Page 1 of 2 (Results 1 to 10 of 14)
  1. #1
    Newbie
    Join Date
    Sep 2018
    Posts
    4

    Default mDNS Multicast - Possible Solution and risks

    Hi there,

    first of all let me start by saying that I am not a professional admin. I am using untangle on my home network for a couple of reasons:

    1. I want to use the webfilter / firewall, etc. to control my children's traffic
    2. I am using VLANs to prevent IOT-Devices from accessing my "core" LAN and my home-automation VLAN
    3. I am using the Tunnel-VPN to create some VPN-Tunnels through NordVPN for privacy reasons for some clients
    4. I am using the OpenVPN-Server to access my Network from the outside through OpenVPN

    I have put my Media Devices including my SONOS Boxes on a separate VLAN. That causes the problem that my SONOS boxes can only be reached by clients that are in that exact same VLAN, but not by clients in other VLANs.
    So I was looking for an mDNS solution on the untangle-server itself and came across a solution that works for me.

    I am sharing it so other folks who might have the same issue using Multicast/Bonjour across VLANs can also implement the solution, but I would at the same time be very grateful for any advice on how to harden against security risks and mitigate any issues that might arise from the solution described below.

    I found a python-script called multicast-relay, that can be downloaded and installed by cloning this GIT-repository:
    I cannot post links due to my low post count - please search on github for alsmith/multicast-relay

    I created a file in /etc/systemd/system to run as a service, so every time untangle reloads, e.g. after re-configuring bypass-options, the multicast-relay script is restarted.

    In my example, the script is called multicast.service. Here are the commands you need to use in order to create a functioning script:

    cd /etc/systemd/system
    nano multicast.service

    In the nano-Editor, use this config (assuming the script is under /root/multicast-relay):

    [Unit]
    # Use any description that suits you
    Description=Multicast-Relay mDNS reflector script
    After=network-online.target
    StartLimitInterval=1

    [Service]
    Type=forking
    User=root
    ExecStart=/usr/bin/python /root/multicast-relay/multicast-relay.py --interfaces eth1 eth1.xx eth1.xy eth1.xz
    Restart=on-failure

    [Install]
    WantedBy=multi-user.target

    PRESS CTRL-X
    PRESS Y to save the script
    PRESS ENTER

    Be sure to replace eth1.xx etc. with the VLANs on which you want the service to reflect multicast, e.g. eth1.10 for VLAN 10
    You can use other options as well, but I haven't tested those

    After the file has been saved, you need to give it execute-rights by using this command:

    chmod +x multicast.service

    Last, add it to the system-services that run automatically by entering

    systemctl enable multicast

    and start the script with

    systemctl start multicast

    I would be thankful for your feedback and thoughts on how I can improve this script / harden it against security-issues.

    Thanks,
    Thomas
    Last edited by nolimits; 02-04-2020 at 12:05 PM.
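As an added example (not code from this thread or from the multicast-relay project), here is the kind of check a cross-VLAN reflector should apply before repeating a datagram from the media/IoT VLAN into the core LAN: the source must be one of the relayed interfaces, the destination must be the mDNS group and port, and the payload must actually parse as a DNS message, with name-compression pointers bounded so a crafted packet cannot loop the parser. Only the mDNS leg is modelled (SSDP on 239.255.255.250:1900 is handled the same way in principle). The interface names and the `_sonos._tcp.local` query are constructed sample values; 224.0.0.251 and 5353 are the standard mDNS group and port.

```python
"""Sanity checks for mDNS datagrams before a reflector repeats them across VLANs.

Added example, not code from the multicast-relay project. It models the minimum a
cross-VLAN reflector should verify before repeating a datagram into the core LAN.
Interface names and the service name in the tests are constructed sample values.
"""
import struct

MDNS_GROUP = "224.0.0.251"   # IPv4 mDNS multicast group (RFC 6762)
MDNS_PORT = 5353
MAX_POINTER_DEPTH = 16       # bound on chained compression pointers


class MalformedPacket(ValueError):
    """Raised when a datagram is not a well-formed DNS message."""


def decode_name(payload, offset, depth=0):
    """Decode a DNS name at `offset`; returns (dotted_name, offset_after_name).

    RFC 1035 compression pointers are followed only backwards and only to a
    bounded depth, so a crafted packet cannot send the parser into a loop."""
    if depth > MAX_POINTER_DEPTH:
        raise MalformedPacket("compression pointer chain too deep")
    labels = []
    while True:
        if offset >= len(payload):
            raise MalformedPacket("name runs past end of packet")
        length = payload[offset]
        if length == 0:                      # root label ends the name
            return ".".join(labels), offset + 1
        if length & 0xC0 == 0xC0:            # 11xxxxxx: compression pointer
            if offset + 2 > len(payload):
                raise MalformedPacket("truncated compression pointer")
            pointer = struct.unpack("!H", payload[offset:offset + 2])[0] & 0x3FFF
            if pointer >= offset:
                raise MalformedPacket("compression pointer does not point backwards")
            tail, _ = decode_name(payload, pointer, depth + 1)
            labels.append(tail)
            return ".".join(labels), offset + 2
        if length > 63:
            raise MalformedPacket("label longer than 63 octets")
        offset += 1
        labels.append(payload[offset:offset + length].decode("ascii", "replace"))
        offset += length


def parse_mdns(payload):
    """Parse the header and question section of an mDNS message."""
    if len(payload) < 12:
        raise MalformedPacket("shorter than a DNS header")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!6H", payload[:12])
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = decode_name(payload, offset)
        if offset + 4 > len(payload):
            raise MalformedPacket("truncated question entry")
        qtype, qclass = struct.unpack("!HH", payload[offset:offset + 4])
        offset += 4
        # RFC 6762 uses the top bit of QCLASS as the "unicast response" (QU) flag.
        questions.append((name, qtype, qclass & 0x7FFF))
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),
        "opcode": (flags >> 11) & 0xF,
        "questions": questions,
        "record_count": ancount + nscount + arcount,
    }


def should_reflect(src_iface, dst_ip, dst_port, payload, allowed_ifaces):
    """Return (allowed, reason) for a datagram seen on src_iface; the reason is loggable."""
    if src_iface not in allowed_ifaces:
        return False, "source interface is not in the relay set"
    if (dst_ip, dst_port) != (MDNS_GROUP, MDNS_PORT):
        return False, "not addressed to the mDNS group and port"
    try:
        msg = parse_mdns(payload)
    except MalformedPacket as exc:
        return False, f"malformed: {exc}"
    if msg["opcode"] != 0:
        return False, "non-standard opcode"
    if not msg["questions"] and msg["record_count"] == 0:
        return False, "empty message"
    return True, "ok"


def encode_name(name):
    """Encode a dotted name into DNS label format (used to build sample packets)."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_query(name, qtype=12, txid=0):
    """Build a minimal one-question mDNS query (QTYPE 12 = PTR, class IN, QU bit set)."""
    header = struct.pack("!6H", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 0x8001)
```

Usage: `should_reflect("eth1.10", MDNS_GROUP, MDNS_PORT, build_query("_sonos._tcp.local"), {"eth1", "eth1.10"})` returns `(True, "ok")`, while the same query seen on an interface outside the relay set, sent to a unicast address, or carrying a malformed name comes back `(False, reason)`. Logging the reason string is what turns this from a filter into a detection point for odd traffic on the IoT VLAN.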

  2. #2
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    9,741

    Default

    Also turn off automatic upgrades. At best the changes will be overwritten. At worst, the box will break on the upgrade to the next version.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Master Untangler
    Join Date
    Dec 2018
    Posts
    208

    Default

    I wish this could be addressed as well as a home user with the HomePro license.

    I understand it's not really useful for businesses, however, I have been advising a bunch of people to use Untangle at home so this would be another thing that I could point out that it has since pfSense has the ability and I really don't like pfSense.

  4. #4
    Master Untangler
    Join Date
    Nov 2018
    Posts
    119

    Default

    Quote Originally Posted by nolimits View Post

    I have put my Media Devices including my SONOS Boxes on a separate VLAN. That causes the problem that my SONOS boxes can only be reached by clients that are in that exact same VLAN, but not by clients in other VLANs.
    So I was looking for an mDNS solution on the untangle-server itself and came across a solution that works for me.

    I am sharing it so other folks who might have the same issue using Multicast/Bonjour across VLANs can also implement the solution, but I would at the same time be very grateful for any advice on how to harden against security risks and mitigate any issues that might arise from the solution described below.
    I'm not very familiar with how Multicast/Bonjour works on the network so it might be different, but let me explain.
    I have a NAS on 192.168.1.0/24 network. My home mobile devices (tablet, smart phones etc.) are on vLAN 172.16.10.0/27 network. I need my phone to access for example a Plex server which is on my NAS so I would be able to watch some movies and TV shows. I just created the following rule in Config-Filter Rules:
    Source address 172.16.10.4
    Destination Address 192.168.1.7
    Destination Port 32400
    and I have access to my Plex Server, I can watch movies, listen to the music etc.
    Hope this helped in a way.

  5. #5
    Newbie
    Join Date
    Sep 2018
    Posts
    4

    Default

    Quote Originally Posted by jlficken View Post
    I wish this could be addressed as well as a home user with the HomePro license.

    I understand it's not really useful for businesses, however, I have been advising a bunch of people to use Untangle at home so this would be another thing that I could point out that it has since pfSense has the ability and I really don't like pfSense.
    Hey Jl,

    I'm a home-user myself as well and this solution has been working really fine since I've implemented it. If you need help implementing it, just give me a shout. However, I'm not liable if anything goes wrong :-)

    Best regards,
    Thomas

  6. #6
    Newbie
    Join Date
    Apr 2020
    Posts
    10

    Default

    Too bad Untangle still does not have a good solution for this like avahi. Avahi is in Debian so implementing it shouldn't be that difficult.
    Your solution is great. Could you give me an idea what kind of devices you are working with? Only Sonos?
    Is there any difference in CPU or memory after this implementation?
    What kind of firewall rules did you create to make this work?
    Thanks

  7. #7
    Newbie
    Join Date
    Apr 2020
    Posts
    5

    Default

    Thanks for putting this together. A couple of quick questions on the broader setup. Did you have to compile netifaces or did you use the homebrew option? Also did you setup Access Rules to allow the UDP traffic for Sonos through? You'd likely want 5353 and 6969 to supplement the default 1900.

    As for your service script, you may want to think about using the "simple" service type and the "--foreground" parameter for multicast relay. The python script won't fork that way and it will be easier to troubleshoot it, see logging, etc.

    Also may want to take advantage of the "--ssdpUnicastAddr" parameter on the relay so you can prevent unicast from your IoT to anything in your regular lan. That parameter plus an access rule on 1901 makes it so that IoT unicast responses go to the relay only and you can keep tighter firewall rules.
    Last edited by somerandomguy; 04-29-2020 at 07:45 AM.
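As an added example (not code from this thread or from the multicast-relay project), the following renders the unit file in the form suggested in the post above, Type=simple paired with --foreground, and refuses interface lists of the kind that would silently break the relay: names that do not match the device.vlan syntax, VLAN ids outside 1-4094, duplicates, and names that do not exist on the host (which catches a transposed "eht1"). It assumes the script path /root/multicast-relay/multicast-relay.py from the first post; the interface names and the --ssdpUnicastAddr value are whatever you pass in (the ones in the tests are constructed samples). The --ssdpUnicastAddr argument is, per the post above, an address on the relay host, so the code only checks that it is a syntactically valid IP.

```python
"""Render a systemd unit for multicast-relay in the foreground form (Type=simple
with --foreground) and reject interface names with typos.

Added example, not code from the thread or from the multicast-relay project.
Assumptions: the script lives at /root/multicast-relay/multicast-relay.py as in
the first post; interface names and any --ssdpUnicastAddr value are supplied
by the caller (values used in the tests are constructed samples).
"""
import ipaddress
import os
import re
import sys

# Base device name plus optional VLAN id, e.g. "eth1" or "eth1.10".
IFACE_RE = re.compile(r"^(?P<base>[a-z][a-z0-9-]{1,14})(?:\.(?P<vlan>\d{1,4}))?$")
IFNAMSIZ_MAX = 15  # Linux interface names are at most 15 characters

UNIT_TEMPLATE = """[Unit]
Description=multicast-relay mDNS/SSDP reflector
Wants=network-online.target
After=network-online.target

[Service]
Type=simple
User=root
ExecStart={exec_start}
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
"""


def present_interfaces():
    """Interfaces the kernel currently exposes (empty set when /sys is unavailable)."""
    try:
        return set(os.listdir("/sys/class/net"))
    except OSError:
        return set()


def validate_interface(name, present):
    """Accept only a syntactically valid name that also exists on this host."""
    match = IFACE_RE.match(name)
    if not match or len(name) > IFNAMSIZ_MAX:
        raise ValueError(f"invalid interface name {name!r}")
    vlan = match.group("vlan")
    if vlan is not None and not 1 <= int(vlan) <= 4094:
        raise ValueError(f"VLAN id out of range in {name!r}")
    if present and name not in present:
        raise ValueError(f"interface {name!r} does not exist on this host")
    return name


def render_unit(interfaces, script="/root/multicast-relay/multicast-relay.py",
                ssdp_unicast_addr=None, present=None):
    """Return the unit file text, or raise ValueError on a bad argument."""
    if present is None:
        present = present_interfaces()
    checked = [validate_interface(i, present) for i in interfaces]
    if len(checked) < 2:
        raise ValueError("a reflector needs at least two interfaces")
    if len(set(checked)) != len(checked):
        raise ValueError("duplicate interface in list")
    args = ["/usr/bin/python", script, "--foreground", "--interfaces", *checked]
    if ssdp_unicast_addr is not None:
        # An address on the relay host (see the post above); check it is a real IP.
        args += ["--ssdpUnicastAddr", str(ipaddress.ip_address(ssdp_unicast_addr))]
    return UNIT_TEMPLATE.format(exec_start=" ".join(args))


if __name__ == "__main__":
    # Usage: python render_unit.py eth1 eth1.10 eth1.20 > /etc/systemd/system/multicast.service
    sys.stdout.write(render_unit(sys.argv[1:]))
```

Because the relay stays in the foreground under Type=simple, `journalctl -u multicast` shows its output directly, which is the troubleshooting benefit the post describes; Restart=on-failure with a short RestartSec keeps it from flapping when an interface is briefly absent during a reconfiguration.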

  8. #8
    Newbie
    Join Date
    May 2020
    Posts
    2

    Default

    This solution is not working for me because Untangle V15 does not have the Python netifaces package installed. It is also not possible to install this on V15. Or is there a way?

  9. #9
    Master Untangler CMcNaughton's Avatar
    Join Date
    Feb 2015
    Location
    Denver, CO
    Posts
    194

    Default

    Filter rules can get your VLANs talking, but mDNS is also our #2 feature request for the NGFW, currently. Go give it a vote, if you haven't already.

  10. #10
    Newbie
    Join Date
    May 2020
    Posts
    2

    Default

    Quote Originally Posted by CMcNaughton View Post
    Filter rules can get your VLANs talking, but mDNS is also our #2 feature request for the NGFW, currently. Go give it a vote, if you haven't already.
    I searched this forum but cannot find a solution for how this filter rule needs to be configured. Do you have an example?
