Restrict mDNS To Specific Subnets (Interfaces)

I have an isolated subnet in which Home Assistant communicates. My isolated subnet (172.21.0.0/27) is for unencrypted communication. I have a Postfix mail server in a separate virtual machine. pfSense (172.21.0.9) sends unencrypted email to Postfix, and I can receive email using an email client, such as Dynamic DNS updates. Home Assistant can send an email to Postfix for notifications.

I have the firewall in my Linux container configured as such:

# Generated by xtables-save v1.8.3 on Fri Oct  4 00:44:35 2019
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth2 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o eth2 -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
# Completed on Fri Oct  4 00:44:35 2019

However, pfSense logs and denies port 5353 with a broadcast destination address of 224.0.0.251, if I remember correctly. Anything 224.x.x.y and over is considered a broadcast address, for those who do not know.

The two interfaces I want Home Assistant to broadcast in are:

  1. 172.20.5.0/24 (wired)
  2. 172.20.10.0/24 (wireless)

None of the addresses assigned for the isolated subnet (172.21.0.0/27) had a default gateway. Incoming communication to pfSense is blocked unless I plan to set up Zabbix (SNMP server, for example). Again, this is used for unencrypted communication between multiple Linux containers and virtual machines. None of the broadcast traffic from Home Assistant needs to be in the isolated subnet, so is it possible to configure the discovery component to listen only on the two interfaces listed above?

Am I making any sense?

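A small check added here (it is not part of the post, and not Home Assistant or pfSense code): it replays the poster's xtables-save ruleset against an outbound mDNS packet on each interface, assuming eth0 and eth1 carry the two 172.20.x.0/24 networks and eth2 the isolated 172.21.0.0/27 subnet. It shows which interfaces the container's own OUTPUT chain already stops mDNS on, which helps narrow down where the 5353 traffic pfSense logs is actually leaving.

```python
# The poster's ruleset, embedded verbatim so the check runs offline.
RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i eth2 -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o eth2 -p tcp -m tcp --dport 25 -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
-A OUTPUT -o eth0 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
"""

def parse_ruleset(text):
    """Return (policies, rules): chain -> default policy, plus a list of
    (chain, match-dict, target) in file order. Only -i/-o/-p/--dport are
    understood, which covers every rule in this ruleset."""
    policies, rules = {}, []
    for line in text.splitlines():
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            toks = line.split()
            chain, match, target = toks[1], {}, None
            for key, val in zip(toks, toks[1:]):
                if key in ("-i", "-o", "-p", "--dport"):
                    match[key] = val
                elif key == "-j":
                    target = val
            rules.append((chain, match, target))
    return policies, rules

def verdict(chain, pkt, policies, rules):
    """First matching rule wins; otherwise the chain's policy applies.
    pkt keys mirror the iptables options: -i, -o, -p, --dport."""
    for rchain, match, target in rules:
        if rchain == chain and all(pkt.get(k) == v for k, v in match.items()):
            return target
    return policies[chain]

POLICIES, RULES = parse_ruleset(RULESET)

def mdns_out_verdict(iface):
    # mDNS is UDP to 224.0.0.251 port 5353; no rule here matches on the
    # destination address, so interface, protocol and port decide.
    pkt = {"-o": iface, "-p": "udp", "--dport": "5353"}
    return verdict("OUTPUT", pkt, POLICIES, RULES)

if __name__ == "__main__":
    for iface in ("eth0", "eth1", "eth2"):
        print(iface, mdns_out_verdict(iface))  # eth0/eth1 ACCEPT, eth2 DROP
```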