Roku Discovery Across Subnets (UDP Broadcast Relay)

Started by coreyo, September 29, 2021, 07:31:04 AM

September 29, 2021, 07:31:04 AM Last Edit: September 29, 2021, 08:43:38 AM by coreyo
I have 2 subnets: "LAN" and "VLAN_NoVPN". The latter is a VLAN. All internet traffic for LAN is routed through a WireGuard VPN, and all traffic for VLAN_NoVPN is not. However, this likely has nothing to do with the issue. Each is on its own subnet with a 16 bit prefix. I have my Rokus on the VLAN_NoVPN (because services like Netflix, Hulu, etc. have a nasty habit of blocking access from commercial IP addresses). Most of my computers, phones, etc. are connected to the main LAN so that their traffic is masked by the VPN. Unfortunately, I cannot seem to get casting to work across subnets. Devices on one network do not seem to be able to discover devices on the other subnet. Here's what I've done and the debugging that I've done so far:

1. There is currently no reason for privacy across the two subnets, so my firewall rules are quite liberal. Both the LAN and VLAN interfaces have a general "allow all" rule. To test this, clients from one subnet can ssh, ping, and generally connect to clients on the other subnet no problem. This is all working as expected.

2. I can confirm that udpbroadcastrelay is running as expected by inspecting the current processes:
root@opnsense:~ $ ps aux |grep udp
root     5126   0.0  0.0  12556   1924  -  S    18:06       0:00.09 /usr/local/sbin/udpbroadcastrelay --id 2 --dev re0 --dev re0_vlan100 --port 1900 --multicast 239.255.255.250 -f
root    31808   0.0  0.0  12556   1932  -  I    22:39       0:00.05 /usr/local/sbin/udpbroadcastrelay --id 3 --dev re0 --dev re0_vlan100 --port 137 -f
root    51337   0.0  0.0  12556   1924  -  I    22:39       0:00.02 /usr/local/sbin/udpbroadcastrelay --id 4 --dev re0 --dev re0_vlan100 --port 138 -f
root    69254   0.0  0.0  12556   1924  -  S    22:39       0:00.39 /usr/local/sbin/udpbroadcastrelay --id 1 --dev re0 --dev re0_vlan100 --port 5353 --multicast 224.0.0.251 -s 1.1.1.1 -f
root  35513   0.0  0.1  12636   2140  0  S+   22:02       0:00.01 grep udp


3. I can confirm all of the broadcast packets are seen across subnets. In this particular case, the client running tcpdump is on the LAN subnet, and the "KitchenRokuUltra" device is on the VLAN_NoVPN subnet.
:~$ sudo tcpdump -i eno2 | grep 239.255.255.250
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno2, link-type EN10MB (Ethernet), capture size 262144 bytes
22:09:15.182499 IP 10.3.1.16.46502 > 239.255.255.250.1900: UDP, length 146
22:09:15.395361 IP KitchenRokuUltra.Homeslice.43948 > 239.255.255.250.1900: UDP, length 214
22:09:15.395362 IP KitchenRokuUltra.Homeslice.43948 > 239.255.255.250.1900: UDP, length 220
22:09:15.395362 IP KitchenRokuUltra.Homeslice.43948 > 239.255.255.250.1900: UDP, length 273
22:09:15.395363 IP KitchenRokuUltra.Homeslice.43948 > 239.255.255.250.1900: UDP, length 214
22:09:15.395363 IP KitchenRokuUltra.Homeslice.43948 > 239.255.255.250.1900: UDP, length 220


Unfortunately, when I launch Chrome or a mobile YouTube app from within one subnet, none of the Roku devices from the other subnet are discoverable. Do I need a separate rule to make inter-subnet Roku discovery work?

It should also be noted that many of the devices are connected to WiFi via my Ubiquiti UniFi routers. I'm not sure if that makes any difference. Thanks in advance for any insights.

--- As A Side Note ---

The mDNS rule seems to be working just fine. Not only can I see Google and Chromecast devices from other subnets, but they are discoverable as intended by various devices on either subnet. Looking at tcpdump, I have noticed that some of the packets actually seem to be originating from the OPNsense router. Are those the packets that it's forwarding?

:~$ sudo tcpdump -i eno2 | grep 224.0.0.251
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno2, link-type EN10MB (Ethernet), capture size 262144 bytes
21:57:35.009888 IP opnsense.Homeslice.mdns > 224.0.0.251.mdns: 0 PTR (QM)? _googlecast._tcp.local. (40)
21:57:35.221076 IP Google-Nest-Mini.Homeslice.mdns > 224.0.0.251.mdns: 0*- [0q] 1/0/3 PTR Google-Nest-Mini-4e96b3f5decfc1f3a9367e8c59d56b88._googlecast._tcp.local. (392)
21:57:35.221077 IP opnsense.Homeslice.mdns > 224.0.0.251.mdns: 0*- [0q] 1/0/3 PTR Google-Nest-