shall be offered on this logical interface. These are just strings such as "ssh", "lldp", "mdns"
"ssh"
"lldp"
Setup additional VLANs inside the bridge
The list of physical network devices that shall serve .1x for this interface.
"LAN1"
"LAN2"
"LAN3"
"LAN4"
"LAN*"
"WAN*"
"*"
This section describes the vlan behaviour of a logical network interface.
This is the pvid of the vlan that shall be assigned to the interface. The individual physical network devices contained within the interface need to be told explicitly if egress traffic shall be tagged.
Value must be lesser or equal to 4050
This section describes the bridge behaviour of a logical network interface.
The MTU that shall be used by the network interface.
Value must be greater or equal to 256 and lesser or equal to 65535
1500
The Transmit Queue Length is a TCP/IP stack network interface value that sets the number of packets allowed per kernel transmit queue of a network interface device.
5000
Isolates the bridge ports from each other.
This section defines the physical copper/fiber ports that are members of the interface. Network devices are referenced by their logical names.
The list of physical network devices that shall be added to the interface. The names are logical ones and wildcardable. "WAN" will use whatever the hardwares default upstream facing port is. "LANx" will use the "x'th" downstream facing ethernet port. LAN* will use all downstream ports.
"LAN1"
"LAN2"
"LAN3"
"LAN4"
"LAN*"
"WAN*"
"*"
Enable multicast support.
Controls whether a given port will learn MAC addresses from received traffic or not. If learning if off, the bridge will end up flooding any traffic for which it has no FDB entry. By default this flag is on.
Only allow communication with non-isolated bridge ports when enabled.
Enforce a specific MAC to these ports.
Reverse Path filtering is a method used by the Linux Kernel to help prevent attacks used by Spoofing IP Addresses.
Shall the port have a vlan tag.
This section describes the IPv4 properties of a logical interface.
This option defines the method by which the IPv4 address of the interface is chosen.
"static"
This option defines the static IPv4 of the logical interface in CIDR notation. auto/24 can be used, causing the configuration layer to automatically use and address range from globals.ipv4-network.
"auto/24"
This option defines the static IPv4 gateway of the logical interface.
"192.168.1.1"
include the devices hostname inside DHCP requests
true
Include the provided vendor-class inside DHCP requests
"OpenLAN"
Define additional DHCP options to request inside DHCP requests
Value must be greater or equal to 1 and lesser or equal to 255
43
Define which DNS servers shall be used. This can either be a list of static IPv4 addresse or dhcp (use the server provided by the DHCP lease)
"8.8.8.8"
"4.4.4.4"
This option only applies to "downstream" interfaces. The downstream interface will prevent traffic going out to the listed CIDR4s. This can be used to prevent a guest / captive interface being able to communicate with RFC1918 ranges.
"192.168.0.0/16"
"10.0.0.0/8"
This section describes the DHCP server configuration
The last octet of the first IPv4 address in this DHCP pool.
10
The number of IPv4 addresses inside the DHCP pool.
100
How long the lease is valid before a RENEW must be issued.
The DNS server sent to clients as DHCP option 6.
This section describes the static DHCP leases of this logical interface.
The MAC address of the host that this lease shall be used for.
"00:11:22:33:44:55"
The offset of the IP that shall be used in relation to the first IP in the available range.
10
How long the lease is valid before a RENEW muss ne issued.
Shall the hosts hostname be made available locally via DNS.
This section describes an IPv4 port forwarding.
The layer 3 protocol to match.
The external port(s) to forward.
The internal IP to forward to. The address will be masked and concatenated with the effective interface subnet.
The internal port to forward to. Defaults to the external port if omitted.
This section describes the IPv6 properties of a logical interface.
This option defines the method by which the IPv6 subnet of the interface is acquired. In static addressing mode, the specified subnet and gateway, if any, are configured on the interface in a fixed manner. Also - if a prefix size hint is specified - a prefix of the given size is allocated from each upstream received prefix delegation pool and assigned to the interface. In dynamic addressing mode, a DHCPv6 client will be launched to obtain IPv6 prefixes for the interface itself and for downstream delegation. Note that dynamic addressing usually only ever makes sense on upstream interfaces.
This option defines a static IPv6 prefix in CIDR notation to set on the logical interface. A special notation "auto/64" can be used, causing the configuration agent to automatically allocate a suitable prefix from the IPv6 address pool specified in globals.ipv6-network. This property only applies to static addressing mode. Note that this is usually not needed due to DHCPv6-PD assisted prefix assignment.
"auto/64"
This option defines the static IPv6 gateway of the logical interface. It only applies to static addressing mode. Note that this is usually not needed due to DHCPv6-PD assisted prefix assignment.
"2001:db8:123:456::1"
For dynamic addressing interfaces, this property specifies the prefix size to request from an upstream DHCPv6 server through prefix delegation. For static addressing interfaces, it specifies the size of the sub-prefix to allocate from the upstream-received delegation prefixes for assignment to the logical interface.
Value must be greater or equal to 0 and lesser or equal to 64
This section describes the DHCPv6 server configuration
Specifies the DHCPv6 server operation mode. When set to "stateless", the system will announce router advertisements only, without offering stateful DHCPv6 service. When set to "stateful", emitted router advertisements will instruct clients to obtain a DHCPv6 lease. When set to "hybrid", clients can freely chose whether to self-assign a random address through SLAAC, whether to request an address via DHCPv6, or both. For maximum compatibility with different clients, it is recommended to use the hybrid mode. The special mode "relay" will instruct the unit to act as DHCPv6 relay between this interface and any of the IPv6 interfaces in "upstream" mode.
Overrides the DNS server to announce in DHCPv6 and RA messages. By default, the device will announce its own local interface address as DNS server, essentially acting as proxy for downstream clients. By specifying a non-empty list of IPv6 addresses here, this default behaviour can be overridden.
Selects a specific downstream prefix or a number of downstream prefix ranges to announce in DHCPv6 and RA messages. By default, all prefixes configured on a given downstream interface are advertised. By specifying an IPv6 prefix in CIDR notation here, only prefixes covered by this CIDR are selected.
This section describes an IPv6 port forwarding.
The layer 3 protocol to match.
The external port(s) to forward.
The internal IP to forward to. The address will be masked and concatenated with the effective interface subnet.
The internal port to forward to. Defaults to the external port if omitted.
This section describes an IPv6 traffic accept rule.
The layer 3 protocol to match.
The source IP to allow traffic from.
The source port(s) to accept.
Must contain a minimum of 1 items
The destination IP to allow traffic to. The address will be masked and concatenated with the effective interface subnet.
The destination ports to accept.
Must contain a minimum of 1 items
This Object defines the properties of a broad-band uplink.
This uplink uses WWAN/LTE
Specific value:"wwan" The local protocol that the modem supports.
Commonly known as APN. The name of a gateway between a mobile network and the internet.
The authentication mode that shall be used.
The PIN that shall be used to unlock the SIM card.
This option is only required if an authentication-type is defined.
This option is only required if an authentication-type is defined.
Define what kind of IP stack shall be used.
This Object defines the properties of a PPPoE uplink.
This uplink uses PPPoE
Specific value:"pppoe" The username used to authenticate.
The password used to authenticate.
A device has certain properties that describe its identity and location. These properties are described inside this object.
An SSID can have a special purpose such as the hidden on-boarding BSS. All purposes other than "user-defined" are static pre-defined configurations.
The broadcasted SSID of the wireless network and for for managed mode the SSID of the network you’re connecting to
Must be at least 1 characters long
Must be at most 32 characters long
The band that the SSID should be broadcasted on. The configuration layer will use the first matching band.
Selects the operation mode of the wireless network interface controller.
Override the BSSID of the network, only applicable in adhoc or sta mode.
Isolates wireless clients from each other on this BSS.
Isolate the BSS from all other members on the bridge apart from the first wired port.
Unscheduled Automatic Power Save Delivery.
Set the RTS/CTS threshold of the BSS.
Value must be greater or equal to 1 and lesser or equal to 65535
This option will make the unit braodcast the time inside its beacons.
Convert multicast traffic to unicast on this BSS.
The services that shall be offered on this logical interface. These are just strings such as "wifi-steering"
"wifi-steering"
Set the DTIM (delivery traffic information message) period. There will be one DTIM per this many beacon frames. This may be set between 1 and 255. This option only has an effect on ap wifi-ifaces.
Value must be greater or equal to 1 and lesser or equal to 255
Set the maximum number of clients that may connect to this VAP.
Proxy ARP is the technique in which the host router, answers ARP requests intended for another machine.
The maximum interval for FILS discovery announcement frames. This is a condensed beacon used in 6GHz channels for passive BSS discovery.
Value must be lesser or equal to 20
A device has certain properties that describe its identity and location. These properties are described inside this object.
Same definition as definitions_wireless-encryption_pattern1A SSID can have multiple PSK/VID mappings. Each one of them can be bound to a specific MAC or be a wildcard.
The Pre Shared Key (PSK) that is used for encryption on the BSS when using any of the WPA-PSK modes.
Must be at least 8 characters long
Must be at most 63 characters long
Value must be lesser or equal to 4096
3
100
200
4094
Enable 802.11k Radio Resource Management (RRM) for this BSS.
Enable neighbor report via radio measurements (802.11k).
Enable reduced neighbor reports.
The content of a LCI measurement subelement
The content of a location civic measurement subelement
Publish fine timing measurement (FTM) responder functionality on this BSS.
Stationary AP config indicates that the AP doesn't move.
The UE rate-limiting configuration of this BSS.
The ingress rate to which hosts will be shaped. Values are in Mbps
The egress rate to which hosts will be shaped. Values are in Mbps
Enable 802.11r Fast Roaming for this BSS.
Shall the pre authenticated message exchange happen over the air or distribution system.
Whether to generate FT response locally for PSK networks. This avoids use of PMK-R1 push/pull from other APs with FT-PSK networks.
Mobility Domain identifier (dot11FTMobilityDomainID, MDID).
"abcd"
The pairwise master key R0. This is unique to the mobility domain and is required for fast roaming over the air. If the field is left empty a deterministic key is generated.
The pairwise master key R1. This is unique to the mobility domain and is required for fast roaming over the air. If the field is left empty a deterministic key is generated.
The AES-256 shared amongst a mobility domain. The R0/1K key pairs will be autogenerated based on this value.
Enable 802.11r Fast Roaming for this BSS. This will enable "auto" mode which will work for most scenarios.
When using EAP encryption we need to provide the required information allowing us to connect to the AAA servers.
NAS-Identifier string for RADIUS messages. When used, this should be unique to the NAS within the scope of the RADIUS server.
This will enable support for Chargeable-User-Identity (RFC 4372).
Describe the properties of the local Radius server inside hostapd.
EAP methods that provide mechanism for authenticated server identity delivery use this value.
Specifies a collection of local EAP user/psk/vid triplets.
Describes a local EAP user/psk/vid triplet.
Must be at least 1 characters long
Must be at least 8 characters long
Must be at most 63 characters long
Value must be lesser or equal to 4096
3
100
200
4094
Describe the properties of a Radius server.
The URI of our Radius server.
"192.168.1.10"
The network port of our Radius server.
Value must be greater or equal to 1024 and lesser or equal to 65535
1812
The shared Radius authentication secret.
"secret"
Definition of the secondary/failsafe radius server.
The URI of our Radius server.
"192.168.1.10"
The network port of our Radius server.
Value must be greater or equal to 1024 and lesser or equal to 65535
1812
The shared Radius authentication secret.
"secret"
The additional Access-Request attributes that gets sent to the server.
The ID of the vendor specific RADIUS attribute
Value must be greater or equal to 1 and lesser or equal to 65535
The numeric RADIUS attribute value
The ID of the vendor specific RADIUS attribute
Value must be greater or equal to 1 and lesser or equal to 255
The vendor specific RADIUS attribute value. This needs to be a hexadecimal string.
{
"id": 27,
"value": 900
}
{
"id": 56,
"value": 1004
}
The ID of the RADIUS attribute
Value must be greater or equal to 1 and lesser or equal to 255
The numeric RADIUS attribute value
Value must be greater or equal to 0 and lesser or equal to 4294967295
{
"id": 32,
"value": "My NAS ID"
}
{
"id": 126,
"value": "Example Operator"
}
The ID of the RADIUS attribute
Value must be greater or equal to 1 and lesser or equal to 255
The RADIUS attribute value string
{
"id": 32,
"value": "0a0b0c0d"
}
The ID of the RADIUS attribute
Value must be greater or equal to 1 and lesser or equal to 255
The RADIUS attribute value string
Should the radius server be used for MAC address ACL.
Describe the properties of a Radius server.
Same definition as interfaces_items_ssids_items_radius_authentication_allOf_i0The interim accounting update interval. This value is defined in seconds.
Value must be greater or equal to 60 and lesser or equal to 600
The credentials used when health check probes this radius server.
The username that gets used when doing a healthcheck on this radius server.
The password that gets used when doing a healthcheck on this radius server.
When running a local EAP server or using STA/MESH to connect to another BSS a set of certificates is required.
The device will use its local certificate bundle for the TLS setup and ignores all other certificate options in this section.
The local servers CA bundle.
The local servers certificate.
The local servers private key/
The password required to read the private key.
Enable Hotspot 2.0 support.
This parameter can be used to configure one or more Venue Name Duples for Venue Name ANQP information.
The available values are defined in 802.11u.
Value must be lesser or equal to 32
The available values are defined in IEEE Std 802.11u-2011, 7.3.1.34
Value must be lesser or equal to 32
This parameter can be used to configure one or more Venue URL Duples to provide additional information corresponding to Venue Name information.
This parameter indicates what type of network authentication is used in the network.
Specifies the specific network authentication type in use.
Specifies the redirect URL applicable to the indicated authentication type.
"https://operator.example.org/wireless-access/terms-and-conditions.html"
"http://www.example.com/redirect/me/here/"
The IEEE 802.11u Domain Name.
NAI Realm information
OSU Server-Only Authenticated L2 Encryption Network;
ANQP Domain ID, An identifier for a set of APs in an ESS that share the same common ANQP information.
Value must be greater or equal to 0 and lesser or equal to 65535
The ANQP 3GPP Cellular Network information.
This parameter can be used to configure one or more Operator Friendly Name Duples.
Indicate the type of network. This is part of the interworking IE.
Value must be lesser or equal to 15
Whether the network provides connectivity to the Internet
Additional Step Required for Access.
Emergency services reachable.
Unauthenticated emergency service accessible.
Homogeneous ESS identifier
Roaming Consortium OIs can be configured here. Each OI is between 3 and 15 octets and is configured as a hexstring.
Disable Downstream Group-Addressed Forwarding. This can be used to configure a network where no group-addressed frames are allowed.
IP Address Type Availability.
Value must be lesser or equal to 255
This can be used to advertise what type of IP traffic can be sent through the hotspot.
The operator icons.
{
"width": 32,
"height": 32,
"type": "image/png",
"language": "eng",
"icon": "R0lGODlhEAAQAMQAAORHHOVSKudfOulrSOp3WOyDZu6QdvCchPGolfO0o/XBs/fNwfjZ0frl3/zy7////wAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACH5BAkAABAALAAAAAAQABAAAAVVICSOZGlCQAosJ6mu7fiyZeKqNKToQGDsM8hBADgUXoGAiqhSvp5QAnQKGIgUhwFUYLCVDFCrKUE1lBavAViFIDlTImbKC5Gm2hB0SlBCBMQiB0UjIQA7"
}
The width of the operator icon in pixel
64
The height of the operator icon in pixel
64
The mimetype of the operator icon
"image/png"
The base64 encoded image
ISO 639-2 language code of the icon
Must match regular expression:^[a-z][a-z][a-z]$ "eng"
"fre"
"ger"
"ita"
A description of the wan metric offered by this device.
The state of the devices uplink
Estimate of WAN backhaul link current downlink speed in kbps.
Estimate of WAN backhaul link current uplink speed in kbps.
The thresholds that need to be meet for a clien association to be allowed.
Probe requests will be ignored if the rssi is below this threshold.
Association requests will be denied if the rssi is below this threshold.
Clients will get kicked if their SNR drops below this value.
The duration that a client is banned from re-joining after it was kicked.
The MAC ACL that defines which clients are allowed or denied to associations.
Defines if this is an allow or deny list.
Association requests will be denied if the rssi is below this threshold.
This section can be used to setup a captive portal on the AP with a click-to-continue splash page.
This field must be set to 'click-to-continue'
Specific value:"click-to-continue" This section can be used to setup a captive portal on the AP with a click-to-continue splash page.
This field must be set to 'radius'
Specific value:"radius" The URI of our Radius Authentication server.
"192.168.1.10"
The network port of our Radius Authentication server.
Value must be greater or equal to 1024 and lesser or equal to 65535
The shared Radius authentication Authentication secret.
"secret"
The URI of our Radius Authentication server.
"192.168.1.10"
The network port of our Radius Authentication server.
Value must be greater or equal to 1024 and lesser or equal to 65535
The shared Radius authentication Authentication secret.
"secret"
The timeout used for interim messages.
This section can be used to setup a captive portal on the AP with a credentials splash page.
This field must be set to 'credentials'
Specific value:"credentials" The list of local username/password pairs that can be used to login.
This section can be used to setup a captive portal on the AP with a remote UAM server.
This field must be set to 'uam'
Specific value:"uam" The local UAM port.
Value must be greater or equal to 1024 and lesser or equal to 65535
The pre-shared UAM secret.
The fqdn of the UAM server.
The NASID that gets sent to the UAM server.
The NAS MAC that gets send to the UAM server. The devices serial is used if this value is not provided.
The URI of our Radius Authentication server.
"192.168.1.10"
The network port of our Radius Authentication server.
Value must be greater or equal to 1024 and lesser or equal to 65535
The shared Radius authentication Authentication secret.
"secret"
The URI of our Radius Authentication server.
"192.168.1.10"
The network port of our Radius Authentication server.
Value must be greater or equal to 1024 and lesser or equal to 65535
The shared Radius authentication Authentication secret.
"secret"
The timeout used for interim messages.
The name of the SSID that shall be sent as part of the UAM redirect.
Defines the format used to send the MAC address inside AAA frames.
Define the behaviour off the final redirect. Default will honour "userurl" and fallback to "local". Alternatively it is possible to force a redirect to the "UAM" or "local" URL.
Try to authenticate new clients using macauth.
Tunnel all radius traffic via the radius-gw-proxy.
The list of FQDNs that a non-authenticated client is allowed to connect to.
The list of IP addresses that a non-authenticated client is allowed to connect to.
A base64 encoded TAR file with the custom web-root.
A URL where the webroot should be downloaded from.
The SHA256 of the file located at web-root-url.
How long may a client be idle before getting removed.
How long may a client be idle before getting removed.
Setup additional VLANs inside the bridge
This array allows passing raw hostapd.conf lines.
"ap_table_expiration_time=3600"
"device_type=6-0050F204-1"
"ieee80211h=1"
"rssi_ignore_probe_request=-75"
"time_zone=EST5"
"uuid=12345678-9abc-def0-1234-56789abcdef0"
"venue_url=1:http://www.example.com/info-eng"
"wpa_deny_ptk0_rekey=0"
This Object defines the properties of a mesh interface overlay.
This field must be set to mesh.
Specific value:"mesh" This Object defines the properties of a vxlan tunnel.
This field must be set to vxlan.
Specific value:"vxlan" This is the IP address of the remote host, that the VXLAN tunnel shall be established with.
The network port that shall be used to establish the VXLAN tunnel.
Value must be greater or equal to 1 and lesser or equal to 65535
4789
This Object defines the properties of a l2tp tunnel.
This field must be set to vxlan.
Specific value:"l2tp" This is the IP address of the remote host, that the L2TP tunnel shall be established with.
The username used to authenticate.
The password used to authenticate.
This Object defines the properties of a GRE tunnel.
This field must be set to gre.
Specific value:"gre" This is the IP address of the remote host, that the GRE tunnel shall be established with.
Healthcheck will probe if the remote peer replies to DHCP discovery without sending an ACK.
Set “Don't Fragment” flag on encapsulated packets.
This Object defines the properties of a GREv6 tunnel.
This field must be set to gre6.
Specific value:"gre6" This is the IPv6 address of the remote host, that the GRE tunnel shall be established with.
Healthcheck will probe if the remote peer replies to DHCP discovery without sending an ACK.
This section describes all of the services that may be present on the AP. Each service is then referenced via its name inside an interface, ssid, ...
The LLDP description field. If set to "auto" it will be derived from unit.name.
The LLDP location field. If set to "auto" it will be derived from unit.location.
This section can be used to setup a SSH server on the AP.
This option defines which port the SSH server shall be available on.
Value must be lesser or equal to 65535
This option defines if password authentication shall be enabled. If set to false, only ssh key based authentication is possible.
This section can be used to setup the upstream NTP servers.
This is an array of URL/IP of the upstream NTP servers that the unit shall use to acquire its current time.
"0.openwrt.pool.ntp.org"
This section can be used to configure the MDNS server.
Enable this option if you would like to enable the MDNS server on the unit.
This section can be used to setup a persistent connection to a rTTY server.
The server that the device shall connect to.
"192.168.1.10"
This option defines the port that device shall connect to.
Value must be lesser or equal to 65535
The security token that shall be used to authenticate with the server.
Must be at least 32 characters long
Must be at most 32 characters long
"01234567890123456789012345678901"
Shall the connection enforce mTLS
This section can be used to configure remote syslog support.
IP address of a syslog server to which the log messages should be sent in addition to the local destination.
"192.168.1.10"
Port number of the remote syslog server specified with log_ip.
Value must be greater or equal to 100 and lesser or equal to 65535
2000
Sets the protocol to use for the connection, either tcp or udp.
Size of the file based log buffer in KiB. This value is used as the fallback value for logbuffersize if the latter is not specified.
Value must be greater or equal to 32
Filter messages by their log priority. the value maps directly to the 0-7 range used by syslog.
Value must be greater or equal to 0
Enable the webserver with the on-boarding webui
The port that the HTTP server should run on.
Value must be greater or equal to 1 and lesser or equal to 65535
This section allows enabling the IGMP/Multicast proxy
This option defines if the IGMP/Multicast proxy shall be enabled on the device.
This section allows enabling wired ieee802.1X
This field must be set to 'radius or user'
Specifies a list of ports that we want to filter.
{
"LAN1": null
}
Specifies a collection of local EAP user/psk/vid triplets.
Describes a local EAP user/psk/vid triplet.
Same definition as interfaces_items_ssids_items_radius_local_users_itemsSpecifies the information about radius account authentication and accounting
NAS-Identifier string for RADIUS messages. When used, this should be unique to the NAS within the scope of the RADIUS server.
The URI of our Radius server.
"192.168.1.10"
The network port of our Radius server.
Value must be greater or equal to 1024 and lesser or equal to 65535
1812
The shared Radius authentication secret.
"secret"
The URI of our Radius server.
"192.168.1.10"
The network port of our Radius server.
Value must be greater or equal to 1024 and lesser or equal to 65535
1813
The shared Radius accounting secret.
"secret"
The URI of our Radius server.
"192.168.1.10"
The network port of our Radius server.
Value must be greater or equal to 1024 and lesser or equal to 65535
1814
The shared Radius accounting secret.
"secret"
Trigger mac-auth when a new ARP is learned.
This section can be used to setup a radius security proxy instance (radsecproxy).
The radius secret used to communicate with the proxy.
The various realms that we can proxy to.
Defines whether the real should use radsec or normal radius.
The realm that that this server shall be used for.
Auto discover radsec server address via realm DNS NAPTR record.
The remote proxy server that the device shall connect to.
"192.168.1.10"
The remote proxy port that the device shall connect to.
Value must be lesser or equal to 65535
The radius secret that will be used for the connection.
The device will use its local certificate bundle for the TLS setup and ignores all other certificate options in this section.
The local servers CA bundle.
The local servers certificate.
The local servers private key/
The password required to read the private key.
Defines whether the real should use radsec or normal radius.
The realm that that this server shall be used for.
The URI of our Radius server.
"192.168.1.10"
The network port of our Radius server.
Value must be greater or equal to 1024 and lesser or equal to 65535
1812
The shared Radius authentication secret.
"secret"
The URI of our Radius server.
"192.168.1.10"
The network port of our Radius server.
Value must be greater or equal to 1024 and lesser or equal to 65535
1812
The shared Radius authentication secret.
"secret"
Defines whether the real should use radsec or normal radius.
The realm that that this server shall be used for.
The message that is sent when a realm is blocked.
This section can be used to configure the online check service.
Hosts that shall be pinged to find out if we are online.
"192.168.1.10"
URLs to which a http/s connection shall be established to find out if we are online. The service will try to download http://$string/online.txt and expects the content of that file to be "Ok". HTTP 30x is support allowing https redirects.
"www.example.org"
The interval in seconds in between each online-check.
How often does the online check need to fail until the system assumes that it has lost online connectivity.
The action that the device shall execute when it has detected that it is not online.
This section can be used to define eBPF and cBPF blobs that shall be loaded for virtual data-planes and SDN.
A list of programs that can be loaded as ingress filters on interfaces.
The name of the ingress filter.
The base64 encoded xBPF.
This section describes the band steering behaviour of the unit.
Wifi sterring can happen either locally or via the backend gateway.
"local"
Allow rejecting assoc requests for steering purposes.
Minimum required signal level (dBm) for connected clients. If the client will be kicked if the SNR drops below this value.
Minimum required signal level (dBm) to allow connections. If the SNR is below this value, probe requests will not be replied to.
Minimum required signal level (dBm) before an attempt is made to roam the client to a better AP.
Minimum channel load (%) before kicking clients
Allow multiple instances of the steering daemon to coordinate the best channel usage amongst eachother.
Use IPv6 multicast to communicate with remote usteerd instances, rather than IPv4 broadcast.
This section describes the QoS behaviour of the unit.
The physical network devices that shall be considered the primary uplink interface. All classification and shaping will happen on this device.
Defines the upload bandwidth of this device. If it is not known or the device is attached to a shared medium, this value needs to be 0.
Defines the download bandwidth of this device. If it is not known or the device is attached to a shared medium, this value needs to be 0.
The QoS feature can automatically detect and classify bulk flows. This is based on average packet size and PPS.
The differentiated services code point that shall be assigned to packets that belong to a bulk flow.
The required PPS rate that will cause a flow to be classified as bulk.
A list of predefined named services that shall be classified according to the communities DB.
A list of classifiers. Each classifier will map certain traffic to specific ToS/DSCP values based upon the defined constraints.
The differentiated services code point that shall be assigned to packet that match the rules of this entry.
Same definition as dscpEach entry defines a layer3 protocol and a port(range) that will be used to match packets.
The port match can apply for TCP, UDP or any IP protocol.
The port of this match rule.
The last port of this match rule if it is a port range.
Ignore the ToS/DSCP of packets and reclassify them.
Each entry defines a wildcard FQDN. The IP that this resolves to will be used to match packets.
Match for all suffixes of the FQDN.
Ignore the ToS/DSCP of packets and reclassify them.
This section describes the FaceBook Wifi behaviour of the unit.
The Vendors ID.
The Gateways ID.
The Device specific secret
This section describes the vlan behaviour of a logical network interface.
Voice traffic does not get aggregated. As voice and video are both considered priotity voice is considered to have a heavier weight when calculation priority average.
The amount of packets that need to be received for a specific type of traffic before new averageg is calculated.
This option is a percentual value. If more the X% of the traffic is bulk, we assign the bulk weight.
This option is a percentual value. If more the X% of the traffic is priority, we assign the priority weight. Priority classification will take precedence over bulk.
The default ATF weight that UEs get assigned.
The default ATF weight that UEs get assigned when priority traffic above the configured percentage is detected.
The default ATF weight that UEs get assigned when bulk traffic above the configured percentage is detected.
This Object defines the properties of a wireguard-overlay.
This field must be set to wireguard-overlay.
Specific value:"wireguard-overlay" The private key of the device. This key is used to lookup the host entry inside the config.
The network port that shall be used to establish the wireguard tunnel.
Value must be greater or equal to 1 and lesser or equal to 65535
The network port that shall be used to exchange peer data inside the tunnel.
Value must be greater or equal to 1 and lesser or equal to 65535
The descritption of the root node of the overlay.
The public key of the host.
The public IP of the host (optional).
The list of private IPs that a host is reachable on inside the overlay.
The list of all known hosts inside the overlay.
The unique name of the host.
The public key of the host.
The public IP of the host (optional).
The list of subnets that shall be routed to this host.
The list of private IPs that a host is reachable on inside the overlay.
The descritption of the root node of the overlay.
The network port that shall be used to establish the vxlan overlay.
Value must be greater or equal to 1 and lesser or equal to 65535
The MTU that shall be used by the vxlan tunnel.
Value must be greater or equal to 256 and lesser or equal to 65535
If set to true hosts will only be able to talk with the root node and not forward L@ traffic between each other.
This section can be used to configure a GPS dongle
Adjust the systems clock upon a successful GPS lock.
The baudrate used by the attached GPS dongle
Define the vlans on which the dhcp shall be relayed.
The list of physical network devices that shall be used to fwd the DHCP frames.
The list of all vlans
The vlan id.
The unicast target DHCP pool server where frames get relayed to.
This option selects what info shall be contained within a relayed frame's circuit ID.
This option selects what info shall be contained within a relayed frame's remote ID.
The name of the admin ssid.
Must be at least 1 characters long
Must be at most 32 characters long
The Pre Shared Key (PSK) that is used for encryption on the BSS.
Must be at least 8 characters long
Must be at most 63 characters long
The band that the SSID should be broadcasted on. The configuration layer will use the first matching band.
The admin-ui will be spawned when this offline threshold was exceeded.
This section describes the band steering behaviour of the unit.
Tell stations to send a beacon request scan when they associate.
Periodically send station statistics every N seconds.
RRM policy based on Channel Utilization for optimization.
The interval to check channel utilization (in seconds).
Value must be greater or equal to 240
The airtime utilization threshold.
Value must be greater or equal to 0 and lesser or equal to 99
50
The number of times the Channel Utilization is higher than the threshold before triggering channel optimization.
Value must be greater or equal to 1
The algorithm for channel optimization.
"rcs"
"acs"
This section can be used to configure device fingerprinting.
Enable this option if you would like to enable the MDNS server on the unit.
The minimum age a fingerprint must have before it is reported.
The age at which fingerprints get flushed from the local state.
This value defines the period at which entries get reported.
Allow fingerprinting devices found on the WAN port.
There are several types of mertics that shall be reported in certain intervals. This section provides a granual configuration.
Statistics are traffic counters, neighbor tables, ...
The reporting interval defined in seconds.
Value must be greater or equal to 60
A list of names of subsystems that shall be reported periodically.
Health check gets executed periodically and will report a health value between 0-100 indicating how healthy the device thinks it is
The reporting interval defined in seconds.
Value must be greater or equal to 60
This is makes the AP probe local downstream DHCP servers.
This is makes the AP probe remote upstream DHCP servers.
This is makes the AP probe DNS servers.
This is makes the AP probe DNS servers.
Define which types of ieee802.11 management frames shall be sent up to the controller.
A list of the management frames types that shall be sent to the backend.
DHCP snooping allows us to intercept DHCP packages on interface that are bridged, where DHCP is not offered as a service by the AP.
A list of the message types that shall be sent to the backend.
Define the behaviour of the periodic wifi scanning interface.
The periodicity at which the scan shall be performed.
Add capabilities, v/ht_oper, ... to the resulting scan info.
Add all IEs to the resulting scan info.
Configure the unsolicited telemetry stream.
The reporting interval defined in seconds.
The event types that get added to telemetry.
Configure the realtime events that get sent to the cloud.
The event types that get added to telemetry.
This object allows passing raw uci commands, that get applied after all the other configuration was ben generated.
Must contain a minimum of 2 items
[
"set",
"system.@system[0].timezone",
"GMT0"
]
[
"delete",
"firewall.@zone[0]"
]
[
"delete",
"dhcp.wan"
]
[
"add",
"dhcp",
"dhcp"
]
[
"add-list",
"system.ntp.server",
"0.pool.example.org"
]
[
"del-list",
"system.ntp.server",
"1.openwrt.pool.ntp.org"
]
A device has certain properties that describe its identity and location. These properties are described inside this object.
How long can the device be offline before it enters orphan state.
The interval at which an orphaned device will try to discover the cloud.
How long the client has time to connect to the cloud before discovery is restarted.
Additional Properties of any type are allowed.
Type: object