OPNsense Forum
English Forums => General Discussion => Topic started by: Greelan on November 06, 2020, 10:37:16 am
-
I know this is not a new topic, but I'm really struggling to get mDNS repeated/relayed across VLANs, after spending days searching the forum and the web and trying various setups.
I recently replaced the UniFi Security Gateway in my network with an OPNsense box. I've managed to set up everything to replicate the network topology I had with the USG and have now introduced the box into the network.
My network includes a number of VLANs. Of relevance here are VLAN10 and VLAN49. VLAN10 includes my trusted devices and VLAN49 includes IoT type devices, including an AirPrint printer and AppleTVs.
Generally VLAN49 is prevented from communicating with VLAN10 (but not vice versa). With the USG I had implemented a mDNS repeater that meant VLAN10 could find all the Bonjour devices in VLAN49.
I am trying to replicate that with OPNsense. I have used both the os-mdns-repeater and os-udpbroadcast-relay plugins (separately), but without success. I have tried those plugins with firewall rules accepting traffic on port 5353 in both VLANs, but without success.
I just cannot figure out what I am doing incorrectly. If anyone has a setup similar to mine and has mDNS successfully being repeated/relayed across VLANs - particularly for AirPrint and AirPlay - could they please let me know how they have achieved it?
Thanks
-
Did you also allow the traffic through the firewall? It's going to be blocked otherwise. Port 5353 UDP.
Sent from my IN2023 using Tapatalk
-
I did. I included rules on each interface, ie:
VLAN10 - allow UDP into the interface from VLAN10 net to 224.0.0.251 port 5353
VLAN49 - allow UDP into the interface from VLAN49 net to 224.0.0.251 port 5353
I also included similar rules for IPv6, although I understand that mdns-repeater may only work with IPv4? That is:
VLAN10 - allow UDP into the interface from fe80::/10 to ff02::fb port 5353
VLAN49 - allow UDP into the interface from fe80::/10 to ff02::fb port 5353
Do they look right?
-
At first glance this looks correct, yeah. I'm in the same boat as you (replace USG with OPN) but I haven't deployed it yet - will do that this weekend.
I don't have access to the rules I implemented, but I can't see anything wrong straight away.
-
I will be very interested to hear how you go.
TBH, I’m not sure the firewall was causing my issues as I didn’t see any IPv4 multicast being blocked by the default deny rule in OPNsense, even without allow rules being included.
Fingers crossed. This is a bit of a killer for me - I really don’t want to go back to the USG (it’s now abandonware), and I’m not inclined to switch to pfSense (I understand that it has an Avahi plugin which works reliably).
-
So, this morning I got my maintenance window ;) and switched over.
mDNS is enabled on iot and lan vlans
Traffic rules to allow traffic from lan/iot net -> firewall (5353/udp)
and everything *seems* to work - I see the mdns traffic from my iot devices coming in on my lan.
-
Interesting. So what’s the destination for those firewall rules? 224.0.0.251 or firewall IP?
-
They're pointing at the multicast addresses. Sorry, that was less than clear.
-
I run two VLANs over a lagg/trunk port to a Cisco switch and mDNS works for me. I do have rather permissive "pass all" rules between those two VLANs, though. So I cannot tell you what traffic precisely to allow. I use os-mdns-repeater.
Bonjour uses multicast predominantly. If your rules are not based on interfaces alone but also networks, probably something is missing.
Although this does not help much - I guess the information that os-mdns-repeater generally works is still valuable.
HTH,
Patrick
-
Thanks both for your responses.
This is quite the mystery. Doing a package capture on OPNsense (the VLAN10 and VLAN49 interfaces) actually shows what appears to be the repeater working - for example, a multicast packet from an Apple TV in VLAN49 to the VLAN49 interface does appear to be repeated in VLAN10 (with the VLAN10 IP of OPNsense being the source). At least that is the case for IPv4 (224.0.0.251); IPv6 (ff02::fb) does not appear to be repeated.
I'm still though seeing all kinds of strange and inconsistent behaviour on devices, which I won't bore you with.
I have tried a permissive rule in the firewall, allowing all traffic from VLAN49 to anywhere, just for testing. It didn't make a difference.
I wonder now whether it's not OPNsense but rather the other elements in the network - particularly APs, but maybe switches - that could be having an effect (if so, damn you Ubiquiti!). It's odd because with the same switches and APs with the USG as the router, I had greater success with mDNS repeating usually working.
I guess I will keep testing different configurations, and hoping the others in the forum may have insights too.
-
Just set this up myself, there are a few Unifi-isms, I'm running:
3 x Unifi AC AP Pros
1 x Unifi Pro 48 Port Gen2 switch
1 x Unifi Pro 24 Port POE Gen2 switch
A number of Flex and Flex Mini switches
- Firstly, firmware 4.3.20 is key for me. On APs and switches. .21 and .22 caused all sorts of havoc. I shall be staying on this firmware version
- Firewalls rules as you have above, destination 224.0.0.251, UDP, port 5353, inbound all VLANs you want to repeat
- Enable 'Multicast Enhancement' on each wifi network that you have mDNS repeater setup for on the Unifi controller (Settings -> Wifi - > Edit -> Advanced
- Enable IGMP Snooping on the Unifi for each VLAN/profile setup with mDNS (Settings -> Advanced Features ->Network Isolation -> Edit)
- I had to allow all traffic BACK from my AppleTVs, to the streaming devices (iphones, computers). I think the port range is huge, so I decided to create 2 groups and allow all traffic between them. Airport express seemed to work ok without this, but I believe AppleTV needs to be able to initiate connections back to the iPhone, computer, etc.
.. think that's it
-
Thanks. Are any of your APs on uplinks? I think the uplink on 5GHz is where it breaks.
I am also on 4.3.20 and previously had IGMP snooping enabled but not multicast enhancement. Will give that a try.
I don’t have any relevant firewall rules for the Apple TVs because I am not seeing anything being blocked in the firewall logs. And previously when troubleshooting I opened up the relevant VLAN entirely back to my main VLAN without any effect.
-
No, only iPhones / computers on WiFi - everything else cabled.
-
Yeah, figured as much given you have that many switchports lol. I’d love to do the same, but retrofitting in my house is an expensive PITA
-
Not so much the cabling - Sparks can turn a ceiling into swiss-cheese to thread cables pretty quickly (in my experience)... it's more the plastering etc that follows!
Thankfully, we did it before we moved in. Ummmed and ahhhed at the time, over whether to destroy the place or not. But now, completely worth it :)
-
Something else, whilst I remember, Fast Roaming on the wifi network settings, broke it as well when enabled.
... network Auto Optimise probably will as well, as I believe that restricts Multicast in some way.
-
Yep, have always steered well clear of those
-
Started getting a weird, perhaps similar problem to you, on 4.3.20...
Out of the 3 APs, after a few days, one would randomly stop passing multicast traffic - devices wouldn't see the Airplay announcements - port mirroring I could see it leaving the switch, but devices connected to an impacted AP did not see it. Restarting the AP recovered things, for a few days.... then another AP would be impacted.
So far, downgrading APs to 4.0.80 again it hasn't happened again... yet anyway :)
-
I'm seeing this kind of behaviour too... odd. Still on the latest firmwares.
-
4.3.20 was supposed to fix....
[UAP] Fix intermittent multicast packet loss on static VLANs.
Seems likely that it didn't - airplay problems have not reoccurred since downgrading to 4.0.80 :)
4.0.80 still seems to be solid for me, even though the 'experience' scores for various devices are 'wonky' on this version, the actual wireless connection seems to be sound on all devices. I was on this before going to the 4.3.x branch... which seems to have been a bit of a disaster generally.
4.3.20 still seems to be ok for me on switches, however, no outstanding issues/problems there for me.
-
Well, blow me down - having changed nothing in my network over the last week, today I am seeing all mDNS traffic from my IoT VLAN in my main VLAN. What the?!
Let's see if it lasts.
-
In case you still see issues, you might want to take a look at the latest official firmware for the APs:
https://community.ui.com/releases/UAP-Firmware-4-3-26-11358/e05cd041-ea54-460c-85f4-7f3fd97261e8
[UAP-G2] Fix intermittent broadcast and multicast packet drop on gen2 APs, introduced in 4.3.24. This impacted users with non-UniFi DHCP servers which use broadcast for DHCP, along with IoT devices that rely on multicast for discovery.
-
I did see that, but read it as fixing an issue introduced in a version released recently. Anyway, fingers crossed but so far mDNS traffic is still being passed between VLANs on my existing firmware (4.3.20)
-
For me it atleast worked for solving my ARP traffic issue ;)
Edit: nope. Spoke too soon
-
Just set this up myself, there are a few Unifi-isms, I'm running:
3 x Unifi AC AP Pros
1 x Unifi Pro 48 Port Gen2 switch
1 x Unifi Pro 24 Port POE Gen2 switch
A number of Flex and Flex Mini switches
- Firstly, firmware 4.3.20 is key for me. On APs and switches. .21 and .22 caused all sorts of havoc. I shall be staying on this firmware version
- Firewalls rules as you have above, destination 224.0.0.251, UDP, port 5353, inbound all VLANs you want to repeat
- Enable 'Multicast Enhancement' on each wifi network that you have mDNS repeater setup for on the Unifi controller (Settings -> Wifi - > Edit -> Advanced
- Enable IGMP Snooping on the Unifi for each VLAN/profile setup with mDNS (Settings -> Advanced Features ->Network Isolation -> Edit)
- I had to allow all traffic BACK from my AppleTVs, to the streaming devices (iphones, computers). I think the port range is huge, so I decided to create 2 groups and allow all traffic between them. Airport express seemed to work ok without this, but I believe AppleTV needs to be able to initiate connections back to the iPhone, computer, etc.
.. think that's it
Sorry to revive an old thread but am trying to get this working for myself. I have recently made the switch from pfSense to OPNSense and am trying to get my AirPrint to work across VLANS. I also am running UniFi AP's and switches, so have turned on the features you mentioned on those items.
My printers are on a IOT VLAN (103) with IPs 10.103.0.0/24
I have a LAN network with IPS 10.1.0.0/23
I have a Guest VLAN (102) with IPs 10.102.0.0/24
I have activated os-mdns-repeater and have it listening on the LAN, IOT and Guest interfaces. I can see and print to the printers from my LAN, which has access to all the other VLANs. The IOT and Guest VLAN has rules blocking anything originating on those nets to the LAN net.
I am trying to get my Guest net to also see and print to the IOT printers, but AirPrint fails to discover them. I am sure it is a Firewall rule, but am having a hard time understanding the discussions I come across that discuss the rules. In particular from your post:
Firewalls rules as you have above, destination 224.0.0.251, UDP, port 5353, inbound all VLANs you want to repeat
I am not following what this means. Can you please show me a shot from your rules table with these rules so I can decipher what I need to set. Where does this rule get placed?
Thank you!
-
Hello,
found this thread as i have also the issue with Multicast. Also related to the Rules im not sure if i have configured them correctly?
I hope someone could have a short look, and let me know, if they are correct or not :)
Thx!