After literally weeks of trying to figure out how to cast to my LG TV on another VLAN I finally got it figured out. I am planning on doing a write-up (somewhere here, if that is ok?), but before I do that it'd be great if somebody could check my firewall rules.
Network:
VLAN 1: br-lan (192.168.178.0/24)
VLAN 100: br-lan100 (10.1.100.0/24)
These two VLANs are in a firewall zone called SafeZone with forwarding between the zones enabled.
VLAN 103: br-iot (10.1.103.0/24)
VLAN 104: br-nonet (10.1.104.0/24)
These two VLANs are in a firewall zone called LessSafe and can't talk to each other or to devices in SafeZone. Devices in SafeZone can talk to devices in LessSafe.
100 and 104 don't play a role for casting, I am just mentioning them because their names appear in the rules.
The rules:
1. nft add rule inet fw4 mangle_prerouting iifname {"br-lan", "br-iot", "br-lan100", "br-nonet"} ip daddr 239.255.255.250 ip ttl 1 ip ttl set 2 # ssdp TTL mangling
2. nft add rule inet fw4 mangle_prerouting iifname {"br-lan", "br-iot", "br-lan100", "br-nonet"} ip daddr 224.0.0.251 ip ttl set 2 # mdns TTL mangling
3. nft add set inet fw4 ssdp_out {type inet_service \; timeout 5s \;}
4. nft insert rule inet fw4 forward iifname {"br-iot", "br-nonet"} oifname {"br-lan", "br-lan100"} udp dport @ssdp_out counter accept
5. nft insert rule inet fw4 forward iifname {"br-iot", "br-nonet"} oifname {"br-lan", "br-lan100"} tcp dport @ssdp_out counter accept
6. nft insert rule inet fw4 forward ip daddr 239.255.255.250 udp dport 1900 set add udp sport @ssdp_out
Rules 1 and 2 take care of TTL so that packets can traverse VLAN boundaries.
Rule 6 opens ssdp port 1900 on IP 239.255.255.250 for the initial request.
Rule 3 creates an ip set.
Rules 4 and 5: Here is what I think they do: if a device in br-lan connects to a device in br-iot, these rules add the port the device connected on to the ip set, which then opens the firewall for 5 seconds so the device in br-iot can talk back to the device in br-lan.
I am not sure that's true though. Don't these rules open the firewall whether a request was made from br-lan first or not?
Can rule 5 and 6 be written as one rule since they do the same except for the protocol?
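Added example, not part of the original post: a small Python SSDP client that performs the exchange the rules above have to let through. Run it on a host in br-lan while the TV sits in br-iot. It sends one M-SEARCH to 239.255.255.250:1900 from an ephemeral UDP source port (the sport that rule 6 adds to ssdp_out, with the default multicast TTL of 1 so rule 1 is exercised), then waits for the unicast replies that rules 4 and 5 must accept back into br-lan within the 5 s set timeout. The printed source port can be compared against `nft list set inet fw4 ssdp_out` on the router while the script is waiting. The reply shown in SAMPLE_REPLY is a constructed sample, the IP 10.1.103.20 and the description URL are assumptions.

```python
"""Minimal SSDP M-SEARCH client for checking cross-VLAN discovery.

Added example for the thread above, not code from the original post.
"""
import socket

SSDP_GROUP = "239.255.255.250"
SSDP_PORT = 1900

# Constructed sample of what a renderer answers with (hypothetical IP/URL).
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"LOCATION: http://10.1.103.20:8080/desc.xml\r\n"
    b"ST: ssdp:all\r\n"
    b"USN: uuid:example-device::ssdp:all\r\n"
    b"\r\n"
)


def build_msearch(st="ssdp:all", mx=2):
    """Build an SSDP M-SEARCH request (HTTP over UDP, CRLF line endings)."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_GROUP}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_response(data):
    """Parse a unicast SSDP reply into a dict of lower-cased header names.

    Returns None for anything that is not an 'HTTP/1.1 200' response
    (for example a NOTIFY announcement that happens to arrive).
    """
    text = data.decode("utf-8", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in lines[1:]:
        # Split on the first colon only; LOCATION values contain colons.
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def discover(timeout=3.0, st="ssdp:all", ttl=1):
    """Send one M-SEARCH and collect replies until the timeout expires.

    Returns (source_port, replies); replies is a list of (sender_ip, headers).
    ttl=1 is the Linux default for multicast and is exactly the case
    rule 1 rewrites to 2, so this request depends on the TTL mangling.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, ttl)
    sock.settimeout(timeout)
    sock.bind(("", 0))  # ephemeral sport: the value rule 6 puts into ssdp_out
    sport = sock.getsockname()[1]
    sock.sendto(build_msearch(st), (SSDP_GROUP, SSDP_PORT))
    replies = []
    try:
        while True:
            data, (ip, _port) = sock.recvfrom(65535)
            headers = parse_response(data)
            if headers is not None:
                replies.append((ip, headers))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return sport, replies


if __name__ == "__main__":
    sport, replies = discover()
    print(f"M-SEARCH sent from UDP source port {sport}")
    if not replies:
        print("No replies: check TTL mangling (rules 1/6) and the return path (rules 4/5)")
    for ip, headers in replies:
        print(f"{ip}: ST={headers.get('st')} LOCATION={headers.get('location')}")
```

If the script prints the source port but no replies, capture on the router with `tcpdump -ni br-iot udp port 1900` to see whether the request left the router at all (TTL problem) or whether the TV answered and the unicast reply was dropped on the way back (set/forward problem).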