Traffic leaking between RADIUS dynamic VLANs: IPv6 RAs
Since mid 2021, TP-Link has supported Dynamic VLAN Assignment in their EAP series. I found no way to enable it in standalone mode. However, in controller mode this feature works as described in the Knowledge Base and a FAQ. Via Tunnel-Private-Group-ID in my FreeRADIUS, I am able to control the VLAN. Excellent. However, multicast messages like IPv6 Router Advertisements (RAs) from all VLANs reach each Wi-Fi client. These RAs are sent periodically by the IPv6 router, for example every 10 minutes; some routers send one every 30 minutes. This happens because TP-Link sends those messages via the group key (GTK1), and all Wi-Fi clients still share the same GTK1. What happens with those additional IPv6 prefixes depends on the operating system of the Wi-Fi client: some replace the existing prefix, some add to it. The consequences of that depend on the app used: some apps just get slower, some lose IPv6 connectivity, some apps lose their whole Internet connectivity. I confirmed that. It should be the same for mDNS, but I did not test that.
Some tech journalists and Wi-Fi administrators have been testing this for years, for example:
- 3 years ago, Germany, magazine Heise c’t 7/2020 page 100 ‘Funkkutscher’
- 8 years ago, again Germany, Deutsches Forschungsnetz (DFN) ‘WLAN: Single SSID + Multiple VLANs = Multicast-Problem’
Both can be found on the Internet. I am not allowed to link those directly. The latter provides strategies for a fix. My Ubiquiti UniFi stops using multicast and switches to unicast when VLAN assignment is involved. My MikroTik – based on their recent WifiWave2 package – uses a rather new strategy, assigning each VLAN its own GTK1. I verified that via Wireshark and monitored the Wi-Fi traffic using the PMKs. Other vendors provide features like ‘gtk-per-vlan’ or ‘multicast-to-unicast’ which must be enabled manually.
With TP-Link EAP, I found no way to remedy this. I played around with the Multicast settings in the software controller (tested: 5.9.31). That did not help. I played around with a Wi-Fi 6 enabled access point, EAP620 HD v1 with firmware 1.1.1 Build 20220224 and the newer 1.1.0 Build 20230303. Same issue. Until this is fixed, I have to decide between IPv6 or Dynamic VLAN Assignment.
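To make the leak described above visible from the client side, here is an added example (not part of the original post, and not TP-Link or FreeRADIUS code) that parses the Prefix Information options of an ICMPv6 Router Advertisement and flags any prefix that does not belong to the VLAN the client was assigned. The RA bytes and the 2001:db8::/32 documentation prefixes are constructed for the demonstration; on a real client you would feed it the ICMPv6 payload of captured RAs, e.g. from a Wireshark export.

```python
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134   # RFC 4861 RA message type
OPT_PREFIX_INFORMATION = 3          # RA option carrying an on-link/SLAAC prefix


def build_ra(prefixes):
    """Construct a minimal ICMPv6 RA (RFC 4861) with one Prefix Information
    option per prefix. This is constructed test input, not a real capture."""
    # type, code, checksum (0 here), cur hop limit, flags, router lifetime,
    # reachable time, retrans timer
    hdr = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,
                      64, 0, 1800, 0, 0)
    opts = b""
    for p in prefixes:
        net = ipaddress.IPv6Network(p)
        # type=3, length=4 (units of 8 bytes), prefix length, flags L|A,
        # valid lifetime, preferred lifetime, reserved, then the 16-byte prefix
        opts += struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4,
                            net.prefixlen, 0xC0, 2592000, 604800, 0)
        opts += net.network_address.packed
    return hdr + opts


def ra_prefixes(icmpv6):
    """Return the prefixes advertised in an RA body (ICMPv6 header + options)."""
    if len(icmpv6) < 16 or icmpv6[0] != ICMPV6_ROUTER_ADVERTISEMENT:
        return []
    found = []
    pos = 16  # fixed RA header is 16 bytes; options follow
    while pos + 2 <= len(icmpv6):
        opt_type, opt_len = icmpv6[pos], icmpv6[pos + 1]
        if opt_len == 0:  # zero-length option is malformed; stop parsing
            break
        size = opt_len * 8
        if (opt_type == OPT_PREFIX_INFORMATION and size == 32
                and pos + 32 <= len(icmpv6)):
            plen = icmpv6[pos + 2]
            addr = ipaddress.IPv6Address(icmpv6[pos + 16:pos + 32])
            found.append(ipaddress.IPv6Network((addr, plen), strict=False))
        pos += size
    return found


def foreign_prefixes(icmpv6, expected):
    """Prefixes in the RA that do not belong to the client's assigned VLAN."""
    allowed = {ipaddress.IPv6Network(e) for e in expected}
    return [p for p in ra_prefixes(icmpv6) if p not in allowed]
```

A client on the VLAN that owns 2001:db8:10::/64 should never see 2001:db8:20::/64 announced; with a per-VLAN GTK or multicast-to-unicast conversion the second prefix would not arrive at all.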