# Channel Configuration for Infrastructure Nodes

## What Are Channels?

Meshtastic supports up to **8 simultaneous channels** (numbered 0-7). Channel 0 is the *primary channel* used for most mesh traffic. Channels 1-7 can carry separately encrypted traffic for specific groups or purposes.

## PSK - Pre-Shared Key

Each channel has a **name** and a **pre-shared key (PSK)**. The PSK can be **0 bytes** (no encryption), **16 bytes** (AES-128), or **32 bytes** (AES-256); it is not always a 32-byte AES-256 key. Two nodes can communicate on a channel only if they share the same name *and* the same PSK (same key length and value). Channel payloads are encrypted with AES under the PSK: AES-128 for a 16-byte key, AES-256 for a 32-byte key.

## The Default Public Key

The *Default* public channel (LongFast) uses a **well-known, publicly published default key** (the 1-byte key `AQ==`, 0x01). It is a defined weak key, not an empty/no-encryption PSK, so traffic on it is effectively public. Any node running Meshtastic with the default channel can participate in the public mesh. Using a **custom PSK** creates a private channel readable only by nodes that hold that key.

## Channel Strategy for Community Infrastructure Nodes

- **Channel 0 - Default PSK:** Keep the primary channel on the public Default key so all community users benefit from your repeater's coverage.
- **Channel 1 - Private PSK:** Adding a secondary channel with a private key for your personal use or club coordination is acceptable. The repeater will relay packets on both channels.
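
The PSK lengths, the default key and the channel strategy above can be checked mechanically before a node is deployed. The following is an added example, not code from the Meshtastic project; the function names, the `(index, name, psk_b64)` tuple layout and the sample plan are assumptions made for illustration.

```python
import base64
import secrets

DEFAULT_PSK = b"\x01"  # the published default key, base64 "AQ=="

def classify_psk(psk_b64: str) -> str:
    """Map a base64-encoded PSK to the protection level described above."""
    try:
        raw = base64.b64decode(psk_b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "invalid-base64"
    if len(raw) == 0:
        return "none"
    if raw == DEFAULT_PSK:
        return "default-public"
    if len(raw) == 1:
        # Only 256 possible values, so never a private key.
        return "weak-1-byte"
    if len(raw) == 16:
        return "aes128"
    if len(raw) == 32:
        return "aes256"
    return "invalid-length"

def new_private_psk() -> str:
    """Generate a random 32-byte (AES-256) PSK from the OS CSPRNG."""
    return base64.b64encode(secrets.token_bytes(32)).decode("ascii")

def audit_channels(channels):
    """channels: list of (index, name, psk_b64). Returns a list of findings."""
    findings = []
    for index, name, psk in channels:
        kind = classify_psk(psk)
        if index == 0:
            if kind != "default-public":
                findings.append(f"ch0 {name!r}: {kind}, not the public Default key")
        elif kind not in ("aes128", "aes256"):
            findings.append(f"ch{index} {name!r}: {kind}, not a private key")
    return findings

# Constructed sample plan for a community repeater (not real keys in use).
SAMPLE_PLAN = [
    (0, "LongFast", "AQ=="),
    (1, "club", new_private_psk()),
    (2, "ops", "Ag=="),  # 1-byte key on a channel meant to be private
]

if __name__ == "__main__":
    print("\n".join(audit_channels(SAMPLE_PLAN)) or "channel plan OK")
```
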

## Remote Administration

Meshtastic supports remote administration: an administrator node can send configuration commands to another node, changing its settings without physical access to the device. In firmware 2.5 and later, the recommended method is **PKC admin keys** configured under **Security Config**: you add the public key(s) of trusted administrator nodes to the remote node's admin-key list, and those nodes can then administer it. The legacy **admin channel** (a secondary channel named exactly `admin`, case-sensitive) exists only for managing pre-2.5 nodes; there is *no* "Is Admin" toggle on a channel.

**Setting up remote administration is strongly recommended for unattended permanent deployments.**

1. On firmware 2.5+, open **Security Config** and add the public key of each trusted administrator node to the node's admin-key list. (For legacy pre-2.5 nodes only: create a secondary channel named exactly `admin`.)
2. Verify the exact app path before you publish or commit the change - getting remote admin wrong can lock you out of a remote node entirely.
3. Back up the configuration (export the config, and for legacy admin channels save the QR code) and store it securely - anyone with the admin keys or legacy admin-channel QR code can reconfigure your node remotely.

## Channel Propagation

What a relay rebroadcasts depends on its **Rebroadcast Mode**, not just on which channels it has configured. Meshtastic relays based on the *unencrypted* packet header, so under the default `ALL` mode a repeater rebroadcasts **all** packets that match its modem settings and frequency - *including packets on channels whose PSK it does not have and cannot decrypt*. This means a private channel can be carried by a public repeater. Only the `LOCAL_ONLY` or `KNOWN_ONLY` rebroadcast modes restrict relaying to the repeater's own configured/known channels. (A node still has to be on the same modem preset and frequency to hear and relay at all.) For a public community repeater, keeping only the public Default channel configured is the standard approach, but be aware that under default `ALL` mode it will still relay other traffic on the same modem settings.

## Changing Channels on a Deployed Node

Options for modifying channel config after deployment:

- **Via remote admin** (preferred for remote nodes) - send a channel update from an administrator node whose key is in the remote node's admin-key list (or, on legacy nodes, that shares the admin channel).
- **Via serial/USB** - connect a laptop directly to the node.
- **Via Bluetooth** - only if Bluetooth was left enabled.

**Common pitfall:** losing the admin keys / admin channel config (or disabling Bluetooth and having no USB access) leaves a remote node inaccessible without a physical site visit. Always back up admin keys and any admin-channel QR codes before deployment.