Mark
I have the same requirement (scanner on different network than apple client). The solution requires 2 parts.
- manage the "advertising and discovery" of the service using Bonjour
- communication for the service through the firewall
First the discovery. mDNS is the protocol, but you also need to have the other network “discover” the service, so for this I used the avahi package (which has a dependency on the mdns package). Once these packages are installed on the IPFire firewall you can use the macOS/iOS app "Discovery" to see the advertised services. Remember to restart your printer after the avahi/mdns packages are active so that the service is (re)advertised. So now on your client with the Discovery app you should see the advertised service (in this case Bonjour scanning) with the port that will be used for the communication.
Now you need to create a rule to allow the required ports from the client network/device to the scanner network/device. I used a rule for the source network to the printer device with multiple ports (scanning and printing).
It works very well and I use VueScan on different networks to a different network every day without problem, and as the avahi and mdns packages are part of the standard packages they are kept in sync with the core firewall version, and so I have not had a problem with this for at least the last 2 years.
Regards, Andrew
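As an added illustration (not from Andrew's post and not the file IPFire ships), this is the avahi-daemon.conf fragment that makes Avahi relay mDNS between the two networks so the discovery step above works across subnets; the file path, the interface names and the idea that the reflector is off by default are assumptions, so compare against what the IPFire package actually installs:

```ini
# /etc/avahi/avahi-daemon.conf (assumed path; only the relevant sections shown)
[server]
# Limit Avahi to the two interfaces that must see each other
# (green0 = client LAN, blue0 = printer network; names are assumptions).
allow-interfaces=green0,blue0
# Never relay service announcements toward the WAN side.
deny-interfaces=red0

[reflector]
# Re-announce mDNS queries and answers on each allowed interface.
# Plain mDNS is link-local only; this is what lets a client on green0
# learn the scanner's name, address and port from blue0.
enable-reflector=yes
# Optional (avahi 0.8+): reflect only the service types you need instead
# of everything on the network. Service names here are constructed
# examples; use the type the Discovery app shows for your scanner.
#reflect-filters=_scanner._tcp.local,_ipp._tcp.local
```

The reflector only carries the advertisement; the scan and print traffic itself still needs the firewall rule from the client network to the printer on the ports shown in the Discovery app, as described in the post.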