Apple TV with VLC mDNS and a pfSense firewall

[eshwayri]

I run a multi-vlan home with traffic routing through a pfSense firewall. I get no unexpected entries in the pfSense log when the AppleTV is running. When I open the VLC app I immediately see some interesting connection attempts that I am curious about. I am not concerned about this being a trojan/hack attempt; just trying to understand what it is attempting to accomplish. These messages come before I even attempt to connect to/configure a connection, so I suspect its probably searching for resources. The connections observed:

TCP/443 to the FreeNAS servers which have SMB/CIFS/NFS shares, although as I said none are configured in VLC yet.
TCP/80 to one of the Active Directory (and DNS) servers, but interestingly not to the other AD servers. DFS?
TCP/8080 to the Ubiquiti Unfi Network Controller
TCP/80 to my Brother laser printer

I would bet it's also connecting to a bunch of other thing on its own VLAN, which is dedicated to media streaming resources; however, those don't pass through the firewall.

I suspect it is walking the AVAHI/mDNS records. Out of curiosity, what is it expecting to find on TCP ports 443, 80, and 8080 for each of those devices?

[eshwayri]

Yes, I confirmed this data is coming from the mDNS records. What I don't understand is why VLC would be interested in things like printers, let alone enough to try and connect to them. I won't post the entire dump, but the records look like this:

= ens192 IPv4 UniFi Network application (unifi_cedar-republic_com) Web Site local
hostname = [unifi-cedar-republic-com.local]
address = [192.168.221.4]
port = [8080]
txt = ["name=unifi.cedar-republic.com" "path=/"]

= ens192 IPv4 Brother MFC-8860DN Internet Printer local
hostname = [prn-8860dn.local]
address = [192.168.230.43]
port = [631]
txt = ["TBCP=F" "Transparent=T" "Binary=T" "PaperCustom=T" "Duplex=F" "Copies=T" "Color=F" "usb_MDL=MFC-8860DN" "usb_MFG=Brother" "priority=50" "adminurl=http://prn-8860dn.local./" "product=(Brother MFC-8860DN)" "ty=Brother MFC-8860DN" "rp=duerqxesz5090" "pdl=application/vnd.hp-PCL" "qtotal=1" "txtvers=1"]

= ens192 IPv4 maragor Secure Web Site local
hostname = [maragor.local]
address = [192.168.230.137]
port = [443]
txt = []

Isn't there some logic that limits what it is looking for in the mDNS records?

[fkuehne]

We are looking for SMB/CIFS/NFS shares using NETBIOS. Additionally, there is a Bonjour discovery of SMB, FTP, SFTP and NFS shares. Further, there is UPnP discovery of multimedia servers. Finally, we search for port 80 http servers via Bonjour to discover other VLC instances as that have WiFi Sharing of locally stored content enabled. That's why we connect to your printer to find-out that it doesn't offer any content to play.