I had an issue on a site where I needed devices on VLAN2 to see Chromecasts, Apple TVs and AirPrint printers on VLAN1. Taking some ideas I had while formulating the post about mDNS over WireGuard, I tried it out. Apparently MikroTik have a solution for mDNS in RouterOS that they are still cooking up, so we'll have to wait; until then...
I have a CRS354 switch on site doing IGMP snooping and a router doing PIM-SM, and of course this doesn't help for mDNS between VLANs. I also have some hEXes acting as managed switches (using VLAN filtering) in some rooms, so I tried this on a hEX:
* The hEX has a VLAN-filtered bridge carrying VLAN1 and VLAN2, tagged on Eth1 and untagged on the other ports as needed.
* Create a new bridge called BridgemDNS.
* Create two VLAN interfaces (VLAN1 and VLAN2) whose parent is the main VLAN-filtered bridge.
* Put those VLAN interfaces onto the new bridge as ports and add some filtering:
/interface bridge
add name=BridgemDNS protocol-mode=none
/interface bridge port
add bridge=BridgemDNS frame-types=admit-only-untagged-and-priority-tagged \
interface=VLAN1 pvid=1001
add bridge=BridgemDNS frame-types=admit-only-untagged-and-priority-tagged \
interface=VLAN2 pvid=1001
/interface bridge vlan
add bridge=BridgemDNS untagged=VLAN1,VLAN2 vlan-ids=1001
/interface bridge filter
add action=accept chain=forward comment="Allow mDNS" dst-address=\
224.0.0.251/32 dst-mac-address=01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF \
dst-port=5353 in-bridge=BridgemDNS ip-protocol=udp \
mac-protocol=ip out-bridge=BridgemDNS src-port=5353
add action=drop chain=forward in-bridge=BridgemDNS \
out-bridge=BridgemDNS
/interface bridge nat
add action=src-nat chain=srcnat dst-mac-address=\
01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF to-src-mac-address=CC:2D:E0:14:64:AD
Nothing seemed to happen at this point until I added a src-nat on the MAC address of frames being sent out, rewriting the source MAC to that of the main VLAN-filtered bridge (CC:2D:E0:14:64:AD), not the mDNS bridge. I think this has to do with IGMP snooping and traffic flooding egress on ports, and making sure the MAC is known on that network.
So this seemed to work and mDNS traffic flowed both ways. The network through the main router allows traffic initiated from VLAN2 to reach VLAN1, so AirPlay worked when I connected a MacBook on VLAN2 to an Apple TV on VLAN1.
I did another test to see if I could allow only certain mDNS traffic across:
/interface bridge filter
add action=accept chain=forward comment="Allow mDNS VLAN1" \
dst-address=224.0.0.251/32 dst-mac-address=\
01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF dst-port=5353 in-bridge=BridgemDNS \
in-interface=VLAN1 ip-protocol=udp mac-protocol=ip \
out-bridge=BridgemDNS src-mac-address=34:FD:6A:03:A1:8B/FF:FF:FF:FF:FF:FF \
src-port=5353
add action=drop chain=forward comment="Drop all other mDNS from VLAN1" \
dst-address=224.0.0.251/32 dst-mac-address=\
01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF dst-port=5353 in-bridge=BridgemDNS \
in-interface=VLAN1 ip-protocol=udp mac-protocol=ip \
out-bridge=BridgemDNS src-port=5353
add action=accept chain=forward comment="Allow mDNS" dst-address=\
224.0.0.251/32 dst-mac-address=01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF \
dst-port=5353 in-bridge=BridgemDNS ip-protocol=udp \
mac-protocol=ip out-bridge=BridgemDNS src-port=5353
add action=drop chain=forward in-bridge=BridgemDNS \
out-bridge=BridgemDNS
/interface bridge nat
add action=src-nat chain=srcnat dst-mac-address=\
01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF to-src-mac-address=CC:2D:E0:14:64:AD
* The first rule allows mDNS from VLAN1->VLAN2 only when it comes from a single source MAC address (34:FD:6A:03:A1:8B).
* The next rule drops all other mDNS traffic from VLAN1->VLAN2.
* The third rule then allows any remaining mDNS traffic, which can only be VLAN2->VLAN1. Finally the main drop rule blocks everything else from getting across in either direction, and the MAC src-nat is the same as before.
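Because the result depends entirely on rule order (RouterOS bridge filter rules are evaluated top to bottom and the first matching accept/drop decides the frame), it is worth checking the chain against a few sample frames before putting it on a device. The following is an added example, not code from the post or from MikroTik: it models the four forward-chain rules and the MAC src-nat above as a first-match evaluator and runs constructed frames through it. The Apple TV MAC, bridge MAC and mDNS group address come from the config above; the printer and MacBook MACs (02:00:00:00:00:01, 02:00:00:00:00:02) and the unicast test frame are constructed for the example.

```python
"""First-match model of the BridgemDNS forward filter chain and MAC src-nat (added example)."""
from dataclasses import dataclass, replace
from typing import List, Optional

MDNS_IP = "224.0.0.251"
MDNS_MAC = "01:00:5e:00:00:fb"     # IPv4 multicast MAC for 224.0.0.251 (01:00:5e + low 23 bits)
MDNS_PORT = 5353
BRIDGE_MAC = "cc:2d:e0:14:64:ad"   # main VLAN-filtered bridge MAC, used by the src-nat rule in the post
APPLETV_MAC = "34:fd:6a:03:a1:8b"  # the single source MAC the first filter rule allows from VLAN1


@dataclass(frozen=True)
class Frame:
    in_interface: str      # bridge port the frame arrived on: "VLAN1" or "VLAN2"
    src_mac: str
    dst_mac: str
    ip_protocol: str       # "udp", "tcp", ...
    dst_address: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                        # "accept" or "drop"
    comment: str
    in_interface: Optional[str] = None
    src_mac_address: Optional[str] = None
    mdns: bool = False                 # rule carries the dst-address/dst-mac/udp/5353 matchers

    def matches(self, f: Frame) -> bool:
        if self.in_interface is not None and f.in_interface != self.in_interface:
            return False
        if self.src_mac_address is not None and f.src_mac.lower() != self.src_mac_address:
            return False
        if self.mdns and not is_mdns(f):
            return False
        return True


def is_mdns(f: Frame) -> bool:
    """Equivalent of dst-address=224.0.0.251 dst-mac=01:00:5E:00:00:FB udp src/dst-port=5353."""
    return (f.ip_protocol == "udp" and f.dst_address == MDNS_IP
            and f.dst_mac.lower() == MDNS_MAC
            and f.src_port == MDNS_PORT and f.dst_port == MDNS_PORT)


# The four forward-chain rules of the second config, in the order they appear.
FORWARD_CHAIN: List[Rule] = [
    Rule("accept", "Allow mDNS VLAN1", in_interface="VLAN1", src_mac_address=APPLETV_MAC, mdns=True),
    Rule("drop", "Drop all other mDNS from VLAN1", in_interface="VLAN1", mdns=True),
    Rule("accept", "Allow mDNS", mdns=True),
    Rule("drop", "Drop everything else"),
]


def filter_verdict(f: Frame) -> str:
    """First matching rule wins; RouterOS accepts a frame no rule matches (the last rule here matches all)."""
    for rule in FORWARD_CHAIN:
        if rule.matches(f):
            return rule.action
    return "accept"


def src_nat(f: Frame) -> Frame:
    """Bridge nat srcnat: rewrite the source MAC of frames addressed to the mDNS group MAC."""
    if f.dst_mac.lower() == MDNS_MAC:
        return replace(f, src_mac=BRIDGE_MAC)
    return f


def forward(f: Frame) -> Optional[Frame]:
    """Return the egress frame after filter and src-nat, or None if the filter dropped it."""
    if filter_verdict(f) == "drop":
        return None
    return src_nat(f)


def mdns_frame(vlan: str, src_mac: str) -> Frame:
    return Frame(vlan, src_mac, MDNS_MAC, "udp", MDNS_IP, MDNS_PORT, MDNS_PORT)


# Constructed sample frames (MACs 02:... are locally administered placeholders, not real devices).
APPLETV_ANNOUNCE = mdns_frame("VLAN1", APPLETV_MAC)           # Apple TV on VLAN1: should cross
PRINTER_ANNOUNCE = mdns_frame("VLAN1", "02:00:00:00:00:01")   # AirPrint printer on VLAN1: should be dropped
MACBOOK_QUERY = mdns_frame("VLAN2", "02:00:00:00:00:02")      # MacBook on VLAN2: should cross
MACBOOK_HTTP = Frame("VLAN2", "02:00:00:00:00:02", "02:00:00:00:00:01", "tcp", "192.0.2.10", 50000, 80)

if __name__ == "__main__":
    for name, fr in [("appletv", APPLETV_ANNOUNCE), ("printer", PRINTER_ANNOUNCE),
                     ("macbook mdns", MACBOOK_QUERY), ("macbook http", MACBOOK_HTTP)]:
        out = forward(fr)
        print(f"{name:13s} -> {'dropped' if out is None else 'forwarded with src ' + out.src_mac}")
```

Running it shows the behaviour described below: the Apple TV announcement and the MacBook's query cross (both leave with the bridge MAC as source), while the printer's announcement and any non-mDNS frame are dropped. Swapping the first two rules would drop the Apple TV as well, which is the kind of ordering mistake this check catches.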
At this point the MacBook could only see the one Apple TV, and the AirPrint printer became unavailable.
I am still testing this out, but it seems solid enough. I didn't assign any IP addresses to the VLAN interfaces. There might be unintended consequences to doing this, even though the packet flow map shows bridge packets being handled before IP.
I'd suggest trying this out on an independent RouterBOARD device on your network, as I have, rather than on your main router and switches.