Netgate Discussion Forum
Configuring UDP Broadcast Relay

pfSense Packages · 25 Posts · 4 Posters · 5.0k Views
  RickyBaker @RickyBaker, last edited Sep 18, 2023, 3:21 PM

    @RickyBaker said in Configuring UDP Broadcast Relay:

    Do you actually need SSDP forwarded?

    I actually don't remember what I had that in for. It's possible I was just following another tutorial. Do you recommend removing that for collision prevention, or just for the safety of not having something forwarded that doesn't need it?

    Also, googling SSDP to try to jog my memory did no such thing. Maybe if you could pass on some common things that use it, it'll jostle something loose :)

    RickyBaker @RickyBaker, last edited Sep 18, 2023, 3:46 PM

      @RickyBaker Eh, I think it was just from the tutorial that I used at first: https://iambartlett.com/blog/pfsense-chromecast-and-speaker-groups

      [attached image: fd4e9c27-2b99-4804-a436-b512aa2294b7-image.png]

      dennypage @RickyBaker, last edited Sep 18, 2023, 10:56 PM

        @RickyBaker said in Configuring UDP Broadcast Relay:

        Do you recommend removing that for collision prevention? or just for safety of not having something forwarded that doesn't need it?

        Both. All sorts of potential issues if you run Avahi and also forward the multicast packets. And as a general rule, I very much recommend against forwarding things unless you absolutely need to. You set up the IOT VLAN for a reason, yes?

        @RickyBaker said in Configuring UDP Broadcast Relay:

        Would i FIRST need to remove the 5353 forward in UDP Broadcast relay?

        Absolutely.

        My overall advice is to remove everything from the relay, set up Avahi and test, then consider what you might want to add back into the relay.

        @RickyBaker said in Configuring UDP Broadcast Relay:

        So, I apologize but I really don't understand this point at all, and it sounds promising. What kind of things would have an "Avahi instance"? Is this something on a client device or in the networking equipment.

        In general I am referring to general purpose computers that have Avahi installed. That said, sometimes embedded systems use Avahi, and occasionally with old configurations that have caching enabled by default. VSSL was one such system, and I worked with them (years ago) to fix this.

        If you have systems that use Bonjour (such as Macs), and there is a caching instance of Avahi in the network, the systems will rename themselves with numeric suffixes ('myhost-2', 'myhost-3', 'myhost-4', etc.) because Avahi caching creates false name collisions.

        dennypage @RickyBaker, last edited Sep 18, 2023, 11:11 PM

          @RickyBaker said in Configuring UDP Broadcast Relay:

          i think it was just from the tutorial that i used

          I don't have Chromecast, so I can't go through and evaluate all of it. But just looking quickly at the list, it seems to be a bit of a kitchen-sink approach, i.e., these are ports that these devices use in some way, shape or form, so forward them all.

          This doesn't mean that it won't work, but that doesn't mean it's a good approach either. It's certainly not the approach a network security engineer would take.

          RickyBaker @RickyBaker, last edited Sep 19, 2023, 12:01 PM

            @RickyBaker said in Configuring UDP Broadcast Relay:

            Logitech Harmony remote

            By googling "Logitech Harmony udp broadcast relay port multicast group" I found this port number and multicast group IP... and it worked! So I guess I just need to find that port number and group for any devices not working as expected across VLANs. Anyone have any suggestions for tracking down the more obscure ones without a vibrant community?

            dennypage @RickyBaker, last edited Sep 19, 2023, 3:37 PM

              @RickyBaker said in Configuring UDP Broadcast Relay:

              Anyone have any suggestions for tracking down the more obscure ones without a vibrant community?

              This may be more of an answer than you were looking for...

              You can discover the ports in use by sniffing the appropriate interface on your firewall for multicast/broadcast packets originating from the host in question. Example:

              tcpdump -i igc0 \( broadcast or multicast \) and host myhost
              

              where 'igc0' is the interface you want to examine, and 'myhost' is the name of the host you want to see packets for.

              Multicast/broadcast discovery is usually unidirectional, meaning the multicast packets go from the server to the client, or from the client to the server, but not both. In general, I would feel better about forwarding multicast packets from the trusted network to the untrusted network than the reverse.

              If your trusted devices are clients in the LAN, start looking there. See if your clients are sending any multicast packets, and if so on what port.

              If you don't find anything being sent by the clients, then look for packets being sent by the server on the untrusted network.

              Based on what you discover, you will be able to determine which multicast ports need forwarding, which hosts they need forwarding from, and set up your forwarding accordingly.

              If you have been hearing Mission Impossible music in your head while reading this, don't sweat it. It really isn't that bad. It may seem tedious at first, but you will learn a lot and have a much better idea of how things work when you are done. And if you add another device in the future, you'll know how to make it work yourself.

              NB: don't create a loop by forwarding the same port both directions.

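Added example (not part of the thread): a small Python script that post-processes a capture taken with the tcpdump command above. It assumes the capture was saved on the firewall with numeric addresses, e.g. `tcpdump -n -i igc0 \( broadcast or multicast \) and host myhost > cap.txt`, then groups what it sees by multicast/broadcast group and destination port, reports which side of the firewall the senders are on, and flags any group/port that hosts on both sides originate, because relaying that both ways is exactly the loop warned about. The two network ranges and the capture lines are constructed for the example and are not from the thread.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed address plan (not from the thread): trusted LAN and the IoT VLAN.
TRUSTED_NET = ipaddress.ip_network("192.168.10.0/24")
UNTRUSTED_NET = ipaddress.ip_network("192.168.20.0/24")

# Constructed sample imitating `tcpdump -n -i igc0 \( broadcast or multicast \)`
# output. These are not real captured packets.
SAMPLE_CAPTURE = """\
10:00:01.000001 IP 192.168.10.25.54321 > 239.255.255.250.1900: UDP, length 133
10:00:01.500000 IP 192.168.10.25.5353 > 224.0.0.251.5353: 0 [2q] PTR (QM)? _googlecast._tcp.local. (55)
10:00:02.000000 IP 192.168.20.40.1900 > 239.255.255.250.1900: UDP, length 302
10:00:02.200000 IP 192.168.20.40.5353 > 224.0.0.251.5353: 0*- [0q] 2/0/0 PTR (180)
10:00:03.000000 IP 192.168.20.41.68 > 255.255.255.255.67: BOOTP/DHCP, Request from aa:bb:cc:dd:ee:ff, length 300
10:00:04.000000 IP 192.168.10.30.40000 > 239.192.0.1.4000: UDP, length 40
"""

# Timestamp, "IP", src.sport > dst.dport: ... (tcpdump's default IPv4 layout)
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): "
)


def parse_capture(text):
    """Return (src, sport, dst, dport) for every IPv4 line with ports."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            flows.append((m["src"], int(m["sport"]), m["dst"], int(m["dport"])))
    return flows


def side_of(addr):
    """Which side of the firewall a sender sits on, by the assumed ranges."""
    ip = ipaddress.ip_address(addr)
    if ip in TRUSTED_NET:
        return "trusted"
    if ip in UNTRUSTED_NET:
        return "untrusted"
    return "other"


def summarize(flows):
    """Group sender addresses by (destination group/broadcast, destination port)."""
    senders = defaultdict(lambda: {"trusted": set(), "untrusted": set(), "other": set()})
    for src, _sport, dst, dport in flows:
        senders[(dst, dport)][side_of(src)].add(src)
    return senders


def relay_plan(senders):
    """Suggest one relay direction per (group, port); flag two-sided traffic."""
    plan = {}
    for key, by_side in senders.items():
        trusted, untrusted = bool(by_side["trusted"]), bool(by_side["untrusted"])
        if trusted and untrusted:
            # Both sides originate this traffic. Relaying it in both directions
            # would loop; a human has to choose the one direction that is needed.
            plan[key] = "both sides send: forward ONE direction only (loop risk)"
        elif trusted:
            plan[key] = "trusted -> untrusted"
        elif untrusted:
            plan[key] = "untrusted -> trusted"
        else:
            plan[key] = "no local sender seen"
    return plan


if __name__ == "__main__":
    decisions = relay_plan(summarize(parse_capture(SAMPLE_CAPTURE)))
    for (group, port), decision in sorted(decisions.items()):
        print(f"{group}:{port:<5} {decision}")
```

Note that the DHCP broadcast to 255.255.255.255:67 shows up too: the tcpdump filter matches every broadcast, so not everything the script lists is a discovery port worth relaying. Treat the output as a shortlist to reason about, not a rule set to paste in.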
              RickyBaker @dennypage, last edited Sep 20, 2023, 6:55 PM

                @dennypage said in Configuring UDP Broadcast Relay:

                If you have been hearing Mission Impossible music in your head while reading this, don't sweat it. It really isn't that bad. It may seem tedious at first, but you will learn a lot and have a much better idea of how things work when you are done. And if you add another device in the future, you'll know how to make it work yourself.

                NB: don't create a loop by forwarding the same port both directions.

                Lol, thank you very much, I'm gonna give it a try. I'm definitely going to straight-up ignore a few of them that are just not needed (like the Kodak projector that really only gets used OUTSIDE the house).

                @dennypage said in Configuring UDP Broadcast Relay:

                tcpdump -i igc0 \( broadcast or multicast \) and host myhost

                So I'm running this on a terminal of the pfSense, or on any PC that's on the LAN Wi-Fi?

                dennypage @RickyBaker, last edited Sep 20, 2023, 11:03 PM

                  @RickyBaker said in Configuring UDP Broadcast Relay:

                  so i'm running this on a terminal of the pfsense? or on any PC that's on the LAN Wifi?

                  You would do the sniffing on the firewall. Assuming you have SSH enabled, that would be the best way.

                  CloudNode @RickyBaker, last edited Apr 25, 2024, 1:47 AM

                    @RickyBaker Sorry to wake this topic up, but I have added the rules and I am still not able to cast to my Fire TV (SSDP), which is on the IoT subnet, while my phone is on the LAN subnet.
                    [attached image: 9da66aa5-6c25-4971-b2dd-3135c3f403e5-image.png]

                    RickyBaker @CloudNode, last edited Apr 26, 2024, 5:34 PM

                      @iptvcld what interface are these rules on? IoT? Here are my IoT rules in case they are helpful:

                      [attached image: d65de5e4-f37f-439c-9831-62b3ef74c42b-image.png]

                      CloudNode @RickyBaker, posted Apr 26, 2024, 6:50 PM, last edited by CloudNode Apr 26, 2024, 6:53 PM

                        @RickyBaker thank you! Are you able to share the ports for this alias?
                        [attached image: f0f750a9-fc6a-4482-a7f9-95f10b39239f-image.png]

                        Also have you tested this to see if it works on any Amazon FireTV devices (if you have any) - those devices use SSDP protocol.

                        This is my IoT: I made an alias with all the IPs that are the CastingDevice, and then the CastFromNetwork alias, where I just put in the LAN net and Guest net. But I want to block it a bit better using ports.
                        [attached image: 8f85ffd0-6daa-4240-b2cf-369d436e6faa-image.png]

                        RickyBaker @CloudNode, last edited Apr 28, 2024, 2:28 PM

                          @iptvcld sure:
                          [attached image: 53dc301f-f58d-43da-8e88-02d71a42fbf1-image.png]

                          Never done anything with a Fire, but I did get the Nvidia Shields to be operable across VLANs...

                          CloudNode @RickyBaker, last edited Apr 28, 2024, 2:33 PM

                            @RickyBaker thanks. The Fire uses something called SSDP and not mDNS, but I cannot locate the ports it needs yet.

                            RickyBaker @CloudNode, last edited Apr 28, 2024, 2:49 PM

                              @iptvcld I'm sure there's a more eloquent and effective way to find out, but I've actually just googled and messaged various companies to ask them what UDP forwarding port the app uses, and been moderately successful. Can't get the printer to reliably talk across the VLANs, but that could be a "printers are terrible" thing.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.