IP Helper Addresses for UDP broadcast VLAN traversal

I have had two important marine projects recently that have multi-vendor equipment onboard (hydraulics, nav, IT, VoIP, navigation, etc.) that need to all be in separate VLANs from a security perspective.

However, because application developers don’t typically understand networks or network security, all the smartphone- and tablet-based apps that the crew and guests need to use to manage these devices rely on UDP broadcast for device discovery and management.

Cisco has the idea of an IP helper address that acts as a UDP broadcast proxy between VLANs.

Please, please, please, can we add that capability to MAX devices and switches ASAP?


If I understand correctly, the ip helper-address from Cisco is used to relay BOOTP and DHCP to the BOOTP/DHCP server - IP Addressing: DHCP Configuration Guide, Cisco IOS Release 15SY - Configuring the Cisco IOS DHCP Relay Agent [Support] - Cisco. It mainly forwards the broadcast traffic from the client as unicast to the server.

If this is correct, do you think this helps?


It's not DHCP I want to relay.

Onboard there are many electro-mechanical services that are now network connected. These often have tablet and smartphone clients. A client will join an SSID (Crew, Engineering, Owner) and run their management apps.

The apps will send a UDP broadcast packet to their subnet's broadcast address on a specific port, the idea being that the devices they want to control listen on the same UDP port and all of them receive the broadcast.

This all works fine when the devices that need to be controlled are all on a flat network with the user devices (phones and tablets) that need to do the controlling.

However, that is not the desired situation. We want crew, engineering, and owner to be in separate VLANs for bandwidth management. We want the navigation computer and autopilot to be in a different VLAN to the hydraulics and infotainment systems, so that remote engineers from these different companies are restricted to what they manage.

So we need a UDP broadcast proxy, configurable so that you decide which UDP ports on which VLANs get re-broadcast on other VLANs.

Do that and all my superyacht security and remote management issues go away, and I can deliver better user experience for everyone on board.

This is the most regularly used example of UDP broadcast relay online which is a good place to start: GitHub - udp-redux/udp-broadcast-relay-redux: Small daemon to relay udp broadcast / multicast packages on a different subnet.

But if you used something like this, we could even proxy the UDP broadcasts over L3 PepVPN, which would mean I could run a navigation plotter here on my desk connected to an autopilot on a remote vessel and remotely pilot it… (not a typical use case, but you see what I mean).

GitHub - synfinatic/udp-proxy-2020: A crappy UDP proxy for the year 2020 and beyond

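The port-scoped UDP broadcast relay the post above asks for, written out as an added example for this thread (it is not Peplink code and not the udp-broadcast-relay-redux or udp-proxy-2020 daemons linked above). It assumes a Linux host with an interface or 802.1Q sub-interface in every VLAN it bridges and CAP_NET_RAW for the raw socket; the subnets, ports and the `RELAY_POLICY` table are constructed for illustration. Each listening port carries a list of member VLAN subnets: a broadcast that arrives from one member is re-sent to the directed-broadcast address of every other member, and everything else is dropped.

```python
"""Per-port UDP broadcast relay between VLAN subnets (added example, Linux only).

Assumptions (not from the thread): Linux IP_PKTINFO/IP_HDRINCL semantics, a
relay host homed in every VLAN listed below, root/CAP_NET_RAW to send spoofed
datagrams. Subnets and ports are constructed sample values.
"""
import ipaddress
import select
import socket
import struct

# Constructed policy: UDP port -> VLAN subnets allowed to exchange broadcasts on it.
RELAY_POLICY = {
    5000: ["10.10.0.0/24", "10.20.0.0/24"],                  # Crew Wi-Fi <-> hydraulics
    8060: ["10.10.0.0/24", "10.30.0.0/24", "10.40.0.0/24"],  # Crew, Owner <-> AV VLAN
}


def plan_forward(policy, dst_port, src_ip, ingress_local_ip):
    """Decide where a broadcast received on dst_port must be re-sent.

    ingress_local_ip is the relay's own address on the interface the datagram
    came in on (learned via IP_PKTINFO). The source must belong to that
    interface's subnet: this rejects spoofed sources and also stops our own
    spoofed-source copies from looping when they reappear on the far VLAN.
    Returns a list of (directed_broadcast_ip, port) targets, possibly empty.
    """
    nets = [ipaddress.ip_network(n) for n in policy.get(dst_port, [])]
    src = ipaddress.ip_address(src_ip)
    local = ipaddress.ip_address(ingress_local_ip)
    ingress = next((n for n in nets if local in n), None)
    if ingress is None or src not in ingress:
        return []
    return [(str(n.broadcast_address), dst_port) for n in nets if n != ingress]


def _checksum(data):
    """RFC 1071 ones-complement checksum over data (IPv4 header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_datagram(src_ip, src_port, dst_ip, dst_port, payload, ttl=64):
    """Build a raw IPv4+UDP datagram that keeps the client's original source
    address, so the devices' unicast replies go straight back to the app."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload  # UDP csum 0 = none
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, ttl, 17, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:] + udp


def serve(policy=RELAY_POLICY):
    """Blocking relay loop: one UDP listener per policed port, one raw sender."""
    raw = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    raw.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
    raw.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    listeners = {}
    for port in policy:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.setsockopt(socket.IPPROTO_IP, socket.IP_PKTINFO, 1)  # report ingress interface
        s.bind(("", port))
        listeners[s] = port
    while True:
        ready, _, _ = select.select(list(listeners), [], [])
        for s in ready:
            data, anc, _, (src_ip, src_port) = s.recvmsg(65535, socket.CMSG_SPACE(12))
            ingress_local = None
            for level, ctype, cdata in anc:
                if level == socket.IPPROTO_IP and ctype == socket.IP_PKTINFO:
                    _ifindex, spec_dst, _dst = struct.unpack("i4s4s", cdata)
                    ingress_local = socket.inet_ntoa(spec_dst)
            if ingress_local is None:
                continue
            for dst_ip, dst_port in plan_forward(policy, listeners[s], src_ip, ingress_local):
                raw.sendto(build_datagram(src_ip, src_port, dst_ip, dst_port, data), (dst_ip, 0))


if __name__ == "__main__":
    serve()
```

Two design points matter for the security case made in the thread. First, the relay only ever emits into subnets named for that port, and it checks the source address against the subnet of the interface the packet arrived on, so a device in one VLAN cannot use the relay to spray arbitrary ports or spoofed sources into another. Second, the source address is preserved with a raw socket rather than rewritten to the relay's own address; with a plain `sendto` the controlled devices would unicast their discovery replies to the relay instead of the tablet, which is why the daemons linked above do the same. The relay replaces nothing at the firewall: the VLAN ACLs still decide which unicast flows are allowed once discovery has happened.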

+1 for me, we could use this as well. For the same reason, customers have a Roku app on the Wi-Fi VLAN, and video devices on another VLAN. With the IP helper address we could still keep them on separate networks, but the app would work.

+1 for me too.