Propagate Bonjour services over multiple networks

Bonjour is a technology that announces services on the network. For example, my printer announces its capabilities:
Another example is web sites on the local network that announce their web pages:
And last but not least, my Mac Mini, which offers Screen Sharing via Bonjour.
If you want full insight into all announced services, take a look at iNet, which offers a nice browser for all services: 


Apple Airport Extreme Guest mode with a non-Apple (pfSense) router

I have three Airport Extreme base stations (4th and 5th generation) running, one on each of the three levels of my house. One or two are not sufficient, because the construction of the house is not very friendly to Wifi signals. In the Airport Configuration Utility the overview looks like this:
As you can see, I have multiple Apple Airport Express devices spread over my house. All three Airport Extremes are configured the same, except for different names and IP addresses. They are connected via my Gigabit Ethernet backbone. They offer a wireless network called "AirPort" with the same password, so all devices automatically roam between the base stations. My router is an Alix 2d13 board in a 19" case from Varia (with a second Alix board) running pfSense.

The Airport Extreme offers the possibility to activate a secondary Wifi as a guest network.
This feature provides a second Wifi network with its own name and password.

The traffic is routed strictly to the internet, so guests get fast internet access without any possibility of infiltrating your network. So far, so good. The documentation states that this feature only works if the Airport Extreme is either the router or there is another Airport Extreme in the same network. Neither is the case in my configuration. I still turned on the guest network, and the behavior was: nothing happens, no DHCP, no routing, nothing. Not surprising, because the DHCP service runs on pfSense, where I had never configured anything for a guest network.

The question is: Can I use this feature in my environment? The answer is: Yes! And here is how.

The real question is: how do the Airport Extremes share a single Ethernet cable for the main and the guest network? The solution is simple: VLAN tagging. Whereas the main Wifi uses untagged packets, the guest network uses VLAN tag 1003. Not all routers are able to do VLAN tagging; this is one reason I use pfSense, because it surely can do this and much, much more. In the main menu go to Interfaces, select (assign) and then VLAN.
You will probably see no interfaces; click on + to add one.
Choose the Ethernet interface for your normal LAN and Wifi (in my case this interface is called vr0) and give it a descriptive name. Now click on Interface assignments and click + to add a new interface. It is called OPTx by default; I changed the name to GST (for guest). Now there is one more interface in the main list:
Configure this interface:
In my case I use 10.10.0/24 for LAN and 10.10.1/24 for GST. Now we have
  • LAN on the Ethernet with untagged IP packets
  • GST on the same Ethernet with IP packets tagged with 1003
The two interfaces share the same Ethernet, but can and will be configured separately. First we need a DHCP server. This is the existing DHCP server for LAN:
and now additionally for GST:
Clients connecting to the guest Wifi should get a DHCP address in the range to and appear in the lease list, visible under Status and DHCP Leases. 
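As an added example (not code from the original post), here is a small Python model of what the shared cable carries: an 802.1Q frame parser that assigns untagged frames to LAN and frames tagged 1003 to GST, drops any other tag, and checks that the IPv4 source address actually belongs to that interface's subnet (the 10.10.0/24 and 10.10.1/24 networks from above, written out in full). The MAC addresses and frame bytes are constructed for the example.

```python
import ipaddress
import struct

ETHERTYPE_8021Q = 0x8100   # an 802.1Q tag follows the source MAC
ETHERTYPE_IPV4 = 0x0800
GUEST_VLAN = 1003          # the tag the Airport Extreme uses for the guest network

# Logical pfSense interfaces on the shared cable: untagged -> LAN, tag 1003 -> GST.
INTERFACES = {
    None: ("LAN", ipaddress.ip_network("10.10.0.0/24")),
    GUEST_VLAN: ("GST", ipaddress.ip_network("10.10.1.0/24")),
}

# Constructed MAC addresses (locally administered, so they collide with nothing real).
MAC_ROUTER = bytes.fromhex("020000000001")
MAC_CLIENT = bytes.fromhex("020000000002")


def parse_frame(frame: bytes):
    """Return (vlan_id or None, ethertype, payload) for an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan_id, offset = None, 14
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        # TCI = 3 bits priority, 1 bit DEI, 12 bits VLAN ID; the real ethertype follows it.
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, offset = tci & 0x0FFF, 18
    return vlan_id, ethertype, frame[offset:]


def build_frame(dst_mac: bytes, src_mac: bytes, payload: bytes, vlan_id=None) -> bytes:
    """Build an Ethernet II frame, inserting an 802.1Q tag when vlan_id is given."""
    header = dst_mac + src_mac
    if vlan_id is None:
        header += struct.pack("!H", ETHERTYPE_IPV4)
    else:
        header += struct.pack("!HHH", ETHERTYPE_8021Q, vlan_id & 0x0FFF, ETHERTYPE_IPV4)
    return header + payload


def ipv4_payload(src_ip: str, dst_ip: str) -> bytes:
    """Minimal 20-byte IPv4 header (constructed: checksum left at zero, protocol UDP, TTL 64)."""
    fixed = bytes([0x45, 0, 0, 20, 0, 0, 0, 0, 64, 17, 0, 0])
    return fixed + ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed


def ipv4_source(payload: bytes) -> ipaddress.IPv4Address:
    """The source address sits at bytes 12..16 of the IPv4 header."""
    if len(payload) < 20 or payload[0] >> 4 != 4:
        raise ValueError("payload is not an IPv4 header")
    return ipaddress.IPv4Address(payload[12:16])


def classify(frame: bytes):
    """Map a frame to ("LAN"|"GST"|"DROP", reason), the reason being suitable for a log line."""
    vlan_id, ethertype, payload = parse_frame(frame)
    if vlan_id not in INTERFACES:
        return "DROP", f"unexpected VLAN tag {vlan_id}"
    name, network = INTERFACES[vlan_id]
    if ethertype != ETHERTYPE_IPV4:
        return name, f"non-IPv4 ethertype 0x{ethertype:04x}"
    src = ipv4_source(payload)
    if src not in network:
        # A guest-tagged frame carrying a LAN source address (or vice versa) is spoofed or misconfigured.
        return "DROP", f"source {src} does not belong to {network} on {name}"
    return name, f"source {src}"


if __name__ == "__main__":
    samples = {
        "untagged LAN client": build_frame(MAC_ROUTER, MAC_CLIENT, ipv4_payload("10.10.0.20", "203.0.113.10")),
        "guest client, tag 1003": build_frame(MAC_ROUTER, MAC_CLIENT, ipv4_payload("10.10.1.20", "203.0.113.10"), vlan_id=GUEST_VLAN),
        "guest tag, LAN address": build_frame(MAC_ROUTER, MAC_CLIENT, ipv4_payload("10.10.0.20", "203.0.113.10"), vlan_id=GUEST_VLAN),
        "unknown tag 5": build_frame(MAC_ROUTER, MAC_CLIENT, ipv4_payload("10.10.1.20", "203.0.113.10"), vlan_id=5),
    }
    for label, frame in samples.items():
        print(f"{label:24s} -> {classify(frame)}")
```

The source-address check is the part worth keeping in mind when the two networks share one cable: the tag decides which logical interface a frame belongs to, but nothing in 802.1Q stops a host from putting a LAN address inside a guest-tagged frame, so the filter on the router is what keeps the separation meaningful.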
Add a rule that allows access to the internet:
The second rule routes all traffic to external destinations via the interface GW_WAN, which is the Internet connection. With this rule active, all clients in the guest Wifi should be able to fully access the internet. In the traffic graph you can see the activity on all networks:
The first rule actually allows access to my internal network. In order for this to work fully, we need a counter rule on the LAN interface:
It is up to you whether you want to allow your guests access to your internal infrastructure. You can still allow this, but add more rules to forbid access to a specific device. You always have the advantage that your guests do not have to know your primary Wifi password. I hope this blog post helps you set up a similar environment. Feel free to add a comment or a question.
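As an added example (not pfSense code and not the author's configuration), the following Python models the rule lists from this section as first-match evaluation, which is how pfSense walks an interface's rules from top to bottom. It assumes that a pass rule with the GW_WAN gateway policy-routes the packet onto the Internet link, so it never reaches an internal subnet; the guest client and printer addresses are constructed. It shows the two GST rules above, the isolated variant without the first rule, and why a block rule for a single device has to sit above the pass rule that would otherwise let the traffic through.

```python
import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("10.10.0.0/24")        # the post's 10.10.0/24
GST = ipaddress.ip_network("10.10.1.0/24")        # the post's 10.10.1/24
ANY = ipaddress.ip_network("0.0.0.0/0")
GUEST_CLIENT = "10.10.1.20"                       # constructed guest address
PRINTER = ipaddress.ip_network("10.10.0.50/32")   # constructed: a device to keep guests away from


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    gateway: str = "default"      # "GW_WAN" policy-routes the packet straight to the Internet link


def evaluate(rules, src_ip: str, dst_ip: str):
    """First matching rule wins, as in the pfSense rule list; no match is the implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule.src and dst in rule.dst:
            return rule.action, rule.gateway
    return "block", None


def guest_can_reach(rules, dst_ip: str) -> bool:
    """A packet is delivered only if it is passed; a GW_WAN rule hands it to the Internet link
    (assumption of this model), so internal subnets stay out of reach unless an earlier rule
    with the default gateway matches."""
    action, gateway = evaluate(rules, GUEST_CLIENT, dst_ip)
    if action != "pass":
        return False
    if gateway == "GW_WAN":
        dst = ipaddress.ip_address(dst_ip)
        return dst not in LAN and dst not in GST
    return True


# GST interface rules in the order of the post: rule 1 opens the LAN, rule 2 sends the rest to GW_WAN.
GST_OPEN = [
    Rule("pass", GST, LAN),
    Rule("pass", GST, ANY, gateway="GW_WAN"),
]
# Rule 1 left out: guests get the Internet and nothing else.
GST_ISOLATED = [Rule("pass", GST, ANY, gateway="GW_WAN")]
# "Add more rules to forbid access to a specific device": the block must sit above the pass rule...
GST_BLOCK_PRINTER = [Rule("block", GST, PRINTER)] + GST_OPEN
# ...because a block placed below the pass rule never gets a chance to match.
GST_BLOCK_PRINTER_WRONG_ORDER = GST_OPEN + [Rule("block", GST, PRINTER)]


if __name__ == "__main__":
    for name, rules in [("open", GST_OPEN), ("isolated", GST_ISOLATED),
                        ("block printer", GST_BLOCK_PRINTER),
                        ("block printer, wrong order", GST_BLOCK_PRINTER_WRONG_ORDER)]:
        for dst in ("203.0.113.10", "10.10.0.10", "10.10.0.50"):
            print(f"{name:28s} guest -> {dst:14s} {'reachable' if guest_can_reach(rules, dst) else 'blocked'}")
```

The last rule set is the mistake that is easy to make in the GUI: the block rule is present, but since the pass-to-LAN rule above it already matched, the printer stays reachable from the guest network. Checking the resulting policy with a few concrete source and destination pairs, as the script does, is a cheaper test than discovering it from the lease list later.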