Do I need encryption on dedicated WDS units?

Discussion in 'Tomato Firmware' started by LanceMoreland, Jun 27, 2010.

  1. LanceMoreland

    LanceMoreland Network Guru Member

    I have two routers running tomato setup as dedicated WDS units. Their sole purpose in life is to connect my upstairs routers (tomato access points) to the downstairs routers (also tomato access points and the main router) and the WDS units do not serve as wireless access points except to each other. I have mac filtering on so that they only talk to each other and ssid broadcast is off. I have the upstairs access points hardwired into the WDS router upstairs and likewise the downstairs access points are hardwired into the downstairs WDS router. I did this so that I do not lose any internet speed by having the access point carry the additional load of serving as an access point and WDS. With this setup download speed from upstairs is almost as fast as it is with a machine wired into the cable modem (downstairs) but with wireless security off I see a slight increase in download speed. I am wondering since the wireless mode is set to WDS only on these dedicated WDS units if I can turn off WPA encryption. They do not show up as access points and I don't think you can link to them wirelessly from a computer or can you? A crude diagram of the setup is attached.

    Attached Files:

  2. rhester72

    rhester72 Network Guru Member

    It would be trivially easy to execute a MITM attack on an unencrypted WDS network using MAC spoofing. Leave it on unless you _really_ need the slight bandwidth increase.

  3. HennieM

    HennieM Network Guru Member

    I beg to differ slightly from rhester; I don't think it would be trivial to hack you - I'd rather classify it as "not so easy, but certainly possible". As WDS works on MAC addresses, an attacker would have to spoof one of your WDS units' MAC address, AND then provide a signal stronger than your other WDS unit, in order for your first WDS unit to connect with the hacker's WDS unit, and he's on your network. Secondly, as your unencrypted data is being broadcast, a hacker with the right software can VERY easily eavesdrop without having to be connected to any part of your network.

    If you don't work for the FBI both instances above are unlikely to happen (just because of human nature, not because of technical difficulties).

    However, I do agree that you would sleep easier if you encrypt the WDS-WDS link. Also, remember that not broadcasting the SSID, and/or not showing an access point, would deter the casual hacker, but the real hacker would scan with software that's not dependent upon SSIDs being broadcast, and able to identify a WDS link.

  4. Dagger

    Dagger Networkin' Nut Member

    I know more than a couple Wireless ISPs (Wisps) out west that do exactly what you're talking about. They put a central radio on a cell tower somewhere in AP-WDS mode and install radios at customer locations in Station-WDS mode. They turn wireless security off and use MAC filtering to tell the AP which Stations to allow and to tell the Stations which AP to connect to.

  5. GreenThumb

    GreenThumb Addicted to LI Member

    Not broadcasting SSIDs won't even stop a casual cracker. Most Wifi cracking software has the ability to scan for "hidden" APs.

  6. HennieM

    HennieM Network Guru Member

    @Dagger: some ISPs certainly do that, although I think the setup is AP (tower)--wireless client, not WDS(tower)--WDS(client). This removes the possibility of a hacker connecting to the client, as the client has no connectable device (AP or WDS node).

    Four MAC WDS - the type of WDS you get with Tomato, etc., has no AP or client mode - all nodes are just equal WDS nodes. What is commonly termed WDS by many AP manufacturers, i.e. three MAC WDS, is actually not WDS, but a form of AP/Wireless client, or Wireless Ethernet Bridge (WET) mode.

    The ISP also relies on 2 crucial aspects though in case a hacker takes over a legit client's connection:
    1) The hacker would be connected to the internet - no more hacking opportunities than that from a legit client
    2) The legit client would kick up a ruckus - I can't connect! This is because only one wireless client with a certain MAC can connect to their AP and network at a time.

    As for point (2) above, I don't think ISPs set up MAC filtering on their APs (well, not any ISP that has any idea of what they are doing). They would set up RADIUS authentication that works on MAC address. This then centralizes the MAC address control, exactly the same way in which ADSL, dial-up, and other types of ISP authentication function.
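As an added example (not code from this thread or from Tomato), here is a small parser for the 802.11 data-frame header that tells the four-address ("four MAC") WDS frames HennieM describes from ordinary three-address frames, and an audit that flags WDS frames sent without the Protected bit or involving a MAC that is not one of the known WDS units. This is the check the original poster could run on a monitor-mode capture to confirm the WDS-to-WDS link really is encrypted; all MAC addresses and frames below are constructed.

```python
# Frame Control byte 1: bit0 ToDS, bit1 FromDS, bit6 Protected; byte 0 bits 2-3 = type (2 = data).
# A data frame with both ToDS and FromDS set carries a fourth address: that is a WDS frame.

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def _raw(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))

def parse_80211_header(frame: bytes) -> dict:
    """Return the DS/Protected flags and the 3 or 4 addresses of a data frame."""
    if len(frame) < 24:
        raise ValueError("frame shorter than a minimal 802.11 header")
    fc0, fc1 = frame[0], frame[1]
    is_data = ((fc0 >> 2) & 0x3) == 2
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    addrs = [_mac(frame[4 + 6 * i:10 + 6 * i]) for i in range(3)]   # Addr1..Addr3
    wds = is_data and to_ds and from_ds                              # Addr4 present only here
    if wds:
        if len(frame) < 30:
            raise ValueError("four-address frame truncated before Addr4")
        addrs.append(_mac(frame[24:30]))                             # after SeqCtl
    return {"wds": wds, "protected": bool(fc1 & 0x40), "addrs": addrs}

def build_data_frame(addrs, protected=False) -> bytes:
    """Construct a sample frame: 3 addresses -> FromDS frame, 4 addresses -> WDS frame."""
    fc1 = 0x03 if len(addrs) == 4 else 0x02
    if protected:
        fc1 |= 0x40
    hdr = bytes([0x08, fc1, 0, 0])                                   # FC (data) + Duration
    hdr += b"".join(_raw(a) for a in addrs[:3]) + b"\x00\x00"       # Addr1-3 + SeqCtl
    if len(addrs) == 4:
        hdr += _raw(addrs[3])
    return hdr + b"constructed payload"

def audit_wds_frames(frames, trusted_wds_macs) -> list:
    """Flag WDS frames in the clear or exchanged with a MAC that is not a known WDS unit."""
    findings = []
    for f in frames:
        h = parse_80211_header(f)
        if not h["wds"]:
            continue
        rx, tx = h["addrs"][0], h["addrs"][1]                        # receiver, transmitter
        if not h["protected"]:
            findings.append(f"unencrypted WDS frame {tx} -> {rx}")
        if tx not in trusted_wds_macs or rx not in trusted_wds_macs:
            findings.append(f"WDS frame with unknown unit {tx} -> {rx}")
    return findings

# Constructed sample: the two WDS units relaying AP -> laptop traffic, plus a plain AP frame.
WDS_UP, WDS_DOWN = "02:00:00:00:00:01", "02:00:00:00:00:02"
AP, LAPTOP = "02:00:00:00:00:20", "02:00:00:00:00:10"
SAMPLE = [build_data_frame([WDS_DOWN, WDS_UP, LAPTOP, AP], protected=True),
          build_data_frame([WDS_DOWN, WDS_UP, LAPTOP, AP]),
          build_data_frame([LAPTOP, AP, WDS_DOWN])]
```

Only the second sample frame is reported: a WDS frame between the two trusted units with the Protected bit clear.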

  7. Dagger

    Dagger Networkin' Nut Member

    It's AP-WDS to STA-WDS... the STA-WDS at the client side acts like a cable modem or DSL modem. The STA-WDS radio is connected to a home router's WAN port... the home router is what the customer uses for their local network. Sometimes the STA-WDS radio is set to Bridge mode... sometimes it is set to Router mode with the customers PPPoE login info to control service. They use WDS to preserve Layer 2 MAC addresses in Bridge mode... it just works better for some reason.