Ubiquiti Unifi: mDNS and SSDP across VLANs

By Ryan, last updated March 17, 2022

After upgrading my home network from a flat layout to having VLAN functionality, I ran into a few issues.

In particular, I could no longer see the Roku devices on my new IoT VLAN from my Primary VLAN, which meant I couldn’t cast anything from my phone or tablet.

It took me quite a while to figure out how to make it work but eventually I did …

Contents

  • 1 Recap
  • 2 The Fix
  • 3 EdgeRouter Config
  • 4 Raspberry Pi Config

Recap

As a quick recap (more on my Unifi IoT VLAN here), I recently replaced some unmanaged D-Link 1G switches with Unifi USW-Lite-8-PoE and USW-Lite-16-PoE switches in order to add VLAN functionality.

I kept my Ubiquiti EdgeMax EdgeRouter 4 as the firewall/gateway, with a connection to two ISPs, and my Ubiquiti Unifi UAP-AC-LR as my AP.

I created a new IoT VLAN and moved all my non-Phone/Tablet/PC devices over to it.

Everything worked as expected … except mDNS and SSDP between the Primary VLAN and the IoT VLAN stopped working and I could no longer cast to my Rokus.

The Fix

After much digging, testing, and head-scratching, I was able to get it to work.

It turns out there are two different multicast protocols that can be used to cast to a streaming device:

  • mDNS: Multicast DNS
    • Destination Address: 224.0.0.251
    • Port: 5353 UDP
  • SSDP: Simple Service Discovery Protocol
    • Destination Address: 239.255.255.250
    • Port: 1900 UDP

Some streaming devices use only one of these protocols, and other devices use only the other, so a fix that repeats just mDNS or just SSDP will leave some devices invisible.
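To find out which of the two protocols a given device actually speaks, capture its discovery traffic on the VLAN and sort the datagrams by destination group and port. The following is an added example, not code from the original post: the datagrams are constructed samples (a Roku-style SSDP announcement and search, an mDNS response, and an unrelated unicast packet), and a real capture would come from tcpdump or similar.

```python
"""Tell mDNS from SSDP in captured UDP discovery traffic. Added example,
not from the original post; the sample datagrams below are constructed."""
import struct

MDNS = ("224.0.0.251", 5353)   # group/port pairs given in the post
SSDP = ("239.255.255.250", 1900)


def parse_ssdp(payload: bytes) -> dict:
    """Split an SSDP (HTTP-over-UDP) message into its method and headers."""
    lines = payload.decode("ascii", errors="replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().upper()] = value.strip()
    return {"method": lines[0].split(" ")[0], **headers}


def parse_mdns(payload: bytes) -> dict:
    """Decode the 12-byte DNS header; QR=1 is a device answering, QR=0 a query."""
    _tid, flags, qd, an, _ns, _ar = struct.unpack("!6H", payload[:12])
    return {"response": bool(flags & 0x8000), "questions": qd, "answers": an}


def classify(datagrams):
    """Map each (dst_ip, dst_port, payload) to the protocol it belongs to.
    Anything not aimed at the two groups is 'other', so traffic that should
    not be crossing the VLAN boundary stands out in the output."""
    out = []
    for dst_ip, dst_port, payload in datagrams:
        if (dst_ip, dst_port) == SSDP:
            out.append(("ssdp", parse_ssdp(payload)))
        elif (dst_ip, dst_port) == MDNS:
            out.append(("mdns", parse_mdns(payload)))
        else:
            out.append(("other", {"dst": f"{dst_ip}:{dst_port}"}))
    return out


# Constructed samples: a Roku-style SSDP NOTIFY, a phone's M-SEARCH for the
# same service, an mDNS response carrying one answer, and a unicast packet.
SAMPLE = [
    (*SSDP, b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            b"NT: roku:ecp\r\nUSN: uuid:EXAMPLE::roku:ecp\r\n"
            b"LOCATION: http://172.30.2.50:8060/\r\n\r\n"),
    (*SSDP, b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            b'MAN: "ssdp:discover"\r\nST: roku:ecp\r\nMX: 3\r\n\r\n'),
    (*MDNS, struct.pack("!6H", 0, 0x8400, 0, 1, 0, 0) + b"\x00"),
    ("172.30.2.50", 8060, b"GET / HTTP/1.1\r\n\r\n"),
]
```

Running `classify(SAMPLE)` on a real capture tells you whether a device announces itself over SSDP, mDNS, or both, which decides whether the EdgeRouter repeater alone is enough or the smcroute forwarder is needed too.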

Because of this, I wasn’t able to fix my Rokus solely using the EdgeRouter. I had to set up a VLAN interface on my Raspberry Pi and have it straddle both VLANs.

Not ideal, but it works, and I was able to make it secure enough that I was satisfied with the result.

This is what it took:

  • EdgeRouter
    • Enable the mDNS repeater option for both the Primary VLAN and the IoT VLAN
    • Allow the mDNS port inbound to the EdgeRouter from the IoT VLAN
  • Raspberry Pi
    • Set up a VLAN sub-interface with access to the IoT VLAN
    • Firewall the new sub-interface to allow nothing in
    • Set up smcrouted to repeat SSDP multicast traffic from the Primary VLAN into the IoT VLAN

EdgeRouter Config

Below are the config lines that I used to enable the mDNS repeater function on the EdgeRouter.

Note that ‘STREAM_LOCAL’ is the firewall ruleset applied to the ‘local’ section of the inbound IoT VLAN interface.

   set firewall group port-group mDNS port 5353
   set firewall name STREAM_LOCAL rule 60 description mDNS
   set firewall name STREAM_LOCAL rule 60 action accept
   set firewall name STREAM_LOCAL rule 60 protocol udp
   set firewall name STREAM_LOCAL rule 60 destination group port-group mDNS
   set service mdns repeater interface bond0
   set service mdns repeater interface bond0.18

These lines:

  • Create a new port group called ‘mDNS’ that contains just port 5353, the mDNS multicast port
  • Allow UDP port 5353 inbound to the EdgeRouter itself (not to the Internet, and not to the Primary VLAN)
  • Enable the mDNS repeater service on the Primary VLAN interface (bond0) and the IoT VLAN interface (bond0.18)

With just these rules, some devices may start working. I found that my Chromecast worked just fine after these lines were added.

This EdgeRouter and Unifi mDNS fix wasn’t enough to get my Rokus working though.

Raspberry Pi Config

To get the Rokus working, I also had to somehow get SSDP working between the Primary VLAN and the IoT VLAN.

Unfortunately I couldn’t find a way to get the EdgeRouter to do this, so I turned to my trusty Raspberry Pi.

The first thing I did was set up a VLAN sub-interface on the Pi, with an IP in the IoT VLAN range.

To do this, I added these lines to /etc/network/interfaces:

   auto eth0.18
   iface eth0.18 inet static
   address 172.30.2.4
   netmask 255.255.254.0

After a reboot, I could ping the EdgeRouter’s IP in the IoT VLAN.

Next, I installed smcroute:

   apt install smcroute

Then I added this config to /etc/smcroute.conf:

   phyint eth0 enable ttl-threshold 1
   phyint eth0.18 enable ttl-threshold 1
   mgroup from eth0 group 239.255.255.250
   mroute from eth0 group 239.255.255.250 to eth0.18

This tells smcrouted to join the 239.255.255.250 group on eth0 (the mgroup line, so the kernel actually delivers the packets) and to forward anything sent to that group out the eth0.18 interface (the mroute line). The ttl-threshold of 1 means packets with a TTL below 1 are dropped rather than forwarded.

Finally, I updated iptables to deny all traffic inbound on the eth0.18 interface and to allow forwarding from eth0 to eth0.18 on port 1900 UDP.

Once I started the smcrouted process, my Rokus started to show up on my phone and tablet as devices I could cast to, even from inside the YouTube app.
