Bridge ethernet to Wi-Fi using WDS 4addr Linksys 3200WRT

Questions about WDS must be getting old, but I'm really stuck.

First, I have this working using Ubuntu 16.04 as my access point. It is running hostapd and NetworkManager is turned off. The interfaces file creates br0 with the ethernet and Wi-Fi. Hostapd is properly configured for WDS sta. This works fine. My client wi-fi device connects and packets flow just fine to the ethernet. My client device routes packets and WDS works as expected. Downstream MACs aren't lost. That's what 4addr is all about.

I need to get this working with OpenWRT. I'm using a Linksys 3200WRT loaded with the 17.1.4 OpenWRT. I'm using Luci. Any pointers will help.

I've connected a local pc to a lan port and can browse to and use Luci.
I have connected wan to the enterprise network.
I have configured wan to be dhcp and I see it get its address from the enterprise. I can ping it. I can't browse to that address. Hmm.
I have configured radio1 to be WDS-AccessPoint and configured encryption. My client device can connect.
I have made sure that br-wan contains the wan and radio1. The logs show ports wlan0 and eth0 connecting to br-wan.
I have not turned off dhcp. I shouldn't need to, right? I don't see any big master switch to turn it off.
I have not turned off VLANs. Should I?

I don't get any packets flowing from wi-fi to ethernet.

So, I will need to ssh in, I suppose, and see what is doing on. Tomorrow.
I don't see anything obvious in the logs or config.
Any suggestions are quite welcome.


WDS bridges packets, not Ethernet frames. Since VLANs are an Ethernet construct, they are not preserved.

There are a few approaches to bridging VLANs including:

  • Multiple SSIDs running WDS, each for a specific VLAN
  • VPN bridging
  • Explicit bridging using gretap or the like, potentially in an encrypted channel

(Routing is also possible, but becomes a hassle if you're roaming over multiple APs)

Using multiple SSIDs is the most straightforward, but quickly becomes unmanageable with more than a couple VLANs. It also adds to channel congestion due to the beacon for each SSID

VPN bridging is possible. I personally don't use it as I don't need the overhead of encryption for my application.

I use a gretap tunnel, a layer 2 tunnel, so the VLANs are "transparent" to the tunnel itself. I run over 802.11s. Others use B.A.T.M.A.N. Let me know if you decide to go that way as there are some "interesting" challenges with MTU as well as subtleties due to the way that OpenWRT names interfaces.

There is a switch to turn off DHCP. I'm not a big LuCI user, but I think it's labeled "Disable DHCP on this interface" or the like. Most people only want a single DHCP server per network and I don't know that busybox can be configured to handle DHCP redundancy on a single network.

(There are, or were, challenges in integrating different implementations of WDS. I don't know if it was ever "standardized".)

I am talking about routing packets. I don't want anything like a VLAN. But, I was worried it might get in the way or something. In Linux, i have a bridge with 2 ports - eth0 and wlan0. Br0 is configured for dhcp. I have hostapd configured to use br0 and wlan0, WDS AP mode, and WPA PSK. Tada! It's done. It works.

I think I've done the same kind of thing using Luci. But packets don't transit from wifi to ethernet. I think the bridge, br-wan, is working. It does get a dhcp address from the enterprise network not the onboard dhcp server. But, its like the wifi packets aren't getting into br-wan.

Well, tomorrow is another day. I'll try to ssh into the box. The logs and configuration look OK, but I guess I need to see more than Luci.

First you have to set up the 802.1X login on Ethernet. If you don't 802.1X you may still get a DHCP address but no Internet.

So make sure wired is working before you say there is a wifi problem.

If you do a simple bridge you will be sending multiple MAC addresses down the Ethernet cable from your various users. The enterprise would have to be rather lax to accept that.

You do not need WDS unless you are going to use a WDS station to have multiple users from another network bridge over the wifi link. If you are only having simple user client devices connect to the AP, it does not need to be in WDS mode.

When you do have a WDS AP, and a WDS STA connects, hostapd will spawn another interface such as wlan0.sta1 and put it into the bridge. brctl show will show what is in your bridges. An AP(WDS) will also accept regular stations. These do not spawn an additional interface, they will go through wlan0.

The DHCP client is disabled on the WAN interface by default. See the wan section of /etc/config/dhcp.

@mk24 All good points. I do need WDS for exactly the reason you say - I have another network bridge talking over the wifi link. There are multiple devices downstream. The enterprise segment I'm connected into upstream is a bit lax. It expects that there are multiple MACs on the ethernet line for bridges and switches and stuff for development.
Your description of how hostapd spawns interfaces for WDS clients and accepts other clients matches my experience with Ubuntu.
I'm feeling a little better now. I need to get the albatross from around my neck.

So, I'm not seeing the wlan1.sta1 interface show up on the br-wan. On my Ubuntu access point, which works, I see the interface. I compared the hostapd configurations and the only thing different is 'ap_isolate=1'. My reading of the hostapd doc says it should be 'ap_isolate=0' or omitted. My Ubuntu has omitted the parameter.

I tried to convince hostapd to reconfigure. I edited the config file and sent SIGHUP. No different. Not sure it its reconfiguring or not.

I tried to convince the wireless configuration by adding "option isolate '0'" to the config wifi-iface in /etc/config/wireless. The option persists in the file, but 'ap_isolate=1' is put into the hostapd config.

I don't see anyplace in Luci for isolation settings.

Any help is greatly appreciated.

Please try manually adding option multicast_to_unicast 0 and option isolate 0 to the config wifi-iface section(s) of /etc/config/wireless, then issue /sbin/wifi to reload the settings.

1 Like

I added option multicast_to_unicast 0 to /etc/config/network and option isolate 0 to /etc/config/wireless. Did the reload.
Yay, the ap_isolate option is not in the hostapd config file.
Boo, it still isn't working. I don't see any wlan1.sta1 added to the bridge. No traffic transits from wlan1 through the bridge to eth1.

Ideas are still welcome.

Would it help if I uploaded the config files?
I don't see a way to do it here. Sorry for my ignorance.
But, thanks again for the help.

You can paste the contents of the config file into the comment box and wrap it into "```" on the first and last line to turn it into preformatted text.

The wireless file

config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'soc/soc:pcie-controller/pci0000:00/0000:00:01.0/0000:01:00.0'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'LEDE'
	option encryption 'none'

config wifi-device 'radio1'
	option type 'mac80211'
	option channel '11'
	option hwmode '11g'
	option path 'soc/soc:pcie-controller/pci0000:00/0000:00:02.0/0000:02:00.0'
	option htmode 'HT20'
	option country 'US'

config wifi-iface 'default_radio1'
	option device 'radio1'
	option mode 'ap'
	option ssid 'LEDE'
	option wds '1'
	option network 'wan'
	option encryption 'psk2'
	option key 'Unisys1234'
	option multicast_to_unicast '0'
	option isolate '0'

config wifi-device 'radio2'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'platform/soc/soc:internal-regs/f10d8000.sdhci/mmc_host/mmc0/mmc0:0001/mmc0:0001:1'
	option htmode 'VHT80'
	option disabled '1'

config wifi-iface 'default_radio2'
	option device 'radio2'
	option network 'lan'
	option mode 'ap'
	option ssid 'LEDE'
	option encryption 'none'

And the network file

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr ''
	option netmask ''

config globals 'globals'
	option ula_prefix 'fd11:d867:46d4::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0'
	option proto 'static'
	option ipaddr ''
	option netmask ''
	option ip6assign '60'

config interface 'wan'
	option ifname 'eth1'
	option proto 'dhcp'
	option type 'bridge'
	option multicast_to_unicast '0'

config interface 'wan6'
	option ifname 'eth1'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '0 1 2 3 5'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '4 6'

The only other thing I have thought about to try is to update to the latest firmware. Tomorrow, I guess.

I told my boss all the people over here at are really smart. Don't make me a liar. Grin.

Any suggestions are welcome. I'm really not sure what to look at next. I will compare the hostapd config files again.

Gotta say I've never been happy with WDS. It would just hang/drop connection every so often, it wouldn't recover when the WDS AP would reboot... etc. So I moved to wiring everything, and/or using Powerline ethernet modules for one location where I couldn't easily send a Cat5e.

I suspect 802.11s works better.

So, even if you get this working, be prepared to maybe not like it as much as theoretically you would if it worked flawlessly.

It probably won't help, but I would delete the wan6 network if you're not using IPv6.

Which radio band are you using? The 3200 may not be the best hardware choice due to limitations in the available wifi drivers.

GREtap would be another way to carry a layer 2 bridge over an ordinary AP-STA connection.

Help us out and describe your use case. Seeing the whole picture lets thought flow on how to satisfy the use case, rather than attacking the low-level details one by one.

The use case.
We have a bridging device, running Ubuntu 16 under the covers. It routes packets between an upstream (enterprise) interface and a downstream interface. It's a lot more than a simple bridge. There are lots of proprietary things going on. But, when you ignore the proprietary stuff, it is just a simple bridge. Br0 with ports eth0 and eth1. We've been told that we need to replace eth0 with wlan0. How hard can that be? Well, its not hard if you use 4addr on wlan0 and on the enterprise access point. If I build my own access point using Ubuntu and hostapd, it works. Well, that sounds like OpenWRT. So, that is what I want to get going. That is why I'm asking the questions here.

We know that we could do lots of other things to get the bridging to work in our box. And, I expect that there will be lots of squawking because 4addr isn't really supported all that well in enterprise access points.

But, we'd like to get OpenWRT working first. And, it should work. Something is still funny with hostapd. Or something is funny somewhere.

Ignore OpenWRT for now. If you use GREtap in a bridging device as I described, could you use a plain old 3addr access point connection?

I agree. I used to use 4addr wireless bridges on OpenWrt in the past (ath9k<>ath9k, even ath9k<>b43) and they tended to just work. No intermittend drops or stalling connections. But with mwlwifi or ath10k, the situation might be less stable today.

The setup you describe is also supposed to work, the 4addr mode is an intrinsic mac80211 feature. If it fails to come up on OpenWrt (despite a seemingly correctly generated hostapd.conf) then we need to indeed suspect a hostapd or wireless driver bug.

The first step would be building a custom hostapd/wpad package with a lower debug message cutoff, to see if something can be seen in the resulting debug messages.

Dumping wireless frames with a monitor interface nearby might also be helpful.

After updating to the latest daily build (or what ever its called) it just works.
I should have done this first.

1 Like

Wireless drivers for this device are still under development (see, and WDS support was added recently, so drivers on 17.01 do not support WDS. You can use an updated snapshot, or you can use 17.01 plus the updated drivers available at Pre-compiled updated mwlwifi drivers for stable releases.