with everything I installed to allow ssdp between vlan 1 and vlan 3 turned off I
see this on my eth0/wan port
> 10:52:12.771398 IP 192.168.1.1.1900 > 239.255.255.250.1900: UDP, length 303
> 10:52:12.772782 IP 192.168.1.1.1900 > 239.255.255.250.1900: UDP, length 312
> 10:52:12.773930 IP 192.168.1.1.1900 > 239.255.255.250.1900: UDP, length 375
> 10:52:12.775009 IP 192.168.1.1.1900 > 239.255.255.250.1900: UDP, length 367
> 10:52:12.776149 IP 192.168.1.1.1900 > 239.255.255.250.1900: UDP, length 312
> 10:52:12.777309 IP 192.168.1.1.1900 > 239.255.255.250.1900: UDP, length 351
> 10:52:12.778389 IP 192.168.1.1.1900 > 239.255.255.250.1900: UDP, length 383
> 10:52:12.779509 IP 192.168.1.1.1900 > 239.255.255.250.1900: UDP, length 312
> 10:52:12.780709 IP 192.168.1.1.1900 > 239.255.255.250.1900: UDP, length 371
> 10:52:12.781310 IP 192.168.1.1.1900 > 239.255.255.250.1900: UDP, length 365
here is firewall
> config defaults
> option input 'ACCEPT'
> option output 'ACCEPT'
> option forward 'REJECT'
> option synflood_protect '1'
> option drop_invalid '1'
> option flow_offloading '1'
> option flow_offloading_hw '1'
>
> config zone
> option name 'vlan1'
> option input 'ACCEPT'
> option output 'ACCEPT'
> option forward 'ACCEPT'
> list network 'lan'
>
> config zone
> option name 'wan'
> option input 'REJECT'
> option output 'ACCEPT'
> option forward 'REJECT'
> option masq '1'
> option mtu_fix '1'
> list network 'wan'
>
> config forwarding
> option src 'vlan1'
> option dest 'wan'
>
> config rule
> option name 'Allow-DHCP-Renew'
> option src 'wan'
> option proto 'udp'
> option dest_port '68'
> option target 'ACCEPT'
> option family 'ipv4'
>
> config rule
> option name 'Allow-Ping-Wan'
> option family 'ipv4'
> list proto 'icmp'
> list icmp_type 'echo-request'
> option src 'wan'
> option target 'ACCEPT'
>
> config rule
> option name '3-to-dns-dhcp'
> option src 'vlan3'
> option dest_port '53 67'
> option target 'ACCEPT'
> option family 'ipv4'
>
> config rule
> option name 'media players to wan'
> option dest 'wan'
> option target 'REJECT'
> option family 'ipv4'
> option src 'vlan3'
> list proto 'all'
> list src_mac '00:05:CD:DA:92:56'
> list src_mac '00:22:6C:21:5A:30'
> list src_mac '54:60:09:FD:A4:80'
>
> config zone
> option name 'vlan3'
> option input 'ACCEPT'
> option output 'ACCEPT'
> option forward 'ACCEPT'
> list network 'lan3'
>
> config redirect
> option target 'DNAT'
> option name 'ntp-redirect-vlan1'
> option src 'vlan1'
> option src_dport '123'
> option dest_ip '10.10.10.1'
> list proto 'udp'
> option reflection '0'
> option dest 'vlan1'
>
> config redirect
> option target 'DNAT'
> option name 'ntp-redirect-vlan3'
> option src 'vlan3'
> option src_dport '123'
> option dest_ip '10.10.20.1'
> list proto 'udp'
> option reflection '0'
> option dest 'vlan3'
>
> config forwarding
> option src 'vlan3'
> option dest 'wan'
>
> config forwarding
> option src 'vlan1'
> option dest 'vlan3'
>
> config rule
> option name 'MDNS'
> option src 'vlan3'
> option src_port '5353'
> option dest_port '5353'
> option target 'ACCEPT'
> list proto 'udp'
> list dest_ip '224.0.0.251'
> list dest_ip 'ff02::fb'
>
>
> config rule
> option name 'Chromecast Ports '
> option src 'vlan3'
> option target 'ACCEPT'
> option dest_port '8008 8009 8010 32768-61000'
> list proto 'tcp'
> list proto 'udp'
> option dest '*'
> list src_mac 'E4:F0:42:A1:D2:36'
> list src_mac '54:60:09:FD:A4:80'
>
> config redirect 'dns_int_1'
> option name 'Intercept-DNS vlan1'
> option family 'ipv4'
> option proto 'tcp udp'
> option src 'vlan1'
> option src_dport '53'
> option target 'DNAT'
> option dest_ip '10.10.10.1'
> option dest 'vlan1'
>
> config redirect 'dns_int_3'
> option name 'Intercept-DNS vlan3'
> option family 'ipv4'
> option proto 'tcp udp'
> option src 'vlan3'
> option src_dport '53'
> option target 'DNAT'
> option dest_ip '10.10.20.1'
> option dest 'vlan3
and network
> config interface 'loopback'
> option device 'lo'
> option proto 'static'
> option ipaddr '127.0.0.1'
> option netmask '255.0.0.0'
>
> config globals 'globals'
> option ula_prefix 'fd97:0191:ac00::/48'
> option packet_steering '1'
>
> config device
> option name 'br-lan'
> option type 'bridge'
> option acceptlocal '1'
> list ports 'eth1'
> list ports 'eth2'
> list ports 'eth3'
> list ports 'eth4'
>
> config interface 'lan'
> option device 'br-lan.1'
> option proto 'static'
> option netmask '255.255.255.0'
> option ip6assign '60'
> option ipaddr '10.10.10.1'
> option igmp_snooping '0'
>
> config interface 'wan'
> option device 'eth0'
> option proto 'dhcp'
> option peerdns '0'
> list dns '1.1.1.1'
> list dns '1.0.0.1'
> option hostname 'DTES'
>
> config interface 'wan6'
> option proto 'none'
>
> config device
> option name 'eth1'
> option acceptlocal '1'
>
> config device
> option name 'eth2'
> option acceptlocal '1'
>
> config device
> option name 'eth3'
> option acceptlocal '1'
>
> config device
> option name 'eth4'
> option acceptlocal '1'
>
> config bridge-vlan
> option device 'br-lan'
> option vlan '1'
> list ports 'eth1:u*'
> list ports 'eth2:t'
> list ports 'eth3:t'
> list ports 'eth4:t'
>
> config bridge-vlan
> option device 'br-lan'
> option vlan '3'
> list ports 'eth2:t'
> list ports 'eth3:t'
> list ports 'eth4:t'
>
> config interface 'lan3'
> option proto 'static'
> option device 'br-lan.3'
> option ipaddr '10.10.20.1'
> option netmask '255.255.255.0'
> option ip6ifaceid '::1'
> option ip6assign '64'
> option igmp_snooping '0'