mDNS/avahi/zeroconf/bonjour & Chromecast to WAN port

TL;DR: How can I resolve blah.local to a machine outside the LAN?

I have a router (Buffalo WSR-1166DD) running LEDE (or openwrt 17.01.4). I am trying to use it to keep my computers more isolated from the mountains of IoT things I keep putting on my network. So the network looks like this:

DSL Router (WAN: Internet IP LAN: 10.0.1.1)
Main Router (WAN: 10.0.1.2 LAN: 10.0.2.1)
LEDE Router (WAN: 10.0.2.3 LAN: 10.0.3.1)

The Main router has things like raspberry pi's, esp32's and my chromecast devices.

  • For example, one chromecast has an IP of 10.0.2.108

The LEDE Router has my phones and laptops connected. I want to be able to connect to the machines in the main router using the .local addresses to resolve the addresses.

  • Things like ping 10.0.2.108 work fine from inside LEDE router
  • Things like ping work fine from inside LEDE router

From the googling and poking I've done, just using IPTABLES to forward the mDNS stuff around is not easy (something about the packets having a TTL of 1?) but a service running on the router could repeat the mDNS requests from WAN to LAN or LAN to WAN. There is a mention of a specific piece of code that will do this (yep, 2011, very old):

Another thing I've found is this python code, which I might be able to run more easily, because I don't have to compile python, but it has some dependencies...

My LEDE router has a MediaTek MT7621A CPU. I've never tried to cross compile for an openwrt system.

Is there a simpler solution? There are three different mDNS packages available through LuCI (avahi, mDNS, umdns). I don't see an obvious way to make any of them repeat requests on all the interfaces.

EDIT1: Here is a configuration that supposedly works on edge routers. Are these all just commands to IPTABLES?
http://www.cron.dk/edgerouter-and-chromecast/

Have you tried

list address '/blah.local/ip'

in the /etc/config/dhcp? That should take care of resolution, not sure if you'd be able to connect to it without additional work though.

Avahi is a typical way to deal with mDNS proxying. An Internet search on "avahi mDNS proxy" reveals several articles on how to accomplish that goal. Routing/firewall will have to be set up to allow connectivity, as pointed out by @stangri. Your network topology and security considerations will indicate how permissive you wish to make that. I'd personally recommend very tight rules related to specific hosts and ports from specific subnets.

Yes, that is correct, mDNS is a link-local service.

EDIT: Oops, I meant this as a response to @stangri, not Jeff.

I think you're saying that if I forcibly add the blah.local with its actual IP address in the router, then the regular DNS server will resolve that. There are two reasons why I'd prefer a mDNS solution:

  1. That address might change, and it means I'll have to change it in one more place when I change things around.
  2. Other services that use mDNS/zeroconf/whatever, like Chromecast, won't work in my walled garden, because the phone uses zeroconf to find all devices that support the chromecast service.

The avahi mDNS proxy pointed out some useful things. Thank you. I have avahi-daemon running on my LEDE router, and I have:

enable-reflector=yes

So I think that's the first part of the problem. Now I have to figure out if it's working, and how to get the firewall to allow it. I tried adding a first cut at the rule:

config rule
        option enabled '1'
        option target 'ACCEPT'
        option name 'Accept avahi'
        option proto 'udp'
        option src '*'
        option dest '*'
        option dest_port '5353'

Then trying from a device in my 10.0.3.X LAN to something in the 10.0.2.X LAN:

  • ping jaid.local # Name or service not known
  • ping 10.0.2.50 # pings fine.

So I'm thinking something's wrong with avahi on the LEDE router. I also can't resolve LEDE.local from anywhere, and I'm 90% sure that's what it should be for the LEDE router:

# ps | grep avahi
avahi-daemon: running [LEDE.local]
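One way to find out whether the reflector is actually passing .local queries across the router, independent of the resolver library on your phone or laptop, is to send a raw mDNS query and look at what comes back. The probe below is an added example, not code from this thread, from avahi or from OpenWrt; it assumes Python 3 with only the standard library, and the host name LEDE.local is just the default it queries. Run it from a 10.0.3.X host asking for a name on the 10.0.2.X side (and vice versa): an answer means the reflector and the 5353/udp rules are working, no answer means the multicast is being dropped before avahi sees it or the reply is not making it back. Two things worth knowing while reading it: the 224.0.0.251 group has link-local scope, so a router will not forward it whatever the TTL, which is why a reflector is needed at all; and in /etc/config/firewall a rule with `option dest` set is a forwarding rule, whereas avahi-daemon on the router itself needs the multicast accepted as input (a rule with `src` but no `dest`, one per zone). Because the reflector re-exposes every device name and service advertisement to the other segment, the same probe (query `_googlecast._tcp.local` with `TYPE_PTR`) also shows exactly what the laptop side can now see.

```python
# Added example (not from the thread, avahi or OpenWrt): a small mDNS probe
# for checking whether the reflector actually carries .local queries across
# the LEDE router. Assumes Python 3 and the standard library only.
import socket
import struct

MDNS_GROUP = "224.0.0.251"   # link-local scope: routers never forward it
MDNS_PORT = 5353
TYPE_A, TYPE_PTR = 1, 12
CLASS_IN = 1

def encode_name(name):
    """Encode 'host.local' as length-prefixed DNS labels plus a root byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("utf-8")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, qtype=TYPE_A):
    """One-question mDNS query: id 0 and flags 0 as RFC 6762 requires. The QU
    bit (top bit of qclass) asks responders to reply unicast to this socket."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN | 0x8000)

def decode_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                 # compression pointer
            if end is None:
                end = offset + 2                  # resume after the pointer
            offset = ((length & 0x3F) << 8) | data[offset + 1]
            hops += 1
            if hops > 64:                         # refuse pointer loops
                raise ValueError("compression loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("utf-8"))
        offset += length
    return ".".join(labels), (offset if end is None else end)

def parse_response(data):
    """Return (name, type, ttl, value) for every record in a response.
    A records become dotted IPv4 strings, PTR records names, others raw bytes."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        return []                                 # a query, not a response
    offset = 12
    for _ in range(qd):                           # skip any echoed questions
        _, offset = decode_name(data, offset)
        offset += 4
    records = []
    for _ in range(an + ns + ar):
        name, offset = decode_name(data, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == TYPE_A and rdlen == 4:
            value = socket.inet_ntoa(data[offset:offset + 4])
        elif rtype == TYPE_PTR:
            value, _ = decode_name(data, offset)
        else:
            value = data[offset:offset + rdlen]
        records.append((name, rtype, ttl, value))
        offset += rdlen
    return records

def resolve_local(name, timeout=2.0):
    """Multicast a query for NAME and return the IPv4 addresses that answered.
    Run it on both sides of the LEDE router: an answer for a host on the far
    side means the reflector and the 5353/udp firewall rules are working."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)
    sock.settimeout(timeout)
    sock.sendto(build_query(name), (MDNS_GROUP, MDNS_PORT))
    found = set()
    try:
        while True:                               # collect until the timeout
            data, _ = sock.recvfrom(9000)
            for rname, rtype, _, value in parse_response(data):
                if rtype == TYPE_A and rname.lower() == name.rstrip(".").lower():
                    found.add(value)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return sorted(found)

if __name__ == "__main__":
    import sys
    print(resolve_local(sys.argv[1] if len(sys.argv) > 1 else "LEDE.local"))
```

The parser skips the echoed question section and handles DNS name compression, which avahi uses in its answers, and it caps pointer hops so a malformed packet cannot spin it forever. `resolve_local` keeps reading until the timeout rather than stopping at the first packet, because several responders (the router's own avahi plus any reflected copies) may answer the same query.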

There are three kinds of rules you might need:

  • Rule to let the avahi daemon "hear" the mDNS broadcasts from your internal network
  • Rule to let the avahi daemon rebroadcast it from the outside interface
  • Rules to allow specific outside hosts access to the advertised services provided by specific inside services; these should be very specific by the hosts you want to permit, as well as the services on the targets

The first two are perhaps not prohibited by the "stock" OpenWRT firewall. The third is almost certainly prohibited by default. You may have to do some magic with NAT and all, depending on if Avahi is advertising the internal address, or the address of your router's outside interface.

tcpdump is the typical tool used to watch this kind of packet flow for debugging, perhaps connected over ssh to wireshark running on your "desktop" machine.

OK, I have the avahi-daemon at least working to resolve LEDE.local. I changed the parameter:

publish-workstation=yes

I also found this post:

It looks like there is a nifty iptables magic there to get the TTL=1 mangled. I'll have to go read those posts @joe_internet pointed out.

I would recommend that you reconsider your network architecture to use VLANs instead of multiple NAT layers. It seems that you have a triple-NAT configuration here. Depending on the specifics, you may or may not be improving your security, but each NAT layer adds more latency (and possibly bandwidth limitations) and adds to the complexity of the overall structure, sometimes causing certain devices or services to have various issues as well. Instead, with VLANs you can set up as many distinct networks as desired and then use firewall rules to restrict and/or allow various connections between the networks (this can be implemented from wide open rulesets all the way to very specific, limited host/service connections, whatever is needed/desired). You'll still need to consider the mDNS related details even with VLANs, but the network configuration will be cleaner and more efficient.