This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM (bonjour) and Airport Express issue

Hi All

I just bought an airport express in order to use the airplay feature. I have connected via the ethernet port to my switch and set it up in bridge mode whilst turning wireless off. However, even though it gets DHCP address via UTM (same subnet as wifi internal clients and therefore no Multicast Routing (PIM-SM) needed ) I am not able to "detect" it via internal hosts

They are on the same subnet and therefore bonjour service should not be blocked.However, it doesn't work (even though I can ping the AE host from the wifi hosts)

Anyone had any experience with UTM and Bonjour services (Airport express)?

It seems that airport express is trying to contact UTM on port 1900 and 5351 (UPnP and NAT).Is this requirement for Bonjour service? I would expect to see UDP 5353 (multicast DNS) as destination and not source!

id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1.10" srcmac="88:1f:a1:3d:ee:94" dstmac="0:1a:8c:12:ea:e1" srcip="Airport Express" dstip="UTM" proto="17" length="30" tos="0x00" prec="0x00" ttl="255" srcport="5353" dstport="5351"
id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1.10" mark="0x31d7" app="471" srcmac="88:1f:a1:3d:ee:94" dstmac="0:1a:8c:12:ea:e1" srcip="Airport Express" dstip="UTM" proto="17" length="156" tos="0x00" prec="0x00" ttl="255" srcport="53288" dstport="1900"
id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1.10" srcmac="88:1f:a1:3d:ee:94" dstmac="0:1a:8c:12:ea:e1" srcip="Airport Express" dstip="UTM" proto="17" length="30" tos="0x00" prec="0x00" ttl="255" srcport="5353" dstport="5351"
id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1.10" mark="0x31d7" app="471" srcmac="88:1f:a1:3d:ee:94" dstmac="0:1a:8c:12:ea:e1" srcip="Airport Express" dstip="UTM" proto="17" length="156" tos="0x00" prec="0x00" ttl="255" srcport="64606" dstport="1900"
id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1.10" srcmac="88:1f:a1:3d:ee:94" dstmac="0:1a:8c:12:ea:e1" srcip="Airport Express" dstip="UTM" proto="17" length="30" tos="0x00" prec="0x00" ttl="255" srcport="5353" dstport="5351"
id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1.10" mark="0x31d7" app="471" srcmac="88:1f:a1:3d:ee:94" dstmac="0:1a:8c:12:ea:e1" srcip="Airport Express" dstip="UTM" proto="17" length="157" tos="0x00" prec="0x00" ttl="255" srcport="64606" dstport="1900"
id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1.10" srcmac="88:1f:a1:3d:ee:94" dstmac="0:1a:8c:12:ea:e1" srcip="Airport Express" dstip="UTM" proto="17" length="30" tos="0x00" prec="0x00" ttl="255" srcport="5353" dstport="5351"
id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1.10" mark="0x31d7" app="471" srcmac="88:1f:a1:3d:ee:94" dstmac="0:1a:8c:12:ea:e1" srcip="Airport Express" dstip="UTM" proto="17" length="156" tos="0x00" prec="0x00" ttl="255" srcport="64606" dstport="1900"
id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1.10" srcmac="88:1f:a1:3d:ee:94" dstmac="0:1a:8c:12:ea:e1" srcip="Airport Express" dstip="UTM" proto="17" length="30" tos="0x00" prec="0x00" ttl="255" srcport="5353" dstport="5351"
id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1.10" mark="0x31d7" app="471" srcmac="88:1f:a1:3d:ee:94" dstmac="0:1a:8c:12:ea:e1" srcip="Airport Express" dstip="UTM" proto="17" length="157" tos="0x00" prec="0x00" ttl="255" srcport="64606" dstport="1900"
id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1.10" srcmac="88:1f:a1:3d:ee:94" dstmac="0:1a:8c:12:ea:e1" srcip="Airport Express" dstip="UTM" proto="17" length="30" tos="0x00" prec="0x00" ttl="255" srcport="5353" dstport="5351"
id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1.10" mark="0x31d7" app="471" srcmac="88:1f:a1:3d:ee:94" dstmac="0:1a:8c:12:ea:e1" srcip="Airport Express" dstip="UTM" proto="17" length="156" tos="0x00" prec="0x00" ttl="255" srcport="64606" dstport="1900"
id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1.10" srcmac="88:1f:a1:3d:ee:94" dstmac="0:1a:8c:12:ea:e1" srcip="Airport Express" dstip="UTM" proto="17" length="30" tos="0x00" prec="0x00" ttl="255" srcport="5353" dstport="5351"
id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1.10" mark="0x31d7" app="471" srcmac="88:1f:a1:3d:ee:94" dstmac="0:1a:8c:12:ea:e1" srcip="Airport Express" dstip="UTM" proto="17" length="157" tos="0x00" prec="0x00" ttl="255" srcport="64606" dstport="1900"

Also port 192 (UDP) is been blocked by UTM. This port is related to airport extreme discovery (http://support.apple.com/kb/TS1629)

2013:10:27-00:57:03 stuffman ulogd[4568]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1.10" srcmac="70:56:81:c2:3a:19" dstmac="0:1a:8c:12:ea:e1" srcip="" dstip="UTM" proto="17" length="32" tos="0x00" prec="0x00" ttl="64" srcport="65009" dstport="192"

Thanks

This thread was automatically locked due to age.

0 BarryG over 11 years ago

Hi, is everything on a single lan?

If so, it should work and you can ignore or drop the broadcasts on the firewall.

If not, my understanding is that these protocols don't work over multiple lans without special proxies.

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 wingman over 11 years ago in reply to BarryG

Hi, is everything on a single lan?

If so, it should work and you can ignore or drop the broadcasts on the firewall.

If not, my understanding is that these protocols don't work over multiple lans without special proxies.

Barry

unfotunately it seems to be UTM related. I have connected the Airport Express directly to my dekstop and it works fine. It's only when it goes via the switch and UTM that it fails
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 11 years ago

Hi,

Are you running VLANs on the switch?

What exactly does it mean that the AE is in 'bridged' mode?

I don't know how Apple's mDNS works, but maybe you need to change something wrt the DNS settings on the UTM.

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 wingman over 11 years ago in reply to BarryG

Hi,

Are you running VLANs on the switch?

What exactly does it mean that the AE is in 'bridged' mode?

I don't know how Apple's mDNS works, but maybe you need to change something wrt the DNS settings on the UTM.

Barry

H Barry

AE in bridge mode means is that it can be used for airplay and not wireless (https://support.apple.com/kb/HT2272)

I am running vlan on the switch but Airport express is on the same vlan as wireless (they all have the same subnet ip range and I can ping AE from each host).
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 11 years ago

Hi, you probably need to disable client isolation on the UTM wireless settings.

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 wingman over 11 years ago

Hi Barry

I don't have client isolation enabled. Maybe UTM is not allowed to pass the bonjour packets?
Cancel
Vote Up 0 Vote Down

Cancel
0 wingman over 11 years ago

Do I need to enable multicast routing on my UTM?
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 11 years ago

Hi,

I don't know if multicast routing will help.

In your logs, is 'dstip="UTM"' the UTM's interface address or the broadcast address?

The UTM normally drops all broadcasts, but I'm not sure what it does with them on a wireless AP.

Is the AP in "Bridge to LAN/VLAN" mode or in another mode? Can you change the mode?

Barry
Cancel
Vote Up 0 Vote Down

Cancel
0 wingman over 11 years ago in reply to BarryG

Hi,

I don't know if multicast routing will help.

In your logs, is 'dstip="UTM"' the UTM's interface address or the broadcast address?

The UTM normally drops all broadcasts, but I'm not sure what it does with them on a wireless AP.

Is the AP in "Bridge to LAN/VLAN" mode or in another mode? Can you change the mode?

Barry

UTM is the actual internal IP of astaro (192.168.2.x). The mode is "bridged to vlan" as I would UTM to provide DHCP addresses to clients as well

I wouldn't expect it to be dropped via UTM though as the connection is via the switch. My desktop is connected to the switch directly (port 2).Port 5 is the AE. Both ports are on vlan 10
Cancel
Vote Up 0 Vote Down

Cancel
0 BarryG over 11 years ago

Hi,

Where is the Astaro AP connected?

I think that all AP traffic goes through the UTM, at least in certain modes.

Barry
Cancel
Vote Up 0 Vote Down

Cancel