Bonjour: Users on my guest network are able to connect to Bonjour services on my production network

  • Question
  • Updated 2 years ago
Due to a business requirement that users authenticate through the captive portal, I had to put the guest network on the production network with a firewall between the two allowing DHCP and web access through. Unfortunately, with this configuration users on my guest network have full access to all Bonjour-enabled services on my production network.

Any information or advice greatly appreciated.

Jonathan


Posted 2 years ago


Nick Lowe, Official Rep

Hi Jonathan,

Bonjour (mDNS) is just used for discovery. Thankfully, it doesn't magically tunnel traffic to circumvent firewall restrictions. If your guest users have full access to your Bonjour enabled services, this means that your firewall isn't doing its job and is likely misconfigured.

I do question why you felt the need to amalgamate your guest and production network to get a CWP working. It may be worth revisiting all this to see if things can be done in a better way.

Cheers,

Nick

Jonathan

Good morning. Thanks for your reply.
Could you point out where I may have gone wrong in the firewall, which is allowing Bonjour access into the production network?

And it was set up this way on the advice of an Aerohive staff member who helped me configure the firewall in the first place.


Nick Lowe, Official Rep

Hi Jonathan,

So, as Bonjour just pertains to discovery, a question that I have is... Can the devices being discovered actually be used? Or are they just appearing?

What are the devices/services in question?

Your firewall ruleset, where applied, will allow all HTTP, HTTPS, PPTP, L2TP, IPSEC and IKE between clients/stations. It should deny everything else.

Are you also sure the firewall policy is actually being applied to the desired clients?

It is poor practice to place your guest clients in the same Layer 2 broadcast domain as your production network so you should consider means of properly separating/isolating them.

Regards,

Nick

Jonathan

Hi Nick, I agree, it isn't ideal to have them configured this way.
According to the Aerohive support member who helped me set it up, the only way I could have users authenticate through the captive portal was to configure it this way.

Users on the guest network are able to use Bonjour services.

BJ, Champ

Nick nailed it. The key to separating the traffic is to use a separate L2 broadcast domain for your guest traffic if your infrastructure supports VLANs. Assuming you're using RADIUS or PPSK, you should still be able to use a CWP for guests as long as you allow the traffic in your fw policy and have a route set up to access the RADIUS server.

Best,
BJ   

Jonathan

Thanks BJ

I don't think it's acceptable to say my network setup is incorrect. Clearly the firewall isn't doing its job.

Aerohive should acknowledge that and fix it.

I appreciate your comments however.

BJ, Champ

Jonathan, 
I certainly meant no offense and my comments are meant to be of assistance, not an attack. Personally, I have found it easier to simply split broadcast domains and route desired traffic across, rather than firewalling undesired traffic.   
 
Having said that, I will attempt to help you find a solution. Please be aware that your bonjour devices will continue to broadcast across the broadcast domain, so guests may continue to see the devices. Your concern, obviously, is to ensure guests are unable to access these devices.  

Your firewall rule only appears to permit/deny unicast traffic and I don't see a denial rule for mDNS traffic on UDP port 5353. Adding this will still not deny Bonjour, as it also uses multicast packets on IPv4 address 224.0.0.251, or IPv6 FF02::FB. You may also wish to filter the following MAC addresses: 01:00:5E:00:00:FB and 33:33:00:00:00:FB.

Good luck.

Best,
BJ
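To make BJ's point concrete, here is an added illustration (not code from the thread, from Aerohive, or from any vendor ruleset). It models two policies against a handful of constructed sample frames: the unicast-only L3/L4 rule set as BJ read it, which never evaluates multicast, and the same rule set with explicit denies for UDP 5353, the mDNS multicast groups, and the corresponding L2 destination MACs. It also shows why those two MAC addresses follow from the IP multicast groups: IPv4 multicast maps to 01:00:5E plus the low 23 bits of the group address, IPv6 multicast to 33:33 plus the low 32 bits. The permitted port numbers for the HTTP/HTTPS/PPTP/L2TP/IPsec/IKE services Nick listed are assumed standard ports, not taken from the thread.

```python
"""Why a unicast-only firewall rule set does not stop Bonjour/mDNS discovery.

Added illustration for this thread; it is not Aerohive code. The frames below are
constructed samples and the permitted ports are assumed standard values.
"""
import ipaddress
from dataclasses import dataclass

MDNS_PORT = 5353
MDNS_V4 = ipaddress.ip_address("224.0.0.251")
MDNS_V6 = ipaddress.ip_address("ff02::fb")

# Assumed standard ports for the services the thread's rule set permits between stations.
PERMITTED_TCP = {80, 443, 1723}    # HTTP, HTTPS, PPTP control channel
PERMITTED_UDP = {500, 4500, 1701}  # IKE, IPsec NAT-T, L2TP


def multicast_mac(ip: str) -> str:
    """Return the Ethernet destination MAC an IPv4/IPv6 multicast group is sent to."""
    addr = ipaddress.ip_address(ip)
    if not addr.is_multicast:
        raise ValueError(f"{ip} is not a multicast address")
    if addr.version == 4:
        low = int(addr) & 0x7FFFFF  # low 23 bits under the 01:00:5e prefix
        return "01:00:5e:" + ":".join(f"{(low >> s) & 0xFF:02x}" for s in (16, 8, 0))
    low = int(addr) & 0xFFFFFFFF  # low 32 bits under the 33:33 prefix
    return "33:33:" + ":".join(f"{(low >> s) & 0xFF:02x}" for s in (24, 16, 8, 0))


@dataclass
class Frame:
    dst_mac: str
    dst_ip: str
    proto: str  # "tcp" or "udp"
    dport: int


def unicast_only_policy(frame: Frame) -> str:
    """The rule set as BJ read it: rules are evaluated for unicast destinations only."""
    if ipaddress.ip_address(frame.dst_ip).is_multicast:
        return "not_evaluated"  # no rule ever matches, so the frame passes untouched
    allowed = PERMITTED_TCP if frame.proto == "tcp" else PERMITTED_UDP
    return "permit" if frame.dport in allowed else "deny"


def hardened_policy(frame: Frame) -> str:
    """Same rule set plus the explicit mDNS denies from BJ's post (L4, L3 and L2)."""
    dst = ipaddress.ip_address(frame.dst_ip)
    if frame.proto == "udp" and frame.dport == MDNS_PORT:
        return "deny"  # mDNS by port; also catches unicast mDNS responses
    if dst in (MDNS_V4, MDNS_V6):
        return "deny"  # mDNS multicast groups
    if frame.dst_mac.lower() in (multicast_mac("224.0.0.251"), multicast_mac("ff02::fb")):
        return "deny"  # mDNS by L2 destination address
    return unicast_only_policy(frame)


# Constructed sample traffic from a guest station toward the production segment.
SAMPLE_FRAMES = [
    Frame("01:00:5e:00:00:fb", "224.0.0.251", "udp", 5353),  # IPv4 mDNS query
    Frame("33:33:00:00:00:fb", "ff02::fb", "udp", 5353),      # IPv6 mDNS query
    Frame("aa:bb:cc:dd:ee:01", "10.0.0.20", "udp", 5353),     # unicast mDNS response
    Frame("aa:bb:cc:dd:ee:02", "10.0.0.30", "tcp", 443),      # HTTPS, should stay permitted
    Frame("aa:bb:cc:dd:ee:03", "10.0.0.40", "tcp", 445),      # SMB, already denied
]


def evaluate(policy) -> list:
    """Run every sample frame through one policy and return the verdicts in order."""
    return [policy(f) for f in SAMPLE_FRAMES]


if __name__ == "__main__":
    for name, policy in (("unicast-only", unicast_only_policy), ("hardened", hardened_policy)):
        print(name, evaluate(policy))
```

The first policy lets both multicast mDNS queries through without ever consulting a rule, which matches what Jonathan observed; the hardened policy blocks them while leaving the HTTPS flow permitted. As the thread goes on to say, this stops guests from using the services but not from seeing the announcements, because the filter is applied on the guest side and the production devices still multicast into the shared broadcast domain.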

Jonathan

Thanks BJ, the information you provided has stopped users from being able to connect to Bonjour on my guest Wi-Fi. They are still, however, able to see the Bonjour connections. Are you aware of any way to stop this?

From a better design perspective, without having two internet gateways (one for guest and one for production), how could I go about creating a guest network that didn't touch production at all? I understand a VLAN would be a way of doing this.

Would I need to add the VLAN configuration to my switches as well, all the way through the network across the WAN to the internet gateway at the edge of my network, or can this be configured in a less impactful way?

BJ, Champ

Jonathan, 
The only way I am aware of to keep guests from seeing the broadcasts is to separate the two broadcast domains via VLANs. To do this, you'll need layer two switches that support VLAN tagging, and a layer three router or switch to perform inter-VLAN routing. By using these, you can still keep a single Internet gateway.
Here is a stripped down diagram of how this might look... 
It does not address DHCP, etc., but it might be enough to get you started.

Best,
BJ