Multicast / DLNA over subnets

I've been looking into this for days, visiting so many pages. But I can't figure it out. I'm not entirely new to many things: I know my way around SSH and WinSCP, though I do prefer a GUI if available. I have followed (and understood) some step-by-step instructions on firewalls. But the workings of VLANs, iptables, etc. are new to me. So now and then I feel like I'm just copy-pasting code, not understanding what it does. I'm at the point where I realise this subject is too complicated to solve with trial and error when following some internet posts. So, having said that:

I have a few subnets / vlans (created using this page). Relevant are:
br-lan with our phones, laptops
br-IoT with smart plugs, smart TV, Google Nests, printer

My goal: I want to be able to use the devices on br-IoT from br-lan. So I can print and cast etc. But without all the smart devices being able to snoop around in my LAN.

At first, I thought just allowing lan to forward to IoT (as well as WAN) would do the trick. How naive I was :blush:
My main problems:

  • Sources are scattered. I haven't been able to find step-by-step instructions on how to get this working.
  • Pages I do find are not specific enough for my knowledge. If somebody says "just add this-and-that to iptables and it worked" it will take me hours to find out how to do that. If I install smcroute should I enable and start it? If so, how? etc.

So I have spent the past hour trying to find out how to add iptables rules as mentioned in this post, but haven't been able to figure it out. But then I read here that since OpenWrt 23.05 you shouldn't (or can't?) use iptables anymore.

Some things I have done:

  • installed avahi (initially nodbus, removed that and tried dbus after) as mentioned here and here
  • installed smcroute (to add the mgroup lines mentioned here)

I thought/hoped that putting IoT stuff on their own vlan without hindering how they work would have been quite common and neatly documented these days, just like creating guest wifi.

Anyhow: Any pointers are more than welcome!

Running OpenWrt 23.05

PS: My apologies if I sound too frustrated!


Here is some good info

https://iyzana.site/discovery/


That sure helped a lot... But not enough I'm afraid :frowning:

[Update: After checking everything below I noticed starting or reloading avahi wasn't mentioned on the page. After doing that it worked! I decided not to remove it though, it might help me/somebody in the future]

I'll explain what I did/share my configuration:

I have [Network, Interfaces] lan and IoT
and [Network, Devices]: br-iot and br-lan

Following the page you mentioned https://iyzana.site/discovery/ I have

Configured firewall:


(for the moment I also accepted input/output/forward from IoT to wan)

Configured avahi-daemon
Note: I couldn't find avahi-daemon in [System, Software], so I installed avahi-dbus-daemon

/etc/avahi/avahi-daemon.conf:

[server]
#host-name=foo
#domain-name=local
use-ipv4=yes
use-ipv6=yes
check-response-ttl=no
use-iff-running=no
allow-interfaces=br-lan,br-iot

[publish]
publish-addresses=yes
publish-hinfo=yes
publish-workstation=no
publish-domain=yes
#publish-dns-servers=192.168.1.1
#publish-resolv-conf-dns-servers=yes

[reflector]
enable-reflector=yes
reflect-ipv=no

[rlimits]
#rlimit-as=
rlimit-core=0
rlimit-data=4194304
rlimit-fsize=0
rlimit-nofile=30
rlimit-stack=4194304
rlimit-nproc=3

Allowed iot-mDNS in firewall (from any zone for the moment):

Installed and configured smcroute
Added to /etc/smcroute.conf:

mgroup from br-lan group 239.255.255.250
mroute from br-lan group 239.255.255.250 to br-iot

Created and edited /etc/config/firewall.user
(also including the edits needed for "Allowing replies" and "UDP Broadcast")

# increase multicast ttl
nft add rule inet fw4 prerouting \
  iifname "br-lan" ip daddr 239.255.255.250 udp dport 1900 \
  ip ttl set 2

#Allowing replies
nft add set inet fw4 ssdp \{ \
  type ipv4_addr . inet_proto . inet_service\; \
  timeout 3s\; \
\}

nft insert rule inet fw4 forward \
  oifname "br-iot" ip daddr 239.255.255.250 udp dport 1900 \
  add @ssdp \{ ip saddr . ip protocol . udp sport \}

# accept forwarded packets if their destination ip and
# destination port are in the ssdp set

nft insert rule inet fw4 forward \
  iifname "br-iot" ip daddr . ip protocol . udp dport @ssdp \
  accept

# for UDP Broadcasts

nft add set inet fw4 udp_broadcast \{ \
  type ipv4_addr . inet_proto . inet_service\; \
  timeout 3s\; \
\}

nft insert rule inet fw4 \
  output oifname "br-iot" \
  ip daddr "192.168.3.255" ip protocol udp \
  add @udp_broadcast \{ ip saddr . ip protocol . udp sport \}

nft insert rule inet fw4 forward \
  iifname "br-iot" \
  ip daddr . ip protocol . udp dport @udp_broadcast \
  accept

Edited /etc/config/firewall
Added this to the top of the file:

config include 'user'
	option type 'script'
	option path '/etc/config/firewall.user'
	option fw4_compatible '1'

Reloaded stuff:
/etc/init.d/smcroute reload
/etc/init.d/firewall reload

My testing procedure:
Log in with my phone to my wifi-iot. Open the SoundCloud app, hit Cast.
This shows several smart devices (Google Nests, smart TV, some audio groups I have created).
When I log in to wifi-lan and do the same, nothing shows up.
When I switch back again, everything pops up within a second.

Since it didn't work I thought I might also need UDP Broadcasts. But I'm not certain!

Installed and configured udp-broadcast-relay-redux
Here I got a bit confused. On https://iyzana.site/discovery/ it said:

This is a configuration example for the LIFX protocol on port:

config udp_broadcast_relay_redux
       option id 1
       option port 56700
       list network lan
       list network guest

But on https://github.com/udp-redux/udp-broadcast-relay-redux#example there was nothing on things like list network. Instead dev did seem to be an argument.
One of the examples is mDNS / Multicast DNS (Chromecast Discovery + Bonjour + More)
But I wasn't sure if/how I could use the (entire) code given in the config file
./udp-broadcast-relay-redux --id 1 --port 5353 --dev eth0 --dev eth1 --multicast 224.0.0.251 -s 1.1.1.1

Should the multicast argument be included? And if so, that same IP or the one used in smcroute, 239.255.255.250? And is the -s 1.1.1.1 necessary?
With some trial and error (running /etc/init.d/udp-broadcast-relay-redux reload returned Validation failed most of the time), I eventually tried this config:

config udp_broadcast_relay_redux
       option id 1
       option port 5353
       list network iot
       list network lan
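An added example (not code from this thread, from OpenWrt/fw4, or from the iyzana page) that models the "Allowing replies" part of the firewall.user script above: the forward rule towards br-iot records (saddr . proto . sport) of every outgoing M-SEARCH in the dynamic set @ssdp with a 3 s timeout, and the rule from br-iot accepts only packets whose (daddr . proto . dport) hit that set, so the unicast SSDP answer gets back while everything else from the IoT zone stays blocked. It also shows why the "ip ttl set 2" rule matters. Addresses, ports, timings and the verdict strings are constructed for the example.

```python
"""Replay of the @ssdp reply-tracking logic on constructed packets (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

SSDP_GROUP = "239.255.255.250"
SSDP_PORT = 1900
SET_TIMEOUT = 3.0            # "timeout 3s" on the @ssdp set
LAN, IOT = "br-lan", "br-iot"

# Verdict strings used by the model (constructed, not fw4 output)
V_FORWARD = "forward lan->iot (M-SEARCH recorded in @ssdp)"
V_TTL_DROP = "drop (TTL expired before reaching br-iot)"
V_ACCEPT = "accept (reply matched @ssdp)"
V_REJECT = "reject (iot->lan not allowed by zone policy)"
V_OTHER = "forward lan->iot (zone forwarding)"


@dataclass
class Packet:
    iif: str        # ingress bridge
    saddr: str
    daddr: str
    proto: str
    sport: int
    dport: int
    ttl: int = 1    # many SSDP clients send M-SEARCH with TTL 1


class SsdpReplyTracker:
    """Minimal model of the @ssdp dynamic set plus the three nft rules."""

    def __init__(self, ttl_fixup: bool = True):
        self.ttl_fixup = ttl_fixup
        # set element (saddr, proto, sport) -> absolute expiry time
        self.ssdp: Dict[Tuple[str, str, int], float] = {}

    def _gc(self, now: float) -> None:
        # nftables drops timed-out elements; do the same before each lookup
        self.ssdp = {k: exp for k, exp in self.ssdp.items() if exp > now}

    def handle(self, pkt: Packet, now: float) -> str:
        self._gc(now)
        is_msearch = (pkt.daddr == SSDP_GROUP and pkt.proto == "udp"
                      and pkt.dport == SSDP_PORT)

        if pkt.iif == LAN and is_msearch:
            # prerouting rule: "ip ttl set 2" so the packet survives one routing hop
            ttl = 2 if self.ttl_fixup else pkt.ttl
            if ttl - 1 < 1:          # smcroute decrements TTL when it routes the packet
                return V_TTL_DROP
            # forward oifname br-iot ... add @ssdp { ip saddr . ip protocol . udp sport }
            self.ssdp[(pkt.saddr, pkt.proto, pkt.sport)] = now + SET_TIMEOUT
            return V_FORWARD

        if pkt.iif == IOT:
            # forward iifname br-iot ip daddr . ip protocol . udp dport @ssdp accept
            if (pkt.daddr, pkt.proto, pkt.dport) in self.ssdp:
                return V_ACCEPT
            # anything else from the IoT zone falls through to the zone policy,
            # which in this setup does not forward iot -> lan
            return V_REJECT

        return V_OTHER


def replay(events: List[Tuple[float, Packet]], ttl_fixup: bool = True) -> List[str]:
    """Run a time-ordered list of (seconds, packet) through the model."""
    fw = SsdpReplyTracker(ttl_fixup)
    return [fw.handle(pkt, t) for t, pkt in events]


# Constructed traffic: a phone on br-lan searches, a TV on br-iot answers.
CLIENT, TV = "192.168.1.20", "192.168.3.50"
EVENTS = [
    (0.0, Packet(LAN, CLIENT, SSDP_GROUP, "udp", 49152, SSDP_PORT)),  # M-SEARCH
    (1.0, Packet(IOT, TV, CLIENT, "udp", SSDP_PORT, 49152)),           # unicast reply
    (1.5, Packet(IOT, TV, CLIENT, "udp", 40000, 22)),                  # TV probing the phone
    (4.0, Packet(IOT, TV, CLIENT, "udp", SSDP_PORT, 49152)),           # reply after timeout
]

if __name__ == "__main__":
    for (t, pkt), verdict in zip(EVENTS, replay(EVENTS)):
        print(f"t={t:>4}s {pkt.iif:>6} {pkt.saddr}:{pkt.sport} -> {pkt.daddr}:{pkt.dport}  {verdict}")
    print("without ttl fixup:", replay(EVENTS, ttl_fixup=False)[0])
```

The late reply at 4 s is rejected because the set element expired at 3 s; the 3 s timeout therefore has to cover the MX delay the client asks responders to spread their answers over, or slow devices will never show up. The probe to port 22 is rejected even while the element is live, which is the point of keying the set on the client's source port rather than just its address.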

On my system udp_broadcast_relay_redux is not started correctly by init.
I have to start it manually via an rc.local entry

/usr/sbin/udp-broadcast-relay-redux -f --id 1 --port 65001 --dev br-lan.1 --dev br-lan.3

In my case port 65001 is for my hdhomerun device
