Incrementing TTL by "1"

Hi there!
I've been trying for days now to get dlna devices visible from one subnet to another. I tried this tutorial:

But it seems to me, that incrementing the ttl values by 1 does not work.
What i tried is /etc/firewall.user

# SSDP: Increase DLNA Broadcast TTL
iptables -t mangle -A PREROUTING -i br-IoT -d 239.255.255.250 -j TTL --ttl-inc 1
iptables -t mangle -A PREROUTING -i br-home -d 239.255.255.250 -j TTL --ttl-inc 1

But it seems not to work. As far as i found out it is due to fw4 which does not support iptables rules like this.
How can i manage, that my packages get an higher ttl values so that the survive getting out of the subnet?

Best Benjamin.

As far is I got to know, nftables does not yet support --ttl-inc ...

You can create value map to imitate inc-ttl. You need to inc-ttl in forward table, because unaltered input packets are good with ttl1

Sorry but I do not really get what i should try.... Where and how should i do this? In /etc/config/firewall ?

You can add your rules via include files like in

/etc/nftables.d/*nft

is included right inside

table inet fw4 {
   # HERE
)

I just pointed you where unimplemented inc-ttl is to be found. It was never part of generated ruleset, just that with fw3 single include is more prominent.

Since maps dont work rule is:

chain .... {
 hook ....
# retrieve that from `fw4 print` or `nft list ruleset`
( maybe ... iif $wan_devices,$iot_devices ) fib daddr type multicast ip ttl 1 ip ttl set 2
}

Okay. It is still a little obscure to me how such a rule should look like in /etc/nftable.d/*.ntf
Could you give me a a sample?
my devices are from the subnets are:
br-IoT and br-home

…And what do you mean by:

You can create value map to imitate inc-ttl. You need to inc-ttl in forward table, because unaltered input packets are good with ttl1

Thanks! Best, Benjamin.

map .. typeof ip ttl : ip ttl can be defined but can not be used.

Error: payload statement for this expression is not supported
  ip ttl set ip ttl map @ttl-inc

/etc/nftables.d/whatever.nft

        chain mangle_prerouting {
                type filter hook prerouting priority mangle; policy accept;
                iifname { "br-IoT", "br-home"} fib daddr type multicast ip ttl 1 counter ip ttl set 2
      }

Restore traceroute and make it somewhat lighter.

        chain mangle_prerouting {
                type filter hook prerouting priority mangle; policy accept;
                meta nfproto ipv4 meta l4proto udp iifname { "br-IoT", "br-home"} fib daddr type multicast ip ttl 1 counter ip ttl set 2
      }

Thanks for the help! I put the rules and restarted the firewall (and the router to be sure).
How can i check if the new rules are working (i still cannot see the dlna device cross subnets...)

By the way…here is my smcroute.conf

root@OpenWrt:~# cat /etc/smcroute.conf
# Enable bridge interfaces for smcroute use
br-IoT enable # IoT Devices
br-home enable # Server (DMZ)

# Allowed routing for IPv4
mgroup from br-home source 192.168.xx.xx group 239.255.255.250
mroute from br-home source 192.168.xx.xx group 239.255.255.250 to br-IoT
mgroup from br-IoT group 239.255.255.250
mroute from br-IoT group 239.255.255.250 to br-home

And my firewall rules:

config zone 'IoT'
        option name 'IoT'
        option network 'IoT'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        list device 'br-IoT'

config forwarding 'IoT_wan'
        option src 'IoT'
        option dest 'wan'

config rule 'IoT_dns'
        option name 'Allow-DNS-IoT'
        option src 'IoT'
        option dest_port '53'
        option proto 'tcp udp'
        option target 'ACCEPT'

config rule 'IoT_dhcp'
        option name 'Allow-DHCP-IoT'
        option src 'IoT'
        option dest_port '67 68'
        option proto 'udp'
        option family 'ipv4'
        option target 'ACCEPT'

config forwarding
        option src 'IoT'
        option dest 'DMZ'

config forwarding
        option src 'DMZ'
        option dest 'IoT'

config rule
        option name 'allow_iot_dmz_ssdp'
        option dest_port '1900'
        option src 'IoT'
        option dest 'DMZ'
        option target 'ACCEPT'
        list proto 'udp'
        list dest_ip '239.255.255.250'

config rule
        option name 'allow_IoT_lan_ssdp'
        option dest_port '1900'
        option dest 'lan'
        option target 'ACCEPT'
        list proto 'udp'
        option src 'IoT'
        list dest_ip '239.255.255.250'

config rule
        option name 'allow_dmz_iot_ssdp'
        option dest_port '1900'
        option src 'DMZ'
        option dest 'IoT'
        option target 'ACCEPT'
        list proto 'udp'
        list dest_ip '239.255.255.250'

config rule
        option name 'allow_dmz_lan_ssdp'
        option dest_port '1900'
        option src 'DMZ'
        option dest 'lan'
        option target 'ACCEPT'
        list proto 'udp'
        list dest_ip '239.255.255.250'

config rule
        option name 'allow_iot_dmz_ssdp_1800'
        option dest_port '1800'
        option src 'IoT'
        option dest 'DMZ'
        option target 'ACCEPT'
        list proto 'udp'
        list dest_ip '239.255.255.250'

config rule
        option name 'allow_IoT_lan_ssdp_1800'
        option dest_port '1800'
        option dest 'lan'
        option target 'ACCEPT'
        list proto 'udp'
        option src 'IoT'
        list dest_ip '239.255.255.250'

config rule
        option name 'allow_dmz_iot_ssdp_1800'
        option dest_port '1800'
        option src 'DMZ'
        option dest 'IoT'
        option target 'ACCEPT'
        list proto 'udp'
        list dest_ip '239.255.255.250'

config rule
        option name 'allow_dmz_lan_ssdp_1800'
        option dest_port '1800'
        option src 'DMZ'
        option dest 'lan'
        option target 'ACCEPT'
        list proto 'udp'
        list dest_ip '239.255.255.250'

config rule
        option name 'allow_iot_srv_nas_dlna_http'
        option src 'IoT'
        option dest 'DMZ'
        list dest_ip '192.168.xx.xx'
        option target 'ACCEPT'
        list proto 'tcp'
        option dest_port 'MYPORT'

br-home is a seperated into vlans and the device for the DMZ where the server is and the subnet (DMZ) which should receive the ssdp packages from the dlna device, which is in the IoT subnet.Hopefully this makes sense...

does counter grow in "nft list ruleset`?

tcpdump -n -v -v -i <intetface where packets exit> port 1900

and try "ssdp discovery" from other subnet, packets must exit this interface.

root@OpenWrt:~# tcpdump -n -v -v -i br-IoT port 1900
tcpdump: listening on br-IoT, link-type EN10MB (Ethernet), snapshot length 262144 bytes
13:05:16.033442 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 318)
    192.168.xx.xx.46847 > 255.255.255.255.1900: [udp sum ok] UDP, length 290
13:05:16.145539 IP (tos 0x0, ttl 4, id 0, offset 0, flags [DF], proto UDP (17), length 365)
    192.168.xx.xx.44734 > 239.255.255.250.1900: [udp sum ok] UDP, length 337
13:05:16.275746 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 365)
    192.168.xx.xx.46847 > 255.255.255.255.1900: [udp sum ok] UDP, length 337
13:05:16.275787 IP (tos 0x0, ttl 4, id 0, offset 0, flags [DF], proto UDP (17), length 363)
    192.168.xx.xx.37685 > 239.255.255.250.1900: [udp sum ok] UDP, length 335
13:05:16.275837 IP (tos 0x0, ttl 4, id 0, offset 0, flags [DF], proto UDP (17), length 375)
    192.168.xx.xx.44322 > 239.255.255.250.1900: [udp sum ok] UDP, length 347
13:05:16.275879 IP (tos 0x0, ttl 4, id 0, offset 0, flags [DF], proto UDP (17), length 373)
    192.168.xx.xx.41055 > 239.255.255.250.1900: [udp sum ok] UDP, length 345
13:05:16.275924 IP (tos 0x0, ttl 4, id 0, offset 0, flags [DF], proto UDP (17), length 357)
    192.168.xx.xx.39478 > 239.255.255.250.1900: [udp sum ok] UDP, length 329
13:05:31.386137 IP (tos 0x0, ttl 4, id 0, offset 0, flags [DF], proto UDP (17), length 309)
    192.168.xx.xx.46632 > 239.255.255.250.1900: [udp sum ok] UDP, length 281
13:05:31.498549 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 309)
    192.168.xx.xx.42025 > 255.255.255.255.1900: [udp sum ok] UDP, length 281
13:05:31.630198 IP (tos 0x0, ttl 4, id 0, offset 0, flags [DF], proto UDP (17), length 318)
    192.168.xx.xx.46632 > 239.255.255.250.1900: [udp sum ok] UDP, length 290
13:05:31.716802 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 318)
    192.168.xx.xx.42025 > 255.255.255.255.1900: [udp sum ok] UDP, length 290

gssdp-discover does not find any dlna device...Thanks!

Besides: Do i need to take the vlans or the general device for the smcroute? I have multiple vlans on br-home (br-home.55, br-home.13, etc.)…

Yes, smcroute needs to forward between all vlans where multicast is used.
ie here packet exits but no return is generated.

Additionally - do not enable igmp snooping in switches.

And also tcpdump on random wired client and random wireless client IF the multicast packet arrives.

I translated ttl+1 rule, for the rest "i dont know" , as much as I set up multicast i did it with minimal interceptions in openwrt side - ie bridge, same subnet etc.
SSDP is http-in-udp , response will come from target IP directly, it is a tough work with tcpsump as the related responses in no way grip into conntrack states.

Just to narrow the issue a little bit down:
Am i right, that the problem lies within:

1. smcroute
2. ttl raising with fw4
3. or: firewall restrictions

As to 1 & 2 I have put logs and stuff here:

Does this seem alright?

How do we know?

Your tcpdump shows ttl 4 , so first 2 are out of scope, ie operating correctly.

So you think, that smcroute is correctly configured and also the ttl raising is working correctly?

…I can still not find the device from br-home.30 although i can ping it (with avahi-browse -a and gssdp-discover )

There is no chance multicast (subject to be allowed by fw rules) expires in the router before forwarding.

So you think it has to do with firewall rules, that i cannot see the dlna device from br-home.30?

I applied a huge expensive crystal ball to only information you provided - tcpdump output - and still no idea.

i guess we look into the same ball

Any hint where to start?