[SOLVED] Routing apple Bonjour

Started by Julien, July 17, 2016, 12:11:19 PM

As said before, it's not a problem of routing. It's a problem of packets not getting routed because they are not routeable, because they are multicast.
If a Mac has a printer set up via Bonjour, it will need these multicasts a lot of the time, repeatedly, just like UPnP. If the printer is set up via IP, it doesn't need anything till this IP changes. If it is set up via a DNS hostname, it will need a DNS server but will cope with changing IPs.
So, the best way is to use DNS names. Second, IPs. Third - and only in its local broadcast domain - Bonjour.
But: AirPrint is a different beast, because it needs Bonjour & IPP and a printer capable of AirPrint. There are apps out there to get normal print servers to behave like AirPrint etc., but they still need to be in the Bonjour multicast domain. So, for iPad and iPhone the best way will be a proxy that pushes all Bonjour packets into all LAN segments that need mDNS. It's not nice, but it works. Windows DNS server is a pita and you do not want to fill it with SRV mDNS records.

https://www.ietf.org/rfc/rfc6762.txt
https://tools.ietf.org/html/rfc6763

See the mdns-repeater binary attached. This has been built from source against FreeBSD 10.3 and I confirm that it works on OPNsense 16.7. Transfer the file to your OPNsense installation (I tend to put these "add-ons" in a newly created /opt directory).

Run the binary: mdns-repeater <interface 1> <interface 2> <etc>. I noticed that using the "-f" option outputs debugging information only on monitors and not on console or shell, i.e. you won't see it if you are connecting to OPNsense e.g. via ssh, but it works.

With 16.1.19 you can install from the repository:

# pkg install mdns-repeater

The package will also be in the final 16.7 release next week.

July 21, 2016, 09:51:35 AM #18 Last Edit: July 21, 2016, 02:25:54 PM by Julien
thank you guy,
The package is installed

Quote:
Proceed with this action? [y/N]: y
Fetching mdns-repeater-1.10_2.txz: 100%   12 KiB  12.6kB/s    00:01
Checking integrity... done (0 conflicting)
[1/1] Installing mdns-repeater-1.10_2...
[1/1] Extracting mdns-repeater-1.10_2: 100%
root@firewall:~ #

I have 3 LANS, one LAN is up with 5 VLANS.

mdns-repeater <interface 1>  how do I know which interface is the LAN1 ?
Or run the command :
mdns-repeater lan ?

When I run the command I get the below error:
root@firewall:~ # mdns-repeater <interface 1>
Missing name for redirect.
root@firewall:~ #


thank you
DEC4240 – OPNsense Owner

July 21, 2016, 07:26:43 PM #19 Last Edit: July 21, 2016, 07:29:33 PM by cbb09
Go to "Interfaces" > "Assignments". It should show you which interface is linked to which physical port.

LAN could be ethX or emX, VLAN interfaces usually have "_vlanXX" added to their host interface. So let's say you have LAN at eth0 and VLAN20, you would enter:

mdns-repeater eth0 eth0_vlan20


Quote from: cbb09 on July 21, 2016, 07:26:43 PM
Go to "Interfaces" > "Assignments". It should show you which interface is linked to which physical port.

LAN could be ethX or emX, VLAN interfaces usually have "_vlanXX" added to their host interface. So let's say you have LAN at eth0 and VLAN20, you would enter:

mdns-repeater eth0 eth0_vlan20
Thank you for your answer
The interface is em0 so I've linked all production VLANs to the mdns-repeater
mdns-repeater em0 em0_vlan20 em0_vlan10 em0_vlan30 em0_vlan40 em0_vlan60
The command doesn't show any error.
Does it mean now the AirPrint should start working whenever the user is on one of those VLANs?
DEC4240 – OPNsense Owner

Quote from: Julien on July 21, 2016, 07:42:38 PM
Quote from: cbb09 on July 21, 2016, 07:26:43 PM
Go to "Interfaces" > "Assignments". It should show you which interface is linked to which physical port.

LAN could be ethX or emX, VLAN interfaces usually have "_vlanXX" added to their host interface. So let's say you have LAN at eth0 and VLAN20, you would enter:

mdns-repeater eth0 eth0_vlan20
Thank you for your answer
The interface is em0 so I've linked all production VLANs to the mdns-repeater
mdns-repeater em0 em0_vlan20 em0_vlan10 em0_vlan30 em0_vlan40 em0_vlan60
The command doesn't show any error.
Does it mean now the AirPrint should start working whenever the user is on one of those VLANs?

It should! Let us know if it worked.

July 22, 2016, 09:34:32 AM #22 Last Edit: July 22, 2016, 11:18:42 AM by Julien
Thank you guys,
Unfortunately the issue is not solved yet.
I just had an iPad and I couldn't detect a printer to print with.
When I run the debug to check the log, I receive the below.


root@firewall:~ # mdns-repeater -f
mDNS repeater (version 1.10)
Copyright (C) 2011 Darell Tan

usage: mdns-repeater [ -f ] <ifdev> ...

<ifdev> specifies an interface like "eth0"
packets received on an interface is repeated across all other specified interfaces
maximum number of interfaces is 5

flags:
        -f      runs in foreground for debugging
        -p      specifies the pid file path (default: /var/run/mdns-repeater.pid)
        -h      shows this help

mdns-repeater: error: at least 2 interfaces must be specified
root@firewall:~ #
DEC4240 – OPNsense Owner

"-f" does not give you debug information on a running session but rather specifies that you want debug information on the new session you are starting.

Kill the running mdns-repeater session (killall mdns-repeater)

Then restart with all the interfaces as before and append "-f".

July 23, 2016, 11:49:16 AM #24 Last Edit: July 23, 2016, 11:54:03 AM by Julien
Do I have to do this every time the firewall has been rebooted ?

Do you mean run the command again to add the interfaces to the mdns with the below command?

mdns-repeater em0 em0_vlan20 em0_vlan10 em0_vlan30 em0_vlan40 em0_vlan60 -f

I just saw there is 16.1.20, is this ok to install?
DEC4240 – OPNsense Owner

Quite sure you also have to allow the incoming packets to arrive at the firewall section.
5353    UDP    Multicast DNS (MDNS)  mdns Bonjour, AirPlay, Home Sharing, Printer Discovery, Back to My Mac
to 224.0.0.251 and v6 FF02::FB
https://support.apple.com/en-us/HT202944
You also need to open the ports for IPP, RAW and LPR etc. to allow printing then etc.

July 23, 2016, 12:39:51 PM #26 Last Edit: July 23, 2016, 12:51:21 PM by Julien
Thank you zeitkind for your continued support.
Can you please point me to where to open the ports? I am blocking the RFC 1918 networks and Reserved/not assigned by IANA, would that affect the AirPrint? I see that AirPrint uses a RFC port 3927


Much appreciate it
DEC4240 – OPNsense Owner

Just think about 1 possible connection as an example and think about what is all involved.
1. The printer sends out its propagation into its local subnet using mDNS
2. The proxy running on the firewall takes this information and sends it out into all other LANs.
3. The mobile device takes this information (IP and service propagated) and then tries to connect to this IP and the port the service runs (eg. LPR or IPP)

So, if you have separated VLANs with restricted traffic, you need to allow all those packets to get through the filters. That also means that a printer with a dynamic IP isn't really a good idea, because you need pinholes through the firewall to allow this printer to be used from outside its network/VLAN. So either you have to open the firewall like "allow LPR from any to any" or you "allow LPR from any to <IP of printer>" - and a changing IP of the printer will be a little pita.. ^^
I'm quite sure that your firewall is blocking too much. Check if
1. you see the Bonjour packets from other subnets and
2. you can connect to the printer service (IPP, LPR or whatever it offers)
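Added example, not code from the thread or from the mdns-repeater project: a Python script that builds a constructed AirPrint-style mDNS announcement for an `_ipp._tcp.local` printer (the PTR, SRV and A records of RFC 6763) and parses such a response back into the target host, IPv4 address and port of step 3 above, which is exactly the destination the pinholes from the port list earlier in the thread must allow. The hostname, address and port in the sample are made up; in practice you would feed `parse_ipp_services` a datagram captured on a VLAN interface from UDP port 5353 to confirm check 1.

```python
import socket
import struct
TYPE_A, TYPE_PTR, TYPE_SRV = 1, 12, 33
IPP_SERVICE = "_ipp._tcp.local"          # RFC 6763 service type AirPrint clients browse for

def encode_name(name):                   # uncompressed wire-format name: len-prefixed labels
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def build_airprint_announce(host, ip, port=631):   # constructed PTR -> SRV -> A announcement
    inst = f"{host}.{IPP_SERVICE}"
    def rr(name, rtype, rdata):          # class IN with the mDNS cache-flush bit, TTL 4500
        return encode_name(name) + struct.pack(">HHIH", rtype, 0x8001, 4500, len(rdata)) + rdata
    header = struct.pack(">HHHHHH", 0, 0x8400, 0, 3, 0, 0)   # QR=1, AA=1, three answers
    return (header + rr(IPP_SERVICE, TYPE_PTR, encode_name(inst))
            + rr(inst, TYPE_SRV, struct.pack(">HHH", 0, 0, port) + encode_name(f"{host}.local"))
            + rr(f"{host}.local", TYPE_A, socket.inet_aton(ip)))

def read_name(pkt, off):                 # decode name at pkt[off]; follows RFC 1035 pointers
    labels, end, hops = [], None, 0
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:            # pointer: 14-bit offset into the same packet
            hops += 1
            if hops > 16: raise ValueError("compression pointer loop")   # hostile packets
            end = off + 2 if end is None else end
            off = struct.unpack(">H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0: break
        labels.append(pkt[off:off + ln].decode())
        off += ln
    return ".".join(labels), (end if end is not None else off)

def parse_ipp_services(pkt):             # -> {instance: (target host, IPv4, port)}
    qdcount, ancount = struct.unpack(">HH", pkt[4:8])
    off = 12
    for _ in range(qdcount):             # skip questions: name + QTYPE + QCLASS
        off = read_name(pkt, off)[1] + 4
    instances, srv, addr = [], {}, {}
    for _ in range(ancount):
        name, off = read_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", pkt[off:off + 10])
        off += 10
        if rtype == TYPE_PTR and name == IPP_SERVICE:
            instances.append(read_name(pkt, off)[0])
        elif rtype == TYPE_SRV:          # priority, weight, port, then the target host name
            srv[name] = (read_name(pkt, off + 6)[0], struct.unpack(">H", pkt[off + 4:off + 6])[0])
        elif rtype == TYPE_A:
            addr[name] = socket.inet_ntoa(pkt[off:off + 4])
        off += rdlen
    return {i: (srv[i][0], addr.get(srv[i][0]), srv[i][1]) for i in instances if i in srv}
```

A result with an IP on another VLAN tells you the repeater did its job; the client still needs TCP to that IP and port (631 for IPP) to pass the rules between VLANs.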

Quote from: Zeitkind on July 23, 2016, 08:10:57 PM
Just think about 1 possible connection as an example and think about what is all involved.
1. The printer sends out its propagation into its local subnet using mDNS
2. The proxy running on the firewall takes this information and sends it out into all other LANs.
3. The mobile device takes this information (IP and service propagated) and then tries to connect to this IP and the port the service runs (eg. LPR or IPP)

So, if you have separated VLANs with restricted traffic, you need to allow all those packets to get through the filters. That also means that a printer with a dynamic IP isn't really a good idea, because you need pinholes through the firewall to allow this printer to be used from outside its network/VLAN. So either you have to open the firewall like "allow LPR from any to any" or you "allow LPR from any to <IP of printer>" - and a changing IP of the printer will be a little pita.. ^^
I'm quite sure that your firewall is blocking too much. Check if
1. you see the Bonjour packets from other subnets and
2. you can connect to the printer service (IPP, LPR or whatever it offers)
Thank you for your answer,
The scenario is I have 4 VLANs attached to em1.
I've grouped the 4 VLANs and em1 as one interface, so there is no block between the VLANs.
We have a similar situation on pfSense and Cisco and it works fine, I understand Cisco is routing the traffic between the VLANs. But is pfSense the same as OPNsense? The traffic should be allowed between the interfaces and VLANs? No rules are needed because the allow any to any is on top of the VLANs.
Please correct me if I am wrong, I am just trying to understand this .
DEC4240 – OPNsense Owner

I think we need to solve the problem of not detecting the AirPrint printers first. Regardless of your firewall settings, the iPads on the other VLANs should be able to see them via mdns-responder. They might have issues connecting, but they should detect them.

An alternative to mdns-responder would be to use say a Raspberry Pi running avahi. You could connect the RPi to your switch and create a tagged trunk line from that port to the RPi. The RPi can be configured to be VLAN aware. Then configure avahi to run in reflector mode, specify the VLAN interfaces and Bob's your uncle. That's what I had running before moving to a VM.

It's easy.