alsmith / multicast-relay

Relay multicast and broadcast packets between interfaces.
GNU General Public License v3.0
304 stars, 47 forks

Added support for SSDP unicast #14

Closed. yo8192 closed this 5 years ago.

yo8192 commented 5 years ago

Add support for SSDP unicast.

The queries are sent over multicast, and the answers are sent in unicast. With these changes multicast-relay will listen for the unicast messages on a specific port (UDP 1901, on the IP specified by the new `--ssdpUnicastAddr` command-line argument) and relay/proxy them to the requester. This way it is possible to have decent firewall rules instead of leaving everything open because random ports are typically used, which is what you would want when multicast-relay is used between a DMZ zone with untrusted equipment (e.g. random small appliances around the home) and the LAN with trusted equipment (e.g. personal computers and phones).

See http://buildingskb.schneider-electric.com/view.php?AID=15197 for an introduction to the protocol.

I use this on an OpenWRT router with a command such as: `multicast-relay.py --foreground --verbose --interfaces br-lan br-lan_dmz --noSonosDiscovery --homebrewNetifaces --ifNameStructLen=32 --ssdpUnicastAddr 192.168.2.1`

Also added some unit tests for the new code (using the pytest framework).
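To make the answer-routing problem concrete, here is an added illustration (not the project's code and not part of the PR): a small model of the state a relay needs to hand a unicast SSDP response, arriving on the DMZ-side address and UDP 1901, back to the LAN host that sent the M-SEARCH. The class name, the ST-matching heuristic and the MX-based expiry are assumptions; the sample datagrams are constructed.

```python
import time

def parse_ssdp(data):
    """Split an SSDP datagram (HTTP-style) into its start line and a header dict."""
    lines = data.decode("utf-8", errors="replace").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().upper()] = value.strip()
    return lines[0].strip(), headers

class SsdpUnicastRelay:
    """Hypothetical model (not the project's code): remember who sent each relayed
    M-SEARCH, then route the unicast answers arriving on DMZ-addr:1901 back to them."""

    def __init__(self, now=time.time):
        self.now = now
        self.pending = []  # (expires_at, wanted_st, requester_addr)

    def on_msearch(self, data, requester):
        """Called for an M-SEARCH received from the LAN side; returns its ST."""
        start, h = parse_ssdp(data)
        if not start.startswith("M-SEARCH") or h.get("MAN", "").strip('"') != "ssdp:discover":
            return None  # not a discovery query: nothing to track
        try:
            mx = max(1, min(int(h.get("MX", "1")), 5))  # UPnP DA 1.1: MX is 1..5 s
        except ValueError:
            mx = 1
        st = h.get("ST", "ssdp:all")
        self.pending.append((self.now() + mx + 1, st, requester))  # +1 s slack
        return st

    def on_unicast_response(self, data):
        """Called for a datagram arriving on DMZ-addr:1901; returns the requesters
        (deduplicated) the answer should be forwarded to, or [] to drop it."""
        start, h = parse_ssdp(data)
        if not start.startswith("HTTP/1.1 200"):
            return []  # anything but an SSDP search response is unsolicited: drop
        t = self.now()
        self.pending = [p for p in self.pending if p[0] > t]  # expire old queries
        st = h.get("ST", "")
        targets = []
        for _, wanted, requester in self.pending:
            if wanted in ("ssdp:all", st) and requester not in targets:
                targets.append(requester)
        return targets
```

Because a device's answer carries no identifier of the original requester, the relay can only correlate by ST and a short time window; unsolicited or stale datagrams on 1901 are dropped rather than forwarded into the LAN.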

kidhasmoxy commented 4 years ago

@yo8192 Can you give more information on how this should be implemented?

For example, given a DMZ and LAN, where the firewall prohibits the DMZ from accessing the LAN, should we supply the IP address of the adapter connected to the DMZ?

Does that mean we don't have to create a firewall rule, or just one that allows UDP traffic on port 1901 originating from the DMZ adapter?

yo8192 commented 4 years ago

@kidhasmoxy yes, that's right: `--ssdpUnicastAddr` should be set to the DMZ IP of the device multicast-relay runs on. I'll assume here that this is a router (e.g. OpenWRT).

The INPUT firewall rules you'll need are:

That only covers the SSDP search/response. You may obviously need other rules to allow your LAN device to then connect to your DMZ device, if you don't already have a blanket rule such as allowing all connections initiated from the LAN to the DMZ.

BTW, if anyone ever needs to troubleshoot these things, I found that running a command such as `ssh yourOpenWRTrouter "tcpdump -i br-dmz -U -s0 -w - -n udp and not host 224.0.0.251" | wireshark -k -i -` from your computer/laptop is a nice way to do it.