notes/projects/gg/avahi_mdns-reflector/20250712-avahi-mdns-planning.md
Petar Cubela 252a91dbcc
2025-07-15 15:36:24 +02:00

### **Comprehensive Project Plan**
**Objective**: Enable Avahi (mDNS) communication across VLANs using a Sophos XGS firewall and a Linux VM hosted on ESXi with VLAN trunking.
---
### **1. Project Overview**
- **Firewall**: Sophos XGS (enforces VLAN segmentation and allows 5353/UDP traffic).
- **Avahi Server**: Linux VM on ESXi, receiving VLAN traffic via a physical trunk port.
- **Goal**: Allow mDNS traffic (5353/UDP) between specified VLANs while maintaining VLAN isolation.
---
### **2. Key Requirements**
1. **Firewall Configuration**:
- Allow **UDP 5353** traffic between specified VLANs.
- Enforce VLAN segmentation (no inter-VLAN communication by default).
2. **Network Infrastructure**:
- **Physical Trunk Port**: Switch provides tagged VLAN traffic to the ESXi host.
- **ESXi Host**: Assigns VLAN tagging to the VM's virtual NIC.
- **Linux VM**: Single interface receives trunked VLAN traffic.
3. **Avahi Server**:
- Installed on Linux VM.
- Configured to act as an mDNS relay across VLANs.
---
### **3. Network Setup**
#### **A. Physical Layer**
1. **Switch Configuration**:
- Configure a **trunk port** on the physical switch to carry all required VLANs (e.g., VLAN 10, VLAN 20).
- Ensure the trunk port is connected to the ESXi host.
#### **B. ESXi Host Configuration**
1. **Port Group Setup**:
- Create a **port group** on the ESXi host for VLAN trunking.
- Assign the VLANs (e.g., VLAN 10, VLAN 20) to the port group.
2. **VM Network Adapter**:
- Assign the VM a **virtual NIC (vNIC)** connected to the VLAN trunk port group.
- Ensure the vNIC is configured to **accept VLAN tags** (no need for VLAN sub-interfaces).
#### **C. Linux VM Configuration**
1. **Interface Configuration**:
- Assign **multiple IP addresses** to the VM's interface (e.g., `eth0` or `vmbr0`), one per VLAN. A single `iface` stanza accepts only one `address`, so add the further addresses with `up`/`down` hooks:
```bash
auto eth0
iface eth0 inet static
    # primary VLAN (VLAN 10) address and default gateway
    address 10.56.1.251
    netmask 255.255.255.0
    gateway 10.56.1.254
    # second address for VLAN 20 on the same interface
    up ip addr add 192.168.20.251/24 dev eth0
    down ip addr del 192.168.20.251/24 dev eth0
```
- Ensure IPs are in **different subnets** (e.g., VLAN 10: `10.56.1.0/24`, VLAN 20: `192.168.20.0/26`).
2. **Routing**:
- Configure default gateway for the primary VLAN (e.g., `10.56.1.254`).
- Ensure routing tables allow traffic between VLANs.
---
### **4. Sophos XGS Firewall Configuration**
1. **VLAN Segmentation**:
- Create VLANs on the Sophos XGS (e.g., VLAN 10, VLAN 20).
- Assign interfaces to respective VLANs.
2. **Traffic Rules**:
- Allow **UDP 5353** traffic between specified VLANs.
- Example rule:
```
Source VLAN: VLAN 10
Destination VLAN: VLAN 20
Protocol: UDP
Destination Port: 5353
```
- Ensure **no other traffic** is allowed between VLANs unless explicitly permitted.
---
### **5. Avahi Server Setup**
1. **Install Avahi**:
- Install Avahi on the Linux VM:
```bash
apt update && apt install avahi-daemon libnss-mdns
```
2. **Configure Avahi**:
- Ensure Avahi is set to **reflect mDNS packets** between the VLANs (Avahi's reflector mode).
- Adjust `/etc/avahi/avahi-daemon.conf` to enable it (if needed).
3. **Firewall Rules (Optional)**:
- If the VM's host firewall blocks traffic, accept mDNS (UDP 5353 to the multicast group 224.0.0.251) on INPUT for each VLAN subnet; a FORWARD rule is only needed if the VM also routes between the VLANs:
```bash
iptables -A INPUT -s 10.56.1.0/24 -d 224.0.0.251 -p udp --dport 5353 -j ACCEPT
iptables -A INPUT -s 192.168.20.0/24 -d 224.0.0.251 -p udp --dport 5353 -j ACCEPT
# only if the VM routes between the VLANs
iptables -A FORWARD -s 10.56.1.0/24 -d 192.168.20.0/24 -p udp --dport 5353 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
```
4. **Verify Operation**:
- Test mDNS discovery between devices on different VLANs (e.g., ping, `avahi-browse`).
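The Linux side of sections 3C and 5.2, as an added Python example that is not part of this plan: it renders `/etc/network/interfaces` and `/etc/avahi/avahi-daemon.conf` from the plan's addresses and checks them for consistency before anything is written. Assumptions not taken from the plan: the ESXi port group is set to VLAN ID 4095 (virtual guest tagging), so tagged frames reach the VM and each VLAN gets an 802.1Q sub-interface (`eth0.10`, `eth0.20`, created by the Debian `vlan` package's ifupdown hooks) instead of two addresses on a flat `eth0`; VLAN 20 uses the /24 of the interfaces stanza; the `VlanPlan`, `validate`, `render_interfaces` and `render_avahi_conf` names are the example's own.

```python
"""Render the Linux-side VLAN and Avahi reflector configuration from a plan.

Assumption (not from the plan): the ESXi port group uses VLAN ID 4095, so the
guest sees 802.1Q tags and needs one sub-interface per VLAN.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class VlanPlan:
    vlan_id: int
    address: str                    # host address with prefix, e.g. "10.56.1.251/24"
    gateway: Optional[str] = None   # only the primary VLAN carries the default route


# Constructed from the addresses used in the plan (VLAN 20 as /24, matching the
# interfaces stanza; the plan elsewhere mentions /26 for that subnet).
PLAN = [
    VlanPlan(10, "10.56.1.251/24", gateway="10.56.1.254"),
    VlanPlan(20, "192.168.20.251/24"),
]


def validate(plan: List[VlanPlan]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    nets = [ipaddress.ip_interface(p.address).network for p in plan]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnets overlap: {a} and {b}")
    gateways = [p for p in plan if p.gateway]
    if len(gateways) != 1:
        problems.append(f"expected exactly one default gateway, found {len(gateways)}")
    for p in gateways:
        if ipaddress.ip_address(p.gateway) not in ipaddress.ip_interface(p.address).network:
            problems.append(f"gateway {p.gateway} is not inside {p.address}")
    ids = [p.vlan_id for p in plan]
    if len(set(ids)) != len(ids):
        problems.append("duplicate VLAN ids")
    return problems


def vlan_ifname(raw_device: str, vlan_id: int) -> str:
    """Kernel naming convention for an 802.1Q sub-interface, e.g. eth0.10."""
    return f"{raw_device}.{vlan_id}"


def render_interfaces(plan: List[VlanPlan], raw_device: str = "eth0") -> str:
    """/etc/network/interfaces: the trunk device up, one static sub-interface per VLAN."""
    lines = [f"auto {raw_device}", f"iface {raw_device} inet manual", ""]
    for p in plan:
        ifname = vlan_ifname(raw_device, p.vlan_id)
        lines += [f"auto {ifname}", f"iface {ifname} inet static", f"    address {p.address}"]
        if p.gateway:
            lines.append(f"    gateway {p.gateway}")
        lines += [f"    vlan-raw-device {raw_device}", ""]
    return "\n".join(lines)


def render_avahi_conf(plan: List[VlanPlan], raw_device: str = "eth0") -> str:
    """avahi-daemon.conf: reflect mDNS only between the planned VLAN sub-interfaces."""
    allowed = ",".join(vlan_ifname(raw_device, p.vlan_id) for p in plan)
    return "\n".join([
        "[server]",
        f"allow-interfaces={allowed}",   # never reflect onto an interface outside the plan
        "use-ipv4=yes",
        "use-ipv6=no",
        "",
        "[reflector]",
        "enable-reflector=yes",         # the setting that relays queries/answers between VLANs
        "reflect-ipv=no",
        "",
    ])


if __name__ == "__main__":
    problems = validate(PLAN)
    if problems:
        raise SystemExit("plan is inconsistent:\n  " + "\n  ".join(problems))
    print(render_interfaces(PLAN))
    print(render_avahi_conf(PLAN))
```

`enable-reflector=yes` is what the plan's "adjust `avahi-daemon.conf` to allow broadcasting" amounts to, and limiting `allow-interfaces` to the two VLAN sub-interfaces keeps the daemon from repeating records onto any other network the VM can reach. Avahi 0.8 and later also accept `reflect-filters=` in the `[reflector]` section to reflect only the listed service types rather than everything heard on a VLAN.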
---
### **6. Testing & Validation**
1. **Ping Test**:
- Confirm connectivity between devices on different VLANs via the Avahi VM.
2. **Firewall Rule Check**:
- Ensure Sophos XGS allows **UDP 5353** traffic between VLANs.
3. **Avahi Discovery**:
- Use `avahi-browse` to verify mDNS services are visible across VLANs.
4. **Traffic Monitoring**:
- Use tools like `tcpdump` or Wireshark to confirm VLAN tagging and traffic flow.
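What to look for in the `tcpdump` capture, as an added example that is not part of the plan: a small Python builder and parser for the mDNS wire format (RFC 6762, which reuses the DNS message format including name compression), with a constructed service-enumeration query and a constructed PTR response of the kind the reflector repeats onto the other VLAN. The packet bytes are constructed here, and the function names are the example's own.

```python
"""Build and parse mDNS (RFC 6762) messages so a capture on UDP 5353 can be
checked against what a query and a reflected answer should look like.
Sample packets below are constructed for the example."""
import struct

MDNS_GROUP = "224.0.0.251"
MDNS_PORT = 5353
TYPE_PTR = 12
CLASS_IN = 1
QU_BIT = 0x8000          # question: "unicast response requested"
CACHE_FLUSH = 0x8000     # answer: cache-flush bit in the class field


def encode_name(name):
    """Encode a dotted name as DNS labels (uncompressed)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("utf-8")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(service_type="_services._dns-sd._udp.local", unicast_response=False):
    """Standard mDNS query: id 0, flags 0, a single PTR question."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    qclass = CLASS_IN | (QU_BIT if unicast_response else 0)
    return header + encode_name(service_type) + struct.pack("!HH", TYPE_PTR, qclass)


def decode_name(msg, offset):
    """Decode a possibly compressed name; returns (name, offset after the name)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:            # two-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, hops = True, hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("utf-8"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_message(msg):
    """Parse the header, questions and answers of an mDNS message."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        name, offset = decode_name(msg, offset)
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append({"name": name, "type": qtype, "class": qclass & 0x7FFF,
                          "unicast": bool(qclass & QU_BIT)})
    for _ in range(an):
        name, offset = decode_name(msg, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        if rtype == TYPE_PTR:                # PTR rdata is itself a (compressible) name
            rdata, _ = decode_name(msg, offset)
        offset += rdlen
        answers.append({"name": name, "type": rtype, "class": rclass & 0x7FFF,
                        "cache_flush": bool(rclass & CACHE_FLUSH), "ttl": ttl, "rdata": rdata})
    return {"id": ident, "is_response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


# Constructed response: flags QR|AA, the answer name is a pointer to the question
# name at offset 12, and the rdata reuses the "local" label at offset 35.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8400, 1, 1, 0, 0)
    + encode_name("_services._dns-sd._udp.local") + struct.pack("!HH", TYPE_PTR, CLASS_IN)
    + b"\xC0\x0C" + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, 4500, 13)
    + b"\x05_http\x04_tcp\xC0\x23"
)


def service_types(msg):
    """Service types advertised in PTR answers to the enumeration query."""
    return [a["rdata"] for a in parse_message(msg)["answers"]
            if a["type"] == TYPE_PTR and a["name"] == "_services._dns-sd._udp.local"]
```

On the VM, `tcpdump -e -i eth0 'vlan and udp port 5353'` shows the 802.1Q tag of each packet alongside the payload, so a query seen with tag 10 should reappear with tag 20 once the reflector is working. Because the reflector repeats every record it hears, not only the service types that were expected, comparing captures on both VLANs is also the quickest way to see what is crossing the segmentation boundary.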
---
### **7. Documentation & Maintenance**
1. **Document VLAN Assignments**:
- Record VLAN IDs, IP ranges, and firewall rules for reference.
2. **Backup Configurations**:
- Save ESXi port group settings, Sophos XGS rules, and Avahi configurations.
3. **Regular Updates**:
- Keep the Linux VM and Avahi software updated so that security fixes are applied promptly.
---
### **8. Known Considerations**
- **Trunking Limitations**: Ensure the physical switch and ESXi host support VLAN trunking.
- **Firewall Overlap**: Avoid conflicting rules in Sophos XGS that could block mDNS traffic.
- **Performance**: Monitor network bandwidth to ensure VLAN traffic does not saturate the link.
---
### **9. Success Criteria**
- **mDNS Communication**: Devices on different VLANs can discover and communicate via Avahi.
- **Firewall Compliance**: Only allowed traffic (UDP 5353) is permitted between VLANs.
- **Network Isolation**: VLAN segmentation is enforced, and only required traffic is allowed.
---
This plan ensures a secure, scalable, and functional mDNS relay solution across VLANs using Sophos XGS and an ESXi-hosted Avahi VM.