NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

sascha_52's avatar
sascha_52
Aspirant
Apr 03, 2022

GS308E Access Management Site

Hello,   I currently used two GS305e at different locations at home. Between the switches I used a trunc-connection with VLAN 101 (192.168.2.0/24) and VLAN 200 (192.168.10.0/24) on Port 5. Port 5 i...
sascha_52's avatar
sascha_52
Aspirant
Apr 03, 2022

used firmware:

GS305e     V1.0.0.5

GS308e     V1.00.11GR ; V1.00.03GR testet also

schumaku's avatar
schumaku
Guru - Experienced User
Apr 03, 2022
YeZ can you please make switch engineering investigate again please?
  • waxar's avatar
    waxar
    Tutor
    Apr 18, 2022

    I have encountered the same problem with the GS308E switch. There are two major issues with the web management interface's traffic:

     

    1. Outgoing web management traffic is broadcast on all ports regardless of the incoming port (wow!).
    2. Outgoing web management traffic is always untagged.

    Having outgoing web management traffic on all ports is a major security breach and must be addressed asap!

     

    The following is the traffic captured by mirroring one tagged port (a trunk) to another tagged port (a monitor) while the web management console is being accessed. 192.168.1.1 is the router, 192.168.1.11 is the GS308E switch. Note how all outgoing traffic (from the GS308E's perspective) is untagged while incoming traffic from VLAN 1 is tagged. Currently, I am forced to use PVID=1 on the trunk port on the router in order to be able to access the management interface.

     

    • waxar's avatar
      waxar
      Tutor
      Apr 18, 2022

      The traffic dump mentioned above:

       

      20:20:49.713902 30:23:03:e0:69:08 > 6c:cd:d6:b3:39:67, ethertype 802.1Q (0x8100), length 78: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 53624, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.1.34482 > 192.168.1.11.80: Flags [S], cksum 0x7b36 (correct), seq 3970534656, win 64240, options [mss 1460,sackOK,TS val 1909316610 ecr 0,nop,wscale 6], length 0
20:20:49.715590 6c:cd:d6:b3:39:67 > 30:23:03:e0:69:08, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 1604, offset 0, flags [none], proto TCP (6), length 44)
    192.168.1.11.80 > 192.168.1.1.34482: Flags [S.], cksum 0xf6b0 (correct), seq 1064097850, ack 3970534657, win 1460, options [mss 1460], length 0
20:20:49.715751 30:23:03:e0:69:08 > 6c:cd:d6:b3:39:67, ethertype 802.1Q (0x8100), length 60: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 53625, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.1.1.34482 > 192.168.1.11.80: Flags [.], cksum 0x1931 (correct), ack 1, win 64240, length 0
20:20:49.715837 30:23:03:e0:69:08 > 6c:cd:d6:b3:39:67, ethertype 802.1Q (0x8100), length 94: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 53626, offset 0, flags [DF], proto TCP (6), length 76)
    192.168.1.1.34482 > 192.168.1.11.80: Flags [P.], cksum 0x1535 (correct), seq 1:37, ack 1, win 64240, length 36: HTTP, length: 36
	GET / HTTP/1.1
	Host: 192.168.1.11
20:20:49.721632 6c:cd:d6:b3:39:67 > 30:23:03:e0:69:08, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 1605, offset 0, flags [none], proto TCP (6), length 40)
    192.168.1.11.80 > 192.168.1.1.34482: Flags [.], cksum 0x0e4a (correct), ack 37, win 1460, length 0
20:20:49.721778 30:23:03:e0:69:08 > 6c:cd:d6:b3:39:67, ethertype 802.1Q (0x8100), length 87: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 53627, offset 0, flags [DF], proto TCP (6), length 69)
    192.168.1.1.34482 > 192.168.1.11.80: Flags [P.], cksum 0x0e7b (correct), seq 37:66, ack 1, win 64240, length 29: HTTP
20:20:49.733810 6c:cd:d6:b3:39:67 > 30:23:03:e0:69:08, ethertype IPv4 (0x0800), length 1454: (tos 0x0, ttl 64, id 1606, offset 0, flags [none], proto TCP (6), length 1440)
    192.168.1.11.80 > 192.168.1.1.34482: Flags [P.], cksum 0xf359 (correct), seq 1:1401, ack 66, win 1460, length 1400: HTTP, length: 1400
	HTTP/1.1 200 OK
	Connection: close
	X-Frame-Options: SAMEORIGIN
	X-XSS-Protection: 1; mode=block
	X-Content-Type-Options: nosniff
	Content-Type: text/html
	Cache-Control: no-cache
	Expires: -1
	...[SKIPPED]...
20:20:49.733958 30:23:03:e0:69:08 > 6c:cd:d6:b3:39:67, ethertype 802.1Q (0x8100), length 60: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 53628, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.1.1.34482 > 192.168.1.11.80: Flags [.], cksum 0x1850 (correct), ack 1401, win 63000, length 0
20:20:49.740727 6c:cd:d6:b3:39:67 > 30:23:03:e0:69:08, ethertype IPv4 (0x0800), length 1454: (tos 0x0, ttl 64, id 1607, offset 0, flags [none], proto TCP (6), length 1440)
    192.168.1.11.80 > 192.168.1.1.34482: Flags [P.], cksum 0x51f1 (correct), seq 1401:2801, ack 66, win 1460, length 1400: HTTP
20:20:49.740866 30:23:03:e0:69:08 > 6c:cd:d6:b3:39:67, ethertype 802.1Q (0x8100), length 60: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 53629, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.1.1.34482 > 192.168.1.11.80: Flags [.], cksum 0x12d8 (correct), ack 2801, win 63000, length 0
20:20:49.746038 6c:cd:d6:b3:39:67 > 30:23:03:e0:69:08, ethertype IPv4 (0x0800), length 668: (tos 0x0, ttl 64, id 1608, offset 0, flags [none], proto TCP (6), length 654)
    192.168.1.11.80 > 192.168.1.1.34482: Flags [P.], cksum 0x5084 (correct), seq 2801:3415, ack 66, win 1460, length 614: HTTP
20:20:49.746175 30:23:03:e0:69:08 > 6c:cd:d6:b3:39:67, ethertype 802.1Q (0x8100), length 60: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 53630, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.1.1.34482 > 192.168.1.11.80: Flags [.], cksum 0x1072 (correct), ack 3415, win 63000, length 0
20:20:49.748383 6c:cd:d6:b3:39:67 > 30:23:03:e0:69:08, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 1609, offset 0, flags [none], proto TCP (6), length 40)
    192.168.1.11.80 > 192.168.1.1.34482: Flags [F.], cksum 0x00d6 (correct), seq 3415, ack 66, win 1460, length 0
20:20:49.748628 30:23:03:e0:69:08 > 6c:cd:d6:b3:39:67, ethertype 802.1Q (0x8100), length 60: vlan 1, p 0, ethertype IPv4, (tos 0x0, ttl 64, id 53631, offset 0, flags [DF], proto TCP (6), length 40)
    192.168.1.1.34482 > 192.168.1.11.80: Flags [F.], cksum 0x1070 (correct), seq 66, ack 3416, win 63000, length 0
20:20:49.750373 6c:cd:d6:b3:39:67 > 30:23:03:e0:69:08, ethertype IPv4 (0x0800), length 60: (tos 0x0, ttl 64, id 1610, offset 0, flags [none], proto TCP (6), length 40)
    192.168.1.11.80 > 192.168.1.1.34482: Flags [.], cksum 0x00d5 (correct), ack 67, win 1460, length 0

       

      The GS308's firmware version - V1.00.11EN

       

  • waxar's avatar
    waxar
    Tutor
    May 04, 2022

    schumaku Is there a chance to get any updates on this from the team? Thanks!

    • schumaku's avatar
      schumaku
      Guru - Experienced User
      May 04, 2022
      YeZ please

NETGEAR Academy

Boost your skills with the Netgear Academy - Get trained, certified and stay ahead with the latest Netgear technology! 

Join Us!

ProSupport for Business

Comprehensive support plans for maximum network uptime and business peace of mind.

 

Learn More