NWA210AX Firmware bug, leaks package to wrong VLAN

rndr
rndr Posts: 6
Friend Collector First Comment

Hi,

I am using a NWA210AX with firmware version V6.70(2). I discovered a bug in the recent firmware.

Summary:
IPV6 ICMP Router advertisement packages with a multicast destination address ff02::1 received on the Ethernet port and tagged with a VLAN ID 132 are forwarded to SSIDs configured with a different VLAN ID 116 in the AP's SSID profile.

Wifi config:
SSID1: Uses WPA2 Enterprise with Radius server. VLAN116
SSID2: Uses WPA2 Personal. VLAN132

Network config:
The AP is connected via Ethernet to a PFSense router. It receives untagged and tagged ethernet traffic from the PFSense. Management VLAN is configured as 1 with "As Nativ VLAN". VLANs 116 and 132 are configured as tagged.

Problem description:
The PFSense router sends IPV6 ICMP router advertisement packages so that the clients connected to the different SSIDs can configure IPV6 addresses. I observed that clients on SSID1 are configured with IPV6 prefixes for both VLANs 116 and 132 (wrong).

I ran two package capture with Wireshark. Capture one on the ethernet trunk on the pfsense router. Capture two on a client connected via Wifi to SSID1 (VLAN116).

I could observe that the PFSense sends a IPV6 ICMP package to the multicast address ff02::1 that is correctly tagged with the 802.1q VLAN ID "132". The Zyxel AP however delivers this multicast package to clients in SSID1, configured with VLAN ID 116 in the AP's SSID profile.

I can forward you the Wireshark traces on request via private message as they contain my public IPs.

Could you please open a bug ticket and fix this with the next firmware release?

Thanks

Thorsten

All Replies

  • Zyxel_Melen
    Zyxel_Melen Posts: 1,626  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @rndr,

    Thanks for the information. Could you share the packets and your diagnostic file for me to check?

    Zyxel Melen

  • rndr
    rndr Posts: 6
    Friend Collector First Comment

    Thanks @Zyxel_Melen , I forwarded you the requested traces.

    One more observation to mention. The problem only surfaces in the SSID using WPA2 Enterprise with Radius (VLAN116, SSID1) but not in the SSID using WPA Personal (VLAN132, SSID2).

    In my setup, PFSense sends router advertisement multicast packets to multicast destination ff02::1 on tagged VLAN116 as well as on tagged VLAN132 with different IPV6 prefixes of course. Only on SSID1 I can observe router advertisements destined for VLANs 116 as well as 132. On SSID2 everything works as expected and only packets destined for VLAN132 are received.

    So something unexpected happens in the packet handling logic for WPA enterprise.

    Please ping me in case you need more information or diagnostics.

    Thanks,

    Thorsten

  • rndr
    rndr Posts: 6
    Friend Collector First Comment
    edited March 26

    Please follow up if you can‘t reproduce or need further information. Right now I would say IPv6 cannot be deployed with this AP when using enterprise authentication on a main SSID together with a guest network on a second SSID. Which is quite a pity.

    Best regards

  • Zyxel_Melen
    Zyxel_Melen Posts: 1,626  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @rndr,

    Could you gather the diagnostic info and share it with me? This will assist in a more thorough investigation of the issue.

    Zyxel Melen

  • rndr
    rndr Posts: 6
    Friend Collector First Comment

    Thanks @Zyxel_Melen for having a look. I just shared the diagnostic info with you via private message.

    Best wishes

  • Zyxel_Melen
    Zyxel_Melen Posts: 1,626  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @rndr,

    Thanks! We are investigating it now. I will update you if I have any new information.

    Zyxel Melen

  • Zyxel_Melen
    Zyxel_Melen Posts: 1,626  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @rndr,

    We tried to reproduce this issue with our USG FLEX but could not reproduce it. Could you share your PFSense configuration with me? We will set up PFSense to reproduce again. Also, could you share the packets without filtering? We would like to have more information from the packets. It would be great if you could help to capture about 5~10 minutes. Thanks in advance.

    Zyxel Melen

  • rndr
    rndr Posts: 6
    Friend Collector First Comment

    Thanks for your research.

    I need to prepare my environment for the packet capture in order to not leak anything. Please stay tuned. Regarding pfsense config, would some screenshots suffice? The full config probably contains credentials and other sensitive stuff and needs to be cleaned.

    When you try to reproduce, beware that it takes some time, up to 10 minutes or more before the offending multicast packet is sent. The first router advertisement with pfsense happens via unicast and only later multicasts are sent.

    In the meantime I tried to reproduce this via replaying the pcap trace file. I connected my Macbook via Wifi with the WPA2 enterprise SSID (VLAN116), immediately after it receives it's IP, disconnected the uplink port of the Wifi router, connect it to Ethernet and resend the packet using "tcpreplay -i en6 radvd.pcapng". The packet resent was previously captured on the trunk and is tagged with VLAN132 (shared with you, please remove whitespace from filename if tryring this).

    The AP will sent out the packet to my Macbook via Wifi immediately, resulting in wrong IPv6 prefix in VLAN116.

    Regards and happy easter!

  • Zyxel_Melen
    Zyxel_Melen Posts: 1,626  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hi @rndr,

    Apologize for the delayed reply. The screenshot of the IPv6 configuration is enough.

    Zyxel Melen

  • rndr
    rndr Posts: 6
    Friend Collector First Comment

    No worries. I have forwarded some screenshots with my PF Sense config. I get a /56 subnet from my provider and use tracked interface to split the subnet into multiple /64s.

    While experimenting, I made a strange observation. You can best reproduce the bug, when you are starting with Router Advertisement and IPV6 disabled in the pfsense while already connected to the AP. Then you start configuring IPV6 and router advertisements.

    In this case I could observe the packets from the wrong VLAN. And the problem would persist, i.e. new multicasts would be received over the next hours.

    After reboot of both router and ap my setup was running stable over the weekend without any wrong prefixes. So this seems also to be timing related.