LAN vs VLAN w/ unifi switch and UDM PRO

mr.singh · Apr 28, 2022, 10:58 PM

Hi, I am trying to understand what I am doing wrong.
I am simply trying to understand why Nvidia Shield and Chromecast works on LAN interface and NOT any VLAN.

All VLAN are created on Pfsense and configured on UNIFI switch.

I have a pfense as router and firewall
w/ POE unifi switch connected via 10G link and also a UDM PRO connected to the switch.

DHCP runs on pfsense and Network controller on UDM PRO with option 53 DHCP.

Any device on my LAN can ping and cast to both Shield and chromecast soundbar when everything is on LAN, but as soon as the devices are moved to a VLAN (both Shield and Soundbar and laptop wired via ethernet) That laptop can ping but cannot cast.

No blocking rules on VLAN.

Holding complicated question for later, but simply put why & how can debug this mystery that devices on LAN can cast but not on any VLAN.

johnpoz · Apr 28, 2022, 11:10 PM

@mr-singh said in LAN vs VLAN w/ unifi switch and UDM PRO:

how can debug this mystery

There is nothing to debug - casting like that requires devices to be on the same network..

You might be able to get them to work with avahi package, or the pimd package, etc. But those devices were not designed to work across networks..

mr.singh · Apr 28, 2022, 11:41 PM

@johnpoz Both laptop and chromecasts devices were tested on the vlan.

Not getting into cross vlan just yet

johnpoz · Apr 29, 2022, 3:11 AM

@mr-singh said in LAN vs VLAN w/ unifi switch and UDM PRO:

oth laptop and chromecasts devices were tested on the vlan.

Well that has ZERO to do with pfsense... Because pfsense has nothing to do with communication between devices on the same network/vlan.. Be it broadcast, multicast or unicast - pfsense is not involved with such conversations.

If your having issues with device doing whatever it they want to do on the same network, look to your wifi doing multicast filtering or has igmp snooping on and messing with such traffic, etc.

No blocking rules on VLAN.

You could have no rules on the vlan, you could block everything - not related because pfsense not involved at all... Turn pfsense off if you want.. pfsense is to get off a network/vlan - ie route to some other network.. Then firewall no you can not go to that IP on that other network, or yes you can talk to that IP on that other network on port xyz.. But devices on the same network/vlan talking to each other pfsense has no clue to those conversations... The most it could do would be to provide the devices dns..

mr.singh · Apr 29, 2022, 3:11 AM

@johnpoz so could this be related to unifi switches?

I have a PoE and flex mini switches deployed.

johnpoz · Apr 29, 2022, 4:21 PM

@mr-singh Are you doing igmp snooping in them or any other sort of filtering? I assume you have some wireless in there - prob more related to those..

I don't really have any unifi switches in my setup - I have one of the flex mini - got it to play with.. Its little, give you that. But overall feature set limited.. Its sitting on a shelf right now..

I could see where they could be useful, and guess if I was unifi across the board for switches already - and I needed a little one, would use them.

mr.singh · Apr 29, 2022, 4:21 PM

@johnpoz igmp snooping is enabled in UI controller, is there anything specific I need to do as well. On the IoT streaming VLAN there are only 2 devices to test. Laptop and nvidia shield.

I also have the Switch Flex, but only AP is on it.

johnpoz · Apr 29, 2022, 4:37 PM

@mr-singh try turning off igmp snooping.. This might prevent discovery because it can limit who sees multicast unless the client joins the group, etc.

So try turning it off, also their other multicast features - and see if that helps.

login-to-view

Also anything that might be doing L2 isolation could cause you grief

login-to-view

You might want to check over on their forums for info - like I said pfsense has nothing to do with such communication

mr.singh · May 17, 2022, 7:51 PM

@johnpoz The issue I don't understand is:
I created a VLAN 40 on both pfsense and unifi. DHCP setting works and I get the IP. No casting because when I search using chrome on the Win10 Laptop shield doesn't pop up. They both are on the same VLAN.

In Unifi switch, I specifically change the port profile to that of the specific VLAN network.

When the same devices are on "ALL" port profile, casting works both with wired and wireless clients with shield. So how is unifi blocking casting on VLAN ports

mr.singh · May 17, 2022, 9:13 PM

This post is deleted!

johnpoz · May 19, 2022, 4:06 AM

@mr-singh said in LAN vs VLAN w/ unifi switch and UDM PRO:

They both are on the same VLAN.

Again that has zero to do with pfsense - zero! Pfsense has nothing to do to block traffic happening between devices on the same switch or via an AP..

There is no way you could block multicast on an L2 network with pfsense even if you wanted to..

Unless pfsense was bridge between segments of an L2.. Say something like this

L2 --- interfaceA (pfsense bridge) ineterfaceB --- L2

mr.singh · May 19, 2022, 4:06 AM

@johnpoz Can DNS be an issue? My LAN interface has private 10.160.15.1/24 and IoT 11.160.30.1/24.

By any ways can these conflicting with anything?
I am also running pfblocker

johnpoz · May 19, 2022, 10:42 AM

@mr-singh if your trying to actually resolve something that doesn't resolve sure dns could be a problem.

Are you trying to access something via fully qualified domain name? host.domain.tld - if so does it resolve?

pfblocker has ZERO to do with some multicast discovery that happens on some L2 network.

I am not a fan of discovery stuff, but discovery protocols normally have nothing to do with dns, since that is not really discovery ;) They might send a mdns query, but that is on the L2 and all devices on the same L2 would see that traffic and pfsense has nothing to do with that.

mr.singh · May 19, 2022, 12:05 PM

@johnpoz I have a L3 unifi switch, but I am not using any of those features.

I was able to get a avahi reflector working on a rpi 4.

My desktop on the lan interface is able to see the entry via avahi browse but nothing pops in chrome

weird thing is my phone also on the LAN interface wifi(unifi ap) can see the chromecast device. But only my phone. Not any other wired or wirless devices like desktop and laptops

johnpoz · May 19, 2022, 12:23 PM

@mr-singh said in LAN vs VLAN w/ unifi switch and UDM PRO:

My desktop on the lan interface is able to see the entry via avahi browse but nothing pops in chrome

Well what ports are being used to actually cast? Those would have to be allowed, if a multicast stream wouldn't work - because avahi just allows for the discovery via mdns.

mr.singh · May 19, 2022, 12:36 PM

@johnpoz Since both my phone and desktop are on LAN and the phone can see the chromecast and cast to it and the desktop cannot.

doesn't that mean something is wrong somewhere?