mDNS not working between VLANs

Hi everybody,
What I want is to separate my IoT and guest devices from my LAN.
That was the easy part, but the thing is that I still want to use my Chromecasts etc.
But no matter what I tried, it doesn't work.
I installed Avahi according to a manual I found on the internet.
I edited the Avahi file:

[server]
#host-name=foo
#domain-name=local
use-ipv4=yes
use-ipv6=yes
check-response-ttl=no
use-iff-running=no
allow-interfaces=br-lan,eth1.3,eth1.2

[publish]
publish-addresses=yes
publish-hinfo=yes
publish-workstation=no
publish-domain=yes
publish-dns-servers=192.168.2.4
#publish-resolv-conf-dns-servers=yes

[reflector]
enable-reflector=yes
reflect-ipv=no

[rlimits]
#rlimit-as=
rlimit-core=0
rlimit-data=4194304
rlimit-fsize=0
rlimit-nofile=30
rlimit-stack=4194304
rlimit-nproc=3

I added 2 rules to my firewall (I posted all of my firewall rules just in case).

config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'
	option masq6 '1'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option proto 'esp'
	option target 'ACCEPT'
	option dest 'LOCAL'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'
	option dest 'LOCAL'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'LAN'
	list network 'VLAN2'
	list network 'WG0'
	option name 'LOCAL'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'VLAN3'
	option name 'IOTgast'

config rule
	option name 'Allow-IOT-mDNS'
	option family 'ipv4'
	list proto 'udp'
	option src 'IOTgast'
	option src_port '5353'
	list dest_ip '224.0.0.251'
	option dest_port '5353'
	option target 'ACCEPT'

config rule
	option name 'Allow-IOT-mDNS6'
	option family 'ipv6'
	list proto 'udp'
	option src 'IOTgast'
	option src_port '5353'
	list dest_ip 'ff02::fb'
	option dest_port '5353'
	option target 'ACCEPT'

config forwarding
	option dest 'wan'
	option src 'LOCAL'

config forwarding
	option dest 'wan'
	option src 'IOTgast'

config forwarding
	option src 'LOCAL'
	option dest 'IOTgast'

config rule
	option name 'Allow-WireGuard'
	list proto 'udp'
	option src 'wan'
	option dest_port '51820'
	option target 'ACCEPT'

I hope there is someone who can help me solve my problem.

@trendy, maybe if you have the time you could take a look at what I am doing wrong?
Or maybe there is another method to reflect mDNS to multiple interfaces?

One thing to consider is whether the multicast TTL is causing you an issue. It might be that avahi gets around that problem, but for normal multicast you have to adjust the TTL to route it through the firewall.

avahi-utils has some tools that may be of use to understand what's going on.

Also, it might be worth checking this out if you don't get anywhere with avahi.

I installed smcroute.

I added these lines to the bottom of smcroute.conf (using the interface names of my system).

mgroup from LAN group 239.255.255.250
mgroup from VLAN2 group 239.255.255.250
mgroup from VLAN3 group 239.255.255.250
mroute from VLAN3 group 239.255.255.250 to LAN
mroute from VLAN3 group 239.255.255.250 to VLAN2
mroute from LAN group 239.255.255.250 to VLAN3
mroute from VLAN2 group 239.255.255.250 to VLAN3

Then I edited the firewall rules to match my system. But where can you add these firewall rules?
I know I can edit my firewall rules in the config file.

iptables -t mangle -A PREROUTING -i LAN -d 239.255.255.250 -j TTL --ttl-inc 1
iptables -t mangle -A PREROUTING -i VLAN2 -d 239.255.255.250 -j TTL --ttl-inc 1
iptables -t mangle -A PREROUTING -i VLAN3 -d 239.255.255.250 -j TTL --ttl-inc 1
iptables -t mangle -A PREROUTING -i LAN -d 224.0.0.0/4 -j TTL --ttl-inc 1
iptables -t mangle -A PREROUTING -i VLAN2 -d 224.0.0.0/4 -j TTL --ttl-inc 1
iptables -t mangle -A PREROUTING -i VLAN3 -d 224.0.0.0/4 -j TTL --ttl-inc 1

Those addresses you have specified for smcroute are all SSDP addresses. I'm pretty sure you won't get mDNS working via smcroute, as it won't forward the mDNS address; happy to be proved wrong.

With regards to the iptables rules, are you using FW3 or FW4?

Okay, what I want is that my devices and guests can be on one VLAN and trusted users on another.
That is something I accomplished with OpenWrt. But the problem now is that with all of my devices on the other VLAN I can't give them commands to stream etc.
(The devices used here are Google devices, a Samsung TV and a Ziggo receiver.)
What I have read is that the problem is caused by the separation between LANs: multicast traffic is not passed through from one (V)LAN to the other (V)LAN. I have tried avahi with the right settings according to Google. I have enable-reflector set to yes, added a firewall rule (see first post) and optionally specified which interfaces are allowed to relay traffic. But that does not work in my case.
I am not an experienced user, so I am happy with all the help there is.

I do not know if smcroute is the way to go, but if it accomplishes what I need :smile:
Whether I am using FW3 or FW4 I do not know; the R4S is running OpenWrt 22.03.2.

I don't know the details of the devices you are using, but you need to determine which protocol and multicast addresses they are using in the first instance. You can possibly simplify this by allowing all forwarding from your trusted LAN to your IoT LAN and then just adding specific traffic rules from IoT to the trusted LAN (which in all probability will just be multicast traffic). I have done something similar for SSDP, so the following may help, but it is specific to my environment and will need some tweaking.

Let's assume that the Samsung TV is using SSDP to advertise its services. You will need 3 things in place:

  • smcroute running with an appropriate config file
  • firewall traffic rules to allow the necessary traffic between the zones
  • a firewall.user file in place to deal with the TTL issue with SSDP multicasts

Here's an extract from my 'smcroute.conf' file that shows the layout for SSDP between two of my networks (br-home.10 and br-home.20). This tells smcroute to pass the SSDP multicast in both directions between the two networks and includes one specific address and one specific subnet.

phyint br-home.10 enable ttl-threshold 1
phyint br-home.20 enable ttl-threshold 1

mgroup from br-home.20 group 239.255.255.250
mgroup from br-home.10 group 239.255.255.250

mroute from br-home.20 source 192.168.2.40 group 239.255.255.250 to br-home.10
mroute from br-home.10 source 192.168.1.0/24 group 239.255.255.250 to br-home.20

include /etc/smcroute.d/*.conf

Here is an example firewall traffic rule that allows SSDP multicasts to flow from the untrusted network to the trusted network. SSDP typically uses udp/1900.

config rule
        option family 'ipv4'
        list proto 'udp'
        option src 'HIFI'
        list src_ip '192.168.2.40'
        option dest 'HOME'
        list dest_ip '239.255.255.250'
        option dest_port '1900'
        option target 'ACCEPT'
        option name 'SSDP Multicast'

Based on the release you are using, you will be using FW4, which uses nftables and not iptables. I found the easiest way to address the TTL issue with FW4 was to do the following.

Add this to the '/etc/config/firewall' file:

config include
        option path '/etc/firewall.user'
        option fw4_compatible '1'

Create the '/etc/firewall.user' file and add these commands, which basically increase the TTL to 34 for any traffic to the SSDP multicast address.

nft add rule inet fw4 prerouting iifname "br-home.10" ip daddr 239.255.255.250 ip ttl set 34
nft add rule inet fw4 prerouting iifname "br-home.20" ip daddr 239.255.255.250 ip ttl set 34

You might want to try this type of approach for one of the devices and see if you can get it to work (maybe the Samsung, if it does use SSDP).

mDNS won't work through smcroute. I don't use mDNS between networks, but I would have thought avahi should work; not sure why it doesn't for you.
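Two kernel facts underlie the reply above and are worth making concrete. First, Linux never hands packets addressed to 224.0.0.0/24 (link-local scope, where mDNS's 224.0.0.251 lives) to its multicast routing code, so no `mroute` can carry mDNS and a reflector such as avahi is the only option. Second, a routable group such as 239.255.255.250 is only forwarded out of an interface when the packet's TTL exceeds that interface's `ttl-threshold`, and the forwarded copy is decremented by one, which is why SSDP sent with a small TTL needs the `ip ttl set 34` rule in prerouting. The following added Python example (my own code, not the poster's and not part of smcroute or fw4) parses a constructed IPv4/UDP packet, applies those two rules with the reply's `ttl-threshold 1`, reports the verdict, and shows what the nft TTL rewrite changes. The sample packets, and 192.168.3.20 as an IoT-VLAN host, are constructed for the example, not captures.

```python
#!/usr/bin/env python3
"""Multicast forwarding verdict for an IPv4/UDP packet, following the Linux
multicast-routing rules that smcroute relies on.  Sample packets are constructed,
not captured; 192.168.3.20 stands for an IoT-VLAN host and is an assumption."""
import ipaddress
import socket
import struct

LINK_LOCAL = ipaddress.ip_network("224.0.0.0/24")    # never passed to the multicast router
MULTICAST = ipaddress.ip_network("224.0.0.0/4")
PORT_NAMES = {5353: "mDNS", 1900: "SSDP"}

def ip_checksum(hdr):
    """RFC 791 ones'-complement sum over the IP header (checksum field zeroed by caller)."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4_udp(src, dst, ttl, sport, dport, payload=b""):
    """Minimal IPv4+UDP packet builder for the samples (UDP checksum left at 0, which is legal)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, ttl, 17, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + udp

def parse_ipv4_udp(pkt):
    """Pull src, dst, ttl, ports and payload out of an IPv4/UDP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 17:
        raise ValueError("not UDP")
    sport, dport, ulen, _ = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "ttl": pkt[8], "sport": sport, "dport": dport, "payload": pkt[ihl + 8:ihl + ulen]}

def rewrite_ttl(pkt, new_ttl):
    """What an 'ip ttl set N' rule in prerouting does: new TTL, header checksum recomputed."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[8], hdr[10:12] = new_ttl, b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]

def mroute_verdict(pkt, ttl_threshold=1):
    """Would 'mroute ... to <iface>' with 'phyint <iface> enable ttl-threshold T' forward this
    packet?  Returns (forwarded, reason, ttl_on_the_wire_afterwards)."""
    p = parse_ipv4_udp(pkt)
    dst, ttl = ipaddress.ip_address(p["dst"]), p["ttl"]
    proto = PORT_NAMES.get(p["dport"], f'udp/{p["dport"]}')
    what = f"{proto} {p['src']} -> {dst}"
    if dst not in MULTICAST:
        return False, f"{what}: unicast, ordinary zone forwarding rules apply", ttl
    if dst in LINK_LOCAL:
        return False, f"{what}: link-local scope (224.0.0.0/24), never routed; reflect it (avahi) instead", ttl
    if ttl <= ttl_threshold:
        return False, f"{what}: TTL {ttl} <= threshold {ttl_threshold}, dropped; raise it with 'ip ttl set' in prerouting", ttl
    return True, f"{what}: forwarded, TTL {ttl} -> {ttl - 1}", ttl - 1

SAMPLES = {   # constructed packets, not captures
    "ssdp_notify_ttl1": build_ipv4_udp("192.168.3.20", "239.255.255.250", 1, 1900, 1900, b"NOTIFY * HTTP/1.1"),
    "mdns_response": build_ipv4_udp("192.168.3.20", "224.0.0.251", 255, 5353, 5353, b"\x00" * 12),
    "unicast_dns_query": build_ipv4_udp("192.168.2.5", "192.168.2.4", 64, 40000, 53, b"\x00" * 12),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:18} {mroute_verdict(pkt)[1]}")
    fixed = rewrite_ttl(SAMPLES["ssdp_notify_ttl1"], 34)       # the reply's nft rule applied
    print(f"{'ssdp after ttl 34':18} {mroute_verdict(fixed)[1]}")
```

The verdict function is deliberately conservative: it only models destination scope and the TTL threshold, which are the two things the thread trips over, and says nothing about the `mgroup` and firewall pieces that also have to be present. To confirm the TTL rewrite is really happening on a box, compare `tcpdump -vni <iot-interface> host 239.255.255.250` (TTL as sent by the device) with the same capture on the trusted-side interface (TTL after forwarding, which should be one less than the value set by the rule).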
