Hi there, I am learning so many things and enjoying OpenWrt greatly. It's a lot of fun. I'll try to be brief about the problem I am trying to solve.
My router is configured with two subnets: `lan` (192.168.1.0/24), where my Chromecast (and the Android TV Remote target) lives, and `wwan` (192.168.52.0/24), which uses a radio as a WiFi client toward the upstream network. I route all Chromecast traffic over the VPN with PBR (see my previous post), except for traffic between my two subnets.
To enable mDNS across the two subnets I followed this link, installed Avahi, and added firewall rules and PBR policies for the mDNS group 224.0.0.251 on UDP port 5353 (see the configuration below).
From `wwan`, I can see the advertised `_googlecast._tcp` and `_androidtvremote2._tcp` services, but I cannot connect to the Android TV Remote (not from any app, and not even with plain `openssl`, see below).
I thought it was a firewall problem, so I opened TCP ports 6466-6467 according to this Android TV Remote v2 GitHub link.
Still no luck. Here is the full config — any suggestions?
# cat /etc/config/network
# /etc/config/network — interface definitions. Secrets in this post are
# redacted ('XXX', 'QUUZ', 'EXTERNAL IP').
config interface 'loopback'
option device 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
config globals 'globals'
# Redacted; normally a random fd00::/48 ULA prefix. Combined with ip6assign on
# 'lan' below, LAN hosts (Chromecast included) get IPv6 addresses — relevant
# because PBR has ipv6_enabled '0' (see /etc/config/pbr).
option ula_prefix 'QUUZ'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth1'
# IGMP snooping on the bridge: multicast is only forwarded to ports with
# subscribers. The mDNS group 224.0.0.251 is link-local and is normally
# flooded by the Linux bridge regardless.
option igmp_snooping '1'
config interface 'lan'
option device 'br-lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
# Hands a /60 out of the delegated/ULA prefix to the LAN.
option ip6assign '60'
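config interface 'wan'
option device 'eth0'
option proto 'dhcp'
config interface 'wan6'
option device 'eth0'
option proto 'dhcpv6'
# Upstream WiFi client. The wifi-iface with `option network 'wwan'` attaches
# the radio, so no `option device` is needed here. It sits in the 'wan'
# firewall zone, i.e. 192.168.52.0/24 is treated as untrusted — correct for a
# network the router does not own.
# Fixed: the original combined proto 'dhcp' with ipaddr/netmask/gateway, which
# netifd ignores for DHCP — the real address was whatever lease the upstream
# handed out, while the firewall rules hard-code 192.168.52.251 for LuCI/SSH.
# A static address keeps those rules correct (alternatively keep DHCP and
# reserve .251 for this router on the upstream DHCP server).
config interface 'wwan'
option proto 'static'
option ipaddr '192.168.52.251'
option netmask '255.255.255.0'
option gateway '192.168.52.1'
# NOTE(review): a static interface learns no resolver from DHCP. If wwan is the
# active uplink, add one here, e.g. `list dns '192.168.52.1'`, or name
# resolution on the router itself will rely on the tunnel DNS (10.8.0.1) only.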
# WireGuard client towards the VPN provider. Keys are redacted ('XXX').
config interface 'wg0'
option proto 'wireguard'
option private_key 'XXX'
# A fixed listen port is not needed for a client-only peer (a random one is
# used if omitted). It is harmless here: the 'vpn' and 'wan' zones both have
# input REJECT, so nothing can reach it unsolicited.
option listen_port '60333'
list addresses '10.13.128.153/24'
# Resolver that is only reachable inside the tunnel; lookups through it fail
# while wg0 is down.
list dns '10.8.0.1'
option mtu '1390'
# Keep the interface (and its routes) up even before a peer handshake exists.
option force_link '1'
config wireguard_wg0
option description 'Imported peer configuration'
option public_key 'XXX'
# Full-tunnel peer: every destination is allowed inside the tunnel. Which
# traffic actually enters it is decided by the PBR policies, not by this list.
list allowed_ips '0.0.0.0/0'
option persistent_keepalive '25'
option endpoint_host 'EXTERNAL IP'
option endpoint_port '1443'
# cat /etc/config//firewall
# /etc/config/firewall — fw4. Default-deny for traffic to and through the
# router; zones and rules open only what is needed.
config defaults
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
option synflood_protect '1'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'
# With every policy ACCEPT there is little to log on this zone; fine while
# debugging, consider dropping it afterwards to keep the log readable.
option log '1'
option log_limit '10/second'
config zone
option name 'wan'
option input 'REJECT'
option output 'ACCEPT'
# No wan->lan forwarding by default. Because the wwan subnet is in this zone,
# a client on 192.168.52.0/24 cannot open connections to 192.168.1.x — which
# is the address mDNS advertises for the Chromecast/Android TV — unless a
# rule further down explicitly allows it.
option forward 'REJECT'
# NAT applies on wwan as well: LAN hosts appear upstream as 192.168.52.251.
option masq '1'
option mtu_fix '1'
list network 'wan'
list network 'wan6'
list network 'wwan'
# Logs rejected packets arriving from the upstream networks (rate-limited).
option log '1'
option log_limit '10/second'
# Stock OpenWrt default rules. All of them match the whole 'wan' zone, so
# they also apply on the wwan (upstream WiFi) side.
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
# The router answers ping from the upstream networks, including wwan.
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option family 'ipv6'
option target 'ACCEPT'
list src_ip 'fe80::/10'
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
# Stock IPsec pass-through: forwards ESP and UDP/500 from the wan zone
# (wwan included) to any LAN host. Nothing in this config terminates IPsec;
# if no LAN device needs it, these two rules can be removed.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
config zone
option name 'vpn'
# Nothing may initiate connections from the tunnel towards the router or the
# LAN; only replies to lan->vpn flows come back (stateful tracking).
option input 'REJECT'
option output 'ACCEPT'
option forward 'REJECT'
# LAN hosts are NATed to the wg0 address (10.13.128.153) inside the tunnel.
option masq '1'
option mtu_fix '1'
list network 'wg0'
# PBR installs its nft marking chains through this fw4-compatible include.
config include 'pbr'
option fw4_compatible '1'
option type 'script'
option path '/usr/share/pbr/pbr.firewall.include'
config forwarding
option src 'lan'
option dest 'vpn'
# lan->wan stays open so the PBR 'ignore' policies (lan <-> wwan traffic) can
# reach wwan. It also means anything PBR does not steer into wg0 leaves in the
# clear. In particular IPv6: PBR has ipv6_enabled '0' and wg0 carries only an
# IPv4 address, while wan6 + ip6assign give LAN hosts routable IPv6 if the ISP
# delegates a prefix — NOTE(review): confirm that is acceptable, otherwise
# disable IPv6 on wan6/lan or add an IPv6 drop rule for lan->wan.
config forwarding
option src 'lan'
option dest 'wan'
# Management from the wwan side only: source limited to 192.168.52.0/24 and
# destination to the router's own wwan address. Everything else arriving on
# the wan zone still hits input REJECT. Both rules assume the router really
# holds 192.168.52.251 (see the wwan interface definition).
config rule
option name 'Allow-LUCI-wan'
list dest_ip '192.168.52.251'
option dest_port '443'
option target 'ACCEPT'
list proto 'tcp'
option family 'ipv4'
option src 'wan'
list src_ip '192.168.52.0/24'
# SSH is reachable from every host on the upstream WiFi network. If that
# network is shared, make sure dropbear is key-only (PasswordAuth off).
config rule
option name 'Allow-SSH-wan'
list proto 'tcp'
list dest_ip '192.168.52.251'
option dest_port '22'
option target 'ACCEPT'
option family 'ipv4'
option src 'wan'
list src_ip '192.168.52.0/24'
# mDNS into the router (for the Avahi reflector) from the wwan subnet.
# Matching on src_port 5353 admits continuous queriers/responders, but drops
# one-shot queries that some resolvers send from an ephemeral port — remove
# the src_port line if a client never sees the advertisements.
config rule
option name 'Allow-Multicast-WAN'
list proto 'udp'
option src 'wan'
option src_port '5353'
list dest_ip '224.0.0.251'
option dest_port '5353'
option target 'ACCEPT'
option family 'ipv4'
list src_ip '192.168.52.0/24'
# Redundant: the lan zone already has input ACCEPT. Harmless; kept for symmetry.
config rule
option name 'Allow-Multicast-LAN'
list proto 'udp'
option src 'lan'
option src_port '5353'
list dest_ip '224.0.0.251'
option dest_port '5353'
option target 'ACCEPT'
option family 'ipv4'
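# Android TV Remote v2 (TCP 6466 pairing, 6467 remote).
# Why the original redirect did not help: a DNAT redirect only matches traffic
# addressed to the router's own wan-zone address (192.168.52.251), and without
# `option dest_ip` it has no LAN host to translate to. The remote app instead
# dials the 192.168.1.x address advertised over mDNS, i.e. a plain wan->lan
# forward — and the wan zone's forward policy is REJECT. Allow exactly that
# flow, restricted to the wwan subnet and TCP.
config rule
option name 'Allow-AndroidTV-Remote-wwan'
option src 'wan'
option dest 'lan'
option proto 'tcp'
option dest_port '6466-6467'
list src_ip '192.168.52.0/24'
# Tighten further once the Chromecast has a static lease:
# list dest_ip '<chromecast LAN IP>'
option target 'ACCEPT'
option family 'ipv4'
# NOTE(review): the wwan clients (or the upstream 192.168.52.1 router) must
# also have a route for 192.168.1.0/24 via 192.168.52.251, otherwise their
# packets go to the upstream default gateway and never reach this router.
# If adding that route is not possible, keep the DNAT below as a fallback and
# give it a target — it is inert without `dest_ip`. Clients would then have to
# connect to 192.168.52.251:6466 explicitly, which the app does not do.
config redirect
option dest 'lan'
option target 'DNAT'
option name 'Android TV Remote'
option family 'ipv4'
option proto 'tcp'
option src 'wan'
option src_ip '192.168.52.0/24'
option src_dport '6466-6467'
option dest_port '6466-6467'
# option dest_ip '<chromecast LAN IP>'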
# cat /etc/config/pbr
# /etc/config/pbr — policy-based routing: decides which traffic enters wg0.
config pbr 'config'
option enabled '1'
option verbosity '1'
# Kill-switch behaviour (as documented by pbr — confirm for this version):
# if wg0 is down, traffic a policy maps to it is blocked instead of falling
# back to the wan default route.
option strict_enforcement '1'
option resolver_set 'dnsmasq.nftset'
# IPv6 is not steered at all; any IPv6 traffic from the LAN bypasses the VPN
# and leaves via wan6 (see the lan->wan forwarding in /etc/config/firewall).
option ipv6_enabled '0'
list ignored_interface 'vpnserver'
list ignored_interface 'wgserver'
option boot_timeout '0'
option rule_create_option 'add'
option procd_reload_delay '1'
option webui_show_ignore_target '1'
list webui_supported_protocol 'all'
list webui_supported_protocol 'tcp'
list webui_supported_protocol 'udp'
list webui_supported_protocol 'tcp udp'
list webui_supported_protocol 'icmp'
list webui_supported_protocol 'igmp'
# Bundled example policies, disabled.
config include
option path '/usr/share/pbr/pbr.user.aws'
option enabled '0'
config include
option path '/usr/share/pbr/pbr.user.netflix'
option enabled '0'
# Policies are evaluated in order: the 'ignore' entries must stay above the
# catch-all at the bottom, or inter-subnet traffic ends up in the tunnel.
# lan -> wwan stays on the main routing table (not tunnelled).
config policy
option name 'Ignore Home Traffic'
option interface 'ignore'
option dest_addr '192.168.52.0/24'
option src_addr '192.168.1.0/24'
# wwan -> lan likewise; together with the previous policy this keeps both
# directions of the inter-subnet traffic (and the Android TV Remote flow)
# out of wg0.
config policy
option name 'Ignore Home Traffic 2'
option src_addr '192.168.52.0/24'
option dest_addr '192.168.1.0/24'
option interface 'ignore'
# mDNS (source and destination port 5353, group 224.0.0.251) stays local.
config policy
option name 'Multicast Ignore'
option src_port '5353'
option dest_addr '224.0.0.251'
option dest_port '5353'
option proto 'udp'
option interface 'ignore'
# Catch-all: every remaining IPv4 source (src_addr 0.0.0.0/0 — not only the
# Chromecast, despite the description in the post) is routed through wg0.
# Narrow src_addr to the Chromecast's address if only it should use the VPN.
config policy
option name 'All Traffic over Wireguard'
option src_addr '0.0.0.0/0'
option interface 'wg0'