mDNS (Apple Bonjour) between two VLANs through a PA

Hi,

 

this is the scenario:

 

- A PA with two physical L3 interfaces (1 zone per interface, 1 subnet per interface; we call them A and B).

- I have a device in Subnet A which is an AirPort thing with a printer attached. Devices in Subnet A can discover the printer via the Apple Bonjour service.

- Devices in Subnet B cannot discover the printer in Subnet A.

- Traffic from/to these two subnets is completely allowed, no restrictions whatsoever, and no NAT.

- Both subnets and devices have the PA interface as default gateway.

- I am running 7.1.

 

What I did:

- In Network - Router, I edited the existing virtual router, went to "Multicast" and enabled Multicast.

- RP Static, RP Interface is the Subnet A interface, RP Address is the Subnet A interface address.

- Group list: 224.0.0.0/4

- Remote Rendezvous Point: empty

- Interfaces: Subnet A interface and Subnet B interface, IGMP/PIM enabled.

- Added a policy from the Subnet A zone and the Subnet B zone to the "Multicast" zone, all allowed.

- And committed.

 

Still, from Subnet B I cannot see the AirPort via the multicast Bonjour service. Ideas?

Thanks heaps

Documentation is here (afaik):

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/networking/configure-interfaces/bonjour-r...

 

If you have an internal interface and an IoT interface, you just need the Bonjour reflector on both interfaces. It's possible on up to 16 interfaces.

It works on AE and subinterfaces.
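Whether the reflector is really re-originating mDNS between the two interfaces is easiest to confirm from a host in the other VLAN rather than from firewall counters. The script below is an added example (mine, not from this thread and not Palo Alto Networks code): it sends the standard service-enumeration PTR query for `_services._dns-sd._udp.local` to 224.0.0.251:5353 from an ephemeral source port, which per RFC 6762 makes it a "legacy unicast" query so responders answer directly to the sender, then parses the PTR answers it gets back. 224.0.0.251 sits in the link-local control block 224.0.0.0/24, which no multicast router forwards, so without a working reflector only responders on the querier's own VLAN appear; with it working, services from the other VLAN should show up with source addresses from that subnet. The `iface_ip` parameter and the embedded `SAMPLE_RESPONSE` are my assumptions and constructed test data, not anything captured from a device.

```python
"""Minimal mDNS service browser (added example, not from the thread)."""
import socket
import struct

MDNS_GROUP = "224.0.0.251"          # link-local multicast group, never routed
MDNS_PORT = 5353
QTYPE_PTR = 12
QCLASS_IN = 1
SERVICE_ENUM = "_services._dns-sd._udp.local"


def encode_name(name):
    """Encode a dotted DNS name into wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_ptr_query(name=SERVICE_ENUM):
    """Standard query: ID 0, flags 0, one question, no resource records."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_PTR, QCLASS_IN)


def decode_name(data, offset, max_hops=16):
    """Decode a possibly compressed name; return (name, offset after the field).
    max_hops bounds pointer chasing so a crafted packet cannot loop forever."""
    labels, end, hops = [], None, 0
    while True:
        if offset >= len(data):
            raise ValueError("name runs past end of packet")
        length = data[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            hops += 1
            if hops > max_hops:
                raise ValueError("too many compression pointers")
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_ptr_answers(data):
    """Return [(owner, target, ttl), ...] for every PTR record in a response."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qd):                                # skip echoed questions
        _, offset = decode_name(data, offset)
        offset += 4
    results = []
    for _ in range(an + ns + ar):
        owner, offset = decode_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == QTYPE_PTR:
            target, _ = decode_name(data, offset)
            results.append((owner, target, ttl))
        offset += rdlen
    return results


# Constructed sample response (not captured from any device): one PTR answer
# whose rdata ends in a compression pointer back to "local" at offset 35.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)
    + encode_name(SERVICE_ENUM)
    + struct.pack("!HHIH", QTYPE_PTR, QCLASS_IN, 4500, 12)
    + b"\x04_ipp\x04_tcp\xc0\x23"
)


def browse(timeout=3.0, iface_ip=None):
    """Send one legacy-unicast query and collect PTR answers until timeout.
    iface_ip (assumed parameter) selects the VLAN-facing interface on multi-homed hosts."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)  # RFC 6762 requires 255
    if iface_ip:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF,
                        socket.inet_aton(iface_ip))
    sock.settimeout(timeout)
    sock.sendto(build_ptr_query(), (MDNS_GROUP, MDNS_PORT))
    seen = {}                                          # service type -> responder IPs
    try:
        while True:
            data, (src, _) = sock.recvfrom(9000)
            try:
                answers = parse_ptr_answers(data)
            except (ValueError, struct.error):
                continue                               # malformed packet, ignore it
            for _, target, _ttl in answers:
                seen.setdefault(target, set()).add(src)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return seen


if __name__ == "__main__":
    for service, responders in sorted(browse().items()):
        print(service, sorted(responders))
```

Run it once from a client in each VLAN and compare: a reflector that works shows the same service types on both sides, with the printer's `_ipp._tcp.local` or `_printer._tcp.local` answered from a Subnet A address even when the query is sent from Subnet B. If the other VLAN's services never appear while the firewall's rx/tx counters climb, the reflector is forwarding frames but something else (a security policy dropping the re-originated unicast replies, or a client that refuses answers from off-link sources) is in the way.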

Thanks! I missed that. I hope it will work for HomeKit as well.

It does not work for me, or I am doing something wrong.

 

name             rx    tx    drop
----------------------------------------------------------
ethernet1/3.10   39    122   0
ethernet1/3.20   122   39    0

 

It looks like the PA-220 is reflecting Bonjour packets. I made a rule from LAN to IoT, but there is no traffic.

I installed a Bonjour discovery app on the Mac and I can see all devices, but the Mac Home app and screen mirroring are not available.

Should I do anything more than enabling the reflector and creating a rule?

Maybe some DNS proxy trick? My DNS is set up to point at an Internet gateway right now.

Still no success.

I tried to compare the mDNS browser app from the IoT VLAN and the user LAN, and both are the same.

I spotted that the rule is not required, because the PA-220 will forward 100% of the necessary traffic.

I am going to create a support case for that. I know that this is a new thing for PA, but they still need user feedback, and I need this functionality.

 

Hi There

 

Did the case reveal anything new? I enabled it on the two interfaces in question but have the same result.

Thank you and best regards

There's no home like 127.0.0.1

Yes.

You have to add a valid access list, and remember to do it in both directions, because much of this traffic is generated from both sides.

Put application any and port any if you can for a start, and then add the discovered apps; it depends on what devices you have.

If HomeKit is the purpose of your setup, you can leave only the app center, like the Apple TV, on the LAN side in the ACLs.

 

Regards,

Jerzy Kołysz

Hi

 

I've allowed CLIENTS to APPLETV and APPLETV to CLIENTS security zones for ANY / ANY,
but still no luck. What about the DNS setting that you've mentioned?

Thanks

Alex

There's no home like 127.0.0.1

Let's speak about this scenario: https://lucid.app/lucidchart/invitations/accept/6024dbd9-e4e4-4a9c-bb96-f95bec16352a

I suggest putting the IoT devices in the IoT network and the Apple TV in the general network (LAN).

Then turn on the Bonjour reflector, and after that make an ACL from the LAN zone to the IoT zone, and one more in the opposite direction.

If you make two ACLs instead of one, you can add your Apple TV as the destination on the LAN side in the first ACL, and as the source on the LAN side in the second ACL.

I have a setup like that and it works.

I suggest putting the Apple TV in the LAN because it usually needs an Internet connection.
