SSDP forwarding (with TTL incrementing) and multicast routing across site magic group would be amazing
Such a great demo. Answered all my questions that I struggled to find online. Thank you!!
Agreed. An amazing demo showing it very clearly!
Great video, thanks for taking the time to benefit us.
What a great, detailed video!
For Mikrotik, can I use mDNS settings?
How to, please.
The ROS does not have native support. You may either run a separate avahi or research bridge filter for mikrotik.
Next up... SSDP? :)
If I remember it correctly, without "workaround", ssdp is designed not to work across vlan?
@@hz777 Enabling UPnP on WAN also enables minissdpd as a listener on UDP 1900 similar to the way mDNS enables avahi.
@@stevenmishosis Is it smart to enable UPnP on the WAN interface?
@@tonygerassi1502 Agree that generally wouldn't be wise, but it can be enabled without NAT Port Mapping Protocol.
Great video! How is it possible that I have the mDNS option disabled, an Apple TV 4K on the IoT VLAN, a MacBook Pro on another VLAN, and it is still able to see the Apple TV and AirPlay to it?
Even though Apple TV can use Bluetooth in some scenarios, AirPlay needs Wi-Fi or Ethernet. Are you sure you rebooted your systems after disabling mDNS? Another possible reason is that you have other devices, such as Linux, which have avahi running as well.
@@hz777 Mmmh, I have different devices, a Synology NAS, an Intel NUC with Proxmox; maybe it is because of those that it is working?
@@gmcinalli possibly.
@@hz777 I never thought about that…
@@hz777 Maybe I've found something strange in my default firewall configuration, the one that can't be changed by the user: I already have two rules, "Internet in" and "Internet local", from "Any" source via "UDP" to destination "224.0.0.0/4". Is it possible that this is the cause of AirPlay still working even with mDNS disabled?
Hi, do you need a network controller on the gateway for mDNS? I have a scenario where at one school with UniFi APs and UniFi switches mDNS does not work, yet at another school with Aruba switches and UniFi APs it does work; this is both in relation to the guest portal appearing and asking for vouchers. Also, on the network tab on the Cloud Key/controller for the school that does not work, it does not show or give me the option to add the VLAN for the guest Wi-Fi, yet on another site on the controller it does?
I don't quite understand your scenarios and how they are related to mDNS. But for UniFi, the avahi runs on the gateway, so yes, a UniFi gateway is required; and to configure it a controller is required. However, it does not matter whether the controller is built into the gateway or not.
Have you done any testing with Sonos speakers? I'm about 2 months away from setting up a new Unifi network with UDM-SE and trying to plan my VLAN strategy.
No. I don't own any Sonos speakers.
UDM SE is not able to do SSDP across VLANs, so some things don't work (e.g. printer discovery, casting from mobile to the UA-cam TV app).
Can we expect the same results when you have third party firewall instead of unifi?
Potentially, but the third party firewall would need to support mDNS using something like Avahi.
... and it would have its own method of configuration (not the method shown here in UniFi Network).
If you look at the Wireshark capture at 10:50, the 4th packet shows the source is 192.168.66.1, which is Avahi on the UDM firewall repeating the request from 192.168.88.93 (packet 2). Then, packet 7 is the UDM interface at 192.168.88.1 repeating the reply from 192.168.66.203 (packet 5).
That's what happens when mDNS is enabled on VLANs -- the firewall will listen on those VLANs for mDNS, and if it's heard, it will repeat it to the other VLANs that are configured.
pfSense has the Avahi plug-in, so yes in that respect.
pfSense also has a UDP Broadcast Relay plug-in, an mDNS repeater for UDP, that will allow you to use the SSDP protocol that Sonos, Google/Chromecast, etc. use across VLANs.
UniFi still does not have this and only Apple works across VLANs. Sorry Android users, UniFi doesn't care about us.
Is it possible to allow mDNS only for several devices?
I've got 2 VLANs, each with its own Apple TVs etc., but only one AirPrint printer. I just want to access the printer from all VLANs without seeing the other VLAN's Apple TV.... drives me crazy :D
Got the normal UDM^^
Since UniFi's mDNS setting is on VLAN level, I don't think what you want to achieve is possible by configuring the UniFi network controller. However, as far as I know, avahi supports reflect filters so that you can allow selected service names. So you may want to try a standalone avahi. Let me know if you are interested in a video about that.
@@hz777 thanks for the quick reply! :)
For sure I’m interested in the avahi topic
Added to my backlogs :D
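The repeating described in this thread (the Mac's query from 192.168.88.93 heard again on the other VLAN with source 192.168.66.1, and the Apple TV's reply from 192.168.66.203 heard again with source 192.168.88.1) and the per-service allow-list suggested for the AirPrint-only case, as an added Python model. This is example code, not UniFi's or avahi's own implementation. The VLAN addresses come from the capture discussed above; the packet contents, the `Reflector` class and the allow-list are constructed for the example. In avahi itself the equivalents are `enable-reflector=yes` in the `[reflector]` section of avahi-daemon.conf and, in avahi 0.8 and later, the `reflect-filters=` option, which takes a list of service types.

```python
# Added model of an mDNS reflector: what the gateway's avahi does when "mDNS" is
# ticked on a VLAN, or what pfSense's Avahi package does with the repeater enabled.
# Self-contained simulation on constructed packets; not UniFi/avahi code.
import ipaddress
import struct
from dataclasses import dataclass

MDNS_GROUP = "224.0.0.251"   # mDNS multicast group; link-local, so a router never forwards it
QTYPE_PTR = 12               # service browsing asks for PTR records of "_airplay._tcp.local" etc.


def encode_name(name):
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def decode_name(buf, off):
    """Decode a name at buf[off], following compression pointers; returns (name, offset after it)."""
    labels, end, jumped = [], 0, False
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:                      # 2-byte pointer to an earlier name
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if ln == 0:
            break
        labels.append(buf[off:off + ln].decode())
        off += ln
    return ".".join(labels), (end if jumped else off)


def build_query(service_type):
    """Constructed mDNS PTR query, e.g. a Mac browsing for _airplay._tcp.local."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)   # id 0, flags 0 (query), qdcount 1
    return header + encode_name(service_type) + struct.pack("!HH", QTYPE_PTR, 1)


def build_response(service_type, instance, ttl=4500):
    """Constructed mDNS PTR response advertising one service instance."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)   # QR=1 AA=1, ancount 1
    rdata = encode_name(instance)
    rr = encode_name(service_type) + struct.pack("!HHIH", QTYPE_PTR, 1, ttl, len(rdata)) + rdata
    return header + rr


def record_names(payload):
    """Owner names of every question and answer RR: the service types the packet carries."""
    _, _, qd, an, _, _ = struct.unpack("!HHHHHH", payload[:12])
    off, names = 12, []
    for _ in range(qd):
        name, off = decode_name(payload, off)
        names.append(name)
        off += 4                                   # qtype + qclass
    for _ in range(an):
        name, off = decode_name(payload, off)
        rdlen = struct.unpack("!H", payload[off + 8:off + 10])[0]
        names.append(name)
        off += 10 + rdlen                          # type, class, ttl, rdlength, then rdata
    return names


@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    payload: bytes


class Reflector:
    """Repeats mDNS heard on one VLAN onto every other configured VLAN, sourced from the
    gateway's own address there, optionally restricted to an allow-list of service types."""

    def __init__(self, interfaces, allowed_types=None):
        # interfaces: {"vlan88": ("192.168.88.1", "192.168.88.0/24"), ...}
        self.ifaces = {v: (ip, ipaddress.ip_network(net)) for v, (ip, net) in interfaces.items()}
        self.own_ips = {ip for ip, _ in self.ifaces.values()}
        self.allowed = allowed_types               # None means "reflect everything"

    def vlan_of(self, ip):
        addr = ipaddress.ip_address(ip)
        return next((v for v, (_, net) in self.ifaces.items() if addr in net), None)

    def permitted(self, names):
        if self.allowed is None:
            return True
        return any(n == t or n.endswith("." + t) for t in self.allowed for n in names)

    def reflect(self, d):
        # Ignore non-mDNS traffic and our own repeats heard back on another VLAN (loop guard).
        if d.dst != MDNS_GROUP or d.src in self.own_ips:
            return []
        src_vlan = self.vlan_of(d.src)
        if src_vlan is None or not self.permitted(record_names(d.payload)):
            return []
        return [Datagram(ip, MDNS_GROUP, d.payload)
                for v, (ip, _) in self.ifaces.items() if v != src_vlan]


# Addresses taken from the capture described in the thread: VLAN 88 gateway 192.168.88.1,
# VLAN 66 gateway 192.168.66.1, a Mac at 192.168.88.93 and an Apple TV at 192.168.66.203.
UDM = Reflector({"vlan88": ("192.168.88.1", "192.168.88.0/24"),
                 "vlan66": ("192.168.66.1", "192.168.66.0/24")})


def demo():
    query = Datagram("192.168.88.93", MDNS_GROUP, build_query("_airplay._tcp.local"))
    repeated_query = UDM.reflect(query)                      # "packet 4": source 192.168.66.1
    reply = Datagram("192.168.66.203", MDNS_GROUP,
                     build_response("_airplay._tcp.local", "Living Room._airplay._tcp.local"))
    repeated_reply = UDM.reflect(reply)                      # "packet 7": source 192.168.88.1
    return repeated_query, repeated_reply, UDM.reflect(repeated_query[0])   # last one: loop guard -> []
```

Calling `demo()` returns the two repeated datagrams and an empty list for the repeat heard back by the gateway itself. Two points worth noticing from a defender's side: the reflector copies the whole payload, so without an allow-list every service advertised on the IoT VLAN (AirPlay, SSH, SMB, whatever a device announces) becomes discoverable from the other VLANs, which is what `allowed_types={"_ipp._tcp.local"}` trims back to just the printer; and reflection only makes devices discoverable, the actual AirPlay or IPP session is unicast between the two hosts and still needs its own firewall rule between the VLANs.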
Hi, I have a similar set-up to the last case you presented: pfSense + third-party managed switch + UniFi AP using the UniFi Network application (the multicast option is checked). I have the Avahi daemon package installed on pfSense with the default LAN + an IoT VLAN. The firewall rules are for the LAN to access everything, and IoT can access everything except the LAN. I am able to ping the devices that are on the IoT Wi-Fi from the default Wi-Fi, but no matter what I try, the cast functionality does not work when trying to cast from default to IoT. Any suggestions? Thank you!
It sounds to be a missing firewall rule to allow a specific type of traffic. Let me set up something similar in my lab environment and have a video.
Thank you, I'm looking forward to this video @@hz777
@@radunastase1865 I just did a quick test but a similar setup works for me.
Two things: first, the mDNS checkbox in the UniFi Network Controller won't be effective for you because you are not using a UniFi gateway; second, in the Avahi configuration in pfSense, did you enable the repeater? The repeating functionality is equivalent to UniFi's mDNS checkbox.
Yes, the repeater is checked; maybe there is something wrong with my managed switch? Do I need to look into snooping settings? @@hz777
This info is already outdated it seems. Many of these settings are no longer supported.
Thank you for another great video! I work for a school district which is composed of three different campuses; we've deployed two UXG-Pros and one UDM Pro among these three campuses (no site-to-site VPN is configured yet). Currently we are using simple WPA2 Personal password-only authentication for both the "Teacher" and "Student" Wi-Fi networks. What would be the best authentication method, other than simply giving out the password, on the UniFi ecosystem? We have about 200 MacBooks and 200 HP Chromes under the "Teacher" network. Do you already have a video for that? If not, could you please help me with this? Giving out the Wi-Fi password is pretty bad practice even if we don't have any local server inside the network. Any help is very much appreciated!
You may want to implement WPA-Enterprise. Yes, I do have a video about FreeRADIUS, but it's for pfSense and UniFi AP, because if you use UniFi gateways the implementation will be much simpler, so it may not even be worth a video :)
@@hz777 Thank you for your response. I've watched that video. Did you mean I can utilize the RADIUS server inside the UniFi gateways to fulfill the WPA Enterprise authentication? Does it use the MAC addresses of the clients to authenticate? I haven't found many videos for the setup process on UA-cam. Thanks again.
No, you do not need to use MAC addresses. You need to maintain the authentication data somehow (usernames & passwords), by either manually maintaining them in the UniFi gateway or integrating with an external Active Directory. Of course the latter approach is desirable, but you know, in many cases UniFi devices are half-baked enterprise devices, so you may have a lot of fun there.
@@hz777 When you mentioned that UniFi is half-baked enterprise grade, do you have other recommendations for networking systems? If budget is not a concern at all.
Sorry, but I am not qualified to give that type of suggestion: I am a homelabber anyway :D What I know is that pfSense is a much better choice when it comes to gateway/firewall/router, for me as a homelabber.
I really wish ubiquiti would stop changing the damn UI layouts. ffs.