willquill / untangle-mdns

Get mDNS support on your Untangle box
MIT License

Doesn't seem to rebroadcast for me. #1

Open diothar opened 2 years ago

diothar commented 2 years ago

Thank you, I am very interested in getting this working. I'm frustrated Untangle doesn't have this support natively.

I set up this test: laptop on VLAN 10 (third octet is 10), printer on VLAN 10. I'm able to AirPrint as expected.

Move laptop to VLAN 69 (trusted, third octet is 69), printer on VLAN 10. Cannot print.

syslog from untangle for when I first got the ansible working:

syslog:Jun 25 01:37:59 untangle ansible-ansible.legacy.command: Invoked with _raw_params=systemctl restart avahi-daemon.service uses_shell=True warn=False stdin_add_newline=True strip_empty_ends=True argv=None chdir=None executable=None creates=None removes=None stdin=None
syslog:Jun 25 01:37:59 untangle avahi-daemon[98431]: Got SIGTERM, quitting.
syslog:Jun 25 01:37:59 untangle avahi-daemon[98431]: Leaving mDNS multicast group on interface eth1.13.IPv4 with address 172.25.13.1.
syslog:Jun 25 01:37:59 untangle avahi-daemon[98431]: Leaving mDNS multicast group on interface eth1.100.IPv4 with address 172.25.100.1.
syslog:Jun 25 01:37:59 untangle avahi-daemon[98431]: Leaving mDNS multicast group on interface eth1.69.IPv4 with address 172.25.69.1.
syslog:Jun 25 01:37:59 untangle avahi-daemon[98431]: Leaving mDNS multicast group on interface eth1.25.IPv4 with address 172.25.25.1.
syslog:Jun 25 01:37:59 untangle avahi-daemon[98431]: Leaving mDNS multicast group on interface br.lxc.IPv4 with address 192.0.2.1.
syslog:Jun 25 01:37:59 untangle avahi-daemon[98431]: Leaving mDNS multicast group on interface eth1.IPv4 with address 172.25.10.1.
syslog:Jun 25 01:37:59 untangle avahi-daemon[98431]: Leaving mDNS multicast group on interface eth0.IPv4 with address REDACTED.
syslog:Jun 25 01:37:59 untangle avahi-daemon[98431]: avahi-daemon 0.7 exiting.
syslog:Jun 25 01:37:59 untangle systemd[1]: avahi-daemon.service: Succeeded.
syslog:Jun 25 01:37:59 untangle avahi-daemon[98592]: Process 98431 died: No such process; trying to remove PID file. (/run/avahi-daemon//pid)
syslog:Jun 25 01:37:59 untangle avahi-daemon[98592]: Found user 'avahi' (UID 120) and group 'avahi' (GID 126).
syslog:Jun 25 01:37:59 untangle avahi-daemon[98592]: Successfully dropped root privileges.
syslog:Jun 25 01:37:59 untangle avahi-daemon[98592]: avahi-daemon 0.7 starting up.
syslog:Jun 25 01:37:59 untangle avahi-daemon[98592]: WARNING: No NSS support for mDNS detected, consider installing nss-mdns!
syslog:Jun 25 01:37:59 untangle avahi-daemon[98592]: Successfully called chroot().
syslog:Jun 25 01:37:59 untangle avahi-daemon[98592]: Successfully dropped remaining capabilities.
syslog:Jun 25 01:37:59 untangle avahi-daemon[98592]: No service file found in /etc/avahi/services.
syslog:Jun 25 01:37:59 untangle avahi-daemon[98592]: Joining mDNS multicast group on interface eth1.69.IPv4 with address 172.25.69.1.
syslog:Jun 25 01:37:59 untangle avahi-daemon[98592]: New relevant interface eth1.69.IPv4 for mDNS.
syslog:Jun 25 01:37:59 untangle avahi-daemon[98592]: Joining mDNS multicast group on interface eth1.25.IPv4 with address 172.25.25.1.
syslog:Jun 25 01:37:59 untangle avahi-daemon[98592]: New relevant interface eth1.25.IPv4 for mDNS.
syslog:Jun 25 01:37:59 untangle avahi-daemon[98592]: Joining mDNS multicast group on interface eth1.IPv4 with address 172.25.10.1.
syslog:Jun 25 01:37:59 untangle avahi-daemon[98592]: New relevant interface eth1.IPv4 for mDNS.
syslog:Jun 25 01:37:59 untangle avahi-daemon[98592]: Network interface enumeration completed.
syslog:Jun 25 01:37:59 untangle avahi-daemon[98592]: Registering new address record for 172.25.69.1 on eth1.69.IPv4.
syslog:Jun 25 01:37:59 untangle avahi-daemon[98592]: Registering new address record for 172.25.25.1 on eth1.25.IPv4.
syslog:Jun 25 01:37:59 untangle avahi-daemon[98592]: Registering new address record for 172.25.10.1 on eth1.IPv4.
syslog:Jun 25 01:37:59 untangle avahi-daemon[98592]: Server startup complete. Host name is untangle.local. Local service cookie is 1389909760.
syslog:Jun 25 01:47:44 untangle avahi-daemon[98592]: Files changed, reloading.
syslog:Jun 25 01:47:44 untangle avahi-daemon[98592]: No service file found in /etc/avahi/services.

Wireshark does show traffic to 224.0.0.1 on both subnets, but doesn't seem to cross subnets. I can attach a wireshark pcap if you give me a safe place to upload it, I don't want to simply attach it here.
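Added example, not code from the thread or from the untangle-mdns playbook: a small Python script that replays the avahi-daemon restart log above and reports which interfaces the new daemon actually joined the mDNS multicast group on. The sample log is a trimmed copy of the lines posted above; the list of "required" interfaces (eth1 for VLAN 10, eth1.69 for VLAN 69) is an assumption taken from the test described in the comment. If both VLAN interfaces show up as members, the daemon is listening where it should, and the missing cross-subnet replies have to be explained by something else, such as the firewall rules between the two subnets.

```python
import re

# Constructed sample: a trimmed copy of the avahi-daemon restart posted above
# (same interfaces and addresses; unrelated lines dropped).
SAMPLE_SYSLOG = """\
syslog:Jun 25 01:37:59 untangle avahi-daemon[98431]: Leaving mDNS multicast group on interface eth1.13.IPv4 with address 172.25.13.1.
syslog:Jun 25 01:37:59 untangle avahi-daemon[98431]: Leaving mDNS multicast group on interface eth1.100.IPv4 with address 172.25.100.1.
syslog:Jun 25 01:37:59 untangle avahi-daemon[98431]: Leaving mDNS multicast group on interface eth1.69.IPv4 with address 172.25.69.1.
syslog:Jun 25 01:37:59 untangle avahi-daemon[98431]: Leaving mDNS multicast group on interface eth1.IPv4 with address 172.25.10.1.
syslog:Jun 25 01:37:59 untangle avahi-daemon[98431]: avahi-daemon 0.7 exiting.
syslog:Jun 25 01:37:59 untangle avahi-daemon[98592]: avahi-daemon 0.7 starting up.
syslog:Jun 25 01:37:59 untangle avahi-daemon[98592]: Joining mDNS multicast group on interface eth1.69.IPv4 with address 172.25.69.1.
syslog:Jun 25 01:37:59 untangle avahi-daemon[98592]: Joining mDNS multicast group on interface eth1.25.IPv4 with address 172.25.25.1.
syslog:Jun 25 01:37:59 untangle avahi-daemon[98592]: Joining mDNS multicast group on interface eth1.IPv4 with address 172.25.10.1.
syslog:Jun 25 01:37:59 untangle avahi-daemon[98592]: Server startup complete. Host name is untangle.local. Local service cookie is 1389909760.
"""

# One regex for the two membership events avahi logs; the trailing '.' is not part of the address.
EVENT_RE = re.compile(
    r"avahi-daemon\[(?P<pid>\d+)\]: (?P<event>Joining|Leaving) mDNS multicast group "
    r"on interface (?P<iface>\S+) with address (?P<addr>\S+?)\.?$"
)


def multicast_membership(syslog_text):
    """Replay Joining/Leaving events in order and return {interface: address}
    for the interfaces that are still members at the end of the log."""
    members = {}
    for line in syslog_text.splitlines():
        m = EVENT_RE.search(line)
        if not m:
            continue
        if m["event"] == "Joining":
            members[m["iface"]] = m["addr"]
        else:
            members.pop(m["iface"], None)
    return members


def uncovered_interfaces(syslog_text, required):
    """Interfaces that must take part in reflection but never (re)joined the group."""
    return sorted(set(required) - set(multicast_membership(syslog_text)))


if __name__ == "__main__":
    # Assumption: VLAN 10 is eth1 and VLAN 69 is eth1.69, as in the test described above.
    for iface, addr in sorted(multicast_membership(SAMPLE_SYSLOG).items()):
        print(f"{iface:14s} in group, address {addr}")
    print("missing:", uncovered_interfaces(SAMPLE_SYSLOG, ["eth1.IPv4", "eth1.69.IPv4"]))
```

Run it against `grep avahi-daemon /var/log/syslog` output instead of the embedded sample to check a live box. Note that eth1.13 and eth1.100 left the group with the old daemon and never rejoined, which is what a restricted allow-interfaces list looks like in the log; whether that is intended depends on which VLANs you actually want reflected into each other.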

diothar commented 2 years ago

(from this thread:) https://forums.untangle.com/hacks/45422-i-wrote-ansible-playbook-get-mdns-working-untangle.html#post256966

willquill commented 2 years ago

Hi @diothar! I don't use Airprint across VLANs, but I did some research, and it looks like simply setting a few things in /etc/avahi/avahi-daemon.conf, which is all this playbook does, is not enough to get Airprint working.

My research suggests you will need to create a file in the /etc/avahi/services directory. You can call it anything you want, and give it a .service extension. So you might create /etc/avahi/services/airprint.service, and you populate it with some XML content. I found this 12 year old (!) thread, which has instructions on what to do.

If you get it working, would you mind letting me know in this issue thread, and even going so far as creating a pull request with your change for this repo so that others can benefit from your development to fix Airprint?

If you don't want to mess with the repo stuff, would you please let me know how you resolved it so that I may update the playbook code as well as the README with the new information?

diothar commented 2 years ago

@willquill I will keep at it when I'm able to and will let you know when I have it working.

But, currently, I don't think my rebroadcasting is working at all.

I simplified my test to having my iPhone join one of two Wi-Fi SSIDs. One on one subnet, one on the same trusted subnet. When on the trusted subnet, I can ping joshuas-iphone.local (and it shows up on my discovery app enumerating all mDNS).

When I join the other Wi-Fi, on the other VLAN, I cannot ping joshuas-iphone.local, and discovery does not show any other mDNS hostnames that it should, in theory, discover if redirection were working. I can ping it by IP address, though.

It would also be helpful if your Ansible could add avahi-browse; I think that would be a good troubleshooting tool.

I've been working on and off to get Untangle to work with mDNS rebroadcasting for a few months, so I am happy to test anything you have, but I do have very limited experience within the Ansible framework.

willquill commented 2 years ago

> I've been working on and off to get Untangle to work with mDNS rebroadcasting for a few months, so I am happy to test anything you have, but I do have very limited experience within the Ansible framework.

All I'm doing with Ansible is remotely and automatically executing all of the commands that you would normally do manually and locally on the Untangle box.

So if you document what commands to run, what services to install, what configurations you make to those services - all on your Untangle box, let me know what those changes are, and I will update the Ansible to do them automatically via the playbook.

I only did my mDNS test with iPhone to AppleTV across subnets/VLANs (iPhone on Trust, AppleTV on IoT), but let me do some further tests and see if I can solve some of the issues you are having.

diothar commented 2 years ago

@willquill What would you like to see to help you troubleshoot it? The syslog and firewall logs in untangle leave a bit to be desired regarding this daemon. I can provide a pcap, too. Also happy to join a zoom and show you around.

diothar commented 2 years ago

Check out https://wiki.debian.org/Avahi; it gives a bit more context. There might be a few more packages that should get installed.

I am happy to donate for your time. This has been a pet project for me for a while now.

willquill commented 2 years ago

@diothar Done! Do a git pull in your clone of my playbook git repository, and it should pull in my latest changes. Then you can re-run the ansible-playbook command. I also added a Troubleshooting section to the README.

Some of the newer notes:

What this playbook does:

Outcome of playbook:

Important: You must also allow port 5353 on protocol UDP between the subnets used by the interfaces you specified in the playbook. This information is located on this page.

diothar commented 2 years ago

testing now

diothar commented 2 years ago

@willquill

PLAY [Setup mDNS] *****

TASK [Gathering Facts] *****
ok: [untangle]

TASK [untangle-mdns : Check if avahi-daemon is installed (will say "OK" if not installed)] *****
ok: [untangle]

TASK [untangle-mdns : Add buster repository to sources list] *****
skipping: [untangle]

TASK [untangle-mdns : Install python3-apt to use "ansible.builtin.apt"] *****
skipping: [untangle]

TASK [untangle-mdns : Install the build dependencies for package "avahi-daemon"] *****
skipping: [untangle]

TASK [untangle-mdns : Install avahi-daemon] *****
skipping: [untangle]

TASK [untangle-mdns : Remove buster from /etc/apt/sources.list] *****
skipping: [untangle]

TASK [untangle-mdns : Set allow-interfaces in /etc/avahi/avahi-daemon.conf] *****
changed: [untangle]

TASK [untangle-mdns : Enable reflector in /etc/avahi/avahi-daemon.conf] *****
changed: [untangle]

TASK [untangle-mdns : Install libnss-mdns for hostname resolution] *****
fatal: [untangle]: FAILED! => {"changed": true, "cmd": "apt update && apt install --no-install-recommends libnss-mdns -y -q", "delta": "0:00:00.467111", "end": "2022-06-27 18:58:35.421471", "msg": "non-zero return code", "rc": 100, "start": "2022-06-27 18:58:34.954360", "stderr": "\nWARNING: apt does not have a stable CLI interface. Use with caution in scripts.\n\nW: Conflicting distribution: http://updates.untangle.com/public/buster stable-165 InRelease (expected stable-165 but got ngfw-16.5.1)\n\nWARNING: apt does not have a stable CLI interface. Use with caution in scripts.\n\nE: Package 'libnss-mdns' has no installation candidate", "stderr_lines": ["", "WARNING: apt does not have a stable CLI interface. Use with caution in scripts.", "", "W: Conflicting distribution: http://updates.untangle.com/public/buster stable-165 InRelease (expected stable-165 but got ngfw-16.5.1)", "", "WARNING: apt does not have a stable CLI interface. Use with caution in scripts.", "", "E: Package 'libnss-mdns' has no installation candidate"], "stdout": "Hit:1 http://updates.untangle.com/public/buster stable-165 InRelease\nReading package lists...\nBuilding dependency tree...\nReading state information...\nAll packages are up to date.\nReading package lists...\nBuilding dependency tree...\nReading state information...\nPackage libnss-mdns is not available, but is referred to by another package.\nThis may mean that the package is missing, has been obsoleted, or\nis only available from another source", "stdout_lines": ["Hit:1 http://updates.untangle.com/public/buster stable-165 InRelease", "Reading package lists...", "Building dependency tree...", "Reading state information...", "All packages are up to date.", "Reading package lists...", "Building dependency tree...", "Reading state information...", "Package libnss-mdns is not available, but is referred to by another package.", "This may mean that the package is missing, has been obsoleted, or", "is only available from another source"]}

PLAY RECAP *****
untangle : ok=4 changed=2 unreachable=0 failed=1 skipped=5 rescued=0 ignored=0

diothar commented 2 years ago

I will fess up to learning Ansible for this exact purpose, but I don't think this updated config took. Couldn't use avahi-browse, for example.

willquill commented 2 years ago

@diothar I changed the playbook significantly. Try running it again, and it should successfully install avahi-daemon, libnss-mdns, and avahi-utils.

I expect to see services and hosts when I run avahi-browse -art | less on my Untangle box, but I'm not seeing them. Having installed the packages, ensured the services are running, and ensured the files are accurately configured, I don't yet understand why I can't see any services and hosts with the avahi-browse command.

diothar commented 2 years ago

@willquill Sorry, busy day at work. Wanted to get back to you since you've been on top of the responses. The Ansible worked, unlike yesterday, and now I have avahi-browse and such.

It's still not resolving across subnets, but I'll spend more time looking into it a bit later.

I am curious, though: do you get a .local output when you run the command avahi-browse-domains?

I only get: avahi-browse-domains

and I would assume I'd see a .local as well.

diothar commented 2 years ago

One thing I noticed is that avahi-browse -a hangs and never returns anything.

Also, from Untangle, I can't ping entrance.local, which does work on the same subnet.

[root @ untangle] /var/log # avahi-browse -a
^CGot SIGINT, quitting.
[root @ untangle] /var/log # ping Entrance.local
ping: Entrance.local: Name or service not known
[root @ untangle] /var/log #

diothar commented 2 years ago

@willquill ok, progress.

I redid all firewall rules I had to allow all traffic between subnets (I'll lock it down after I get it working). Not everything is showing up (and I think some of that might be because the mDNS devices may be using IPv6 and I'm only dealing with IPv4 rules right now).

But from Untangle, I finally now have a few responses:

[root @ untangle] /etc/avahi # avahi-browse -a

It's not everything by a long shot. But it's something.

diothar commented 2 years ago

although.... hmmm

[root @ untangle] /var/log # systemctl status avahi-daemon.service

Jun 28 22:49:58 untangle.casademorada.lan systemd[1]: Starting Avahi mDNS/DNS-SD Stack...
Jun 28 22:49:58 untangle.casademorada.lan avahi-daemon[80467]: Daemon already running on PID 21126
Jun 28 22:49:58 untangle.casademorada.lan systemd[1]: avahi-daemon.service: Main process exited, code=exited, status=255/EXCEPTION
Jun 28 22:49:58 untangle.casademorada.lan systemd[1]: avahi-daemon.service: Failed with result 'exit-code'.
Jun 28 22:49:58 untangle.casademorada.lan systemd[1]: Failed to start Avahi mDNS/DNS-SD Stack.
[root @ untangle] /var/log # history | grep systemctl

diothar commented 2 years ago

I've restarted the service, and I'm getting:

[root @ untangle] /etc # avahi-browse -va
Server version: avahi 0.7; Host name: untangle.local
E Ifce Prot Name Type Domain
: Cache exhausted
: All for now

What are your routes between subnets?

diothar commented 2 years ago

https://wiki.gentoo.org/wiki/Avahi, note the "Check avahi-daemon is running and listen for 5353 UDP" step:

root # ss -ltunp | grep 5353

Output:

udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* users:(("avahi-daemon",pid=4072,fd=13))
udp UNCONN 0 0 *:5353 *:* users:(("avahi-daemon",pid=4072,fd=14))

Mine is:

[root @ untangle] /etc # ss -ltunp | grep 5353
udp UNCONN 0 0 0.0.0.0:5353 0.0.0.0:* users:(("avahi-daemon",pid=90318,fd=12))
udp UNCONN 0 0 [::]:5353 [::]:* users:(("avahi-daemon",pid=90318,fd=13))

and I don't know what the [::]:5353 and [::]:* mean.
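Added example, not code from the thread or from the untangle-mdns playbook, covering two checks discussed above: the two avahi-daemon.conf settings the playbook sets (allow-interfaces and enable-reflector, plus UDP 5353 having to be open between the subnets) and the `ss -ltunp | grep 5353` output. In that output, `0.0.0.0:5353` is the daemon's UDP socket bound on every IPv4 address and `[::]:5353` is the same for every IPv6 address; the `*:*` column is the peer, which is always unspecified for an unconnected UDP socket, so the two lines simply mean avahi is listening for mDNS on both address families. The config texts and the ss lines below are constructed samples, and the interface names in them are placeholders, not values from the thread.

```python
import configparser
import re

# Constructed sample (assumption): reflector still off and no allow-list.
WEAK_CONF = """\
[server]
use-ipv4=yes
use-ipv6=yes

[reflector]
enable-reflector=no
"""

# Constructed sample (assumption): the two settings the playbook in this thread sets.
# Interface names are placeholders; use the VLAN interfaces of your own box.
REFLECTOR_CONF = """\
[server]
use-ipv4=yes
use-ipv6=yes
allow-interfaces=eth1,eth1.69

[reflector]
enable-reflector=yes
"""

# Constructed sample of `ss -ltunp | grep 5353`, shaped like the output posted above.
SS_OUTPUT = """\
udp   UNCONN 0      0            0.0.0.0:5353       0.0.0.0:*    users:(("avahi-daemon",pid=90318,fd=12))
udp   UNCONN 0      0               [::]:5353          [::]:*    users:(("avahi-daemon",pid=90318,fd=13))
"""


def reflector_findings(conf_text):
    """Return the reasons this avahi-daemon.conf cannot reflect mDNS between VLANs (empty = fine)."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    findings = []
    if cp.get("reflector", "enable-reflector", fallback="no").strip().lower() != "yes":
        findings.append("enable-reflector is not 'yes' in [reflector]")
    allow = cp.get("server", "allow-interfaces", fallback="")
    ifaces = [i.strip() for i in allow.split(",") if i.strip()]
    if not ifaces:
        findings.append("allow-interfaces is unset in [server]: avahi binds every interface, "
                        "including ones that should stay isolated")
    elif len(ifaces) < 2:
        findings.append("allow-interfaces lists a single interface: nothing to reflect between")
    return findings


def mdns_listeners(ss_text):
    """Parse `ss -ltunp` lines; return {bound_address: (process, pid)} for UDP sockets on 5353.
    '0.0.0.0' is the IPv4 wildcard bind, '[::]' the IPv6 wildcard bind."""
    listeners = {}
    for line in ss_text.splitlines():
        parts = line.split()
        if len(parts) < 6 or parts[0] != "udp":
            continue
        local = parts[4]                      # Local Address:Port column
        if not local.endswith(":5353"):
            continue
        m = re.search(r'users:\(\("([^"]+)",pid=(\d+)', line)
        listeners[local.rsplit(":", 1)[0]] = (m.group(1), int(m.group(2))) if m else None
    return listeners


def is_ready(conf_text, ss_text):
    """True when the config can reflect and the daemon is bound on 5353 for every enabled family."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    need = {"0.0.0.0"}
    if cp.get("server", "use-ipv6", fallback="yes").strip().lower() == "yes":
        need.add("[::]")
    return not reflector_findings(conf_text) and need <= set(mdns_listeners(ss_text))


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("reflector", REFLECTOR_CONF)):
        print(name, reflector_findings(conf) or "ok")
    print(mdns_listeners(SS_OUTPUT))
    print("ready:", is_ready(REFLECTOR_CONF, SS_OUTPUT))
```

On a live box, feed `open("/etc/avahi/avahi-daemon.conf").read()` and the captured `ss -ltunp` output to `is_ready`. A True result only says the daemon side is in place; the firewall still has to pass UDP 5353 (and the 224.0.0.251 multicast group, or ff02::fb for IPv6) between the VLANs, which is the part the thread found blocking replies even after the config was right.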

willquill commented 2 years ago

@diothar I've got some news... I ended up abandoning Untangle to go back to OPNsense. With the mDNS and IGMP proxy plugins, I don't have to worry about any of this stuff. I might make Untangle a filtering/bridge device only, if I use it at all.

If you figure out what files need to be changed or what commands need to be run, let me know so I can incorporate them into my Untangle mDNS playbook.

diothar commented 2 years ago

Sorry to see you go. I am a fan of Untangle, but I've opened support tickets and told them that they need to take mDNS reflection more seriously. It's a huge hole in supporting prosumers.

Could you tell me more about what you're using the IGMP proxy stuff for with OPNsense? I know it's important for HomeKit, but what did you find Untangle lacking in it?

As an update for myself, I don't mind trying a bit longer to get it working, but I was testing while waiting to get a Datto computer delivered that I bought off of Jason from the YouTube channel "Jason's Lab" (you spoke with him on the Untangle forum). After spending so much time (many many many hours) trying to get it working with this on my NAS in a Docker container, a VM, and then your Ansible, I threw a Linux Mint distro on the Datto computer, and once I worked out the VLANs in Linux, I had Avahi working within 30 minutes on that distro.

willquill commented 2 years ago

> Could you tell me more about what you're using the IGMP proxy stuff for with OPNsense? I know it's important for HomeKit, but what did you find Untangle lacking in it?

You need to use an IGMP proxy if your Sonos controllers (like the iOS app) and your Sonos players (the speakers) are on different VLANs as described here.

I put my Sonos on my main Wi-Fi, the same as my controllers (phone, tablet, desktop apps), but I wanted to make Sonos available for my guests as well, while continuing to isolate the guests on their own VLAN/subnet.

diothar commented 2 years ago

@willquill Ah, I'm not doing anything with Sonos. My use case is a few HomePod minis, Apple TV (for AirPlay), and AirPrint (which Avahi on my Linux box is handling appropriately). Aside from that, IoT devices using mDNS on a separate VLAN. All of that is working with Avahi on my Linux box, although I'd love to tinker when I can to still try to get this working on Untangle itself.

MP715 commented 2 years ago

Will this work with Chromecast as well?