Open realies opened 1 year ago
Does this only happen when you use FORCED_LOCAL_INTERFACE to force all local traffic?
I believe this is dpinger doing its uptime thing via ubios-udapi-server. I think it does the same with and without setting FORCED_LOCAL_INTERFACE.
No, I know the pings are from dpinger, but does this traffic go through the VPN even when you don't use FORCED_LOCAL_INTERFACE?
The above Wireshark screenshot is from an adapter connected to the UDM WAN port with FORCED_LOCAL_INTERFACE enabled.
Okay, so this script isn't leaking anything then? Do you just want to stop dpinger from working at all, or do you want to force all traffic from the UDM, but exempt dpinger from going out the VPN?
You can definitely stop dpinger, but then you won't have the uptime or latency info on the UniFi Network dashboard, and it might mess with UniFi OS recognizing if a connection is up or not.
> Okay, so this script isn't leaking anything then?

I would expect no UDM traffic to leak when the WAN port is enabled in FORCED_LOCAL_INTERFACE. That does not seem to be the case.
Ideally, I'd like to have nothing escaping the VPN. Everything going through the WAN interface to be encapsulated in the tunnel. Basically #181. But this issue is because I expected that FORCED_LOCAL_INTERFACE=eth8 would not leak the stuff in the screenshot above (+lldp, mdns, icmpv6, etc.).
@peacey, any idea how to not leak this DNS traffic on reboot when FORCED_LOCAL_INTERFACE is set to the WAN interface?
@peacey, do you think a firewall rule could filter out this traffic if it's not going on udp.port == 51820?
Some of these probably can't be stopped for the device to work, however... can DNS resolution of ping domains like these be stopped?
And of course, if the noise of any of the other protos could also be removed/reduced.