nss-setup: Add example NSS configs/scripts

Included starter config seed NSS offloading for MX4300. Although it can
be used by any compatible ipq807x NSS setup.

There is also an example 'uci-defaults' script that you can use to build
a single image for multiple nodes.

Although the script includes options to set low/high band for mesh backhaul.
Only the high-band works for offloading.

Signed-off-by: Sean Khan <datapronix@protonmail.com>

nss-setup/config-nss.seed

@@ -0,0 +1,136 @@
+# copy to `.config` and run `make defconfig`
+# This builds for all ipq807x targets. 
+# To use this config, you must build from https://github.com/qosmio/openwrt-ipq
+
+# 1. copy this config to root of build folder name it ".config"
+# 2. run `make defconfig`
+#
+# use `make menuconfig` to further customize building just for your target or adding custom packages.
+# Target platform
+CONFIG_TARGET_qualcommax=y
+CONFIG_TARGET_qualcommax_ipq807x=y
+
+# Uncomment target device you want to build for, set '=y'
+# CONFIG_TARGET_qualcommax_ipq807x_DEVICE_arcadyan_aw1000 is not set
+# CONFIG_TARGET_qualcommax_ipq807x_DEVICE_asus_rt-ax89x is not set
+# CONFIG_TARGET_qualcommax_ipq807x_DEVICE_buffalo_wxr-5950ax12 is not set
+# CONFIG_TARGET_qualcommax_ipq807x_DEVICE_cmcc_rm2-6 is not set
+# CONFIG_TARGET_qualcommax_ipq807x_DEVICE_compex_wpq873 is not set
+# CONFIG_TARGET_qualcommax_ipq807x_DEVICE_dynalink_dl-wrx36 is not set
+# CONFIG_TARGET_qualcommax_ipq807x_DEVICE_edgecore_eap102 is not set
+# CONFIG_TARGET_qualcommax_ipq807x_DEVICE_edimax_cax1800 is not set
+# CONFIG_TARGET_qualcommax_ipq807x_DEVICE_linksys_mx4200v1 is not set
+# CONFIG_TARGET_qualcommax_ipq807x_DEVICE_linksys_mx4200v2 is not set
+CONFIG_TARGET_qualcommax_ipq807x_DEVICE_linksys_mx4300=y
+# CONFIG_TARGET_qualcommax_ipq807x_DEVICE_linksys_mx5300 is not set
+# CONFIG_TARGET_qualcommax_ipq807x_DEVICE_linksys_mx8500 is not set
+# CONFIG_TARGET_qualcommax_ipq807x_DEVICE_netgear_rax120v2 is not set
+# CONFIG_TARGET_qualcommax_ipq807x_DEVICE_netgear_sxr80 is not set
+# CONFIG_TARGET_qualcommax_ipq807x_DEVICE_netgear_sxs80 is not set
+# CONFIG_TARGET_qualcommax_ipq807x_DEVICE_netgear_wax218 is not set
+# CONFIG_TARGET_qualcommax_ipq807x_DEVICE_netgear_wax620 is not set
+# CONFIG_TARGET_qualcommax_ipq807x_DEVICE_netgear_wax630 is not set
+# CONFIG_TARGET_qualcommax_ipq807x_DEVICE_prpl_haze is not set
+# CONFIG_TARGET_qualcommax_ipq807x_DEVICE_qnap_301w is not set
+# CONFIG_TARGET_qualcommax_ipq807x_DEVICE_redmi_ax6 is not set
+# CONFIG_TARGET_qualcommax_ipq807x_DEVICE_spectrum_sax1v1k is not set
+# CONFIG_TARGET_qualcommax_ipq807x_DEVICE_xiaomi_ax3600 is not set
+# CONFIG_TARGET_qualcommax_ipq807x_DEVICE_xiaomi_ax9000 is not set
+# CONFIG_TARGET_qualcommax_ipq807x_DEVICE_yuncore_ax880 is not set
+# CONFIG_TARGET_qualcommax_ipq807x_DEVICE_zbtlink_zbt-z800ax is not set
+# CONFIG_TARGET_qualcommax_ipq807x_DEVICE_zte_mf269 is not set
+# CONFIG_TARGET_qualcommax_ipq807x_DEVICE_zyxel_nbg7815 is not set
+
+# NSS Offloading
+CONFIG_ATH11K_NSS_SUPPORT=y
+CONFIG_ATH11K_NSS_MESH_SUPPORT=y
+CONFIG_PACKAGE_MAC80211_NSS_SUPPORT=y
+
+# Additional NSS packages (VLAN, Multicast Snooping, etc)
+CONFIG_PACKAGE_kmod-qca-nss-drv-vlan-mgr=y
+CONFIG_PACKAGE_kmod-qca-mcs=y
+
+# NSS SQM Traffic Shaping
+CONFIG_PACKAGE_sqm-scripts=y
+CONFIG_PACKAGE_sqm-scripts-nss=y
+
+# Compiler Optimization
+CONFIG_BUILD_PATENTED=y
+CONFIG_CCACHE=y
+CONFIG_DEVEL=y
+CONFIG_EXPERIMENTAL=y
+CONFIG_TOOLCHAINOPTS=y
+CONFIG_TARGET_OPTIONS=y
+CONFIG_TARGET_OPTIMIZATION="-O3 -pipe -mcpu=cortex-a53+crc+crypto"
+CONFIG_TARGET_INIT_PATH="/usr/sbin:/usr/bin:/sbin:/bin:/opt/usr/bin:/opt/bin:/opt/sbin:/opt/usr/sbin"
+CONFIG_USE_GC_SECTIONS=y
+
+# Kernel Config
+CONFIG_COLLECT_KERNEL_DEBUG=y
+CONFIG_KERNEL_PERF_EVENTS=y
+CONFIG_KERNEL_DYNAMIC_DEBUG=y
+CONFIG_KERNEL_ARM_PMU=y
+CONFIG_KERNEL_ARM_PMUV3=y
+CONFIG_KERNEL_PREEMPT_NONE=y
+CONFIG_KERNEL_PREEMPT_NONE_BUILD=y
+
+# SSL Configuration
+CONFIG_PACKAGE_libustream-openssl=y
+CONFIG_PACKAGE_libustream-mbedtls=n
+CONFIG_PACKAGE_libopenssl=y
+CONFIG_LUA_ECO_OPENSSL=y
+CONFIG_LUA_ECO_MBEDTLS=n
+CONFIG_OPENSSL_OPTIMIZE_SPEED=y
+
+# LUCI Config
+CONFIG_PACKAGE_luci=y
+CONFIG_PACKAGE_luci-ssl-openssl=y
+CONFIG_PACKAGE_wpad-mesh-openssl=y
+CONFIG_PACKAGE_wpad-basic-mbedtls=n
+
+# LUCI Applications
+CONFIG_PACKAGE_luci-app-firewall=y
+CONFIG_PACKAGE_luci-app-opkg=y
+CONFIG_PACKAGE_luci-app-sqm=y
+CONFIG_PACKAGE_luci-app-statistics=y
+CONFIG_PACKAGE_luci-app-acme=y
+CONFIG_PACKAGE_luci-app-firewall=y
+CONFIG_PACKAGE_luci-app-nlbwmon=y
+CONFIG_PACKAGE_luci-app-opkg=y
+CONFIG_PACKAGE_luci-app-sqm=y
+CONFIG_PACKAGE_luci-app-statistics=y
+CONFIG_PACKAGE_luci-app-watchcat=y
+CONFIG_PACKAGE_luci-proto-wireguard=y
+
+# Library Optimization
+CONFIG_ZLIB_OPTIMIZE_SPEED=y
+CONFIG_ZSTD_OPTIMIZE_O3=y
+
+# Reduce kernel module size
+CONFIG_ATH11K_DEBUGFS_HTT_STATS=n
+CONFIG_ATH11K_DEBUGFS_STA=n
+CONFIG_ATH11K_THERMAL=n
+
+# Additional kernel modules
+CONFIG_PACKAGE_kmod-fs-vfat=y
+CONFIG_PACKAGE_kmod-fs-f2fs=y
+CONFIG_PACKAGE_kmod-fs-ntfs3=y
+CONFIG_PACKAGE_kmod-nft-bridge=y
+CONFIG_PACKAGE_kmod-usb-storage=y
+CONFIG_PACKAGE_kmod-ramoops=y
+
+# Additional packages
+CONFIG_PACKAGE_iperf3=y
+CONFIG_PACKAGE_htop=y
+CONFIG_PACKAGE_curl=y
+CONFIG_PACKAGE_rsync=y
+CONFIG_PACKAGE_jq=y
+CONFIG_PACKAGE_pigz=y
+CONFIG_PACKAGE_tar=y
+CONFIG_PACKAGE_tcpdump=y
+
+CONFIG_HTOP_LMSENSORS=n
+
+# Prevent opkg from adding custom feeds to /etc/opkg/distfeeds.conf
+CONFIG_FEED_nss=n
+CONFIG_FEED_sqm_scripts_nss=n

nss-setup/example/01-mesh-node

@@ -0,0 +1,109 @@
+
+config wifi-device 'radio0'
+	option type 'mac80211'
+	option path 'platform/soc@0/c000000.wifi'
+	option band '5g'
+	option txpower '21'
+	option country 'US'
+	option htmode 'HE80'
+	option channel '64'
+	option cell_density '0'
+	option noscan '1'
+
+config wifi-device 'radio1'
+	option type 'mac80211'
+	option path 'platform/soc@0/c000000.wifi+1'
+	option band '2g'
+	option txpower '24'
+	option country 'US'
+	option htmode 'HE20'
+	option channel '1'
+	option cell_density '0'
+
+config wifi-device 'radio2'
+	option type 'mac80211'
+	option path 'platform/soc@0/c000000.wifi+2'
+	option band '5g'
+	option txpower '30'
+	option country 'US'
+	option htmode 'HE80'
+	option channel '161'
+	option cell_density '3'
+	option noscan '1'
+
+config wifi-iface '5g'
+	option device 'radio1'
+	option mode 'ap'
+	option network 'lan'
+	option ssid 'MX4300'
+	option encryption 'psk2+ccmp'
+	option key 'xxxxxxxxxxxxx'
+	option beacon_int '97'
+	option bss_transition '1'
+	option disassoc_low_ack '0'
+	option dtim_period '3'
+	option ft_over_ds '0'
+	option ft_psk_generate_local '1'
+	option ieee80211r '1'
+	option ieee80211k '1'
+	option proxy_arp '1'
+	option reassociation_deadline '20000'
+	option skip_inactivity_poll '1'
+	option time_advertisement '2'
+	option time_zone 'GMT0'
+	option wnm_sleep_mode '1'
+	option wpa_group_rekey '86400'
+	option pmk_r1_push '1'
+	option macaddr '80:69:1A:22:FF:BA'
+
+config wifi-iface '2g'
+	option device 'radio1'
+	option mode 'ap'
+	option network 'lan'
+	option ssid 'MX4300'
+	option encryption 'psk2+ccmp'
+	option key 'xxxxxxxxxxxxx'
+	option bss_transition '1'
+	option beacon_int '100'
+	option disassoc_low_ack '0'
+	option dtim_period '3'
+	option ft_over_ds '0'
+	option ft_psk_generate_local '1'
+	option ieee80211r '1'
+	option ieee80211k '1'
+	option proxy_arp '1'
+	option reassociation_deadline '20000'
+	option skip_inactivity_poll '1'
+	option time_advertisement '2'
+	option time_zone 'GMT0'
+	option wnm_sleep_mode '1'
+	option wpa_group_rekey '86400'
+	option max_inactivity '4260'
+	option pmk_r1_push '1'
+	option macaddr '80:69:1A:22:FF:BB'
+
+config wifi-iface 'mesh'
+	option device 'radio2'
+	option encryption 'sae'
+	option key '4b22dd0c95846d36a8760ec90b703601c60f31ce4c8db1d9ade683cd3a2c2326'
+	option mesh_id 'MX4300-MESH'
+	option mode 'mesh'
+	option network 'lan'
+	option mesh_fwding '1'
+	option mesh_gate_announcements '1'
+	option mesh_hwmp_rootmode '2'
+	option mesh_max_peer_links '16'
+	option mesh_rssi_threshold '-65'
+	option disabled '0'
+	option macaddr '80:69:1A:22:AA:BC'
+
+config wifi-iface 'wds'
+	option device 'radio2'
+	option mode 'sta'
+	option network 'lan'
+	option ssid 'MX4300-WDS'
+	option encryption 'psk2+ccmp'
+	option key '4b22dd0c95846d36a8760ec90b703601c60f31ce4c8db1d9ade683cd3a2c2326'
+	option wds '1'
+	option disabled '1'
+	option macaddr '80:69:1A:22:AA:BC'

nss-setup/example/02-mesh-sat-node

@@ -0,0 +1,109 @@
+
+config wifi-device 'radio0'
+	option type 'mac80211'
+	option path 'platform/soc@0/c000000.wifi'
+	option band '5g'
+	option txpower '21'
+	option country 'US'
+	option htmode 'HE80'
+	option channel '64'
+	option cell_density '0'
+	option noscan '1'
+
+config wifi-device 'radio1'
+	option type 'mac80211'
+	option path 'platform/soc@0/c000000.wifi+1'
+	option band '2g'
+	option txpower '24'
+	option country 'US'
+	option htmode 'HE20'
+	option channel '1'
+	option cell_density '0'
+
+config wifi-device 'radio2'
+	option type 'mac80211'
+	option path 'platform/soc@0/c000000.wifi+2'
+	option band '5g'
+	option txpower '30'
+	option country 'US'
+	option htmode 'HE80'
+	option channel '161'
+	option cell_density '3'
+	option noscan '1'
+
+config wifi-iface '5g'
+	option device 'radio1'
+	option mode 'ap'
+	option network 'lan'
+	option ssid 'MX4300'
+	option encryption 'psk2+ccmp'
+	option key 'xxxxxxxxxxxxx'
+	option beacon_int '97'
+	option bss_transition '1'
+	option disassoc_low_ack '0'
+	option dtim_period '3'
+	option ft_over_ds '0'
+	option ft_psk_generate_local '1'
+	option ieee80211r '1'
+	option ieee80211k '1'
+	option proxy_arp '1'
+	option reassociation_deadline '20000'
+	option skip_inactivity_poll '1'
+	option time_advertisement '2'
+	option time_zone 'GMT0'
+	option wnm_sleep_mode '1'
+	option wpa_group_rekey '86400'
+	option pmk_r1_push '1'
+	option macaddr '80:69:1A:22:FF:FF'
+
+config wifi-iface '2g'
+	option device 'radio1'
+	option mode 'ap'
+	option network 'lan'
+	option ssid 'MX4300'
+	option encryption 'psk2+ccmp'
+	option key 'xxxxxxxxxxxxx'
+	option bss_transition '1'
+	option beacon_int '100'
+	option disassoc_low_ack '0'
+	option dtim_period '3'
+	option ft_over_ds '0'
+	option ft_psk_generate_local '1'
+	option ieee80211r '1'
+	option ieee80211k '1'
+	option proxy_arp '1'
+	option reassociation_deadline '20000'
+	option skip_inactivity_poll '1'
+	option time_advertisement '2'
+	option time_zone 'GMT0'
+	option wnm_sleep_mode '1'
+	option wpa_group_rekey '86400'
+	option max_inactivity '4260'
+	option pmk_r1_push '1'
+	option macaddr '80:69:1A:22:FF:FE'
+
+config wifi-iface 'mesh'
+	option device 'radio2'
+	option encryption 'sae'
+	option key '4b22dd0c95846d36a8760ec90b703601c60f31ce4c8db1d9ade683cd3a2c2326'
+	option mesh_id 'MX4300-MESH'
+	option mode 'mesh'
+	option network 'lan'
+	option mesh_fwding '0'
+	option mesh_gate_announcements '0'
+	option mesh_hwmp_rootmode '0'
+	option mesh_max_peer_links '16'
+	option mesh_rssi_threshold '-65'
+	option disabled '0'
+	option macaddr '80:69:1A:22:AA:AA'
+
+config wifi-iface 'wds'
+	option device 'radio2'
+	option mode 'sta'
+	option network 'lan'
+	option ssid 'MX4300-WDS'
+	option encryption 'psk2+ccmp'
+	option key '4b22dd0c95846d36a8760ec90b703601c60f31ce4c8db1d9ade683cd3a2c2326'
+	option wds '1'
+	option disabled '1'
+	option macaddr '80:69:1A:22:AA:AA'

nss-setup/example/03-uci-defaults

@@ -0,0 +1,403 @@
+#!/bin/sh -e
+# shellcheck disable=3037,2091,3010 shell=busybox
+# Custom UCI defaults script for Linksys MX4200/4300/5300 etc
+# Create folder "files/etc/uci-defaults/" in your buildroot and copy this script there.
+# Customize to your needs.
+
+# Uncomment the following line to capture all output to a log file
+# exec > /root/uci-defaults.log 2>&1
+
+mac=$(fw_printenv -n ethaddr | tr '[:upper:]' '[:lower:]')
+
+# Set to '0' to enable WDS and disable mesh
+wds_disable=1
+bridge_mode=true
+
+channel_2g=6
+
+ap_5g_radio="radio0"
+ap_2g_radio="radio1"
+mesh_radio="radio2"
+wds_radio="${mesh_radio}"
+
+mesh_channel="161"
+ap_5g_channel="64"
+
+# Unique UCI config names for each interface
+ap_5g_iface="ap_5g"
+ap_2g_iface="ap_2g"
+mesh_iface="mesh"
+wds_iface="wds"
+
+# Must be the same SSID for both 2G and 5G for 802.11 k/v/r
+ap_2g_ssid="OpenWrt"
+ap_5g_ssid="${ap_2g_ssid}"
+
+mesh_id="OpenWrt-Mesh"
+wds_ssid="OpenWrt-WDS"
+
+mesh_gate_key='SOME_KEY'
+ap_key='SOME_KEY'
+wds_key="${mesh_gate_key}"
+
+country="US"
+timezone="EST5EDT,M3.2.0,M11.1.0"
+zonename="America/New_York"
+
+# In case you want to reset firmware in future, but want to use different mesh band
+# use `fw_setenv mesh_band low_5g` to use "radio0" (low 5G band) (36-64)
+# use `fw_setenv mesh_band high_5g` to use "radio2" (high 5G band) (100-165)
+# This will then be used to set the channel for the mesh interface.
+# Default is high_5g (radio2) (channel 161)
+mesh_band="$(fw_printenv -n mesh_band 2> /dev/null)"
+mesh_band="${mesh_band:-high_5g}"
+mesh_rssi_threshold='-65'
+
+if [ "$mesh_band" = "low_5g" ]; then
+  mesh_radio="radio0"
+  mesh_channel="64"
+  ap_5g_radio="radio2"
+  ap_5g_channel="100"
+fi
+
+# Setup satellite nodes to simply extend wifi coverage from the main router.
+# This avoids "daisy chaining" traffic through multiple nodes.
+# This usecase covers 99% for typical home setups.
+mesh_gate_announcements='0'
+mesh_hwmp_rootmode='0'
+mesh_fwding='0'
+
+stp_priority=8192
+
+# Only version version 11.4.0.5 has mesh offload support, so disable and use WDS instead
+if ! grep -q NSS.HK.11.4.0.5 /lib/firmware/qca-nss0-retail.bin 2> /dev/null; then
+  wds_disable=0
+fi
+
+# For Linksys MX4200/4300/5300 etc, only need to match the first 5 bytes
+# replace 'xx:xx' with the one found on the bottom of the device
+if [[ "${mac}" =~ "80:69:1a:xx:xx" ]]; then
+  suffix=0
+  wds_mode=ap
+  # Not required as it will generate based on device mac.
+  # But recommended to set static mac address after the
+  # device is up and running.
+  ap_5g_channel="64"
+  # If the node is connected to a router via cable, or itself is acting as a router.
+  mesh_gate_announcements='1'
+  mesh_hwmp_rootmode='2'
+  mesh_fwding='1'
+elif [[ "${mac}" =~ "80:69:1a:22:xx" ]]; then
+  suffix=1
+  wds_mode=sta
+  channel_2g=1
+  if [ "$mesh_band" = "low_5g" ]; then
+    ap_5g_channel="144"
+  fi
+fi
+
+hostname="MX4300-$((suffix + 1))"
+router=192.168.1.1
+netmask=24
+ipaddr="192.168.1.$((suffix + 1))"
+ip6addr="fd00:cafe:cafe::$((suffix + 1))"
+
+[ -n "$hostname" ] && {
+  uci batch <<- EOF > /dev/null
+	del system.@system[0]
+	add system system
+	set system.@system[0]=system
+	set system.@system[0].hostname='${hostname}'
+	set system.@system[0].timezone='${timezone}'
+	set system.@system[0].ttylogin='0'
+	set system.@system[0].log_size='128'
+	set system.@system[0].urandom_seed='1'
+	set system.@system[0].zonename='${zonename}'
+	set system.@system[0].cronloglevel='9'
+	set system.@system[0].conloglevel='6'
+	del system.ntp
+	set system.ntp=timeserver
+	set system.ntp.enable_server='1'
+	set system.ntp.interface='lan'
+	add_list system.ntp.server='${router}'
+	add_list system.ntp.server='129.6.15.28'
+	add_list system.ntp.server='129.6.15.29'
+	add_list system.ntp.server='129.6.15.30'
+	add_list system.ntp.server='2610:20:6f15:15::27'
+	add_list system.ntp.server='2610:20:6f15:15::28'
+	add_list system.ntp.server='129.6.15.27'
+	add_list system.ntp.server='129.6.15.26'
+EOF
+}
+
+# satellite nodes should not have any DHCP/DNS services running.
+# Nor should they have any firewall/dnsmasq rules.
+
+${bridge_mode} && {
+
+  # Disable services services in case we are running as dumb ap
+  for prog in firewall sqm unbound adblock-fast banip; do
+    CMD=/etc/init.d/${prog}
+    if [ -r ${CMD} ]; then
+      ${CMD} disable
+    fi
+  done
+
+  [ -r /etc/hotplug.d/ntp/25-unbound ] && rm /etc/hotplug.d/ntp/25-unbound
+
+  uci import <<- EOF > /dev/null
+
+package dhcp
+
+config dnsmasq
+	option boguspriv '0'
+	option rebind_protection '0'
+	option domain 'lan'
+	option expandhosts '1'
+	option readethers '1'
+	option leasefile '/tmp/dhcp.leases'
+	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
+	option localservice '0'
+	option ednspacket_max '1232'
+
+config dhcp 'lan'
+	option interface 'lan'
+	option dhcpv4 'disabled'
+	option dhcpv6 'disabled'
+	option ignore '1'
+	option dynamicdhcp '0'
+
+config odhcpd 'odhcpd'
+	option maindhcp '0'
+	option leasefile '/tmp/hosts/odhcpd'
+	option leasetrigger '/usr/sbin/odhcpd-update'
+	option loglevel '4'
+
+EOF
+
+  uci import <<- EOF > /dev/null
+package network
+
+config globals 'globals'
+
+config interface 'loopback'
+	option device 'lo'
+	option proto 'static'
+	option ipaddr '127.0.0.1'
+	option netmask '255.0.0.0'
+
+config device
+	option name 'br-lan'
+	option type 'bridge'
+	list ports 'lan1'
+	list ports 'lan2'
+	list ports 'lan3'
+	option macaddr '${mac}'
+	option stp '1'
+	option igmp_snooping '1'
+	option arp_accept '1'
+	option priority '$((stp_priority + suffix))'
+
+config interface 'lan'
+	option device 'br-lan'
+	option proto 'static'
+	list ipaddr '${ipaddr}/${netmask:-24}'
+	list ip6addr '${ip6addr}'
+	list dns '${router}'
+	option gateway '${router}'
+	option delegate '0'
+
+config interface 'lan6'
+	option device '@lan'
+	option proto 'dhcpv6'
+	option reqaddress 'try'
+	option reqprefix 'no'
+	option delegate '0'
+
+config device
+	option name 'lan1'
+	option macaddr '${mac}'
+
+config device
+	option name 'lan2'
+	option macaddr '${mac}'
+
+config device
+	option name 'lan3'
+	option macaddr '${mac}'
+EOF
+}
+
+# If not in bridge mode, then assume setting up as a router
+${bridge_mode} || {
+  uci batch <<- EOF > /dev/null
+	set network.lan.proto='static'
+	set network.lan.ipaddr=''${ipaddr}/${netmask:-24}''
+EOF
+}
+
+uci import <<- EOF
+package wireless
+
+config wifi-device 'radio0'
+	option type 'mac80211'
+	option path 'platform/soc@0/c000000.wifi'
+	option band '5g'
+	option txpower '21'
+	option country '${country:-US}'
+	option htmode 'HE80'
+	option channel '64'
+	option cell_density '0'
+	option noscan '1'
+
+config wifi-device 'radio1'
+	option type 'mac80211'
+	option path 'platform/soc@0/c000000.wifi+1'
+	option band '2g'
+	option txpower '24'
+	option country '${country:-US}'
+	option htmode 'HE20'
+	option channel '${channel_2g:-6}'
+	option cell_density '0'
+
+config wifi-device 'radio2'
+	option type 'mac80211'
+	option path 'platform/soc@0/c000000.wifi+2'
+	option band '5g'
+	option txpower '30'
+	option country '${country:-US}'
+	option htmode 'HE80'
+	option channel '161'
+	option cell_density '3'
+	option noscan '1'
+
+config wifi-iface '${ap_5g_iface}'
+	option device '${ap_5g_radio}'
+	option mode 'ap'
+	option network 'lan'
+	option ssid '${ap_5g_ssid}'
+	option encryption 'psk2+ccmp'
+	option key '${ap_key}'
+	option beacon_int '97'
+	option bss_transition '1'
+	option disassoc_low_ack '0'
+	option dtim_period '3'
+	option ft_over_ds '0'
+	option ft_psk_generate_local '1'
+	option ieee80211r '1'
+	option ieee80211k '1'
+	option proxy_arp '1'
+	option reassociation_deadline '20000'
+	option time_advertisement '2'
+	option time_zone 'GMT0'
+	option wnm_sleep_mode '1'
+	option wpa_group_rekey '86400'
+	option pmk_r1_push '1'
+
+config wifi-iface '${ap_2g_iface}'
+	option device '${ap_2g_radio}'
+	option mode 'ap'
+	option network 'lan'
+	option ssid '${ap_2g_ssid}'
+	option encryption 'psk2+ccmp'
+	option key '${ap_key}'
+	option bss_transition '1'
+	option beacon_int '100'
+	option disassoc_low_ack '0'
+	option dtim_period '3'
+	option ft_over_ds '0'
+	option ft_psk_generate_local '1'
+	option ieee80211r '1'
+	option ieee80211k '1'
+	option proxy_arp '1'
+	option reassociation_deadline '20000'
+	option time_advertisement '2'
+	option time_zone 'GMT0'
+	option wnm_sleep_mode '1'
+	option wpa_group_rekey '86400'
+	option max_inactivity '4260'
+	option pmk_r1_push '1'
+
+config wifi-iface '${mesh_iface}'
+	option device '${mesh_radio}'
+	option encryption 'sae'
+	option key '${mesh_gate_key}'
+	option mesh_id '${mesh_id}'
+	option mode 'mesh'
+	option network 'lan'
+	option mesh_fwding '${mesh_fwding:-0}'
+	option mesh_gate_announcements '${mesh_gate_announcements:-0}'
+	option mesh_hwmp_rootmode '${mesh_hwmp_rootmode:-0}'
+	option mesh_max_peer_links '16'
+	option mesh_rssi_threshold '${mesh_rssi_threshold}'
+	option disabled $([ ${wds_disable:-1} -eq 1 ] && echo '0' || echo '1')
+
+config wifi-iface '${wds_iface}'
+	option device '${wds_radio}'
+	option mode '${wds_mode:-ap}'
+	option network 'lan'
+	option ssid '${wds_ssid}'
+	option encryption 'psk2+ccmp'
+	option key '${wds_key}'
+	option wds '1'
+	option disabled '${wds_disable:-1}'
+	$([ "${wds_mode:-ap}" = "ap" ] && echo "option hidden '1'")
+EOF
+
+cat << EOF | uci batch
+	set wireless.${mesh_radio}.channel=''${mesh_channel}''
+	set wireless.${ap_5g_radio}.channel=''${ap_5g_channel}''
+
+	set wireless.${mesh_radio}.cell_density='3'
+	set wireless.${ap_5g_radio}.cell_density='0'
+
+	set wireless.${mesh_iface}.device=''${mesh_radio}''
+	set wireless.${wds_iface}.device=''${mesh_radio}''
+	set wireless.${ap_5g_iface}.device=''${ap_5g_radio}''
+EOF
+
+# Set to a less annoying dim green color
+uci import <<- EOF
+package system
+
+config led
+	option name 'Blue Off'
+	option sysfs 'blue:status'
+	option trigger 'none'
+	option default '0'
+
+config led
+	option name 'Red Off'
+	option sysfs 'red:status'
+	option trigger 'none'
+	option default '0'
+EOF
+
+# Sometimes nodes may not be able to reach the gateway for whatever reason
+# Since they will be connected via wifi it's cumbersome having to hardwire just to troubleshoot
+# Install the `watchcat` package to automatically reboot the node if it can't reach the gateway
+uci import <<- EOF > /dev/null
+
+package watchcat
+
+config watchcat
+	option period '5m'
+	option mode 'ping_reboot'
+	option pinghosts '${router}'
+	option addressfamily 'any'
+	option pingperiod '10s'
+	option pingsize 'standard'
+	option forcedelay '1m'
+EOF
+
+uci changes
+
+uci commit system
+uci commit luci_statistics
+uci commit dhcp
+uci commit network
+uci commit wireless
+
+fw_setenv mesh_band "${mesh_band}"
+
+exit 0