DLNA through Wireguard (Linux > Mikrotik)

I have been struggling to make DLNA work through wireguard. My scenario is: Oracle (ubuntu linux) > Mikrotik (home-side).
The VPN tunnel is working pretty well. All ports and IPs are authorized and I can access a lot of services, as if they were running locally (nextcloud, unrealircd [ircd server] and so on).
The problem is DLNA. I’ve searched a lot and I was unable to find a solution for that.
As far as I searched, the best solution would be VXLAN, but I couldn’t do it.
My scenario is:

  • Oracle WG ip: 192.168.2.2 (ubuntu server);
  • Mikrotik WG ip: 192.168.2.1;
  • My home mikrotik IP: 192.168.1.1;

The VPN tunnel (wireguard connection) is established and working well.
Can anyone help me?

Sorry for my bad English. I am Brazilian.
I would appreciate it a lot if someone could give me a tip on what to do…

Hi there!
I’ve already tried IGMP Proxy, following step-by-step this guide (Mikrotik documentation), but even with ChatGPT’s help, my local network (mikrotik) couldn’t reach the other side (linux-side). With ChatGPT’s help, I could do some tests, but IGMP Proxy always returns 100% lost packets, and even when the devices try to request DLNA, they are shown in ip:8200 as “device unknown” or something like that.
As far as I noticed, the problem with IGMP proxy has something to do with the configuration of alternative-subnets or with DLNA broadcast through the wireguard tunnel (wg0 interface or smcroute configuration problem, both on linux).
ChatGPT suggested that I try PIM SM (failed), IGMP proxy (failed) and, then, VXLAN through wireguard (the only solution that I didn’t try, due to lack of knowledge, but I will try).

Do you have allowed traffic on wireguard in the allowed-address section?

What do you mean by “allowed-address section”?
As I have mentioned, I am able to access pretty much everything on Oracle-side (vps-side) over wireguard.
The problem is accessing DLNA. ChatGPT told me that it’s not easy to make mDNS (Bonjour) and SSDP (for DLNA) work over wireguard…

Here is my MT configuration:

# 2025-07-02 21:48:37 by RouterOS 7.19.2
# software id = XXXXXXXXXXXXX
# model = CRS125-24G-1S-2HnD
# serial number = XXXXXXXXXXXXX
/interface bridge
add admin-mac=XXXXXXXXXXXXX auto-mac=no comment=Bridge fast-forward=no \
    igmp-snooping=yes igmp-version=3 last-member-query-count=5 \
    multicast-querier=yes name=bridge-local port-cost-mode=short \
    startup-query-count=5
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=\
    20/40mhz-Ce country=brazil disabled=no distance=indoors frequency=auto \
    frequency-mode=manual-txpower mode=ap-bridge ssid=NortonTik \
    station-roaming=enabled wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] comment="Oi Fibra" name=ether1-gateway \
    rx-flow-control=on tx-flow-control=on
set [ find default-name=ether2 ] comment="Casa 1015" name=ether2-master-local \
    rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether3 ] comment="DVR: 985" name=ether3-slave-local
set [ find default-name=ether4 ] comment="Orange Pi" name=ether4-slave-local
set [ find default-name=ether5 ] comment="NAS: D-Link" name=\
    ether5-slave-local
set [ find default-name=ether6 ] name=ether6-slave-local
set [ find default-name=ether7 ] name=ether7-slave-local
set [ find default-name=ether8 ] comment=Norton-LiteBeam name=\
    ether8-slave-local
set [ find default-name=sfp1 ] name=sfp1-slave-local
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.21-192.168.1.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay interface=bridge-local \
    lease-time=10m name=default
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/ppp profile
add bridge-learning=no name=OVPN-client use-compression=no use-encryption=yes \
    use-mpls=no
/queue type
set 5 pcq-limit=128000KiB pcq-rate=300k
set 6 pcq-limit=300000KiB pcq-rate=1M
/routing bgp template
set default disabled=no output.network=bgp-networks
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge filter
add action=accept chain=forward comment=mDNS disabled=yes dst-address=\
    224.0.0.251/32 dst-mac-address=01:00:5E:7F:FF:FA/FF:FF:FF:FF:FF:FF \
    dst-port=5353 ip-protocol=udp mac-protocol=ip out-interface=\
    ether1-gateway
add action=accept chain=forward comment=SSDP disabled=yes dst-address=\
    239.255.255.250/32 dst-mac-address=01:00:5E:7F:FF:FA/FF:FF:FF:FF:FF:FF \
    dst-port=1900 ip-protocol=udp mac-protocol=ip out-interface=\
    ether1-gateway
/interface bridge port
add bridge=bridge-local hw=no ingress-filtering=no interface=\
    ether2-master-local internal-path-cost=10 path-cost=10
add bridge=bridge-local ingress-filtering=no interface=wlan1 \
    internal-path-cost=10 path-cost=10
add bridge=bridge-local hw=no ingress-filtering=no interface=\
    ether3-slave-local internal-path-cost=10 path-cost=10
add bridge=bridge-local hw=no ingress-filtering=no interface=\
    ether4-slave-local internal-path-cost=10 path-cost=10
add bridge=bridge-local hw=no ingress-filtering=no interface=\
    ether5-slave-local internal-path-cost=10 path-cost=10
add bridge=bridge-local hw=no ingress-filtering=no interface=\
    ether6-slave-local internal-path-cost=10 path-cost=10
add bridge=bridge-local hw=no ingress-filtering=no interface=\
    ether7-slave-local internal-path-cost=10 path-cost=10
add bridge=bridge-local hw=no ingress-filtering=no interface=\
    ether8-slave-local internal-path-cost=10 path-cost=10
add bridge=bridge-local hw=no ingress-filtering=no interface=sfp1-slave-local \
    internal-path-cost=10 path-cost=10
add bridge=bridge-local interface=*26
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=discover
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes forward=no max-neighbor-entries=1024 \
    soft-max-neighbor-entries=1023
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add interface=wlan1 list=discover
add interface=ether2-master-local list=discover
add interface=ether3-slave-local list=discover
add interface=ether4-slave-local list=discover
add interface=sfp1-slave-local list=discover
add interface=bridge-local list=discover
add interface=bridge-local list=mactel
add interface=ether1-gateway list=WAN
/interface ovpn-server server
add auth=sha1,md5 mac-address=FE:0F:66:BD:3A:20 name=ovpn-server1
/interface sstp-server server
set default-profile=default-encryption
/interface wireguard peers
add allowed-address=192.168.0.0/16,224.0.0.0/4 endpoint-address=\
    XXXXXXXXXXXXXXXX endpoint-port=13231 interface=wireguard1 name=peer4 \
    persistent-keepalive=25s public-key=\
    "XXXXXXXXXXXXXXXX"
/ip address
add address=192.168.1.1/24 comment="default configuration" interface=\
    bridge-local network=192.168.1.0
add address=192.168.2.1/24 interface=wireguard1 network=192.168.2.0
/ip arp
add address=192.168.0.1 interface=ether1-gateway mac-address=\
    XXXXXXXXXXXXX
/ip dhcp-client
add comment="default configuration" interface=ether1-gateway
/ip dhcp-server network
add address=192.168.1.0/24 comment="default configuration" gateway=\
    192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.1.1 name=router type=A
/ip firewall address-list
add address=XXXXXXXXXXXXX comment=MPAP list=NASviaWAN
add address=XXXXXXXXXXXXX comment="Oracle Cloud" list=NASviaWAN
/ip firewall filter
add action=accept chain=input comment=WireGuard dst-port=13231 protocol=udp \
    src-address=XXXXXXXXXXXXX
add action=accept chain=input comment="Wireguard: entrada" in-interface=\
    wireguard1 src-address=192.168.2.2
add action=accept chain=input comment="Geral: Conexoes estabelecidas" \
    connection-state=established
add action=accept chain=input comment="Mikrotik via WAN" disabled=yes \
    dst-address-type="" dst-port=8084-8089 protocol=tcp
add action=accept chain=input comment="Geral: Ping na WAN" protocol=icmp
add action=accept chain=input comment="Geral: Conexoes relacionadas" \
    connection-state=related
add action=accept chain=forward comment="Forward - Bridge > Wireguard" \
    in-interface=bridge-local out-interface=wireguard1
add action=accept chain=forward comment="Forward - Wireguard > Bridge" \
    in-interface=wireguard1 out-interface=bridge-local
add action=fasttrack-connection chain=forward comment=\
    "Geral: Redirecionamento" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment=\
    "Geral: Conexoes estabelecidas e relacionadas" connection-state=\
    established,related
add action=drop chain=forward comment=\
    "Geral: Redirecionamento - Conexoes invalidas" connection-state=invalid
add action=drop chain=forward comment=\
    "Geral: Conexoes novas - Exceto destinadas a internet" \
    connection-nat-state=!dstnat connection-state=new in-interface=\
    ether1-gateway
add action=drop chain=input comment=\
    "Geral: Conexoes que nao venham da lista MACTEL" in-interface-list=\
    !mactel
/ip firewall mangle
add action=change-ttl chain=prerouting disabled=yes dst-address=224.0.0.0/4 \
    new-ttl=increment:2
/ip firewall nat
add action=masquerade chain=srcnat comment=WAN out-interface=ether1-gateway \
    out-interface-list=WAN
add action=dst-nat chain=dstnat comment="WAN: Mikrotik" disabled=yes \
    dst-address=192.168.100.4 dst-port=8291 protocol=tcp src-address-list=\
    NASviaWAN to-addresses=192.168.1.1 to-ports=8084
add action=dst-nat chain=dstnat comment="WAN: NAS/H90" disabled=yes \
    dst-address-type="" dst-port=8085 protocol=tcp src-address-list=NASviaWAN \
    to-addresses=192.168.1.65 to-ports=445
add action=dst-nat chain=dstnat comment="WAN: H200" disabled=yes dst-address=\
    192.168.100.2 dst-port=8086 protocol=tcp src-address-list=NASviaWAN \
    to-addresses=192.168.1.66 to-ports=445
add action=dst-nat chain=dstnat comment="WAN: OrangePI/SSH" disabled=yes \
    dst-port=8088 protocol=tcp src-address-list=NASviaWAN to-addresses=\
    192.168.1.10 to-ports=22
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no dst-address=239.0.0.0/8 gateway=bridge-local routing-table=\
    main suppress-hw-offload=no
/ip service
set ftp disabled=yes
set www port=8084
set api disabled=yes
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/lcd
set backlight-timeout=1m enabled=no touch-screen=disabled
/lcd interface pages
set 0 interfaces=wlan1
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/routing igmp-proxy
set quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 disabled=yes interface=wireguard1 \
    threshold=0 upstream=yes
add alternative-subnets=0.0.0.0/0 disabled=yes interface=bridge-local \
    threshold=0
/routing ospf area
add disabled=yes instance=*1 name=backbone-v2
/system clock
set time-zone-name=America/Sao_Paulo
/system logging
set 0 action=disk disabled=yes
set 1 action=disk
set 2 action=disk
set 3 action=disk
add action=remote
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool romon
set enabled=yes id=00:00:00:00:00:01
/tool sniffer
set filter-interface=wireguard1

Hi, everybody! Great news: I’ve done it: DLNA through Wireguard (Linux [upstream interface] > Mikrotik [downstream interface])!

My scenario is described above and I’ve tried hundreds of suggestions, but none was successful (igmp proxy, pim, eoip [I had issues with linux-side], firewall rules [input, forward and output]). Nothing worked!
So, after chatting for hours and hours with ChatGPT, it suggested that I use VXLAN over wireguard. I will list what I have done to make it work:

  1. Scenario: my mikrotik lan: 192.168.1.0/24; wireguard/mikrotik: 192.168.2.1; wireguard/linux: 192.168.2.2;
  2. Then, I created a VXLAN on both sides, setting up the following config:
    a) Mikrotik: local-address: 192.168.2.1; remote-address 192.168.2.2;
    b) Linux: local-address: 192.168.2.2; remote-address: 192.168.2.1;
  3. Even doing that, DLNA wasn’t working.
  4. Then, ChatGPT suggested that I do this on the linux-side (steps needed to work):
    a) Create a bridge;
    b) Include the VXLAN interface into the bridge;
    c) In /etc/minidlna.conf, set the network interface as br0 (the bridge I’ve created);
    d) Now, these are the most important steps/information:
      • The VXLAN interfaces, on both sides, have no IP and have no group or interface set (as far as I learned and was taught by ChatGPT, DLNA uses both multicast and unicast, so indicating a group and interface would make VXLAN work only in multicast mode, not in both);
      • The bridge, on the linux-side, was given an IP, but not any IP: it only worked when I set a 192.168.1.* IP. ChatGPT explained that by saying that “silly devices” would only search for DLNA within the corresponding network IP range (192.168.1.0/24, in my case);
  5. I had some issues and tried some solutions simultaneously, so I will write them here, in case they are necessary to make DLNA work:
    a) Firewall rules were applied on both sides, only to allow general traffic/protocols on both sides, taking into consideration only the wireguard interface; I didn’t apply any rules related to the bridge or VXLAN interfaces;
    b) I didn’t use igmp proxy, PIM SM or any of these tools on the mikrotik-side or linux-side; DLNA is pure;
    c) I’ve edited /etc/smcroute.conf, and that’s my config:

        phyint br0 enable
        phyint wg0 enable

        mgroup from br0 group 239.255.255.250
        mroute from br0 group 239.255.255.250 to wg0

And that’s it!
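
Added example, not part of the original posts: a sketch of the Linux-side steps from the last post (unicast VXLAN between the two WireGuard addresses, bridge with a 192.168.1.* address), with the MTU derived from the tunnel's 1420 and the VXLAN port restricted to the tunnel. The VNI, UDP port, device name `vxlan100` and bridge address `192.168.1.5/24` are assumptions and do not come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed values: VNI 100, UDP port 8472,
# device name vxlan100, bridge address 192.168.1.5/24 (outside the DHCP pool).
# From the thread: wg0, br0, 192.168.2.2 (Linux), 192.168.2.1 (MikroTik), MTU 1420.
WG_IF=wg0; BR_IF=br0; VX_IF=vxlan100
VNI=100; VX_PORT=8472            # must match the VXLAN settings on the MikroTik
LOCAL=192.168.2.2; REMOTE=192.168.2.1
BR_ADDR=192.168.1.5/24
WG_MTU=1420

# VXLAN over IPv4 costs 50 bytes per frame:
# inner Ethernet 14 + VXLAN 8 + UDP 8 + outer IPv4 20.
vxlan_mtu() { echo $(( $1 - 50 )); }

# Emit the setup commands in order. Nothing is executed here.
plan() {
  mtu=$(vxlan_mtu "$WG_MTU")
  cat <<EOF
ip link add $VX_IF type vxlan id $VNI local $LOCAL remote $REMOTE dstport $VX_PORT
ip link set $VX_IF mtu $mtu
ip link add $BR_IF type bridge
ip link set $VX_IF master $BR_IF
ip addr add $BR_ADDR dev $BR_IF
ip link set $VX_IF up
ip link set $BR_IF up
iptables -A INPUT -i $WG_IF -s $REMOTE -p udp --dport $VX_PORT -j ACCEPT
iptables -A INPUT -p udp --dport $VX_PORT -j DROP
EOF
}
# VXLAN has no authentication of its own, so the last two rules accept it only
# from the peer inside the tunnel and drop it on every other interface.

# Print the plan by default; execute it only with APPLY=1 (as root).
run() {
  if [ "${APPLY:-0}" = 1 ]; then
    plan | while read -r cmd; do $cmd || exit 1; done
  else
    plan
  fi
}
run
```

Once applied, `network_interface=br0` in /etc/minidlna.conf corresponds to step 4c, and the VXLAN interface on the MikroTik should carry the same MTU.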