Multicast DLNA

Hello,

I know there are some topics about multicast and DLNA but it doesn't work for me.

My smcroute.conf :


mgroup from DMZ group 239.255.255.250
mgroup from HOME group 239.255.255.250
mroute from DMZ group 239.255.255.250 to HOME
mroute from HOME group 239.255.255.250 to DMZ

My firewall.user :

iptables -t mangle -A PREROUTING -i HOME -d 224.0.0.0/4 -j TTL --ttl-inc 1
iptables -t mangle -A PREROUTING -i DMZ -d 224.0.0.0/4 -j TTL --ttl-inc 1
iptables -t mangle -A PREROUTING -i HOME -d 239.255.255.250 -j TTL --ttl-inc 1
iptables -t mangle -A PREROUTING -i DMZ -d 239.255.255.250 -j TTL --ttl-inc 1

My smcroutectl show routes :


(*,G) Template Rules
ROUTE (S,G)                                IIF   OIFS
(*, 239.255.255.250)                       DMZ   HOME
(*, 239.255.255.250)                       HOME  DMZ

Kernel MFC Table
ROUTE (S,G)                                IIF   OIFS
(10.0.0.3, 239.255.255.250)                DMZ   HOME
(10.0.1.1, 239.255.255.250)                HOME  DMZ
(10.0.1.251, 239.255.255.250)              HOME  DMZ
(10.0.1.252, 239.255.255.250)              HOME  DMZ
(10.0.0.2, 239.255.255.250)                DMZ   HOME
(10.0.1.11, 239.255.255.250)               HOME  DMZ


But I can't see my DLNA devices.

Does anyone have an idea?

How have you set your firewall traffic rules?

Also what version of OpenWrt are you running?


Thanks for your reply, my version: OpenWrt 22.03.1 r19777-2853b6d652 /

I have set my firewall to accept all to my DMZ and my HOME interface for tests.

I have found a problem :

root@OpenWrt:~# smcrouted -n
smcroute[12386]: SMCRoute v2.5.5
smcroute[12386]: IPv4 multicast routing API already in use: Address in use
smcroute[12386]: /etc/smcroute.conf line 69: mroute: inbound DMZ is not a known phyint
smcroute[12386]: /etc/smcroute.conf line 70: mroute: inbound HOME is not a known phyint
smcroute[12386]: Parse error in /etc/smcroute.conf
smcroute[12386]: Ready, waiting for client request or kernel event.

My ifconfig :

root@OpenWrt:~# ifconfig
DMZ       Link encap:Ethernet  HWaddr D8:EC:5E:44:01:4B
          inet addr:10.0.0.254  Bcast:10.0.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1231408 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12422916 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:281851752 (268.7 MiB)  TX bytes:7765542373 (7.2 GiB)

HOME      Link encap:Ethernet  HWaddr D8:EC:5E:44:01:4B
          inet addr:10.0.1.254  Bcast:10.0.1.255  Mask:255.255.255.0
          inet6 addr: fe80::daec:5eff:fe44:14b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:6159651 errors:0 dropped:63041 overruns:0 frame:0
          TX packets:15640950 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:922525087 (879.7 MiB)  TX bytes:31334937990 (29.1 GiB)

eth0      Link encap:Ethernet  HWaddr D8:EC:5E:44:01:4B
          UP BROADCAST RUNNING MULTICAST  MTU:1504  Metric:1
          RX packets:29164334 errors:14 dropped:0 overruns:0 frame:0
          TX packets:29491710 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:32916089793 (30.6 GiB)  TX bytes:24126426293 (22.4 GiB)
          Interrupt:37

lan1      Link encap:Ethernet  HWaddr D8:EC:5E:44:01:4B
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1345626 errors:0 dropped:0 overruns:0 frame:0
          TX packets:12421917 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:286566276 (273.2 MiB)  TX bytes:7765493779 (7.2 GiB)

lan2      Link encap:Ethernet  HWaddr D8:EC:5E:44:01:4B
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lan3      Link encap:Ethernet  HWaddr D8:EC:5E:44:01:4B
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:5346351 errors:0 dropped:27 overruns:0 frame:0
          TX packets:10371537 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:747847105 (713.2 MiB)  TX bytes:15082031802 (14.0 GiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:18676 errors:0 dropped:0 overruns:0 frame:0
          TX packets:18676 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4407111 (4.2 MiB)  TX bytes:4407111 (4.2 MiB)

wan       Link encap:Ethernet  HWaddr D8:EC:5E:44:01:4A
          inet addr:82.66.85.105  Bcast:82.66.85.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:22472357 errors:0 dropped:0 overruns:0 frame:0
          TX packets:6162621 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:31356718400 (29.2 GiB)  TX bytes:1008701265 (961.9 MiB)

wlan0     Link encap:Ethernet  HWaddr D8:EC:5E:44:01:4C
          inet addr:10.0.2.254  Bcast:10.0.2.255  Mask:255.255.255.0
          inet6 addr: fe80::daec:5eff:fe44:14c/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:12234061 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1018185 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:7591995890 (7.0 GiB)  TX bytes:138371255 (131.9 MiB)

wlan0-1   Link encap:Ethernet  HWaddr DA:EC:5E:44:01:4C
          inet addr:10.0.5.254  Bcast:10.0.5.255  Mask:255.255.255.240
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:21513 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:5262651 (5.0 MiB)

wlan0-2   Link encap:Ethernet  HWaddr DE:EC:5E:44:01:4C
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1738 errors:0 dropped:0 overruns:0 frame:0
          TX packets:39755 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:803921 (785.0 KiB)  TX bytes:10437224 (9.9 MiB)

wlan1     Link encap:Ethernet  HWaddr D8:EC:5E:44:01:4D
          inet6 addr: fe80::daec:5eff:fe44:14d/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:859768 errors:0 dropped:0 overruns:0 frame:0
          TX packets:11686879 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:189181764 (180.4 MiB)  TX bytes:16684671916 (15.5 GiB)

My smcroute.conf :

phyint HOME enable
phyint DMZ enable


mgroup from DMZ group 239.255.255.250
mgroup from HOME group 239.255.255.250
mroute from DMZ group 239.255.255.250 to HOME
mroute from HOME group 239.255.255.250 to DMZ

Is it working now?

No,

When I stop smcroute service I have :

root@OpenWrt:~# smcrouted -n
smcroute[16793]: SMCRoute v2.5.5
smcroute[16793]: Ready, waiting for client request or kernel event.

And when I start it :

root@OpenWrt:~# smcrouted -n
smcroute[16893]: SMCRoute v2.5.5
smcroute[16893]: IPv4 multicast routing API already in use: Address in use
smcroute[16893]: /etc/smcroute.conf line 69: mroute: inbound DMZ is not a known phyint
smcroute[16893]: /etc/smcroute.conf line 70: mroute: inbound HOME is not a known phyint
smcroute[16893]: Parse error in /etc/smcroute.conf
smcroute[16893]: Ready, waiting for client request or kernel event.

And I can't see my Synology DLNA server

It's strange that the error is pointing to line 69 when you only have approx 6 lines in your smcroute.conf.

Worth double checking you haven't got some previous text in the file or maybe even make a copy of that file and create a new smcroute.conf file and try it again

Mmmmm.....having said that I've just run smcrouted -n on my system and I also get similar error about interfaces not known as physical interfaces. However, the error does reference valid lines in my config file, plus my multicast routing is working ok.

So still worth checking your config file first

Yes, because I have commented all the lines:


# smcroute.conf example
#
# The configuration file supports joining multicast groups, to use
# Layer-2 signaling so that switches and routers open up multicast
# traffic to your interfaces.  Leave is not supported, remove the
# mgroup and SIGHUP your daemon, or send a specific leave command.
#
# NOTE: Use of the mgroup command should be avoided if possible.
#       Instead configure "router ports" or similar on the switches
#       or bridges on your LAN.  This to have them direct all the
#       multicast to your router, or select groups if they have
#       such capabilities.  Usually MAC multicast filters exist.
#
#       Some switch manufacturers support mrdisc, RFC4286, which
#       SMCRoute can use to advertise itself on source interfaces.
#       If availble, use that instead of mgroup.
#
# Similarly supported is setting mroutes.  Removing mroutes is not
# supported, remove/comment out the mroute from the .conf file, or
# send a remove command with smcroutectl.
#
# Syntax:
#   phyint IFNAME <enable|disable> [mrdisc] [ttl-threshold <1-255>]
#   mgroup from IIF [source ADDR[/LEN]] group GROUP[/LEN]
#   mroute from IIF [source ADDR[/LEN]] group GROUP[/LEN] to OIF [OIF ...]
#   include /path/to/*.conf

# This example assumes smcrouted was started with the `-N` flag.
# Only enable interfaces required for inbound and outbound traffic.
#phyint eth0 enable ttl-threshold 11
#phyint eth1 enable ttl-threshold 3
#phyint eth2 enable ttl-threshold 5
#phyint virbr0 enable ttl-threshold 5

# Instruct the kernel to join the multicast group 225.1.2.3 on interface
# eth0.  Then add an mroute of the same multicast stream, from the host
# 192.168.1.42 on interface eth0 and forward to eth1 and eth2.
#mgroup from eth0                     group 225.1.2.3
#mroute from eth0 source 192.168.1.42 group 225.1.2.3 to eth1 eth2

# Similar example, but using source-specific group join
#mgroup from virbr0 source 192.168.123.110 group 225.1.2.4
#mroute from virbr0 source 192.168.123.110 group 225.1.2.4 to eth0

# Allow multicast for group 225.3.2.1, from ANY source, ingressing on
# interface eth0 to be forwarded to eth1 and eth2.  When the kernel
# receives a frame from unknown multicast sender, it asks smcrouted who
# use this "template" to match against, if the ingressing interface and
# group matches, smcrouted installs an (S,G) route in the kernel MFC.
#mgroup from eth0 group 225.3.2.1
#mroute from eth0 group 225.3.2.1 to eth1 eth2

# The previous is an example of the (*,G) support.  It is also possible
# to specify a range of such rules.
#mgroup from eth0 group 225.0.0.0/24
#mroute from eth0 group 225.0.0.0/24 to eth1 eth2

# Include any snippet in /etc/smcroute.d/, but please remember that
# all phyint statements must be read first.
include /etc/smcroute.d/*.conf

phyint HOME enable
phyint DMZ enable


mgroup from DMZ group 239.255.255.250
mgroup from HOME group 239.255.255.250
mroute from DMZ group 239.255.255.250 to HOME
mroute from HOME group 239.255.255.250 to DMZ

Can you show me your iptables and firewall settings ?

Here is my smcroute.conf file......

phyint br-home.10 enable ttl-threshold 1
phyint br-home.20 enable ttl-threshold 1
# phyint br-home.30 enable ttl-threshold 1

mgroup from br-home.20 group 239.255.255.250
mgroup from br-home.20 group 239.255.255.249
mgroup from br-home.20 group 239.255.90.90

mgroup from br-home.10 group 239.255.255.250
mgroup from br-home.10 group 239.255.255.249
mgroup from br-home.10 group 239.255.90.90

# mgroup from br-home.30 group 239.255.255.250
# mgroup from br-home.30 group 239.255.255.249
# mgroup from br-home.30 group 239.255.90.90

mroute from br-home.20 source 192.168.2.40 group 239.255.255.250 to br-home.10
mroute from br-home.20 source 192.168.2.40 group 239.255.255.249 to br-home.10
mroute from br-home.20 source 192.168.2.40 group 239.255.90.90 to br-home.10

# mroute from br-home.20 source 192.168.2.40 group 239.255.255.250 to br-home.30
# mroute from br-home.20 source 192.168.2.40 group 239.255.255.249 to br-home.30
# mroute from br-home.20 source 192.168.2.40 group 239.255.90.90 to br-home.30

# Asset Configuration
mroute from br-home.20 source 192.168.2.62 group 239.255.255.250 to br-home.10

# Bubble Configuration
# mroute from br-home.20 source 192.168.2.28 group 239.255.255.250 to br-home.10
# this rule is an attempt to get bubble working...re Linn Kazoo saying waiting for NDS
# mroute from br-home.20 source 192.168.2.25 group 239.255.255.250 to br-home.10

mroute from br-home.10 source 192.168.1.0/24 group 239.255.255.250 to br-home.20
mroute from br-home.10 source 192.168.1.0/24 group 239.255.255.249 to br-home.20
mroute from br-home.10 source 192.168.1.0/24 group 239.255.90.90 to br-home.20

# mroute from br-home.10 source 192.168.1.0/24 group 239.255.255.250 to br-home.30
# mroute from br-home.10 source 192.168.1.0/24 group 239.255.255.249 to br-home.30
# mroute from br-home.10 source 192.168.1.0/24 group 239.255.90.90 to br-home.30

include /etc/smcroute.d/*.conf

You realize that the version of OpenWrt you are using doesn't use iptables any more? You can still use the firewall.user file but you have to specify the following in /etc/config/firewall

config include
        option path '/etc/firewall.user'
        option fw4_compatible '1'

I have actually used nft rules rather than iptables for my multicast set up but yours should work if you have compatibility set in /etc/config/firewall

Here's an extract from my firewall file that addresses the multicast traffic rules

config rule
        option name 'Allow Multicast#1'
        list proto 'udp'
        option src 'HIFI'
        list src_ip '192.168.2.40'
        list dest_ip '239.255.255.250'
        list dest_ip '239.255.255.249'
        list dest_ip '239.255.90.90'
        option dest_port '1900'
        option target 'ACCEPT'
        option family 'ipv4'
        option dest 'HOME'

config rule
        option name 'Allow Multicast#2'
        option family 'ipv4'
        list proto 'udp'
        option src 'HIFI'
        list src_ip '192.168.2.40'
        list dest_ip '239.255.255.250'
        list dest_ip '239.255.255.249'
        list dest_ip '239.255.90.90'
        option dest_port '9003'
        option target 'ACCEPT'
        option dest 'HOME'

Just for clarification my HOME network (192.168.1.0/24) can send anything it wants into the HIFI network but the HIFI network (192.168.2.0/24) needs specific rules to communicate back into HOME

If after addressing all the above it still doesn't work then try changing the iptables ttl rule from "--ttl-inc 1" to "--ttl-set 34" as I seem to recall maybe I had an issue with inc command?

Ok I have now :

phyint HOME enable ttl-threshold 1
phyint DMZ enable ttl-threshold 1


mgroup from DMZ group 239.255.255.250
mgroup from HOME group 239.255.255.250
mroute from DMZ group 239.255.255.250 to HOME
mroute from HOME group 239.255.255.250 to DMZ

I have added config on my firewall to use iptables but if they are not used I don't want to keep it.

My firewall :

config rule
        option src 'DMZ'
        option dest 'HOME'
        option target 'ACCEPT'

config rule
        option name 'TEST'
        option src 'HOME'
        option dest 'DMZ'
        option target 'ACCEPT'

For testing, and it doesn't work anyway.

What is the best way to use firewall without iptables ? Can you help me to convert my iptables to nft ?

Can you post your firewall config file here please

Yes, it's not a good firewall because I'm testing some things :


config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'DMZ'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'DMZ'

config zone
	option input 'ACCEPT'
	option output 'ACCEPT'
	option name 'WAN'
	option masq '1'
	option forward 'ACCEPT'
	list network 'wan'

config forwarding
	option src 'DMZ'
	option dest 'WAN'

config rule
	option name 'ALL'
	option dest 'WAN'
	option target 'ACCEPT'
	option src '*'
	list proto 'all'

config forwarding
	option src 'HOME'
	option dest 'WAN'

config forwarding
	option src 'WAN'
	option dest 'HOME'

config rule
	option name 'ALL /'
	option src 'WAN'
	option dest '*'
	option target 'ACCEPT'
	list proto 'all'

config forwarding
	option src 'DMZ'
	option dest 'HOME'

config zone
	option name 'HOME'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'HOME'

config redirect
	option dest 'DMZ'
	option target 'DNAT'
	option name 'REVERSE PROXY'
	option src 'WAN'
	option src_dport '443'
	option dest_port '443'
	option dest_ip '10.0.0.5'

config redirect
	option dest 'DMZ'
	option target 'DNAT'
	option name 'REVERSE PROXY 80'
	option src 'WAN'
	option src_dport '80'
	option dest_port '80'
	list proto 'tcp'
	option dest_ip '10.0.0.5'
	option enabled '0'

config zone
	option name 'GUEST'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	list network 'Guest'

config forwarding
	option src 'GUEST'
	option dest 'WAN'

config rule
	option name 'GUEST DNS'
	option src 'GUEST'
	option dest_port '53'
	option target 'ACCEPT'

config rule
	option name 'GUEST DHCP'
	list proto 'udp'
	option src 'GUEST'
	option dest_port '67-68'
	option target 'ACCEPT'

config redirect
	option dest 'DMZ'
	option target 'DNAT'
	option name 'PLEX'
	option src 'WAN'
	option src_dport '32400'
	option dest_ip '10.0.0.2'
	option dest_port '32400'
	list proto 'tcp'
	list proto 'udp'

config rule
	option name 'ALL_DMZ'
	option target 'ACCEPT'
	option src 'IoT'
	option dest 'DMZ'

config redirect
	option target 'DNAT'
	option name 'OPENWRT'
	list proto 'tcp'
	option src 'WAN'
	option src_dport '666'
	option dest_ip '10.0.0.254'
	option dest_port '80'
	option enabled '0'

config zone
	option name 'IoT'
	option output 'ACCEPT'
	list network 'IoT'
	option input 'ACCEPT'
	option forward 'ACCEPT'

config forwarding
	option src 'DMZ'
	option dest 'IoT'

config forwarding
	option src 'HOME'
	option dest 'DMZ'

config forwarding
	option src 'IoT'
	option dest 'DMZ'

config forwarding
	option src 'WAN'
	option dest 'DMZ'

config forwarding
	option src 'WAN'
	option dest 'GUEST'

config forwarding
	option src 'WAN'
	option dest 'IoT'

config forwarding
	option src 'IoT'
	option dest 'HOME'

config forwarding
	option src 'HOME'
	option dest 'IoT'

config rule
	option name 'ALL_DMZ'
	option src 'DMZ'
	option dest 'IoT'
	option target 'ACCEPT'

config rule
	option name 'ALL_IOT'
	option src 'WAN'
	option dest 'IoT'
	option target 'ACCEPT'

config rule
	option name 'ALL_IOT'
	option src 'IoT'
	option dest 'WAN'
	option target 'ACCEPT'

config redirect
	option dest 'DMZ'
	option target 'DNAT'
	option name 'SSH'
	list proto 'tcp'
	option src 'WAN'
	option src_dport '80'
	option dest_ip '10.0.0.9'
	option dest_port '66'
	option src_ip '193.49.190.200'

config forwarding
	option src 'IoT'
	option dest 'WAN'

config rule
	option src 'DMZ'
	option dest 'HOME'
	option target 'ACCEPT'

config rule
	option name 'TEST'
	option src 'HOME'
	option dest 'DMZ'
	option target 'ACCEPT'

config rule
	option name 'Allow-mDNS'
	list proto 'udp'
	option src 'HOME'
	option src_port '5353'
	option dest 'DMZ'
	list dest_ip '224.0.0.251'
	option dest_port '5353'
	option target 'ACCEPT'

I have deleted config include option path '/etc/firewall.user' option fw4_compatible '1'

I'm searching about nft now.

Maybe you can share your nft rules?

This is what is in my firewall.user file

# nft add rules to inet family of fw4 table of prerouting chain to manipulate ttl value  

nft add rule inet fw4 prerouting iifname "br-home.10" ip daddr 239.255.255.250 ip ttl set 34
nft add rule inet fw4 prerouting iifname "br-home.20" ip daddr 239.255.255.250 ip ttl set 34

nft add rule inet fw4 prerouting iifname "br-home.10" ip daddr 239.255.255.249 ip ttl set 34
nft add rule inet fw4 prerouting iifname "br-home.10" ip daddr 239.255.255.249 ip ttl set 34

nft add rule inet fw4 prerouting iifname "br-home.10" ip daddr 239.255.90.90 ip ttl set 34
nft add rule inet fw4 prerouting iifname "br-home.10" ip daddr 239.255.90.90 ip ttl set 34

I'm pretty sure you won't get mDNS working through smcroute. Try changing your firewall specific rule to be SSDP specific

I would leave the following in your firewall config file regardless of whether you specify iptables or nft rules in your firewall.user file

config include
        option path '/etc/firewall.user'
        option fw4_compatible '1'

Can you explain about SSDP ?

To sum up, I now have in my firewall.user:

# nft add rules to inet family of fw4 table of prerouting chain to manipulate ttl value

nft add rule inet fw4 prerouting iifname "HOME" ip daddr 239.255.255.250 ip ttl set 34
nft add rule inet fw4 prerouting iifname "DMZ" ip daddr 239.255.255.250 ip ttl set 34


The end of my firewall settings:

config rule
        option src 'DMZ'
        option dest 'HOME'
        option target 'ACCEPT'

config rule
        option name 'TEST'
        option src 'HOME'
        option dest 'DMZ'
        option target 'ACCEPT'

config rule
        option name 'Allow-mDNS'
        list proto 'udp'
        option src 'HOME'
        option src_port '5353'
        option dest 'DMZ'
        list dest_ip '224.0.0.251'
        option dest_port '5353'
        option target 'ACCEPT'

config include
        option path '/etc/firewall.user'
        option fw4_compatible '1'

And smcroute.conf :

phyint HOME enable ttl-threshold 1
phyint DMZ enable ttl-threshold 1


mgroup from DMZ group 239.255.255.250
mgroup from HOME group 239.255.255.250
mroute from DMZ group 239.255.255.250 to HOME
mroute from HOME group 239.255.255.250 to DMZ

My HOME and DMZ are a bridged interface with IGMP_snooping true.

It's not working, and I don't know why

Ok so DLNA uses SSDP (Simple Service Discovery Protocol) to discover end points for streaming and advertising services. It uses the multicast address 239.255.255.250 to announce services. This is always done over UDP/1900

So I would play with your firewall traffic rules to see if you can get it to work by specifying some specific hosts. I wouldn't assume that just because you have a forwarding rule between 2 zones that the multicasts will automatically get through. They might, but I've never tried it; I always specify exact addresses to be allowed through the firewall.

Might be worth running tcpdump on the different interfaces to see what's going on both sides of the firewall

Mhmm :

phyint HOME enable ttl-threshold 1
phyint DMZ enable ttl-threshold 1


mgroup from DMZ group 239.255.255.250
mgroup from HOME group 239.255.255.250

mroute from DMZ source 10.0.0.2 group 239.255.255.250 to HOME
mroute from HOME group source 10.0.1.0/24 239.255.255.250 to DMZ

10.0.0.2 is my DLNA server and 10.0.1.0 my lan with client.

Doesn't work either...

I would like to allow all multicast; can I change 239.255.255.250 to 224.0.0.0/4?

So your DLNA server is on the DMZ network and your client is on the HOME network, is that correct?

What's the actual IP address of the client?

What are you using as the DLNA server?

Yes, my client is 10.0.1.1 for example.

My DLNA is a NAS Synology with 10.0.0.2 IP.

It can see only its own subnet:

Your second mroute command in the smcroute.conf file doesn't look correct. Try this....


mroute from HOME source 10.0.1.0/24 group 239.255.255.250 to DMZ

Assuming you allow all traffic to flow from your HOME network into the DMZ then you will need the following rule in your firewall config...

config rule
        option family 'ipv4'
        list proto 'udp'
        option src 'DMZ'
        list src_ip '10.0.0.2'
        option dest 'HOME'
        list dest_ip '239.255.255.250'
        option dest_port '1900'
        option target 'ACCEPT'
        option name 'Multicast Test'
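
A syntax check for the smcroute.conf lines discussed in this thread, as an added example that is not part of any post and not SMCRoute's own code: it validates each line against the "Syntax:" comment of the sample file quoted above and reports the out-of-order keywords that the last reply corrects. The function names are hypothetical, and the phyint check assumes smcrouted is started with `-N`, as the sample file's comment does.

```shell
#!/bin/sh
# Added example: lint an smcroute.conf read on stdin against the "Syntax:"
# comment of the sample file quoted in the thread. Assumes smcrouted runs
# with -N, so interfaces must be enabled by an earlier phyint line.
lint_smcroute() {
    awk '
    function bad(msg) { printf "line %d: %s\n", NR, msg; errs++ }
    function known(ifname) {
        if (!(ifname in enabled))
            bad("no earlier \"phyint " ifname " enable\"")
    }
    function is_mcast(g,    a) {
        if (g ~ /:/) return 1                 # IPv6 group: not checked further
        if (g !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(\/[0-9]+)?$/) return 0
        split(g, a, ".")
        return (a[1] + 0 >= 224 && a[1] + 0 <= 239)   # inside 224.0.0.0/4
    }
    /^[ \t]*#/ || /^[ \t]*$/ || $1 == "include" { next }
    $1 == "phyint" {
        if ($3 != "enable" && $3 != "disable") { bad("phyint: expected enable|disable"); next }
        for (i = 4; i <= NF; i++) {
            if ($i == "mrdisc") continue
            if ($i == "ttl-threshold" && $(i + 1) ~ /^[0-9]+$/ && $(i + 1) >= 1 && $(i + 1) <= 255) { i++; continue }
            bad("phyint: bad option \"" $i "\""); break
        }
        if ($3 == "enable") enabled[$2] = 1
        next
    }
    $1 == "mgroup" || $1 == "mroute" {
        if ($2 != "from" || NF < 3) { bad($1 ": expected \"from IIF\""); next }
        known($3); i = 4
        if ($i == "source") i += 2            # optional "source ADDR[/LEN]"
        if ($i != "group") { bad($1 ": expected \"group\", found \"" $i "\""); next }
        grp = $(i + 1); i += 2
        if (!is_mcast(grp)) { bad($1 ": \"" grp "\" is not a multicast group address"); next }
        if ($1 == "mgroup") { if (i <= NF) bad("mgroup: unexpected \"" $i "\""); next }
        if ($i != "to" || i == NF) { bad("mroute: expected \"to OIF [OIF ...]\""); next }
        for (i++; i <= NF; i++) known($i)
        next
    }
    { bad("unknown directive \"" $1 "\"") }
    END { exit (errs > 0) }
    '
}

# The configuration as posted in the thread (keywords out of order on line 8).
thread_conf() {
    cat <<'EOF'
phyint HOME enable ttl-threshold 1
phyint DMZ enable ttl-threshold 1

mgroup from DMZ group 239.255.255.250
mgroup from HOME group 239.255.255.250

mroute from DMZ source 10.0.0.2 group 239.255.255.250 to HOME
mroute from HOME group source 10.0.1.0/24 239.255.255.250 to DMZ
EOF
}

# Same file with line 8 replaced by the mroute line given in the reply.
fixed_conf() {
    thread_conf | sed '8s|.*|mroute from HOME source 10.0.1.0/24 group 239.255.255.250 to DMZ|'
}

# Constructed sample: a route placed before the phyint lines it depends on.
late_phyint_conf() {
    printf '%s\n' 'mroute from DMZ group 239.255.255.250 to HOME' \
                  'phyint HOME enable' 'phyint DMZ enable'
}

thread_conf | lint_smcroute || echo "as posted: rejected"
fixed_conf  | lint_smcroute && echo "with corrected mroute: clean"
```

The function exits non-zero when it prints any finding, so it can gate a service restart after editing the file.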