Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    MDNS struggles

    Scheduled Pinned Locked Moved pfSense Packages
    39 Posts 3 Posters 18.2k Views 4 Watching
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • johnpozJ Offline
      johnpoz LAYER 8 Global Moderator @nazuro
      last edited by johnpoz

      @nazuro said in MDNS struggles:

      and I can see that from the answer in the MDNS query when my phone is on the MAIN/11 network.

      No your not - has NO IP in what your thinking is an answer - so how would you talk to it?

      If your not seeing avahi pass on the traffic like I showed - then avahi is not running, or your firewall rules do not allow avahi to see the traffic to be able to pass it on.

      you posted your avahi settings - where are the firewall rules that allow pfsense/avahi to see that broadcast so it can send it on? That floating rule looks to be outbound? See the little double green arrow icon. Oh that is for quick.. What direction is the rule set for?

      If your not seeing pfsense pass on the traffic - then no it would not be possible to discover this via mdns..

      What are you interface rules? As mentioned before - even if you discover it, if you do not have the firewall rules to allow the traffic (after discovered) then no your not going to be able to talk to it either. But what you posted, had no IP in it.. And that was coming from your phone.. As an announcement maybe.. For mdns to work - you should see a specific response from the device with its IP in it..

      edit: Ah!! Always helps to go to the RFCS ;)

      https://datatracker.ietf.org/doc/html/rfc6762#section-7.1

      When a Multicast DNS querier sends a query to which it already knows
      some answers, it populates the Answer Section of the DNS query
      message with those answers

      This explains what your seeing in that frame from your phone.

      edit2:
      If your phone already knows the IP, then possible your problem is firewall not letting it talk to that IP on whatever that is - but if that was the case you would see traffic to that IP in your sniff on the 12 network trying to go to the 11. address? Which I didn't see..

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

      N 1 Reply Last reply Reply Quote 0
      • N Offline
        nazuro @johnpoz
        last edited by

        @johnpoz on my floating rule the direction is set to any.

        By the way, same problem the other way round, I have an Apple HomePod (192.168.12.145) on IOT and I am not able to "discover" it with my phone on MAIN. Pcap does not show any SSDP from the HomePod just MDNS.

        I've created a test floating rule to allow all from MAIN to IOT. However, I do already have explicit default deny rules on all interfaces with logging enabled and cannot see any blocked firewall traffic from the Denon (192.168.11.20). Still no luck.

        Screenshot 2021-10-01 at 10.10.49.png

        johnpozJ 1 Reply Last reply Reply Quote 0
        • johnpozJ Offline
          johnpoz LAYER 8 Global Moderator @nazuro
          last edited by johnpoz

          If you do not see the query passed on, then no it would not discover. What version of pfsense are you running, what is the version of the package?

          Did you try actually selecting the interface in avahi - vs not selecting any? And hoping it listening on all?

          Your screenshot is so zoom in, maybe you have some other interface selected.. Select the 2 interfaces your wanting to use directly.

          You do not have avahi set to filter service.. Any other settings?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

          N 1 Reply Last reply Reply Quote 0
          • N Offline
            nazuro @johnpoz
            last edited by

            @johnpoz pfSense 2.5.2 - selected MAIN and IOT interfaces only for Avahi.

            Not changed anything else in the Avahi settings Screenshot 2021-10-02 at 04.27.43.png

            johnpozJ 1 Reply Last reply Reply Quote 0
            • johnpozJ Offline
              johnpoz LAYER 8 Global Moderator @nazuro
              last edited by

              @nazuro why are publishing pfsense - it has no services you would use via mdns.. those are not default..

              This is how it should be set.. Set it like this - and set your firewall rule to 224.0.0.251

              avahi.jpg

              I show current package as 2.2 and its running

              service.jpg

              If you do not see it passing on the traffic via sniff - with a response - then no its not going to work, and something is wrong.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

              N 1 Reply Last reply Reply Quote 0
              • N Offline
                nazuro @johnpoz
                last edited by

                @johnpoz Ok, I've adjusted my settings to match yours including the floating FW rule. I too am on v 2.2. Not sure what else could be the issue unless something funny going on with the ubiquiti AP or Netgear switch :(

                johnpozJ 1 Reply Last reply Reply Quote 0
                • johnpozJ Offline
                  johnpoz LAYER 8 Global Moderator @nazuro
                  last edited by

                  @nazuro said in MDNS struggles:

                  going on with the ubiquiti AP or Netgear switch :(

                  Those have little to do with if you sniff on interface A of pfsense and see the query, it should be passed on out interface B coming from pfsense IP address on interface B.

                  I specifically showed exactly how to validate and troubleshoot this... If pfsense never sees query to 224.0.0.251 from the device looking.. It will not pass it on, if it passes it on but doesn't get a response then no the device is not going to find what its looking for..

                  In your sniff I see from 192.168.11.128 to 224.0.0.251 a query - DO YOU SEE it sent on on interface B from the pfsense IP??

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                  N 1 Reply Last reply Reply Quote 0
                  • N Offline
                    nazuro @johnpoz
                    last edited by

                    @johnpoz In my sniffs I can't seem to see query FROM pfsense IP, even when iPhone is connected to MAIN network and I am able to see/connect to Denon AVR. Whether I am incorrectly doing the tcpdump or not I'm not sure. Should I sniff on the parent interface with something like
                    tcpdump -i igb1 -nn -e vlan

                    OR, separate sniffing on the virtual interface like
                    tcpdump -I igb1.11 -nn
                    tcpdump -I igb1.12 -nn

                    johnpozJ 1 Reply Last reply Reply Quote 0
                    • johnpozJ Offline
                      johnpoz LAYER 8 Global Moderator @nazuro
                      last edited by johnpoz

                      Why would you have to do anything other than the gui to do the package capture.. You shouldn't nave to see the vlan tags in the sniff.. Since pfsense has an IP in the 11 interface, and it has an IP in the 12 interface does it not? If it didn't how would ever see the traffic to pass on the traffic.. Be it tagged or not..

                      Just do the package capture in the gui on those interfaces - if its not seeing the traffic to 224.0.0.251 then your firewall rules are not correct. Or you have something blocking that traffic before pfsense could see it? Like sure an AP or switch.. You clearly posted up a sniff of 11.128 sending to 244.0.0.251 - where did you do that sniff at.. Was that not done on pfsense?

                      If your not sniffing on pfsense when you posted up that traffic - then yeah pfsense maybe not ever seeing the traffic to pass it on. You need to sniff on pfsense!! To validate it sees the traffic, and passes it on!

                      I assumed that was were you were sniffing..

                      You should just sniff on whatever iot vlan or main interface in the gui..

                      Example - my psk is a vlan interface - And just sniff like this..

                      2021-10-04_214912.jpg

                      And here I see it - I could download it sure into wireshark - but can see that some mdns traffic was sent from IP of my phone to 224.0.0.251, and should then see such traffic leaving the IP of pfsense to 224.0.0.251 on other interface..

                      sniff.jpg

                      If your not seeing it via sniffing on pfsense - then no its not going to work because pfsense is not seeing the traffic to send on, either its really not seeing it - or your firewall rule is not allowing avahi to see it, if you see it in the sniff on pfsense.

                      Its possible your AP is not passing on the multicast traffic for pfsense to see it from your phone.. But I assumed you were sniffing on pfsense when you posted up 11.128 sending to 224.0.0.251

                      edit: You need to be sniffing here

                      here.jpg

                      If your not seeing it there then pfsense is not seeing it, if not seeing it - can not pass it on.. If it passes on and no response.. Then maybe your device is not seeing it because of AP or switch settings on that network... But you need to sniff on pfsense, and see the traffic if ever going to work.

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                      N 1 Reply Last reply Reply Quote 0
                      • N Offline
                        nazuro @johnpoz
                        last edited by

                        @johnpoz Hi John, yes all my sniffs have been from pfSense

                        This is sniff from IOT. I can see mdns traffic leaving phone (192.168.12.7) 192.168.12.105 is another IOT device.
                        Screenshot 2021-10-06 at 09.51.04.png

                        However, on the MAIN interface I do not see anything going FROM pfsense. In this sniff, 192.168.11.20 is my denon AVR, .119 is a laptop.
                        Screenshot 2021-10-06 at 09.54.17.png

                        It is very odd because as I mentioned, all of my interfaces have explicit deny rules with logging enabled, and I do not see any traffic deny to 224.0.0.251.

                        BUT, as I said before, even if I start a sniff on MAIN interface and switch my phone to the MAIN network (and thus am able to discover the Denon AVR), I still do not see any traffic FROM pfSense IP address to 224.0.0.251

                        johnpozJ 1 Reply Last reply Reply Quote 0
                        • johnpozJ Offline
                          johnpoz LAYER 8 Global Moderator @nazuro
                          last edited by

                          @nazuro said in MDNS struggles:

                          FROM pfSense IP address to 224.0.0.251

                          Why would you think that pfsense would send any traffic from itself to 224.0.0.251 unless it was forwarding traffic via avahi.

                          If you see traffic to 224.0.0.251 on your iot interface, but do not see it going out the main.. Then your firewall rules are not allowing it. Or avahi is not working, not actually running..

                          You do understand you have to sniff on main, while you actively searching for something via your phone on iot right.. Or atleast other mdns traffic being broadcast on the iot.

                          I am running 21.05.1 - but I fired up my 2.5.2 pfsense vm to try and duplicate this. But from this last post, My guess would be avahi services isn't actually running. Or your firewall rules are not allowing access to the avahi for it to forward it..

                          So I have 2 lan side interface on pfsense lan (192.168.9.33 pfsense IP) and then another interface in my wlan 192.168.2/24 network. OPT on this vm, pfsense IP address 192.168.2.252

                          I installed the avahi package.. Set it up as you see. Notice I have the 2 interfaces I want to avahi to use highlighted. When I left it blank avahi did not want to start.. See services where it shows avahi actually running.

                          Created my floating rule.. My lan and opt rules.. And connected my phone to the 192.168.2 network and you can see via sniff phone at 192.168.2.199 sending traffic to 224.0.0.251 (mdns)..

                          If I sniff on the lan interface in my pfsense vm, you can see traffic being sent from pfsense IP 192.168.9.33 to 224.0.0.251... There is no responses since I have nothing in this network doing anything with mdns.. Its a chatty protocol that has really little value.. I prevent it and disable it on anything I can disable it on..

                          252.jpg

                          Here is details of the floating rule and sniffs

                          252-1.jpg

                          But this works just fine.. Tested both on 21.05.1 and now 2.5.2 and unable to duplicate any sort of problem with avahi and how it is suppose to work. I see no bugs in redmine related, and I would think if it was broke - then there would be lots of people screaming about it ;)

                          So its something unique to your setup/environment where we seem to be missing part of the puzzle.

                          I would actually validate the avahi service is running if your not seeing any mdns traffic passed on. And I would actually select the 2 interfaces in the avahi setup you want to pass traffic between.

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                          1 Reply Last reply Reply Quote 2
                          • N Offline
                            nazuro
                            last edited by

                            @johnpoz said in MDNS struggles:

                            Why would you think that pfsense would send any traffic from itself to 224.0.0.251 unless it was forwarding traffic via avahi

                            Exactly, I am looking for it forwarding traffic via Avahi, like you demonstrated in your pcap from earlier on.

                            You do understand you have to sniff on main, while you actively searching for something via your phone on iot right.. Or atleast other mdns traffic being broadcast on the iot.

                            Yes! I do.

                            Notice I have the 2 interfaces I want to avahi to use highlighted
                            I do have them highlighted, looks a bit odd on my Safari but you can just about see it.
                            Screenshot 2021-10-06 at 20.48.45.png

                            Also Avahi service is always running when I check it in Status.
                            Screenshot 2021-10-06 at 21.02.58.png

                            Nothing in the logs either of interest. Apart from when it restarts (this is after I reselected MAIN and IOT in the Avahi GUI and saved the config:
                            Screenshot 2021-10-06 at 20.51.20.png

                            Looks like my configs all align with what you have so must be something odd in my environment.

                            johnpozJ 1 Reply Last reply Reply Quote 0
                            • johnpozJ Offline
                              johnpoz LAYER 8 Global Moderator @nazuro
                              last edited by johnpoz

                              @nazuro do you have any IPS installed, snort or suricata? Or pimd maybe?

                              Trying to think of what could be preventing avahi from repeating..

                              edit: Maybe this?
                              https://redmine.pfsense.org/issues/10253

                              Do you have pfblocker with vip setup? Or any other vips setup on your interfaces? From your log it looks correct with 12.1 and 11.1 - but I just can not duplicate anything close to the problem your having.

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                              N 1 Reply Last reply Reply Quote 0
                              • N Offline
                                nazuro
                                last edited by

                                @johnpoz
                                I have suricata running on WAN and LAN but it is not in blocking mode. I will try disabling it.

                                No pfblocker / VIP set up.

                                Well, I do really appreciate your help you have taught me a few things. Real head scratcher this

                                1 Reply Last reply Reply Quote 0
                                • N Offline
                                  nazuro @johnpoz
                                  last edited by

                                  @johnpoz I've noticed that if I restart the avahi service, I seem to be able to discover across VLAN for a short period of time (not tested exactly but about 24hrs maybe). Odd because the Avahi service seems to be running fine otherwise. After 24hr-ish I then can no longer discover it and I need to restart Avahi again

                                  johnpozJ 1 Reply Last reply Reply Quote 0
                                  • johnpozJ Offline
                                    johnpoz LAYER 8 Global Moderator @nazuro
                                    last edited by

                                    @nazuro well avahi not actually running would put a hamper on discovery.. You see nothing in the log showing it stopped?

                                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                                    If you get confused: Listen to the Music Play
                                    Please don't Chat/PM me for help, unless mod related
                                    SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

                                    N 1 Reply Last reply Reply Quote 0
                                    • N Offline
                                      nazuro @johnpoz
                                      last edited by

                                      @johnpoz Oh wow, think I found it. So, I think we must have fixed it (thanks again for your great help) about half way up the thread, but then I didn't realise it automatically broke at 00:30.

                                      Oct 13 00:30:21 pfSense php[45999]: [Suricata] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz...
                                      Oct 13 00:30:24 pfSense php[45999]: [Suricata] Emerging Threats Open rules file update downloaded successfully.
                                      Oct 13 00:30:24 pfSense php[45999]: [Suricata] There is a new set of Snort GPLv2 Community Rules posted. Downloading community-rules.tar.gz...
                                      Oct 13 00:30:25 pfSense php[45999]: [Suricata] Snort GPLv2 Community Rules file update downloaded successfully.
                                      Oct 13 00:30:28 pfSense php[45999]: [Suricata] Updating rules configuration for: WAN ...
                                      Oct 13 00:30:30 pfSense php[45999]: [Suricata] Enabling any flowbit-required rules for: WAN...
                                      Oct 13 00:30:30 pfSense php[45999]: [Suricata] Building new sid-msg.map file for WAN...
                                      Oct 13 00:30:30 pfSense php[45999]: [Suricata] Suricata STOP for WAN_IDS(igb0)...
                                      Oct 13 00:30:45 pfSense php[45999]: [Suricata] Suricata START for WAN_IDS(igb0)...
                                      Oct 13 00:30:45 pfSense php[45999]: [Suricata] Suricata has restarted with your new set of rules for WAN...
                                      Oct 13 00:30:45 pfSense php[45999]: [Suricata] Updating rules configuration for: LAN ...
                                      Oct 13 00:30:46 pfSense php[45999]: [Suricata] Building new sid-msg.map file for LAN...
                                      Oct 13 00:30:46 pfSense php[45999]: [Suricata] Suricata STOP for LAN(igb1)...
                                      Oct 13 00:30:47 pfSense kernel: igb1: link state changed to DOWN
                                      Oct 13 00:30:47 pfSense kernel: igb1.11: link state changed to DOWN
                                      Oct 13 00:30:47 pfSense kernel: igb1.12: link state changed to DOWN
                                      Oct 13 00:30:47 pfSense kernel: igb1.14: link state changed to DOWN
                                      Oct 13 00:30:47 pfSense check_reload_status[378]: Linkup starting igb1
                                      Oct 13 00:30:47 pfSense check_reload_status[378]: Linkup starting igb1.11
                                      Oct 13 00:30:47 pfSense check_reload_status[378]: Linkup starting igb1.12
                                      Oct 13 00:30:47 pfSense check_reload_status[378]: Linkup starting igb1.14
                                      Oct 13 00:30:48 pfSense php-fpm[339]: /rc.linkup: Hotplug event detected for LAN(lan) static IP (192.168.10.1 )
                                      Oct 13 00:30:48 pfSense check_reload_status[378]: Reloading filter
                                      Oct 13 00:30:48 pfSense php-fpm[340]: /rc.linkup: Hotplug event detected for MAIN(opt2) static IP (192.168.11.1 )
                                      Oct 13 00:30:48 pfSense php-fpm[339]: /rc.linkup: Hotplug event detected for IOT(opt3) static IP (192.168.12.1 )
                                      Oct 13 00:30:48 pfSense check_reload_status[378]: Reloading filter
                                      Oct 13 00:30:48 pfSense php-fpm[66890]: /rc.linkup: Hotplug event detected for GUEST(opt6) static IP (192.168.14.1 )
                                      Oct 13 00:30:49 pfSense avahi-daemon[91829]: Leaving mDNS multicast group on interface igb1.11.IPv6 with address fe80::21b:21ff:fe33:9ee9.
                                      Oct 13 00:30:49 pfSense kernel: igb1: link state changed to UP
                                      Oct 13 00:30:49 pfSense kernel: igb1.11: link state changed to UP
                                      Oct 13 00:30:49 pfSense kernel: igb1.12: link state changed to UP
                                      Oct 13 00:30:49 pfSense kernel: igb1.14: link state changed to UP
                                      Oct 13 00:30:49 pfSense avahi-daemon[91829]: Leaving mDNS multicast group on interface igb1.11.IPv4 with address 192.168.11.1.
                                      Oct 13 00:30:49 pfSense avahi-daemon[91829]: Leaving mDNS multicast group on interface igb1.12.IPv6 with address fe80::21b:21ff:fe33:9ee9.
                                      Oct 13 00:30:49 pfSense avahi-daemon[91829]: Leaving mDNS multicast group on interface igb1.12.IPv4 with address 192.168.12.1.

                                      bmeeksB 1 Reply Last reply Reply Quote 0
                                      • bmeeksB Offline
                                        bmeeks @nazuro
                                        last edited by

                                        @nazuro said in MDNS struggles:

                                        @johnpoz Oh wow, think I found it. So, I think we must have fixed it (thanks again for your great help) about half way up the thread, but then I didn't realise it automatically broke at 00:30.

                                        Oct 13 00:30:21 pfSense php[45999]: [Suricata] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz...
                                        Oct 13 00:30:24 pfSense php[45999]: [Suricata] Emerging Threats Open rules file update downloaded successfully.
                                        Oct 13 00:30:24 pfSense php[45999]: [Suricata] There is a new set of Snort GPLv2 Community Rules posted. Downloading community-rules.tar.gz...
                                        Oct 13 00:30:25 pfSense php[45999]: [Suricata] Snort GPLv2 Community Rules file update downloaded successfully.
                                        Oct 13 00:30:28 pfSense php[45999]: [Suricata] Updating rules configuration for: WAN ...
                                        Oct 13 00:30:30 pfSense php[45999]: [Suricata] Enabling any flowbit-required rules for: WAN...
                                        Oct 13 00:30:30 pfSense php[45999]: [Suricata] Building new sid-msg.map file for WAN...
                                        Oct 13 00:30:30 pfSense php[45999]: [Suricata] Suricata STOP for WAN_IDS(igb0)...
                                        Oct 13 00:30:45 pfSense php[45999]: [Suricata] Suricata START for WAN_IDS(igb0)...
                                        Oct 13 00:30:45 pfSense php[45999]: [Suricata] Suricata has restarted with your new set of rules for WAN...
                                        Oct 13 00:30:45 pfSense php[45999]: [Suricata] Updating rules configuration for: LAN ...
                                        Oct 13 00:30:46 pfSense php[45999]: [Suricata] Building new sid-msg.map file for LAN...
                                        Oct 13 00:30:46 pfSense php[45999]: [Suricata] Suricata STOP for LAN(igb1)...
                                        Oct 13 00:30:47 pfSense kernel: igb1: link state changed to DOWN
                                        Oct 13 00:30:47 pfSense kernel: igb1.11: link state changed to DOWN
                                        Oct 13 00:30:47 pfSense kernel: igb1.12: link state changed to DOWN
                                        Oct 13 00:30:47 pfSense kernel: igb1.14: link state changed to DOWN
                                        Oct 13 00:30:47 pfSense check_reload_status[378]: Linkup starting igb1
                                        Oct 13 00:30:47 pfSense check_reload_status[378]: Linkup starting igb1.11
                                        Oct 13 00:30:47 pfSense check_reload_status[378]: Linkup starting igb1.12
                                        Oct 13 00:30:47 pfSense check_reload_status[378]: Linkup starting igb1.14
                                        Oct 13 00:30:48 pfSense php-fpm[339]: /rc.linkup: Hotplug event detected for LAN(lan) static IP (192.168.10.1 )
                                        Oct 13 00:30:48 pfSense check_reload_status[378]: Reloading filter
                                        Oct 13 00:30:48 pfSense php-fpm[340]: /rc.linkup: Hotplug event detected for MAIN(opt2) static IP (192.168.11.1 )
                                        Oct 13 00:30:48 pfSense php-fpm[339]: /rc.linkup: Hotplug event detected for IOT(opt3) static IP (192.168.12.1 )
                                        Oct 13 00:30:48 pfSense check_reload_status[378]: Reloading filter
                                        Oct 13 00:30:48 pfSense php-fpm[66890]: /rc.linkup: Hotplug event detected for GUEST(opt6) static IP (192.168.14.1 )
                                        Oct 13 00:30:49 pfSense avahi-daemon[91829]: Leaving mDNS multicast group on interface igb1.11.IPv6 with address fe80::21b:21ff:fe33:9ee9.
                                        Oct 13 00:30:49 pfSense kernel: igb1: link state changed to UP
                                        Oct 13 00:30:49 pfSense kernel: igb1.11: link state changed to UP
                                        Oct 13 00:30:49 pfSense kernel: igb1.12: link state changed to UP
                                        Oct 13 00:30:49 pfSense kernel: igb1.14: link state changed to UP
                                        Oct 13 00:30:49 pfSense avahi-daemon[91829]: Leaving mDNS multicast group on interface igb1.11.IPv4 with address 192.168.11.1.
                                        Oct 13 00:30:49 pfSense avahi-daemon[91829]: Leaving mDNS multicast group on interface igb1.12.IPv6 with address fe80::21b:21ff:fe33:9ee9.
                                        Oct 13 00:30:49 pfSense avahi-daemon[91829]: Leaving mDNS multicast group on interface igb1.12.IPv4 with address 192.168.12.1.

                                        I see you are using Suricata. Be aware that if using Suricata with Inline IPS Mode (which uses the netmap kernel device), each time Suricata restarts it will physically cycle the interface it is running on. That means the interface will behave the same as if you manually did an "ifdn" followed by an "ifup" command sequence. Many network applications do not like the interface they are running on going offline and then coming back online. They will either crash, or automatically shut themselves down in that scenario.

                                        To prevent Suricata from cycling the interface when updating rules, you can go to the GLOBAL SETTINGS tab and enable the option to "Live Update" the rules. That option is unchecked by default. The only real downside of enabling that option is RAM usage will briefly increase during the rules update job because Suricata will keep two complete copies of the rules in RAM as it updates. When the update is finished, it will discard the old copy of the rules.

                                        N 1 Reply Last reply Reply Quote 0
                                        • N Offline
                                          nazuro @bmeeks
                                          last edited by

                                          @bmeeks Thank you so much - that seems to have solved the issue! And thanks to John as well

                                          bmeeksB 1 Reply Last reply Reply Quote 0
                                          • bmeeksB Offline
                                            bmeeks @nazuro
                                            last edited by bmeeks

                                            @nazuro said in MDNS struggles:

                                            @bmeeks Thank you so much - that seems to have solved the issue! And thanks to John as well

                                            Glad that helped you.

                                            What really happens is when Suricata stops and then restarts, it makes a call to the netmap device code to first "close" the open netmap interface (when stopping); and then it makes a call to "open" the netmap interface (when starting). The netmap kernel device performs a literal "down" and then "up" cycle as it switches the interface from and to netmap-mode (netmap-mode unhooks the interface from its normal kernel connections). You can see this in your log snippet:

                                            Oct 13 00:30:47 pfSense kernel: igb1: link state changed to DOWN
                                            Oct 13 00:30:47 pfSense kernel: igb1.11: link state changed to DOWN
                                            Oct 13 00:30:47 pfSense kernel: igb1.12: link state changed to DOWN
                                            Oct 13 00:30:47 pfSense kernel: igb1.14: link state changed to DOWN
                                            

                                            followed later by:

                                            Oct 13 00:30:49 pfSense kernel: igb1: link state changed to UP
                                            Oct 13 00:30:49 pfSense kernel: igb1.11: link state changed to UP
                                            Oct 13 00:30:49 pfSense kernel: igb1.12: link state changed to UP
                                            Oct 13 00:30:49 pfSense kernel: igb1.14: link state changed to UP
                                            

                                            Using the "Live Update" mode for rules updates means Suricata never actually stops and restarts. It keeps running during the update cycle and does the in-memory rules duplication/update thing I described earlier. Since it never restarts, it does not call the netmap code to close and then open the interface.

                                            1 Reply Last reply Reply Quote 0
                                            • johnpozJ johnpoz referenced this topic on
                                            • johnpozJ johnpoz referenced this topic on
                                            • johnpozJ johnpoz referenced this topic on
                                            • johnpozJ johnpoz referenced this topic on
                                            • johnpozJ johnpoz referenced this topic on
                                            • johnpozJ johnpoz referenced this topic on
                                            • T tknospdr referenced this topic on
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.