Mac – Share Time Machine disk to WAN through the Asus router


My Asus Router (Blue Cave) has the ability to let its disk act as a Time Machine capsule. For computers on its LAN, that works just fine. You can see the disk advertised (via Bonjour?) in the sidebar of Finder, select it via Time Machine, and back up.

Upstream from the Asus router and its LAN is another Mac, which provides them internet. The WAN IP for the router is and its parent Mac has the IP On parent mac, I mount afp://router.wan.ip, but can't just mount it without hassle from the Bonjour advertisement.

I'm having a lot of trouble backing up to the disk from both simultaneously. It's as if mounting on the one "steals" the disk from the other. They end up telling me they want to do a new backup and they don't have access to delete their .sparsebundle.purgeable and I should probably run first aid on the disk.

Per @klanomath's request, the network architecture is as follows:

modem to internet (internet IP space)
wired router (
mac mini (  sharing internet via pf static NAT
network adapter (en4) (
asus w/ network disk (, serving  
macbook (

Best Answer

It would be really nice to properly forward Bonjour or whatever is allowing it to be visible in the Finder sidebar (have already tried forwarding 1900,5300,5351,5353 to

This is not how Bonjour/Zeroconf was intended to function.

Bonjour only works within a single broadcast domain, which is usually a small area, without special DNS configuration. macOS, Bonjour for Windows and AirPort Base Stations may be configured to use Wide Area Bonjour which allows for wide area service discovery via an appropriately configured DNS server.

Emphasis mine.

Bonjour is a broadcast protocol meaning while on the subnet, it will broadcast out a message to see who responds. The key here is that it doesn't know the IP addresses of any machine (service) until it responds back. That's how Finder puts it in the sidebar as you describe.

You can't just enable Bonjour on the WAN or the Internet for that matter. MIT's IT knowledgebase sums it up:

"While ZEROCONF and Bonjour work well on home or small business networks, they are not compatible with large enterprise networks which can frequently have thousands of devices in the same wireless address space. ZEROCONF relies on multicast traffic to discover devices on the network, which exhibits crippling performance and load issues on large enterprise network implementations. Even if it were enabled on the network, results would be slow to return and potentially return lists of hundreds of devices to choose from, which can be unmanageable on devices such as iPhones or iPads."

Just for the sake of argument... if you were able to send out your broadcast packets over the Internet (via WAN), your ISP would most certainly block it because of the massive amount of traffic you would be generating.

Bonjour is basically DNS

It not about port forwarding "Bonjour." It's much more than that. Currently, you don't "port forward" DNS ports. Bonjour is a "DNS method".

You don't port forward DNS from your ISP to your computers so you can look up a domain. Your router either assigns the DNS servers during DHCP so you can query hosts/domains directly or acts as a relay to forward them to the actual DNS servers.

What does this mean?

(Remember the emphasized text at the beginning of this answer?) Technically speaking, you can get Bonjour to search another domain by adding that domain record into DNS (you're telling Bonjour to go search somewhere else). However, it requires the following:

If this is something you're willing to do, then start with learning BIND.

Connecting to Time Machine Shares

To connect to an internal AFP share so you can "Time Machine" across the network, you need to open those ports. See: What ports need to be open for netatalk to work as a Time Machine server on my LAN?

In my cursory reading of the Asus router manual, (IMO) it's not capable of this level port forwarding.

Personally, I would set up a VPN between to the two networks, routing all traffic through the VPN thus making it my subnet. Bonjour traffic will traverse the VPN "autodiscovering" everything. AFP will be immediately accessible as all traffic traverses the VPN without impediment of the firewall; meaning no port forwarding.

Bottom Line

This is not an effective nor productive solution. Time Machine was designed to work on the local network. Backups to a network connected Time Capsule over Gigabit can take hours. Significantly longer over WiFi. Connecting over the Internet at speeds that sometimes don't even reach 1/10 of that speed would take an eternity.

To get Bonjour service discovery setup to connect an AFP share to share a Time Capsule will require a ton of expended effort for hardly any results, if at all.