WDS requires an unused SSID?

I have 2 routers (both EA4500) running OpenWrt. The first is used as the main AP (WDS) router. The second is used as a Client (WDS). Everything seems to work correctly, except when I delete or disable the default "OpenWrt" SSID.

The stock install comes with an "OpenWrt" SSID on each radio. I usually delete and recreate these on my routers. My Client router only needs to serve ethernet computers and does not need any wireless AP. In other words, I'm not looking to "extend" my wifi connection.

If I disable/delete this default SSID, my computer that connects via ethernet to the Client router is unable to access the internet or the main AP Luci config page, but it is still able to access the Client Luci config page. I am able to change the ESSID and other settings for this default SSID without breaking WDS, but for some reason deleting it triggers this problem.

Why does this happen? Is this documented anywhere?

To be clear, is the client device connected by Ethernet or via the OpenWrt SSID?

Also, can you clarify why you delete and recreate a SSID that already exists and why you delete/disable it after a completed setup?

Unless I misunderstand the issue, it sounds normal and expected that the client cannot reach upstream if you disabled the master WiFi device.

2 Likes

Sorry, I'll try to clarify.

There are two routers and a computer:

  1. A router named "MAIN". This router broadcasts a "Foobar" SSID in "AP (WDS)" mode. This router handles DNS and DHCP.
  2. A router named "CLIENT". This router connects to the MAIN router via the Foobar SSID. This router is also broadcasting the "OpenWrt" SSID that I am trying to remove. It also added a "Foobar" SSID in "Client (WDS)" mode after joining as part of the WDS config setup.
  3. A computer named "COMPUTER". This computer connects to the CLIENT router via Ethernet. This computer receives DNS and DHCP from the MAIN router as desired since WDS is being used. This is the computer I use to edit the config using Luci.

Also, to be clear, the CLIENT router has 2 SSIDs listed:

  1. "OpenWrt" SSID in "AP" mode. This is the built in default SSID that I want to delete. Nothing is connected to this and is completely unused.
  2. "Foobar" SSID in "Client (WDS)" mode. This was created when I connected to the MAIN router's "Foobar" SSID. I assume this is where all of the traffic is transmitted between CLIENT and MAIN.

To be clear, is the client device connected by Ethernet or via the OpenWrt SSID?

The only Ethernet cable in the setup is between COMPUTER and CLIENT. (Technically this setup also requires an Ethernet cable between the MAIN wan and a modem for internet access, but that should be irrelevant for this issue.) The connection between CLIENT and MAIN is done over the Foobar SSID.

The "OpenWrt" SSID has nothing connected to it. No computers, no other routers, nothing. I can even change the ESSID and password to something random to ensure I did not even accidentally connect something to it.

Also, can you clarify why you delete and recreate a SSID that already exists and why you delete/disable it after a completed setup?

I want to delete it, but I don't want to recreate it. I don't want any AP SSIDs being broadcast from CLIENT. I don't have any laptops/computers that need to connect to CLIENT via wifi. Having an unused SSID just increases the possible attack surface for no reason. I also want to prevent unnecessary pollution and simplify the config.

Unless I misunderstand the issue, it sounds normal and expected that the client cannot reach upstream if you disabled the master WiFi device.

The "Foobar" SSID in "Client (WDS)" mode is still there after deleting the "OpenWrt" SSID. From what I understand, the CLIENT router should be connecting to the MAIN router using the "Foobar" SSID, so as long as this one is still enabled, shouldn't everything still work?

Just use these SSID

  • Main: "Foobar" SSID in "AP (WDS)" mode.
  • Client : "Foobar" SSID in "Client (WDS)"

and the WDS will work.
Don't use any other SSID on both Main and client (I mean on the same phy).
That being said, if both routers have another wifi (phy) available, you can configure them separately.

I use such a config myself. WDS is on the 5 GHz band. The client device then broadcasts as master on the 2.4 GHz band.

2 Likes

That's similar to my situation. I use WDS on the 2.4 GHz band though.

My MAIN router also has a more complicated config. I have other SSIDs and changed settings on my MAIN, so I'll check if for some reason they're the culprit. I had assumed the issue this whole time was caused by the CLIENT config since a lot needs to be changed on the CLIENT to support WDS and the extra SSID also exists on CLIENT. The only change I made to MAIN to enable WDS was to change from "AP" to "AP (WDS)", but maybe the root cause of the issue is somehow on MAIN.

My CLIENT config is fairly straightforward.

For reference, here is my actual wireless config (with sensitive info redacted as XXXXXXXX):

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'mbus@f1000000/mbus@f1000000:pcie@82000000/pci0000:00/0000:00:01.0/0000:01:00.0'
	option channel 'auto'
	option band '2g'
	option htmode 'HT40'
	option cell_density '0'
	option country 'US'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'mbus@f1000000/mbus@f1000000:pcie@82000000/pci0000:00/0000:00:02.0/0000:02:00.0'
	option channel '36'
	option band '5g'
	option htmode 'HT20'
	option disabled '1'

config wifi-iface 'wifinet1'
	option device 'radio0'
	option mode 'sta'
	option network 'lan'
	option ssid 'XXXXXXXX'
	option encryption 'psk2'
	option key 'XXXXXXXX'
	option wds '1'

config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'

The problem happens when option disabled '1' is added to wifinet0:

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'mbus@f1000000/mbus@f1000000:pcie@82000000/pci0000:00/0000:00:01.0/0000:01:00.0'
	option channel 'auto'
	option band '2g'
	option htmode 'HT40'
	option cell_density '0'
	option country 'US'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'mbus@f1000000/mbus@f1000000:pcie@82000000/pci0000:00/0000:00:02.0/0000:02:00.0'
	option channel '36'
	option band '5g'
	option htmode 'HT20'
	option disabled '1'

config wifi-iface 'wifinet1'
	option device 'radio0'
	option mode 'sta'
	option network 'lan'
	option ssid 'XXXXXXXX'
	option encryption 'psk2'
	option key 'XXXXXXXX'
	option wds '1'

config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
	option disabled '1'

It should work as well. Bandwidth will be lower though. Depends on your needs.
Just use one SSID on 2.4 GHz for each device.

Delete the OpenWrt SSID on wifinet0. It's useless.
Add country to radio 1.

1 Like

Unfortunately that didn't work. The country code did not seem to affect anything and once I deleted the SSID, it stopped working.

I'm going to do a full factory reset on both routers to make sure there's nothing else that's causing this issue and then I can provide the full configs.

1 Like

  • Why is the OpenWrt SSID config missing the network option?
  • Can we see your network config?
  • Usually, "Wireless LAN to Ethernet bridging" doesn't work without additional software and configuration, so it's not clear why wifinet1 is configured for LAN

Did you use the WWAN setup wizard on the web GUI?

Lastly, since the OpenWrt SSID is disabled by default, why did you enable it?

1 Like

Why is the OpenWrt SSID config missing the network option?

I'm not sure what you mean. You might need to scroll down in the text box.

Can we see your network config?

I'm redoing everything from scratch to make this easier to reproduce and to show full details. I'll include the new wireless and network configs below.

Usually, "Wireless LAN to Ethernet bridging" doesn't work without additional software and configuration, so it's not clear why wifinet1 is configured for LAN

I'm not sure. I was roughly following this guide and I think this config option is due to where it says:

The wireless mode should be Client (WDS) and the Network in Interface Configuration has to be changed from wwan to lan.

Did you use the WWAN setup wizard on the web GUI?

If you mean the config page that pops up when you click [Scan], then yes.

Lastly, since the OpenWrt SSID is disabled by default, why did you enable it?

I could not connect to the internet after entering my config. After many hours of troubleshooting, I happened to get lucky. By chance I realized that enabling this fixed the issue but had no idea why. I did not have any real intuition that led me to enable it.

1 Like

I did a factory reset on both routers and documented exactly what steps I took. I think this should be reproducible. Please disregard the configs above as these are now outdated and replaced with those below.

Configure MAIN in Luci

System -> System
	Hostname = MAIN
	Click [Save]
Network -> Wireless
	Remove default SSID for radio0
	Remove default SSID for radio1
	Click [Add] on radio0
		Mode = "Access Point (WDS)"
		ESSID = "Foobar"
		Network = "lan"
		Encryption = WPA2-PSK
		Key = "password"
		Click [Save]
	Click [Save & Apply]

Reboot MAIN router

Configure CLIENT in Luci

Network -> Interfaces
	Click [Edit] on lan
		IPv4 address = 192.168.1.2
		Click [Save]
	Click [Save & Apply] and [Apply and keep settings]

Reconnect to Luci at 192.168.1.2

System -> System
	Hostname = CLIENT
	Click [Save]
Network -> Wireless
	For now, do NOT remove default SSID for radio0 (Note that it is in a disabled state)
	Remove default SSID for radio1
	Click [Scan] on radio0
		Click [Join] on Foobar
		WPA passphrase = "password"
		Create / Assign firewall-zone = "lan"
		Click [Submit]
		Mode = "Client (WDS)"
		Network = "lan"
		Click [Save]
	Click [Save & Apply]
Network -> Interfaces
	Click [Edit] on lan
		IPv4 gateway = 192.168.1.1
		Click [DHCP Server]
		Ignore interface = Check
		Click [Save]
	Click [Save & Apply]
Network -> DHCP and DNS
	Click [Forwards]
	DNS Forwards = 192.168.1.1
	Click [Save & Apply]
Network -> Interfaces
	Click [Devices]
	Click [Configure...] on br-lan
	Click [Advanced device options]
	Enable STP = Check
	Click [Save]
Click [Save & Apply]

Reboot CLIENT router

The Problem

At this point, we are still plugged in via Ethernet to CLIENT.
Currently the default "OpenWrt" SSID is disabled and there are 2 issues:

  1. The COMPUTER can not access the Luci pages for MAIN (192.168.1.1) or CLIENT (192.168.1.2) or access the internet. It seems to still be issued a dynamic IP.
    If I manually connect the COMPUTER using a static IP (e.g. 192.168.1.20), I can access the Luci page for CLIENT (192.168.1.2), but still can't access MAIN or the internet.
  2. Once connected with a static IP, the COMPUTER can not access the internet or the MAIN router Luci page.

We plug the Ethernet into each router to obtain their configs:

MAIN wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'mbus@f1000000/mbus@f1000000:pcie@82000000/pci0000:00/0000:00:01.0/0000:01:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'mbus@f1000000/mbus@f1000000:pcie@82000000/pci0000:00/0000:00:02.0/0000:02:00.0'
	option channel '36'
	option band '5g'
	option htmode 'HT20'
	option disabled '1'

config wifi-iface 'wifinet0'
	option device 'radio0'
	option mode 'ap'
	option ssid 'Foobar'
	option encryption 'psk2'
	option wds '1'
	option key 'password'
	option network 'lan'

MAIN network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '****:****:****::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'ethernet1'
	list ports 'ethernet2'
	list ports 'ethernet3'
	list ports 'ethernet4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'internet'
	option macaddr '**:**:**:**:**:**'

config interface 'wan'
	option device 'internet'
	option proto 'dhcp'

config interface 'wan6'
	option device 'internet'
	option proto 'dhcpv6'

CLIENT wireless

config wifi-device 'radio0'
	option type 'mac80211'
	option path 'mbus@f1000000/mbus@f1000000:pcie@82000000/pci0000:00/0000:00:01.0/0000:01:00.0'
	option channel '1'
	option band '2g'
	option htmode 'HT20'
	option cell_density '0'

config wifi-iface 'default_radio0'
	option device 'radio0'
	option network 'lan'
	option mode 'ap'
	option ssid 'OpenWrt'
	option encryption 'none'
	option disabled '1'

config wifi-device 'radio1'
	option type 'mac80211'
	option path 'mbus@f1000000/mbus@f1000000:pcie@82000000/pci0000:00/0000:00:02.0/0000:02:00.0'
	option channel '36'
	option band '5g'
	option htmode 'HT20'
	option disabled '1'

config wifi-iface 'wifinet1'
	option device 'radio0'
	option mode 'sta'
	option network 'lan'
	option ssid 'Foobar'
	option encryption 'psk2'
	option key 'password'
	option wds '1'

CLIENT network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix '****:****:****::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'ethernet1'
	list ports 'ethernet2'
	list ports 'ethernet3'
	list ports 'ethernet4'
	option stp '1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option gateway '192.168.1.1'

config device
	option name 'internet'
	option macaddr '**:**:**:**:**:**'

config interface 'wan'
	option device 'internet'
	option proto 'dhcp'

config interface 'wan6'
	option device 'internet'
	option proto 'dhcpv6'

config interface 'wwan'
	option proto 'dhcp'

Workaround for the problem

When we enable the unused SSID, the 2 issues mentioned above go away.

Network -> Wireless
	Enable "OpenWrt" SSID

If we disable or delete this extra unused SSID, the problem returns. (We might need to reboot or restart the radio to trigger the change.)
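
The workaround in the post above leaves an unencrypted "OpenWrt" AP on CLIENT attached to the lan network. As an added example (not part of the thread and not OpenWrt's own tooling), this shell/awk function lists the open AP interfaces in a wireless config and whether each one is actually active; the function name, output format and sample config are constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): list unencrypted AP interfaces in an
# OpenWrt wireless config and report whether each one is on the air.
audit_wireless() {   # reads UCI text from file arguments, or from stdin
    awk -v q="'" '
    function unq(s) { gsub("^[" q "\"]|[" q "\"]$", "", s); return s }
    {
        sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "")
        if ($1 == "config") {            # new section: type plus optional name
            type = $2; name = unq($3)
            if (type == "wifi-iface") id[++n] = name
            next
        }
        if ($1 != "option") next
        val = $0; sub(/^option[ \t]+[^ \t]+[ \t]*/, "", val); val = unq(val)
        if (type == "wifi-device" && $2 == "disabled") radio_off[name] = (val == "1")
        if (type == "wifi-iface") o[n, $2] = val
    }
    END {   # judged last: a radio section may follow the iface that uses it
        for (i = 1; i <= n; i++) {
            if (o[i, "mode"] != "ap") continue
            enc = o[i, "encryption"]
            if (enc != "" && enc != "none") continue   # assumption: unset = none
            off = (o[i, "disabled"] == "1" || radio_off[o[i, "device"]])
            net = (o[i, "network"] == "" ? "-" : o[i, "network"])
            printf "%s open-ap iface=%s ssid=%s network=%s\n",
                   (off ? "inactive" : "ACTIVE"), id[i], o[i, "ssid"], net
        }
    }' "$@"
}

# Constructed sample: CLIENT wireless sections with the workaround applied
# (default AP enabled), plus a hypothetical leftover AP on the disabled radio1.
sample_config() {
    cat <<'EOF'
config wifi-iface 'default_radio0'
    option device 'radio0'
    option network 'lan'
    option mode 'ap'
    option ssid 'OpenWrt'
    option encryption 'none'
config wifi-iface 'default_radio1'
    option device 'radio1'
    option mode 'ap'
    option ssid 'OpenWrt'
config wifi-device 'radio1'
    option disabled '1'
config wifi-iface 'wifinet1'
    option device 'radio0'
    option mode 'sta'
    option encryption 'psk2'
EOF
}
sample_config | audit_wireless
```

On a router or against a config backup, call it as `audit_wireless /etc/config/wireless`; any line starting with `ACTIVE` is an open network being broadcast.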

This is what I previously noted - that "Wireless Bridging" to LAN with a STA config won't work (except only on Broadcom chipsets, as I recall). You'll need to either:

  • set up relayd

or

  • Continue the setup as new network WAN and assign to WAN Firewall Zone - this is my suggestion

Thanks for your help, I really appreciate it!

This sounds like a better option than relayd. (I think I used relayd in the past but had issues because every device behind the router was treated as having the same MAC.)

Are you suggesting that I repeat exactly what I did before, except I should change the 2 steps marked below?
Change:

	Click [Scan] on radio0
		Click [Join] on Foobar
		WPA passphrase = "password"
	-->	Create / Assign firewall-zone = "lan"
		Click [Submit]
		Mode = "Client (WDS)"
	-->	Network = "lan"
		Click [Save]

to:

	Click [Scan] on radio0
		Click [Join] on Foobar
		WPA passphrase = "password"
	-->	Create / Assign firewall-zone = "wan"
		Click [Submit]
		Mode = "Client (WDS)"
	-->	Network = "wwan"
		Click [Save]

Select Client. By your own admission, you don't need WDS for this use case.

Your device on Ethernet LAN should then have upstream connectivity.

Lastly, ensure your MAIN LAN doesn't conflict with 192.168.1.0/24 on the client's LAN. They have to be unique - so use e.g. 192.168.2.1 if there's a conflict.

1 Like

STP will bring down an interface that loops back an STP packet. Do you have a wired link too?

1 Like

Sorry, I wasn't very clear. The MAIN and CLIENT routers must be connected via wifi. (There is a physical barrier preventing a cable, unfortunately.) What I meant is that I don't need the CLIENT router to broadcast its own AP SSID. The CLIENT will only serve computers connected via an Ethernet cable. The two routers will be separated by a short distance and so I'm not looking to make my wifi signal travel farther. I want all wireless devices to connect to MAIN exclusively. My wording was probably poor in hindsight.

It seems like I misunderstood what "Client (WDS)" mode is for. Is WDS only needed if wireless devices will connect to the CLIENT itself? I suppose having 2 subnets would work and just regular Client mode would probably simplify things too. Thanks again for your help and for pointing me in the right direction!

Here's a diagram to assist:

Modem (Internet) ═══ MAIN ─── CLIENT ═══ COMPUTER
                     │ │         ╚══════ COMPUTER2
                     │ │
                     │ └─── LAPTOP
                     └───── LAPTOP2

Key:
─── WiFi
═══ Ethernet cable

I don't think I have any loops. I think my setup is pretty simple with MAIN as the root of the tree. Please see the diagram above.

Are your Computer1 and Computer2 working at this time, or are you still having issues?

Thanks for the diagram - I did understand. I was assisting you with setting up a WWAN STA connection on the Client router to the Main's AP when you provided the diagram. You have been clear in your descriptions.

Feel free to provide the configs if you're still in need of assistance.

	Click [Scan] on radio0
		Click [Join] on Foobar
		WPA passphrase = "password"
	-->	Create / Assign firewall-zone = "wan"
		Click [Submit]
		Mode = "Client"
	-->	Network = "wwan"
		Click [Save]

As long as your Main and Client LAN subnets are not in conflict (i.e. only client LAN has the network 192.168.1.0/24) - then Computers 1 and 2 should work on LAN via Ethernet connection via their Wireless WAN connection to SSID Foobar.

1 Like

Yes, WDS stands for Wireless Distribution System and is a means of extending wireless coverage.

You need CLIENT to be configured as a wireless STA, or station, and not as a WDS Access point.

2 Likes

Yes, I think almost everything is working now! Thanks again! Your advice was very clear and straightforward and you really helped me build some intuition about what is going on.

I think the only issue is that this now puts the computers on a different subnet, so traffic is now blocked by the firewall. Currently, COMPUTER can ping LAPTOP, which is good. (I think this is because by default, the CLIENT firewall includes the "wan" zone in the "lan" zone's Forwardings list (lan => wan).)

The issue is that LAPTOP can not ping COMPUTER (or any other 192.168.2.0/24 device). I first thought this was due to the MAIN firewall settings for "lan", but now I'm thinking it's probably the CLIENT firewall blocking incoming traffic from the CLIENT wan.