Getting Avahi mDNS to work

marcbodea · January 18, 2025, 10:36am

Hi all,

I've recently decided to segment my network to keep IOT and Guests separate from my trusted LAN. I'm running a Fujitsu S920 with a dual gigabit card, plugged into a switch and a unifi AP. I managed to configure the VLANs and AP so that different SSIDs go on the different VLANs. Great.

The issue is that I've been trying to get mDNS reflection to work and nothing I've tried seems to work. I've followed this guide, here are my configs:

/etc/avahi/avahi-daemon.conf

[server]
#host-name=foo
#domain-name=local
use-ipv4=yes
use-ipv6=yes
check-response-ttl=no
use-iff-running=no

[publish]
publish-addresses=yes
publish-hinfo=yes
publish-workstation=no
publish-domain=yes
#publish-dns-servers=192.168.1.1
#publish-resolv-conf-dns-servers=yes

[reflector]
enable-reflector=yes
reflect-ipv=no

[rlimits]
#rlimit-as=
rlimit-core=0
rlimit-data=4194304
rlimit-fsize=0
rlimit-nofile=30
rlimit-stack=4194304
rlimit-nproc=3

/etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd3c:3b17:7a04::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '10.31.5.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        list dns '127.0.0.1'
        list dns '0::1'
        option dns_metric '20'

config interface 'wan'
        option device 'eth1.20'
        option proto 'pppoe'
        option username '*********@digi'
        option password '********'
        option ipv6 'auto'
        option peerdns '0'
        option dns_metric '50'
        list dns '1.1.1.1'
        list dns '1.0.0.1'
        list dns '2606:4700:4700::1111'
        list dns '2606:4700:4700::1001'

config interface 'tailscale'
        option proto 'none'
        option device 'tailscale0'

config interface 'Guest'
        option proto 'static'
        option device 'eth0.30'
        option ipaddr '10.31.30.1'
        option netmask '255.255.255.0'

config interface 'IOT'
        option proto 'static'
        option device 'eth0.20'
        option ipaddr '10.31.20.1'
        option netmask '255.255.255.0'
        option dns_metric '20'
        list dns '127.0.0.1'
        list dns '0::1'
        option ip6assign '64'

/etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option flow_offloading '1'
        option flow_offloading_hw '1'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        list network 'wan'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config redirect
        option dest 'lan'
        option target 'DNAT'
        option name 'Plex'
        list proto 'tcp'
        option src 'wan'
        option src_dport '32400'
        option dest_ip '10.31.5.200'
        option dest_port '32400'

config zone
        option name 'tailscale'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        option masq '1'
        option mtu_fix '1'
        list network 'tailscale'

config forwarding
        option src 'tailscale'
        option dest 'lan'

config forwarding
        option src 'tailscale'
        option dest 'wan'

config zone
        option name 'untrusted'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list network 'Guest'
        list network 'IOT'

config forwarding
        option src 'untrusted'
        option dest 'wan'

config rule
        option name 'allow mDNS'
        list proto 'udp'
        option src '*'
        option src_port '5353'
        list dest_ip '224.0.0.251'
        option dest_port '5353'
        option target 'ACCEPT'
        option dest '*'

config forwarding
        option src 'lan'
        option dest 'untrusted'

config rule
        option name 'allow DHCP & DNS'
        option src 'untrusted'
        option dest_port '53 67 68'
        option target 'ACCEPT'

config forwarding
        option src 'untrusted'
        option dest 'lan'

In the logs I see avahi running and registering what seems to be it's own IP on the different VLANs, but when I try to ping an mDNS URI from the IOT network, it can't find it, and neither does it work the other way around. As you can see from the configs, I currently let the untrusted zone access LAN for testing purposes, thought maybe that's my issue, but no. I can see the mDNS queries in wireshark, but seems no-one is answering them.

trying to ping device on LAN from IOT network using macOS

ping tower.local
ping: cannot resolve tower.local: Unknown host

Wireshark

Any help would be appreciated, thank you. Couldn't find much info on avahi not working, it seems that it just works for everyone else haha

fkl7834456 · January 19, 2025, 9:15am

block igmp traffic and the problem will be solved
if your network does not have your provider's iptv, then in fact igmp is not needed, on the contrary, it is even better without it for security
Multicast DNS (mDNS) runs on port 5353
extreme case block this port

Ramon · January 19, 2025, 7:38pm

Does pinging the IP address work? I.e. is the issue only the address lookup?

Note I do have the allow-interfaces and deny-interfaces specified explicitly under the server section. I also have IGMP enabled (and working), so not sure how that could affect things.

Try the avahi-browse tool/package to see what shows up.

marcbodea · January 20, 2025, 8:51am

Not sure how blocking IGMP or the mDNS port would help

marcbodea · January 20, 2025, 9:52am

So I figured out the issue...and well it's annoying

My setup was this:

It seems the TP-Link router was blocking mDNS even if it was in AP mode. Figured it out using avahi-browse on the router, since everything was looking ok on my laptop and Tower connected to LAN. Seems the mDNS requests weren't even making it to OpenWRT.

Thanks

system · January 30, 2025, 9:52am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.