RoS 7.16 RC4 mDNS

mozerd · Tue Jul 02, 2024 4:48 pm

Anyone using this version got mDNS working? If YES please tell me how ...

I have CCR1009 with 5 vlans that's connected to my CRS326 switch where all my vlans reside either through ethernet or WiFi
I want my printer that is AirPrint capable and sitting in vlan100 to be accessed by any apple device siting in vlan20
This should be doable with mDNS but in my case the apple devices using vlan20 cannot communicate with the printer.

According to normis configuring mDNS is very simple
on my CCR1009 via terminal I issue:
/ip/dns set mdns-repeat-ifaces=vlan100,vlan20

is there something else thats needs to be configured using mDNS? because this does not work ... my apple devices cannot see the AirPrint capable printer

Amm0 · Tue Jul 02, 2024 5:10 pm

I've done a couple test and seems to work.

But since mDNS just provides an IP address, one way it can go wrong is if the firewall blocks the resulting connection.

On Mac (and some Linux and Windows with Bonjour installed), you can use:

 dns-sd -B _ipp._tcp

to see any mDNS records for printers (IPP), which help confirm mDNS is arriving.

mozerd · Wed Jul 03, 2024 6:11 pm

Thanks Amm0 ... I have not had any luck so far

My understanding is that mDNS is crucial for facilitating device discovery and communication within local networks without the need for a dedicated DNS server ... but Tik have not explained how that is implemented under RoS ... why introduce a new feature without some form of direction that is not puzzling .... rhetorically stated ...

Amm0 · Wed Jul 03, 2024 7:19 pm

AFAIK, it looks like RouterOS just copies the mDNS UDP packets between the selected interface.

It's roughly same approach as viewtopic.php?t=204025&hilit=mdns. Just implemented at a low-level.

Basically RouterOS will look for mDNS if configured in /ip/dns, then re-broadcast any mDNS the router gets on ANY of the mDNS interface to ALL of the configuration mDNS interfaces.

So it's not some flexible mDNS "router", at this point, it just copies/mirror/repeats everything bi-directionally. The reason why this get more complex is if you want to define "one-way" repeating (i.e. mDNS flows uni-directionally). Right now, basically, you can create ONE mDNS discovery zone, that "shares" everything between the interfaces configured in /ip/dns. Perhaps more is planned, but I think that's what it does in beta3.

Amm0 · Wed Jul 03, 2024 8:01 pm

In fairness, I did one test of this... between a remote EoIP to my folk house. If enable this 7.16 mDNS repeat in /ip/dns, I can see and control a Roku TV at least. So we'll have to wait for Mikrotik to say more on what it should do... All I can see is what a 15 minute tested showed

.

The remote EoIP and local network are both just in "LAN" interface-list, so there are no VLAN restrictions. If you restrict VLANs... you have to allow both mDNS for input, and whatever protocol used by the device in forward. That part isn't changed by repeating mDNS, the firewall still has to allow whatever traffic, even multicast.

While Apple AirPrint should work find being "repeated". I'm not sure AirPlay works if repeated due to DRM concerns - I dunno for sure (since a HomePod already deal with the apple things). So I didn't test AirPlay, but that not working, would not be a surprise. i.e. Apple AirPlay may need a src-nat NAT rule between VLANs (for AirPlay) since the source IP is unicast & I believe it enforces that AirPlay MUST be on same LAN. So repeating the mDNS doesn't help when trying to play music/movie – maybe this has changed. But testing AirPlay with this feature would not be a good "first test".

S8T8 · Wed Jul 03, 2024 9:25 pm

OT: @Amm0, have you connected two remote locations using EoIP with interface added to the Bridge (and eventually VLAN ID), or assigning an Address to EoIP and adding routing rule?
MTU? Mangle rules?
If you prefer I can be more specific with the question posting in viewtopic.php?t=206322

Amm0 · Wed Jul 03, 2024 10:21 pm

Correct, in my test case. There RB1100AHx4 that hangs on my LAN that I use for mainly for testing beta/devices from work. I have one EoIP link on that RB1100 that is a /interface/bridge/port on BOTH sides - it bridges my folk's remote LAN bridge (from a cAPac that acts as both the AP and router, with an EoIP tunnel (to RB1100)). On the RB1100, there is a /ip/dhcp-client that pull my folk's LAN IPs on to the RB1100, and one additional port is tagged to same VLAN as EoIP.

It seems to allow you set mDNS repeat on the EoIP interface, but unless both sides had that bridged with an /interface/vlan... I'm not sure there be a use case for repeating EoIP directly. Even though there is EoIP involved, it's bridged to a LAN/VLAN on both sides - so it's LAN/VLAN that needs to be included in mDNS repeating.

FWIW, While I have no need for printer between these "sites"... I did verify my Mac on my local LAN see my Mom's printer, a 100 miles away, after enabling the *VLAN* associated with the EoIP tunnel in mDNS in /ip/dns... I can printer a web page on my Mom's inkjet. Without repeating mDNS, the printer would not show up as an option in the Print Dialog. After it I pick the HP in the dropdown.

stuntard · Tue Sep 10, 2024 8:57 am

With the new mDNS Proxy feature, I should just be able to add the 2 VLAN interfaces I want to broadcast between in IP/DNS and it should work correct? I had communication between my phone and Google Nests work with PIM for ages and for some reason it just stopped working so I want to give mDNS a try

mozerd · Mon Sep 23, 2024 11:30 am

My understanding is that mDNS is crucial for facilitating device discovery and communication within local networks without the need for a dedicated DNS server ... but Tik have not explained how that is implemented under RoS ... why introduce a new feature without some form of direction that is not puzzling .... rhetorically stated ...

The key to success For Me using Tiks mDNS implementation was provided by @victorbayas in the following post
The following Firewall filter rule was all that was needed to get my 2 isolated VLANS to work with my Apple AirPrint capable printer

/ip firewall filter add action=accept chain=input comment="Allow mDNS" disabled=no dst-address=224.0.0.251 dst-port=5353 log-prefix=mDNS protocol=udp src-port=5353

Thank YOU @victorbayas
I did find that mDNS to be very chatty but that is expected

massinia · Tue Sep 24, 2024 5:11 pm

A question...
Do you think mDNS could work through a Wireguard tunnel?

I've been trying since this morning and it doesn't work, I would like to understand if it is a limitation of the wireguard protocol.

Amm0 · Tue Sep 24, 2024 6:28 pm

Wireguard does not support multicast, and mDNS needs multicast... so not possible. The mDNS support in 7.16 is just an "mDNS repeater", so the resulting "repeated" multicast can not be forwarded over WG.

And why I've long argued that /ip/dns should act as mDNS/DNS-SD "Discovery Proxy" to deal with mDNS per RFC-8766. Essentially that means that a regular DNS server can resolve multicast mDNS lookups, so RFC-8766 "discovery proxy" support for unicast DNS is what's needed for mDNS across subnet to work over WG, and compliant with Bonjour specs

Amm0 · Tue Sep 24, 2024 6:36 pm

FWIW, in a quick google, tailscale does NOT offer a solution to mDNS over WG either: https://github.com/tailscale/tailscale/issues/1013

massinia · Tue Sep 24, 2024 8:20 pm

Thank you Amm0, you are always a great help.
I'll try with another VPN...

Amm0 · Tue Sep 24, 2024 8:37 pm

I'll try with another VPN...

Well... the VPN does need to support multicast & that's the limiting factor to repeating mDNS. I don't think L2TP work with new mDNS proxy. So off top of my head, that be GRE+IPSec, EoIP+IPSec and ZeroTier - that should work with new mDNS repeater.

massinia · Tue Sep 24, 2024 9:08 pm

I was thinking about OpenVPN but now I see that the android/iOS app doesn't support TAP tunnel.

So off top of my head, that be GRE+IPSec, EoIP+IPSec and ZeroTier - that should work with new mDNS repeater.

OK, then I'll try with ZeroTier.
Thanks again

UpRunTech · Tue Sep 24, 2024 11:50 pm

Do you think mDNS could work through a Wireguard tunnel?

Yes you can but it doesn't use the new mDNS repeater function. See this topic. viewtopic.php?t=194842

Amm0 · Wed Sep 25, 2024 12:01 am

Do you think mDNS could work through a Wireguard tunnel?
Yes you can but it doesn't use the new mDNS repeater function. See this topic. viewtopic.php?t=194842

Well... that's true. But still need EoIP to add the multicast to WG – but you're right the EoIP can run over an existing WG tunnel (and skip the IPSec stuff that's built in to EoIP).

UpRunTech · Wed Sep 25, 2024 3:04 am

Yes you can but it doesn't use the new mDNS repeater function. See this topic. viewtopic.php?t=194842
Well... that's true. But still need EoIP to add the multicast to WG – but you're right the EoIP can run over an existing WG tunnel (and skip the IPSec stuff that's built in to EoIP).

Actually, I wonder, it just might work using the new mDNS repeater if:

* Both ends use EoIP over the Wireguard link (with no IPSEC).
* End A connects it's EoIP port to the bridge/VLAN of interest.
* End B *does not* connect it's EoIP port to a bridge - leave it isolated (actually you might need to put a DCHP client on it or set it's IP statically to have an valid IP address for end A's subnet).
* End B uses the new mDNS repeater with the dangling EoIP and a VLAN or Bridge interface as members.

Just a thought experiment but it might work. I'll try this experiment myself later when I have some time.

Amm0 · Wed Sep 25, 2024 3:43 am

Well... that's true. But still need EoIP to add the multicast to WG – but you're right the EoIP can run over an existing WG tunnel (and skip the IPSec stuff that's built in to EoIP).
* Both ends use EoIP over the Wireguard link (with no IPSEC).
* End A connects it's EoIP port to the bridge/VLAN of interest.
* End B *does not* connect it's EoIP port to a bridge - leave it isolated (actually you might need to put a DCHP client on it or set it's IP statically to have an valid IP address for end A's subnet).
* End B uses the new mDNS repeater with the dangling EoIP and a VLAN or Bridge interface as members.

Just a thought experiment but it might work. I'll try this experiment myself later when I have some time.

I guess theoretically that might work, but it gets confusing. If you just keep both side EoIP bridged, use new /ip/dns/mdns-repeat on EoIP (+ local LAN/VLAN) on each router, and apply more simplified bridge filter to DROP anything NOT port 5353 from over the bridged EoIP+WG link. And you could further tweak it to be a more generic "multicast bridge over WireGuard" (using EoIP connecting over the WG IPs and bridged to desired LANs) by changing the filter rules to allow more/all multicast.

broderick · Wed Sep 25, 2024 1:20 pm

....

I did find that mDNS to be very chatty but that is expected

I have just upgraded my MK to v.7.16, and I'd like to give this new mDNS feature a try.
A Jellyfin container running on my linux server is on VLAN 20, ip 172.16.20.25
My smart TV is on VLAN 30, ip 172.16.30.50. For the time being, the Smart TV can access media on the Jellyfin server only if I put both
on the same VLAN, but I don't want to do that for several reasons.
So, what should I do to make this mDNS works?
Thank you

broderick · Thu Sep 26, 2024 11:19 am

In spite of the new mDNS feature, I haven't yet managed to make multicast work between two VLANs, that is, between the jellyfin server and a few clients on another VLAN.

Kanzler · Thu Sep 26, 2024 11:31 am

Have you opened port 5353?

broderick · Thu Sep 26, 2024 12:21 pm

Have you opened port 5353?

Yes, I added this rule:

/ip firewall filter add action=accept chain=input comment="Allow mDNS" disabled=no dst-address=224.0.0.251 dst-port=5353 log-prefix=mDNS protocol=udp src-port=5353

Anyway, I disabled any reject or drop rule on the firewall temporarily. Same problem. It is like the multicast traffic doesn't propagate..maybe

mozerd · Thu Sep 26, 2024 12:37 pm

/ip firewall filter add action=accept chain=input comment="Allow mDNS" disabled=no dst-address=224.0.0.251 dst-port=5353 log-prefix=mDNS protocol=udp src-port=5353

In my highly restrictive local communication environment I had to add an addition forward rule like following:

/ip firewall filter add action=accept chain=forward comment="FORWARD FromDevices ToDevices" dst-address-list=ToDevices src-address-list=FromDevices

In my case I have 2 address lists [FromDevices ] [ToDevices] these lists populate IP address of hosts that need to communicate with each other
This rule would be placed just above FORWARD Drop all
That enabled multicast to work for the targeted VLANs and the hosts in question ...

broderick · Thu Sep 26, 2024 12:38 pm

Code: Select all
/ip firewall filter add action=accept chain=input comment="Allow mDNS" disabled=no dst-address=224.0.0.251 dst-port=5353 log-prefix=mDNS protocol=udp src-port=5353 
In my highly restrictive local communication environment I had to add an addition forward rule like following:
Code: Select all
/ip firewall filter add action=accept chain=forward comment="FORWARD FromDevices ToDevices" dst-address-list=ToDevices src-address-list=FromDevices
In my case I have 2 address lists [FromDevices ] [ToDevices] these lists populate IP address of hosts that need to communicate with each other
This rule would be placed just above FORWARD Drop all
That enabled multicast to work for the targeted VLANs and the devices in question ...

I had already added a forward rule between the server and the smart TV in different VLANs. Thanks

massinia · Thu Sep 26, 2024 12:40 pm

It works perfectly for me between two VLANs even without the rule

/ip firewall filter add action=accept chain=input comment="Allow mDNS" disabled=no dst-address=224.0.0.251 dst-port=5353 log-prefix=mDNS protocol=udp src-port=5353

I just created a forward rule to allow traffic between the two devices.
Are you using Windows for testing?
If so, temporarily disable the firewall.

broderick · Thu Sep 26, 2024 1:00 pm

It works perfectly for me between two VLANs even without the rule
Code: Select all
/ip firewall filter add action=accept chain=input comment="Allow mDNS" disabled=no dst-address=224.0.0.251 dst-port=5353 log-prefix=mDNS protocol=udp src-port=5353 
I just created a forward rule to allow traffic between the two devices.
Are you using Windows for testing?
If so, temporarily disable the firewall.

Nope. The server in which Jellyfin runs is a linux machine (firewall disabled) and the client is a smartv.

mozerd · Thu Sep 26, 2024 1:56 pm

Nope. The server in which Jellyfin runs is a linux machine (firewall disabled) and the client is a smartv.

I am not at all familiar with Jellyfin but in reading some stuff on the web I have hits stating that Jellyfin currently does not support multicasting ...

https://features.jellyfin.org/posts/172 ... ew-a-strea

I know that mDNS works well for me .... I know that most if not all Linux machines support multicasting but Jellyfin apparently does not but I could be wrong.

broderick · Thu Sep 26, 2024 2:49 pm

I am not at all familiar with Jellyfin but in reading some stuff on the web I have hits stating that Jellyfin currently does not support multicasting ...
https://features.jellyfin.org/posts/172 ... ew-a-strea
I know that mDNS works well for me .... I know that most if not all Linux machines support multicasting but Jellyfin apparently does not but I could be wrong.

I don't know. It could.
For the record Jellyfin runs a DLNA server.

optio · Thu Sep 26, 2024 5:21 pm

Tested new mdns-repeat-ifaces feature on ROS DNS using macOS and iOS screen mirroring (AirPlay) and cast from Google Chrome (Google Cast) from isolated VLAN to Android tv box on LAN and it works - discovery and streaming, but had to allow many ports on forward chain from vlan to TV box.

mozerd · Fri Sep 27, 2024 12:35 am

With the current implementation of mDNS I have my Sonos Speakers and Apple Airprint Printers all working flawlessly

Sonos and AirPrint Printer reside on vlan100 --- devices that need access to either one of these reside on vlan20 ...

Using the 2 firewall rules mentioned in my posting here ....

massinia · Fri Sep 27, 2024 12:40 am

Nope. The server in which Jellyfin runs is a linux machine (firewall disabled) and the client is a smartv.

Ah OK, then why do you use mDNS instead of PIM-SM for DLNA/UPnP?

optio · Fri Sep 27, 2024 1:29 am

Using the 2 firewall rules mentioned in my posting here ....

/ip firewall filter add action=accept chain=forward comment="FORWARD FromDevices ToDevices" dst-address-list=ToDevices src-address-list=FromDevices

This completely exposes hosts in list, more secure is to allow just needed ports for hosts in list.

broderick · Fri Sep 27, 2024 9:44 am

Nope. The server in which Jellyfin runs is a linux machine (firewall disabled) and the client is a smartv.
Ah OK, then why do you use mDNS instead of PIM-SM for DLNA/UPnP?

I gave it a try too. It didn't work.

mozerd · Fri Sep 27, 2024 10:29 am

This completely exposes hosts in list, more secure is to allow just needed ports for hosts in list.

in my situation I only allow one to one communication - nope, local hosts [and/or devices] are completely secure from each other unless permitted,

I'm always ready to learn, however ...

RoS 7.16 RC4 mDNS

RoS 7.16 RC4 mDNS

Re: RoS 7.16 beta3 mDNS

Re: RoS 7.16 beta3 mDNS

Re: RoS 7.16 beta3 mDNS

Re: RoS 7.16 beta3 mDNS

Re: RoS 7.16 beta3 mDNS

Re: RoS 7.16 beta3 mDNS

Re: RoS 7.16 beta3 mDNS

RoS 7.16 RC4 mDNS

Re: RoS 7.16 RC4 mDNS

Re: RoS 7.16 RC4 mDNS

Re: RoS 7.16 RC4 mDNS

Re: RoS 7.16 RC4 mDNS

Re: RoS 7.16 RC4 mDNS

Re: RoS 7.16 RC4 mDNS

Re: RoS 7.16 RC4 mDNS

Re: RoS 7.16 RC4 mDNS

Re: RoS 7.16 RC4 mDNS

Re: RoS 7.16 RC4 mDNS

Re: RoS 7.16 RC4 mDNS

Re: RoS 7.16 RC4 mDNS

Re: RoS 7.16 RC4 mDNS

Re: RoS 7.16 RC4 mDNS

Re: RoS 7.16 RC4 mDNS

Re: RoS 7.16 RC4 mDNS

Re: RoS 7.16 RC4 mDNS

Re: RoS 7.16 RC4 mDNS

Re: RoS 7.16 RC4 mDNS

Re: RoS 7.16 RC4 mDNS

Re: RoS 7.16 RC4 mDNS

Re: RoS 7.16 RC4 mDNS

Re: RoS 7.16 RC4 mDNS

Re: RoS 7.16 RC4 mDNS

Re: RoS 7.16 RC4 mDNS

Re: RoS 7.16 RC4 mDNS

Who is online