09-13-2016 10:39 PM - edited 09-13-2016 10:41 PM
Hi,
this is the scenario:
- a PA with two physical L3 interfaces (1 zone per interface, 1 subnet per interface, we call them A and B).
- I have a device in Subnet A which is an Airport thing with a printer attached. Devices in Subnet A can discover the printer via the Apple Bonjour service
- Devices in Subnet B cannot discover the printer in subnet A
- Traffic from/to these two subnets is completely allowed, no restrictions whatsoever, and no NAT.
- Both subnets and devices have the PA interface as default gateway
- I am running 7.1
What I did:
- In network-router, I edited the existing virtual router, went to "Multicast" and enabled Multicast.
- RP Static, RP Interface is the Subnet A interface, RP Address the Subnet A interface address
- Group list: 224.0.0.0/4
- Remote Rendezvous point: empty
- Interfaces: Subnet A interface, Subnet B interface, IGMP/PIM enabled
- Added policy from Subnet A zone and Subnet B zone to "Multicast" zone, all allowed
- and committed
Still, from Subnet B I cannot see the Airport via the multicast Bonjour service. Ideas?
thanks heaps
09-15-2016 09:27 AM
By default, Bonjour only works in a single broadcast domain so it won't traverse the firewall.
To get Bonjour to work across subnets, you need to use wide area Bonjour by creating specific DNS entries.
09-20-2016 02:29 AM
Thanks RFalconer.
After a lot more reading, I found out that Bonjour sets ttl=1 by default, so crossing a router, although possible, will decrease ttl to 0 and the packet is discarded. This is by design.
Multicast routing, although possible, will not serve this purpose, hence it won't work.
The only way to handle this is to use a Bonjour gateway, which is a feature some vendors offer, like Aruba or Cisco Meraki.
05-24-2019 06:05 PM
How can this be accomplished? Can you forward local mDNS queries (224.0.0.251) to something routable (224.0.1.251)? Is that what you're suggesting to cross zones?
09-01-2020 10:34 PM
When will PAN-OS 10.0.1 be released?
09-02-2020 11:24 AM
Mid-September is the estimated target.
09-03-2020 08:53 PM
10.0.1 just landed, however this feature is only supported on PA-220, PA-800 and PA-3200... It is not supported on PA-VM.
09-14-2020 06:59 AM
Can you give some instructions, please? Is there any official paper?
09-14-2020 07:06 AM
Documentation is here (afaik):
If you have an internal interface and an IoT interface, you just need the Bonjour reflector on both interfaces. It's possible on up to 16 interfaces.
It works on ae and subinterfaces.
09-14-2020 07:08 AM
Thanks! I missed that. I hope it will work for HomeKit as well.
09-15-2020 03:41 AM
It does not work for me or I am doing something wrong,
name rx tx drop
----------------------------------------------------------
ethernet1/3.10 39 122 0
ethernet1/3.20 122 39 0
It looks like the PA-220 is reflecting Bonjour packets. I made a rule from LAN to IOT but there is no traffic.
I installed the Bonjour Discovery app on the Mac and I can see all devices, but the Mac Home app or screen mirroring are not available.
Should I do anything more than enabling the reflector and creating a rule?
Maybe some DNS proxy trick? My DNS is set up to some Internet gateway right now.
09-15-2020 09:22 AM
Still no success.
I tried to compare the mDNS browser app from the IoT VLAN and the user LAN and both are the same.
I spotted that a rule is not required because the PA-220 will forward 100% of the necessary traffic.
I am going to create a support case for that. I know that this is a new thing for PA; still, they need user feedback, and I need this functionality.
01-08-2021 02:57 AM
Hi There
Did the case reveal anything new? I enabled it on the two interfaces in question but have the same result.
Thank you and best regards