Hello,
I want to use the mDNS repeater on OPNsense to forward mDNS between two subnets.
From the documentation it is not clear to me which firewall rules I need to allow the mDNS multicast traffic between these two VLANs:
- on both interfaces to port 5353 at 224.0.0.251 and [ff02::fb] or
- on both interfaces to port 5353 at "subnet address" or
- on both interfaces to port 5353 at "this firewall"
Or a combination of these three?
I haven't tried it, but I would expect that if you have the "Default allow LAN to any" rule, it should "just work" (from LAN), but if you don't, you'd need something like your option (1).
OK, I did not mention that these two VLANs are isolated from each other by default, and inter-VLAN routing is only possible where it is explicitly allowed by a firewall rule.
Yes, I could just use trial and error. But I want to understand what is right and what is wrong. That's why I am asking, in the hope that someone knows the answer.
Yes, also interested in the response to this question... anyone?
I'd go with
Protocol: UDP
Source: XY net (the interface to which the rule applies)
Destination: any
Destination port: 5353
What bad can come from a "wrong" destination address?
Also keep in mind that if you have e.g. a trustworthy LAN and a less trusted IoT network and you want to "browse" IoT devices from LAN and not vice versa, it's sufficient to have this rule on LAN. The mDNS repeater must still be enabled on both interfaces.
HTH,
Patrick
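To check whether the rule above (UDP from the interface's net to any, destination port 5353) plus the repeater actually pass mDNS between the two VLANs, here is a small probe script. It is an added example for this thread, not code from OPNsense or from the mdns-repeater project. One host on VLAN A sends a standard service-enumeration query to 224.0.0.251:5353; a host on VLAN B joins the multicast group and prints every query it sees. The interface addresses in the usage comments (192.168.10.10, 192.168.20.10) are assumptions; replace them with an address on each of your two VLANs.

```python
"""mDNS probe: send a query on one VLAN, listen for it on the other.

Added example for this forum thread; not from OPNsense or mdns-repeater.
Packet layout follows RFC 6762 (mDNS) on top of RFC 1035 (DNS).
"""
import socket
import struct
import sys

MDNS_GROUP = "224.0.0.251"   # IPv4 mDNS multicast group (IPv6 is ff02::fb)
MDNS_PORT = 5353
QTYPE_PTR = 12
CLASS_IN = 1
QU_BIT = 0x8000              # "unicast response requested" bit in the question class


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels: 'a.local' -> b'\\x01a\\x05local\\x00'."""
    out = b""
    for label in name.strip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str = "_services._dns-sd._udp.local", unicast: bool = True) -> bytes:
    """One-question PTR query. ID 0 and flags 0, as RFC 6762 requires for queries."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)   # id, flags, qd, an, ns, ar
    qclass = CLASS_IN | (QU_BIT if unicast else 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_PTR, qclass)


def decode_name(data: bytes, offset: int):
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels, jumped, end = [], False, offset
    while True:
        length = data[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:                     # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii", "replace"))
        offset += 1 + length
    return ".".join(labels), (end if jumped else offset)


def parse_questions(packet: bytes):
    """Return [(name, qtype, unicast_requested)] from the question section."""
    qdcount = struct.unpack("!H", packet[4:6])[0]
    offset, questions = 12, []
    for _ in range(qdcount):
        name, offset = decode_name(packet, offset)
        qtype, qclass = struct.unpack("!HH", packet[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, bool(qclass & QU_BIT)))
    return questions


def send_query(iface_ip: str, name: str = "_services._dns-sd._udp.local") -> int:
    """Send one query out of the interface owning iface_ip; return bytes sent."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF, socket.inet_aton(iface_ip))
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)   # RFC 6762 value
    try:
        return s.sendto(build_query(name), (MDNS_GROUP, MDNS_PORT))
    finally:
        s.close()


def listen(iface_ip: str, seconds: float = 10.0) -> None:
    """Join the group on iface_ip and print each query seen until the timeout."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)   # coexist with avahi
    s.bind(("", MDNS_PORT))
    s.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP,
                 socket.inet_aton(MDNS_GROUP) + socket.inet_aton(iface_ip))
    s.settimeout(seconds)
    try:
        while True:
            data, (src, _) = s.recvfrom(9000)
            for name, qtype, qu in parse_questions(data):
                print(f"{src} asked {name} type={qtype} QU={qu}")
    except socket.timeout:
        pass
    finally:
        s.close()


if __name__ == "__main__":
    # Assumed addresses, one per VLAN:
    #   VLAN B host:  python3 mdns_probe.py listen 192.168.20.10
    #   VLAN A host:  python3 mdns_probe.py query  192.168.10.10
    mode, ip = sys.argv[1], sys.argv[2]
    listen(ip) if mode == "listen" else send_query(ip)
```

Run the listener first, then the query; if the repeater is enabled on both interfaces and the rule on VLAN A passes UDP/5353, the VLAN B host prints the `_services._dns-sd._udp.local` question. If nothing arrives, capture on the firewall's VLAN B interface to see whether the packet is being repeated but dropped by a rule, or never repeated at all. Binding port 5353 on a host that already runs avahi or mDNSResponder works with SO_REUSEADDR on Linux; on macOS you may additionally need SO_REUSEPORT.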