Passing Broadcast Packets Between Subnets (Not DHCP)
-
Hi,
We have an application that runs on our systems that discovers items of equipment on a TCP Port 11xxx, using broadcast packets.
Traditionally the software only works on one subnet, and the team have to run versions on machines in each subnet -
I know that routers do not usually pass broadcast packets and that with DHCP for instance I use a helper or with PFSense a Relay.
Is there any way to relay the packets and replies between subnets with a rule for instance? -
@Jake-Biker what is the application, knowing that - maybe others are using it and might have a solution.
-
@johnpoz Hi John,
It's not a proprietary application, it's developed in-house to work at polling the equipment we manufacturer, -
@Jake-Biker well then the "correct" solution if you will, would have the ability to add devices that are not on the same subnet.. Maybe have the ability to scan remote subnets? or the ability to manually add the IP or fqdn of devices that are not local?
I would look into having your in-house guys add that functionality.
Does it use something like mdns to discover? If so then something like the avahi package would allow that to work across segments.
-
Hi John, the devices are designed to pickup an address on DHCP so they can be used by our customers. And as such the devices must be simple.
Its a little like mDNS I think (not being one of the developers) but uses our specified port. I was approached by the engineering team to see if we could create a rule to get this traffic flowing between the subnets.
But gut feel (this not being my specialism) is that a broadcast packet is bound to a subnet a simple rule will not work it has to be active rather like the DHCP relay in Pfsense?
-
@Jake-Biker yeah its not even a firewall "rule" if you will, its basics of networking and routing.. A broadcast packet doesn't leave its network by design.
It would defeat the whole point of a "broadcast domain" ;)
Multicast and Broadcast are meant to be contained to their own network.
Now if they were using UDP, the udpbroadcastrelay package might work, or if uses mdns then you could use the avahi package..
Yeah dhcp relay is a specific thing listening for a specific type of broadcast, then relays it a specific dhcp server with the info needed by the dhcpd, and then to take that info it gets back from the dhcpd and send it back to the client asking for a dhcp address in the specific scope.
But lets say there was some way in pfsense to do it - how would that solve your problem for customers? Are all of them using pfsense?
I would think the better course of action would be to allow for scanning of a remote network, that any normal router could allow for.. Send to 192.168.1.1:port, send to 192.168.1.2:port, etc. which any firewall/router would route or could allow when the thing scanning is on say 192.168.0/24 - or the ability to manually add devices that are not on the local network software is running on.
-
Thank John,
This confirms my thinking.
You are sir, an accomplished anaylist :).
We are looking for a way to make our lives easier - not theirs.
My feels is that our developers need to look at the method of finding the devices and refine it.
-
@Jake-Biker maybe a way for the equipment your trying to find "phone home" if you will?
Possible dhcp option the customers could add so your devices in segment A know to check in with some IP on segment B..
dhcp option 43 could be used by your device to know who to check in with..
So for example - the unifi controller that can find and "adopt" devices to manage. When the devices are on a remote network you can tell the device specific the IP of the controller to check in with, be it via a dhcp option 43, dns or even on the specific device directly.
-
@johnpoz UDPBroadcast Package - John is that an installable package or are you talking about the DHCP Relay?
-
@Jake-Biker that is a package you can install
-
@johnpoz Thank you John - could you link me please as I can't find it in the package manager?
Excuse my ignorance in thisJake
-
-
@johnpoz Oh indeed.
I can see it on my plus boxes but not the my test edge box.
Of course my bad. Much appreciated John that didn't occur to me. -
@Jake-Biker but not sure how this would fix your problem - you going to make sure all your customers run pfsense? ;)
And you stated your software sends a tcp broadcast not udp.
-
@johnpoz Hi John,
No it is in fact a UDP Broadcast.
We are only using this across our development campus which has two subnets.
We are working on our software to develop the ability to scan remote subnets, knowing that the devices are there is going to aid with the development.
Hope that makes sense !
Regards
Jake
-
@Jake-Biker ah ok - yeah that makes sense.. Good luck, let us know how it turns out.. Yeah I get discovery to make life simple for stuff.. I mean you can not expect grandma to know the IP of some iot device she connects, that sort of thing.
But all companies should also account for segmented networks.. And the ability add devices not on the same segment - discovery doesn't always work in all environments
On my wish list is for companies to allow for turning off discovery as well - some of these applications are noisy as AF.. sending out broadcast or multicast every 10 seconds.. I don't need discovery, and if I did I don't need it running 24/7/365 when I have already discovered my device, etc.
edit:
Freaking plex sends out discovery every 10 seconds, not a thing I need or want. And there is no way to turn it off.. I finally blocked it at the switch port with an ACL ;)And don't get me started with smart wifi light bulbs - noisy SOBs
