For IoT devices I need to be able to route mDNS broadcast traffic through VLANs.
I saw that this is currently only possible with an external server (or maybe a MetaRouter with OpenWRT, but unfortunately my router - RB4011 - doesn’t support MetaRouter yet).
Not a big problem, I already have a RPi which only works as a local DNS server (Pi-hole). I thought I would install avahi-reflector on that one.
However I don’t know what the correct configuration for it will be.
Right now it is plugged into one of the ether ports on the router. The port is an untagged access port, which is only visible on my private VLAN and a firewall forward rule is set to allow the guest network to access the DNS server. This works really great.
However now I don’t know how I could preserve these functions and also be able to use the reflector. If I read it right, you still have to use your private VLAN (in this scenario) as untagged and set the router to route the guest VLAN for the reflector server as tagged.
Is this the right approach for this? Will it affect the DNS server? I assume it might be that in this scenario the DNS server will also be accessible through the guest VLAN (I mean the web interface of the DNS server).
What I have tried: adding the interface of the RPi to the guest VLAN as tagged and setting up a sub-interface on the RPi for the guest VLAN. However the RPi did not get a valid address for that VLAN, even after enabling DHCP for that sub-interface.
As for VLAN setup: set the port to tagged for every vlan, just add an interface on your Linux server as the guide says. Just don’t forget to change that port to admit-all frame-type if you have enabled ingress filtering.
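The Linux side of the advice above (tagged sub-interfaces on the Pi, then an avahi reflector bound to exactly those interfaces), as an added example rather than a script from the thread. It assumes the parent NIC is eth0, the guest and IoT VLANs are 20 and 30, the private VLAN is untagged on the port, and dhclient is installed; it also includes a check for the "sub-interface never got an address" symptom described in the question.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: eth0 parent NIC,
# tagged VLANs 20 (guest) and 30 (IoT); the private VLAN stays untagged.
set -eu

PARENT="${PARENT:-eth0}"
TAGGED_VLANS="${TAGGED_VLANS:-20 30}"

# Linux convention for an 802.1Q sub-interface name: eth0.20, eth0.30, ...
vlan_ifname() { printf '%s.%s\n' "$1" "$2"; }

# Render avahi-daemon.conf: turn the reflector on and restrict avahi to the
# parent and VLAN sub-interfaces so it never reflects onto wlan0/docker0.
render_avahi_conf() {
  parent=$1; shift
  ifaces=$parent
  for v in "$@"; do ifaces="$ifaces,$(vlan_ifname "$parent" "$v")"; done
  printf '[server]\nallow-interfaces=%s\n\n[reflector]\nenable-reflector=yes\n' "$ifaces"
}

# Create one tagged sub-interface and request a DHCP lease on it (root only,
# not persistent across reboots; assumption: dhclient is the DHCP client).
add_vlan() {
  parent=$1; vid=$2; name=$(vlan_ifname "$parent" "$vid")
  ip link add link "$parent" name "$name" type vlan id "$vid"
  ip link set "$name" up
  dhclient -v "$name"
}

# True when the sub-interface holds an IPv4 address, i.e. DHCP worked.
vlan_has_addr() { ip -4 -o addr show dev "$1" 2>/dev/null | grep -q 'inet '; }

# Apply only when explicitly requested as root: APPLY=1 sudo sh reflector.sh
if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
  for v in $TAGGED_VLANS; do add_vlan "$PARENT" "$v"; done
  for v in $TAGGED_VLANS; do
    n=$(vlan_ifname "$PARENT" "$v")
    if vlan_has_addr "$n"; then echo "$n: got an address"
    else echo "$n: NO ADDRESS - is the switch port tagged for VLAN $v (frame-types admit-all) and is DHCP running on that VLAN?"
    fi
  done
  # Replaces the stock avahi config; keys not listed keep their defaults.
  render_avahi_conf "$PARENT" $TAGGED_VLANS > /etc/avahi/avahi-daemon.conf
  systemctl restart avahi-daemon
fi
```

Without APPLY=1 the script only defines the functions, so the rendering can be inspected first with `render_avahi_conf eth0 20 30`.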
Ps.: Google Chromecast/Apple AirPlay devices seem to work now… Spotify Connect devices still don’t show up…
Only other vendors’ devices (like Denon) don’t show up in Spotify Connect. Google Chromecasts work fine.
I need to fine tune this for Denon devices to work:
Kudos to you for sticking with the thread and posting updates!
I am installing all UniFi equipment, but don’t want to leave RouterOS behind. My project is to break up my network into LAN, IoT & NoT. Right now I am dumping all VLANs to the LAN network. I have implemented policies restricting traffic to the LAN - have not moved anything over to their respective SSIDs (VLANs) yet, but I don’t have mDNS or “VLAN Filtering” turned on in the bridge interface, so I’m expecting issues. Coming across your post was encouraging and helpful.
I’m unfortunately stuck with this.
mDNS reflection seems to be working fine; printers and AirPlay devices show up correctly on every VLAN immediately and work as they should.
Though Chromecast devices and Spotify Connect devices don’t seem to be working flawlessly. So these devices may need additional config besides mDNS, but I don’t know where I should look…
Well, it seems it is also working for me. I had to reset Wi-Fi on some of the Chromecast devices, I don’t know why, but it now seems working.
Do you allow access for Chromecast devices on the firewall from multiple networks? I did not test it from my Guest network fully (which does not have access to any local network), but it finds the Chromecast devices from there as well (but I did not try to connect to them yet from there), so I assume that access is needed for these devices to connect?
Sorry I did not see this response before!
Yes, it won’t work out of the box, but if you use UniFi you might have a better experience with this. As far as I know UniFi has a built-in mDNS reflector, so you just have to turn on a switch for this to work.
As described this should be enough, but there might be differences in devices. If I get this working fully (unfortunately I don’t have much time for this so I’m slowly migrating my devices to my IoT network), I might do a full post on what is needed for this to work…
Chromecast devices work fully on my main network. Guest network does not seem to work, even with mDNS reflection. On Guest network everything is blocked except WAN traffic. As soon as I enable the vlan_guest network to access everything, devices appear. I don’t know what I need to add to the firewall for this to work. A simple address list with the Chromecast devices’ addresses is not enough.
Denon devices with Spotify Connect are really unstable. The Denon HEOS app works great, but Spotify Connect does not. The Denon devices usually won’t show up in the Devices list, only the Chromecast devices. But sometimes they do show up and for example my PC and iPad always show these Denon devices too, but my phone and other phones don’t…
It depends on how your firewall is written, but I think you need to forward (allow) traffic from main to guest. Just give the guest network access to the Avahi reflector, assuming it is sitting on the main network.
Well, you might be right, so I would try this. You mean to allow traffic only to that device?
But:
It was the input chain rule which caused Chromecast devices to appear. So I added a rule to the input chain, not forward which allows access to the whole network from guest network.
The reflector has multiple (virtual) interfaces and it has its own address in every subnetwork. Browsing with avahi-browse I can see that it reflects all traffic to every interface it has. I thought this is the meaning of the reflector.
On its local interface (the one which is in the guest network) I can access the reflector.
Yes the reflector can grab an IP from every VLAN and reflect that traffic. But the to and from devices need to be able to reach each other as the source and destination. Input rules are traffic destined for the router itself. That may be appropriate for a UniFi USG environment that runs the service. These should be forward rules. I am not at home or I would post some. In my case I can have a Kids and Guest VLAN discover a Chromecast on my main network and push content. I have to forward/accept traffic from the Kids/Guest (address list in my case) to the Chromecasts’ IPs (again I have more than one so I put them in an address list). I may have the reverse rules as well, Chromecasts > Kids/Guest, but I cannot remember.
“Browsing with avahi-browse I can see that it reflects all traffic to every interface it has. I thought this is the meaning of the reflector.” - I think that is correct, but you still have to allow the inter-VLAN communication to flow. Again - this is somewhat dependent on how you have your firewall set up.
Yes I also have an address list with the Chromecast devices’ IP addresses, and I added them to the forward chain, so from every network you can access these IPs (no additional config is made there, so everything is forwarded to these IPs). I think this is the same as you are talking about (or not?). I would be happy if you can show how you did this.
And I almost forgot: I connected my phone to my guest network, that one found the Chromecast devices (I think some caching is done here, so discovery does not happen every time) and until I had this rule to forward packets to the Chromecast IPs I was not able to connect to the Chromecast device (so this makes sense). However newly connected devices (and my laptop for example) do not discover devices until I have a rule which allows the guest network full network access (which I don’t want to have).
It seems that on a new device even on my private vlan the Chromecasts won’t work.
On my private vlan everything is accessible and for debugging purposes now everything is also allowed from the IoT network, but still I can’t get this to work.
I have downloaded a Bonjour Browser which basically lists the mDNS traffic. On both networks (Main and Guest) all mDNS traffic can be seen and it can resolve and show correct mDNS records. Also services purely relying on mDNS have worked correctly since the beginning (like HomeKit, AirPlay, AirPrint (CUPS)). So it might be something else why my Chromecast devices and Spotify Connect (HEOS) devices don’t work correctly.
It seems that some devices don’t just use mDNS but also IGMP to discover devices.
Even Chromecast for Chrome mentions that IGMP is also needed. My Denon HEOS speakers also specify that IGMP forwarding is needed. And looking into this closer, this is the only thing which is not working properly.
mDNS is correct I’m sure now, but looking at IGMP packets in Wireshark, I can’t see any igmp packet forwarded from my IoT vlan to my main network…
Ok I might have found the problem and maybe someone could help me with a correct avahi reflector config.
IGMP forwarding is really needed, though looking at Wireshark a simple IGMP Proxy setup is enough, no need to mess with PIM.
The problem seems to be with avahi-reflector, but I don’t know what is the exact problem. If I stop the reflector and wait a little, open Spotify and then start the reflector everything pops up correctly in the devices list (even Chromecast works fully and much faster). However restarting the Spotify app, the devices will disappear and will not be seen until I restart the reflector again…
So from Mikrotik perspective, everything was set up properly. You might need IGMP proxy for some devices, but no need for PIM (some suggested that IGMP is not enough, even though every guide says it uses IGMP), just a simple IGMP-Proxy setup will do.
I don’t know what the problem with avahi was, because it kinda worked; Google Chromecast devices and Apple-related stuff as I said earlier worked correctly, but some services wouldn’t. That’s why I never thought that the mDNS reflector was not working correctly, because some things worked anyway and also when browsing mDNS traffic, everything was reported correctly.
However after switching mDNS reflector, everything started to work immediately. Also discovery is faster now in every service.
There is a newer avahi-daemon version (8.0) but I did not have time to build it (not available through apt yet), it might solve these issues (but I don’t know why this happens).
Anyway thanks to everyone trying to help! It would be great if MikroTik could implement its own mDNS reflector. Then this might work on the first try and you wouldn’t need to mess around with 3rd-party services and devices.
Thank you. I too never gave it a thought that avahi wasn’t working as expected because of the devices showing up and only groups missing. Thought it was a Google screw-up.
I’ve switched myself and a mate to mdns-repeater and both are now fully working.