Apple devices spoofing default gateway?

Fri Jun 7 23:52:08 UTC 2019

This is a less than helpful feature in a lot of situations…

e.g. I was attempting to work on an IOT device and test OTA firmware updates in a Hotel a little while ago.

The client isolation on the wifi network resulted in non-obvious failures that took some time to identify.

In general, people expect communications within a LAN segment to work. Breaking this assumption should only be done in cases where there is very good reason to do so.

I fully appreciate the argument that a hotel WiFi is one such situation and even agree with it to some extent. However, in such circumstances, I believe the fact should be posted in plain view and/or noticed on the captive portal login page.

Owen

> On Jun 7, 2019, at 12:06 , Matt Hoppes <mattlists at rivervalleyinternet.net> wrote:
> 
> Turn on client isolation on the access points?
> 
>> On Jun 7, 2019, at 3:00 PM, Hugo Slabbert <hugo at slabnet.com> wrote:
>> 
>> 
>>> On Fri 2019-Jun-07 16:21:29 +1000, www boy <wwwboy at gmail.com> wrote:
>>> 
>>> I just joined nanog to allow me to respond to a thread that Simon posted in
>>> March. .
>>> (Not sure if this is how to respond)
>>> 
>>> We have the exact same problem with Aruba Access points and with multiple
>>> MacBooks and a iMac.
>>> Where the device will spoof the default gateway and the effect is that vlan
>>> is not usable.
>>> 
>>> I also have raised a case with Apple but so far no luck.
>>> 
>>> What is the status of your issue?  Any luck working out exactly what the
>>> cause is?
>> 
>> We appeared to hit this with Cisco kit:
>> https://www.cisco.com/c/en/us/support/docs/wireless/aironet-3800-series-access-points/214491-arp-responses-for-default-gateway-ip-add.html
>> 
>> They don't say *exactly* that the Apple devices are spoofing the gateway, but some behaviour in what they send out results in the proxy arp being performed by the APs to update the ARP entry for the gateway address to the clients':
>> 
>>> * This is not a malicious attack, but triggered by an interaction between the macOS device while in sleeping mode, and specific broadcast traffic generated by newer Android devices
>>> * AP-COS while in FlexConnect mode provides Proxy ARP (ARP caching) services by default.  Due to their address learning design, they will modify table entries based on this traffic leading to default gateway ARP entry modification
>> 
>> The fix was to disable ARP caching on the APs so they don't proxy ARP but ARP replies pass directly between client devices.
>> 
>> -- 
>> Hugo Slabbert       | email, xmpp/jabber: hugo at slabnet.com
>> pgp key: B178313E   | also on Signal