Netgate Discussion Forum

    New Avahi package

      METDeath @dennypage

      @dennypage Yup, just wanted to make it less of a headache, plus I had my roommate on his VLAN try casting to my Chromecast on my VLAN and it triggered some odd behavior on my phone about my Chromecast.

      pfSense on AMD AM1 5350 with IBM/Intel PRO/1000 Quad port Gigabit NIC

        TomT

        Hi.
        Sorry if this is a stupid question.

        My setup is LAN interface on OPT1 192.168.10.x and wireless on OPT2 10.10.10.x

        I have some rules in place to allow specific LAN devices to access the wireless network.

        However, anything using multicast (Chromecast, printer, scanner, DLNA, etc.) fails.
        Would this package help and how would I set it up ?

        Thanks

          Gertjan @TomT

          @TomT said in New Avahi package:

          Would this package help and how would I set it up ?

          Yep.
          Install it - start it - done.
          Default setup values do fine for me. Just select all your local LAN interfaces.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

            TomT

            Thanks. I'll give it a go 😀

              TomT

              I'm about to set this up.. but had a quick follow up thought.

              When this is enabled will it allow OPT -> OPT1 & OPT1 -> OPT ?

              Thanks

                dennypage @TomT

                @TomT Avahi reflection allows cross network discovery for all interfaces which it is configured on. That being said, remember Avahi itself offers discovery only. In other words, Avahi will allow you to see that a service is available in another network, but it doesn't mean you will be able to access the service. Access is controlled by firewall rules.

                  Bernard Senior

                  @dennypage

                  Hello,
                  Sorry if I don't post in the right place.
                  We have a site-to-site vpn tunnel (openvpn) between 2 pfSense instances. It is operational. We want to be able to use the Mac OS Messages app (formerly iChat) between our 2 LANs. We installed and configured Avahi 2.0.0_2 on each side. In the friends list, we can't see the remote stations. Likewise, Discovery app only lists local stations. The firewall is configured to allow to see (any ports) the remote stations on each side: LAN 192.168.10.0/24 and LAN 192.168.60.0/24.
                  We don't see why it doesn't work.
                  However, a post indicates that it is possible: https://forum.netgate.com/topic/18877/routing-apple-bonjour
                  Thanks in advance for any help. We aren't geeks !
                  Best regards from France.

                  Here is the Avahi configuration used:
                  [server]
                  allow-interfaces = re0
                  allow-point-to-point = yes
                  use-ipv4 = yes
                  use-ipv6 = no
                  enable-dbus = no
                  cache-entries-max = 0

                  [wide-area]
                  enable-wide-area = no

                  [publish]
                  disable-publishing = yes
                  publish-addresses = no
                  publish-hinfo = no
                  publish-workstation = no
                  publish-domain = no
                  publish-aaaa-on-ipv4 = no
                  publish-a-on-ipv6 = no
                  disable-user-service-publishing = yes

                  [reflector]
                  enable-reflector = yes

                    dennypage @Bernard Senior

                    @Bernard-Senior said in New Avahi package:

                    Here is the Avahi configuration used:
                    [server]
                    allow-interfaces = re0

                    You only have a single allowed interface. Multiple interfaces are required for Avahi reflection to have anything to do. In other words, you need to have your LAN and your tunnel in the allowed list on both sides.

                    When I have a minute, I'll add a check to the UI to prevent enabling reflection if only one allowed interface is defined.

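The check dennypage describes in the post above (reflection needs at least two allowed interfaces), written as a stand-alone audit of an avahi-daemon.conf body. This is an added example, not part of the original post and not the pfSense package's own code; the function names, finding codes and sample configurations are constructed for illustration.

```python
import configparser

# Constructed samples modelled on the two configurations posted in the thread.
SINGLE_IFACE = """\
[server]
allow-interfaces=re0
use-ipv4=yes
use-ipv6=no

[reflector]
enable-reflector=yes
"""
TWO_IFACES = SINGLE_IFACE.replace("=re0", "=re0,ovpnc1")


def _yes(value):
    # Assumption: only these spellings of "enabled" are recognised here.
    return value.strip().lower() in ("yes", "true", "1")


def audit_reflector(conf_text):
    """Return (code, message) findings for an avahi-daemon.conf body."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    # Normalise section names; configparser already lowercases option names.
    sec = {name.lower(): cp[name] for name in cp.sections()}
    server = sec.get("server", {})
    reflect = _yes(sec.get("reflector", {}).get("enable-reflector", "no"))
    raw = server.get("allow-interfaces", "")
    ifaces = [i.strip() for i in raw.split(",") if i.strip()]
    findings = []
    if not ifaces:
        # Without a list, Avahi is not limited to the interfaces you chose.
        findings.append(("allow-interfaces-unset",
                         "no allow-interfaces list restricts Avahi"))
    elif reflect and len(ifaces) < 2:
        findings.append(("reflector-single-interface",
                         f"reflector enabled but only {ifaces[0]} is allowed"))
    # A missing use-ipv6 counts as enabled (Avahi's default is yes).
    if _yes(server.get("use-ipv6", "yes")):
        findings.append(("ipv6-enabled",
                         "IPv6 mDNS is on; check IPv6 rules between networks"))
    return findings


def finding_codes(conf_text):
    return [code for code, _ in audit_reflector(conf_text)]
```
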
                      Bernard Senior

                      @dennypage

                      Thank you very much for your answer.
                      I added and enabled a virtual interface for the vpn tunnel : ovpnc1.
                      The configuration is now :
                      [server]
                      allow-interfaces=re0,ovpnc1
                      Is it better ? I have to enter the same config at the other end of the tunnel.

                      I tried this configuration but when I added ovpnc1 on the second pfSense, I lost the connection of the tunnel !
                      Presently, the VPN connection goes out through a WAN 4G interface to a VPN server hosted by a small VPS on the internet.
                      I think it's safer for us to talk to the person who installed the VPN tunnel !
                      Thank you for your help.

                        jagradang

                        Does anyone know a good Windows mDNS browser I can use? There are suggestions above for Mac and Linux but I can't seem to find anything for Windows.

                        I am struggling casting to my Samsung smart TV and my Firestick and can't print to my Epson printer. Was hoping to use a discovery tool to see what is actually being found and try and work from there.

                          edz

                          EDIT: Well, a lesson if anyone faces a similar issue. I am running Unifi APs and the Block LAN to WLAN Multicast and Broadcast Data option was the culprit. It's all working now. :)

                          I am having problems on a Mac detecting a NAS Time Machine share (Bonjour/AFP) protocol. I had this working prior with an EdgeRouter and mDNS but am not having much luck on pfSense. I have posted about it here: https://forum.netgate.com/topic/147061/avahi-synology-shares-afp

                          Appreciate if anyone can help out.

                            Gertjan @edz

                            @edz said in New Avahi package:

                            Appreciate if anyone can help out.

                            Did you check :

                            @edz said in New Avahi package:

                            Unifi APs and the Block LAN to WLAN Multicast and Broadcast Data option

                            and what if this AP is filtering also the other way around ?
                            No WLAN to LAN "cast" traffic and Avahi will not see anything ?!

                              logan5247

                              Hoping someone can help me out with this, trying to use Avahi to AirPrint across two VLANs...

                              Interfaces
                              LAN (default VLAN1) - 10.10.1.0/24 (this is where my iPhone and all other devices are)
                              BLACKHOLE (VLAN40) - 10.10.40.0/24 (this is where the wireless printer lives, this VLAN has no access back to other VLANs)

                              The request to print looks like this.

                              LAN ------print request------> BLACKHOLE
                              

                              From my LAN (10.10.1.0/24), I can ping the printer (10.10.40.12) and access the web interface, so I know the VLAN setup is working. Below is the firewall setup for my LAN.

                              However, from my iPhone (on the LAN network), when I try to print, it can't find the printer via AirPrint (even though I can ping the printer from my iPhone). Here is my Avahi setup, what am I missing?

                              My wireless is through UniFI, so I have made sure this setting is unchecked on all of my wireless networks.

                              I've also made sure this is checked on my LAN network's wifi.

                                dennypage @logan5247

                                @logan5247 Is mDNS enabled on the printer?

                                Before trying to diagnose issues across subnets, you want to confirm that it works within the same net. Join the blackhole network with your iPhone and confirm that AirPrint works.

                                  logan5247 @dennypage

                                  @dennypage said in New Avahi package:

                                  @logan5247 Is mDNS enabled on the printer?

                                  Before trying to diagnose issues across subnets, you want to confirm that it works within the same net. Join the blackhole network with your iPhone and confirm that AirPrint works.

                                  Yep, that works just fine! I also used an mDNS discovery app on my iPhone and it also sees the printer.

                                    dennypage @logan5247

                                    @logan5247 Okay. Have you checked the firewall log? Status -> System Logs -> Firewall. Look for entries for interface LAN or BLACKHOLE.

                                    Are you serving IPv6 in either subnet? Does the discovery app show any IPv6? FWIW, you probably want to disable IPv6 support in Avahi as you don't have sufficient rules to allow IPv6 to work properly between the networks.

                                      logan5247 @dennypage

                                      @dennypage said in New Avahi package:

                                      @logan5247 Okay. Have you checked the firewall log? Status -> System Logs -> Firewall. Look for entries for interface LAN or BLACKHOLE.

                                      Are you serving IPv6 in either subnet? Does the discovery app show any IPv6? FWIW, you probably want to disable IPv6 support in Avahi as you don't have sufficient rules to allow IPv6 to work properly between the networks.

                                      Ah now you're onto something, I see this in the logs!

                                      filterlog: 76,,,1574278188,igb1.40,match,block,in,4,0x0,,255,27,0,none,17,udp,520,10.10.40.12,224.0.0.251,5353,5353,500
                                      

                                      My BLACKHOLE network isn't allowed to talk back to LAN, let me open some stuff up and see!

                                        logan5247 @logan5247

                                        @logan5247 said in New Avahi package:

                                        @dennypage said in New Avahi package:

                                        @logan5247 Okay. Have you checked the firewall log? Status -> System Logs -> Firewall. Look for entries for interface LAN or BLACKHOLE.

                                        Are you serving IPv6 in either subnet? Does the discovery app show any IPv6? FWIW, you probably want to disable IPv6 support in Avahi as you don't have sufficient rules to allow IPv6 to work properly between the networks.

                                        Ah now you're onto something, I see this in the logs!

                                        filterlog: 76,,,1574278188,igb1.40,match,block,in,4,0x0,,255,27,0,none,17,udp,520,10.10.40.12,224.0.0.251,5353,5353,500
                                        

                                        My BLACKHOLE network isn't allowed to talk back to LAN, let me open some stuff up and see!

                                        @dennypage thank you! I had blocked all communication back from BLACKHOLE to my LAN. I had to allow 5353/udp from BLACKHOLE to LAN and now it's working great!

                                          dennypage @logan5247

                                          @logan5247 said in New Avahi package:

                                          My BLACKHOLE network isn't allowed to talk back to LAN, let me open some stuff up and see!

                                          @dennypage thank you! I had blocked all communication back from BLACKHOLE to my LAN. I had to allow 5353/udp from BLACKHOLE to LAN and now it's working great!

                                          I think you want to allow BLACKHOLE to send mDNS (5353) to firewall rather than to any.

                                            logan5247 @dennypage

                                            @dennypage said in New Avahi package:

                                            @logan5247 said in New Avahi package:

                                            My BLACKHOLE network isn't allowed to talk back to LAN, let me open some stuff up and see!

                                            @dennypage thank you! I had blocked all communication back from BLACKHOLE to my LAN. I had to allow 5353/udp from BLACKHOLE to LAN and now it's working great!

                                            I think you want to allow BLACKHOLE to send mDNS (5353) to firewall rather than to any.

                                            I just tried that (switching from ANY to FIREWALL) and it didn't work. When I switched back to ANY, it works. The firewall logs show it's trying to send to 224.0.0.251, so maybe I can just allow it to go to that address.

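The firewall-log check from the exchange above, as an added example that is not part of any post: it parses filterlog records laid out like the one logan5247 quoted, picks out blocked inbound mDNS, and derives the narrowest pass rule the log supports (source host to 224.0.0.251, UDP 5353) rather than destination any. The function names are hypothetical, and only the first sample line comes from the thread; the other two are constructed.

```python
import ipaddress

MDNS_GROUP = ipaddress.ip_address("224.0.0.251")  # IPv4 mDNS multicast group
MDNS_PORT = 5353

# First line is the entry quoted in the thread; the other two are constructed.
SAMPLE_LOG = """\
filterlog: 76,,,1574278188,igb1.40,match,block,in,4,0x0,,255,27,0,none,17,udp,520,10.10.40.12,224.0.0.251,5353,5353,500
filterlog: 76,,,1574278188,igb1.40,match,block,in,4,0x0,,64,31,0,none,17,udp,78,10.10.40.12,10.10.1.20,40112,53,58
filterlog: 80,,,1000000101,igb1,match,pass,in,4,0x0,,255,12,0,none,17,udp,95,10.10.1.33,224.0.0.251,5353,5353,75
"""


def parse_ipv4_udp(line):
    """Parse one filterlog CSV record; return None unless it is IPv4 UDP.

    Field positions follow the IPv4/UDP record quoted in the thread.
    """
    fields = line.split("filterlog:", 1)[-1].strip().split(",")
    if len(fields) < 23 or fields[8] != "4" or fields[16] != "udp":
        return None
    return {
        "iface": fields[4], "action": fields[6], "dir": fields[7],
        "src": ipaddress.ip_address(fields[18]),
        "dst": ipaddress.ip_address(fields[19]),
        "sport": int(fields[20]), "dport": int(fields[21]),
    }


def blocked_mdns(log_text):
    """Records where inbound mDNS to the multicast group was blocked."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_ipv4_udp(line)
        if (rec and rec["action"] == "block" and rec["dir"] == "in"
                and rec["dst"] == MDNS_GROUP and rec["dport"] == MDNS_PORT):
            hits.append(rec)
    return hits


def narrow_rules(log_text):
    """One (iface, proto, src, dst, port) pass rule per blocked mDNS sender."""
    rules = {(r["iface"], "udp", str(r["src"]), str(MDNS_GROUP), MDNS_PORT)
             for r in blocked_mdns(log_text)}
    return sorted(rules)
```

The blocked DNS query to 10.10.1.20 in the second sample line is deliberately left out of the result: only the multicast discovery traffic gets a pass rule, and the isolated VLAN stays closed to unicast toward LAN.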
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.