Netgate Discussion Forum
    Casting Apple, Google FireTV (mDNS SSPD)

    Category: L2/Switching/VLANs
    14 Posts 2 Posters 841 Views
    CloudNode @johnpoz

      @johnpoz Yeah, I have guests that come over for parties and they want to be the "DJ" and use their own device to cast music videos on the TV.

      I found some forums online saying they allowed all these high port numbers from their IOT and that allowed casting to work via VLAN. I tested and it works, but it seems just too open still.

      [image attachment]

      With this UDP Relay tool installed you would think crossing VLANs with some relaxed rules would allow it. But I don't just want to open it up; at the same time, I'm trying to keep it simple and secure.

      CloudNode @johnpoz

        @johnpoz What I ended up doing for now is enabling UDP Broadcast Relay for 5353 and 1900 for LAN, IOT and Guest.

        Created an Alias for CastingDevices: added the IPs for all my TVs
        Created an Alias for CastFromNetworks: Added LAN Subnets and Guest Subnets

        Created an allow rule under IOT from CastingDevices to CastFromNetworks

        This allows me to cast while on my main LAN subnet and also while on the Guest subnet to the TV IPs I have in the CastingDevices alias, while keeping them from cross-talking to my other subnets.

        [image attachment]

        I left the port as ANY as I am not sure what ports are required, or else I would have created an alias for that as well.

        Does anyone have those ports or a better way for this solution?

        Thank you

        johnpoz (LAYER 8 Global Moderator) @CloudNode

          @iptvcld said in Casting Apple, Google FireTV (mDNS SSPD):

          and also while on the Guest Subnet t

          Where did you put those rules? How would that allow your guest network.. Your guest network is connecting to your LAN? Not much of a guest network if it is.. Did you put that rule in the floating tab?

          What you allow between networks is up to you..

          Those rules for 1900 and 50k-65k make no sense on the iot network..

          What rules do you have on your guest network?

          Rules are evaluated top down, first rule wins, no other rules are evaluated.. On the interface the traffic would enter pfsense from the network pfsense is attached to. To allow guest to cast to iot, the rules would have to be on the guest network.. Not on the iot interface.

          Your description of your alias makes no sense to me - casting devices makes sense for a source. But cast from for destination does not make sense.. Cast to network would make sense for a destination alias.

          You can setup discovery with like mdns or upnp.. But for the actual traffic I would only allow the port it would be casting to, and that sure wouldn't be all the ports between 50k and 65k.. That seems insane.... I would think it's either port 8008 or maybe 8009 as the destination port to the chromecast IP..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          CloudNode @johnpoz

            @johnpoz My rule description looks like this. CastFromNetwork just means while on those 2 networks, I am able to cast. Now, if I knew more on what to put in for the destination then I would have closed it down some more, but I am not sure what ports it needs.
            [image attachment]

            My guest FW has this
            [image attachment]

            Allowing guest to the casting devices only

            [image attachment]

            CloudNode @johnpoz

              @johnpoz said in Casting Apple, Google FireTV (mDNS SSPD):

              Rules are evaluated top down, first rule wins, no other rules are evaluated.. On the interface the traffic would enter pfsense from the network pfsense is attached too. To allow guest to cast to iot, the rules would have to be on the guest network.. Not on the iot interface.

              These are my IOT rules - I had to put this allow at the top as I don't allow cross talk to other networks.
              [image attachment]

              johnpoz (LAYER 8 Global Moderator) @CloudNode

                @iptvcld said in Casting Apple, Google FireTV (mDNS SSPD):

                CastFromNetwork just means while on those 2 networks

                That wouldn't be the "destination" that would be the source.

                Why would your casting player in your IOT subnet be making unsolicited connections to your casting device?

                CloudNode @johnpoz

                  @johnpoz Maybe my description is off, but my casting devices are all in the IOT network so I had to allow all the casting devices to be able to talk to the networks I want to cast from. So from TV1 to LAN Subnets and Guest Subnets.

                  johnpoz (LAYER 8 Global Moderator) @CloudNode

                    @iptvcld that top rule on your iot network allows any of those casting devices to talk to anything on the 2 networks you have listed in castfrom.. They can do anything they want to any IP in those networks.

                    With such a rule, you sure are not isolating your iot network.. Such rules pretty much make segmenting pointless and you might as well just run 1 flat network.

                    Wouldn't it be much more secure to just let your guest dj connect to your IOT network.. And a lot less messy.. And then you can actually isolate your IOT network ;)

                    You understand as well that rule in that order allows anything in your IOT to talk to the pfsense webgui on those networks as well.

                    The only thing you should have to allow is your guest network to discover stuff on your iot.. And then 8008-8009 for v2 cast, and maybe 10008 for mirroring..

                    I have not looked into the details or sniff traffic while casting.. Because I would never setup such access.. If something wants to cast to my casting destination, I would put that something on the network of the casting destination.. Not create all kinds of holes in my L2 barrier for discover and then create some rule that wide opens up access into a network.. Which defeats the whole point of isolation in the first place.

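As an added illustration (not code from the thread, from pfSense or from Netgate), a small Python model of the first-match rule evaluation johnpoz describes, run against the IOT-tab rule as CloudNode laid it out and against a tighter layout that uses only the 8008-8009 Cast v2 ports named above. The subnets, TV addresses and alias contents are constructed; discovery via the 5353/1900 broadcast relay is assumed to be handled separately and is not modelled.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing (assumed, not taken from the thread).
LAN = ip_network("192.168.1.0/24")
GUEST = ip_network("192.168.30.0/24")
IOT = ip_network("192.168.20.0/24")
CASTING_DEVICES = {ip_address("192.168.20.10"), ip_address("192.168.20.11")}  # the TVs
CAST_FROM_NETWORKS = [LAN, GUEST]

def match_host(addr, spec):
    """spec is 'any', a set of addresses (host alias) or a list of networks."""
    if spec == "any":
        return True
    if isinstance(spec, set):
        return addr in spec
    return any(addr in net for net in spec)

def match_port(port, spec):
    """spec is 'any' or an inclusive (low, high) destination port range."""
    return spec == "any" or spec[0] <= port <= spec[1]

def evaluate(rules, src, dst, proto, dport):
    """First matching rule wins, as on a pfSense interface tab; no match means block."""
    s, d = ip_address(src), ip_address(dst)
    for action, rsrc, rdst, rproto, rport in rules:
        if (rproto in ("any", proto) and match_host(s, rsrc)
                and match_host(d, rdst) and match_port(dport, rport)):
            return action
    return "block"

# The IOT-tab rule set described in the thread: TVs -> CastFromNetworks on any port,
# placed above the "no cross talk" block so that it wins.
IOT_RULES_BROAD = [
    ("pass", CASTING_DEVICES, CAST_FROM_NETWORKS, "any", "any"),
    ("block", [IOT], [LAN, GUEST], "any", "any"),
]

# Tighter layout: the pass rule lives on the guest tab (where a guest's cast enters
# pfSense) and is limited to the Cast v2 ports named in the thread; IOT stays isolated.
GUEST_RULES_TIGHT = [
    ("pass", [GUEST], CASTING_DEVICES, "tcp", (8008, 8009)),
    ("block", [GUEST], [LAN, IOT], "any", "any"),
]
IOT_RULES_TIGHT = [("block", [IOT], [LAN, GUEST], "any", "any")]

if __name__ == "__main__":
    # A TV reaching the pfSense web GUI on LAN passes under the broad rule.
    print(evaluate(IOT_RULES_BROAD, "192.168.20.10", "192.168.1.1", "tcp", 443))
    print(evaluate(GUEST_RULES_TIGHT, "192.168.30.5", "192.168.20.10", "tcp", 8009))
```

Because pfSense is stateful, the return traffic of a cast session opened from the guest tab is allowed automatically, so the IOT tab needs no pass rule toward guest at all.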
                    CloudNode @johnpoz

                      @johnpoz I know it's a bummer, I was really trying to make it work this way but yeah, I can see that those casting devices (my TVs) can now cross-talk to my LAN subnet, which I really don't want them to do.

                      There has to be a better way without providing my guests the password for IOT. If I had the port for casting then I can somehow lock it down, as then those TVs will have access to the LAN subnet but only on those ports.

                      johnpoz (LAYER 8 Global Moderator) @CloudNode

                        @iptvcld said in Casting Apple, Google FireTV (mDNS SSPD):

                        There has to be a better way without providing my guest the password for iOT.

                        Already went over how you can do that: create a different PSK for a different SSID that is on your iot vlan. Or setup private psk (PPSK) that allows a different psk for the same ssid.

                        Private or Personal PSK, is somewhat new and can differ in implementation for different vendors.. So simpler solution would be to just create another SSID with a guestpassword for the psk that is also attached to your iot network.

                        Now you can just turn that network on or off depending if you have guest djs over, and you could even change this psk between parties.. Much easier to lock that down to be honest..

                        What exactly are you using for your wifi? Some old wifi router, or an actual AP that supports vlans?

                        edit: Macgyver way to do it if your wifi APs don't support vlans would be to just use another wifi router as an AP that is connected to your iot network and uses a different SSID than your normal iot psk. This could be done cheap with any old wifi router you have lying about, or just buying some $20 wifi router off amazon. Nice thing with that is you could just turn it off when not in use ;)

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.