Port 5353 Being dropped on Blue0

For the past few weeks I’ve been trying to solve this, with no luck.
I have a HP MFP and use Vuescan as the scanner software, Vuescan uses the Bonjour protocol to search for devices.
The HP MFP sits on the Blue Network (convenience of location), and can talk to everything using Vuescan on that network fine, but nothing using Vuescan on Green can see it. It does however work fine as a printer, and the web portal can be accessed from Green.

mdns-repeater -f blue0 green0
I can see the data being repeated from green0 to blue0, but there is nothing coming back.
In the firewall log it shows:
DROP_Wirelessinput blue0 UDP (IP Addresses) 5353

It would look like there is a Firewall rule, or option, that is blocking the reply, however even if I disable all firewall rules, it still does not connect, with data being dropped.

Is there a way to see or trace what rule is causing these packets to get dropped?
Or can someone point me at what I may be missing?



1 Like

Hello Mark - I’ve been trying to solve a similar issue (Apple products only). I may take the easy way out and add a wi-fi for GREEN but that seems like cheating.

I haven’t learned enough to be dangerous (yet). But I’d be interested if someone has a solution or a good hint for this issue!


EDIT: is there nothing in the message log at /var/log/messages ?

EDIT1: I loaded up mdns-repeater and it seems to work A-OK for me from an iPhone on BLUE to an Apple TV on GREEN.

[root@ipfire ~]# mdns-repeater -f green0 blue0
mdns-repeater: dev green0 addr mask net
mdns-repeater: dev blue0 addr mask net
data from= size=169
repeating data to green0
data from= size=540
repeating data to blue0
data from= size=357
repeating data to blue0
data from= size=353
repeating data to blue0
[root@ipfire ~]# 

I did have to create a firewall rule from BLUE to GREEN to get it to work (I did not try to make it port specific):

Thanks Jon for the ideas; what you did makes sense, so I gave it a try, but with no luck. Even removing all other firewall rules, there was no change.
However, while doing this testing I did see some packets being repeated to Green from Blue, but it was from my phone, not the printer. The only difference I am aware of between my phone and the printer is that the printer is on a static DHCP lease.
Your idea of going through the messages, rather than via the web screen, also shed some light too.
The DROP_Wirelessinput comes from iptables, and I can see where; now I need to find the why.

I’m away for the week, but will read up on iptables to understand better what is going on, and try some solutions next weekend.
Once I have it working or more information, I’ll give some information back as to what the solution was for my situation.

I’ve always seen DROP_Wirelessinput messages since I started using the BLUE network. And for me, almost all of them talk to port 5353.

Since I installed mdns-repeater yesterday I am not sure if this will help or not (I would guess not).

Here is a command that will look for DROP_Wirelessinput in the messages log:

grep DROP_Wirelessinput /var/log/messages
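The grep above lists the raw lines. As an added example (not from this thread or from IPFire), the POSIX shell script below narrows those lines to what matters for this problem: which interface, protocol and destination port are being dropped, and which source addresses lost mDNS (UDP/5353) packets, so a device on a static lease can be told apart from a phone. The log lines embedded in it are constructed to follow the standard netfilter LOG line format with the DROP_Wirelessinput prefix (addresses and timestamps are placeholders); on the firewall you would point the functions at /var/log/messages instead.

```shell
#!/bin/sh
# Added example, not part of the thread: summarise netfilter DROP_Wirelessinput
# entries from an IPFire-style /var/log/messages.
# The sample log is constructed; it mimics the standard netfilter LOG format
# (IN= OUT= SRC= DST= ... PROTO= SPT= DPT=) with the DROP_Wirelessinput prefix.

SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Jan 10 09:00:01 ipfire kernel: DROP_Wirelessinput IN=blue0 OUT= SRC=192.168.2.50 DST=224.0.0.251 LEN=200 TTL=255 PROTO=UDP SPT=5353 DPT=5353 LEN=180
Jan 10 09:00:02 ipfire kernel: DROP_Wirelessinput IN=blue0 OUT= SRC=192.168.2.51 DST=224.0.0.251 LEN=200 TTL=255 PROTO=UDP SPT=5353 DPT=5353 LEN=180
Jan 10 09:00:03 ipfire kernel: DROP_Wirelessinput IN=blue0 OUT= SRC=192.168.2.50 DST=192.168.2.1 LEN=60 TTL=64 PROTO=TCP SPT=40000 DPT=22
Jan 10 09:00:04 ipfire dhcpd: DHCPACK on 192.168.2.50 to aa:bb:cc:dd:ee:ff via blue0
EOF

# drop_summary FILE
# Prints one line per (interface, protocol, destination port) combination
# that was dropped, as "count iface proto dport", most frequent first.
drop_summary() {
    grep 'DROP_Wirelessinput' "$1" |
    sed -n 's/.*IN=\([^ ]*\).*PROTO=\([^ ]*\).*DPT=\([0-9]*\).*/\1 \2 \3/p' |
    sort | uniq -c | sort -rn | awk '{print $1, $2, $3, $4}'
}

# drop_count FILE PORT
# Number of dropped packets whose destination port equals PORT (field match,
# so port 53 does not also count 5353).
drop_count() {
    awk -v port="$2" '
        /DROP_Wirelessinput/ {
            for (i = 1; i <= NF; i++) if ($i == "DPT=" port) n++
        }
        END { print n + 0 }' "$1"
}

# mdns_drop_sources FILE
# Distinct source addresses whose packets to UDP/5353 (mDNS) were dropped.
mdns_drop_sources() {
    awk '/DROP_Wirelessinput/ && /PROTO=UDP/ && /DPT=5353( |$)/ {
            for (i = 1; i <= NF; i++) if ($i ~ /^SRC=/) print substr($i, 5)
        }' "$1" | sort -u
}

# Stand-alone usage against the constructed sample; on the firewall, replace
# "$SAMPLE_LOG" with /var/log/messages.
drop_summary "$SAMPLE_LOG"
mdns_drop_sources "$SAMPLE_LOG"
```

The sed pattern in drop_summary relies on each netfilter LOG line carrying exactly one PROTO= and one DPT= field, which holds for the kernel's LOG target; lines without a DPT= (ICMP, for example) are simply skipped by the `p` flag.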


I have the same requirement (scanner on different network than apple client). The solution requires 2 parts.

  1. manage the "advertising and discovery" of the service using Bonjour
  2. communication for the service through the firewall

First the discovery. mDNS is the protocol, but you also need to have the other network “discover” the service, so for this I used the avahi package (which has a dependency on the mdns package). Once these packages are installed on the ipfire firewall you can use the macOS/iOS app "discovery" to see the advertised services. Remember to restart your printer after the avahi/mdns packages are active so that the service is (re)advertised. So now on your client with the discovery app you should see the advertised service (in this case Bonjour scanning) with the port that will be used for the communication.

Now you need to create a rule to allow the required ports from the client network/device to the scanner network/device. I used a rule for the source network to the printer device with multiple ports (scanning and printing).

It works very well and I use vuescan on different networks to a different network every day without problem, and as the avahi and mdns packages are part of the standard packages they are kept in sync with the core firewall version, and so I have not had a problem with this for at least the last 2 years.

Regards, Andrew

1 Like