Avahi-daemon choosing VIP instead of interface IP

  • I have pfblockerng-devel installed and configured with DNSBL on most of my interfaces and VLANs. I also have avahi-daemon working as an mDNS reflector between a few VLANs, and it works well when the issue below is not occurring.

    For those who are not aware, pfblockerng creates a VIP address on the LAN interface for sending blacklisted DNS entries to; it's the sinkhole that returns an error back to the requestor (usually a web browser) saying that what they want is not available. This allows a fast reply to the requestor so it does not have to time out.

    The issue is that when avahi-daemon is configured for mDNS reflection, at least, it chooses the IP of the VIP for a selected interface instead of the primary interface IP address. Obviously this defeats the purpose of reflecting mDNS traffic to the LAN network; instead it reflects the mDNS traffic to the VIP network, which by definition goes nowhere. The workaround was to bind the VIP to another VLAN interface, one on which I do not want mDNS reflection to occur and thus have not selected for avahi-daemon usage.

    This works as a workaround, but it would be preferred that avahi-daemon config generation would check if an IP it attempts to use is a VIP and, if so, alert or have a check box on the web GUI to select "use VIP if available" for the interface. This way avahi-daemon can rely on the user to make the determination of which bound IP to use.

    Update - I will post a bug report on redmine as soon as I am able to sign in... Ironically, I'm having issues with that at the moment.

  • Based on feedback I've opened https://redmine.pfsense.org/issues/10253 to pfblockerng to move the default VIP bind to localhost instead of a user interface.
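The check the first post asks for (tell primary interface addresses apart from VIPs before an address is handed to avahi-daemon), as an added example that is not code from the pfSense, pfBlockerNG or Avahi projects. It parses FreeBSD-style `ifconfig` output; the sample output, the interface names and the addresses are constructed for the example, and it assumes the layout pfSense IP Alias VIPs produce, namely that the first `inet` line under an interface is the primary address and any later `inet` lines are aliases. `choose_bind_address` models the proposed "use VIP if available" switch, and `audit_selected_interfaces` models the alert: it reports every selected interface that carries an alias, so a generated config can be checked before the reflector starts.

```python
"""Distinguish primary interface addresses from IP-alias VIPs in ifconfig output.

Added example; not pfSense/pfBlockerNG/Avahi code. Assumes FreeBSD ifconfig
layout where the first 'inet' line under an interface is the primary address
and later 'inet' lines are aliases (how IP Alias VIPs appear on pfSense).
"""
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample: igb1 (LAN) carries a primary address plus a /32 IP Alias
# VIP of the kind a DNSBL sinkhole uses; igb1.20 is a VLAN with only a primary.
SAMPLE_IFCONFIG = """\
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
\tinet6 ::1 prefixlen 128
\tinet 127.0.0.1 netmask 0xff000000
igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
\tinet 10.10.10.1 netmask 0xffffffff broadcast 10.10.10.1
igb1.20: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet 192.168.20.1 netmask 0xffffff00 broadcast 192.168.20.255
"""

IFACE_RE = re.compile(r"^(\S+): flags=")
INET_RE = re.compile(r"^\s+inet (\d+(?:\.\d+){3}) ")


class Inet(NamedTuple):
    iface: str
    addr: str
    is_alias: bool  # True for every inet after the first one on the interface


def parse_ifconfig(output: str) -> List[Inet]:
    """Return every IPv4 address with its interface and alias/primary status."""
    found: List[Inet] = []
    iface: Optional[str] = None
    seen_primary = False
    for line in output.splitlines():
        m = IFACE_RE.match(line)
        if m:
            iface = m.group(1)
            seen_primary = False
            continue
        m = INET_RE.match(line)
        if m and iface is not None:
            found.append(Inet(iface, m.group(1), is_alias=seen_primary))
            seen_primary = True
    return found


def primary_address(inets: List[Inet], iface: str) -> Optional[str]:
    """The interface's own address: the one mDNS reflection should use."""
    for entry in inets:
        if entry.iface == iface and not entry.is_alias:
            return entry.addr
    return None


def aliases(inets: List[Inet], iface: str) -> List[str]:
    """All alias (VIP) addresses bound to the interface."""
    return [e.addr for e in inets if e.iface == iface and e.is_alias]


def is_vip(inets: List[Inet], iface: str, addr: str) -> bool:
    """True when addr is an alias on iface rather than its primary address."""
    return addr in aliases(inets, iface)


def choose_bind_address(inets: List[Inet], iface: str,
                        allow_vip: bool = False) -> Optional[str]:
    """Pick the address to hand to the reflector config.

    Default is always the primary address; only when the user opts in
    (allow_vip) and a VIP exists is the first VIP chosen instead.
    """
    vips = aliases(inets, iface)
    if allow_vip and vips:
        return vips[0]
    return primary_address(inets, iface)


def audit_selected_interfaces(inets: List[Inet],
                              selected: List[str]) -> Dict[str, List[str]]:
    """Map each selected interface that carries VIPs to those VIP addresses.

    An empty result means no selected interface can be mis-bound to a VIP.
    """
    return {iface: aliases(inets, iface)
            for iface in selected if aliases(inets, iface)}


if __name__ == "__main__":
    entries = parse_ifconfig(SAMPLE_IFCONFIG)
    for iface in ("igb1", "igb1.20"):
        print(iface, "->", choose_bind_address(entries, iface))
    print("interfaces with VIPs:", audit_selected_interfaces(entries, ["igb1", "igb1.20"]))
```

On a live pfSense box the same functions can be fed the output of `ifconfig` instead of the constructed sample; the audit result is what a config generator would surface as the alert the first post proposes, and the interface list passed to it is the set of interfaces selected for reflection.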
