I have OpenWrt on my main router, and have a Broadcom router with a Tomato firmware that's acting as a wireless client to OpenWrt (on 5 GHz band) with an AP on 2.4 GHz band.
All working right, except that there seems to be some incompatibility with WiFi encryption between the two routers. PSK2 personal didn't work, no matter which cipher I tried. It seems that WEP is the only option that works. I understand that WEP is vulnerable, even with MAC address whitelisting, as that can be faked.
The picture below is from Tomato, showing the available options for security. Greyed-out ones are not available for wireless client. Do you think it's worth trying Radius? Or isn't it likely to work if PSK2 personal didn't?
What packages would be required to run Radius on OpenWrt router (if that could be a solution)?
WEP is beyond insecure. WPA2 with CCMP is required for current 802.11 schemes. On OpenWrt
option encryption 'psk2+ccmp'
(or variants such as with / and/or aes as an equivalent of ccmp) is generally considered the most secure of the "personal" options.
I suspect that the problem is with Tomato, based on what you've posted. If it doesn't support "WPA2 Personal", it isn't standards compliant.
RADIUS or Enterprise security can be run on "any" server, but not a simple thing to set up. Further, many IoT and older devices don't support anything other than PSK-based auth.
Yes, I know how to set up encryption in LuCI, and WPA2 is supported by Tomato as well (both AES and TKIP). What I'm saying is that when they are set like that, there is no WAN connection on Tomato.
That connection will be only for the connection between the two routers, so no other devices involved, but if RADIUS doesn't seem like a good idea, is there a way to try to diagnose why WPA2 gives no working connection? I understand that Tomato is an outside factor, but how to see what's happening from the OpenWrt side?
At least from what I understand OpenWrt works properly using WPA2 / CCMP
Can you connect clients to the OpenWrt AP with it configured with WPA2 / CCMP?
I still haven't seen anything to suggest that there is a problem with OpenWrt in this scenario. Would you post the config wifi-iface section of your OpenWrt config (you can block out the key and SSID, and use the pre-formatted button </> for clarity)?
Are there any error messages in the output of logread or the logs seen in LuCI?
Do you have a "wifi scanner" app for your phone, or a desktop that can confirm that OpenWrt is using WPA2 / CCMP? (On recent macOS, option-click of the wireless icon in the menubar will reveal more details.)
I'm not sure why a combined WPA1 / WPA2 mode would be "available" when the fixed WPA modes are locked out.
As a desperate measure, one thing that I have done to press a router with limited firmware to be a wireless relay is to make the relay router an AP and the main router (one of) its clients.
An example of this [problem with the UI/UX] is having the Security option set to "WPA2 Personal" prior to switching to wireless client mode. Only "WPA / WPA2 Personal" is available in wireless client mode, but the setting does not change automatically. As a result the client router will be unable to authenticate, even when WPA2 is the only allowed method on the upstream router.
Do you mean actually swapping them, so the third-party router is the one connected directly to the internet?
Yes.
Yes
I have no reason to believe that there is an issue on the OpenWrt side. I was just asking if there is any way to get the two routers to play together nicely.
If I just change to WEP, on both routers, it just works!
Anyway, I guess I will have to live with WEP until I change the client router. It's AC @ 5 GHz, so signal won't reach far and hopefully nobody around is expecting to find a WEP to crack!
The problem is almost certainly Tomato, the solution is almost certainly in the first link above. Please read what it says about the flaws in Tomato’s setup process and how to work around them.
No. The router connected to the Internet is the wifi client. The third party router is an AP. With "client isolation" turned off it will bridge all of its other clients (the users of the extended AP), and those on the other band, back to the main router (using relayd on the main router). This can work even with the most basic stock firmware.
But I agree with @jeff that Tomato ought to be able to work as a WPA client, if you go through the proper dance to set it up.
Anyway, I think I will just give up. I spent like over a day trying to get it to work. So will have to live with WEP till I get another OpenWrt router.
The thing is that in Tomato the WPA2 only isn't available for Wireless Client mode (neither is WPA only for that matter). How is WPA / WPA2 available, I don't understand. But that's confirmed by one of your links.
So I have to choose WPA / WPA2 mixed for Tomato. In OpenWrt, I tried both WPA2 (as one of the articles suggested) and WPA / WPA2 mixed. But that gives no WAN connection on Tomato. And on OpenWrt, the Tomato router appears as an associated station for a second or two, with RX of 0, then it just disappears, then shows up again for a second or two, then disappears and so on.
It still sounds like your problem is exactly what was described in the linked and quoted post, Toglik's response, here in more detail
Important: When configuring Tomato as a client, click every available drop-down box in the Wireless section, in order from first to last, even if you wish to keep the current setting! If this is not done, it is possible to select an invalid configuration which will prevent the connection from working - even if it seems like it shouldn't make a difference. An example of this is having the Security option set to "WPA2 Personal" prior to switching to wireless client mode. Only "WPA / WPA2 Personal" is available in wireless client mode, but the setting does not change automatically. As a result the client router will be unable to authenticate, even when WPA2 is the only allowed method on the upstream router.
I believe it depends on the fork. While some have been untouched for nearly a decade, others, such as http://freshtomato.org/ show active development (I have not examined the source to determine what that means).
Yes, I did that. If I had the radio set to AP mode with WPA2, then I change to Wireless Client mode, encryption doesn't change, so I change it. Though, it still doesn't work.
@trendy This one is based on Tomato by Shibby, so from 2017. But yes, chasing it further doesn't sound like making the best use of time!
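One way to see the "associates for a second or two, then disappears" symptom from the OpenWrt side, as asked earlier in the thread (an added example, not posted by any participant): the script below counts, per station, how often hostapd logged an association and how often the WPA pairwise handshake completed. A station that keeps associating but never completes the handshake points at key or cipher negotiation rather than the radio link. The function names, the sample log and its MAC addresses are constructed, and the hostapd message wording is assumed to match typical `logread` output.

```shell
#!/bin/sh
# Added example: per-station association vs. WPA handshake summary.
# Assumes typical hostapd syslog wording; adjust the patterns if yours differs.

handshake_report() {
    awk '
    /hostapd:/ && / STA / {
        # The MAC address is the field right after the literal "STA".
        mac = ""
        for (i = 1; i < NF; i++) if ($i == "STA") { mac = tolower($(i + 1)); break }
        if (mac == "") next
        if (!(mac in seen)) { seen[mac] = 1; order[++n] = mac }
        if ($0 ~ /IEEE 802\.11: associated/)         assoc[mac]++
        if ($0 ~ /pairwise key handshake completed/) hs[mac]++
    }
    END {
        for (k = 1; k <= n; k++) {
            m = order[k]; a = assoc[m] + 0; d = hs[m] + 0
            if (a > 0 && d == 0) v = "HANDSHAKE_NEVER_COMPLETES"
            else if (a > d)      v = "INTERMITTENT"
            else                 v = "OK"
            printf "%s assoc=%d handshake=%d %s\n", m, a, d, v
        }
    }'
}

# Constructed sample log (MAC addresses and timestamps are made up).
sample_log() {
    cat <<'EOF'
Mon Jan  1 12:00:00 2024 daemon.info hostapd: wlan0: STA 02:00:00:00:00:01 IEEE 802.11: associated (aid 1)
Mon Jan  1 12:00:02 2024 daemon.info hostapd: wlan0: STA 02:00:00:00:00:01 IEEE 802.11: deauthenticated due to local deauth request
Mon Jan  1 12:00:05 2024 daemon.info hostapd: wlan0: STA 02:00:00:00:00:01 IEEE 802.11: associated (aid 1)
Mon Jan  1 12:00:07 2024 daemon.info hostapd: wlan0: STA 02:00:00:00:00:01 IEEE 802.11: deauthenticated due to local deauth request
Mon Jan  1 12:00:10 2024 daemon.info hostapd: wlan0: STA 02:00:00:00:00:02 IEEE 802.11: associated (aid 2)
Mon Jan  1 12:00:10 2024 daemon.info hostapd: wlan0: STA 02:00:00:00:00:02 WPA: pairwise key handshake completed (RSN)
Mon Jan  1 12:00:12 2024 daemon.info hostapd: wlan0: STA 02:00:00:00:00:01 IEEE 802.11: associated (aid 1)
Mon Jan  1 12:00:14 2024 daemon.info hostapd: wlan0: STA 02:00:00:00:00:01 IEEE 802.11: deauthenticated due to local deauth request
EOF
}

# On the router: logread | handshake_report
sample_log | handshake_report
```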