HowTo: mDNS-repeater on MikroTik using container / Docker
Posted: Sat Mar 04, 2023 10:32 pm
I didn't find a howto on the forum so I wanted to share something back.
Apple AirPlay and AirPrint clients use multicast DNS (mDNS) to discover speakers and printers on the network.
mDNS is sent to 224.0.0.251 (ff02::fb for IPv6) on UDP port 5353. That group is in the link-local multicast range 224.0.0.0/24 (not an administratively scoped one), so a router never forwards it: it stays inside one broadcast domain, i.e. inside one VLAN.
"mdns-repeater" is a small multicast DNS repeater for Linux which receives mDNS packets on one interface and re-sends them on the others, so a query from the guest VLAN reaches the LAN and the answer comes back. As run here it repeats every mDNS packet it sees, in both directions, so guests will also learn about any other service advertised on vlan1, not only AirPlay/AirPrint; the firewall rules further down decide what they can actually reach.
This is all based on the great work of:
- https://github.com/TheMickeyMike/docker ... r-mikrotik
- https://github.com/geekman/mdns-repeater
- https://github.com/monstrenyatko/docker-mdns-repeater
Wireshark capture
The capture shows the mDNS query of an iPhone in vlan11-guest (192.168.66.103) discovering an AirPlay receiver (Belkin Soundform Connect, named "Neumann KH 120") in vlan1 (192.168.99.122).
mdns-repeater debug output (-d) in the container:
/container/shell number=1
/bin/mdns-repeater -f -d eth0.1 eth0.11
mdns-repeater: dev eth0.1 addr 192.168.99.111 mask 255.255.255.0 net 192.168.99.0
mdns-repeater: dev eth0.11 addr 192.168.66.114 mask 255.255.255.0 net 192.168.66.0
192.168.66.103 (45 bytes) -> eth0.1
192.168.66.103 (45 bytes) -> eth0.1
192.168.66.103 (90 bytes) -> eth0.1
192.168.99.122 (281 bytes) -> eth0.11
192.168.66.103 (45 bytes) -> eth0.1
192.168.99.122 (343 bytes) -> eth0.11
192.168.99.122 (424 bytes) -> eth0.11
192.168.66.103 (45 bytes) -> eth0.1
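As an added example (not part of the original post and not code from the mdns-repeater project), the following Python shows what a repeater handles on the wire and the allow list a cautious operator would want in front of it: it parses mDNS queries and responses, including the name-compression pointers real answers contain, applies the loop check a repeater needs because it re-sends packets from its own interface address, and only repeats packets whose service types are on an allow list. The interface addresses 192.168.99.111 and 192.168.66.114 are taken from the debug output above; the packets, the SMB service, the port 7000 in the SRV record and the allow list itself are constructed for the example. The repeater as configured on this page does no such filtering and forwards everything it receives on the two interfaces.

```python
import struct

PTR, SRV = 12, 33
# Allow list (an assumption for this example): AirPlay/RAOP for the speakers, IPP/IPPS for AirPrint.
ALLOWED_SERVICES = {"_airplay._tcp.local", "_raop._tcp.local", "_ipp._tcp.local", "_ipps._tcp.local"}

def read_name(buf, off):
    """Decode a DNS name at buf[off] (RFC 1035, with compression pointers); returns (name, end)."""
    labels, end, hops = [], None, 0
    while True:
        length = buf[off]
        if (length & 0xC0) == 0xC0:                # two-byte compression pointer
            end = off + 2 if end is None else end  # the name as written ends after the first pointer
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:                          # hostile packet: pointer loop
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), (end if end is not None else off)

def parse_mdns(buf):
    """Parse a mDNS datagram into (is_response, question names, [(owner, rtype, PTR/SRV target)])."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", buf[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(buf, off)
        questions.append(name)
        off += 4                                   # qtype, qclass
    for _ in range(an + ns + ar):
        name, off = read_name(buf, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        target = None
        if rtype == PTR:
            target, _ = read_name(buf, off)
        elif rtype == SRV:                         # priority, weight, port, then the target host
            target, _ = read_name(buf, off + 6)
        records.append((name, rtype, target))
        off += rdlen
    return bool(flags & 0x8000), questions, records

def service_type(name):
    """'Neumann KH 120._airplay._tcp.local' -> '_airplay._tcp.local'; plain hostnames -> None."""
    parts = name.split(".")
    if len(parts) >= 3 and parts[-3].startswith("_") and parts[-2] in ("_tcp", "_udp"):
        return ".".join(parts[-3:])
    return None

def should_repeat(buf, src_ip, ingress, ifaces):
    """Interfaces a datagram from src_ip received on ingress goes to; ifaces maps iface -> own address."""
    # Loop prevention: the repeater re-sends from its own address on every interface,
    # so a packet from one of those addresses is a copy it made itself.
    if src_ip in ifaces.values():
        return []
    try:
        is_response, questions, records = parse_mdns(buf)
    except (ValueError, struct.error, IndexError):
        return []                                  # malformed: never repeat what we cannot parse
    if is_response:                                # an advertisement may only carry allowed services
        names = [n for rec in records for n in (rec[0], rec[2]) if n]
        ok = {t for t in map(service_type, names) if t} <= ALLOWED_SERVICES
    else:                                          # a browse must ask for at least one allowed service
        asked = {t for t in map(service_type, questions) if t}
        ok = not asked or bool(asked & ALLOWED_SERVICES)
    return [i for i in ifaces if i != ingress] if ok else []

def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_query(names):
    """Standard query with one PTR/IN question per service type (a DNS-SD browse)."""
    return struct.pack("!6H", 0, 0, len(names), 0, 0, 0) + b"".join(
        encode_name(n) + struct.pack("!HH", PTR, 1) for n in names)

def build_response(records):
    """Authoritative response; records are (owner, rtype, raw rdata) and rdata may hold pointers."""
    body = b"".join(encode_name(n) + struct.pack("!HHIH", t, 0x8001, 4500, len(rd)) + rd
                    for n, t, rd in records)
    return struct.pack("!6H", 0, 0x8400, 0, len(records), 0, 0) + body

# Constructed traffic modelled on the capture above; the repeater's own addresses are assumed.
IFACES = {"eth0.1": "192.168.99.111", "eth0.11": "192.168.66.114"}
GUEST_QUERY = build_query(["_airplay._tcp.local", "_raop._tcp.local"])
GUEST_SMB_QUERY = build_query(["_smb._tcp.local"])
# PTR rdata = instance label + pointer 0xC00C back to the owner name at offset 12 (the header size).
SPEAKER_REPLY = build_response([("_airplay._tcp.local", PTR, b"\x0eNeumann KH 120\xc0\x0c"),
    ("Neumann KH 120._airplay._tcp.local", SRV, struct.pack("!HHH", 0, 0, 7000) + encode_name("Neumann-KH-120.local"))])
NAS_REPLY = build_response([("_smb._tcp.local", PTR, encode_name("nas._smb._tcp.local"))])

if __name__ == "__main__":                         # one line per packet, like the -d output above
    for src, ingress, buf in [("192.168.66.103", "eth0.11", GUEST_QUERY), ("192.168.66.103", "eth0.11", GUEST_SMB_QUERY),
                              ("192.168.99.122", "eth0.1", SPEAKER_REPLY), ("192.168.99.200", "eth0.1", NAS_REPLY)]:
        print(src, ingress, "->", should_repeat(buf, src, ingress, IFACES) or "dropped")
```

The policy is deliberately asymmetric: a browse from the guest side is repeated when at least one of its questions is for an allowed service, while an advertisement from the LAN side is repeated only if every service it names is allowed, so a device that also announces SMB or SSH stays invisible to guests. A packet that does not parse is never repeated.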
Configuration
- MikroTik hAP AX3 with container enabled (https://help.mikrotik.com/docs/display/ROS/Container)
- bridge with vlan-filtering=yes (https://help.mikrotik.com/docs/display/ ... switchchip)
- vlan1 = default LAN with the AirPlay & AirPrint receivers
- vlan11-guest = VLAN for guests
- the container interface (veth-trunk) added to the bridge as a tagged member of vlan1 and vlan11; its PVID is irrelevant because the container only uses the tagged sub-interfaces eth0.1 and eth0.11
### Interface VETH setup for container ###
# Give it any address from a range you will never use: RouterOS requires an address on the veth
# or the container will not start, but the repeater itself only works on the tagged sub-interfaces
/interface veth
add address=172.17.0.3/24 comment="docker mdns-repeater interface for vlan 1 and 11" gateway=172.17.0.1 name=veth-trunk
### VLAN & Bridge Setup ###
/interface vlan
add comment="vlan1 LAN" interface=bridge1 name=vlan1-lan vlan-id=1
add comment="vlan11 Guest" interface=bridge1 name=vlan11-guest vlan-id=11
/interface bridge port
add bridge=bridge1 comment="docker mdns-repeater interface for vlan 1 and 11 PVID DOESN'T MATTER!" interface=veth-trunk
/interface bridge vlan
add bridge=bridge1 comment="vlan1 LAN" tagged=bridge1,vlan1-lan,veth-trunk vlan-ids=1
add bridge=bridge1 comment="vlan11 Guest" tagged=bridge1,vlan11-guest,ether1,ether2,veth-trunk vlan-ids=11
### Container Setup ###
# Limit RAM usage
/container config
set ram-high=256.0MiB registry-url=https://registry-1.docker.io tmpdir=usb1-part1/pull
# set vlan interfaces for container: eth0.1 = vlan1, eth0.11 = vlan11
/container envs
add comment="mdns-repeater (FLO-254)" key=REPEATER_INTERFACES name=repeater_envs value="eth0.1 eth0.11"
# External USB-SSD: usb1-part1
/container
add comment="mdns-repeater for vlan 1 & 11 " envlist=repeater_envs hostname=mdns-repeater interface=veth-trunk logging=yes root-dir=usb1-part1/mdns-repeater start-on-boot=yes
Firewall
Discovery now works because the repeated mDNS packets never pass through the router's IP forwarding. The actual AirPlay/IPP connections from vlan11-guest to vlan1 do, so the inter-VLAN firewall drops them unless you add accept rules for exactly the devices you want guests to reach. Rules 3 and 4 below accept any protocol and port towards the two AirPlay receivers; if you want them tighter, limit them to the ports the devices actually use, as rule 5 does for IPP (TCP 631). log=yes is handy while testing and noisy afterwards:
/ip/firewall/filter/print chain=Forward_vlan11_guest
3 ;;; from vlan11-guest > vlan1 Airplay Belkin Soundform
chain=Forward_vlan11_guest action=accept dst-address=192.168.99.122 log=yes log-prefix="vlan11-guest > AirPlay Belkin"
4 ;;; from vlan11-guest > vlan1 Airplay Apple TV
chain=Forward_vlan11_guest action=accept dst-address=192.168.99.104 log=yes log-prefix="vlan11-guest > AirPlay Apple TV"
5 ;;; from vlan11-guest > vlan1 KLARtext HP LJ P1102w - Internet Printing Protocol (IPP)
chain=Forward_vlan11_guest action=accept protocol=tcp dst-address=192.168.99.249 dst-port=631 log=yes log-prefix="vlan11-guest > KLARtext"