NWA50AX filtering / blocking Multicast (mDNS) traffic?

TomAP
TomAP Posts: 7  Freshman Member

My NWA50AX Access Point is filtering/blocking Multicast (mDNS) traffic!

I have my NWA50AX connected via Ethernet to my broadband router in separate parts of the house, with both devices broadcasting the same SSID for a single home network throughout my house.

When connected directly to my broadband router (either wirelessly or over Ethernet) I can discover mDNS services broadcast by other devices on my network, but when switching to connect wirelessly to my NWA50AX, no mDNS services are visible any more, suggesting the NWA50AX is filtering them out.

How can I disable this filtering? Or is there a configuration that will force the AP to relay mDNS traffic?


All Replies

  • Zyxel_Judy
    Zyxel_Judy Posts: 2,268  Zyxel Employee
    edited May 15

    Hi @TomAP ,

    Our access points, including the NWA50AX, support mDNS and can transmit mDNS traffic to the multicast address 224.0.0.251 without dropping or filtering packets. However, this functionality is currently limited to devices within the same subnet. Please ensure that your device is on the same subnet and that Layer 2 isolation is disabled for your SSID.

    For mDNS routing/relay functionality that enables mDNS forwarding across different VLANs, we have identified this as a requirement for future implementation in our firewall. You can find the idea about this concept in the provided link:

    Support mDNS routing/relay on Zyxel firewall — Zyxel Community

    Zyxel_Judy

  • TomAP

    Thanks @Zyxel_Judy,

    Yes, both my router and Access Point are on the same subnet (255.255.255.0), and Layer 2 Isolation is disabled for my SSID in Nebula. Are there any other settings I can check? Or else, can you help me to debug why Multicast traffic is not being forwarded please?

  • Zyxel_Judy

    Hi @TomAP ,

    255.255.255.0 is a common subnet mask for IP networks, but this does not ensure that your broadband router, NWA50AX, and wireless clients are in the same subnet. Please verify this configuration.
    If they are confirmed to be in the same subnet, but the wireless clients connected to the NWA50AX still do not receive mDNS packets, please help us by capturing packets on both the wired and wireless interfaces as described below and sharing the results with us.

    • To capture packets on the wired interface (eth0): packet-trace interface eth0 verbose-vvv
    • To capture packets on the wireless interface (for example: wlan-2-1): packet-trace interface wlan-2-1 verbose-vvv. To know which WLAN interface, use this command: show wlan slot_name detail.

    For example: I want to trace packets on the SSID 'WAC_Nami' that my devices connect to. The corresponding WLAN interface is 'wlan-2-1'


    Zyxel_Judy

  • TomAP

    Thanks @Zyxel_Judy , packet captures sent to you via message - appreciate your investigations, many thanks!

  • Zyxel_Judy

    Hi @TomAP ,

    From the packet captures, we can see that mDNS queries are being received on both the eth0 and wlan interfaces, which indicates that the AP is not blocking this type of traffic. In particular, we observed _remotepairing._tcp.local., a service commonly associated with Apple devices such as AirPrint or HomePod.

    To help us better understand the situation, could you please provide the following details:

    • mDNS Traffic Issue: Where did you expect to receive mDNS traffic but did not? What specific symptoms are you experiencing?
    • Network Topology: What is your complete network topology, including all devices' IP addresses and subnet masks?
    • Nebula Configuration: What are your Nebula organization and site names?

    By the way, please enable Zyxel support

    Zyxel_Judy

  • TomAP

    Hi @Zyxel_judy,

    Thanks, I'm using the dns-sd command to compare available services when connected to the AP vs when connected directly to my router.

    When connected to the AP, I consistently get no results:

    % dns-sd -t 5 -B
    Browsing for _http._tcp
    DATE: ---Mon 02 Jun 2025---
    14:52:43.659 ...STARTING...

    But if I then unplug the AP's ethernet cable and connect my computer directly to my router via this ethernet cable, I consistently find services being broadcast by other devices on my network:

    % dns-sd -t 5 -B
    Browsing for _http._tcp
    DATE: ---Mon 02 Jun 2025---
    14:53:17.839 ...STARTING...
    Timestamp A/R Flags if Domain Service Type Instance Name
    14:53:17.846 Add 3 15 local. _http._tcp. 64CFD910B77C@mysimplelink
    14:53:17.846 Add 2 15 local. _http._tcp. tinysvcmdns responder

    This led me to the conclusion that the AP is filtering this traffic.

    I've enabled Zyxel Support Access - please take a look! Thanks!
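
An added example, not part of the thread and not Zyxel or Apple tooling: a minimal Python version of the dns-sd browse above that queries from port 5353, so replies arrive by multicast, and lists the PTR instances that actually reach the client. It assumes the OS lets a second process share UDP 5353 and that the default interface is the link under test; all function names are illustrative.

```python
import socket, struct, time
GROUP, PORT, PTR = "224.0.0.251", 5353, 12  # mDNS group and port, DNS PTR type

def build_query(service):  # PTR question; ID and flags are zero in mDNS queries
    qname = b"".join(bytes([len(l)]) + l for l in map(str.encode, service.rstrip(".").split(".")))
    return struct.pack("!6H", 0, 0, 1, 0, 0, 0) + qname + b"\x00" + struct.pack("!2H", PTR, 1)

def read_name(msg, off):  # returns (name, offset just past the name)
    labels, after, hops = [], None, 0
    while msg[off]:
        if msg[off] & 0xC0 == 0xC0:  # compression pointer
            after, hops = (off + 2 if after is None else after), hops + 1
            if hops > 16:  # untrusted input: refuse pointer loops
                raise ValueError("compression loop")
            off = ((msg[off] & 0x3F) << 8) | msg[off + 1]
        else:
            labels.append(msg[off + 1:off + 1 + msg[off]].decode("utf-8", "replace"))
            off += 1 + msg[off]
    return ".".join(labels) + ".", (off + 1 if after is None else after)

def parse_ptr(msg):  # (owner, target) for every PTR record in the message
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off, out = 12, []
    for _ in range(qd):  # skip the question section
        off = read_name(msg, off)[1] + 4
    for _ in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, rdlen = struct.unpack("!H6xH", msg[off:off + 10])
        if rtype == PTR:
            out.append((owner, read_name(msg, off + 10)[0]))
        off += 10 + rdlen
    return out

def browse(service="_http._tcp.local.", seconds=5.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # share 5353 with the OS responder
        s.setsockopt(socket.SOL_SOCKET, getattr(socket, "SO_REUSEPORT", socket.SO_REUSEADDR), 1)
        s.bind(("", PORT))  # source port 5353, so replies come back by multicast
        s.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, socket.inet_aton(GROUP) + bytes(4))
        s.sendto(build_query(service), (GROUP, PORT))
        seen, deadline = set(), time.monotonic() + seconds
        while (left := deadline - time.monotonic()) > 0:
            s.settimeout(left)
            try:
                data, peer = s.recvfrom(9000)
                seen |= {(peer[0], t) for o, t in parse_ptr(data) if o.lower() == service.lower()}
            except (socket.timeout, ValueError, IndexError, struct.error):
                continue
    return seen
```

Calling `browse()` once on the AP's SSID and once on the router's gives two sets of (responder IP, instance name) pairs that can be compared directly.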

  • Zyxel_Judy

    Hi @TomAP ,

    It seems the results differ between the dns-sd command and the packet capture.

    After reviewing the packets and command results, we need to understand the network topology for both test scenarios:

    1. Laptop connected to NWA50AX's SSID
    2. Laptop connected directly to your broadband router via Ethernet cable

    Please provide a complete network diagram showing all network devices and end devices with their IP addresses. This will help us investigate the issue thoroughly and reproduce the symptoms if needed.

    Zyxel_Judy

  • TomAP

    Thanks @Zyxel_Judy, I've sent a diagram over to you by direct message.

  • Zyxel_Judy

    Hi @TomAP

    Thank you for sharing the network diagram and doing some tests.

    After your device (192.168.0.35) disconnected from the NWA50AX's SSID, we captured packets on both the AP uplink and wlan-2-1.1 interfaces (see attachments on the private message). We've confirmed that the AP's wlan-2-1.1 interface is successfully receiving mDNS packets from 192.168.0.35, which indicates that the AP is not blocking or filtering multicast traffic.

    For further investigation, we need your assistance with two tests:

    1/ Wireshark capture on WiFi: When your laptop connects to the NWA50AX and there is mDNS traffic in the network, could you run Wireshark and capture traffic on the WiFi interface? This will help us verify whether the mDNS packets are reaching your device.


    2/ DNS-SD test on router's WiFi: Please confirm whether the command dns-sd -t 5 -B returns results when your laptop is connected to the router's WiFi SSID. Previously, you shared the results when your laptop was connected to the router via Ethernet cable.

    Zyxel_Judy

  • TomAP

    Thanks @Zyxel_Judy , I've captured a side-by-side video capture of the eth0 and wlan interfaces and shared with you via private message. This clearly illustrates mdns packets received on eth0 NOT being forwarded on wlan. I think this answers your #1 question, since the mdns packets are not even leaving the AP's wlan interface.

    And regarding your #2 question, yes I've run the dns-sd command from laptop connected to router's Wifi SSID - it's the same result as when connected by ethernet - the mdns services are visible.

    Please let me know if you need any more captures to investigate further. Thanks
