mDNS getting blocked for wireless devices on separate VLANs



  • Hello everyone,

    I am just stuck in a very strange situation. This may not be the right place to ask, but if anyone can help me out…

    My scenario:

    pfSense 2.3.2 box with VLAN 101 (192.168.101.0/24) on LAN (192.168.88.0/24).

    Netgear managed switch GS108E connected to the LAN port. The first port is connected to the firewall. Ports 2-6 are doing VLAN tagging for VLAN 101. All my devices are connected to port 7 and port 8, which are on LAN.

    I am able to ping from the VLAN 101 network to a device on the LAN network and vice versa. For mDNS I have enabled IGMP snooping in the Netgear switch. So any device on VLAN 101 is able to discover devices on LAN (ports 7 & 8).

    The problem arises when I connect a wifi access point to ports 2-6 on the Netgear switch. The iPad gets an IP address in the 101 series and it is able to ping any device on the LAN network (192.168.88.0/24), but mDNS is not working, i.e. it is not able to automatically discover devices connected to the LAN network. I think the access point is causing the issue. Can anyone point out where I am going wrong?

    Thank You,
    Ashima


  • Netgate Administrator

    Try installing the avahi package. IGMP snooping on the switch is not enough there.

    https://doc.pfsense.org/index.php/Avahi_package

    Steve



  • Thank you Steve for the reply.

    I have installed Avahi and it is working fine. This is what I have done:

    I have removed the VLANs and the two subnets are now on separate LAN cards. Also there is a separate unmanaged switch for each LAN card. My AirPort Extreme is getting auto-discovered from either of the subnets.

    I have a few more questions:

    1. Does Avahi work with all kinds of devices, or does it work only for Apple devices?

    2. What if I put a managed switch on the two LAN subnets; will my mDNS work?

    3. Can Avahi work on a LAN and a VLAN created on that LAN?

    Meanwhile I'll also try to find solutions for my questions and surely post my findings on the forum.

    If anyone has any pointers, please do post.

    Thank you,
    Ashima


  • Netgate Administrator

    Avahi proxies mDNS so anything that uses that will work with it. That's mostly Apple devices but not exclusively.

    A managed switch should not get in the way there unless it has features that get in the way of multicast traffic and they are enabled.

    Avahi can work between any interfaces and pfSense treats a VLAN interface just like any other. So, yes, it will work with VLANs.

    Steve



  • Hello Everyone,

    Finally things are up and working and it's time to summarize everything.

    Installed Avahi with default settings. Created these LAN and VLAN rules. Screenshot attached. Point to be noted… only after creating these firewall rules did my iPad (VLAN network) start communicating with devices on the LAN network.

    Also another point worth noting:

    If a few ports of the managed switch are configured for the VLAN and a few for the LAN, the devices are connected to a port configured for the LAN and the iPad is connected to a VLAN port of the same managed switch, the switch blocks the communication.

    So I have configured all the ports of the managed switch for the VLAN and connected all wifi devices to it. Connected all devices to the unmanaged switch. Here's the diagram:

    WAN1 ----------|
                   |_______pfSense Firewall______Unmanaged switch_____Managed switch (VLAN 101) (Netgear GS108E)
                   |                                    |                          |
    WAN2 ----------|                                 Devices                  Wifi Devices
                                                  (192.168.5.X)              (192.168.101.X)

    A special thanks to Steve for pointing me to Avahi.

    Also found that the devices which do not use mDNS can be proxied with IGMP proxy.

    Regards,
    Ashima



  • Things are again not working… I can't figure out the reason.

    First of all, it's a remote location where this setup is required, so I access the firewall remotely through a VPN connection.

    On the other day, the setup was done as shown in the previous mail. I had connected one of the wifi access points to the managed switch (VLAN 101, 192.168.101.x) and connected the iPad through it... All the devices on the 192.168.5.x series were accessible.

    The next day all the wifi access points were shifted to the managed switch (VLAN 101) and the devices are still in the 192.168.5.x series. But the iPad fails to connect to them.

    avahi-browse -at shows all the devices.

    I can ping from the 101 series to the 5 series and vice versa.

    I reverted to the old setup where only one wifi was connected, but the iPad is still not able to access the devices. The iPad is able to access the devices if it's in the 192.168.5.x network. I am clueless... it's become a pain in the neck. What should I do? What are the things I should look at? Since I am at a remote location, I am not able to physically check the connections. But since all the devices are pingable and Avahi shows all the devices, things should ideally run.

    Also, I have noted that when I reboot the firewall, Avahi fails to start. I have installed the watchdog to start the service, but it doesn't work. The only way to start Avahi is to tick "Disable dbus", start Avahi, and then untick "Disable dbus".

    Can any one please help me in this.

    Regards,
    Ashima


  • Netgate Administrator

    It may take its settings only when it's started, in which case enabling it afterwards will not have any effect.

    It's hard to say what the issue is there.

    Maybe run a packet capture to look at what's happening.

    Devices that don't allow you to enter the IP of the resource always seem like the result of lazy programmers to me, relying entirely on auto-discovery.

    Steve
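To make sense of that packet capture, here is an added example (not from the thread or from the Avahi project) that builds the same service-enumeration PTR query that `avahi-browse -a` sends to 224.0.0.251:5353 and decodes the PTR answers, including DNS name compression; the reply it parses is a constructed sample, not a real capture, and any real byte dump from the capture can be fed to `parse_ptr_answers` in its place.

```python
import struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353      # what a packet capture filter would match
SERVICE_ENUM = "_services._dns-sd._udp.local"      # the name avahi-browse -a enumerates
PTR, CLASS_IN = 12, 1

def encode_name(name):
    # DNS wire format: length-prefixed labels, terminated by a zero byte
    return b"".join(bytes([len(x)]) + x.encode() for x in name.strip(".").split(".")) + b"\x00"

def build_query(name=SERVICE_ENUM):
    # Header: id 0, flags 0, one question; then a PTR/IN question for the service-enumeration name
    return struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", PTR, CLASS_IN)

def decode_name(data, offset):
    # Decode a possibly compressed name; return (name, offset just past it in the packet)
    labels, end = [], None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                  # 2-byte compression pointer (RFC 1035)
            end = end if end is not None else offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode())
        offset += length
    return ".".join(labels), end if end is not None else offset

def parse_ptr_answers(data):
    # Return [(record name, PTR target)] for every PTR record in the answer section
    qdcount, ancount = struct.unpack("!HH", data[4:8])
    offset, found = 12, []
    for _ in range(qdcount):                       # skip question entries (name + type + class)
        offset = decode_name(data, offset)[1] + 4
    for _ in range(ancount):
        name, offset = decode_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == PTR:
            found.append((name, decode_name(data, offset)[0]))
        offset += rdlen
    return found

def sample_response():
    # Constructed reply (not a capture): one PTR answer whose target compresses "local" via a pointer to offset 35
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)  # response + authoritative, one answer
    rdata = encode_name("_airport._tcp")[:-1] + b"\xC0\x23"
    return header + encode_name(SERVICE_ENUM) + struct.pack("!HHIH", PTR, CLASS_IN, 4500, len(rdata)) + rdata
```

If a capture on the VLAN side shows the query leaving but no PTR answers coming back while the LAN side shows them, the reflector or the firewall rules between the two interfaces are the place to look.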