Router Advertisement leakage across VLANs

Hey Sindy.
I hear you, and thanks for the hint about drivers stripping off the VLAN tags. That makes total sense.

I also fully agree that it's within the admin's responsibility to fix this on the port or virtual machine.
But I myself, and many others, just weren't 100% familiar with how some things work, so everyone is constantly learning.

Do you have an idea how this also can happen on WiFi?
From my understanding, VLAN tags are not sent over WiFi, right?
I will try to reproduce this, to make sure I don't mix up things in my memory, but IIRC a Windows VM running on my Mac (connected via WiFi) in Parallels had IPv6 addresses from different VLANs.
Is that even possible?

They are, but I am not sure (shame on me) whether there is a standard for it or whether Mikrotik has implemented that in a proprietary way. I only know it wasn’t there, say, 7 years ago and the manual was recommending to use VPLS when you needed to deliver a VLAN trunk across a wireless link, and then something changed and it became possible to pass a trunk of multiple VLANs through a single wireless interface/SSID.


That adds a bunch of additional suspects into the picture. The WiFi driver of the Mac may or may not transparently support VLANs over wireless in the same format Mikrotik uses, or it may ignore/strip the VLAN tag in the frames but accept the rest of the frame, the same way as Windows network card drivers do. You'd have to sniff (Wireshark) on the "wired" (actually, silicon) side of the wireless interface to find out. Then the networking part of Parallels may have its own approach to that, and finally the known "not-a-bug" of Windows may cause that.

Makes sense, thanks a lot.

Interesting, as I will be trying to send VLANs over WiFi in the near future… ax3 testing.

*) wifiwave2 - fixed issue which lead to VLAN-tagged wireless clients receiving tagged traffic from other VLANs;
http://forum.mikrotik.com/t/v7-9beta-testing-is-released/165419/1
Could this explain the issues with a Windows VM running on a Wireless client?

WifiWave2 is the new driver from MikroTik for some of their Wi-Fi chipsets. Some devices require the new one; some older devices can leverage the new one. For the latter, MikroTik provides a compatibility list … Your MikroTik hAP ac² does not use this one but the traditional driver.

Nevertheless, let us investigate this change in the latest RouterOS 7.9 beta release: ‘fixed issue which lead to VLAN-tagged wireless clients receiving tagged traffic from other VLANs’. Let us assume you use WPA-Enterprise as encryption. Let us assume your RADIUS server assigns a VLAN via Mikrotik-Wireless-VLANID. Then, your Wi-Fi client is put into that VLAN. Everything it sends via Wi-Fi gets that VLAN attached on the Ethernet interface of your MikroTik. And your MikroTik sends everything for that VLAN to that Wi-Fi client, and the VLAN is removed on the Wi-Fi interface. Long story short, you are using a single SSID with multiple VLANs. That was about unicast traffic. When it comes to broadcast and multicast traffic – like IPv6 Router Advertisements – the situation is much more complex …

RouterOS 7.9 with WifiWave2 uses GTK1 for that traffic, but every VLAN gets its own GTK1. I monitored this via Wireshark because I had to debug this issue as well. In other words, the Wi-Fi client sees traffic for all VLANs but is not able to decrypt the others because then the GTK1 is wrong. That is a bit of a hack, but several Wi-Fi vendors do it that way. Before, this was broken in RouterOS 7.8 and the new WifiWave2 driver; the Wi-Fi client saw all VLANs, IPv6 Router Advertisements leaked across VLANs. That was the new WifiWave2 driver package, which you do not use.

The traditional Wi-Fi driver package in your MikroTik hAP ac² uses a different approach: Multicast to Unicast. When several VLANs are active, the GTKs are not used anymore, and everything is encrypted via the PMK. In other words, broadcast and multicast traffic is converted to unicast. With the traditional driver, this does not happen by default; you have to activate it, for example, via WebFig → Wireless → click on your Wireless interface → (button) Advanced Mode → (Wireless) Multicast Helper: change from ‘default’ to ‘full’. With the traditional Wi-Fi driver package, if you do not change this, IPv6 Router Advertisements leak across VLANs.

Very long story short, I don't know whether this tackles your issue. The original thread was about something other than Wi-Fi. It was about Dot1X via Ethernet interfaces. It looks like your case is about Wi-Fi. However, you add another layer of complexity because you are using a virtual machine with Windows on an Apple macOS host. If multicast-helper=full does not solve your issue, please go for a network analyzer like Wireshark and trace the data packets both in Windows and macOS. In Windows, to list interfaces at all, Wireshark could be started with administrator rights, for example. Please note that IPv6 Router Advertisements arrive periodically, which might take several minutes. Therefore, the best would be to monitor the Ethernet interface of your MikroTik as well to know exactly when those arrive. In my case, it is about 10 minutes. However, I saw Internet routers that have defaults of 30 minutes and even longer.
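As an added example for the tracing step above (this is not code from the thread or from MikroTik), the Python script below does the check a Wireshark session would do by hand: it parses raw Ethernet frames, pulls out the 802.1Q VLAN ID and any Prefix Information options from IPv6 Router Advertisements, and flags an RA whose prefix belongs to a different VLAN than the one it was captured on. Untagged frames (a Wi-Fi client, or a VM whose driver strips the tag as described earlier in the thread) are attributed to a `client_vlan` you pass in, so a capture on the Windows guest can be checked the same way as a trunk-side capture on the MikroTik's Ethernet port. The frames, MAC addresses, VLAN IDs and the VLAN-to-prefix plan are all constructed sample data; in practice you would feed in bytes exported from a capture and your own addressing plan.

```python
"""Detect IPv6 Router Advertisements leaking across VLANs in captured frames.

Added example, not code from the thread or from MikroTik. All frames below are
constructed sample data; the VLAN-to-prefix allocation is an assumed policy.
"""
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

ETH_P_8021Q = 0x8100          # 802.1Q tag follows the two MAC addresses
ETH_P_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ICMPV6_ROUTER_ADVERT = 134
ND_OPT_PREFIX_INFO = 3        # RFC 4861 Prefix Information option


def parse_ra_prefixes(frame: bytes) -> Tuple[Optional[int], List[str]]:
    """Return (vlan_id or None if untagged, advertised prefixes).

    The prefix list is empty when the frame is not an ICMPv6 Router
    Advertisement. The ICMPv6 checksum is not verified; this is a triage tool.
    """
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vlan_id = 14, None
    if ethertype == ETH_P_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    if ethertype != ETH_P_IPV6:
        return vlan_id, []
    ip6 = frame[offset:offset + 40]
    if len(ip6) < 40 or ip6[6] != IPPROTO_ICMPV6:
        return vlan_id, []
    (payload_len,) = struct.unpack("!H", ip6[4:6])
    icmp = frame[offset + 40:offset + 40 + payload_len]
    # RA fixed header is 16 bytes: type, code, checksum, hop limit, flags,
    # router lifetime, reachable time, retrans timer. ND options follow.
    if len(icmp) < 16 or icmp[0] != ICMPV6_ROUTER_ADVERT:
        return vlan_id, []
    prefixes, pos = [], 16
    while pos + 2 <= len(icmp):
        opt_type, opt_units = icmp[pos], icmp[pos + 1]   # length in 8-byte units
        if opt_units == 0:                               # malformed option, stop
            break
        opt = icmp[pos:pos + opt_units * 8]
        if opt_type == ND_OPT_PREFIX_INFO and len(opt) == 32:
            prefix_len = opt[2]
            prefix = ipaddress.IPv6Address(opt[16:32])
            prefixes.append(f"{prefix}/{prefix_len}")
        pos += opt_units * 8
    return vlan_id, prefixes


def find_leaks(frames: List[bytes], expected: Dict[int, str],
               client_vlan: Optional[int] = None) -> List[Tuple[Optional[int], str, int]]:
    """Report (vlan_seen, prefix, vlan_that_owns_prefix) for misplaced RAs.

    `expected` maps VLAN ID -> the prefix the router should announce there.
    `client_vlan` is applied to untagged frames, e.g. a capture on a Wi-Fi
    client or a VM whose driver strips the tag: such a host should only ever
    see the prefix of the VLAN it was assigned to.
    """
    owner = {ipaddress.IPv6Network(p): v for v, p in expected.items()}
    leaks = []
    for frame in frames:
        vlan_id, prefixes = parse_ra_prefixes(frame)
        seen_on = vlan_id if vlan_id is not None else client_vlan
        for p in prefixes:
            home = owner.get(ipaddress.IPv6Network(p))
            if home is not None and home != seen_on:
                leaks.append((seen_on, p, home))
    return leaks


def build_ra_frame(vlan_id: Optional[int], prefix: str) -> bytes:
    """Construct a minimal RA frame (sample data; checksum left at zero)."""
    net = ipaddress.IPv6Network(prefix)
    option = struct.pack("!BBBBIII", ND_OPT_PREFIX_INFO, 4, net.prefixlen,
                         0xC0, 2592000, 604800, 0) + net.network_address.packed
    icmp = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, 0, 1800, 0, 0) + option
    ip6 = (struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, 255)
           + ipaddress.IPv6Address("fe80::1").packed     # constructed router link-local
           + ipaddress.IPv6Address("ff02::1").packed)    # all-nodes multicast
    eth = bytes.fromhex("333300000001") + bytes.fromhex("020000000001")  # constructed MACs
    if vlan_id is None:
        return eth + struct.pack("!H", ETH_P_IPV6) + ip6 + icmp
    return eth + struct.pack("!HHH", ETH_P_8021Q, vlan_id, ETH_P_IPV6) + ip6 + icmp


# Assumed addressing plan and constructed capture: VLAN 10 and VLAN 20 each
# have their own /64; the last two frames model the leakage discussed above.
EXPECTED_PREFIXES = {10: "2001:db8:10::/64", 20: "2001:db8:20::/64"}
SAMPLE_CAPTURE = [
    build_ra_frame(10, "2001:db8:10::/64"),    # correct RA on VLAN 10
    build_ra_frame(20, "2001:db8:20::/64"),    # correct RA on VLAN 20
    build_ra_frame(10, "2001:db8:20::/64"),    # VLAN 20 prefix seen tagged as VLAN 10
    build_ra_frame(None, "2001:db8:20::/64"),  # untagged, as a VLAN 10 client sees it
]


def demo() -> List[Tuple[Optional[int], str, int]]:
    return find_leaks(SAMPLE_CAPTURE, EXPECTED_PREFIXES, client_vlan=10)


if __name__ == "__main__":
    for seen_on, prefix, home in demo():
        print(f"RA for {prefix} (belongs to VLAN {home}) observed on VLAN {seen_on}")
```

Run against the constructed capture, the two legitimate RAs pass and both leaked frames are reported as the VLAN 20 prefix appearing on VLAN 10. Because RAs are only sent every few minutes, as noted above, a real capture needs to run long enough to include at least one full advertisement interval on every VLAN before an empty result means anything.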