Network Segmentation and mDNS (Bonjour & AirPrint)

By now every network administrator should know that flat network structures are a bad idea. It is common practice to move multifunction devices and printers into separate network segments and make them accessible to users via the print server only. The problem is that AirPrint no longer works once printers are segmented into their own subnet: the printers are no longer found by mobile devices such as iPhones and iPads, even if you set up routing between the client and printer networks and open all ports from the client network to the printer network.

The cause of the problem is that AirPrint discovers printers with mDNS (called Bonjour in Apple jargon). Multicast DNS, the full name of mDNS, is, as the name suggests, a multicast protocol: in response to a multicast query, all compatible devices announce which services they offer on which port. Since multicast queries are not routed by default, the query from the client network is never forwarded to the printer network, even with routing in place.

The solution to this problem is an mDNS reflector. Some firewalls (e.g. UniFi USGs) already have this built in and enabled by default. On others (e.g. OpenWrt), the function can be installed or configured afterwards.

Some firewalls (e.g. Sophos XG) do not support mDNS reflection at all. In that case you have to use a small Linux VM with one network interface in the client network and one in the printer network. Avahi has proven to be a good mDNS reflector. Below is a short tutorial for installing an Avahi mDNS reflector on an Ubuntu Server VM.

Installation of Avahi – Step by Step

Step 1: Install Ubuntu Server

Install Ubuntu Server. I recommend installing OpenSSH as well, since it simplifies administration. If DHCP is available in both the printer network and the client network, the server can be installed with the default settings without any problems. Otherwise the interfaces have to be configured by hand.

Step 2: Install Avahi

Install Avahi and some supporting packages.

$ sudo apt-get install avahi-daemon avahi-utils

Step 3: Configure Avahi

By default, Avahi runs as an mDNS server and advertises its own services. The mDNS reflector function is disabled by default and commented out in the configuration. The configuration can be edited with any editor (here nano).

$ sudo nano /etc/avahi/avahi-daemon.conf

The following lines need to be changed

[server]
...
use-ipv4=yes
use-ipv6=yes

...

[reflector]
#enable-reflector=no
#reflect-ipv=no

into something like

[server]
...
use-ipv4=yes
use-ipv6=no

...

[reflector]
enable-reflector=yes
#reflect-ipv=no

In many guides you will find the network interfaces restricted via the parameter “allow-interfaces=…”. However, this is not necessary if the server only acts as an mDNS reflector.

Step 4: Open mDNS port

mDNS uses UDP port 5353, which still needs to be opened on the Ubuntu firewall:

$ sudo ufw allow 5353/udp

Step 5: Disable IPv6

In IPv4-only networks it is recommended to permanently disable IPv6 in Ubuntu. On Ubuntu Server this is done with the additional “ipv6.disable=1” flag in the GRUB configuration. To do this, edit the GRUB configuration with an editor like nano:

$ sudo nano /etc/default/grub

Change the line

GRUB_CMDLINE_LINUX_DEFAULT=""

to

GRUB_CMDLINE_LINUX_DEFAULT="ipv6.disable=1"

Then update the GRUB configuration with the following command:

$ sudo update-grub

Step 6: Reboot the Server

After a reboot, IPv6 is disabled and the new Avahi configuration is active. If you want to change the Avahi configuration without rebooting the whole server, you can restart the Avahi service with the following command:

$ sudo service avahi-daemon restart
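Steps 3 to 6 as one scripted, checkable change, added here as an example that is not part of the original tutorial: one function rewrites the two settings in a given avahi-daemon.conf, a second verifies them section by section, so a re-run or a config-management job can confirm the reflector is really on before restarting the service. The config it demos on is a constructed copy; the real path /etc/avahi/avahi-daemon.conf only appears in a comment.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: apply the Step 3 reflector
# settings to an avahi-daemon.conf idempotently and verify the result.

# Rewrite use-ipv6 in [server] and enable-reflector in [reflector]; both the
# commented (#key=) and the already active (key=) forms are matched.
configure_avahi_reflector() {
    conf="$1"
    sed -e 's/^#*use-ipv6=.*/use-ipv6=no/' \
        -e 's/^#*enable-reflector=.*/enable-reflector=yes/' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Return 0 when the active (uncommented) line key=value exists inside [section].
conf_has() {
    awk -v sec="$1" -v kv="$2" '
        /^\[/                                  { cur = $0 }
        (cur == ("[" sec "]")) && ($0 == kv)   { found = 1 }
        END                                    { exit found ? 0 : 1 }' "$3"
}

# Constructed sample mirroring the default layout shown in the tutorial.
make_sample_conf() {
    printf '%s\n' '[server]' 'use-ipv4=yes' 'use-ipv6=yes' '' \
                  '[reflector]' '#enable-reflector=no' '#reflect-ipv=no' > "$1"
}

# Demo on a temporary copy. On the real host, as root:
#   configure_avahi_reflector /etc/avahi/avahi-daemon.conf
#   ufw allow 5353/udp && service avahi-daemon restart
demo=$(mktemp)
make_sample_conf "$demo"
configure_avahi_reflector "$demo"
if conf_has server use-ipv6=no "$demo" && conf_has reflector enable-reflector=yes "$demo"; then
    echo "reflector configuration applied:"
    cat "$demo"
fi
rm -f "$demo"
```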

Diagnose

A handy diagnostic tool for Windows clients is the Bonjour Browser from Hobbyist Software. It gives a clear overview of the Bonjour services found. The browser is also suitable for finding the ports that need to be opened (e.g. TCP 631 for the Internet Printing Protocol, IPP).

Hobbyist Software's Bonjour browser displays found mDNS services.

You can also use the browser that ships with Avahi:

$ avahi-browse -a

What else needs to be done?

Since Avahi only acts as an mDNS reflector, clients that want to use AirPrint still need a route into the printers' network. The whole segmentation becomes rather pointless if you open all ports on the firewall to the printer network again. Therefore it makes sense to use a Bonjour browser to look up the advertised ports and open only those. In my specific case the following ports had to be opened:

Protocol   Port    Service
TCP        9100    Printer PDL Data Stream
TCP        631     IPP (Internet Printing Protocol)
TCP        515     LPD (Line Printer Daemon) ?
TCP        80      HTTP (partly used for scanning services)
TCP        8080    HTTP-ALT (partly used for scanning services)
TCP        443     HTTPS (partly used for scanning services)
TCP        40080   HTTP/Scan (on some Toshiba printers)
TCP        40443   HTTPS/Scan (on some Toshiba printers)

Non-exhaustive port list for Apple AirPrint

LPD is probably not needed. The protocol is advertised by all printers via mDNS, but I am not sure whether it is used for AirPrint or only for printing from macOS.
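Added example, not from the original post: deriving the port list above from the parsable output of avahi-browse -a -r -t -p (all services, resolved, terminate after one scan, parsable output) instead of reading it off a GUI. The sample records are constructed and stand in for a real scan of one multifunction printer.

```shell
#!/bin/sh
# Added example, not part of the original post: turn the parsable output of
#   avahi-browse -a -r -t -p
# into the protocol/port pairs the firewall between client and printer network
# must allow. Resolved records start with "=" and carry host, address, port
# and TXT record as fields 7 to 10 (semicolon separated).

# Constructed sample lines in the -p format (one multifunction printer).
SAMPLE_BROWSE='+;ens18;IPv4;Office MFP;_ipp._tcp;local
=;ens18;IPv4;Office MFP;_ipp._tcp;local;mfp.local;192.0.2.10;631;"txtvers=1" "pdl=application/pdf"
=;ens18;IPv4;Office MFP;_pdl-datastream._tcp;local;mfp.local;192.0.2.10;9100;"txtvers=1"
=;ens18;IPv4;Office MFP;_printer._tcp;local;mfp.local;192.0.2.10;515;"txtvers=1"
=;ens18;IPv4;Office MFP;_http._tcp;local;mfp.local;192.0.2.10;80;""
=;ens18;IPv4;Office MFP;_scanner._tcp;local;mfp.local;192.0.2.10;8080;""
=;ens18;IPv4;Office MFP;_ipp._tcp;local;mfp.local;192.0.2.10;631;"txtvers=1"'

# Read avahi-browse -p records on stdin; print "proto port service-type",
# one line per distinct combination, sorted by protocol and port.
advertised_ports() {
    awk -F';' '$1 == "=" && NF >= 9 {
        proto = $5
        sub(/.*\._/, "", proto)             # "_ipp._tcp" -> "tcp"
        key = proto " " $9 " " $5
        if (!(key in seen)) { seen[key] = 1; print key }
    }' | sort -k1,1 -k2,2n
}

# Same list reduced to "proto port", ready for a firewall rule set.
firewall_ports() {
    advertised_ports | awk '{ print $1, $2 }' | uniq
}

printf '%s\n' "$SAMPLE_BROWSE" | advertised_ports
```

Pipe a live scan through it with `avahi-browse -a -r -t -p | firewall_ports` on the reflector VM, which sees both segments.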
