
Multicast routing UPnP traffic with Linux

I use my Linux desktop, which has both wired and wireless network adapters, to connect my Xbox 360 to the wireless network. My wireless driver (rt73usb in 2.6.28) does not support source address spoofing, which is needed for bridging, so I used routing instead. This broke UPnP IGD port forwarding, which uses multicast and doesn’t normally traverse a router. My solution: static multicast routing with smcroute.

My local network is 192.168.1.0/24, with my Wireless router/DSL modem at 192.168.1.1 connected to the Linux box via wlan0, and my Xbox 360 at 192.168.1.120 connected to the Linux box via eth0. I use proxy arp and a static route for 192.168.1.120 to make the routing work – I’ll discuss this more in a later post. For now just assume that unicast traffic is routed correctly.

Note that running UPnP on your gateway has security implications; disabling UPnP and setting up static port forwarding is a better solution when available. My Verizon branded Actiontec gt701-wg has a crap port forwarding setup that only allows me to forward ports to computers that it has discovered, and it never seemed to discover the 360 behind my Linux box. Also with multiple machines on the network and multiple applications requiring port forwarding for full functionality, static port forwarding can get very tedious.

I messed around with xorp, which supports multicast routing, with no success. A much simpler solution when only a few computers are involved is to set up static multicast routes with smcroute:

# start the daemon
smcroute -d
# add some routes
smcroute -a eth0 192.168.1.120 239.255.255.250 wlan0
smcroute -a wlan0 192.168.1.1 239.255.255.250 eth0

# If the packets have a TTL of 1, they will be dropped even when the multicast
# routing rules are correct. This ensures that the TTL will be high enough.
iptables -t mangle -A PREROUTING -i eth0 -d 239.255.255.250 -j TTL --ttl-inc 1
iptables -t mangle -A PREROUTING -i wlan0 -d 239.255.255.250 -j TTL --ttl-inc 1

UPnP port forwarding uses the 239.255.255.250 multicast group. The first smcroute -a command will forward any traffic coming in on eth0 from 192.168.1.120 to the multicast group 239.255.255.250 to the wlan0 interface. The second forwards traffic coming in on wlan0 from 192.168.1.1 to 239.255.255.250 to eth0. The second command probably isn’t required – the gateway does send out multicast announcements, but the 360 sends out a multicast query looking for a gateway regardless, and the response from the gateway is unicast, as is all remaining traffic. Note that you do not need to join the Linux box to any multicast groups for this to work.

I’m not sure if the iptables commands are necessary. I used the upnp client from miniupnp (upnpc) and my Linux laptop for the initial setup to make debugging easier, and upnpc sends packets with a TTL of 1 so the mangling was required. The Xbox 360 may use a higher TTL for the multicast packets. [upnpc can also be used to create port forwards for the 360, making multicast routing unnecessary, but that solution is less interesting.]
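
Whether the TTL mangling is needed for a given device can be settled by capturing its SSDP packets and reading the TTL. The following is an added example, not part of the original post: it reads `tcpdump -n -v` text and counts, per sender, the packets to the group that arrive with a TTL of 1 or less. The function names and the sample capture (ports, ids, lengths) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Reads `tcpdump -n -v` text on
# stdin and prints "<source-ip> <packets>" for every sender whose packets to
# the multicast group arrive with a TTL of 1 or less.
low_ttl_senders() {
    group=${1:-239.255.255.250}
    awk -v group="$group" '
    BEGIN { ttl = -1 }
    # Header line: "... IP (tos 0x0, ttl 1, id 0, ... proto UDP (17), length N)"
    / IP \(/ {
        ttl = -1
        for (i = 1; i < NF; i++)
            if ($i == "ttl") ttl = $(i + 1) + 0    # "1," converts to 1
        next
    }
    # Address line: "    SRC.PORT > DST.PORT: UDP, length N"
    $2 == ">" && ttl >= 0 {
        src = $1; dst = $3
        sub(/\.[0-9]+$/, "", src)     # drop the source port
        sub(/\.[0-9]+:$/, "", dst)    # drop the destination port and colon
        if (dst == group && ttl <= 1) low[src]++
        ttl = -1
    }
    END { for (s in low) print s, low[s] }
    ' | sort
}

# Constructed sample capture (hypothetical ports, ids and lengths).
sample_capture() {
    cat <<'EOF'
20:01:10.100000 IP (tos 0x0, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 160)
    192.168.1.120.50000 > 239.255.255.250.1900: UDP, length 132
20:01:11.100000 IP (tos 0x0, ttl 1, id 0, offset 0, flags [DF], proto UDP (17), length 160)
    192.168.1.120.50000 > 239.255.255.250.1900: UDP, length 132
20:01:12.200000 IP (tos 0x0, ttl 4, id 0, offset 0, flags [DF], proto UDP (17), length 300)
    192.168.1.1.1900 > 239.255.255.250.1900: UDP, length 272
20:01:12.300000 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto UDP (17), length 350)
    192.168.1.1.1900 > 192.168.1.120.50000: UDP, length 322
EOF
}

# Live use (as root): tcpdump -n -v -c 20 -i eth0 udp port 1900 | low_ttl_senders
sample_capture | low_ttl_senders
```

An empty result for a device means it already sends a TTL above 1, so the mangle rule for its interface can be left out.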

You can view the multicast routes, and how much they have been used, with the ip utility:

$ ip -s mroute
(192.168.1.1, 239.255.255.250)   Iif: wlan0      Oifs: eth0
345 packets, 133456 bytes
(192.168.1.120, 239.255.255.250) Iif: eth0       Oifs: wlan0
27 packets, 8362 bytes

Note that if a packet is dropped because the TTL is too low, it will still be included in the mroute packet count.
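
An added example, not from the original post, that turns the `ip -s mroute` listing into one line per route and picks out routes that have counted no packets or that are listed as unresolved. The function names and the sample listing are constructed; a non-zero count still includes packets dropped for a low TTL, so "active" here only means the route matched traffic.

```shell
#!/bin/sh
# Added example (not from the original post). Summarises `ip -s mroute`
# output read from stdin, one line per route:
#   <source> <group> <iif> <oifs> <packets> <status>
# status: active     = packets counted (TTL-dropped packets included)
#         idle       = route installed, nothing has matched it yet
#         unresolved = traffic seen, but no installed route matches it
mroute_report() {
    awk '
    function emit() {
        if (src == "") return
        status = (iif == "unresolved") ? "unresolved" : (pkts > 0 ? "active" : "idle")
        print src, grp, iif, oifs, pkts, status
        src = ""
    }
    /^\(/ {                                 # "(source, group) Iif: X Oifs: Y"
        emit()
        src = $1; grp = $2; iif = "-"; oifs = "-"; pkts = 0
        gsub(/[(,]/, "", src); sub(/\)$/, "", grp)
        for (i = 3; i < NF; i++) {
            if ($i == "Iif:") iif = $(i + 1)
            if ($i == "Oifs:") {            # one or more outbound interfaces
                oifs = $(i + 1)
                for (j = i + 2; j <= NF && $j !~ /:$/; j++) oifs = oifs "," $j
            }
        }
        next
    }
    $2 == "packets," { pkts = $1 + 0 }      # "N packets, M bytes"
    END { emit() }
    '
}

# Only the routes that need attention.
mroute_problems() { mroute_report | awk '$6 != "active"'; }

# Constructed sample in the format shown on this page.
sample_mroute() {
    cat <<'EOF'
(192.168.1.1, 239.255.255.250)   Iif: wlan0      Oifs: eth0
  345 packets, 133456 bytes
(192.168.1.120, 239.255.255.250) Iif: eth0       Oifs: wlan0
  0 packets, 0 bytes
(192.168.1.121, 239.255.255.250) Iif: unresolved
EOF
}

# Live use: ip -s mroute | mroute_problems
sample_mroute | mroute_problems
```

An idle route usually means the source address or inbound interface given to smcroute does not match the traffic actually arriving.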

If you want to access a UPnP media server from a 360, then you will need to forward additional groups for the relevant IPs. Try 224.0.0.22; if that doesn’t work you will find tcpdump/wireshark with an “ip multicast” filter is very useful.

13 Comments

  1. eden says:

    Hi,

    I have a similar issue with multicast routing but my network is a little different.

    Mediatomb (192.168.5.1 eth0) ————— (192.168.5.254 eth0) Linux Gateway (192.168.7.254 wlan0) ——(192.168.7.1)Upnp client

    I want that upnp client receive the upnp information in order to discover upnp server.
    As your example i need multicast routing but the network are different in my case.

    I don’t know if it’s possible to do that ?

    Sorry for my english i’m french 😉

    Regards,

    eden.

  2. bda says:

    Hi eden,

    It should work for your setup – it’s actually simpler than the proxy-arp + static routes setup I was using. The important thing is being able to communicate between the two networks without NAT. You should be able to ping .5.1 from .7.1 and vice versa, without NAT changing the source addresses. It may be possible to get working with NAT but that makes things much more complicated. Then set up the multicast routing, but use the media server multicast address, which I think is 224.0.0.22, instead of 239.255.255.250.

    -bda

  3. Sumit Arora says:

    bda , May you explain below :

    Over OPENVPN – Forwarding of UPnP SSDP Multicast Packets from One Network to Another

    Network Configuration :

    (PC-A-Network-A – 192.168.60.X) –Switch(Router) — Internet (ISP) — Switch (Router) — (PC-B-Network-B – 192.168.10.X)

    What is happening ?

    libupnp device is running at PC-A-Network-A(192.168.60.128) and sending multicast packets(SSDP-Notify) at 239.255.255.250:1900

    libupnp ctrlpoint is running at PC-B Network-B(192.168.10.104) and sending multicast packets(SSDP-Msearch) at 239.255.255.250:1900

    OpenVPN Server is running at PC-B Network-B

    OpenVPN Client is running at PC-A Network-A

    (open VPN fully configured, as both network can ping each other)

    Via using smcroute ( from this : http://bda.ath.cx/blog/2009/01/24/multicast-routing-upnp-traffic-with-linux/), it’s possible
    to route PC-A-Network Packets to Network-B (SSDP-Multicast Packets), and vice versa.

    What is not happening ?

    PC-A sending multicast SSDP Packets , and those are forwarded via openVPN to Network -B and vice versa, but no one accepts the multicast packets received from another network ?

    Is there any body can explain ?

    Do I need to configure iptables rules so that packet should be forwarded ? Or required to add some NAT rules or Is it possible to do this scenario ?

  4. bda says:

    Hi Sumit,

    I would expect that to work if no NAT is being done, but I don’t have a very deep understanding of multicast. With my setup the Xbox would appear to other computers on the network as a normal member of the same network. I never actually tested it across networks. Let us know if you find anything.

    -bda

  5. tkoun says:

    @eden, bda

    I confirm that on a similar network setup as eden’s with 2 subnets with a Synology media server (UPnP, DLNA) on one subnet and a Samsung smartTV on the other, bda’s solution works.
    Instead of a Linux box my router is a DD-WRT so I had to download the smcroute package from the OpenWRT package repo and copy the executable binary in the /jffs writeable partition.

    tkoun

  6. woops says:

    Hi tkoun,

    I have similar setup as yours. 2 subnets with a Synology media server on one subnet which is to be accessed by all kinds of devices on the other subnet. I use Zyxel USG20W as the router and firewall. Could you please post more details on how you route the UPnP multicast in your setup?

    Thanks,

    woopps

  7. Fraa Orolo says:

    Apparently SMCRoute has added some new features, allowing you to forget about the 192.168.1.X source addresses in the routes
    and instead use ANY address.
    This used to work only with Cisco switches and some other prof gear so far.

    https://github.com/troglobit/smcroute/blob/master/smcroute.conf

    this allows to directly forward any MCAST traffic to the SSDP group, which would even work with anonymous clients and
    media players on DHCP supplied addresses.

    Note: the media servers see the client multicasts as well (DISCOVER messages ) and answer with NOTIFY.

  8. tureface says:

    Hello bda,
    your post is very interesting because maybe i have a similar issue.
    I’m not very practical with Linux so sorry if i will put some incorrect question or incorrect detail.
    What i would like to do is route UDP multicast traffic from a IP interface to a wireless interface.
    So i have this traffic that is received by a BOX (it turs with UBUNTU) that has a wifi interface and IP interface.
    The UDP multicast traffic arrive at IP interface 10.0.0.0 (doing a TCPdump at 10.0.0.0 i can see 192.168.42.205 > 225.2.4.9:4000 UDP where 192.x.x.x is (i think) the source and 225.x.x.x is the multicast ID of the service).
    I would like to route this multicast traffic to the wifi interface (176.17.0.1).

    Can you help me?

    Thanks a lot for your time.

  9. bda says:

    Hi Tureface,

    First you’ll need to make sure smcroute and iptables are installed:

    sudo apt-get install smcroute iptables

    Assuming your wired ethernet interface is eth0, and wireless is wlan0 (you can use ifconfig to determine the actual interface names), I think something like this would work (as root or with sudo for each command):

    # start the daemon
    smcroute -d
    # add some routes
    smcroute -a eth0 192.168.42.205 225.2.4.9 wlan0

    # If the packets have a TTL of 1, they will be dropped even when the multicast
    # routing rules are correct. This ensures that the TTL will be high enough.
    iptables -t mangle -A PREROUTING -i eth0 -d 225.2.4.9 -j TTL --ttl-inc 1

    This assumes that all multicast traffic is coming from 192.168.24.205. If it’s coming from multiple sources, you could add an smcroute -a line for each source. If it has a dynamic address, you could install the latest smcroute from source, that Fraa Orolo linked above, and specify 0.0.0.0 as the source, or change it to have a static address.

    Hope that helps, let us know if you get it working and what was required.

  10. arich57 says:

    @tkoun,

    Would you mind posting exactly what you did to get it working on a dd-wrt based router? I can’t seem to find a repo with smcroute for it.

    I’m trying to get it so I can vpn in through openvpn and have my client see a upnp server in the main network.

    Thanks.

  11. Andy says:

    hi Sumit Arora,

    If you want to send multicast from one network to the other you need to configure OpenVPN in bridge mode (with TAP0 interfaces) instead of route mode.

    check this:

    http://docs.openvpn.net/how-to-tutorialsguides/virtual-platforms/site-to-site-layer-2-bridging-using-openvpn-access-server/

  12. John says:

    Hi,
    Finally some article with clarification of this issue. Although it’s quite old I’ll just try to get some response anyway.

    I have no idea what exactly to do, could you instruct me a little bit?
    I have a PC running Ubuntu Server 16.04 with a local ip 192.168.1.25 (connected to the dd-wrt router and internet). I’ve installed OpenVPN on it in order to access my media server remotely, but sure enough it can’t be seen.
    So the network I have is: enp2s0 (192.168.1.25, Bcast 192.168.1.255, Mask 255.255.255.0 connected to the router) and tun0 (10.8.0.1, P-t-P 10.8.0.2, Mask 255.255.255.255) OpenVPN profile.

    How should I proceed with adding routes via smcroute? The setup described above confuses me on what to route with what.
    Should I touch any settings on the router, I think not, since the OpenVPN connects directly to the 192.168.1.25 machine?

    Thanks, John.

  13. Anoop says:

    Hi,

    I am trying to achieve something similar. I have two upnp servers on br10 and upnp client device on br0. I tried the same I am not able to ping each other.

    root@Docsis-Gateway:~# ip -s mroute
    (192.168.6.101, 239.255.255.250) Iif: br10 Oifs: br0
    183 packets, 35712 bytes
    (192.168.165.200, 239.255.255.250) Iif: br0 Oifs: br10
    0 packets, 0 bytes
    (192.168.6.101, 239.255.255.250) Iif: unresolved
    root@Docsis-Gateway:~#

    it is showing that packets from “192.168.165.200” is zero. I don’t know what the last line in that command means which says Iif is unresolved. What is wrong in my configuration?

    Thanks,
    Anoop
