Multicast works only after service start (JAIL)

Hi,

I'm trying to set up AFP shares and the FireFly iTunes server in two different jails to access them from my MacBook client.

I set up both services with two different IPs which are part of my IP network. Right after starting up the FireFly-Server and the AFP-Jail (avahi) I can see both in Finder (central file-access-tool in MacOS X).

But when I restart my client (Mac), the shares and the iTunes server won't show up again until I restart them.

The pf firewall is configured to open all ports for my client IP. RDR rules and NAT are not used for these jails as they have "external" IPs. Outgoing ports are also open.

Does anybody have an idea what I could do to solve this? It seems like a multicast problem. I have the same behaviour on a Windows client, so I guess it's not a client issue.

Would be great if you could give me some hints.

Thanks a lot in advance,
Ben.
 
Avahi and OS-X don't seem to like each other. Nothing to do with jails, firewalls or FreeBSD.
 
@SirDice: I have used Avahi and OS X for a while now, and it works perfectly, no problems at all. However, I did not try it inside a jail.

@Ben: Did you try to use a vnet/vimage jail? Those use their own network stack, so I could imagine that this might work better. If you do not know what I am talking about, have a look at this thread: http://forums.freebsd.org/showthread.php?t=9006
 
tty23 said:
@SirDice: I have used Avahi and OS X for a while now, and it works perfectly, no problems at all. However, I did not try it inside a jail.
It seems to work for a while then it breaks. I have no idea why and all I get in the logs is avahi complaining about something my macbook pro sent. Too much hassle so I gave up on it.
 
I have avahi in a jail <-> avahi outside a jail. Works a while, then breaks.

It's because jails can't receive multicasts from the network, though they can send them. I suspect that at first avahi sends its information for a while, then waits for a request to send more.

I can't see a jailed samba in the workgroup either for the same reason.
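
One way to test the claim above that a jailed process can send mDNS multicast but not receive it, as an added example that is not part of any post in this thread: a listener that joins 224.0.0.251 on UDP 5353 and counts packets arriving from other hosts. The function names, the script name in the usage message and the 30-second window are assumptions.

```python
import socket
import struct
import sys
import time

MDNS_GROUP = "224.0.0.251"   # mDNS IPv4 group, as used in this thread
MDNS_PORT = 5353

def classify_mdns(packet):
    """Return (kind, questions, answers) from the 12-byte DNS header, or None if too short."""
    if len(packet) < 12:
        return None
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", packet[:12])
    kind = "response" if flags & 0x8000 else "query"   # QR bit set means response
    return kind, qd, an

def listen(local_ip, seconds=30):
    """Join the mDNS group on local_ip and count packets per (sender, kind)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    if hasattr(socket, "SO_REUSEPORT"):
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEPORT, 1)
    sock.bind(("", MDNS_PORT))
    mreq = socket.inet_aton(MDNS_GROUP) + socket.inet_aton(local_ip)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    sock.settimeout(1.0)
    seen = {}
    deadline = time.monotonic() + seconds
    while time.monotonic() < deadline:
        try:
            data, (src, _port) = sock.recvfrom(9000)
        except socket.timeout:
            continue
        parsed = classify_mdns(data)
        if parsed and src != local_ip:          # ignore our own announcements
            key = (src, parsed[0])
            seen[key] = seen.get(key, 0) + 1
    sock.close()
    return seen

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: mdns_rx_check.py <jail-ip>")
    counts = listen(sys.argv[1])
    for (src, kind), n in sorted(counts.items()):
        print(f"{src:15} {kind:8} {n}")
    if not any(kind == "query" for _src, kind in counts):
        print("no mDNS queries from other hosts reached this socket")
```

Run it inside the jail with avahi-daemon stopped, passing the jail's IP, while a client browses the network; running the same script on the host gives the comparison.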
 
This is an old thread, but I am also trying to get avahi working inside the jail.

I note that it seems to be a problem during bind, where the avahi server sees itself, and thinks that its namespace is taken:

Code:
[root@wunderkraut] /# sudo /usr/local/sbin/avahi-daemon --debug
Found user 'avahi' (UID 558) and group 'avahi' (GID 558).
Successfully dropped root privileges.
avahi-daemon 0.6.29 starting up.
WARNING: No NSS support for mDNS detected, consider installing nss-mdns!
Loading service file /usr/local/etc/avahi/services/sftp-ssh.service.
Loading service file /usr/local/etc/avahi/services/ssh.service.
Joining mDNS multicast group on interface wlan0.IPv4 with address 192.168.129.202.
New relevant interface wlan0.IPv4 for mDNS.
Network interface enumeration completed.
Registering new address record for 192.168.129.202 on wlan0.IPv4.
Registering HINFO record with values 'AMD64'/'FREEBSD'.
Host name conflict, retrying with wunderkraut-2
Registering new address record for 192.168.129.202 on wlan0.IPv4.
Registering HINFO record with values 'AMD64'/'FREEBSD'.
Host name conflict, retrying with wunderkraut-3
Registering new address record for 192.168.129.202 on wlan0.IPv4.
Registering HINFO record with values 'AMD64'/'FREEBSD'.
Host name conflict, retrying with wunderkraut-4
Registering new address record for 192.168.129.202 on wlan0.IPv4.
Registering HINFO record with values 'AMD64'/'FREEBSD'.
Host name conflict, retrying with wunderkraut-5
Registering new address record for 192.168.129.202 on wlan0.IPv4.
Registering HINFO record with values 'AMD64'/'FREEBSD'.
Host name conflict, retrying with wunderkraut-6
Registering new address record for 192.168.129.202 on wlan0.IPv4.
Registering HINFO record with values 'AMD64'/'FREEBSD'.
Host name conflict, retrying with wunderkraut-7
Registering new address record for 192.168.129.202 on wlan0.IPv4.
Registering HINFO record with values 'AMD64'/'FREEBSD'.
Host name conflict, retrying with wunderkraut-8
Registering new address record for 192.168.129.202 on wlan0.IPv4.
Registering HINFO record with values 'AMD64'/'FREEBSD'.
^CGot SIGINT, quitting.
Leaving mDNS multicast group on interface wlan0.IPv4 with address 192.168.129.202.
avahi-daemon 0.6.29 exiting.

I verified that the host system doesn't have avahi reflection turned on, and played with some other settings, but the jail avahi only works if the host isn't running avahi.

I am on PCBSD (which I believe has no vimage in the kernel).
 
Apologies to revive an old thread - I have been trying to resolve a similar sounding issue where I want to run netatalk (afp) and avahi in a jail and the AFP server is only visible in the Mac Finder for a few minutes after service start and only reappears by restarting avahi or netatalk.

I found a workaround inspired by this forum posting and this using PF.

This entry in /etc/pf.conf redirects all mDNS multicast traffic to the jail interface, where bge0 is the local LAN network interface and xxx.xxx.xxx.xxx is the IP address on that interface aliased to the jail.

Code:
rdr on bge0 proto udp \
  from any \
  to 224.0.0.251 port 5353 -> xxx.xxx.xxx.xxx port 5353

This has the effect that avahi now sees multicast requests from clients and sends a response. I'm happy with this workaround as I'm planning to run all mDNS-related services out of this jail.
 
tomgray said:
I found a workaround inspired by this forum posting and this using PF.

Thank you so much for this workaround! I tried to figure out how to solve this for a pretty long time. This solution is a little dirty but will serve its purpose until there is a clean solution for multicast in jail environments.

Jeremy

P.S.: is there something that makes jail multicast possible in 10.0 or 11.0?
 
Code:
rdr on bge0 proto udp \
  from any \
  to 224.0.0.251 port 5353 -> xxx.xxx.xxx.xxx port 5353

This has the effect that avahi now sees multicast requests from clients and sends a response. I'm happy with this workaround as I'm planning to run all mDNS-related services out of this jail.

Thanks for this. Do you still have a working setup? I've been trying with FreeBSD 11.2 & iocage jails, but haven't had any luck.
 
teh_fink this is a 10 year old thread (started in 2009!) that's been resurrected a couple of times already. Please open a new thread with your questions.
 