Can Chromecast devices be made to work *with* AP Isolation?
-
Everything I read suggests that Chromecast devices must have Wi-Fi access point isolation turned off to work: https://support.google.com/chromecast/answer/3213084?hl=en
AP isolation is sort of important in this era of IoT devices as a threat source… So I would like to explore how to enable isolation and provide a routed connection to the Chromecast through the pfSense box.
Is there some clever way to do something like enable access to the Avahi service for discovery and then expose the Chromecast device with rules that allow connections to it without letting it scan and connect to arbitrary other resources?
I'm using the Netgate SG-4860 so lots of ports to play with and have a managed switch connected as well for VLANs.
-
How about you post the specifics about exactly what Chromecast needs to function so people don't have to research it to answer you?
-
"How about you post the specifics about exactly what Chromecast needs to function so people don't have to research it to answer you?"
I'm certainly willing to. I thought I would see if someone else had already traveled the path or knew that it isn't possible so don't bother.
It uses mDNS for device discovery: https://en.wikipedia.org/wiki/Chromecast#Device_discovery_protocols
-
"AP isolation is sort of important in this era of IoT devices as a threat source…"
While I agree with isolation and monitoring of these IoT devices, that doesn't really mean they have to be isolated from all other Wi-Fi devices. For example, my Nest and Protect talk to each other - you kind of want them on the same network.
Your Wi-Fi remote might need to talk to the thing you want to remote, which is also on Wi-Fi.
Things that need to talk to each other need to be on the same segment, be it wired or wifi network.
-
So install Avahi and deny all but those two network interfaces. Does it work? There aren't a lot of knobs there. Just leave the defaults.
You also need to be sure whatever side actually makes connections to the other has the firewall rules necessary on the interface the connections are being made from. No idea which way that is with Chromecast.
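-
To check whether Avahi is actually reflecting Chromecast discovery between the two interfaces, it helps to know what the mDNS traffic looks like on the wire. The following is an added example, not code from the thread or from pfSense: it builds the PTR query for `_googlecast._tcp.local` (the service type Chromecast advertises; an assumption not stated in the thread) and extracts instance names from a reply. The sample reply and its device name are constructed.

```python
import struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353  # link-local multicast: routers do not forward it
CAST_SERVICE = "_googlecast._tcp.local"      # assumed Chromecast service type (not from the thread)

def encode_name(name):
    """Encode a dotted name as DNS labels: length byte + bytes, zero-terminated."""
    labels = [part.encode() for part in name.strip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_ptr_query(service=CAST_SERVICE):
    """Build the one-question mDNS query a casting app multicasts to find devices."""
    header = struct.pack("!6H", 0, 0, 1, 0, 0, 0)  # id=0, flags=0, one question
    return header + encode_name(service) + struct.pack("!2H", 12, 1)  # type PTR, class IN

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:  # compression pointer to an earlier name
            end = off + 2 if end is None else end
            off, hops = ((n & 0x3F) << 8) | msg[off + 1], hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
        elif n == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode())
            off += 1 + n

def parse_ptr_answers(msg):
    """Return the instance names carried in PTR answers of an mDNS message."""
    _, _, qdcount, ancount, _, _ = struct.unpack("!6H", msg[:12])
    off, found = 12, []
    for _ in range(qdcount):  # skip questions: name + type + class
        off = read_name(msg, off)[1] + 4
    for _ in range(ancount):
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 12:
            found.append(read_name(msg, off)[0])
        off += rdlen
    return found

# Constructed reply: one PTR answer naming a made-up device "LivingRoom".
SAMPLE_REPLY = (struct.pack("!6H", 0, 0x8400, 0, 1, 0, 0) + encode_name(CAST_SERVICE)
                + struct.pack("!HHIH", 12, 1, 120, 13) + b"\x0aLivingRoom\xc0\x0c")
```

If the query is seen on the client interface but never on the Chromecast interface (or the reply never comes back), discovery is failing at the reflector rather than at the firewall rules for the cast connection itself.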