mDNS and avahi reflector one way?

Hey everyone,

I've configured my network with different VLANs. I have one IoT VLAN, which is accessible through the firewall from another VLAN, call it the secure VLAN.

mDNS was not working as expected from Secure to IoT. I have read almost every related thread in the forum, and got it working using the avahi reflector, so I can reach mDNS devices like Chromecasts and other stuff from Secure to IoT.

I've set avahi to only allow both VLAN interfaces using allow-interfaces=br-lan.x,br-lan.y, so the other VLANs are outside avahi.

The problem is that mDNS from Secure is being reflected to IoT as well, which is not desirable. I inspected the mDNS traffic, and the reflected traffic is coming from the router itself, so I don't know how to filter that by firewall.

Is there any way to do it?
Does any more elegant solution exist?
The perfect solution for me would be something like a server in the middle instead of avahi, listening to all mDNS and making a list, and then, when a device needs a service, giving it the list of all available mDNS devices (avoiding flooding the network with mDNS shit), of course with some kind of filtering (I think enterprise brands like Aruba or Cisco have something like this).

There are a few other ways, depending on how you want it.

In the section for reflector:

reflect-filters=_airplay._tcp.local,_raop._tcp.local

With tcpdump you can figure more names like chromecasts.

tcpdump -v multicast

You can also do it with firewall traffic rules and deny those you don't want to broadcast.

I think that looks like this:

src: lan
src ip: your device ip
dest ip: 224.0.0.0/8
action: reject

Do not specify a destination zone, it needs to be the router itself.

If I'm not wrong, mDNS traffic isn't routable.
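The reply above suggests reading service names out of tcpdump output to build the reflect-filters list. The script below is an added example, not code from this thread or from avahi: it decodes the DNS-SD service types (names like _googlecast._tcp.local) from raw mDNS UDP payloads, both from browse questions and from PTR answers, handling the DNS name compression that real responders use, and renders the reflect-filters line. The two packets it runs on are constructed inline for the example, not captured traffic; feeding it payloads from a real capture on port 5353 (for instance from a pcap written by tcpdump) is assumed and not shown.

```python
import struct

PTR = 12  # DNS RR type for PTR, the record type DNS-SD uses to list service instances
SERVICE_ENUM = "_services._dns-sd._udp.local"  # DNS-SD service-type enumeration name


def encode_name(name):
    """Encode a dotted name in uncompressed DNS wire format (used only to build the sample packets)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(data, offset):
    """Decode a possibly compressed name at `offset`; return (name, offset just after the name)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2  # the name on the wire ends after the first pointer
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def is_service_type(name):
    """True for service types such as '_googlecast._tcp.local'; subtypes and instance names are excluded."""
    labels = name.split(".")
    return (len(labels) == 3 and labels[0].startswith("_")
            and labels[1] in ("_tcp", "_udp") and labels[2] == "local")


def service_types(payload):
    """Return the set of DNS-SD service types named in one mDNS UDP payload.

    A PTR question for a service type counts (a client is browsing for it), as does
    a PTR record owned by a service type, or one listed under the enumeration name.
    """
    qd, an, ns, ar = struct.unpack("!HHHH", payload[4:12])
    off, found = 12, set()
    for _ in range(qd):
        name, off = decode_name(payload, off)
        qtype = struct.unpack("!H", payload[off:off + 2])[0]
        off += 4  # QTYPE + QCLASS
        if qtype == PTR and is_service_type(name):
            found.add(name)
    for _ in range(an + ns + ar):
        name, off = decode_name(payload, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        if rtype == PTR:
            target, _ = decode_name(payload, off)
            if name == SERVICE_ENUM and is_service_type(target):
                found.add(target)
            elif is_service_type(name):
                found.add(name)
        off += rdlen  # skip the RDATA of every record type, PTR or not
    return found


def reflect_filters_line(types):
    """Render the [reflector] entry for avahi-daemon.conf from the observed service types."""
    return "reflect-filters=" + ",".join(sorted(types))


# Constructed sample packets (not captured traffic). QUERY is a browse for AirPlay;
# RESPONSE is a Chromecast announcement whose RDATA uses a compression pointer
# (0xC00C -> offset 12, the owner name of the first answer), as real responders do.
QUERY = (struct.pack("!HHHHHH", 0, 0x0000, 1, 0, 0, 0)
         + encode_name("_airplay._tcp.local") + struct.pack("!HH", PTR, 1))

_instance = b"\x12Chromecast-Kitchen" + b"\xC0\x0C"  # "Chromecast-Kitchen" + pointer to "_googlecast._tcp.local"
RESPONSE = (struct.pack("!HHHHHH", 0, 0x8400, 0, 2, 0, 0)
            + encode_name("_googlecast._tcp.local")
            + struct.pack("!HHIH", PTR, 0x8001, 4500, len(_instance)) + _instance
            + encode_name(SERVICE_ENUM)
            + struct.pack("!HHIH", PTR, 1, 4500, 2) + b"\xC0\x0C")

if __name__ == "__main__":
    seen = set()
    for pkt in (QUERY, RESPONSE):
        seen |= service_types(pkt)
    print(reflect_filters_line(seen))
```

Run it over the UDP payloads of every packet to or from port 5353 on the two VLAN interfaces for a day or so, and the union of the sets is the allow-list to paste into the [reflector] section; anything not in it (for example the services announced by the secure VLAN's laptops) is what you are choosing not to reflect.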
Your solution will probably work, but it will end up with me having to manually add every discoverable service, which is not ideal.

The problem with avahi is that if I allow 2 interfaces, then it will reflect from interface 1 to 2, but also from 2 to 1.

That's why I asked if there is any more granular solution, maybe setting up a DNS-SD server and getting rid of mDNS, I don't know. The problem is that I can't find any documentation from anyone who has already done it with OpenWrt.

mDNS itself is not routable, but the reflector is doing just that.

If I am not mistaken it uses port 5353, so by allowing or rejecting port 5353 you might be able to allow only one-way traffic?


I have the same issue. I know it's not ideal that the kinds of services are leaked, but in the end it's not like a connection can be made... So I kind of left it like this.

So you mean one firewall rule to just deny port 5353 from the router to interface X, right?

Something like that, give it a try.

I just tried it out of curiosity. The services are still discoverable but name resolution is prevented.

I didn’t try anything beyond avahi-browse --all --resolve --no-db-lookup --terminate
