MDNS across two interfaces WITHOUT Avahi - help !



  • Hi - I have an internal LAN subnet and an internal WIFI subnet. The wifi subnet is secured from the LAN and only certain protocols will be allowed.

    I want a client on the Internal WiFi subnet to be able to control an AppleTV / iTunes on the LAN subnet - to do this I had previously used Avahi to handle the multicast DNS.

    I have had no end of problems with Avahi on the Alix2D13 hardware (size / dependencies etc) and someone on the forum has suggested that I may be able to get around the issue by using the builtin IGMP proxy. I have no idea how to configure it.

    I have removed all F/W rules between the LAN and wifi subnet and allowed the advanced option to allow IP Options on both interfaces in the F/W rules.

    Nothing that I do will get the multicast packets from one subnet to the other.

    Can anyone please help !??



  • @doktornotor:

    So have you tried the IGMP proxy, or?

    Yes - I tried all combinations of upstream / downstream and used both subnets (192.168.10.0/24 - LAN; and 10.0.101.0/24 - WiFi)


  • Banned

    So what's your trouble exactly? (No, "does not work" is not exactly useful.)



  • @doktornotor:

    So what's your trouble exactly?

    A client on the WiFi subnet (an iPhone in this case) can't see the iTunes instance running on the LAN subnet. If I move the iPhone to the LAN subnet (different WAP) it pops up as it should in the Apple Remote app.

    I have done a packet capture on both interfaces and can not see the multicast traffic make it across the interface boundaries.


  • Banned

    Kindly post the relevant configuration screenshots here.



  • I too would like to know what the basic setup for IGMP Proxy would be to route mDNS across two LAN subnets.

    I have a download of the pfSense 2.1 book and it's basically a rehash of the Interface, nothing new there.  I've tried Googling the answer, but there's nothing pfSense-specific out there.

    I have two LANs that both communicate to one another but are on two separate subnets and physical LANs.  pfSense sits between both of them.

    All I'm trying to do is route mDNS traffic from (LAN) 10.0.1.0/24 to (LAN2) 10.0.2.0/24.  Really simple.  Both LANs have the default "LAN -> any" rule enabled, so everything is flying back and forth without an issue.  However, I'm not sure which interface to set up as the upstream and which the downstream and which subnets belong where.

    Please see my ignorance-fueled screen shot below.

    ![Screen Shot 2013-09-16 at 11.29.52 PM.png](/public/imported_attachments/1/Screen Shot 2013-09-16 at 11.29.52 PM.png)
    ![Screen Shot 2013-09-16 at 11.30.09 PM.png](/public/imported_attachments/1/Screen Shot 2013-09-16 at 11.30.09 PM.png)
    ![Screen Shot 2013-09-16 at 11.30.18 PM.png](/public/imported_attachments/1/Screen Shot 2013-09-16 at 11.30.18 PM.png)



  • @doktornotor:

    Kindly post the relevant configuration screenshots here.

    I had gone to bed last night when you posted this question. My screenshots and scenario mimic exactly the poster's scenario above. Two subnets and trying to get mDNS packets between them.



  • I'd also like to mention that I've checked off "allow packets with IP options to pass".  See additional screen shot.

    ![Screen Shot 2013-09-17 at 12.05.28 AM.png](/public/imported_attachments/1/Screen Shot 2013-09-17 at 12.05.28 AM.png)



  • What I am noticing is a lot of IPv6 traffic with port 5353 attached to it getting blocked at the firewall.  Not sure if Apple is implementing mDNS via IPv6 and that's why it's not routing.

    Port 5353 is used by mDNS in Apple's implementation.  http://support.apple.com/kb/TS1629?viewlocale=en_US&locale=en_US

    Or, I could be completely lost, which is how I feel.  :)

    ![Screen Shot 2013-09-17 at 12.42.27 AM.png](/public/imported_attachments/1/Screen Shot 2013-09-17 at 12.42.27 AM.png)



  • Are you running IPV6?



  • @kejianshi:

    Are you running IPV6?

    I have IPV6 turned off everywhere I can find a setting for it.


  • Banned

    Well, since you are blocking the traffic by disabling IPv6… mDNS is using multicast to 224.0.0.251 and FF02::FB - http://tools.ietf.org/html/rfc6762



  • @doktornotor:

    Well, since you are blocking the traffic by disabling IPv6… mDNS is using multicast to 224.0.0.251 and FF02::FB - http://tools.ietf.org/html/rfc6762

    I am confused as to what IPv6 has to do with my mDNS problem? Nothing of mine talks IPv6 and mDNS has been around much longer than IPv6 became mainstream.


  • Banned

    Oh really? So the traffic comes from… hmmm, another galaxy? :D Pretty much every OS out there is using IPv6 by default these days.



  • Hey - You were nicer than normal that time.  It does make for a lot of noise in the logs though doesn't it?


  • Banned

    Yeah, it does. There's a checkbox somewhere in log settings to disable the default rule logging, plus a bunch of others.



  • Got it…  Thanks.

    Status > System Logs > settings



  • @doktornotor:

    Oh really? So the traffic comes from… hmmm, another galaxy? :D Pretty much every OS out there is using IPv6 by default these days.

    So is this a solution ? Do we have to have IPv6 enabled to make mDNS work ?


  • Banned

    I don't use mDNS nor any Apple device for anything => no such nonsense needed here. As stated by the linked RFC (written by Apple itself, BTW), it uses both IPv4 and IPv6.



  • @doktornotor:

    I don't use mDNS nor any Apple device for anything => no such nonsense needed here. As stated by the linked RFC (written by Apple itself, BTW), it uses both IPv4 and IPv6.

    So what's with the hoohaa about me not using IPv6 ?


  • Banned

    Sigh. I merely replied about the logspam of IPv6 traffic posted in this post. The reply was not aimed at you personally at all, not sure why you've taken it as such or what's the subsequent noise about even. IPv6 is being used on your LAN no matter what checkboxes you disable on the firewall. I frankly don't think you are achieving anything useful by disabling it on the firewall and thus blocking all IPv6 traffic that hits the box (such as the traffic between different subnets).



  • @doktornotor:

    Sigh. I merely replied about the logspam of IPv6 traffic posted in this post. The reply was not aimed at you personally at all, not sure why you've taken it as such or what's the subsequent noise about even. IPv6 is being used on your LAN no matter what checkboxes you disable on the firewall. I frankly don't think you are achieving anything useful by disabling it on the firewall and thus blocking all IPv6 traffic that hits the box (such as the traffic between different subnets).

    Sigh… thanks



  • Hi.
    Since I originally suggested using the igmp proxy to route the multicast traffic needed for mDNS I should chime in.

    This was only a suggestion which I think should work.
    I don't have any apple devices and don't really use mDNS myself.

    From your posted screenshot it looks as if the devices in question are trying to communicate via IPv6 for their mDNS communication.
    However they probably fall back at some time to IPv4 (or query v4 and v6 together right from the beginning), and you just don't see this kind of traffic in the log because it's allowed.

    I'm not really sure how to debug/verify this.
    I did just now some short tests but couldn't get anything to traverse the pfSense.
    Not sure if I misunderstood something about the way the igmp proxy works, or I just can't generate the mDNS lookups the right way. (I'm trying with "dig +short -x 10.0.0.200 @224.0.0.251 -p 5353" and with "getent hosts 10.0.0.200")
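The dig command in the post above is a reasonable probe, and the following is an added example (not code from any poster or from pfSense) of what it puts on the wire and why the IGMP proxy cannot help here. It builds the mDNS PTR query for 10.0.0.200 as RFC 6762 prescribes (query ID 0, optional QU "unicast-response" bit), parses a constructed response, and classifies multicast destinations by scope: 224.0.0.251 is in the Local Network Control Block 224.0.0.0/24 (RFC 5771), which routers do not forward off the local link, and FF02::FB is IPv6 link-local scope. A multicast router such as igmpproxy forwards routable groups, so the upstream/downstream settings make no difference to these packets; what crosses subnets has to be a repeater that receives on one link and re-originates on the other (the job Avahi's reflector mode does). The hostname "appletv.local." and the 120 s TTL in the constructed response are assumptions for illustration.

```python
"""mDNS on the wire: the PTR query dig sends, a constructed response,
and a scope check explaining why 224.0.0.251 / ff02::fb never cross a router.
"""
import ipaddress
import struct

MDNS_PORT = 5353
TYPE_PTR = 12
CLASS_IN = 1
QU_BIT = 0x8000       # RFC 6762 s5.4: top bit of qclass asks for a unicast response
CACHE_FLUSH = 0x8000  # RFC 6762 s10.2: top bit of rrclass in answers


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def decode_name(msg, off):
    """Decode a possibly compressed name; returns (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off


def reverse_name(ip):
    """10.0.0.200 -> '200.0.0.10.in-addr.arpa.' (what dig -x queries)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def build_ptr_query(ip, unicast_response=False):
    """Multicast query to 224.0.0.251:5353; RFC 6762 s18.1: ID 0, flags clear."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    qclass = CLASS_IN | (QU_BIT if unicast_response else 0)
    return header + encode_name(reverse_name(ip)) + struct.pack("!HH", TYPE_PTR, qclass)


def build_ptr_response(ip, hostname, ttl=120):
    """Constructed response as a responder would send it (not captured traffic)."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)  # QR + AA set
    rdata = encode_name(hostname)
    rr = (encode_name(reverse_name(ip))
          + struct.pack("!HHIH", TYPE_PTR, CLASS_IN | CACHE_FLUSH, ttl, len(rdata))
          + rdata)
    return header + rr


def parse_answers(msg):
    """Return the answer records of an mDNS message as dicts."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):  # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = decode_name(msg, off)[0] if rtype == TYPE_PTR else msg[off:off + rdlen]
        off += rdlen
        answers.append({"name": name, "type": rtype, "ttl": ttl,
                        "cache_flush": bool(rclass & CACHE_FLUSH),
                        "authoritative": bool(flags & 0x0400), "rdata": rdata})
    return answers


def is_link_local_multicast(dst):
    """True for groups a router must not forward off the local link.

    224.0.0.0/24 is the Local Network Control Block (RFC 5771) and ff02::/16
    is IPv6 link-local scope; both mDNS groups live there, so no IGMP proxy
    setting will carry them between the LAN and WiFi subnets.
    """
    addr = ipaddress.ip_address(dst)
    if not addr.is_multicast:
        return False
    if addr.version == 4:
        return addr in ipaddress.ip_network("224.0.0.0/24")
    return (int(addr) >> 112) & 0xF == 2  # scope nibble: 2 = link-local


if __name__ == "__main__":
    print("query to 224.0.0.251:%d: %s" % (MDNS_PORT, build_ptr_query("10.0.0.200").hex()))
    for a in parse_answers(build_ptr_response("10.0.0.200", "appletv.local.")):
        print(a)
    for dst in ("224.0.0.251", "ff02::fb", "239.255.255.250"):
        print(dst, "link-local only" if is_link_local_multicast(dst) else "routable")
```

Note that dig sends from an ephemeral port rather than 5353, so a responder treats it as a legacy unicast query (RFC 6762 s6.7) and answers the querier directly; the probe therefore tells you only whether a responder exists on the same link as the machine running dig, which is exactly the boundary the packets cannot cross.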



  • One of the guys I was sorta kinda working with a little earlier does use what seems to be pretty much any apple device he can find and is running 2.1 + avahi and its working.  The problems so far seem to be with avahi running on smallish alix type systems that upgraded with avahi already in place and had issues.  I've not seen an instance of someone just clean installing 2.1 on alix with avahi yet.  Not sure what that might do.

    Either way I'm waiting to see how igmp proxy might work out.



  • I had IPv6 running on pfSense with a pass-all rule set up just like the default "LAN -> any" rule.  I also checked off the advanced options checkbox like I posted in the IPv4 screen shot too.

    pfSense still wants to block the port 5353 IPv6 traffic and it doesn't want to route the IPv6 traffic.  I don't know squat about IPv6, but I put the IPv6 address of the firewall into the IGMP settings and it still didn't work.

    There's a good chance it's how I am setting up my IPv4 settings in IGMP.  Can anyone give me guidance on that (based on my screen shots included in this thread)?  It should fail back to IPv4 and work, I'm not sure my proxy settings are correct.



  • Well - If you don't need IPV6 block it, then just ignore the noise in your logs about it getting blocked.

    That's assuming you are on IPV4 and like it that way.



  • @kejianshi:

    Well - If you don't need IPV6 block it, then just ignore the noise in your logs about it getting blocked.

    That's assuming you are on IPV4 and like it that way.

    This comment reflects my requirements. I have no need for IPv6 at this point and just need to find a way to allow IPv4 packets across network boundaries on pfSense.



  • Yep - Got it.

    I don't know if you can use IGMP proxy to accomplish this.  I do know that avahi does work well.  I just am not sure why its being bad after an update to 2.1 on Alix, because it does seem to be an Alix issue.

    I keep wondering if avahi will work from a clean install of 2.1 but seems no one is willing to image their system from fresh to try it.



  • @kejianshi:

    Yep - Got it.

    I don't know if you can use IGMP proxy to accomplish this.  I do know that avahi does work well.  I just am not sure why its being bad after an update to 2.1 on Alix, because it does seem to be an Alix issue.

    I keep wondering if avahi will work from a clean install of 2.1 but seems no one is willing to image their system from fresh to try it.

    I can take a backup of mine and try it.

    The other major issue that I have is swapping between wired Ethernet and wifi on the same subnet:

    I have a suspicion that this is an Avahi problem and one of the reasons I don't want it on my Alix / pfSense box any longer however this was to be the topic of another thread I have never had time to start !



  • I think your MAC air is just seeing its name is already in a DHCP reservation with a different MAC and is doing that.



  • @kejianshi:

    I think your MAC air is just seeing its name is already in a DHCP reservation with a different MAC and is doing that.

    OK - so possibly a DHCP configuration / MacbookAir issue. I would imagine that when the macbook leaves a wifi network the DHCP reservation is not released. But the strange thing is that the wifi adapter and wired ethernet adapter have different MAC addresses as would be obviously expected.



  • @ilium007:

    I have a suspicion that this is an Avahi problem and one of the reasons I don't want it on my Alix / pfSense box any longer however this was to be the topic of another thread I have never had time to start !

    This is definitely Avahi.  I can confirm that.  All of my machines have been renaming themselves for a while, and it's not limited to WiFi.  Some of my cabled machines (including my server) have done that.

    Avahi needs to be updated as it's still listed (I think) as an alpha project.  It's mostly stable, but could/should be more scalable and friendly.



  • Yep - Different MACs but asking for the same name on the network.



  • @kejianshi:

    Yep - Different MACs but asking for the same name on the network.

    Cool - yeah I think that's the conclusion I came to last time I looked at this ! It was a naming issue which lent itself to being an Avahi 'thing'

    Maybe not… :(

    This is what I see in the DHCP reservation table now and Avahi isn't running:

    10.0.101.101  a8:88:08:69:c5:5c  BW-iPhone-361 2013/09/17 22:50:33  2013/09/18 22:50:33  online  active

    My iphone has been renamed 361 times ! Why does this not happen on any other F/W device I have ever had at home ? I have been running Asus RTN66U with no such shenanigans !



  • I do not know.  Perhaps it is an avahi issue then?

    Try this with your apple device and see if it gets fixed.

    Give it a 1 single name using a static DHCP assignment on wired based on MAC.
    Then give it a slightly different name in DHCP on the interface wireless is on based on MAC.

    (You know how to go into DHCP leases and do that right?)

    (You may be able to give the same name on both interfaces for the 2 MACs, but I wouldn't think so.  Never tried)

    One would think this would put an end to all the renaming.



  • It's an Avahi issue.

    Your device will attach itself to your network and Avahi then announces the mDNS name to the local subnet and then routes it to the next subnet.  I believe it also caches the name in its own database.

    The next time you attach the same devices to the network, the announcement goes out and Avahi thinks there's a duplicate.  The Mac responds to the duplication message by renaming itself.  All of my machines do this to a certain extent and then by the second or third iteration it stops.

    Removing Avahi and renaming your devices solves the issue.



  • Well - yeah…  But wouldn't a static map and name also do it?  (just guessing here)



  • Unfortunately, it doesn't.

    I have a static IP for my Mac server (10.0.1.240).  On occasion when I reboot the machine and Avahi is running, it renames the box's mDNS name because it thinks there's a conflict.

    I also have another machine with two NICs and two static IPs.  It's on both my 10.0.1.0/24 and 10.0.2.0/24 networks.  The same thing will happen to that machine because it's on both networks with the same mDNS name.

    I don't know exactly how Avahi works, but it seems to be caching the names and may not be associating them with a MAC address or some other voodoo.
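The renaming described in the last few posts ("BW-iPhone-361", a dual-homed server renaming itself after reboot) is the behaviour RFC 6762 section 9 prescribes when a host sees a record with its own unique name but different rdata. The following is an added model of that rule, not Avahi's code and not a description of how Avahi's reflector is implemented; the hostnames and addresses are constructed from the values quoted in this thread. It shows the distinction a practitioner would want to check in a packet capture on port 5353: an unchanged copy of the host's own record coming back across a reflector is not a conflict, whereas a stale record with an old lease address, or the other-LAN address of a two-NIC machine, is one and produces the "-2", "-3" ... suffixes.

```python
"""Model of mDNS unique-name conflict handling (RFC 6762 s9).

Not Avahi's implementation: a simulation of the decision a host makes when
another responder's record carries the host's own name.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str   # e.g. "BW-iPhone.local."
    rtype: str  # "A" or "AAAA"
    rdata: str  # address as text


@dataclass
class Host:
    hostname: str
    addrs: tuple  # addresses the host announces for its own name

    def own_records(self):
        return [Record(self.hostname + ".local.", "AAAA" if ":" in a else "A", a)
                for a in self.addrs]


def next_hostname(hostname):
    """RFC 6762 s9 renaming: 'MyHost' -> 'MyHost-2' -> 'MyHost-3' ..."""
    m = re.fullmatch(r"(.*)-(\d+)", hostname)
    if m:
        return "%s-%d" % (m.group(1), int(m.group(2)) + 1)
    return hostname + "-2"


def is_conflict(own, seen):
    """Same name and type with different rdata is a conflict.

    An identical record (for example our own announcement reflected back
    onto our link) is not, so a faithful reflector alone does not rename us.
    """
    return (own.name.lower() == seen.name.lower()
            and own.rtype == seen.rtype
            and own.rdata != seen.rdata)


def resolve_conflicts(host, seen_records, max_renames=1000):
    """Rename until no record seen on the link conflicts; return rename count."""
    renames = 0
    while any(is_conflict(o, s) for o in host.own_records() for s in seen_records):
        if renames >= max_renames:
            raise RuntimeError("name conflict did not converge")
        host.hostname = next_hostname(host.hostname)
        renames += 1
    return renames


def reflected_copy(records):
    """A reflector re-originates records on the other link with name and rdata intact."""
    return list(records)


def scenario_reflected_self():
    """Own announcement returns via the reflector: identical rdata, no rename."""
    h = Host("BW-iPhone", ("10.0.101.101",))
    return resolve_conflicts(h, reflected_copy(h.own_records())), h.hostname


def scenario_stale_address(old_addr, new_addr):
    """Host took a new lease while a cached/reflected record still carries the old one."""
    h = Host("BW-iPhone", (new_addr,))
    stale = [Record("BW-iPhone.local.", "A", old_addr)]
    return resolve_conflicts(h, stale), h.hostname


def scenario_dual_homed():
    """Two-NIC host using one name with a different address on each LAN;
    the reflector shows LAN1 the record announced on LAN2."""
    lan1 = Host("server", ("10.0.1.240",))
    lan2 = Host("server", ("10.0.2.240",))
    return resolve_conflicts(lan1, reflected_copy(lan2.own_records())), lan1.hostname


if __name__ == "__main__":
    print("reflected self:", scenario_reflected_self())
    print("stale lease:   ", scenario_stale_address("10.0.101.77", "10.0.101.101"))
    print("dual-homed:    ", scenario_dual_homed())
```

Under this model the two things that manufacture conflicts are stale records (a lease changed but an old A record is still being answered or cached somewhere) and one name announced with different addresses on two links; a capture filter for responses carrying your own hostname with an address that is not yours is the quickest way to confirm which one is happening before blaming any particular daemon.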



  • BUT YOU NEED IT!  What will you do without iStuff?  ;D

    OK - Lets hope you guys can make IGMP proxy work for you then.

    (Did I use up all the possible wrong answers yet?)



  • I think we're going to see the proliferation of more mDNS traffic over time, especially in SOHO and home networks.  Nearly all of Apple's devices communicate over mDNS to make networking and resource sharing easier by declaring the device and its available services on the network.  Google TV and other streaming TV implementations rely on mDNS, and I'll assume that Google will be using mDNS as a standard in all of their mobile devices for the same reason Apple did–to make device and service availability simple for folks.

    So I can see mDNS support becoming more of a requirement than a nice to have in the future.  So breathing life back into the Avahi project or something similar to it would be a good thing.  Either that or someone smarter than me could tell me how to correctly set up IGMP for two LANs and make mDNS route properly.

