Open putnam opened 4 years ago
I never captured any of the traffic while running the supplicant but I do know that the new Unifi interface will not let you set VLAN 0 on the WAN interface. It tells you "VLAN must be at least 2 "
I have kept digging around on this. Some early comments from 2016 mentioned that the ONT sends traffic to the gateway tagged with VLAN0, but doesn't care about VLAN tags at all on the ONT's ingress.
Assuming nothing has changed here (and it sounds like it) then the only concern is having the router/firewall ignore or discard VLAN tags, or, if that's impossible, assume the identity of VLAN0 on the WAN interface.
Over in the PFSense community, the script used for wpa_supplicant (pfatt) is using netgraph to make a special interface that tags all traffic as VLAN0 (and therefore doesn't discard VLAN0 traffic on ingress).
At Mikrotik, community members have a similar solution as this project: on almost all of their hardware, traffic tagged as VLAN0 will implicitly have the tag stripped and ignored, and packets processed as if they had no VLAN at all.
But the thing is, at Microtik they're effectively depending on an unpredictable and inconsistent behavior. On some hardware, ports pass through a switching chip which may or may not have configurable VLAN "fallback" behavior; and on others, all ports are controlled directly by the CPU. In the CPU case, you can put a port in a bridge group and have it ignore VLAN tags, but potentially with a performance hit.
Anyway this leads me to my concern with Unifi hardware. If we are relying on an undocumented, unknown behavior (the UDM Pro currently not discarding VLAN0 packets on its WAN ports) then it can break on a subsequent board revision or software update.
So, with that said, do we know exactly why the UDM Pro is not dropping tagged VLAN traffic for which there is no matching virtual interface/VLAN table entry? Is there a setting somewhere for this and it's just off by default, is it a hardware thing, or what?
I understand the short answer to be: the eapol 802.1x auth stuff happens on the untagged interface (no vlan), but after the interface is authenticated and allowed access to the network, the dhcp and traffic binds to the vlan 0 subinterface
ref: https://www.devicelocksmith.com/2018/12/eap-tls-credentials-decoder-for-nvg-and.html
Keep in mind that wpa_supplicant needs to bind to unencapsulated interface (like eth0), while DHCP and DHCPv6-PD may require sending requests with 802.1p tags, what is commonly referred to as "VLAN 0".
Do we know specifically why it is not necessary to create a vif with vlan 0 on this device? Every guide up until this point has needed this as part of the setup, but people are saying that simply using wpa_supplicant on the UDM-Pro is sufficient. But why? Is there some kind of bug in the UDM-Pro where it's tolerant of (invalid) VLAN-0 tagged packets? I am concerned that in the upcoming million revisions that UI releases, they will inadvertently "fix" this behavior and things will be broken again. Did AT&T stop requiring the traffic between the ONT and the gateway to be 802.1Q tagged?