OpenWrt uconfig schema
The device will reject any configuration that causes warnings if strict mode is enabled.
The unique ID of the configuration. This is the unix timestamp of when the config was created.
A device has certain properties that describe its identity and location. These properties are described inside this object.
The hostname that shall be set on the device. If this field is not set, then the device's serial number is used.
This allows you to change the TZ of the device. This is used to derive the wifi RegDB settings.
"UTC"
"EST5"
"CET-1CEST,M3.5.0,M10.5.0/3"
This allows forcing all LEDs off.
The password that shall be set on the device. This needs to be the hash that can be found on /etc/shadow.
"$5$W6IguIG.fr6rP8oD$7SE7nHa0gpU7s9klNAOOwR.d4XDlCQDbKWZWW1C1H9A"
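Added example (not part of the uconfig project or this schema page): a pre-deployment check that a value destined for the password field is a well-formed crypt(3) hash of the kind stored in /etc/shadow, not a plaintext password. The function name, the scheme table and the decision to reject md5crypt are assumptions of this example.

```python
import re

B64 = "[./0-9A-Za-z]"  # alphabet used by crypt(3) salts and digests
# scheme id -> (name, max salt length, digest length, rejected as weak by this example)
SCHEMES = {
    "1": ("md5crypt", 8, 22, True),
    "5": ("sha256crypt", 16, 43, False),
    "6": ("sha512crypt", 16, 86, False),
}
# bcrypt: "$2b$", two-digit cost, then 22 salt + 31 digest characters
BCRYPT = re.compile(r"^\$2[aby]\$(\d{2})\$" + B64 + "{53}$")


def check_shadow_hash(value):
    """Return (ok, detail) for a string meant for the password field."""
    if not isinstance(value, str) or not value.startswith("$"):
        return False, "not a crypt(3) hash (plaintext, empty or locked entry)"
    m = BCRYPT.match(value)
    if m:
        return True, "bcrypt cost=%d" % int(m.group(1))
    parts = value.split("$")  # "$5$salt$digest" -> ["", "5", "salt", "digest"]
    if len(parts) < 4 or parts[1] not in SCHEMES:
        return False, "unknown or truncated scheme"
    name, salt_max, digest_len, weak = SCHEMES[parts[1]]
    rest, rounds = parts[2:], None
    # sha256crypt/sha512crypt allow an optional "rounds=N" field before the salt
    if parts[1] in ("5", "6") and rest[0].startswith("rounds="):
        if not rest[0][7:].isdigit():
            return False, "malformed rounds field"
        rounds, rest = int(rest[0][7:]), rest[1:]
    if len(rest) != 2:
        return False, "expected exactly a salt and a digest"
    salt, digest = rest
    if not re.fullmatch(B64 + "{1,%d}" % salt_max, salt):
        return False, "bad salt"
    if not re.fullmatch(B64 + "{%d}" % digest_len, digest):
        return False, "bad digest length or alphabet for " + name
    if weak:
        return False, name + " is rejected as too weak"
    return True, name + (" rounds=%d" % rounds if rounds else "")


# The sha256crypt sample value shown on this page
PAGE_EXAMPLE = "$5$W6IguIG.fr6rP8oD$7SE7nHa0gpU7s9klNAOOwR.d4XDlCQDbKWZWW1C1H9A"

if __name__ == "__main__":
    # The second and third candidates are constructed for this example
    for candidate in (PAGE_EXAMPLE, "Summer2024!", "$1$saltsalt$" + "a" * 22):
        print(candidate[:20], check_shadow_hash(candidate))
```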
Require username/password login on tty/S ports.
All properties whose name matches the following regular expression must respect the following conditions
Property name regular expression: .+
Describe a physical radio on the AP. A radio is the parent of several VAPs. They all share the same physical properties.
Specifies the wireless band to configure the radio for. Available radio device phys on the target system are matched by the wireless band given here. If multiple radio phys support the same band, the settings specified here will be applied to all of them.
Specifies the wireless channel to use. A value of 'auto' starts the ACS algorithm.
Value must be greater or equal to 1 and lesser or equal to 196
"auto"
Define the ideal channel mode that the radio shall use. This can be 802.11n, 802.11ac or 802.11ax. This is just a hint for the AP. If the requested value is not supported then the AP will use the highest common denominator.
The channel width that the radio shall use. This is just a hint for the AP. If the requested value is not supported then the AP will use the highest common denominator.
Pass a list of valid-channels that can be used during ACS.
Value must be greater or equal to 1 and lesser or equal to 196
This property defines whether a radio may use DFS channels.
Stations that do not fulfill these HT modes will be rejected.
This option specifies the transmission power in dBm
Value must be greater or equal to 0 and lesser or equal to 30
The rate configuration of this BSS.
The beacon rate that shall be used by the BSS. Values are in Mbps.
The multicast rate that shall be used by the BSS. Values are in Mbps.
Allow legacy 802.11b data rates.
Set the maximum number of clients that may connect to this radio. This value is accumulative for all attached VAP interfaces.
Enabling this option will make the PHY broadcast its BSSs using the multiple BSSID beacon IE.
All properties whose name matches the following regular expression must respect the following conditions
Property name regular expression: .+
This section describes the logical network interfaces of the device. Each interface has a primary role such as upstream, downstream, guest, ...
The role defines if the interface is upstream or downstream facing.
Allows disabling an SSID from the UI.
This section describes the IPv4 properties of a logical interface.
This option defines the method by which the IPv4 address of the interface is chosen.
"static"
This option defines the static IPv4 of the logical interface in CIDR notation. auto/24 can be used, causing the configuration layer to automatically use an address range from globals.ipv4-network.
"auto/24"
This option defines the static IPv4 gateway of the logical interface.
"192.168.1.1"
Include the device's hostname inside DHCP requests.
true
Define which DNS servers shall be used. This can either be a list of static IPv4 addresses or dhcp (use the server provided by the DHCP lease).
"8.8.8.8"
"4.4.4.4"
This option only applies to "downstream" interfaces. The downstream interface will prevent traffic going out to the listed CIDR4s. This can be used to prevent a guest / captive interface being able to communicate with RFC1918 ranges. Setting this option to 'true' will block all RFC1918 ranges.
"192.168.0.0/16"
"172.16.0.0/12"
"10.0.0.0/8"
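Added example (not part of the uconfig project): a model of the block-list semantics described above, used to check before deployment which RFC1918 space a downstream interface could still reach. The function names are assumptions of this example, and how the device turns the list into firewall rules is not shown on this page.

```python
import ipaddress

# The three private IPv4 ranges defined by RFC1918 (also the sample values above)
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def expand(option):
    """Turn the option (True or a list of CIDR4 strings) into networks.

    IPv4Network is strict by default, so a typo with host bits set such as
    "192.168.1.1/16" raises ValueError instead of being silently widened.
    """
    if option is True:
        return list(RFC1918)
    return [ipaddress.IPv4Network(cidr) for cidr in option]


def is_blocked(dst, option):
    """True if traffic to dst would fall inside one of the listed CIDR4s."""
    addr = ipaddress.IPv4Address(dst)
    return any(addr in net for net in expand(option))


def uncovered_private(option):
    """Return the RFC1918 networks that the list does NOT cover."""
    remaining = list(RFC1918)
    for blocked in expand(option):
        still_open = []
        for net in remaining:
            if net.subnet_of(blocked):
                continue  # this private range is fully blocked
            if blocked.subnet_of(net):
                # only part of the range is blocked: keep the rest
                still_open.extend(net.address_exclude(blocked))
            else:
                still_open.append(net)  # no overlap
        remaining = still_open
    return sorted(remaining)


if __name__ == "__main__":
    # Constructed guest-network list that forgets two of the three ranges
    partial = ["192.168.0.0/16"]
    print("reachable private space:", [str(n) for n in uncovered_private(partial)])
    print("172.20.1.5 blocked:", is_blocked("172.20.1.5", partial))
    print("with 'true':", uncovered_private(True))
```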
This section describes the DHCP server configuration
The last octet of the first IPv4 address in this DHCP pool.
10
The number of IPv4 addresses inside the DHCP pool.
100
How long the lease is valid before a RENEW must be issued.
The DNS server sent to clients as DHCP option 6.
All properties whose name matches the following regular expression must respect the following conditions
Property name regular expression: .+
This section describes the static DHCP leases of this logical interface.
The MAC address of the host that this lease shall be used for.
"00:11:22:33:44:55"
The offset of the IP that shall be used in relation to the first IP in the available range.
10
How long the lease is valid before a RENEW must be issued.
Shall the host's hostname be made available locally via DNS.
This section describes the IPv6 properties of a logical interface.
This option defines the method by which the IPv6 subnet of the interface is acquired. In static addressing mode, the specified subnet and gateway, if any, are configured on the interface in a fixed manner. Also - if a prefix size hint is specified - a prefix of the given size is allocated from each upstream received prefix delegation pool and assigned to the interface. In dynamic addressing mode, a DHCPv6 client will be launched to obtain IPv6 prefixes for the interface itself and for downstream delegation. Note that dynamic addressing usually only ever makes sense on upstream interfaces.
This option defines a static IPv6 prefix in CIDR notation to set on the logical interface. A special notation "auto/64" can be used, causing the configuration agent to automatically allocate a suitable prefix from the IPv6 address pool specified in globals.ipv6-network. This property only applies to static addressing mode. Note that this is usually not needed due to DHCPv6-PD assisted prefix assignment.
"auto/64"
This option defines the static IPv6 gateway of the logical interface. It only applies to static addressing mode. Note that this is usually not needed due to DHCPv6-PD assisted prefix assignment.
"2001:db8:123:456::1"
For dynamic addressing interfaces, this property specifies the prefix size to request from an upstream DHCPv6 server through prefix delegation. For static addressing interfaces, it specifies the size of the sub-prefix to allocate from the upstream-received delegation prefixes for assignment to the logical interface.
Value must be greater or equal to 0 and lesser or equal to 64
This section describes the DHCPv6 server configuration
Specifies the DHCPv6 server operation mode. When set to "stateless", the system will announce router advertisements only, without offering stateful DHCPv6 service. When set to "stateful", emitted router advertisements will instruct clients to obtain a DHCPv6 lease. When set to "hybrid", clients can freely choose whether to self-assign a random address through SLAAC, whether to request an address via DHCPv6, or both. For maximum compatibility with different clients, it is recommended to use the hybrid mode. The special mode "relay" will instruct the unit to act as DHCPv6 relay between this interface and any of the IPv6 interfaces in "upstream" mode.
Overrides the DNS server to announce in DHCPv6 and RA messages. By default, the device will announce its own local interface address as DNS server, essentially acting as proxy for downstream clients. By specifying a non-empty list of IPv6 addresses here, this default behaviour can be overridden.
Selects a specific downstream prefix or a number of downstream prefix ranges to announce in DHCPv6 and RA messages. By default, all prefixes configured on a given downstream interface are advertised. By specifying an IPv6 prefix in CIDR notation here, only prefixes covered by this CIDR are selected.
This section describes the vlan behaviour of a logical network interface.
This is the pvid of the vlan that shall be assigned to the interface. The individual physical network devices contained within the interface need to be told explicitly if egress traffic shall be tagged.
Value must be lesser or equal to 4050
Upstream interfaces can provide NAT for downstream interfaces that have a different VLAN ID.
Value must be greater or equal to 1 and lesser or equal to 4050
All properties whose name matches the following regular expression must respect the following conditions
Property name regular expression: .+
A device has certain properties that describe its identity and location. These properties are described inside this object.
Allows disabling an SSID from the UI.
An SSID can have a special purpose such as the hidden on-boarding BSS. All purposes other than "user-defined" are static pre-defined configurations.
The configuration/behaviour template used by the BSS.
The encryption strength used by this BSS when a template is selected.
The list of radios that the SSID should be broadcasted on. The configuration layer will use the first matching phy/band.
Selects the operation mode of the wireless network interface controller.
The broadcasted SSID of the wireless network and, for managed mode, the SSID of the network you’re connecting to.
Must be at least 1 character long
Must be at most 32 characters long
A device has certain properties that describe its identity and location. These properties are described inside this object.
The wireless encryption protocol that shall be used for this BSS
"psk2"
The Pre Shared Key (PSK) that is used for encryption on the BSS when using any of the WPA-PSK modes.
Must be at least 8 characters long
Must be at most 63 characters long
Enable 802.11w Management Frame Protection (MFP) for this BSS.
PMKSA created through EAP authentication and RSN preauthentication can be cached.
The name of the radius server that shall be used. The settings reside inside the configurations block of the config.
Override the BSSID of the network, only applicable in adhoc or sta mode.
Isolates wireless clients from each other on this BSS.
Convert multicast traffic to unicast on this BSS.
All properties whose name matches the following regular expression must respect the following conditions
Property name regular expression: .+
An SSID can have multiple PSK/VID mappings. Each one of them can be bound to a specific MAC or be a wildcard.
The Pre Shared Key (PSK) that is used for encryption on the BSS when using any of the WPA-PSK modes.
Must be at least 8 characters long
Must be at most 63 characters long
Value must be lesser or equal to 4096
3
100
200
4094
The UE rate-limiting configuration of this BSS.
The ingress rate to which hosts will be shaped. Values are in Mbps
The egress rate to which hosts will be shaped. Values are in Mbps
The rate to which hosts will be shaped. Values are in Mbps
Enable 802.11r Fast Roaming for this BSS.
Shall the pre authenticated message exchange happen over the air or distribution system.
Whether to generate FT response locally for PSK networks. This avoids use of PMK-R1 push/pull from other APs with FT-PSK networks.
Mobility Domain identifier (dot11FTMobilityDomainID, MDID).
Must be at least 4 characters long
Must be at most 4 characters long
"abcd"
Enable 802.11r Fast Roaming for this BSS. This will enable "auto" mode which will work for most scenarios.
The MAC ACL that defines which clients are allowed or denied association.
Defines if this is an allow or deny list.
Association requests will be denied if the rssi is below this threshold.
All properties whose name matches the following regular expression must respect the following conditions
Property name regular expression: .+
The list of physical network devices that shall serve .1x for this interface.
All properties whose name matches the following regular expression must respect the following conditions
Property name regular expression: .+
This option makes sure that any traffic leaving this interface is isolated and all local IP ranges are blocked. It essentially enforces "guest network" firewall settings.
This section describes the available upstream bandwidth in "mbit". Both values need to be enabled for DSCP classification to get enabled.
The upstream bandwidth.
The upstream bandwidth.
The services that shall be offered on this logical interface. These are just strings such as "ssh", "mdns"
"ssh"
"mdns"
An interface can be an easymesh controller, agent or both
The Easymesh backhaul configuration.
The broadcasted SSID of the easymesh backhaul BSS
Must be at least 1 character long
Must be at most 32 characters long
The list of radios that the SSID should be broadcasted on. The configuration layer will use the first matching phy/band.
Override the BSSID of the network, only applicable in adhoc or sta mode.
The encryption properties of this fronthaul SSID.
The wireless encryption protocol that shall be used for this BSS
"psk2"
The Pre Shared Key (PSK) that is used for encryption on the BSS when using any of the WPA-PSK modes.
Must be at least 8 characters long
Must be at most 63 characters long
All properties whose name matches the following regular expression must respect the following conditions
Property name regular expression: .+
A device has certain properties that describe its identity and location. These properties are described inside this object.
The broadcasted SSID of the wireless network and, for managed mode, the SSID of the network you’re connecting to.
Must be at least 1 character long
Must be at most 32 characters long
The list of radios that the SSID should be broadcasted on. The configuration layer will use the first matching phy/band.
Override the BSSID of the network, only applicable in adhoc or sta mode.
A device has certain global properties that are used to derive parts of the final configuration that gets applied.
Define the IPv4 range that is delegatable to the downstream interfaces. This is described as a CIDR block. (192.168.0.0/16, 172.16.128/17)
"192.168.0.0/16"
Define the IPv6 range that is delegatable to the downstream interfaces. This is described as a CIDR block. (fdca:1234:4567::/48)
"fdca:1234:4567::/48"
This is an array of URL/IP of the upstream NTP servers that the unit shall use to acquire its current time.
"0.openwrt.pool.ntp.org"
All properties whose name matches the following regular expression must respect the following conditions
Property name regular expression: .+
When using EAP encryption we need to provide the required information allowing us to connect to the AAA servers.
NAS-Identifier string for RADIUS messages. When used, this should be unique to the NAS within the scope of the RADIUS server.
This will enable support for Chargeable-User-Identity (RFC 4372).
Describe the properties of a Radius server.
The URI of our Radius server.
"192.168.1.10"
The shared Radius authentication secret.
The additional Access-Request attributes that get sent to the server.
{
"id": 27,
"value": 900
}
{
"id": 32,
"value": "My NAS ID"
}
{
"id": 56,
"value": 1004
}
{
"id": 126,
"value": "Example Operator"
}
The ID of the RADIUS attribute
Value must be greater or equal to 1 and lesser or equal to 255
The numeric RADIUS attribute value
Value must be greater or equal to 0 and lesser or equal to 4294967295
The RADIUS attribute value string
"126:s:Operator"
The network port of our Radius server.
Value must be greater or equal to 1024 and lesser or equal to 65535
Should the radius server be used for MAC address ACL.
Describe the properties of a Radius server.
Same definition as definitions_radius-servers_pattern1_authentication_allOf_i0
The network port of our Radius server.
Value must be greater or equal to 1024 and lesser or equal to 65535
The interim accounting update interval. This value is defined in seconds.
Value must be greater or equal to 60 and lesser or equal to 600
Describe the properties of the local Radius server inside hostapd.
EAP methods that provide mechanism for authenticated server identity delivery use this value.
Specifies a collection of local EAP user/psk/vid triplets.
Describes a local EAP user/psk/vid triplet.
Must be at least 1 character long
Must be at least 8 characters long
Must be at most 63 characters long
Value must be lesser or equal to 4096
3
100
200
4094
This section defines the link speed and duplex mode of the physical copper/fiber ports of the device.
The list of physical network devices that shall be configured. The names are logical ones and wildcardable.
"LAN1"
"LAN2"
"LAN3"
"LAN4"
"LAN*"
"WAN*"
"*"
The link speed that shall be forced.
The duplex mode that shall be forced.
This section describes all of the services that may be present on the AP. Each service is then referenced via its name inside an interface, ssid, ...
This section can be used to setup the AdguardHome service
The port that the WebUI will run on.
Value must be greater or equal to 100 and lesser or equal to 65535
Intercept/redirect all DNS traffic on enabled interfaces
A list of upstream servers the requests get forwarded to
The password hash used for admin login. The default password is 'abc123'. The hash is generated using htpasswd - htpasswd -B -C 10 -n -b
This section allows enabling wired ieee802.1X
This field must be set to 'radius' or 'user'.
Specifies a collection of local EAP user/psk/vid triplets.
Describes a local EAP user/psk/vid triplet.
Same definition as definitions_radius-local_users_items
Specifies the information about radius account authentication and accounting
NAS-Identifier string for RADIUS messages. When used, this should be unique to the NAS within the scope of the RADIUS server.
The URI of our Radius server.
"192.168.1.10"
The network port of our Radius server.
Value must be greater or equal to 1024 and lesser or equal to 65535
1812
The shared Radius authentication secret.
"secret"
The URI of our Radius server.
"192.168.1.10"
The network port of our Radius server.
Value must be greater or equal to 1024 and lesser or equal to 65535
1813
The shared Radius accounting secret.
"secret"
The URI of our Radius server.
"192.168.1.10"
The network port of our Radius server.
Value must be greater or equal to 1024 and lesser or equal to 65535
1814
The shared Radius accounting secret.
"secret"
Trigger mac-auth when a new ARP is learned.
This section can be used to enable lldp on network ports.
The name that gets announced.
The description that gets announced.
This section can be used to configure remote syslog support.
IP address of a syslog server to which the log messages should be sent in addition to the local destination.
"192.168.1.10"
Port number of the remote syslog server specified with log_ip.
Value must be greater or equal to 100 and lesser or equal to 65535
2000
Sets the protocol to use for the connection, either tcp or udp.
Size of the file based log buffer in KiB. This value is used as the fallback value for logbuffersize if the latter is not specified.
Value must be greater or equal to 32
Filter messages by their log priority. The value maps directly to the 0-7 range used by syslog.
Value must be greater or equal to 0
This section can be used to setup the mdns servers.
This is an array of additional hostnames that the AP shall announce.
This section can be used to setup a SSH server on the AP.
This option defines which port the SSH server shall be available on.
Value must be lesser or equal to 65535
This option defines if password authentication shall be enabled. If set to false, only ssh key based authentication is possible.
This section can be used to setup a local radius server.
The secret that users need to provide during authentication and accounting sessions.