this post was submitted on 01 Jan 2024
1 points (100.0% liked)

OPNsense

489 readers
1 users here now

All discussions about the open source, FreeBSD-based firewall called OPNsense.

founded 1 year ago
MODERATORS
 

Hi There,

Please excuse the lenghty post, I wanted to explain/have all the information I can possibly write down

I've been trying to have "udpbroadcastrelay" plugin to relay SSDP (Simple Service Discovery Protocol) between two subnets, LAN and Bridge. However, I've hit a roadblock with this setup.

The peculiar thing is that mDNS (Multicast DNS) works flawlessly using the same plugin and setup!

I hope that someone can help shed some light on this issue and help me get SSDP relay working as smoothly as mDNS does in my setup. If anyone has experience with the "udpbroadcastrelay" plugin in OPNsense or has encountered a similar issue, your insights and guidance would be greatly appreciated. Thanks in advance for any assistance or suggestions!

SIDENOTE:-

I have used BOTH of :

- os-udpbroadcastrelay 1.0_3 (frpm repo)
- compiled from source (Github) so i can use --msearch option
  1. My Setup

    • Virtualized OPNsense in Proxmox
      • Pass-Through (WAN)
      • 2 VirtIO Interfaces (LAN & Bridge)
    • OPNsense Version: OPNsense 23.7.10_1-amd64 FreeBSD 13.2-RELEASE-p7
    • Proxmox Version: proxmox-ve: 8.1.0 (running kernel: 6.5.11-7-pve)
  2. Troubleshooting Attempts:

I've tried various solutions from different sources to resolve this issue, including:

  • HOW TO - Configure OPNsense for TV7 (init7) Multicast Stream

    LAN
    First we have to enable allow options on the default LAN rule Default allow LAN to any rule.

    • Navigate to Firewall -> Rules -> LAN
    • Edit the rule with the description "Default allow LAN to any rule" by clicking the pencil.
    • Scroll down until you see Advanced Options: and click on Show/Hide
    • Make sure that the allow options checkbox is checked
    • Click Save
    • Back on Overview click on Apply changes to enable the changed rule
  • [SOLVED] - Multicast bridge problem | Proxmox Support Forum

    maybe try to disable multicast snooping on bridges ?

    echo 0 > /sys/class/net/vmbrX/bridge/multicast_snooping

  • Multicast notes - Proxmox VE

    Linux: Disabling Multicast snooping on bridges

    Snooping should be enabled on either the router / switch or on the linux bridge, but it may not work if enabled on both. If you have a hosting provider that has igmp snooping enabled on the multicast switch, it may be necessary to disable snooping on the linux bridge. In that case use:

    post-up ( echo 1 > /sys/devices/virtual/net/$IFACE/bridge/multicast_querier )

    post-up ( echo 0 > /sys/class/net/$IFACE/bridge/multicast_snooping )

To help diagnose the issue effectively, here is what i managed to gather:

FW Ruleset

LAN Rule Set
Protocol Source Port Destination Port Gateway Schedule Description
IPv4 LAN net * * * * * Default allow LAN to any
Bridge Rule Set
Protocol Source Port Destination Port Gateway Schedule Description
IPv4 Bridge net * * * * * Allow Bridge to any rule (Manual Entry)
cat /tmp/rules.debug

LAN Rule Set
pass in log quick on vtnet0 inet from {(vtnet0:network)} to {any} keep state label "3070463c8d527cf93da451fa4f88c7cb" # Default allow LAN to any rule

Bridge Rule Set
 pass in log quick on vtnet1 inet from {(vtnet1:network)} to {any} keep state label "2681e3c4a046e0ab9b3ab64679df3edc" # Allow Bridge to any rule

Interfaces

igc0: flags=8963 metric 0 mtu 1500
	description: WAN (wan)
	options=4802028
	ether xx:xx:xx:xx:xx:xx
	inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
	media: Ethernet autoselect (1000baseT )
	status: active
	nd6 options=29
vtnet0: flags=8963 metric 0 mtu 1500
	description: LAN (lan)
	options=800a8
	ether xx:xx:xx:xx:xx:xx
	inet 192.168.100.3 netmask 0xffffff00 broadcast 192.168.100.255
	media: Ethernet autoselect (10Gbase-T )
	status: active
	nd6 options=29
vtnet1: flags=8963 metric 0 mtu 1500
	description: Bridge (opt1)
	options=800a8
	ether xx:xx:xx:xx:xx:xx
	inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
	media: Ethernet autoselect (10Gbase-T )
	status: active
	nd6 options=29

CLI USED

./udpbroadcastrelay -d -d --id 1 --port 1900 --dev vtnet1 --dev vtnet0 --multicast 239.255.255.250 --msearch dial

2023/12/29 21:48:17.555 <- [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet1 len=438 tos=0x00 DSCP=0 ttl=4)
   Found NOTIFY search term upnp:rootdevice
2023/12/29 21:48:17.555 -> [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet0 len=438 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:17.593 <- [ 10.10.10.46:52323 -> 239.255.255.250:1900 (iface=vtnet1 len=462 tos=0x00 DSCP=0 ttl=4)
   Found NOTIFY search term urn:schemas-sony-com:service:Party:1
2023/12/29 21:48:17.593 -> [ 10.10.10.46:52323 -> 239.255.255.250:1900 (iface=vtnet0 len=462 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:17.593 <- [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet1 len=447 tos=0x00 DSCP=0 ttl=4)
   Found NOTIFY search term uuid:00000001-0000-1010-8000-045d4bdcbc2f
2023/12/29 21:48:17.593 -> [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet0 len=447 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:17.614 <- [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet1 len=490 tos=0x00 DSCP=0 ttl=4)
   Found NOTIFY search term urn:schemas-upnp-org:device:MediaServer:1
2023/12/29 21:48:17.614 -> [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet0 len=490 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:17.637 <- [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet1 len=502 tos=0x00 DSCP=0 ttl=4)
   Found NOTIFY search term urn:schemas-upnp-org:service:ContentDirectory:1
2023/12/29 21:48:17.637 -> [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet0 len=502 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:17.663 <- [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet1 len=504 tos=0x00 DSCP=0 ttl=4)
   Found NOTIFY search term urn:schemas-upnp-org:service:ConnectionManager:1
2023/12/29 21:48:17.663 -> [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet0 len=504 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:18.315 <- [ 10.10.10.46:58092 -> 239.255.255.250:1900 (iface=vtnet1 len=283 tos=0x00 DSCP=0 ttl=4)
   Found M-SEARCH search term urn:schemas-upnp-org:device:MediaRenderer:1
   Applying default action FORWARD
2023/12/29 21:48:18.315 -> [ 10.10.10.46:58092 -> 239.255.255.250:1900 (iface=vtnet0 len=283 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:18.373 <- [ 10.10.10.46:58092 -> 239.255.255.250:1900 (iface=vtnet1 len=283 tos=0x00 DSCP=0 ttl=4)
   Found M-SEARCH search term urn:schemas-upnp-org:device:MediaRenderer:1
   Applying default action FORWARD
2023/12/29 21:48:18.373 -> [ 10.10.10.46:58092 -> 239.255.255.250:1900 (iface=vtnet0 len=283 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:18.460 <- [ 10.10.10.46:58092 -> 239.255.255.250:1900 (iface=vtnet1 len=283 tos=0x00 DSCP=0 ttl=4)
   Found M-SEARCH search term urn:schemas-upnp-org:device:MediaRenderer:1
   Applying default action FORWARD
2023/12/29 21:48:18.460 -> [ 10.10.10.46:58092 -> 239.255.255.250:1900 (iface=vtnet0 len=283 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:24.824 <- [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet0 len=127 tos=0x00 DSCP=0 ttl=4)
   Found M-SEARCH search term urn:schemas-upnp-org:device:MediaServer:1
   Applying default action FORWARD
2023/12/29 21:48:24.824 -> [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet1 len=127 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:24.924 <- [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet0 len=127 tos=0x00 DSCP=0 ttl=4)
   Found M-SEARCH search term urn:schemas-upnp-org:device:MediaServer:1
   Applying default action FORWARD
2023/12/29 21:48:24.924 -> [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet1 len=127 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:25.425 <- [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet0 len=118 tos=0x00 DSCP=0 ttl=4)
   Found M-SEARCH search term urn:ses-com:device:SatIPServer:1
   Applying default action FORWARD
2023/12/29 21:48:25.425 -> [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet1 len=118 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:25.525 <- [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet0 len=118 tos=0x00 DSCP=0 ttl=4)
   Found M-SEARCH search term urn:ses-com:device:SatIPServer:1
   Applying default action FORWARD
2023/12/29 21:48:25.525 -> [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet1 len=118 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:49:16.556 <- [ 10.10.10.46:50201 -> 239.255.255.250:1900 (iface=vtnet1 len=267 tos=0x00 DSCP=0 ttl=4)
   Found NOTIFY search term upnp:rootdevice
2023/12/29 21:49:16.556 -> [ 10.10.10.46:50201 -> 239.255.255.250:1900 (iface=vtnet0 len=267 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:49:16.577 <- [ 10.10.10.46:50201 -> 239.255.255.250:1900 (iface=vtnet1 len=276 tos=0x00 DSCP=0 ttl=4)
   Found NOTIFY search term uuid:00000004-0000-1010-8000-045d4bdcbc2f
2023/12/29 21:49:16.577 -> [ 10.10.10.46:50201 -> 239.255.255.250:1900 (iface=vtnet0 len=276 tos=0x04 DSCP=1 ttl=4)

Lan Wireshark Capture

No. Time Source Destination Protocol Length Info
920 09:13:01.207756 10.10.10.46 239.255.255.250 SSDP 349 NOTIFY * HTTP/1.1
921 09:13:01.229336 10.10.10.46 239.255.255.250 SSDP 349 NOTIFY * HTTP/1.1
922 09:13:01.290046 192.168.100.75 239.255.255.250 SSDP 217 M-SEARCH * HTTP/1.1
923 09:13:01.292706 10.10.10.46 192.168.100.75 UDP 354 50201 → 59796 Len=312
924 09:13:02.292100 192.168.100.75 239.255.255.250 SSDP 217 M-SEARCH * HTTP/1.1
925 09:13:02.294187 10.10.10.46 192.168.100.75 UDP 354 50201 → 59796 Len=312
926 09:13:03.308643 192.168.100.75 239.255.255.250 SSDP 217 M-SEARCH * HTTP/1.1
928 09:13:03.310873 10.10.10.46 192.168.100.75 UDP 354 50201 → 59796 Len=312
929 09:13:04.309797 192.168.100.75 239.255.255.250 SSDP 217 M-SEARCH * HTTP/1.1
930 09:13:04.311739 10.10.10.46 192.168.100.75 UDP 354 50201 → 59796 Len=312
932 09:13:04.803218 192.168.100.75 239.255.255.250 SSDP 143 M-SEARCH * HTTP/1.1
933 09:13:04.805015 10.10.10.46 192.168.100.75 UDP 306 50201 → 53037 Len=264
934 09:13:05.800708 10.10.10.46 192.168.100.75 UDP 306 37333 → 53037 Len=264
936 09:13:07.799676 192.168.100.75 239.255.255.250 SSDP 143 M-SEARCH * HTTP/1.1
937 09:13:07.801449 10.10.10.46 192.168.100.75 UDP 306 50201 → 53037 Len=264
938 09:13:08.045029 10.10.10.46 192.168.100.75 UDP 306 37333 → 53037 Len=264
962 09:13:10.807982 192.168.100.75 239.255.255.250 SSDP 143 M-SEARCH * HTTP/1.1
963 09:13:10.811017 10.10.10.46 192.168.100.75 UDP 306 50201 → 53037 Len=264
964 09:13:12.695351 10.10.10.46 192.168.100.75 UDP 306 37333 → 53037 Len=264
1068 09:14:02.720283 192.168.100.75 239.255.255.250 UDP 1123 49620 → 3702 Len=1081
1080 09:14:02.977262 192.168.100.75 239.255.255.250 UDP 1123 49620 → 3702 Len=1081
1119 09:14:03.205658 192.168.100.75 239.255.255.250 UDP 666 59260 → 3702 Len=624
1152 09:14:03.442876 192.168.100.75 239.255.255.250 UDP 1123 49620 → 3702 Len=1081
1237 09:14:03.907019 192.168.100.75 239.255.255.250 UDP 1123 49620 → 3702 Len=1081
1284 09:14:04.593450 192.168.100.75 239.255.255.250 SSDP 143 M-SEARCH * HTTP/1.1
1285 09:14:04.595580 10.10.10.46 192.168.100.75 UDP 306 50201 → 52272 Len=264
1286 09:14:04.608593 192.168.100.75 239.255.255.250 SSDP 179 M-SEARCH * HTTP/1.1
1301 09:14:04.862324 192.168.100.75 239.255.255.250 UDP 666 59260 → 3702 Len=624
1324 09:14:05.215444 10.10.10.46 192.168.100.75 UDP 306 37333 → 52272 Len=264
1371 09:14:06.231131 192.168.100.75 239.255.255.250 SSDP 217 M-SEARCH * HTTP/1.1
1372 09:14:06.233068 10.10.10.46 192.168.100.75 UDP 354 50201 → 58452 Len=312
1392 09:14:06.865155 192.168.100.75 239.255.255.250 UDP 666 59260 → 3702 Len=624
1401 09:14:07.232162 192.168.100.75 239.255.255.250 SSDP 217 M-SEARCH * HTTP/1.1
1402 09:14:07.234422 10.10.10.46 192.168.100.75 UDP 354 50201 → 58452 Len=312
1408 09:14:07.595062 192.168.100.75 239.255.255.250 SSDP 143 M-SEARCH * HTTP/1.1
1409 09:14:07.597369 10.10.10.46 192.168.100.75 UDP 306 50201 → 52272 Len=264
1410 09:14:07.610422 192.168.100.75 239.255.255.250 SSDP 179 M-SEARCH * HTTP/1.1
1443 09:14:08.234467 192.168.100.75 239.255.255.250 SSDP 217 M-SEARCH * HTTP/1.1
1444 09:14:08.234644 192.168.100.75 239.255.255.250 SSDP 143 M-SEARCH * HTTP/1.1
1445 09:14:08.236807 10.10.10.46 192.168.100.75 UDP 354 50201 → 58452 Len=312
1446 09:14:08.237538 10.10.10.46 192.168.100.75 UDP 306 50201 → 52272 Len=264
1448 09:14:08.265899 192.168.100.75 239.255.255.250 SSDP 175 M-SEARCH * HTTP/1.1
1450 09:14:08.297109 192.168.100.75 239.255.255.250 SSDP 169 M-SEARCH * HTTP/1.1
1453 09:14:08.334904 192.168.100.75 239.255.255.250 SSDP 167 M-SEARCH * HTTP/1.1
no comments (yet)
sorted by: hot top controversial new old
there doesn't seem to be anything here