Avahi trying to broadcast on public interface?
-
It seems that when the public interface is PPPOE, Avahi will automatically try to broadcast on said interface (which I can see is fortunately blocked by the firewall rules).
I believe this is because in /usr/local/etc/avahi/avahi-daemon.conf there's a configuration setting that makes Avahi automatically use point-to-point interfaces.
allow-point-to-point=yes
From the avahi-daemon docs:
allow-point-to-point= Takes a boolean value ("yes" or "no"). If set to "yes" avahi-daemon will make use of interfaces with the POINTOPOINT flag set. This option defaults to "no" as it might make mDNS unreliable due to usually large latencies with such links and opens a potential security hole by allowing mDNS access from Internet connections. Use with care and YMMV!
Is there any supported mechanism to prevent Avahi from using this interface? (beyond just trying to manually force that setting to "no")
-
One thing, make sure that Interface Action is set to "Allow Interfaces" rather than "Deny Interfaces".
Avahi does have some quirks that cause it to do unexpected things. One of these is a bug/feature that causes Avahi to send packets on all interfaces, even if the interface was not configured. I used to use a firewall rule to silently drop these.
Assuming you are on a recent version (2.8.0+ or 25.07+), you can also switch to mDNS-Bridge which is purpose built for bridging and does not have the various quirks that Avahi does.
-
Yeah it's in allow interfaces.
I'm fairly convinced the issue is the
allow-point-to-point
setting because the feature description seems to align rather well with what I'm seeing. I'm on 24.11 (which shows as the latest stable) and it seems mDNS-Bridge isn't here for me yet. Is 25.03 a beta version?
-
@clearscreen said in Avahi trying to broadcast on public interface?:
I'm fairly convinced the issue is the allow-point-to-point setting because the feature description seems to align rather well with what I'm seeing.
That setting just allows point-to-point interfaces to be used (selected). Is your WAN connection actually a point-to-point interface? Mine certainly isn't and I've seen the exact same behavior.
I'm on 24.11 (which shows at the latest stable) and it seems mDNS-Bridge isn't here for me yet. Is 25.03 a beta version?
mDNS-Bridge is a replacement for Avahi, and appears in the 2.8.0 release of pfSense, and the 25.07 version of pfSense Plus. pfSense 25.07 is currently in RC. pfSense 25.03 doesn't exist anymore (it's now 25.07).
-
@dennypage said in Avahi trying to broadcast on public interface?:
That setting just allows point-to-point interfaces to be used (selected). Is your WAN connection actually a point-to-point interface? Mine certainly isn't and I've seen the exact same behavior.
Then, I'm not sure what'd cause Avahi to publish on the public interface. I just tried disabling this option through the config files and it certainly didn't change anything, so I rolled it back to what it was.
My wan is a PPPOE connection to my ISP.
The interface is shown in the allow list in Avahi but is not selected. Interface action is "Allow Interfaces".
mDNS-Bridge is a replacement for Avahi, and appears in the 2.8.0 release of pfSense, and the 25.07 version of pfSense Plus. pfSense 25.07 is currently in RC. pfSense 25.03 doesn't exist anymore (it's now 25.07).
I guess I might need to update or wait for this to be stable.
Thanks!
-
@clearscreen said in Avahi trying to broadcast on public interface?:
Then, I'm not sure what'd cause Avahi to publish on the public interface.
It stems from Avahi's use of a single socket bound to all interfaces, which leaves a lot of room for problems. mDNS-Bridge uses individual sockets bound to each configured interface which precludes these kind of issues.
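An added example, not part of this thread and not code from pfSense or Avahi: a small POSIX shell audit that reads an avahi-daemon.conf and says whether a named interface could be selected by avahi-daemon, following the semantics the man page quoted above describes (allow-point-to-point defaults to "no"; allow-interfaces restricts selection to the listed names; deny-interfaces excludes names). It covers the allow-point-to-point discussion at the top of the thread and the Allow/Deny Interfaces action discussed later. Interface names (pppoe0, igb0, igb1), the sample configs and the file layout are constructed for the example; whether a link carries the POINTOPOINT flag is passed in by the caller, since Avahi reads that from the kernel and a config file cannot tell you.

```shell
#!/bin/sh
# Added audit helper (not part of the thread, pfSense or Avahi).
# Assumption: keys live in the [server] section of an INI-style
# avahi-daemon.conf, as in the stock file.

# Print the value of $2 from the [server] section of $1 (empty if unset).
avahi_get() {
    awk -v key="$2" '
        /^[[:space:]]*\[/ { sect = $0; gsub(/\[|\]|[[:space:]]/, "", sect); next }
        /^[[:space:]]*[#;]/ { next }
        sect == "server" && index($0, "=") {
            k = $0; sub(/=.*/, "", k); gsub(/[[:space:]]/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=/, "", v)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Does the comma-separated list $1 contain the exact name $2?
in_list() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -qxF -- "$2"
}

# Verdict for one interface: $1 conf, $2 name, $3 "p2p" if the link has
# the POINTOPOINT flag (a PPPoE WAN), anything else otherwise.
#   exposed  - avahi-daemon may select this interface
#   excluded - kept out by allow-interfaces / deny-interfaces
#   p2p-off  - point-to-point link skipped because allow-point-to-point is not yes
avahi_iface_status() {
    conf=$1; iface=$2; kind=$3
    allow=$(avahi_get "$conf" allow-interfaces)
    deny=$(avahi_get "$conf" deny-interfaces)
    p2p=$(avahi_get "$conf" allow-point-to-point)
    [ -z "$p2p" ] && p2p=no     # documented default
    if [ -n "$deny" ] && in_list "$deny" "$iface"; then echo excluded; return; fi
    if [ -n "$allow" ] && ! in_list "$allow" "$iface"; then echo excluded; return; fi
    if [ "$kind" = p2p ] && [ "$p2p" != yes ]; then echo p2p-off; return; fi
    echo exposed
}

# Write a constructed sample config ($1 = weak|default|hardened) to $2.
# "weak" mirrors the setting the thread is about; "hardened" pins Avahi to
# one LAN interface and turns point-to-point use off explicitly.
write_sample_conf() {
    case $1 in
        weak)     extra='allow-point-to-point=yes' ;;
        hardened) extra='allow-point-to-point=no
allow-interfaces=igb1' ;;
        *)        extra='' ;;
    esac
    cat > "$2" <<EOF
# constructed sample, not a real pfSense-generated file
[server]
host-name=fw
use-ipv4=yes
use-ipv6=yes
$extra

[reflector]
enable-reflector=yes
EOF
}

# Demo: show the verdict for a PPPoE WAN and a LAN port under each variant.
tmp=$(mktemp)
for variant in weak default hardened; do
    write_sample_conf "$variant" "$tmp"
    printf '%-9s pppoe0(p2p)=%s igb1=%s igb0=%s\n' "$variant" \
        "$(avahi_iface_status "$tmp" pppoe0 p2p)" \
        "$(avahi_iface_status "$tmp" igb1 lan)" \
        "$(avahi_iface_status "$tmp" igb0 lan)"
done
rm -f "$tmp"
```

On a pfSense box the file to point this at is /usr/local/etc/avahi/avahi-daemon.conf. The audit only tells you what the configuration permits; given the report above of the same traffic on a WAN that is not point-to-point, confirm on the wire with something like `tcpdump -ni pppoe0 udp port 5353` (interface name assumed) before concluding the config explains it, and keep the WAN egress rule dropping UDP to 224.0.0.251 and ff02::fb on port 5353 in place regardless.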