WPA on WDS - no go?

Sorry for a noob question, I read relevant wiki articles, tried numerous configurations, searched the forum a bit, but to no avail … I’m still stuck :frowning: .

Due to poor network planning, we’re stuck with this configuration:
(why it doesn’t want to display is beyond me … please click the link, it will open in a new window … sorry!)

Everything works fine, except the WDS link (marked red in the pic) between DWL and MT - DWL is running in AP mode, configured with the MAC of the MT’s wlan1 card. WPA with PSK is used for authentication.
MT’s wlan1 card config is below. When the card is in station mode, it connects to the DWL OK (but WDS doesn’t work in station mode :unamused: ).
When the MT’s wlan1 card is in ‘ap-bridge’ or ‘bridge’ mode (which it should be according to the info I read on WDS), it just cries out in the log:
timestamp [MAC of the DWL]@wlan1:connected, is AP, wants WDS
timestamp+3s [MAC of the DWL]@wlan1:disconnected, decided to deauth: 4-way handshake timeout(15)

And so on …

Any suggestions are greatly appreciated! Thanks!

Relevant config info:

WDS interface:
/ interface wireless wds
add name="wds1" mtu=1500 arp=enabled disable-running-check=no
master-interface=wlan1 wds-address=[DWL_MAC] comment="" disabled=no

WLAN1 interface:
set wlan1 name="wlan1" mtu=1500 mac-address=[MAC] arp=enabled
disable-running-check=no radio-name="MAC" mode=ap-bridge
ssid="SomeNet" area="" frequency-mode=superchannel
country=croatia antenna-gain=0 frequency=2472 band=2.4ghz-onlyg
scan-list=default rate-set=default
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007
ack-timeout=dynamic tx-power-mode=default noise-floor-threshold=default
periodic-calibration=default periodic-calibration-interval=60
burst-time=disabled dfs-mode=none antenna-mode=ant-a wds-mode=static
wds-default-bridge=wds_bridge wds-default-cost=100 wds-cost-range=50-150
wds-ignore-ssid=yes update-stats-interval=disabled
default-authentication=yes default-forwarding=yes default-ap-tx-limit=0
default-client-tx-limit=0 proprietary-extensions=post-2.9.25 hide-ssid=no
security-profile=default disconnect-timeout=3s on-fail-retry-time=100ms
preamble-mode=both compression=no allow-sharedkey=no comment="" disabled=no

Bridge interface:
add name="wds_bridge" mtu=1500 arp=enabled stp=yes priority=32768
ageing-time=5m forward-delay=15s garbage-collection-interval=5s
hello-time=2s max-message-age=20s comment="" disabled=no
/ interface bridge port
add interface=wlan2 bridge=wds_bridge priority=128 path-cost=10 comment=""
disabled=no
add interface=wds1 bridge=wds_bridge priority=128 path-cost=10 comment=""
disabled=no
add interface=wlan1 bridge=wds_bridge priority=128 path-cost=10 comment=""
disabled=no


Bye,
chense
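An added example, not part of the original post: a small Python check that scans wireless log text for the loop described above, where a WDS peer associates and is deauthenticated a few seconds later with a 4-way handshake timeout. The message text follows the post; the timestamp and topic prefix, the MAC addresses, and the `handshake_loops` helper with its thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines: message text follows the post; timestamps, topic
# prefix and MAC addresses are made up for illustration.
SAMPLE_LOG = """\
10:15:01 wireless,info 00:11:22:33:44:55@wlan1: connected, is AP, wants WDS
10:15:04 wireless,info 00:11:22:33:44:55@wlan1: disconnected, decided to deauth: 4-way handshake timeout(15)
10:15:09 wireless,info 00:11:22:33:44:55@wlan1: connected, is AP, wants WDS
10:15:12 wireless,info 00:11:22:33:44:55@wlan1: disconnected, decided to deauth: 4-way handshake timeout(15)
10:15:20 wireless,info 66:77:88:99:AA:BB@wlan2: connected
10:15:30 wireless,info 00:11:22:33:44:55@wlan1: connected, is AP, wants WDS
10:15:33 wireless,info 00:11:22:33:44:55@wlan1: disconnected, decided to deauth: 4-way handshake timeout(15)
"""

# Assumed line layout: HH:MM:SS <topics> <MAC>@<interface>: <message>
EVENT = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d)\s+\S+\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})@(?P<iface>[\w-]+):\s*"
    r"(?P<msg>.*)$"
)

def handshake_loops(log_text, min_failures=3, max_gap=10):
    """Return {(mac, iface): count} for peers that repeatedly associate and are
    then deauthenticated with a 4-way handshake timeout within max_gap seconds."""
    pending = {}                  # (mac, iface) -> time of last 'connected'
    failures = defaultdict(int)   # (mac, iface) -> number of failed handshakes
    for line in log_text.splitlines():
        m = EVENT.match(line.strip())
        if not m:
            continue              # ignore lines that are not per-peer events
        key = (m["mac"].upper(), m["iface"])
        t = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
        msg = m["msg"]
        if msg.startswith("connected"):
            pending[key] = t
        elif msg.startswith("disconnected"):
            started = pending.pop(key, None)
            if ("4-way handshake timeout" in msg and started is not None
                    and 0 <= t - started <= max_gap):
                failures[key] += 1
    return {k: n for k, n in failures.items() if n >= min_failures}

if __name__ == "__main__":
    for (mac, iface), n in handshake_loops(SAMPLE_LOG).items():
        print(f"{mac} on {iface}: {n} WPA handshake timeouts right after association")
```

A peer reported here associates at the 802.11 level but never completes the WPA key exchange, which is the point where the encryption settings on both ends should be compared.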

If you set mode=station, DWL-MT are able to authenticate with current settings using encryption?
Make sure that encryption settings match on both routers.
I have a similar setup: AP<—>AP link running encryption WPA and WDS.

Yes, in station mode the MT connects to the DWL OK, ping works between them.
But the DWL part of the network can’t see the clients connected to the MT’s wlan2 card … nor the other way around.


Bye,
chense

Chense, make sure you have correct encryption settings on both routers.

  • Install the latest RouterOS version;
  • enable wireless,debug logs in ‘/ system logging’;
  • generate support output file, when routers are trying to establish communications;
  • send support output file to the support (support@mikrotik.com).

Just curious, if you disable WPA encryption, is the wireless link established or not?

I will verify it once again, but I’m pretty sure it’s the same.

Thanks for the tip!
I played a bit with various log topics, but was unable to get more detail in the critical section - just the same ‘connected, disconnected’ routine mentioned in the original post …

No, not in any mode (station nor ap-bridge).

Thanks for the help … I guess I’ll try another MT version, or flash the DWL :unamused: … or give up on WDS totally and separate the subnets and route them back together.


Bye,
chense

If you send support output files from the routers to support while ‘wireless,debug’ logs are enabled, support can give more detailed information about the problem with WPA/WDS.

Another note: It is possible that the MikroTik WDS will not work with non-MikroTik WDS devices, as the WDS implementation could be different on different manufacturer devices. It means that you will not be able to get connection with this device using encryption.

Quite possible, although somewhat unlikely - I’ve read reports on several forums from people who got it working with Ovislink AP WL1120 AP, AP 5460, WL118G+ …

The whole purpose of a standardized protocol is the ability to work with devices from different manufacturers … at least in a perfect world :laughing:


Bye,
chense