I have mDNS repeating running over a Wireguard link. I had started the process of building this https://github.com/TheMickeyMike/docker-mdns-repeater-mikrotik but then as the container system only allows one interface and the trick with this container is to feed in VLANs over it so things started to look messy or not possible this way with EoIP. I thought there might be another simpler method with bridge filters.
Wireguard is joining the subnets on L3 and each subnet is routed to the other with no filter rules.
EoIP is joining the bridges at each end using the same Wireguard link - no IPSEC used. The following filters are applied at each end as well to only let mDNS and SSDP (for UPnP) frames through on EoIP.
/interface bridge filter
add action=accept chain=forward dst-address=224.0.0.251/32 dst-mac-address=\
01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF dst-port=5353 ip-protocol=udp \
mac-protocol=ip out-interface=EoIP src-port=5353 comment=mDNS
add action=accept chain=forward comment=SSDP dst-address=239.255.255.250/32 \
dst-mac-address=01:00:5E:7F:FF:FA/FF:FF:FF:FF:FF:FF dst-port=1900 \
ip-protocol=udp log-prefix=SSDP mac-protocol=ip out-interface=EoIP
add action=drop chain=output out-interface=EoIP
add action=drop chain=forward out-interface=EoIP
My iPad and CUPS on my PC can both discover and print to the printer at the other side. The LG Smart TV at the other house with the Photos and Videos App can discover (using SSDP) and play from my MythTV server.
Nothing seemed to work quite right until I reduced the MTU of the Wireguard interface to 1412 bytes as one end is using PPPoE. Also, the neighbour discovery service (dest. MAC FF:FF:FF:FF:FF:FF UDP:5678) seems to be out of the capture reach of the bridge filter so those frames get through. Mitigation would be to make sure that interface in question isn’t included in the discovery process.
This method should work fine with VLANs or any other sets of bridge interfaces Mikrotik supports. No mDNS repeater software in containers, rPi’s or IGMP snoopers needed; certainly not for small cases like this. I have tested using iPads at each site to discover and print to printers on the other site. So it works.
Here is a quick config I just knocked up on a hAP ac lite to illustrate mDNS relaying between VLANs using bridge filtering and no IGMP snooping. IPv4 only.
- To be clear this mDNS relay config only relays mDNS traffic. It does not proxy any other data or do any IGMP or other multicast tasks.
- VLAN filtering is enabled using BridgeMain. Tagged VLANs 100 and 200 go to it for the VLANs interface to access.
- eth2 has PVID100, eth3 has PVID200.
- BridgeVLANs is the bridge that will straddle the 2 VLANs. It has the VLAN100 and VLAN200 ports attached as members. If left unfiltered all layer 2 broadcast traffic on both VLANs will pass between them.
- The bridge filter setup operates on each VLAN port only allowing mDNS to pass each way and blocking all other layer 2 traffic.
- Any actual data traffic that clients or servers use on either VLAN using addresses learned in the mDNS packets will pass via the routes on layer 3. You’ll need to add firewall rules to limit the traffic interaction, but that is out of the scope of this example.
- I would imagine this would work just fine on a CRS3xx switch as well but you might as well use the rolled gold standard of IGMP snooping.
/interface bridge
add comment="Main Bridge VLAN filtering runs on" frame-types=admit-only-vlan-tagged name=BridgeMain protocol-mode=none pvid=999 vlan-filtering=yes
add comment="Bridge for linking VLANs with filtering" name=BridgeVLANs protocol-mode=none
/interface ethernet
set [ find default-name=ether2 ] comment="Eth PVID100"
set [ find default-name=ether3 ] comment="Eth PVID200"
/interface vlan
add comment="VLAN100 on main bridge" interface=BridgeMain name=VLAN100 vlan-id=100
add comment="VLAN200 on main bridge" interface=BridgeMain name=VLAN200 vlan-id=200
/interface bridge filter
add action=accept chain=forward comment="Allow VLAN100 mDNS traffic out" dst-address=224.0.0.251/32 dst-mac-address=\
01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF dst-port=5353 out-interface=VLAN100 ip-protocol=udp mac-protocol=ip src-port=5353
add action=accept chain=forward comment="Allow VLAN200 mDNS traffic out" dst-address=224.0.0.251/32 dst-mac-address=\
01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF dst-port=5353 out-interface=VLAN200 ip-protocol=udp mac-protocol=ip src-port=5353
add action=drop chain=forward comment="VLAN100 drop all other forwarding" out-interface=VLAN100
add action=drop chain=output comment="VLAN100 drop all output" out-interface=VLAN100
add action=drop chain=forward comment="VLAN200 drop all other forwarding" out-interface=VLAN200
add action=drop chain=output comment="VLAN200 drop all output" out-interface=VLAN200
/interface bridge port
add bridge=BridgeVLANs comment="VLAN100 Port" interface=VLAN100
add bridge=BridgeVLANs comment="VLAN200 port" interface=VLAN200
add bridge=BridgeMain comment="Eth PVID100" frame-types=admit-only-untagged-and-priority-tagged interface=ether2 pvid=100
add bridge=BridgeMain comment="Eth PVID200" frame-types=admit-only-untagged-and-priority-tagged interface=ether3 pvid=200
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/interface bridge vlan
add bridge=BridgeMain comment="VLAN100 port definitions" tagged=BridgeMain vlan-ids=100
add bridge=BridgeMain comment="VLAN200 port definitions" tagged=BridgeMain vlan-ids=200
/ip address
add address=172.16.200.254/24 comment="VLAN200 interface address" interface=VLAN200 network=172.16.200.0
add address=172.16.100.254/24 comment="VLAN100 interface address" interface=VLAN100 network=172.16.100.0
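Added example, not the forum poster's code: a small Python model of the two bridge-filter rule sets posted above (the EoIP set from the first post and the VLAN100/VLAN200 set from the second). It decodes constructed Ethernet/IPv4/UDP frames, walks the rules in order the way the bridge filter chain does, and returns the action of the first match, so you can check offline which frames a rule set would let onto EoIP or a VLAN port before committing it. The sample frames, source MAC/IP values and the dict keys used to mirror the RouterOS export are assumptions; the no-match default of accept is the normal RouterOS chain behaviour.

```python
# Added example (not the forum poster's code): model of the posted bridge-filter rules.
import struct

ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806
PROTO_UDP = 17
FULL_MASK = b"\xff" * 6
MDNS_MAC = bytes.fromhex("01005e0000fb")   # 01:00:5E:00:00:FB, group MAC for 224.0.0.251
SSDP_MAC = bytes.fromhex("01005e7ffffa")   # 01:00:5E:7F:FF:FA, group MAC for 239.255.255.250
BCAST_MAC = FULL_MASK                      # FF:FF:FF:FF:FF:FF (MNDP neighbour discovery uses this)


def parse_frame(frame: bytes) -> dict:
    """Decode only the header fields the posted rules match on (Ethernet II + IPv4 + UDP)."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    f = {"dst_mac": dst_mac, "ethertype": ethertype, "dst_ip": None,
         "ip_proto": None, "src_port": None, "dst_port": None}
    ip = frame[14:]
    if ethertype != ETHERTYPE_IP or len(ip) < 20:
        return f                                   # ARP etc.: mac-protocol=ip rules cannot match
    ihl = (ip[0] & 0x0F) * 4
    f["ip_proto"] = ip[9]
    f["dst_ip"] = ".".join(str(b) for b in ip[16:20])
    if f["ip_proto"] == PROTO_UDP and len(ip) >= ihl + 8:
        f["src_port"], f["dst_port"] = struct.unpack("!HH", ip[ihl:ihl + 4])
    return f


def mdns_rule(out_iface: str, comment: str) -> dict:
    """The accept rule from the post, keyed like the RouterOS export (assumed dict layout)."""
    return {"chain": "forward", "action": "accept", "comment": comment,
            "out-interface": out_iface, "mac-protocol": "ip",
            "dst-mac-address": (MDNS_MAC, FULL_MASK), "dst-address": "224.0.0.251",
            "ip-protocol": "udp", "src-port": 5353, "dst-port": 5353}


# First post: EoIP variant (mDNS and SSDP accepted, everything else towards EoIP dropped).
EOIP_RULES = [
    mdns_rule("EoIP", "mDNS"),
    {"chain": "forward", "action": "accept", "comment": "SSDP", "out-interface": "EoIP",
     "mac-protocol": "ip", "dst-mac-address": (SSDP_MAC, FULL_MASK),
     "dst-address": "239.255.255.250", "ip-protocol": "udp", "dst-port": 1900},
    {"chain": "output", "action": "drop", "out-interface": "EoIP"},
    {"chain": "forward", "action": "drop", "out-interface": "EoIP"},
]


def vlan_rules(*ifaces: str) -> list:
    """Second post: accept mDNS out of each VLAN port, then drop forward and output on it."""
    rules = [mdns_rule(i, f"Allow {i} mDNS traffic out") for i in ifaces]
    for i in ifaces:
        rules.append({"chain": "forward", "action": "drop",
                      "comment": f"{i} drop all other forwarding", "out-interface": i})
        rules.append({"chain": "output", "action": "drop",
                      "comment": f"{i} drop all output", "out-interface": i})
    return rules


def rule_matches(rule: dict, chain: str, out_iface: str, f: dict) -> bool:
    """Every key present in the rule must match; absent keys are wildcards, as in RouterOS."""
    if rule["chain"] != chain or rule["out-interface"] != out_iface:
        return False
    if "mac-protocol" in rule and f["ethertype"] != ETHERTYPE_IP:
        return False
    if "dst-mac-address" in rule:
        mac, mask = rule["dst-mac-address"]
        masked = bytes(a & m for a, m in zip(f["dst_mac"], mask))
        if masked != bytes(a & m for a, m in zip(mac, mask)):
            return False
    if rule.get("dst-address", f["dst_ip"]) != f["dst_ip"]:
        return False
    if "ip-protocol" in rule and f["ip_proto"] != PROTO_UDP:
        return False
    if rule.get("src-port", f["src_port"]) != f["src_port"]:
        return False
    return rule.get("dst-port", f["dst_port"]) == f["dst_port"]


def verdict(rules: list, chain: str, out_iface: str, frame: bytes) -> tuple:
    """Walk the chain in order; a chain with no matching rule accepts."""
    f = parse_frame(frame)
    for rule in rules:
        if rule_matches(rule, chain, out_iface, f):
            return rule["action"], rule.get("comment", "")
    return "accept", "no rule matched"


def udp_frame(dst_mac: bytes, dst_ip: str, src_port: int, dst_port: int, payload: bytes = b"") -> bytes:
    """Construct a minimal Ethernet/IPv4/UDP frame (constructed test data, checksums left zero)."""
    src_mac = bytes.fromhex("020000000001")            # constructed, locally administered
    src_ip = bytes([172, 16, 100, 10])                  # constructed host on the VLAN100 subnet
    udp = struct.pack("!HHHH", src_port, dst_port, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, PROTO_UDP, 0,
                     src_ip, bytes(int(o) for o in dst_ip.split(".")))
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IP) + ip + udp


def arp_frame() -> bytes:
    """Constructed broadcast ARP request; not mac-protocol=ip, so only the drop rules can match."""
    return BCAST_MAC + bytes.fromhex("020000000001") + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28


if __name__ == "__main__":
    samples = {
        "mDNS announce": udp_frame(MDNS_MAC, "224.0.0.251", 5353, 5353),
        "SSDP M-SEARCH": udp_frame(SSDP_MAC, "239.255.255.250", 49152, 1900),
        "MNDP broadcast": udp_frame(BCAST_MAC, "255.255.255.255", 5678, 5678),
        "ARP request": arp_frame(),
    }
    for name, frame in samples.items():
        print(f"{name:15s} -> {verdict(EOIP_RULES, 'forward', 'EoIP', frame)}")
```

Two things the model makes visible that are easy to miss when reading the export: the accept rule requires src-port=5353 as well as dst-port=5353, so a one-shot mDNS query sent from an ephemeral source port matches nothing but the drop rule and is not relayed, and a broadcast UDP 5678 (MNDP) frame is dropped by these rules in the model, so the leak the poster observed comes from the router's own discovery service sending outside the filter's reach rather than from the rules themselves, which is why disabling discovery on that interface is the fix.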