AirPlay to a different VLAN?

Hi, all my TVs and media devices are in a VLAN separate from my iPhone(s). Besides AirPlay I have Sonos and Chromecast. Both VLANs have access to the internet, but my mgmt VLAN can also access my media/infra VLAN.

I’ve googled some and it looks like mDNS and perhaps a service on my router can be a solution to this. But some say it’s all about firewall rules.

What do you recommend? Thanks!

For discovery between separate networks for the Chromecast you need mDNS and for mediaplayers e.g. smcroute

Thanks, does apple tv fall under mediaplayers → smcroute? :slight_smile:

Yes, can configure avahi to do this… might be other options.

I’ve basically followed this guide; https://blog.christophersmart.com/2020/03/30/resolving-mdns-across-vlans-with-avahi-on-openwrt/

So it works fine for my AppleTv - great stuff!

Now my Samsung TVs with AirPlay don’t work.

I don’t have any strict firewall rules for testing. Avahi is running for all interfaces. My iPhone can see AirPlay devices and connects, but after 5 seconds says ‘can’t connect to “samsung the frame”’, same with another Samsung TV.

What do you think?

avahi:

[server]
#host-name=foo
#domain-name=local
use-ipv4=yes
use-ipv6=yes
check-response-ttl=no
use-iff-running=no

[publish]
publish-addresses=yes
publish-hinfo=yes
publish-workstation=no
publish-domain=yes
#publish-dns-servers=192.168.1.1
#publish-resolv-conf-dns-servers=yes

[reflector]
enable-reflector=yes
reflect-ipv=no

[rlimits]
#rlimit-as=
rlimit-core=0
rlimit-data=4194304
rlimit-fsize=0
rlimit-nofile=30
rlimit-stack=4194304
rlimit-nproc=3

Firewall:

firewall.@rule[19]=rule
firewall.@rule[19].src='*'
firewall.@rule[19].name='mDNS avahi'
firewall.@rule[19].proto='udp'
firewall.@rule[19].src_port='5353'
firewall.@rule[19].dest_ip='224.0.0.251'
firewall.@rule[19].dest_port='5353'
firewall.@rule[19].target='ACCEPT'

I didn’t initially test if AppleTV was working so I will try to disable avahi and fw rules for mDNS and test again.

Hmm, it’s working fine on my AppleTV to AirPlay without avahi running and with firewall rules disabled. It doesn’t behave like my Samsung TVs. Strange but maybe not.

And after some le chat and chatgpt it seems like the samsung tv doesn’t respond to my iphone trying to airplay at all. Whenever I switch to the same vlan/wifi as the samsung tv airplay works fine.

Both machines tell me that this is a tizenOS (Samsung) implementation and nothing wrong with openwrt/routing/firewall.

Your samsung tv might be using DLNA/SSDP, to make that work between subnets you need e.g. smcroute


  GNU nano 8.7                                   /etc/smcroute.conf
#       such capabilities.  Usually MAC multicast filters exist.
#
#       Some switch manufacturers support mrdisc, RFC4286, which
#       SMCRoute can use to advertise itself on source interfaces.
#       If availble, use that instead of mgroup.
#
# Similarly supported is setting mroutes.  Removing mroutes is not
# supported, remove/comment out the mroute from the .conf file, or
# send a remove command with smcroutectl.
#
# Syntax:
#   phyint IFNAME <enable|disable> [mrdisc] [ttl-threshold <1-255>]
#   mgroup from IIF [source ADDR[/LEN]] group GROUP[/LEN]
#   mroute from IIF [source ADDR[/LEN]] group GROUP[/LEN] to OIF [OIF ...]
#   include /path/to/*.conf

# This example assumes smcrouted was started with the `-N` flag.
# Only enable interfaces required for inbound and outbound traffic.
phyint eth0 enable ttl-threshold 11
phyint eth1 enable ttl-threshold 3
phyint eth2 enable ttl-threshold 5
phyint virbr0 enable ttl-threshold 5

# Instruct the kernel to join the multicast group 225.1.2.3 on interface
# eth0.  Then add an mroute of the same multicast stream, from the host
# 192.168.1.42 on interface eth0 and forward to eth1 and eth2.
mgroup from eth0                     group 225.1.2.3
mroute from eth0 source 192.168.1.42 group 225.1.2.3 to eth1 eth2

# Similar example, but using source-specific group join
mgroup from virbr0 source 192.168.123.110 group 225.1.2.4
mroute from virbr0 source 192.168.123.110 group 225.1.2.4 to eth0

# Allow multicast for group 225.3.2.1, from ANY source, ingressing on
# interface eth0 to be forwarded to eth1 and eth2.  When the kernel
# receives a frame from unknown multicast sender, it asks smcrouted who
# use this "template" to match against, if the ingressing interface and
# group matches, smcrouted installs an (S,G) route in the kernel MFC.
mgroup from eth0 group 225.3.2.1
mroute from eth0 group 225.3.2.1 to eth1 eth2

# The previous is an example of the (*,G) support.  It is also possible
# to specify a range of such rules.
mgroup from eth0 group 225.0.0.0/24
mroute from eth0 group 225.0.0.0/24 to eth1 eth2

# Include any snippet in /etc/smcroute.d/, but please remember that
# all phyint statements must be read first.
include /etc/smcroute.d/*.conf
# AirPlay: Route mDNS/SSDP multicast traffic between br-lan and br-infra
phyint br-lan enable
phyint br-infra enable

# Join multicast groups for mDNS/SSDP
mgroup from br-lan group 224.0.0.0/4
mgroup from br-infra group 224.0.0.0/4

# Route mDNS/SSDP traffic between VLANs
mroute from br-lan group 224.0.0.0/4 to br-infra
mroute from br-infra group 224.0.0.0/4 to br-lan

I’m not 100% sure about the interface names, since I got some help from le chat.

But interface name is infra (br-lan.10) and lan (br-lan.3)


Does this smcroute conf look correct?

I’ve tried to get help from chatgpt and le chat but so far all they say is that

phyint br-lan enable
phyint br-lan.10 enable


mgroup from br-lan group 224.0.0.0/4
mgroup from br-lan.10 group 224.0.0.0/4

# Route mDNS/SSDP
mroute from br-lan group 224.0.0.0/4 to br-lan.10
mroute from br-lan.10 group 224.0.0.0/4 to br-lan

ip -br link

eth0             UP             
lan4@eth0        UP             
lan3@eth0        UP             
lan2@eth0        UP             
lan1@eth0        UP             
wan@eth0         UP             
     
br-lan           UP             
br-lan.4@br-lan  UP             
br-lan.5@br-lan  UP             
br-lan.6@br-lan  UP             
br-lan.10@br-lan UP             
br-lan.3@br-lan  UP             

I’ve enabled igmp snooping for bridge device infra and lan:

network.@device[5]=device
network.@device[5].type='bridge'
network.@device[5].name='br-infra'
network.@device[5].ports='br-lan.10'
network.@device[5].igmp_snooping='1'

network.@device[0]=device
network.@device[0].name='br-lan'
network.@device[0].type='bridge'
network.@device[0].ports='lan1' 'lan2' 'lan3' 'lan4'
network.@device[0].igmp_snooping='1'

smcroute fails after a short while:


Thu Feb 26 10:27:49 2026 daemon.err smcrouted[27366]: smcroute[27366]: Failed joining (*,224.0.0.0) on br-lan: No file descriptors available
Thu Feb 26 10:27:49 2026 daemon.err smcrouted[27366]: smcroute[27366]: Failed creating mc socket: No file descriptors available

nmap from pc on 192.168.0.0 network (lan)

nmap -Pn -p 7000 10.0.0.152
Starting Nmap 7.70 ( https://nmap.org ) at 2026-02-26 10:40 Vest-Europa (normaltid)
Nmap scan report for Samsung.lan (10.0.0.152)
Host is up.

PORT     STATE    SERVICE
7000/tcp filtered afs3-fileserver

Nmap done: 1 IP address (1 host up) scanned in 2.27 seconds

I am not an expert, but this is what I use for another router but of course the devices are different and it uses iptables instead of nftables:

Config file /etc/smcroute.conf

Help: smcroute -h

https://man.troglobit.com/man5/smcroute.conf.5.html

phyint br0 enable
phyint br1 enable
phyint vlan2 enable

mgroup from br0 group 239.255.255.250 
mroute from br0 group 239.255.255.250 to br1 vlan2 

mgroup from br1 group 239.255.255.250 
mroute from br1 group 239.255.255.250 to br0 vlan2

mgroup from vlan2 group 239.255.255.250 
mroute from vlan2 group 239.255.255.250 to br0 br1

iptables -t mangle -A PREROUTING -i br1 -d 239.255.255.250 -j TTL --ttl-inc 2
iptables -t mangle -A PREROUTING -i br0 -d 239.255.255.250 -j TTL --ttl-inc 5
iptables -t mangle -A PREROUTING -i $(get_wanface) -d 239.255.255.250 -j TTL --ttl-inc 5
iptables -I FORWARD -d 239.255.255.250 -j ACCEPT

Enable multicast on interfaces:
ip link set br0 multicast on
It looks like multicast is always enabled even if it is set to off in the GUI

Looks like multicast is enabled on all, yes. ip -br link all says multicast. Tried to use igmp to have less noise on my network but also hopefully to get smcroute to work. But strangely smcroute fails with the errors posted above.

Not sure what else to do here. :slight_smile:

edit: I edited smcroute so it matches yours now. Not sure what fw rules are needed but I’ve got a few for AirPlay already between lan and infra VLANs.

edit 2: just realized that those multicast addresses are not for AirPlay. So yeah, I’m back to the following. Not sure I will be able to fix this issue at this point.


phyint br-lan enable
phyint br-lan.10 enable

mgroup from br-lan group 224.0.0.251
mgroup from br-lan.10 group 224.0.0.251

mroute from br-lan group 224.0.0.251 to br-lan.10
mroute from br-lan.10 group 224.0.0.251 to br-lan

The firewall rules are twofold. First, traffic must be allowed; that is what the forward rule is for.
Second, the TTL must be increased, as the TTL is normally 1, so it will not survive routing, which decreases the TTL by 1.

As said I am not an expert :frowning:

No worries, thanks for your help anyway! :slight_smile:

Hi again, follow up since I couldn’t let this rest.

I’ve made it work with the help of gemini and avahi daemon.

avahi config:

[server]
#host-name=foo
#domain-name=local
use-ipv4=yes
use-ipv6=no
check-response-ttl=no
use-iff-running=no
allow-interfaces=br-lan.3,br-lan.10 

[publish]
publish-addresses=yes
publish-hinfo=yes
publish-workstation=no
publish-domain=yes
#publish-dns-servers=192.168.1.1
#publish-resolv-conf-dns-servers=yes

[reflector]
enable-reflector=yes
reflect-ipv=no

[rlimits]
#rlimit-as=
rlimit-core=0
rlimit-data=4194304
rlimit-fsize=0
rlimit-nofile=30
rlimit-stack=4194304
rlimit-nproc=3

Firewall rules:

config rule
        option src 'infra'
        option dest 'lan'
        option name 'airplay samsung INFRA to LAN'
        option dest_port '80 443 554 5000-5001 5353 7000 7100 8008-8009 49152-65535'
        option target 'ACCEPT'

config rule
        option src 'lan'
        option dest 'infra'
        option name 'airplay samsung tv LAN to INFRA'
        option dest_port '80 443 554 5000-5001 5353 7000 7100 8008-8009 49152-65535'
        option target 'ACCEPT'

config rule
        option src 'lan'
        option name 'Allow mutlicastDNS from LAN'
        list proto 'udp'
        option dest_port '5353'
        option target 'ACCEPT'

config rule
        option src 'infra'
        option name 'Allow mutlicastDNS from INFRA'
        list proto 'udp'
        option dest_port '5353'
        option target 'ACCEPT'

Useful to check with tcpdump -i any host my_iphone_ip and host samsung_tv to see what happens live.

Didn’t need smcroute for this, even though I’m sure it could be used somehow if you want a static multicast route?

Thanks for helping :slight_smile: Hopefully this can help someone in the future.

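The two zone-to-zone rules in the final post set no `proto` and no address match, so each one opens its full port list between the whole lan and infra zones. The following is an added example, not code from the thread or from OpenWrt: it parses UCI `config rule` stanzas and flags such rules. The second stanza is a hypothetical tightened rule that reuses the TV address 10.0.0.152 from the nmap output with an illustrative port subset (not verified as sufficient for AirPlay), and the `max_ports` threshold of 64 is an arbitrary assumption.

```python
import re

# Constructed sample: rule 1 is copied from the final post; rule 2 is a
# hypothetical tightened variant (TV address taken from the nmap output).
SAMPLE = """
config rule
        option src 'lan'
        option dest 'infra'
        option name 'airplay samsung tv LAN to INFRA'
        option dest_port '80 443 554 5000-5001 5353 7000 7100 8008-8009 49152-65535'
        option target 'ACCEPT'

config rule
        option src 'lan'
        option dest 'infra'
        option name 'airplay to TV only (hypothetical)'
        list proto 'tcp'
        option dest_ip '10.0.0.152'
        option dest_port '7000 7100'
        option target 'ACCEPT'
"""

def parse_rules(text):
    """Return one dict per 'config rule' stanza; every value is a token list."""
    rules = []
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config rule"):
            rules.append({})
        m = re.match(r"(?:option|list)\s+(\w+)\s+'([^']*)'", line)
        if m and rules:
            rules[-1].setdefault(m.group(1), []).extend(m.group(2).split())
    return rules

def port_count(specs):
    """Count ports covered by tokens such as '7000' or '49152-65535'."""
    return sum(int(s.split("-")[-1]) - int(s.split("-")[0]) + 1 for s in specs)

def audit(rule, max_ports=64):
    """Findings for a forwarded ACCEPT rule; an empty list means none."""
    if rule.get("target") != ["ACCEPT"] or "dest" not in rule:
        return []
    n = port_count(rule.get("dest_port", []))
    checks = [("proto" not in rule, "no proto: firewall default is tcp+udp"),
              (not rule.keys() & {"src_ip", "dest_ip"}, "no host restriction"),
              (n > max_ports, f"{n} destination ports open")]
    return [msg for flagged, msg in checks if flagged]

def audit_all(text):
    return {" ".join(r["name"]): audit(r) for r in parse_rules(text)}
```

Calling `audit_all()` on the output of `uci export firewall` applies the same checks to a live configuration; rules without a `dest` zone, such as the two mDNS input rules, are skipped by design.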