mDNS applications between subnets (Apple TV AirPlay as an example)

Previously we configured firewall rules for getting out to the internet. Now for something trickier: smart devices between VLANs.


A lot of these devices (Apple TV, Google Chromecast, etc.) use a protocol called mDNS (multicast DNS) to find and talk to other devices on the network. mDNS is link-local multicast, so it does not cross a router on its own, and by default pfSense does not run a service to relay it between VLANs.

Installing and Configuring the mDNS Service

Once you have logged into your pfSense router, click System > Package Manager.

Then click on Available Packages, enter Avahi in Search Term, and click the Install button on the right-hand side. This installs the mDNS service (the Avahi daemon) on your router; now we need to configure it.

When the install has completed, go to Services > Avahi.

Now we need to configure the following settings.

Enable: Tick.

Interfaces: Hold Ctrl and click on the VLANs you want to use the mDNS service on.

Disable IPv6: Tick (very few things use IPv6 right now).

Enable Reflection: Tick this, otherwise we won't be able to use services across subnets. Reflection is what repeats the mDNS packets received on one selected interface out to the other selected interfaces.

Enable Publishing: Untick this, as it can advertise services you do not wish these devices to see or use.


Now that we have the service running, we need to create a firewall rule to allow the devices on the network to send mDNS traffic.


As I mentioned before when creating firewall rules, aliases are your friend: you can create one firewall rule and then copy it to the other subnet, and when you need to add new devices you just add them to the alias and every rule using that alias picks them up.

Action: Pass

Address family: IPv4

Protocol: UDP

Source: Single host or alias; enter the IP alias containing the devices you wish to use mDNS.

Destination: Single host or alias; 224.0.0.251 (the mDNS multicast address).

Destination port range: I used a port alias containing port 5353.

Description: Something that makes the rule easy for you to identify.

Then click Save.


Now you need to be patient after adding a device to this rule, as it won't necessarily pick anything up for around 30 minutes to 1 hour in my experience.
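A quicker way to see whether the reflector and the rule above are doing their job, rather than waiting for the Apple TV to appear, is to ask the network directly. The following Python script is an added example and not part of the original post: it sends an mDNS PTR query for _airplay._tcp.local to 224.0.0.251:5353 (the destination and port from the rule) and lists the AirPlay instances that answer. Run it from a machine on a different VLAN than the Apple TV; the service name and timeout are assumptions you can change.

```python
import socket, struct
MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353   # destination address and port used in the rule above
def build_mdns_query(service="_airplay._tcp.local"):
    # One-question PTR query (RFC 6762): id 0, flags 0, QDCOUNT 1, then QTYPE PTR (12), QCLASS IN (1)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in service.split(".")) + b"\x00"
    return struct.pack("!6H", 0, 0, 1, 0, 0, 0) + qname + struct.pack("!2H", 12, 1)

def _read_name(data, off):
    # Decode a DNS name at off, following compression pointers; returns (name, offset after it)
    labels, end = [], None
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:                       # 2-byte pointer into the packet
            end = off + 2 if end is None else end
            off = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
        elif length == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        else:
            labels.append(data[off + 1:off + 1 + length].decode("ascii", "replace"))
            off += 1 + length

def parse_ptr_answers(data):
    # Return the PTR targets (service instance names) from the answer section of a reply
    _, _, qd, an, _, _ = struct.unpack("!6H", data[:12])
    off, found = 12, []
    for _ in range(qd):                                 # skip echoed questions: name + type/class
        off = _read_name(data, off)[1] + 4
    for _ in range(an):
        off = _read_name(data, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        if rtype == 12:
            found.append(_read_name(data, off + 10)[0])
        off += 10 + rdlen
    return found

def probe(service="_airplay._tcp.local", timeout=3.0):
    # Query the group from an ephemeral port; responders answer such "legacy" queries by
    # unicast back to that port (RFC 6762 section 6.7), so a plain recvfrom collects them
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)
    s.settimeout(timeout)
    s.sendto(build_mdns_query(service), (MDNS_GROUP, MDNS_PORT))
    seen = set()
    try:
        while True:
            seen.update(parse_ptr_answers(s.recvfrom(9000)[0]))
    except socket.timeout:
        return sorted(seen)                             # instance names seen from this VLAN

# Constructed sample reply (not a real capture): one PTR answer whose rdata ends with a
# compression pointer (0xC00C) back to the service name at offset 12
SAMPLE_REPLY = (struct.pack("!6H", 0, 0x8400, 0, 1, 0, 0) + b"\x08_airplay\x04_tcp\x05local\x00"
                + struct.pack("!HHIH", 12, 1, 4500, 14) + b"\x0bLiving Room\xc0\x0c")
```

If probe() returns nothing from the other VLAN but works on the Apple TV's own VLAN, the reflector or the 5353 rule is the place to look.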


Creating an internal firewall rule for AirPlay

As before, the process for investigating what this rule needs is pretty much the same. However, unlike internet traffic, we know where this traffic is going to and coming from, so you can filter the firewall log down to just what you want.

I'm not going to detail the investigative process again, but you can read it by going here.

Now I'm just going to detail the ports I have found and what Apple lists them as being used for.

[Screenshot: table of the ports found and Apple's stated uses for them]

As you can see, while a couple of these do mention AirPlay, you do need to investigate for yourself, as a few of these, especially the last one, were stopping me from streaming movies from iTunes to the Apple TV.

I am now going to create a post in which I will detail all of the rules I have made, and I will keep it updated as I add things to my network. That's all for this week.