### **Comprehensive Project Plan**

**Objective**: Enable Avahi (mDNS) service discovery across VLANs using a Sophos XGS firewall and a Linux VM hosted on ESXi with VLAN trunking.

---

### **1. Project Overview**

- **Firewall**: Sophos XGS (enforces VLAN segmentation and permits only explicitly allowed traffic, including 5353/UDP, between VLANs).
- **Avahi Server**: Linux VM on ESXi, receiving tagged VLAN traffic via a physical trunk port.
- **Goal**: Allow mDNS service discovery (5353/UDP) between specified VLANs while maintaining VLAN isolation for everything else.

---

### **2. Key Requirements**

1. **Firewall Configuration**:
   - Allow **UDP 5353** traffic between specified VLANs.
   - Enforce VLAN segmentation (no inter-VLAN communication by default).
2. **Network Infrastructure**:
   - **Physical Trunk Port**: Switch provides tagged VLAN traffic to the ESXi host.
   - **ESXi Host**: Passes the VLAN tags through to the VM's virtual NIC (Virtual Guest Tagging).
   - **Linux VM**: A single interface receives the trunked VLAN traffic and terminates each VLAN on an 802.1Q sub-interface.
3. **Avahi Server**:
   - Installed on the Linux VM.
   - Configured as an mDNS **reflector**, re-originating mDNS queries and answers between the VLANs it is attached to.

---

### **3. Network Setup**

#### **A. Physical Layer**

1. **Switch Configuration**:
   - Configure a **trunk port** on the physical switch to carry all required VLANs (e.g., VLAN 10, VLAN 20).
   - Connect the trunk port to the ESXi host's physical uplink.
   - Prune every VLAN the VM does not need from the trunk, so the VM cannot reach VLANs it has no business on.

#### **B. ESXi Host Configuration**

1. **Port Group Setup**:
   - Create a **port group** on the ESXi host for VLAN trunking: VLAN ID **4095** on a standard vSwitch (Virtual Guest Tagging, all VLANs passed tagged) or a VLAN trunking range (e.g., `10,20`) on a distributed switch.
   - Prefer the distributed-switch trunk range where available; VLAN 4095 passes every VLAN present on the uplink, so with it the restriction depends entirely on switch-side pruning.
2. **VM Network Adapter**:
   - Assign the VM a **virtual NIC (vNIC)** connected to the trunk port group (VMXNET3 passes 802.1Q tags to the guest).
   - Because frames arrive tagged, the guest must create a **VLAN sub-interface per VLAN**; a single untagged interface carrying several IP addresses will not see the tagged traffic.

#### **C. Linux VM Configuration**

1. **Interface Configuration**:
   - Load the `8021q` module and create one sub-interface per VLAN on the trunked interface (e.g., `eth0`), each with an address in that VLAN's subnet:
   ```bash
   # /etc/network/interfaces (ifupdown with the vlan package): one 802.1Q sub-interface per VLAN
   auto eth0
   iface eth0 inet manual
   auto eth0.10
   iface eth0.10 inet static
       address 10.56.1.251/24
       gateway 10.56.1.254
       vlan-raw-device eth0
   auto eth0.20
   iface eth0.20 inet static
       address 192.168.20.251/24
       vlan-raw-device eth0
   ```
   - The subnets must differ (VLAN 10: `10.56.1.0/24`, VLAN 20: `192.168.20.0/24`); the reflector needs one address in each VLAN.
2. **Routing**:
   - Configure the default gateway on the primary VLAN only (e.g., `10.56.1.254` on `eth0.10`).
   - Do **not** enable IP forwarding on the VM (`net.ipv4.ip_forward = 0`). A dual-homed host that forwards is a second path between the VLANs that bypasses the Sophos XGS; the reflector works at the application layer and needs no routing between VLANs.

---

### **4. Sophos XGS Firewall Configuration**

1. **VLAN Segmentation**:
   - Create VLAN interfaces on the Sophos XGS (e.g., VLAN 10, VLAN 20) on the port facing the switch.
   - Assign each VLAN interface to its zone and keep the default deny between zones.
2. **Traffic Rules**:
   - Allow **UDP 5353** between the specified VLANs.
   - Example rule:
   ```
   Source VLAN: VLAN 10
   Destination VLAN: VLAN 20
   Protocol: UDP
   Destination Port: 5353
   ```
   - mDNS multicast (`224.0.0.251`) is link-local and is never forwarded by the firewall; discovery crosses VLANs through the Avahi VM, not the XGS. This rule only covers unicast mDNS between the VLANs.
   - Discovery alone does not make a service usable: the service ports themselves (e.g., TCP 631 for IPP printing) need their own explicit rules between the VLANs.
   - Ensure **no other traffic** is allowed between VLANs unless explicitly permitted.

---

### **5. Avahi Server Setup**

1. **Install Avahi**:
   - Install Avahi on the Linux VM (`avahi-utils` provides `avahi-browse` for testing):
   ```bash
   apt update && apt install avahi-daemon avahi-utils libnss-mdns
   ```
2. **Configure Avahi**:
   - Enable **reflector mode** in `/etc/avahi/avahi-daemon.conf`: set `enable-reflector=yes` in the `[reflector]` section. Avahi then re-originates the mDNS queries and responses it receives on one VLAN sub-interface onto the others.
   - Restrict Avahi to the VLAN sub-interfaces with `allow-interfaces=eth0.10,eth0.20` in the `[server]` section, so that the untagged `eth0` and any management interface are not reflected.
   - Restart the service (`systemctl restart avahi-daemon`) and confirm in the journal that it joins the mDNS multicast group on both `eth0.10` and `eth0.20`.
3. **Host Firewall Rules (Optional)**:
   - If the VM runs a host firewall, permit inbound mDNS on each VLAN sub-interface. Avahi is a local listener, so the rule belongs in `INPUT`, not `FORWARD` (forwarding stays disabled):
   ```bash
   iptables -A INPUT -i eth0.10 -p udp --dport 5353 -j ACCEPT
   iptables -A INPUT -i eth0.20 -p udp --dport 5353 -j ACCEPT
   ```
4. **Verify Operation**:
   - From a client on each VLAN, run `avahi-browse -art` and confirm that services from the other VLAN are listed.

---

### **6. Testing & Validation**

1. **Ping Test**:
   - Confirm that a host on each VLAN can reach the VM's address in that VLAN (`10.56.1.251` from VLAN 10, `192.168.20.251` from VLAN 20). Pings *between* VLANs should still fail, because the firewall blocks them by design.
2. **Firewall Rule Check**:
   - In the Sophos XGS log viewer, confirm that UDP 5353 between the VLANs is allowed and that other inter-VLAN traffic is dropped.
3. **Avahi Discovery**:
   - Use `avahi-browse -art` on a VLAN 10 client to verify that services advertised by VLAN 20 hosts are visible, and vice versa.
4. **Traffic Monitoring**:
   - Use `tcpdump -e -i eth0 vlan and udp port 5353` on the VM (or Wireshark) to confirm that mDNS frames arrive tagged with both VLAN IDs and that reflected copies leave on the other VLAN.

---

### **7. Documentation & Maintenance**

1. **Document VLAN Assignments**:
   - Record VLAN IDs, IP ranges, the port-group configuration, and firewall rules for reference.
2. **Backup Configurations**:
   - Save ESXi port group settings, Sophos XGS rules, and Avahi configurations.
3. **Regular Updates**:
   - Keep the Linux VM and Avahi software updated to avoid known vulnerabilities.

---

### **8. Known Considerations**

- **Trunking Limitations**: Ensure the physical switch and ESXi host support VLAN trunking.
- **Firewall Overlap**: Avoid conflicting rules in Sophos XGS that could block mDNS traffic.
- **Dual-Homed Host**: The Avahi VM has an address in every reflected VLAN. Keep it minimal (no forwarding, no unneeded services), because a compromise of this VM gives a foothold in each of those VLANs.
- **Reflector Scope**: A reflector multiplies multicast traffic across every attached VLAN and exposes all advertised services to all of them. Attach it only to the VLANs that need discovery, never to guest or untrusted networks.
- **Performance**: Monitor network bandwidth to ensure VLAN traffic does not saturate the trunk link.

---

### **9. Success Criteria**

- **mDNS Communication**: Devices on different VLANs can discover each other's services via Avahi.
- **Firewall Compliance**: Only allowed traffic (UDP 5353 and the explicitly listed service ports) is permitted between VLANs.
- **Network Isolation**: VLAN segmentation is enforced, and only required traffic is allowed.

---

This plan ensures a secure, scalable, and functional mDNS reflector solution across VLANs using Sophos XGS and an ESXi-hosted Avahi VM.