An old chestnut - mDNS/Bonjour across VLANs

Started by Greelan, November 06, 2020, 10:37:16 AM

I know this is not a new topic, but I'm really struggling to get mDNS repeated/relayed across VLANs, after spending days searching the forum and the web and trying various setups.

I recently replaced the UniFi Security Gateway in my network with an OPNsense box. I've managed to set up everything to replicate the network topology I had with the USG and have now introduced the box into the network.

My network includes a number of VLANs. Of relevance here are VLAN10 and VLAN49. VLAN10 includes my trusted devices and VLAN49 includes IoT type devices, including an AirPrint printer and AppleTVs.

Generally VLAN49 is prevented from communicating with VLAN10 (but not vice versa). With the USG I had implemented an mDNS repeater that meant VLAN10 could find all the Bonjour devices in VLAN49.

I am trying to replicate that with OPNsense. I have used both the os-mdns-repeater and os-udpbroadcast-relay plugins (separately), but without success. I have tried those plugins with firewall rules accepting traffic on port 5353 in both VLANs, but without success.

I just cannot figure out what I am doing incorrectly. If anyone has a setup similar to mine and has mDNS successfully being repeated/relayed across VLANs - particularly for AirPrint and AirPlay - could they please let me know how they have achieved it?

Thanks

Did you also allow the traffic through the firewall? It's going to be blocked otherwise. Port 5353 UDP.



I did. I included rules on each interface, i.e.:

VLAN10 - allow UDP into the interface from VLAN10 net to 224.0.0.251 port 5353
VLAN49 - allow UDP into the interface from VLAN49 net to 224.0.0.251 port 5353

I also included similar rules for IPv6, although I understand that mdns-repeater may only work with IPv4? That is:

VLAN10 - allow UDP into the interface from fe80::/10 to ff02::fb port 5353
VLAN49 - allow UDP into the interface from fe80::/10 to ff02::fb port 5353

Do they look right?

At first glance this looks correct, yeah. I'm in the same boat as you (replace USG with OPN) but I haven't deployed it yet - will do that this weekend.

I don't have access to the rules I implemented, but I can't see anything wrong straight away.

I will be very interested to hear how you go.

TBH, I'm not sure the firewall was causing my issues as I didn't see any IPv4 multicast being blocked by the default deny rule in OPNsense, even without allow rules being included.

Fingers crossed. This is a bit of a killer for me - I really don't want to go back to the USG (it's now abandonware), and I'm not inclined to switch to pfSense (I understand that it has an Avahi plugin which works reliably).

So, this morning I got my maintenance window ;) and switched over.

mDNS is enabled on iot and lan vlans
Traffic rules to allow traffic from lan/iot net -> firewall (5353/udp)

and everything *seems* to work - I see the mdns traffic from my iot devices coming in on my lan.

Interesting. So what's the destination for those firewall rules? 224.0.0.251 or firewall IP?

They're pointing at the multicast addresses. Sorry, that was less than clear.

I run two VLANs over a lagg/trunk port to a Cisco switch and mDNS works for me. I do have rather permissive "pass all" rules between those two VLANs, though. So I cannot tell you what traffic precisely to allow. I use os-mdns-repeater.

Bonjour uses multicast predominantly. If your rules are not based on interfaces alone but also networks, probably something is missing.

Although this does not help much - I guess the information that os-mdns-repeater generally works is still valuable.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thanks both for your responses.

This is quite the mystery. Doing a packet capture on OPNsense (the VLAN10 and VLAN49 interfaces) actually shows what appears to be the repeater working - for example, a multicast packet from an Apple TV in VLAN49 to the VLAN49 interface does appear to be repeated in VLAN10 (with the VLAN10 IP of OPNsense being the source). At least that is the case for IPv4 (224.0.0.251); IPv6 (ff02::fb) does not appear to be repeated.

I'm still seeing, though, all kinds of strange and inconsistent behaviour on devices, which I won't bore you with.

I have tried a permissive rule in the firewall, allowing all traffic from VLAN49 to anywhere, just for testing. It didn't make a difference.

I wonder now whether it's not OPNsense but rather the other elements in the network - particularly APs, but maybe switches - that could be having an effect (if so, damn you Ubiquiti!). It's odd because with the same switches and APs with the USG as the router, I had greater success with mDNS repeating usually working.

I guess I will keep testing different configurations, and hoping the others in the forum may have insights too.
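As an added example (not code from anyone in this thread): a small Python script that builds the kind of mDNS PTR query a client sends when browsing for an AirPrint printer, and parses PTR answers out of a reply, so the repeater can be checked from a host on VLAN10 rather than by reading a packet capture by eye. The service names `_ipp._tcp.local` and `_airplay._tcp.local` are assumptions, and the sample reply is constructed, not captured.

```python
import struct

def encode_name(name: str) -> bytes:
    """DNS wire encoding of a dotted name such as '_ipp._tcp.local'."""
    return b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split(".")) + b"\x00"

def build_ptr_query(service: str) -> bytes:
    """One-question mDNS PTR query, as a client browsing for a service sends to 224.0.0.251:5353."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)                 # id 0, flags 0, 1 question
    return header + encode_name(service) + struct.pack("!HH", 12, 1)  # QTYPE PTR, QCLASS IN

def _read_name(data: bytes, off: int):
    """Decode a possibly-compressed name; return (name, offset just past the name field)."""
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                                       # RFC 1035 compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(data[off:off + length].decode())
        off += length

def parse_ptr_answers(data: bytes) -> list:
    """Return (service, instance) pairs from the answer section of an mDNS reply."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):                                                 # skip any echoed questions
        _, off = _read_name(data, off)
        off += 4
    found = []
    for _ in range(an):
        name, off = _read_name(data, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 12:                                                 # PTR record
            found.append((name, _read_name(data, off)[0]))
        off += rdlen
    return found

# Constructed sample reply (not a capture): one PTR answer, instance name compressed back to offset 12.
_RDATA = b"\x07Printer" + b"\xC0\x0C"
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)                       # response flag, 1 answer
    + encode_name("_ipp._tcp.local")
    + struct.pack("!HHIH", 12, 0x8001, 4500, len(_RDATA)) + _RDATA    # cache-flush|IN, TTL 4500
)
```

Send the query bytes to 224.0.0.251:5353 from a UDP socket on a VLAN10 host and feed each reply to `parse_ptr_answers`; an instance name answered by a VLAN49 printer confirms the IPv4 repeater path end to end, which the captures above only show one hop at a time.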

November 28, 2020, 09:51:37 AM #10 Last Edit: November 28, 2020, 10:00:47 AM by iMx
Just set this up myself; there are a few Unifi-isms. I'm running:

3 x Unifi AC AP Pros
1 x Unifi Pro 48 Port Gen2 switch
1 x Unifi Pro 24 Port POE Gen2 switch
A number of Flex and Flex Mini switches

- Firstly, firmware 4.3.20 is key for me, on APs and switches. .21 and .22 caused all sorts of havoc. I shall be staying on this firmware version.

- Firewall rules as you have above: destination 224.0.0.251, UDP, port 5353, inbound on all VLANs you want to repeat

- Enable 'Multicast Enhancement' on each wifi network that you have mDNS repeater set up for on the Unifi controller (Settings -> Wifi -> Edit -> Advanced)

- Enable IGMP Snooping on the Unifi for each VLAN/profile set up with mDNS (Settings -> Advanced Features -> Network Isolation -> Edit)

- I had to allow all traffic BACK from my AppleTVs to the streaming devices (iPhones, computers). I think the port range is huge, so I decided to create 2 groups and allow all traffic between them. Airport Express seemed to work ok without this, but I believe AppleTV needs to be able to initiate connections back to the iPhone, computer, etc.

... think that's it

Thanks. Are any of your APs on uplinks? I think the uplink on 5GHz is where it breaks.

I am also on 4.3.20 and previously had IGMP snooping enabled but not multicast enhancement. Will give that a try.

I don't have any relevant firewall rules for the Apple TVs because I am not seeing anything being blocked in the firewall logs. And previously when troubleshooting I opened up the relevant VLAN entirely back to my main VLAN without any effect.

No, only iPhones / computers on WiFi - everything else cabled.

Yeah, figured as much given you have that many switchports lol. I'd love to do the same, but retrofitting in my house is an expensive PITA

Not so much the cabling - Sparks can turn a ceiling into swiss-cheese to thread cables pretty quickly (in my experience)... it's more the plastering etc that follows!

Thankfully, we did it before we moved in. Ummmed and ahhhed at the time over whether to destroy the place or not. But now, completely worth it :)