See connections between two devices across two VLANs

I'm trying to set up some firewall rules between my LAN and IoT VLANs so that I can cast audio/video from my LAN devices to devices in the IoT VLAN. I'm also hoping to set up Home Assistant to centrally control everything, which will run on an ARM-based PC in another VLAN. Apart from that, the firewall will be fairly strict on the IoT VLAN.

I had a look at some of the forum discussions about using Chromecast devices across VLANs and found one particular thread here. Unfortunately I had no luck with the firewall rules listed there, and I didn't want to leave full inter-VLAN zone forwarding from the LAN to the IoT VLAN enabled.

A couple of weeks ago I decided to use the switch port-mirroring option (Network > Switch > Enable mirroring of incoming packets / Enable mirroring of outgoing packets), designating a port on the back of my Linksys WRT1900ACSv2 as the monitor port, enabling two-way zone forwarding between the LAN and IoT VLANs, and using Wireshark on the mirrored port to see the connections between the two devices. I used the following display filter in Wireshark:


ip.src==192.168.5.245 && ip.dst==192.168.7.133

Initially this worked and I could see TCP and UDP connections between those two devices. However, for some reason I can't see any TCP/UDP traffic in Wireshark any more, only mDNS etc. (Note that the filter above only matches the LAN→IoT direction; `ip.addr==192.168.5.245 && ip.addr==192.168.7.133` shows both directions.)

/etc/config/network

# /etc/config/network as posted (UCI). Review comments are prefixed NOTE(review).
config interface 'loopback'
option ifname 'lo'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'

config globals 'globals'
# IPv6 ULA prefix used internally. The lan interface below also requests a
# globally routable prefix via ip6assign, so if the ISP delegates one, lan
# hosts can be reachable from the Internet over IPv6 whenever the wan zone
# policy in /etc/config/firewall allows forwarding.
option ula_prefix 'fdfd:1057:ecab::/48'

# Trusted LAN, 192.168.5.0/24, VLAN 5 on the switch CPU port eth0.
config interface 'lan'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
# Request a /60 of the delegated IPv6 prefix for this interface.
option ip6assign '60'
option ipaddr '192.168.5.1'
option ifname 'eth0.5'

# ISP uplink: PPPoE on VLAN 10 via the second CPU port eth1 (switch vlan '2').
config interface 'wan'
option ifname 'eth1.10'
option proto 'pppoe'
# NOTE(review): credentials appear redacted in the post; the username value
# spans two lines here, so this section is not a verbatim copy of the live file.
option password ''
option ipv6 'auto'
option username '
'
option mtu '1492'

config switch
option name 'switch0'
option reset '1'
option enable_vlan '1'
# NOTE(review): no mirroring options (enable_mirror_rx/enable_mirror_tx,
# mirror_source_port/mirror_monitor_port) are present here, so port mirroring
# is not active in the configuration as posted.

# NOTE(review): port 4 carries VLANs 1, 5 and 7 tagged *and* the ISP VLAN 10.
# On the WRT1900ACS the stock layout uses ports 0-3 as LAN, port 4 as the
# physical WAN port and ports 5/6 as the CPU ports (eth0/eth1). If port 4 is
# cabled straight to the ISP modem/ONT, the admin/lan/iot VLANs are being
# presented on the Internet-facing link. If it goes to a managed switch that
# also carries the ISP VLAN, make sure that switch keeps VLAN 10 isolated
# from 1/5/7. TODO confirm the cabling.

# VLAN 1 (admin): port 3 untagged, tagged on port 4, CPU eth0 (5t).
config switch_vlan
option device 'switch0'
option vlan '1'
option vid '1'
option ports '3 4t 5t'

# VLAN 10 (ISP/PPPoE): tagged on port 4 and on CPU eth1 (6t).
config switch_vlan
option device 'switch0'
option vlan '2'
option vid '10'
option ports '4t 6t'

# VLAN 5 (lan): port 0 untagged, tagged on port 4, CPU eth0.
config switch_vlan
option device 'switch0'
option vlan '3'
option vid '5'
option ports '0 4t 5t'

# VLAN 7 (iot): tagged only, on port 4 and CPU eth0 (no untagged access port).
config switch_vlan
option device 'switch0'
option vlan '4'
option vid '7'
option ports '4t 5t'

# Management network on VLAN 1: 192.168.1.1/28 (14 usable addresses).
# Note the matching firewall zone has input REJECT, so hosts here cannot
# reach the router itself; see /etc/config/firewall.
config interface 'admin'
option ifname 'eth0.1'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.240'
option broadcast '192.168.1.15'
option type 'bridge'
option igmp_snooping '1'

# IoT network on VLAN 7, 192.168.7.0/24. IPv4 only as posted (no ip6assign).
config interface 'iot'
option type 'bridge'
option proto 'static'
option netmask '255.255.255.0'
option ipaddr '192.168.7.1'
option ifname 'eth0.7'

/etc/config/firewall

# /etc/config/firewall as posted (fw3). Review comments are prefixed NOTE(review).
# Router-level defaults: drop traffic to/from the router itself and reject
# forwarding unless a zone or forwarding section below says otherwise.
# (output DROP is unusual but every zone below overrides it with ACCEPT.)
config defaults
option input 'DROP'
option forward 'REJECT'
option output 'DROP'

# Trusted LAN. forward ACCEPT on a zone is the fallback for all traffic
# forwarded *out of* that zone, so lan reaches every other zone even without
# an explicit forwarding section.
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list network 'lan'

config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
list network 'wan'
# NOTE(review): stock OpenWrt uses REJECT for both of these on wan.
#  - input ACCEPT exposes every service on the router (LuCI, SSH, DNS, ...)
#    to the Internet over IPv4 and IPv6.
#  - forward ACCEPT is the fallback for everything forwarded from wan, so
#    Internet-originated traffic may be forwarded into lan/iot/admin. IPv4 is
#    mostly shielded by masquerading, but lan has ip6assign in
#    /etc/config/network and would be directly reachable over IPv6.
#  Unless there is a deliberate reason, set both back to 'REJECT'; the
#  Allow-* rules below already admit what a typical WAN needs.
option input 'ACCEPT'
option forward 'ACCEPT'

# lan -> wan Internet access (NAT via masq on the wan zone).
config forwarding
option src 'lan'
option dest 'wan'

# Stock OpenWrt rules for the wan zone (carried over from the default config).
# DHCP client renewals from the ISP's DHCP server (IPv4).
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'

# Answer IPv4 ping from the Internet (optional; harmless but makes the router discoverable).
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'

# IGMP from the ISP side (only needed for multicast/IPTV services).
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'

# DHCPv6 client replies (address/prefix delegation) from fc00::/6 sources.
config rule
option name 'Allow-DHCPv6'
option src 'wan'
option proto 'udp'
option src_ip 'fc00::/6'
option dest_ip 'fc00::/6'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'

# Multicast Listener Discovery from link-local routers (required for IPv6 to work).
config rule
option name 'Allow-MLD'
option src 'wan'
option proto 'icmp'
option src_ip 'fe80::/10'
list icmp_type '130/0'
list icmp_type '131/0'
list icmp_type '132/0'
list icmp_type '143/0'
option family 'ipv6'
option target 'ACCEPT'

# Essential ICMPv6 to the router itself (NDP, PMTUD, error reports), rate-limited.
config rule
option name 'Allow-ICMPv6-Input'
option src 'wan'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
list icmp_type 'router-solicitation'
list icmp_type 'neighbour-solicitation'
list icmp_type 'router-advertisement'
list icmp_type 'neighbour-advertisement'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

# Essential ICMPv6 forwarded to the inner zones (PMTUD, error reports), rate-limited.
# Redundant while the wan zone has forward ACCEPT; needed once that is REJECT.
config rule
option name 'Allow-ICMPv6-Forward'
option src 'wan'
option dest '*'
option proto 'icmp'
list icmp_type 'echo-request'
list icmp_type 'echo-reply'
list icmp_type 'destination-unreachable'
list icmp_type 'packet-too-big'
list icmp_type 'time-exceeded'
list icmp_type 'bad-header'
list icmp_type 'unknown-header-type'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'

# Stock IPsec passthrough: ESP and IKE (udp 500) from wan into lan.
# NOTE(review): harmless if nothing on lan terminates IPsec, but they can be
# removed in that case to keep the ruleset minimal.
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'

config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'

# Custom iptables rules loaded on every firewall reload; this is the place to
# persist any hand-typed LOG rule used while debugging.
config include
option path '/etc/firewall.user'

# NOTE(review): UPnP (miniupnpd) lets hosts on the networks it serves open
# inbound WAN ports on demand. If the IoT VLAN is meant to be locked down,
# confirm in /etc/config/upnpd that it is bound to lan only (not iot), or
# disable it altogether.
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
option family 'any'
option reload '1'

config zone
option name 'admin'
option output 'ACCEPT'
list network 'admin'
# NOTE(review): input REJECT means hosts on the admin VLAN cannot reach the
# router itself (LuCI/SSH, nor DHCP/DNS served by the router). Confirm that is
# intended for a network named 'admin'; as posted, management works from lan only.
option input 'REJECT'
option forward 'REJECT'

config zone
option name 'iot'
# NOTE(review): input ACCEPT lets IoT devices reach every service on the
# router. Once debugging is done, allow only DHCP (udp 67), DNS (53) and, if
# avahi listens on br-iot, mDNS (udp 5353) via explicit rules, then set REJECT.
option input 'ACCEPT'
option output 'ACCEPT'
# NOTE(review): forward ACCEPT on a zone is the fallback for all traffic
# forwarded from that zone, so iot can currently reach admin too, not just the
# destinations listed in forwarding sections below. For a strict IoT zone set
# REJECT here and grant the lan<->iot paths with forwarding/rule sections only.
option forward 'ACCEPT'
list network 'iot'

# iot -> wan Internet access.
config forwarding
option dest 'wan'
option src 'iot'

# Both rules below are disabled (enabled '0'). Without a 'dest' they act on
# traffic addressed *to the router* (INPUT), i.e. they let the router (avahi)
# receive the multicast. They do not forward multicast between VLANs:
# 224.0.0.251 is link-local scope and is never routed; reflecting mDNS across
# VLANs is the avahi reflector's job.
config rule
option src '*'
option name 'allow-mDNS'
option target 'ACCEPT'
list dest_ip '224.0.0.251'
option dest_port '5353'
list proto 'udp'
option enabled '0'

# NOTE(review): this rule matches SSDP (239.255.255.250:1900, UPnP/DLNA
# discovery), not mDNS - the name is misleading. Rename it, e.g. 'Allow-SSDP'.
config rule
option src '*'
option name 'Allow-mDNS'
option target 'ACCEPT'
list dest_ip '239.255.255.250'
option dest_port '1900'
list proto 'udp'
option enabled '0'

# Temporary full inter-VLAN forwarding used for debugging (see the post).
# Remove these once the required ports are known - iot -> lan in particular.
config forwarding
option dest 'iot'
option src 'lan'

config forwarding
option dest 'lan'
option src 'iot'

# lan <-> admin: full two-way forwarding between the trusted LAN and the
# management VLAN.
config forwarding
option dest 'admin'
option src 'lan'

config forwarding
option dest 'lan'
option src 'admin'

/etc/avahi/avahi-daemon.conf

# /etc/avahi/avahi-daemon.conf as posted (the service is currently stopped).
[server]
#host-name=foo
domain-name=local
use-ipv4=yes
use-ipv6=no
check-response-ttl=no
use-iff-running=no
# Only these two bridges take part in mDNS; the admin bridge is excluded.
allow-interfaces=br-lan,br-iot

[publish]
publish-addresses=yes
# NOTE(review): hinfo advertises the router's CPU type and OS to every mDNS
# listener on both VLANs; set publish-hinfo=no unless something relies on it.
publish-hinfo=yes
publish-workstation=no
publish-domain=yes
#publish-dns-servers=192.168.1.1
#publish-resolv-conf-dns-servers=yes

[wide-area]
enable-wide-area=no

# The reflector re-announces every mDNS record seen on one allowed interface
# onto the others, in both directions: IoT devices learn about LAN services
# just as the LAN learns about the Chromecasts. This only solves discovery;
# the cast session itself still needs unicast firewall rules.
[reflector]
enable-reflector=yes
reflect-ipv=no

# Resource limits for the daemon (defence in depth should avahi misbehave).
[rlimits]
#rlimit-as=
rlimit-core=0
rlimit-data=4194304
rlimit-fsize=0
rlimit-nofile=30
rlimit-stack=4194304
rlimit-nproc=3

Running tcpdump on eth0 gives me similar results.

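# Capture the conversation between the two hosts on the router.
# Original command was `tcpdump -n -i eth0`, i.e. everything on the swconfig
# parent interface with no filter. Two problems with that:
#  - frames on eth0 are 802.1Q-tagged, so a plain 'host' filter there may
#    need the 'vlan' qualifier (`vlan and host ...`) to match at all;
#  - with no filter the unicast cast traffic is buried in mDNS/SSDP chatter.
# Capturing on the bridge (untagged, where routing happens) with a filter on
# both hosts shows both directions and only the flows of interest.
# -nn: no name or port resolution, so the raw port numbers are shown.
killall tcpdump 2>/dev/null
tcpdump -nn -i br-lan 'host 192.168.5.245 and host 192.168.7.133'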

On the other hand, if I go to Status > Realtime Graphs > Connections I can see TCP/UDP ports between the two devices, some of which match the ports Wireshark showed when it was working.

Currently the Avahi service and the mDNS firewall rules are disabled, and the full inter-VLAN zone forwarding is what lets the Chromecast devices be discovered from the other VLAN. Ideally the full inter-VLAN zone forwarding will be removed and I will rely on Avahi and/or mDNS firewall rules for devices across VLANs to discover each other.

mDNS only handles discovery; the actual cast session then uses separate unicast ports, and that is the traffic that gets routed between the VLANs. This is where I would like to use Wireshark to see those connections and work out which ports I need to open on the firewall.

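# Log the first packet of every new flow from the LAN host to the IoT host so
# the protocol/port pairs that need firewall rules show up in `logread`.
#   --ctstate NEW : one line per flow instead of one per packet (far less
#                   noise); drop it if mid-flow packets are wanted as well.
#   -m limit      : keeps a chatty device from flooding the kernel log.
# This matches LAN -> IoT only; if the IoT device also opens connections of
# its own towards the LAN host, add a second line with -s and -d swapped.
# NOTE: rules added by hand are lost on the next firewall reload
# (`/etc/init.d/firewall restart`); put the line in /etc/firewall.user
# (already included by the posted /etc/config/firewall) to make it persist.
iptables -I FORWARD -s 192.168.5.245/32 -d 192.168.7.133/32 -m conntrack --ctstate NEW -m limit --limit 5/sec -j LOG --log-prefix "mylog : "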

You should see everything you need in the logs (protocols and ports). The example below is from a different network; in your case SRC/DST will be the 192.168.5.x and 192.168.7.x addresses:

root@OpenWrt:~# logread -e mylog
Wed Jun 16 11:36:25 2021 kern.warn kernel: [27366.475165] mylog : IN=eth0.192 OUT=br-lan MAC= SRC=192.168.192.16 DST=192.168.92.85 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=9326 DF PROTO=TCP SPT=49357 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0

I'll give that a go.

Is there a reason why the port mirroring isn't working? As an alternative, could I use ARP spoofing to see the traffic?

I have no idea. It should work as well as tcpdump (if you select the right interface). One thing to check: the `config switch` section you posted contains no mirroring options (enable_mirror_rx/enable_mirror_tx, mirror_source_port/mirror_monitor_port), so unless they were stripped before posting, mirroring is no longer configured.

It would be much more complicated than just logging the traffic with iptables. ARP spoofing also only works within a single broadcast domain, and traffic between two VLANs has to pass through the router anyway, so the router already sees every routed packet; capturing or logging there is both simpler and more complete.