OPNsense Forum

Archive => 16.1 Legacy Series => Topic started by: Julien on July 17, 2016, 12:11:19 pm

Title: [SOLVED] Routing apple Bonjour
Post by: Julien on July 17, 2016, 12:11:19 pm
Hi Guys,
After I replaced our Cisco with OPNsense, our Bonjour printers stopped working and we can't detect them on the network.
The printers are online and reachable.
Can someone please point me to how to enable Bonjour services on the firewall?
Firewall rules are any to any on each interface.
Title: Re: Routing apple Bonjour
Post by: bartjsmit on July 17, 2016, 02:34:55 pm
Bonjour uses UDP 5353. Check your log for denies?

Bart...
Title: Re: Routing apple Bonjour
Post by: cbb09 on July 17, 2016, 04:35:05 pm
Quote
Hi Guys,
After I replaced our Cisco with OPNsense, our Bonjour printers stopped working and we can't detect them on the network.
The printers are online and reachable.
Can someone please point me to how to enable Bonjour services on the firewall?
Firewall rules are any to any on each interface.

OPNsense probably routes just fine, but your computers on the other networks/interfaces don't know that the printers are there, since Bonjour uses multicast to advertise the services and this doesn't traverse from one network to the other.

I have an Ubuntu server VM that runs my ancillary network services, incl. avahi, which can be configured as a Bonjour reflector, i.e. it receives the multicast advertisements on one network and mirrors them on the other. For that to work, the VM needs to see all networks that need Bonjour.

You can alternatively also use a Raspberry Pi if you work with VLANs. The RPi can be configured to be VLAN-aware.

I've tried to get avahi running directly on my OPNsense box, and while I can get it compiled and installed, I can't get the reflector function working there. It would be great to have a plug-in for avahi in OPNsense.
Title: Re: Routing apple Bonjour
Post by: fabian on July 17, 2016, 05:51:10 pm
This issue is fixable:

Yes it is in the man page: http://linux.die.net/man/5/avahi-daemon.conf
And it is in the ports: https://github.com/opnsense/ports/tree/master/net/avahi

Maybe Franco can build the package for you.

Kind regards

Fabian
Title: Re: Routing apple Bonjour
Post by: franco on July 17, 2016, 10:30:45 pm
For the moment, the avahi dependencies are just too much for our builds. You'll have to build this on your box.
Title: Re: Routing apple Bonjour
Post by: Alphabet Soup on July 18, 2016, 04:53:29 am
Probably way beyond what you want to do, but if you control DNS you can also populate that with Bonjour records. In my experience it doesn't work for AirPlay, but AirPrint does fall back to regular unicast DNS lookups to discover and browse printers. Pro: avoids all the multicast propagation; gives you centralized control over the printer name/location fields. Con: a bit of work to set up; your DNS may not allow dynamic updates, which will prevent new printers being plugged in from automatically appearing to your users (this is actually a Pro for me).

An ugly-page quick guide:
http://www.dns-sd.org/ServerStaticSetup.html

More info at:
https://developer.apple.com/library/mac/documentation/Cocoa/Conceptual/NetServices/Introduction.html
Title: Re: Routing apple Bonjour
Post by: Zeitkind on July 18, 2016, 04:53:19 pm
Besides all those problems with multicast routing, I strongly recommend giving all printers and servers static IPs and putting them into DNS as well.
Bonjour, or better multicast DNS, is designed to work inside a broadcast domain - just like good old AppleTalk did. If it worked before, the Cisco did multicast routing - which is normally a bad idea in most places. Acronis has a quite nice intro to this: https://kb.acronis.com/sites/default/files/content/2013/01/39490/wanbonjour_1.pdf
Title: Re: Routing apple Bonjour
Post by: cbb09 on July 19, 2016, 03:03:50 am
You could compile mdns-repeater. It's in the OPNsense ports net repo. It's much less of a dependency hell than avahi.

It works well, i.e. it takes mDNS broadcasts on one interface and repeats them on the others. The only downside is that it doesn't gather all existing advertised services by pinging them when you start it, but rather only relays the broadcasts when they happen. So as long as you can get the printer to re-advertise its service, it should work.

Avahi polls the interfaces and repeats the results on all configured interfaces, i.e. it's a bit less cumbersome.
Title: Re: Routing apple Bonjour
Post by: franco on July 19, 2016, 02:07:45 pm
mdns-repeater seems like a good utility to add to the package builds, thanks!
Title: Re: Routing apple Bonjour
Post by: Julien on July 20, 2016, 04:40:00 pm
The printers are not working because it's a DNS issue?
Our users are suffering from this, and we are deciding to take OPNsense offline and put the Cisco back.
I can't seem to find a solution for this.
Can someone advise what to do to get this working?
bartjsmit, would opening the ports on the LAN make it work?

Thank you guys
Title: Re: Routing apple Bonjour
Post by: Zeitkind on July 20, 2016, 05:27:33 pm
If you set up a printer on any OS, you define how the printer will be reached.
You can either define an IP address (LPR, RAW etc.) or a Windows-like print server; USB printers are normally configured automatically (if a driver was found).
But: if you add a new printer on OS X, the default window will first show all printers that the Mac has automatically detected. This is done by using Bonjour, so all printers that show up there are shouting their IP into the local network segment (it's multicast) and advertise themselves this way - somehow similar to UPnP. The printers use some kind of individual name, normally "printer type + MAC address" if not set up otherwise. If you have a big network (i.e. big multicast domain), the list can be quite long and the printer names are often WTF-is-this-damn-printer-like useless. The info a Bonjour printer has to offer is like: "My name is HP Laserjet#67AE56BE33 and I offer LPR, RAW and IPP on my IP address a.b.c.d". So it doesn't matter which IP it has, users can take this name and a Mac will resolve the IP by the Bonjour info it got. If the IP changes, the Bonjour info will change and the Mac will use the new IP.
But: Normally, a printer should have a static IP and a hostname and you add the printer by IP and not by its Bonjour name. This is only useful in very small networks with no admins that configure printers properly and where the printers get their IPs by DHCP.
So - your users have selected printers outside their broadcast domain by their Bonjour names. This is a bad idea, because Bonjour is intended to be used only in a local network segment. What they should have done (or better, their admin..) is selecting a printer by either its IP or its hostname. Your Cisco routed multicast packets (or used a Bonjour-proxy-like way, no idea, stopped using Cisco 15 years ago) so that all Macs were able to see Bonjour packets from outside their multicast domain. This is not the way it was supposed to work, but well, yes, you can do it.
To do: Check if those printers have static IPs and configure them on the Macs with either IP or hostname. Do not use Bonjour names for anything (Bonjour can be used to advertise any service) that is outside a broadcast domain.
Or: Use a proxy for Bonjour multicasts. Not my way to do this, but it also works.
Or: Enable multicast routing. Worst way.
Title: Re: Routing apple Bonjour
Post by: Julien on July 20, 2016, 08:10:15 pm
Zeitkind, thank you for your answer and your explanation.
The issue is that after we installed OPNsense the printers don't show up for the Mac users; we have to specify the IP address to get it to work.
We never thought about iPad users who need to print using their iPad.
We have a domain controller with some file shares and users.
Because the Mac is a pain in the ass to add to the DS, we started sharing DHCP using OPNsense as gateway and DNS in the DHCP scope.
Maybe this is related to the issue?
In many pfSense and Cisco installations the printers work out of the box without any configuration.
Would editing the scope with the domain controller as DNS and forwarding the DNS requests to the firewall fix this?
Would adding the printer to the domain controller and sharing it over the network fix this?
Thank you for your fast answers

I see that Bonjour uses UDP port 5353;
would creating a firewall rule on the group VLAN Any: to UDP 5353 make it work?
I hope someone can help us here before we are forced to remove the OPNsense firewall.
Title: Re: Routing apple Bonjour
Post by: Zeitkind on July 21, 2016, 12:28:55 am
Well, you have to understand that all Bonjour services are bound to the local network segment. So if you have different LAN segments, the Macs won't see Bonjour services outside their own segment. It's just not intended to work that way, because otherwise those Bonjour services would flood all networks. mDNS/Bonjour was an idea to simplify networks for users in small companies and is kinda like the old AppleTalk before, just plug and play.
But if you have a routed network, Bonjour messages will simply get dropped at the next hop because they are multicast - which only works in a local network segment. In such a case you need to set up a fixed IP address (and DNS would be nice too) for printers which need to be accessible from outside their own segment, i.e. broadcast domain. If you use VLANs it may be even worse, because you will split a simple subnet into a bunch of individual broadcast domains. So those machines share the same subnet, but not the same broadcast domain. The simplest way may be using a Bonjour proxy which mirrors all Bonjour advertisements to all or selected networks. Not the way mDNS is intended to work, but who cares. But it's still some kind of a hack, because best practice would be setting up a fixed IP and a DNS entry for all services that need to be accessed and configuring them on the client machines. But: if we talk about the little Apple things aka iPhone and iPad, we have another problem called "AirPrint", which is a modified version of IPP mixed with Bonjour. It also works inside a local network only..
https://en.wikipedia.org/wiki/AirPrint
So, if we do not talk about Macs (only) but iPads and iPhones, well, mdns-repeater is the best shot I guess.
Title: Re: Routing apple Bonjour
Post by: cbb09 on July 21, 2016, 12:35:37 am
Quote
Zeitkind, thank you for your answer and your explanation.
The issue is that after we installed OPNsense the printers don't show up for the Mac users; we have to specify the IP address to get it to work.
We never thought about iPad users who need to print using their iPad.
We have a domain controller with some file shares and users.
Because the Mac is a pain in the ass to add to the DS, we started sharing DHCP using OPNsense as gateway and DNS in the DHCP scope.
Maybe this is related to the issue?
In many pfSense and Cisco installations the printers work out of the box without any configuration.
Would editing the scope with the domain controller as DNS and forwarding the DNS requests to the firewall fix this?
Would adding the printer to the domain controller and sharing it over the network fix this?
Thank you for your fast answers

I see that Bonjour uses UDP port 5353;
would creating a firewall rule on the group VLAN Any: to UDP 5353 make it work?
I hope someone can help us here before we are forced to remove the OPNsense firewall.

As I said, mdns-repeater could help. I just looked at the ports Makefile and it looks like it doesn't require any dependencies. I will build it from source in my FreeBSD build environment and it might just be one binary file. I will quickly test it on my OPNsense box and if it works, I can send you the binary. It could be as easy as scp-ing the file to your machine and running it with the interfaces you want mDNS broadcasts to be reflected to/from.
Title: Re: Routing apple Bonjour
Post by: Julien on July 21, 2016, 12:43:31 am
Guys, you rock if you help me get this fixed.
To answer the questions about Macs and VLANs:
I have a printer on VLAN 20 and a Mac on VLAN 20, but it still can't find the printer; I have to add it with the IP.
VLAN 20 is 10.20.10.0/24, the printer VLAN, and the users are on VLAN 30, 10.30.10.0/24.
So the printer IP is
10.20.10.129
255.255.255.0
10.20.10.1 DNS/Gateway

The iPad user is 10.30.10.120 / 255.255.255.0 / 10.30.10.1 DNS, Gateway

The DC and file server is 10.20.10.20 / 255.255.255.0 / 10.20.10.1 Gateway, 127.0.0.1 DNS

So would configuring the DHCP of each VLAN to have DNS 10.20.10.20 as primary DNS and sharing the printer from that server AirPrint the printer to the iPad users?

Would having the printer on the LAN IP fix it?
I have a LAN physical NIC, 192.168.1.0/24; on that physical interface I have created the VLANs.
Everything routes over LAN as I understand it, so it should be a routing issue.

Thank you
Title: Re: Routing apple Bonjour
Post by: Zeitkind on July 21, 2016, 03:07:50 am
As said before, it's not a problem of routing. It's a problem of packets not getting routed because they are not routable, because they are multicast.
If a Mac has a printer set up via Bonjour, it will need these multicasts a lot of the time, repeatedly, just like UPnP. If the printer is set up via IP, it doesn't need anything till this IP changes. If it is set up via a DNS hostname, it will need a DNS server but will cope with changing IPs.
So, the best way is to use DNS names. Second, IPs. Third - and only in its local broadcast domain - Bonjour.
But: AirPrint is a different beast, because it needs Bonjour & IPP and a printer capable of AirPrint. There are apps out there to get normal print servers to behave like AirPrint etc., but they still need to be in the Bonjour multicast domain. So, for iPad and iPhone the best way will be a proxy that pushes all Bonjour packets into all LAN segments that need mDNS. It's not nice, but works. Windows DNS server is a pita and you do not want to fill it with SRV mDNS records.

https://www.ietf.org/rfc/rfc6762.txt
https://tools.ietf.org/html/rfc6763
Title: Re: Routing apple Bonjour
Post by: cbb09 on July 21, 2016, 03:15:58 am
See the mdns-repeater binary attached. This has been built from source against FreeBSD 10.3 and I confirm that it works on OPNsense 16.7. Transfer the file to your OPNsense installation (I tend to put these "add-ons" in a newly created /opt directory).

Run the binary: mdns-repeater <interface 1> <interface 2> <etc>. I noticed that using the "-f" option outputs debugging information only on monitors and not on console or shell, ie. you won't see it if you are connecting to OPNsense e.g. via ssh, but it works.
Title: Re: Routing apple Bonjour
Post by: franco on July 21, 2016, 09:29:07 am
With 16.1.19 you can install from the repository:

# pkg install mdns-repeater

The package will also be in the final 16.7 release next week.
Title: Re: Routing apple Bonjour
Post by: Julien on July 21, 2016, 09:51:35 am
Thank you guys,
The package is installed

Quote
Proceed with this action? [y/N]: y
Fetching mdns-repeater-1.10_2.txz: 100%   12 KiB  12.6kB/s    00:01
Checking integrity... done (0 conflicting)
[1/1] Installing mdns-repeater-1.10_2...
[1/1] Extracting mdns-repeater-1.10_2: 100%
root@firewall:~ #

I have 3 LANs; one LAN is up with 5 VLANs.

mdns-repeater <interface 1>  how do I know which interface is LAN1?
Or run the command:
mdns-repeater lan ?

When I run the command I get the below error:
root@firewall:~ # mdns-repeater <interface 1>
Missing name for redirect.
root@firewall:~ #

Thank you
Title: Re: Routing apple Bonjour
Post by: cbb09 on July 21, 2016, 07:26:43 pm
Go to "Interfaces" > "Assignments". It should show you which interface is linked to which physical port.

LAN could be ethX or emX, VLAN interfaces usually have "_vlanXX" added to their host interface. So let's say you have LAN at eth0 and VLAN20, you would enter:

mdns-repeater eth0 eth0_vlan20

Title: Re: Routing apple Bonjour
Post by: Julien on July 21, 2016, 07:42:38 pm
Quote
Go to "Interfaces" > "Assignments". It should show you which interface is linked to which physical port.

LAN could be ethX or emX, VLAN interfaces usually have "_vlanXX" added to their host interface. So let's say you have LAN at eth0 and VLAN20, you would enter:

mdns-repeater eth0 eth0_vlan20
Thank you for your answer.
The interface is em0, so I've linked all production VLANs to mdns-repeater:
mdns-repeater em0 em0_vlan20 em0_vlan10 em0_vlan30 em0_vlan40 em0_vlan60
The command doesn't show any error.
Does it mean that AirPrint should now start working whenever the user is on one of those VLANs?
Title: Re: Routing apple Bonjour
Post by: cbb09 on July 21, 2016, 09:33:02 pm
Quote
Go to "Interfaces" > "Assignments". It should show you which interface is linked to which physical port.

LAN could be ethX or emX, VLAN interfaces usually have "_vlanXX" added to their host interface. So let's say you have LAN at eth0 and VLAN20, you would enter:

mdns-repeater eth0 eth0_vlan20
Thank you for your answer.
The interface is em0, so I've linked all production VLANs to mdns-repeater:
mdns-repeater em0 em0_vlan20 em0_vlan10 em0_vlan30 em0_vlan40 em0_vlan60
The command doesn't show any error.
Does it mean that AirPrint should now start working whenever the user is on one of those VLANs?

It should! Let us know if it worked.
Title: Re: Routing apple Bonjour
Post by: Julien on July 22, 2016, 09:34:32 am
Thank you guys,
unfortunately the issue is not solved yet.
I just had an iPad and I couldn't detect a printer to print with.
When I run the debug to check the log, I receive the below.

root@firewall:~ # mdns-repeater -f
mDNS repeater (version 1.10)
Copyright (C) 2011 Darell Tan

usage: mdns-repeater [ -f ] <ifdev> ...

<ifdev> specifies an interface like "eth0"
packets received on an interface is repeated across all other specified interfaces
maximum number of interfaces is 5

 flags:
        -f      runs in foreground for debugging
        -p      specifies the pid file path (default: /var/run/mdns-repeater.pid)
        -h      shows this help

mdns-repeater: error: at least 2 interfaces must be specified
root@firewall:~ #
Title: Re: Routing apple Bonjour
Post by: cbb09 on July 22, 2016, 09:02:08 pm
"-f" does not give you debug information on a running session but rather specifies that you want debug information on the new session you are starting.

Kill the running mdns-repeater session (killall mdns-repeater)

Then restart with all the interfaces as before and append "-f".
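To make cbb09's kill-and-restart step repeatable, here is an added shell wrapper (not from the thread or the mdns-repeater project). It validates the interface list against the limits in the help text quoted above (at least two, at most five interfaces; note that the em0 plus five VLAN command earlier in the thread lists six), rejects a literally typed placeholder such as "<interface 1>", and restarts mdns-repeater with -f in front of the interfaces as the usage line shows. The interface names and the killall step are the ones used in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the mdns-repeater project): a small
# wrapper that checks an interface list against the limits printed by
# "mdns-repeater -h" earlier in the thread (at least 2, at most 5 interfaces)
# and against the OPNsense device naming shown there (em0, em0_vlan20),
# then restarts the repeater the way cbb09 describes: stop the running
# instance, start a new one, optionally in the foreground with -f.

# check_ifaces IFACE... : return 0 when the list is acceptable, 1 otherwise.
check_ifaces() {
    n=$#
    if [ "$n" -lt 2 ]; then
        echo "error: at least 2 interfaces must be specified (got $n)" >&2
        return 1
    fi
    if [ "$n" -gt 5 ]; then
        echo "error: mdns-repeater accepts at most 5 interfaces (got $n)" >&2
        return 1
    fi
    for ifn in "$@"; do
        # Only letters, digits, "_" and "." are allowed in a device name.
        # This also rejects a literally typed placeholder such as
        # "<interface 1>", whose "<" the shell otherwise treats as an input
        # redirection ("Missing name for redirect." in csh).
        case "$ifn" in
            "" | *[!A-Za-z0-9_.]*)
                echo "error: bad interface name: $ifn" >&2
                return 1
                ;;
        esac
    done
    return 0
}

# restart_repeater [-f] IFACE... : kill any running instance and start a new
# one. Per the usage line quoted above, -f goes before the interface list.
restart_repeater() {
    fg=""
    if [ "$1" = "-f" ]; then
        fg="-f"
        shift
    fi
    check_ifaces "$@" || return 1
    killall mdns-repeater 2>/dev/null
    mdns-repeater $fg "$@"
}

# Usage on the firewall: restart_repeater -f em0 em0_vlan20 em0_vlan30
```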
Title: Re: Routing apple Bonjour
Post by: Julien on July 23, 2016, 11:49:16 am
Do I have to do this every time the firewall has been rebooted?

Do you mean run the command again to add the interfaces to the mdns with the below command?

mdns-repeater em0 em0_vlan20 em0_vlan10 em0_vlan30 em0_vlan40 em0_vlan60 -f

I just saw that 16.1.20 is out; is this ok to install?
Title: Re: Routing apple Bonjour
Post by: Zeitkind on July 23, 2016, 12:10:58 pm
Quite sure you also have to allow the incoming packets to arrive in the firewall section.
5353    UDP    Multicast DNS (MDNS)  mdns Bonjour, AirPlay, Home Sharing, Printer Discovery, Back to My Mac
to 224.0.0.251 and v6 FF02::FB
https://support.apple.com/en-us/HT202944
You also need to open the ports for IPP, RAW, LPR etc. to allow printing then.
Title: Re: Routing apple Bonjour
Post by: Julien on July 23, 2016, 12:39:51 pm
Thank you Zeitkind for your continued support.
Can you please point me to where to open the ports? I am blocking the RFC 1918 networks and Reserved/not assigned by IANA; would that affect AirPrint? I see that AirPrint uses RFC port 3927.

Much appreciated
Title: Re: Routing apple Bonjour
Post by: Zeitkind on July 23, 2016, 08:10:57 pm
Just think about one possible connection as an example and think about what is all involved.
1. The printer sends out its propagation into its local subnet using mDNS.
2. The proxy running on the firewall takes this information and sends it out into all other LANs.
3. The mobile device takes this information (IP and service propagated) and then tries to connect to this IP and the port the service runs on (e.g. LPR or IPP).

So, if you have separated VLANs with restricted traffic, you need to allow all those packets to get through the filters. That also means that a printer with a dynamic IP isn't really a good idea, because you need pinholes through the firewall to allow this printer to be used from outside its network/VLAN. So either you have to open the firewall like "allow LPR from any to any" or you "allow LPR from any to <IP of printer>" - and a changing IP of the printer will be a little pita.. ^^
I'm quite sure that your firewall is blocking too much. Check if
1. you see the Bonjour packets from other subnets and
2. you can connect to the printer service (IPP, LPR or whatever it offers)
Title: Re: Routing apple Bonjour
Post by: Julien on July 23, 2016, 09:42:02 pm
Quote
Just think about one possible connection as an example and think about what is all involved.
1. The printer sends out its propagation into its local subnet using mDNS.
2. The proxy running on the firewall takes this information and sends it out into all other LANs.
3. The mobile device takes this information (IP and service propagated) and then tries to connect to this IP and the port the service runs on (e.g. LPR or IPP).

So, if you have separated VLANs with restricted traffic, you need to allow all those packets to get through the filters. That also means that a printer with a dynamic IP isn't really a good idea, because you need pinholes through the firewall to allow this printer to be used from outside its network/VLAN. So either you have to open the firewall like "allow LPR from any to any" or you "allow LPR from any to <IP of printer>" - and a changing IP of the printer will be a little pita.. ^^
I'm quite sure that your firewall is blocking too much. Check if
1. you see the Bonjour packets from other subnets and
2. you can connect to the printer service (IPP, LPR or whatever it offers)
Thank you for your answer,
The scenario is: I have 4 VLANs attached to em1.
I've grouped the 4 VLANs and em1 as one interface, so there is no block between the VLANs.
We have a similar situation on pfSense and Cisco and it works fine. I understand Cisco is routing the traffic between the VLANs. But pfSense is the same as OPNsense? The traffic should be allowed between the interfaces and VLANs? No rules are needed because the allow any to any is on top of the VLANs.
Please correct me if I am wrong, I am just trying to understand this.
Title: Re: Routing apple Bonjour
Post by: cbb09 on July 23, 2016, 11:05:29 pm
I think we need to solve the problem of not detecting the AirPrint printers first. Regardless of your firewall settings, the iPads on the other VLANs should be able to see them via mdns-responder. They might have issues connecting, but they should detect them.

An alternative to mdns-responder would be to use, say, a Raspberry Pi running avahi. You could connect the RPi to your switch and create a tagged trunk line from that port to the RPi. The RPi can be configured to be VLAN aware. Then configure avahi to run in reflector mode, specify the VLAN interfaces and Bob's your uncle. That's what I had running before moving to a VM.

It's easy.
Title: Re: Routing apple Bonjour
Post by: Zeitkind on July 23, 2016, 11:16:36 pm
Any to any is not really a setup I expect on VLANs.. why using them at all?
Anyway, did you check if you can see any mDNS offers on those VLANs? You can use Bonjour Browser or Wireshark.
Title: Re: Routing apple Bonjour
Post by: Julien on July 23, 2016, 11:57:23 pm
Quote
I think we need to solve the problem of not detecting the AirPrint printers first. Regardless of your firewall settings, the iPads on the other VLANs should be able to see them via mdns-responder. They might have issues connecting, but they should detect them.

An alternative to mdns-responder would be to use, say, a Raspberry Pi running avahi. You could connect the RPi to your switch and create a tagged trunk line from that port to the RPi. The RPi can be configured to be VLAN aware. Then configure avahi to run in reflector mode, specify the VLAN interfaces and Bob's your uncle. That's what I had running before moving to a VM.

It's easy.
If you can show me the way of doing this, I'll really appreciate it.
On Monday I'll ask the user about the printer using mdns-responder; if this is still not working we can try your Pi and avahi.
I am sure avahi is working fine with pfSense.
Can you advise how to install avahi and configure it on OPNsense?
I'll be grateful for having this fixed for our customer.
Title: Re: Routing apple Bonjour
Post by: franco on July 24, 2016, 12:58:01 pm
Hi Julien,

I don't want to step on your toes, but I fear that getting avahi up and running may be above your expertise. You've received a lot of valuable help and insight from this community and I do think hiring a local expert on the matter is going to be better for you in the long run. You seem to have reasons for wanting to migrate, it's a game of numbers and going back is probably not in favour of your numbers. The budget for migration was underestimated a bit from what I can gather.

Avahi can be built from our ports tree on any OPNsense itself and configured in a manner that is common for FreeBSD, although I fear that it costs you more money and user trust in OPNsense than is worth asking for every detail or step in this forum.

We are very glad to help out where we can, but keep in mind that your issues are not necessarily with OPNsense, but also your network design.


Cheers,
Franco
Title: Re: Routing apple Bonjour
Post by: cbb09 on July 24, 2016, 04:41:14 pm
Quote
Any to any is not really a setup I expect on VLANs.. why using them at all?
Anyway, did you check if you can see any mDNS offers on those VLANs? You can use Bonjour Browser or Wireshark.

I agree, but there are situations where this makes sense. In my case, for example, I have a VLAN that uses an OpenVPN client on the firewall and as such a different gateway. It can still talk to my other VLANs.
Title: Re: Routing apple Bonjour
Post by: cbb09 on July 24, 2016, 05:04:29 pm
Quote
I think we need to solve the problem of not detecting the AirPrint printers first. Regardless of your firewall settings, the iPads on the other VLANs should be able to see them via mdns-responder. They might have issues connecting, but they should detect them.

An alternative to mdns-responder would be to use, say, a Raspberry Pi running avahi. You could connect the RPi to your switch and create a tagged trunk line from that port to the RPi. The RPi can be configured to be VLAN aware. Then configure avahi to run in reflector mode, specify the VLAN interfaces and Bob's your uncle. That's what I had running before moving to a VM.

It's easy.
If you can show me the way of doing this, I'll really appreciate it.
On Monday I'll ask the user about the printer using mdns-responder; if this is still not working we can try your Pi and avahi.
I am sure avahi is working fine with pfSense.
Can you advise how to install avahi and configure it on OPNsense?
I'll be grateful for having this fixed for our customer.

There's a pkg for pfSense, but on OPNsense you need to build it from source from the ports. Avahi needs a build environment and a lot of dependencies and is rather difficult to build if you don't do this all the time.

For the RPi:

1. get a Raspberry Pi B+ 1, 2 or 3
2. Install Raspbian as per www.raspberrypi.org, use the raspbian-lite image
3. Create a trunk port on your network switch with LAN and all VLANs that need mDNS
4. Connect your RPi to that port
5. SSH into your Pi (default setting is DHCP so you should be able to find the IP in your DHCP server listing)
6. Update and upgrade: sudo apt update && sudo apt upgrade
7. Install vlan and avahi: sudo apt install vlan avahi-daemon
8. edit /etc/network/interfaces:
auto lo
iface lo inet loopback

auto eth0
allow-hotplug eth0
iface eth0 inet dhcp
        post-up ifup eth0.XX [add one line per VLAN, XX is the VLAN ID]

iface eth0.XX inet dhcp [add one stanza per VLAN]
9. edit the following lines in /etc/avahi/avahi-daemon.conf:

uncomment and edit:
allow-interfaces=eth0,eth0.XX [add all interfaces here, separated by ","]

enable-reflector=yes

10. reboot: sudo reboot

Should work.
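As an added example (not cbb09's own script), this POSIX shell generator fills in the "[add one line per VLAN]" placeholders from steps 8 and 9 above for a trunk interface and a list of VLAN IDs, validating each ID against the 802.1Q range; "eth0 20 30" is a constructed input matching the thread's VLAN20 and VLAN30.

```shell
#!/bin/sh
# Added example (not from the thread): generates the two Raspbian config
# fragments from the recipe above for a trunk interface and a list of VLAN
# IDs, so the "[add one line per VLAN]" placeholders are filled in
# consistently. "eth0 20 30" is a constructed input that matches the
# VLAN20/VLAN30 used in the thread.

# valid_vid ID : 0 if ID is an integer in the 802.1Q range 1..4094.
valid_vid() {
    case "$1" in
        "" | *[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# gen_interfaces TRUNK VID... : print /etc/network/interfaces with one
# 802.1Q sub-interface (TRUNK.VID) per VLAN, brought up after the trunk.
gen_interfaces() {
    trunk=$1
    shift
    for vid in "$@"; do
        valid_vid "$vid" || { echo "bad VLAN id: $vid" >&2; return 1; }
    done
    printf 'auto lo\niface lo inet loopback\n\n'
    printf 'auto %s\nallow-hotplug %s\niface %s inet dhcp\n' "$trunk" "$trunk" "$trunk"
    for vid in "$@"; do
        printf '        post-up ifup %s.%s\n' "$trunk" "$vid"
    done
    for vid in "$@"; do
        printf '\niface %s.%s inet dhcp\n' "$trunk" "$vid"
    done
}

# iface_list TRUNK VID... : the comma-separated list avahi should listen on.
iface_list() {
    trunk=$1
    shift
    list=$trunk
    for vid in "$@"; do
        list="$list,$trunk.$vid"
    done
    printf '%s\n' "$list"
}

# gen_avahi_conf TRUNK VID... : the avahi-daemon.conf settings that restrict
# avahi to the listed interfaces and make it mirror announcements between
# them (allow-interfaces lives in [server], enable-reflector in [reflector]).
gen_avahi_conf() {
    printf '[server]\nallow-interfaces=%s\n\n[reflector]\nenable-reflector=yes\n' \
        "$(iface_list "$@")"
}

# Usage on the Pi (as root):
#   gen_interfaces eth0 20 30 > /etc/network/interfaces
#   gen_avahi_conf eth0 20 30     # merge these lines into /etc/avahi/avahi-daemon.conf
```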

Title: Re: Routing apple Bonjour
Post by: Julien on July 24, 2016, 10:33:28 pm
Thank you Franco for your answer.
I believe we needed to think twice before migrating to OPNsense. The test went fine, but we didn't think about the Mac users and their AirPrint.
It's not about the design of the network; the design of the network is fine, as it's working fine with pfSense right now.
We've been forced to take the OPNsense firewall off the network.
I am continuing to ask on this forum to understand how OPNsense works, to decide whether to continue with it or not.
I appreciate every bit of support you guys provided.

This is how it's working on pfSense:

The em1 IP is 192.168.1.0/24
VLAN10 is 10.10.10.0/24, VLAN20 20.20.20.0/24
I've configured the printer IP to use the em1 subnet and not the VLAN subnets.
The IP is 192.168.1.100 and it's detectable from the VLANs and users can print.

Whenever I try the same with OPNsense it doesn't work; the firewall rules are the same as OPNsense, from the WAN and LAN side.

I am willing to fix this without any package.
So would having the users and the printers on the same VLAN make this work?
Title: Re: Routing apple Bonjour
Post by: franco on July 24, 2016, 11:33:25 pm
Hi Julien,

Which version, 2.3 or 2.2 or possibly both? See, we've learned something here. :)

Are you sure you're not missing vital info like the setup of IGMP-Proxy? A full working config would certainly help to spot this.


Cheers,
Franco
Title: Re: Routing apple Bonjour
Post by: Julien on July 24, 2016, 11:46:55 pm
Quote
Hi Julien,

Which version, 2.3 or 2.2 or possibly both? See, we've learned something here. :)

Are you sure you're not missing vital info like the setup of IGMP-Proxy? A full working config would certainly help to spot this.


Cheers,
Franco
Hi Franco,
The version is 2.3.1-RELEASE-p5 (amd64)
built on Thu Jun 16 12:53:15 CDT 2016
FreeBSD 10.3-RELEASE-p3

I can provide you the config, no problem; I've spent my Sunday in Germany rebuilding the OPNsense to pfSense.
We are willing to keep using OPNsense; for Windows users we have no issue with the other 4 customers, but those two Mac users became an issue.
If multicast is not working between the VLANs on OPNsense, and I managed to get those sales iPads and iPhones on the same VLAN as the printers, would this work?
What configs do you need? Let me know and I'll export them for you.
Title: Re: Routing apple Bonjour
Post by: franco on July 25, 2016, 12:38:18 am
I'll just need a working config from pfSense to look at. You can send it to: franco AT opnsense DOT org
Title: Re: Routing apple Bonjour
Post by: Julien on July 25, 2016, 08:50:19 am
Quote
I think we need to solve the problem of not detecting the AirPrint printers first. Regardless of your firewall settings, the iPads on the other VLANs should be able to see them via mdns-responder. They might have issues connecting, but they should detect them.

An alternative to mdns-responder would be to use, say, a Raspberry Pi running avahi. You could connect the RPi to your switch and create a tagged trunk line from that port to the RPi. The RPi can be configured to be VLAN aware. Then configure avahi to run in reflector mode, specify the VLAN interfaces and Bob's your uncle. That's what I had running before moving to a VM.

It's easy.
Thank you man for your continued support.
We have OPNsense at a local customer; I can go there and get mdns-responder configured.
I'll report back in 30 min.
Title: Re: Routing apple Bonjour
Post by: Julien on July 25, 2016, 10:51:17 am
Hi Guys,
I managed to get this fixed.
Let me explain what happened:
I have created a group of the production LAN and VLANS.
I've traced the AirPrint packets using Wireshark and figured out there was a deny rule.
So I checked the firewall rules and found out that the Productions interface doesn't have an Allow Any to Any, just on each interface.
Because on Pfsense it does work and OPNSENSE not, I compared the configuration and noticed the difference between the setup of Pfsense and Opnsense is the group of the Interfaces.
After I created any to any rules on the productions interface the printers show up on the iPads/iPhones.
Even the Bonjour services are working now.
I don't know if it works out of the box or the mdns-rep package does the job.

So to sum up:

It's working now, thank you guys for your support. And no 5353 UDP is open or NAT to the printer.
I am ready to provide any log/information needed to help you guys understand the idea behind it.

When creating a group of interfaces, do the rules on the interface side apply first, before the group firewall rules?

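bartjsmit's advice to check the log for denies and Julien's Wireshark trace both come down to the same check: which interface and rule are dropping UDP 5353 multicast. The following Python is an added example, not code from this thread or from OPNsense; it runs that check over constructed filterlog-style records, and the CSV field layout, rule numbers and interface names are assumptions.

```python
"""Find blocked mDNS (Bonjour) datagrams in OPNsense filterlog-style records.

The field layout is an assumption modelled on pf's filterlog CSV, and the
sample records below are constructed, not captured from anyone's firewall.
"""
import csv
from collections import Counter
from ipaddress import ip_address

MDNS_PORT = 5353
MDNS_GROUPS = {ip_address("224.0.0.251"), ip_address("ff02::fb")}

# Assumed layout: common prefix, then a tail that depends on the IP version.
COMMON = ["rulenr", "subrulenr", "anchor", "label", "iface", "reason",
          "action", "dir", "ipver"]
TAIL = {
    "4": ["tos", "ecn", "ttl", "id", "offset", "flags", "proto_id", "proto",
          "length", "src", "dst", "sport", "dport", "datalen"],
    "6": ["class", "flowlabel", "hlim", "proto", "proto_id", "length",
          "src", "dst", "sport", "dport", "datalen"],
}

# Constructed sample: two IPv4 and one IPv6 mDNS announcement blocked on a
# VLAN interface, one passed IPP packet, one blocked 5353 packet to a
# broadcast address (not the mDNS group, so it must not be counted).
SAMPLE_LOG = """\
5,,,1000000103,em1_vlan20,match,block,in,4,0x0,,255,0,0,DF,17,udp,153,192.168.20.31,224.0.0.251,5353,5353,133
5,,,1000000103,em1_vlan20,match,block,in,4,0x0,,255,0,0,DF,17,udp,121,192.168.20.31,224.0.0.251,5353,5353,101
5,,,1000000103,em1_vlan20,match,block,in,6,0x00,0x00000,255,udp,17,101,fe80::1c2a:9fff:fe3b:4d5e,ff02::fb,5353,5353,101
72,,,1000000104,em1_vlan20,match,pass,in,4,0x0,,64,0,0,DF,17,udp,60,192.168.20.31,192.168.1.10,49152,631,40
5,,,1000000103,em1_vlan10,match,block,in,4,0x0,,255,0,0,DF,17,udp,60,192.168.10.7,192.168.10.255,5353,5353,40
"""

def parse_record(line):
    """Map one CSV record to a dict; None for truncated or non-IP records."""
    fields = next(csv.reader([line]))
    if len(fields) < len(COMMON):
        return None
    rec = dict(zip(COMMON, fields))
    tail = TAIL.get(rec["ipver"])
    if tail is None or len(fields) < len(COMMON) + len(tail):
        return None
    rec.update(zip(tail, fields[len(COMMON):]))
    return rec

def is_blocked_mdns(rec):
    """True when pf blocked a UDP datagram to an mDNS multicast group on 5353."""
    if rec["action"] != "block" or rec["proto"] != "udp":
        return False
    try:
        dst = ip_address(rec["dst"])
    except ValueError:
        return False
    return dst in MDNS_GROUPS and rec["dport"] == str(MDNS_PORT)

def blocked_mdns_by_interface(log_text):
    """Count blocked mDNS datagrams per (interface, direction, rule number)."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line.strip())
        if rec and is_blocked_mdns(rec):
            counts[(rec["iface"], rec["dir"], rec["rulenr"])] += 1
    return counts

if __name__ == "__main__":
    for (iface, direction, rule), n in blocked_mdns_by_interface(SAMPLE_LOG).items():
        print(f"{iface} {direction} rule {rule}: {n} blocked mDNS datagram(s)")
```

A non-empty result names the interface and rule that need a pass for UDP 5353 to the multicast group; an empty result with printers still invisible points at the missing reflector instead.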
Title: Re: Routing apple Bonjour
Post by: cbb09 on July 25, 2016, 08:08:17 pm
Hi Guys,
I managed to get this fixed.
Let me explain what happened:
I have created a group of the production LAN and VLANS.
I've traced the AirPrint packets using Wireshark and figured out there was a deny rule.
So I checked the firewall rules and found out that the Productions interface doesn't have an Allow Any to Any, just on each interface.
Because on Pfsense it does work and OPNSENSE not, I compared the configuration and noticed the difference between the setup of Pfsense and Opnsense is the group of the Interfaces.
After I created any to any rules on the productions interface the printers show up on the iPads/iPhones.
Even the Bonjour services are working now.
I don't know if it works out of the box or the mdns-rep package does the job.

So to sum up:

It's working now, thank you guys for your support. And no 5353 UDP is open or NAT to the printer.
I am ready to provide any log/information needed to help you guys understand the idea behind it.

When creating a group of interfaces, do the rules on the interface side apply first, before the group firewall rules?

Glad you got this running. I think mdns-repeater does the trick, as even with any to any rules, broadcast packets get dropped.
Title: Re: Routing apple Bonjour
Post by: franco on July 25, 2016, 08:41:45 pm
Hi Julien,

I'm glad this got sorted. I'm marking it solved. :)

When creating a group of interfaces, do the rules on the interface side apply first, before the group firewall rules?

Floating rules are first (first batch), then come VPN types + Groups (together in second batch), afterwards all normal interface rules (third batch).


Cheers,
Franco
Title: Re: [SOLVED] Routing apple Bonjour
Post by: Julien on July 25, 2016, 09:12:16 pm
Guys a big thank you for this.
I am going to continue contributing on the community to share and learn.
Title: Re: [SOLVED] Routing apple Bonjour
Post by: LKaderavek on December 19, 2016, 10:10:48 pm
Hello Julien,
I'm looking for nearly the same solution to a printer problem... I want to discover printers from Windows and Mac clients and also mobile devices (smartphones and tablets).

In my environment the printers are on the LAN subnet.
I want to print over WiFi connections.

Printers connected over SMB from the print server can print and be managed inter-VLAN.

My interface configuration is as follows:
1xWAN
1xLAN (local subnet with servers, desktops and printers)
1x WIFI (Management-Interface for Access Points, Switches)
1x VLAN100 subinterface of WIFI
1x VLAN101 subinterface of WIFI
1x VLAN200 subinterface of WIFI (not allowed for printing)
1x VLAN300 subinterface of WIFI (not allowed for printing)

On which interface did you setup this Any-Any Rule?
On the LAN interface where the printers are??
Or did you setup a floating-rule?

I've already installed the mdns-responder package into the box and restarted.
I've tried to activate it for Port 53 and bind interfaces LAN, VLAN100 and VLAN101.
Also I set a floating rule from any to any.

Can you please provide me more information about your solution?

Thanks.

Lukas

Title: Re: [SOLVED] Routing apple Bonjour
Post by: LKaderavek on December 21, 2016, 11:46:14 pm
Hello,

since I've received no answer yet - I tried many configurations on my own.

By now I have installed mdns responder and started it for interfaces LAN, VLAN100 and VLAN101.
((Shall I start it every time we restart the appliance??))

I built up an interface group for LAN, VLAN100 and VLAN100.

And I setup an any-any rule in every interface to test.

At mdns I see the broadcasts from clients and printers get repeated correctly.

I'm sure I'm only a few steps away from a solution.

Can you provide me with screenshots of your rule-set or shall I post mine?

Thanks

Lukas
Title: Re: [SOLVED] Routing apple Bonjour
Post by: Julien on February 11, 2017, 10:20:41 pm
Hello,

since I've received no answer yet - I tried many configurations on my own.

By now I have installed mdns responder and started it for interfaces LAN, VLAN100 and VLAN101.
((Shall I start it every time we restart the appliance??))

I built up an interface group for LAN, VLAN100 and VLAN100.

And I setup an any-any rule in every interface to test.

At mdns I see the broadcasts from clients and printers get repeated correctly.

I'm sure I'm only a few steps away from a solution.

Can you provide me with screenshots of your rule-set or shall I post mine?

Thanks

Lukas
I am sorry for my late reply.
Have you fixed this or not yet?