Products Firewalla Blue Firewalla Gold Firewalla Blue Plus Firewalla Red

Articles in this section

See more

Firewalla Gold: when network is segmented, will I be able to use AirPlay, and Chromcast cross networks?

Avatar
Firewalla
  • Updated
Follow

Yes

Firewalla Gold has a built-in mDNS reflector, which forwards discovery messages across different segments;  This will enable you to use AirPlay or Chromecast across different segments and still keeping your network secure.

If you are using a managed switch to segment your LAN/VLANs, you may need to do some additional configurations:

  • Disable IGMP Snooping
  • Disable MLD Snooping

mceclip0.png

 

 

mceclip0.png 

Related articles

Comments

9 comments

Sort by Date Votes
  • Avatar
    Christopher J. Shaker
    • Edited

    Thank you for that post, and for the Clue!

    I also had to disable 'IGMP Snooping' on my Unifi controller to get my wife's PC to talk to her Kodak Verite printer. Thanks to Wireshark for telling me what was going on.
    I also disabled 'Block LAN to WLAN Multicast and Broadcast Data' as well.

    Doing that also fixed our Sonos devices, and also fixed air print. All of that had stopped working when I replaced our Google WiFi with Unifi access ports.

    Thank you again for the Clue!
    Chris Shaker

    1
    Comment actions Permalink
  • Avatar
    Firewalla

    Curious, was the "Block LAN to WLAN multicast" default on or added by you?

    0
    Comment actions Permalink
  • Avatar
    Christopher J. Shaker

    I don't remember anymore

    0
    Comment actions Permalink
  • Avatar
    Bob M

    This setup is working for me with Unifi Switches and AP's to the FWG in router mode. I can Airplay from my Main Lan to the Sonos Speakers on my IoT Vlan. But I can not get the Sonos iOS or Win10 app to work outside of the IoT Vlan. Anyone know if this is an issue with SSDP not being able to traverse networks without some sort of firewall rule?

    And to answer the Q above for me the "Block Lan to WLAN multicast" was unchecked by default on my unifi controller.

    1
    Comment actions Permalink
  • Avatar
    Michael Bierman

    this may be useful. https://help.ui.com/hc/en-us/articles/360001004034-UniFi-Best-Practices-for-Managing-Chromecast-Google-Home-on-UniFi-Network

    0
    Comment actions Permalink
  • Avatar
    Michael Bierman
    • Edited

    I must be doing something wrong. I moved an Ethernet device to a vlan on my Unifi switch and changed the settings as above. But homekit is definitely not happy and I can’t see the homekit devices from the LAN.

    edit:

    More information about my specific use case: the device in question is now on a VLAN. It is a homekit bridge (security system). On the LAN are my homekit hubs.

    My config: 

    Firewalla Gold (router mode)  > UI Controller (on a NAS, for wifi only) one UI switch and one older Netgear managed switch)

    Do I have to open any ports between the VLANs?

    Any suggestions? @bob? @christopher?

    0
    Comment actions Permalink
  • Avatar
    Michael Bierman
    • Edited

    Anyone know if this setting is relevant and what it should be set to? 

    Multicast Enhancement  (ON/OFF) Enable multicast enhancement (IGMPv3)
     
    Unifi controller > Settings > Wireless Networks 
    0
    Comment actions Permalink
  • Avatar
    Michael Bierman

    If I'm doing this as intended, this works by allowing traffic from the LAN to the secure "IoT" VLAN. But doesn't it leave open more than it needs to? It would be great Chromecast, AirPlay, Homekit, and AirPrint were Target apps in firewalla that could be enabled individually in rules explicitly between VLANs. This would allow explicit control over what can go over each VLAN in a very easy way. (e.g. I want to allow homekit but not AirPlay) 

    0
    Comment actions Permalink
  • Avatar
    Michael Bierman
    • Edited

    FYI for UniFi users, you must have:

    • Block LAN to WLAN Multicast and Broadcast Data (OFF)
    • Enable multicast enhancement (IGMPv3) (ON) see step 1.f
    • IGMP Snooping is not required to be on
    Verified in ui controller 6.1.71 and 6.2.26
     
     
    So far I have settled for allowing my Apple TVs and my NAS (with the homebridge Controller running on it) to see my IoT VLAN. The IoT VLAN cannot see my LAN at all.

    I would like to lock things down even more, but for now this is better than anything I have been able to figure out so far. 

    Update
    After watching the Flows in FWG I realized some iOS devices were constantly attempting to reach the homekit devices on the IoT VLAN directly and being blocked. They then had to retry connecting to the AppleTVs and Homebridge instance (via iCloud?). So while it worked, it was causing a lot of bogus blocks and probably some latency of homekit so I simply granted my primary LAN access to the IoT VLAN. I am sure this can be locked down further. Ideas welcome.
    0
    Comment actions Permalink

Please sign in to leave a comment.