This is a less than helpful feature in a lot of situations… e.g. I was attempting to work on an IoT device and test OTA firmware updates in a Hotel a little while ago.
The client isolation on the wifi network resulted in non-obvious failures that took some time to identify. In general, people expect communications within a LAN segment to work. Breaking this assumption should only be done in cases where there is very good reason to do so. I fully appreciate the argument that a hotel WiFi is one such situation and even agree with it to some extent. However, in such circumstances, I believe the fact should be posted in plain view and/or noticed on the captive portal login page.

Owen

> On Jun 7, 2019, at 12:06 , Matt Hoppes <[email protected]> wrote:
>
> Turn on client isolation on the access points?
>
>> On Jun 7, 2019, at 3:00 PM, Hugo Slabbert <[email protected]> wrote:
>>
>>
>>> On Fri 2019-Jun-07 16:21:29 +1000, www boy <[email protected]> wrote:
>>>
>>> I just joined nanog to allow me to respond to a thread that Simon posted in
>>> March.
>>> (Not sure if this is how to respond)
>>>
>>> We have the exact same problem with Aruba Access points and with multiple
>>> MacBooks and an iMac.
>>> Where the device will spoof the default gateway and the effect is that vlan
>>> is not usable.
>>>
>>> I also have raised a case with Apple but so far no luck.
>>>
>>> What is the status of your issue? Any luck working out exactly what the
>>> cause is?
>>
>> We appeared to hit this with Cisco kit:
>> https://www.cisco.com/c/en/us/support/docs/wireless/aironet-3800-series-access-points/214491-arp-responses-for-default-gateway-ip-add.html
>>
>> They don't say *exactly* that the Apple devices are spoofing the gateway,
>> but some behaviour in what they send out results in the proxy arp being
>> performed by the APs to update the ARP entry for the gateway address to the
>> clients':
>>
>>> * This is not a malicious attack, but triggered by an interaction between
>>> the macOS device while in sleeping mode, and specific broadcast traffic
>>> generated by newer Android devices
>>> * AP-COS while in FlexConnect mode provides Proxy ARP (ARP caching)
>>> services by default. Due to their address learning design, they will
>>> modify table entries based on this traffic leading to default gateway ARP
>>> entry modification
>>
>> The fix was to disable ARP caching on the APs so they don't proxy ARP but
>> ARP replies pass directly between client devices.
>>
>> --
>> Hugo Slabbert | email, xmpp/jabber: [email protected]
>> pgp key: B178313E | also on Signal
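
The symptom reported in this thread is the ARP entry for the default gateway being rewritten to some other device's MAC. As an added example (not part of any message in the thread, and not vendor code), the following passive check over captured Ethernet frames flags any ARP packet whose sender fields claim the gateway IP from an unexpected MAC. The gateway IP and MAC, the function names and the sample frames are all constructed assumptions.

```python
import socket
import struct

GATEWAY_IP = "192.0.2.1"            # assumed gateway address (constructed)
GATEWAY_MAC = "00:00:5e:00:53:01"   # assumed legitimate gateway MAC (constructed)

def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an Ethernet/IPv4 ARP frame, else None."""
    off = 12
    if frame[off:off + 2] == b"\x81\x00":      # skip a single 802.1Q VLAN tag
        off += 4
    if len(frame) < off + 30 or frame[off:off + 2] != b"\x08\x06":
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[off + 2:off + 10])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return op, frame[off + 10:off + 16].hex(":"), socket.inet_ntoa(frame[off + 16:off + 20])

def gateway_conflicts(frames, gw_ip=GATEWAY_IP, gw_mac=GATEWAY_MAC):
    """List (frame_index, opcode, claimed_mac) where the gateway IP is claimed by another MAC."""
    hits = []
    for i, frame in enumerate(frames):
        parsed = parse_arp(frame)
        if parsed is None:
            continue
        op, sender_mac, sender_ip = parsed
        # Hosts learn from the sender fields of requests and replies alike.
        if sender_ip == gw_ip and sender_mac != gw_mac.lower():
            hits.append((i, op, sender_mac))
    return hits

def build_arp(op, sha, spa, tpa, vlan=None):
    """Construct a sample ARP frame (test input only, not captured traffic)."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    tag = b"" if vlan is None else b"\x81\x00" + struct.pack("!H", vlan)
    hdr = b"\xff" * 6 + m(sha) + tag + b"\x08\x06"
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + m(sha) + socket.inet_aton(spa)
    return hdr + body + bytes(6) + socket.inet_aton(tpa)

SAMPLE_FRAMES = [  # constructed traffic
    build_arp(2, GATEWAY_MAC, GATEWAY_IP, "192.0.2.50"),                 # genuine gateway reply
    build_arp(1, "00:00:5e:00:53:aa", "192.0.2.50", GATEWAY_IP),         # normal client request
    build_arp(2, "00:00:5e:00:53:bb", GATEWAY_IP, "192.0.2.50"),         # gateway IP, wrong MAC
    build_arp(1, "00:00:5e:00:53:cc", GATEWAY_IP, GATEWAY_IP, vlan=20),  # gratuitous, VLAN-tagged
]

if __name__ == "__main__":
    for idx, op, claimed in gateway_conflicts(SAMPLE_FRAMES):
        print(f"frame {idx}: ARP op {op} claims {GATEWAY_IP} is at {claimed}")
```

Run on a wired monitor port or a client in the affected VLAN, a hit identifies which MAC is being associated with the gateway address, which is the evidence needed to distinguish AP proxy-ARP behaviour from a misbehaving client.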

