Inter Vlan Routing and avahi / bonjour / mdns

luna_s

Sorry if this is a silly question just want to ask before I waste time on it.
Is this possible with pfsense ?
All I need it to do is route between two vlans all mdns / bonjour traffic and nothing else.

I have one vlan with desktops and another with wifi and I'm attempting to get airserver on desktops to work for mirroring I devices on the wifi.

Switches are l2 netgear gs724t

Any quick guides ?

Cheers

luna_s

So anyway thought I'd have a go,
set up the interfaces and no go, the devices aren't being shown in airplay

Interfaces are lan on vr0, vlan on vr1, lan on vr1

I set firewall rules up like this

I can't ping / trace / resolve any .local either?

tim.mcmanus

mDNS only works on the local subnet.  Are both vLANs part of the same subnet?  Otherwise it won't work.

http://tools.ietf.org/html/rfc6762

Section 11:  …

"Since queriers will ignore responses apparently originating outside
  the local subnet, a responder SHOULD avoid generating responses that
  it can reasonably predict will be ignored.  This applies particularly
  in the case of overlayed subnets.  If a responder receives a query
  addressed to the mDNS IPv4 link-local multicast address 224.0.0.251,
  from a source address not apparently on the same subnet as the
  responder (or, in the case of IPv6, from a source IPv6 address for
  which the responder does not have any address with the same prefix on
  that interface), then even if the query indicates that a unicast
  response is preferred (see Section 5.4, "Questions Requesting Unicast
  Responses"), the responder SHOULD elect to respond by multicast
  anyway, since it can reasonably predict that a unicast response with
  an apparently non-local source address will probably be ignored."

luna_s

Yes but I thought avahi can reflect to all interfaces?

tim.mcmanus

They're both based on the same standard which works within the scope of the local subnet.

I've never set up/worked with/used avahi, so I don't know if it extends the scope of ZeroConfig, but the standard only works within the local subnet.

iFloris

Have you looked into wide area bonjour / DNS-SD?
I think that mDNS can do multicasting over several subnets if you use DNS-SD.

There was some talk about this back in '07 here:
https://discussions.apple.com/thread/1251044?threadID=1251044

Also, MO. wrote the following in '10 about this:

Theoretically, though, you could configure a router to pass packets bound for the multicast group 224.0.0.251 between your two subnets, which should do the right thing — assuming you don’t have NAT involved. Whether and how you can do this depends on the type of router you have sitting between the wireless and wired networks.

There Darell Tan wrote a mdns repeater for *WRT here:
mdns-repeater: mDNS across subnets

Joel Knight wrote something about this as well, specifically using AVAHI.
AirPlay, VLANs, and an Open Source Solution

And lastly, there are applications for windows and osx that can help you, as detailed here:
Bonjour/ZeroConf/Rendezvous/mDNS across multiple subnets

luna_s

thank you, plenty of reading to be done then :)

In fairness I've read a lot lately on it (ive read that knight blog for instance), set up a Linux machine and tried avahi (then discovered it's probably not possible to do without layer 3 switches) then I remembered I had a pfsense box (alix) and thought i'd give that a try and this has failed also, nothing much has helped so I'm probably going to have to go down a split domain route :( .

iFloris

Hopefully that you can find a solution.

It seems to me that Joel Knight's solution is the easiest, because you already have access to avahi in pfsense.
If you can set the reflector functionality in your avahi-daemon.conf as he has done, that might suffice to get things working as you require.
Have you also tried setting your vlans as Knight has?

tim.mcmanus

If it's any comfort, I'll be trying to do the same thing next week.  I am physically separating my 10.0.1.x/24 and 10.0.2.x/24 subnets, and we are a 90% Apple/Mac shop.

Not sure if I'll implement the Avahi package on pfSense because it's an Alpha release for 1.2.3, but if I get anything to work I'll post back.

luna_s

This was the problem I had with Ubuntu and avahi, the reflection didn't work (quite possibly because I'm not running L3 switches, the number keeps increasing.
I could ping and traceroute .local addresses, but the traffic tried to go outside the lan (no routing on the switches I guess)

I thought I could use the pfsense box as a router instead of forking out for an expensive l3 switch, looks like I may need one!

tim.mcmanus

I completed the physical separation of my 10.0.1.0/24 and 10.0.2.0/24 networks this past weekend.  The 10.0.1.0/24 network has the bulk of the mDNS devices on it, and it is a cheap unmanaged GigE switch.

I just installed the avahi package in pfSense.  It seems to be working okay.  There were some interesting log entries generated during install, but nothing to indicate that anything was wrong.

I could see my Mac OS X Server 10.8.x from my MacBook Pro.  I could also see the Brother printer I have on the 10.0.1.x/24 network too.  I had thought about firing up a CentOS server on my ESXi server.  I have both the 10.0.1.0/24 and 10.0.2.0/24 networks going into that box and the CentOS server could route between the two subnets.  In a fit of laziness I decided to go with the pfSense package instead.  I didn't feel like using up a few hours of my life creating another CentOS appliance.  :)

Seems to work okay.  No major issues to report.  I wish the package would move out of alpha status because it seems fairly stable.

iFloris

Sounds great! So you only installed avahi, nothing else? Did you bridge your vlans?

tim.mcmanus

I don't have any vLANs.  I did at one time have both LANs on the same managed switch but decided instead to move them to a different physical switch.

Both LANs can talk to each other, there are no rules preventing communication.  The challenge that avahi solves is mDNS's inability to communicate across different subnets.  It's not in its spec to do that.  avahi solves that problem.

I didn't really need to make the change or install the package other than to support a minority of things.  Setting avahi up is very easy.  Select the interfaces you want it to work with and turn it on.

So in short, no firewall restrictions between LANs, avahi extends mDNS across both subnets, install is a breeze.

iFloris

As an alternative to avahi, I came across this free virtual appliance by Aerohive, aiming to solve this problem:
http://aerohive.com/products/software-management/bonjour-gateway
http://community.aerohive.com/aerohive/topics/how_do_you_install_free_virtual_bonjour_gateway