What i want is to separate my IOT and guest devices from my LAN.
That was the easy part but the thing is that i want to still use my chromecasts etc.
But no matter what is tried i doesn't work.
I installed AVAHI acording to a manual i found on the internet.
I edited the AVAHI file:
One thing to consider is whether the multicast TTL is causing you an issue, it might be that avahi gets around that problem but for normal multicast you have to adjust the TTL to route it through the firewall.
avahi-utils has some tools that may be of use to understand what's going on
also might be worth checking this out if you dont get anywhere with avahi.....
added these lines to the bottom smcroute.conf ( Used the interface names of my system.)
mgroup from LAN group 184.108.40.206
mgroup from VLAN2 group 220.127.116.11
mgroup from VLAN3 group 18.104.22.168
mroute from VLAN3 group 22.214.171.124 to LAN
mroute from VLAN3 group 126.96.36.199 to VLAN2
mroute from LAN group 188.8.131.52 to VLAN3
mroute from VLAN2 group 184.108.40.206 to VLAN3
Then i edited the firewall rules to match my system. But where can you add these firewall rules ?
I know i can edit my firewall rules in the config file.
iptables -t mangle -A PREROUTING -i LAN -d 220.127.116.11 -j TTL --ttl-inc 1
iptables -t mangle -A PREROUTING -i VLAN2 -d 18.104.22.168 -j TTL --ttl-inc 1
iptables -t mangle -A PREROUTING -i VLAN3 -d 22.214.171.124 -j TTL --ttl-inc 1
iptables -t mangle -A PREROUTING -i LAN -d 126.96.36.199/4 -j TTL --ttl-inc 1
iptables -t mangle -A PREROUTING -i VLAN2 -d 188.8.131.52/4 -j TTL --ttl-inc 1
iptables -t mangle -A PREROUTING -i VLAN3 -d 184.108.40.206/4 -j TTL --ttl-inc 1
Okay what i want is that my devices and quests can be on one VLAN and trusted users to be on another.
That is something that i accomplished with openwrt. But the problem is now that i have all off my devices on the other VLAN i can't give them commands to stream etc.
(devices used here are google devices,samsung tv and a ziggo receiver)
What i have read that the problem is because of the separation between lan multicast traffic is not passed through from one (V)LAN to the other (V)LAN. I have tried avahi with the right settings acoording to google. I have enable-reflector set to yes and add a firewall rule (see first post) and optionally specify witch interface are allowed to relay traffic. But that does not work in my case.
I am not an experienced user so i am happy with all the help there is.
I do not know if smcroute is the way to go but if it accomplishes what i need
If i am using FW3 or FW4 i do not know the R4S is running openwrt 22.03.2
I don't know the details of the devices you are using but you need to determine which protocol and multicast addresses they are using in the first instance. You can possibly simplify this by allowing all forwarding from your trusted LAN to your IOT LAN then just add specific traffic rules from IOT to the trusted LAN (which in all probability will just be multicast traffic). I have done something similar for SSDP so the following may help but is specific to my environment so will need some tweaking
Let's assume that the samsung tv is using SSDP to advertise it's services. You will need 3 things in place....
smcroute running with an appropriate config file
firewall traffic rules to allow the necessary traffic between the zones
firewall.user file in place to deal with TTL issue with SSDP multicasts
Here's an extract from my 'smcroute.conf' file that shows the layout for SSDP between two of my networks (br-home10 and br-home.20). This tells smcroute to pass the SSDP multicast in both directions between the two networks and includes one specific address and one specific subnet
phyint br-home.10 enable ttl-threshold 1
phyint br-home.20 enable ttl-threshold 1
mgroup from br-home.20 group 220.127.116.11
mgroup from br-home.10 group 18.104.22.168
mroute from br-home.20 source 192.168.2.40 group 22.214.171.124 to br-home.10
mroute from br-home.10 source 192.168.1.0/24 group 126.96.36.199 to br-home.20
Here is an example firewall traffic rule that allows SSDP multicasts to flow from the untrusted network to the trusted network. SSDP typically uses udp/1900
option family 'ipv4'
list proto 'udp'
option src 'HIFI'
list src_ip '192.168.2.40'
option dest 'HOME'
list dest_ip '188.8.131.52'
option dest_port '1900'
option target 'ACCEPT'
option name 'SSDP Multicast'
Based on the release you are using then you will be using FW4 which uses nftables and not iptables. I found the easiest way to address the TTL issue with FW4 was to do the following
Add this to the '/etc/config/firewall' file
option path '/etc/firewall.user'
option fw4_compatible '1'
Create '/etc/firewall.user' file and add these commands which basically increases the ttl to 34 for any traffic with the SSDP multicast address.
nft add rule inet fw4 prerouting iifname "br-home.10" ip daddr 184.108.40.206 ip ttl set 34
nft add rule inet fw4 prerouting iifname "br-home.20" ip daddr 220.127.116.11 ip ttl set 34
You might want to try this type of approach for one of the devices and see if you can get it to work (maybe the samsung if it does use SSDP)
mDNS won't work through smcroute, I don't use mDNS between networks but I would have thought avahi should work but not sure why it doesn't for you