If you have segmented your network, you may have had trouble using Chromecast, AirPlay or similar IoT devices that rely on mDNS / Bonjour / ZeroConf or SSDP. These protocols use link-local multicast, which routers do not forward between subnets and which a firewall cannot simply filter through. Many people run into this, and while several solutions exist, none of them is entirely sound from a security perspective: common problems are bidirectional traffic reflection, a lack of filter options, no IPv6 support and no session tracking.
However, I've devised a solution I believe encompasses the best of all possible remedies. It incorporates several different strategies, all created with RouterOS in mind.
What is our Objective?
Assume we have segmented networks in the following manner:
- A client network, comprising your PCs, laptops, and family smartphones.
- A guest network, comprising smartphones and other devices of your visitors.
- An IoT network, consisting of your Chromecast, AirPlay, and other IoT devices.
Proposed Solution
The Bonjour-reflector I've developed is an upgraded version of another project, with added protocols such as SSDP.
Key features include:
- Detailed control over which IoT devices are advertised, based on MAC addresses. Access can be set on a per-device basis.
- Protocol inspection for a better understanding of SSDP and mDNS. It can distinguish between query responses and advertisements.
- Session tracking, ensuring that it tracks which ports are being used for each session and only permits traffic to flow in the appropriate direction.
- IPv6 support, facilitating usage with both IPv6 and IPv4.
- A single binary.
- Compact size, taking up only ~8 MB of space.
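To make the first three points concrete (per-MAC access, telling queries from responses and advertisements, and session tracking), here is a small Go policy model. It is example code added to this post, not code from the bonjour-reflector project: the ACL layout, the Decide rules, the treatment of multicast versus unicast destinations, and the constructed MACs and addresses are all assumptions made for the illustration.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
	"net/netip"
	"strings"
	"time"
)

// IsResponse reads the 12-byte DNS header that starts every mDNS datagram and
// reports the QR bit (bit 15 of the flags): 0 is a query, 1 an answer or advertisement.
func IsResponse(payload []byte) (bool, error) {
	if len(payload) < 12 {
		return false, fmt.Errorf("mdns: %d-byte datagram is shorter than a DNS header", len(payload))
	}
	return binary.BigEndian.Uint16(payload[2:4])&0x8000 != 0, nil
}

// ACL maps a device MAC (lower-case, colon separated) to the VLAN IDs whose
// clients may discover it; a MAC missing from the map is never reflected.
type ACL map[string]map[uint16]bool

func (a ACL) Allows(mac net.HardwareAddr, vlan uint16) bool {
	return a[strings.ToLower(mac.String())][vlan]
}

// Sessions remembers which client ip:port pairs recently sent a query, so a
// unicast reply is only copied back to a port that actually asked.
type Sessions struct {
	TTL  time.Duration
	Now  func() time.Time // injectable clock, defaults to time.Now
	seen map[netip.AddrPort]time.Time
}

func NewSessions(ttl time.Duration) *Sessions {
	return &Sessions{TTL: ttl, Now: time.Now, seen: map[netip.AddrPort]time.Time{}}
}

// NoteQuery records that asker sent a query towards the IoT network.
func (s *Sessions) NoteQuery(asker netip.AddrPort) { s.seen[asker] = s.Now() }

// AllowResponse reports whether a reply to dst matches a query seen within TTL;
// a stale entry is removed when it is encountered.
func (s *Sessions) AllowResponse(dst netip.AddrPort) bool {
	if t, ok := s.seen[dst]; ok && s.Now().Sub(t) <= s.TTL {
		return true
	}
	delete(s.seen, dst)
	return false
}

// Decide says whether to copy one UDP/5353 datagram (src -> dst, payload) either
// from a client towards the IoT VLAN (toIoT) or from the IoT device with srcMAC
// into client VLAN dstVLAN, and why. Assumed policy, not the project's: towards IoT
// only queries pass and the asker is remembered; from IoT only ACL-listed devices
// pass, multicast freely, unicast only back to a remembered asker.
func Decide(acl ACL, sess *Sessions, toIoT bool, dstVLAN uint16, srcMAC net.HardwareAddr, src, dst netip.AddrPort, payload []byte) (bool, string) {
	resp, err := IsResponse(payload)
	if err != nil {
		return false, err.Error()
	}
	if toIoT {
		if resp {
			return false, "responses from the client side are never reflected"
		}
		sess.NoteQuery(src)
		return true, "query forwarded, session recorded"
	}
	if !acl.Allows(srcMAC, dstVLAN) {
		return false, fmt.Sprintf("device %s not allowed into VLAN %d", srcMAC, dstVLAN)
	}
	if !resp {
		return false, "IoT-originated queries are not reflected"
	}
	if dst.Addr().IsMulticast() {
		return true, "multicast advertisement forwarded"
	}
	if sess.AllowResponse(dst) {
		return true, "unicast response matches a live session"
	}
	return false, "unicast response without a matching query dropped"
}

// MDNSHeader builds a constructed 12-byte DNS header with the given flags;
// 0x0000 is a plain query, 0x8400 the authoritative response mDNS sends.
func MDNSHeader(flags uint16) []byte {
	b := make([]byte, 12)
	binary.BigEndian.PutUint16(b[2:4], flags)
	return b
}

func main() {
	acl := ACL{"aa:bb:cc:dd:ee:01": {10: true}} // constructed: one Chromecast, visible to VLAN 10 only
	sess := NewSessions(10 * time.Second)
	client := netip.MustParseAddrPort("192.0.2.20:40000")
	fmt.Println(Decide(acl, sess, true, 30, nil, client, netip.MustParseAddrPort("224.0.0.251:5353"), MDNSHeader(0x0000)))
}
```

The part worth noticing is the unicast case: a datagram from the IoT side with the QR bit set is only copied to a client ip:port that sent a query within the TTL, so a device cannot push traffic into the client network on its own, while multicast advertisements still pass only for devices explicitly listed for that VLAN. A real reflector would of course also have to check the source MAC against the ingress VLAN before trusting it.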
The howto: https://github.com/nberlee/bonjour-refl ... /README.md
If you have any queries, don't hesitate to reach out. I'm here to assist!