Announcement

**dashpuppy** · 06-22-2022, 04:07 PM

Originally posted by willquill View Post

Okay so I literally just started using Untangle yesterday. Happy convert from OPNsense so far. My network got more complicated, and I was having a very hard time with OPNsense firewall rules between VLANs/subnets. So far, the grass is greener over here! Looks like I can even get away with the free tier if I really wanted to, though I'm starting to explore policies a bit, and I'm loving the pie charts.

Anyway, I found a closed thread on this forum regarding mDNS, and a user said they wrote an Ansible playbook to get mDNS working in Untangle. They didn't post a link to the playbook, but they wrote some instructions. I adapted them into a playbook, and it works!!!

I'm happy to say that with a little bit of Ansible prep work (documented in my GitHub repo at willquill/untangle-mdns), it will be working with a single command that looks like this:

Code:

ansible-playbook -i hosts -l untanglenodes untangle-mdns.yml

I wrote the repo to be user friendly for anyone using macOS, Rocky Linux 8, or openSUSE. You can find the repo here: (https)://github.com/willquill/untangle-mdns

It uses the MIT License and is totally free for the community.

What works:

* iPhone on internal/trust vlan/subnet
* Sonos and Apple TVs on IoT vlan/subnet
* iPhone can use AirPlay 2 with Sonos and Apple TVs
* The Spotify app in iOS can also play to Sonos/Apple TV

I did not have to create a UDP 5353 firewall rule between the subnets, though all traffic between the subnets is blocked.

If any forum admins are reading this, I am a new user with 0 posts, so I can't post links. It would be great if you could whitelist GitHub links at least.

Some key phrases for the googles:

mdns with untangle
get mdns to work with untangle
mdns in untangle
multicast dns with untangle

Nice work, i know one of the guys is bugging me about this :P on our discord channel

He might like this !

**jcoehoorn** · 06-23-2022, 07:17 AM

Come back after the next major Untangle upgrade (17.0 or later) and let us know if the changes stick or if the Untangle update reverts them.

**willquill** · 06-23-2022, 07:46 AM

I spoke too soon on the Sonos thing. And I can't edit my OP

Sonos needs an IGMP proxy on the firewall, which I haven't figured out yet.

I was thinking of going back to OPNsense, but I decided screw it, Sonos is going on my main wifi network with the rest of my phones/tablets/laptops.

The fix in my OP allows for mDNS, which I think means that Airplay should work flawlessly. But Sonos will not.

A resources for Sonos IGMP proxy, which as far as I can tell no one has solved for Untangle yet: (https)(www).packetmischief.ca/2021/08/04/operating-sonos-speakers-in-a-multi-vlan-network/

**willquill** · 06-23-2022, 07:52 AM

Originally posted by jcoehoorn View Post

Come back after the next major Untangle upgrade (17.0 or later) and let us know if the changes stick or if the Untangle update reverts them.

Will do. That's the reason I did it via an Ansible playbook instead of doing it manually on the Untangle box. Whether Untangle gets updated or even factory reset, all I have to do is use the "ssh-copy-id" command followed by the "ansible-playbook" command and it should just work again (after restoring my Untangle settings, of course, since I specify the interfaces).

**diothar** · 06-24-2022, 08:28 PM

Thank you. I’ll be giving this a shot this weekend. I’m coming off opnsense and love everything Untangle does so much more, but It boggles my mind that they still haven’t added mdns despite it being the number 2 feature request.

Thank you for pointing me here, dashpuppy

**diothar** · 06-25-2022, 12:06 AM

I went through the process of installing ansible and getting it working
(by the way, I ran into an issue where I would get version 2.9.6 installed and your yaml wouldn't work.

had to add
sudo apt-add-repository ppa:ansible/ansible
and do an update after adding that repo, and then I got 2.12.2 and that version ran the playbook.

I'm not able to ping across my subnets still.
For my test, I had my laptop hardwired, on a specific subnet.
Joined my iphone on my wifi on a new subnet

I could ping my iphone's IP address from my original vlan
I could not ping joshuas-iphone.local from my original vlan to my new vlan

put my laptop on the wifi, which swapped out the vlans for me
at that point, I could ping joshuas-iphone.local

So I'm not traversing subnets with avahi yet.
I checked the /etc/avahi/avahi-daemon.conf on untangle and I do see it took my customizations regarding the eth1.25 and eth1.69 which are the two vlans I'm working with. So I do know the playbook got the configs moved over.

There's a ton of commented out settings, such as dns, resolv, etc. Should I modify that?
Might be nice to install avahi-browse as part of the playbook for troubleshooting as well.

Any thoughts?

(mods: I know this is unsupported, but I'm extremely frustrated that we've been asking for mdns reflection for years now with barely a response from the untangle team. I'm about to switch firewalls to one that supports this natively).

**diothar** · 06-25-2022, 01:41 PM

edit: I went ahead and opened an issue up on your github, it felt the more appropriate place to submit it.

**willquill** · 06-27-2022, 09:24 AM

Originally posted by diothar View Post

I went through the process of installing ansible and getting it working
(by the way, I ran into an issue where I would get version 2.9.6 installed and your yaml wouldn't work.

had to add
sudo apt-add-repository ppa:ansible/ansible
and do an update after adding that repo, and then I got 2.12.2 and that version ran the playbook.

I'm not able to ping across my subnets still.
For my test, I had my laptop hardwired, on a specific subnet.
Joined my iphone on my wifi on a new subnet

I could ping my iphone's IP address from my original vlan
I could not ping joshuas-iphone.local from my original vlan to my new vlan

put my laptop on the wifi, which swapped out the vlans for me
at that point, I could ping joshuas-iphone.local

So I'm not traversing subnets with avahi yet.
I checked the /etc/avahi/avahi-daemon.conf on untangle and I do see it took my customizations regarding the eth1.25 and eth1.69 which are the two vlans I'm working with. So I do know the playbook got the configs moved over.

There's a ton of commented out settings, such as dns, resolv, etc. Should I modify that?
Might be nice to install avahi-browse as part of the playbook for troubleshooting as well.

Any thoughts?

(mods: I know this is unsupported, but I'm extremely frustrated that we've been asking for mdns reflection for years now with barely a response from the untangle team. I'm about to switch firewalls to one that supports this natively).

First, I responded to your GitHub issue. Thank you for creating it there! That will help others find the info more easily.

Here's what I posted to GitHub:

Hi @diothar! I don't use Airprint across VLANs, but I did some research, and it looks like simply setting a few things in `/etc/avahi/avahi-daemon.conf`, which is all this playbook does, is not enough to get Airprint working.

My research suggests you will need to create a file in the `/etc/avahi/services` directory. You can call it anything you want, and give it a `.service` extension. So you might create `/etc/avahi/services/airprint.service`, and you populate it with some XML content. I found this 12 year old (!) thread, which has instructions on what to do: (https)://(www).finnie.org/2010/11/13/airprint-and-linux/

If you get it working, would you mind letting me know in this issue thread, and even going so far as creating a pull request with your change for this repo so that others can benefit from your development to fix Airprint?

If you don't want to mess with the repo stuff, would you please let me know how you resolved it so that I may update the playbook code as well as the README with the new information?

With regard to this - "I'm not able to ping across my subnets still." - that is expected behavior, as my playbook only enables mDNS on the various interfaces. It does not create any firewall rules or allow any specific TCP/UDP ports or ICMP traffic. You should be able to get ping working across the subnets with a firewall rule or a filter rule in Config > Network > Filter Rules that allows the ICMP protocol between subnets.

Ping uses the ICMP protocol and operates at layer 3, so it wouldn't have anything to do with VLANs, specifically - it only cares about subnets, like allowing ICMP from 192.168.10.0/24 to 192.168.69.0/24. There's no way to allow ICMP from "VLAN 10 to VLAN 69" as VLANs operate at layer 2 via tagged frames (as opposed to network packets).

**donhwyo** · 06-27-2022, 09:33 AM

Got a link to that github?

**willquill** · 06-27-2022, 11:37 AM

Originally posted by donhwyo View Post

Got a link to that github?

I still can't post links here - not enough posts, but I put the obfuscated URL in my OP that started this thread. Here it is again: (https)://github.com/willquill/untangle-mdns

**jcoffin** · 06-27-2022, 11:44 AM

Originally posted by donhwyo View Post

Got a link to that github?

https://github.com/willquill/untangle-mdns

**dashpuppy** · 06-27-2022, 11:44 AM

Originally posted by willquill View Post

I still can't post links here - not enough posts, but I put the obfuscated URL in my OP that started this thread. Here it is again: https://github.com/willquill/untangle-mdns

Fixed

**willquill** · 06-27-2022, 04:04 PM

I just updated the GitHub repo so the Ansible playbook will now install libnss-mdns for hostname resolution as well as avahi-browse for troubleshooting. I also added a troubleshooting section to my README and a note that you must enable UDP 5353 between the subnets as well.

I confirmed that avahi-browse is functional and that libnss-mdns made the required changes after running the playbook, but I'm unable to resolve hostnames. So I think some more work is needed to make this fully functional, but it's on its way there.

For the sake of all of our time and not duplicating things, I'm going to stop updating this thread with every little update. You can visit and subscribe to the issue where this is being discussed for any further updates: https://github.com/willquill/untangle-mdns/issues/1

Once this issue is fully resolved, I'll update this thread if it's still open.

**diothar** · 07-06-2022, 01:48 PM

The link to github is in his first post, he just couldn't post it without obfuscating it. But it's there. To close the loop here, I got the ansible to work but was struggling with the reflection amongst the subnets.

I ended up installing avahi on a linux distro and got it working from that box instead of untangle. I do wish untangle would start supporting mdns reflection from the firewall, though.

Announcement

I wrote an Ansible playbook to get mDNS working with Untangle

I wrote an Ansible playbook to get mDNS working with Untangle

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment