Seeing as I too struggled to get info together on this scenario, I don't mind sharing what I have learned.
Answers to your q's:
like why do we need to connect (as your diagram ) node6 to node4 ? isn't enough to connect node6 to node1 ? is this to only make roaming ?
This is purely for redundancy. It is not a requirement, purely a backup path.
and is the mac-list in the wds AP's contains only the other wds ap's we want to connect to ? wht about the users mac addresses , is thier another list for them ? or we wont put thier mac's in any list ( i mean mac filtering )
Well, as in the wiki example on this site, the authentication methods are used for WDS connections specifically. Anyone else (a client) does not create a WDS connection. The connect-list rules refer to the security profile assigned to that interface, and applicable to WDS only. Also, connect-list refers to AP's that each node will connect to
and not what will connect to it. This is controlled with access-rule
list and default-authenticate.
In my final configuration, I created Virtual AP's with unique SSID's for the clients to connect, and the backbone controlled by connect-list rules.
Reason for this was although using same SSID's worked (and therefore allowing 'roaming'), CPE devices don't necessarily connect to the new AP with better signal when a different MAC is presented.
So what happened was they would connect to a strong signal, maybe roam and not refresh/repair the network connection, and the CPE would hang on for dear life to the original AP it connected to...
Using unique SSID's stops transparent roaming (only the first pass for eg laptops) and ensures the client always connects to the strongest signal.
Using PPPoE on each node will also stop roaming, as the connection will drop as they move to a new AP, but this is not really an issue for my clients. They hardly ever work on their laptops while walking around!
Hope that helps...