Help with inter-VLAN multicast with smcroute

Installing and Using OpenWrt
1

I'm trying to get DLNA working across my VLANs.

My source device is on br-vpn (VLAN2) and my target device is on br-iot (VLAN4). Some have suggested that the easiest solution is to put them on the same VLAN, but this is not a possibility for me because the target device (a TV) needs to be on my ISP connection for proper geolocation and I would prefer to keep them isolated for other reasons.

br-vpn is assigned to the default lan firewall zone and br-iot is assigned to the iot firewall zone and I have enabled bi-directional forwarding between the zones.

I have installed and configured smcroute according to some of the guides I've read here or on blogs elsewhere, yet my devices still cannot communicate. When I move the devices to the same VLAN for testing, everything works properly so it does not appear to be a problem with the software using DLNA.

The only difference I can find between my setup and others that have had success is that I am using vpn-policy-routing to route everything from the br-vpn subnet (192.168.2.0/24) over my wireguard interface (wan is the default route). I was under the impression that anything happening on the LAN would not get sent out over the interface, but maybe that is not correct.

Any help with diagnosing would also be appreciated.

/etc/config/network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fdc2:9aea:13c1::/48'

config interface 'lan'
	option type 'bridge'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.1.1'
	option ip6assign '64'
	option ip6ifaceid '::1'
	option ifname 'eth1'
	option ip6hint '1'

config interface 'wan'
	option proto 'dhcp'
	option ifname 'eth0'

config interface 'wan6'
	option proto 'dhcpv6'
	option ifname 'eth0'
	option reqaddress 'try'
	option reqprefix '56'

config interface 'wireguard'
	option proto 'wireguard'
	list addresses 'X.X.X.X/32'
	option private_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'

config wireguard_wireguard
	option persistent_keepalive '25'
	option description 'vpn
	option public_key 'XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX'
	list allowed_ips '0.0.0.0/0'
	option endpoint_port 'XXXX'
	option endpoint_host 'X.X.X.X'

config interface 'vpn'
	option proto 'static'
	option type 'bridge'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	list dns 'X.X.X.X'
	option ifname 'eth1.2'

config interface 'dmz'
	option proto 'static'
	option type 'bridge'
	option ifname 'eth1.3'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6ifaceid '::1'
	option ip6hint '3'

config interface 'iot'
	option proto 'static'
	option type 'bridge'
	option ifname 'eth1.4'
	option ipaddr '192.168.4.1'
	option ip6assign '64'
	option ip6hint '4'
	option ip6ifaceid '::1'
	option netmask '255.255.255.0'

/etc/config/firewall:

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'dmz'
	list network 'lan'
	list network 'vpn'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	list network 'wireguard'

config zone
	option name 'iot'
	option input 'ACCEPT'
	option output 'ACCEPT'
	list network 'iot'
	option masq '1'
	option forward 'ACCEPT'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config include
	option path '/etc/firewall.user'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'
	option family 'any'
	option reload '1'

config forwarding
	option src 'lan'
	option dest 'iot'

config forwarding
	option src 'iot'
	option dest 'wan'

/etc/firewall.user:

iptables -t mangle -A PREROUTING -i br-vpn -d 224.0.0.0/4 -j TTL --ttl-inc 1
iptables -t mangle -A PREROUTING -i br-iot -d 224.0.0.0/4 -j TTL --ttl-inc 1

/etc/smcroute.conf:

mgroup from br-iot group 239.255.255.250
mgroup from br-vpn group 239.255.255.250
mroute from br-iot group 239.255.255.250 to br-vpn
mroute from br-vpn group 239.255.255.250 to br-iot

smcroutectl show routes:

(*, 239.255.255.250)               br-vpn                    0          0  br-iot
(*, 239.255.255.250)               br-iot                    0          0  br-vpn
(192.168.4.9, 239.255.255.250)     br-iot                  228      60366  br-vpn
(192.168.2.10, 239.255.255.250)    br-vpn               230994   79267302  br-iot
(192.168.2.3, 239.255.255.250)     br-vpn               100497   42407760  br-iot
(192.168.2.4, 239.255.255.250)     br-vpn               279468  103257408  br-iot

/etc/config/vpn-policy-routing:

config policy
	option name 'vpn'
	option src_addr '192.168.2.0/24'
	option interface 'wireguard'

config vpn-policy-routing 'config'
	option strict_enforcement '1'
	option src_ipset '0'
	list supported_interface ''
	list ignored_interface 'vpnserver wgserver'
	option boot_timeout '30'
	option iptables_rule_option 'append'
	option iprule_enabled '0'
	option webui_chain_column '0'
	option webui_sorting '1'
	list webui_supported_protocol 'tcp'
	list webui_supported_protocol 'udp'
	list webui_supported_protocol 'tcp udp'
	list webui_supported_protocol 'icmp'
	list webui_supported_protocol 'all'
	option verbosity '1'
	option webui_enable_column '1'
	option webui_protocol_column '1'
	option dest_ipset '0'
	option webui_show_ignore_target '0'
	option resolver_ipset 'dnsmasq.ipset'
	option enabled '1'
	option ipv6_enabled '0'