Enabling IGMP snooping destablizes my network

I can’t really figure out why. But my network is broken when IGMP snooping is enabled. But in 2 different ways, on 2 different Mikrotik devices. For context, rt1 is the gateway to the internet, that’s a Fritzbox. In the logs of the Fritzbox I do see “04.05.25 21:11:23 IGMPv2 multicast router 0.0.0.0 ignored”. But I tried all day. So it’s weird I only see one entry there. Also no source of the error (sw1/rt2).

Maybe also a good question, do I really need this IGMP snooping? Maybe rt1 is the one that handles this? No other devices should mingle with that?

The first device, called rt2, has the following config.

It has IGMP Snooping enabled, but also multicast-querier=yes. Because otherwise IPv6 addresses didn’t show up in the MDB overview. However, only IPv4 connections work now and no IPv6 addresses are handed out. Specifically it’s a RB5009UPr+S+ routerboard. How can I make sure that IPv6 also just works?

[user@rt2] > /interface/bridge/print 
Flags: D - dynamic; X - disabled, R - running 
 0  R name="bridge" mtu=auto actual-mtu=1500 l2mtu=1514 arp=enabled arp-timeout=auto mac-address=xxx:94 protocol-mode=mstp fast-forward=yes igmp-snooping=yes multicast-router=temporary-query multicast-querier=yes startup-query-count=2 last-member-query-count=2 last-member-interval=1s membership-interval=4m20s 
      querier-interval=4m15s query-interval=2m5s query-response-interval=10s startup-query-interval=31s250ms igmp-version=2 mld-version=1 auto-mac=no admin-mac=xxx:94 ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 region-name="" region-revision=0 max-hops=20 vlan-filtering=yes 
      ether-type=0x8100 pvid=10 frame-types=admit-all ingress-filtering=yes dhcp-snooping=no port-cost-mode=long mvrp=no max-learned-entries=auto

MDB details

[<user>@<hostname>] > /interface/bridge/mdb/print detail
Flags: X - disabled; I - invalid; D - dynamic
 0   D group=<ipv4_mc_prefix>.x50 ports="" bridge=bridge vid=10 on-ports=ether2,ether1
 1   D group=<ipv6_multicast_addr> ports="" bridge=bridge vid=10 on-ports=bridge,ether2,ether1
 2   D group=<ipv6_multicast_addr> ports="" bridge=bridge vid=10 on-ports=ether1
 3   D group=<ipv6_multicast_addr> ports="" bridge=bridge vid=10 on-ports=bridge
 4   D group=<ipv6_multicast_addr> ports="" bridge=bridge vid=10 on-ports=ether1
 5   D group=<ipv6_multicast_addr> ports="" bridge=bridge vid=10 on-ports=ether1
 6   D group=<ipv6_snmc_prefix>::xx0 ports="" bridge=bridge vid=10 on-ports=bridge,ether2,ether1
 7   D group=<ipv6_snmc_prefix>::xx50 ports="" bridge=bridge vid=10 on-ports=ether1
 8   D group=<ipv6_snmc_prefix>::xx18 ports="" bridge=bridge vid=10 on-ports=ether1
 9   D group=<ipv6_snmc_prefix>::xx7f ports="" bridge=bridge vid=10 on-ports=ether3
10   D group=<ipv6_snmc_prefix>::xx75 ports="" bridge=bridge vid=10 on-ports=ether1
11   D group=<ipv6_snmc_prefix>::xx20 ports="" bridge=bridge vid=10 on-ports=ether1
12   D group=<ipv6_snmc_prefix>::xx33 ports="" bridge=bridge vid=10 on-ports=ether4
13   D group=<ipv6_snmc_prefix>::xx79 ports="" bridge=bridge vid=10 on-ports=ether2,ether1
14   D group=<ipv6_snmc_prefix>::xx94 ports="" bridge=bridge vid=10 on-ports=bridge
15   D group=<ipv6_snmc_prefix>::xxa7 ports="" bridge=bridge vid=10 on-ports=ether1
16   D group=<ipv6_snmc_prefix>::xx0f ports="" bridge=bridge vid=10 on-ports=ether1
17   D group=<ipv6_snmc_prefix>::xx3f ports="" bridge=bridge vid=10 on-ports=ether5
18   D group=<ipv6_snmc_prefix>::xxce ports="" bridge=bridge vid=10 on-ports=ether6
19   D group=<ipv6_snmc_prefix>::xx0d ports="" bridge=bridge vid=10 on-ports=ether7
20   D group=<ipv6_multicast_addr> ports="" bridge=bridge vid=10 on-ports=ether2,ether1
21   D group=<ipv6_multicast_addr> ports="" bridge=bridge vid=11 on-ports=ether6
22   D group=<ipv6_multicast_addr> ports="" bridge=bridge vid=11 on-ports=ether1
23   D group=<ipv6_multicast_addr> ports="" bridge=bridge vid=11 on-ports=ether1
24   D group=<ipv6_multicast_addr> ports="" bridge=bridge vid=11 on-ports=ether1
25   D group=<ipv6_snmc_prefix>::xx0 ports="" bridge=bridge vid=11 on-ports=ether6
26   D group=<ipv6_snmc_prefix>::xx4b ports="" bridge=bridge vid=11 on-ports=ether1
27   D group=<ipv6_snmc_prefix>::xxce ports="" bridge=bridge vid=11 on-ports=ether6
28   D group=<ipv6_snmc_prefix>::xx88 ports="" bridge=bridge vid=11 on-ports=ether1
29   D group=<ipv6_snmc_prefix>::xxc4 ports="" bridge=bridge vid=11 on-ports=ether1
30   D group=<ipv6_multicast_addr> ports="" bridge=bridge vid=12 on-ports=ether6
31   D group=<ipv6_snmc_prefix>::xx0 ports="" bridge=bridge vid=12 on-ports=ether6
32   D group=<ipv6_snmc_prefix>::xxce ports="" bridge=bridge vid=12 on-ports=ether6

And the port settings

[user@rt2] > /interface/bridge/port/print detail 
Flags: X - disabled, I - inactive; D - dynamic; H - hw-offload 
 0   H ;;; rt1
       interface=ether2 bridge=bridge priority=0x80 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no 
       bpdu-guard=no trusted=yes mvrp-registrar-state=normal mvrp-applicant-state=normal-participant multicast-router=temporary-query fast-leave=no 

 1   H ;;; rp1
       interface=ether3 bridge=bridge priority=0x80 edge=yes point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=10 frame-types=admit-all ingress-filtering=yes unknown-unicast-flood=no unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=yes trusted=no 
       mvrp-registrar-state=normal mvrp-applicant-state=normal-participant multicast-router=temporary-query fast-leave=no 

 2   H ;;; rp2
       interface=ether4 bridge=bridge priority=0x80 edge=yes point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=10 frame-types=admit-all ingress-filtering=yes unknown-unicast-flood=no unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=yes trusted=no 
       mvrp-registrar-state=normal mvrp-applicant-state=normal-participant multicast-router=temporary-query fast-leave=no 

 3   H ;;; rp3
       interface=ether5 bridge=bridge priority=0x80 edge=yes point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=10 frame-types=admit-all ingress-filtering=yes unknown-unicast-flood=no unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=yes trusted=no 
       mvrp-registrar-state=normal mvrp-applicant-state=normal-participant multicast-router=temporary-query fast-leave=no 

 4   H ;;; rp4
       interface=ether6 bridge=bridge priority=0x80 edge=yes point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=10 frame-types=admit-all ingress-filtering=yes unknown-unicast-flood=no unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=yes trusted=no 
       mvrp-registrar-state=normal mvrp-applicant-state=normal-participant multicast-router=temporary-query fast-leave=no 

 5   H ;;; rp5
       interface=ether7 bridge=bridge priority=0x80 edge=yes point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=10 frame-types=admit-all ingress-filtering=yes unknown-unicast-flood=no unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=yes trusted=no 
       mvrp-registrar-state=normal mvrp-applicant-state=normal-participant multicast-router=temporary-query fast-leave=no 

 6 I H ;;; glass
       interface=ether8 bridge=bridge priority=0x80 edge=yes point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=10 frame-types=admit-all ingress-filtering=yes unknown-unicast-flood=no unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=yes trusted=no 
       mvrp-registrar-state=normal mvrp-applicant-state=normal-participant multicast-router=temporary-query fast-leave=no 

 7 X   ;;; sfp
       interface=sfp-sfpplus1 bridge=bridge priority=0x80 edge=auto point-to-point=auto learn=auto horizon=none auto-isolate=no restricted-role=no restricted-tcn=no pvid=10 frame-types=admit-all ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no 
       mvrp-registrar-state=normal mvrp-applicant-state=normal-participant multicast-router=temporary-query fast-leave=no 

 8   H ;;; sw1
       interface=ether1 bridge=bridge priority=0x80 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=10 frame-types=admit-all ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=yes 
       mvrp-registrar-state=normal mvrp-applicant-state=normal-participant multicast-router=temporary-query fast-leave=no

And the IPv6 ND info. Note that 1-3 are disabled. I prefer to have that enabled, because those VLANs should not communicate to the Internet. But I disabled those configs, just to make sure that wasn’t the problem. Still, no IPv6 connection.

[user@rt2] > /ipv6/nd/print detail 
Flags: X - disabled, I - invalid; * - default 
 0  * interface=all ra-interval=3m20s-10m ra-delay=3s mtu=unspecified reachable-time=unspecified retransmit-interval=unspecified ra-lifetime=30m ra-preference=medium hop-limit=unspecified advertise-mac-address=yes advertise-dns=yes managed-address-configuration=no other-configuration=no 

 1 X  interface=vlan11 ra-interval=3m20s-10m ra-delay=3s mtu=unspecified reachable-time=unspecified retransmit-interval=unspecified ra-lifetime=none ra-preference=medium hop-limit=unspecified advertise-mac-address=yes advertise-dns=no managed-address-configuration=no other-configuration=no 

 2 X  interface=vlan12 ra-interval=3m20s-10m ra-delay=3s mtu=unspecified reachable-time=unspecified retransmit-interval=unspecified ra-lifetime=none ra-preference=medium hop-limit=unspecified advertise-mac-address=yes advertise-dns=no managed-address-configuration=no other-configuration=no 

 3 X  interface=vlan13 ra-interval=3m20s-10m ra-delay=3s mtu=unspecified reachable-time=unspecified retransmit-interval=unspecified ra-lifetime=none ra-preference=medium hop-limit=unspecified advertise-mac-address=yes advertise-dns=no managed-address-configuration=no other-configuration=no

As you can see, no IPv6 connectivity.

 talos-lhi-31e  ~  ping -c 3 google.com
PING google.com (172.217.23.206) 56(84) bytes of data.
64 bytes from ams16s37-in-f14.1e100.net (172.217.23.206): icmp_seq=1 ttl=119 time=2.02 ms
64 bytes from ams16s37-in-f14.1e100.net (172.217.23.206): icmp_seq=2 ttl=119 time=1.18 ms
64 bytes from ams16s37-in-f14.1e100.net (172.217.23.206): icmp_seq=3 ttl=119 time=1.32 ms

--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 1.182/1.504/2.017/0.366 ms

 talos-lhi-31e  ~  ip -brief -6 route
fe80::/64 dev end0 proto kernel metric 256 pref medium
fe80::/64 dev end0.11 proto kernel metric 256 pref medium
fe80::/64 dev end0.12 proto kernel metric 256 pref medium
fe80::/64 dev flannel.1 proto kernel metric 256 pref medium

Now sw1

This is a CRS310-8G+2S+ Cloud Switch. For this model, this applies: https://help.mikrotik.com/docs/spaces/ROS/pages/59277403/Bridge+IGMP+MLD+snooping#BridgeIGMP/MLDsnooping-Introduction

CRS3xx series devices with Marvell-98DX3236, Marvell-98DX224S or Marvell-98DX226S switch chips are not able to distinguish non-IP/IPv4/IPv6 multicast packets once IGMP or MLD querier is detected. It means that the switch will stop forwarding all unknown non-IP/IPv4/IPv6 multicast traffic when the querier is detected. This does not apply to certain link-local multicast address ranges, like 224.0.0.0/24 or ff02::1.

Maybe I’m too tired, but IGMP snooping should still work, right?

However, when I enable the switch with that setting, all connectivity just stops. No IPv6 or IPv6 is working anymore. All connected devices become unreachable. What am I missing to make this work?

[user@sw1] > /interface/bridge/print 
Flags: D - dynamic; X - disabled, R - running 
 0  R name="bridge" mtu=auto actual-mtu=1500 l2mtu=1592 arp=enabled arp-timeout=auto mac-address=xxx:50 protocol-mode=mstp fast-forward=yes igmp-snooping=no auto-mac=no admin-mac=xxx:50 ageing-time=5m priority=0x8000 max-message-age=20s forward-delay=15s transmit-hold-count=6 region-name="" region-revision=0 
      max-hops=20 vlan-filtering=yes ether-type=0x8100 pvid=10 frame-types=admit-all ingress-filtering=yes dhcp-snooping=no port-cost-mode=long mvrp=no max-learned-entries=auto

As you can see, at the moment IGMP snooping is disabled, otherwise the device becomes unreachable.

[user@sw1] > /interface/bridge/port/print detail 
Flags: X - disabled, I - inactive; D - dynamic; H - hw-offload 
 0   H ;;; rt1
       interface=ether1 bridge=bridge priority=0x80 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no 
       bpdu-guard=no trusted=yes mvrp-registrar-state=normal mvrp-applicant-state=normal-participant multicast-router=temporary-query fast-leave=no 

 1   H ;;; rt2
       interface=ether2 bridge=bridge priority=0x80 edge=auto point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=10 frame-types=admit-all ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=yes 
       mvrp-registrar-state=normal mvrp-applicant-state=normal-participant multicast-router=temporary-query fast-leave=no 

 2   H ;;; rt1a
       interface=ether3 bridge=bridge priority=0x80 edge=yes point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no 
       bpdu-guard=yes trusted=no mvrp-registrar-state=normal mvrp-applicant-state=normal-participant multicast-router=temporary-query fast-leave=no 

 3 I H ;;; rt1b
       interface=ether4 bridge=bridge priority=0x80 edge=yes point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no 
       bpdu-guard=yes trusted=no mvrp-registrar-state=normal mvrp-applicant-state=normal-participant multicast-router=temporary-query fast-leave=no 

 4   H ;;; ps5
       interface=ether5 bridge=bridge priority=0x80 edge=yes point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no 
       bpdu-guard=yes trusted=no mvrp-registrar-state=normal mvrp-applicant-state=normal-participant multicast-router=temporary-query fast-leave=no 

 5   H ;;; ws1
       interface=ether6 bridge=bridge priority=0x80 edge=yes point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=10 frame-types=admit-all ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=yes trusted=no 
       mvrp-registrar-state=normal mvrp-applicant-state=normal-participant multicast-router=temporary-query fast-leave=no 

 6   H ;;; rt1c
       interface=ether7 bridge=bridge priority=0x80 edge=yes point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no 
       bpdu-guard=yes trusted=no mvrp-registrar-state=normal mvrp-applicant-state=normal-participant multicast-router=temporary-query fast-leave=no 

 7 I H ;;; glass
       interface=ether8 bridge=bridge priority=0x80 edge=yes point-to-point=auto learn=auto horizon=none hw=yes auto-isolate=no restricted-role=no restricted-tcn=no pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no 
       bpdu-guard=yes trusted=no mvrp-registrar-state=normal mvrp-applicant-state=normal-participant multicast-router=temporary-query fast-leave=no 

 8 X   ;;; defconf
       interface=sfp-sfpplus1 bridge=bridge priority=0x80 edge=auto point-to-point=auto learn=auto horizon=none auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 frame-types=admit-all ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no 
       mvrp-registrar-state=normal mvrp-applicant-state=normal-participant multicast-router=temporary-query fast-leave=no 

 9 X   ;;; defconf
       interface=sfp-sfpplus2 bridge=bridge priority=0x80 edge=auto point-to-point=auto learn=auto horizon=none auto-isolate=no restricted-role=no restricted-tcn=no pvid=1 frame-types=admit-all ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no 
       mvrp-registrar-state=normal mvrp-applicant-state=normal-participant multicast-router=temporary-query fast-leave=no

unknown-unicast-flood=no on rt2 was messing up IPv6. That probably messed up some IPv6 things, I think. Still troubleshooting.

Edit: It seems to work now on rt2, with that unknown-unicast-flood set to no and on rt1 (Fritzbox) I for some reason didn’t get a IPv6 prefix anymore. After a reboot IPv6 works fine now on rt2.

Edit 2: It seems to work for sw1 as well! I had to configure multicast-querier=yes for that one.

I think rt1 (Fritzbox) was having issues and that’s why everything failed. Then i started to mess with settings, which made things worse.

I cheered too soon. The network doesn’t break immediately, but after a few hours there are hiccups. Not fatal though, but enough to disable the IGMP snooping on sw1 for now. Any advice to troubleshoot further? I don’t see fatal things in the logs. The network just seems to stop, mainly the Internet network, the control plane is still reachable (separate VLAN).

Maybe it has to do with “mld-querier: none” being empty on sw1. It’s also empty on rt2 now, since I disabled snooping on sw1. Before that it was filled in for rt2 I believe.

At least for the RB5009, you can forget about turning on IGMP Snooping and using VLANs and IPv6 at the same time for now. I’ve been trying to do that on my RB5009 for the past two years. tried everything, with every RouterOS versions released since then, it has never worked properly. I tried turning it back on every time a newer RouterOS version is released, sometimes it appears to work for a few days, only for the MDB table to miss the entries again and the client devices no longer receive the multicast frames required for IPv6 to function correctly.

In my experience IGMP Snooping and using VLANs and IPv6 at the same time can work if there is an external MLD querier running on every VLAN using IPv6, disabling the ROS integrated one. In my case it is a 3rd party switch having a mld querier with 30s interval configured on every VLAN. With this RB5009 keeps the mdb table up to date.
The problem with the ROS integrated mld querier is it runs on the CPU, is not VLAN aware and in my experience it is quite random on what bridge ports and VLANs mld queries egress. Causing troubles with RB5009 keeping bridge mdb up to date. And potentially also on other mld aware devices in the network.

This seems related to a ticket I submitted. If IGMP snooping is active on the bridge, devices don’t get an IPv6 SLAAC address until the next periodic RA is sent. Mikrotik acknowledged the bug, said they were able to verify it, and that it would be fixed in the future, but they said they couldn’t provide an estimated time/version for the fix.

Do you have a link to that ticket? Then I’ll subscribe for updates. I hope this fix also includes the CRS3xx series.

Don’t know if related, I have an RB4001 and hAP ac2 network, with VLAN used to isolate main LAN and IoT, having mDNS enabled is working, printer is able to be discovered from the isolate LAN.
Another network with RB5009 and hAP ax2 configured in a similar way but with CAPsMAN, also with mDNS enabled on both VLANs, unable to find the printer without static DNS, spent an enormous time wasted without a solution, at the end I had to move printer to main LAN.
The only thing that was not tested is disable IGMP Snooping, RB5009 switch chip is capable of hardware offloading.

Is IGMP Snooping that broken or anyone had this feature enabled without issues?

Not sure how your RB4011 setup was with working mDNS.

IGMP snooping is a l2 traffic optimization feature (by forwarding multicast packages only to ports with at least on subscribed member) and as such works per VLAN. It does not forward btw. VLANs.
Starting with ROS 7.16, ROS has mDNS forwarder which can be used to forward mDNS btw. interfaces on different VLANs.
https://help.mikrotik.com/docs/spaces/ROS/pages/37748767/DNS#DNS-mDNS

Both RB4011 and RB5009 are configured in a very similar way, basic config following instructions from help pages.
mDNS is enabled using /ip dns set mdns-repeat-ifaces=IoT-VLAN,LAN-VLAN
Difference between both networks are the use of CAPs-MAN to manage AP and IGMP snooping enabled on RB5009.

Is IGMP Snooping working in the latest version?

Assuming we are now talking about IPv4/IGMP and not IPv6/MLD: Yes, IGMP snooping with l2hw works on my RB5009 with mDNS, mDNS forwarding btw. VLANs and IPTV at my home network. I suggest to use ROS packet capturing to see how mDNS packets flow and if the mDNS forwarder works as intended.

Thanks @jbl42!
Are you using CAPsMAN with AX AP?

mDNS was flowing until the L2 switch but none of wireless device was able to discover printer, but during configuration a PC connected via ethernet worked.
Will do more tests replicating the network environment to find the issue.