Everything Instant On

 View Only
Back to discussions
Expand all | Collapse all

Shared Services is not really sharing - likely mDNS problem

  • 1.  Shared Services is not really sharing - likely mDNS problem

    Posted 11-12-2024 05:25 AM
    Edited by Datniha 11-19-2024 03:00 AM

    Hi

    I have a setup with my own Opnsense router an Aruba ION switch (1930) and two access points (AP25) all devices managed via the cloud. I have separated my LAN into three VLAN's; one for my trusted home devices and one for IOT devices and a guest vlan. 

    In the IOT vlan I have among other devices two Apple TVs. The Apple TVs serve as my HomeKit controllers, with multiple other devices linked. I am facing the problem that I cannot control my Apple TVs from our iPhones using the Remote.app unless I on the router turn on UDP broadcast relay on my router - relaying mDNS request between the IOT and HOME vlan. However turning on the mDNS replicator ruins my network almost instantly. Wireshark analysis shows that my network is becoming congested with mDNS traffic causing a reduced network "health" (dropping from 100% to less than 50% - both wired and wireless devices are impacted). This happens regardless of "Shared Services" being turned on or off for all networks. I suspect that the HP ION devices relays some of the packages, and infinite mDNS loops happens.

    I want to truly turn off mDNS relays on all devices or the "shared services" function to actually support more protocols. BTW, Airplay does seem to work when "Shared Services" are enabled for devices supporting this.

    Any advice to solve this problem is much appreciated. 

    As a curiosum AirPrint does not work either out of the box from my HOME vlan for my HP laser printer being on my IOT vlan. Internet Printing Protocol does work, though. To get AirPrint to work, I have for my local unbound DNS forwarder added the following lines of configurational data; replace <printer-name> and local IP address XX.XX.XX.XX. Something similar for my Apple TVs could come in handy but I have yet found a workable solution.

    Any help or pointers is very much appreciated.

    local-data: "<printer-name>.home.arpa A XX.XX.XX.XX"
    local-data: "_printer._tcp.home.arpa PTR _<printer-name>._printer._tcp.home.arpa."
    local-data: "_<printer-name>._printer._tcp.home.arpa SRV 0 0 631 <printer-name>.home.arpa."

    local-data: "_printer._tcp.home.arpa PTR _<printer-name>._universal._sub._ipp._tcp.home.arpa."
    local-data: "_universal._sub._ipp._tcp.home.arpa PTR _<printer-name>._universal._sub._ipp._tcp.home.arpa."
    local-data: "_universal._sub._ipps._tcp.home.arpa PTR _<printer-name>._universal._sub._ipp._tcp.home.arpa."
    local-data: "_<printer-name>._universal._sub._ipp._tcp.home.arpa SRV 0 0 631 <printer-name>.home.arpa."
    local-data: "_<printer-name>._universal._sub._ipp._tcp.home.arpa TXT txtvers=1 qtotal=1 adminurl=https://<printer-name>.home.arpa ty=<printer-name>"

    local-data: "_printer._tcp.home.arpa PTR _<printer-name>._pdl-datastream._tcp.home.arpa."
    local-data: "_pdl-datastream._tcp.home.arpa PTR _<printer-name>._pdl-datastream._tcp.home.arpa."
    local-data: "_<printer-name>._pdl-datastream._tcp.home.arpa SRV 0 0 9100 <printer-name>.home.arpa."
    local-data: "_<printer-name>._pdl-datastream._tcp.home.arpa TXT txtvers=1 qtotal=1 adminurl=https://<printer-name>.home.arpa ty=<printer-name>"
    local-data: "_printer._tcp.home.arpa PTR _<printer-name>._ipp._tcp.home.arpa."
    local-data: "_ipp._tcp.home.arpa PTR _<printer-name>._ipp._tcp.home.arpa."
    local-data: "_<printer-name>._ipp._tcp.home.arpa SRV 0 0 80 <printer-name>.home.arpa."
    local-data: "_<printer-name>._ipp._tcp.home.arpa TXT txtvers=1 qtotal=1 adminurl=https://<printer-name>.home.arpa ty=<printer-name>"
    local-data: "_printer._tcp.home.arpa PTR _<printer-name>._ipps._tcp.home.arpa."
    local-data: "_ipps._tcp.home.arpa PTR _<printer-name>._ipps._tcp.home.arpa."
    local-data: "_<printer-name>._ipps._tcp.home.arpa SRV 0 0 443 <printer-name>.home.arpa."
    local-data: "_<printer-name>._ipps._tcp.home.arpa TXT txtvers=1 qtotal=1 adminurl=https://<printer-name>.home.arpa ty=<printer-name>"


    ------------------------------
    /Datniha
    ------------------------------



  • 2.  RE: Shared Services is not really sharing - likely mDNS problem

    Posted 11-18-2024 04:16 PM

    Hi All,

    same setup also for my home network. OPNSense router, some 1930 switches and some AP25. Different VLAN with different devices and services, if I tunr on mDNS repeater ruins my network almost instantly. I check all the config and try to disable all the related options (QoS optimization, IGMP snooping and so on).

    Please help to solve with a workaround in the dns configuration or to develop a way to turn off mDNS repeater on Instant On devices. 

    Thanks

    Riccardo



    ------------------------------
    Riccardo Bertoli
    ------------------------------



  • 3.  RE: Shared Services is not really sharing - likely mDNS problem

    Posted 11-19-2024 02:58 AM
    Edited by Datniha 11-19-2024 03:34 AM
    Hi Riccardo,
    I have found a workaround, and it works perfectly fine. It requires you to have all the access points on the same subnet (which I think is given since cloud managed Aruba ION access points are fixed on LAN/VLAN1). In my case the subnet is x.x.1.0/24. Furthermore, no other (IOT) devices using mDNS should be on this VLAN.
    You will then modify the configuration file of the mdns-repeater application. I will not in this post go into details, but you can find my suggestion in this post:
    Currently, I have no firewall rules defined to block mDNS traffic (except the default ones), and only the blocklist defined in the configuration file, and it works perfectly. No drop-out. Very stable (so far -  🤞)!
    Good luck.
    PS: let me know if it works for you too.
    PPS: No need for having additional entries for unbound... this is resolved once the multicast DNS is relayed between the networks.


    ------------------------------
    /Datniha
    ------------------------------

    Original Message


  • 4.  RE: Shared Services is not really sharing - likely mDNS problem

    Posted 11-22-2024 05:15 PM

    Many Thanks Datniha. Well Done!

    Good Luck!



    ------------------------------
    Riccardo Bertoli
    ------------------------------

    Original Message


  • 5.  RE: Shared Services is not really sharing - likely mDNS problem

    Posted 11-23-2024 09:46 AM
    Edited by Doug 11-23-2024 09:48 AM

    Aruba removed the option to globally disable shared services functionality in 3.x. I similarly saw issues, even without an MDNS relay, because I had a few VLANs bridged together and the APs were amplifying each other. See this thread: https://community.arubainstanton.com/discussion/disabling-shared-services.

    Someone from Aruba's engineering team disabled shared services for my site, which fixed my problems. I still have no global toggle for shared services, so if I ever wanted to use it, I'd have to contact engineering to re-enable it. Not sure why they won't allow users to control the feature anymore.



    ------------------------------
    Doug Hoffman
    ------------------------------



  • 6.  RE: Shared Services is not really sharing - likely mDNS problem

    Posted 11-24-2024 10:26 AM

    Thanks Dough,

    Yes,- I saw your post. Thanks :-)

    I am in contact with Aruba support. Let see how it goes. I am still working on a couple pull requests to opnsense since others may have similar problems. 

    /Dough



    ------------------------------
    /Datniha
    ------------------------------

    Original Message


  • 7.  RE: Shared Services is not really sharing - likely mDNS problem

    Posted 11-24-2024 04:01 PM

    Thanks for all. How can I contact Aruba support to deactivate Shared Services?

    Thanks

    R



    ------------------------------
    Riccardo Bertoli
    ------------------------------

    Original Message


  • 8.  RE: Shared Services is not really sharing - likely mDNS problem

    Posted 11-25-2024 03:26 PM

    Hi Riccardo, I just called HPE support. They created a case (it took forever). Have heard a couple of times from the support engineer. He told me

    "We have new firmware release 3.1 by this week or next week, where you will have the option to disable or enable the shared service."

    This sounds promising. I am awaiting to see if this will solve my problem. If not my pull request to the mens-repeater is now finally submitted...



    ------------------------------
    /Datniha
    ------------------------------

    Original Message


  • 9.  RE: Shared Services is not really sharing - likely mDNS problem

    Posted 11-25-2024 03:40 PM

    Shared Services can now be disabled by everyone in the new Instant On v3.1.0 portal:

    https://portal.instant-on.hpe.com/


    Original Message


  • 10.  RE: Shared Services is not really sharing - likely mDNS problem

    Posted 11-26-2024 03:11 PM

    I can confirm that the recent update in the Aruba ION app and website indeed makes it possible to disable all mDNS relaying in access points. This is really nice! I will pursue the possibility to blacklist a subnet or host in the mDNS Repeater implementation in Opnsense - you might want to mute a single host or a range og hosts.

    Kudos to HP for this recent update! Thank you.



    ------------------------------
    /Datniha
    ------------------------------

    Original Message


  • 11.  RE: Shared Services is not really sharing - likely mDNS problem

    Posted 11-26-2024 03:25 PM

    Yes, I can confirm too. Really nice.

    Thanks HPE! Well done.

    Thanks Datniha!



    ------------------------------
    Riccardo Bertoli
    ------------------------------

    Original Message


Related Content