How to Forward mDNS/Bonjour (UDP 5353) Across IPsec Tunnel?
-
Hi all,
I’m looking for advice on how to forward Bonjour/mDNS traffic across an IPsec tunnel between two pfSense-managed sites.
Setup:
Station A (10.10.10.0/24):
pfSense router
macOS boxes offering Bonjour services (e.g., Apple Remote Desktop status)
Station B (10.10.18.0/24):
pfSense router
Macs on this network need to discover Bonjour services from Station A
The IPsec tunnel between A and B works well for all unicast traffic. Full routing is in place, and Station B can reach hosts on Station A by IP with no issue.
Goal:
I want the Macs on Station B to see Bonjour/mDNS services (UDP 5353) that are broadcast by the macOS boxes on Station A — particularly to restore Apple Remote Desktop status visibility and service discovery.
Problem:
mDNS relies on multicast (224.0.0.251), and IPsec doesn’t natively forward multicast.
The Avahi and mDNS-Bridge packages on pfSense don’t allow selecting the IPsec interface for forwarding.
I’d prefer not to maintain a separate Linux VM just for forwarding, but will if needed.
Question:
Has anyone succeeded in forwarding Bonjour/mDNS traffic one-way over IPsec between two pfSense networks?
Is there any way to enable Avahi or a similar tool on pfSense to bridge mDNS from LAN to IPsec?
Would pimd help here?
Are there newer pfSense-compatible tools or packages for this?
Any guidance or working examples would be greatly appreciated!
Thanks,
Alfredo
-
@alfredo said in How to Forward mDNS/Bonjour (UDP 5353) Across IPsec Tunnel?:
mDNS relies on multicast (224.0.0.251), and IPsec doesn’t natively forward multicast.
The Avahi and mDNS-Bridge packages on pfSense don’t allow selecting the IPsec interface for forwarding.
At this time, both Avahi and mDNS-Bridge require multicast enabled interfaces to work with.
Has anyone succeeded in forwarding Bonjour/mDNS traffic one-way over IPsec between two pfSense networks?
Is there any way to enable Avahi or a similar tool on pfSense to bridge mDNS from LAN to IPsec?
Would pimd help here?
NB: mDNS must be bidirectional or it will not work properly.
In theory you might be able to set something up with pimd, but this is problematic because pimd is not mDNS aware and will forward everything it sees on 5353. Without any filtering, some of the forwarded data may be invalid in the receiving network: link-local addresses are an obvious example.
FWIW, I know that OpenVPN with tap has a bridging capability, but I don't know if it presents a multicast enabled interface. I've heard of people trying it, but I don't recall anyone saying that they were successful with mDNS this way.
If you start experimenting with alternatives, make sure that whatever you use supports disabling IP_MULTICAST_LOOP, otherwise you'll flood the network.
That all said, I wasn't aware that Apple Remote Desktop required mDNS to operate. It's VNC based isn't it? Doesn't it support simple point to point?
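To make the filtering point above concrete, here is an added example (not code from this thread, pfSense, Avahi or pimd): a minimal mDNS-aware filter of the kind a reflector between two routed sites would need. It parses one mDNS response in DNS wire format and drops A/AAAA answers that carry link-local addresses (169.254.0.0/16, fe80::/10) before the packet is handed across the tunnel; the hostname, addresses and packet bytes are constructed for illustration, and only the Python standard library is used.

```python
import ipaddress
import struct
TYPE_A, TYPE_AAAA = 1, 28  # record types whose rdata is an IP address

def _read_name(pkt, off):
    """Decode a DNS name at off, following compression pointers; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = pkt[off]
        if (length & 0xC0) == 0xC0:  # pointer (RFC 1035 4.1.4): jump, but resume after the pointer itself
            end = off + 2 if end is None else end
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
        elif length == 0:
            return ".".join(labels), (end if end is not None else off + 1)
        else:
            labels.append(pkt[off + 1:off + 1 + length].decode("ascii"))
            off += 1 + length

def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"

def parse_answers(pkt):
    """Return (id, flags, [(name, type, class, ttl, rdata), ...]); mDNS responses carry no questions (RFC 6762 s.6)."""
    ident, flags, _qd, an, _ns, _ar = struct.unpack("!6H", pkt[:12])
    off, answers = 12, []
    for _ in range(an):
        name, off = _read_name(pkt, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        answers.append((name, rtype, rclass, ttl, pkt[off + 10:off + 10 + rdlen]))
        off += 10 + rdlen
    return ident, flags, answers

def is_link_local(rtype, rdata):  # 169.254.0.0/16 and fe80::/10 mean nothing beyond the originating link
    return rtype in (TYPE_A, TYPE_AAAA) and len(rdata) in (4, 16) and ipaddress.ip_address(rdata).is_link_local

def filter_link_local(pkt):
    """Rebuild the response without link-local A/AAAA answers; returns (packet, dropped_count)."""
    ident, flags, answers = parse_answers(pkt)
    keep = [a for a in answers if not is_link_local(a[1], a[4])]
    out = struct.pack("!6H", ident, flags, 0, len(keep), 0, 0)
    for name, rtype, rclass, ttl, rdata in keep:  # names re-encoded uncompressed, so old pointer offsets don't matter
        out += _encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
    return out, len(answers) - len(keep)

# Constructed announcement for "mac-a.local": a routable A record, then a link-local A and AAAA whose
# names are compression pointers (0xC00C) back to the first name.
SAMPLE = (struct.pack("!6H", 0, 0x8400, 0, 3, 0, 0)
          + _encode_name("mac-a.local") + struct.pack("!HHIH", TYPE_A, 0x8001, 120, 4) + bytes([10, 10, 10, 20])
          + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 0x8001, 120, 4) + bytes([169, 254, 7, 9])
          + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_AAAA, 0x8001, 120, 16) + ipaddress.ip_address("fe80::1").packed)
```

Running `filter_link_local(SAMPLE)` keeps only the 10.10.10.20 record and reports two dropped answers; a blind 5353 forwarder such as pimd would have delivered all three to the far network.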
-
@dennypage
Thanks for the info. Yeah, it appears somewhat complicated with IPSEC. ARD works over IPSEC but without live status and system information, which is what we had hoped to get working over our old IPSEC tunnels. ARD works fully with OPENVPN for us.
Has anybody else had some successes here?
Thanks,
Alfredo