Is OpenWrt forwarding SSDP or mDNS to WAN?

Hello. I need help troubleshooting something is not working as expected and I don't fully understand why.

Me and my neighbor share the same internet connection (we split the bill before you ask!). But I wanted privacy in my network, so I bought a WDR3600 and installed OpenWrt. Then I installed the package "Travelmate" which basically manages all the connection to my "Wireless WAN" (my neighbor's wifi). The wifi connection to my neighbor is in the WAN zone. So I have basically a double NAT.

(for more information about Travelmate see here: Travelmate support thread)

Up to now, everything works beautifully. I have my own WiFi Network and I'm sure (or at least I was!) that my devices where invisible for my neighbor behind my router (I don't want him to accidentally stream to my devices like chromecast).

BUT something strange came up and I can't understand WHY. When I open my Google Home app (on a phone connected to my router), I see my devices and I also see my neighbor chromecast!

I know (haven't tried it yet tho) that I can block all outbound traffic to privates IP (RFC1918) with a firewall rule. That should make my neighbor devices invisible to me. But what is keeping me awake is WHY I CAN SEE HIS CHROMECAST. I searched for the discovery protocol of chromecast and apparently it uses SSDP. But AFAIK the SSDP (UDP Multicast) shouldn't have been forwared to WAN. So why my phone discovered the chromecast on the WAN side?

Please help me understand. Thanks!

You NAT/ firewall your network, but it's WAN is still part of your neighbour's network - which means while you have access to their devices (as they're upstream), they only get to see the WAN IP/ MAC of your router.

Wold not that kill your link to the main router? Your gateway IP and LAN of the main router, so it is a private IP.

No sure really. But I have not tested yet. My rule is from LAN to WAN. But routed traffic would go from my router to main router. This is the rule I have to test (don't pay attention to the 192.168.100.1) :

I tested the rule but on another router on another place. So I have yet to find if this rule works ok for this particular case.

In my head, it should work, because firewall rules do not apply to traffic between both routers. Just to packets before they get "masqueraded". Sorry if this is to vague. I'm not sure how to explain it better. I will test this an report back.

But the problem is that this does not explain why my Google Home app discovered a device on the WAN side.

Yes, I fully undestand that. But can you tell me how the chromecast on the WAN side got discovered?

Ok. Just for the sake of solving this mistery I have to correct myself. The protocol chromecast is using NOW is mDNS.

I can guess that they phone home and your Google Home app accesses that information. Any and all devices behind your outermost NAT would have the same public IPv4 address.

Another possibility is that they are using IPv6 with public addresses and all devices are on the same prefix.

Installing tcpdump-mini and monitoring the traffic on your WAN would be able to quickly confirm if SSDP or mDNS traffic is "escaping" upstream. They should only be using link-local broadcast addresses (which tcpdump would also be able to confirm).

I will try tcpdump-mini. I'll report back with the results.

About the theory about "same public IP, same network for google" I thought about it and I THINK that it couldn't work like that, because lots of ISP give private IPs to clients, so they are effectively doing double NAT. If Google used that way of device discovery, all the chromecasts of all the clients of the same ISP (that gives privates ISPs) would appear on every Google Home app on that ISP network.

So, I still lean towards a discovery protocol that could be leaking outside to the WAN side. But I will try tcpdump-mini to understand better the problem.

Thanks for all your thoughts

Ok so. I had success but I have not solved the mistery. I used the firewall rule mentioned earlier and it effectively blocked all communication with my neighbor's devices and his chromecast does not appear anymore in my google home app. Internet connectivity still works perfectly.

I will try later tcpdump to investigate how this happened.

This makes me think, shouldn't OpenWrt by default drop all outgoing RFC1918 communications? I think that would be OK for most use cases. If anyone needs to talk to WAN devices using RFC1918 they could always disable the firewall rule.

That only makes sense as a border router.

All of my OpenWrt devices are interior and all deal with private addresses as valid destinations on their interfaces.

ISPs also have, or should have “ingress filtering” in place.

You are right Jeff!