mDNS Relay behavior between segments (Wi-Fi Home ↔ IoT) and firewall rules

[2mmanu]

Hello everyone,

I’m testing a configuration with two Wi-Fi segments on my Keenetic Hero:

• Home (192.168.2.0/24)

• IoT (192.168.3.0/24)

Goal:

1. HomeKit devices connected to IoT should announce themselves via mDNS and be discoverable from Home.

2. No reverse opening: Home should not announce itself to IoT, and devices in IoT should not initiate communication toward Home.

Current setup:

• Relay multicast DNS enabled on both segments (Home and IoT).

• Firewall Home → IoT: ALLOW on “Any IP protocol”.

Problem:
Even with this configuration, devices in IoT are still not discovered from Home via dns-sd -B _hap._tcp.

Questions:

• Does the IoT segment need an explicit firewall rule to allow UDP to 224.0.0.251:5353 for the relay to pick up and forward mDNS packets?

• Does Keenetic’s mDNS Relay act as a true proxy between segments, or is there additional configuration required?

• Is it possible to limit the relay to one-way (IoT → Home) to avoid reverse discovery?

Any advice or insights from the community or Keenetic team would be greatly appreciated.

Thanks in advance!

[LazDev]

Hi,

I’m in the same situation with separate Home and IoT segments. Multicast relay is enabled, firewall rules are in place, but discovery from Home still doesn’t work. Did you manage to get it working on your side?