Netgate Discussion Forum

Can Chromecast devices be made to work *with* AP Isolation?

Wireless
5 Posts 3 Posters 1.9k Views
  • T
    Traveler
    last edited by Dec 24, 2016, 6:54 PM

    Everything I read suggests that Chromecast devices must have Wifi access point isolation turned off to work: https://support.google.com/chromecast/answer/3213084?hl=en

    AP isolation is sort of important in this era of IoT devices as a threat source…  So I would like to explore how to enable isolation and provide a routed connection to the Chromecast through the pfSense box.

    Is there some clever way to do something like enable access to the Avahi service for discovery and then expose the Chromecast device with rules that allow connections to it without letting it scan and connect to arbitrary other resources?

    I'm using the Netgate SG-4860 so lots of ports to play with and have a managed switch connected as well for VLANs.

    • D
      Derelict LAYER 8 Netgate
      last edited by Dec 24, 2016, 7:30 PM

      How about you post the specifics about exactly what Chromecast needs to function so people don't have to research it to answer you?

      Chattanooga, Tennessee, USA
      A comprehensive network diagram is worth 10,000 words and 15 conference calls.
      DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
      Do Not Chat For Help! NO_WAN_EGRESS(TM)

      • T
        Traveler
        last edited by Dec 24, 2016, 7:46 PM

        @Derelict:

        How about you post the specifics about exactly what Chromecast needs to function so people don't have to research it to answer you?

        I'm certainly willing to.  I thought I would see if someone else had already traveled the path or knew that it isn't possible so don't bother.

        It uses mDNS for device discovery: https://en.wikipedia.org/wiki/Chromecast#Device_discovery_protocols

        • J
          johnpoz LAYER 8 Global Moderator
          last edited by Dec 25, 2016, 12:47 PM

          "AP isolation is sort of important in this era of IoT devices as a threat source.."

          While I agree with isolation and monitoring of these IoT devices, that doesn't really mean they have to be isolated from all other wifi devices.  For example my nest and protect talk to each other - you kind of want them on the same network.

          Your wifi remote might need to talk to the thing you want to remote that is also wifi..

          Things that need to talk to each other need to be on the same segment, be it wired or wifi network.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • D
            Derelict LAYER 8 Netgate
            last edited by Dec 25, 2016, 5:50 PM

            So install Avahi and deny all but those two network interfaces. Does it work? There aren't a lot of knobs there. Just leave the defaults.

            You also need to be sure whatever side actually makes connections to the other has the firewall rules necessary on the interface the connections are being made from. No idea which way that is with Chromecast.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)
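
Added example, not part of any post in this thread and not Netgate's own configuration: the layout discussed above written out as pf.conf rules, with the Chromecast on its own routed segment and Avahi repeating mDNS between that segment and the LAN. The interface names, the addresses and the cast control ports (TCP 8008/8009) are assumptions; on pfSense the same rules would be built per interface in the GUI.

```conf
# Added illustration in pf.conf syntax. Every name, address and port is an assumption.
lan_if     = "igb1"            # trusted clients (hypothetical interface)
iot_if     = "igb2"            # Chromecast / IoT segment (hypothetical interface)
cast       = "192.168.20.50"   # constructed address; pin it with a static DHCP mapping
cast_ports = "{ 8008, 8009 }"  # assumed cast control ports; confirm with a packet capture
private    = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"

# Default: nothing enters an interface unless a rule below allows it.
block in log all

# mDNS must reach the firewall itself on both segments, or Avahi has nothing to repeat.
pass in quick on { $lan_if, $iot_if } inet proto udp from any to 224.0.0.251 port 5353

# LAN side: clients may open cast sessions to the one device, nothing else on that segment.
pass in quick on $lan_if inet proto tcp from $lan_if:network to $cast port $cast_ports
block in log quick on $lan_if inet from any to $iot_if:network
pass in quick on $lan_if inet from $lan_if:network to any

# IoT side: DHCP and DNS from the firewall, then internet only.
pass in quick on $iot_if inet proto udp from any port 68 to any port 67
pass in quick on $iot_if inet proto { tcp, udp } from $iot_if:network to ($iot_if) port 53
# The Chromecast cannot initiate connections to any internal network.
block in log quick on $iot_if inet from any to $private
pass in quick on $iot_if inet from $iot_if:network to any
```

If casting fails, the entries logged by the two `block in log quick` rules show which side tried to open the connection and on which port, which is the interface where a narrower pass rule would have to go.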
