by default the ubiquity APs have a number of rules in place that prevent airprint and bonjour operation from working together nicely. the following is necessary to enable guest networks to reach airprint, etc. resources on different segments from the guest network. one would think that it would be sufficient to simply enable the necessary firewall rules, add a bonjour reflector and boom have it work. alas, it’s a little more involved than that.
external configuration steps
- create the necessary (real) firewall rules to enable reachability to the internal resources as necessary.
- make this as granular as necessary
- you will need to be running a bonjour reflector (e.g.: avahi) in some form to enable the guestnet clients to learn about the resources which are on the infra networks.
- add infra network to pre-approved list of networks
- from within the unifi interface under “Guest Control”, add the networks/IP addresses of the resources/printers you want the guest segment to have access to. this should also include things like specific DNS servers for resolving local resources, etc. local resource networks should be included here as well.
add custom EBTABLE entries for port 5353 traffic
on the server running unifi - under the [unifi_base]/data/sites/[site_name] directory, create a file,
config.properties. the following entries are required in this file and are used by ebtables to allow port 5353 traffic across the access points. create a text file containing the following lines:
config.system_cfg.1=ebtables.3.cmd=-t nat -A GUESTIN -p 0x800 --ip-proto 17 --ip-dport 5353 -j ACCEPT config.system_cfg.2=ebtables.3.cmd=-t nat -A GUESTOUT -p 0x800 --ip-proto 17 --ip-dport 5353 -j ACCEPT
DROP statements in the access point configurations
- this requires that you
sshto each access point. (use the unifi admin credentials created on setup.)
- edit the
- delete the following two lines:
ebtables.??.cmd=-t nat -A GUESTIN -p 0x800 --ip-dst 220.127.116.11/4 -j DROP ebtables.??.cmd=-t nat -A GUESTOUT -p 0x800 --ip-dst 18.104.22.168/4 -DROP
- use the
- the access point will restart and bonjour mcast discovery traffic will flow. note, this is traffic impacting, don’t do this if you have users who will be impacted.
when an access point is upgraded the multicast
DROP statements will reappear and bonjour traffic will again be blocked. you will need to re-remove the multicast
DROP statements listed above to enable bonjour service to operate. yes, this means logging in again and editing the
/tmp/system.cfg file as noted above.
just to make things easier i created an ansible playbook to automate the update process on the access points. after you do an AP software upgrade you can quickly remove the aforementioned
ebtables entries with this playbook.
% ansible-playbook -k ubiquiti-bonjour.yml
you’ll need to provide the password you use for logging into the unifi controller on your network. this assumes that the username is the same as the host you’re on. the configuration and modification of this for your environment is left as an exercise for the reader.
!!! USE AT YOUR OWN RISK !!!