Traffic leaking between RADIUS dynamic VLANs: IPv6 RAs

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
2024-02-21 16:57:44
Model: EAP245
Hardware Version: V3
Firmware Version: 5.1.0

9 months ago, I reported a software bug. That thread got closed. That thread was not updated. Were you able to reproduce the issue? That thread does not list all models/versions affected. I am not asking whether that bug gets fixed in my V3. I am ready to upgrade to V4 if the issue has been solved there. Alternatively, I am ready to upgrade to other models. However, I need some support on the current state of that bug report. And I am happy to provide more details if the bug is not reproducible.

#1
Re:Traffic leaking between RADIUS dynamic VLANs: IPv6 RAs
2024-02-22 03:20:03

Hi @CISTORop,

EAPs support multicast-to-unicast; please keep all your devices' firmware up to date.

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
#2
Re:Traffic leaking between RADIUS dynamic VLANs: IPv6 RAs
2024-02-22 08:33:38

@Hank21 I am sorry, I do not understand. Is there newer firmware for my EAP245 V3 or EAP620 HD V1? I was and am not able to find that. Both products show no change with ‘multicast to unicast’ set; they still exhibit that issue. Which models/versions support that feature? Furthermore, has reproducing my report revealed that this setting/feature works around the issue?

#3
Re:Traffic leaking between RADIUS dynamic VLANs: IPv6 RAs
2024-03-05 12:26:59

If there is another support channel I should go for, please say so. Learning how to deal with feature requests but also bug reports from the ‘field’, reported by users, could be the unique selling point for the Omada series. As of today, I am still not sure whether my other thread was transformed into a bug report internally at all. If it was, which status does it have now, and which Omada models are considered to be fixed? I went for the latest Omada SDN controller 5.13.30.8, reset my devices to factory and re-adopted them; that did not help. Such re-tests take time, making Omada more expensive than it should be. Then, I re-visited the thread about early-access firmware. For the EAP650, EAP655, and EAP670, it states, ‘Fixed abnormal IPv6 address acquisition for clients when enables Dynamic VLAN’. Again, I am just guessing, but that might relate to my bug report. Therefore, I went for a (not mentioned) EAP653. Not sure why that model was not mentioned. And I am not sure why this bug fix was not found in the official release notes. Again failures, failures. But indeed, without fiddling around with the Multicast/Broadcast settings in the controller, the behavior of the EAP653 was different; IPv6 RAs from my router do not leak across VLANs. But in my last thread, IPv6 was just one example!

mDNS still leaks. Furthermore, I tested more than one Wi-Fi client connected to the same access point: all multicast/broadcast messages from one Wi-Fi client, although in different VLANs, are sent to all other Wi-Fi clients. Again, I monitored via Wireshark: the client sends broadcast messages via the PMK, and the access point re-sends them via the GTK. Consequently, Omada does not isolate the different VLANs. The latter could be worked around with Client Isolation or, as TP-Link called it, ‘SSID isolation’, enabled on each access point. However, that is just a workaround because then members of the same VLAN cannot talk to each other either. Furthermore, TP-Link enhanced that feature into Guest Network, blocking Wi-Fi clients from private IP addresses, too. But I do not need/want that.

Long story short, RADIUS dynamic VLAN is still broken in the world of Omada. For example, a bad Wi-Fi client in a guest network is able to send IPv6 RAs itself, tearing down IPv6 connectivity for all Wi-Fi clients, even those in different VLANs. Consequently, the team who added Dynamic VLAN neither implemented nor tested correctly. Consequently, the one who tackled my bug report just focused on the example and did not understand the broader picture. I am not sure whether giving that team this bug report again would be a good idea. Again, the solution is quite easy: you just have to monitor Wi-Fi on the air layer with the help of the PMK, and then copy the behavior of Cisco, UniFi, or MikroTik.

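The test methodology described in the post above (one monitoring station per VLAN, decrypting what the access point re-sends under the GTK, and comparing that with the VLAN RADIUS assigned to the sender) can be turned into a repeatable check over the exported frames. The following is an added example written for this thread, not code from the original posts or from TP-Link; the frame fields, MAC addresses and protocol labels are constructed stand-ins for what a Wireshark export would provide, and the single authorised router MAC is an assumption of the example. It flags both failure modes the thread names: group-addressed traffic (IPv6 RAs, mDNS, DHCP broadcasts) reaching a station in another VLAN, and Router Advertisements that do not come from the router.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Frame:
    """One decrypted 802.11 data frame, reduced to the fields the check needs.

    tx_vlan: VLAN the sender belongs to (the RADIUS-assigned VLAN for a
             station, the 802.1Q tag for frames entering from the router).
    rx_vlan: VLAN of the monitoring station that received the frame after the
             AP re-encrypted it with the GTK.
    proto:   constructed label for the payload type.
    """
    src_mac: str
    dst_mac: str
    tx_vlan: int
    rx_vlan: int
    proto: str


# Constructed addresses (assumption): only the router may originate RAs.
ROUTER_MAC = "02:aa:aa:aa:aa:01"
GUEST_STA = "02:bb:bb:bb:bb:10"   # RADIUS put this station into VLAN 10
STAFF_STA = "02:cc:cc:cc:cc:20"   # RADIUS put this station into VLAN 20
ROUTER_MACS = frozenset({ROUTER_MAC})


def is_group_address(mac: str) -> bool:
    """True for multicast and broadcast: the I/G bit (LSB of the first octet) is set."""
    return int(mac.split(":")[0], 16) & 0x01 == 0x01


def find_cross_vlan_leaks(frames: Iterable[Frame]) -> list[Frame]:
    """Group-addressed frames delivered to a station outside the sender's VLAN.

    With correct per-VLAN isolation the AP never forwards such a frame, so
    every hit is evidence of the leak described in the thread.
    """
    return [f for f in frames
            if is_group_address(f.dst_mac) and f.tx_vlan != f.rx_vlan]


def find_rogue_ras(frames: Iterable[Frame],
                   router_macs: frozenset[str] = ROUTER_MACS) -> list[Frame]:
    """Router Advertisements whose source is not an authorised router."""
    return [f for f in frames
            if f.proto == "icmpv6-ra" and f.src_mac.lower() not in router_macs]


def leak_report(frames: Iterable[Frame],
                router_macs: frozenset[str] = ROUTER_MACS) -> dict[str, int]:
    """Count leaked frames per protocol, plus rogue RAs under the key 'rogue_ra'."""
    frames = list(frames)
    report: dict[str, int] = {}
    for f in find_cross_vlan_leaks(frames):
        report[f.proto] = report.get(f.proto, 0) + 1
    report["rogue_ra"] = len(find_rogue_ras(frames, router_macs))
    return report


# Constructed capture: what two monitoring stations (one per VLAN) observed.
SAMPLE_CAPTURE = [
    # Router RA tagged VLAN 10, seen by the VLAN 10 station: expected.
    Frame(ROUTER_MAC, "33:33:00:00:00:01", 10, 10, "icmpv6-ra"),
    # The same RA also decrypted by the VLAN 20 station: the original report.
    Frame(ROUTER_MAC, "33:33:00:00:00:01", 10, 20, "icmpv6-ra"),
    # Guest station's mDNS query reaching the staff VLAN.
    Frame(GUEST_STA, "01:00:5e:00:00:fb", 10, 20, "mdns"),
    # Guest station's DHCP Discover (broadcast) reaching the staff VLAN.
    Frame(GUEST_STA, "ff:ff:ff:ff:ff:ff", 10, 20, "dhcp-discover"),
    # Staff station's ARP request staying inside VLAN 20: expected.
    Frame(STAFF_STA, "ff:ff:ff:ff:ff:ff", 20, 20, "arp"),
    # Guest station sending its own RA, which also reaches VLAN 20.
    Frame(GUEST_STA, "33:33:00:00:00:01", 10, 20, "icmpv6-ra"),
    # Unicast frame: outside the scope of the group-address check.
    Frame(GUEST_STA, STAFF_STA, 10, 10, "unicast"),
]


if __name__ == "__main__":
    for proto, count in sorted(leak_report(SAMPLE_CAPTURE).items()):
        print(f"{proto:14s} {count}")
```

Running it on the constructed capture reports two leaked RAs (the router's and the guest station's), one mDNS and one DHCP leak, and one rogue RA; a clean per-VLAN implementation would report zero of each. Feeding it a real export means mapping each decrypted frame from the capture tool onto these five fields, with the sender's VLAN taken from the RADIUS assignment rather than from the frame itself.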
#4
Re:Traffic leaking between RADIUS dynamic VLANs: IPv6 RAs
2024-03-06 05:41:23

Hi @CISTORop

Thanks for posting in our business forum.

CISTORop wrote

If there is another support channel I should go for, please say so. […]


Since my associate left, I have taken over this temporarily and I am new to this issue. There was an email forwarded to me about your issue.

As instructed, here's the download link I need to share with you and you can take a look.

EAP245_v3.0_5.1.90_build20240305_rel60554

Let me know if this resolves your issue or not.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
#5
Re:Traffic leaking between RADIUS dynamic VLANs: IPv6 RAs
2024-03-06 13:17:06

With the new firmware 5.1.90, it behaves like the EAP653 now: IPv6 does not leak. Multicast/broadcast originating at the Wi-Fi client, like mDNS and DHCP, leaks.

#6
Re:Traffic leaking between RADIUS dynamic VLANs: IPv6 RAs
2024-03-08 03:25:02 - last edited 2024-03-08 03:55:44

Hi @CISTORop

Thanks for posting in our business forum.

CISTORop wrote

With the new firmware 5.1.90, it behaves like the EAP653 now: IPv6 does not leak. Multicast/broadcast originating at the Wi-Fi client, like mDNS and DHCP, leaks.

mDNS and DHCP are expected. The firmware has fixed the reported issue, and the other aspects you proposed do not constitute an issue.

mDNS packets will influence the Apple Bonjour Service; as a result, someone using AirPrint® or screen sharing would not be able to use them after we stop the mDNS transition in different VLANs.

Best Regards!
#7
Re:Traffic leaking between RADIUS dynamic VLANs: IPv6 RAs
2024-03-09 11:39:16

@CISTORop

What is the device you are using that is experiencing the leaking? Model & version. I had a very similar issue on EAP610, EAP650, EAP653, and EAP655-Wall. It was resolved by a beta firmware that has not been released publicly.

If we can highlight another device with the same issue it adds more attention for TP-Link to fix the issue permanently.

B

#8
Re:Traffic leaking between RADIUS dynamic VLANs: IPv6 RAs
2024-03-12 15:26:03

I don't know what I shall say. How do you come to that conclusion? Again, DHCP is just an example. The whole concept of how to deal with multicast/broadcast (from client devices and from the router) in the case of dynamically assigned VLANs is broken. GTK is misused currently. Each VLAN must be isolated. The current situation creates the wildest issues, explained in the source cited in my previous thread, years ago. Therefore, I invite @MikeSchnagli @StevieDuk @Nitin-Lohchab @pokhui @TomasAAA @Christian2705 @bky @Oliv2831 @MatthiasL22 @Holl595 @Yttra @sonaric @MR.S @mtl_squirrel because they reported using Dynamic VLAN Assignment. @4uba @Eguliker @Ofloo @mobb @NickyV @0llli @mtpi @maresu @bolhaskutya @Kamal9 intended to use Dynamic VLAN Assignment. Hopefully, you are still with Omada, using Dynamic VLAN, and noticed my reported issue. Perhaps you can explain/convince TP-Link, which I cannot.

@BrnM

• EAP653 V1 1.0.12 Build 20240131
• EAP620 V1 1.1.0 Build 20230303
• EAP245 V3 5.1.90 Build 20240305

Do you have a newer release on your EAP653?

#9
Re:Traffic leaking between RADIUS dynamic VLANs: IPv6 RAs
2024-03-13 07:34:25

Hi @CISTORop

CISTORop wrote

I don't know what I shall say. How do you come to that conclusion? […]

Your last reply about mDNS and DHCP was read by the dev and it is not something useful and fruitful.

If you want to continue this conversation with me, please show the test method, topology of your test environment and Wireshark result.

I will check if it is expected or not and if it is logical, and will get the dev to read through your test methodology as well.

So far, you just say mDNS does not make sense. DHCP is leaking; how do you test it out? DHCP's first query is a broadcast. Do you think the broadcast is leaking? I don't think this will be a dialectic and logical way to discuss.

I only take concrete evidence and a dialectic way to illustrate an issue. Please, please reply with some other concrete information as we go further into this conversation.

Best Regards!
#10
Re:Traffic leaking between RADIUS dynamic VLANs: IPv6 RAs
2024-03-19 11:34:12

Hi, I am replying to this thread because I was tagged. I am using Dynamic VLAN in a multi-VLAN context with no multicast/broadcast issues. I have set the mDNS repeater in the Services tab for the services of interest, and my different mDNS services work consistently. I can share, from experience, that ACLs do block mDNS requests. Without exclusions, ACLs block printer sharing and different cast services. I cannot comment on the other aspects.

Regards