Bonjour, Inter-VLAN routing and tears...

jnick

2[H]4U
Joined
Sep 25, 2004
Messages
2,888
As recommended from other threads I made, I finally went ahead last month and purchased my new network gear. Ubiquiti ERL, UniFi and an HP 1810-24G managed switch.

I currently have it setup as follows:

Wired = VLAN2 = x.x.2.0/24
Wireless = VLAN3 = x.x.3.0/24

My Desktop PC is currently my "Media Server" of sorts, hosting all of my iTunes media, and is wired. My Apple TV is currently wireless. See the problem? I didn't realize Bonjour is a multicast protocol, limiting it to a single subnet. This becomes an issue! Is there any way to get Bonjour to cross subnets so I can stream media from my PC to my Apple TV without having my Desktop PC live on my wireless VLAN?

I know a few companies have Bonjour Gateways, however it appears to be specific to large enterprise companies, such as Cisco's WiFi solution, etc.

The whole reason I went with this setup is so I can separate the traffic from my wired and wireless devices. Unfortunately, this is pretty much no longer the case if everything has to live on one network! Any help is appreciated!
 

Jay_2

2[H]4U
Joined
Mar 20, 2006
Messages
3,583
On Cisco I would use ip pim sparse-dense-mode; other than that I have no idea.
 

Arch

Gawd
Joined
Mar 9, 2000
Messages
822
This is not an "Apple" problem. This is a Bonjour protocol implementation detail. It's for local subnets, it's broadcast based, and uses multicast. You should look into wide-area discovery, this link, http://www.dns-sd.org , has some information on it.

Or...you know...you could just have one subnet at home and be done with this entirely.
 

mwarps

Supreme [H]ardness
Joined
Oct 6, 2002
Messages
7,045
Plug the Apple TV into an ethernet cord.
That was hard, wasn't it.

Or, get ready to slap all your Bonjour services into local DNS (which is completely ridiculous, and probably won't work anyway)


Either that, or stop over-complicating your HOME NETWORK to the point where it doesn't work.
 

goodcooper

[H]F Junkie
Joined
Nov 4, 2005
Messages
9,768
Plug the Apple TV into an ethernet cord.
That was hard, wasn't it.

Or, get ready to slap all your Bonjour services into local DNS (which is completely ridiculous, and probably won't work anyway)


Either that, or stop over-complicating your HOME NETWORK to the point where it doesn't work.

all of these things...


Actually... to solve your problem I would probably just make 2 wireless networks on the UniFi... one on your wired subnet, and hidden... and the other public with your wireless subnet... join your Apple TV to your hidden one
 

/usr/home

Supreme [H]ardness
Joined
Mar 18, 2008
Messages
6,160
Create a second SSID on the AP and tag it to your wired VLAN. Use that SSID only for your Apple TV. Problem solved.

Also, Bonjour can blow me. What a POS.
 

Nicklebon

Gawd
Joined
May 22, 2006
Messages
738
Either that, or stop over-complicating your HOME NETWORK to the point where it doesn't work.

I would hardly call separating wired and wireless over-complicated. It is, in fact, best practice and should always be done. The simple fact is most equipment manufacturers took a shortcut early on to make up for a lack of router CPU, and now people think that bridging wireless networks is preferred when in fact it is a horrible idea. Why would anyone think dual-homing a device to a trusted network and an untrusted network (think your cell phone) with no protection is a good idea?
 

goodcooper

[H]F Junkie
Joined
Nov 4, 2005
Messages
9,768
I would hardly call separating wired and wireless over-complicated. It is, in fact, best practice and should always be done. The simple fact is most equipment manufacturers took a shortcut early on to make up for a lack of router CPU, and now people think that bridging wireless networks is preferred when in fact it is a horrible idea. Why would anyone think dual-homing a device to a trusted network and an untrusted network (think your cell phone) with no protection is a good idea?

I think any apparent wireless security problems are an acceptable risk in most users' homes...

I'm sorry, but a user has a wired printer on their network that they want to be able to print to from wireless devices; they shouldn't need a degree in IT to set up the FW rules etc... what OP is doing is another excellent example...

For PUBLIC wireless networks there should be total user isolation, so that wireless users can't access other wireless users or any local resources, internet only (or even filtered internet only IMO); sure, I agree with that.... I don't think that's what OP is trying to do...
 

nessus

2[H]4U
Joined
Jan 30, 2001
Messages
2,221
I think any apparent wireless security problems are an acceptable risk in most users' homes...

Why? Android doesn't even have security in mind as a major design point. Google Android chief Sundar Pichai: "We cannot guarantee that Android is designed to be safe; the format was designed to give more freedom. When they talk about 90% of malware for Android, they must of course take into account the fact that it is the most used operating system in the world. If I had a company dedicated to malware, I would also be addressing my attacks on Android."


iOS isn't any better. The majority of wireless devices in my home are running one or the other.

I love my Rokus as well, but they have no need to be exposed to any of the traffic on the wired network where my important computing is done.

I'm sorry, but a user has a wired printer on their network that they want to be able to print to from wireless devices; they shouldn't need a degree in IT to set up the FW rules etc... what OP is doing is another excellent example...

It's no problem to print from a wireless device on one network to a printer attached to a wired network on another. If the networks are configured properly, all you need to do is supply the IP address of the printer. No degree required.

Most modern network print setup assistants will scan another network range for you to find the printer. If you don't know the specific IP of the printer, but know anything about the network to which it is attached, they'll find it.

For the broadcast type connection that Bonjour forces, supplying an IP as an alternative to make the connection isn't even possible. Just repeat, "Apple knows how to set stuff up better than me, I should do things as Apple specifies, Apple cares about my security" until you believe it, buy nothing but Apple stuff left in its default configuration and it will just work; at least until it hits n-2 revision and they drop security patching support after less than 4 years.
 

Nicklebon

Gawd
Joined
May 22, 2006
Messages
738
I think any apparent wireless security problems are an acceptable risk in most users' homes...

I'm sorry, but a user has a wired printer on their network that they want to be able to print to from wireless devices; they shouldn't need a degree in IT to set up the FW rules etc... what OP is doing is another excellent example...

It is precisely this attitude that is the major reason why home networks are the haven of botnets. Any device that you carry to a remote location and attach to a foreign network is suspect. Treating that device as trusted when you bring it home is simply beyond foolish. Best practices apply everywhere, in the home as well as the office. The fact that a user hasn't taken the time to educate themselves is not a valid reason to ignore best practice.

OP I'm not familiar with HP switches so I would suggest that you google the following:

bonjour routing
bonjour subnets

and apply what you discover there to your switch. There is a lot of information available on how to accomplish what you want for other platforms, so applying it in your environment should not be difficult.
 

aaronearles

[H]ard|Gawd
Joined
Aug 31, 2006
Messages
2,016
Assuming you have the ERL performing your inter-vlan routing, maybe you can use the dhcp-relay option to forward broadcast traffic in EdgeOS/Vyatta, similar to Cisco ip-helper. It appears to have a relay-options port setting for specifying what port to listen on.

Something like this:

Code:
configure
set service dhcp-relay interface ethX
set service dhcp-relay relay-options port 5353
set service dhcp-relay server 192.168.3.255

(It appears you can only specify a single port, which could be a problem; I've never used Bonjour. The server address assumes broadcast.)
 

jnick

2[H]4U
Joined
Sep 25, 2004
Messages
2,888
Plug the Apple TV into an ethernet cord.
That was hard, wasn't it.

Or, get ready to slap all your Bonjour services into local DNS (which is completely ridiculous, and probably won't work anyway)


Either that, or stop over-complicating your HOME NETWORK to the point where it doesn't work.

You, sir, have no idea what I'm running on my home network or why. Therefore, you cannot comment on the complexity of my topology. In the meantime, let's look at your rather pointless solution. I run an ethernet line from my network closet to my Apple TV and now I have iTunes sharing. GREAT! Except I just broke AirPlay for all of my wireless devices, which also work off of Bonjour. Congratulations for a solution that creates ANOTHER problem. :rolleyes:

The answer was simple. Ubiquiti has a built-in mdns service that I didn't realize. Enabled it and we are up and running. Took all of 30 seconds to type and save a command.

Thanks for all of the help, to everyone else.
 

aaronearles

[H]ard|Gawd
Joined
Aug 31, 2006
Messages
2,016
Lol, wish I had noticed the mdns service when I was looking at dhcp-relay. For future reference of others, would that command be simply: "set service mdns reflector" ?
 

jnick

2[H]4U
Joined
Sep 25, 2004
Messages
2,888
Correct:

Code:
configure
set service mdns reflector
commit
save
exit
 

goodcooper

[H]F Junkie
Joined
Nov 4, 2005
Messages
9,768
It's no problem to print from a wireless device on one network to a printer attached to a wired network on another. If the networks are configured properly, all you need to do is supply the IP address of the printer. No degree required.

Most modern network print setup assistants will scan another network range for you to find the printer. If you don't know the specific IP of the printer, but know anything about the network to which it is attached, they'll find it.

so wait, you're advocating separate VLANs for wireless and wired networks with wide open routing and no firewalling?

what in the world is the point of that?
 

twistacatz

Limp Gawd
Joined
Jan 3, 2005
Messages
182
so wait, you're advocating separate VLANs for wireless and wired networks with wide open routing and no firewalling?

what in the world is the point of that?

I was thinking the same thing. Too many threads go in this direction, a lot of bad advice with no good basis.

To goodcooper's point, segmenting your network into different subnets is best practice in a work environment for obvious reasons. If you choose to do this at home because you want to beef up security, you need a firewall or router that allows you to do firewall-like ACLs between both VLANs to create rules that will only allow certain traffic. Otherwise your new setup is no more secure than having everything on one VLAN.

Also, Nicklebon, I don't think bridging networks on old routers was ever a CPU issue. It's more or less a simple route on any device. Honestly it was just a feature that manufacturers didn't make available.

Just my 2 cents.
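Putting the thread's two conclusions together (the reflector command jnick posted, and twistacatz's point that separate VLANs only buy you security if there are firewall rules between them), here is an added EdgeOS configuration example. It is not from the thread or from Ubiquiti's documentation, and it assumes: eth1 is the trunk to the HP switch, with VLAN 2 (wired, 192.168.2.0/24) on vif 2 and VLAN 3 (wireless, 192.168.3.0/24) on vif 3; the media PC sits at 192.168.2.10; and iTunes Home Sharing is served on TCP 3689 (the DAAP port). The firewall name WLAN_IN is made up for the example, and the `#` lines are explanatory notes.

```vyatta
configure

# Reflect mDNS (UDP 5353 to 224.0.0.251) between VLAN 2 and VLAN 3 so
# Bonjour service discovery works across both subnets (jnick's command).
set service mdns reflector

# Ruleset for traffic entering the router from the wireless VLAN.
# Anything not explicitly accepted below is dropped.
set firewall name WLAN_IN description 'wireless VLAN3 -> router (forwarded)'
set firewall name WLAN_IN default-action drop

# 10: traffic not headed for the wired subnet (i.e. Internet-bound) passes.
set firewall name WLAN_IN rule 10 description 'allow non-wired destinations'
set firewall name WLAN_IN rule 10 action accept
set firewall name WLAN_IN rule 10 destination address !192.168.2.0/24

# 20: replies for connections the wired side opened towards wireless devices.
set firewall name WLAN_IN rule 20 description 'allow established/related'
set firewall name WLAN_IN rule 20 action accept
set firewall name WLAN_IN rule 20 state established enable
set firewall name WLAN_IN rule 20 state related enable

# 30: the one wireless -> wired flow the thread needs: the Apple TV pulling
# iTunes Home Sharing (DAAP, TCP 3689, assumed) from the media PC (assumed IP).
set firewall name WLAN_IN rule 30 description 'Apple TV -> iTunes sharing on media PC'
set firewall name WLAN_IN rule 30 action accept
set firewall name WLAN_IN rule 30 protocol tcp
set firewall name WLAN_IN rule 30 destination address 192.168.2.10
set firewall name WLAN_IN rule 30 destination port 3689

# 40: log whatever is about to hit the default drop so mistakes are visible.
set firewall name WLAN_IN rule 40 description 'log everything else'
set firewall name WLAN_IN rule 40 action drop
set firewall name WLAN_IN rule 40 log enable

# Attach the ruleset to the wireless VLAN sub-interface (assumed eth1 vif 3).
set interfaces ethernet eth1 vif 3 firewall in name WLAN_IN

commit
save
exit
```

Two things worth knowing about how this interacts with the reflector: an `in` ruleset only governs traffic the router forwards, so DHCP, DNS and the mDNS multicast that the reflector itself listens for (all addressed to the router) are untouched by WLAN_IN; and AirPlay from a wireless phone to the wireless Apple TV never leaves VLAN 3, so it needs no rule. After a commit, `show firewall name WLAN_IN statistics` shows which rule each flow is matching; if rule 40's drop counter climbs while the Apple TV is browsing the library, a port beyond 3689 is in play and rule 30 needs widening, rather than opening the whole subnet.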
 

goodcooper

[H]F Junkie
Joined
Nov 4, 2005
Messages
9,768
I was thinking the same thing. Too many threads go in this direction, a lot of bad advice with no good basis.

To goodcooper's point, segmenting your network into different subnets is best practice in a work environment for obvious reasons. If you choose to do this at home because you want to beef up security, you need a firewall or router that allows you to do firewall-like ACLs between both VLANs to create rules that will only allow certain traffic. Otherwise your new setup is no more secure than having everything on one VLAN.

Also, Nicklebon, I don't think bridging networks on old routers was ever a CPU issue. It's more or less a simple route on any device. Honestly it was just a feature that manufacturers didn't make available.

Just my 2 cents.

These guys are yelling "YOU'RE WHAT'S WRONG WITH PEOPLE MAKING BOTNETS" and they're advocating security through obscurity; that's a perfect example of people regurgitating stuff someone told them without understanding it...

Like the prevalence of botnets in the typical user's home has NOTHING to do with their unpatched box and deplorable browsing habits... it's because of nefarious neighborhood hackers who intercept their Wi-Fi
 

twistacatz

Limp Gawd
Joined
Jan 3, 2005
Messages
182
These guys are yelling "YOU'RE WHAT'S WRONG WITH PEOPLE MAKING BOTNETS" and they're advocating security through obscurity; that's a perfect example of people regurgitating stuff someone told them without understanding it...

Like the prevalence of botnets in the typical user's home has NOTHING to do with their unpatched box and deplorable browsing habits... it's because of nefarious neighborhood hackers who intercept their Wi-Fi

Well said... Usually I wouldn't even comment on a thread like this but I felt like I had to based on all of the BS security "advice" that was being offered.
 

Nicklebon

Gawd
Joined
May 22, 2006
Messages
738
These guys are yelling "YOU'RE WHAT'S WRONG WITH PEOPLE MAKING BOTNETS" and they're advocating security through obscurity; that's a perfect example of people regurgitating stuff someone told them without understanding it...

Like the prevalence of botnets in the typical user's home has NOTHING to do with their unpatched box and deplorable browsing habits... it's because of nefarious neighborhood hackers who intercept their Wi-Fi

Since I am the only person in this thread to mention botnets ...

My point had nothing to do with neighbors, hackers or otherwise. It had to do with taking a laptop home from an unsecured location such as your local Starbucks and allowing it unfettered access to your local network. It also had to do with dual-homed devices such as your cell phone or 3G tablet being treated as trusted.

I certainly never advocated no firewall rules between the wired and wireless networks, just the opposite in fact. Also, at no point did I suggest obscurity.

I did and do advocate following best practice as that's what it is. It draws no distinction between my network at home and the networks of my customers.
 