Netgate Discussion Forum

    Netgear WAX610 multicast packets showing up on multiple VLANS

    General pfSense Questions
    10 Posts 3 Posters 134 Views
    Mission-Ghost (last edited by Mission-Ghost)

      This topic is a branch from the linked thread...

      @dennypage said in how to stop logging blocked LAN IGMP?:

      Then, the sky fell. The Netgear has an address of 192.168.10.22. Looking at your prior posts, packets from address 192.168.10.22 are arriving on at least 4 different pfSense interfaces:

      30_UTIL
      40_CAM
      50_ENT
      60_GUEST_GM
      

      Thank you all again for the educational discussion. This intersection of WiFi with Multicast is beyond my feeble 30-year-old networking skills.

      Question: does the fact that the .10 subnet is my management VLAN and designated as such in the config of the four Netgear WAX610s in question on my network explain what is going on with packets showing up on all the other interfaces/VLANs, and it's ok in that case?

      Or, should this still not happen even though the .10 subnet has the router, switches and all the access points on it and on the router this subnet's rules grant every device on this subnet access to every other subnet?

      As it is, I've gone through and tried to shut off all of the Multicast functionality on the four access points, except on VLAN 50 which is the Entertainment VLAN, where it's necessary for the HDHomeRun device to work.

      Today I shut off the one Multicast element I could find that I had not done previously, the mDNS Gateway function. This was brought to mind reading this post on the Netgear forum and this bit on the AP's help system:

      Configuration > mDNS Gateway Help
      You can enable the mDNS Gateway feature to discover services across VLANs when inter-VLAN routing is disabled in the network. Configure the AP that will serve as the mDNS reflector to discover services across VLANs, and then configure policies to define which clients are allowed to access a service on a different VLAN. For example, you might configure policies that allow clients on one VLAN to access print services where the printer is on a different VLAN. If there is more than one AP, enable the mDNS Gateway feature on other node APs participating in the WiFi network.

      As it is, I don't understand well what they're saying in this bit of help.

      Another question: having done all these changes to Multicast functions on the APs, what do I look for in a new pfSense packet capture to verify the changes I made have stopped the packets showing up on all interfaces, if that is still what I should be aiming to do?

      Many thanks again for the stimulating and helpful conversation.

      JKnott @Mission-Ghost

        @Mission-Ghost

        This sounds like a problem I had with a TP-Link access point. Multicasts from the main LAN would appear on my guest VLAN. Apparently, the same problem happened with some TP-Link switches. Replacing the access point fixed the problem.

        Do you have any TP-Link gear?

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel 1 Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        Mission-Ghost @JKnott

          @JKnott thank you for your post.

          I have TP-Link switches, but the access points are Netgear. I have always had the Multicast functions selected as 'disabled' on the switches.

          I think I got this fixed by shutting off all the Multicast functions on the access points, particularly the mDNS Gateway function. At least, I can't see any traffic from any other subnet/VLAN on the packet capture from pfSense on the Entertainment VLAN any more.

          (Aside, I used to have Netgear GS308EP switches, but they had a security vulnerability that could not be patched or fixed.)

          JKnott @Mission-Ghost

            @Mission-Ghost said in Netgear WAX610 multicast packets showing up on multiple VLANS:

            I have TP-Link switches

            That could be the problem. As I said, it affected switches and access points. IPv6 uses multicasts a lot and that's why I found the problem. Like you, I was getting addresses from the wrong subnet on my guest WiFi.

            There was a thread here about the problem a while ago.

            dennypage @Mission-Ghost

              @Mission-Ghost It may be worth posting information on your actual VLAN configs: What VLANs are on each device; Whether ports are configured as trunk or access; And tagged vs untagged on those ports.

              FWIW, while I haven't had hands on a Netgear device in 15+ years, I am pretty sure that they run Linux inside, and the "mDNS Gateway" that they refer to is actually the Avahi daemon. Avahi is seriously one of the most frequently misconfigured pieces of software you can find, and I would avoid using any implementation that you cannot inspect and validate the config file for. If you need mDNS bridging, in my opinion you are much better off using the Avahi or mdns-bridge packages on pfSense instead.

              Mission-Ghost @dennypage

                @dennypage and @JKnott , thank you for your thoughts.

                RE: the TP-Link switches, I see your point. Before I make changes which I cannot verify make any positive difference, especially like replacing all my switches, again, I'd like to see evidence that the problem is still present.

                I don't know what else to look for in a pcap other than what I'm seeing now: on the .50 subnet, only .50 traffic is appearing, even running the pcap for 30+ minutes. The access point's own address, .10.22, doesn't register even once. So maybe it's fixed and nothing more is needed? If someone has an idea how I can further verify this is the case, I'd be grateful to hear it!

                RE: mDNS gateway, it's now set to 'disable' on all three switches. Right now I don't have a use case for mDNS, so off is fine. I ran Avahi on pfSense once to gain access to a printer over several VLANs. Ultimately I put the printer on the primary user network and it meets our needs, so I discontinued Avahi. I concur, if I don't need the function on pfSense, I sure don't need it on the access points! Generally speaking, I like to run as little as needed. Unfortunately, documentation is not necessarily clear on what is needed in a given situation, so sometimes I discover I'm running things I don't need after it's been running a long time. I'm happy to kick those things to the curb when I find out.

                JKnott @Mission-Ghost

                  @Mission-Ghost said in Netgear WAX610 multicast packets showing up on multiple VLANS:

                  I'd like to see evidence that the problem is still present.

                  Multicasts leaking into other subnets is certainly a strong clue. One thing I used when working on this is Wireshark. You can also use Packet Capture, which is included with pfSense.

                  Mission-Ghost (last edited by Mission-Ghost)

                    I ran a packet capture with Wireguard on all my VLANs last night and found no IGMP packets on any except the Entertainment VLAN where they belong. So it seems all the Multicast shutoffs on the Netgear access points have resolved the issue.

                    I’m not sure why the APs would offer this. It seems like a job for the router.

                    dennypage @Mission-Ghost

                      @Mission-Ghost said in Netgear WAX610 multicast packets showing up on multiple VLANS:

                      I ran a packet capture with Wireguard on all my VLANs last night and found no IGMP packets on any except the Entertainment VLAN where they belong.

                      I would not look for IGMP packets, I would look for ANY packets with source addresses outside the local subnet, whether they be point to point, multicast or broadcast packets.

                      Mission-Ghost @dennypage
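The check dennypage describes above (and the "what do I look for in a new capture" question in the first post) can be scripted so the capture is judged by source address rather than by protocol. The block below is an added example written for this thread; it is not code from the forum, from Netgate or from Netgear. The capture records in it are constructed, not a real pcap: the subnet numbering follows the thread (.10 management, .50 entertainment, .30 for 30_UTIL), but the hosts, protocols and descriptions are made up. The interface name `igb0.50` in the comment is also an assumption about how VLAN 50 would be named on the pfSense box.

```python
"""Flag frames in a per-VLAN capture whose IPv4 source lies outside that
VLAN's own subnet. Added example for this thread, not code from the
forum or from Netgate; the sample records are constructed, not a capture.
"""
import ipaddress
from collections import Counter

# Constructed sample of what a capture on the Entertainment VLAN
# interface (192.168.50.0/24) might contain. Subnet numbering follows
# the thread; hosts, protocols and descriptions are made up.
# Each record: (src_ip, dst_ip, protocol, description)
SAMPLE_VLAN50_CAPTURE = [
    ("192.168.50.15", "239.255.255.250", "UDP",  "SSDP from a local client"),
    ("192.168.50.1",  "224.0.0.1",       "IGMP", "membership query from pfSense"),
    ("192.168.50.40", "192.168.50.1",    "UDP",  "DNS from a local client"),
    ("0.0.0.0",       "255.255.255.255", "UDP",  "DHCP discover, client has no lease yet"),
    ("192.168.10.22", "224.0.0.251",     "UDP",  "mDNS carrying the AP's management address"),
    ("192.168.10.22", "255.255.255.255", "UDP",  "broadcast carrying the AP's management address"),
    ("192.168.30.7",  "192.168.50.40",   "TCP",  "unicast from the 30_UTIL subnet"),
]


def classify_destination(dst_ip, local_net):
    """Label a destination as multicast, broadcast or unicast."""
    dst = ipaddress.ip_address(dst_ip)
    if dst.is_multicast:
        return "multicast"
    if dst == ipaddress.ip_address("255.255.255.255") or dst == local_net.broadcast_address:
        return "broadcast"
    return "unicast"


def off_subnet_sources(records, local_cidr):
    """Return every record whose source address is not inside local_cidr.

    The unspecified source 0.0.0.0 is legitimate on any segment (a DHCP
    client without a lease) and is not reported. Every other foreign
    source is reported whether the destination is unicast, multicast or
    broadcast, because a leak shows up in all three and is not limited
    to IGMP.
    """
    local_net = ipaddress.ip_network(local_cidr, strict=False)
    leaks = []
    for src_ip, dst_ip, proto, description in records:
        src = ipaddress.ip_address(src_ip)
        if src.is_unspecified or src in local_net:
            continue
        leaks.append({
            "src": src_ip,
            "dst": dst_ip,
            "proto": proto,
            "kind": classify_destination(dst_ip, local_net),
            "description": description,
        })
    return leaks


def summarize(leaks):
    """Count reported frames per (source address, destination kind)."""
    return Counter((leak["src"], leak["kind"]) for leak in leaks)


def capture_filter(local_cidr):
    """BPF expression that captures only the frames off_subnet_sources()
    would report, for tcpdump at the pfSense shell. The interface name is
    an assumption, e.g. igb0.50 for VLAN 50 on igb0:
        tcpdump -ni igb0.50 'ip and not src net 192.168.50.0/24 and not src host 0.0.0.0'
    """
    local_net = ipaddress.ip_network(local_cidr, strict=False)
    return f"ip and not src net {local_net.with_prefixlen} and not src host 0.0.0.0"


if __name__ == "__main__":
    found = off_subnet_sources(SAMPLE_VLAN50_CAPTURE, "192.168.50.0/24")
    for leak in found:
        print(f"{leak['kind']:<9} {leak['src']:>14} -> {leak['dst']:<16} {leak['proto']:<4} {leak['description']}")
    for (src, kind), count in sorted(summarize(found).items()):
        print(f"{src} {kind}: {count}")
    print("capture filter:", capture_filter("192.168.50.0/24"))
```

Run it once per VLAN interface with that interface's own subnet; a clean interface yields an empty list, and on a leaking one the summary shows which foreign address is arriving and by what kind of delivery. The script only checks IPv4; for IPv6 the same comparison applies against the VLAN's global prefix, but link-local (fe80::) sources cannot be attributed to a VLAN by address alone, so those need to be judged by the sending MAC instead.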

                        @dennypage said in Netgear WAX610 multicast packets showing up on multiple VLANS:

                        @Mission-Ghost said in Netgear WAX610 multicast packets showing up on multiple VLANS:

                        I ran a packet capture with Wireguard on all my VLANs last night and found no IGMP packets on any except the Entertainment VLAN where they belong.

                        I would not look for IGMP packets, I would look for ANY packets with source addresses outside the local subnet, whether they be point to point, multicast or broadcast packets.

                        I did that too and had the same results; nothing outside of each subnet found. Just reported IGMP since that was what was on my mind from the origin thread.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.