App option for fixed IP devices on another network

antipope (New member, joined Dec 8, 2022, 3 messages)
I have a network environment with multiple VLANs (including virtual wifi APs). The Mini is on our home network, but I would like to be able to access it from a Windows application on my desktop in my work network. The answer would be a list of fixed IPs in the application (and optional local network scanning). Of course the Minis need to stay put in the home network IP space, which is currently a bit difficult with a changing DHCP client id, but that is another issue.

Requested feature: an editable list of device IP addresses on Mobile and Desktop apps + option to turn off local network scan.
 
Isn't it easier to define access rules across VLANs on the router/switch?

What do you mean by a "changing DHCP client id"? MAC address seems to be static.
 
Yeah, a quick pcap looks like mDNS is used to locate _linkplay._tcp.local devices. The question then is if you feel comfortable allowing the 224.0.0.251 multicast to be forwarded/proxied between your VLANs, and more importantly what are you using to segment your network and how much work is it going to be to relay multicasts between them and obviously any ACL/rules. I did this for some airplay devices years ago, and it was hours of trial and error. There are some good articles about mDNS/Bonjour out there if you feel like diving in. Good luck!
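To make the pcap observation above concrete, here is an added example (not code from the thread or from WiiM) that builds the mDNS PTR query for `_linkplay._tcp.local`, parses a reply into instance/target/port/address, and optionally sends the query to 224.0.0.251:5353. The sample reply is constructed, not captured: the instance name, the host name `wiim-mini.local` and port 8080 are placeholders. It shows exactly which UDP multicast datagram has to be relayed between VLANs for discovery to work, and what comes back.

```python
"""mDNS discovery of _linkplay._tcp.local: build the PTR query the app multicasts
and parse a reply. Added example, not code from the thread or from WiiM."""
import socket
import struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353
SERVICE = "_linkplay._tcp.local"
TYPE_A, TYPE_PTR, TYPE_SRV = 1, 12, 33


def encode_name(name):
    """Wire-format a dotted DNS name as length-prefixed labels plus a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_ptr_query(service=SERVICE):
    """One PTR question, id 0, flags 0: the datagram that must cross the VLAN boundary."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    return header + encode_name(service) + struct.pack("!HH", TYPE_PTR, 1)


def decode_name(pkt, off):
    """Read a name at offset off, following compression pointers; return (name, next_off)."""
    labels, end, jumped = [], off, False
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # compression pointer into the same packet
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if jumped else off)


def parse_response(pkt):
    """Map each advertised service instance to its SRV target, port and A-record address."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):  # skip any echoed questions
        _, off = decode_name(pkt, off)
        off += 4
    instances, srv, addrs = {}, {}, {}
    for _ in range(an + ns + ar):
        name, off = decode_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == TYPE_PTR:
            instances.setdefault(decode_name(pkt, off)[0], None)
        elif rtype == TYPE_SRV:  # priority, weight, port, target
            port = struct.unpack("!H", pkt[off + 4:off + 6])[0]
            srv[name] = (decode_name(pkt, off + 6)[0], port)
        elif rtype == TYPE_A and rdlen == 4:
            addrs[name] = ".".join(str(b) for b in pkt[off:off + 4])
        off += rdlen
    for inst in instances:
        target, port = srv.get(inst, (None, None))
        instances[inst] = {"target": target, "port": port, "addr": addrs.get(target)}
    return instances


def build_sample_response():
    """Constructed reply (not a real capture): one instance at 192.168.20.170, port 8080 is a placeholder."""
    inst, host = "WiiM Mini." + SERVICE, "wiim-mini.local"

    def rr(name, rtype, rdata):  # class 0x8001 = IN with the mDNS cache-flush bit
        return encode_name(name) + struct.pack("!HHIH", rtype, 0x8001, 120, len(rdata)) + rdata

    return (struct.pack("!HHHHHH", 0, 0x8400, 0, 3, 0, 0)
            + rr(SERVICE, TYPE_PTR, encode_name(inst))
            + rr(inst, TYPE_SRV, struct.pack("!HHH", 0, 0, 8080) + encode_name(host))
            + rr(host, TYPE_A, bytes([192, 168, 20, 170])))


def discover(timeout=2.0):
    """Send the query to the multicast group and collect replies (needs a real network)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)  # RFC 6762 TTL
    sock.settimeout(timeout)
    found = {}
    try:
        sock.sendto(build_ptr_query(), (MDNS_GROUP, MDNS_PORT))
        while True:
            data, _peer = sock.recvfrom(9000)
            found.update(parse_response(data))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    for name, info in discover().items():
        print(name, info)
```

Run it on the VLAN where the player lives and you should see the instance; run it from the other VLAN and you will see nothing until the router repeats or reflects the multicast, which is the gap the rest of the thread is about.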
 
mDNS repeater plus fw rules for mDNS multicast on 5353 work well on edgerouter.
 
One reason for having separate VLANs in the first place is to limit non-unicast traffic such as broadcasts and multicasts (and responses) between networks with different policies. Even though having the router pass multicasts or having an mDNS proxy might technically work, it sort of defies the purpose of having VLANs in the first place. Besides, one should expect the unexpected when using protocols for something else than what they were originally designed for.

Having both fixed-ip and service discovery available is a tried-and-tested concept from LMS/Squeezebox ecosystem, which enables placing players in separate physical locations without having to worry about anything else than unicast IP. It just works.

About the DHCP client id: client id is a feature of the DHCP protocol. It has something to do with simplifying use of BOOTP, but I am not well-versed enough in either of the protocols to say anything non-obvious about the subject. WiiM Mini seems to send a non-constant 19-octet something as client id having a MAC address as the last six octets. It is the only host in my network doing that, all other DHCP clients have a 7-octet client id (1:MAC-address) (might be auto-generated at the server).

All I know is that the changing DHCP client id seems to be causing my DHCP server to assign a new IP address for every unique client id. This behavior is unique to the Wiim Mini, all the other IPs stay put on the DHCP server when declared static.
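An added example (not from the thread) for anyone who wants to confirm the client-id observation above from a packet capture: it extracts chaddr and option 61 from a raw DHCP message, reports whether the identifier is the RFC 2132 "type 1 + hardware address" form, and shows why a changing identifier yields a new lease. The DHCPDISCOVER messages are constructed here; the leading bytes I put in front of the MAC in the 19-octet case are made up, since the thread does not say what the device actually sends there.

```python
"""Inspect DHCP option 61 (client identifier) against chaddr.
Added example, not from the thread; sample messages are constructed."""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_END = 53, 61, 255


def parse_dhcp(pkt):
    """Return chaddr and option 61 (or None) from a raw BOOTP/DHCP message."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    hlen = pkt[2]
    chaddr = pkt[28:28 + hlen]
    opts, i = {}, 240
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_END:
            break
        if code == 0:  # pad byte, no length
            i += 1
            continue
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"chaddr": chaddr, "client_id": opts.get(OPT_CLIENT_ID)}


def lease_key(msg):
    """What a server keys the lease on: option 61 when present (RFC 2132), else chaddr."""
    return msg["client_id"] if msg["client_id"] is not None else msg["chaddr"]


def describe_client_id(cid, chaddr):
    """Classify the identifier the way the thread describes the 7- and 19-octet cases."""
    if cid is None:
        return "no option 61; server keys on chaddr"
    if len(cid) == 7 and cid[0] == 1 and cid[1:] == chaddr:
        return "RFC 2132 form: type 1 + hardware address (stable across boots)"
    if cid.endswith(chaddr):
        return f"{len(cid)}-octet id with MAC as last 6 octets and {len(cid) - 6} leading octets"
    return f"{len(cid)}-octet opaque id"


def build_discover(mac, client_id, xid=0x1234):
    """Constructed DHCPDISCOVER with only the fields this check needs."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, xid, 0, 0x8000)  # op, htype, hlen, hops, xid, secs, flags
    hdr += b"\x00" * 16                  # ciaddr, yiaddr, siaddr, giaddr
    hdr += mac + b"\x00" * 10            # chaddr padded to 16 octets
    hdr += b"\x00" * 192                 # sname + file
    opts = bytes([OPT_MSG_TYPE, 1, 1])   # message type: DISCOVER
    if client_id is not None:
        opts += bytes([OPT_CLIENT_ID, len(client_id)]) + client_id
    return hdr + DHCP_MAGIC + opts + bytes([OPT_END])


if __name__ == "__main__":
    mac = bytes.fromhex("00aabbccddee")  # constructed address
    for cid in (b"\x01" + mac, bytes(13) + mac, bytes(12) + b"\x01" + mac, None):
        m = parse_dhcp(build_discover(mac, cid))
        print(lease_key(m).hex(), "->", describe_client_id(m["client_id"], m["chaddr"]))
```

The two 19-octet messages come from the same MAC but produce different lease keys, which is the "new IP address for every unique client id" effect; a server that can be told to key reservations on chaddr instead of option 61 sidesteps it.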
 
@onlyoneme Sorry to bring this up again. I have Edgerouter 4 and I am trying to make the WiiM desktop app to work across VLANs.
I enabled the mDNS repeater by adding eth1 and eth2 in Config Tree > service > mdns > repeater. But I can't figure out exactly what to do with the firewall rule "mDNS multicast on 5353" you mentioned. Would you please explain a bit more? Thanks in advance.
 
I assume your eth1 and eth2 interfaces are real ones, so you need to specify a virtual one assigned to the vlan as well in the mDNS repeater options.
Firewall rule for the UDP and source :5353, destination 224.0.0.251:5353 created in the vlan to "local" ruleset is the next step as the communication here is being dropped by default in my setup.
 
Yes, eth1 and eth2 are physical ports. And this is how I have it in the mDNS section:
[attachment: Screenshot 2023-04-13 at 12.59.59 AM.jpg]
Sorry I am not versed in networking. Do you mean I need to create VLANs for eth1 and eth2?

And this is the Firewall rule. Does it look ok? Thanks again!!
[attachment: 1681372971928.png]
 
VLANs usually work in their own subnets so you would need to create a VLAN interface over the physical one, something similar to the ones below:

[attachment: 1681374203673.png]

And mDNS rules would be created in the context of such interfaces:

[attachment: 1681374294476.png]

I assume here that VLAN flow control is on the router level.
 
I just received my WiiM Pro and love it so far.

The only thing I'd like to figure out is how to use it on my "segregated IoT network" (vlan). I don't trust IoT devices on my main network, so I created a separate network in my AsusWRT Merlin RT68U, and the traffic between those devices and the main network is managed by iptables rules. So far, all the devices on the IoT network can only access the internet, but cannot be reached by devices from the main network, or reach devices in the main network.

I set up the WiiM with a fixed IP (which has downsides, but manageable) and I enabled the mDNS redirector using the built-in Avahi, which runs by default.

Do you have the equivalent of the above rules for iptables? The Merlin firmware is basically a Linux machine that allows you to do things that are not doable with the GUI. I'm not sure how I can enable "mDNS multicast on 5353" using iptables.

EDIT: I'm having problems with the Avahi configuration, but I think I got the iptables part. My vlan is on br1 and the WiiM address is 192.168.20.170. I think I need the below

Code:
# allow devices on main LAN to access WiiM on IoT vlan
iptables -I FORWARD -i br0 -o br1 -d 192.168.20.170 -j ACCEPT

With this, the great WiiM Watcher Chrome extension works perfectly (I think it was developed by @onlyoneme, thanks so much for that!)

Then a subset of the below

Code:
# allow mDNS traffic between networks
iptables -I INPUT -i br1 -p udp -m multiport --dport 5353 -j ACCEPT
iptables -I FORWARD -i br1 -p udp -m multiport --dport 5353 -j ACCEPT

iptables -I INPUT -i br1 -p tcp -m multiport --dport 5353 -j ACCEPT
iptables -I FORWARD -i br1 -p tcp -m multiport --dport 5353 -j ACCEPT
 
No, it's @cc_rider code.
My bad. Thanks @cc_rider then :)

Just in case someone else reads this in the future, this is what I did to make it work. For reference, I'm using a series of scripts in AsusWRT Merlin to make the Vlan work across multiple routers https://www.snbforums.com/threads/rt-ac68u-guest-networks-in-ap-mode-using-vlan-and-iptables.64172/

My main network is br0, IoT vlan is br1. WiiM uses fixed IP 192.168.20.170

Must add avahi-daemon.conf.add file to /jffs/configs to change the avahi configuration and enable the redirector. AsusWRT Merlin already enables Avahi, btw.

Code:
admin@RT-AC68U-7BA8:/tmp/home/root# cat /jffs/configs/avahi-daemon.conf.add

[reflector]
enable-reflector=yes

Then add the ability for devices on the main LAN to access WiiM and finally allow multicast to work across vlans (br0 and br1). I'm using a script in /jffs/scripts/firewall-start and added

Code:
# WiiM configuration begins
# make WiiM reachable from LAN (one way)
iptables -D FORWARD -i br0 -o br1 -d 192.168.20.170 -j ACCEPT >/dev/null 2>&1
iptables -I FORWARD -i br0 -o br1 -d 192.168.20.170 -j ACCEPT

# forward multicast on port 5353 between networks
iptables -D INPUT -i br1 -p udp -m multiport --dport 5353 -j ACCEPT >/dev/null 2>&1
iptables -I INPUT -i br1 -p udp -m multiport --dport 5353 -j ACCEPT
iptables -D INPUT -i br1 -p tcp -m multiport --dport 5353 -j ACCEPT >/dev/null 2>&1
iptables -I INPUT -i br1 -p tcp -m multiport --dport 5353 -j ACCEPT
#end WiiM configuration

I'm deleting the rule from iptables in case firewall-start is called once more, to avoid problems (the -D lines)

I can now use the WiiM app on the main lan controlling WiiM on the IoT network.
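One thing worth noticing between the first draft of the rules and the final set above is that the FORWARD rules for 5353 from br1 disappeared and only the INPUT rules (traffic to the router's own Avahi) stayed, which is the tighter shape: a FORWARD accept from the IoT bridge with no destination lets every IoT device reach any main-LAN host on that port. As an added example (not from the thread or from the Merlin scripts), here is a small audit over `iptables-save` style lines that flags exactly that, plus the TCP 5353 rules, which mDNS (UDP per RFC 6762) does not need. The sample rule set is constructed; `br1` as the IoT interface is the thread's layout and is an assumption in the script.

```python
"""Audit iptables-save output for mDNS (5353) accepts from an IoT interface.
Added example, not from the thread; the sample rules below are constructed."""
import shlex

IOT_IFACE = "br1"  # assumption: IoT VLAN bridge, as in the thread
MDNS_GROUP = "224.0.0.251"

# Constructed sample in iptables-save format (multiport renders --dport as --dports).
SAMPLE_RULES = """
-A FORWARD -i br0 -o br1 -d 192.168.20.170/32 -j ACCEPT
-A FORWARD -i br1 -p udp -m multiport --dports 5353 -j ACCEPT
-A FORWARD -i br1 -p tcp -m multiport --dports 5353 -j ACCEPT
-A INPUT -i br1 -p udp -m multiport --dports 5353 -j ACCEPT
-A INPUT -i br1 -p tcp -m multiport --dports 5353 -j ACCEPT
-A INPUT -i br1 -p udp -d 224.0.0.251/32 --dport 5353 -j ACCEPT
"""

MATCH_KEYS = ("-i", "-o", "-p", "-d", "-s", "-j", "-m", "--dport", "--dports")


def parse_rule(line):
    """Turn one '-A CHAIN ...' line into a dict of the match options we care about."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None
    rule, i = {"chain": toks[1], "raw": line.strip()}, 2
    while i < len(toks):
        if toks[i] in MATCH_KEYS and i + 1 < len(toks):
            rule[toks[i]] = toks[i + 1]
            i += 2
        else:
            i += 1
    return rule


def audit(rules_text, iot_iface=IOT_IFACE):
    """Return (severity, message) for every ACCEPT of port 5353 arriving on iot_iface."""
    findings = []
    for line in rules_text.splitlines():
        r = parse_rule(line)
        if not r or r.get("-j") != "ACCEPT" or r.get("-i") != iot_iface:
            continue
        ports = (r.get("--dport") or r.get("--dports") or "").split(",")
        if "5353" not in ports:
            continue
        dest = r.get("-d", "").split("/")[0]
        if r["chain"] == "FORWARD" and not dest:
            findings.append(("high", f"{r['raw']}: FORWARD with no destination lets {iot_iface} "
                                     f"reach any host on 5353; the reflector setup only needed INPUT"))
        elif r.get("-p") == "tcp":
            findings.append(("medium", f"{r['raw']}: mDNS is UDP (RFC 6762), TCP 5353 accept is not needed"))
        else:
            note = "" if dest == MDNS_GROUP else f" (accepts unicast too; multicast goes to {MDNS_GROUP})"
            findings.append(("ok", r["raw"] + note))
    return findings


if __name__ == "__main__":
    # On the router: iptables-save | python3 this_script.py  (constructed sample used here)
    for severity, message in audit(SAMPLE_RULES):
        print(f"[{severity}] {message}")
```

Feed it the real `iptables-save` output (`import sys; audit(sys.stdin.read())`) after `firewall-start` has run; anything marked high is a hole in the IoT segregation rather than part of the mDNS fix.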
 