diff --git a/feeds/wifi-ax/hostapd/files/hostapd.sh b/feeds/wifi-ax/hostapd/files/hostapd.sh
index a1d0801dd..c8e1eca88 100644
--- a/feeds/wifi-ax/hostapd/files/hostapd.sh
+++ b/feeds/wifi-ax/hostapd/files/hostapd.sh
@@ -76,6 +76,15 @@ hostapd_append_wpa_key_mgmt() {
 		;;
 	esac
 
+	[ "$fils" -gt 0 ] && {
+		case "$auth_type" in
+			eap*)
+				append wpa_key_mgmt FILS-SHA256
+				[ "${ieee80211r:-0}" -gt 0 ] && append wpa_key_mgmt FT-FILS-SHA256
+			;;
+		esac
+	}
+
 	[ "$auth_osen" = "1" ] && append wpa_key_mgmt "OSEN"
 }
 
@@ -115,6 +124,7 @@ hostapd_common_add_device_config() {
 	config_add_int airtime_mode
 
 	config_add_boolean multiple_bssid rnr_beacon he_co_locate ema
+
 	hostapd_add_log_config
 }
 
@@ -374,6 +384,9 @@ hostapd_common_add_bss_config() {
 	config_add_int eap_server
 	config_add_string eap_user_file ca_cert server_cert private_key private_key_passwd server_id
 
+	config_add_boolean fils
+	config_add_string fils_dhcp
+
 	config_add_boolean ratelimit
 }
 
@@ -523,6 +536,69 @@ append_airtime_sta_weight() {
 	[ -n "$1" ] && append bss_conf "airtime_sta_weight=$1" "$N"
 }
 
+append_radius_server() {
+
+	json_get_vars \
+		auth_server auth_secret auth_port \
+		dae_client dae_secret dae_port \
+		ownip radius_client_addr \
+		eap_reauth_period request_cui \
+		erp_domain mobility_domain \
+		fils_realm fils_dhcp
+
+	# legacy compatibility
+	[ -n "$auth_server" ] || json_get_var auth_server server
+	[ -n "$auth_port" ] || json_get_var auth_port port
+	[ -n "$auth_secret" ] || json_get_var auth_secret key
+
+	[ "$fils" -gt 0 ] && {
+		set_default erp_domain "$mobility_domain"
+		set_default erp_domain "$(echo "$ssid" | md5sum | head -c 8)"
+		set_default fils_realm "$erp_domain"
+
+		append bss_conf "erp_send_reauth_start=1" "$N"
+		append bss_conf "erp_domain=$erp_domain" "$N"
+		append bss_conf "fils_realm=$fils_realm" "$N"
+		append bss_conf "fils_cache_id=$(echo "$fils_realm" | md5sum | head -c 4)" "$N"
+
+		[ "$fils_dhcp" = "*" ] && {
+			json_get_values network network
+			fils_dhcp=
+			for net in $network; do
+				fils_dhcp="$(ifstatus "$net" | jsonfilter -e '@.data.dhcpserver')"
+				[ -n "$fils_dhcp" ] && break
+			done
+
+			[ -z "$fils_dhcp" -a -n "$network_bridge" -a -n "$network_ifname" ] && \
+				fils_dhcp="$(udhcpc -B -n -q -s /lib/netifd/dhcp-get-server.sh -t 1 -i "$network_ifname" 2>/dev/null)"
+		}
+		[ -n "$fils_dhcp" ] && append bss_conf "dhcp_server=$fils_dhcp" "$N"
+	}
+
+	set_default auth_port 1812
+	set_default dae_port 3799
+	set_default request_cui 0
+
+	[ "$eap_server" -eq 0 ] && {
+		append bss_conf "auth_server_addr=$auth_server" "$N"
+		append bss_conf "auth_server_port=$auth_port" "$N"
+		append bss_conf "auth_server_shared_secret=$auth_secret" "$N"
+	}
+
+	[ "$request_cui" -gt 0 ] && append bss_conf "radius_request_cui=$request_cui" "$N"
+	[ -n "$eap_reauth_period" ] && append bss_conf "eap_reauth_period=$eap_reauth_period" "$N"
+
+	[ -n "$dae_client" -a -n "$dae_secret" ] && {
+		append bss_conf "radius_das_port=$dae_port" "$N"
+		append bss_conf "radius_das_client=$dae_client $dae_secret" "$N"
+	}
+	json_for_each_item append_radius_auth_req_attr radius_auth_req_attr
+
+	[ -n "$ownip" ] && append bss_conf "own_ip_addr=$ownip" "$N"
+	[ -n "$radius_client_addr" ] && append bss_conf "radius_client_addr=$radius_client_addr" "$N"
+	[ "$macfilter" = radius ] && append bss_conf "macaddr_acl=2" "$N"
+}
+
 hostapd_set_bss_options() {
 	local var="$1"
 	local phy="$2"
@@ -547,8 +623,9 @@ hostapd_set_bss_options() {
 		airtime_bss_weight airtime_bss_limit airtime_sta_weight \
 		multicast_to_unicast proxy_arp per_sta_vif \
 		eap_server eap_user_file ca_cert server_cert private_key private_key_passwd server_id \
-		vendor_elements
+		vendor_elements fils
 
+	set_default fils 0
 	set_default isolate 0
 	set_default maxassoc 0
 	set_default max_inactivity 0
@@ -570,6 +647,8 @@ hostapd_set_bss_options() {
 	set_default airtime_bss_limit 0
 	set_default eap_server 0
 
+	/usr/sbin/hostapd -vfils || fils=0
+
 	append bss_conf "ctrl_interface=/var/run/hostapd"
 	if [ "$isolate" -gt 0 ]; then
 		append bss_conf "ap_isolate=$isolate" "$N"
@@ -643,6 +722,10 @@ hostapd_set_bss_options() {
 			# Here we make the assumption that if we're in open mode
 			# with WPS enabled, we got to be in unconfigured state.
 			wps_not_configured=1
+			[ "$macfilter" = radius ] && {
+				append_radius_server
+				vlan_possible = 1
+			}
 		;;
 		psk|sae|psk-sae)
 			json_get_vars key wpa_psk_file
@@ -666,41 +749,9 @@ hostapd_set_bss_options() {
 			wps_possible=1
 		;;
 		eap|eap192|eap-eap256|eap256)
-			json_get_vars \
-				auth_server auth_secret auth_port \
-				dae_client dae_secret dae_port \
-				ownip radius_client_addr \
-				eap_reauth_period request_cui
-
+			append_radius_server
 			# radius can provide VLAN ID for clients
 			vlan_possible=1
-
-			# legacy compatibility
-			[ -n "$auth_server" ] || json_get_var auth_server server
-			[ -n "$auth_port" ] || json_get_var auth_port port
-			[ -n "$auth_secret" ] || json_get_var auth_secret key
-
-			set_default auth_port 1812
-			set_default dae_port 3799
-			set_default request_cui 0
-
-			[ "$eap_server" -eq 0 ] && {
-				append bss_conf "auth_server_addr=$auth_server" "$N"
-				append bss_conf "auth_server_port=$auth_port" "$N"
-				append bss_conf "auth_server_shared_secret=$auth_secret" "$N"
-			}
-
-			[ "$request_cui" -gt 0 ] && append bss_conf "radius_request_cui=$request_cui" "$N"
-			[ -n "$eap_reauth_period" ] && append bss_conf "eap_reauth_period=$eap_reauth_period" "$N"
-
-			[ -n "$dae_client" -a -n "$dae_secret" ] && {
-				append bss_conf "radius_das_port=$dae_port" "$N"
-				append bss_conf "radius_das_client=$dae_client $dae_secret" "$N"
-			}
-			json_for_each_item append_radius_auth_req_attr radius_auth_req_attr
-
-			[ -n "$ownip" ] && append bss_conf "own_ip_addr=$ownip" "$N"
-			[ -n "$radius_client_addr" ] && append bss_conf "radius_client_addr=$radius_client_addr" "$N"
 			append bss_conf "eapol_key_index_workaround=1" "$N"
 			append bss_conf "ieee8021x=1" "$N"
 
@@ -869,6 +920,10 @@ hostapd_set_bss_options() {
 				done
 			fi
 		fi
+		if [ "$fils" -gt 0 ]; then
+			json_get_vars fils_realm
+			set_default fils_realm "$(echo "$ssid" | md5sum | head -c 8)"
+		fi
 
 		append bss_conf "wpa_disable_eapol_key_retries=$wpa_disable_eapol_key_retries" "$N"
 
@@ -893,7 +948,7 @@ hostapd_set_bss_options() {
 		fi
 
 		append bss_conf "okc=$auth_cache" "$N"
-		[ "$auth_cache" = 0 ] && append bss_conf "disable_pmksa_caching=1" "$N"
+		[ "$auth_cache" = 0 -a "$fils" = 0 ] && append bss_conf "disable_pmksa_caching=1" "$N"
 
 		# RSN -> allow management frame protection
 		case "$ieee80211w" in
@@ -1058,6 +1113,7 @@ hostapd_set_bss_options() {
 
 	if [ "$eap_server" = "1" ]; then
 		append bss_conf "eap_server=1" "$N"
+		append bss_conf "eap_server_erp=1" "$N"
 		[ -n "$eap_user_file" ] && append bss_conf "eap_user_file=$eap_user_file" "$N"
 		[ -n "$ca_cert" ] && append bss_conf "ca_cert=$ca_cert" "$N"
 		[ -n "$server_cert" ] && append bss_conf "server_cert=$server_cert" "$N"
@@ -1198,8 +1254,8 @@ wpa_supplicant_set_fixed_freq() {
 	append network_data "frequency=$freq" "$N$T"
 	case "$htmode" in
 		NOHT) append network_data "disable_ht=1" "$N$T";;
-		HT20|VHT20|HE20) append network_data "disable_ht40=1" "$N$T";;
-		HT40*|VHT40*|VHT80*|VHT160*) append network_data "ht40=1" "$N$T";;
+		HE20|HT20|VHT20) append network_data "disable_ht40=1" "$N$T";;
+		HT40*|VHT40|VHT80|VHT160|HE40|HE80|HE160) append network_data "ht40=1" "$N$T";;
 	esac
 	case "$htmode" in
 		VHT*) append network_data "vht=1" "$N$T";;
@@ -1224,7 +1280,7 @@ wpa_supplicant_add_network() {
 	json_get_vars \
 		ssid bssid key \
 		basic_rate mcast_rate \
-		ieee80211w ieee80211r \
+		ieee80211w ieee80211r fils \
 		multi_ap \
 		default_disabled
 
@@ -1316,6 +1372,7 @@ wpa_supplicant_add_network() {
 
 			json_get_vars eap_type identity anonymous_identity ca_cert ca_cert_usesystem
 
+			[ "$fils" -gt 0 ] && append network_data "erp=1" "$N$T"
 			if [ "$ca_cert_usesystem" -eq "1" -a -f "/etc/ssl/certs/ca-certificates.crt" ]; then
 				append network_data "ca_cert=\"/etc/ssl/certs/ca-certificates.crt\"" "$N$T"
 			else
diff --git a/patches/wifi/0006-hostapd-add-multiple_bssid-rnr_beacon-he_co_locate-e.patch b/patches/wifi/0006-hostapd-add-multiple_bssid-rnr_beacon-he_co_locate-e.patch
new file mode 100644
index 000000000..dfe97a5b7
--- /dev/null
+++ b/patches/wifi/0006-hostapd-add-multiple_bssid-rnr_beacon-he_co_locate-e.patch
@@ -0,0 +1,59 @@
+From de25771a044c87fb9462066c4a162ea148612b89 Mon Sep 17 00:00:00 2001
+From: John Crispin <john@phrozen.org>
+Date: Mon, 7 Feb 2022 09:56:20 +0100
+Subject: [PATCH 6/7] hostapd: add multiple_bssid rnr_beacon he_co_locate ema
+ options
+
+Signed-off-by: John Crispin <john@phrozen.org>
+---
+ package/network/services/hostapd/files/hostapd.sh | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/package/network/services/hostapd/files/hostapd.sh b/package/network/services/hostapd/files/hostapd.sh
+index a56bc69562..209ae3dc46 100644
+--- a/package/network/services/hostapd/files/hostapd.sh
++++ b/package/network/services/hostapd/files/hostapd.sh
+@@ -123,6 +123,8 @@ hostapd_common_add_device_config() {
+ 
+ 	config_add_int airtime_mode
+ 
++	config_add_boolean multiple_bssid rnr_beacon he_co_locate ema
++
+ 	hostapd_add_log_config
+ }
+ 
+@@ -134,7 +136,8 @@ hostapd_prepare_device_config() {
+ 
+ 	json_get_vars country country3 country_ie beacon_int:100 dtim_period:2 doth require_mode legacy_rates \
+ 		acs_chan_bias local_pwr_constraint spectrum_mgmt_required airtime_mode cell_density \
+-		rts_threshold beacon_rate rssi_reject_assoc_rssi rssi_ignore_probe_request maxassoc
++		rts_threshold beacon_rate rssi_reject_assoc_rssi rssi_ignore_probe_request maxassoc \
++		multiple_bssid he_co_locate rnr_beacon ema
+ 
+ 	hostapd_set_log_options base_cfg
+ 
+@@ -144,6 +147,10 @@ hostapd_prepare_device_config() {
+ 	set_default legacy_rates 0
+ 	set_default airtime_mode 0
+ 	set_default cell_density 0
++	set_default he_co_locate 0
++	set_default rnr_beacon 0
++	set_default multiple_bssid 0
++	set_default ema 0
+ 
+ 	[ -n "$country" ] && {
+ 		append base_cfg "country_code=$country" "$N"
+@@ -236,6 +243,10 @@ hostapd_prepare_device_config() {
+ 	append base_cfg "dtim_period=$dtim_period" "$N"
+ 	[ "$airtime_mode" -gt 0 ] && append base_cfg "airtime_mode=$airtime_mode" "$N"
+ 	[ -n "$maxassoc" ] && append base_cfg "iface_max_num_sta=$maxassoc" "$N"
++	[ "$rnr_beacon" -gt 0 ] && append base_cfg "rnr_beacon=$rnr_beacon" "$N"
++	[ "$he_co_locate" -gt 0 ] && append base_cfg "he_co_locate=$he_co_locate" "$N"
++	[ "$multiple_bssid" -gt 0 ] && append base_cfg "multiple_bssid=$multiple_bssid" "$N"
++	[ "$ema" -gt 0 ] && append base_cfg "ema=$ema" "$N"
+ 
+ 	json_get_values opts hostapd_options
+ 	for val in $opts; do
+-- 
+2.25.1
+
diff --git a/patches/wifi/0007-hostapd-move-radius-into-its-own-function.patch b/patches/wifi/0007-hostapd-move-radius-into-its-own-function.patch
new file mode 100644
index 000000000..7450d43c8
--- /dev/null
+++ b/patches/wifi/0007-hostapd-move-radius-into-its-own-function.patch
@@ -0,0 +1,188 @@
+From d6510fa7b82b8e9fdd2266142aa7472ec407bcfb Mon Sep 17 00:00:00 2001
+From: John Crispin <john@phrozen.org>
+Date: Mon, 7 Feb 2022 11:16:12 +0100
+Subject: [PATCH 7/7] hostapd: move radius into its own function
+
+Signed-off-by: John Crispin <john@phrozen.org>
+---
+ .../network/services/hostapd/files/hostapd.sh | 127 ++++++++++--------
+ .../mt7621/base-files/lib/upgrade/platform.sh |   9 ++
+ 2 files changed, 77 insertions(+), 59 deletions(-)
+
+diff --git a/package/network/services/hostapd/files/hostapd.sh b/package/network/services/hostapd/files/hostapd.sh
+index 209ae3dc46..c8e1eca88b 100644
+--- a/package/network/services/hostapd/files/hostapd.sh
++++ b/package/network/services/hostapd/files/hostapd.sh
+@@ -536,6 +536,69 @@ append_airtime_sta_weight() {
+ 	[ -n "$1" ] && append bss_conf "airtime_sta_weight=$1" "$N"
+ }
+ 
++append_radius_server() {
++
++	json_get_vars \
++		auth_server auth_secret auth_port \
++		dae_client dae_secret dae_port \
++		ownip radius_client_addr \
++		eap_reauth_period request_cui \
++		erp_domain mobility_domain \
++		fils_realm fils_dhcp
++
++	# legacy compatibility
++	[ -n "$auth_server" ] || json_get_var auth_server server
++	[ -n "$auth_port" ] || json_get_var auth_port port
++	[ -n "$auth_secret" ] || json_get_var auth_secret key
++
++	[ "$fils" -gt 0 ] && {
++		set_default erp_domain "$mobility_domain"
++		set_default erp_domain "$(echo "$ssid" | md5sum | head -c 8)"
++		set_default fils_realm "$erp_domain"
++
++		append bss_conf "erp_send_reauth_start=1" "$N"
++		append bss_conf "erp_domain=$erp_domain" "$N"
++		append bss_conf "fils_realm=$fils_realm" "$N"
++		append bss_conf "fils_cache_id=$(echo "$fils_realm" | md5sum | head -c 4)" "$N"
++
++		[ "$fils_dhcp" = "*" ] && {
++			json_get_values network network
++			fils_dhcp=
++			for net in $network; do
++				fils_dhcp="$(ifstatus "$net" | jsonfilter -e '@.data.dhcpserver')"
++				[ -n "$fils_dhcp" ] && break
++			done
++
++			[ -z "$fils_dhcp" -a -n "$network_bridge" -a -n "$network_ifname" ] && \
++				fils_dhcp="$(udhcpc -B -n -q -s /lib/netifd/dhcp-get-server.sh -t 1 -i "$network_ifname" 2>/dev/null)"
++		}
++		[ -n "$fils_dhcp" ] && append bss_conf "dhcp_server=$fils_dhcp" "$N"
++	}
++
++	set_default auth_port 1812
++	set_default dae_port 3799
++	set_default request_cui 0
++
++	[ "$eap_server" -eq 0 ] && {
++		append bss_conf "auth_server_addr=$auth_server" "$N"
++		append bss_conf "auth_server_port=$auth_port" "$N"
++		append bss_conf "auth_server_shared_secret=$auth_secret" "$N"
++	}
++
++	[ "$request_cui" -gt 0 ] && append bss_conf "radius_request_cui=$request_cui" "$N"
++	[ -n "$eap_reauth_period" ] && append bss_conf "eap_reauth_period=$eap_reauth_period" "$N"
++
++	[ -n "$dae_client" -a -n "$dae_secret" ] && {
++		append bss_conf "radius_das_port=$dae_port" "$N"
++		append bss_conf "radius_das_client=$dae_client $dae_secret" "$N"
++	}
++	json_for_each_item append_radius_auth_req_attr radius_auth_req_attr
++
++	[ -n "$ownip" ] && append bss_conf "own_ip_addr=$ownip" "$N"
++	[ -n "$radius_client_addr" ] && append bss_conf "radius_client_addr=$radius_client_addr" "$N"
++	[ "$macfilter" = radius ] && append bss_conf "macaddr_acl=2" "$N"
++}
++
+ hostapd_set_bss_options() {
+ 	local var="$1"
+ 	local phy="$2"
+@@ -659,6 +722,10 @@ hostapd_set_bss_options() {
+ 			# Here we make the assumption that if we're in open mode
+ 			# with WPS enabled, we got to be in unconfigured state.
+ 			wps_not_configured=1
++			[ "$macfilter" = radius ] && {
++				append_radius_server
++				vlan_possible = 1
++			}
+ 		;;
+ 		psk|sae|psk-sae)
+ 			json_get_vars key wpa_psk_file
+@@ -682,67 +749,9 @@ hostapd_set_bss_options() {
+ 			wps_possible=1
+ 		;;
+ 		eap|eap192|eap-eap256|eap256)
+-			json_get_vars \
+-				auth_server auth_secret auth_port \
+-				dae_client dae_secret dae_port \
+-				ownip radius_client_addr \
+-				eap_reauth_period request_cui \
+-				erp_domain mobility_domain \
+-				fils_realm fils_dhcp
+-
++			append_radius_server
+ 			# radius can provide VLAN ID for clients
+ 			vlan_possible=1
+-
+-			# legacy compatibility
+-			[ -n "$auth_server" ] || json_get_var auth_server server
+-			[ -n "$auth_port" ] || json_get_var auth_port port
+-			[ -n "$auth_secret" ] || json_get_var auth_secret key
+-
+-			[ "$fils" -gt 0 ] && {
+-				set_default erp_domain "$mobility_domain"
+-				set_default erp_domain "$(echo "$ssid" | md5sum | head -c 8)"
+-				set_default fils_realm "$erp_domain"
+-
+-				append bss_conf "erp_send_reauth_start=1" "$N"
+-				append bss_conf "erp_domain=$erp_domain" "$N"
+-				append bss_conf "fils_realm=$fils_realm" "$N"
+-				append bss_conf "fils_cache_id=$(echo "$fils_realm" | md5sum | head -c 4)" "$N"
+-
+-				[ "$fils_dhcp" = "*" ] && {
+-					json_get_values network network
+-					fils_dhcp=
+-					for net in $network; do
+-						fils_dhcp="$(ifstatus "$net" | jsonfilter -e '@.data.dhcpserver')"
+-						[ -n "$fils_dhcp" ] && break
+-					done
+-
+-					[ -z "$fils_dhcp" -a -n "$network_bridge" -a -n "$network_ifname" ] && \
+-						fils_dhcp="$(udhcpc -B -n -q -s /lib/netifd/dhcp-get-server.sh -t 1 -i "$network_ifname" 2>/dev/null)"
+-				}
+-				[ -n "$fils_dhcp" ] && append bss_conf "dhcp_server=$fils_dhcp" "$N"
+-			}
+-
+-			set_default auth_port 1812
+-			set_default dae_port 3799
+-			set_default request_cui 0
+-
+-			[ "$eap_server" -eq 0 ] && {
+-				append bss_conf "auth_server_addr=$auth_server" "$N"
+-				append bss_conf "auth_server_port=$auth_port" "$N"
+-				append bss_conf "auth_server_shared_secret=$auth_secret" "$N"
+-			}
+-
+-			[ "$request_cui" -gt 0 ] && append bss_conf "radius_request_cui=$request_cui" "$N"
+-			[ -n "$eap_reauth_period" ] && append bss_conf "eap_reauth_period=$eap_reauth_period" "$N"
+-
+-			[ -n "$dae_client" -a -n "$dae_secret" ] && {
+-				append bss_conf "radius_das_port=$dae_port" "$N"
+-				append bss_conf "radius_das_client=$dae_client $dae_secret" "$N"
+-			}
+-			json_for_each_item append_radius_auth_req_attr radius_auth_req_attr
+-
+-			[ -n "$ownip" ] && append bss_conf "own_ip_addr=$ownip" "$N"
+-			[ -n "$radius_client_addr" ] && append bss_conf "radius_client_addr=$radius_client_addr" "$N"
+ 			append bss_conf "eapol_key_index_workaround=1" "$N"
+ 			append bss_conf "ieee8021x=1" "$N"
+ 
+diff --git a/target/linux/ramips/mt7621/base-files/lib/upgrade/platform.sh b/target/linux/ramips/mt7621/base-files/lib/upgrade/platform.sh
+index f044325752..924f259e25 100755
+--- a/target/linux/ramips/mt7621/base-files/lib/upgrade/platform.sh
++++ b/target/linux/ramips/mt7621/base-files/lib/upgrade/platform.sh
+@@ -46,6 +46,15 @@ platform_do_upgrade() {
+ 		dd if=/dev/mtd5 bs=1024 count=52224 >> /tmp/backup_firmware.bin
+ 		mtd -e firmware2 write /tmp/backup_firmware.bin firmware2
+ 		;;
++	actiontec,web7200)
++		if grep -q bootselect=0 /proc/cmdline; then
++			PART_NAME=firmware2
++			fw_setenv bootselect 1 || exit 1
++		else
++			PART_NAME=firmware1
++			fw_setenv bootselect 0 || exit 1
++		fi
++		;;
+ 	esac
+ 
+ 	case "$board" in
+-- 
+2.25.1
+