Setting up WDS

michaelm michael.melkonian
Thu Apr 9 02:01:10 PDT 2015

Hi all

After stuffing around a lot more with 4-address mode, it all appears 
good. Here are some tips (not too obvious in the documentation):

1) On AP side, when writing hostapd configuration file, make sure to add:

When 4-address enabled WDS client connects, an interface appears with a 
name of wlan0.sta1 (I am assuming additional interfaces will appear as 
wlan0.sta2 and so on if more 4-address enabled clients connect).

The wds_bridge line in the hostapd configuration file will automatically 
add the wlan0.sta to your nominated bridge, e.g. br0. Alternatively, you 
can always do brctl addif and so on.

As one would hope, non 4-address clients continue to work as normal and 
co-exist with 4-address clients.

2) On STA side, as specified in documentation, the interface has to be 
brought up with 4addr on option, e.g.
iw phy phy0 interface add wlan_sta0 type station 4addr on

Bridge the 4-addr mode client interface (which is now connected to AP 
side) wlan_sta0 to AP, e.g.
brctl addif br0 wlan_sta0 wlan0

Make sure you disable DHCP on this device as DHCP is already enabled on 
AP side and remember STA is simply a layer 2 device now.

I have tried WPA-PSK and WPA2-PSK authentication between STA and AP, and 
downstream clients connecting to either STA or AP.

Presumably, this arrangement can be extended beyond the two devices

1) Simple WDS without security between WDS peers, use recommendations on
2) Not-so simple WDS, where WDS link is secured by the fact that it is 
really a modified STA-AP link (with all supported authentication options 
available), use recommendations on 
and a few tips in this email.

Best regards


On 09/04/15 04:56, Bob Copeland wrote:
> On Wed, Apr 08, 2015 at 05:18:55PM +1000, michaelm wrote:
>> Anyway, my main question is - with layer 2 arrangement described, is
>> there a way to implement some security?
> I cannot speak for WDS or 4addr mode, but you can use mesh for this if
> your driver/hw supports it (ath9k does).  You can run hostapd on the
> AP virtual interface, bridged with a mesh interface.  On the mesh interface,
> you can run wpa_supplicant with key_mgmt=SAE so that the mesh links will be
> encrypted.

This communication contains information which may be confidential or privileged. The information is intended solely for the use of the individual or entity named above.  If you are not the intended recipient, be aware that any disclosure, copying, distribution or use of the contents of this information is prohibited.  If you have received this communication in error, please notify me by telephone immediately.

More information about the Hostap mailing list