Firewalla Gold: When my network is segmented, will I be able to use AirPlay and Chromecast across networks?


Comments

24 comments

  • Christopher J. Shaker

    Thank you for that post, and for the Clue!

    I also had to disable 'IGMP Snooping' on my Unifi controller to get my wife's PC to talk to her Kodak Verite printer. Thanks to Wireshark for telling me what was going on.
    I also disabled 'Block LAN to WLAN Multicast and Broadcast Data' as well.

    Doing that also fixed our Sonos devices, and also fixed air print. All of that had stopped working when I replaced our Google WiFi with Unifi access ports.

    Thank you again for the Clue!
    Chris Shaker

    2
  • Firewalla

    Curious, was the "Block LAN to WLAN multicast" default on or added by you?

    0
  • Christopher J. Shaker

    I don't remember anymore

    0
  • Bob M

    This setup is working for me with Unifi switches and APs to the FWG in router mode. I can AirPlay from my Main LAN to the Sonos speakers on my IoT VLAN. But I cannot get the Sonos iOS or Win10 app to work outside of the IoT VLAN. Anyone know if this is an issue with SSDP not being able to traverse networks without some sort of firewall rule?

    And to answer the Q above, for me the "Block LAN to WLAN multicast" was unchecked by default on my Unifi controller.

    1
  • Michael Bierman

    I must be doing something wrong. I moved an Ethernet device to a VLAN on my Unifi switch and changed the settings as above. But HomeKit is definitely not happy and I can't see the HomeKit devices from the LAN.

    edit:

    More information about my specific use case: the device in question is now on a VLAN. It is a homekit bridge (security system). On the LAN are my homekit hubs.

    My config: 

    Firewalla Gold (router mode) > UI Controller (on a NAS, for Wi-Fi only), one UI switch and one older Netgear managed switch

    Do I have to open any ports between the VLANs?

    Any suggestions? @bob? @christopher?

    0
  • Michael Bierman

    Anyone know if this setting is relevant and what it should be set to?

    Multicast Enhancement (ON/OFF) Enable multicast enhancement (IGMPv3)

    Unifi controller > Settings > Wireless Networks

    0
  • Michael Bierman

    If I'm doing this as intended, this works by allowing traffic from the LAN to the secure "IoT" VLAN. But doesn't it leave open more than it needs to? It would be great if Chromecast, AirPlay, HomeKit, and AirPrint were target apps in Firewalla that could be enabled individually in rules explicitly between VLANs. This would allow explicit control over what can go over each VLAN in a very easy way (e.g. I want to allow HomeKit but not AirPlay).

    0
  • Michael Bierman

    FYI for UniFi users, you must have:

    • Block LAN to WLAN Multicast and Broadcast Data (OFF)
    • Enable multicast enhancement (IGMPv3) (ON) see step 1.f
    • IGMP Snooping is not required to be on

    Verified in UI controller 6.1.71 and 6.2.26

    So far I have settled for allowing my Apple TVs and my NAS (with the Homebridge controller running on it) to see my IoT VLAN. The IoT VLAN cannot see my LAN at all.

    I would like to lock things down even more, but for now this is better than anything I have been able to figure out so far.

    Update
    After watching the Flows in FWG I realized some iOS devices were constantly attempting to reach the HomeKit devices on the IoT VLAN directly and being blocked. They then had to retry connecting to the Apple TVs and Homebridge instance (via iCloud?). So while it worked, it was causing a lot of bogus blocks and probably some latency of HomeKit, so I simply granted my primary LAN access to the IoT VLAN. I am sure this can be locked down further. Ideas welcome.

    0
  • prophetse7en

    I can't get this to work no matter what I try in combination with Unifi switch/AP and Firewalla Gold.

    Anyone have a step by step guide on how to use Sonos/Chromecast, AirPlay/Spotify Connect when devices are on different VLANs?

    0
  • Michael Bierman

    @prophetse7en I have a UniFi switch and APs working with the Gold: AirPlay, AirPrint, and Chromecast across VLANs. See https://help.firewalla.com/hc/en-us/articles/360049613014?page=1#comment_4760767441427  Looks like maybe the UI link I included changed? Try https://community.ui.com/questions/What-happened-to-Chromecast-Google-Home-help-article/ba48a840-5dae-482a-a236-3b00a37365e3#answer/18ed7fa8-d110-4238-a7ef-509b359b81d2

    0
  • prophetse7en

    @Michael Bierman
    I did follow your steps from before.

    Multicast and Broadcast Control - Disabled

    Multicast Enhancement - Enabled

    Tried with IGMP Snooping enabled and disabled

    Multicast DNS is not available in Unifi on VLANs, only on the Default network where it is enabled.

    In my setup I have my AirPlay/casting devices on my Media/IoT VLAN, and the devices I am trying to play from are on my Home VLAN.

    So I think everything should be correct from what you posted + this article.

    Can you please check one thing in Unifi settings? On the VLANs you created under Networks, do you have the "VLAN-Only Network" setting enabled? I think this is the reason I can't enable Multicast DNS for my networks in Unifi settings.

    0
  • prophetse7en

    So I got AirPlay and casting to work, but I still can't reach my devices from the Sonos app. Would be nice to set alarms etc. from the app without logging on to my IoT network.

    Here they list ports to open to have app control, but I can't get it to work no matter how I configure the rules for those ports.

    Any suggestions on how the port rules should be between the IoT and Home VLANs for this to work?

    0
  • Michael Bierman

    @prophetse7en Did you try @Chris's tip above?

    I also disabled 'Block LAN to WLAN Multicast and Broadcast Data' as well.

    Doing that also fixed our Sonos devices, and also fixed air print. All of that had stopped working when I replaced our Google WiFi with Unifi access ports.

    0
  • prophetse7en

    I don't have that option on my Unifi controller.

    Only Multicast Enhancement and Multicast and Broadcast Control.

    Edit: I think "Block LAN to WLAN Multicast and Broadcast Data" and "Multicast and Broadcast Control" are the same, and it is already disabled for me.

    0
  • Client Support

    @prophetse7en if you are using the current UniFi controller, in the old interface (not the new interface) go to Settings > Wireless Networks > select the network(s) and find

    I don't know where it is in the new interface. Just try the old interface for the purpose of the experiment.

    0
  • prophetse7en

    They renamed it. On the new interface it is called "Multicast and Broadcast Control". It is disabled.

    I think I need to start over. This time I will create a new SSID and VLAN for Sonos only and then try all the stuff suggested. This way I won't interfere with the rest of my network.

    Should Multicast DNS be enabled on Firewalla and on Unifi, or do you disable it on one of them? Maybe it is causing problems to have it enabled in Unifi and Firewalla?

    0
  • Michael Bierman

    @prophetse7en You definitely want to have mDNS turned on on Firewalla. On Unifi, under Networks I have

    turned on on the segments I want to have access. I think I tried turning it off and I don't remember if it stopped working or not.

    I couldn't find Multicast and Broadcast Control, where did you see it?

    0
  • prophetse7en

    Let's see. On Unifi Controller:

    - Multicast DNS is not available when running a VLAN-only network. Then the Multicast DNS option is missing. I have to disable VLAN-only for this option to be available.

    - Multicast and Broadcast Control is under the different Wi-Fi names.

    I have tried everything. I just can't get my Sonos devices available in the Sonos app. I am about to give up and just put all Sonos devices in the Home VLAN. I might be missing a rule somewhere to get access between VLANs. Don't know anymore lol

    0
  • Michael Bierman

    I don’t think you want the VLAN only option in this case. Just create a VLAN with no DHCP server in Unifi  

    0
  • Michael Bierman

    @prophetse7en See https://help.firewalla.com/hc/en-us/community/posts/4913683725715-Add-SSDP-reflector-

    0
  • prophetse7en

    I tried both VLAN options, same result.

    I will upvote the SSDP feature request.

    0
  • rob.fegley

    Is there support for routed interfaces to be configured explicitly as an IGMP querier, or implicitly by having the same interfaces supported as PIM router interfaces?

    Whenever I see advice along the lines of "Disable XYZ snooping", although that may currently be the only way to get the desired behavior, it is essentially taking the Layer 2 switch back a decade (or two), as it will then be flooding packets throughout a VLAN when XYZ snooping was originally meant to constrain that type of traffic to only the "interested" endpoints. Although, for that snooping to work across more than one device, at least in the case of IGMP, at least one IGMP querier needs to exist within the VLAN.

    It would seem that IGMPv3 and Source-Specific Multicast support, for IPv4, would be more in tune with what many users need, although the GitHubs for the various multicast relay/proxy packages may still be required in some cases where a certain consumer product/application REALLY does not intend to be used across subnets. Sometimes it feels like we are having to stack bandaids on top of bandaids, in that many consumer connected products are implemented under a set of assumptions that every user has but a single subnet and all devices can reach all devices. From a convenience and market penetration perspective, it makes sense to build products this way. From a security perspective, especially given that many protocols may be getting used outside of their original design intents, it almost makes sense to treat every device as belonging to a discrete VLAN and then create the necessary bridging, routing, and filtering rules to allow only the intended flows between known devices, perhaps not to the extent of something like Cisco Software-Defined Access or TrustSec, but maybe a light version of that.

    Can segmentation be taken to that extent with Firewalla Gold, where the Gold can permit/deny traffic which is:
    (a) L2 multicast or broadcast with no sense of L3 but can work if reflected across an L3 boundary? (Reflected likely assumes L3 TTL is not decremented.)
    (b) L2 multicast or broadcast in nature, or link-local IPv4/v6 multicast, but has to be proxied to work across an L3 boundary? (Proxied assumes that Gold has to appear to be supporting half of each flow on the source/receiver VLANs.)
    (c) L3 in nature (IGMPv2/v3, or MLD) and may be naturally routed across a L3 boundary, because the Gold device is keeping IGMP and PIM, and/or MLD, states across all supported L3 interfaces?

    I am looking carefully at supplementing (perhaps eventually replacing) Meraki MX with Firewalla, while retaining MS/MR for LAN and WiFi.

    Thanks and regards,
    Rob

    1

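Bob M asked earlier whether SSDP can traverse VLANs without a rule, and Rob's (a)/(b)/(c) breakdown above is really a question of multicast scope and TTL. The following is an added worked example, not code from this thread, from Firewalla, or from Ubiquiti: it decodes the question section of an mDNS packet (so you can read what a device is looking for in a tcpdump of udp port 5353) and classifies a discovery packet's destination by scope, which is what decides whether a reflector/proxy is needed or whether multicast routing (an IGMP querier plus PIM/igmpproxy) could carry it. The sample packet and addresses are constructed here; the group addresses 224.0.0.251, ff02::fb and 239.255.255.250 are the standard mDNS and SSDP groups.

```python
import ipaddress
import struct

# Standard discovery groups used by the protocols in this thread.
MDNS_GROUP_V4 = "224.0.0.251"        # mDNS/Bonjour: AirPlay, AirPrint, HomeKit, Chromecast
MDNS_GROUP_V6 = "ff02::fb"
SSDP_GROUP_V4 = "239.255.255.250"    # SSDP/UPnP: Sonos discovery


def encode_name(name):
    """Encode a dotted DNS name into wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_mdns_query(names, qtype=12):
    """Build a minimal mDNS query (PTR by default) for the given service names.
    Constructed test input only; not a packet captured from any product."""
    header = struct.pack("!HHHHHH", 0, 0, len(names), 0, 0, 0)   # id=0, flags=0, qdcount
    questions = b"".join(encode_name(n) + struct.pack("!HH", qtype, 1) for n in names)
    return header + questions


def decode_name(buf, offset):
    """Decode a wire-format name at offset, following DNS compression pointers.
    Returns (name, offset just past the name in the original stream)."""
    labels = []
    end = None
    while True:
        length = buf[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:                                   # compression pointer
            pointer = struct.unpack("!H", buf[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        labels.append(buf[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_mdns_questions(buf):
    """Parse the header and question section of an mDNS packet."""
    _, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", buf[:12])
    offset = 12
    questions = []
    for _ in range(qdcount):
        name, offset = decode_name(buf, offset)
        qtype, qclass = struct.unpack("!HH", buf[offset:offset + 4])
        offset += 4
        questions.append({
            "name": name,
            "qtype": qtype,
            "qclass": qclass & 0x7FFF,
            "unicast_response": bool(qclass & 0x8000),   # mDNS "QU" bit
        })
    return {"is_response": bool(flags & 0x8000), "questions": questions}


def multicast_scope(dst):
    """Classify a destination address by multicast scope."""
    addr = ipaddress.ip_address(dst)
    if not addr.is_multicast:
        return "unicast"
    if addr.version == 4:
        if addr in ipaddress.ip_network("224.0.0.0/24"):
            return "link-local"
        if addr in ipaddress.ip_network("239.0.0.0/8"):
            return "admin-scoped"
        return "global"
    scope = addr.packed[1] & 0x0F                                    # ff0X::, X is the scope
    return {2: "link-local", 5: "site-local", 8: "org-local", 0xE: "global"}.get(scope, "other")


def cross_vlan_verdict(dst, ttl):
    """How a discovery packet could reach another VLAN, in Rob's (a)/(b)/(c) terms."""
    scope = multicast_scope(dst)
    if scope == "unicast":
        return "unicast"                   # ordinary routing plus a firewall rule
    if scope == "link-local":
        return "reflect-or-proxy"          # (a)/(b): never routed, whatever the TTL
    if ttl <= 1:
        return "reflect-or-proxy"          # routable group, but the sender's TTL dies at the first hop
    return "route"                         # (c): IGMP querier + multicast routing can carry it


if __name__ == "__main__":
    pkt = build_mdns_query(["_airplay._tcp.local.", "_googlecast._tcp.local."])
    for q in parse_mdns_questions(pkt)["questions"]:
        print(q["name"], "->", cross_vlan_verdict(MDNS_GROUP_V4, 255))
    print("SSDP ttl=1 ->", cross_vlan_verdict(SSDP_GROUP_V4, 1))
    print("SSDP ttl=4 ->", cross_vlan_verdict(SSDP_GROUP_V4, 4))
```

The point the classification makes is that mDNS is link-local scoped by definition, so no amount of opening ports between the VLANs lets an AirPlay or Chromecast query cross a routed boundary; something on the router has to reflect or proxy it, which is why the thread ends at an SSDP/mDNS reflector feature request. SSDP's group is administratively scoped and could in principle be routed, but only if the sender's TTL is above 1 and the router keeps IGMP state on both VLANs.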