Fw4: stateful matching of multicast responses?

Hi,

I have two VLANs, br-iot and br-lan. In br-iot I have a TV (LG) that I want to cast to from devices in br-lan.

br-iot is isolated from br-lan (br-lan can connect to br-iot, but not vice versa).

I've successfully set up smcroute and have been able to change the ttl so that packets can cross VLAN boundaries.

The issue is that after the TV has received a discover-request like so:

22:47:40.098961 IP (tos 0x0, ttl 31, id 39083, offset 0, flags [DF], proto UDP (17), length 123)
    pc.lan.46268 > 239.255.255.250.1900: UDP, length 95
E..{..@..._............l.gS.M-SEARCH * HTTP/1.1
HOST: 239.255.255.250:1900
MAN: "ssdp:discover"
MX: 20
ST: ssdp:all

The TV sends the answer to the UDP port the request originated from (46268 in this example):

22:47:41.100573 IP (tos 0x0, ttl 64, id 37786, offset 0, flags [DF], proto UDP (17), length 273)
    tv1.lan.37558 > pc.lan.46268: UDP, length 245
E.....@.@...
.gf............HTTP/1.1 200 OK
Location: http://10.1.103.102:1807/
Cache-Control: max-age=1800
Server: WebOS/4.1.0 UPnP/1.0
EXT: 
USN: uuid:eae041c0-eaad-3abd-2174-51beed8c81bc::upnp:rootdevice
ST: upnp:rootdevice
Date: Sat, 28 Oct 2023 20:47:40 GMT

That port is blocked by the firewall and so the pc never receives a response.

I can either

  1. Punch a barn sized hole into the firewall
  2. Track the connections from br-lan->br-iot and open the ports from which the requests originated.

I am of course leaning heavily towards number two and I have found this example, but it uses iptables.

$ ipset create upnp hash:ip,port timeout 3
$ iptables -A OUTPUT -d 239.255.255.250/32 -p udp -m udp --dport 1900 -j SET --add-set upnp src,src --exist
$ iptables -A INPUT -p udp -m set --match-set upnp dst,dst -j ACCEPT

Can anybody tell me how I can realize this with fw4?

https://github.com/mqus/nft-rules/blob/master/files/SSDP_client.md

In your case it should be something like this:

nft add set inet fw4 ssdp_out {type inet_service \; timeout 5s \;}
nft insert rule inet fw4 forward iifname "br-iot" oifname "br-lan" udp dport @ssdp_out counter accept
nft insert rule inet fw4 forward ip daddr 239.255.255.250 udp dport 1900 set add udp sport @ssdp_out
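As an added illustration (not from the reply above or the linked repository), this Python script replays tcpdump -v output through the same dynamic-set logic the nft rules implement: an outbound M-SEARCH to 239.255.255.250:1900 adds its source port to a set with a 5 s timeout, and a packet from the IoT side is accepted only if its destination port is still in that set. The hostnames and the sample packet lines are constructed after the capture in the post.

```python
import re
from datetime import timedelta

SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900
SET_TIMEOUT = timedelta(seconds=5)   # same as 'timeout 5s' on the nft set
# tcpdump -v prints the timestamp on the IP header line and the flow on the next one
TS_RE = re.compile(r"^(\d\d):(\d\d):(\d\d)\.(\d{6}) IP ")
FLOW_RE = re.compile(r"^\s+(\S+)\.(\d+) > (\S+)\.(\d+): UDP")

def replay(lines, timeout=SET_TIMEOUT):
    """Replay a tcpdump -v capture against an nft-style dynamic port set.
    Returns one (src, sport, dst, dport, verdict) tuple per UDP packet."""
    ssdp_out = {}            # sport -> expiry, mirrors the ssdp_out set
    ts, verdicts = None, []
    for line in lines:
        m = TS_RE.match(line)
        if m:
            h, mi, s, us = (int(x) for x in m.groups())
            ts = timedelta(hours=h, minutes=mi, seconds=s, microseconds=us)
            continue
        f = FLOW_RE.match(line)
        if not f or ts is None:
            continue
        src, sport, dst, dport = f[1], int(f[2]), f[3], int(f[4])
        # the kernel garbage-collects expired elements; do the same before matching
        for port in [p for p, exp in ssdp_out.items() if exp <= ts]:
            del ssdp_out[port]
        if dst == SSDP_GROUP and dport == SSDP_PORT:
            # br-lan -> br-iot M-SEARCH: 'add @ssdp_out { udp sport }'
            ssdp_out[sport] = ts + timeout
            verdict = "accept"
        elif dport in ssdp_out:
            verdict = "accept"   # br-iot -> br-lan reply to a port in the set
        else:
            verdict = "drop"     # everything else from br-iot stays blocked
        verdicts.append((src, sport, dst, dport, verdict))
    return verdicts

# Constructed sample shaped like the post's capture (payload lines omitted):
# the real reply, a reply arriving after the 5 s timeout, and an unsolicited packet.
SAMPLE = """\
22:47:40.098961 IP (tos 0x0, ttl 31, id 39083, offset 0, flags [DF], proto UDP (17), length 123)
    pc.lan.46268 > 239.255.255.250.1900: UDP, length 95
22:47:41.100573 IP (tos 0x0, ttl 64, id 37786, offset 0, flags [DF], proto UDP (17), length 273)
    tv1.lan.37558 > pc.lan.46268: UDP, length 245
22:47:47.000000 IP (tos 0x0, ttl 64, id 37787, offset 0, flags [DF], proto UDP (17), length 273)
    tv1.lan.37558 > pc.lan.46268: UDP, length 245
22:47:48.000000 IP (tos 0x0, ttl 64, id 37788, offset 0, flags [DF], proto UDP (17), length 60)
    tv1.lan.37558 > pc.lan.5555: UDP, length 32
""".splitlines()
```

Feed it `tcpdump -v -n -i br-lan udp` output (or `replay(SAMPLE)`) and the third sample packet shows why the set timeout must exceed the MX value the M-SEARCH advertises, since TVs may answer late.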

Thank you!

That seems to work. I can see the response traffic on the correct interface in tcpdump now :slight_smile: I haven't solved my multicast problem completely, but this really helped me, thank you!

