This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM (bonjour) and Airport Express issue

Hi All

I just bought an airport express in order to use the airplay feature. I have connected via the ethernet port to my switch and set it up in bridge mode whilst turning wireless off. However, even though it gets DHCP address via UTM (same subnet as wifi internal clients and therefore no Multicast Routing (PIM-SM) needed ) I am not able to "detect" it via internal hosts

They are on the same subnet and therefore bonjour service should not be blocked.However, it doesn't work (even though I can ping the AE host from the wifi hosts)

Anyone had any experience with UTM and Bonjour services (Airport express)?

It seems that airport express is trying to contact UTM on port 1900 and 5351 (UPnP and NAT).Is this requirement for Bonjour service? I would expect to see UDP 5353 (multicast DNS) as destination and not source!

id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1.10" srcmac="88:1f:a1:3d:ee:94" dstmac="0:1a:8c:12:ea:e1" srcip="Airport Express" dstip="UTM" proto="17" length="30" tos="0x00" prec="0x00" ttl="255" srcport="5353" dstport="5351"
id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1.10" mark="0x31d7" app="471" srcmac="88:1f:a1:3d:ee:94" dstmac="0:1a:8c:12:ea:e1" srcip="Airport Express" dstip="UTM" proto="17" length="156" tos="0x00" prec="0x00" ttl="255" srcport="53288" dstport="1900"
id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1.10" srcmac="88:1f:a1:3d:ee:94" dstmac="0:1a:8c:12:ea:e1" srcip="Airport Express" dstip="UTM" proto="17" length="30" tos="0x00" prec="0x00" ttl="255" srcport="5353" dstport="5351"
id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1.10" mark="0x31d7" app="471" srcmac="88:1f:a1:3d:ee:94" dstmac="0:1a:8c:12:ea:e1" srcip="Airport Express" dstip="UTM" proto="17" length="156" tos="0x00" prec="0x00" ttl="255" srcport="64606" dstport="1900"
id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1.10" srcmac="88:1f:a1:3d:ee:94" dstmac="0:1a:8c:12:ea:e1" srcip="Airport Express" dstip="UTM" proto="17" length="30" tos="0x00" prec="0x00" ttl="255" srcport="5353" dstport="5351"
id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1.10" mark="0x31d7" app="471" srcmac="88:1f:a1:3d:ee:94" dstmac="0:1a:8c:12:ea:e1" srcip="Airport Express" dstip="UTM" proto="17" length="157" tos="0x00" prec="0x00" ttl="255" srcport="64606" dstport="1900"
id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1.10" srcmac="88:1f:a1:3d:ee:94" dstmac="0:1a:8c:12:ea:e1" srcip="Airport Express" dstip="UTM" proto="17" length="30" tos="0x00" prec="0x00" ttl="255" srcport="5353" dstport="5351"
id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1.10" mark="0x31d7" app="471" srcmac="88:1f:a1:3d:ee:94" dstmac="0:1a:8c:12:ea:e1" srcip="Airport Express" dstip="UTM" proto="17" length="156" tos="0x00" prec="0x00" ttl="255" srcport="64606" dstport="1900"
id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1.10" srcmac="88:1f:a1:3d:ee:94" dstmac="0:1a:8c:12:ea:e1" srcip="Airport Express" dstip="UTM" proto="17" length="30" tos="0x00" prec="0x00" ttl="255" srcport="5353" dstport="5351"
id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1.10" mark="0x31d7" app="471" srcmac="88:1f:a1:3d:ee:94" dstmac="0:1a:8c:12:ea:e1" srcip="Airport Express" dstip="UTM" proto="17" length="157" tos="0x00" prec="0x00" ttl="255" srcport="64606" dstport="1900"
id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1.10" srcmac="88:1f:a1:3d:ee:94" dstmac="0:1a:8c:12:ea:e1" srcip="Airport Express" dstip="UTM" proto="17" length="30" tos="0x00" prec="0x00" ttl="255" srcport="5353" dstport="5351"
id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1.10" mark="0x31d7" app="471" srcmac="88:1f:a1:3d:ee:94" dstmac="0:1a:8c:12:ea:e1" srcip="Airport Express" dstip="UTM" proto="17" length="156" tos="0x00" prec="0x00" ttl="255" srcport="64606" dstport="1900"
id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1.10" srcmac="88:1f:a1:3d:ee:94" dstmac="0:1a:8c:12:ea:e1" srcip="Airport Express" dstip="UTM" proto="17" length="30" tos="0x00" prec="0x00" ttl="255" srcport="5353" dstport="5351"
id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1.10" mark="0x31d7" app="471" srcmac="88:1f:a1:3d:ee:94" dstmac="0:1a:8c:12:ea:e1" srcip="Airport Express" dstip="UTM" proto="17" length="157" tos="0x00" prec="0x00" ttl="255" srcport="64606" dstport="1900"

Also port 192 (UDP) is been blocked by UTM. This port is related to airport extreme discovery (http://support.apple.com/kb/TS1629)

2013:10:27-00:57:03 stuffman ulogd[4568]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" fwrule="60001" initf="eth1.10" srcmac="70:56:81:c2:3a:19" dstmac="0:1a:8c:12:ea:e1" srcip="" dstip="UTM" proto="17" length="32" tos="0x00" prec="0x00" ttl="64" srcport="65009" dstport="192"

Thanks

This thread was automatically locked due to age.

0 wingman over 11 years ago in reply to BarryG

Hi,

Where is the Astaro AP connected?

I think that all AP traffic goes through the UTM, at least in certain modes.

Barry

It might be something related to AE. I have configured a test wireless with WPA2 instead of WPA2 Enterprise and set AE to join it. I can see it from my MAC now. I will test and post back
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 11 years ago

I think that all AP traffic goes through the UTM, at least in certain modes.

I agree. The only time that it doesn't is when the destination IP is in the local subnet and the SSID is "Bridge to LAN" mode.

Cheers - Bob
Cancel
Vote Up 0 Vote Down

Cancel
0 wingman over 11 years ago

It seems that once I changed the AE bridge mode from "ethernet"(plugged into the switch) to "wireless-join network" , it worked fine as it joined the existing SSID from UTM. Not sure why this didn't work via ethernet though as the vlans were correct
Cancel
Vote Up 0 Vote Down

Cancel
0 rprengel over 11 years ago in reply to wingman

It seems that once I changed the AE bridge mode from "ethernet"(plugged into the switch) to "wireless-join network" , it worked fine as it joined the existing SSID from UTM. Not sure why this didn't work via ethernet though as the vlans were correct

Hallo,

do you know discovery. A nice and easy to use app for testing bonjour services.
In the past I had problems for month with apple-bonjour. A simple network-design without vlans etc. is a must have.

Ralf
Cancel
Vote Up 0 Vote Down

Cancel
0 William Warren over 11 years ago

unless you have the airport routed through the utm this should not be an issue. Try removing your bridge i wonder if you are having a broadcast domain conflict.
Cancel
Vote Up 0 Vote Down

Cancel
0 wingman over 11 years ago in reply to William Warren

unless you have the airport routed through the utm this should not be an issue. Try removing your bridge i wonder if you are having a broadcast domain conflict.

Hi William

AE was routed to UTM via a switch but it didn't seem to work.Maybe it was a switch issue. I have it connected via wireless and it works fine apart from some lag.

Thanks
Cancel
Vote Up 0 Vote Down

Cancel
0 William Warren over 11 years ago

Hi William

AE was routed to UTM via a switch but it didn't seem to work.Maybe it was a switch issue. I have it connected via wireless and it works fine apart from some lag.

Thanks

Bonjour doesn't work with vlans iirc...if that switch us doing vlans that's the issue...utm can't block something that doesn't pass through it
Cancel
Vote Up 0 Vote Down

Cancel
0 wingman over 11 years ago in reply to William Warren

Bonjour doesn't work with vlans iirc...if that switch us doing vlans that's the issue...utm can't block something that doesn't pass through it

But both ports are on the same vlan and therefore one broadcast domain. I am not routing between two different vlans
Cancel
Vote Up 0 Vote Down

Cancel