Connect to Android TV Remote 2 in different subnet

Hi there, I am learning so many things and enjoying OpenWrt greatly. It's a lot of fun. I hope to be brief in the following problem I am trying to solve.

My router is configured with two subnets, one (lan, 192.168.1.0/24) is where my Chromecast (and Android TV Remote) lives and the other (wwan, 192.168.52.0/24) is using a radio as WiFi client. I route all Chromecast traffic over VPN, unless from/to my two subnets using PBR (previous port).

In order to enable mDNS I have also followed this link and installed Avahi and added rules/routing for port 224.0.0.1:5353 UDP.

From the wwan, I can see the advertised _googlecast._tcp and _androidtvremote2._tcp services, but I cannot connect to the Android TV Remote (not from any app, and not even with plain openssl, see below).

I thought it was a firewall problem, so I opened ports 6466-6467 according to this Android TV Remote v2 GitHub link.

Still no luck, and here is the full conf. Any suggestion?

# cat /etc/config/network 

# Loopback interface, static 127.0.0.1/8.
config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	# 'QUUZ' is not an IPv6 prefix; presumably the real ULA prefix was replaced before posting.
	option ula_prefix 'QUUZ'

# Bridge br-lan with eth1 as its only listed port; IGMP snooping is enabled on the bridge.
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth1'
	option igmp_snooping '1'

# lan: the router's static address on 192.168.1.0/24 (the subnet holding the Chromecast per the post).
config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

# wan / wan6: IPv4 DHCP and DHCPv6 clients on eth0.
config interface 'wan'
	option device 'eth0'
	option proto 'dhcp'

config interface 'wan6'
	option device 'eth0'
	option proto 'dhcpv6'

# wwan: the Wi-Fi client side (192.168.52.0/24 per the post). No 'device' option is set here.
# NOTE(review): proto is 'dhcp' while ipaddr/netmask/gateway are also listed; confirm which of
# them take effect. The firewall rules that match dest_ip 192.168.52.251 only work while the
# interface really holds that address.
config interface 'wwan'
	option proto 'dhcp'
	option ipaddr '192.168.52.251'
	option netmask '255.255.255.0'
	option gateway '192.168.52.1'

# wg0: WireGuard interface used as the VPN uplink.
config interface 'wg0'
	option proto 'wireguard'
	# Shown as 'XXX' (redacted for the post); on the router this option holds the key in clear text.
	option private_key 'XXX'
	option listen_port '60333'
	list addresses '10.13.128.153/24'
	list dns '10.8.0.1'
	option mtu '1390'
	option force_link '1'

# The single WireGuard peer; public_key and endpoint_host are placeholders in the post.
config wireguard_wg0
	option description 'Imported peer configuration'
	option public_key 'XXX'
	# Any IPv4 destination may be sent to this peer. No route_allowed_ips option is set, so
	# steering traffic into the tunnel is presumably left to the pbr policies.
	list allowed_ips '0.0.0.0/0'
	option persistent_keepalive '25'
	option endpoint_host 'EXTERNAL IP'
	option endpoint_port '1443'

# cat /etc/config//firewall 

# Global policy: traffic to the router and forwarded traffic are rejected unless a zone or rule
# accepts them; traffic originated by the router is accepted.
config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

# lan zone: fully trusted (input, output and intra-zone forward all ACCEPT), with logging enabled.
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'
	option log '1'
	option log_limit '10/second'

# wan zone: untrusted side, with masquerading for traffic leaving through it.
# The zone holds wan, wan6 AND wwan, so every rule written with src 'wan' also matches packets
# arriving on eth0, not only those from the 192.168.52.0/24 Wi-Fi network. The src_ip/dest_ip
# matches in the individual rules are the only thing narrowing them to wwan.
# NOTE(review): a separate zone for wwan would make that scoping explicit instead of relying on
# address matches.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wwan'
	option log '1'
	option log_limit '10/second'

# Rules in this group that set 'src' but no 'dest' apply to traffic addressed to the router itself.

# Accept UDP to port 68 from the wan zone so DHCP replies reach the router's DHCP client.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# Accept IPv4 ICMP echo-request from the wan zone (the router answers pings on that side).
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

# Accept IGMP from the wan zone.
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# Accept UDP to port 546 over IPv6 from the wan zone (DHCPv6 client port).
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# Named for MLD, but no icmp_type list is present: as written it accepts every ICMPv6 type from
# link-local sources (fe80::/10) in the wan zone.
# NOTE(review): confirm whether the type list was dropped when the config was pasted.
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option family 'ipv6'
	option target 'ACCEPT'
	list src_ip 'fe80::/10'

# Accept the listed ICMPv6 types addressed to the router, rate-limited to 1000/sec.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Forward the listed ICMPv6 types from the wan zone to any zone (dest '*'), rate-limited.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# The next two rules forward IPsec traffic (ESP, and UDP 500 for ISAKMP) from the wan zone to
# any host in the lan zone; neither sets dest_ip or src_ip.
# NOTE(review): if no IPsec endpoint lives on lan, these two forwards are not needed.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# vpn zone: the WireGuard interface wg0, treated like an untrusted uplink (input and forward
# REJECT, masquerading on).
config zone
	option name 'vpn'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wg0'

# Script include shipped with the pbr package.
config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/pbr.firewall.include'

# Only lan-originated forwarding is declared (lan -> vpn, lan -> wan). There is no wan -> lan
# forwarding, so a new connection from 192.168.52.0/24 toward 192.168.1.0/24 hits the wan zone's
# forward 'REJECT' unless a specific rule accepts it.
config forwarding
	option src 'lan'
	option dest 'vpn'

config forwarding
	option src 'lan'
	option dest 'wan'

# Router management from the Wi-Fi client side: HTTPS (443) and SSH (22) are accepted when the
# packet comes from 192.168.52.0/24 and is addressed to 192.168.52.251. Both rules use
# src 'wan', which also covers eth0 (see the wan zone), so the address matches are what keep
# them off the real uplink.
# NOTE(review): every host on 192.168.52.0/24 can reach both services; if that network is
# shared, narrowing src_ip to the admin host is worth considering.
config rule
	option name 'Allow-LUCI-wan'
	list dest_ip '192.168.52.251'
	option dest_port '443'
	option target 'ACCEPT'
	list proto 'tcp'
	option family 'ipv4'
	option src 'wan'
	list src_ip '192.168.52.0/24'

config rule
	option name 'Allow-SSH-wan'
	list proto 'tcp'
	list dest_ip '192.168.52.251'
	option dest_port '22'
	option target 'ACCEPT'
	option family 'ipv4'
	option src 'wan'
	list src_ip '192.168.52.0/24'

# mDNS toward the router from 192.168.52.0/24 (UDP 5353 to 224.0.0.251); per the post, Avahi
# runs on the router. src_port 5353 must match as well, so a query sent from any other source
# port is not accepted by this rule.
config rule
	option name 'Allow-Multicast-WAN'
	list proto 'udp'
	option src 'wan'
	option src_port '5353'
	list dest_ip '224.0.0.251'
	option dest_port '5353'
	option target 'ACCEPT'
	option family 'ipv4'
	list src_ip '192.168.52.0/24'

# Same match for the lan zone. The lan zone already has input 'ACCEPT', so this rule does not
# widen what lan hosts can send to the router.
config rule
	option name 'Allow-Multicast-LAN'
	list proto 'udp'
	option src 'lan'
	option src_port '5353'
	list dest_ip '224.0.0.251'
	option dest_port '5353'
	option target 'ACCEPT'
	option family 'ipv4'

# DNAT redirect for ports 6466-6467 arriving from 192.168.52.0/24 in the wan zone.
# NOTE(review): no dest_ip is set, so no LAN host is named as the translation target, and no
# proto is set either. The thread later drops this redirect in favour of a plain forward rule.
config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Android TV Remote'
	option family 'ipv4'
	option src 'wan'
	option src_ip '192.168.52.0/24'
	option src_dport '6466-6467'
	option dest_port '6466-6467'

# cat /etc/config/pbr 

# Global pbr (policy-based routing) settings; IPv6 handling is switched off.
config pbr 'config'
	option enabled '1'
	option verbosity '1'
	# NOTE(review): pbr describes strict enforcement as keeping a policy in force while its
	# interface is down instead of falling back to the default route; confirm for the
	# installed version, since that is what keeps VPN-bound traffic off the plain uplink.
	option strict_enforcement '1'
	option resolver_set 'dnsmasq.nftset'
	option ipv6_enabled '0'
	# Neither 'vpnserver' nor 'wgserver' appears in the network config shown in the post.
	list ignored_interface 'vpnserver'
	list ignored_interface 'wgserver'
	option boot_timeout '0'
	option rule_create_option 'add'
	option procd_reload_delay '1'
	option webui_show_ignore_target '1'
	list webui_supported_protocol 'all'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list webui_supported_protocol 'igmp'

# Two include scripts, both disabled.
config include
	option path '/usr/share/pbr/pbr.user.aws'
	option enabled '0'

config include
	option path '/usr/share/pbr/pbr.user.netflix'
	option enabled '0'

# Traffic between the two local subnets, in either direction, is exempted from policy routing
# (interface 'ignore').
config policy
	option name 'Ignore Home Traffic'
	option interface 'ignore'
	option dest_addr '192.168.52.0/24'
	option src_addr '192.168.1.0/24'

config policy
	option name 'Ignore Home Traffic 2'
	option src_addr '192.168.52.0/24'
	option dest_addr '192.168.1.0/24'
	option interface 'ignore'

# mDNS (UDP 5353 -> 224.0.0.251, source port 5353) is exempted as well.
config policy
	option name 'Multicast Ignore'
	option src_port '5353'
	option dest_addr '224.0.0.251'
	option dest_port '5353'
	option proto 'udp'
	option interface 'ignore'

# Catch-all: src_addr 0.0.0.0/0 matches every IPv4 source, not only lan hosts, and sends it to
# wg0. Only the 'ignore' policies above keep local traffic out of the tunnel.
# NOTE(review): this presumably depends on policies being evaluated in listed order; confirm.
config policy
	option name 'All Traffic over Wireguard'
	option src_addr '0.0.0.0/0'
	option interface 'wg0'

Have a look at this


OK, I read that, but it sounds like a slightly different issue, because according to the Android TV Remote v2 docs I found, the connection to the remote is not multicast... if I understand things correctly.

You added rules/routing for 224.0.0.1 and you think it's not multicast?

There is the firewall rule to allow mDNS, which seems to be working.
But mDNS is for discovery.
Next you have to allow the actual traffic between remote and TV.
The rule below is probably not correct.
A simple traffic rule allowing traffic might do the trick?

I think you are right, that forwarding firewall rule was wrong. I got it working with the following firewall rules and pbr adjustments - I think they were likely both off.

# cat /etc/config/firewall
...
# mDNS toward the router from 192.168.52.0/24 (UDP 5353 to 224.0.0.251, source port 5353).
config rule
	option name 'Allow-Multicast-WAN'
	list proto 'udp'
	option src 'wan'
	option src_port '5353'
	list dest_ip '224.0.0.251'
	option dest_port '5353'
	option target 'ACCEPT'
	option family 'ipv4'
	list src_ip '192.168.52.0/24'

# Same match for packets coming from the lan zone.
config rule
	option name 'Allow-Multicast-LAN'
	list proto 'udp'
	option src 'lan'
	option src_port '5353'
	list dest_ip '224.0.0.251'
	option dest_port '5353'
	option target 'ACCEPT'
	option family 'ipv4'

# Forward rule replacing the earlier DNAT redirect: TCP 6466-6467 from 192.168.52.0/24 in the
# wan zone is accepted toward the lan zone.
# NOTE(review): no dest_ip is set, so these ports are opened toward every lan host. Adding the
# TV's address (list dest_ip '<TV_LAN_IP>', placeholder) would limit the rule to that device.
config rule
	option name 'Allow-TvRemote-Forward'
	list proto 'tcp'
	option src 'wan'
	list src_ip '192.168.52.0/24'
	option dest 'lan'
	option dest_port '6466-6467'
	option target 'ACCEPT'
	option family 'ipv4'
# cat /etc/config/pbr

# All UDP to the IPv4 multicast range 224.0.0.0/4 is exempted from policy routing. This is
# broader than the earlier policy, which matched only 224.0.0.251 port 5353.
config policy
	option name 'All Multicast'
	option dest_addr '224.0.0.0/4'
	option interface 'ignore'
	option proto 'udp'

# Only traffic sourced from 192.168.1.0/24 and NOT destined for 192.168.52.0/24 is sent to wg0.
# Traffic from lan hosts toward the 192.168.52.0/24 network therefore no longer matches the
# VPN policy.
config policy
	option name 'All Traffic over Wireguard'
	option src_addr '192.168.1.0/24'
	option interface 'wg0'
	option dest_addr '!192.168.52.0/24'