UpRunTech
Member Candidate
Topic Author
Posts: 216
Joined: Fri Jul 27, 2012 12:11 pm

mDNS between VLANs with just bridge filters - Look Mum, no containers!

Thu Feb 01, 2024 10:54 pm

[EDIT this was my initial version but is superseded by the MACVLAN version below]

I had an issue on a site where I needed devices on VLAN2 to see Chromecasts, AppleTV's and Airprint on VLAN1. Taking some ideas I had while formulating the post about mDNS on Wireguard I tried it out. Apparently Mikrotik have a solution for mDNS in ROS they are still cooking up so we'll have to wait; until then...

I have a CRS354 switch on site doing IGMP snooping and a router doing PIM-SM and of course this doesn't help for mDNS between VLANs. I also have some hEX's acting as managed switches (using VLAN-filtering) in some rooms so I tried this on a hEX:

* hEX has a VLAN-filtered bridge with VLAN1 and VLAN2 with these tagged on Eth1 and untagged on the other ports as needed.
* Created a new bridge called BridgemDNS.
* Create 2 VLAN interfaces (VLAN1 and VLAN2) whose parent is the main VLAN filtered bridge.
* Put the ports for the VLANs onto the new bridge and do some filtering.
/interface bridge
add name=BridgemDNS protocol-mode=none

/interface bridge port
add bridge=BridgemDNS frame-types=admit-only-untagged-and-priority-tagged \
    interface=VLAN1 pvid=1001
add bridge=BridgemDNS frame-types=admit-only-untagged-and-priority-tagged \
    interface=VLAN2 pvid=1001

/interface bridge vlan
add bridge=BridgemDNS untagged=VLAN1,VLAN2 vlan-ids=1001

/interface bridge filter
add action=accept chain=forward comment="Allow mDNS" dst-address=\
    224.0.0.251/32 dst-mac-address=01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF \
    dst-port=5353 in-bridge=BridgemDNS ip-protocol=udp \
    mac-protocol=ip out-bridge=BridgemDNS src-port=5353
add action=drop chain=forward in-bridge=BridgemDNS \
    out-bridge=BridgemDNS

/interface bridge nat
add action=src-nat chain=srcnat dst-mac-address=\
    01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF to-src-mac-address=CC:2D:E0:14:64:AD
So you can see in the 1st part the new bridge is created and VLAN ports set up to join it using a PVID of 1001. This way the layer 2 traffic from VLAN1 and VLAN2 will be connected. It's vitally important that the drop filter rule is there to block all the L2 traffic flowing both ways which would create havoc. The rule before the drop is the magic one that lets mDNS traffic through only, after that the drop rule blocks all other traffic.

Nothing seemed to happen at this point until I did a SRCNAT on the MAC address of frames being sent out using the MAC address (CC:2D:E0:14:64:AD) of the main VLAN-filtered bridge (not the mDNS bridge). I think has to do with IGMP snooping and traffic flooding egress on ports and making sure the MAC is known on that network.

So this seemed to work and mDNS broadcast traffic flowed both ways. The network through the main router allows traffic initiated from VLAN2 to go to VLAN1 so Airplay worked when I connect a Macbook on VLAN2 to an AppleTV on VLAN1.

I did another test to see if I could just allow certain mDNS traffic across.
/interface bridge filter
add action=accept chain=forward comment="Allow mDNS VLAN1" \
    dst-address=224.0.0.251/32 dst-mac-address=\
    01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF dst-port=5353 in-bridge=BridgemDNS \
    in-interface=VLAN1 ip-protocol=udp mac-protocol=ip \
    out-bridge=BridgemDNS src-mac-address=34:FD:6A:03:A1:8B/FF:FF:FF:FF:FF:FF \
    src-port=5353

add action=drop chain=forward comment="Drop all other mDNS from VLAN1" \
    dst-address=224.0.0.251/32 dst-mac-address=\
    01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF dst-port=5353 in-bridge=BridgemDNS \
    in-interface=VLAN1 ip-protocol=udp mac-protocol=ip \
    out-bridge=BridgemDNS src-port=5353
    
add action=accept chain=forward comment="Allow mDNS" dst-address=\
    224.0.0.251/32 dst-mac-address=01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF \
    dst-port=5353 in-bridge=BridgemDNS ip-protocol=udp \
    mac-protocol=ip out-bridge=BridgemDNS src-port=5353

add action=drop chain=forward in-bridge=BridgemDNS \
    out-bridge=BridgemDNS
    
/interface bridge nat
add action=src-nat chain=srcnat dst-mac-address=\
    01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF to-src-mac-address=CC:2D:E0:14:64:AD

* The 1st filter rule lets only mDNS traffic from VLAN1->2 across if the SRCMAC is 34:FD:6A:03:A1:8B which is a particular AppleTV.
* The next rule drops all other mDNS traffic from VLAN1->2.
* The third rule then allows any remaining mDNS traffic which will only be VLAN2->1 and finally the main drop rule to block everything else getting across either way and the MAC SRCNAT.

The Macbook at this point could then only see the one AppleTV device and the Airprint printer became unavailable.

I am still testing this out but it seems solid enough. I didn't assign any IP addresses to the VLAN interfaces. There might be unintended consequences to doing this even though the packet flow maps shows bridge packets will get handled before IP.

I'd suggest trying this out on an independent Routerboard device on your network as I have and not your main router and switches.
Last edited by UpRunTech on Thu Feb 15, 2024 12:37 pm, edited 2 times in total.
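As an added illustration (not part of UpRunTech's post and not RouterOS code), the Python below models the two things the configuration above relies on: the IPv4 multicast group-to-MAC mapping behind the 01:00:5E:00:00:FB match (the same mapping gives 01:00:5E:7F:FF:FA for SSDP's 239.255.255.250), and first-match evaluation of the selective rule set applied to a few constructed frames. The Frame and Rule classes, evaluate(), and every MAC except the AppleTV's are assumptions of this model, not RouterOS APIs; in-bridge/out-bridge are left out because every frame here is already on the mDNS bridge.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


def ipv4_multicast_mac(group: str) -> str:
    """RFC 1112 section 6.4: the low 23 bits of the group go into 01:00:5E:00:00:00."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5E:%02X:%02X:%02X" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def is_link_local_multicast(group: str) -> bool:
    """224.0.0.0/24 is the IANA Local Network Control Block; routers do not forward it,
    which is why 224.0.0.251 needs an L2 reflector rather than PIM-SM."""
    return ipaddress.IPv4Address(group) in ipaddress.IPv4Network("224.0.0.0/24")


@dataclass
class Frame:                      # constructed model of one bridged frame
    in_interface: str
    src_mac: str
    dst_mac: str
    dst_ip: Optional[str] = None
    ip_protocol: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


@dataclass
class Rule:                       # model of one bridge filter forward rule
    action: str                   # "accept" or "drop"
    comment: str = ""
    in_interface: Optional[str] = None
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None
    dst_ip: Optional[str] = None
    ip_protocol: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None

    def matches(self, f: Frame) -> bool:
        """Every field set on the rule must equal the frame's; unset fields are wildcards."""
        def same(want, got):
            if want is None:
                return True
            if isinstance(want, str) and isinstance(got, str):
                return want.upper() == got.upper()   # MACs compare case-insensitively
            return want == got
        return all(same(getattr(self, k), getattr(f, k)) for k in
                   ("in_interface", "src_mac", "dst_mac", "dst_ip",
                    "ip_protocol", "src_port", "dst_port"))


def evaluate(rules: List[Rule], frame: Frame) -> str:
    """First matching rule wins. A forward chain with no matching rule lets the frame
    through, so the trailing unconditional drop is what makes the mDNS bridge safe."""
    for rule in rules:
        if rule.matches(frame):
            return rule.action
    return "accept"


MDNS_IP = "224.0.0.251"
MDNS_MAC = ipv4_multicast_mac(MDNS_IP)            # 01:00:5E:00:00:FB
APPLETV_MAC = "34:FD:6A:03:A1:8B"                 # the AppleTV MAC from the post


def mdns_rule(action: str, comment: str, **extra) -> Rule:
    return Rule(action, comment, dst_mac=MDNS_MAC, dst_ip=MDNS_IP,
                ip_protocol="udp", src_port=5353, dst_port=5353, **extra)


# Same order as the selective rule set in the post.
SELECTIVE_RULES = [
    mdns_rule("accept", "Allow mDNS VLAN1", in_interface="VLAN1", src_mac=APPLETV_MAC),
    mdns_rule("drop", "Drop all other mDNS from VLAN1", in_interface="VLAN1"),
    mdns_rule("accept", "Allow mDNS"),
    Rule("drop", "Drop all other L2 traffic"),
]

# Constructed sample frames; the 02:00:... MACs are made up for this example.
SAMPLE_FRAMES: Dict[str, Frame] = {
    "appletv mdns VLAN1": Frame("VLAN1", APPLETV_MAC, MDNS_MAC, MDNS_IP, "udp", 5353, 5353),
    "printer mdns VLAN1": Frame("VLAN1", "02:00:00:00:00:01", MDNS_MAC, MDNS_IP, "udp", 5353, 5353),
    "macbook mdns VLAN2": Frame("VLAN2", "02:00:00:00:00:02", MDNS_MAC, MDNS_IP, "udp", 5353, 5353),
    "arp broadcast VLAN2": Frame("VLAN2", "02:00:00:00:00:02", "FF:FF:FF:FF:FF:FF"),
    "unicast tcp VLAN1": Frame("VLAN1", "02:00:00:00:00:01", "02:00:00:00:00:02",
                               "10.0.2.5", "tcp", 40000, 22),
}


def run(rules: List[Rule]) -> Dict[str, str]:
    """Verdict for every sample frame under the given rule list."""
    return {label: evaluate(rules, f) for label, f in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for label, action in run(SELECTIVE_RULES).items():
        print(f"{label:22s} -> {action}")
    # Disable the last rule and every non-mDNS frame crosses the bridge.
    print("without the final drop:", run(SELECTIVE_RULES[:-1]))
```

Running it shows the AppleTV's announcements crossing, the printer's being dropped, the VLAN2 queries crossing, and the last line shows the fail-open behaviour when the trailing drop rule is disabled: ARP and unicast frames are forwarded between the VLANs, which is exactly the misconfiguration to watch for with this technique.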
 
Amm0
Forum Guru
Posts: 3515
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: mDNS between VLANs with just bridge filters - no containers!

Thu Feb 01, 2024 11:37 pm

Great work! Very clever. You've been at this problem for a while now ;).

Very minor nit on the example. The BridgemDNS is a "dumb" switch (e.g. vlan-filtering=no). And maybe the :export does this, but the frame-types & pvid & VLAN assignment should NOT be needed (and do nothing):
/interface bridge port
add bridge=BridgemDNS frame-types=admit-only-untagged-and-priority-tagged \
    interface=VLAN1 pvid=1001
add bridge=BridgemDNS frame-types=admit-only-untagged-and-priority-tagged \
    interface=VLAN2 pvid=1001
/interface bridge vlan
add bridge=BridgemDNS untagged=VLAN1,VLAN2 vlan-ids=1001

But I like this approach & on a hEX... you don't have the option of containers...
 
UpRunTech
Member Candidate
Topic Author
Posts: 216
Joined: Fri Jul 27, 2012 12:11 pm

Re: mDNS between VLANs with just bridge filters - Look Mum, no containers!

Thu Feb 01, 2024 11:43 pm

I always figured there was a way to do mDNS reflecting with bridge filters. Bridge filters are a really useful tool and they have solved some tricky problems for me before.

I'll disable the VLAN 1001 stuff later and see what happens. As you say, could be vestigial at this point and removed.

I will add that enabling a bridge filter may well disable any hardware switching so be warned! It's not an issue for a device like a hEX which usually is doing everything in software anyway. I think there are low complexity cases on a hEX where the bridge is happy to let the switch chip do the leg work.
 
UpRunTech
Member Candidate
Topic Author
Posts: 216
Joined: Fri Jul 27, 2012 12:11 pm

Re: mDNS between VLANs with just bridge filters - Look Mum, no containers!

Tue Feb 13, 2024 10:05 pm

I was tooling through the Help as it likes to change unannounced from time to time and I noticed and read about MACVLAN. Of course it's been around a few months as a tab in Winbox but I never looked into it. This interface solves the problem of being able to do this bridge filtering technique BUT ON YOUR MAIN ROUTER. No offsider router like I used in the OP.

The cool thing about MACVLAN is it gives you another MAC address and interface endpoint hanging off an existing ethernet or VLAN interface. This is just awesome because until now you couldn't add another VLAN interface to a bridge with the same VLAN ID.

My main VLAN is 100 and a test VLAN is 101. I joined MACVLAN interfaces to each VLAN interface and added an mDNS bridge from above. Voila, it works. My phone on 101 can now see the Chromecast on 100 and control it.

* I have VLAN100 and VLAN101 interfaces with their subnet IP addresses and normal L3 routing and filtering - this is where all the main traffic goes between a device and the CC after discovery. I had to disable the DROP rule I had that blocked non-established and related traffic between 101 -> 100.
* I added MACVLANs to each VLAN and joined them on a common (non-VLANed) bridge with bridge filtering. Bridge NAT will make sure the source MAC address is valid on that segment.
* Just to be clear, my main bridge which the VLAN interfaces hang off is VLAN-filtered.
/interface bridge
add name=BridgemDNS protocol-mode=none

/interface macvlan
add interface=VLAN100 name=macvlan100
add interface=VLAN101 name=macvlan101

/interface bridge filter
add action=accept chain=forward comment="Allow mDNS only" dst-address=\
    224.0.0.251/32 dst-mac-address=01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF \
    dst-port=5353 in-bridge=BridgemDNS ip-protocol=udp \
    mac-protocol=ip out-bridge=BridgemDNS src-port=5353
add action=drop chain=forward comment="Drop all other L2 traffic" in-bridge=BridgemDNS \
    out-bridge=BridgemDNS

/interface bridge nat
add action=src-nat chain=srcnat dst-mac-address=\
    01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF to-src-mac-address=48:A9:8A:EF:61:03 \
    comment="Use your primary bridge MAC address here"

* The thing about this technique is you don't need a container running some reflector like Avahi and it'll work even on the puniest SMIPS device.
* You can make bridge filter rules that block certain MAC addresses (so you can just allow the mDNS ads from only a printer and not your other gadgets for example).
* Technically it's more efficient than a container as you obviously don't need the resources of a container, but mainly all the packet management is done in kernel space rather than user space.

Can you add more VLANs into the mix? It's untested but why not? All you need to do is add another MACVLAN interface to the additional VLANs. If you're keen you can make certain ACCEPT/DROP rules that only allow particular MACs to traverse between particular VLANs by adding rules with in-interface and out-interface.
 
qqflexx
just joined
Posts: 1
Joined: Sun Mar 19, 2023 12:11 pm

Re: mDNS between VLANs with just bridge filters - Look Mum, no containers!

Sun Mar 03, 2024 11:26 am

I was tooling through the Help as it likes to change unannounced from time to time and I noticed and read about MACVLAN. Of course it's been around a few months as a tab in Winbox but I never looked into it. This interface solves the problem of being able to do this bridge filtering technique BUT ON YOUR MAIN ROUTER. No offsider router like I used in the OP.
This really works. Very eloquently elegant compared to a container (no dependency on third-party software). Thank you!
/interface macvlan add interface=vlan10 name=macvlan10
/interface macvlan add interface=vlan80 name=macvlan80

/interface bridge add name=bridge-mdns protocol-mode=none
/interface bridge port add bridge=bridge-mdns interface=macvlan10
/interface bridge port add bridge=bridge-mdns interface=macvlan80

/interface bridge filter add action=accept chain=forward comment="Allow mDNS only" dst-address=224.0.0.251/32 dst-mac-address=01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF dst-port=5353 in-bridge=bridge-mdns ip-protocol=udp mac-protocol=ip out-bridge=bridge-mdns src-port=5353
/interface bridge filter add action=drop chain=forward in-bridge=bridge-mdns out-bridge=bridge-mdns comment="Drop all other L2 traffic"

/interface bridge nat add action=src-nat chain=srcnat dst-mac-address=01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF to-src-mac-address=[/interface bridge get [find name="bridge"] mac-address] comment="SNAT to Primary VLAN bridge"
Is there any (unintended?) downside doing it this way?
 
UpRunTech
Member Candidate
Topic Author
Posts: 216
Joined: Fri Jul 27, 2012 12:11 pm

Re: mDNS between VLANs with just bridge filters - Look Mum, no containers!

Sun Mar 03, 2024 1:12 pm

Is there any (unintended?) downside doing it this way?
So far I don't think so, I am happy to hear arguments against doing it this way though. I can only think of a misconfiguration or getting the last drop rule wrong (or disabled) causing issues.
 
DarkNate
Forum Guru
Posts: 1018
Joined: Fri Jun 26, 2020 4:37 pm

Re: mDNS between VLANs with just bridge filters - Look Mum, no containers!

Sun Mar 03, 2024 2:40 pm

Looks hacky to me. Why not just use PIM-SM? I've shared PIM-SM config sample on this forum a few times, works on ROS v7 latest stable.
 
S8T8
Frequent Visitor
Posts: 81
Joined: Thu Sep 15, 2022 7:15 pm

Re: mDNS between VLANs with just bridge filters - Look Mum, no containers!

Sun Mar 03, 2024 3:21 pm

Hi DarkNate, I tested your suggestion about PIM-SM but it was not working with printers, Chromecast, etc…
Support said that we need multicast repeater (will paste their answer if needed).
It should work for you?
 
DarkNate
Forum Guru
Posts: 1018
Joined: Fri Jun 26, 2020 4:37 pm

Re: mDNS between VLANs with just bridge filters - Look Mum, no containers!

Sun Mar 03, 2024 5:58 pm

Hi DarkNate, I tested your suggestion about PIM-SM but it was not working with printers, Chromecast, etc…
Support said that we need multicast repeater (will paste their answer if needed).
It should work for you?
Share support's full reply. I didn't know MikroTik multicast inter-VLAN routing was so messy.
 
S8T8
Frequent Visitor
Posts: 81
Joined: Thu Sep 15, 2022 7:15 pm

Re: mDNS between VLANs with just bridge filters - Look Mum, no containers!

Sun Mar 03, 2024 9:59 pm

...
/routing pimsm instance add name="PIM-SM" disabled=no [+ Bridge set multicast-querier=no]
/routing pimsm interface-template add instance="PIM-SM" interfaces=LAN-VLAN,IoT-VLAN source-addresses=10.0.3.60
are those two lines of code enough to find the printer connected in IoT-VLAN with IP 10.0.3.60 from LAN-VLAN ?

mDNS cannot be routed between networks using IGMP proxy or PIM, because it uses link-local (non-routable) multicast destination IP address.
And RouterOS natively does not support mDNS proxy, unfortunately.
 
UpRunTech
Member Candidate
Topic Author
Posts: 216
Joined: Fri Jul 27, 2012 12:11 pm

Re: mDNS between VLANs with just bridge filters - Look Mum, no containers!

Sun Mar 03, 2024 10:34 pm

Looks hacky to me. Why not just use PIM-SM? I've shared PIM-SM config sample on this forum a few times, works on ROS v7 latest stable.
PIM-SM won't pass IPv4 mDNS. Lord knows I have tried to force it to no avail. PIM-SM works fine for a Chromecast as it uses mDNS and discovery compatible with PIM-SM but I could not get other devices discovered, such as a printer and Airplay. I have had PIM-SM working on VLAN systems and across Wireguard and Zerotier links. In all cases unless I set up something with bridge filtering like my other Wireguard/EoIP example and now this with MACVLANS the IPv4 mDNS traffic can't get across.

Is it hacky? I don't think so for small situations at least with only a handful of VLANs which let's face it, is 90%+ of interested users here. I would be very wary of using it on larger sites with large volumes of mDNS traffic without being selective with MAC filtering and rate limiting in the bridge filter rules.

Until Mikrotik spins up something in ROS that does mDNS repeating this is all there is unless you start to get containers involved which is only limited to ARM and x86 devices.
 
DarkNate
Forum Guru
Posts: 1018
Joined: Fri Jun 26, 2020 4:37 pm

Re: mDNS between VLANs with just bridge filters - Look Mum, no containers!

Mon Mar 04, 2024 2:24 pm

 
UpRunTech
Member Candidate
Topic Author
Posts: 216
Joined: Fri Jul 27, 2012 12:11 pm

Re: mDNS between VLANs with just bridge filters - Look Mum, no containers!

Mon Mar 04, 2024 10:35 pm

Thanks for your suggestion. 224.0.0.0/24 doesn't appear to work even when added to GMP probably due to the 2nd paragraph in https://www.iana.org/assignments/multic ... sses.xhtml.

I could be in error, not the 1st time. You're the protocol expert in this forum though. Tell me what I am doing wrong.
 
DarkNate
Forum Guru
Posts: 1018
Joined: Fri Jun 26, 2020 4:37 pm

Re: mDNS between VLANs with just bridge filters - Look Mum, no containers!

Tue Mar 05, 2024 9:10 am

Haha, I'm not an expert, unlike other wannabe-experts in this forum or industry in general, I'm just a guy who loves to play with networks.

I'm not sure why it works or doesn't work, yet, haven't had time to deep dive into multicast routing. But I do hope, someone with time can properly build a “clean” solution for inter-VLAN multicast routing and “clean” way to do mDNS/link-local multicast across VLANs.

Or maybe, mDNS/multicast discovery IPv6 specs could be updated through the IETF in the future, to allow an official inter-VLAN routing flag or procedure with proper security measures in place at the protocol level. To my knowledge, such a thing doesn't exist yet.
 
UpRunTech
Member Candidate
Topic Author
Posts: 216
Joined: Fri Jul 27, 2012 12:11 pm

Re: mDNS between VLANs with just bridge filters - Look Mum, no containers!

Tue Mar 05, 2024 12:04 pm

I put 224.0.0.251 into GMP and it does not show up in the MDB table in the switch.

I put 224.0.1.251, 224.1.1.251 and 224.1.0.251 into GMP at the same time and they *do* show up in the MDB table in the switch.

I am pretty sure Mikrotik are following convention and not allowing 224.0.0.0/24 to work with the PIM-SM and IGMP protocols. I did ask them to break convention and have a flag to allow it with PIM-SM and got no reply yet.

The scope of the experiments I have done with mDNS and the bridge filter technique only covers IPv4, not IPv6 (and its ff02::fb address) as most people, including myself, seem to be eschewing IPv6 routing for now and most mDNS is still on IPv4.

I suspect any luck you have had with PIM-SM and mDNS is that you are routing IPv6 and ff02::fb is working for you and your devices that use IPv6 for mDNS.

As for the bridge filter technique, the most basic version here should reflect mDNS between member ports on the mDNS bridge and in effect really isn't different to some of the user space programs like https://github.com/Gandem/bonjour-reflector/ that just copy the packets between VLANs on a single ethernet interface.

I am no Go expert but on reading the code Bonjour-reflector (B-R) project checks the DNS QR flag in the body of the packet and floods it to all the known device origin VLANs in the .toml file. If the QR flag is not set it will check the SRC MAC of the packet and flood it only to valid VLANS defined for a valid device MAC.

Bridge-filter (B-F) cannot check for this QR flag and will flood all interfaces in the bridge with an mDNS packet.
B-R can only deal with VLANs but B-F will work with any kind of interface that can be a port member of a bridge, not just VLANs.
B-F can also be fine grained by only allowing certain SRCMACs to get through and (untested) possibly only allow SRCMACs out on limited bridge ports using interface lists.

B-R also rewrites the source MAC address of the packet to that of the ethernet interface it's being reflected out on. The bridge filter technique does the same by SRCNATing the packet with the MAC address of the *main* bridge (not the mDNS bridge).

Looking at the ROS bridge filter options you could make it more fine grained too by setting filter rules that allow or deny based on:
* Traffic between particular interfaces with In and Out Bridge List (using interface lists)
* SRC MAC addresses
* Packet marks
and by the looks of it be able to control the rate too which B-R can't do.

What I am getting at is the B-F method can do the same thing as B-R with some additional rules but without the headache of containers and it's ROS native.
Last edited by UpRunTech on Tue Mar 05, 2024 2:03 pm, edited 1 time in total.
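Added example, not code from the thread and not from the bonjour-reflector project: a minimal mDNS header parser in Python that builds one constructed PTR query and one PTR response, reads the QR flag, and contrasts a QR-aware reflector policy (a hypothetical one modelled on UpRunTech's description of B-R above, not the project's actual source) with what the bridge filter does, which is to flood any mDNS frame to every other port on the mDNS bridge regardless of QR. The helper names, the service and instance names, and the device-to-VLAN table are assumptions; the only MAC taken from the thread is the AppleTV's.

```python
import struct
from typing import Dict, Set

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353
TYPE_PTR, CLASS_IN = 12, 1
FLAG_QR, FLAG_AA = 0x8000, 0x0400          # bit 15 = response, bit 10 = authoritative


def encode_name(name: str) -> bytes:
    """Wire-encode a DNS name as length-prefixed labels ending in a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def decode_name(buf: bytes, off: int):
    """Decode an uncompressed name at off; returns (name, offset just past it)."""
    labels = []
    while True:
        n = buf[off]
        off += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointers are not handled in this example")
        labels.append(buf[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), off


def build_query(service: str, txid: int = 0) -> bytes:
    """Constructed mDNS PTR query (QR=0) for a service type such as _airplay._tcp.local."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(service) + struct.pack("!HH", TYPE_PTR, CLASS_IN)


def build_response(service: str, instance: str, ttl: int = 4500) -> bytes:
    """Constructed mDNS PTR response (QR=1, AA=1) announcing one service instance."""
    header = struct.pack("!HHHHHH", 0, FLAG_QR | FLAG_AA, 0, 1, 0, 0)
    rdata = encode_name(instance)
    rr = encode_name(service) + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, ttl, len(rdata)) + rdata
    return header + rr


def parse_mdns(payload: bytes) -> dict:
    """Read the 12-byte DNS header and the first record name; QR is bit 15 of the flags."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack_from("!HHHHHH", payload, 0)
    info = {"txid": txid, "qr": bool(flags & FLAG_QR), "opcode": (flags >> 11) & 0xF,
            "qdcount": qd, "ancount": an, "name": None}
    if qd or an:
        info["name"], _ = decode_name(payload, 12)
    return info


def reflector_targets(src_mac: str, payload: bytes,
                      device_vlans: Dict[str, Set[str]]) -> Set[str]:
    """Hypothetical QR-aware policy modelled on the post's description of B-R:
    responses are flooded to every VLAN that hosts a configured device; queries go
    only to the VLANs configured for the sender's MAC, so an unknown MAC gets nothing."""
    if parse_mdns(payload)["qr"]:
        return set().union(*device_vlans.values())
    return set(device_vlans.get(src_mac.upper(), ()))


def bridge_filter_targets(in_vlan: str, payload: bytes, bridge_vlans: Set[str]) -> Set[str]:
    """What the bridge filter does: it matches dst MAC/IP/port only, never the DNS body,
    so any well-formed mDNS frame is flooded to every other port on the mDNS bridge."""
    parse_mdns(payload)   # parsed only to show the header is there; the filter ignores it
    return set(bridge_vlans) - {in_vlan}


# Constructed device table: the AppleTV MAC is from the thread, the other is made up.
DEVICE_VLANS = {"34:FD:6A:03:A1:8B": {"VLAN1"},
                "02:00:00:00:00:02": {"VLAN2"}}

if __name__ == "__main__":
    query = build_query("_airplay._tcp.local")
    answer = build_response("_airplay._tcp.local", "LivingRoom._airplay._tcp.local")
    print("query  :", parse_mdns(query))
    print("answer :", parse_mdns(answer))
    print("B-R style, AppleTV answer :", reflector_targets("34:FD:6A:03:A1:8B", answer, DEVICE_VLANS))
    print("B-R style, unknown query  :", reflector_targets("02:00:00:00:00:99", query, DEVICE_VLANS))
    print("bridge filter, any mDNS   :", bridge_filter_targets("VLAN1", query, {"VLAN1", "VLAN2"}))
```

The point of the contrast is the one made in the post: a user-space reflector can read the QR flag and the source MAC and scope each packet, while the bridge filter sees only the L2/L3/L4 headers, so restricting what crosses has to be done with src-mac-address, in-interface and out-interface matches rather than by packet content.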
 
DarkNate
Forum Guru
Posts: 1018
Joined: Fri Jun 26, 2020 4:37 pm

Re: mDNS between VLANs with just bridge filters - Look Mum, no containers!

Tue Mar 05, 2024 2:00 pm

I suspect any luck you have had with PIM-SM and mDNS is that you are routing IPv6 and ff02::fb is working for you and your devices that use IPv6 for mDNS.
Yes, all my home networks/devices and production network are 100% IPv6-enabled/deployed/only/mostly.

I stopped wasting my time on legacy IPv4 years ago. I would suggest you play with IPv6 multicast routing going forward. IPv4 should, one day, be removed from the network stack.
 
mozerd
Forum Veteran
Posts: 892
Joined: Thu Oct 05, 2017 3:39 pm
Location: Canada

Re: mDNS between VLANs with just bridge filters - Look Mum, no containers!

Tue Mar 05, 2024 2:06 pm

I stopped wasting my time on legacy IPv4 years ago. I would suggest you play with IPv6 multicast routing going forward. IPv4 should, one day, be removed from the network stack.
While I agree with your sentiments wholeheartedly MANY ISPs still do not support IPv6 .... very sad to say .... My old ISP [Rogers] did support IPv6 but my new ISP [Bell] does not so far. I am hopeful that my new ISP will have a change of heart considering the fact that the US Gov has mandated that all of its communications will be IPv6 by 2025.
 
DarkNate
Forum Guru
Posts: 1018
Joined: Fri Jun 26, 2020 4:37 pm

Re: mDNS between VLANs with just bridge filters - Look Mum, no containers!

Wed Mar 06, 2024 8:32 am

mDNS uses link-local IPv6…
 
donkeyKong
just joined
Posts: 6
Joined: Sat Aug 13, 2022 1:13 am

Re: mDNS between VLANs with just bridge filters - Look Mum, no containers!

Tue Mar 12, 2024 12:20 am

Just tested it with my home setup. 3 different VLANs and it works perfectly. I got rid of a small VM running Avahi to do the same thing.
 
jlpedrosa
just joined
Posts: 16
Joined: Wed Dec 13, 2017 3:11 pm

Re: mDNS between VLANs with just bridge filters - Look Mum, no containers!

Tue Mar 19, 2024 4:06 am

@UpRunTech

you mention: "Just to be clear, my main bridge which the VLAN interfaces hang off is VLAN-filtered."

What do you mean by "my main bridge"? I have a router with multiple interfaces and each interface goes to a switch, I don't have any other bridge. Not sure if you could lend me a hand. I tried using your approach with a single bridge, but.... No Way Jose.

Thanks in advance
 
Kataius
newbie
Posts: 41
Joined: Sun Feb 05, 2023 4:38 pm
Location: Italy

Re: mDNS between VLANs with just bridge filters - Look Mum, no containers!

Sat Mar 30, 2024 9:34 pm

Hi everyone, thanks for sharing, I put this setup in the routerboard, it works, but it doesn't find the Sonos soundbar, it only finds all the Chromecasts. Any suggestions?
 
UpRunTech
Member Candidate
Topic Author
Posts: 216
Joined: Fri Jul 27, 2012 12:11 pm

Re: mDNS between VLANs with just bridge filters - Look Mum, no containers!

Sat Mar 30, 2024 10:06 pm

Hi everyone, thanks for sharing, I put this setup in the routerboard, it works, but it doesn't find the Sonos soundbar, it only finds all the Chromecasts. Any suggestions?
EDIT: Before going down the route below try the PIM-SM method 1st. viewtopic.php?t=195714

Have a look at the end of this: https://sonos.svrooij.io/sonos-communication Sonos uses SSDP not mDNS. I don't have a Sonos to test this on but you could try adding the line BEFORE the drop (so after the "Allow mDNS"). Here be dragons though, SSDP has issues concerning security and broadcast amplification. I expect the risk is low on a properly firewalled network.
/interface bridge filter
add action=accept chain=forward comment="Forward SSDP" dst-address=239.255.255.250/32 \
    dst-mac-address=01:00:5E:7F:FF:FA/FF:FF:FF:FF:FF:FF dst-port=1900 \
    ip-protocol=udp mac-protocol=ip out-bridge=BridgemDNS
Also add a NAT rule for the SSDP packets:
/interface bridge nat
add action=src-nat chain=srcnat dst-mac-address=\
    01:00:5E:7F:FF:FA/FF:FF:FF:FF:FF:FF to-src-mac-address=48:A9:8A:EF:61:03 \
    comment="Use your primary bridge MAC address here"
From my other post about sending mDNS and SSDP over Wireguard I found that I had to make firewall rules to srcnat and dstnat the IP address to fool my SSDP device, MythTV, as it didn't accept SSDP discovery traffic from subnets it wasn't on for security reasons.
 
Kataius
newbie
Posts: 41
Joined: Sun Feb 05, 2023 4:38 pm
Location: Italy

Re: mDNS between VLANs with just bridge filters - Look Mum, no containers!

Sat Mar 30, 2024 11:18 pm

Thanks for the reply but neither PIM-SM nor your filter rule solved my problem.
Plus I have noticed that bridge nat (mdns) has 0 packets, is it normal?

EDIT:

My bad! The Sonos app is working, but I cannot discover the device from Spotify, any help?

The bridge nat rule is not working... here is my firewall config.

Thanks


/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment=\
    "ONLY allow trusted subnet full access to router services" \
    src-address-list=net_casa
add action=accept chain=input comment=PiHole dst-port=53,123 in-interface-list=\
    LAN protocol=udp
add action=accept chain=input comment=PiHole dst-port=53 in-interface-list=LAN \
    protocol=tcp
add action=drop chain=input comment="DROP ALL ELSE"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="allow access to ALL DomusNET from LAN" \
    dst-address-list=net_domus src-address-list=net_casa
add action=accept chain=forward comment=\
    "allow access to ALL ControlNET  from LAN" dst-address-list=net_control \
    src-address-list=net_casa
add action=accept chain=forward comment=\
    "allow access to ALL CasaNET  from DOMUS" dst-address-list=net_casa \
    src-address-list=net_domus
add action=accept chain=forward comment="allow access to PiHOLE" dst-address=\
    192.168.55.55 in-interface-list=LAN
add action=drop chain=forward comment="BLOCK DOT and DOH" dst-address-list=\
    DNS-DOH dst-port=443,853 protocol=udp src-address-list=filtered
add action=drop chain=forward comment="BLOCK DOT and DOH" dst-address-list=\
    DNS-DOH dst-port=443,853 protocol=tcp src-address-list=filtered
add action=accept chain=forward comment="internet traffic" in-interface-list=\
    LAN out-interface-list=WAN src-address-list=!net_control
add action=accept chain=forward comment="port forwarding" connection-nat-state=\
    dstnat
add action=drop chain=forward comment="DROP ALL ELSE"

EDIT2:

HAPPY EASTER!
 
Kataius
newbie
Posts: 41
Joined: Sun Feb 05, 2023 4:38 pm
Location: Italy

Re: mDNS between VLANs with just bridge filters - Look Mum, no containers!

Thu Apr 04, 2024 3:35 pm

Has anyone managed to get spotify connect to work? Sonos and Chromecast apps work great. Thank you!
 
UpRunTech
Member Candidate
Topic Author
Posts: 216
Joined: Fri Jul 27, 2012 12:11 pm

Re: mDNS between VLANs with just bridge filters - Look Mum, no containers!

Sun Apr 07, 2024 6:51 am

Has anyone managed to get spotify connect to work? Sonos and Chromecast apps work great. Thank you!
This says it uses mDNS.

https://developer.spotify.com/documenta ... s/zeroconf
 
Kataius
newbie
Posts: 41
Joined: Sun Feb 05, 2023 4:38 pm
Location: Italy

Re: mDNS between VLANs with just bridge filters - Look Mum, no containers!

Sun Apr 07, 2024 9:50 am

Hi, I'm so sorry to bother you. I deleted everything and redid everything from the beginning. The filter and nat rules show packets now, so they are working. But I don't have any discovery between vlans. Can you guide me where I can look to understand why it doesn't work?
 
UpRunTech
Member Candidate
Topic Author
Posts: 216
Joined: Fri Jul 27, 2012 12:11 pm

Re: mDNS between VLANs with just bridge filters - Look Mum, no containers!

Sun Apr 07, 2024 11:41 am

Hi, I'm so sorry to bother you. I deleted everything and redid everything from the beginning. The filter and nat rules show packets now, so they are working. But I don't have any discovery between vlans. Can you guide me where I can look to understand why it doesn't work?
For your NAT rules what have you put as the SRCMAC address? Is it the MAC of the main VLAN filtered bridge?

Mine is 48:A9:8A:EF:61:03 as per the example. You must change this to yours.
 
Kataius
newbie
Posts: 41
Joined: Sun Feb 05, 2023 4:38 pm
Location: Italy

Re: mDNS between VLANs with just bridge filters - Look Mum, no containers!

Sun Apr 07, 2024 12:25 pm

Thanks for the reply, sorry if I cause you problems.
These are the configurations, BR-Capsman is my main filter bridge. In the NAT rules I put the MAC of the main bridge.
/interface/bridge/filter/ print
0   ;;; Allow mDNS only
     chain=forward action=accept in-bridge=BR-mDNS out-bridge=BR-mDNS 
     dst-mac-address=01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF mac-protocol=ip 
     dst-address=224.0.0.251/32 src-port=5353 dst-port=5353 ip-protocol=udp 
     log=no log-prefix="" 

 1   ;;; Forward SSDP
     chain=forward action=accept in-bridge=BR-mDNS out-bridge=BR-mDNS 
     dst-mac-address=01:00:5E:7F:FF:FA/FF:FF:FF:FF:FF:FF mac-protocol=ip 
     dst-address=239.255.255.250/32 dst-port=1900 ip-protocol=udp log=no 
     log-prefix="" 

 2   ;;; Drop all other L2 traffic
     chain=forward action=drop in-bridge=BR-mDNS out-bridge=BR-mDN

/interface/bridge/nat/ print

0   ;;; mDNS - SNAT to Primary VLAN bridge
     chain=srcnat action=src-nat to-src-mac-address=48:A9:8A:59:75:CC 
     dst-mac-address=01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF log=no 
     log-prefix="" 

 1   ;;; SSDP - SNAT to Primary VLAN bridge
     chain=srcnat action=src-nat to-src-mac-address=48:A9:8A:59:75:CC 
     dst-mac-address=01:00:5E:7F:FF:FA/FF:FF:FF:FF:FF:FF log=no 
     log-prefix="" 

 /interface/macvlan/print

0 R macvlan100  1480  100-Casa   BA:C9:E8:55:EE:D8  private
1 R macvlan400  1480  400-Domus  C2:AB:7F:29:3C:40  private

/interface/bridge/port> print

0  H sfp-sfpplus1  BR-Capsman  yes     1  0x80             10  10  none   
1 IH ether8        BR-Capsman  yes     1  0x80             10  10  none   
2    veth-pihole   BR-PiHole           1  0x80             10  10  none   
3    macvlan100    BR-mDNS             1  0x80                     none   
4    macvlan400    BR-mDNS             1  0x80                     none

/interface/bridge/ print

0 R ;;; Capsman
     name="BR-Capsman" mtu=auto actual-mtu=1500 l2mtu=1514 arp=enabled 
     arp-timeout=auto mac-address=48:A9:8A:59:75:CC protocol-mode=rstp 
     fast-forward=yes igmp-snooping=no auto-mac=yes ageing-time=5m 
     priority=0x6000 max-message-age=20s forward-delay=15s 
     transmit-hold-count=6 vlan-filtering=yes ether-type=0x8100 pvid=1 
     frame-types=admit-all ingress-filtering=yes dhcp-snooping=no 
     port-cost-mode=short 

 1 R ;;; PiHole
     name="BR-PiHole" mtu=auto actual-mtu=1500 l2mtu=65535 arp=enabled 
     arp-timeout=auto mac-address=5A:1A:EE:6D:F7:68 protocol-mode=rstp 
     fast-forward=yes igmp-snooping=no auto-mac=yes ageing-time=5m 
     priority=0x8000 max-message-age=20s forward-delay=15s 
     transmit-hold-count=6 vlan-filtering=no dhcp-snooping=no 
     port-cost-mode=short 

 2 R ;;; -mDNS
     name="BR-mDNS" mtu=auto actual-mtu=1480 l2mtu=65535 arp=enabled 
     arp-timeout=auto mac-address=BA:C9:E8:55:EE:D8 protocol-mode=none 
     fast-forward=yes igmp-snooping=no auto-mac=yes ageing-time=5m 
     vlan-filtering=no dhcp-snooping=no port-cost-mode=long 
Last edited by Kataius on Mon Apr 08, 2024 3:39 pm, edited 3 times in total.
 
jbl42
Member Candidate
Posts: 215
Joined: Sun Jun 21, 2020 12:58 pm

Re: mDNS between VLANs with just bridge filters - Look Mum, no containers!

Sun Apr 07, 2024 2:23 pm

In devices supporting l2hw for VLAN filtering, using bridge rules disables l2hw. Depending on the device and network topology, this might be an issue or not.

For simple setups where it is only about getting mDNS and/or UPnP passed between two different L3 routed VLANs, switch rules also work and are HW based, working with enabled l2hw on supported devices.
An example for RB5009, with ether5 and ether6 as untagged members of different VLANs (L3 routing with firewalling on CPU, isolated on L2):
/interface/ethernet/switch/rule add comment=mDNS copy-to-cpu=yes dst-address=224.0.0.251/32 dst-mac-address=01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF dst-port=5353 mac-protocol=ip new-dst-ports=ether5,ether6 ports=ether5,ether6 protocol=udp switch=switch1
This forwards mDNS messages on L2. Multicast address range 224.0.0.x is linklocal and is explicitly not meant to be routed on L3. So some L3 services rightfully do not forward them, even if configured to do so.
It is less flexible than the solutions above and only works for certain setups and devices supporting switch rules. It also might be obscure as it is only visible in switch rules and nowhere else.
But where it is good enough, it's simple and fully HW based.
 
Amm0
Forum Guru
Posts: 3515
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: mDNS between VLANs with just bridge filters - Look Mum, no containers!

Sun Apr 07, 2024 5:39 pm

It also might be obscure as it is only visible in switch rules and nowhere else.
But where it is good enough, its simple and fully HW based.
That's a good point on this approach, you could do this in a switch rule for L2HW.

Now the obscurity is more that it requires understanding BOTH the bowels of multicast & also low-level details of L2HW offloading ... than config location ;).
 
Kataius
newbie
Posts: 41
Joined: Sun Feb 05, 2023 4:38 pm
Location: Italy

Re: mDNS between VLANs with just bridge filters - Look Mum, no containers!

Mon Apr 08, 2024 4:33 pm

In the log of the NAT rules I have this:
 
Kataius
newbie
Posts: 41
Joined: Sun Feb 05, 2023 4:38 pm
Location: Italy

Re: mDNS between VLANs with just bridge filters - Look Mum, no containers!

Mon Apr 08, 2024 4:44 pm

Hello again!

In the log of the NAT rules I have this:

NAT mdns srcnat: in:(unknown 0) out:macvlan400, connection-state:invalid src-mac MAC DEVICE, dst-mac 01:00:5e:00:00:fb, eth-proto 0800, UDP, 192.168.0.60:5353->224.0.0.251:5353, len 121
NAT mdns srcnat: in:(unknown 0) out:sfp-sfpplus1, connection-state:invalid src-mac 48:a9:8a:59:75:cc, dst-mac 01:00:5e:00:00:fb, eth-proto 0800, UDP, 192.168.0.60:5353->224.0.0.251:5353, len 121

NAT ssdp srcnat: in:(unknown 0) out:macvlan400, connection-state:invalid src-mac MAC DEVICE, dst-mac 01:00:5e:7f:ff:fa, eth-proto 0800, UDP, 192.168.0.10:49012->239.255.255.250:1900, len 129
NAT ssdp srcnat: in:(unknown 0) out:sfp-sfpplus1, connection-state:invalid src-mac 48:a9:8a:59:75:cc, dst-mac 01:00:5e:7f:ff:fa, eth-proto 0800, UDP, 192.168.0.10:49012->239.255.255.250:1900, len 129


VLAN100 has DHCP 192.168.0.1/24
VLAN400 has DHCP 192.168.240.1/24

Is this the problem?

Thanks



EDIT:

I noticed that if I have this rule in the firewall filter (along with the two SSDP rules, SSDP NAT and FORWARD SSDP):

chain=forward action=accept connection-state=invalid src-address-list=vlan400 dst-address-list=vlan100 log=no log-prefix=""

the Sonos app works; if I disable it the Sonos app stops working (the Sonos devices are in VLAN400, the control device is in VLAN100).
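Every rule in this thread selects multicast frames by both dst-address and dst-mac-address (the bridge filter and bridge NAT rules earlier, jbl42's switch rule above), so the two selectors must describe the same group or the rule never fires; a pair such as 224.0.0.251 with 01:00:5E:7F:FF:FB (the MAC of 239.255.255.251) can never match a frame. The NAT log lines posted just above show the same pairing from the frame side. The following is an added Python example, not code from this thread or from RouterOS: it derives the RFC 1112 group MAC the way the sender does, lists the 32 groups that collide onto one MAC (the reason the rules check the L3 group as well), and audits log lines in the posted format. The log lines, the placeholder device MACs 02:00:00:00:00:01 and 02:00:00:00:00:02 and the host 192.168.0.61 are constructed for the example; all function names are the example's own.

```python
"""Added example, not code from this thread or from RouterOS.

Derives the IPv4-multicast-to-MAC mapping that the bridge filter, bridge
NAT and switch rules rely on, and audits RouterOS NAT log lines in the
format posted in the thread. Sample log lines and the 02:00:00:00:00:xx
MACs are constructed data; all names are the example's own.
"""
import ipaddress
import re
from typing import Dict, List, Optional

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353
SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900


def ipv4_multicast_mac(addr: str) -> str:
    """RFC 1112 mapping: 01:00:5E followed by the low 23 bits of the group."""
    ip = ipaddress.IPv4Address(addr.split("/")[0])
    if not ip.is_multicast:
        raise ValueError(f"{ip} is not an IPv4 multicast group")
    low23 = (int(ip) & 0x7FFFFF).to_bytes(3, "big")
    return ":".join(f"{b:02X}" for b in b"\x01\x00\x5e" + low23)


def groups_sharing_mac(addr: str) -> List[str]:
    """The 32 groups that collide onto one MAC (5 address bits are dropped),
    which is why dst-mac-address alone cannot identify the group."""
    low23 = int(ipaddress.IPv4Address(addr.split("/")[0])) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (hi << 23) | low23))
            for hi in range(32)]


def selectors_agree(dst_address: str, dst_mac: str) -> bool:
    """True when a rule's dst-address and dst-mac-address ('addr/mask'
    RouterOS syntax) can ever match the same frame."""
    return ipv4_multicast_mac(dst_address) == dst_mac.split("/")[0].upper()


# Fields of a RouterOS bridge NAT log line as posted in this thread.
LOG_RE = re.compile(
    r"out:(?P<out>[^,]+),.*?src-mac (?P<smac>[0-9a-f:]{17}), "
    r"dst-mac (?P<dmac>[0-9a-f:]{17}), eth-proto 0800, UDP, "
    r"(?P<sip>[\d.]+):(?P<sport>\d+)->(?P<dip>[\d.]+):(?P<dport>\d+)",
    re.IGNORECASE,
)


def parse_nat_log(line: str) -> Optional[Dict[str, object]]:
    """Extract out-interface, MACs, IPs and ports; None for other lines."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    entry: Dict[str, object] = {
        "out": m["out"], "smac": m["smac"].upper(), "dmac": m["dmac"].upper(),
        "sip": m["sip"], "dip": m["dip"],
        "sport": int(m["sport"]), "dport": int(m["dport"]),
    }
    # The frame's own dst-mac was computed by the sender from the group, so
    # it must agree with dst-ip; a rule pairing the two differently never fires.
    dip = ipaddress.IPv4Address(m["dip"])
    entry["mac_matches_ip"] = (
        dip.is_multicast and ipv4_multicast_mac(m["dip"]) == entry["dmac"]
    )
    return entry


def classify(entry: Dict[str, object]) -> str:
    """mDNS is 5353->5353 to 224.0.0.251 (one-shot queries may use another
    source port); SSDP is ephemeral->1900 to 239.255.255.250, so an SSDP
    rule must not match on src-port the way the mDNS filter does."""
    if entry["dip"] == MDNS_GROUP and entry["dport"] == MDNS_PORT:
        return "mdns" if entry["sport"] == MDNS_PORT else "mdns-oneshot"
    if entry["dip"] == SSDP_GROUP and entry["dport"] == SSDP_PORT:
        return "ssdp"
    return "other"


def audit(lines: List[str]) -> List[Dict[str, object]]:
    """Parse and classify every NAT log line, skipping lines of other kinds."""
    results = []
    for line in lines:
        entry = parse_nat_log(line)
        if entry is not None:
            entry["kind"] = classify(entry)
            results.append(entry)
    return results


# Constructed sample in the posted format (placeholder device MACs).
SAMPLE_LOG = [
    "NAT mdns srcnat: in:(unknown 0) out:macvlan400, connection-state:invalid "
    "src-mac 02:00:00:00:00:01, dst-mac 01:00:5e:00:00:fb, eth-proto 0800, UDP, "
    "192.168.0.60:5353->224.0.0.251:5353, len 121",
    "NAT mdns srcnat: in:(unknown 0) out:sfp-sfpplus1, connection-state:invalid "
    "src-mac 48:a9:8a:59:75:cc, dst-mac 01:00:5e:00:00:fb, eth-proto 0800, UDP, "
    "192.168.0.60:5353->224.0.0.251:5353, len 121",
    "NAT ssdp srcnat: in:(unknown 0) out:macvlan400, connection-state:invalid "
    "src-mac 02:00:00:00:00:01, dst-mac 01:00:5e:7f:ff:fa, eth-proto 0800, UDP, "
    "192.168.0.10:49012->239.255.255.250:1900, len 129",
    "NAT mdns srcnat: in:(unknown 0) out:macvlan400, connection-state:invalid "
    "src-mac 02:00:00:00:00:02, dst-mac 01:00:5e:00:00:fb, eth-proto 0800, UDP, "
    "192.168.0.61:52000->224.0.0.251:5353, len 80",
    "system,info log rule changed by admin",
]
```

Running audit(SAMPLE_LOG) classifies the first two lines as mdns and the SSDP line as ssdp; the SSDP source port is ephemeral (49012 in the posted log), which is why the mDNS accept rule's src-port=5353 match cannot be copied for SSDP. The last sample line is a one-shot mDNS query from port 52000: it does not match an accept rule that requires src-port=5353 and falls through to the drop rule, which is worth keeping in mind when a device is slow to appear.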
 
evergreen
just joined
Posts: 13
Joined: Tue Mar 07, 2023 9:41 pm

Re: mDNS between VLANs with just bridge filters - Look Mum, no containers!

Sun Apr 14, 2024 11:03 pm

I was tooling through the Help as it likes to change unannounced from time to time and I noticed and read about MACVLAN. ... This interface solves the problem of being able to do this bridge filtering technique BUT ON YOUR MAIN ROUTER. ...
@UpRunTech

Thanks so much for posting your experience.

I've been wanting to tackle this for a year. This week I started developing a routing daemon in Rust to solve this specifically for MikroTik via containers. I made some progress with my daemon, but multicast programming seemed opaque to a sockets newbie like me and I see why the Go codebase mentioned in this thread just used a PCAP library rather than fussing with multicast routing on Linux interfaces.

The MACVLAN approach was going to be fewer lines of config without even considering Docker storage and building a daemon, so I tried your approach and got the kinks worked out (forgot L2 NAT at first). One of my devices appears sluggish to show up as an AirPlay sink, but it sure works now and the inter-VLAN DJ battles will begin :)

Thanks again!
 
UpRunTech
Member Candidate
Topic Author
Posts: 216
Joined: Fri Jul 27, 2012 12:11 pm

Re: mDNS between VLANs with just bridge filters - Look Mum, no containers!

Mon Apr 15, 2024 3:00 am

@UpRunTech

Thanks so much for posting your experience.
No problem. It always bugged me that there might be a way with bridge filtering but I didn't really try it until I needed it. It's always been possible so long as the VLAN interfaces didn't have an IP address assigned so you'd have to run it on a 2nd Mikrotik ROS device apart from the main router. The addition of MACVLAN interfaces now completes the solution and is probably an unintended benefit.

Mikrotik may come out with an mDNS repeater of some kind in the future. It could possibly be done in PIM-SM by allowing the mDNS subnet to be relayed by PIM-SM (it seems to be *deliberately* excluded) but that'd probably cause some blood vessels to burst in some foreheads. I can't see any downsides with this bridge method apart from maybe needing some GUI sugar. You can use the extra bridge rule options to rate limit the mDNS packets, enforce time-of-day enabling and, by matching on the src MAC address, allow only some devices on the other side of the bridge to have their responses to mDNS queries get back to the querier's VLAN.
