Mobile-to-TV casting across subnets



  • This is a tip to help others, not a question (apologies if posted in the wrong forum). After much trial-and-error, I've managed to configure pfSense to allow hosts in one subnet (e.g. mobile devices) to communicate with consumer media players in another subnet, including Google casting (e.g. YouTube to Smart TV). A quick search shows that many people have had trouble doing this, especially with Google apps; there are some other threads such as https://forum.netgate.com/topic/139218/sonos-speakers-and-applications-on-different-subnets-vlan-s with lots of useful details, but I thought a summary may be useful for people.

    My setup:

    • Two VLANs (of relevance here):
      • VLAN2 (main VLAN, both wifi and ethernet), with hosts including Android/iOS mobile devices and a NAS.
      • VLAN4 (IoT VLAN, ethernet), with hosts including an LG Smart TV and two Denon HEOS audio players (which are to be controlled by devices in VLAN2 and are to play content from the NAS in VLAN2).
    • Standard configuration of one IP subnet per VLAN (no L2 bridging between VLANs).

    First problem: TV casting and HEOS audio control use multicast protocols (Multicast DNS and SSDP), which aren't routed across subnets by default.

    Solution:

    1. Install the PIMD package for multicast routing.
    2. Configure PIMD with default settings:
      • General tab: Enable, set Bind to None, leave the rest as default.
      • Interfaces: Add the interfaces for the two VLANs, each with Always Bind and other settings as default.
      • BSR Candidates: Create one entry with default settings.
      • RP Candidates: Create one entry with default settings.
    3. Enable firewall rules for multicast (on both VLAN interfaces):
      • Multicast DNS: IPv4 UDP SourceNet:* -> 224.0.0.251:5353 [advanced: allow IP options]
      • SSDP: IPv4 UDP SourceNet:* -> 239.255.255.250:1900 [advanced: allow IP options]
      • IGMP: IPv4 IGMP SourceNet:* -> : [advanced: allow IP options]
    4. Enable firewall rules for unicast TCP/UDP communication between controller hosts (mobile devices) and NAS in VLAN2 and media players/TV in VLAN4 (both directions).

    Note: I also tried the Avahi multicast DNS package, but that didn't solve the problem on its own (presumably because of the SSDP requirement as well), and once I'd set up PIMD as above Avahi wasn't required for my setup. But some threads suggested running both, so some other configurations may need it.

    With the above setup, I was able to control my HEOS players, and see my TV listed when clicking the cast icon in the YouTube app. However, casting still didn't work, due to...

    Second problem: YouTube (and probably other Google apps) set TTL to 1 on their SSDP multicast packets, preventing the router from forwarding them to the other subnet, even with PIMD up and running.

    Solution:

    1. Using Diagnostics->EditFile, take a copy of the pfSense firewall config script, /etc/inc/filter.inc
    2. Search for the section that adds a "scrub" rule to the pf config for each interface (see https://docstore.mik.ua/manuals/openbsd/faq/pf/scrub.html). In pfSense 2.4.5 this is a "foreach ($FilterIflist as $scrubif => $scrubcfg)" loop in a function called filter_generate_scrubing.
    3. Just before that section, add the following line to increase the TTL of SSDP packets to 2 (change "VLAN2" to the name of the interface that has the controlling devices, and "10.0.2.0" to the corresponding subnet):
      $scrubrules .= "scrub in on \$VLAN2 inet proto udp from 10.0.2.0/24 to 239.255.255.250 port 1900 min-ttl 2 {$scrubnodf} {$scrubrnid} {$mssclamp} fragment reassemble\n";
    4. Add similar rules if you have other VLANs with controlling devices.
    5. Edit any firewall rule to regenerate the pf config (which you can check at /tmp/rules.debug).

    Hope this info is helpful to anyone in a similar situation.
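
    A way to check both stages of this setup from a host in the controller VLAN, added here as an example and not part of the original post: it sends one SSDP M-SEARCH with TTL 1 and one with TTL 2 and lists which devices answer each. The function names, the `ssdp:all` search target and the timeout are assumptions of this example.

```python
import socket
import struct

SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900  # group and port from the post

def build_msearch(st="ssdp:all", mx=2):
    """Return a standard SSDP M-SEARCH discovery request as bytes."""
    fields = ["M-SEARCH * HTTP/1.1", f"HOST: {SSDP_GROUP}:{SSDP_PORT}",
              'MAN: "ssdp:discover"', f"MX: {mx}", f"ST: {st}", "", ""]
    return "\r\n".join(fields).encode("ascii")

def parse_response(data):
    """Split an SSDP reply into (status_line, headers); header names upper-cased."""
    head = data.decode("utf-8", "replace").split("\r\n\r\n", 1)[0]
    status, *rest = head.split("\r\n")
    headers = {}
    for line in rest:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return status, headers

def probe(ttl, timeout=3.0, local_ip=None):
    """Send one M-SEARCH with the given IP TTL; return {responder_ip: headers}."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    # One-byte value is the portable form of this option across Linux and BSD.
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, struct.pack("B", ttl))
    if local_ip:  # pick the outgoing interface on a multi-homed host
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF,
                        socket.inet_aton(local_ip))
    sock.settimeout(timeout)
    found = {}
    try:
        sock.sendto(build_msearch(), (SSDP_GROUP, SSDP_PORT))
        while True:  # replies arrive as unicast UDP until the timeout fires
            data, (addr, _port) = sock.recvfrom(65507)
            status, headers = parse_response(data)
            if status.startswith("HTTP/1.1 200"):
                found[addr] = headers
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found

if __name__ == "__main__":
    for ttl in (1, 2):  # TTL 1 mimics the YouTube app's packets
        hits = probe(ttl)
        print(f"TTL={ttl}: {len(hits)} responder(s)")
        for ip, h in sorted(hits.items()):
            print(f"  {ip}  {h.get('SERVER', '?')}  {h.get('LOCATION', '?')}")
```

    Responders from the other subnet that appear only at TTL 2 indicate that multicast routing works but TTL-1 packets are still being dropped; once the scrub rule is active, the TTL 1 run should list them as well.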

