Selectively blocking mDNS/Avahi
-
Hello, I have 4 VLANs (2 client VLANs and 2 IoT VLANs). I currently have Avahi set up to repeat mDNS messages between all 4 networks.
I would like to separate the mDNS reflection so that only mDNS packets from client VLAN A can be repeated on IoT VLAN B (and vice versa), and client VLAN C packets to IoT VLAN D. In other words, I would like to make 2 separate/isolated pairs of "broadcast" domains for mDNS.
Can this be accomplished via firewall rules? If so, can someone point me in the right direction for that? Thanks.
-
@mkap218 It should be noted that Avahi does not actually repeat mDNS packets across networks, but instead constructs new packets containing mDNS entries that pass the filtering rules.
Avahi does not currently support per-interface filtering rules. That said, even though a host in VLAN B can see that an entity exists in VLAN A, it doesn't mean that the host can actually connect to that entity. Actual connectivity is controlled by firewall rules rather than mDNS advertisements.
-
@dennypage Thanks for the response. Ideally I'd like to totally separate it so clients can't even see the devices not on the designated IoT net. It seems like I can't use firewall rules to block mDNS from reaching Avahi since there's no way to filter out individual destinations, right?
I could also run a separate Avahi daemon in a Linux container attached to the other two VLANs, and as long as pfSense's Avahi isn't listening on those interfaces, it should do what I'm looking for. Just wondering if there are any better options.
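As an added illustration of the two-daemon approach described above (not configuration from either poster or from the pfSense project): each Avahi instance is pinned to one VLAN pair with `allow-interfaces`, so neither reflector ever sees the other pair's traffic and the two mDNS domains stay isolated. The interface names `vlanA`/`vlanB` on pfSense and `eth0`/`eth1` inside the container are assumptions.

```ini
# ----- Instance 1: avahi-daemon.conf used by pfSense's own Avahi -----
# Restrict this reflector to the client VLAN A / IoT VLAN B pair only
# (interface names assumed; substitute the real VLAN interface names).
[server]
use-ipv4=yes
use-ipv6=no
allow-interfaces=vlanA,vlanB

[reflector]
enable-reflector=yes
# Do not rewrite records between IPv4 and IPv6; reflect each family as-is.
reflect-ipv=no

# ----- Instance 2: avahi-daemon.conf inside the Linux container -----
# The container is attached only to client VLAN C and IoT VLAN D, so this
# reflector can never see A/B traffic (container interface names assumed).
[server]
use-ipv4=yes
use-ipv6=no
allow-interfaces=eth0,eth1

[reflector]
enable-reflector=yes
reflect-ipv=no
```

To verify the split, run `avahi-browse -a -r` on a host in VLAN C: it should list only services from VLANs C and D, with nothing from A or B.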
-
@mkap218 said in Selectively blocking mDNS/Avahi:
It seems like I can't use firewall rules to block mDNS from reaching Avahi since there's no way to filter out individual destinations, right?
Yes, you can use a firewall rule to block inbound mDNS packets to the firewall, which would prevent Avahi on the firewall from seeing them. That would allow you to say that mDNS for host X on VLAN A is not seen on either VLAN B or C.
What you cannot do is to say that host X on VLAN A can be seen by hosts on VLAN B, but not by hosts on VLAN C. By extension, you cannot filter out "_printer._tcp.local" for host X on VLAN A from the advertisements for VLAN B but include it for the advertisements for VLAN C.