Fw4: How to increase ttl for SSDP

I divided my net into multiple VLANs and I am now trying to get casting/SSDP working across VLAN boundaries.

I have installed smcroute and am now working on increasing the ttl of the multicast packets. There is a ton of info on how to do this with iptables, but not so much for nft.

I have found this post, which basically just sets the ttl to a fixed number, but I am not certain how to adapt it to my situation and I am also not sure whether this is save? Doesn't a ttl of 64 mean that my multicast packets will leave my network?

I have a "safe" VLAN on bridge br-lan100 ( and two iot VLANs.

One with internet access: br-iot ( and one without: br-nonet (

How can I mangle the ttl of the multicast packets to/from those VLANs using fw4 in a safe manner?

as per that post in nftables there is no --ttl-inc equivalent. but you can use the formulas from the post.
formula 1) meta nfproto ipv4 oifname eth2 ip ttl set 64 which sets ttl to 64, obviously you can use other value, e.g. 5. or
formula 2) meta nfproto ipv4 iifname eth2 ip ttl 1 ip ttl set 5 which sets ttl to 5 if ttl was 1.

hope it helps.

Thanks! I opted for these entries in the (fw4_compatible") /etc/firewall.user:

nft add rule inet fw4 prerouting iifname "br-lan" ip daddr ip ttl set 30
nft add rule inet fw4 prerouting iifname "br-iot" ip daddr ip ttl set 30

It seems I celebrated too early.

I still can't see routed multicast traffic from my phone so I checked with tcpdump:

Current rules:

nft add rule inet fw4 mangle_forward iifname "br-lan" ip daddr ip ttl set 3
nft add rule inet fw4 mangle_forward oifname "br-lan" ip daddr ip ttl set 3
root@OpenWrt:~# tcpdump -i br-lan src host phone.lan and 'ip[8]<10' -v
tcpdump: listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
00:00:56.045608 IP (tos 0x0, ttl 1, id 45970, offset 0, flags [DF], proto UDP (17), length 122)
    phone.lan.1900 > UDP, length 94

So the ttl of those packets is still 1, which would explain my issue with routing multicast traffic. Can you see why this rule isn't working? Thank you for your help!

If your phone is connected to the lan network, you are capturing traffic on the wrong interface, because tcpdump "sees" it before it is processed by netfilter/nft.

You should run tcpdump on the outbound interface (br-iot ?).

Although this should also work, move your rule to the mangle_prerouting chain.

Thanks, that worked!

I can now see my TV in the Netflix app, but can't see it in the Youtube app and neither app can stream to it. But alas progress :slight_smile:

I'll get some more data and create a new thread for the other problems. But thanks so much both of you, this helped a ton!

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.