WDS with WPA/WPA2 doesn't work

Discussion in 'Tomato Firmware' started by dll2002dll, Sep 9, 2008.

  1. dll2002dll

    dll2002dll Network Guru Member

    Hi guys,

    I have two routers, a WRT54G v1.1 (main router) and a WRT54GL v1.1 (as repeater/bridge). They are both running Tomato Version 1.21, and I have configured both of them to be AP+WDS. With that setup, I was unable to get WPA, WPA2, or WPA/WPA2 b/w WDS to work; with no encryption or WEP (128), WDS works fine between them. Does anybody know what's going on?
  2. i1135t

    i1135t Network Guru Member

    I believe WPA and WPA2 are not supported when using WDS mode. Someone can correct me if I'm wrong...
  3. Mastec

    Mastec Network Guru Member

    I have WPA working on all three of my routers in WDS
  4. HennieM

    HennieM Network Guru Member

    WPA-PSK (with AES encryption, can't remember about TKIP) works fine in WDS or WDS+AP mode, but WPA2-PSK does not (to the best of my recollection).
    This has been discussed before - search the forums.
  5. TexasFlood

    TexasFlood Network Guru Member

    WPA/TKIP worked for me but with periodic disconnects. WPA/AES has been very stable for me though.
  6. Mastec

    Mastec Network Guru Member

    I should have mentioned that's what I always use myself, WPA/AES. Very stable connection between the three routers.
  7. bigclaw

    bigclaw Network Guru Member

    WPA/WPA2 AES worked for me back when I had both the WRTSL54GS and the WRT54GL.
  8. dll2002dll

    dll2002dll Network Guru Member

    Can someone please share the configs for WPA with AES?

    I can't make it work unfortunately when I tried :(
  9. Mastec

    Mastec Network Guru Member

    Here are two screenshots, one from the main router in green. The other, a client I have in my boys room.

    Hope it helps

  10. njeske

    njeske Network Guru Member

    I can also vouch for WPA/WPA2-AES working on both of my routers in WDS mode.
  11. TexasFlood

    TexasFlood Network Guru Member

    I just switched mine over to WPA/WPA2-AES with WDS to test it again. It's been a while since I last tested it. It seems to be working so far. Last time I was probably still running WPA/TKIP. And... I had a dd-wrt router in the mix that I currently don't have so I might have been seeing a Tomato/DD-WRT encryption interoperability issue as well. I'm sure the DD-WRT and Tomato router worked with WDS under WPA/PSK/AES but maybe not other modes.
  12. TexasFlood

    TexasFlood Network Guru Member

    FYI, just a bit ago, after about 43 hours running with WPA/WPA2-PSK/AES, my primary router suddenly stopped routing traffic to the internet. It had been up for 12 days & counting before that. I went back to my comfort zone of WPA-PSK/AES and all is fine again. I can't say for sure that WPS/WPA2 caused the issue but it's the only thing I can't & it was stable before.
  13. sjk

    sjk Network Guru Member

    I've never been able to get any variant of WPA working with WDS between a WRT54GSv1 (with any version of DD-WRT firmware) and AirPort Express. I'm curious if that would work with Tomato, but not enough to try it without doing more research first.

    I've also tried adding a second SSID and disabling security for it (an acceptable workaround for the intended traffic), but couldn't make that work with WDS either (testing bridged/unbridged configurations).

    I'm stumped and no one's responded to my posts on the DD-WRT forum. I'd sure appreciate if anyone here has suggestions -- thanks!
  14. TexasFlood

    TexasFlood Network Guru Member

    I've gotten WDS working between DD-WRT and Tomato with WPA TKIP/AES. I admit that I have experienced problems getting it to 'sync up' initially, but it's stable once established.

    At first I would just manually reboot the routers until the WDS was established and it would be stable afterwards. This was a major PITA of course. So I enabled the WDS watchdog on the DD-WRT router and did a script to do the same on the Tomato router. I'm not doing it now but from my notes, below is the script I was using.

    As written it creates script /tmp/keepalive which tries 3 pings and reboots if they all fail and is scheduled to run every 5 minutes.

    You will need to edit the IP address from to whatever the IP of the router on the other end of the WDS link is and change the number of ping attempts if you'd like. Oh, and of course, you might want to adjust the interval on the cru command from the default of every 5 minutes.

    Tomato router Keepalive script for Init tab
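    cat <<END > /tmp/keepalive
    #!/bin/sh
    # WDS_PEER_IP is a placeholder: replace it with the IP of the router on the other end of the WDS link
    ping_attempt=0
    while ( ( ping -c 1 WDS_PEER_IP | grep -q '100% packet loss' ) && \
     [ \$ping_attempt -lt '3' ] )
    do
     ping_attempt=\`expr \$ping_attempt + 1\`
     sleep 1
     if [ \$ping_attempt = 3 ] ; then
      reboot
     fi
    done
    END
    chmod 755 /tmp/keepalive
    cru a KeepAliveScript "*/5 * * * * /tmp/keepalive >/dev/null 2>&1"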
  15. sjk

    sjk Network Guru Member

    Thanks for the response. It's the AirPort Express that dislikes the WDS+WPA combination with DD-WRT so I'm trying to determine if it's worth testing with Tomato since I can't afford to buy another WDS+WPA-compatible router right now. Then again, Tomato has all the features I care about in DD-WRT and is much simpler so maybe I'd want to switch even if the AE WDS+WPA connection still doesn't work. Still hoping to find confirmation that this configuration will definitely work, or not, with any version of firmware for the WRT54GS.
  16. TexasFlood

    TexasFlood Network Guru Member

    OK, sorry, misread your original post. Tomato's WDS, and Tomato in general actually, does seem a bit more stable to me than DD-WRT, so maybe it's worth trying. As for getting DD-WRT to work, you might find some hints in the DD-WRT WIKI WDS page.
  17. gotamd

    gotamd Network Guru Member

    I had a 3-router chain going for about 1.5 years using WPA AES (not WPA2) and it was very stable. The only time my network went down was when I upgraded the firmware. TKIP never worked well for me and neither did WPA2.
  18. sjk

    sjk Network Guru Member

    Already been there. The Airport Express section even has a note claiming:

    [EDIT: WPA2 seems to work just fine with the above configuration, as of March 16 2008.]

    … but unfortunately it hasn't for me.

    WDS without encryption has always worked fine. I'd rather not use WEP so I haven't bothered trying it.

    Just realized this morning my old Toshiba notebook PC 802.11b card/driver doesn't support AES, only TKIP. That may become a factor, e.g.:

  19. TexasFlood

    TexasFlood Network Guru Member

    TKIP did work for me but I experienced periodic disconnects that I'm very happy to be without with AES.
  20. sjk

    sjk Network Guru Member

    Quick followup:

    I've been running Tomato v1.21 on my WRT54GSv1.0 for a couple weeks, but was unable to get any combination of WDS+WPA/WPA2 interoperating with my AirPort Express. Otherwise I'm satisfied with Tomato and have no reason to revert to DD-WRT or test other firmware that's at least as unlikely to resolve the WDS+WPA/WPA issue.
  21. astehn

    astehn LI Guru Member

    This forum is AMAZING! I just finished setting up WDS on two WRT54GL routers. Everything seems to be working great with WPA in AES mode (all my reading around these boards convinced me that this was the most stable option). I do, however, have a question about the KeepAlive script mentioned earlier:

    I entered the script Texas Flood posted into my Init tab on my WRT54GL running as a WDS repeater using Tomato. The only thing I changed was the IP address of my WDS host ( Since I'm completely new to this (alternative firmwares & linux), I have what may be a dumb question: How do I know the script is running and working properly? I assumed I should be looking at the log, and here's the portion that seemed relevant:

    Jan 1 01:00:07 user.info init[1]: Tomato 1.21.1515
    Jan 1 01:00:08 cron.notice crond[127]: crond 2.3.2 dillon, started, log level 8
    Jan 1 01:00:08 user.info init[1]: Linksys WRT54G/GS/GL
    Oct 9 18:15:51 cron.warn crond[127]: time disparity of 20392815 minutes detected
    Oct 9 18:20:01 cron.notice crond[127]: USER root pid 217 cmd /tmp/keepalive.sh >/dev/null 2>&1 #KeepAliveScript#

    Does this look right? Is it safe to assume that if I see this and there is no sign that the router has rebooted, then everything is working correctly?

    Thanks a lot for your help. Like I said, this board is an incredible resource!
  22. HennieM

    HennieM Network Guru Member

    Well, the script seems to be in /tmp/keepalive, and your log shows that cron tried to run /tmp/keepalive.sh. What you can deduce is that cron did its job, but not necessarily that your script ran.

    Perhaps add this line just before the END in the script
    /bin/echo "I ran" > /tmp/myscript
    Now, when you see the relevant line in the log file, do a
    ls -al /tmp
    and check if you see a file called "myscript" dated near the same time as the log entry. Then you know your script ran.
  23. astehn

    astehn LI Guru Member

    Thanks a lot. I did exactly what you recommended and confirmed the existence of the "myscript" file with a timestamp corresponding to the last log entry. I really appreciate your help.
  24. fyellin

    fyellin LI Guru Member

    Alternatively, you can use the command logger to write text to the log file.

    logger "The keep alive script finished"
    will give you the information you need.
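
The keepalive check and the two "did it actually run?" suggestions above can be combined so the script reports its own outcome to the system log on every cron run. This is an added example, not code posted by anyone in the thread; the names PEER_IP, PING, REBOOT and LOG are hypothetical, and 192.0.2.1 is a documentation address standing in for the router on the other end of the WDS link.

```shell
#!/bin/sh
# Added example (not from the thread): WDS keepalive that logs every outcome,
# so the system log shows that the script body ran, not just that cron fired.
# All four settings below are hypothetical names and can be overridden.
PEER_IP="${PEER_IP:-192.0.2.1}"     # placeholder: IP of the other WDS router
PING="${PING:-ping -c 1}"           # one echo request per attempt
REBOOT="${REBOOT:-reboot}"          # action when every attempt fails
LOG="${LOG:-logger -t keepalive}"   # writes a tagged line to the system log

# keepalive [attempts]
# Returns 0 as soon as one ping succeeds. After <attempts> consecutive
# failures it logs the reason, runs the reboot action and returns 1.
keepalive() {
    attempts="${1:-3}"
    fails=0
    while [ "$fails" -lt "$attempts" ]; do
        # Use ping's exit status instead of parsing its output text.
        if $PING "$PEER_IP" >/dev/null 2>&1; then
            $LOG "WDS peer $PEER_IP reachable after $fails failed ping(s)"
            return 0
        fi
        fails=$((fails + 1))
        sleep 1
    done
    $LOG "WDS peer $PEER_IP unreachable after $fails pings, rebooting"
    $REBOOT
    return 1
}

# Only act when called as "<script> run", e.g. from the cru/cron entry,
# so sourcing the file to inspect or test the function has no side effects.
if [ "${1:-}" = "run" ]; then
    keepalive 3
fi
```

A "keepalive:" line in the log at each cron interval confirms the script body executed; a cron entry with no matching line points to a wrong path in the cru command, as in the /tmp/keepalive versus /tmp/keepalive.sh mismatch noted above.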