    I have one Tomato router serving as an AP, two Tomato routers as WDSs, and an Airport Express running AirTunes so I can listen to music on my stereo. All had been using WEP/128bit, but I decided to upgrade to WPA. I foolishly thought this would take me 30 minutes. I didn't realize that there was only one "right" configuration and that numerous choices that ought to work don't.

    Here are my notes. I hope these save the next person from some of the hassles I went through.

    WDS routers:
    Wireless Mode: WDS
    SSID, Channel, Shared Key: Same as Router
    Security: WPA Personal
    Encryption: AES
    WDS: "Link with", and give the wireless MAC of the access point
    I could not get the WDS to communicate with the access point if I set security to WPA2 or WPA/WPA2. Nor could I get it to work setting encryption to TKIP or TKIP/AES. With WEP, I could use "lazy mode" for WDS, but this does not seem to work with WPA.

    Airport Express:
    There is no explicit way to set the encryption mode. Instead, if you use WPA the encryption mode is TKIP, and if you use WPA, the encryption mode is AES. This fact is poorly documented. You must use WPA2/AES.

    Access Point:
    Wireless Mode: AP + WDS
    SSID, Channel, Shared Key: As you wish
    Security: WPA/WPA2 Personal
    Encryption: AES
    WDS: "Link with", and give the wireless MAC addresses of the WDS routers.

    For reasons that are not completely clear to me, the AP must be in AES mode. Putting it into TKIP/AES mode would cause it to be unable to communicate with the WDS units. Fortunately, WPA/WPA2 mode does work, so it was still possible to be compatible with both the Airport Express and the WDS units.
