Netgate Discussion Forum

    New Avahi package

    pfSense Packages

    • dennypage

      Note that if you have publishing disabled (which is the default) you may see the following errors in the system log:

      Failed to add service 'fw' of type '_sftp-ssh._tcp', ignoring service group (/usr/local/etc/avahi/services/sftp-ssh.service): Not permitted
      Failed to add service 'fw' of type '_ssh._tcp', ignoring service group (/usr/local/etc/avahi/services/ssh.service): Not permitted
      

      These errors are benign and can be ignored.

      • Gertjan

        Hi,

        Being stupid, I found the upgrade, and hit the update button.

        True, Avahi 2.0.0 won't restart after updating - I visited the settings page, what's left of it ;) , and a simple Save (without even looking at the option - again, I'm stupid) started the Avahi daemon right away.

        All is well. Thank you for your notice.

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • Dammex

          Hi,

          I just updated the avahi package to version 2.0.0_1. But no response from avahi to any MDNS requests...

          I tried with one/several interfaces but did not work.

          Avahi configuration: [image: 0_1542039891202_image.JPG]

          Any idea?

          • xpxp2002

            I’ve also been having a lot of intermittent issues with specific devices (namely an iDevices brand switch) not responding in HomeKit since upgrading to 2.0.0_1. Other devices don’t appear to be affected. Was there any change to the Avahi service with this upgrade, or was it only a GUI change?

            • dennypage @Dammex

              @dammex Can you explain what subnets you have mDNS devices in? I note that your LAN is not included in the list of subnets--are there no mDNS devices in the LAN? I also see you have an OpenVPN interface defined--I don't know that OpenVPN supports multicast forwarding.

              Unrelated: unless you have a specific reason for using it, you probably want to disable publishing of information about the pfSense host.

              • dennypage @xpxp2002

                @xpxp2002 said in New Avahi package:

                I’ve also been having a lot of intermittent issues with specific devices (namely an iDevices brand switch) not responding in HomeKit since upgrading to 2.0.0_1. Other devices don’t appear to be affected. Was there any change to the Avahi service with this upgrade, or was it only a GUI change?

                No change to the underlying Avahi service, just the GUI.

                • dennypage @Dammex

                  @dammex One other note: when you add/remove connectivity between devices, sometimes they won't work right away. I have a couple of stupid devices that don't respond to discovery--I either have to wait N minutes for the devices to retry their own discovery or restart them to force it.

                  • xpxp2002 @dennypage

                    @dennypage that’s very odd, then. Is there a cache on disk that I might be able to try deleting? Restarting the Avahi service brings the device "back to life" for about 15 minutes, then it drops out again. I can still see it sending multicasts every couple seconds, so I’m not sure why restarting the service has any effect.

                    • dennypage @xpxp2002

                      @xpxp2002 Avahi caching is completely disabled.

                      To help me understand, can you give a brief explanation of what devices you are trying to communicate between, and what interfaces they are attached to on your pfSense box?

                      Also, can you show your Avahi config please?

                      • xpxp2002 @dennypage

                        @dennypage I have several Apple devices with HomeKit support (iPhone, Apple Watch, and MacBook, Apple TV) that control a variety of HomeKit devices on a different subnet. Most devices work near flawlessly in this configuration.

                        However, one unique device (iDevices Outdoor Switch) works for about several minutes after Avahi starts, then shows as "not responding" in Home app. The iDevices app continues to work using their cloud service as a relay for control once HomeKit control stops. Restarting the avahi daemon also temporarily restores this one device.

                        [server]
                        allow-interfaces=hn1,hn3
                        use-ipv4=yes
                        use-ipv6=yes
                        enable-dbus=no
                        cache-entries-max=0

                        [wide-area]
                        enable-wide-area=no

                        [publish]
                        disable-publishing=yes
                        publish-addresses=no
                        publish-hinfo=no
                        publish-workstation=no
                        publish-domain=no
                        publish-aaaa-on-ipv4=no
                        publish-a-on-ipv6=no
                        disable-user-service-publishing=yes

                        [reflector]
                        enable-reflector=yes

                        • dennypage @xpxp2002

                          @xpxp2002 Hmm... with your configuration, Avahi should not emit any packets when it is restarted, so I'm not sure how restarting it would cause the device to start working again. The only thing Avahi does in that configuration is replay (reflect) mDNS packets received from one interface to the other interface. If you leave it alone for an extended period, does the device ever start working again on its own?

                          One thing is to check the firewall log to see if there are any point to point packets being blocked between the devices on the different subnets.

                          Another thing to try would be disabling IPv6. I know, sounds weird. I haven't experienced this myself, but I've seen a few references to iDevices having issues that were resolved by disabling (or sometimes enabling) IPv6.

                          Failing that, we're down to looking at packet dumps to figure out what is going on. ☹

                          • xpxp2002 @dennypage

                            @dennypage I've looked at firewall logs, and didn't see anything that indicated an issue. It is worth noting that I recently noticed the same behavior with a printer that is mDNS-discoverable, as well.

                            I took some pcaps that I'd be happy to share with you privately. I don't expect that they'll have any sensitive information in them, other than say MAC addresses and whatnot. This is the strangest part of all. In the captures, I can see the iDevice switch continuing to send out its unsolicited mDNS query answers indefinitely. But when I look with Bonjour browser on the Mac or on the iPhone, the switch only appears in the hap.local domain while it is visible in the Home app for the first 5-10 minutes after I restart Avahi. Even though the mDNS multicasts continue to occur on the subnet, the device disappears from the mDNS browser at the same time that it disappears from the Home app. That's the part I don't understand. The only step left that I can think to do is look at the mDNS answers before and after it disappears from the mDNS browser and see if anything is changing in the packet that might cause it to be disappearing.

                            I don't see the device acquiring an IPv6 address, but in the meantime since it's quick and simple I'll try turning off IPv6 in Avahi.

                            • xpxp2002

                              @dennypage Thanks for your help troubleshooting this. In an interesting development tonight, the issue may not be related to the reflector (as you may have already suspected). I installed an updated firmware that just became available to my APs and switches this evening, and so far I've gone about an hour without the issue presenting. I'm going to keep an eye on it over the next 24 hours and see if I can confirm that it is no longer a problem.

                              • sammybernard

                                The Avahi package also appears to have issues with GRE tunnels. I have an IPSEC site to site tunnel using a VTI interface. At both sites the ipsec tunnels are up and the gre tunnels are up as well. When Avahi starts it does not register the service on the GRE tunnel and the VTI tunnels even though both have been selected in the interface list.

                                • dennypage @xpxp2002

                                  @xpxp2002 Cool.

                                  • dennypage @sammybernard

                                    @sammybernard This would generally be a limitation of Avahi itself, rather than the pfSense package.

                                    Not sure I can be of much help here, but some questions that come to mind:

                                    • By "does not register the service" do you mean that it doesn't bind to the interface? Or something else?

                                    • Do you have Avahi reflection on both ends?

                                    • Have you restarted Avahi (both ends) after the tunnels are up?

                                    • Do any of the interfaces have the POINTOPOINT flag set?

                                    • Have you separately confirmed multicast connectivity through the tunnel?

                                    • Have you done any packet sniffing to determine which hop is not working?

                                    • sammybernard @dennypage

                                      @dennypage
                                      —— By "does not register the service" do you mean that it doesn't bind to the interface? Or something else?

                                      I have selected 4 interfaces for Avahi to bind to: LAN1, LAN2, GRETunnel and IPSEcVTI Interface. Avahi only binds to LAN1 and 2 at both end points of IPSec tunnels before the interface enumeration message appears and does not bind to any further interfaces. Minimal log info to see why it failed to bind to the GRETunnel or IPSEcVTI interfaces.

                                      Do you have Avahi reflection on both ends?

                                      Yes, reflection is enabled at both end points.

                                      Have you restarted Avahi (both ends) after the tunnels are up?

                                      Yes have tested restarting Avahi and entire routers as well.

                                      Do any of the interfaces have the POINTOPOINT flag set?

                                      No interface has any pointtopoint flag set.

                                      Have you separately confirmed multicast connectivity through the tunnel?

                                      Prior to the Avahi 2.0.0 update it worked well with the same tunnel setup, but nothing after the 2.0.0.0 update.

                                      Have you done any packet sniffing to determine which hop is not working?

                                      Yes, packet capture only shows the keep alive pings going across the GRE tunnel but no other Avahi packets. But this is not surprising since Avahi does not seem to be binding to the GRE interface.

                                      • dennypage @sammybernard

                                        @sammybernard said in New Avahi package:

                                        I have selected 4 interfaces for Avahi to bind to: LAN1, LAN2, GRETunnel and IPSEcVTI Interface. Avahi only binds to LAN1 and 2 at both end points of IPSec tunnels before the interface enumeration message appears and does not bind to any further interfaces. Minimal log info to see why it failed to bind to the GRETunnel or IPSEcVTI interfaces.

                                        Avahi doesn't actually bind to interfaces. It binds to wildcards.

                                        Please post the following:

                                        • Name and description of each of the interfaces involved
                                        • Contents of /usr/local/etc/avahi/avahi-daemon.conf
                                        • System log messages for process "avahi"
                                        • Output of ifconfig for each of the interfaces involved
                                        • Output of ifconfig -a -n | grep 5353

                                          • sammybernard @dennypage

                                            @dennypage
                                            So after some digging into things it appears that IPSEC endpoints and GRE endpoints would be considered point to point links and hence why avahi is failing. The default behavior is for POINT-to-POINT links to be ignored and the new package GUI does not seem to allow for this "allow-point-to-point=yes" flag to be set. If I manually edit the /usr/local/etc/avahi/avahi-daemon.conf to add this entry it seems avahi then latches on to the GRE and IPSEC interfaces and now we can have multicast messages across the IPSec tunnels between two different sites. This might be an important GUI option since a lot of folks might want to use avahi reflector functioning to enable multicast over an IPSec tunnel and GRE would be the only way to do it which would be a point-to-point link.
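
A check for the failure traced in the last post, added here as an example (not code from the thread or from the pfSense package): it reads `allow-interfaces` and `allow-point-to-point` from an avahi-daemon.conf and lists the selected interfaces that carry the POINTOPOINT flag and will therefore be ignored. The function names, the interface names gre0 and ipsec1000, and the sample ifconfig lines are assumptions.

```sh
#!/bin/sh
# Added example. Lists allow-interfaces entries that avahi-daemon will skip:
# those flagged POINTOPOINT while allow-point-to-point is not "yes".

# conf_get FILE SECTION KEY: print KEY's value from [SECTION]
conf_get() {
    awk -F= -v want="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); sect = $0; next }
        sect == want {
            k = $1; gsub(/[ \t]/, "", k)
            if (k == key) { v = $0; sub(/^[^=]*=[ \t]*/, "", v); print v; exit }
        }' "$1"
}

# p2p_ifaces FILE: interface names whose ifconfig flags include POINTOPOINT
p2p_ifaces() {
    awk '/^[^ \t]+: flags=.*[<,]POINTOPOINT[,>]/ { sub(/:.*/, "", $1); print $1 }' "$1"
}

# skipped_ifaces CONF IFCONFIG_OUTPUT: selected interfaces Avahi will ignore
skipped_ifaces() {
    if [ "$(conf_get "$1" server allow-point-to-point)" = "yes" ]; then return 0; fi
    p2p=$(p2p_ifaces "$2")
    for ifc in $(conf_get "$1" server allow-interfaces | tr ',' ' '); do
        for p in $p2p; do
            if [ "$ifc" = "$p" ]; then echo "$ifc"; fi
        done
    done
}

# Constructed sample input: hn1 is from the thread's config; gre0, ipsec1000 and
# the flag lines are illustrative stand-ins for real `ifconfig` output.
demo=$(mktemp -d)
cat > "$demo/avahi-daemon.conf" <<'EOF'
[server]
allow-interfaces=hn1,gre0,ipsec1000
cache-entries-max=0

[reflector]
enable-reflector=yes
EOF
cat > "$demo/ifconfig.txt" <<'EOF'
hn1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
gre0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1476
ipsec1000: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1400
EOF

skipped_ifaces "$demo/avahi-daemon.conf" "$demo/ifconfig.txt"
```

On a firewall, pass the real config path and a saved copy of the `ifconfig -a` output instead of the sample files. The avahi-daemon.conf man page gives the reason `allow-point-to-point` defaults to `no`: such links can make mDNS unreliable and can expose mDNS to Internet-facing connections, so set it only where every point-to-point interface in `allow-interfaces` is a tunnel you control.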