Controllerless Networks

  • 1.  Understanding mDNS handling in Instant OS

    Posted Oct 15, 2025 04:01 PM
    Edited by Keyser Oct 16, 2025 07:10 AM

    I'm having trouble understanding the finer details of mDNS handling in Instant OS.

    I'm running a fairly VLAN-segmented setup, and several of those VLANs are wirelessly available using a WPA2-MPSK SSID on my Instant Cluster. Each PSK key maps to a different ROLE that assigns the clients to their respective VLANs. As a consequence I have disabled AIRGROUP entirely, expecting that to isolate all mDNS multicasting within each VLAN unless relayed by my inter-VLAN routing firewall.

    But that seems not to be the case. Wireless clients in one VLAN can see mDNS services from all wired & wireless servers located in other VLANs, if those VLANs are present on the AP's wired port (mDNS for those is not relayed to the client's VLAN at the firewall).

    Does Instant OS by default flood multicast traffic from wired & wireless clients in one VLAN to all other wireless clients in other VLANs, regardless of their roles?
    It looks very much like what Instant OS does for regular routed packets if you disable "Deny Local Routing", i.e. it routes packets across the VLAN boundary without forwarding the packet to the gateway.



    -------------------------------------------



  • 2.  RE: Understanding mDNS handling in Instant OS

    Posted Oct 16, 2025 12:51 AM

    Without enabling AirGroup one should not see the mDNS services from another VLAN.

    What does your "wlan SSID-profile" look like? Can you paste the configuration here?



    ------------------------------
    If my post was useful accept solution and/or give kudos.
    Any opinions expressed here are solely my own and not necessarily that of HPE or Aruba.
    ------------------------------



  • 3.  RE: Understanding mDNS handling in Instant OS

    Posted Oct 16, 2025 04:38 AM

    I have done some additional testing and there is no doubt all the mDNS announcements from all the different VLANs become available through WiFi.

    When connected to the client VLAN on wired Ethernet only, I see 16 _xxxx mDNS categories, exactly the ones allowed through my gateway/firewall filter.
    The second I enable the WiFi adapter on the same client, and that WiFi connects to my MPSK SSID with a key that places it in exactly the same VLAN as the Ethernet adapter, I start seeing all 29 _xxxx services I have across all my VLANs.

    I only have one MPSK SSID: the individual PSK keys map to a user-role that assigns the wired VLAN the wireless client is bridged to. I can see all mDNS services regardless of what VLAN I'm mapped to, so there is no doubt the AP is flooding the mDNS from all VLANs across differently VLAN'ed clients.

    Just thinking out loud: since I only have one SSID, is this like wired "MAC-based VLANs" on ONE switch port that connects multiple clients assigned to different VLANs? They are correctly assigned and placed in different VLANs by the switch, but since the port egress Ethernet broadcast is ff:ff, all clients see all broadcasts from all the VLANs currently mapped to the switch port?
    I assume wireless has the same problem, or does wireless use some sort of identification/signing of broadcast packets so only clients intended to receive them actually do?

    My WLAN SSID is configured as below:

    wlan ssid-profile HEAVEN
     enable
     index 0
     type employee
     essid HEAVEN
     opmode mpsk-local
     max-authentication-failures 0
     vlan Guest_
     rf-band all
     captive-portal disable
     mac-authentication-delimiter :
     dtim-period 1
     broadcast-filter unicast-arp-only
     enforce-dhcp
     g-min-tx-rate 12
     a-min-tx-rate 12
     multicast-rate-optimization
     dmo-channel-utilization-threshold 90
     local-probe-req-thresh 0
     max-clients-threshold 64
     dot11r
     dot11k
     dot11v
     advertise-ab-name
     mpsk-local MPSK-STORE

    Additionally I have the following configured:

    deny-local-routing
    extended-ssid

    airgroup
     disable
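
    The wired-versus-wireless comparison above can be made repeatable with a small offline check. The following is an added example, not code from the thread or from Aruba: it parses mDNS response packets, pulls out the advertised PTR service records, and flags every announcement whose source address lies outside the subnet the client is supposed to be in. The sample packets, the subnets (10.10.10.0/24 as the client VLAN, 10.10.20.0/24 and 10.10.30.0/24 as other VLANs) and the service names are all constructed for the example; the helper functions `build_ptr_response`, `parse_ptr_records` and `find_leaked_services` are assumptions of this example and not part of any Aruba tooling.

```python
"""Offline check for mDNS announcements arriving from outside the local VLAN.

Added example (not from the thread or from Aruba): parses mDNS responses,
extracts PTR service records and flags announcements whose source IP is
outside the subnet the wireless client is bridged to.
"""
import ipaddress
import struct

TYPE_PTR = 12
MAX_POINTER_JUMPS = 16   # guard against compression-pointer loops in malformed packets


def encode_name(name):
    """Encode a dotted DNS name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_ptr_response(service_type, instance, ttl=4500):
    """Build a minimal mDNS response with one PTR record (used for constructed sample data)."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)  # response, authoritative, 1 answer
    rdata = encode_name(instance)
    record = encode_name(service_type) + struct.pack("!HHIH", TYPE_PTR, 1, ttl, len(rdata)) + rdata
    return header + record


def read_name(data, offset):
    """Decode a DNS name at offset, following compression pointers; return (name, next_offset)."""
    labels = []
    end = None          # offset just past the name at its original position
    jumps = 0
    while True:
        length = data[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:                        # compression pointer (RFC 1035 4.1.4)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            jumps += 1
            if jumps > MAX_POINTER_JUMPS:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end if end is not None else offset


def parse_ptr_records(data):
    """Return [(service_type, instance_name)] for every PTR record in an mDNS message."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", data[4:12])
    offset = 12
    for _ in range(qdcount):            # skip the question section
        _, offset = read_name(data, offset)
        offset += 4                     # QTYPE + QCLASS
    records = []
    for _ in range(ancount + nscount + arcount):
        name, offset = read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == TYPE_PTR:
            target, _ = read_name(data, offset)
            records.append((name, target))
        offset += rdlen
    return records


def find_leaked_services(packets, local_subnet):
    """Flag service announcements whose source IP lies outside local_subnet."""
    net = ipaddress.ip_network(local_subnet)
    leaked = []
    for src_ip, payload in packets:
        if ipaddress.ip_address(src_ip) in net:
            continue                    # announced from the client's own VLAN: expected
        for service_type, instance in parse_ptr_records(payload):
            leaked.append((src_ip, service_type, instance))
    return leaked


# Constructed sample capture: (source IP, mDNS payload). Addresses and names are made up.
SAMPLE_PACKETS = [
    ("10.10.10.7", build_ptr_response("_ipp._tcp.local", "Office Printer._ipp._tcp.local")),
    ("10.10.20.5", build_ptr_response("_airplay._tcp.local", "Living Room._airplay._tcp.local")),
    ("10.10.30.9", build_ptr_response("_smb._tcp.local", "nas._smb._tcp.local")),
]

if __name__ == "__main__":
    for src, svc, inst in find_leaked_services(SAMPLE_PACKETS, "10.10.10.0/24"):
        print(f"leaked from {src}: {svc} -> {inst}")
```

    To run this against live traffic instead of the constructed sample, bind a UDP socket to port 5353, join the 224.0.0.251 group, and feed each `recvfrom()` result (source address, payload) to `find_leaked_services` with the client VLAN's subnet; anything it reports while the client is on WiFi but not on the wired port is the cross-VLAN flooding described in the post.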




  • 4.  RE: Understanding mDNS handling in Instant OS

    Posted Oct 16, 2025 05:20 AM
    Edited by Keyser Oct 16, 2025 05:29 AM

    Been doing some digging since I posted the above reply, and it seems my hunch was correct according to this thread:
    https://airheads.hpe.com/discussion/mdns-traffic-leaking-between-vlans

    So it seems I will have to enable broadcast/multicast filtering and somehow get AirGroup to behave. I have ALWAYS had a lot of issues with AirGroup not properly reflecting reality.
    Examples include:

    On one AP some services are more or less permanently missing unless I restart the impacted AP.
    Some services are listed but it is no longer possible to connect to them unless I restart the APs.
    Some mDNS services are just not registered/working with Airgroup even though "allowall" profile is used.

    EDIT: The WiFi specifications should be amended to allow for several parallel GTK keys on an SSID, one per VLAN that is bridged in the back. That way broadcasts/multicasts can be signed with the proper GTK for the originating VLAN, and while all WLAN clients on the SSID receive all the multicast/broadcast packets, only packets with the GTK corresponding to the client's VLAN will be read/understood; the rest should be dropped.

    -------------------------------------------



  • 5.  RE: Understanding mDNS handling in Instant OS

    Posted Oct 16, 2025 06:39 AM
    Edited by Keyser Oct 16, 2025 06:52 AM

    Hmm, not too impressed with the limitations AirGroup has...
    1: By default Airgroup also reflects all services across all VLANs (like when you run without a broadcast/multicast filter).
    2: There is no way to limit it to only allow WLAN clients to see services learned on the actual VLAN they are bridged to.
    3: You can deny services to a VLAN or a Role, but this is effectively impossible to use since you have to manually configure and manage every service available to achieve this. Airgroup in Instant only supports 5 custom AirGroup Services - I have 24 outside of the builtin services in Airgroup, so no can do....

    As far as I can tell, that only leaves one option: create an SSID per VLAN to avoid mDNS pollution and privacy breaches/service visibility in a VLAN-segmented home setup :-(

    Not exactly what I was hoping for......

    EDIT: It would be cool if Instant had a "best effort" broadcast/multicast filter that converted all multicast packets originating from a wired VLAN to unicast for WLAN clients assigned to that VLAN only. A filter-selectable "variant" of DMO, if you like, that restricts the unicast conversion to clients within the VLAN they are bridged to.

    -------------------------------------------