
Bonjour/mDNS over IPSEC/L2TP?

Hi there,

Has anyone managed to get Bonjour / mDNS sharing working over IPsec / L2TP links? Can this be configured somehow? As far as I see it, IPsec / L2TP links appear as point-to-point devices which mDNSResponder doesn't pick up for broadcasts - can this be enabled somehow?

Best regards,

abrax5

Posted on Jun 6, 2008 2:16 PM

9 replies

Jun 7, 2008 2:10 PM in response to abrax5

This makes no sense to me. I have been researching this topic for a while, and the general consensus seems to be that Bonjour simply is not available over a VPN connection. Isn't the purpose of a VPN to join a computer securely to a remote network? The remote computer is connected to the corporate network via a VPN, is on the *same subnet* as the corporate network, and responds to broadcast PINGs sent to the broadcast address -- indicating to me, at least, that broadcast capability is present. Why, then, can't Bonjour broadcasts be sent to the remote computer?

I have seen "solutions" detailing the use of Wide-Area Bonjour in other posts (see here: http://discussions.apple.com/thread.jspa?messageID=6917732), but this is unnecessary when the simple solution should be to forward Bonjour broadcasts to VPN-connected computers on the same subnet. I would really like to see this resolved.

Jun 10, 2008 11:21 AM in response to orangekay

The page you're referring to explains basic characteristics and the inner workings of mDNS, especially its assigned multicast addresses and so on. Could you explain how you see this helping to solve the original problem of mDNS not working over VPN links? - thanks in advance.

I've debugged mDNSResponder a little bit and came to the conclusion that there are certain criteria for a network device to be picked up for mDNS communication. If this could be configured somehow or changed, this would be hugely helpful.

Jun 10, 2008 1:05 PM in response to abrax5

Paragraph 4:

"Because 224.0.0.251 and FF02::FB are in the link-local multicast ranges for IPv4 and IPv6, respectively, packets sent to these addresses are *never forwarded outside the local link* nor forwarded onto the local link from outside."

See page 15 for the distinction between a local link and a subnet. Cisco has done some work on the issue of enabling multicasting over VPN, but I've never seen any of it personally and I have no idea if their implementation meets Bonjour's requirements.

Jun 10, 2008 2:40 PM in response to orangekay

Thanks for the clarification. Then the question could be rephrased into: How can one establish a layer 2 virtual private network link using built-in components of Leopard? I think the section of the book you're citing is correct, but it doesn't address the fact that VPN interfaces can be "physical", too.

I've seen the whole thing partially working over Tunnelblick/OpenVPN layer 2 tunnels. But I'd like to achieve the same without additional tools. In principle, mDNS itself isn't layer 2, but layer 3 - but mDNSResponder seems to use layer 2 interfaces only.
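The thread turns on two facts: mDNS is sent to the link-local multicast addresses 224.0.0.251 and FF02::FB, which are never forwarded across a routed hop, and a bridged (layer 2) tunnel puts the remote peer on the same link while a routed point-to-point L2TP/IPsec link does not. The following Python is an added example written for this page, not code from the thread, Apple or mDNSResponder. It classifies a destination address by multicast scope (RFC 5771 local network control block for IPv4, the RFC 4291 scope nibble for IPv6), models the forwarding verdict for a layer 2 versus layer 3 tunnel, and builds and parses a minimal mDNS query so the destination, port and QU bit of the traffic in question are concrete. The names `multicast_scope`, `forwarding_verdict`, `tunnel_layer`, `build_mdns_query` and `parse_question` are this example's own; the "routable multicast is delivered" branch assumes the hop has multicast routing configured, which a plain VPN concentrator usually does not.

```python
import ipaddress
import struct

# mDNS destination addresses and port (RFC 6762 section 3), as cited in the thread.
MDNS_V4 = "224.0.0.251"
MDNS_V6 = "ff02::fb"
MDNS_PORT = 5353

# RFC 5771: 224.0.0.0/24 is the Local Network Control Block, never forwarded.
LOCAL_CONTROL_BLOCK_V4 = ipaddress.ip_network("224.0.0.0/24")


def multicast_scope(addr: str) -> str:
    """Classify a destination as 'unicast', 'link-local' or 'routable' multicast."""
    ip = ipaddress.ip_address(addr)
    if not ip.is_multicast:
        return "unicast"
    if ip.version == 4:
        return "link-local" if ip in LOCAL_CONTROL_BLOCK_V4 else "routable"
    # IPv6: the scope is the low nibble of byte 1 (RFC 4291 section 2.7).
    # 1 = interface-local, 2 = link-local; larger scopes may cross routers.
    scope = ip.packed[1] & 0x0F
    return "link-local" if scope <= 2 else "routable"


def forwarding_verdict(dst: str, tunnel_layer: int) -> str:
    """Model whether a packet to dst reaches the far end of a VPN tunnel.

    tunnel_layer=2 models a bridged tunnel: the far end shares the link, so
    link-local multicast is delivered. tunnel_layer=3 models a routed
    point-to-point link (L2TP/IPsec in the thread): the packet would have to
    be forwarded, which link-local scope forbids.
    """
    scope = multicast_scope(dst)
    if scope == "unicast":
        return "delivered"
    if scope == "link-local":
        return "delivered" if tunnel_layer == 2 else "dropped:link-local-scope"
    # Assumption of this example: wider-scope multicast only crosses an L3 hop
    # if multicast routing is set up there, so the answer is a requirement.
    return "delivered" if tunnel_layer == 2 else "needs-multicast-routing"


def encode_name(name: str) -> bytes:
    """Encode a dotted name as DNS labels (length-prefixed, zero terminated)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("utf-8")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS label must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_mdns_query(name: str, qtype: int = 12, unicast_response: bool = False) -> bytes:
    """Build a one-question mDNS query (RFC 6762 sections 5.1 and 18).

    Header: ID 0, flags 0 (standard query), QDCOUNT 1. qtype 12 is PTR, the
    type used for service browsing. The QU bit is the top bit of QCLASS and
    asks responders to reply by unicast instead of multicast.
    """
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    qclass = 1 | (0x8000 if unicast_response else 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, qclass)


def parse_question(packet: bytes):
    """Decode the header and first question: (name, qtype, qclass, qu_bit)."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    _id, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    if qdcount < 1:
        raise ValueError("no question section")
    pos, labels = 12, []
    while True:
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a query name")
        labels.append(packet[pos:pos + length].decode("utf-8"))
        pos += length
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype, qclass & 0x7FFF, bool(qclass & 0x8000)


if __name__ == "__main__":
    for dst in (MDNS_V4, MDNS_V6, "239.255.255.250", "10.0.0.5"):
        print(dst, multicast_scope(dst), "L3:", forwarding_verdict(dst, 3), "L2:", forwarding_verdict(dst, 2))
    q = build_mdns_query("_services._dns-sd._udp.local", unicast_response=True)
    print(len(q), "byte query to", MDNS_V4, "port", MDNS_PORT, "->", parse_question(q))
```

Running the module shows the verdict that matches the thread's experience: the same 46-byte service-browse query is "delivered" over a bridged tunnel and "dropped:link-local-scope" over a routed one, while a unicast destination such as 10.0.0.5 is delivered either way. That is why Wide-Area Bonjour (unicast DNS-SD) or a layer 2 tunnel are the two routes around the problem rather than any mDNSResponder setting.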
