Good news: this nice UDP broadcast relay is now available for the ER-X (and ER-X SFP).

Find attached the archive with the udp-bcast-relay recompiled for ER-X.

@britannic : feel free to take it and add to your archive or as alternative download for ER-X.

Thanks a lot for your support

ubnt-bcast-relay_ER-X.tgz

It's only been compiled and tested on the ERL MIPS64 and ER-X MIPS32SEL platforms, so unfortunately we don't have any feedback for you. Note that although the router configuration is integrated on those platforms, the binary, once compiled for a target platform, can be used in standalone mode, configured by command line arguments. 

@UBNT-afomins

Any chance this can be included in the new beta? I just tested this with Chromecast and a normal broadcast device and it worked flawlessly.

Specifically the ubnt-bcast-relay installation is the only thing needed to be added in the next release. I followed the directions from below

http://www.cron.dk/edgerouter-and-chromecast/ 

@slockner, no, bcast-relay will only relay a single specific port between ethernet interfaces. 

Hi @britannic and others.

Is there any list of what ports should be open for what types of service?

I have been looking at tcpdump for a while, but ended up with over 30 different ports, then had some storm issues, then decided to "throw away" a few as I wasnt sure which ones were really being effective etc....

I'd really like to know what to open for different things... esp since I guess not all lans need access to the same services, etc?

If anyone can help compile something or can give a guide of how to find correct ports from a tcpdump...?

Most examples are for play-fi, I saw some info for Sonos online, etc... but a "official" list which is sanctioned and tested by more users would be really neat... maybe as a wiki in the repo? or maybe even as a config option in the tree?  Instead of just ports we could use "service-aliases" of sorts?

just an idea to make the discovery quicker...

@roynasser, sounds like you are firewalling between your LANs, I find it is simpler to only open ports that carry an initial advertisment/broadcast and/or also the main port for a service and then set up rule sets like this:

    name int-mdx {
        default-action drop
        rule 1 {
            action accept
            description "Allow all connections"
            state {
                established enable
                new enable
                related enable
            }
        }
        rule 2 {
            action accept
            description "Allow established connections"
            state {
                established enable
                related enable
            }
        }
        rule 3 {
            action drop
            description "Drop invalid packets"
            state {
                invalid enable
            }
        }
        rule 510 {
            action accept
            description "Allow ICMP"
            protocol icmp
        }
        rule 3100 {
            action accept
            description "Allow SSH"
            destination {
                port ssh
            }
            protocol tcp
        }
    }

    name mdx-int {
        default-action drop
        rule 1 {
            action accept
            description "Allow all connections"
            state {
                established enable
                new enable
                related enable
            }
        }
        rule 2 {
            action accept
            description "Allow established connections"
            state {
                established enable
                related enable
            }
        }
        rule 3 {
            action drop
            description "Drop invalid packets"
            state {
                invalid enable
            }
        }
        rule 400 {
            action accept
            description "Allow mdx to offer access to media address group"
            source {
                group {
                    address-group media
                }
            }
        }
        rule 510 {
            action accept
            description "Allow ICMP"
            protocol icmp
        }
        rule 3100 {
            action accept
            description "Allow SSH"
            destination {
                port ssh
            }
            protocol tcp
        }
    }

Note that I am using zone based policies and IP groups. Once the initial connection is made from one of my media devices to my "int" LAN, any ports required afterward will be part of the same session and allowed by rule 2 in "mdx-int", since they will be related to the original connection:

        rule 2 {
            action accept
            description "Allow established connections"
            state {
                established enable
                related enable
            }
        }

What helped me the most in setting up the rules, was to enable default logging for the rule set and then monitoring the log to see what was being dropped during a media connection attempt and then add/amend rules as necessary.

Here's how to set logging for your firewall rule set:

set firewall name <YOUR RULESET NAME HERE> enable-default-log

To monitor the logs:

tail -f /var/log/messages

Hi @britannic thanks for the detailed comments.  I have not added any firewalling between networks.  Unless there is some by default (I'm away from the setup at the moment to double check).

My question was more general in terms of what ports should be forwarded between VLANs/ETHs in broadcast relay so I know which ones are important between which interffaces, etc...

Thanks! 

Hi,

I'm considering getting an EdgeRouter, especially after reading this article.  Any idea if this was integrated into the standard build, or if the install as described would still work?

It didn't get integrated, but still works on the latest version of EdgeOS (1.9.1). 

I'm using this for relaying UDP broadcasts from i/f switch0 to the IPSec/L2TP road-warrior connections (i/f l2tp0), for a mobile application listening to UDP broadcasts from some LAN devices (for device discovery).

The problem is that after a router reboot (or whenever there's no VPN connection and l2tp0 not visible), interface l2tp0 is not up and the service is not started.

ubnt@ubnt:/opt/vyatta/sbin$ sudo start-stop-daemon --start -v --make-pidfile --pidfile "/var/run/udp-bcast-relay.1.pid" --exec "/opt/vyatta/sbin/udp-bcast-relay" -- 1 7078 switch0 l2tp0
Starting /opt/vyatta/sbin/udp-bcast-relay...
ioctl(SIOCGIFINDEX): No such device

ubnt@ubnt:/opt/vyatta/sbin$ sudo ./udp-bcast-relay 1 7078 switch0 l2tp0
ioctl(SIOCGIFINDEX): No such device

So, in the router's CLI config l2tp0 is there, but the service won't come up. I thought about running a cron job, but if the L2TP session is dropped and goes back up, the UDP broadcasts won't be relayed; the process must be restarted manually.

The setup scripts were designed for static interfaces, so this falls outside of an easy fix. A VPN "up" script or cron job to kick off the udp broadcast relay once the link is active, is likely a good way to go. 

I agree. But the process should be also terminated when the VPN interface goes down. I noticed that if I disconnect from the VPN, the process keeps running in the background and, after reconnecting to the VPN, no broadcasts go through (I need to kill and start again the process).

I'll check how to have a script executed when an interface goes up or down.

I managed to do it with some simple linux scripts. I assume they'll have to be restored after an EdgeOS upgrade.

ubnt@ubnt:/etc/ppp/ip-up.d$ cat vpn-up-bcast

#!/bin/sh
/opt/vyatta/sbin/udp-bcast-relay -f 1 7078 switch0 l2tp0

ubnt@ubnt:/etc/ppp/ip-down.d$ cat vpn-down-bcast

#!/bin/sh
pkill -f udp-bcast-rela

Hi @britannic 

because of @spoon25 's great work I just realized that the reason for my bcast-relay not working was that I used your binary with an ER-X and didn't know about the incompatibility. Thanks a lot again for your very helpful troubleshooting in posts 94 and following, although it didn't fix it at that time, now with spoon25's ER-X binary everything works fine!! But thanks a ton for your huge patience in those days!

Just one last question: Can anyone confirm that the bcast-relay isn't affected by firewall rulesets? E.g. if I just want a single source ip to be able to send broadcasts that are relayed, the firewall ruleset doesn't seem to deny the others, neither in direction in nor in direction out. Does anyone have an idea about that?

Thanks a lot!!

Hi @DennisSchmitt ,

I'm not sure about the firewall as in my zone-based firewall the source zone to local (edgerouter) and from local to target zone directly allow any connection (as I use it to send wake-on-lan to few devices).

So didn't have to manage or test the case if the firewall play a role or not.

Will this work just for broadcasting a server to be viewed across Vlans?  I have 5 Vlans and want them all to be able to browse the same server (a Qnap NAS).