
WDS (Wireless Distribution System) and Encryption in Asus Firmware


jkau

Occasional Visitor
The Asus RT-AC5300 does not support encryption for WDS bridging. This is hard to explain, since the RT-AC5300 is Asus’s flagship and most expensive router. In contrast, cheaper Asus devices like RT-AC3200 and RT-AC68U support encryption, namely WPA2-Personal.

My configuration: An RT-AC5300 is gateway to the internet and is configured as router. An older RT-AC3200 is used as second access-point, placed in the attic. The two are bridged using WDS. That actually works fine, but the issue is the link can’t be encrypted! Asus, is that a joke?
Before I purchased the RT-AC5300 I had the RT-AC3200 in that place and an RT-AC68U was the access-point in the attic. The two were also bridged using WDS and it was possible to have the link encrypted, I used WPA2-Personal. That worked fine!

Here is the statement that appears for the RT-AC5300:
Note: The function only support [Open System/NONE, Open System/WEP] security authentication method.
And the statement that appears for the RT-AC3200 and RT-AC68U:
Note: The function does not support [ WPA2-Enterprise, WPA-Auto-Enterprise ] security authentication method.

Open System/WEP is not a valuable option. Had I been aware of this limit prior to purchasing the RT-AC5300 I would have thought twice, whether the RT-AC5300 was really worth it.

When testing WDS, I discovered another issue: WDS worked in the 5GHz-1 band, but not in the 5GHz-2 band. Another bug? I did not test the 2.4GHz band, since I do not use that for WDS.

I have reported these issues to Asus support, but have not yet received an explanation, or a statement whether they are going to fix that.

Does anybody know more or can possibly explain the reason behind it?
 
WDS requires the key to be static. WPA2, by design, rotates the key every "x" seconds. That's why WDS only works with WEP and Open, regardless of the model. My guess is, what you read about the AC3200/AC68U was a typo.

There are a few manufacturers that claim to offer WPA2 support for WDS, but what they most likely do is either rely on a proprietary implementation, or simply do not rotate the key, which effectively nullifies a large part of the security provided by WPA2.
 


Thank you for the explanation.

I see your point, but here the manufacturer is Asus. It has WPA2-Personal support for WDS in its RT-AC3200 and RT-AC68U models, probably more, but does not have it in its new and most expensive model, the RT-AC5300. I do not understand why that can’t be done likewise, just to maintain consistency in the firmware.

I had the WDS bridge well working between the RT-AC3200 and RT-AC68U, with WPA2-Personal. Now I am forced to leave the bridge unencrypted, a situation that I would like to avoid.

For the AP there is WDS only mode and Hybrid mode. I am using WDS only. If I chose Hybrid, would that mean I had to leave the access point fully open and unprotected? Unbelievable!
 

What RMerlin says is absolutely correct - it runs into some issues with key management...

Some vendors do extended networks another way - and there, security can be maintained - Apple has a nice platform that does this - but somehow I think this will fall on unfriendly ears...
 

Those models use different Broadcom SDKs, so they have different capabilities. I'm even surprised that it's supported at all on the RT-AC68U, which is why I wonder if it's not a mistake.

WDS is obsolete anyway (because of its limitations) - you should use Media Bridge mode instead.
 

I can’t use media bridge mode because of the unfortunate way Asuswrt implements it.

The reason I am using an RT-AC5300 and an RT-AC3200 is because they have two transmitters in the 5GHz band. Further, the separate antennas for receive and transmit enhance throughput.

In my configuration, the RT-AC3200 is configured as access point, but actually acts as repeater. One 5GHz transmitter is dedicated for linking to the RT-AC5300. The other 5GHz transmitter is used for retransmission. On the RT-AC5300 side, one 5GHz transmitter is dedicated for linking to the RT-AC3200. This way a bisection of throughput is avoided, which is usually the case with repeaters having only one transmitter. One of the reasons I replaced the RT-AC68U.

The way Asus implements the media bridge only allows use of the device as a bridge between wireless and wired. It does not allow using one transmitter for the bridge and the other for retransmission. That would be the solution for me, but it is not available. So, only WDS is left.
 
Finally, I would like to deliver the rest of the story and hope it might help somebody with similar issues: I abandoned WDS. As RMerlin wrote, it has many limitations.

For a while I had it in place. Since encryption is still not supported here for the RT-AC5300, I established the link to the RT-AC3200 with no encryption. It worked actually. But later I found out that the link throughput was much lower than what was to be expected for an 802.11ac link with 80MHz bandwidth. When I copied files the throughput was terrible, way less than what the bitrate suggested. This means that the WDS link was not using the optimal configuration, one the hardware should be able to achieve. I do not know why, details for WDS are mysterious.

In searching for a solution for the RT-AC3200 I started to experiment with DD-WRT and Tomato. With DD-WRT I had severe stability issues and abandoned it quickly. Tomato was more stable, but I was unable to establish a Wireless Ethernet Bridge. A thing that I was able to do easily on an old RT-N66U. I must say, Tomato is not what it once was anymore.

I finally ended up swapping the RT-AC3200 for an RT-AC68U, using the Repeater Mode the RT-AC68U supports. A thing Asus WRT on the RT-AC3200 does not. Although on the RT-AC68U with its slower processor and single 5GHz transmitter, repeating cuts the throughput into half, the resulting throughput ended up higher than what it was on the RT-AC3200 with WDS.

Still searching for a solution I am disappointed. In my experience, the software on these new and expensive devices does not keep up with their hardware capabilities. A thing to consider when buying new stuff.
 
