Letting an LGTV in other VLAN "castable"?

Folks,

I really appreciate your cooperation. I’m a bit stuck now with my goals:

1.) Wish to separate phones (VLAN1000) and other devices (like TV) with VLAN500
2.) Wish the phone (VLAN1000) to access the TV (VLAN500)
3.) Wish the TV (VLAN500) NOT access the phone (VLAN1000)

However, I wish to stream (cast) Spotify and YouTube to devices in VLAN500 from VLAN1000.

I didn’t see any problems while planning this, as VLAN1000 is generally allowed to access VLAN500.

Then I came across the problem: casting can’t find any devices. So I googled it, and found a nice “workaround” here: http://forum.mikrotik.com/t/mdns-between-vlans-with-just-bridge-filters-look-mum-no-containers/173295/1

I.e.: create macvlans under both VLAN500 and VLAN1000, add them to a virtual bridge (rejoin the 2 VLANs), then in bridge filter allow only mDNS to pass.

This solved Spotify’s casting problem: Spotify in VLAN1000 can find and control speakers in VLAN500. Good.

However, YouTube (generally LG TV) is another beast: it doesn’t (at least not the common way) use mDNS, but SSDP.

SSDP, however, starts with a multicast “M-SEARCH” message to 239.255.255.250 (from the phone), then the TV wants to send back a unicast UDP message to the phone. But this is (due to step 3) not allowed.

No worries, I wanted to dynamically add devices sending this “M-SEARCH” (UDP1900 to 239.255.255.250) to a “caster” address-list, with timeout, and allow VLAN500 (TV) to access “casters”.

I manually added my phone to “casters” and created the allow rule, and it works perfectly.

What I can’t do, is to dynamically add devices to the caster list, because my firewall rule doesn’t get triggered with any multicast address at all:

/ip/firewall/filter/add action=accept chain=forward dst-address=224.0.0.251 log=yes log-prefix="add them to list!"

But not a single packet hits this rule. (If I log all interfaces, I can clearly see these packets with Wireshark.) Is there any trick which prevents my firewall from accessing these packets? Maybe because the bridge filters are accepting these?

What about moving the action=add-src-to-address-list rule from chain forward in /ip/firewall/filter to chain prerouting in /ip/firewall/raw or /ip/firewall/mangle?
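A sketch of the approach suggested in the reply above, added here as an illustration and not posted by either participant or tested in the thread. The interface names `vlan500` and `vlan1000`, the 5-minute timeout and the restriction of the allow rule to UDP are assumptions; the list name `casters` and the SSDP address and port come from the question.

```routeros
# Added example, not from the thread. Assumed names: vlan500, vlan1000.
# Without multicast routing, a packet to 239.255.255.250 is never routed
# between interfaces, so it does not traverse the IP forward chain.
# It does traverse prerouting on the interface where it arrives.

# 1) Learn casters: any VLAN1000 host sending an SSDP M-SEARCH is added
#    to the "casters" list for a limited time (timeout is an assumption).
/ip/firewall/mangle/add chain=prerouting in-interface=vlan1000 \
    protocol=udp dst-address=239.255.255.250 dst-port=1900 \
    action=add-src-to-address-list address-list=casters \
    address-list-timeout=5m comment="learn SSDP casters"

# 2) Let VLAN500 devices answer only hosts currently on the list.
#    Limited to UDP here (the unicast SSDP reply described in the post);
#    this is narrower than a blanket "VLAN500 may access casters" rule.
#    Place it above the rule that drops VLAN500 -> VLAN1000 traffic.
/ip/firewall/filter/add chain=forward in-interface=vlan500 \
    out-interface=vlan1000 protocol=udp dst-address-list=casters \
    action=accept comment="SSDP replies to casters"

# 3) Check that entries appear and expire as expected.
/ip/firewall/address-list/print where list=casters
```

Keeping the timeout short limits how long a phone stays reachable from VLAN500 after it stops casting; the dynamic entry is refreshed each time the phone sends another M-SEARCH.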