UpRunTech
Member Candidate
Topic Author
Posts: 235
Joined: Fri Jul 27, 2012 12:11 pm

HOW TO: mDNS and SSDP over Wireguard

Sun Mar 26, 2023 12:47 am

This is a guide for getting mDNS (Bonjour) and SSDP (for DLNA) working across a Wireguard interface linking two Mikrotik routers running ROS7.7 or greater without needing fluff like IGMP Proxy/PIM/Avahi/Containers.

The attachment below shows the implementation. Bold above the flag symbol indicates actual interfaces. The heavy vertical lines are a shared network layer.

The routers' bridges are not using VLAN-filtering as it's usually not necessary in this case for home routers.


Wireguard

Side A:
/interface wireguard
add listen-port=13231 mtu=1412 name=Wireguard
/interface wireguard peers
# the peer entry carries the remote router's (side B's) public key
add allowed-address=172.16.200.0/24 endpoint-address=site-b.com \
    endpoint-port=13231 interface=Wireguard public-key=\
    "<side b's public key>"

/ip route
add disabled=no distance=1 dst-address=172.16.200.0/24 gateway=Wireguard \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10

Side B:
/interface wireguard
add listen-port=13231 mtu=1412 name=Wireguard
/interface wireguard peers
# the peer entry carries the remote router's (side A's) public key
add allowed-address=172.16.100.0/24 endpoint-address=site-a.com \
    endpoint-port=13231 interface=Wireguard public-key=\
    "<side a's public key>"

/ip route
add disabled=no distance=1 dst-address=172.16.100.0/24 gateway=Wireguard \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10

This is a typical Wireguard config, don't forget to allow your firewall to accept UDP on port 13231 on the input chain for Wireguard traffic.

In this case I have set the MTU to 1412 down from the default 1420 as one side of the link uses PPPoE. You will need to adjust this to suit your connection.
The routes are needed of course so each router can find the subnet on the opposing side.


EoIP

Side A:
/interface eoip
add !keepalive local-address=172.16.100.254 mtu=\
    1500 name=EoIP remote-address=172.16.200.254 tunnel-id=1

Side B:
/interface eoip
add !keepalive local-address=172.16.200.254 mtu=\
    1500 name=EoIP remote-address=172.16.100.254 tunnel-id=1

Here we set up the EoIP interface. No IPSEC is needed as it runs through the Wireguard link.

Don't forget to add the EoIP port to the main bridge at each end.

Side A and B:
/interface bridge port
add bridge=BridgeMain interface=EoIP


Bridge Filtering

At this stage both bridges are linked in the broadcast domain which will be a disaster if left unfiltered. Any broadcasts including DHCP requests and replies will flow both ways.

We just want to let mDNS and SSDP broadcasts through and absolutely nothing else, and this can be done by using the Bridge Filter, which I think is a powerful feature of ROS, usually forgotten and lying in a dusty corner.

Side A and B:
/interface bridge filter
add action=accept chain=forward comment="Allow mDNS" dst-address=224.0.0.251/32 \
    dst-mac-address=01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF dst-port=5353 \
    ip-protocol=udp mac-protocol=ip out-interface=EoIP src-port=5353
add action=accept chain=forward comment="Allow SSDP" dst-address=239.255.255.250/32 \
    dst-mac-address=01:00:5E:7F:FF:FA/FF:FF:FF:FF:FF:FF dst-port=1900 \
    ip-protocol=udp log-prefix=SSDP mac-protocol=ip out-interface=EoIP
add action=drop chain=forward out-interface=EoIP
add action=drop chain=output out-interface=EoIP

This filtering will preserve the ethernet frames' source MAC addresses which start with 01: and are needed to ensure proper flooding on the networks at the other side.

mDNS traffic both ways seems to all be done with broadcasts. The contents of the mDNS packets will contain IP addresses of the services and once a client learns of the service will communicate over the normal Wireguard route on layer 3.

SSDP (DLNA) discovery traffic is a broadcast from the client to find out what servers are available. The server replies with a unicast message on layer 3 to that client by sending a UDP packet back to the source IP and UDP port the client sent the broadcast from.

In my case the DLNA server is MythTV but due to a security issue from 2014 it now only replies to client broadcasts from the subnets it's a member of. Other DLNA servers might have the same behaviour. I had to make some DSTNAT and SRCNAT rules to fool it.

On the router on the same side as MythTV I had these NAT rules.

The router at that side has a gateway address of 172.16.100.254 so for my own clarity I added an address of 172.16.100.253. The TV on the other side is 172.16.200.237, MythTV is 172.16.100.200.

The src-nat rule makes the TV's IP address appear to come from the same subnet as the MythTV when the discovery broadcast comes through. It still preserves the MAC frame source address of 01:etc. so it can be flooded to the subnet.

The dst-nat rule takes the unicast reply from MythTV, which thinks it's replying to 172.16.100.253 (the router's other address), and rewrites it to the TV's address, which then goes over Wireguard. Any further communication between MythTV and the TV client is done over the normally routed unicast and doesn't need NATting.

/ip firewall nat
add action=src-nat chain=srcnat comment="SSDP broadcast" dst-address=239.255.255.250 \
    src-address=172.16.200.237 to-addresses=172.16.100.253
add action=dst-nat chain=dstnat comment="SSDP unicast reply" dst-address=172.16.100.253 \
    src-address=172.16.100.200 to-addresses=172.16.200.237

Using this example as a framework you could possibly use the following substitutions but it's out of the scope of this document.
EoIP: VLANX, VPLS (?), OpenVPN TAP
Wireguard: L2TP, PPP, IPSec, OpenVPN TUN, GRE


References:

Wireguard: https://help.mikrotik.com/docs/display/ROS/WireGuard
EoIP: https://help.mikrotik.com/docs/display/ROS/EoIP
Bridge Firewall: https://help.mikrotik.com/docs/display/ ... geFirewall
mDNS: https://en.wikipedia.org/wiki/Multicast_DNS
SSDP: https://en.wikipedia.org/wiki/Simple_Se ... y_Protocol
Forum discussion: viewtopic.php?p=985190&hilit=mdns#p985190
Last edited by UpRunTech on Sat Jan 13, 2024 10:37 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 20918
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: HOW TO: mDNS and SSDP over Wireguard

Sun Mar 26, 2023 2:55 am

Interesting thread! Good to use to check similar work done here --> viewtopic.php?t=194646
where Solution 5 addresses mDNS, and at the bottom of the post I linked to this thread.
The diagram is very nice!
 
Valerio5000
Member Candidate
Posts: 101
Joined: Fri Dec 06, 2013 2:38 am

Re: HOW TO: mDNS and SSDP over Wireguard

Tue Apr 11, 2023 5:06 pm

Hi, I'm very interested in this project, just one question: in your example you forward mDNS / SSDP traffic to a specific IP. How can I make all subnets receive this traffic instead of a single IP? (I'm no ROS expert :D )
 
UpRunTech
Member Candidate
Topic Author
Posts: 235
Joined: Fri Jul 27, 2012 12:11 pm

Re: HOW TO: mDNS and SSDP over Wireguard

Wed Jun 07, 2023 11:21 pm

> Hi, I'm very interested in this project, just one question: in your example you forward mDNS / SSDP traffic to a specific IP. How can I make all subnets receive this traffic instead of a single IP? (I'm no ROS expert :D )
I had to do this just for MythTV. It doesn't respond to client broadcasts if they are not on the same subnet(s) as MythTV itself, so I had to fool it with the extra NAT rules, using the router as a kind of proxy address to make it appear the broadcast came from a device on the same subnet.

Other SSDP/DLNA servers might not have this issue; you'd have to do it case by case. I tested it the other day and watched some recorded TV come from my house on the LG TV using its built-in Picture/Video viewer app. If SSDP is working, the server appears as an option to browse in the app.
 
Valerio5000
Member Candidate
Posts: 101
Joined: Fri Dec 06, 2013 2:38 am

Re: HOW TO: mDNS and SSDP over Wireguard

Thu Aug 17, 2023 9:12 pm

I can confirm that everything works at least as far as DLNA is concerned. My home LAN has a DLNA server (Synology NAS) connected with an AC2 HAP. In my house in the mountains I have a HAP AC3 LTE to which I connected a 2010 Samsung TV and...Perfect !!

I saw my NAS appear in the list of input devices and I could browse movies without problems.

I have passed an EoIP in Wireguard and applied the rules in the firewall bridge.

Request:

1. Why can't I see the RB of the remote LAN in WinBox?
2. With this great trick of yours is it possible to use those applications like LAN Messenger or even create a LAN party with a game via LAN where the server is on one LAN and the clients are on the opposite one?
 
UpRunTech
Member Candidate
Topic Author
Posts: 235
Joined: Fri Jul 27, 2012 12:11 pm

Re: HOW TO: mDNS and SSDP over Wireguard

Tue Oct 03, 2023 10:55 pm

1) That uses a different discovery process, not mDNS or SSDP.
2) You'd have to investigate how those protocols work to see what bridge filtering and NATing you need to do.
 
anav
Forum Guru
Posts: 20918
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: HOW TO: mDNS and SSDP over Wireguard

Fri Oct 27, 2023 4:12 pm

Valerio, if you want to have LAN parties and more complex setups, I suggest upgrading your router to one that is Zerotier capable; it would be perfect for your needs.
 
UpRunTech
Member Candidate
Topic Author
Posts: 235
Joined: Fri Jul 27, 2012 12:11 pm

Re: HOW TO: mDNS and SSDP over Wireguard

Sat Oct 28, 2023 7:47 am

I have tested PIM-SM over this same Wireguard link (disabling EoIP of course) and found the following.
  • mDNS does not get routed by PIM, as expected (as it's meant to be link-local only), even when adding a static GMP for 224.0.0.251 on the Bridge and Wireguard interfaces on each side.
  • The Chromecasts are discovered using SSDP/DIAL, which the device also supports and which is PIM compatible. The YouTube app can see the CC on the other side and cast to it.
  • Windows' WSD printer discovery doesn't seem to work, even though it looks like it's PIM compatible. The spec for the WS-Discovery process seems to imply it's link-local only.
I'll try Zerotier next.

* WSD discovery protocol page 8 - https://specs.xmlsoap.org/ws/2005/04/di ... covery.pdf
* DIAL v 2.2.1 page 8 http://www.dial-multiscreen.org/dial-pr ... cification
 
Amm0
Forum Guru
Posts: 4013
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: HOW TO: mDNS and SSDP over Wireguard

Sat Oct 28, 2023 4:53 pm

> I'll try Zerotier next.
One approach for ZeroTier is to use the flow rules to restrict the network to ONLY multicast discovery (e.g. 224.0.0.0/24) & then bridge ZT interfaces to the desired VLAN.

This allows WG (which will likely be faster) to carry the "normal" (unicast) traffic AFTER mDNS has found the device. In most cases, the mDNS lookup results in a unicast IP address, so all the WG setup/firewall/etc. apply once mDNS has found the device. In theory, you could have two or more ZeroTier interfaces on the same "discovery ZT network" if you want to bridge mDNS/"multicast discovery" to additional VLANs, & since ZT's flow rules would limit it to multicast, no loops should be possible.

More conceptual here, I haven't tested this.
 
nichky
Forum Guru
Posts: 1370
Joined: Tue Jun 23, 2015 2:35 pm

Re: HOW TO: mDNS and SSDP over Wireguard

Mon Oct 30, 2023 5:49 am

> /interface bridge filter
> add action=accept chain=forward comment="Allow mDNS" dst-address=224.0.0.251/32 \
>     dst-mac-address=01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF dst-port=5353 \
>     ip-protocol=udp mac-protocol=ip out-interface=EoIP src-port=5353
> add action=accept chain=forward comment="Allow SSDP" dst-address=239.255.255.250/32 \
>     dst-mac-address=01:00:5E:7F:FF:FA/FF:FF:FF:FF:FF:FF dst-port=1900 \
>     ip-protocol=udp log-prefix=SSDP mac-protocol=ip out-interface=EoIP
> add action=drop chain=forward out-interface=EoIP
> add action=drop chain=output out-interface=EoIP
Very nice.

Just a quick one: basically, here you are allowing the MAC address of particular devices
that site A==B can get access to?
 
UpRunTech
Member Candidate
Topic Author
Posts: 235
Joined: Fri Jul 27, 2012 12:11 pm

Re: HOW TO: mDNS and SSDP over Wireguard

Wed Nov 01, 2023 10:58 pm

> Just a quick one: basically, here you are allowing the MAC address of particular devices
> that site A==B can get access to?
No, you'll notice it's a dst-mac-address, and I am being extra pedantic about making sure it's the right multicast ethernet address associated with that multicast IP.

If you wanted to allow only certain src-MACs you'd have to packet-mark them beforehand and then include that mark as a filter target in the above allow rules. The only lists in the bridge filter are interface lists, which don't help here.
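An added check, not code from the post or from MikroTik, for the bridge filter rules quoted above and for the point about pairing each multicast IP with the right multicast Ethernet address: it derives the MAC from each accept rule's dst-address (01:00:5E plus the low 23 bits of the group, per RFC 1112) and flags any rule whose dst-mac-address disagrees. BRIDGE_FILTER_RULES is the first post's rule text embedded as parser input; the function names are my own.

```python
import ipaddress
import re

# Rule text copied from the first post (two accept rules, two drops), as parser input.
BRIDGE_FILTER_RULES = """
add action=accept chain=forward comment="Allow mDNS" dst-address=224.0.0.251/32 \\
    dst-mac-address=01:00:5E:00:00:FB/FF:FF:FF:FF:FF:FF dst-port=5353 \\
    ip-protocol=udp mac-protocol=ip out-interface=EoIP src-port=5353
add action=accept chain=forward comment="Allow SSDP" dst-address=239.255.255.250/32 \\
    dst-mac-address=01:00:5E:7F:FF:FA/FF:FF:FF:FF:FF:FF dst-port=1900 \\
    ip-protocol=udp log-prefix=SSDP mac-protocol=ip out-interface=EoIP
add action=drop chain=forward out-interface=EoIP
add action=drop chain=output out-interface=EoIP
"""

def multicast_mac(group: str) -> str:
    """RFC 1112 mapping: 01:00:5E plus the low 23 bits of the IPv4 group.
    The top 5 host bits are not encoded, so 32 groups share each MAC; that is
    why the rules match on both dst-address and dst-mac-address."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5E:%02X:%02X:%02X" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)

def parse_rules(text: str) -> list[dict]:
    """Join RouterOS backslash line continuations and split each 'add' line into
    key=value pairs (quoted values such as comment="..." may contain spaces)."""
    joined = text.replace("\\\n", " ")
    rules = []
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("add "):
            pairs = re.findall(r'(\S+?)=("[^"]*"|\S+)', line[4:])
            rules.append({k: v.strip('"') for k, v in pairs})
    return rules

def lint_accept_rules(text: str) -> list[str]:
    """One finding per accept rule whose dst-mac-address disagrees with the MAC
    derived from its dst-address; an empty list means the rules are consistent."""
    findings = []
    for rule in parse_rules(text):
        if rule.get("action") != "accept":
            continue
        group = rule["dst-address"].split("/")[0]
        mac = rule["dst-mac-address"].split("/")[0].upper()
        expected = multicast_mac(group)
        if mac != expected:
            findings.append(f"{rule.get('comment')}: {group} maps to {expected}, rule has {mac}")
    return findings
```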
 
nichky
Forum Guru
Posts: 1370
Joined: Tue Jun 23, 2015 2:35 pm

Re: HOW TO: mDNS and SSDP over Wireguard

Thu Nov 02, 2023 3:49 am

we are waiting for the second part, with the Zerotier
 
Valerio5000
Member Candidate
Posts: 101
Joined: Fri Dec 06, 2013 2:38 am

Re: HOW TO: mDNS and SSDP over Wireguard

Fri Nov 10, 2023 3:10 pm

> Valerio, if you want to have LAN parties and more complex setups, I suggest upgrading your router to one that is Zerotier capable; it would be perfect for your needs.
Thanks for the support !

My need would be to maintain different LAN subnets, each with its own DHCP server in order to make them independent.

Is this possible with Zerotier?
 
UpRunTech
Member Candidate
Topic Author
Posts: 235
Joined: Fri Jul 27, 2012 12:11 pm

Re: HOW TO: mDNS and SSDP over Wireguard

Thu Feb 08, 2024 12:08 pm

> > I'll try Zerotier next.
> One approach for ZeroTier is to use the flow rules to restrict the network to ONLY multicast discovery (e.g. 224.0.0.0/24) & then bridge ZT interfaces to the desired VLAN.
>
> More conceptual here, I haven't tested this.
I have switched from Wireguard to Zerotier on both Mikrotik routers in routed, not bridged, mode.

I have resorted to reinstating the EoIP tunnel with the mDNS bridge filtering over the Zerotier link.

As you say, you could put Zerotier in bridged mode and add it as a port on your main bridge at each end with filtering in Zerotier to only let mDNS broadcasts and maybe just ARP through plus the usual unicast traffic. I'll have to test it next.
 
Valerio5000
Member Candidate
Posts: 101
Joined: Fri Dec 06, 2013 2:38 am

Re: HOW TO: mDNS and SSDP over Wireguard

Wed Feb 28, 2024 10:02 am

> > One approach for ZeroTier is to use the flow rules to restrict the network to ONLY multicast discovery (e.g. 224.0.0.0/24) & then bridge ZT interfaces to the desired VLAN.
> >
> > More conceptual here, I haven't tested this.
> I have switched from Wireguard to Zerotier on both Mikrotik routers in routed, not bridged, mode.
>
> I have resorted to reinstating the EoIP tunnel with the mDNS bridge filtering over the Zerotier link.
>
> As you say, you could put Zerotier in bridged mode and add it as a port on your main bridge at each end with filtering in Zerotier to only let mDNS broadcasts and maybe just ARP through plus the usual unicast traffic. I'll have to test it next.
+1 ;)
