notes/projects/gg/avahi_mdns-reflector/20250717-project-plan-scaling.md
2025-07-20 22:29:13 +02:00

Comprehensive Project Plan for VLAN Bridging with mDNS Proxy and Avahi Servers


1. Project Overview

Objective: Enable Apple devices in VLAN 15 and 19 to discover Apple TVs in VLAN 7 via Bonjour (mDNS) without requiring Layer 3 switches or VLAN routing on the Sophos firewall.
Key Requirements:

  • VLANs: Student (15), Teacher (19), AppleTV (7).
  • Subnets:
    • VLAN 15: 172.16.19.254/255.255.252.0
    • VLAN 19: 192.168.151.254/255.255.252.0
    • VLAN 7: 172.16.111.254/255.255.248.0
  • Services: Bonjour (mDNS), HTTP/HTTPS (80,443), DHCP (546/udp, 547/udp), and other protocols.
  • Tools:
    • Sophos XGS4300: DHCP server, firewall.
    • ESXi: Hypervisor for VMs.
    • Debian VMs: Avahi servers, mDNS proxy.
  • Switches: Layer 2 only (no IGMP snooping).
  • VM IPs: .250 in each VLAN (e.g., 172.16.19.250, 192.168.151.250, 172.16.111.250).

2. Network Architecture Design

A. VLAN Configuration (ESXi vSwitch)

  • vSwitch Setup:
    • Create a vSwitch (e.g., vSwitch0) with VLAN tags for each VLAN (15, 19, 7).
    • Assign VMs to this vSwitch with appropriate VLAN tags.
  • VM Interfaces:
    • Each Avahi server VM and mDNS proxy VM will have one virtual NIC per VLAN (e.g., VLAN 15, VLAN 19, VLAN 7).
    • Ensure untagged interfaces for management (optional).

B. VM Resource Allocation

  • Avahi Server VMs:
    • RAM: 1GB (minimal, as Avahi is lightweight).
    • CPU: 1 core.
    • Storage: 10GB (for OS and logs).
  • mDNS Proxy VM:
    • RAM: 2GB (to handle traffic forwarding).
    • CPU: 2 cores.
    • Storage: 20GB (for logs and configurations).

C. IP Addressing

  • Avahi Servers:
    • VLAN 15: 172.16.19.250
    • VLAN 19: 192.168.151.250
    • VLAN 7: 172.16.111.250
  • mDNS Proxy:
    • Assign a static IP (e.g., 172.16.111.251) in VLAN 7 (or use a management VLAN if needed).

3. Software and Configuration

A. Avahi Servers (Per VLAN)

  • OS: Debian 12 (Bookworm).
  • Installation:
    apt update && apt install avahi-daemon avahi-utils
    
  • Configuration (/etc/avahi/avahi-daemon.conf):
    • Ensure host-name is set to the VM's hostname (e.g., avahi15).
    • Set domain-name to the local domain (e.g., local).
  • Service Announcement:
    • Place service files in /etc/avahi/services/ for Apple TVs (e.g., apple-tv.service).
    • Example apple-tv.service (avahi-daemon only loads files with a <service-group> wrapper and a <name>; the host element is <host-name>, and a subtype is written in full):
      <?xml version="1.0" standalone='no'?>
      <!DOCTYPE service-group SYSTEM "avahi-service.dtd">
      <service-group>
        <name replace-wildcards="yes">Apple TV on %h</name>
        <service>
          <type>_http._tcp</type>
          <subtype>_apple-tv._sub._http._tcp</subtype>
          <port>80</port>
          <host-name>apple-tv.local</host-name>
        </service>
      </service-group>
      
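A small validator for service files before they go into /etc/avahi/services/, added here as an example and not part of the original plan or of Avahi itself. It checks the structure avahi-daemon expects (service-group with a name, each service with a well-formed type and port, subtypes written in full, host-name as a .local name) and flags unknown elements such as <host>. The sample files are constructed inline; the checks reflect the element set documented in avahi.service(5) as I know it and are an assumption, not a substitute for running avahi-daemon.

```python
"""Validate Avahi service files (added example; constructed samples below)."""
import re
import xml.etree.ElementTree as ET

# DNS-SD service type: _name._tcp or _name._udp, name up to 15 characters.
TYPE_RE = re.compile(r"^_[A-Za-z0-9-]{1,15}\._(tcp|udp)$")
# Child elements avahi-daemon accepts inside <service> (assumption from avahi.service(5)).
SERVICE_CHILDREN = {"type", "subtype", "domain-name", "host-name", "port", "txt-record"}


def validate_service_file(xml_text):
    """Return a list of problems; an empty list means the file looks valid."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "service-group":
        return [f"root element must be <service-group>, found <{root.tag}>"]
    problems = []
    if not (root.findtext("name") or "").strip():
        problems.append("<service-group> needs a non-empty <name>")
    services = root.findall("service")
    if not services:
        problems.append("<service-group> needs at least one <service>")
    for i, svc in enumerate(services, 1):
        stype = (svc.findtext("type") or "").strip()
        if not TYPE_RE.match(stype):
            problems.append(f"service {i}: <type> '{stype}' is not of the form _name._tcp/_udp")
        port = (svc.findtext("port") or "").strip()
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            problems.append(f"service {i}: <port> '{port}' is not a valid port number")
        for sub in svc.findall("subtype"):
            # Subtypes are written in full, e.g. _apple-tv._sub._http._tcp
            if not (sub.text or "").endswith("._sub." + stype):
                problems.append(f"service {i}: <subtype> '{sub.text}' should end with '._sub.{stype}'")
        host = svc.find("host-name")
        if host is not None and not (host.text or "").endswith(".local"):
            problems.append(f"service {i}: <host-name> '{host.text}' should be a .local name")
        for child in svc:
            if child.tag not in SERVICE_CHILDREN:
                problems.append(f"service {i}: unknown element <{child.tag}>")
    return problems


# Constructed sample: the complete file for the Apple TV announcement.
GOOD = """<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
  <name replace-wildcards="yes">Apple TV on %h</name>
  <service>
    <type>_http._tcp</type>
    <subtype>_apple-tv._sub._http._tcp</subtype>
    <port>80</port>
    <host-name>apple-tv.local</host-name>
  </service>
</service-group>"""

# Constructed sample with two common mistakes: short subtype and a <host> element.
BAD = """<service-group>
  <name>Apple TV</name>
  <service>
    <type>_http._tcp</type>
    <subtype>_apple-tv._sub</subtype>
    <port>80</port>
    <host>apple-tv.local</host>
  </service>
</service-group>"""

# Constructed sample: a bare <service> with no <service-group> wrapper.
FRAGMENT = "<service><type>_http._tcp</type><port>80</port></service>"

if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("BAD", BAD), ("FRAGMENT", FRAGMENT)):
        print(label, validate_service_file(text) or "ok")
```

Run it against every file in /etc/avahi/services/ before restarting avahi-daemon; a file that fails here is silently ignored or rejected by the daemon, which then shows up as the "service discovery failures" hurdle listed later in the plan.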

B. mDNS Proxy (VM)

  • Software: Use mdnsproxy (not dnsmasq) for mDNS forwarding.
  • Installation:
    apt update && apt install mdnsproxy
    
  • Configuration (/etc/mdnsproxy.conf):
    • Define forwarding rules between VLANs:
      [forward]
      172.16.19.250 192.168.151.250 172.16.111.250
      192.168.151.250 172.16.19.250 172.16.111.250
      172.16.111.250 172.16.19.250 192.168.151.250
      
    • Ensure UDP port 5353 is open for mDNS traffic.
  • Firewall Rules (Sophos XGS):
    • Allow UDP port 5353 between VLAN 15, 19, and 7.
    • Allow TCP/UDP ports 80, 443, 546, 547 for service access.

4. Firewall Configuration (Sophos XGS4300)

  • DHCP Server:
    • Assign IPs to VLANs 15, 19, and 7.
    • Ensure IP ranges match the subnets (e.g., VLAN 15: 172.16.19.252-254).
  • Firewall Rules:
    • Allow traffic between VLANs 15, 19, and 7 via the mDNS proxy.
    • Deny direct communication between VLANs (to enforce proxy routing).
    • Allow UDP 5353 and TCP/UDP 80, 443, 546, 547 for service discovery and access.

5. Testing and Validation

  • Step 1: Verify VLAN tagging on ESXi vSwitch. Use ovs-ofctl dump-ports to confirm VLAN tags.
  • Step 2: Test mDNS traffic with tcpdump on the mDNS proxy VM:
    tcpdump -i eth1 port 5353
    
  • Step 3: Use Bonjour tools (e.g., dns-sd) to discover services:
    dns-sd -B _http._tcp local
    
  • Step 4: Ensure Apple devices can access services via the proxy.
  • Step 5: Monitor firewall logs for denied traffic to confirm proxy routing.
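To make Steps 2 and 3 repeatable, the following script builds the same PTR query that dns-sd -B sends and decodes the PTR/SRV/A answers from a captured UDP/5353 payload, flagging answers that come from an address other than the three Avahi servers or the proxy named in this plan. It is an added example, not part of the original plan or of any of the tools it mentions. The response bytes are constructed inline so it runs offline; feeding it a live payload (the UDP data from a tcpdump capture, via scapy or a raw socket) is assumed and not shown, and the Apple TV address 172.16.111.23 is made up.

```python
"""Build an mDNS PTR query and decode PTR/SRV/A answers (added example)."""
import struct

MDNS_PORT = 5353
PTR, SRV, A = 12, 33, 1

# Addresses from which answers are expected once the proxy is in place:
# the three Avahi servers and the proxy address from this plan.
EXPECTED_RESPONDERS = {"172.16.19.250", "192.168.151.250",
                       "172.16.111.250", "172.16.111.251"}

def encode_name(name):
    """DNS wire format: length-prefixed labels, terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split("."))
    return out + b"\x00"

def build_ptr_query(service):
    """mDNS PTR query: ID 0, one question, multicast response requested."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    return header + encode_name(service) + struct.pack("!HH", PTR, 1)

def decode_name(buf, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = buf[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = offset + 2
            jumped = True
            offset = struct.unpack("!H", buf[offset:offset + 2])[0] & 0x3FFF
            continue
        labels.append(buf[offset + 1:offset + 1 + length].decode())
        offset += 1 + length
    return ".".join(labels), end if jumped else offset

def parse_response(buf):
    """Return [(owner, rtype, rclass, value)] for every record in a response."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    offset = 12
    for _ in range(qd):                       # skip any echoed questions
        _, offset = decode_name(buf, offset)
        offset += 4
    records = []
    for _ in range(an + ns + ar):
        owner, offset = decode_name(buf, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[offset:offset + 10])
        offset += 10
        rdata = buf[offset:offset + rdlen]
        if rtype == PTR:
            value, _ = decode_name(buf, offset)
        elif rtype == SRV:
            _prio, _weight, port = struct.unpack("!HHH", rdata[:6])
            value = (port, decode_name(buf, offset + 6)[0])
        elif rtype == A:
            value = ".".join(str(b) for b in rdata)
        else:
            value = rdata
        records.append((owner, rtype, rclass & 0x7FFF, value))  # drop mDNS cache-flush bit
        offset += rdlen
    return records

def check_discovery(src_ip, payload, service="_http._tcp.local"):
    """Summarise one captured answer and flag responders outside the plan."""
    records = parse_response(payload)
    return {
        "responder_expected": src_ip in EXPECTED_RESPONDERS,
        "instances": [v for n, t, _, v in records if t == PTR and n == service],
        "srv": {n: v for n, t, _, v in records if t == SRV},
        "addresses": {n: v for n, t, _, v in records if t == A},
    }

def build_sample_response():
    """Constructed answer: PTR + SRV + A for one Apple TV, using name compression."""
    pkt = bytearray(struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 2))
    svc_off = len(pkt)
    pkt += encode_name("_http._tcp.local")
    instance = b"\x08Apple TV" + struct.pack("!H", 0xC000 | svc_off)
    pkt += struct.pack("!HHIH", PTR, 1, 4500, len(instance)) + instance
    pkt += instance                            # SRV owner = the instance name
    target = encode_name("apple-tv.local")
    srv_rdata = struct.pack("!HHH", 0, 0, 80) + target
    pkt += struct.pack("!HHIH", SRV, 0x8001, 120, len(srv_rdata)) + srv_rdata
    target_off = len(pkt) - len(target)
    pkt += struct.pack("!H", 0xC000 | target_off)   # A owner = pointer to target
    pkt += struct.pack("!HHIH", A, 0x8001, 120, 4) + bytes([172, 16, 111, 23])  # made-up address
    return bytes(pkt)

if __name__ == "__main__":
    print(build_ptr_query("_http._tcp.local").hex())
    print(check_discovery("172.16.111.250", build_sample_response()))
```

An answer whose source address is not in EXPECTED_RESPONDERS (a device in VLAN 15 or 19 answering directly, for example) means multicast is leaking between VLANs rather than being relayed by the proxy, which is exactly what the firewall rules in section 4 are meant to prevent, so it is worth checking alongside the denied-traffic review in Step 5.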

6. Potential Hurdles and Solutions

| Hurdle | Solution |
|---|---|
| Layer 2 switches: no IGMP snooping | The mDNS proxy bridges the VLANs, so multicast traffic is handled by the proxy. |
| Firewall rules blocking inter-VLAN traffic | Allow traffic via the proxy (UDP 5353) and ensure services are accessible via ports 80, 443, etc. |
| VM IP conflicts | Assign static IPs in each VLAN (e.g., .250) to avoid DHCP conflicts. |
| mDNS proxy not forwarding | Verify the mdnsproxy configuration and ensure the VMs are connected to all VLANs. |
| Service discovery failures | Test with dns-sd and ensure the Avahi servers are correctly configured. |

7. Resource Recommendations

  • ESXi Host:
    • At least 8GB RAM, 4 cores.
    • Ensure vSwitch is configured with VLAN tags.
  • VMs:
    • Avahi Servers: 1GB RAM, 1 core.
    • mDNS Proxy: 2GB RAM, 2 cores.
  • Storage:
    • Allocate 10-20GB per VM for OS, logs, and service files.

8. Final Notes

  • Scalability: Add more Avahi servers if needed, but ensure the mDNS proxy can handle increased traffic.
  • Monitoring: Use Prometheus/Grafana to monitor traffic and resource usage.
  • Documentation: Document VLAN IPs, VM configurations, and firewall rules for future maintenance.

9. Has Anything Been Missed?

  • No: All requirements are addressed, including VLAN isolation, mDNS bridging, and service accessibility.
  • Optional Enhancements:
    • Add load balancing for the mDNS proxy.
    • Use SNMP to monitor switch traffic.
    • Implement failover for critical services.

10. Conclusion

This setup is feasible and robust for your requirements. The key is ensuring the mDNS proxy is correctly connected to all VLANs via the ESXi vSwitch, and the Sophos firewall allows only traffic via the proxy. With proper testing and configuration, Apple devices in VLANs 15 and 19 will discover Apple TVs in VLAN 7 via Bonjour, and services will be accessible via the required ports. 🚀