OpenWrt Forum Archive

Topic: wet mode and MAC address strangeness

The content of this topic has been archived on 11 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

I have the following boxes running RC5:

   * First WL500gd running as access point (wl0_mode=ap)
   * Second WL500gd running as bridge (wl0_mode=wet)

WPA1 (PSK) is turned on and all works just fine:

wl0_akm=psk
wl0_crypto=tkip
wl0_ssid=not_telling
wl0_wpa_psk=not_telling

Now the strange thing is: if a machine "A" behind the access point pings a machine "B" behind the bridge, then I look at the ARP table on "A", I see the MAC address of the bridge, not of machine "B"!

# on machine A
$ ping 172.17.0.79
PING 172.17.0.79 (172.17.0.79): 56 data bytes
64 bytes from 172.17.0.79: icmp_seq=0 ttl=64 time=4.847 ms
^C
--- 172.17.0.79 ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss
round-trip min/avg/max/stddev = 4.847/4.847/4.847/0.000 ms
$ arp 172.17.0.79
? (172.17.0.79) at 00:11:d8:01:cc:09 on rl0 [ethernet]

Here 172.17.0.79 is the IP address of machine "B" behind the bridge. But 00:11:d8:01:cc:09 is the MAC address of the bridge itself.

If I put a second machine behind the bridge, it also works just fine. But it also shows the bridge's MAC address in ARP, not its own:

$ arp 172.17.0.189
? (172.17.0.189) at 00:11:d8:01:cc:09 on rl0 [ethernet]

If I do tcpdump at both sides I see different packets:

# original reply from B:
15:54:42.010382 00:12:3f:69:6c:3c > 00:48:54:d0:bb:d5, ethertype ARP (0x0806), length 42: arp reply 172.17.0.79 is-at 00:12:3f:69:c9:3c

# packet which arrives at A:
15:54:41.875302 00:11:d8:01:cc:09 > 00:48:54:d0:bb:d5, ethertype ARP (0x0806), length 60: arp reply 172.17.0.79 is-at 00:11:d8:01:cc:09

So, does this mean that wet mode is doing some strange MAC masquerading, and is not really a true bridge at all? I've not tried any non-IP traffic (NetBIOS etc). I'm just interested to know what's going on.

Regards,

Brian.
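As an added example (not from the original posts): a Python script that automates the two checks made by hand above, pairing the ARP reply captured on the wired side of the bridge with the one that arrives on the AP side to spot hardware-address rewriting, and flagging an ARP table in which several IPs resolve to a single MAC, which is the footprint a WET-style masquerading bridge leaves on the AP side. The sample lines are constructed from the captures quoted above; the function names are my own.

```python
import re
from collections import defaultdict

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"

# Matches the tcpdump ARP-reply lines shown in the post (frame src/dst plus
# the sender hardware address carried inside the ARP payload).
ARP_REPLY_RE = re.compile(
    rf"(?P<src>{MAC}) > (?P<dst>{MAC}), ethertype ARP \(0x0806\), length \d+: "
    rf"arp reply (?P<ip>\S+) is-at (?P<hw>{MAC})"
)
# Matches BSD-style `arp` output: ? (ip) at mac on iface [ethernet]
ARP_TABLE_RE = re.compile(rf"\((?P<ip>[\d.]+)\) at (?P<hw>{MAC})")

def parse_arp_reply(line):
    """Return the frame src/dst, target IP and ARP sender MAC, or None."""
    m = ARP_REPLY_RE.search(line)
    return m.groupdict() if m else None

def translated_replies(inner_lines, outer_lines):
    """Pair replies for the same IP seen on the wired (inner) side and the AP
    (outer) side; return {ip: (original_mac, mac_seen_on_ap_side)} for every
    reply whose sender hardware address was rewritten in transit."""
    inner = {r["ip"]: r for r in map(parse_arp_reply, inner_lines) if r}
    rewritten = {}
    for r in map(parse_arp_reply, outer_lines):
        if r and r["ip"] in inner and r["hw"] != inner[r["ip"]]["hw"]:
            rewritten[r["ip"]] = (inner[r["ip"]]["hw"], r["hw"])
    return rewritten

def shared_macs(arp_table_lines, min_hosts=2):
    """Return {mac: [ips]} for MACs that answer for min_hosts or more IPs:
    many hosts hiding behind one MAC is the signature of a masquerading bridge."""
    by_mac = defaultdict(list)
    for line in arp_table_lines:
        m = ARP_TABLE_RE.search(line)
        if m:
            by_mac[m["hw"]].append(m["ip"])
    return {mac: ips for mac, ips in by_mac.items() if len(ips) >= min_hosts}

# Constructed sample input, copied from the captures in the post.
INNER_CAPTURE = ["15:54:42.010382 00:12:3f:69:6c:3c > 00:48:54:d0:bb:d5, ethertype ARP (0x0806), length 42: arp reply 172.17.0.79 is-at 00:12:3f:69:c9:3c"]
OUTER_CAPTURE = ["15:54:41.875302 00:11:d8:01:cc:09 > 00:48:54:d0:bb:d5, ethertype ARP (0x0806), length 60: arp reply 172.17.0.79 is-at 00:11:d8:01:cc:09"]
ARP_TABLE = ["? (172.17.0.79) at 00:11:d8:01:cc:09 on rl0 [ethernet]",
             "? (172.17.0.189) at 00:11:d8:01:cc:09 on rl0 [ethernet]"]

if __name__ == "__main__":
    print("rewritten ARP replies:", translated_replies(INNER_CAPTURE, OUTER_CAPTURE))
    print("MACs fronting several IPs:", shared_macs(ARP_TABLE))
```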

candlerb wrote:

So, does this mean that wet mode is doing some strange MAC masquerading, and is not really a true bridge at all?

Right; use WDS if you want a true bridge.

OK, now I open a box that I was hoping not to open :-)

My knowledge of the various modes of wifi operation (STA vs WET vs WDS), and how they interact with WPA etc. (specifically WPA-PSK), is limited.

But let me check if what I know so far is correct. Assuming I have

   \|/  . . . . . . .  \|/  . . . . . . Z
    |                   |
    A (mode             B (mode
    |  =ap)             |  =wds)
    |                   |
    X                   Y

X and Y are wired ethernet devices; Z is a wireless client

then am I right in saying:

(1) I must either explicitly configure the MAC address of B as WDS client into A, or else configure A for 'lazy wds' so that anyone who wants to make a WDS association can do so

(2) An additional wireless client, Z, could associate with either A or B (depending on which has the stronger signal?)

Things that concern me about WDS:

* How does WPA work in this mode? If Z comes along and associates with B, is Z the supplicant and B the authenticator? Or is Z the supplicant and A the authenticator (tunneled through)? Or does Z authenticate to B, *and* B separately authenticate to A? Is traffic encrypted at Z, decrypted at B, and then re-encrypted for relay from B to A?

[This would particularly concern me when using WPA-EAP and RADIUS. A only needs to be configured to point to a RADIUS server; would B need to be configured to point to a RADIUS server, *and* contain its own keying material to authenticate to A?]

* What prevents loops occurring? For example, if I have access point A and WDS repeaters B, C and D, all within range of A, and all are configured for lazy WDS. A client comes along which is within range of all of them. What stops packets going B->C->D->A or even B->C->D->B->C->D->... ? Is there spanning tree or similar running? If so, is the AP forced to be the root, or should this be done manually?

* What are the security implications of WDS? If WDS is secure, then why doesn't every access point just turn on lazy WDS by default? Why should you either disable it, or enable it for certain MAC addresses only?

Cheers, Brian.
