nanog mailing list archives
Re: Apple devices spoofing default gateway?
From: Owen DeLong <owen () delong com>
Date: Fri, 7 Jun 2019 16:52:08 -0700
This is a less than helpful feature in a lot of situations… e.g. I was attempting to work on an IOT device and test OTA firmware updates in a Hotel a little while ago. The client isolation on the wifi network resulted in non-obvious failures that took some time to identify. In general, people expect communications within a LAN segment to work. Breaking this assumption should only be done in cases where there is very good reason to do so. I fully appreciate the argument that a hotel WiFi is one such situation and even agree with it to some extent. However, in such circumstances, I believe the fact should be posted in plain view and/or noticed on the captive portal login page. Owen
On Jun 7, 2019, at 12:06 , Matt Hoppes <mattlists () rivervalleyinternet net> wrote: Turn on client isolation on the access points?On Jun 7, 2019, at 3:00 PM, Hugo Slabbert <hugo () slabnet com> wrote:On Fri 2019-Jun-07 16:21:29 +1000, www boy <wwwboy () gmail com> wrote: I just joined nanog to allow me to respond to a thread that Simon posted in March. . (Not sure if this is how to respond) We have the exact same problem with Aruba Access points and with multiple MacBooks and a iMac. Where the device will spoof the default gateway and the effect is that vlan is not usable. I also have raised a case with Apple but so far no luck. What is the status of your issue? Any luck working out exactly what the cause is?We appeared to hit this with Cisco kit: https://www.cisco.com/c/en/us/support/docs/wireless/aironet-3800-series-access-points/214491-arp-responses-for-default-gateway-ip-add.html They don't say *exactly* that the Apple devices are spoofing the gateway, but some behaviour in what they send out results in the proxy arp being performed by the APs to update the ARP entry for the gateway address to the clients':* This is not a malicious attack, but triggered by an interaction between the macOS device while in sleeping mode, and specific broadcast traffic generated by newer Android devices * AP-COS while in FlexConnect mode provides Proxy ARP (ARP caching) services by default. Due to their address learning design, they will modify table entries based on this traffic leading to default gateway ARP entry modificationThe fix was to disable ARP caching on the APs so they don't proxy ARP but ARP replies pass directly between client devices. -- Hugo Slabbert | email, xmpp/jabber: hugo () slabnet com pgp key: B178313E | also on Signal
Current thread:
- Re: Apple devices spoofing default gateway? www boy (Jun 07)
- Re: Apple devices spoofing default gateway? Hugo Slabbert (Jun 07)
- Re: Apple devices spoofing default gateway? Matt Hoppes (Jun 07)
- Re: Apple devices spoofing default gateway? Owen DeLong (Jun 07)
- Re: Apple devices spoofing default gateway? Matt Freitag (Jun 07)
- Re: Apple devices spoofing default gateway? www boy (Jun 10)
- Re: Apple devices spoofing default gateway? Matt Hoppes (Jun 07)
- Re: Apple devices spoofing default gateway? Hugo Slabbert (Jun 07)
- Re: Apple devices spoofing default gateway? William Herrin (Jun 07)