mDNS or Multicast Traffice Not Passing Between Multiple Vlans
-
Dear all pfsense experts,
I'm using pfSense 2.8.0-RELEASE, and I have multiple VLANs under my LAN.
The problem is that I can’t discover printers or IoT devices across VLANs.
If I connect to the same VLAN as the printers, everything shows up just fine. But from other VLANs, the printers and devices are not visible.I believe pfSense does not allow multicast (like mDNS) between VLANs by default.
Can anyone with good pfSense knowledge help me set it up so I can discover printers across different VLANs?
Adil Yaqoob
adil@itsoll.com -
@ayansaari Install and configure Avahi.
-
@WN1X I installed and configure it but still unable to view devices from the other vlans
-
@ayansaari Please post your Avahi config page (Services / Avahi).
-
-
@ayansaari Suggestions I would make:
- Start by removing all the service entries, which will allow all services to be forwarded. You can add back appropriate restrictions later. When you do, make sure they are the correct ones for your printing protocols.
- If you don't have one yet, get an mDNS/Bounjour browser. This will be much better than trying to use OS printer discovery tools. For iOS or MacOS I recommend Discovery.app. For Windows I don't have a specific recommendation, but there are a few out there (perhaps someone else has a recommendation to offer?).
- Disable Publishing in the advanced section. It's not related to your issue, but it almost certainly is not something you want to be doing on your firewall. That's why it's hidden in the Advanced section.
-
@dennypage I think you didn't have the sound knowledge about this issue
-
@ayansaari said in mDNS or Multicast Traffice Not Passing Between Multiple Vlans:
@dennypage I think you didn't have the sound knowledge about this issue
I agree with @dennypage suggestions for making cross VLAN multicast work. Give them a try before discounting his advice.
-
@ayansaari said in mDNS or Multicast Traffice Not Passing Between Multiple Vlans:
think you didn't have the sound knowledge about this issue
I'm sure you are aware that @dennypage is the maintainer of the Avahi pfSense package and the author of mdns-bridge package (alternatvie package to Avahi).
It's save to say he knows what he talks about.
-
@patient0 Okay brother I did as he said I still no traffic passing between cross vlans
-
@dennypage I follow your seggestions but still unable to access printer devices from the other vlan, can you give me some mins to check it via remotely,
ayansaari@gmail.com
-
@ayansaari said in mDNS or Multicast Traffice Not Passing Between Multiple Vlans:
I follow your seggestions but still unable to access printer devices from the other vlan
"unable to access printer devices" isn't sufficient detail to identify your issue.
Are you using an mDNS browser and not finding any entries? If so, this would be an Avahi issue. If this is what you are seeing, please post screenshots of the mDNS browser when connected to the various network segments.
Or are you seeing the printer, but not able to connect to it? If so, this would be a firewall rules issue. I'm sure you are aware of this, but just to make sure, mDNS (Avahi or mdns-bridge) is only used to facilitate discovery of services. Actual access to the services following discovery would be controlled by firewall rules. If this is what you are seeing, have you checked the firewall log?
FWIW, assuming that your firewall is at address 172.16.10.254, your states information for FETMANAGEMENT shows for that the firewall has received mDNS from hosts .7, .8 and .9, and also sent messages. Did you disable publishing in Avahi as I suggested? Assuming so, messages sent from the firewall would be mDNS information that has been forwarded from another interface.
That's the only interface shown, so I cannot say anything about the others... Have you looked at all the interfaces to check mDNS activity? Choose Interface "all" and filter on "5353".
-
-
G Gertjan referenced this topic
-
@ayansaari Two things I told you previously:
Please re-read my posts above.
As I said previously, firewall rules are not used to forward mDNS. The firewall rule forwarding port 5353 has absolutely no purpose. Avahi does not forward packets from the source network to the destination network -- it sends packets that it creates to the destination containing information gathered from packets it receives in the source network.
Also as I said previously, remove every entry you have in the Service list for Avahi Reflection Filtering, and do not add any entries to the Service list until you have successfully tested. And again, disable Avahi Publishing -- having this enabled is a bad idea, especially if you do not understand the basics of mDNS.
-
@dennypage I’ve tried almost everything to resolve this issue, but I’m still unable to find a solution. I also asked you to give me a few minutes to check it remotely, but unfortunately, you didn’t respond to my request.
Sometimes, live support is necessary—please try to understand.
Just for remote access
+92 321 4050 320
ayansaari@gmail.com -
Why not just add the printer by IP address and forget about mDNS?
But if you must did you try an mDNS browser to see what is being advertised?
-
@ayansaari said in mDNS or Multicast Traffice Not Passing Between Multiple Vlans:
I also asked you to give me a few minutes to check it remotely, but unfortunately, you didn’t respond to my request.
Are you asking to hire me as a consultant to fix your firewall via remote login? I don't think that is a particularly good choice, not only for security reasons, but also for cost reasons -- I am very, very expensive.
I recommend you hire someone locally who has pfSense experience instead. Failing that, I believe Netgate offers professional services. I don't know what countries they offer services in or what their rates are, so you would have to contact them and ask.
-
@stephenw10 dear I was tried by giving IP Address of the printer and no chance to discover it
I think Pfsense is not have the ability to multicast traffic between vlans
-
If you add the device by IP address then mDNS is not involved at all. No multicast traffic is required. The firewall just routes traffic between the subnets like any other traffic.
Now you may not be able to add things by IP because for some reason developers like to remove that option in order to somehow make it.... easier I guess.
But if you can, like in Windows, it should just work. -
@dennypage dear as you give suggestions I done at and still unable to discover devices from the other vlans
so I think pfsense is not have the ability to manage multiple vlans
I think it is a good firewall when we have a single subnet
