Traffic leaking between RADIUS dynamic VLANs: IPv6 RAs

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Re:Traffic leaking between RADIUS dynamic VLANs: IPv6 RAs
2024-03-20 18:29:33

Like @Yttra, replying since I was tagged (I only check these forums occasionally). My two Omada sites are using EAP670s and EAP650-Outdoor units, Omada switches, and SuperMicro systems running OPNsense BE for routing/firewall/network services. Both use PPSKs for dynamic VLAN assignment. I use the mDNS Repeater plugin for multicast proxy between VLANs, along with appropriate firewall rules. I do not use switch L3 features at either site right now. All internal addressing is IPv4.

 

I don't have the time budget right now to dig into this, so I can't provide direct useful testing. That said, this response by @Clive_A was a little confusing:

Clive_A wrote

mDNS and DHCP are expected. The firmware has fixed the reported issue and the other aspects you proposed do not compose an issue.

mDNS packets will influence the Apple Bonjour Service, as a result, someone using Airprint ® or screen sharing would not be able to use them after we stop the mDNS transition in different VLANs.

That definitely does not sound like expected behavior, including in Omada. I expect everything between VLANs, including all Bonjour services, to be fully isolated by default as if they were on a physically different LAN unless I explicitly bridge them. That's the entire point; it's a "virtual LAN". I may want a given printer, speaker or whatever on one VLAN only available to select others (or indeed select clients on others), or not at all. The point of mDNS Repeaters is to bridge multicast across L3, and firewall rules. And indeed Omada itself includes this capability; that's the point of Services > mDNS, right? Under no circumstances should WAPs decide to just go around that. If Omada WAPs were deciding on their own to just share multicast traffic between VLANs even without any explicit mDNS rule, I'd consider that a pretty significant security bug and violation of expectations.

 

I'd certainly want to verify that's exactly what's happening with a clean minimal setup, fresh controller, etc. But yeah, mDNS absolutely should not cross subnets all by itself.

#12
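One way to check the claim above against a capture from a clean minimal setup, as an added example that is not from this thread: group decoded frames by the 802.1Q tag they arrived on and flag mDNS or IPv6 RA traffic whose source subnet (or, for an RA, its advertised prefix) belongs to a different VLAN. The VLAN IDs, prefixes and frame records below are constructed; decoding a real capture (e.g. tcpdump on a tagged interface) into records of this shape is assumed.

```python
import ipaddress

# Constructed per-VLAN prefixes (assumption; replace with the site's own plan).
VLAN_PREFIXES = {
    10: [ipaddress.ip_network("10.0.10.0/24"), ipaddress.ip_network("fd00:10::/64")],
    20: [ipaddress.ip_network("10.0.20.0/24"), ipaddress.ip_network("fd00:20::/64")],
}

MDNS_GROUPS = {ipaddress.ip_address("224.0.0.251"), ipaddress.ip_address("ff02::fb")}
ALL_NODES_V6 = ipaddress.ip_address("ff02::1")  # IPv6 RAs are sent here


def classify(frame):
    """Return 'mdns', 'ipv6-ra' or None for one decoded frame record."""
    dst = ipaddress.ip_address(frame["dst"])
    if frame.get("proto") == "udp" and frame.get("dport") == 5353 and dst in MDNS_GROUPS:
        return "mdns"
    if frame.get("proto") == "icmpv6" and frame.get("icmp_type") == 134 and dst == ALL_NODES_V6:
        return "ipv6-ra"  # ICMPv6 type 134 = Router Advertisement
    return None


def origin_vlan(addr_or_prefix):
    """Map a host address or advertised prefix to the VLAN whose prefix contains it."""
    net = ipaddress.ip_network(addr_or_prefix, strict=False)
    for vlan, prefixes in VLAN_PREFIXES.items():
        if any(net.version == p.version and net.subnet_of(p) for p in prefixes):
            return vlan
    return None  # link-local or unknown: cannot attribute by prefix


def find_leaks(frames):
    """Flag multicast control traffic seen on a VLAN other than the one it belongs to."""
    leaks = []
    for f in frames:
        kind = classify(f)
        if kind is None:
            continue
        # An RA's source is link-local, so attribute it by the prefix it advertises instead.
        evidence = f["ra_prefix"] if kind == "ipv6-ra" else f["src"]
        src_vlan = origin_vlan(evidence)
        if src_vlan is not None and src_vlan != f["vlan"]:
            leaks.append((kind, evidence, src_vlan, f["vlan"]))
    return leaks


# Constructed records, as if captured on an access port in VLAN 10.
SAMPLE_FRAMES = [
    {"vlan": 10, "src": "10.0.10.5", "dst": "224.0.0.251", "proto": "udp", "dport": 5353},
    {"vlan": 10, "src": "10.0.20.7", "dst": "224.0.0.251", "proto": "udp", "dport": 5353},
    {"vlan": 10, "src": "fe80::1", "dst": "ff02::1", "proto": "icmpv6", "icmp_type": 134,
     "ra_prefix": "fd00:20::/64"},
    {"vlan": 10, "src": "10.0.10.9", "dst": "10.0.10.1", "proto": "udp", "dport": 53},
]
```

Running `find_leaks(SAMPLE_FRAMES)` reports the VLAN 20 mDNS query and the VLAN 20 RA that showed up on VLAN 10; an empty result on a clean capture is what the isolation expectation above requires.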
Re:Traffic leaking between RADIUS dynamic VLANs: IPv6 RAs
2024-03-21 01:14:01

Hi @sonaric 

Thanks for posting in our business forum.

sonaric wrote


Correct about the highlighted part.

 

I am waiting to see any test results from him or you if you can provide them. Without configuring the mDNS on the router/AP, it leaks. I hope to see further details on this if there are any.

 

mDNS is supposed to be broadcast if configured between the designated VLANs.

This is the basis of the comment which I did not bring up. I did not consider the PMK and GTK as I haven't handled cases in Controller and AP in recent days. 

 

I did not read his comment meticulously. But the dev read that and informed me that these are expected in his scenario which might be under the context of PMK and GTK situation.

 

I will get @Hank21 to follow up on this next week if there are any test results with a diagram.

Best Regards!
#13