mDNS Relay Issues with OPNsense and FritzBox Exposed Host Setup

Started by Tibor, October 24, 2024, 09:59:59 PM

Hi everyone,

I have a question, and I'm hoping someone can provide some insights regarding mDNS usage in the following setup:

- FritzBox with an exposed host configuration for the OPNsense WAN interface
- A printer connected on the LAN side
- mDNS repeater installed and configured on OPNsense

In this scenario, should the broadcast relay work between these two interfaces?

What I find odd is that when I capture traffic on the OPNsense WAN interface, I don't see any mDNS traffic. Could this be an issue with the FritzBox or the exposed host configuration?

I'd really appreciate any advice or input!

Thanks in advance.

Best regards, 
Tibor

I assume you mean that the WAN interface of OPNsense is connected to the FRITZ!Box's LAN?

You say "A printer connected on the LAN side" ... the LAN side of what? The FRITZ!Box or OPNsense?

Where is the mDNS client? How are you testing it?

I don't have a FRITZ!Box, but I wouldn't expect the "exposed host" function to do anything with multicast (don't know, though).

If you're expecting to receive mDNS on the WAN interface of your OPNsense box, you will need a firewall rule to allow it too.
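One way to answer "how are you testing it?" from a specific interface, as an added example that is not from the thread or from OPNsense itself: a small Python probe that sends an mDNS PTR query for `_ipp._tcp.local` to 224.0.0.251:5353 out of the interface that owns the given source address and parses the PTR answers that come back. The service name, `source_ip` and the timeout are assumptions; run it once from a host on the FRITZ!Box LAN and once from a host on the OPNsense LAN to see on which side the printer actually answers.

```python
import socket
import struct

MDNS_GROUP, MDNS_PORT, PTR = "224.0.0.251", 5353, 12   # mDNS group/port, PTR rrtype

def build_mdns_query(name: str) -> bytes:  # id 0, flags 0, one question, QU bit clear
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return struct.pack("!6H", 0, 0, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", PTR, 1)

def decode_name(pkt: bytes, off: int):
    """Decode a (possibly compressed) DNS name; return (name, offset after it)."""
    labels, end = [], None
    while pkt[off]:
        n = pkt[off]
        if n & 0xC0 == 0xC0:                       # compression pointer (RFC 1035 4.1.4)
            end = end if end is not None else off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(labels), (off + 1 if end is None else end)

def parse_ptr_answers(pkt: bytes):
    """Return PTR targets (service instance names) from the answer section of an mDNS response."""
    _, _, qd, an, _, _ = struct.unpack("!6H", pkt[:12])
    off, names = 12, []
    for _ in range(qd):                            # skip any echoed question (name + type + class)
        off = decode_name(pkt, off)[1] + 4
    for _ in range(an):
        off = decode_name(pkt, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])   # type, class, ttl, rdlen
        off += 10
        if rtype == PTR:
            names.append(decode_name(pkt, off)[0])
        off += rdlen
    return names

def probe(source_ip: str, service="_ipp._tcp.local", timeout=2.0):
    """Send the query out of the interface that owns source_ip (assumed) and collect answers."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)      # mDNS uses TTL 255
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF, socket.inet_aton(source_ip))
    s.settimeout(timeout)
    s.sendto(build_mdns_query(service), (MDNS_GROUP, MDNS_PORT))
    found = set()
    try:
        while True:
            found.update(parse_ptr_answers(s.recvfrom(4096)[0]))
    except socket.timeout:
        return sorted(found)
```

If the run from the OPNsense LAN lists the printer and the run from the FRITZ!Box LAN lists nothing, the problem is the crossing of the WAN interface (rules, NAT, or the repeater not binding to it), not the printer itself.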

Dear Dseven,

Thank you very much for your input.

To confirm, the OPNsense WAN interface is indeed connected to the LAN interface of the FritzBox, and the printer is connected to the LAN interface of the OPNsense. I attempted to locate the printer by connecting my iPad to the WLAN of the FritzBox and searching for printing devices.

I have also configured firewall rules to allow incoming traffic on the WAN interface:

    Source: FritzBox LAN address (port: any)
    Destination: mDNS IP and port.

This setup works successfully between two VLANs on the OPNsense; however, there's an issue when the OPNsense WAN interface is also involved.

Any additional insights or troubleshooting suggestions would be greatly appreciated.

Many thanks in advance!

Best regards

By "FritzBox LAN address", do you mean the individual IP address, or the subnet? I think it'd have to be the latter, as the multicast traffic would be sourced from the client (iPad).

You may also need to disable "Block [private/bogon] networks" on your OPNsense WAN interface, if applicable....

@Tibor

That looks like an out-of-the-box idea to me. You have NAT on WAN, right? I don't think the mDNS repeater can work with it. Also, mDNS was designed for local networks and, although it uses multicast, it does not work the same as IGMP.

Quote from: dseven on October 25, 2024, 12:02:43 PM
By "FritzBox LAN address", do you mean the individual IP address, or the subnet? I think it'd have to be the latter, as the multicast traffic would be sourced from the client (iPad).

You may also need to disable "Block [private/bogon] networks" on your OPNsense WAN interface, if applicable....

I mean the subnet, and yes, this option is disabled (block priv/bogon).

Quote from: Strator on October 25, 2024, 04:46:49 PM
@Tibor

That looks like an out-of-the-box idea to me. You have NAT on WAN, right? I don't think the mDNS repeater can work with it. Also, mDNS was designed for local networks and, although it uses multicast, it does not work the same as IGMP.

Yes, I have NAT on it. Do you mean that without NAT it could perhaps work?

Quote from: Tibor on October 25, 2024, 10:54:53 PM
Quote from: Strator on October 25, 2024, 04:46:49 PM
@Tibor

That looks like an out-of-the-box idea to me. You have NAT on WAN, right? I don't think the mDNS repeater can work with it. Also, mDNS was designed for local networks and, although it uses multicast, it does not work the same as IGMP.

Yes, I have NAT on it. Do you mean that without NAT it could perhaps work?

Well, there is also a firewall there. mDNS creates a lot of traffic. The repeater makes it even worse. mDNS traffic can be easily taken as a DoS attack by the firewall. Some other unexpected rules may not like it, either. If I were you, I would forget about this idea.