New Avahi package

dennypage

@sammybernard said in New Avahi package:

Thanks. I have edited the avahi.inc file for the moment while waiting the package update. Just want to make sure if the package got updated via GUI then the avahi-deamon.conf gets updated with the point to point flag.

Not sure if you are asking about the behavior with the current version 2.0.0_1 or the coming 2.0.0_2...

With 2.0.0_1, any change to the configuration will cause avahi-daemon.conf to be overwritten, and the manual edit for allow-point-to-point flag will be lost.

With 2.0.0_2 and beyond, the config file will always be written with the allow-point-to-point flag set. Given that the interface list is positive selection only, there really isn’t a reason to make the point-to-point setting configurable via the GUI.

I expect the new version will be available shortly after folk return from holiday next week. You can follow the PR using the link above.

Gertjan

Same package, another question :
In the good old days, I could see what avahi "sees" doing by running :

avahi-browse -a -v

Or, now :

avahi-browse -a -v
Failed to create client object: Daemon not running

With the help of Google and the left mouse button, I found out that in the file
/usr/local/etc/avahi/avahi-daemon.conf
This line

enable-dbus=no

is hard coded to "no".
Making it

enable-dbus=yes

rewriting the config and .....

avahi-browse -a -v
Server version: avahi 0.7; Host name: pfsense.local
E Ifce Prot Name                                          Type                 Domain
+   fxp0 IPv6 pfsense [00:12:3f:b3:58:75]                   _workstation._tcp    local
+   fxp0 IPv4 pfsense [00:12:3f:b3:58:75]                   _workstation._tcp    local
+   sis0 IPv6 pfsense [00:0f:b5:fe:4e:e7]                   _workstation._tcp    local
+   sis0 IPv4 pfsense [00:0f:b5:fe:4e:e7]                   _workstation._tcp    local
+   fxp0 IPv6 pfsense                                       _ssh._tcp            local
+   fxp0 IPv4 pfsense                                       _ssh._tcp            local
+   sis0 IPv6 pfsense                                       _ssh._tcp            local
......

Thoughts ?

dennypage

@gertjan Yes, this is intentional. There are no local mDNS browse clients for pfSense, so there isn't much use for dbus support on the firewall itself. Further dbus was the cause of a couple of significant issues, one being the minimum 5 second startup delay, and the other being a sporadic failure of Avahi to start at boot for many users.

If you want to see what is in the network, I would recommend doing this from a general workstation or laptop in the network. This will also give you a better view into the overall functionality of reflection. There are several tools that support this. If you are a Mac user, then there is a free application called "Discovery" that is pretty nice. For a Unix based system, you can use avahi-discover (GUI) or avahi-browse (command line). I haven't used Windows in many years, but I'm sure there are some decent tools there as well.

Gertjan

@dennypage said in New Avahi package:

@gertjan Yes, this is intentional. There are no local mDNS browse clients for pfSense, so there isn't much use for dbus support on the firewall itself. Further dbus was the cause of a couple of significant issues, one being the minimum 5 second startup delay, and the other being a sporadic failure of Avahi to start at boot for many users

Ok, get it - the only browser that exist on the firewall was ..... avahi-browser ^^ (this one needs avahi - logic, and mbus I guess).

I have the Discovery app my Mac (iPhone) : great tool !

Thanks for the detailed explanation.

sammybernard

@dennypage said in New Avahi package:

the point-to-point setting configurable via the GUI.

I meant that while we wait for the 2.0.0_2 version, I have edited the avahi.inc file based on the GitHub changes you had submitted so avahi-deamon.conf will have the allow-point-to-point flag.

dennypage

@sammybernard Sounds good.

A Former User

I can confirm my OpenVPN interfaces, that wouldn't get MDNS before, get it now with v2.0.0_2
Thanks!
(I can control the Chromecast from work once again...)

dennypage

@muppet You’re welcome. Glad it’s working for you.

METDeath

Would it be possible to to set a single listen network then select rebroadcast networks?

I have an edge case of having several VLANs, three of which have castable devices, but only one of those devices should be visible on multiple networks.

There is a common area Shield TV (should be visible to it's network, and three others), as well as my bedroom Chromecast (should only be visible on my network) and my roommate has a Chromecast (should only be visible on his network).

Or a a client exclusion by IP address or network?

dennypage

@METDeath Avahi reflection, which is what is used to proxy mDNS, applies to all allowed interfaces. There is no way to limit the advertisements. Remember however that being able to see the device doesn't mean that you can route packets to it. Standard firewall rules still apply.

In other words, you can't hide it but you can easily prevent people from using it.

METDeath

@dennypage Yup, just wanted to make it less of a headache, plus I had my roommate on his VLAN try casting to my Chromecast on my VLAN and it triggered some odd behavior on my phone about my Chromecast.

TomT

Hi.
Sorry if this is a stupid question.

My setup is Lan interface on OPT1 192.168.10.x and wireless on OPT2 10.10.10.x

I have some rules in place to allow specific Lan devices to access the wireless network.

However anything using multicast, Chromecast, printer, scanner, DNLA etc fail.
Would this package help and how would I set it up ?

Thanks

Gertjan

@TomT said in New Avahi package:

Would this package help and how would I set it up ?

Yep.
Install it - start it - done.
Default setup values do fine for me. Just select all your local LAN interfaces.

TomT

Thanks. I'll give it a go

TomT

I'm about to set this up.. but had a quick follow up thought.

When this is enabled will it allow OPT -> OPT1 & OPT1 -> OPT ?

Thanks

dennypage

@TomT Avahi reflection allows cross network discovery for all interfaces which it is configured on. That being said, remember Avahi itself offers discovery only. In other words, Avahi will allow you to see that a service is available in another network, but it doesn't mean you will be able to access the service. Access is controlled by firewall rules.

Bernard Senior

@dennypage

Hello,
Sorry if I don't post in the right place.
We have a site-to-site vpn tunnel (openvpn) between 2 pfSense instances. It is operational. We want to be able to use the Mac OS Messages app (formerly iChat) between our 2 LANs. We installed and configured Avahi 2.0.0_2 on each side. In the friends list, we can't see the remote stations. Likewise, Discovery app only lists local stations. The firewall is configured to allow to see (any ports) the remote stations on each side: LAN 192.168.10.0/24 and LAN 192.168.60.0/24.
We don't see why it doesn't work.
However, a post indicates that it is possible: https://forum.netgate.com/topic/18877/routing-apple-bonjour
Thanks in advance for any help. We aren't geeks !
Best regards from France.

Here is the Avahi configuration used:
[Server]
allow-interfaces = RE0
allow-Point-to-Point = yes
use-ipv4 = yes
use-ipv6 = no
enable-dbus = no
Cache-entries-max = 0

[Wide-area]
enable-wide-area = no

[Publish]
disable-publishing = yes
publish-addresses = No
publish-hinfo = no
publish-workstation = no
publish-domain = No.
publish-yyyy-on-ipv4 = no
publish-on-a-ipv6 = no
disable-user-service-publishing = yes

[Reflector]
enable-reflector = yes

dennypage

@Bernard-Senior said in New Avahi package:

Here is the Avahi configuration used:
[Server]
allow-interfaces = RE0

You only have a single allowed interface. Multiple interfaces are required for Avahi reflection to have anything to do. In other words, you need to have your LAN and your tunnel in the allowed list on both sides.

When I have a minute, I'll add a check to the UI to prevent enabling reflection if only one allowed interface is defined.

Bernard Senior

@dennypage

Thank you very much for your answer.
I added and enabled a virtual interface for the vpn tunnel : ovpnc1.
The configuration is now :
[server]
allow-interfaces=re0,ovpnc1
Is it better ? I have to enter the same config at the other end of the tunnel.

I tried this configuration but when I added opvnc1 on the second pfSense, I lost the connection of the tunnel !
Presently, the VPN connection go out through a WAN 4G interface to a VPN server hosted by a small VPS on the internet.
I think it's safer for us to talk to the person who installed the VPN tunnel !
Thank you for your help.

jagradang

Does anyone know a good windows mDNS browser i can use, there are suggestions above for mac and linux but i can't seem to find anything for windows.

I am struggling casting to my samsung smart tv and my firestick and can't print to my epson printer. Was hoping to use a discovery tool to see what is actually being found and try and work from there.