WDS WPA2 problems

Did you have problems configuring a WDS connection?

  • Yes, there is a certain lack of documentation on how to do it properly
  • No, it started working very quickly
  • I didn’t try WDS

I have two routers in ‘ap bridge’ mode with WDS mode ‘static’. I’ve added a ‘wds1’ interface with the WDS address of the opposite side on both routers and set up the connection in the Connection List with a special security profile, ‘wds_profile’. The APs have different SSIDs and ‘WDS ignore SSID’ is on. When I set Mode to ‘none’ in ‘wds_profile’ on both ends, they connect fine and I see the established link in the Registration tab. When I set Mode to ‘dynamic keys’ and any combination of {WPA PSK, WPA2 PSK} and {aes ccm, tkip} (equal on both ends, of course, with the same WPA/WPA2 pre-shared key), both ends fail to connect with the following error: ‘disconnected, unicast key exchange timeout’, and try to reconnect every 30 seconds.

The security profile for the AP is different from the WDS one (the WDS profile is identical on both ends, but the AP profiles have different pre-shared keys, and the SSIDs are different too).

Is it possible to have WPA2 WDS with such configuration?

Set the unicast key timeout to 1 hour in all security profiles. I am using WDS with WPA2 without any problems. Try to avoid mesh if you can.

There is no unicast key timeout in security profiles:

 1   name="wds" mode=dynamic-keys authentication-types=wpa2-psk unicast-ciphers=tkip,aes-ccm group-ciphers=tkip,aes-ccm wpa-pre-shared-key="..." wpa2-pre-shared-key="..."
     supplicant-identity="..." eap-methods=passthrough tls-mode=no-certificates tls-certificate=none mschapv2-username="" mschapv2-password="" static-algo-0=none static-key-0=""
     static-algo-1=none static-key-1="" static-algo-2=none static-key-2="" static-algo-3=none static-key-3="" static-transmit-key=key-0 static-sta-private-algo=none
     static-sta-private-key="" radius-mac-authentication=no radius-mac-accounting=no radius-eap-accounting=no interim-update=0s radius-mac-format=XX:XX:XX:XX:XX:XX
     radius-mac-mode=as-username radius-mac-caching=disabled group-key-update=5m management-protection=disabled management-protection-key=""

There is a group key timeout, and it is set to 5 minutes (which is longer than the 5 seconds of client disconnection). I should stress that the APs are different: different SSIDs, different pre-shared keys. I set a separate security profile for WDS, so theoretically this shouldn’t be a problem.

Sorry. I meant group key. My bad memory…

The message about a “timeout” is not an actual timeout but a plain authentication failure. The group key timeout has nothing to do with this! Did your WDS use a pre-shared key or EAP?

Finally, I managed to establish a WDS WPA2 link. Here are my conclusions:

  1. The SSIDs of WDS-enabled interfaces must match. The WDS Ignore SSID flag doesn’t help! This is not true for non-WPA links, I guess.
  2. The security profiles of the APs and the WDS must be identical, including the pre-shared key! So it is impossible to have a WDS pre-shared key different from the AP’s!!!

The possible way out of these restrictions is to add a second virtual AP and have a different SSID and a different security profile on it. Don’t forget to assign an IP address to it and add a bridge port for it!
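Both of the conclusions above (matching SSIDs, and security profiles identical on both ends down to the pre-shared key) are things that can be checked before touching the link. The following is an added example written for this thread, not code from MikroTik or from any poster: it parses the key=value layout of the ‘/interface wireless security-profiles print’ output quoted earlier, compares the two ends of a WDS link, and reports the mismatches that would produce the ‘unicast key exchange timeout’ error, plus weak settings (mode=none, TKIP, WPA1 PSK) that a practitioner would want flagged. The sample profiles, SSIDs and keys are constructed; end B is the thread’s profile with a mistyped WPA2 key and a different group cipher list, the kind of hand-copying drift that breaks a link. Secret values are never printed.

```python
import re
import shlex

# Fields that play no part in a WPA2-PSK WDS link (EAP, RADIUS, static-WEP
# settings and the profile's own name); a difference there is noise rather
# than a cause of "unicast key exchange timeout".
IGNORED_FIELDS = {
    "name", "supplicant-identity", "eap-methods", "tls-mode", "tls-certificate",
    "mschapv2-username", "mschapv2-password", "static-transmit-key",
    "static-sta-private-algo", "static-sta-private-key",
    "radius-mac-authentication", "radius-mac-accounting", "radius-eap-accounting",
    "interim-update", "radius-mac-format", "radius-mac-mode", "radius-mac-caching",
} | {f"static-{kind}-{i}" for kind in ("algo", "key") for i in range(4)}

# Never echoed; a mismatch in these is reported without the values.
SECRET_FIELDS = {"wpa-pre-shared-key", "wpa2-pre-shared-key", "management-protection-key"}


def parse_profile(printout):
    """Parse one entry of `/interface wireless security-profiles print` into a dict.

    RouterOS wraps long entries onto indented continuation lines and prefixes the
    first line with an item index (optionally followed by flag letters); both are
    dropped. Quoted values are unquoted by shlex, so a key containing spaces works.
    """
    flat = " ".join(line.strip() for line in printout.strip().splitlines())
    flat = re.sub(r"^\d+\s+(?:[A-Z]+\s+)?", "", flat)
    fields = {}
    for token in shlex.split(flat):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def check_wds_pair(ssid_a, profile_a, ssid_b, profile_b):
    """Return findings for a WDS link between two endpoints; empty means nothing to fix.

    Link-breaking mismatches (SSID, then profile fields including the pre-shared
    keys, in sorted field order) come first, followed by weak settings per end.
    """
    a, b = parse_profile(profile_a), parse_profile(profile_b)
    findings = []
    if ssid_a != ssid_b:
        findings.append(f"SSID mismatch: {ssid_a!r} vs {ssid_b!r}")
    for key in sorted((set(a) | set(b)) - IGNORED_FIELDS):
        if a.get(key) != b.get(key):
            if key in SECRET_FIELDS:
                findings.append(f"{key} differs between ends (values withheld)")
            else:
                findings.append(f"{key} differs between ends: {a.get(key)!r} vs {b.get(key)!r}")
    for label, p in (("A", a), ("B", b)):
        if p.get("mode") != "dynamic-keys":
            findings.append(f"end {label}: mode={p.get('mode')!r}, WDS frames are not WPA-protected")
        if "wpa-psk" in p.get("authentication-types", "").split(","):
            findings.append(f"end {label}: WPA (v1) PSK accepted alongside WPA2")
        for field in ("unicast-ciphers", "group-ciphers"):
            if "tkip" in p.get(field, "").split(","):
                findings.append(f"end {label}: TKIP allowed in {field}")
    return findings


# Constructed sample: end A is the profile quoted in the thread with placeholder
# secrets filled in (the passphrase is a made-up example, not a real key).
PROFILE_A = """
 1   name="wds" mode=dynamic-keys authentication-types=wpa2-psk unicast-ciphers=tkip,aes-ccm group-ciphers=tkip,aes-ccm wpa-pre-shared-key="" wpa2-pre-shared-key="correct horse battery staple"
     supplicant-identity="MikroTik" eap-methods=passthrough tls-mode=no-certificates tls-certificate=none mschapv2-username="" mschapv2-password="" static-algo-0=none static-key-0=""
     static-algo-1=none static-key-1="" static-algo-2=none static-key-2="" static-algo-3=none static-key-3="" static-transmit-key=key-0 static-sta-private-algo=none
     static-sta-private-key="" radius-mac-authentication=no radius-mac-accounting=no radius-eap-accounting=no interim-update=0s radius-mac-format=XX:XX:XX:XX:XX:XX
     radius-mac-mode=as-username radius-mac-caching=disabled group-key-update=5m management-protection=disabled management-protection-key=""
"""
# End B: "copied by hand" with a different profile name (harmless), a typo in
# the WPA2 key and TKIP dropped from group-ciphers (both break the link).
PROFILE_B = (PROFILE_A.replace('name="wds"', 'name="wds_profile"')
             .replace("group-ciphers=tkip,aes-ccm", "group-ciphers=aes-ccm")
             .replace("battery staple", "batery staple"))

if __name__ == "__main__":
    for finding in check_wds_pair("office-wds", PROFILE_A, "office-wds", PROFILE_B):
        print(finding)
```

Feed each end’s actual ‘print’ output into check_wds_pair together with the SSID of the WDS-enabled interface on that end; an empty list means the two profiles agree on everything that matters to the WPA2 handshake. The cipher findings are advisory: TKIP is still listed in the thread’s profile, but with aes-ccm available on both ends there is no reason to keep it.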

It’s too early to celebrate… Though it does connect, the connection is very unstable! There were no problems with clients, the signal is very strong, SNR > 40 dB, and the distance between the points is several meters. Nevertheless, the points can’t hold a stable WDS connection. I tried too many variations: AP + AP; AP + WDS Station; AP + WDS Slave and many other options; nothing helps!

I think it’s a bug in MikroTik’s WPA client implementation! Considering the many similar complaints… :frowning:

My WDS links between APs work with WPA2. I just do not use the physical interface at all (not a member of any bridge, no IP), just virtual APs with their own MAC addresses different from the physical wlan. Try this too.

And anyway, giving a negative rating to the only person trying to help you can easily lead to a situation where nobody will try to help you further.

This just proves the instability of the WPA code in MikroTik firmware. I synchronized the clock via NTP, and it became somewhat more stable. But it hung overnight anyway. After a hang I need to reboot one of the nodes, otherwise they never connect.

Btw, according to this article, “Dynamically assigned and rotated encryption keys are usually not supported in a WDS connection”. Which means that either this is a proprietary MikroTik technology or a static pre-shared key is used all the time. In the latter case I do not see the security difference from WEP.

Some more discoveries:

  1. ‘Security Profile: none’ in the Connection List means the Security Profile of the wlan interface is used. Somehow, it connects much better when ‘Security Profile: none’ is set in the Connection List entry. The link in Registration still shows WPA2.
  2. There should be a Connection List entry on one side only, not both. I will check whether this brings stability.

Dynamic Mesh automatically creates the WDS tunnel, and it somehow works fine!!! Since yesterday, 0 link downs!!!