Forward mDns from one subnet to another

forwardingmdns

Is there an ipfw rule that can easily forward mDns packets from one subnet to another? I have a Snow Leopard Server machine serving as the gateway between the two subnets and would like for machines in each subnet to see the services available in the other subnet. The gateway machine is already confirmed as configured correctly such that packets route correctly between the two subnets (ping works, traceroute shows the subnet hop, etc). My problem in designing a ipfw rule is that I don't know how to instruct that I would like multicast packets addressed to 224.0.0.251:5353 on en0 to be addressed to the same ip/port but on fw0 (the other interface). I attempted a rule such as

fwd 192.168.10.1 log udp from 192.168.1.0/24 to 224.0.0.251 recv en1

to force the packet to hop over to the other interface (from en1 to fw0), but no dice. The ipfw log shows that the rule is being triggered by packets, but tcpdump isn't showing any packets on the other interface. Also, the only other firewall rules in place are the divert port 8668 and rule #65535 "allow any to any".

Any suggestions? Thanks.

Best Answer

I've tried to have this work as expected for a long time.

All I found is that these multicast packets will not cross subnets.

However, the only real solution I have found is to use an mDNS Reflector daemon such as avahi-daemon on a system which spans across subnets.

It also sounds like you could benefit from Wide Area Bonjour which is designed for large corporations to broadcast Bonjour / mDNS traffic across subnets.

See http://discussions.apple.com/thread.jspa?threadID=1251044

Related Solutions

Ssh-agent forwarding and sudo to another user

As you mentioned, the environment variables are removed by sudo, for security reasons.

But fortunately sudo is quite configurable: you can tell it precisely which environment variables you want to keep thanks to the env_keep configuration option in /etc/sudoers.

For agent forwarding, you need to keep the SSH_AUTH_SOCK environment variable. To do so, simply edit your /etc/sudoers configuration file (always using visudo) and set the env_keep option to the appropriate users. If you want this option to be set for all users, use the Defaults line like this:

Defaults    env_keep+=SSH_AUTH_SOCK

man sudoers for more details.

You should now be able to do something like this (provided user1's public key is present in ~/.ssh/authorized_keys in user1@serverA and user2@serverB, and serverA's /etc/sudoers file is setup as indicated above):

user1@mymachine> eval `ssh-agent`  # starts ssh-agent
user1@mymachine> ssh-add           # add user1's key to agent (requires pwd)
user1@mymachine> ssh -A serverA    # no pwd required + agent forwarding activated
user1@serverA> sudo su - user2     # sudo keeps agent forwarding active :-)
user2@serverA> ssh serverB         # goto user2@serverB w/o typing pwd again...
user2@serverB>                     # ...because forwarding still works

Bonjour/mDNS Broadcast across subnets

Although you can do “wide-area Bonjour” (that is, Bonjour over an ordinary DNS domain with dynamic registration enabled, rather than Bonjour over multicast DNS), most built-in Mac OS X stuff isn’t designed for using it — principally because wide-area Bonjour is designed for advertising services over something more diverse than just a couple of subnets.

Theoretically, though, you could configure a router to pass packets bound for the multicast group 224.0.0.251 between your two subnets, which should do the right thing — assuming you don’t have NAT involved. Whether and how you can do this depends on the type of router you have sitting between the wireless and wired networks.

Best Answer

Related Solutions

Ssh-agent forwarding and sudo to another user

Bonjour/mDNS Broadcast across subnets

Related Topic