20190528 - update
as of the latest stable release (4.0.42.10433) the steps described here are no longer applicable. further, the desired behavior does appear to be supported out of the box.
this information should be considered historical in nature.
overview
by default the Ubiquiti APs have a number of rules in place that prevent airprint and bonjour operation from working together nicely. the following is necessary to enable guest network clients to reach airprint and similar resources that live on segments other than the guest network. one would think that it would be sufficient to simply enable the necessary firewall rules, add a bonjour reflector and have it work. alas, it’s a little more involved than that.
configuration
external configuration steps
- create the necessary (real) firewall rules to enable reachability to the internal resources as necessary. make this as granular as necessary.
- you will need to be running a bonjour reflector (e.g. avahi) in some form to enable the guest network clients to learn about the resources which are on the infra networks.
- add the infra network to the pre-approved list of networks: from within the unifi interface under “Guest Control”, add the networks/IP addresses of the resources/printers you want the guest segment to have access to. this should also include things like specific DNS servers for resolving local resources, etc. local resource networks should be included here as well.
add custom ebtables entries for port 5353 traffic
on the server running unifi, under the [unifi_base]/data/sites/[site_name] directory, create a file named config.properties. the following entries are required in this file and are used by ebtables to allow port 5353 (mDNS) traffic across the access points. create a text file containing the following lines:
config.system_cfg.1=ebtables.3.cmd=-t nat -A GUESTIN -p 0x800 --ip-proto 17 --ip-dport 5353 -j ACCEPT
config.system_cfg.2=ebtables.3.cmd=-t nat -A GUESTOUT -p 0x800 --ip-proto 17 --ip-dport 5353 -j ACCEPT
delete multicast DROP statements in the access point configurations
- this requires that you ssh to each access point (use the unifi admin credentials created on setup).
- edit the /tmp/system.cfg file and delete the following two lines (?? stands for whatever rule number appears in your file):
ebtables.??.cmd=-t nat -A GUESTIN -p 0x800 --ip-dst 224.0.0.0/4 -j DROP
ebtables.??.cmd=-t nat -A GUESTOUT -p 0x800 --ip-dst 224.0.0.0/4 -j DROP
- run the syswrapper.sh apply-config command. the access point will restart and bonjour mcast discovery traffic will flow. note, this is traffic impacting; don’t do this if you have users who will be impacted.
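the edit above is easy to get wrong by hand (the rule number differs from AP to AP, and a typo in the wrong line leaves the guest firewall in an unknown state), so here is a small POSIX sh script, added as an example and not part of the original post or of ubiquiti's tooling, that removes exactly the two multicast DROP rules and verifies the result before anything is applied. it matches on the rule body rather than the ebtables.?? index, so it does not care what number the AP assigned, and it leaves every other rule untouched. the sample system.cfg it builds is constructed for the demonstration (the 10.0.0.0/8 line is a made-up distractor to show the match is specific); the script assumes the BusyBox sh, grep and sed present on the AP, and only calls syswrapper.sh when given a file path to edit.

```shell
#!/bin/sh
# Added example (not from the original post): remove the GUESTIN/GUESTOUT
# multicast DROP rules from a UniFi AP's /tmp/system.cfg, verify, then apply.
# Assumes BusyBox sh/grep on the AP; the ebtables.NN index varies per AP,
# so rules are matched on their body, never on the number.

# Pattern for the two rules the post says to delete (rule number is a wildcard).
MCAST_DROP_RE='^ebtables\.[0-9]+\.cmd=-t nat -A GUEST(IN|OUT) -p 0x800 --ip-dst 224\.0\.0\.0/4 -j DROP$'

# Print how many multicast DROP rules the given config file still carries.
count_multicast_drop() {
  grep -c -E "$MCAST_DROP_RE" "$1" 2>/dev/null || true
}

# Strip the multicast DROP rules from the file given as $1, copying every
# other line unchanged. Returns 0 when the file is clean afterwards, 1 otherwise.
strip_multicast_drop() {
  cfg="$1"
  tmp="${cfg}.tmp.$$"
  grep -v -E "$MCAST_DROP_RE" "$cfg" > "$tmp" || true   # grep -v exits 1 if nothing is left
  mv "$tmp" "$cfg"
  [ "$(count_multicast_drop "$cfg")" = "0" ]
}

# Write a constructed sample system.cfg (NOT a real AP dump) to the path in $1.
# Lines 1-2 are the 5353 ACCEPT rules pushed by config.properties, lines 3-4 are
# the multicast DROP rules to remove, line 5 is a made-up distractor that must survive.
make_sample_cfg() {
  cat > "$1" <<'EOF'
ebtables.1.cmd=-t nat -A GUESTIN -p 0x800 --ip-proto 17 --ip-dport 5353 -j ACCEPT
ebtables.2.cmd=-t nat -A GUESTOUT -p 0x800 --ip-proto 17 --ip-dport 5353 -j ACCEPT
ebtables.7.cmd=-t nat -A GUESTIN -p 0x800 --ip-dst 224.0.0.0/4 -j DROP
ebtables.8.cmd=-t nat -A GUESTOUT -p 0x800 --ip-dst 224.0.0.0/4 -j DROP
ebtables.9.cmd=-t nat -A GUESTIN -p 0x800 --ip-dst 10.0.0.0/8 -j DROP
EOF
}

# On the AP itself: sh strip-mcast-drop.sh /tmp/system.cfg
# Only applies the config (which restarts the AP) when the strip succeeded.
if [ -n "${1:-}" ]; then
  cp "$1" "$1.bak"                      # keep a copy in case the edit has to be reverted
  strip_multicast_drop "$1" && syswrapper.sh apply-config
fi
```

running it with no argument does nothing, which is what lets the functions be sourced and checked on a workstation first; the backup copy lives in /tmp alongside the config and disappears with the AP's next reboot, so take it off the box if you want a record of the original rules.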
operational notes
when an access point is upgraded the multicast DROP statements will reappear and bonjour traffic will again be blocked. you will need to re-remove the multicast DROP statements listed above to enable bonjour service to operate. yes, this means logging in again and editing the /tmp/system.cfg file as noted above.
ansible-playbook
just to make things easier i created an ansible playbook to automate the update process on the access points. after you do an AP software upgrade you can quickly remove the aforementioned ebtables entries with this playbook.
% ansible-playbook -k ubiquiti-bonjour.yml
you’ll need to provide the password you use for logging into the unifi controller on your network. this assumes that the username is the same as the host you’re on. the configuration and modification of this for your environment is left as an exercise for the reader.