I'm setting up an HDHomeRun network-enabled TV tuner. I plan to put it on my IoT network, with a firewall between it and the home LAN on which I will have some clients.
Is there some equivalent I could do with an OpenWrt firewall rule, in the port forwarding configs? Perhaps with some firewall rules as well to allow the broadcast discovery and the unicast reply between the LAN and IOT firewall zones?
I found some hints on a stackexchange question: https://unix.stackexchange.com/questions/725567/forward-udp-broadcast-packet-with-nftables
and with that, I was able to create a custom nftable script. It won't work as a .nft file in /etc/nftables.d because it needs to be a netdev table rule instead of an ipv4/ipv6 rule, and the .nft files are included inside an internet table.
But it does work as a type nftables rule.
This table requires the kmod-nft-netdev package to be installed. Without that module, the nft command gives an error like this:
Error: Could not process rule: No such file or directory
pkttype broadcast ether type ip udp dport 65001 counter fwd to br-iot
^^^^^^^^^^^^^
Here's what I have in /etc/config/firewall:
config include 'hdhomerun'
option enabled '1'
option type 'nftables'
option path '/etc/nftables.d/hdhomerun.fw4'
option position 'ruleset-post'
and here's the script itself, which reflects broadcasts input on either br-lan or br-iot to the other:
table netdev hdhomerun_broadcast
delete table netdev hdhomerun_broadcast
table netdev hdhomerun_broadcast {
chain hdhomerun_lan { type filter hook ingress device br-lan priority 0;
pkttype broadcast ether type ip udp dport 65001 counter fwd to br-iot
}
chain hdhomerun_iot { type filter hook ingress device br-iot priority 0;
pkttype broadcast ether type ip udp dport 65001 counter fwd to br-lan
}
}