NWA50AX filtering / blocking Multicast (mDNS) traffic?
My NWA50AX Access Point is filtering/blocking Multicast (mDNS) traffic!
I have my NWA50AX connected via Ethernet to my broadband router in separate parts of the house, with both devices broadcasting the same SSID for a single home network throughout my house.
When connected directly to my broadband router (either wirelessly or over Ethernet) I can discover mDNS services broadcast by other devices on my network, but when switching to connect wirelessly to my NWA50AX, no mDNS services are visible any more, suggesting the NWA50AX is filtering them out.
How can I disable this filtering? Or is there a configuration that will force the AP to relay mDNS traffic?
All Replies
-
Hi @TomAP ,
Our access points, including the NWA50AX, support mDNS and can transmit mDNS traffic to the multicast address 224.0.0.251 without dropping or filtering packets. However, this functionality is currently limited to devices within the same subnet. Please ensure that your device is on the same subnet and that Layer 2 isolation is disabled for your SSID.
For mDNS routing/relay functionality that enables mDNS forwarding across different VLANs, we have identified this as a requirement for future implementation in our firewall. You can find the idea about this concept in the provided link:
Support mDNS routing/relay on Zyxel firewall — Zyxel Community
Zyxel_Judy
0 -
Thanks @Zyxel_Judy,
Yes, both my router and Access Point are on the same subnet (255.255.255.0), and Layer 2 Isolation is disabled for my SSID in Nebula. Are there any other settings I can check? Or else, can you help me to debug why Multicast traffic is not being forwarded please?
0 -
Hi @TomAP ,
255.255.255.0 is a common subnet mask for IP networks, but this does not ensure that your broadband router, NWA50AX, and wireless clients are in the same subnet. Please verify this configuration.
If they are confirmed to be in the same subnet, but the wireless clients connected to the NWA50AX still do not receive mDNS packets, please help us by capturing packets on both the wired and wireless interfaces as described below and sharing the results with us.
- To capture packets on the wired interface (eth0): packet-trace interface eth0 verbose-vvv
- To capture packets on the wireless interface (for example: wlan-2-1): packet-trace interface wlan-2-1 verbose-vvv. To know which WLAN interface, use this command: show wlan slot_name detail.
For example: I want to trace packets on the SSID 'WAC_Nami' that my devices connect to. The corresponding WLAN interface is 'wlan-2-1'
Zyxel_Judy
0 -
Thanks @Zyxel_Judy , packet captures sent to you via message - appreciate your investigations, many thanks!
0 -
Hi @TomAP ,
From the packet captures, we can see that mDNS queries are being received on both the eth0 and wlan interfaces, which indicates that the AP is not blocking this type of traffic. In particular, we observed _remotepairing._tcp.local., a service commonly associated with Apple devices such as AirPrint or HomePod.
To help us better understand the situation, could you please provide the following details:
- mDNS Traffic Issue: Where did you expect to receive mDNS traffic but did not? What specific symptoms are you experiencing?
- Network Topology: What is your complete network topology, including all devices' IP addresses, subnet masks?
- Nebula Configuration: What are your Nebula organization and site names?
By the way, please enable Zyxel support
Zyxel_Judy
0 -
Hi @Zyxel_judy,
Thanks, I'm using the dns-sd command to compare available services when connected to the AP vs when connected directly to my router.
When connected to the AP, I consistently get no results:
% dns-sd -t 5 -B
Browsing for _http._tcp
DATE: ---Mon 02 Jun 2025---
14:52:43.659 ...STARTING...
But if I then unplug the AP's ethernet cable and connect my computer directly to my router via this ethernet cable, I consistently find services being broadcast by other devices on my network:
% dns-sd -t 5 -B
Browsing for _http._tcp
DATE: ---Mon 02 Jun 2025---
14:53:17.839 ...STARTING...
Timestamp A/R Flags if Domain Service Type Instance Name
14:53:17.846 Add 3 15 local. _http._tcp. 64CFD910B77C@mysimplelink
14:53:17.846 Add 2 15 local. _http._tcp. tinysvcmdns responder
This led me to the conclusion that the AP is filtering this traffic.
I've enabled Zyxel Support Access - please take a look! Thanks!
0 -
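The browse that dns-sd -B performs in the post above is a DNS PTR question for _http._tcp.local sent to the mDNS group, answered with PTR records naming each instance. As an added example (not code from this thread or from Zyxel), this sketch builds that question and decodes PTR answers; the function names are hypothetical and the sample response is constructed, not taken from the captures discussed here.

```python
import struct
TYPE_PTR, CLASS_IN = 12, 1          # DNS record type PTR, class IN

def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    labels = [part.encode() for part in name.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_ptr_query(service="_http._tcp.local"):
    """One-question mDNS query: ID 0, flags 0, QDCOUNT 1, QTYPE PTR."""
    return (struct.pack("!6H", 0, 0, 1, 0, 0, 0) + encode_name(service)
            + struct.pack("!2H", TYPE_PTR, CLASS_IN))

def read_name(msg, off, hops=0):
    """Decode a possibly compressed name; return (name, next offset)."""
    labels = []
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:                  # compression pointer
            if hops > 16:
                raise ValueError("compression pointer loop")
            ptr = ((msg[off] & 0x3F) << 8) | msg[off + 1]
            labels.append(read_name(msg, ptr, hops + 1)[0])
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + msg[off]].decode("utf-8", "replace"))
        off += 1 + msg[off]
    return ".".join(labels), off + 1

def parse_ptr_answers(msg):
    """Return the instance names carried in PTR answer records."""
    qd, an = struct.unpack("!HH", msg[4:8])
    found, off = [], 12
    for _ in range(qd):                              # skip question entries
        off = read_name(msg, off)[1] + 4
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == TYPE_PTR:
            found.append(read_name(msg, off + 10)[0])
        off += 10 + rdlen
    return found

def sample_response():
    """Constructed reply: one PTR answer for _http._tcp.local (not a capture)."""
    owner = encode_name("_http._tcp.local")          # sits at offset 12
    target = encode_name("tinysvcmdns responder")[:-1] + b"\xc0\x0c"  # -> offset 12
    rr = struct.pack("!HHIH", TYPE_PTR, CLASS_IN, 120, len(target))
    return struct.pack("!6H", 0, 0x8400, 0, 1, 0, 0) + owner + rr + target

if __name__ == "__main__":
    print(parse_ptr_answers(sample_response()))
```

parse_ptr_answers accepts the UDP payload of any mDNS packet (port 5353) exported from a capture, so the same decoder can be run on payloads taken on the wired and wireless sides to compare which service instances appear on each.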
Hi @TomAP ,
It seems the results differ between the dns-sd command and the packet capture.
After reviewing the packets and command results, we need to understand the network topology for both test scenarios:
- Laptop connected to NWA50AX's SSID
- Laptop connected directly to your broadband router via Ethernet cable
Please provide a complete network diagram showing all network devices and end devices with their IP addresses. This will help us investigate the issue thoroughly and reproduce the symptoms if needed.
Zyxel_Judy
0 -
Thanks @Zyxel_Judy, I've sent a diagram over to you by direct message.
0 -
Hi @TomAP ,
Thank you for sharing the network diagram and doing some tests.
After your device (192.168.0.35) disconnected from the NWA50AX's SSID, we captured packets on both the AP uplink and wlan-2-1.1 interfaces (see attachments on the private message). We've confirmed that the AP's wlan-2-1.1 interface is successfully receiving mDNS packets from 192.168.0.35, which indicates that the AP is not blocking or filtering multicast traffic.
For further investigation, we need your assistance with two tests:
1/ Wireshark capture on WiFi: When your laptop connects to the NWA50AX and there is mDNS traffic in the network, could you run Wireshark and capture traffic on the WiFi interface? This will help us verify whether the mDNS packets are reaching your device.
2/ DNS-SD test on router's WiFi: Please confirm whether the command dns-sd -t 5 -B returns results when your laptop is connected to the router's WiFi SSID. Previously, you shared the results when your laptop was connected to the router via Ethernet cable.
Zyxel_Judy
0 -
Thanks @Zyxel_Judy , I've captured a side-by-side video capture of the eth0 and wlan interfaces and shared with you via private message. This clearly illustrates mdns packets received on eth0 NOT being forwarded on wlan. I think this answers your #1 question, since the mdns packets are not even leaving the AP's wlan interface.
And regarding your #2 question, yes I've run the dns-sd command from laptop connected to router's Wifi SSID - it's the same result as when connected by ethernet - the mdns services are visible.
Please let me know if you need any more captures to investigate further. Thanks
0