With OpenWrt Poco X3 Pro and Amazon FireTV stick Miracast can't be used (very likely Poco's fault)

I have a strange problem: Xiaomi Poco X3 Pro and Amazon Fire-TV Stick can't use Screen Mirroring. Same applys for Poco X3 NFC.
I have other devices and only this combination isn't working.
I know Screen Mirroring is used over Wifi-Direct and doesn't require any Wifi or Internetconnection at all. But it only works when Wifi-AP is EAP110v3 from TP-Link. Both devices are connected in the same SSID.
When disabling SSID on EAP110v3 and enabling SSID on as access point configured OpenWRT device, Screen Mirroring is not possible. Wifi is unencrypted and sniffing is easily possible from a third device in promiscious mode.
When establishing connection you see in Wireshark when it is working:

grafik1659×50 5.68 KB

When both devices are in the OpenWRT device MDNS is solely done on IPv6

grafik1518×65 8.33 KB

That might be the problem why there is no connection between FireTV-Stick and Xiaomi Poco X3 Pro.

So what is going on here that MDNS requests are not done via IPv4?

I tried already blanking out ULA IPv6 prefix, but that didn't help

grafik956×127 4.54 KB

Also mdns between devices is OK. Verified by dig -p 5353 @224.0.0.251 example.local this request is recorded by Wireshark.

Thanks for your help.

Please run the following commands (copy-paste the whole block) and paste the output here, using the "Preformatted text </> " button:

Remember to redact passwords, MAC addresses and any public IP addresses you may have

ubus call system board; \
uci export network; uci export wireless; \
uci export dhcp; uci export firewall; \
head -n -0 /etc/firewall.user

ubus call system board
{
        "kernel": "5.4.154",
        "hostname": "OpenWrt",
        "system": "MediaTek MT7628AN ver:1 eco:2",
        "model": "TP-Link TL-WR802N v4",
        "board_name": "tplink,tl-wr802n-v4",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02.1",
                "revision": "r16325-88151b8303",
                "target": "ramips/mt76x8",
                "description": "OpenWrt 21.02.1 r16325-88151b8303"
        }
}

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'dhcp'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '0'

config interface 'vlan19'
        option proto 'none'
        option device 'br-vlan19'
        option delegate '0'

config device
        option type 'bridge'
        option name 'br-vlan19'
        list ports 'eth0.19'
        option ipv6 '0'

package wireless

config wifi-device 'radio0'
        option type 'mac80211'
        option hwmode '11g'
        option path 'platform/10300000.wmac'
        option txpower '25'
        option country 'AU'
        option cell_density '1'
        option noscan '1'
        option htmode 'HT40'
        option channel '13'

config wifi-iface 'onlylocal'
        option device 'radio0'
        option mode 'ap'
        option ssid 'onlylocal'
        option encryption 'sae-mixed'
        option max_inactivity '3600'
        option key 'XXXXXX'
        option ieee80211r '1'
        option mobility_domain '2222'
        option ft_over_ds '0'
        option ft_psk_generate_local '1'
        option network 'lan'
        option ifname 'onlylocal'

config wifi-iface 'FreeWifi'
        option device 'radio0'
        option mode 'ap'
        option encryption 'none'
        option network 'vlan19'
        option ifname 'freewifi'
        option ssid 'FreeWifi'

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'
        option ra 'hybrid'
        option dhcpv6 'hybrid'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

DHCP-Server of OpenWRT is not used.

package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

This firewall configuration is untouched.

# This file is interpreted as shell script.
# Put your custom iptables rules here, they will
# be executed with each firewall (re-)start.

# Internal uci firewall chains are flushed and recreated on reload, so
# put custom rules into the root chains e.g. INPUT or FORWARD or into the
# special user chains, e.g. input_wan_rule or postrouting_lan_rule.


ip6tables -I INPUT -j DROP

iptables -I FORWARD ! -d 192.168.178.0/16 -m physdev --physdev-in onlylocal -m comment --comment "Only Lokal" -j REJECT
iptables -I FORWARD -s 192.168.178.64 -m physdev --physdev-in onlylocal -m comment --comment "This device is allowed to access inernet" -j ACCEPT
iptables -I FORWARD -d 255.255.255.255  -m comment --comment "Broadcast / DHCP" -j ACCEPT
iptables -I FORWARD -m physdev --physdev-in eth0.19  -m comment --comment "VLAN19" -j ACCEPT
iptables -I FORWARD -m physdev --physdev-out eth0.19  -m comment --comment "VLAN19" -j ACCEPT

I've also already tested (that way that it is first line of rules)

ip6tables -I INPUT -j ACCEPT
ip6tables -I FORWARD -j ACCEPT
iptables -I FORWARD -j ACCEPT

I'm investigating this the last 5 hours and it may also have something to do with that on stock firmware of TP-Link multicast / mdns traffic crosses VLAN boundaries, which is a nogo for me. See https://community.tp-link.com/en/business/forum/topic/520186?page=1
This may be the cause that there is IPv4 traffic and on OpenWRT, which behaves correctly, not.
I've also tested mdns resolution between wired network and wireless network of OpenWRT, that also works correct.

If you search for "poco X3 miracast not working" you find a lot of reports that there are a lot of problems. Especially this site is very interesting https://www.reddit.com/r/PocoPhones/comments/ntfgf3/cant_cast_poco_x3_pro_to_tv/
I've even tried multiple versions of Xiaomi Cast, including the latest version, but it still didn't work
Tried versions:

com.milink.service_12.4.7.0-12040700_minAPI24(arm64-v8a,armeabi-v7a)(nodpi)_apkmirror.com.apk
com.milink.service_12.4.8.11-12040811_minAPI24(arm64-v8a,armeabi-v7a)(nodpi)_apkmirror.com.apk
com.milink.service_13.0.0.0_rc3_release-13000006_minAPI24(arm64-v8a,armeabi-v7a)(nodpi)_apkmirror.com.apk

Another report in German, that it isn't working with FireTV stick and Poco X3 (but other user report that it is working) https://mi-forum.net/threads/screen-mirroring-cast.10862/

As already written for screen mirroring no network should be required. However on Poco X3 Pro Cast app turns on Bluetooth. Miracast seems really flawed on Poco X3 Pro. On a Samsung TV which has no network access at all but built-in mirror cast X3 Pro works. So this a really difficult problem to track down.

As a sidenote you don't need these firewall rules as you have vlan19 unmanaged:

I am not sure why is this here. Broadcasts don't traverse the router.

Also not sure what are these doing as you have configured a dumbAP, all it does is to bridge the wifi with the ethernet.

Regarding your issue, I don't see why connecting to the OpenWrt SSID is limiting the client to send mdns in IPv4. I mean the access point doesn't restrict the clients what to send. And the IPv6 addresses that you see in the wireshark are link local, which means that they are automatically configured from the OS of the device and irrelevant to the IPv6 configuration of OpenWrt.
In general the firewall is not going to block anything sent within the same broadcast domain. There could be wireless client isolation, but I don't see that enabled, and that would block everything, but you mentioned that other combinations of devices work fine.
Does firetv work with IPv6?

I need this rules, otherwise no IP from DHCP is assigned, this is because of installation of
kmod-br-netfilter

and

cat /etc/sysctl.conf
# Defaults are configured in /etc/sysctl.d/* and can be customized in this file

net.bridge.bridge-nf-call-iptables=1
net.ipv4.ip_forward = 0

I am not sure why is this here. Broadcasts don't traverse the router.

There is nothing routed. Everything is bridged and it is the same reason as above.

Also not sure what are these doing as you have configured a dumbAP, all it does is to bridge the wifi with the ethernet.

Same reason as above: kmod-br-netfilter

Regarding your issue, I don't see why connecting to the OpenWrt SSID is limiting the client to send mdns in IPv4. I mean the access point doesn't restrict the clients what to send. And the IPv6 addresses that you see in the wireshark are link local, which means that they are automatically configured from the OS of the device and irrelevant to the IPv6 configuration of OpenWrt.

I'm now pretty sure that additional IPv4 multicast are because of wrong behaviour of stock EAP110v3 outdoor firmware.

In general the firewall is not going to block anything sent within the same broadcast domain.

Generally yes, here not because of kmod-br-netfilter. Thats why I've tried allowing forwarding everything. And as already mentioned, Miracast doesn't need a Wifi connection to an AP at all.

Does firetv work with IPv6?

I don't know. I'm not using FireTV itself. I'm just using it as cheap Miracast receiver. FireTV stick has internet access and loads some default stuff, but I've never watched since I have some fake Amazon Account on the FireTV stick. This was necessary to get it working at all. Without internet access you can't even install the stick. For miracast this wouldn't be necessary at all. Shame on Amazon.

Is there any particular need for the kmod-br-netfilter?
Have you tried whether it works on a default installation of OpenWrt?

Is there any particular need for the kmod-br-netfilter?

Yes it is for

iptables -I FORWARD ! -d 192.168.178.0/16 -m physdev --physdev-in onlylocal -m comment --comment "Only Lokal" -j REJECT

so devices is SSID "OnlyLocal" can only access local IP adresses and can't access the internet. This makes it a lot easier then managing this in the internetrouter.

VLANs must be used, since FireTV-Stick is not allowed to access my home network, since I think it is highly possible that the collect Wifi passwords like google also trys to store them in their cloud as "backup". However I'll try this configuration without any mods.

Tried with removed kmod-br-netfilter and iptables-mod-physdev as well as custom firewall rules commented out. Still no connection. I mean FireTV stick is found and it shows connecting process, but it just hangs at establishing the connection. Exact same behaviour as before.

An older Redmi 4X works flawlessly with this FireTV stick.
I think Poco/Xiamomi did there something completly wrong and try to establish a network connection, but miracast is WiFi-Direct. They even tell that devices should be in the same Wifi, even turn bluetooth on. That isn't needed at all. When searching you find more complaints about this.

It might as well be because of the Pocophone.
I am out of ideas, therefore good luck with this issue.

It might as well be because of the Pocophone.

Indeed. I'm now quite sure about that. Especially when searching the internet about miracast issues with it.
I mean there might be some workarounds that could be done with OpenWRT but it is not worth it.
Poco even doesn't implement a resolution fix via Miracast, meaning that you have to zoom on TV that there are less black bars. But still some black bars remain. Really sucks. Samung does that a lot better.