DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

2920 broadcast packets leaking

11 Dec 2012 18:25 #1 by adrianmarsh
2920 broadcast packets leaking was created by adrianmarsh
Hi All,

Sadly - I'm now left with no choice but to make a security issue public.

To be clear - I've been working with the support folks in Draytek over the past 6 months or so. There's been very very slow support from Development on solving my issue, generally good support from the UK. I'm posting this in hope that enough people see the same issue, and that it gets raised in priority.

I'm trying to keep the amount of kit on a new remote site to a minimum, hence trying to use all the features the Draytek has to achieve this. I'm not doing anything that the Draytek doesn't say it supports.

We setup a Draytek 2920 using VLANs, multiple Wifi SSIDs and some static routes. My initial problem was that I couldn't route traffic to another router in my LAN because the Draytek was dropping packets. After fixing that in a beta, we then found that the 2920 was actually LEAKING BROADCAST PACKETS between VLANs, both wired and wireless.

The 2 SSIDs were configured so that one SSID is a guest wifi, the other a corporate Wifi. I'm able to see broadcast packets (including DHCP REQ messaging) from Guest wifi/non-wifi clients, within my Corporate VLAN.

I've been waiting, waiting, waiting for Draytek to fix this. In a recent private beta they claimed they did, until I tested, and found that, no, wifi still leaks through.

They confirmed this several weeks ago, but according to the email below, might just have to "disappoint" me in getting it fixed.

So: if you're using VLANs, there's a chance that your Draytek might not be keeping the traffic as separate as you'd like. And my worry: if it's leaking broadcast, then what else might be leaking through?

I've now had enough frankly, and wasted enough of my time trying to help Draytek sort its issues. I'm left with little choice but to switch over to another vendor for this project.

Email I've received today:

I just wanted to give you an update.

We are aware of the issue of the DHCP request going over to wireless LAN when using VLANs. We did escalate this to the development team. However, there is no announced fix date for this, nor a commitment that a fix will be available. It's difficult to provide a fix for every customer, just sometimes we have to disappoint. We appreciate your expectation is to have a fix, but we don't have a formal schedule or a commitment for this currently. If this changes we will of course let you know straight away.

We appreciate and apologise this isn't the update you might have been expecting.


12 Dec 2012 13:31 #2 by domkj
Replied by domkj on topic Re: 2920 broadcast packets leaking
If you're looking for a managed wireless solution that is cost effective then have a look into UniFi. Units are roughly £40 each, we buy them in packs of three. The software allows for multiple SSIDs, we run 5 including a guest access. Guest access is controlled by tokens, you can set up a paid token access if you wish to. Can create users and user groups etc.

Just a heads up if you are indeed looking.


13 Dec 2012 07:16 #3 by admin
Replied by admin on topic Re: 2920 broadcast packets leaking
Do you mean that the DHCP request goes from the PC/client and is passed to other VLANs (port based or 802.1q?), or that the reply from the DHCP server does (or both)?



Forum Administrator


13 Dec 2012 09:37 #4 by adrianmarsh
Replied by adrianmarsh on topic Re: 2920 broadcast packets leaking
It's one direction from what we could see (client on our guest wifi -> DHCP server on our Corp LAN).

We noticed it because we were seeing DHCP DISCOVER messages for Guest devices on our Corporate LAN DHCP server, something that shouldn't be possible.

We confirmed the issue in both wired and wireless at first. The latest private beta (beta_0414) I received has fixed it in the wired LAN, but not the wireless, which of course, for a guest network, is going to be mostly wifi.

Due to the amount of time it's taken to get even this far in debug, and given the last statement from the support manager, I've no choice now but to plan a migration away from Draytek, which is a shame as I find the kit easy to use, if not always stable.

Also, I've found out that they're not sold in the country I'll need to support (Japan), another factor.

I've put a workaround in place for my project by turning off wifi in the Draytek, and using a Netgear wifi AP, and controlling the packets on a wired L2 switch.

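As an added check for the symptom described in this post (guest DHCP DISCOVERs arriving on the corporate VLAN), not code from the thread or from DrayTek: the script below parses raw DHCP frames captured on the corporate side, reads the 802.1Q tag and DHCP message type, and flags DISCOVERs from known guest client MACs. The VLAN IDs, MAC addresses and sample frames are constructed for the example.

```python
import struct

DHCP_COOKIE = b"\x63\x82\x53\x63"
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}

def parse_dhcp(frame):
    """Return (vlan_id, src_mac, msg_type) for a DHCP frame, else None. vlan_id is None if untagged."""
    _dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    off, vlan = 14, None
    if etype == 0x8100:                                   # 802.1Q tagged frame
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0x0FFF, 18
    if etype != 0x0800 or frame[off + 9] != 17:           # IPv4 carrying UDP only
        return None
    udp = off + (frame[off] & 0x0F) * 4                   # skip IPv4 header (IHL)
    if struct.unpack("!H", frame[udp + 2:udp + 4])[0] not in (67, 68):
        return None
    bootp = udp + 8
    if frame[bootp + 236:bootp + 240] != DHCP_COOKIE:
        return None
    i = bootp + 240                                       # DHCP options follow the cookie
    while i < len(frame) and frame[i] != 255:             # 255 = end option
        if frame[i] == 0:                                 # pad option
            i += 1
            continue
        if frame[i] == 53:                                # option 53 = message type
            return vlan, src.hex(":"), MSG_TYPES.get(frame[i + 2], "OTHER")
        i += 2 + frame[i + 1]
    return None

def build_discover(src_mac, vlan=None):
    """Constructed client DHCP DISCOVER (Ethernet/IPv4/UDP/BOOTP) used as test input."""
    bootp = (bytes([1, 1, 6, 0]) + b"\x00\x00\x12\x34" + b"\x00\x00\x80\x00"
             + b"\x00" * 16 + src_mac + b"\x00" * 10 + b"\x00" * 192)
    dhcp = bootp + DHCP_COOKIE + bytes([53, 1, 1, 255])
    udp = struct.pack("!HHHH", 68, 67, 8 + len(dhcp), 0) + dhcp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     b"\x00" * 4, b"\xff" * 4) + udp
    tag = struct.pack("!HH", 0x8100, vlan) if vlan is not None else b""
    return b"\xff" * 6 + src_mac + tag + b"\x08\x00" + ip

def find_leaks(frames, corp_vlan, guest_macs):
    """MACs of known guest clients whose DISCOVER showed up on the corporate VLAN."""
    leaks = []
    for f in frames:
        p = parse_dhcp(f)
        if p and p[0] == corp_vlan and p[2] == "DISCOVER" and p[1] in guest_macs:
            leaks.append(p[1])
    return leaks
```

Feed it frames from a capture taken on the corporate VLAN (e.g. a mirror port or the DHCP server's interface); any hit means the guest segment is not isolated at layer 2.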

13 Dec 2012 15:39 #5 by admin
Replied by admin on topic Re: 2920 broadcast packets leaking
Although it doesn't seem to be much of a security risk, it's still not correct behaviour and as a current product, I think it's likely to be fixed if users want it to be, and that reply from support looks like a "rogue" answer... which isn't good in itself, granted!



Forum Administrator


13 Dec 2012 17:06 #6 by adrianmarsh
Replied by adrianmarsh on topic Re: 2920 broadcast packets leaking
It's from a support manager. I've informed them of this thread, as I'm hoping it helps them get visibility internally and escalated so that it does get resolved.

I'm still trying to help them. Today we've identified yet another issue where the 2920 seems to be "forgetting" devices on the LAN. The device disappears from the ARP table in the Draytek. I thought it was just a Netgear Wifi router, but now it's spread to a Dell DRAC card as well. All vlan1, untagged. And both devices are visible to other local devices that share the same L2 Netgear switch. Sigh.
