[SOLVED] Routing apple Bonjour

Started by Julien, July 17, 2016, 12:11:19 PM

Any to any is not really a setup I expect on VLANs.. why using them at all?
Anyway, did you check if you can see any mDNS offers on those VLANs? You can use Bonjour Browser or Wireshark.

Quote from: cbb09 on July 23, 2016, 11:05:29 PM
I think we need to solve the problem of not detecting the AirPrint printers first. Regardless of your firewall settings, the iPads on the other VLANs should be able to see them via mdns-responder. They might have issues connecting, but they should detect them.

An alternative to mdns-responder would be to use say a Raspberry Pi running avahi. You could connect the RPi to your switch and create a tagged trunk line from that port to the RPi. The RPi can be configured to be VLAN aware. Then configure avahi to run in reflector mode, specify the VLAN interfaces and Bob's your uncle. That's what I had running before moving to a VM.

It's easy.
If you can provide me with the way of doing this, I'll really appreciate it.
Monday I'll ask the user about the printer using the mdns-responder; if this is still not working we can try your Pi and avahi.
I am sure the Avahi is working fine with the pfSense.
Can you advise how to install avahi and configure it on the OPNsense?
I'll be grateful for having this fixed for our customer.
DEC4240 – OPNsense Owner

Hi Julien,

I don't want to step on your toes, but I fear that getting avahi up and running may be above your expertise. You've received a lot of valuable help and insight from this community and I do think hiring a local expert on the matter is going to be better for you in the long run. You seem to have reasons for wanting to migrate, it's a game of numbers and going back is probably not in favour of your numbers. The budget for migration was underestimated a bit from what I can gather.

Avahi can be built from our ports tree on any OPNsense itself and configured in a manner that is common for FreeBSD, although I fear that it costs you more money and user trust in OPNsense than is worth asking for every detail or step in this forum.

We are very glad to help out where we can, but keep in mind that your issues are not necessarily with OPNsense, but also your network design.


Cheers,
Franco

Quote from: Zeitkind on July 23, 2016, 11:16:36 PM
Any to any is not really a setup I expect on VLANs.. why using them at all?
Anyway, did you check if you can see any mDNS offers on those VLANs? You can use Bonjour Browser or Wireshark.

I agree, but there are situations where this makes sense. In my case, for example, I have a VLAN that uses an OpenVPN client on the firewall and as such a different gateway. It still can talk to my other VLANs.

July 24, 2016, 05:04:29 PM #34 Last Edit: July 24, 2016, 05:06:35 PM by cbb09
Quote from: Julien on July 23, 2016, 11:57:23 PM
Quote from: cbb09 on July 23, 2016, 11:05:29 PM
I think we need to solve the problem of not detecting the AirPrint printers first. Regardless of your firewall settings, the iPads on the other VLANs should be able to see them via mdns-responder. They might have issues connecting, but they should detect them.

An alternative to mdns-responder would be to use say a Raspberry Pi running avahi. You could connect the RPi to your switch and create a tagged trunk line from that port to the RPi. The RPi can be configured to be VLAN aware. Then configure avahi to run in reflector mode, specify the VLAN interfaces and Bob's your uncle. That's what I had running before moving to a VM.

It's easy.
If you can provide me with the way of doing this, I'll really appreciate it.
Monday I'll ask the user about the printer using the mdns-responder; if this is still not working we can try your Pi and avahi.
I am sure the Avahi is working fine with the pfSense.
Can you advise how to install avahi and configure it on the OPNsense?
I'll be grateful for having this fixed for our customer.

There's a pkg for pfSense, but on OPNsense you need to build it from source from the ports. Avahi needs a build environment and a lot of dependencies and is rather difficult to build if you don't do this all the time.

For the RPi:

1. Get a Raspberry Pi B+ 1, 2 or 3
2. Install Raspbian as per www.raspberrypi.org, use the raspbian-lite image
3. Create a trunk port on your network switch with LAN and all VLANs that need mDNS
4. Connect your RPi to that port
5. SSH into your Pi (default setting is DHCP, so you should be able to find the IP in your DHCP server listing)
6. Update and upgrade: sudo apt update && sudo apt upgrade
7. Install vlan and avahi: sudo apt install vlan avahi-daemon
8. Edit /etc/network/interfaces:
auto lo
iface lo inet loopback

auto eth0
allow-hotplug eth0
iface eth0 inet dhcp
        post-up ifup eth0.XX [add one line per VLAN, XX is the VLAN ID]

iface eth0.XX inet dhcp [add one stanza per VLAN]
9. Edit the following lines in /etc/avahi/avahi-daemon.conf:

Uncomment and edit:
allow-interfaces=eth0,eth0.XX [add all interfaces here, separated by ","]

enable-reflector=yes

10. Reboot: sudo reboot

Should work.
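Before or after setting up the reflector, it helps to confirm from a client on each VLAN whether the AirPrint advertisement is actually visible there (the check Zeitkind suggested, without needing Wireshark). The following is an added example, not code from this thread or from the avahi project: it sends one mDNS PTR query for _ipp._tcp.local and decodes the PTR answers; the embedded sample response is constructed, not captured.

```python
import socket, struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353
AIRPRINT_SERVICE = "_ipp._tcp.local"  # AirPrint printers advertise a PTR record under this name

def encode_name(name):  # DNS wire form: length-prefixed labels ending with a zero byte
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_ptr_query(service=AIRPRINT_SERVICE):
    # One PTR question (type 12); class IN with the QU bit set (0x8001) asks responders
    # to answer unicast to our socket instead of only to the multicast group
    return struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0) + encode_name(service) + struct.pack("!HH", 12, 0x8001)

def decode_name(data, off):  # handles compression pointers; returns (name, offset after it)
    labels, end = [], None
    while data[off]:  # until the zero terminator
        if data[off] & 0xC0 == 0xC0:  # pointer to an earlier copy of the rest of the name
            end = off + 2 if end is None else end
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(data[off + 1:off + 1 + data[off]].decode())
            off += 1 + data[off]
    return ".".join(labels), (end if end is not None else off + 1)

def parse_ptr_answers(data):  # -> [(service, instance)] for PTR records in the answer section
    qdcount, ancount = struct.unpack("!HH", data[4:8])
    off, found = 12, []
    for _ in range(qdcount):  # skip echoed questions: name + type + class
        off = decode_name(data, off)[1] + 4
    for _ in range(ancount):
        name, off = decode_name(data, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        if rtype == 12:
            found.append((name, decode_name(data, off + 10)[0]))
        off += 10 + rdlen
    return found

# Constructed sample answer (not a capture): one PTR record "Printer._ipp._tcp.local" whose
# rdata is the instance label followed by a pointer (0xC00C) to the service name at offset 12
SAMPLE_RESPONSE = (b"\x00\x00\x84\x00\x00\x00\x00\x01\x00\x00\x00\x00" + encode_name(AIRPRINT_SERVICE)
                   + b"\x00\x0c\x80\x01\x00\x00\x11\x94\x00\x0a" + b"\x07Printer\xc0\x0c")

def probe(timeout=2.0):  # send the query from the VLAN this host sits on, collect PTR answers
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_ptr_query(), (MDNS_GROUP, MDNS_PORT))
    seen = []
    while True:
        try:
            data, src = sock.recvfrom(9000)
        except socket.timeout:
            return seen  # empty when no AirPrint advertisement is visible on this VLAN
        seen += [(src[0], svc, inst) for svc, inst in parse_ptr_answers(data)]
```

Run probe() on a host in each VLAN; an empty list from a VLAN where the printer should be reachable points at multicast not crossing that boundary rather than at the firewall rules for unicast printing.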


July 24, 2016, 10:33:28 PM #35 Last Edit: July 24, 2016, 11:28:14 PM by Julien
Thank you Franco for your answer.
I believe we needed to think twice before migrating to OPNsense. The test went fine, but we didn't think about the Mac users and their AirPrint.
It's not about the design of the network; the design of the network is fine, as it is working fine with pfSense right now.
We've been forced to take the OPNsense firewall off the network.
I am continuing to ask on this forum to understand how OPNsense works, to decide whether to continue with it or not.
I appreciate every support you guys provided.

This is how it's working on pfSense:

The em1 IP is 192.168.1.0/24
VLAN10 is 10.10.10.0/24, VLAN20 is 20.20.20.0/24
I've configured the printer IP to use the em1 subnet and not the VLAN subnets.
The IP is 192.168.1.100 and it is detectable from the VLANs and users can print.

Whenever I try the same with OPNsense it doesn't work; the firewall rules are the same as on OPNsense, from the WAN and LAN side.

I am willing to fix this without any package.
So would having the users and the printers on the same VLAN make this work?
DEC4240 – OPNsense Owner

Hi Julien,

Which version, 2.3 or 2.2 or possibly both? See, we've learned something here. :)

Are you sure you're not missing vital info like the setup of IGMP-Proxy? A full working config would certainly help to spot this.


Cheers,
Franco

July 24, 2016, 11:46:55 PM #37 Last Edit: July 24, 2016, 11:48:31 PM by Julien
Quote from: franco on July 24, 2016, 11:33:25 PM
Hi Julien,

Which version, 2.3 or 2.2 or possibly both? See, we've learned something here. :)

Are you sure you're not missing vital info like the setup of IGMP-Proxy? A full working config would certainly help to spot this.


Cheers,
Franco
Hi Franco,
The version is 2.3.1-RELEASE-p5 (amd64)
built on Thu Jun 16 12:53:15 CDT 2016
FreeBSD 10.3-RELEASE-p3

I can provide you the config, no problem; I've spent my Sunday in Germany rebuilding the OPNsense to pfSense.
We are willing to keep using OPNsense; for Windows users we have no issue with the other 4 customers, but those two Mac users became an issue.
If the multicast is not working between the VLANs on OPNsense, and I manage to get those sales iPads and iPhones on the same VLAN as the printers, would this work?
What configuration do you need? Let me know and I'll export it for you.
DEC4240 – OPNsense Owner

I'll just need a working config from pfSense to look at. You can send it to: franco AT opnsense DOT org

Quote from: cbb09 on July 23, 2016, 11:05:29 PM
I think we need to solve the problem of not detecting the AirPrint printers first. Regardless of your firewall settings, the iPads on the other VLANs should be able to see them via mdns-responder. They might have issues connecting, but they should detect them.

An alternative to mdns-responder would be to use say a Raspberry Pi running avahi. You could connect the RPi to your switch and create a tagged trunk line from that port to the RPi. The RPi can be configured to be VLAN aware. Then configure avahi to run in reflector mode, specify the VLAN interfaces and Bob's your uncle. That's what I had running before moving to a VM.

It's easy.
Thank you man for your continued support.
We have OPNsense at a local customer; I can go there and get mdns-responder configured.
I'll report back in 30 min.
DEC4240 – OPNsense Owner

July 25, 2016, 10:51:17 AM #40 Last Edit: July 25, 2016, 10:53:05 AM by Julien
Hi Guys,
I managed to get this fixed.
Let me explain what happened:
I have created a group of the production LAN and VLANs.
I traced the AirPrint packets using Wireshark and figured out there was a deny rule.
So I checked the firewall rules and found out that the Productions interface doesn't have an Allow Any to Any, just on each interface.
Because on pfSense it works and on OPNsense not, I compared the configuration and noticed the difference between the setup of pfSense and OPNsense is the group of the interfaces.
After I created any to any rules on the Productions interface, the printers show up on the iPads/iPhones.
Even the Bonjour services are working now.
I don't know if it works out of the box or the mdns-rep package does the job.

So to sum up:

It's working now, thank you guys for your support. And no UDP 5353 is open or NATed to the printer.
I am ready to provide any log/information needed to help you guys understand the idea behind it.

When creating a group of interfaces, do the rules on the interface side apply first, before the group firewall rules?

DEC4240 – OPNsense Owner

Quote from: Julien on July 25, 2016, 10:51:17 AM
Hi Guys,
I managed to get this fixed.
Let me explain what happened:
I have created a group of the production LAN and VLANs.
I traced the AirPrint packets using Wireshark and figured out there was a deny rule.
So I checked the firewall rules and found out that the Productions interface doesn't have an Allow Any to Any, just on each interface.
Because on pfSense it works and on OPNsense not, I compared the configuration and noticed the difference between the setup of pfSense and OPNsense is the group of the interfaces.
After I created any to any rules on the Productions interface, the printers show up on the iPads/iPhones.
Even the Bonjour services are working now.
I don't know if it works out of the box or the mdns-rep package does the job.

So to sum up:

It's working now, thank you guys for your support. And no UDP 5353 is open or NATed to the printer.
I am ready to provide any log/information needed to help you guys understand the idea behind it.

When creating a group of interfaces, do the rules on the interface side apply first, before the group firewall rules?

Glad you got this running. I think mdns-repeater does the trick, as even with any to any rules, broadcast packets get dropped.

Hi Julien,

I'm glad this got sorted. I'm marking it solved. :)

Quote from: Julien on July 25, 2016, 10:51:17 AM
When creating a group of interfaces, do the rules on the interface side apply first, before the group firewall rules?

Floating rules are first (first batch), then come VPN types + Groups (together in second batch), afterwards all normal interface rules (third batch).


Cheers,
Franco

Guys a big thank you for this.
I am going to continue contributing on the community to share and learn.
DEC4240 – OPNsense Owner

December 19, 2016, 10:10:48 PM #44 Last Edit: December 20, 2016, 12:35:37 AM by LKaderavek
Hello Julien,
I'm looking for nearly the same solution to a printer problem... I want to discover printers from Windows and Mac clients and also mobile devices (smartphones and tablets).

In my environment the printers are on the LAN subnet.
I want to print over WiFi connections.

From the print server, SMB-connected printers can print and be managed inter-VLAN.

My interface configuration is as follows:
1xWAN
1xLAN (local subnet with servers, desktops and printers)
1x WIFI (Management-Interface for Access Points, Switches)
1x VLAN100 subinterface of WIFI
1x VLAN101 subinterface of WIFI
1x VLAN200 subinterface of WIFI (not allowed for printing)
1x VLAN300 subinterface of WIFI (not allowed for printing)

On which interface did you set up this Any-Any rule?
On the LAN interface where the printers are?
Or did you set up a floating rule?

I've already installed the mdns-responder package onto the box and restarted.
I've tried to activate it for Port 53 and bind interfaces LAN, VLAN100 and VLAN101.
Also I set a floating rule from any to any.

Can you please provide me more information about your solution?

Thanks.

Lukas