I have OpenWrt on my main router, and have a Broadcom router with a Tomato firmware that's acting as a wireless client to OpenWrt (on 5 GHz band) with an AP on 2.4 GHz band.
All working right, except that there seems to be some incompatibility with WiFi encryption between the two routers. PSK2 personal didn't work, no matter which cipher I tried. It seems that WEP is the only option that works. I understand that WEP is vulnerable, even with MAC address whitelisting, as that can be faked.
The picture below is from Tomato, showing the available options for security. Greyed-out ones are not available for wireless client. Do you think it's worth trying RADIUS? Or isn't it likely to work if PSK2 personal didn't?
What packages would be required to run RADIUS on an OpenWrt router (if that could be a solution)?
Yes, I know how to set up encryption in LuCI, and WPA2 is supported by Tomato as well (both AES and TKIP). What I'm saying is that when they are set like that, there is no WAN connection on Tomato.
That connection will be only for the connection between the two routers, so no other devices involved, but if RADIUS doesn't seem like a good idea, is there a way to try to diagnose why WPA2 gives no working connection? I understand that Tomato is an outside factor, but how to see what's happening from the OpenWrt side?
At least from what I understand, OpenWrt works properly using WPA2 / CCMP.
Can you connect clients to the OpenWrt AP with it configured with WPA2 / CCMP?
I still haven't seen anything to suggest that there is a problem with OpenWrt in this scenario. Would you post the config wifi-iface section of your OpenWrt config (you can block out the key and SSID, and use the pre-formatted button </> for clarity)?
Are there any error messages in the output of logread or the logs seen in LuCI?
Do you have a "wifi scanner" app for your phone, or a desktop that can confirm that OpenWrt is using WPA2 / CCMP? (On recent macOS, option-click of the wireless icon in the menubar will reveal more details.)
An example of this [problem with the UI/UX] is having the Security option set to "WPA2 Personal" prior to switching to wireless client mode. Only "WPA / WPA2 Personal" is available in wireless client mode, but the setting does not change automatically. As a result the client router will be unable to authenticate, even when WPA2 is the only allowed method on the upstream router.
No. The router connected to the Internet is the wifi client. The third party router is an AP. With "client isolation" turned off it will bridge all of its other clients (the users of the extended AP), and those on the other band, back to the main router (using relayd on the main router). This can work even with the most basic stock firmware.
But I agree with @jeff that Tomato ought to be able to work as a WPA client, if you go through the proper dance to set it up.
The thing is that in Tomato the WPA2 only isn't available for Wireless Client mode (neither is WPA only for that matter). How is WPA / WPA2 available, I don't understand. But that's confirmed by one of your links.
So I have to choose WPA / WPA2 mixed for Tomato. In OpenWrt, I tried both WPA2 (as one of the articles suggested) and WPA / WPA2 mixed. But that gives no WAN connection on Tomato. And on OpenWrt, the Tomato router appears as an associated station for a second or two, with RX of 0, then it just disappears, then shows up again for a second or two then disappears and so on.
It still sounds like your problem is exactly what was described in the linked and quoted post, Toglik's response, here in more detail:
Important: When configuring Tomato as a client, click every available drop-down box in the Wireless section, in order from first to last, even if you wish to keep the current setting! If this is not done, it is possible to select an invalid configuration which will prevent the connection from working - even if it seems like it shouldn't make a difference. An example of this is having the Security option set to "WPA2 Personal" prior to switching to wireless client mode. Only "WPA / WPA2 Personal" is available in wireless client mode, but the setting does not change automatically. As a result the client router will be unable to authenticate, even when WPA2 is the only allowed method on the upstream router.
I believe it depends on the fork. While some have been untouched for nearly a decade, others, such as http://freshtomato.org/ show active development (I have not examined the source to determine what that means).
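For the question raised in the thread of how to see what is happening from the OpenWrt side, the following is an added example and not part of any post above: it summarises hostapd events per station from `logread` output, flagging a station that keeps associating but never completes the WPA 4-way handshake, which is the pattern behind "appears for a second or two with RX of 0, then disappears". The function names, the MAC addresses and the sample lines are constructed, and the script assumes hostapd's usual "STA <mac> IEEE 802.11: ..." and "WPA: ..." message wording, which can differ between versions.

```shell
#!/bin/sh
# Added example: per-station summary of hostapd events from `logread` output.
# Assumption: hostapd logs "STA <mac> IEEE 802.11: ..." and "STA <mac> WPA: ...".

wpa_flap_report() {
    awk '
    /hostapd:/ && / STA / {
        # The MAC address is the field right after "STA".
        for (i = 1; i < NF; i++) if ($i == "STA") { mac = $(i + 1); break }
        seen[mac] = 1
        if ($0 ~ /IEEE 802\.11: associated/)         assoc[mac]++
        if ($0 ~ /pairwise key handshake completed/) hs[mac]++
        if ($0 ~ /deauthenticated|disassociated/)    drop[mac]++
    }
    END {
        for (m in seen) {
            # Associations with no completed 4-way handshake: the station
            # never got past WPA authentication.
            verdict = (assoc[m] > 0 && hs[m] == 0) ? "HANDSHAKE_NEVER_COMPLETES" : "OK"
            printf "%s assoc=%d handshake=%d drop=%d %s\n", m, assoc[m], hs[m], drop[m], verdict
        }
    }' | sort
}

# Constructed sample log lines (not taken from the thread).
sample_log() {
    cat <<'EOF'
Mon Jan  1 10:00:01 2024 daemon.info hostapd: wlan0: STA 02:00:00:00:00:01 IEEE 802.11: authenticated
Mon Jan  1 10:00:01 2024 daemon.info hostapd: wlan0: STA 02:00:00:00:00:01 IEEE 802.11: associated (aid 1)
Mon Jan  1 10:00:03 2024 daemon.info hostapd: wlan0: STA 02:00:00:00:00:01 IEEE 802.11: deauthenticated due to local deauth request
Mon Jan  1 10:00:06 2024 daemon.info hostapd: wlan0: STA 02:00:00:00:00:01 IEEE 802.11: authenticated
Mon Jan  1 10:00:06 2024 daemon.info hostapd: wlan0: STA 02:00:00:00:00:01 IEEE 802.11: associated (aid 1)
Mon Jan  1 10:00:08 2024 daemon.info hostapd: wlan0: STA 02:00:00:00:00:01 IEEE 802.11: deauthenticated due to local deauth request
Mon Jan  1 10:00:20 2024 daemon.info hostapd: wlan0: STA 02:00:00:00:00:02 IEEE 802.11: authenticated
Mon Jan  1 10:00:20 2024 daemon.info hostapd: wlan0: STA 02:00:00:00:00:02 IEEE 802.11: associated (aid 2)
Mon Jan  1 10:00:20 2024 daemon.info hostapd: wlan0: STA 02:00:00:00:00:02 WPA: pairwise key handshake completed (RSN)
EOF
}

# On the router, feed it the real log instead: logread | wpa_flap_report
sample_log | wpa_flap_report
```

A station reported as HANDSHAKE_NEVER_COMPLETES reached association but failed WPA key negotiation, which points at the key, WPA mode or cipher settings on one of the two sides rather than at the radio link.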