Forum Discussion
Ardje (Guide), May 28, 2020
[BUG] GS108tv3 blocks udp broadcasts to port 123
Hi Guys, I was evaluating the GS108Tv3 for table/POS access switch usage. I discovered that third party hardware suddenly was not able to communicate with each other anymore, so I investigated it...
Sep 11, 2020
Update:
We got a beta release 7.0.4.7beta that fixed the issue.
Currently the switch has been running production for 2 months I think, and not a problem that's related to that switch.
Of course I've seen weird things going on in the switch (upnp, weird configuration daemons and such), but it doesn't stop it from working. So that beta seems good.
Changing the management vlan will be my next achievement, I fear I have to do that with scripted tftp download, sed, tftp upload, reboot. As the web doesn't allow it, and the command line doesn't allow it. Maybe if we use the serial console, but we do not intend to solder one on every switch ;-).
Anyway, past the initial problems of getting a support ticket opened (the "owner" is a different person than the tech support here), the support crew was helpful in getting it resolved.
Regards,
Ard van Breemen
Ardje (Guide), Jun 15, 2020
Hi Retired_Member, you will understand that a switch that does not forward udp port 123 packets on any vlan, because the management cpu that is in its own management vlan is using unicast as it should, is unacceptable? It's perfectly fine for me if it doesn't forward it on the management vlan, because it's a table switch after all. And if you have read the thread, you would see I've already discovered that it always blocks.
But the management of the switch should not interfere with switching.
Now on to broadcasting: to work around a bug in a switch I have to add broadcasting ntp servers on each management domain. Since the switches are pretty limited, I also need to have multiple management domains and per domain a local server that does unicast ntp and broadcasts it to one or more, or have a hell of an l2 design.
I get that you must protect the host cpu, but it's a bug caused by a cheap work around against a possible ntp exploit. Make it less cheap by only filtering the management vlan. If people don't use management vlans, they also don't care about udp port 123.
My target networks are not office tables, it's large halls with machines where being able to get access to a network port is a security breach on its own. Our need for network ports is that high that we included switches on our own hardware. But these are machine internal switches.
And with machines I mean PoS.
The machines can't be changed. They have been certified by more governmental bodies on their functioning than this switch has seen QA. The protocol over 123 used by these machines is not NTP.
In the meantime, my ticket to netgear support has revealed the following:
For now it only affects Linux+RTL SoC based small switches, not the Linux+Broadcom SoC based switches. I assume it's still a bug somewhere in NETGEAR's use of the RTL SDK, as the SDKs are that different. I can not compare it to the similar D-Link devices that also use the RTL8380, since I do not have a D-Link. But at least D-Link's source code drop is not an insult to the GPL license.
I am not going to talk about the ECOS+Broadcom SoC based switches. No. Don't ask about them.
The ticket has landed at engineering, so I hope they implement a work around like just limiting the acl to the management vlan.
Anyway, you can clearly feel the difference between the two, because you can't change the management vlan on an RTL switch.
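The thread's complaint is that the switch drops UDP datagrams to port 123 on every VLAN, not just the management VLAN. The script below is an added example, not code from the thread or from NETGEAR: a two-host probe that sends marked UDP datagrams (broadcast or unicast) to a suspect port and to a control port, and a listener behind the switch that reports which arrived. The payload marker, the control port 12345 and the 10-second listen window are my own choices; port 123 needs root (or CAP_NET_BIND_SERVICE) to bind on Linux, and the listener deliberately ignores anything that is not the probe marker so real NTP traffic from the broadcast NTP servers mentioned above cannot produce a false "forwarded".

```python
"""Check whether a switch forwards UDP datagrams to a given port.

Run `listen PORT...` on one host behind the switch and `send BCAST_ADDR PORT...`
on another. A control port that is received while the suspect port is not
points at port-specific filtering between the two hosts.
"""
from __future__ import annotations

import select
import socket
import sys
import time

# Constructed payload prefix; unrelated traffic on the same port (e.g. real
# NTP on 123) does not carry it and is ignored by the listener.
MARKER = b"udp-forward-probe:"


class ProbeListener:
    """One bound UDP socket; port 0 picks a free port (used for local tests)."""

    def __init__(self, port: int, bind_addr: str = "") -> None:
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((bind_addr, port))
        self.port = self.sock.getsockname()[1]  # resolved port number

    def close(self) -> None:
        self.sock.close()


def send_probe(dest: str, port: int, tag: str = "", broadcast: bool = True) -> bytes:
    """Send one marked datagram to dest:port and return the payload sent."""
    payload = MARKER + tag.encode()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        if broadcast:  # required to send to a directed/limited broadcast address
            s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(payload, (dest, port))
    return payload


def wait_many(listeners: list[ProbeListener], timeout: float = 5.0) -> dict[int, bool]:
    """Wait up to timeout seconds; map each listener's port to 'probe seen?'."""
    got = {l.port: False for l in listeners}
    port_of = {l.sock: l.port for l in listeners}
    deadline = time.monotonic() + timeout
    while not all(got.values()):
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            break
        ready, _, _ = select.select(list(port_of), [], [], remaining)
        for sock in ready:
            data, _ = sock.recvfrom(2048)
            if data.startswith(MARKER):
                got[port_of[sock]] = True
    return got


def classify(results: dict[int, bool], suspect: int = 123) -> str:
    """Interpret the per-port results; needs the suspect port plus a control port."""
    controls = [p for p in results if p != suspect]
    if suspect not in results or not controls:
        return "inconclusive: need the suspect port and at least one control port"
    if results[suspect]:
        return f"port {suspect} forwarded"
    if any(results[p] for p in controls):
        return f"port {suspect} filtered (control port forwarded)"
    return "nothing received: check link, VLAN, host firewall or listener first"


def main(argv: list[str]) -> int:
    if len(argv) < 3 or argv[1] not in ("listen", "send"):
        print("usage: probe.py listen PORT...  |  probe.py send BCAST_ADDR PORT...")
        return 2
    if argv[1] == "listen":
        listeners = [ProbeListener(int(p)) for p in argv[2:]]  # 123 needs root
        results = wait_many(listeners, timeout=10.0)
        for l in listeners:
            l.close()
        for port, seen in results.items():
            print(f"udp/{port}: {'received' if seen else 'not received'}")
        print(classify(results))
        return 0
    dest, ports = argv[2], [int(p) for p in argv[3:]]
    for _ in range(5):  # several rounds so the listener may be started late
        for p in ports:
            send_probe(dest, p, tag=str(time.time()))
        time.sleep(1)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Typical use: on host A `sudo python3 probe.py listen 123 12345`, on host B (same VLAN, other switch port) `python3 probe.py send 192.168.1.255 123 12345` with your own subnet's broadcast address. Repeating the run with `broadcast=False` and host A's unicast address separates "broadcast to 123 is dropped" from "all of 123 is dropped", which is the distinction the thread is arguing about.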