[BUG] GS108tv3 blocks udp broadcasts to port 123

Hi Retired_Member , you will understand that a switch that does not forward udp port 123 packets on any vlan, because the management cpu that is in it's own management vlan, is using unicast as it should, is unacceptable? It's perfectly fine for me if it doesn't forward it on the management vlan, because it's a table switch after all. And if you have read the thread, you would see, I've already discovered that it always blocks.

But the management of the switch should not interfere with switching.

Now on to broadcasting: to work around a bug in a switch I have to add broadcasting ntp servers on each management domain. Since the switches are pretty limited, I also need to have multiple management domains and per domain a local server that does unicast ntp and broadcasts it to one or more, or have a hell of an l2 design.

I get that you must protect the host cpu, but it's a bug caused by a cheap work around against a possible ntp exploit. Make it less cheap by only filtering the management vlan. If people don't use management vlans, they also don't care about udp port 123.

My target networks are not office tables, it's large halls with machines where being able to get access to a network port is a security breach on it's own. Our need for network ports is that high that we included switches on our own hardware. But these are machine internal switches.

And with machines I mean PoS.

The machines can't be changed. They have been certified by more governmental bodies on their functioning than this switch has seen QA. The protocol over 123 used by these machines is not NTP.

In the mean time, my ticket to netgear support has revealed the following:

For now it only affects Linux+RTL SoC based small switches, not the Linux+Broadcom SoC based switches. I assume it's still a bug somewhere in netgears use of the RTL-sdk, as the sdk's are that different. I can not compare it to the similar DLINK devices that also use the RTL8380, since I do not have a dlink. But at least dlink's source code drop is not an insult to the GPL license.

I am not going to talk about the ECOS+Broadcom SoC based switches. No. Don't ask about them.
The ticket has landed at engineering, so I hope they implement a work around like just limiting the acl to the management vlan.

Anyway, you can clearly feel the difference between the two, because you can't change the management vlan on an RTL switch.