The complete SSDP + mDNS solution for network segmentation

nicob · Tue Jul 04, 2023 2:06 pm

Issue at Hand
If you've segmented your network, you may have encountered difficulty utilizing Chromecast, Airplay, or similar IoT devices that rely on mDNS / Bonjour / ZeroConf or SSDP. This is due to these protocols not being routable or filterable. Numerous individuals face this issue, and while there are several solutions out there, none are entirely foolproof from a security perspective. Issues often include bi-directional traffic reflection, lack of filter options, absence of IPv6 support, and no session tracking.

However, I've devised a solution I believe encompasses the best of all possible remedies. It incorporates several different strategies, all created with RouterOS in mind.

What is our Objective?

Assume we have segmented networks in the following manner:

A client network, comprising your PCs, laptops, and family smartphones.
A guest network, comprising smartphones and other devices of your visitors.
An IoT network, consisting of your Chromecast, Airplay, and other IoT devices.

The goal is to utilize our IoT devices from our client network, but only a select number of devices within the IoT network should be accessible from the guest network. We don't want to facilitate mDNS/SSDP from the IoT network to the client or guest network. Additionally, we want to prevent guests from using mDNS/SSDP to access the client network (and vice versa).

Proposed Solution
The Bonjour-reflector I've developed is an upgraded version of another project, with added protocols such as SSDP.

Key features include:

Detailed control over your advertised IoT devices based on MAC-addresses. Access can be set on a per-device basis.
Protocol inspection for a better understanding of SSDP and mDNS. It can distinguish between query responses and advertisements.
Session tracking, ensuring that it tracks which ports are being used for each session and only permits traffic to flow in the appropriate direction.
IPv6 support, facilitating usage with both IPv6 and IPv4.
A single binary.
Compact size, taking up only ~8MB of space.

It should be compatible with most arm(64) + CHR Mikrotiks. For a comprehensive guide, please refer to the markdown on Github.

The howto: https://github.com/nberlee/bonjour-refl ... /README.md

If you have any queries, don't hesitate to reach out. I'm here to assist!

rsvdl · Tue Jul 04, 2023 3:38 pm

Thanks so much for this!

Avahi was giving me a lot of headaches. This solution seems to have no problem at all reflecting my Chromecast and printers across VLANs.

Also a nice bonus is that you can choose which devices get reflected!

It fixed my issue so that I can now see my Chromecast and Apple TV devices on my Clients VLAN while they are in my IOT vlan

P.S.

This container is only 8MB

BlackBurn · Tue Jul 18, 2023 9:45 am

This is really awesome.

The setup was fairly easy, however requires a reboot to get into container mode.

Configuration might look a bit challenging, however once you got the hang of it it is straight forward.

I've some Apple TVs, Denon and Sonos devices configured for reflection and works really well.

It is very fast and responsive, I used the Palo Alto Networks bonjour reflector option on the firewall before, but it seems not to reflect everything (ssdp?).
When I open for example the Sonos app on my phone all Sonos devices are there within a second, before this took a while and sometime I had to kill and re-open the app.

Really worth to give a shot !

mvz71 · Thu Aug 24, 2023 5:29 pm

Thank you very much for this great work.

I was able to set everything up, but unfortunately it does not work. I get the following error message in the log file:

"level=error msg=Unable to remove the hardware vlan filter (rx-vlan-filter): unsupported feature "rx-vlan-filter".

I must admit that I am a beginner and not a VLAN expert, but do you have any idea how I can overcome this hurdle?

Thu Aug 24, 2023 7:01 pm

I get the following error message in the log file:

I doubt that message appeared after the very last step in this complicated setup. It's my bet it occurred about ¼ of the way into the process, in this step, where it sets up the VETH with bridge VLAN filtering disabled.

This shaky bet of mine is based on two facts:

Not all RouterOS devices support bridge VLAN filtering. (See the yellow caution box below the target of the prior link.) You can't disable something that doesn't even exist on the host platform.
Your diagnosis is vague, not even telling us details like which RouterOS device you tried this on, permitting me to speculate freely on this point.

There's a chance I've nailed it by luck. If so, then I think it's worth pulling the bridge VLAN filtering bits out of the tutorial and trying to make it work using whatever alternative VLAN filtering mechanism your device supports instead. I have no doubt that this tutorial's basic ideas work best with hardware bridge VLAN filtering, but I doubt it's absolutely essential.

If that doesn't work, or if I've missed the mark, the way to elicit stronger guesses is to provide details to found them upon rather than rely on superior levels of mind-reading and luck than what I've been able to bring to bear.

nicob · Thu Aug 24, 2023 7:27 pm

Thank you very much for this great work.

You are very welcome! I learned a lot about SSDP and mDNS and packet layers in general when making this.

I was able to set everything up, but unfortunately it does not work. I get the following error message in the log file:

"level=error msg=Unable to remove the hardware vlan filter (rx-vlan-filter): unsupported feature "rx-vlan-filter".

Sorry for this confusing error. You may simply ignore it. Is isn't relevant for Mikrotik routers as it is not connected to a hardware port. It is only needed when directly connected to a physical NIC, so for example on a linux host. the Veth interface on RouterOS does not need this...

I will make some code to first check if its even needed to set this nic feature.

I must admit that I am a beginner and not a VLAN expert, but do you have any idea how I can overcome this hurdle?

Please see if you see packets coming in with Packet Sniffer, see https://github.com/nberlee/bonjour-refl ... -reflected
If you do not see packets with destination 239.255.255.250:1900 or 224.0.0.251:5353 then you know your bridge isn't receiving or forwarding it to the veth port.

If you do see those packets, start the container in verbose mode by adding

/bonjour-reflector -verbose

to Cmd in the container settings
This will log any packet it needs to process.

novy · Sat Sep 02, 2023 1:21 am

hi having issues at network setup:
3. Add veth1-reflector as tagged port to the vlans you want to use.

what am i doing wrong? running on RB5009UG+S+
thanks in advance!

brg3466 · Thu Sep 07, 2023 9:39 pm

@nicob,
Thank you for the great work ! I tried on hAP ax2 (v 7.11.2). My goal is to let apple TV ( vlan10) available to vlan12 network.

The topology is: Router <-> CRS328 <-> hAP ax2, ether1 on ax2 is set as trunk port.

But after getting reflector running, my phone (vlan 12) still cannot see apple TV (vlan10) on the airplay. With packet sniffer, I can see packets going in but not coming out.
Could you please take a look into my config and point me to the right direction ? Thank you !

debug message in log as below:

10:44:41 container,info,debug importing remote image: ghcr.io/nberlee/bonjour-reflector, tag: main
10:44:42 container,info,debug getting layer sha256:2933017b37c42456cc855d00ebcf94b175e0de81c01313003007e689708edfa4
10:44:44 container,info,debug layer sha256:2933017b37c42456cc855d00ebcf94b175e0de81c01313003007e689708edfa4 downloaded
10:44:48 container,info,debug import successful, container 3ec97e5e-b2cb-4158-b9bf-2f64d31ad593
10:44:54 container,info,debug 2023/09/07 17:44:54 maxprocs: Leaving GOMAXPROCS=4: CPU quota undefined

The configuration on the arm64 machine is as follows:

/interface veth
add address=127.1.0.10/32 gateway=127.1.0.1 gateway6="" name=veth1-reflector

/interface/bridge/port/add bridge=bridge1 edge=yes frame-types=admit-only-vlan-tagged \
ingress-filtering=no interface=veth1-reflector learn=yes multicast-router=permanent \
point-to-point=yes pvid=999

/interface bridge vlan
add bridge=bridge1 tagged=sfp3-crs312,bridge1,eth5-AP-GR_Closet,veth1-reflector vlan-ids=10
add bridge=bridge1 tagged=sfp3-crs312,bridge1,eth5-AP-GR_Closet,veth1-reflector vlan-ids=12
add bridge=bridge1 comment="management vlan" tagged=bridge1,sfp3-crs312,eth5-AP-GR_Closet vlan-ids=99

/container config set registry-url=https://ghcr.io tmpdir=nvme1-part1/pull

/container mounts add dst=/config name=reflector-config src=/nvme1-part1/bonjour
/system logging add topics=container
/container/add remote-image=ghcr.io/nberlee/bonjour-reflector:main int=veth1-reflector \
root-dir=nvme1-part1/bonjour/reflector mounts=reflector-config envlist=bonjour_envs logging=yes \
start-on-boot="yes" comment="bonjour-reflector"

### config.toml -- upload this file to /nvme1-part1/bonjour
net_interface = "eth0"

[devices]

[devices."BC:34:00:A0:30:A8"]
description = "Apple tv"
origin_pool = 10
shared_pools = [12]

[vlan]

[vlan.10]
ip_source = "10.10.10.254"

[vlan.12]
ip_source = "10.12.12.254"

nicob · Thu Sep 07, 2023 11:54 pm

net_interface = "eth0"

[devices]
[devices."DC:56:E7:45:BC:CF"]
description = "BSMT ATV"
origin_pool = 13
shared_pools = [10, 12]

[vlan]
[vlan.10]
ip_source = "10.10.10.254"

[vlan.12]
ip_source = "10.12.12.254"

[vlan.13]
ip_source = "10.13.13.254"

Thank you for putting the effort in in providing me with great context!
This all looks ok... If the following is true
[*] 10.13.0/12/13.254 NOT in use by any other device or themikrotik. If you ping the ip on the same network as a client , you should not get a response, however, `arp -a` should give you the mac addresss of the veth.
[*] Doublecheck the mac adress

With packet sniffer, I can see packets going in but not coming out.

This is great! Are these packets with destination 239.255.255.250:1900 or 224.0.0.251:5353 ?
If yes, now run the container with a different cmd `/bonjour-reflector -verbose`, then stop and start it, you should at least see in the logs with `packet received:`

Not sure if it is because the reflector has to be installed on Router instead of the ax2 ?

Its fine either way, I have it on my router (CCR2004), but I also could have it somewhere else. but there are two main things to keep in mind.
The router on where bonjour-reflector runs should see all the multicast traffic and upstream ports should have unknown-multicast=yes. And you should not run multiple bonjour-reflectors in the same vlans.

nicob · Fri Sep 08, 2023 12:05 am

what am i doing wrong?

Sorry for my late reply... I didn't notice this message.

I was able to replicate this when, bridge-LAN does not exists or more likely when the vlan-id is unknown to the bridge, in this case 1 . The guide assumes

It assumes you have one bridge with vlans configured

So create the vlan on the bridge by assign it to a port, then follow step 3

brg3466 · Fri Sep 08, 2023 2:26 am

Thank you for putting the effort in in providing me with great context!
This all looks ok... If the following is true
[*] 10.13.0/12/13.254 NOT in use by any other device or themikrotik. If you ping the ip on the same network as a client , you should not get a response, however, `arp -a` should give you the mac addresss of the veth.
[*] Doublecheck the mac adress

With packet sniffer, I can see packets going in but not coming out.

This is great! Are these packets with destination 239.255.255.250:1900 or 224.0.0.251:5353 ?
If yes, now run the container with a different cmd `/bonjour-reflector -verbose`, then stop and start it, you should at least see in the logs with `packet received:`

#################################################################
Thank you for your reply !

#1 10.x.x.254 is NOT in use by any devices.
#2 What do you mean by "double check the mac address of veth1-reflector" ?
#3 yes, both 239.255.255.250:1902 and 224.0.0.251:5353 showed up in the dst.
#4 some logs after running /bonjour-reflector -verbose

novy · Fri Sep 08, 2023 2:44 am

what am i doing wrong?
Sorry for my late reply... I didn't notice this message.

I was able to replicate this when, bridge-LAN does not exists or more likely when the vlan-id is unknown to the bridge, in this case 1 . The guide assumes
It assumes you have one bridge with vlans configured
So create the vlan on the bridge by assign it to a port, then follow step 3

I believe i have it right

Note, that i backed up my config to the start point

brg3466 · Fri Sep 08, 2023 8:30 am

It finally worked if there is only one device to be available to another network.
i.e Apple TV (vlan10) can be available to network vlan12.

But when I want to add devices and add networks, it doesn't work. The only change I made is the config.toml file. And the error message is " Could not read configuration: duplicate tables".

something wrong with My config.toml file ?

net_interface = "eth0"

[devices]
    [devices."BC:34:00:A0:30:A8"]
    description = "Aries mini"
    origin_pool = 13
    shared_pools = [10, 12]
[devices]
    [devices."BC:34:00:A0:50:03"]
    description = "Altair"
    origin_pool = 13
    shared_pools = [10, 12]
[devices]
    [devices."DC:56:E7:45:BC:CF"]
    description = "Apple Tv Basement"
    origin_pool = 13
    shared_pools = [10, 12]

[vlan]
    [vlan.10]
    ip_source = "10.10.10.254"
    [vlan.12]
    ip_source = "10.12.12.254"
    [vlan.13]
    ip_source = "10.13.13.254"

nicob · Fri Sep 08, 2023 11:11 am

It finally worked if there is only one device to be available to another network.

Great!

something wrong with My config.toml file ?

Toml is sometimes confusing. [devices] needs defined only once. Use https://www.toml-lint.com for fast checking. The error messages may be implying errors on the line below...

This should work:

net_interface = "eth0"

[devices]
    [devices."BC:34:00:A0:30:A8"]
    description = "Aries mini"
    origin_pool = 13
    shared_pools = [10, 12]

    [devices."BC:34:00:A0:50:03"]
    description = "Altair"
    origin_pool = 13
    shared_pools = [10, 12]

    [devices."DC:56:E7:45:BC:CF"]
    description = "Apple Tv Basement"
    origin_pool = 13
    shared_pools = [10, 12]

[vlan]
    [vlan.10]
    ip_source = "10.10.10.254"
    [vlan.12]
    ip_source = "10.12.12.254"
    [vlan.13]
    ip_source = "10.13.13.254"

nicob · Fri Sep 08, 2023 12:10 pm

I believe i have it right Note, that i backed up my config to the start point

In step 3 you are actually editing vlans on the bridge to add the veth bridge port (see screenshot) to the corresponded vlans

Screenshot from 2023-09-08 11-06-54.png

To be aple to edit the ports, you need to have the vlan ids on the bridge.

novy · Fri Sep 08, 2023 6:57 pm

I believe i have it right Note, that i backed up my config to the start point
In step 3 you are actually editing vlans on the bridge to add the veth bridge port (see screenshot) to the corresponded vlans

Screenshot from 2023-09-08 11-06-54.png

To be aple to edit the ports, you need to have the vlan ids on the bridge.

OMG ... DID IT!!! Works like a charm! Many, many, many thanks! Great job!

brg3466 · Fri Sep 08, 2023 7:03 pm

something wrong with My config.toml file ?
Toml is sometimes confusing. [devices] needs defined only once. Use https://www.toml-lint.com for fast checking. The error messages may be implying errors on the line below...

This should work:
Code: Select all
net_interface = "eth0"

[devices]
    [devices."BC:34:00:A0:30:A8"]
    description = "Aries mini"
    origin_pool = 13
    shared_pools = [10, 12]

    [devices."BC:34:00:A0:50:03"]
    description = "Altair"
    origin_pool = 13
    shared_pools = [10, 12]

    [devices."DC:56:E7:45:BC:CF"]
    description = "Apple Tv Basement"
    origin_pool = 13
    shared_pools = [10, 12]

[vlan]
    [vlan.10]
    ip_source = "10.10.10.254"
    [vlan.12]
    ip_source = "10.12.12.254"
    [vlan.13]
    ip_source = "10.13.13.254"

My bad !!! [Devices] needs to be defined only ONCE ! Now it works perfectly !

Thank you so much for your help !

anro · Thu Nov 09, 2023 6:35 pm

First of all thanks for the great effort on putting this all together!

I encountered the following issue with this approach though:
Everything seem to work, I was able to successfully proxy an ikea hub / tv / chromecast speaker, but when container starts it kills the network performance.
Here is an iperf3 test from a client vlan to the outside world:

[  5]  40.00-41.00  sec  3.38 MBytes  28.3 Mbits/sec
[  5]  41.00-42.00  sec  4.66 MBytes  39.1 Mbits/sec
[  5]  42.00-43.00  sec  4.28 MBytes  35.9 Mbits/sec
[  5]  43.00-44.00  sec  3.09 MBytes  26.0 Mbits/sec
## container start
[  5]  44.00-45.00  sec  1.19 MBytes  9.96 Mbits/sec
[  5]  45.00-46.00  sec  16.0 KBytes   131 Kbits/sec
[  5]  46.00-47.00  sec  2.02 MBytes  16.9 Mbits/sec
[  5]  47.00-48.00  sec   688 KBytes  5.64 Mbits/sec
[  5]  48.00-49.00  sec   256 KBytes  2.10 Mbits/sec
[  5]  49.00-50.00  sec  48.0 KBytes   393 Kbits/sec
[  5]  50.00-51.00  sec  16.0 KBytes   131 Kbits/sec
[  5]  51.00-52.00  sec  32.0 KBytes   262 Kbits/sec
[  5]  52.00-53.00  sec  0.00 Bytes  0.00 bits/sec
[  5]  53.00-54.00  sec  32.0 KBytes   262 Kbits/sec
[  5]  54.00-55.00  sec  16.0 KBytes   131 Kbits/sec
[  5]  55.00-56.00  sec  32.0 KBytes   262 Kbits/sec
[  5]  56.00-57.00  sec  16.0 KBytes   131 Kbits/sec
[  5]  57.00-58.00  sec  48.0 KBytes   393 Kbits/sec
## container stop
[  5]  58.00-59.00  sec  1.39 MBytes  11.7 Mbits/sec
[  5]  59.00-60.00  sec  3.72 MBytes  31.2 Mbits/sec
[  5]  60.00-61.00  sec  4.00 MBytes  33.6 Mbits/sec

The same happens if I start a packet sniffer on the `veth1-reflector` or the main bridge. So it seems the problem is some sort of a global promisc mode that container enables? (I have a very vague understanding of how this all works in mikrotiks).
Switching works well though, client -> client is fast.

My setup:

model: RB5009UPr+S+
factory-firmware: 7.7
current-firmware: 7.9
upgrade-firmware: 7.11.2

veth:
14  RS  name="veth1-reflector" type="veth" mtu=1500 actual-mtu=1500 mac-address=8E:E9:9F:A3:75:28 ifname="veth16" ifindex=16 id=16 last-link-up-time=2023-11-09 17:22:48 link-downs=0

bridge bport:
 8     interface=veth1-reflector bridge=bridge_lan priority=0x80 path-cost=10 internal-path-cost=10 edge=yes point-to-point=yes learn=auto horizon=none auto-isolate=no restricted-role=no restricted-tcn=no pvid=999 
       frame-types=admit-only-vlan-tagged ingress-filtering=yes unknown-unicast-flood=yes unknown-multicast-flood=yes broadcast-flood=yes tag-stacking=no bpdu-guard=no trusted=no multicast-router=permanent 
       fast-leave=no

[admin@MikroTik] > /interface/bridge/vlan/ print
Columns: BRIDGE, VLAN-IDS, CURRENT-TAGGED, CURRENT-UNTAGGED
# BRIDGE      VLAN-IDS  CURRENT-TAGGED   CURRENT-UNTAGGED
;;; trusted lan
0 bridge_lan      2000  bridge_lan       ether3          
                        veth1-reflector  ether4          
                                         ether5          
                                         ether6          
                                         ether2          
;;; guest
1 bridge_lan      2100  bridge_lan                       
                        veth1-reflector                  
                        ether3                           
                        ether4                           
                        ether5                           
;;; iot
2 bridge_lan      2200  bridge_lan       ether7          
                        veth1-reflector  ether8          
                        ether3                           
                        ether4                           
                        ether5 
                       
[admin@MikroTik] > /container/ print detail
 0 ;;; bonjour-reflector
   name="201b3447-ccb5-490a-a7d8-ab4de86e17d6" tag="ghcr.io/nberlee/bonjour-reflector:main" os="linux" arch="arm64" interface=veth1-reflector root-dir=containers/reflector mounts=reflector-config dns="" workdir="/" 
   logging=yes status=stopped

--- config.toml:

net_interface = "eth0"

[devices]

    [devices."28:39:5E:42:93:C3"]
    description = "Samsung TV"
    origin_pool = 2200
    shared_pools = [2000, 2100]

    [devices."88:D0:39:2E:3A:F5"]
    description = "Polk"
    origin_pool = 2200
    shared_pools = [2000, 2100]

    [devices."58:D5:0A:B3:AA:51"]
    description = "Ikea hub"
    origin_pool = 2200
    shared_pools = [2000, 2100]

[vlan]

    [vlan.2000]
    ip_source = "192.168.200.253"

    [vlan.2100]
    ip_source = "192.168.201.253"

    [vlan.2200]
    ip_source = "192.168.202.253"

Any ideas?

btw, everything works with `ingress-filtering=yes` on the bridge port in my case.

nicob · Fri Nov 10, 2023 3:32 am

The same happens if I start a packet sniffer on the `veth1-reflector` or the main bridge.

what actually when using the packet sniffer is that all hardware offload temporarily is disabled. This is the only way the mikrotik controlplane can see the packets.

And this is a good clue. My first guess is that Hardware offload is disabled when you start the container. Please see if your bridge ports have an H flag. Or click all bridge ports and see if HW offload is on (in the bottom right of the window). And if this changes when starting, stopping the container.

Today 7.12 was released with some bridge fixed, two of the fixes:

*) bridge - fixed fast-path forwarding with HW offloaded vlan-filtering (introduced in v7.11);
*) bridge - fixed vlan-filtering stability with HW and non-HW offloaded ports (introduced in v7.10);

That could be related. I would suggest to update.

btw, everything works with `ingress-filtering=yes` on the bridge port in my case.

That is good news! It might have been broken when I put things together, let me see if I have some time next week to do new tests in 7.11/7.12 and update the guide.

anro · Fri Nov 10, 2023 10:34 pm

My first guess is that Hardware offload is disabled when you start the container. Please see if your bridge ports have an H flag. Or click all bridge ports and see if HW offload is on (in the bottom right of the window). And if this changes when starting, stopping the container.

Hw. Offload. stays on when I start the container. At least the indicator is there near each bridge port except for the veth1.
Also, CPU load stays very low - 1-2%, so it does not seem that it tries to process packets in software at all.

Upgrading to 7.12 did not help unfortunately =(

UpRunTech · Tue Jan 02, 2024 10:02 pm

Unless know you really need mDNS, devices like Chromecast and Apple TV use other discovery protocols (like DIAL and SSDP) that work with PIM-SM and, guess what, this feature has always been in ROS in the Routing menu and it's simple to set up! Try PIM-SM first before going down the container and AVAHI rabbit hole.

nicob · Tue Jan 02, 2024 10:33 pm

UpRunTech,

The title and introduction really describes what this project does. SSDP and mDNS/Bonjour/ZeroConf mostly use a TTL of 1 and most of them only like to accept source IPs from their own network. That is not possible with PIM-SM. Next to that, this solution has advanced filtering solutions which are described in the start post, you will likely need, otherwise why would you segment your network in the first place. Most use-cases, less traffic + more security are covered by this solution, whereas non of them are covered by mikrotik routing as it does not have layer 7 inspection for session recognition.

This solution is not targeted as a Multicast routing replacement, because it isn't. Or a dumb avahi repeater because its better. It a solution for service specific devices supporting SSDP, mDNS/Bonjour/ZeroConf on different networks with state-full sessions and L7 protocol security all in one container, one binary.

teleport · Tue Feb 13, 2024 12:50 am

Add veth1-reflector as tagged port to the vlans you want to use.

Change the bridge to your bridge and vlan-ids to the vlans you want to use.

Please note, these commands open an editor, to save the changes press ctrl+o to exit the editor. Interfaces are comma separated, so if you want to add multiple interfaces, add a comma between them.

/interface/bridge/vlan/edit [/interface/bridge/vlan/find bridge=bridge1 vlan-ids=100] tagged
/interface/bridge/vlan/edit [/interface/bridge/vlan/find bridge=bridge1 vlan-ids=101] tagged
/interface/bridge/vlan/edit [/interface/bridge/vlan/find bridge=bridge1 vlan-ids=103] tagged

when you have a switch chip device like RB450GX4, is the above setting still applicable or should it be done differently ?

From manual: https://help.mikrotik.com/docs/display/ ... NFiltering
Currently, CRS3xx, CRS5xx series switches, CCR2116, CCR2216 routers and RTL8367, 88E6393X, 88E6191X, 88E6190, MT7621 and MT7531 switch chips (since RouterOS v7) are capable of using bridge VLAN filtering and hardware offloading at the same time, other devices will not be able to use the benefits of a built-in switch chip when bridge VLAN filtering is enabled. Other devices should be configured according to the method described in the Basic VLAN switching guide. If an improper configuration method is used, your device can cause throughput issues in your network."

teleport · Thu Feb 15, 2024 3:06 am

while the above setup works with different vlans setup on the router, was wondering how to get it to work when router has wireguard enabled and me as road-warrior would like to use homekit (with an iphone) when connecting via wireguard from outside home.

teleport · Thu Feb 15, 2024 10:14 pm

have noticed that applehomekit has quirky behavior especially when you roam from wifi to cellular and back to same wifi (with vpn like protonvpn always enabled/on). it does not work correctly when you roam and come back to same wifi (on IOS)

dimm0k · Tue Mar 05, 2024 11:01 pm

fabulous work, was able to get this working well on my RB5009 and Google devices! only issue I ran into was the script at the end of the guide to have the container rebuilt and restarted - it didn't work at all and I'm not sure why. I was able to get it run manually. any suggestions would be appreciated!

Lokamaya · Thu Mar 07, 2024 8:19 am

The howto: https://github.com/nberlee/bonjour-refl ... /README.md

Thanks

toffifee · Fri Apr 05, 2024 1:11 am

the container works great; airplay, airprint and sonos are fine.
But in the log I find from timt to time a info message (no warning nor error). All in the high ports 46272, 52158, 59148. What does this mean? Is there anything to do to avoid this?

time=2024-04-04T15:22:38Z level=info msg=No matching SSDP session found with SSDP request/advertisement src port 46272.

The complete SSDP + mDNS solution for network segmentation

The complete SSDP + mDNS solution for network segmentation

Re: The complete SSDP + mDNS solution for network segmentation

Re: The complete SSDP + mDNS solution for network segmentation

Re: The complete SSDP + mDNS solution for network segmentation

Re: The complete SSDP + mDNS solution for network segmentation

Re: The complete SSDP + mDNS solution for network segmentation

Re: The complete SSDP + mDNS solution for network segmentation

Re: The complete SSDP + mDNS solution for network segmentation

Re: The complete SSDP + mDNS solution for network segmentation

Re: The complete SSDP + mDNS solution for network segmentation

Re: The complete SSDP + mDNS solution for network segmentation

Re: The complete SSDP + mDNS solution for network segmentation

Re: The complete SSDP + mDNS solution for network segmentation

Re: The complete SSDP + mDNS solution for network segmentation

Re: The complete SSDP + mDNS solution for network segmentation

Re: The complete SSDP + mDNS solution for network segmentation

Re: The complete SSDP + mDNS solution for network segmentation

Re: The complete SSDP + mDNS solution for network segmentation

Re: The complete SSDP + mDNS solution for network segmentation

Re: The complete SSDP + mDNS solution for network segmentation

Re: The complete SSDP + mDNS solution for network segmentation

Re: The complete SSDP + mDNS solution for network segmentation

Re: The complete SSDP + mDNS solution for network segmentation

Re: The complete SSDP + mDNS solution for network segmentation

Re: The complete SSDP + mDNS solution for network segmentation

Re: The complete SSDP + mDNS solution for network segmentation

Re: The complete SSDP + mDNS solution for network segmentation

Re: The complete SSDP + mDNS solution for network segmentation

Who is online