Yes
Firewalla Gold has a built-in mDNS reflector, which forwards discovery messages across different segments; This will enable you to use AirPlay or Chromecast across different segments and still keeping your network secure.
If you are using a managed switch to segment your LAN/VLANs, you may need to do some additional configurations:
- Disable IGMP Snooping
- Disable MLD Snooping
Comments
24 comments
Thank you for that post, and for the Clue!
I also had to disable 'IGMP Snooping' on my Unifi controller to get my wife's PC to talk to her Kodak Verite printer. Thanks to Wireshark for telling me what was going on.
I also disabled 'Block LAN to WLAN Multicast and Broadcast Data' as well.
Doing that also fixed our Sonos devices, and also fixed air print. All of that had stopped working when I replaced our Google WiFi with Unifi access ports.
Thank you again for the Clue!
Chris Shaker
Curious, was the "Block LAN to WLAN multicast" default on or added by you?
I don't remember anymore
This setup is working for me with Unifi Switches and AP's to the FWG in router mode. I can Airplay from my Main Lan to the Sonos Speakers on my IoT Vlan. But I can not get the Sonos iOS or Win10 app to work outside of the IoT Vlan. Anyone know if this is an issue with SSDP not being able to traverse networks without some sort of firewall rule?
And to answer the Q above for me the "Block Lan to WLAN multicast" was unchecked by default on my unifi controller.
this may be useful. https://help.ui.com/hc/en-us/articles/360001004034-UniFi-Best-Practices-for-Managing-Chromecast-Google-Home-on-UniFi-Network
I must be doing something wrong. I moved an Ethernet device to a vlan on my Unifi switch and changed the settings as above. But homekit is definitely not happy and I can’t see the homekit devices from the LAN.
edit:
Do I have to open any ports between the VLANs?
Any suggestions? @bob? @christopher?
Anyone know if this setting is relevant and what it should be set to?
If I'm doing this as intended, this works by allowing traffic from the LAN to the secure "IoT" VLAN. But doesn't it leave open more than it needs to? It would be great Chromecast, AirPlay, Homekit, and AirPrint were Target apps in firewalla that could be enabled individually in rules explicitly between VLANs. This would allow explicit control over what can go over each VLAN in a very easy way. (e.g. I want to allow homekit but not AirPlay)
FYI for UniFi users, you must have:
I would like to lock things down even more, but for now this is better than anything I have been able to figure out so far.
I cant get this to work no matter what I try in combination with Unifi Switch/AP and Firewall Gold.
Anyone have a step by step guide on how to use sonos/chromecast, airplay/spotify connect when devices are on different vlans?
@prophetse7en I have UniFi switch and APs working with Gold AirPlay, AirPrint, and Chromecast across VLANs. See https://help.firewalla.com/hc/en-us/articles/360049613014?page=1#comment_4760767441427 Looks like maybe the UI link I included changed? Try https://community.ui.com/questions/What-happened-to-Chromecast-Google-Home-help-article/ba48a840-5dae-482a-a236-3b00a37365e3#answer/18ed7fa8-d110-4238-a7ef-509b359b81d2
@Michael Bierman
I did follow your steps from before.
Multicast and Broadcast Control - Disabled
Multicast Enhancement - Enabled
Tried with IGMP Snooping enabled and disabled
Multicast DNS is not available in Unifi on Vlans, only on Default network where it is enabled.
In my setup I have my airplay/casting devices on my Media/IOT Vlan, and the devices I am trying to play from are on my Home vlan.
So I think everything should be correct from what you posted + this article
Can you please check one thing in Unifi settings? On the Vlans you created under networks, have you the "VLAN-Only Network" settings enabled? I think this is the reason I cant enable Multicast DNS for my networks in Unifi settings.
So I got airplay and casting to work, but I still cant reach my devices from the sonos app. Would be nice to set alarms etc from the app without logging on to my IoT network.
Here they list ports to open to have app control, but I cant get it to work no matter how I configure the rules for those ports.
Any suggestions on how the port rules should be between vlan IoT and Home for this to work?
@prophetse7en Did you try @Chris's tip above?
I dont have that option on my unifi controller
Only Multicast Enhancement and Multicast and Broadcast Control.
Edit: I think "Block LAN to WLAN Multicast and Broadcast Data" and "Multicast and Broadcast Control" is the same, and it is already disabled for me.
@prphetse7en if you are using the current UniFi controller, the old (not the new interface) go to Settings > Wireless Networks > Select the network(s) and find
I don't know where it is in the new Interface. Just try the old interface for the purpose of the experiment.
They renamed it. On the new interface it is called "Multicast and Broadcast Control". It is disabled.
I think I need to start over. This time I will create a new ssid and vlan for sonos only and then try all the stuff suggested. This way I wont interfere with the rest of my network.
Should Multicast DNS be enabled on firewalla and on unifi, or do you disable it on one of them? Maybe it is causing problems to have it enabled in unifi and firewalla?
@prophetse73n You definitely want to have mdns turned on on Firewalla. On Unifi, under Networks I have
turned on on the segments I want to have access. i think I tried turning it off and I don't remember if it stopped working or not.
I couldn't find Multicast and Broadcast Control where did you see it?
Lets see. On Unifi Controller:
- Multicast DNS is not available when running VLANS only network. Then multicast DNS option is missing. I have to disable VLAN only for this option to be available.
- Multicast and Broadcast control is under the different wifi names.
I have tried everything. I just cant get my Sonos devices available in the Sonos app. I am about to give up and just put all Sonos devices in the Home Vlan. I might be missing a rule somewhere to get access between vlans. Dont know anymore lol
I don’t think you want the VLAN only option in this case. Just create a VLAN with no DHCP server in Unifi
https://community.ui.com/?code=63XPyp4PO25aJ3wSThVEt1Zvu2VRln&state=e8c44cd5-9aec-4c52-a6ae-2c6030611f87
@prophetse7en See https://help.firewalla.com/hc/en-us/community/posts/4913683725715-Add-SSDP-reflector-
I tried both vlan options, same result.
I will upvote the SSDP feature request
I just posted a workaround for SSDP relaying here: https://help.firewalla.com/hc/en-us/community/posts/8724680203923-Using-multicast-relay-to-do-SSDP-relaying-for-Roku-Sonos-Tivo-discovery
Is there support for routed interfaces to be configured explicitly as an IGMP querier, or implicitly by having the same interfaces supported as PIM router interfaces?
Whenever I see the advice as “Disable XYZ snooping”, although that may currently be the only way to result in the desired behavior, is essentially taking the Layer 2 switch back a decade (or two) as it will then be flooding packets throughout a VLAN when XYZ Snooping was originally meant to constrain that type of traffic to only the “interested” endpoints. Although, for that snooping to work across more than one device, at least in the case of IGMP, needs for at least one IGMP Querier to exist within the VLAN. It would seem that IGMPv3 and Source-Specific Multicast support, for IPv4, would be more in tune with what many users need although the GitHubs for the various multicast relay/proxy packages may still be required in some cases where a certain consumer product/application REALLY does not intend to be used across subnets. Some times it feels like we are having to stack bandaids on top of bandaids in that many consumer connected products are implemented under a set of assumptions that every user has but a single subnet and all devices can reach all devices. From a convenience and market penetration perspective, it makes sense to build products this way. From a security perspective, especially given many protocols may be getting used outside of their original design intents, it almost makes sense to treat every device as belonging to a discrete VLAN and then create the necessary bridging, routing, and filtering rules to allow only the intended flows between known devices, perhaps not to the extent of something like Cisco Software-Defined Access, or TrustSec, but maybe a light version of that.
Can segmentation be taken to that extent with Firewalla Gold, where the Gold can permit/deny traffic which is:
(a) L2 multicast or broadcast with no sense of L3 but can work if reflected across an L3 boundary? (Reflected likely assumes L3 TTL is not decremented.)
(b) L2 multicast or broadcast in nature, or link-local IPv4/v6 multicast, but has to be proxied to work across an L3 boundary? (Proxied assumes that Gold has to appear to be supporting half of each flow on the source/receiver VLANs.)
(c) L3 in nature (IGMPv2/v3, or MLD) and may be naturally routed across a L3 boundary, because the Gold device is keeping IGMP and PIM, and/or MLD, states across all supported L3 interfaces?
I am looking carefully at supplementing (perhaps eventually replacing) Meraki MX with Firewalla, while retaining MS/MR for LAN and WiFi.
Thanks and regards,
Rob
Please sign in to leave a comment.