wireless key renewal

johnnyNobody999
DD-WRT User


Joined: 10 Jan 2014
Posts: 499

Posted: Tue Apr 06, 2021 21:07    Post subject: wireless key renewal
I've tried the values 0 (zero) and 99999 to try to stop key renewal but the key renews every 12 hours regardless. I want to turn it off because it disrupts all my users on my WDS network when it happens. It takes about 2 minutes for the wireless network to come back up every time this happens. How can this be fixed? Doesn't matter which firmware I use.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Wed Apr 07, 2021 0:44    Post subject: Re: wireless key renewal
Doesn't matter which "firmware" you use, or doesn't matter which "dd-wrt firmware" you use?

WDS is notorious for a number of known problems/issues, many of which prevented it from being adopted as a wifi standard. And the problematic nature of propagating key changes is one of them. In fact, it was so bad, many implementations (which are all proprietary btw) don't even support it. It may lead you to believe it's regenerating keys based on the fact it offers the option, but sometimes it isn't actually implemented for this very reason. That's why I'm a bit surprised if in fact key renewal is even happening, let alone NOT being able to disable it.

Of course, one way to avoid the problem is to NOT use WPA/WPA2, but either WEP or no security at all (I know, NOT what you're looking for). But NOT regenerating the key on a regular basis introduces its own risks (not nearly as bad as WEP or no security at all, but at least some).

I suppose it could be a bug in dd-wrt, or perhaps a wireless driver issue.

How sure are you key renewal is to blame? Seems to me it would default to 3600 (one hour) if there was either a bug or wireless driver issue, NOT 12 hrs. Or does it default to 3600, but any change to that setting results in 12 hrs?

_________________
ddwrt-ovpn-split-basic.sh (UPDATED!) * ddwrt-ovpn-split-advanced.sh (UPDATED!) * ddwrt-ovpn-client-killswitch.sh * ddwrt-ovpn-client-watchdog.sh * ddwrt-ovpn-remote-access.sh * ddwrt-ovpn-client-backup.sh * ddwrt-mount-usb-drives.sh * ddwrt-blacklist-domains.sh * ddwrt-wol-port-forward.sh * ddwrt-dns-monitor.sh (NEW!)
kernel-panic69
DD-WRT Guru


Joined: 08 May 2018
Posts: 14129
Location: Texas, USA

Posted: Wed Apr 07, 2021 1:14
On what router, on what build(s)?
_________________
"Life is but a fleeting moment, a vapor that vanishes quickly; All is vanity"
Contribute To DD-WRT
Pogo - A minimal level of ability is expected and needed...
DD-WRT Releases 2023 (PolitePol)
DD-WRT Releases 2023 (RSS Everything)

----------------------
Linux User #377467 counter.li.org / linuxcounter.net
johnnyNobody999
DD-WRT User


Joined: 10 Jan 2014
Posts: 499

Posted: Wed Apr 07, 2021 16:44
kernel-panic69 wrote:
On what router, on what build(s)?


Netgear R7800, dd-wrt 46239 firmware is what I'm currently using. I've had this issue over several builds.
johnnyNobody999
DD-WRT User


Joined: 10 Jan 2014
Posts: 499

Posted: Thu Apr 08, 2021 15:31
I guess the only option is to turn off the WPA connections between the WDS AP and the WDS Stations and then find a way to keep other clients from connecting to the WDS AP. I'll have to try that next time I can get people off the network. But last time I tried to use the wlan0-WDS MAC addresses I could still connect to the WDS AP with devices other than the WDS Stations.
eibgrad
DD-WRT Guru


Joined: 18 Sep 2010
Posts: 9157

Posted: Thu Apr 08, 2021 16:12
johnnyNobody999 wrote:
I guess the only option is to turn off the WPA connections between the WDS AP and the WDS Stations and then find a way to keep other clients from connecting to the WDS AP. I'll have to try that next time I can get people off the network. But last time I tried to use the wlan0-WDS MAC addresses I could still connect to the WDS AP with devices other than the WDS Stations.


Using FT (FreshTomato), you have the option to configure the wireless as WDS or WDS+AP, suggesting the former will NOT allow anything other than WDS clients. So it's clearly possible to prevent arbitrary wifi clients from accessing the wireless network. But dd-wrt seems to force you to define AP mode, then decide if you optionally want to include WDS. At least the way it's laid out in the GUI suggests that's your only option.

Just a guess, but maybe using Adhoc mode will prevent arbitrary wifi access yet still allow WDS. IOW, maybe Adhoc mode is enough to *activate* the wireless even though it actually won't be used for those purposes.

All that said, it still seems to me dd-wrt should NOT require AP mode just to have access to WDS. And the fact it requires you to configure WDS separately from the general wireless setup seems to suggest that's the thinking (and part of the problem). In FreshTomato, WDS is configured as part of the general wireless setup, so you can choose to only offer that option.

johnnyNobody999
DD-WRT User


Joined: 10 Jan 2014
Posts: 499

Posted: Fri Apr 09, 2021 2:05
I ended up turning off WPA for the WDS radios and creating a wireless MAC address filter on the WDS AP to allow only the WDS routers to connect to the WDS AP (aka ACL) and prevent all others (i.e. laptops, cell phones, etc.) from being able to connect to the WDS AP. I set up the wlan0-WDS for PtP instead of LAN. A strange effect occurred when I did all of this where none of the wired connections to these routers would pass traffic, but it turned out that setting up a VAP on each router allowed the wired ports to pass traffic. I wish I had an explanation for this. Anyway, I hope my backups will restore when needed so that I won't have to manually reconfigure (especially the WDS AP).