mDNS/DNS-SD Routing between subnets

Short version: is there a way to propagate mDNS/DNS-SD advertising from one subnet/zone/vlan to another?

Long version: (notes added at end 10/5/22)

Running own hardware with SPOS 18.0.6 Build 655.

I wish to segment my network, with some “dodgier” devices (wifi plugs, Sonos, guest devices) on a separate subnet (maybe even a VLAN one day). However, some of these (nearly all actually) need some functioning mDNS to get connected to controllers, which of course will be on the main subnet.

I know nothing more than a couple of hours browsing the internet has provided, but it seems like I should be able to get this to work if I can get multicasts at 224.0.0.251, even just UDP Port 5353, to be repeated on the other subnet's Zone port.

I have set up permissive symmetric interzone traffic rules at this stage, with target Zone Any, and including the 224.0.0.251 address in the list of target addresses.

I have enabled multicast routing (which would seem to be the right sort of thing), and set up symmetric static routes from specific devices e.g.

  • 1 Plug at 10.0.1.2 -> 224.0.0.251 - Source zone Dodgy Wifi -> Destination Port 1 (main)
  • 1 Raspberry Pi at 10.0.0.10 -> 224.0.0.251 - Source Port 1 -> Destination Dodgy Wifi

If I now watch via packet capture specifying “dst port 5353” I see lots of packets arriving from the Plug, which look like DNS type packets. However, they seem to be being dropped because they have “Status Violation, Reason Local_ACL”. Previously I have got round ACL violations using Device Access configuration. There is nothing obvious in Device Access that covers multicast, but I enabled “Dynamic Routing” in case!

However, if I run “avahi-browse” on the Raspberry Pi it never sees these packets, and the controller never sees the plug.

Is there any way to overcome the “Violation”?

========================================================

Some further details - I noticed in the online documentation that the Administrator help says that the working range for multicast routing starts at 224.0.2.0 whereas the command line docs show 224.0.0.0, and obviously the first of those excludes the mDNS address - is the mDNS address disallowed by design - and why would that be?

See https://community.sophos.com/product-documentation/i/feedback/inconsistency-of-manual-pages-for-multicast-routing

Regards,

     Paul
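The post asks whether mDNS/DNS-SD traffic on 224.0.0.251 UDP 5353 can be made to cross subnets, and whether a packet capture showing the packets arriving means the other side can actually use them. The following is an added example, not code from the original post or from Sophos: a small standard-library Python helper that builds the DNS-SD service-enumeration query (`_services._dns-sd._udp.local`, PTR) in mDNS wire format, decodes PTR answers including name-compression pointers, and optionally sends the query to the multicast group and waits for responses. The response bytes in `build_sample_response()` are constructed here for illustration, not a real capture; the service name `_sonos._tcp` inside it is only a placeholder.

```python
"""Minimal mDNS/DNS-SD wire-format helper (added example, not from the original post)."""
import socket
import struct
from typing import List, Tuple

MDNS_GROUP = "224.0.0.251"
MDNS_PORT = 5353
TYPE_PTR = 12
CLASS_IN = 1
QU_BIT = 0x8000   # "unicast response requested" bit in QCLASS (RFC 6762 section 5.4)


def encode_name(name: str) -> bytes:
    """Encode a dotted name into uncompressed DNS label format."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("utf-8")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_ptr_query(name: str, unicast_response: bool = False) -> bytes:
    """Build an mDNS PTR query; mDNS queries use transaction id 0 and zero flags."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    qclass = CLASS_IN | (QU_BIT if unicast_response else 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_PTR, qclass)


def decode_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, jumped, end, hops = [], False, offset, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (end if jumped else offset)
        labels.append(msg[offset:offset + length].decode("utf-8"))
        offset += length


def parse_ptr_answers(msg: bytes) -> List[Tuple[str, str]]:
    """Return (owner, target) pairs for each PTR record in the answer section."""
    _, _flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):                                # skip questions
        _, offset = decode_name(msg, offset)
        offset += 4
    results = []
    for _ in range(an):
        owner, offset = decode_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == TYPE_PTR:
            target, _ = decode_name(msg, offset)
            results.append((owner, target))
        offset += rdlen
    return results


def build_sample_response() -> bytes:
    """Constructed sample (not a real capture): one PTR answer whose target
    uses a compression pointer back to the 'local' label of the owner name."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)   # response, authoritative
    owner = encode_name("_services._dns-sd._udp.local")
    local_off = 12 + len(encode_name("_services._dns-sd._udp")) - 1  # offset of "local"
    rdata = encode_name("_sonos._tcp")[:-1] + struct.pack("!H", 0xC000 | local_off)
    rr = owner + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, 4500, len(rdata)) + rdata
    return header + rr


def probe(timeout: float = 2.0) -> List[Tuple[str, str]]:
    """Send the service-enumeration query to the mDNS group and collect PTR answers.
    Run this on a host in the *other* subnet to confirm replies really get through."""
    found = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)  # RFC 6762 section 11
        s.settimeout(timeout)
        s.sendto(build_ptr_query("_services._dns-sd._udp.local", True), (MDNS_GROUP, MDNS_PORT))
        try:
            while True:
                data, _peer = s.recvfrom(9000)
                found.extend(parse_ptr_answers(data))
        except socket.timeout:
            pass
    return found


if __name__ == "__main__":
    print(parse_ptr_answers(build_sample_response()))   # offline self-check
    for owner, target in probe():
        print(f"{owner} -> {target}")
```

Usage note: seeing the query or the advertisement in a capture on the firewall is not the same as the responder on the far subnet delivering it to `avahi-browse`; `probe()` exercises the whole path from the listening host, and a non-empty result list means both the query and the reply crossed the boundary. The QU bit asks responders to reply by unicast, which is useful here because a unicast reply is subject to the ordinary interzone rules rather than the multicast routing path.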


