UpRunTech
Member Candidate
Topic Author
Posts: 187
Joined: Fri Jul 27, 2012 12:11 pm

HOW TO: mDNS and SSDP over Wireguard

Sun Mar 26, 2023 12:47 am

This is a guide for getting mDNS (Bonjour) and SSDP (for DLNA) working across a Wireguard interface linking two Mikrotik routers running ROS7.7 or greater without needing fluff like IGMP Proxy/PIM/Avahi/Containers.

The attachment below shows the implementation. Bold above the flag symbol indicates actual interfaces. The heavy vertical lines are a shared network layer.

The routers' bridges are not using VLAN-filtering as it's usually not necessary in this case for home routers.


Wireguard

Side A:
/interface wireguard
add listen-port=13231 mtu=1412 name=Wireguard
/interface wireguard peers
add allowed-address=172.16.200.0/24 endpoint-address=site-b.com \
    endpoint-port=13231 interface=Wireguard public-key=\
    "<side b's public key>"

/ip route
add disabled=no distance=1 dst-address=172.16.200.0/24 gateway=Wireguard \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10

Side B:
/interface wireguard
add listen-port=13231 mtu=1412 name=Wireguard
/interface wireguard peers
add allowed-address=172.16.100.0/24 endpoint-address=site-a.com \
    endpoint-port=13231 interface=Wireguard public-key=\
    "<side a's public key>"

/ip route
add disabled=no distance=1 dst-address=172.16.100.0/24 gateway=Wireguard \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10

This is a typical Wireguard config, don't forget to allow your firewall to accept UDP on port 13231 on the input chain for Wireguard traffic.

In this case I have set the MTU to 1412 down from the default 1420 as one side of the link uses PPPoE. You will need to adjust this to suit your connection.
The routes are needed of course so each router can find the subnet on the opposing side.


EoIP

Side A:
/interface eoip
add !keepalive local-address=172.16.100.254 mtu=\
    1500 name=EoIP remote-address=172.16.200.254 tunnel-id=1

Side B:
/interface eoip
add !keepalive local-address=172.16.200.254 mtu=\
    1500 name=EoIP remote-address=172.16.100.254 tunnel-id=1

Here we set up the EoIP interface. No IPSEC is needed as it runs through the Wireguard link.

Don't forget to add the EoIP port to the main bridge at each end.

Side A and B:
/interface bridge port
add bridge=BridgeMain interface=EoIP


Bridge Filtering

At this stage both bridges are linked in the broadcast domain which will be a disaster if left unfiltered. Any broadcasts including DHCP requests and replies will flow both ways.

We just want to let mDNS and SSDP broadcasts through and absolutely nothing else and this can be done by using the Bridge Filter - I think a powerful feature of ROS usually forgotten lying in a dusty corner.

Side A and B:
/interface bridge filter
add action=accept chain=forward comment="Allow mDNS" dst-address=224.0.0.251/32 \
    dst-mac-address=01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF dst-port=5353 \
    ip-protocol=udp mac-protocol=ip out-interface=EoIP src-port=5353
add action=accept chain=forward comment="Allow SSDP" dst-address=239.255.255.250/32 \
    dst-mac-address=01:00:5E:7F:FF:FA/FF:FF:FF:FF:FF:FF dst-port=1900 \
    ip-protocol=udp log-prefix=SSDP mac-protocol=ip out-interface=EoIP
add action=drop chain=forward out-interface=EoIP
add action=drop chain=output out-interface=EoIP

This filtering will preserve the ethernet frames' source MAC addresses which start with 01: and are needed to ensure proper flooding on the networks at the other side.

mDNS traffic both ways seems to all be done with broadcasts. The contents of the mDNS packets will contain IP addresses of the services and once a client learns of the service will communicate over the normal Wireguard route on layer 3.

SSDP (DLNA) discovery traffic is a broadcast from the client to find out what servers are available. The server replies with a unicast message on layer 3 to that client by sending a UDP packet back to the source IP and UDP port the client sent the broadcast from.

In my case the DLNA server is MythTV but due to a security issue from 2014 it now only replies to client broadcasts from the subnets it's a member of. Other DLNA servers might have the same behaviour. I had to make some DSTNAT and SRCNAT rules to fool it.

On the router on the same side as MythTV I had these NAT rules.

The router at that side has a gateway address of 172.16.100.254 so for my own clarity I added an address of 172.16.100.253. The TV on the other side is 172.16.200.237, MythTV is 172.16.100.200.

The src-nat rule makes the TV's IP address appear to come from the same subnet as the MythTV when the discovery broadcast comes through. It still preserves the MAC frame source address of 01:etc. so it can be flooded to the subnet.

The dst-nat rule takes the unicast reply from MythTV which thinks it's replying to 172.16.100.253 (the router's other address) and rewrites it to the TV's address which then goes over Wireguard. Any further communication between MythTV and the TV Client is done over the normally routed unicast and doesn't need NATting.

/ip firewall nat
add action=src-nat chain=srcnat comment="SSDP broadcast" dst-address=239.255.255.250 \
    src-address=172.16.200.237 to-addresses=172.16.100.253
add action=dst-nat chain=dstnat comment="SSDP unicast reply" dst-address=172.16.100.253 \
    src-address=172.16.100.200 to-addresses=172.16.200.237

Using this example as a framework you could possibly use the following substitutions but it's out of the scope of this document.
EoIP: VLANX, VPLS (?), OpenVPN TAP
Wireguard: L2TP, PPP, IPSec, OpenVPN TUN


References:

Wireguard: https://help.mikrotik.com/docs/display/ROS/WireGuard
EoIP: https://help.mikrotik.com/docs/display/ROS/EoIP
Bridge Firewall: https://help.mikrotik.com/docs/display/ ... geFirewall
mDNS: https://en.wikipedia.org/wiki/Multicast_DNS
SSDP: https://en.wikipedia.org/wiki/Simple_Se ... y_Protocol
Forum discussion: viewtopic.php?p=985190&hilit=mdns#p985190
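As an added example (not part of the original post), here is a small Python model of the bridge filter forward chain above. It derives the 01:00:5E multicast MAC from the group IP, so you can see why the two dst-mac-address values in the rules are what they are, and evaluates constructed frames with RouterOS first-match semantics to check what reaches the EoIP port: mDNS and SSDP pass, DHCP and a legacy unicast mDNS query from an ephemeral port do not. The Frame class and rule table are my own constructions.

```python
import ipaddress
from dataclasses import dataclass

def multicast_mac(group: str) -> str:
    """IPv4 multicast group -> 01:00:5E MAC (low 23 bits of the group address, RFC 1112)."""
    ip = ipaddress.IPv4Address(group)
    if not ip.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    low23 = int(ip) & 0x7FFFFF
    return "01:00:5E:%02X:%02X:%02X" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)

@dataclass
class Frame:                      # constructed, minimal view of one bridged frame
    dst_mac: str
    dst_ip: str
    ip_protocol: str
    src_port: int
    dst_port: int
    out_interface: str = "EoIP"

# Model of the thread's 'forward' chain; every rule is scoped to out-interface=EoIP.
FORWARD_CHAIN = [
    {"name": "Allow mDNS", "action": "accept", "dst_ip": "224.0.0.251",     "dst_port": 5353, "src_port": 5353},
    {"name": "Allow SSDP", "action": "accept", "dst_ip": "239.255.255.250", "dst_port": 1900, "src_port": None},
    {"name": "drop rest",  "action": "drop",   "dst_ip": None,              "dst_port": None, "src_port": None},
]

def _matches(rule: dict, f: Frame) -> bool:
    if f.out_interface != "EoIP":
        return False
    if rule["dst_ip"] is None:            # the catch-all drop has no L3/L4 matchers
        return True
    return (f.ip_protocol == "udp"
            and f.dst_ip == rule["dst_ip"]
            # the rules also pin the multicast MAC, so IP and MAC must agree
            and f.dst_mac.upper() == multicast_mac(rule["dst_ip"])
            and f.dst_port == rule["dst_port"]
            and (rule["src_port"] is None or f.src_port == rule["src_port"]))

def bridge_forward(f: Frame) -> str:
    """First matching rule decides; no match means the bridge filter default (accept)."""
    for rule in FORWARD_CHAIN:
        if _matches(rule, f):
            return rule["action"]
    return "accept"

if __name__ == "__main__":
    print(bridge_forward(Frame("01:00:5e:00:00:fb", "224.0.0.251", "udp", 5353, 5353)))   # accept
    print(bridge_forward(Frame("ff:ff:ff:ff:ff:ff", "255.255.255.255", "udp", 68, 67)))  # drop (DHCP)
```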
 
anav
Forum Guru
Posts: 17414
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: HOW TO: mDNS and SSDP over Wireguard

Sun Mar 26, 2023 2:55 am

Interesting thread! Good to use to check similar work done here --> viewtopic.php?t=194646
Where Solution 5 addresses mDNS and at the bottom of the post I linked to this thread.
The diagram is very nice!
 
Valerio5000
Frequent Visitor
Posts: 79
Joined: Fri Dec 06, 2013 2:38 am

Re: HOW TO: mDNS and SSDP over Wireguard

Tue Apr 11, 2023 5:06 pm

Hi, I'm very interested in this project, just one question: in your example you forward mDNS / SSDP traffic to a specific IP. How can I make all subnets receive this traffic instead of a single IP? (I'm no ROS expert :D )
 
UpRunTech
Member Candidate
Topic Author
Posts: 187
Joined: Fri Jul 27, 2012 12:11 pm

Re: HOW TO: mDNS and SSDP over Wireguard

Wed Jun 07, 2023 11:21 pm

Hi, I'm very interested in this project, just one question: in your example you forward mDNS / SSDP traffic to a specific IP. How can I make all subnets receive this traffic instead of a single IP? (I'm no ROS expert :D )
I had to do this just for MythTV. It doesn't respond to client broadcasts if they are not on the same subnet(s) as MythTV itself so I had to fool it with the extra NAT rules using the router as a kind of proxy address to make it appear the broadcast came from a device on the same subnet.

Other SSDP/DLNA servers might not have this issue - you'd have to do it case by case. I tested it the other day and watched some recorded TV come from my house on the LG TV using its built-in Picture/Video viewer app. If SSDP is working the server appears as an option to browse in the app.
 
Valerio5000
Frequent Visitor
Posts: 79
Joined: Fri Dec 06, 2013 2:38 am

Re: HOW TO: mDNS and SSDP over Wireguard

Thu Aug 17, 2023 9:12 pm

I can confirm that everything works at least as far as DLNA is concerned. My home LAN has a DLNA server (Synology NAS) connected with an AC2 HAP. In my house in the mountains I have a HAP AC3 LTE to which I connected a 2010 Samsung TV and...Perfect !!

I saw my NAS appear in the list of input devices and I could browse movies without problems.

I have passed an EoIP in Wireguard and applied the rules in the firewall bridge.

Request:

1. Why can't I see the RB of the remote LAN in WinBox?
2. With this great trick of yours is it possible to use those applications like LAN Messenger or even create a LAN party with a game via LAN where the server is on one LAN and the clients are on the opposite one?
