Can't get WDS to Ethernet bridge operating

I followed the docs here after flashing router to latest version -> https://openwrt.org/docs/guide-user/network/wifi/atheroswds

Connects to the base AP just fine. I believe my interfaces and wireless settings are right, but can't get any DHCP lease from the base AP, etc.

/etc/config/wireless:


config wifi-device 'radio0'
	option type 'mac80211'
	option channel '36'
	option hwmode '11a'
	option path 'pci0000:00/0000:00:00.0'
	option htmode 'VHT80'

config wifi-device 'radio1'
	option type 'mac80211'
	option hwmode '11g'
	option path 'platform/ahb/18100000.wmac'
	option htmode 'HT20'
	option channel '6'

config wifi-iface 'wifinet3'
	option ssid 'Access-2928'
	option device 'radio1'
	option key 'redacted'
	option network 'lan'
	option encryption 'psk2'
	option wds '1'
	option mode 'sta'

/etc/config/network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd4f:0338:fc82::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1.1'
	option proto 'static'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option ipaddr '192.168.2.1'

config interface 'wan'
	option ifname 'eth0.2'
	option proto 'dhcp'

config interface 'wan6'
	option ifname 'eth0.2'
	option proto 'dhcpv6'

config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

config switch_vlan
	option device 'switch0'
	option vlan '1'
	option ports '2 3 4 5 0t'

config switch_vlan
	option device 'switch0'
	option vlan '2'
	option ports '1 6t'

config interface 'wwan'
	option proto 'dhcp'

I think the problem is that.
is router one able to do access point wds? if yes you need set the ip address of your client router on the same range, like 192.168.1.1 router a, 192.168.1.2 router client

1 Like

@bricco1981's remark is correct, the IP should be in the address range of the AP.
However even if it was wrong, it would not affect the DHCP. Have you switched off DHCP server on this one?
Can you ping from this router the AP? (after you fix the IP address).

I cannot ping the AP from this router. I did fix the network address so it was in the same subnet. In my first example I was just assigning a static IP in another network so I could ssh into it from an ethernet device and see if I could ping the base IP

Some other observations, and I think it might be the base AP doesn't support WDS (or at least properly)

  1. With the stock firmware I can get WDS bridge working, but only with 2.4GHz and Open security or WPA, not WPA2. I only didn't notice because ISPs by default allowed both WPA and WPA2, and even then buggy router somehow flipped itself to Open security, where it was working great! Never got it to work on the 5GHz band, which is kind of why I decided to try other firmware.

  2. OpenWRT firmware works great if I just use the OpenWRT device as a router and WLAN interface is a regular client treated as WWAN. I wanted to avoid double-NAT scenario though.

  3. After my experiments with the stock firmware, even tried open security on the base AP as from what I've researched, WDS support/non support can be affected by supported ciphers,etc.

  4. When trying to do WDS bridge, in the GUI it always shows traffic outgoing from OpenWRT on the wireless interface and nothing coming back, which may be the fault of the base AP? Data rate shows nothing coming back as well as bytes in/out showing only traffic out. Looks fine when the wlan is assigned a client and functioning as WWAN. I'm going to try to bridge the OpenWRT (TP-Link Archer C7 v2) with another device and see if I fair better.

This is essential to assume that there is connectivity.
In accordance with

I suppose the client has not connected properly.

Keep in mind that in station (or client) mode the wireless interface can be routed only. To achieve bridging you need WDS preferably or mesh, l2 gre tunnel, relayd.

It was essentially the ISP router not supporting WDS, even though it would somewhat go with the stock TP-Link firmware for some strange reason.

Got a D-Link DIR-835 that my friend had retired (but already had OpenWRT on it), and it worked pretty much straight away using the D-Link as the Master WDS.

What I have now:
ISP router - 192.168.0.1, acting as gateway and DHCP server (stuck with it because it contains the cable modem)
DIR-835 - WDS Master - 192.168.0.253
Archer C7 v2 - WDS Client 192.168.0.254

OpenWRT devices are running the lastest flash.
The client is connected in 5Ghz/40Mhz to the Master (802.11n as the D-Link is pre-802.11ac).

After playing a bit with the antennae orientations, I'm getting 270-450 data rates reported, and over 200mbit actual throughput on some file copies. Now I don't need to buy wireless adapters for several wired devices. Posting all my results for archival purposes.

One thing I do experience now, is access the WDS Client device via HTTP or SSH seems very unreliable. I reset it to factory several times and the results seem repeatable. If I disconnect the Client OpenWRT device from the Master via the HTTP interface(keep in mind I'm doing this from a client connected to the Client device via ethernet - connectivity to the far side of the bridge seems rock soild), it starts working again for a while then seems to die, like a firewall rule is blocking it. I can always ping the WDS client's static IP of 192.168.0.254 from my test workstation, and internet traffic, DHCP, everything is working. Once the WDS (Client) reconnects to the Master, it might work for a minute, it might work for 15 minutes. I might try an older flash image on the client device to see if I've hit a bug or something with the latest version on the Archer C7 device. But this is minor if it works otherwise.

1 Like

Hi there! I'm experiencing issues with WDS as well, ref. DHCPREQUEST not forwarded with WDS on 2x Linksys EA4500 (Cisco). Could you post the config files for your Base AP and for your Client, please?

/etc/config/network on the Base station

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd9a:cab5:751f::/48'

config interface 'lan'
        option ifname 'eth0.1'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.253'
        option gateway '192.168.0.1'
        option dns '192.168.0.1'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '0t 1 2 3 4'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 5'

/etc/config/wireless on the Base ( just using 5ghz, 2.4 is left as default/disabled:

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option htmode 'HT20'
        option disabled '1'
        option path 'platform/ahb/18100000.wmac'

config wifi-iface 'wifinet0'
        option device 'radio0'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option path 'pci0000:00/0000:00:00.0'
        option txpower '17'
        option country 'US'
        option htmode 'HT40'

config wifi-iface 'wifinet1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option wds '1'
        option encryption 'psk2'
        option key 'secret'

/etc/config/network on the Client:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd3e:f2ed:e7ce::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth1.1'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ipaddr '192.168.0.254'
        option gateway '192.168.0.1'
        option dns '192.168.0.1'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0.2'
        option proto 'dhcpv6'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option ports '2 3 4 5 0t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6t'

/etc/config/wireless on the client:

config wifi-device 'radio0'
        option type 'mac80211'
        option channel '36'
        option hwmode '11a'
        option disabled '0'
        option country 'US'
        option legacy_rates '1'
        option htmode 'VHT40'
        option path 'pci0000:00/0000:00:00.0'

config wifi-device 'radio1'
        option type 'mac80211'
        option channel '11'
        option hwmode '11g'
        option htmode 'HT20'
        option disabled '1'
        option path 'platform/ahb/18100000.wmac'

config wifi-iface 'default_radio1'
        option device 'radio1'
        option network 'lan'
        option mode 'ap'
        option ssid 'OpenWrt'
        option encryption 'none'

config wifi-iface 'wifinet0'
        option ssid 'OpenWrt'
        option encryption 'psk2'
        option device 'radio0'
        option mode 'sta'
        option bssid 'B8:A3:86:4F:4F:82'
        option key 'secret'
        option wds '1'
        option network 'lan'

This is all working with the exception I can't ssh/http to the client on 192.168.0.254 once the bridge comes up. I can ping 192.168.0.254. The requests are actively refused, not timing out so it must be something strange with the firewall config I don't know how to fix.

1 Like

Thanks for the config files!

I noticed that I have two small settings that were missing. However, after I set them up and did a full reboot, it is still the same.. :frowning:

Are you actually getting DHCP reponses for clients connected to the Client AP?

Yes, I have clients connected to the Ethernet ports on the client device and get DHCP leases successfully.

Could you post your firewall settings, too, please?

perhaps I have something in mine that hinders the dhcprequest messages to get through...

Can you ssh from the machines on the client ap and to machines to the base ap, and vice versa?

I can ssh from the machine on the client ap to the base ap. From any machine to the client ap... well mostly it says connection was rejected, but then will work randomly at times, for no reason, and with no config changes. But the bridge for all other purposes works fine.

Base station firewall config:

config defaults
        option syn_flood        1
        option input            ACCEPT
        option output           ACCEPT
        option forward          REJECT
# Uncomment this line to disable ipv6 rules
#       option disable_ipv6     1

config zone
        option name             lan
        list   network          'lan'
        option input            ACCEPT
        option output           ACCEPT
        option forward          ACCEPT

config zone
        option name             wan
        list   network          'wan'
        list   network          'wan6'
        option input            REJECT
        option output           ACCEPT
        option forward          REJECT
        option masq             1
        option mtu_fix          1

config forwarding
        option src              lan
        option dest             wan

# We need to accept udp packets on port 68,
# see https://dev.openwrt.org/ticket/4108
config rule
        option name             Allow-DHCP-Renew
        option src              wan
        option proto            udp
        option dest_port        68
        option target           ACCEPT
        option family           ipv4

# Allow IPv4 ping
config rule
        option name             Allow-Ping
        option src              wan
        option proto            icmp
        option icmp_type        echo-request
        option family           ipv4
        option target           ACCEPT

# Allow DHCPv6 replies
# see https://dev.openwrt.org/ticket/10381
config rule
        option name             Allow-DHCPv6
        option src              wan
        option proto            udp
        option src_ip           fe80::/10
        option src_port         547
        option dest_ip          fe80::/10
        option dest_port        546
        option family           ipv6
        option target           ACCEPT

# Allow essential incoming IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Input
        option src              wan
        option proto    icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        list icmp_type          router-solicitation
        list icmp_type          neighbour-solicitation
        list icmp_type          router-advertisement
        list icmp_type          neighbour-advertisement
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# Allow essential forwarded IPv6 ICMP traffic
config rule
        option name             Allow-ICMPv6-Forward
        option src              wan
        option dest             *
        option proto            icmp
        list icmp_type          echo-request
        list icmp_type          echo-reply
        list icmp_type          destination-unreachable
        list icmp_type          packet-too-big
        list icmp_type          time-exceeded
        list icmp_type          bad-header
        list icmp_type          unknown-header-type
        option limit            1000/sec
        option family           ipv6
        option target           ACCEPT

# include a file with users custom iptables rules
config include
        option path /etc/firewall.user


### EXAMPLE CONFIG SECTIONS
# do not allow a specific ip to access wan
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option dest             wan
#       option proto    tcp
#       option target   REJECT

# block a specific mac on wan
#config rule
#       option dest             wan
#       option src_mac  00:11:22:33:44:66
#       option target   REJECT

# block incoming ICMP traffic on a zone
#config rule
#       option src              lan
#       option proto    ICMP
#       option target   DROP

# port redirect port coming in on wan to lan
#config redirect
#       option src                      wan
#       option src_dport        80
#       option dest                     lan
#       option dest_ip          192.168.16.235
#       option dest_port        80
#       option proto            tcp

# port redirect of remapped ssh port (22001) on wan
#config redirect
#       option src              wan
#       option src_dport        22001
#       option dest             lan
#       option dest_port        22
#       option proto            tcp

# allow IPsec/ESP and ISAKMP passthrough
#config rule
#       option src              wan
#       option dest             lan
#       option protocol         esp
#       option target           ACCEPT

#config rule
#       option src              wan
#       option dest             lan
#       option src_port         500
#       option dest_port        500
#       option proto            udp
#       option target           ACCEPT

### FULL CONFIG SECTIONS
#config rule
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port 80
#       option dest             wan
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp
#       option target   REJECT

#config redirect
#       option src              lan
#       option src_ip   192.168.45.2
#       option src_mac  00:11:22:33:44:55
#       option src_port         1024
#       option src_dport        80
#       option dest_ip  194.25.2.129
#       option dest_port        120
#       option proto    tcp

Client firewall config.

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option network 'lan wds'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'


It is a bit curious there is quite a few differences in the firewall config. I didn't really change anything from defaults, the only thing I can say, as opposed to yourself I have two different devices, but both running the latest 19.07.2 firmware build.

OK, thanks. I'll have a go at it later today.

Tried it, still doesn't work here for me, even if my configuration is identical to yours. :frowning:

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.