opnsense · OPNsense by Devious76

Need Help with UDP Broadcast Relay for SSDP in OPNsense

Hi There,

Please excuse the lengthy post, I wanted to explain/have all the information I can possibly write down.

I've been trying to get the "udpbroadcastrelay" plugin to relay SSDP (Simple Service Discovery Protocol) between two subnets, LAN and Bridge. However, I've hit a roadblock with this setup.

The peculiar thing is that mDNS (Multicast DNS) works flawlessly using the same plugin and setup!

I hope that someone can help shed some light on this issue and help me get SSDP relay working as smoothly as mDNS does in my setup. If anyone has experience with the "udpbroadcastrelay" plugin in OPNsense or has encountered a similar issue, your insights and guidance would be greatly appreciated. Thanks in advance for any assistance or suggestions!

SIDENOTE:

I have used BOTH of:

- os-udpbroadcastrelay 1.0_3 (from repo)
- compiled from source (GitHub) so I can use the --msearch option

1. My Setup

    • Virtualized OPNsense in Proxmox
      • Pass-Through (WAN)
      • 2 VirtIO Interfaces (LAN & Bridge)
    • OPNsense Version: OPNsense 23.7.10_1-amd64 FreeBSD 13.2-RELEASE-p7
    • Proxmox Version: proxmox-ve: 8.1.0 (running kernel: 6.5.11-7-pve)

2. Troubleshooting Attempts:

I've tried various solutions from different sources to resolve this issue, including:

  • HOW TO - Configure OPNsense for TV7 (init7) Multicast Stream

    LAN
    First we have to enable allow options on the default LAN rule Default allow LAN to any rule.

    • Navigate to Firewall -> Rules -> LAN
    • Edit the rule with the description "Default allow LAN to any rule" by clicking the pencil.
    • Scroll down until you see Advanced Options: and click on Show/Hide
    • Make sure that the allow options checkbox is checked
    • Click Save
    • Back on Overview click on Apply changes to enable the changed rule
  • [SOLVED] - Multicast bridge problem | Proxmox Support Forum

    maybe try to disable multicast snooping on bridges ?

    echo 0 > /sys/class/net/vmbrX/bridge/multicast_snooping

  • Multicast notes - Proxmox VE

    Linux: Disabling Multicast snooping on bridges

    Snooping should be enabled on either the router / switch or on the linux bridge, but it may not work if enabled on both. If you have a hosting provider that has igmp snooping enabled on the multicast switch, it may be necessary to disable snooping on the linux bridge. In that case use:

    post-up ( echo 1 > /sys/devices/virtual/net/$IFACE/bridge/multicast_querier )

    post-up ( echo 0 > /sys/class/net/$IFACE/bridge/multicast_snooping )

To help diagnose the issue effectively, here is what I managed to gather:

FW Ruleset

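LAN Rule Set

| Protocol | Source | Port | Destination | Port | Gateway | Schedule | Description |
|---|---|---|---|---|---|---|---|
| IPv4 | LAN net | * | * | * | * | * | Default allow LAN to any |

Bridge Rule Set

| Protocol | Source | Port | Destination | Port | Gateway | Schedule | Description |
|---|---|---|---|---|---|---|---|
| IPv4 | Bridge net | * | * | * | * | * | Allow Bridge to any rule (Manual Entry) |

cat /tmp/rules.debug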

LAN Rule Set
pass in log quick on vtnet0 inet from {(vtnet0:network)} to {any} keep state label "3070463c8d527cf93da451fa4f88c7cb" # Default allow LAN to any rule

Bridge Rule Set
 pass in log quick on vtnet1 inet from {(vtnet1:network)} to {any} keep state label "2681e3c4a046e0ab9b3ab64679df3edc" # Allow Bridge to any rule

Interfaces

igc0: flags=8963 metric 0 mtu 1500
	description: WAN (wan)
	options=4802028
	ether xx:xx:xx:xx:xx:xx
	inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
	media: Ethernet autoselect (1000baseT )
	status: active
	nd6 options=29
vtnet0: flags=8963 metric 0 mtu 1500
	description: LAN (lan)
	options=800a8
	ether xx:xx:xx:xx:xx:xx
	inet 192.168.100.3 netmask 0xffffff00 broadcast 192.168.100.255
	media: Ethernet autoselect (10Gbase-T )
	status: active
	nd6 options=29
vtnet1: flags=8963 metric 0 mtu 1500
	description: Bridge (opt1)
	options=800a8
	ether xx:xx:xx:xx:xx:xx
	inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
	media: Ethernet autoselect (10Gbase-T )
	status: active
	nd6 options=29

CLI USED

./udpbroadcastrelay -d -d --id 1 --port 1900 --dev vtnet1 --dev vtnet0 --multicast 239.255.255.250 --msearch dial

2023/12/29 21:48:17.555 <- [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet1 len=438 tos=0x00 DSCP=0 ttl=4)
   Found NOTIFY search term upnp:rootdevice
2023/12/29 21:48:17.555 -> [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet0 len=438 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:17.593 <- [ 10.10.10.46:52323 -> 239.255.255.250:1900 (iface=vtnet1 len=462 tos=0x00 DSCP=0 ttl=4)
   Found NOTIFY search term urn:schemas-sony-com:service:Party:1
2023/12/29 21:48:17.593 -> [ 10.10.10.46:52323 -> 239.255.255.250:1900 (iface=vtnet0 len=462 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:17.593 <- [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet1 len=447 tos=0x00 DSCP=0 ttl=4)
   Found NOTIFY search term uuid:00000001-0000-1010-8000-045d4bdcbc2f
2023/12/29 21:48:17.593 -> [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet0 len=447 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:17.614 <- [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet1 len=490 tos=0x00 DSCP=0 ttl=4)
   Found NOTIFY search term urn:schemas-upnp-org:device:MediaServer:1
2023/12/29 21:48:17.614 -> [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet0 len=490 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:17.637 <- [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet1 len=502 tos=0x00 DSCP=0 ttl=4)
   Found NOTIFY search term urn:schemas-upnp-org:service:ContentDirectory:1
2023/12/29 21:48:17.637 -> [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet0 len=502 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:17.663 <- [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet1 len=504 tos=0x00 DSCP=0 ttl=4)
   Found NOTIFY search term urn:schemas-upnp-org:service:ConnectionManager:1
2023/12/29 21:48:17.663 -> [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet0 len=504 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:18.315 <- [ 10.10.10.46:58092 -> 239.255.255.250:1900 (iface=vtnet1 len=283 tos=0x00 DSCP=0 ttl=4)
   Found M-SEARCH search term urn:schemas-upnp-org:device:MediaRenderer:1
   Applying default action FORWARD
2023/12/29 21:48:18.315 -> [ 10.10.10.46:58092 -> 239.255.255.250:1900 (iface=vtnet0 len=283 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:18.373 <- [ 10.10.10.46:58092 -> 239.255.255.250:1900 (iface=vtnet1 len=283 tos=0x00 DSCP=0 ttl=4)
   Found M-SEARCH search term urn:schemas-upnp-org:device:MediaRenderer:1
   Applying default action FORWARD
2023/12/29 21:48:18.373 -> [ 10.10.10.46:58092 -> 239.255.255.250:1900 (iface=vtnet0 len=283 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:18.460 <- [ 10.10.10.46:58092 -> 239.255.255.250:1900 (iface=vtnet1 len=283 tos=0x00 DSCP=0 ttl=4)
   Found M-SEARCH search term urn:schemas-upnp-org:device:MediaRenderer:1
   Applying default action FORWARD
2023/12/29 21:48:18.460 -> [ 10.10.10.46:58092 -> 239.255.255.250:1900 (iface=vtnet0 len=283 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:24.824 <- [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet0 len=127 tos=0x00 DSCP=0 ttl=4)
   Found M-SEARCH search term urn:schemas-upnp-org:device:MediaServer:1
   Applying default action FORWARD
2023/12/29 21:48:24.824 -> [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet1 len=127 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:24.924 <- [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet0 len=127 tos=0x00 DSCP=0 ttl=4)
   Found M-SEARCH search term urn:schemas-upnp-org:device:MediaServer:1
   Applying default action FORWARD
2023/12/29 21:48:24.924 -> [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet1 len=127 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:25.425 <- [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet0 len=118 tos=0x00 DSCP=0 ttl=4)
   Found M-SEARCH search term urn:ses-com:device:SatIPServer:1
   Applying default action FORWARD
2023/12/29 21:48:25.425 -> [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet1 len=118 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:48:25.525 <- [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet0 len=118 tos=0x00 DSCP=0 ttl=4)
   Found M-SEARCH search term urn:ses-com:device:SatIPServer:1
   Applying default action FORWARD
2023/12/29 21:48:25.525 -> [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet1 len=118 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:49:16.556 <- [ 10.10.10.46:50201 -> 239.255.255.250:1900 (iface=vtnet1 len=267 tos=0x00 DSCP=0 ttl=4)
   Found NOTIFY search term upnp:rootdevice
2023/12/29 21:49:16.556 -> [ 10.10.10.46:50201 -> 239.255.255.250:1900 (iface=vtnet0 len=267 tos=0x04 DSCP=1 ttl=4)

2023/12/29 21:49:16.577 <- [ 10.10.10.46:50201 -> 239.255.255.250:1900 (iface=vtnet1 len=276 tos=0x00 DSCP=0 ttl=4)
   Found NOTIFY search term uuid:00000004-0000-1010-8000-045d4bdcbc2f
2023/12/29 21:49:16.577 -> [ 10.10.10.46:50201 -> 239.255.255.250:1900 (iface=vtnet0 len=276 tos=0x04 DSCP=1 ttl=4)

LAN Wireshark Capture

| No. | Time | Source | Destination | Protocol | Length | Info |
|---|---|---|---|---|---|---|
| 920 | 09:13:01.207756 | 10.10.10.46 | 239.255.255.250 | SSDP | 349 | NOTIFY * HTTP/1.1 |
| 921 | 09:13:01.229336 | 10.10.10.46 | 239.255.255.250 | SSDP | 349 | NOTIFY * HTTP/1.1 |
| 922 | 09:13:01.290046 | 192.168.100.75 | 239.255.255.250 | SSDP | 217 | M-SEARCH * HTTP/1.1 |
| 923 | 09:13:01.292706 | 10.10.10.46 | 192.168.100.75 | UDP | 354 | 50201 → 59796 Len=312 |
| 924 | 09:13:02.292100 | 192.168.100.75 | 239.255.255.250 | SSDP | 217 | M-SEARCH * HTTP/1.1 |
| 925 | 09:13:02.294187 | 10.10.10.46 | 192.168.100.75 | UDP | 354 | 50201 → 59796 Len=312 |
| 926 | 09:13:03.308643 | 192.168.100.75 | 239.255.255.250 | SSDP | 217 | M-SEARCH * HTTP/1.1 |
| 928 | 09:13:03.310873 | 10.10.10.46 | 192.168.100.75 | UDP | 354 | 50201 → 59796 Len=312 |
| 929 | 09:13:04.309797 | 192.168.100.75 | 239.255.255.250 | SSDP | 217 | M-SEARCH * HTTP/1.1 |
| 930 | 09:13:04.311739 | 10.10.10.46 | 192.168.100.75 | UDP | 354 | 50201 → 59796 Len=312 |
| 932 | 09:13:04.803218 | 192.168.100.75 | 239.255.255.250 | SSDP | 143 | M-SEARCH * HTTP/1.1 |
| 933 | 09:13:04.805015 | 10.10.10.46 | 192.168.100.75 | UDP | 306 | 50201 → 53037 Len=264 |
| 934 | 09:13:05.800708 | 10.10.10.46 | 192.168.100.75 | UDP | 306 | 37333 → 53037 Len=264 |
| 936 | 09:13:07.799676 | 192.168.100.75 | 239.255.255.250 | SSDP | 143 | M-SEARCH * HTTP/1.1 |
| 937 | 09:13:07.801449 | 10.10.10.46 | 192.168.100.75 | UDP | 306 | 50201 → 53037 Len=264 |
| 938 | 09:13:08.045029 | 10.10.10.46 | 192.168.100.75 | UDP | 306 | 37333 → 53037 Len=264 |
| 962 | 09:13:10.807982 | 192.168.100.75 | 239.255.255.250 | SSDP | 143 | M-SEARCH * HTTP/1.1 |
| 963 | 09:13:10.811017 | 10.10.10.46 | 192.168.100.75 | UDP | 306 | 50201 → 53037 Len=264 |
| 964 | 09:13:12.695351 | 10.10.10.46 | 192.168.100.75 | UDP | 306 | 37333 → 53037 Len=264 |
| 1068 | 09:14:02.720283 | 192.168.100.75 | 239.255.255.250 | UDP | 1123 | 49620 → 3702 Len=1081 |
| 1080 | 09:14:02.977262 | 192.168.100.75 | 239.255.255.250 | UDP | 1123 | 49620 → 3702 Len=1081 |
| 1119 | 09:14:03.205658 | 192.168.100.75 | 239.255.255.250 | UDP | 666 | 59260 → 3702 Len=624 |
| 1152 | 09:14:03.442876 | 192.168.100.75 | 239.255.255.250 | UDP | 1123 | 49620 → 3702 Len=1081 |
| 1237 | 09:14:03.907019 | 192.168.100.75 | 239.255.255.250 | UDP | 1123 | 49620 → 3702 Len=1081 |
| 1284 | 09:14:04.593450 | 192.168.100.75 | 239.255.255.250 | SSDP | 143 | M-SEARCH * HTTP/1.1 |
| 1285 | 09:14:04.595580 | 10.10.10.46 | 192.168.100.75 | UDP | 306 | 50201 → 52272 Len=264 |
| 1286 | 09:14:04.608593 | 192.168.100.75 | 239.255.255.250 | SSDP | 179 | M-SEARCH * HTTP/1.1 |
| 1301 | 09:14:04.862324 | 192.168.100.75 | 239.255.255.250 | UDP | 666 | 59260 → 3702 Len=624 |
| 1324 | 09:14:05.215444 | 10.10.10.46 | 192.168.100.75 | UDP | 306 | 37333 → 52272 Len=264 |
| 1371 | 09:14:06.231131 | 192.168.100.75 | 239.255.255.250 | SSDP | 217 | M-SEARCH * HTTP/1.1 |
| 1372 | 09:14:06.233068 | 10.10.10.46 | 192.168.100.75 | UDP | 354 | 50201 → 58452 Len=312 |
| 1392 | 09:14:06.865155 | 192.168.100.75 | 239.255.255.250 | UDP | 666 | 59260 → 3702 Len=624 |
| 1401 | 09:14:07.232162 | 192.168.100.75 | 239.255.255.250 | SSDP | 217 | M-SEARCH * HTTP/1.1 |
| 1402 | 09:14:07.234422 | 10.10.10.46 | 192.168.100.75 | UDP | 354 | 50201 → 58452 Len=312 |
| 1408 | 09:14:07.595062 | 192.168.100.75 | 239.255.255.250 | SSDP | 143 | M-SEARCH * HTTP/1.1 |
| 1409 | 09:14:07.597369 | 10.10.10.46 | 192.168.100.75 | UDP | 306 | 50201 → 52272 Len=264 |
| 1410 | 09:14:07.610422 | 192.168.100.75 | 239.255.255.250 | SSDP | 179 | M-SEARCH * HTTP/1.1 |
| 1443 | 09:14:08.234467 | 192.168.100.75 | 239.255.255.250 | SSDP | 217 | M-SEARCH * HTTP/1.1 |
| 1444 | 09:14:08.234644 | 192.168.100.75 | 239.255.255.250 | SSDP | 143 | M-SEARCH * HTTP/1.1 |
| 1445 | 09:14:08.236807 | 10.10.10.46 | 192.168.100.75 | UDP | 354 | 50201 → 58452 Len=312 |
| 1446 | 09:14:08.237538 | 10.10.10.46 | 192.168.100.75 | UDP | 306 | 50201 → 52272 Len=264 |
| 1448 | 09:14:08.265899 | 192.168.100.75 | 239.255.255.250 | SSDP | 175 | M-SEARCH * HTTP/1.1 |
| 1450 | 09:14:08.297109 | 192.168.100.75 | 239.255.255.250 | SSDP | 169 | M-SEARCH * HTTP/1.1 |
| 1453 | 09:14:08.334904 | 192.168.100.75 | 239.255.255.250 | SSDP | 167 | M-SEARCH * HTTP/1.1 |
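
Added example, not part of the original post and not code from the udpbroadcastrelay project: a Python parser for debug output in the format quoted above that pairs each received (`<-`) packet with its forwarded (`->`) copies and tallies them per SSDP method and interface pair, so a direction that is received but never relayed stands out. The function name `summarize` and the last packet in the sample (constructed, with no forwarded copy) are assumptions made for illustration.

```python
import re
from collections import Counter

# First three packets are excerpts of the debug output quoted in the post;
# the last one is constructed here to show a packet with no forwarded copy.
SAMPLE_LOG = """\
2023/12/29 21:48:17.555 <- [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet1 len=438 tos=0x00 DSCP=0 ttl=4)
   Found NOTIFY search term upnp:rootdevice
2023/12/29 21:48:17.555 -> [ 10.10.10.46:64321 -> 239.255.255.250:1900 (iface=vtnet0 len=438 tos=0x04 DSCP=1 ttl=4)
2023/12/29 21:48:18.315 <- [ 10.10.10.46:58092 -> 239.255.255.250:1900 (iface=vtnet1 len=283 tos=0x00 DSCP=0 ttl=4)
   Found M-SEARCH search term urn:schemas-upnp-org:device:MediaRenderer:1
   Applying default action FORWARD
2023/12/29 21:48:18.315 -> [ 10.10.10.46:58092 -> 239.255.255.250:1900 (iface=vtnet0 len=283 tos=0x04 DSCP=1 ttl=4)
2023/12/29 21:48:24.824 <- [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet0 len=127 tos=0x00 DSCP=0 ttl=4)
   Found M-SEARCH search term urn:schemas-upnp-org:device:MediaServer:1
   Applying default action FORWARD
2023/12/29 21:48:24.824 -> [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet1 len=127 tos=0x04 DSCP=1 ttl=4)
2023/12/29 21:48:30.000 <- [ 192.168.100.76:35630 -> 239.255.255.250:1900 (iface=vtnet0 len=127 tos=0x00 DSCP=0 ttl=4)
   Found M-SEARCH search term urn:schemas-upnp-org:device:MediaServer:1
"""

PKT = re.compile(r"^\S+ \S+ (?P<dir><-|->) \[ (?P<src>[\d.]+:\d+) -> "
                 r"(?P<dst>[\d.]+:\d+) \(iface=(?P<iface>\S+) len=(?P<len>\d+)")
FOUND = re.compile(r"^\s+Found (?P<method>\S+) search term ")

def summarize(log_text):
    """Count packets per (SSDP method, ingress iface, egress iface or None)."""
    tally, rx = Counter(), None  # rx: last received packet and its state
    def close(rx):
        if rx and not rx["fwd"]:  # received but never re-sent anywhere
            tally[(rx["method"], rx["iface"], None)] += 1
    for line in log_text.splitlines():
        pkt = PKT.match(line)
        if pkt and pkt["dir"] == "<-":
            close(rx)
            rx = {"id": (pkt["src"], pkt["len"]), "iface": pkt["iface"],
                  "method": "?", "fwd": False}
        elif pkt and rx and rx["id"] == (pkt["src"], pkt["len"]):
            tally[(rx["method"], rx["iface"], pkt["iface"])] += 1
            rx["fwd"] = True
        elif rx and (found := FOUND.match(line)):
            rx["method"] = found["method"]
    close(rx)
    return tally

if __name__ == "__main__":
    for (method, rx_if, tx_if), n in sorted(summarize(SAMPLE_LOG).items(), key=str):
        print(f"{method:9} {rx_if} -> {tx_if or 'NOT FORWARDED'}: {n}")
```

The relay log only covers the multicast leg on port 1900; the unicast replies visible in the LAN capture are not part of it and have to be checked in the capture itself.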