9 Replies Latest reply: Jun 25, 2008 7:46 AM by aapl.crox
abrax5 Level 1 (0 points)
Hi there,

Has anyone managed to get Bonjour / mDNS sharing working over IPsec / L2TP links? Can this be configured somehow? As far as I see it, IPsec / L2TP links appear as point-to-point devices which mDNSResponder doesn't pick up for broadcasts - can this be enabled somehow?

Best regards,

  • orangekay Level 5 (4,085 points)
    Wide-Area Bonjour is not quite ready for prime-time I'm afraid. It can work, but only under extremely specific circumstances.
  • abrax5 Level 1 (0 points)
    Mhm, I wasn't talking about DNS-based Wide-Area Bonjour. I would rather like to know whether the traditional one, with multicast DNS broadcasts in a subnet, can be extended to work over a VPN link.
  • Dr. Mario Level 1 (5 points)
    This makes no sense to me. I have been researching this topic for a while, and the general consensus seems to be that Bonjour simply is not available over a VPN connection. Isn't the purpose of a VPN to join a computer securely to a remote network? The remote computer is connected to the corporate network via a VPN, is on the *same subnet* as the corporate network, and responds to broadcast PINGs sent to the broadcast address -- indicating to me, at least, that broadcast capability is present. Why, then, can't Bonjour broadcasts be sent to the remote computer?

    I have seen "solutions" detailing the use of Wide-Area Bonjour in other posts (see here: http://discussions.apple.com/thread.jspa?messageID=6917732), but this is unnecessary when the simple solution should be to forward Bonjour broadcasts to VPN-connected computers on the same subnet. I would really like to see this resolved.
  • orangekay Level 5 (4,085 points)
    See page 43 of Stuart Cheshire's book "Zero Configuration Networking, The Definitive Guide."
  • abrax5 Level 1 (0 points)
    The page you're referring to explains basic characteristics and the inner workings of mDNS, especially its assigned multicast addresses and so on. Could you explain how you see this helping to solve the original problem of mDNS not working over VPN links? - thanks in advance.

    I've debugged mDNSResponder a little bit and came to the conclusion that there are certain criteria for a network device to be picked up for mDNS communication. If this could be configured or changed somehow, this would be hugely helpful.
  • orangekay Level 5 (4,085 points)
    Paragraph 4:

    "Because and FF02::FB are in the link-local multicast ranges for IPv4 and IPv6, respectively, packets sent to these addresses are *never forwarded outside the local link* nor forwarded onto the local link from outside."

    See page 15 for the distinction between a local link and a subnet. Cisco has done some work on the issue of enabling multicasting over VPN, but I've never seen any of it personally and I have no idea if their implementation meets Bonjour's requirements.
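The distinction quoted above, as an added example that is not part of this thread: a small Python classifier for multicast scope, generalized beyond the two mDNS groups to the standard IPv4 blocks (RFC 5771) and the IPv6 scope nibble (RFC 4291). The IPv4 mDNS group 224.0.0.251 is the standard address from RFC 6762; the function names are mine.

```python
import ipaddress

# Multicast scope classification. Link-local multicast is never routed, so a
# layer 3 (point-to-point, PPP-style) VPN interface cannot carry it; that is
# the reason mDNS traffic to 224.0.0.251 / ff02::fb stays on the local link.
IPV4_LINK_LOCAL_CTRL = ipaddress.ip_network("224.0.0.0/24")  # Local Network Control Block
IPV4_ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")      # Administratively scoped

# IPv6 scope values live in the low nibble of the second address byte (ffXS::/16).
IPV6_SCOPES = {0x1: "interface-local", 0x2: "link-local", 0x4: "admin-local",
               0x5: "site-local", 0x8: "organization-local", 0xE: "global"}

# The two mDNS group addresses (RFC 6762).
MDNS_GROUPS = ("224.0.0.251", "ff02::fb")


def multicast_scope(addr: str) -> str:
    """Return the multicast scope name for addr, or 'unicast' if it is not multicast."""
    ip = ipaddress.ip_address(addr)
    if not ip.is_multicast:
        return "unicast"
    if ip.version == 4:
        if ip in IPV4_LINK_LOCAL_CTRL:
            return "link-local"
        if ip in IPV4_ADMIN_SCOPED:
            return "admin-scoped"
        return "global"
    scope_nibble = ip.packed[1] & 0x0F
    return IPV6_SCOPES.get(scope_nibble, "unassigned")


def routable_over_l3_vpn(dst: str) -> bool:
    """True if a router-style (layer 3) VPN gateway may forward a packet to dst.

    Link-local and interface-local multicast is never forwarded off the link,
    which is exactly the case for both mDNS groups.
    """
    return multicast_scope(dst) not in ("link-local", "interface-local")


if __name__ == "__main__":
    # Constructed sample destinations: the mDNS groups, SSDP, a site-local
    # IPv6 group and a plain unicast host.
    for dst in MDNS_GROUPS + ("239.255.255.250", "ff05::1:3", "10.0.0.42"):
        print(f"{dst:18} scope={multicast_scope(dst):18} "
              f"routable_over_l3_vpn={routable_over_l3_vpn(dst)}")
```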
  • abrax5 Level 1 (0 points)
    Thanks for the clarification. Then the question could be rephrased as: how can one establish a layer 2 virtual private network link using built-in components of Leopard? I think the section of the book you're citing is correct, but it doesn't address the fact that VPN interfaces can be "physical", too.

    I've seen the whole thing partially working over Tunnelblick/OpenVPN layer 2 tunnels. But I'd like to achieve the same without additional tools. In principle, mDNS itself isn't layer 2 but layer 3 - but mDNSResponder seems to use layer 2 interfaces only.
  • orangekay Level 5 (4,085 points)
    Using built-in components? I don't think you can, but someone on the network programming list might know better than I do.
  • aapl.crox Level 1 (0 points)
    If Bonjour over VPN doesn't work, then how does Back to My Mac do it? Pretty sure they just run Leopard servers?