Casting Apple, Google FireTV (mDNS SSDP)
-
Hello; I was wondering what the best practice is to allow multicast for Apple, Google and FireTV casting to work across VLANs.
I have a LAN VLAN (100), an IOT VLAN (10) and a Guest VLAN (99).
My casting devices are on the IOT VLAN (10), and I am trying to cast something while on the LAN VLAN (100), but the casting devices are not showing in the list of targets to cast to. I have installed UDP Broadcast Relay, allowed the LAN, IOT and GUEST interfaces, and allowed port 5353 to 224.0.0.251 and port 1900 to 239.255.255.250.
It seems to be something in my rules that I need to allow, as currently in my IOT rules I have a block to all other networks except its own, and I don't want IOT devices to cross-talk. It seems like this is causing the issue, but I am not sure how to relax this rule.
Thank you,
-
@iptvcld said in Casting Apple, Google FireTV (mDNS SSDP):
what the best practice to allow Multicast Apple, Google FireTV to work
The best approach, and the simplest, is to just cast while on the same network you want to cast to. This discovery and casting were never meant to work across VLANs.
I have my TVs, for example, on a network that I call my Roku VLAN. If I wanted to cast something from my phone or tablet to the TV, I would just connect to this network.
-
@johnpoz Makes sense, and it might be the easiest thing to do, but I am thinking: what would my guests do? I want them to be able to cast things while having an event, etc., while at the same time being on the Guest network.
The only thing I can think of is to join these casting devices to my LAN VLAN, since LAN has rule access to talk to any network. I wanted to keep these casting devices in IOT with no cross-talk, but it seems really tough.
Also, it seems like casting works to Apple and Google devices but not TCL, Roku or FireTV.
-
@iptvcld said in Casting Apple, Google FireTV (mDNS SSDP):
seems really tough..
I would say it's more of a PITA, and it defeats the purpose of isolation in the first place.
Do you often have guests that come over and want to cast something to your TV? In all my years this has never been the case, ever.
If I did have the need for this, I would just create a different SSID for these sorts of users that is on the same VLAN as the devices they would be casting to. This way you do not have to hand out the SSID you use for your devices, and they can temporarily be on your IOT network while they are casting.
Possibly PPSK (private PSK) would come in handy here, because different users/devices could have their own PSK to join the network. So you could have your devices all authenticate with the same PSK, but if the network is PPSK you could have these guests use a different PSK, and you would only need the one SSID to be broadcast.
With either method you could make this guest PSK simpler to type in, etc., or set up a QR code for them to use. And if you are concerned about the complexity of the PSK being low, just disable this access method when you don't have guests over.
-
@johnpoz Yeah, I have guests that come over for parties, and they want to be the "DJ" and use their own device to cast music videos to the TV.
I found some forums online saying they allowed all these high port numbers from their IOT and that allowed casting to work across VLANs. I tested it and it works, but it still seems just too open.
With this UDP Relay tool installed, you would think crossing VLANs with some relaxed rules would allow it. But I don't just want to open it up; at the same time, I am trying to keep it simple and secure.
-
@johnpoz What I ended up doing for now:
Enabled UDP Broadcast Relay for 5353 and 1900 for LAN, IOT and Guest.
Created an alias CastingDevices: added the IPs for all my TVs.
Created an alias CastFromNetworks: added LAN subnets and Guest subnets.
Created an allow rule under IOT from CastingDevices to CastFromNetworks.
This allows me to cast while on my main LAN subnet, and also while on the Guest subnet, to the TV IPs I have in the CastingDevices alias, while keeping them from cross-talking to my other subnets.
I left the port as ANY, as I am not sure what ports are required; otherwise I would have created an alias for that as well.
Does anyone have those ports, or a better way for this solution?
Thank you
-
@iptvcld said in Casting Apple, Google FireTV (mDNS SSDP):
and also while on the Guest Subnet t
Where did you put those rules? How would that allow your guest network? Is your guest network connecting to your LAN? Not much of a guest network if it is. Did you put that rule in the floating tab?
What you allow between networks is up to you..
Those rules for 1900 and 50k-65k make no sense on the IOT network.
What rules do you have on your guest network?
Rules are evaluated top down; the first rule wins, and no other rules are evaluated. They go on the interface where the traffic enters pfSense from the network pfSense is attached to. To allow guest to cast to IOT, the rules would have to be on the guest network, not on the IOT interface.
Your description of your alias makes no sense to me: "casting devices" makes sense for a source, but "cast from" for a destination does not make sense. "Cast to network" would make sense for a destination alias.
You can set up discovery with something like mDNS or UPnP, but for the actual traffic I would only allow the port it would be casting to, and that sure wouldn't be all the ports between 50k and 65k. That seems insane. I would think it's either port 8008 or maybe 8009 as the destination port to the Chromecast IP.
-
@johnpoz My rule description looks like this. CastFromNetwork just means that while on those 2 networks, I am able to cast. Now, if I knew more about what to put in for the destination, then I would have closed it down some more, but I am not sure what ports it needs.
My guest FW has this:
Allowing guest to the casting devices only.
-
@johnpoz said in Casting Apple, Google FireTV (mDNS SSDP):
Rules are evaluated top down; the first rule wins, and no other rules are evaluated. They go on the interface where the traffic enters pfSense from the network pfSense is attached to. To allow guest to cast to IOT, the rules would have to be on the guest network, not on the IOT interface.
These are my IOT rules. I had to put this allow at the top, as I don't allow cross-talk to other networks.
-
@iptvcld said in Casting Apple, Google FireTV (mDNS SSDP):
CastFromNetwork just means while on those 2 networks
That wouldn't be the "destination"; that would be the source.
Why would your casting player in your IOT subnet be making unsolicited connections to your casting device?
-
@johnpoz Maybe my description is off, but my casting devices are all in the IOT network, so I had to allow all the casting devices to be able to talk to the networks I want to cast from. So from TV1 to LAN subnets and Guest subnets.
-
@iptvcld That top rule on your IOT network allows any of those casting devices to talk to anything on the 2 networks you have listed in CastFrom. They can do anything they want to any IP in those networks.
With such a rule, you sure are not isolating your IOT network. Such rules pretty much make segmenting pointless, and you might as well just run 1 flat network.
Wouldn't it be much more secure to just let your guest DJ connect to your IOT network? And a lot less messy. And then you can actually isolate your IOT network ;)
You understand as well that that rule, in that order, allows anything in your IOT to talk to the pfSense web GUI on those networks as well.
The only thing you should have to allow is your guest network to discover stuff on your IOT, and then 8008-8009 for v2 cast, and maybe 10008 for mirroring.
I have not looked into the details or sniffed traffic while casting, because I would never set up such access. If something wants to cast to my casting destination, I would put that something on the network of the casting destination, not create all kinds of holes in my L2 barrier for discovery and then create some rule that wide-opens access into a network, which defeats the whole point of isolation in the first place.
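Added example, not code from this thread or from pfSense's rule engine: a small first-match evaluator that models what the two replies above say about rule placement and ordering (rules on the interface where traffic enters, top down, first match wins, default deny). It loads the ruleset the thread describes (pass CastingDevices -> CastFromNetworks, any port, at the top of the IOT tab) next to the narrower alternative suggested in the replies (pass on the Guest tab to the TVs on 8008-8009 only, nothing extra on the IOT tab because the TVs' replies ride the state entry), and shows that the first lets a TV reach the firewall's LAN web GUI and any LAN host on any port, while a simple reorder of the same rules below the blocks denies it. The subnets, alias members, the firewall's LAN address and the port list are assumed for illustration; 10008 from the reply is left out.

```python
import ipaddress

# Constructed addressing for the thread's layout: LAN vlan 100, IOT vlan 10, Guest vlan 99 (all assumed).
ALIASES = {
    "LAN_subnets": ["192.168.100.0/24"],
    "IOT_subnets": ["192.168.10.0/24"],
    "Guest_subnets": ["192.168.99.0/24"],
    "CastingDevices": ["192.168.10.50", "192.168.10.51"],          # the TVs
    "CastFromNetworks": ["192.168.100.0/24", "192.168.99.0/24"],    # the OP's destination alias
    "CastPorts": [8008, 8009],                                       # v2 cast ports named in the thread
}
PFSENSE_LAN_ADDR = "192.168.100.1"   # assumed: the firewall's own LAN address, where the web GUI listens


def _members(spec):
    return ["any"] if spec == "any" else ALIASES.get(spec, [spec])


def ip_match(spec, ip):
    return any(m == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(m, strict=False)
               for m in _members(spec))


def port_match(spec, port):
    return any(m == "any" or m == port for m in _members(spec))


class Rule:
    def __init__(self, action, src, dst, dport="any", proto="any", desc=""):
        self.action, self.src, self.dst, self.dport, self.proto, self.desc = action, src, dst, dport, proto, desc

    def matches(self, proto, src, dst, dport):
        return (self.proto in ("any", proto) and ip_match(self.src, src)
                and ip_match(self.dst, dst) and port_match(self.dport, dport))


def evaluate(rulesets, iface, proto, src, dst, dport):
    """Interface-tab semantics: only the rules on the interface where the packet ENTERS the firewall
    are consulted, top down; the first match decides; no match means the implicit default deny."""
    for rule in rulesets.get(iface, []):
        if rule.matches(proto, src, dst, dport):
            return rule.action, rule.desc
    return "block", "default deny"


# Ruleset 1: what the thread describes. TV pass rule at the top of the IOT tab, isolation blocks below it.
THREAD = {
    "IOT": [
        Rule("pass", "CastingDevices", "CastFromNetworks", desc="TVs -> LAN/Guest, any port"),
        Rule("block", "IOT_subnets", "LAN_subnets", desc="no cross-talk to LAN"),
        Rule("block", "IOT_subnets", "Guest_subnets", desc="no cross-talk to Guest"),
        Rule("pass", "IOT_subnets", "any", desc="IOT to internet"),
    ],
    "Guest": [
        Rule("pass", "Guest_subnets", "CastingDevices", desc="Guest -> TVs, any port"),
        Rule("block", "Guest_subnets", "LAN_subnets", desc="no Guest -> LAN"),
        Rule("block", "Guest_subnets", "IOT_subnets", desc="no Guest -> IOT"),
        Rule("pass", "Guest_subnets", "any", desc="Guest to internet"),
    ],
}

# Ruleset 2: the narrower shape from the replies. The cast client (Guest) initiates, so the allow sits on
# the Guest tab, limited to the TVs and the cast ports; the IOT tab keeps only its isolation blocks.
NARROW = {
    "IOT": [
        Rule("block", "IOT_subnets", "LAN_subnets", desc="no cross-talk to LAN"),
        Rule("block", "IOT_subnets", "Guest_subnets", desc="no cross-talk to Guest"),
        Rule("pass", "IOT_subnets", "any", desc="IOT to internet"),
    ],
    "Guest": [
        Rule("pass", "Guest_subnets", "CastingDevices", dport="CastPorts", proto="tcp",
             desc="Guest -> TVs, cast ports only"),
        Rule("block", "Guest_subnets", "LAN_subnets", desc="no Guest -> LAN"),
        Rule("block", "Guest_subnets", "IOT_subnets", desc="no Guest -> IOT"),
        Rule("pass", "Guest_subnets", "any", desc="Guest to internet"),
    ],
}


def reordered(rulesets):
    """THREAD's IOT tab with the TV pass rule moved below the two blocks: first match now denies."""
    iot = rulesets["IOT"]
    return {**rulesets, "IOT": iot[1:3] + [iot[0]] + iot[3:]}


if __name__ == "__main__":
    tv, guest = "192.168.10.50", "192.168.99.30"
    for name, rs in (("thread", THREAD), ("narrow", NARROW), ("thread, reordered", reordered(THREAD))):
        print(name)
        print("  TV -> pfSense web GUI 443:", evaluate(rs, "IOT", "tcp", tv, PFSENSE_LAN_ADDR, 443))
        print("  TV -> LAN host 445       :", evaluate(rs, "IOT", "tcp", tv, "192.168.100.20", 445))
        print("  Guest -> TV 8009         :", evaluate(rs, "Guest", "tcp", guest, tv, 8009))
        print("  Guest -> TV 22           :", evaluate(rs, "Guest", "tcp", guest, tv, 22))
```

Discovery (the relayed 5353/1900 multicast) is outside this model; it only covers the unicast cast session, which is the part the firewall rules decide.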
-
@johnpoz I know it's a bummer; I was really trying to make it work this way, but yeah, I can see that those casting devices (my TVs) can now cross-talk to my LAN subnet, which I really don't want them to do.
There has to be a better way without providing my guests the password for IOT. If I had the port for casting, then I could somewhat lock it down, as then those TVs would have access to the LAN subnet but only on those ports.
-
@iptvcld said in Casting Apple, Google FireTV (mDNS SSDP):
There has to be a better way without providing my guest the password for iOT.
Already went over how you can do that: create a different PSK for a different SSID that is on your IOT VLAN, or set up private PSK (PPSK), which allows different PSKs for the same SSID.
Private or Personal PSK is somewhat new and can differ in implementation between vendors, so the simpler solution would be to just create another SSID with a guest password for the PSK that is also attached to your IOT network.
Now you can just turn that network on or off depending on whether you have guest DJs over, and you could even change this PSK between parties. Much easier to lock that down, to be honest.
What exactly are you using for your wifi? Some old wifi router, or an actual AP that supports VLANs?
edit: The MacGyver way to do it, if your wifi APs don't support VLANs, would be to just use another wifi router as an AP that is connected to your IOT network and uses a different SSID and PSK than your normal IOT network. This could be done cheaply with any old wifi router you have lying about, or by just buying some $20 wifi router off Amazon. The nice thing with that is you could just turn it off when not in use ;)