Chromecast audio/video between VLANs

tcsac · Apr 5, 2019, 4:46 AM

***Quick update - as mentioned below you now also need 8443, Google added that at some point and has basically nuked all documentation on the internet about port usage.

I've seen a few posts on this, but nobody covers it all - and most just tell you to put in blanket "allow everything" rules as a copout.

Step 1 - turn on Avahi. This is greatly simplified on the latest builds of PFsense - once installed you should just need:
Check the enable box
Select the interfaces you WANT broadcast traffic enabled on (on older versions you selected the excluded interfaces)
Check the box for "enable reflection"

that should be it for Avahi.

Step 2 - if you're like me and you've got a lot of devices, I STRONGLY suggest creating an alias for them:
Firewall >> Aliases
Name: whatever you want
Description: whatever you want
Type: hosts

Next put in the IP addresses of all your chromecast devices - if you haven't already you REALLY need to do static DHCP for all of them or it will be a nightmare.

Step 3:
Once this is done it's time for the firewall rules.
Go to the VLAN where you source hosts will be (not the VLAN where the chromecasts will be).
You'll need at least 5 rules.

Rule 1:
Action: Pass
Interface: Host VLAN
Address Family: IPv6
Protocol: UDP
Source: Any
Destination: single host or alias | ff02::fb | port 5353

Rule 2:
Action: Pass
Interface: Host VLAN
Address Family: IPv6
Protocol: UDP
Source: Any
Destination: single host or alias | ff02::fb | port 1900

Rule 3:
Action: Pass
Interface: Host VLAN
Address Family: IPv4
Protocol: UDP
Source: Any
Destination: single host or alias | 224.0.0.251 | port 5353

Rule 4:
Action: Pass
Interface: Host VLAN
Address Family: IPv4
Protocol: UDP
Source: Any
Destination: single host or alias | 224.0.0.251 | port 1900

Rule 5:
Action: Pass
Interface: Host VLAN
Address Family: IPv4
Protocol: TCP
Source: Any
Destination: single host or Alias | Chromecast Alias you created earlier | Port 8008-8009, 8443

Now, depending on how strict you want to be, you can set up Rule 5 to be restricted to only certain IPs on your Host VLAN vs. "any".

That should be it - you should be good to g.

This was directly from google as far as what ports chromecast uses:

Which ports does Chromecast use when connecting to external services?

HTTP:  TCP/80
HTTPS:  TCP/443
DNS:  UDP/53
SNTP:  UDP/123

Which ports are used by Chromecast to communicate with computer/phone/tablet in the same network?

SSDP:  UDP/1900/multicast
mDNS:  UDP/5353/multicast
TCP/8008
TCP/8009

Toube · Jan 6, 2020, 9:01 PM

Thanks for this.
I just got my Vlans for the iot network up and running.. for me it was enough to install avahi and enable it on the selected interfaces.

Now I can simply be logged on the LAN wifi and still be able to cast my 2 chromecast even if they are on different vlan / ip-space.

burntoc · Mar 1, 2020, 6:37 PM

@tcsac @Toube Do Google Home groups get populated across VLANS for you this way? I am able to cast to specific devices, but I can't see speaker groups unless I join the VLAN they're on.

burntoc · Aug 24, 2020, 7:30 AM

FYI to anyone still coming across this topic. I was able to solve my issue. Some of the details are found in feature request I opened once I realized the package fixed my issues:

https://redmine.pfsense.org/issues/10818

tman222 · Aug 24, 2020, 4:18 PM

@burntoc said in Chromecast audio/video between VLANs:

FYI to anyone still coming across this topic. I was able to solve my issue. Some of the details are found in feature request I opened once I realized the package fixed my issues:

https://redmine.pfsense.org/issues/10818

Hi @burntoc - I think adding a package is a great idea. Do you mind sharing some more details on how you are currently running UDP broadcast relaying manually? I'm interested in experimenting with this as well. Thanks in advance.

EDIT: I found your other thread here and followed instructions there - works great!

https://forum.netgate.com/topic/155698/how-can-i-get-this-udp-relay-package-for-casting-across-vlans

nedyah700 · Dec 30, 2020, 2:33 AM

This was very helpful! I had to add Port 8443 to Rule 5. Using a new Nest Hub and that port was preventing communication.

incognito · Jan 9, 2021, 2:09 PM

I can not get this working with a chromecast gen. 2

I have chromecast on a IOT VLAN.
In Avahi I have picked "allow" mode and picked the IoT VLAN and the regular LAN where my source phone is at.
Then clicked the repeat tickbox and set up my pfsense domain and hostname settings.

Then I have followed the rest of the instructions for firewall rules.

I still can not find the chromecast when trying to cast from my phone.. Any advice or anything?

incognito · Jan 9, 2021, 2:09 PM

@incognito said in Chromecast audio/video between VLANs:

I can not get this working with a chromecast gen. 2

I have chromecast on a IOT VLAN.
In Avahi I have picked "allow" mode and picked the IoT VLAN and the regular LAN where my source phone is at.
Then clicked the repeat tickbox and set up my pfsense domain and hostname settings.

Then I have followed the rest of the instructions for firewall rules.

I still can not find the chromecast when trying to cast from my phone.. Any advice or anything?

EDIT:
Actually it did work.. Seems like it took some time to get working. Maybe was a cache thing..

slugsshell · Mar 19, 2021, 3:17 PM

This post is deleted!

slugsshell · Mar 19, 2021, 7:26 PM

Hi,

thank you tcsac for your guide. This helped me out a lot.

I followed your setup guide, adjusted it a little to my needs.
For example I completely skipped the IPV6 part. On my pfSense setup I have deactivated IPv6 completely or at least all traffic is being blocked. Therefore I also checked the disallowed IPv6 Traffic in Avahi.

I had to allow an additional destination address 224.0.0.252 and port 5355 UDP after permitting the traffic to pass, I could see the chromecast residing in a different VLAN and Subnet.

At the end it turned out I only had to setup following rules:

Protocol: TCP
Source: VLANx (where streams originates from e.g. Mobile Phone)
Destination: Static DHCP addresses from chromecast in VLANy
Port: 8009

Protocol: UDP
Source: VLANx
Destination Address: 224.0.0.251 + 224.0.0.252
Ports: 5353 UDP (mDNS) + 5355 UDP (LLMNR)

Thanks again.
BR
Alex

Morphal · Dec 10, 2021, 7:27 PM

tl;dr: Allow UDP port 10008 also.

I have been using this setup for a while to cast my desktop from Google Chrome on one VLAN to a Chromecast on another VLAN, but today it suddenly stopped working. It worked fine yesterday but not today. Chrome would find the Chromecast, and if I tried to cast to it the TV attached to the Chromecast would show a blank screen for a few seconds like the cast was about to start, but then it would disconnect and Chrome would show that it's no longer casting.

In case anyone else has this problem, I also allowed UDP port 10008 through the firewall from the Chrome computer to the Chromecast and casting works again. I found this port number by doing a Wireshark capture. My guess is something probably changed in a recent Chrome and/or Chromecast update.

bartkowski · Dec 10, 2021, 7:51 PM

@morphal
I added this port, 8012, 10001, and 10101 back in March 2021 to my Chromecast alias. You may want to add those also, if not already.

Morphal · Dec 10, 2021, 8:43 PM

Oh OK thanks; I didn't know about those!

tcsac · Dec 11, 2021, 12:06 AM

@bartkowski UDP, TCP, or both? Presumably all UDP?

bartkowski · Dec 11, 2021, 12:20 AM

@tcsac i have both set in fw rule.

y2raza · Jul 16, 2023, 2:36 PM

@tcsac thank you for the instructions, this worked great and now I can cast YouTube from my mobile to my TV. However, the screen mirroring on my iPhone is still not displaying the TV which I have assigned a static IP. Any idea on how to fix that? TIA.