CubelaPetar/notes
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
584265c22c6f472c7656969d85e778e0a4ab5742
notes/projects/gg/avahi_mdns-reflector/prep/20250712-avahi-mdns-planning.md
Petar Cubela 584265c22c 20250907
2025-09-07 13:07:01 +02:00

5.2 KiB
Raw Blame History

Comprehensive Project Plan

Objective: Enable Avahi (mDNS) communication across VLANs using a Sophos XGS firewall and a Linux VM hosted on ESXi with VLAN trunking.

1. Project Overview

  • Firewall: Sophos XGS (enforces VLAN segmentation and allows 5353/UDP traffic).
  • Avahi Server: Linux VM on ESXi, receiving VLAN traffic via a physical trunk port.
  • Goal: Allow mDNS traffic (5353/UDP) between specified VLANs while maintaining VLAN isolation.

2. Key Requirements

  1. Firewall Configuration:
    • Allow UDP 5353 traffic between specified VLANs.
    • Enforce VLAN segmentation (no inter-VLAN communication by default).
  2. Network Infrastructure:
    • Physical Trunk Port: Switch provides tagged VLAN traffic to the ESXi host.
    • ESXi Host: Assigns VLAN tagging to the VMs virtual NIC.
    • Linux VM: Single interface receives trunked VLAN traffic.
  3. Avahi Server:
    • Installed on Linux VM.
    • Configured to act as an mDNS relay across VLANs.

3. Network Setup

A. Physical Layer

  1. Switch Configuration:
    • Configure a trunk port on the physical switch to carry all required VLANs (e.g., VLAN 10, VLAN 20).
    • Ensure the trunk port is connected to the ESXi host.

B. ESXi Host Configuration

  1. Port Group Setup:
    • Create a port group on the ESXi host for VLAN trunking.
    • Assign the VLANs (e.g., VLAN 10, VLAN 20) to the port group.
  2. VM Network Adapter:
    • Assign the VM a virtual NIC (vNIC) connected to the VLAN trunk port group.
    • Ensure the vNIC is configured to accept VLAN tags (no need for VLAN sub-interfaces).

C. Linux VM Configuration

  1. Interface Configuration:
    • Assign multiple IP addresses to the VMs interface (e.g., eth0 or vmbr0) for each VLAN. 
      auto eth0
iface eth0 inet static
    address 192.168.20.251
    netmask 255.255.255.0
    address 10.56.1.251
    netmask 255.255.255.0
    gateway 10.56.1.254
    • Ensure IPs are in different subnets (e.g., VLAN 10: 10.56.1.0/24, VLAN 20: 192.168.20.0/26).
  2. Routing:
    • Configure default gateway for the primary VLAN (e.g., 10.56.1.254).
    • Ensure routing tables allow traffic between VLANs.

4. Sophos XGS Firewall Configuration

  1. VLAN Segmentation:
    • Create VLANs on the Sophos XGS (e.g., VLAN 10, VLAN 20).
    • Assign interfaces to respective VLANs.
  2. Traffic Rules:
    • Allow UDP 5353 traffic between specified VLANs.
      • Example rule: 
        Source VLAN: VLAN 10  
Destination VLAN: VLAN 20  
Protocol: UDP  
Destination Port: 5353
    • Ensure no other traffic is allowed between VLANs unless explicitly permitted.

5. Avahi Server Setup

  1. Install Avahi:
    • Install Avahi on the Linux VM: 
      apt update && apt install avahi-daemon libnss-mdns
  2. Configure Avahi:
    • Ensure Avahi is set to broadcast mDNS packets across VLANs.
    • Adjust /etc/avahi/avahi-daemon.conf to allow broadcasting (if needed).
  3. Firewall Rules (Optional):
    • If the VMs host firewall blocks traffic, add rules to allow UDP 5353 between VLANs: 
      iptables -A FORWARD -s 10.56.1.0/24 -d 192.168.20.0/24 -p udp --dport 5353 -m state --state NEW,ESTABLISHED -j ACCEPT
  4. Verify Operation:
    • Test mDNS discovery between devices on different VLANs (e.g., ping, avahi-browse).

6. Testing & Validation

  1. Ping Test:
    • Confirm connectivity between devices on different VLANs via the Avahi VM.
  2. Firewall Rule Check:
    • Ensure Sophos XGS allows UDP 5353 traffic between VLANs.
  3. Avahi Discovery:
    • Use avahi-browse to verify mDNS services are visible across VLANs.
  4. Traffic Monitoring:
    • Use tools like tcpdump or Wireshark to confirm VLAN tagging and traffic flow.

7. Documentation & Maintenance

  1. Document VLAN Assignments:
    • Record VLAN IDs, IP ranges, and firewall rules for reference.
  2. Backup Configurations:
    • Save ESXi port group settings, Sophos XGS rules, and Avahi configurations.
  3. Regular Updates:
    • Keep the Linux VM and Avahi software updated to avoid vulnerabilities.

8. Known Considerations

  • Trunking Limitations: Ensure the physical switch and ESXi host support VLAN trunking.
  • Firewall Overlap: Avoid conflicting rules in Sophos XGS that could block mDNS traffic.
  • Performance: Monitor network bandwidth to ensure VLAN traffic does not saturate the link.

9. Success Criteria

  • mDNS Communication: Devices on different VLANs can discover and communicate via Avahi.
  • Firewall Compliance: Only allowed traffic (UDP 5353) is permitted between VLANs.
  • Network Isolation: VLAN segmentation is enforced, and only required traffic is allowed.

This plan ensures a secure, scalable, and functional mDNS relay solution across VLANs using Sophos XGS and an ESXi-hosted Avahi VM.

Reference in New Issue View Git Blame Copy Permalink