staticsafe
just joined
Topic Author
Posts: 6
Joined: Sun Dec 28, 2014 6:42 pm

Router Advertisement leakage across VLANs

Sun Dec 28, 2014 6:48 pm

Hi all,

I am running a CRS125-24G-1S-RM with RouterOS version 6.24. I am seeing a rather strange issue where I'm seeing IPv6 router advertisements leaking across VLANs. Unsure if this is a bad configuration somewhere on my part or a bug.

Example:
My desktop PC is on VLAN 10; whenever I turn on something in VLAN 20, I see the router solicitation and the corresponding router advertisements, which confuses the host in VLAN 10.

Thank you in advance for any help.

My configuration:
[admin@janus] > /export compact hide-sensitive
# dec/28/2014 16:27:10 by RouterOS 6.24
# software id = ZLEQ-11VA
#
/interface bridge
add comment="Wired Standard" name=br10
add comment="Wireless Standard" name=br20
add comment="IPv6Only Experimental" name=br30
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-slave-local
set [ find default-name=ether3 ] name=ether3-slave-local
set [ find default-name=ether4 ] name=ether4-slave-local
set [ find default-name=ether5 ] name=ether5-slave-local
set [ find default-name=ether6 ] name=ether6-slave-local
set [ find default-name=ether7 ] name=ether7-slave-local
set [ find default-name=ether8 ] name=ether8-slave-local
set [ find default-name=ether9 ] name=ether9-slave-local
set [ find default-name=ether10 ] master-port=ether1-gateway name=ether10-slave-local
set [ find default-name=ether11 ] master-port=ether1-gateway name=ether11-slave-local
set [ find default-name=ether12 ] master-port=ether1-gateway name=ether12-slave-local
set [ find default-name=ether13 ] master-port=ether1-gateway name=ether13-slave-local
set [ find default-name=ether14 ] master-port=ether1-gateway name=ether14-slave-local
set [ find default-name=ether15 ] master-port=ether1-gateway name=ether15-slave-local
set [ find default-name=ether16 ] master-port=ether1-gateway name=ether16-slave-local
set [ find default-name=ether17 ] master-port=ether1-gateway name=ether17-slave-local
set [ find default-name=ether18 ] master-port=ether1-gateway name=ether18-slave-local
set [ find default-name=ether19 ] master-port=ether1-gateway name=ether19-slave-local
set [ find default-name=ether20 ] master-port=ether1-gateway name=ether20-slave-local
set [ find default-name=ether21 ] master-port=ether1-gateway name=ether21-slave-local
set [ find default-name=ether22 ] master-port=ether1-gateway name=ether22-slave-local
set [ find default-name=ether23 ] master-port=ether1-gateway name=ether23-slave-local
set [ find default-name=ether24 ] master-port=ether1-gateway name=ether24-slave-local
set [ find default-name=sfp1 ] master-port=ether1-gateway name=sfp1-slave-local
/interface 6to4
add local-address=174.117.80.88 mtu=1480 name=sit1 remote-address=216.66.38.58
/ip neighbor discovery
set br10 comment="Wired Standard"
set br20 comment="Wireless Standard"
set br30 comment="IPv6Only Experimental"
/interface vlan
add comment="Wired Standard" interface=ether2-slave-local l2mtu=1584 name=vlan10 vlan-id=10
add comment="Wireless Standard" interface=ether2-slave-local l2mtu=1584 name=vlan20 vlan-id=20
add comment="IPv6Only Experimental" interface=ether2-slave-local l2mtu=1584 name=vlan30 vlan-id=30
/ip neighbor discovery
set vlan10 comment="Wired Standard"
set vlan20 comment="Wireless Standard"
set vlan30 comment="IPv6Only Experimental"
/ip pool
add name="VLAN10 pool" ranges=10.0.10.2-10.0.10.253
add name="VLAN20 pool" ranges=10.0.20.3-10.0.20.253
/ip dhcp-server
add add-arp=yes address-pool="VLAN10 pool" always-broadcast=yes authoritative=yes disabled=no interface=br10 name="VLAN10 DHCP"
add add-arp=yes address-pool="VLAN20 pool" always-broadcast=yes authoritative=yes disabled=no interface=br20 name="VLAN20 DHCP"
/port
set 0 name=serial0
/interface bridge port
add bridge=br20 interface=ether4-slave-local
add bridge=br20 interface=vlan20
add bridge=br10 interface=ether2-slave-local
add bridge=br10 interface=vlan10
add bridge=br10 interface=ether3-slave-local
add bridge=br10 interface=ether5-slave-local
add bridge=br10 interface=ether6-slave-local
add bridge=br10 interface=ether7-slave-local
add bridge=br10 interface=ether8-slave-local
add bridge=br30 interface=ether9-slave-local
add bridge=br30 interface=vlan30
/interface ethernet switch egress-vlan-tag
add disabled=yes tagged-ports=switch1-cpu vlan-id=10
add disabled=yes tagged-ports=switch1-cpu vlan-id=20
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 disabled=yes new-customer-vid=20 ports=ether4-slave-local sa-learning=yes
add customer-vid=0 disabled=yes new-customer-vid=10 ports=ether2-slave-local,ether3-slave-local,ether5-slave-local,ether6-slave-local sa-learning=yes
/ip address
add address=10.0.10.1/24 interface=br10 network=10.0.10.0
add address=10.0.20.1/24 interface=br20 network=10.0.20.0
add address=10.0.10.254/24 interface=vlan10 network=10.0.10.0
add address=10.0.20.254/24 interface=vlan20 network=10.0.20.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1-gateway use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
*snip static leases*
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=10.0.10.3 gateway=10.0.10.1 netmask=24
add address=10.0.20.0/24 dns-server=10.0.10.3 gateway=10.0.20.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=2001:470:b2c9:10:c23f:d5ff:fe68:2453
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-gateway
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.0.10.0/24,10.0.20.0/24
set ssh address=10.0.10.0/24,10.0.20.0/24
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1-gateway type=external
add interface=br10 type=internal
add interface=br20 type=internal
/ipv6 address
add address=2001:470:1c:96b::2 advertise=no interface=sit1
add address=2001:470:b2c9:10::1 advertise=no interface=br10
add address=2001:470:b2c9:20::1 advertise=no interface=br20
add address=2001:470:b2c9:30::1 advertise=no interface=br30
/ipv6 nd
set [ find default=yes ] disabled=yes
add advertise-mac-address=no hop-limit=64 interface=br10 mtu=1480
add advertise-mac-address=no disabled=yes hop-limit=64 interface=br20 mtu=1480
add advertise-mac-address=no disabled=yes hop-limit=64 interface=br30 mtu=1480
/ipv6 nd prefix
add interface=br10 prefix=2001:470:b2c9:10::/64
add disabled=yes interface=br20 prefix=2001:470:b2c9:20::/64
add disabled=yes interface=br30 prefix=2001:470:b2c9:30::/64
/ipv6 route
add distance=1 dst-address=2000::/3 gateway=2001:470:1c:96b::1
/lcd
set read-only-mode=yes
/system clock
set time-zone-name=Etc/UTC
/system identity
set name=janus
/system ntp client
set enabled=yes primary-ntp=192.67.222.4 secondary-ntp=167.88.40.177
 
theprojectgroup
Frequent Visitor
Posts: 99
Joined: Tue Feb 21, 2017 11:40 pm

Re: Router Advertisement leakage across VLANs

Sat Aug 06, 2022 11:25 pm

I have exactly the same issue.
I have a MT at my home office with:

hAP AC2:
- bridge (is default vlan1) without vlan filtering enabled
- vlans configured on switch chip

On my MacBook connected via WLAN I have a Windows VM running which gets IPv6 addresses from a few, sometimes all, VLAN interfaces with advertising turned on.
This happens on every reboot. If I disable IPv6 on the Windows NIC and re-enable it, I "only" get the IPv6 address as expected.
After a reboot I have at least two IPv6 addresses from at least two different vlans and this is also random on every reboot.
The virtual NIC of the VM is bridged on macOS via the Hypervisor Parallels...

How is this possible?
 
theprojectgroup
Frequent Visitor
Posts: 99
Joined: Tue Feb 21, 2017 11:40 pm

Re: Router Advertisement leakage across VLANs

Sat Aug 06, 2022 11:30 pm

The issue still persists, even when I disable the particular VLANs on the switch:
CleanShot 2022-08-06 at 22.29.06@2x.png
CleanShot 2022-08-06 at 22.51.28@2x.png
CleanShot 2022-08-06 at 22.33.47@2x.png
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Router Advertisement leakage across VLANs

Sun Aug 07, 2022 10:26 am

Most Windows network card drivers silently strip any VLAN tags from received frames, rather than ignoring VLAN-tagged ones.
 
theprojectgroup
Frequent Visitor
Posts: 99
Joined: Tue Feb 21, 2017 11:40 pm

Re: Router Advertisement leakage across VLANs

Sun Aug 07, 2022 11:10 am

Hm. How is it possible that this is going over WiFi?
IIRC VLAN tags aren't sent over WiFi, right? But my Win-VM running on the Mac (connected via WiFi) inside the Parallels hypervisor receives RAs, so there must be some leak...
 
BartoszP
Forum Guru
Posts: 2855
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Router Advertisement leakage across VLANs

Sun Aug 07, 2022 1:31 pm

You resurrected an 8-year-old topic started for ROS version 6.24. Is your configuration really the same as that old one? There was a big change @6.41 version, so maybe you should send your configuration? Do you still use 6.24? I think not, as the hAP is IMHO not ready for 6.24.
 
theprojectgroup
Frequent Visitor
Posts: 99
Joined: Tue Feb 21, 2017 11:40 pm

Re: Router Advertisement leakage across VLANs

Sun Aug 07, 2022 2:41 pm

No,
I am on current ROS 7 and I answered here because the topic perfectly matches my issue.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Router Advertisement leakage across VLANs

Sun Aug 07, 2022 2:46 pm

OK, so go ahead and post the export of the actual configuration, not just random screenshots. If no misconfiguration can be found in the export, the next step is to sniff on the bridge interface, to see what is really going on there when the Windows machine boots.
 
BartoszP
Forum Guru
Posts: 2855
Joined: Mon Jun 16, 2014 1:13 pm
Location: Poland

Re: Router Advertisement leakage across VLANs

Sun Aug 07, 2022 2:51 pm

There is a manual https://help.mikrotik.com/docs/display/ ... tSwitching
maybe it could put some light on the problem:
Switch chips with a VLAN table support (QCA8337, Atheros8327, Atheros8316, Atheros8227 and Atheros7240) can override the port isolation configuration when enabling a VLAN lookup on the switch port (the vlan-mode is set to fallback, check or secure). If additional port isolation is needed between ports on the same VLAN, a switch rule with a new-dst-ports property can be implemented. Other devices without switch rule support cannot overcome this limitation.
 
theprojectgroup
Frequent Visitor
Posts: 99
Joined: Tue Feb 21, 2017 11:40 pm

Re: Router Advertisement leakage across VLANs

Mon Aug 08, 2022 9:19 am

Config Export
/interface bridge
add admin-mac=AA:BB:CC:DD:EE:C8 auto-mac=no comment=defconf name=bridge \
    protocol-mode=stp
/interface ethernet
set [ find default-name=ether1 ] comment="connected to M-net FritzBox" name=\
    ether1-wan speed=100Mbps
set [ find default-name=ether2 ] comment=\
    "conntected to MikroTik2 SleepingRoom" speed=100Mbps
set [ find default-name=ether3 ] comment="Subwoofer KH 750 DSP" speed=100Mbps
set [ find default-name=ether4 ] comment=ThunderboltDock speed=100Mbps
set [ find default-name=ether5 ] comment="conntected to MikroTik3 Kitchen"
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=germany disabled=no distance=indoors installation=indoor mode=\
    ap-bridge ssid=MyNET2G station-roaming=enabled wireless-protocol=\
    802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40/80mhz-Ceee \
    country=germany disabled=no distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge ssid=MyNET station-roaming=enabled \
    wireless-protocol=802.11 wps-mode=disabled
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-wan name=pppoe-out1 \
    user=USERNAME@mdsl.mnet-online.de

/interface vlan
add comment="vlan2 DMZ" interface=bridge name=vlan2-dmz vlan-id=2
add interface=bridge name=vlan3-test vlan-id=3
add comment="vlan11 Guest" interface=bridge name=vlan11-guest vlan-id=11
/interface ethernet switch port
set 1 default-vlan-id=0 vlan-mode=secure
set 2 default-vlan-id=0 vlan-mode=secure
set 3 default-vlan-id=0 vlan-mode=secure
set 4 default-vlan-id=0 vlan-mode=secure
set 5 default-vlan-id=0 vlan-mode=secure


/interface wireless
add comment=vlan11_guest disabled=no mac-address=AA:BB:CC:DD:EE:CD \
    master-interface=wlan2 name=wlan3-guest security-profile=JoeCockair ssid=\
    Vogelguest station-roaming=enabled vlan-id=11 vlan-mode=use-tag
add mac-address=AA:BB:CC:DD:EE:CC master-interface=wlan1 name=wlan4-guest \
    security-profile=JoeCockair ssid=MyNET-Guest2G station-roaming=\
    enabled

/ip pool
add comment="vlan1 LAN" name=vlan1-lan ranges=192.168.99.100-192.168.99.254
add comment="vpn clients" name=vpn ranges=192.168.101.250-192.168.101.253
add comment="vlan11 Guest" name=vlan11-guest ranges=\
    192.168.66.100-192.168.66.254
add comment="vlan2-dmz" name=vlan2-dmz ranges=\
    192.168.78.100-192.168.78.150
/ip dhcp-server
add address-pool=vlan1-lan bootp-support=none interface=bridge lease-time=\
    4w2d name=vlan0-lan
add address-pool=vlan11-guest bootp-support=none interface=vlan11-guest \
    lease-time=4w2d name=vlan11-guest
add address-pool=vlan2-dmz bootp-support=none interface=vlan2-dmz lease-time=\
    4w2d name=vlan2-dmz
/ipv6 dhcp-server option
add code=23 name=dns-powerDNS value="'2a02:8106:xxx:xxx::2'"
add code=23 name=blank-dns-no-dns-ipv6

/interface bridge filter
add action=drop chain=forward in-interface=wlan3-guest
add action=drop chain=forward out-interface=wlan3-guest
add action=drop chain=forward in-interface=wlan4-guest
add action=drop chain=forward out-interface=wlan4-guest

/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether5
add bridge=bridge interface=wlan3-guest
/ip neighbor discovery-settings
set discover-interface-list=discover
/ipv6 settings
set accept-router-advertisements=no max-neighbor-entries=8192
/interface bridge vlan
add bridge=bridge comment="vlan1 LAN" disabled=yes tagged=bridge,*9 vlan-ids=\
    1
add bridge=bridge comment="vlan2 DMZ" disabled=yes tagged=\
    bridge,vlan2-dmz,ether5 vlan-ids=2
add bridge=bridge comment="vlan11 Guest" disabled=yes tagged=\
    bridge,vlan11-guest,ether5,ether2 untagged=wlan3-guest vlan-ids=11
add bridge=bridge comment=vlan10-wan-sharing disabled=yes tagged=\
    bridge,*C,ether5 vlan-ids=10
add bridge=bridge comment=vlan3-test disabled=yes tagged=\
    bridge,vlan3-test,ether5 vlan-ids=3
/interface ethernet switch vlan
add comment="default vlan0" independent-learning=no ports=\
    ether2,ether3,ether4,ether5,switch1-cpu switch=switch1
add comment=vlan11-guest independent-learning=no ports=\
    ether2,ether5,switch1-cpu switch=switch1 vlan-id=11
add comment=vlan2-dmz independent-learning=no ports=ether2,ether5,switch1-cpu \
    switch=switch1 vlan-id=2
add comment=vlan3-test independent-learning=no ports=\
    ether2,ether5,switch1-cpu switch=switch1 vlan-id=3

/ip dhcp-server network
add address=192.168.66.0/24 comment="vlan11 Guest" dns-server=192.168.99.2 \
    gateway=192.168.66.1
add address=192.168.78.0/24 comment="vlan2-DMZ" dns-server=192.168.99.2 \
    gateway=192.168.78.1
add address=192.168.99.0/24 comment="vlan1 LAN" dns-server=192.168.99.2 \
    domain=MyNET.local gateway=192.168.99.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.99.2

/ipv6 address
add address=::1 advertise=no from-pool=mnet interface=pppoe-out1
add address=::1 from-pool=mnet interface=bridge
add address=::1 from-pool=mnet interface=vlan2-dmz
add address=::1 advertise=no from-pool=mnet interface=vlan3-test
add address=::1 from-pool=mnet interface=vlan11-guest

/ipv6 dhcp-client
add interface=pppoe-out1 pool-name=mnet prefix-hint=::/56 request=prefix

/ipv6 dhcp-server
add address-pool="" dhcp-option=blank-dns-no-dns-ipv6 interface=*9 name=\
    vlan1-lan
add address-pool="" dhcp-option=dns-powerDNS disabled=yes interface=\
    vlan3-test name=vlan3-test
add address-pool="" dhcp-option=blank-dns-no-dns-ipv6 interface=vlan11-guest \
    name=vlan11-guest

/ipv6 nd
set [ find default=yes ] advertise-dns=no interface=bridge \
    other-configuration=yes
add advertise-dns=no interface=vlan2-dmz other-configuration=yes
add advertise-dns=no disabled=yes interface=vlan3-test other-configuration=\
    yes
add advertise-dns=no interface=vlan11-guest other-configuration=yes
 
theprojectgroup
Frequent Visitor
Posts: 99
Joined: Tue Feb 21, 2017 11:40 pm

Re: Router Advertisement leakage across VLANs

Mon Aug 08, 2022 9:23 am

> There is a manual https://help.mikrotik.com/docs/display/ ... tSwitching
> maybe it could put some light on the problem:
> Switch chips with a VLAN table support (QCA8337, Atheros8327, Atheros8316, Atheros8227 and Atheros7240) can override the port isolation configuration when enabling a VLAN lookup on the switch port (the vlan-mode is set to fallback, check or secure). If additional port isolation is needed between ports on the same VLAN, a switch rule with a new-dst-ports property can be implemented. Other devices without switch rule support cannot overcome this limitation.
Thanks @BartoszP for the suggestion.
I'm not sure if this can help - especially because the issue happens on WiFi.
It's also possible that I just don't understand - can you explain please?
Thanks a lot!
 
cfikes
Member Candidate
Posts: 106
Joined: Mon Dec 08, 2014 9:14 pm
Location: Texas

Re: Router Advertisement leakage across VLANs

Fri Aug 26, 2022 11:39 pm

I'm experiencing the same issue on a CCR2004-1G-12S+2XS on 7.2. Upgrading it to the latest non-RC when everyone leaves for the day. Hopefully it fixes the issue. I'll be back with a config if it doesn't. Nothing crazy with my config, just basic inter-VLAN routing.
 
cfikes
Member Candidate
Posts: 106
Joined: Mon Dec 08, 2014 9:14 pm
Location: Texas

Re: Router Advertisement leakage across VLANs

Sat Aug 27, 2022 5:08 pm

Issue still persists. Only on wired connections though. Wireless clients only get their appropriate RA, but wired connections get ALL of them. I stripped out all the public addresses, but left the v4 internal ones as they are NAT'd anyway. New revelation today with this export is that it looks like the 2 VLAN interfaces (Data100 and Data102) on sfp-sfpplus2 are triggering a Duplicate Address Detected. Perhaps someone was nice enough to loop a cable back into another port in the wall, crossing VLANs? I know it's an old thread that has been revived but thought more exploration may help someone aside from me.

Thanks!
REMOVED
 
cfikes
Member Candidate
Posts: 106
Joined: Mon Dec 08, 2014 9:14 pm
Location: Texas

Re: Router Advertisement leakage across VLANs

Sat Aug 27, 2022 7:51 pm

So I found the issue. Nothing to do with MikroTik.

It's coming from Ubiquiti. . . . . .

Every single In-Wall AP is sending out RA packets for VLANS on assigned physical ports. . . . .

I cannot wait till Mikrotik has WiFi 6/6e with CAPsMAN support.
 
cfikes
Member Candidate
Posts: 106
Joined: Mon Dec 08, 2014 9:14 pm
Location: Texas

Re: Router Advertisement leakage across VLANs

Sun Aug 28, 2022 3:44 am

Beating a dead horse, but thought all would find this interesting. Check out all these misbehaving Ubiquiti UniFi APs.
Screenshot from 2022-08-27 19-38-46.png
 
theprojectgroup
Frequent Visitor
Posts: 99
Joined: Tue Feb 21, 2017 11:40 pm

Re: Router Advertisement leakage across VLANs

Sun Mar 05, 2023 1:27 am

I'm still seeing this issue in various deployments.

Searching the net shows lots of people have similar issues only related to IPv6 RAs, and it looks like only Windows clients are affected...

It looks like Windows just strips off the vlan tags and then gets the RAs which are in VLAN tagged packets.
- PriorityVLANTag (standard Windows keyword for NICs) documentation states (https://docs.microsoft.com/en-us/window ... n-keywords):
"The miniport driver should remove the 802.1Q header from all receive packets regardless of the *PriorityVLANTag setting.
If the 802.1Q header is left in a packet, other drivers might not be able to parse the packet correctly.
If the Rx flag is enabled on the receive path, the miniport driver should copy the removed 802.1Q header into OOB.
Otherwise, if the Rx flag is disabled, the miniport driver should not copy the removed 802.1Q header into OOB."

- https://community.arubanetworks.com/com ... ?MID=31121
"Windows listens to RA's coming in on tagged vlans."
- viewtopic.php?t=191386
"This has nothing to do with Mikrotik specifically, the same would be seen using a router from any other network vendor.
It is well known that most Microsoft network drivers strip VLAN tags on ingress,
so any tagged broadcast/multicast packets will also be delivered to the network stack rather than being discarded."
Regarding IPv4 DHCP Broadcasts:
"IPv4 is not targeted most of the time because DHCPv4 answers are normally unicast, except if the broadcast flag is set in the request"
That makes perfect sense. Yes the broadcast can also leak but the answer is unicast and would never reach the server.
- VMWare: https://communities.vmware.com/t5/ESXi- ... d-p/451197
"Note: Some Windows machines can strip VLAN tags unless Monitor mode is enabled for the guest OS NIC (VLAN pass-thru)."

Does anyone know how to turn this off in Windows?

In my case a Windows Client is connected to a port with PVID 1 which also has some tagged vlans on it.
The Windows Client is running inside a VM. It's not possible to remove the VLAN tags off of the port because they're required for other VMs on the VM-Switch.
My hypervisor is Proxmox and I'm using virtio vNIC (https://bugzilla.redhat.com/show_bug.cgi?id=1854416).

There seem to be two workarounds:

Option #1:
Set "Priority and VLAN tagging" in the driver to disabled
CleanShot 2023-03-05 at 01.02.05@2x.png

Option #2:
Set VLAN ID to the untagged PVID of the port the machine is connected to.
In my case the PVID is 1, so I set the NIC driver to VLAN 1 (it is set to zero by default):
CleanShot 2023-03-05 at 00.58.06@2x.png
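The mechanism described in this post (tagged RAs accepted by a host once its driver has stripped the 802.1Q header) and sindy's earlier advice to sniff on the bridge rather than on the host can be checked with a small frame parser. The following is an added example, not code from the thread or from MikroTik: it decodes raw Ethernet frames, attributes each ICMPv6 Router Advertisement to the VLAN in its 802.1Q tag, flags RAs whose VLAN differs from the port's PVID, and emulates the tag-stripping driver to show why the leak is invisible once the frame reaches the host. The frames, MAC addresses and 2001:db8: prefixes are constructed sample data and the function names are my own.

```python
import ipaddress
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ICMPV6_ROUTER_ADVERTISEMENT = 134
ND_OPT_PREFIX_INFORMATION = 3


def parse_router_advertisement(frame: bytes):
    """Return (vlan_id_or_None, [advertised prefixes]) if the frame is an ICMPv6
    Router Advertisement, otherwise None.  vlan_id comes from the 802.1Q tag;
    None means the frame arrived untagged.  Only the fields needed to attribute
    an RA to a VLAN are decoded; checksums are not verified."""
    if len(frame) < 14:
        return None
    ethertype = struct.unpack_from("!H", frame, 12)[0]
    offset, vlan = 14, None
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            return None
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        vlan = tci & 0x0FFF          # low 12 bits of the TCI are the VLAN ID
        offset = 18
    if ethertype != ETHERTYPE_IPV6 or len(frame) < offset + 40:
        return None
    if frame[offset + 6] != IPPROTO_ICMPV6:   # IPv6 Next Header field
        return None
    icmp = offset + 40
    if len(frame) < icmp + 16 or frame[icmp] != ICMPV6_ROUTER_ADVERTISEMENT:
        return None
    prefixes = []
    pos = icmp + 16                  # ND options follow the 16-byte RA header
    while pos + 2 <= len(frame):
        opt_type, opt_len = frame[pos], frame[pos + 1]
        if opt_len == 0:             # zero-length option is malformed; stop
            break
        size = opt_len * 8
        if (opt_type == ND_OPT_PREFIX_INFORMATION and size == 32
                and pos + size <= len(frame)):
            prefix = ipaddress.IPv6Address(frame[pos + 16:pos + 32])
            prefixes.append(f"{prefix}/{frame[pos + 2]}")
        pos += size
    return vlan, prefixes


def strip_8021q(frame: bytes) -> bytes:
    """Emulate a NIC driver that removes the 802.1Q header and hands the rest of
    the frame to the stack (the Windows *PriorityVLANTag behaviour quoted above)."""
    if len(frame) >= 18 and struct.unpack_from("!H", frame, 12)[0] == ETHERTYPE_8021Q:
        return frame[:12] + frame[16:]
    return frame


def find_leaked_ras(frames, host_pvid: int):
    """Return (vlan, prefixes) for every RA tagged with a VLAN other than the
    port's untagged VLAN (PVID): RAs a host on that port should never act on."""
    leaked = []
    for frame in frames:
        parsed = parse_router_advertisement(frame)
        if parsed is not None and parsed[0] not in (None, host_pvid):
            leaked.append(parsed)
    return leaked


def build_ra_frame(vlan, prefix: str, prefix_len: int = 64) -> bytes:
    """Constructed sample frame (not a real capture): a minimal RA from fe80::1
    to ff02::1 carrying one Prefix Information option, tagged if vlan is set."""
    dst_mac = bytes.fromhex("333300000001")      # IPv6 all-nodes multicast MAC
    src_mac = bytes.fromhex("020000000001")      # locally administered, constructed
    ra = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, 1800, 0, 0)
    ra += struct.pack("!BBBBIII", ND_OPT_PREFIX_INFORMATION, 4, prefix_len, 0xC0,
                      2592000, 604800, 0)
    ra += ipaddress.IPv6Address(prefix).packed
    ip6 = struct.pack("!IHBB", 0x60000000, len(ra), IPPROTO_ICMPV6, 255)
    ip6 += ipaddress.IPv6Address("fe80::1").packed + ipaddress.IPv6Address("ff02::1").packed
    tag = b"" if vlan is None else struct.pack("!HH", ETHERTYPE_8021Q, vlan)
    return dst_mac + src_mac + tag + struct.pack("!H", ETHERTYPE_IPV6) + ip6 + ra


# Constructed capture from an access port whose PVID is 10 (documentation prefixes).
SAMPLE_CAPTURE = [
    build_ra_frame(None, "2001:db8:10::"),   # untagged: the host's own VLAN
    build_ra_frame(20, "2001:db8:20::"),     # tagged VLAN 20 RA leaking onto the port
    build_ra_frame(30, "2001:db8:30::"),     # tagged VLAN 30 RA leaking onto the port
    bytes.fromhex("333300000001020000000001810000140800") + b"\x45" + b"\x00" * 39,  # tagged IPv4, ignored
]

if __name__ == "__main__":
    for vlan, prefixes in find_leaked_ras(SAMPLE_CAPTURE, host_pvid=10):
        print(f"leaked RA: VLAN {vlan} advertises {prefixes}")
    # Once the driver has stripped the tags every RA looks untagged and nothing is
    # flagged: the leak can only be seen before the host's NIC touches the frame.
    print("after tag stripping:", find_leaked_ras([strip_8021q(f) for f in SAMPLE_CAPTURE], 10))
```

Feed it frames from a capture taken on the switch port or on the bridge (Wireshark can export packet bytes) rather than on the Windows host: as the last call shows, after the driver has stripped the tags every RA looks untagged and the affected host cannot tell them apart. On the RouterOS side, the matching fix for a port that serves such a host is to make it a plain access port (bridge port `frame-types=admit-only-untagged-and-priority-tagged` with the proper `pvid`), so tagged RAs never reach it in the first place.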
 
mkx
Forum Guru
Posts: 11383
Joined: Thu Mar 03, 2016 10:23 pm

Re: Router Advertisement leakage across VLANs

Sun Mar 05, 2023 1:16 pm

IMO it's a gross misconfiguration (of the network admin mostly) to set a port as hybrid or trunk when the machine connecting to that port is a Windows machine. Only when the machine administrator adjusts adapter/network stack settings to deal with tagged frames properly is it time for the network admin to allow tagged frames towards such a machine.

If windows machine is running virtualized, then VM platform admin has to make appropriate configuration adjustments.

The whole thing is (almost) never due to bugs in switches/bridges, so it's not clear why we are still discussing it in this forum?
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Router Advertisement leakage across VLANs

Sun Mar 05, 2023 2:14 pm

I suspect this thread was manufactured by ChatGPT LOL.........
OR.
We have a good reason finally to ditch the ridiculous concept of ipv6..........

Good sunday morning............ let the fun begin.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Router Advertisement leakage across VLANs

Sun Mar 05, 2023 2:35 pm

> The whole thing is (almost) never due to bugs in switches/bridges, so it's not clear why we are still discussing it in this forum?
Maybe because people run into that issue, google it up, find this topic, and don't read my post #4 :D
 
cfikes
Member Candidate
Posts: 106
Joined: Mon Dec 08, 2014 9:14 pm
Location: Texas

Re: Router Advertisement leakage across VLANs

Sun Mar 05, 2023 4:56 pm

> The whole thing is (almost) never due to bugs in switches/bridges, so it's not clear why we are still discussing it in this forum?
> Maybe because people run into that issue, google it up, find this topic, and don't read my post #4 :D

I wish it was only related to Windows, but I have experienced it in Linux and ChromeOS (Linux) as well, ironically not on Android (another Linux), but only with the CCR2004-1G-12S+2XS as the source of the RAs.
 
theprojectgroup
Frequent Visitor
Posts: 99
Joined: Tue Feb 21, 2017 11:40 pm

Re: Router Advertisement leakage across VLANs

Sun Mar 05, 2023 7:40 pm

> The whole thing is (almost) never due to bugs in switches/bridges, so it's not clear why we are still discussing it in this forum?
> Maybe because people run into that issue, google it up, find this topic, and don't read my post #4 :D
Hey Sindy.
I hear you, and thanks for the hint about drivers stripping off the VLAN tags. That makes total sense.

I also fully agree that it's within the admin's responsibility to fix this on the port or virtual machine.
But myself, and many others, just weren't 100% familiar with how some things work, so everyone is constantly learning.

Do you have an idea how this also can happen on WiFi?
From my understanding, vlan tags are not sent over WiFi, right?
I will try to reproduce this, to make sure I don't mix up things in my memories, but IIRC a Windows VM running on my Mac (connected via WiFi) in Parallels had IPv6 addresses from different VLANs.
Is that even possible?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Router Advertisement leakage across VLANs

Sun Mar 05, 2023 7:58 pm

> From my understanding, vlan tags are not sent over WiFi, right?
They are, but I am not sure (shame on me) whether there is a standard for it or whether Mikrotik has implemented that in a proprietary way. I only know it wasn't there, say, 7 years ago and the manual was recommending to use VPLS when you needed to deliver a VLAN trunk across a wireless link, and then something changed and it became possible to pass a trunk of multiple VLANs through a single wireless interface/SSID.

> I will try to reproduce this, to make sure I don't mix up things in my memories, but IIRC a Windows VM running on my Mac (connected via WiFi) in Parallels had IPv6 addresses from different VLANs.
> Is that even possible?
That adds a bunch of additional suspects into the picture. The WiFi driver of the Mac may or may not transparently support VLANs over wireless in the same format MikroTik uses, or it may ignore/strip the VLAN tag in the frames but accept the rest of the frame, the same way as Windows network card drivers do. You'd have to sniff (Wireshark) on the "wired" (actually, silicon) side of the wireless interface to find out. Then the networking part of Parallels may have its own approach to that, and finally the known "not-a-bug" of Windows may cause that.
 
theprojectgroup
Frequent Visitor
Posts: 99
Joined: Tue Feb 21, 2017 11:40 pm

Re: Router Advertisement leakage across VLANs

Sun Mar 05, 2023 9:25 pm

Makes sense, thanks a lot.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Router Advertisement leakage across VLANs

Sun Mar 05, 2023 10:25 pm

Interesting, as I will be trying to send vlans over wifi in the near future........ax3 testing.
 
theprojectgroup
Frequent Visitor
Posts: 99
Joined: Tue Feb 21, 2017 11:40 pm

Re: Router Advertisement leakage across VLANs

Mon Mar 27, 2023 8:25 pm

> *) wifiwave2 - fixed issue which lead to VLAN-tagged wireless clients receiving tagged traffic from other VLANs;
viewtopic.php?t=194781
Could this explain the issues with a Windows VM running on a Wireless client?
 
linGeRvanTAt
just joined
Posts: 7
Joined: Sun Feb 21, 2021 2:31 pm

Re: Router Advertisement leakage across VLANs

Sat Apr 22, 2023 11:53 am

WifiWave2 is the new driver from MikroTik for some of their Wi-Fi chipsets. Some devices require the new one, some older devices can leverage the new one. For the latter, MikroTik provides a compatibility list … Your MikroTik hAP ac² does not use this but the traditional driver.

Nevertheless, let us investigate this change in the latest RouterOS 7.9 beta release: ‘fixed issue which lead to VLAN-tagged wireless clients receiving tagged traffic from other VLANs’. Let us assume you use WPA-Enterprise as encryption. Let us assume your RADIUS server assigns a VLAN via Mikrotik-Wireless-VLANID. Then, your Wi-Fi client is put into that VLAN. Everything it sends via Wi-Fi gets that VLAN attached on the Ethernet interface of your MikroTik. And your MikroTik sends everything for that VLAN to that Wi-Fi client, and the VLAN is removed on the Wi-Fi interface. Long story short, you are using a single SSID with multiple VLANs. That was about unicast traffic. When it comes to broadcast and multicast traffic – like IPv6 Router Advertisements – the situation is much more complex …

RouterOS 7.9 with WifiWave2 uses GTK1 for that traffic, but every VLAN gets its own GTK1. I monitored this via Wireshark because I had to debug this issue as well. In other words, the Wi-Fi client sees traffic for all VLANs but is not able to decrypt the others because then the GTK1 is wrong. That is a bit of a hack, but several Wi-Fi vendors do it that way. Before, this was broken in RouterOS 7.8 and the new WifiWave2 driver; the Wi-Fi client saw all VLANs, IPv6 Router Advertisements leaked across VLANs. That was the new WifiWave2 driver package, which you do not use.

The traditional Wi-Fi driver package in your MikroTik hAP ac² uses a different approach: Multicast to Unicast. When several VLANs are active, the GTKs are not used anymore, and everything is encrypted via the PMK. In other words, broadcast and multicast traffic is converted to unicast. With the traditional driver, this does not happen by default; you have to activate it, for example, via WebFig → Wireless → click on your Wireless interface → (button) Advanced Mode → (Wireless) Multicast Helper: change from ‘default’ to ‘full’. With the traditional Wi-Fi driver package, if you do not change this, IPv6 Router Advertisements leak across VLANs.

Very long story short, I don't know whether this tackles your issue. The original thread was about something other than Wi-Fi. It was about Dot1X via Ethernet interfaces. It looks like your issue is about Wi-Fi. However, you add another layer of complexity because you are using a virtual machine with Windows on an Apple macOS host. If multicast-helper=full does not solve your issue, please go for a network analyzer like Wireshark and trace the data packets both in Windows and macOS. In Windows, to list interfaces at all, Wireshark could be started with administration rights, for example. Please note that IPv6 Router Advertisements arrive periodically, which might take several minutes. Therefore, the best would be to monitor the Ethernet interface of your MikroTik as well to know exactly when those arrive. In my case, it is about 10 minutes. However, I saw Internet routers that have defaults of 30 minutes and even longer.
