UPC WiFree on Mikrotik and OpenWRT

UPC turns your cable modem into WiFi hot-spot available for others. outrageous! and i’ve been using it for quite a while – it generally works. below – how to connect OpenWRT or Mikrotik to such connection.

OpenWRT 22.03.0-rc6

on Polish OpenWRT forum – eko.one.pl – i’ve found a fully functional example. i’ve tesed it on Netgear WNDR4300 and R6220. it works fine for me.
ssh to the router, and there:

opkg update
opkg remove wpad*
opkg install wpad-openssl libopenssl ca-bundle wget 
wget -O /etc/ssl/certs/LGI_Root_CA.cer https://kudzia.eu/b/wp-content/uploads/2020/10/LGI_Root_CA.cer

reboot

# ssh again
uci set wireless.radio0.disabled='0'
uci set wireless.radio0.txpower='20'
uci set wireless.radio0.htmode='HT40'
uci set wireless.radio0.channel='auto'
uci set wireless.radio0.country='PL'
uci set wireless.default_radio0=wifi-iface
uci set wireless.default_radio0.device='radio0'
uci set wireless.default_radio0.mode='sta'
uci set wireless.default_radio0.network='upcwifree'
uci set wireless.default_radio0.ssid='Wi-Free #InternetUPCNajszybszy'
uci set wireless.default_radio0.encryption='wpa2+ccmp'
uci set wireless.default_radio0.eap_type='ttls'
uci set wireless.default_radio0.phase1='peaplabel=1'
uci set wireless.default_radio0.phase2='auth=MSCHAPV2'
uci set wireless.default_radio0.ca_cert='/etc/ssl/certs/LGI_Root_CA.cer'
uci set wireless.default_radio0.wps_pushbutton='0'
# below enter your actual login for UPC WiFree
uci set wireless.default_radio0.identity='my upc wifree login'
# below enter your actual password for UPC WiFree
uci set wireless.default_radio0.password='my password'
uci set wireless.default_radio0.disabled='0'
uci set wireless.default_radio0.ifname='wlan0'
uci set wireless.default_radio0.auth='MSCHAPV2'
uci commit wireless

uci set network.upcwifree=interface 
uci set network.upcwifree.proto='dhcp'
uci set network.upcwifree.auto='1'
uci set network.upcwifree.ipv6='0'
uci commit network

uci set firewall.@zone[1].network=''wan' 'wan6' 'upcwifree''

sometimes, some of the neighboring routers no longer provide connectivity [ or even IP address via DHCP ] for this wlan. to find out all available neighbors – run:

iwinfo wlan0 scan
# you might need to first install it - opkg update; opkg install iwinfo

in the output – find few candidates with highest possible value of Signal – e.g.:

Cell 07 - Address: 92:xx:xx:xx:xx:xx
          ESSID: "Wi-Free #InternetUPCNajszybszy"
          Mode: Master  Channel: 11
          Signal: -61 dBm  Quality: 49/70
          Encryption: WPA2 802.1X (TKIP, CCMP)
...
Cell 09 - Address: AE:xx:xx:xx:xx:xx
          ESSID: "Wi-Free #InternetUPCNajszybszy"
          Mode: Master  Channel: 1
          Signal: -62 dBm  Quality: 48/70
          Encryption: WPA2 802.1X (CCMP)

take the MAC address and run:

uci set wireless.default_radio0.bssid="AE:xx:xx:xx:xx:xx"
uci commit network
reboot

iterate it few times until you find a neighboring device that works.

OpenWRT 19.07.4

install needed packages:

opkg update
opkg remove wpad*
opkg install wpad-openssl libopenssl ca-bundle

uci set wireless.radio0.disabled='0'
uci set wireless.radio0.txpower='20'
uci set wireless.radio0.htmode='HT40'
uci set wireless.radio0.channel='auto'
uci set wireless.radio0.country='PL'
uci set wireless.default_radio0=wifi-iface
uci set wireless.default_radio0.device='radio0'
uci set wireless.default_radio0.mode='sta'
uci set wireless.default_radio0.network='upcwifree'
uci set wireless.default_radio0.ssid='UPC Wi-Free #SprawdzUPCMobile!'
uci set wireless.default_radio0.encryption='wpa2+ccmp'
uci set wireless.default_radio0.eap_type='ttls'
uci set wireless.default_radio0.phase1='peaplabel=1'
uci set wireless.default_radio0.phase2='auth=MSCHAPV2'
uci set wireless.default_radio0.ca_cert='/etc/ssl/certs/LGI_Root_CA.cer'
uci set wireless.default_radio0.wps_pushbutton='0'
# below enter your actual login for UPC WiFree
uci set wireless.default_radio0.identity='my upc wifree login'
# below enter your actual password for UPC WiFree
uci set wireless.default_radio0.password='my password'
uci set wireless.default_radio0.disabled='0'
uci set wireless.default_radio0.ifname='wlan0'
uci set wireless.default_radio0.auth='MSCHAPV2'
uci commit wireless

uci set network.upcwifree=interface 
uci set network.upcwifree.proto='dhcp'
uci set network.upcwifree.auto='1'
uci set network.upcwifree.ipv6='0'
uci commit network

uci set firewall.@zone[1].network=''wan' 'wan6' 'upcwifree''
uci commit firewall

download LGI_Root_CA.cer and save it in /etc/ssl/certs/

opkg install libustream-openssl20150806 ca-bundle ca-certificates wget libustream-openssl20150806
wget -O /etc/ssl/certs/LGI_Root_CA.cer https://kudzia.eu/b/wp-content/uploads/2020/10/LGI_Root_CA.cer

reconfigure your 2.4GHz wifi interface [ WiFree only works on that band, not surprisingly since wall penetration of 5GHz is much worse ]:

uci set wireless.radio0.disabled='0'
uci set wireless.radio0.txpower='20'
uci set wireless.radio0.htmode='HT40'
uci set wireless.radio0.channel='auto'
uci set wireless.radio0.country='PL'
uci set wireless.default_radio0=wifi-iface
uci set wireless.default_radio0.device='radio0'
uci set wireless.default_radio0.mode='sta'
uci set wireless.default_radio0.network='upcwifree'
uci set wireless.default_radio0.ssid='UPC Wi-Free #SprawdzUPCMobile!'
uci set wireless.default_radio0.encryption='wpa2+ccmp'
uci set wireless.default_radio0.eap_type='ttls'
uci set wireless.default_radio0.phase1='peaplabel=1'
uci set wireless.default_radio0.phase2='auth=MSCHAPV2'
uci set wireless.default_radio0.ca_cert='/etc/ssl/certs/LGI_Root_CA.cer'
uci set wireless.default_radio0.wps_pushbutton='0'
# below enter your actual login for UPC WiFree
uci set wireless.default_radio0.identity='my upc wifree login'
# below enter your actual password for UPC WiFree
uci set wireless.default_radio0.password='my password'
uci set wireless.default_radio0.disabled='0'
uci set wireless.default_radio0.ifname='wlan0'
uci set wireless.default_radio0.auth='MSCHAPV2'
uci commit wireless

uci set network.upcwifree=interface 
uci set network.upcwifree.proto='dhcp'
uci set network.upcwifree.auto='1'
uci set network.upcwifree.ipv6='0'
uci commit network

uci set firewall.@zone[1].network=''wan' 'wan6' 'upcwifree''
uci commit firewall

Mikrotik 7.1.beta2

i’m using this on 751G-2HnD with development firmware, although it should work on other software too.

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-eap eap-methods=peap group-ciphers=tkip,aes-ccm management-protection=allowed mode=dynamic-keys mschapv2-password=my-upc-password mschapv2-username=my-upc-login name=UPC supplicant-identity=my-upc-login tls-mode=dont-verify-certificate unicast-ciphers=tkip,aes-ccm
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=poland default-authentication=no disabled=no frequency=2437 installation=indoor security-profile=UPC ssid="UPC Wi-Free #SprawdzUPCMobile!" wireless-protocol=802.11

/interface wireless connect-list
add interface=wlan1 mac-address=92:5C:14:AB:8F:57 security-profile=UPC ssid="UPC Wi-Free #SprawdzUPCMobile!" wireless-protocol=802.11
# above is not strictly needed but i wanted mikrotik to always choose device that i know is closest to me.

/ip dhcp-client
add disabled=no interface=wlan1

on both devices i’m also running WireGuard VPN – so i can reach both from anywhere in the internet, despite the fact that neither has public IP address. both routers establish VPN to my VPS. OpenWRT gave me a bit of headache – VPN would not re-establish after short drops of the WiFi acts as WAN. after each such episode wg0 would disappear and to reinstantiate it i had to either run /etc/init.d/network restart or reboot router. i’ve searched for help on the OpenWRT forum. this did not help:

uci set network.wg0.tunlink='upcwifree'

so i ended up doing this:

echo "* * * * * root ping -c 5 172.16.1.1 ; if [ $? -ne 0 ] ; then /etc/init.d/network restart ; fi" >> /etc/crontab/root
/etc/init.d/cron restart

where 172.16.1.1 is remote end of the VPN. yes, it’s rather crude measure.

Leave a Reply

Your email address will not be published. Required fields are marked *

(Spamcheck Enabled)