Yes
Firewalla Gold has a built-in mDNS reflector, which forwards discovery messages across different segments; This will enable you to use AirPlay or Chromecast across different segments and still keeping your network secure.
If you are using a managed switch to segment your LAN/VLANs, you may need to do some additional configurations:
- Disable IGMP Snooping
- Disable MLD Snooping
Comments
22 comments
Thank you for that post, and for the Clue!
I also had to disable 'IGMP Snooping' on my Unifi controller to get my wife's PC to talk to her Kodak Verite printer. Thanks to Wireshark for telling me what was going on.
I also disabled 'Block LAN to WLAN Multicast and Broadcast Data' as well.
Doing that also fixed our Sonos devices, and also fixed air print. All of that had stopped working when I replaced our Google WiFi with Unifi access ports.
Thank you again for the Clue!
Chris Shaker
Curious, was the "Block LAN to WLAN multicast" default on or added by you?
I don't remember anymore
This setup is working for me with Unifi Switches and AP's to the FWG in router mode. I can Airplay from my Main Lan to the Sonos Speakers on my IoT Vlan. But I can not get the Sonos iOS or Win10 app to work outside of the IoT Vlan. Anyone know if this is an issue with SSDP not being able to traverse networks without some sort of firewall rule?
And to answer the Q above for me the "Block Lan to WLAN multicast" was unchecked by default on my unifi controller.
this may be useful. https://help.ui.com/hc/en-us/articles/360001004034-UniFi-Best-Practices-for-Managing-Chromecast-Google-Home-on-UniFi-Network
I must be doing something wrong. I moved an Ethernet device to a vlan on my Unifi switch and changed the settings as above. But homekit is definitely not happy and I can’t see the homekit devices from the LAN.
edit:
Do I have to open any ports between the VLANs?
Any suggestions? @bob? @christopher?
Anyone know if this setting is relevant and what it should be set to?
If I'm doing this as intended, this works by allowing traffic from the LAN to the secure "IoT" VLAN. But doesn't it leave open more than it needs to? It would be great Chromecast, AirPlay, Homekit, and AirPrint were Target apps in firewalla that could be enabled individually in rules explicitly between VLANs. This would allow explicit control over what can go over each VLAN in a very easy way. (e.g. I want to allow homekit but not AirPlay)
FYI for UniFi users, you must have:
I would like to lock things down even more, but for now this is better than anything I have been able to figure out so far.
I cant get this to work no matter what I try in combination with Unifi Switch/AP and Firewall Gold.
Anyone have a step by step guide on how to use sonos/chromecast, airplay/spotify connect when devices are on different vlans?
@prophetse7en I have UniFi switch and APs working with Gold AirPlay, AirPrint, and Chromecast across VLANs. See https://help.firewalla.com/hc/en-us/articles/360049613014?page=1#comment_4760767441427 Looks like maybe the UI link I included changed? Try https://community.ui.com/questions/What-happened-to-Chromecast-Google-Home-help-article/ba48a840-5dae-482a-a236-3b00a37365e3#answer/18ed7fa8-d110-4238-a7ef-509b359b81d2
@Michael Bierman
I did follow your steps from before.
Multicast and Broadcast Control - Disabled
Multicast Enhancement - Enabled
Tried with IGMP Snooping enabled and disabled
Multicast DNS is not available in Unifi on Vlans, only on Default network where it is enabled.
In my setup I have my airplay/casting devices on my Media/IOT Vlan, and the devices I am trying to play from are on my Home vlan.
So I think everything should be correct from what you posted + this article
Can you please check one thing in Unifi settings? On the Vlans you created under networks, have you the "VLAN-Only Network" settings enabled? I think this is the reason I cant enable Multicast DNS for my networks in Unifi settings.
So I got airplay and casting to work, but I still cant reach my devices from the sonos app. Would be nice to set alarms etc from the app without logging on to my IoT network.
Here they list ports to open to have app control, but I cant get it to work no matter how I configure the rules for those ports.
Any suggestions on how the port rules should be between vlan IoT and Home for this to work?
@prophetse7en Did you try @Chris's tip above?
I dont have that option on my unifi controller
Only Multicast Enhancement and Multicast and Broadcast Control.
Edit: I think "Block LAN to WLAN Multicast and Broadcast Data" and "Multicast and Broadcast Control" is the same, and it is already disabled for me.
@prphetse7en if you are using the current UniFi controller, the old (not the new interface) go to Settings > Wireless Networks > Select the network(s) and find
I don't know where it is in the new Interface. Just try the old interface for the purpose of the experiment.
They renamed it. On the new interface it is called "Multicast and Broadcast Control". It is disabled.
I think I need to start over. This time I will create a new ssid and vlan for sonos only and then try all the stuff suggested. This way I wont interfere with the rest of my network.
Should Multicast DNS be enabled on firewalla and on unifi, or do you disable it on one of them? Maybe it is causing problems to have it enabled in unifi and firewalla?
@prophetse73n You definitely want to have mdns turned on on Firewalla. On Unifi, under Networks I have
turned on on the segments I want to have access. i think I tried turning it off and I don't remember if it stopped working or not.
I couldn't find Multicast and Broadcast Control where did you see it?
Lets see. On Unifi Controller:
- Multicast DNS is not available when running VLANS only network. Then multicast DNS option is missing. I have to disable VLAN only for this option to be available.
- Multicast and Broadcast control is under the different wifi names.
I have tried everything. I just cant get my Sonos devices available in the Sonos app. I am about to give up and just put all Sonos devices in the Home Vlan. I might be missing a rule somewhere to get access between vlans. Dont know anymore lol
I don’t think you want the VLAN only option in this case. Just create a VLAN with no DHCP server in Unifi
https://community.ui.com/?code=63XPyp4PO25aJ3wSThVEt1Zvu2VRln&state=e8c44cd5-9aec-4c52-a6ae-2c6030611f87
@prophetse7en See https://help.firewalla.com/hc/en-us/community/posts/4913683725715-Add-SSDP-reflector-
I tried both vlan options, same result.
I will upvote the SSDP feature request
Please sign in to leave a comment.