[SOLVED] Routing apple Bonjour

Started by Julien, July 17, 2016, 12:11:19 PM

July 17, 2016, 12:11:19 PM Last Edit: July 25, 2016, 08:35:17 PM by franco
Hi Guys,
After I replaced our Cisco with OPNsense, our Bonjour printers stopped working and we can't detect them on the network.
The printers are online and reachable.
Can someone please point me to how to enable Bonjour services on the firewall?
Firewall rules are any to any on each interface.
DEC4240 – OPNsense Owner

Bonjour uses UDP 5353. Check your log for denies?

Bart...

Quote from: Julien on July 17, 2016, 12:11:19 PM

OPNsense probably routes just fine, but your computers on the other networks/interfaces don't know that printers are there since Bonjour uses multicast to advertise the services and this doesn't traverse from one network to the other.

I have an Ubuntu server VM that runs my ancillary network services, incl. avahi, which can be configured as a Bonjour reflector, i.e. it receives the multicast advertisements on one network and mirrors them on the other. For that to work, the VM needs to see all networks that need Bonjour.

You can alternatively also use a Raspberry Pi if you work with VLANs. The RPi can be configured to be VLAN-aware.

I've tried to get avahi running directly on my OPNsense box, and while I can get it compiled and installed, I can't get the reflector function working there. It would be great to have a plug-in for avahi in OPNsense.

This issue is fixable:

Yes it is in the man page: http://linux.die.net/man/5/avahi-daemon.conf
And it is in the ports: https://github.com/opnsense/ports/tree/master/net/avahi

Maybe Franco can build the package for you.

Kind regards

Fabian

For the moment, the avahi dependencies are just too much for our builds. You'll have to build this on your box.

Probably way beyond what you want to do, but if you control DNS you can also populate that with Bonjour records. In my experience it doesn't work for AirPlay, but AirPrint does fall back to regular unicast DNS lookups to discover and browse printers. Pro: avoids all the multicast propagation; gives you centralized control over the printer name/location fields. Con: a bit of work to set up; your DNS may not allow dynamic updates, which will prevent newly plugged-in printers from automatically appearing to your users (this is actually a Pro for me).

An ugly-page quick guide:
http://www.dns-sd.org/ServerStaticSetup.html

More info at:
https://developer.apple.com/library/mac/documentation/Cocoa/Conceptual/NetServices/Introduction.html
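The static-record approach described in the post above, as an added example (it is not from the post, from dns-sd.org or from Apple's documentation): a script that emits the unicast DNS-SD records for a list of printers, including the _universal._sub._ipp._tcp subtype that AirPrint clients browse, plus a check for the TXT keys AirPrint-capable printers publish on mDNS. The domain example.com, the host name, the instance name and every TXT value are constructed sample data; on a real network the TXT values must be copied from what the printer itself advertises (for example with dns-sd -L on a Mac sitting in the printer's own segment).

```python
def escape_label(label):
    """RFC 1035 master-file escaping for a service instance name: anything that is not
    a letter, digit, '-' or '_' becomes \\DDD, so "Office Printer" is Office\\032Printer."""
    return "".join(c if c.isalnum() or c in "-_" else "\\%03d" % ord(c) for c in label)


def check_airprint_txt(txt):
    """Return the problems an iOS client would trip over in a printer's TXT record.
    These are the keys AirPrint-capable printers publish on mDNS; the unicast copy has
    to carry the same ones, with the values the real printer reports."""
    problems = []
    if txt.get("txtvers") != "1":
        problems.append("txtvers must be 1")
    if "rp" not in txt:
        problems.append("rp (IPP resource path) missing")
    if "image/urf" not in txt.get("pdl", "").split(","):
        problems.append("pdl must list image/urf")
    if "URF" not in txt:
        problems.append("URF key missing")
    return problems


def printer_records(domain, printer):
    """Zone-file lines that let an AirPrint/IPP client find one printer via unicast DNS."""
    inst = "%s._ipp._tcp.%s." % (escape_label(printer["name"]), domain)
    host = "%s.%s." % (printer["host"], domain)
    txt = " ".join('"%s=%s"' % kv for kv in printer["txt"].items())
    return [
        "%s IN A %s" % (host, printer["ip"]),
        "_ipp._tcp.%s. IN PTR %s" % (domain, inst),
        "_universal._sub._ipp._tcp.%s. IN PTR %s" % (domain, inst),  # the subtype AirPrint browses
        "%s IN SRV 0 0 631 %s" % (inst, host),
        "%s IN TXT %s" % (inst, txt),
    ]


def zone(domain, printers):
    """Browse-domain pointers plus the records for every printer, as zone-file lines."""
    lines = [
        "b._dns-sd._udp.%s. IN PTR %s." % (domain, domain),    # browse domain (RFC 6763 section 11)
        "lb._dns-sd._udp.%s. IN PTR %s." % (domain, domain),   # legacy browse domain, what Apple clients consult
        "_services._dns-sd._udp.%s. IN PTR _ipp._tcp.%s." % (domain, domain),
    ]
    for p in printers:
        bad = check_airprint_txt(p["txt"])
        if bad:
            raise ValueError("%s: %s" % (p["name"], "; ".join(bad)))
        lines += printer_records(domain, p)
    return lines


# Constructed sample for this example: a printer in the 10.20.10.0/24 printer VLAN. The TXT
# values are illustrative; a real deployment copies them from the printer's own mDNS answer.
SAMPLE = [{
    "name": "Office Printer", "host": "prn-office", "ip": "10.20.10.129",
    "txt": {"txtvers": "1", "qtotal": "1", "rp": "ipp/print", "ty": "HP LaserJet",
            "pdl": "application/pdf,image/urf,image/jpeg", "URF": "W8,SRGB24,CP1,RS300",
            "Color": "F", "Duplex": "T", "adminurl": "http://10.20.10.129/"},
}]

if __name__ == "__main__":
    print("\n".join(zone("example.com", SAMPLE)))
```

Clients discover the browse domain by looking up lb._dns-sd._udp.<domain>, where <domain> is the one their DHCP lease hands them (option 15), so the DHCP scope of the user VLAN has to supply the domain these records live in, and the DNS server that scope points at has to serve the zone. Nothing here crosses a segment boundary as multicast; the only thing a client sends is an ordinary unicast DNS query.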

Besides all these problems with multicast routing, I strongly recommend giving all printers and servers static IPs and putting them into DNS as well.
Bonjour, or better multicast DNS, is designed to work inside a broadcast domain - just like good old AppleTalk did. If it worked before, the Cisco did multicast routing - which is normally a bad idea in most places. Acronis has a quite nice intro to this: https://kb.acronis.com/sites/default/files/content/2013/01/39490/wanbonjour_1.pdf

You could compile mdns-repeater. It's in the OPNsense ports net repo. It's much less of a dependency hell than avahi.

It works well, i.e. it takes mDNS broadcasts on one interface and repeats them on the others. The only downside is that it doesn't gather all existing advertised services by pinging them when you start it, but rather only relays the broadcasts when they happen. So as long as you can get the printer to re-advertise its service, it should work.

Avahi polls the interfaces and repeats the results on all configured interfaces, i.e. it's a bit less cumbersome.

mdns-repeater seems like a good utility to add to the package builds, thanks!

The printers are not working because it's a DNS issue?
Our users are suffering from this, and we are deciding to take OPNsense offline and put the Cisco back.
I can't seem to find a solution for this.
Can someone advise what to do to get this working?
Bartsmitj, would opening the ports on the LAN make it work?

Thank you guys
DEC4240 – OPNsense Owner

If you set up a printer on any OS, you define how the printer will be reached.
You can either define an IP address (LPR, RAW etc.) or a Windows-like print server; USB printers are normally configured automatically (if a driver was found).
But: if you add a new printer on OS X, the default window will first show all printers that the Mac has automatically detected. This is done by using Bonjour, so all printers that show up there are shouting their IP into the local network segment (it's multicast) and advertise themselves this way, somehow similar to UPnP. The printers use some kind of individual name, normally "printer type + MAC address" if not set up otherwise. If you have a big network (i.e. a big multicast domain), the list can be quite long and the printer names are often WTF-is-this-damn-printer-like useless. The info a Bonjour printer has to offer is like: "My name is HP Laserjet#67AE56BE33 and I offer LPR, RAW and IPP on my IP address a.b.c.d". So it doesn't matter which IP it has, users can take this name and a Mac will resolve the IP by the Bonjour info it got. If the IP changes, the Bonjour info will change and the Mac will use the new IP.
But: Normally, a printer should have a static IP and a hostname and you add the printer by IP and not by its Bonjour name. This is only useful in very small networks with no admins that configure printers properly and where the printers get their IPs by DHCP.
So - your users have selected printers outside their broadcast domain by their Bonjour names. This is a bad idea, because Bonjour is intended to be used only in a local network segment. What they should have done (or better, their admin..) is selecting a printer by either its IP or its hostname. Your Cisco routed multicast packets (or used a Bonjour-proxy-like way, no idea, stopped using Cisco 15 years ago) so that all Macs were able to see Bonjour packets from outside their multicast domain. This is not the way it was supposed to work, but well, yes, you can do it.
To do: Check if those printers have static IPs and configure them on the Macs with either IP or hostname. Do not use Bonjour names for anything (Bonjour can be used to advertise any service) that is outside a broadcast domain.
Or: Use a proxy for Bonjour multicasts. Not my way to do this, but also works.
Or: Enable multicast routing. Worst way.

July 20, 2016, 08:10:15 PM #11 Last Edit: July 20, 2016, 11:05:15 PM by Julien
Zeitkind, thank you for your answer with your explanation.
The issue is that after we installed OPNsense the printers don't show up for the Mac users; we have to specify the IP address to get it to work.
We never thought about iPad users who need to print using their iPad.
We have a domain controller with some file shares and users.
Because the Mac is a pain in the ass to add to the DS, we started serving DHCP using OPNsense as gateway and DNS in the DHCP scope.
Maybe this is related to the issue?
In many pfSense and Cisco installations the printers work out of the box without any configuration.
Would editing the scope with the domain controller as DNS and forwarding the DNS requests to the firewall fix this?
Would adding the printer to the domain controller and sharing it over the network fix this?
Thanks for your fast answers.

I see that Bonjour uses UDP port 5353.
Would creating a firewall rule on the VLAN group, any to UDP 5353, make it work?
I hope someone can help us here before we are forced to remove the OPNsense firewall.
DEC4240 – OPNsense Owner

Well, you have to understand that all Bonjour services are bound to the local network segment. So if you have different LAN segments the Macs won't see Bonjour services outside their own segment. It's just not intended to work that way, because otherwise those Bonjour services would flood all networks. mDNS/Bonjour was an idea to simplify networks for users in small companies and is kinda like the old AppleTalk before, just plug and play.
But if you have a routed network, Bonjour messages will simply get dropped at the next hop because they are multicast, which only works in a local network segment. In such a case you need to set up fixed IP addresses (and DNS would be nice too) for printers which need to be accessible from outside their own segment, i.e. broadcast domain. If you use VLANs it may be even worse, because you will split a simple subnet into a bunch of individual broadcast domains. So those machines share the same subnet, but not the same broadcast domain. The simplest way may be using a Bonjour proxy which mirrors all Bonjour advertisements to all or selected networks. Not the way mDNS is intended to work, but who cares. But it's still some kind of a hack, because best practice would be setting up a fixed IP and a DNS entry for all services that need to be accessed and configuring them on the client machines. But: if we talk about the little Apple things aka iPhone and iPad, we have another problem called "AirPrint", which is a modified version of IPP mixed with Bonjour. It also works inside a local network only..
https://en.wikipedia.org/wiki/AirPrint
So, if we do not talk about Macs (only) but iPads and iPhones, well, mdns-repeater is the best shot I guess.

Quote from: Julien on July 20, 2016, 08:10:15 PM

As I said, mdns-repeater could help. I just looked at the ports Makefile and it looks like it doesn't require any dependencies. I will build it from source on my FreeBSD build environment and it might just be one binary file. I will quickly test it on my OPNsense box and if it works, I can send you the binary. It could be as easy as scp-ing the file to your machine and running it with the interfaces you want mDNS broadcasts to be reflected to/from.
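What Bart describes in his two mdns-repeater posts above (take mDNS packets arriving on one interface and repeat them on the others; no cache of services, so printers have to re-announce) can be sketched in Python so the mechanics and the loop protection are visible. This is an added example written for this page; it is not mdns-repeater's code, not avahi, and not anything posted in the thread. It is meant to run on the firewall itself, uses the interface addresses 10.20.10.1/24 (printer VLAN) and 10.30.10.1/24 (user VLAN) purely as constructed sample values, and adds two things a practitioner would want on a segment boundary: a direction policy (queries only flow from client segments to service segments, answers only flow back), and a startup PTR query for _ipp._tcp so printers re-announce without being power-cycled. The role names 'services' and 'clients', the PROBE_SERVICES list and the command-line syntax are this example's own conventions.

```python
import ipaddress, socket, struct, sys

MDNS_GROUP, MDNS_PORT, TYPE_PTR = "224.0.0.251", 5353, 12
PROBE_SERVICES = ("_ipp._tcp.local", "_ipps._tcp.local")   # asked once at startup so printers answer

def encode_name(name):
    """Wire form of a dotted name: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(struct.pack("B", len(lab)) + lab.encode() for lab in labels) + b"\x00"

def decode_name(pkt, off):
    """Decode a possibly compressed name at pkt[off]; return (name, offset after it)."""
    labels, end, jumped, hops = [], None, False, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 32: raise ValueError("pointer loop")   # a hostile packet must not hang the relay
            if not jumped: end = off + 2
            off, jumped = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)

def build_query(service):
    """Standard mDNS PTR query (id 0, flags 0, one question) for a service type."""
    return struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0) + encode_name(service) + struct.pack("!HH", TYPE_PTR, 1)

def parse(pkt):
    """Return (is_response, question names, [(PTR owner, PTR target), ...]); raises if malformed."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off, questions, ptrs = 12, [], []
    for _ in range(qd):
        name, off = decode_name(pkt, off)
        off += 4                                       # skip QTYPE and QCLASS
        questions.append(name)
    for _ in range(an + ns + ar):
        name, off = decode_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == TYPE_PTR:
            ptrs.append((name, decode_name(pkt, off)[0]))
        off += rdlen
    return bool(flags & 0x8000), questions, ptrs

def targets_for(src_ip, is_response, ifaces):
    """Segments (ip, prefixlen, role) a packet from src_ip is repeated onto. Queries from a
    'clients' segment go only to 'services' segments, answers from a 'services' segment only
    to 'clients' segments. Packets from the relay's own addresses (looped-back copies of what
    it just sent) or from outside every configured segment are dropped: the loop protection."""
    if src_ip in [ip for ip, _, _ in ifaces]:
        return []
    src = ipaddress.ip_address(src_ip)
    origin = [i for i in ifaces if src in ipaddress.ip_network("%s/%d" % i[:2], strict=False)]
    role = origin[0][2] if origin else None
    wanted = {("services", True): "clients", ("clients", False): "services"}.get((role, is_response))
    return [i for i in ifaces if i[2] == wanted] if wanted else []

def udp_socket(bind_ip):
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    if hasattr(socket, "SO_REUSEPORT"): s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
    s.bind((bind_ip, MDNS_PORT))                       # mDNS traffic must originate from port 5353
    return s

def tx_socket(iface_ip):
    s = udp_socket(iface_ip)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF, socket.inet_aton(iface_ip))
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)   # RFC 6762 section 11
    return s

def relay(ifaces):
    """Run forever: receive on every segment, repeat according to targets_for()."""
    rx = udp_socket("")                                # only a wildcard bind receives multicast
    for ip, _, _ in ifaces:
        rx.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP,
                      socket.inet_aton(MDNS_GROUP) + socket.inet_aton(ip))
    tx = {ip: tx_socket(ip) for ip, _, _ in ifaces}
    for ip, _, role in ifaces:                         # nudge printers to announce themselves now
        for service in (PROBE_SERVICES if role == "services" else ()):
            tx[ip].sendto(build_query(service), (MDNS_GROUP, MDNS_PORT))
    while True:
        pkt, (src, _) = rx.recvfrom(9000)
        try:
            is_response, _, _ = parse(pkt)
        except (struct.error, IndexError, ValueError):
            continue                                   # never forward what we cannot parse
        for ip, _, _ in targets_for(src, is_response, ifaces):
            tx[ip].sendto(pkt, (MDNS_GROUP, MDNS_PORT))

if __name__ == "__main__":
    # python3 mdns_relay.py 10.20.10.1/24/services 10.30.10.1/24/clients  (the firewall's own address per VLAN)
    relay([(a.split("/")[0], int(a.split("/")[1]), a.split("/")[2]) for a in sys.argv[1:]])
```

Because the relay terminates the multicast on the firewall, pf still has to accept UDP/5353 to 224.0.0.251 inbound on every joined interface (the any-to-any rules in this thread already do). Every advertisement that is repeated becomes visible to every host on the destination segment, so join only the VLAN pairs that need it; the parse-before-forward step and the pointer-hop limit are there because a relay sitting on a boundary will receive packets it does not trust from both sides. One consequence of the direction policy: a printer's own probe queries stay on its segment, so a name conflict with a host on another VLAN is not detected.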

July 21, 2016, 12:43:31 AM #14 Last Edit: July 21, 2016, 01:05:46 AM by Julien
Guys, you are a rock if you help me get this fixed.
To answer the questions about Macs and VLANs:
I have a printer on VLAN 20 and a Mac on VLAN 20, but it still can't find the printer; I have to add it by IP.
VLAN 20 is 10.20.10.0/24 (printer VLAN) and the users are on VLAN 30, 10.30.10.0/24.
so the printer IP is
10.20.10.129
255.255.255.0
10.20.10.1 DNS/Gateway

The iPad user is 10.30.10.120 / 255.255.255.0 / 10.30.10.1 DNS, gateway.

The DC and file server is 10.20.10.20 / 255.255.255.0 / 10.20.10.1 gateway / 127.0.0.1 DNS.

So, would configuring the DHCP of each VLAN to have 10.20.10.20 as primary DNS and sharing the printer from that server AirPrint the printer to the iPad users?

Would having the printer on a LAN IP fix it?
I have a LAN physical NIC, 192.168.1.0/24, and on that physical interface I have created the VLANs.
Everything routes over the LAN as I understand it, so it should be a routing issue.

thank you
DEC4240 – OPNsense Owner