Yes
Firewalla Gold has a built-in mDNS reflector, which forwards discovery messages across different segments; This will enable you to use AirPlay or Chromecast across different segments and still keeping your network secure.
If you are using a managed switch to segment your LAN/VLANs, you may need to do some additional configurations:
- Disable IGMP Snooping
- Disable MLD Snooping
Comments
9 comments
Thank you for that post, and for the Clue!
I also had to disable 'IGMP Snooping' on my Unifi controller to get my wife's PC to talk to her Kodak Verite printer. Thanks to Wireshark for telling me what was going on.
I also disabled 'Block LAN to WLAN Multicast and Broadcast Data' as well.
Doing that also fixed our Sonos devices, and also fixed air print. All of that had stopped working when I replaced our Google WiFi with Unifi access ports.
Thank you again for the Clue!
Chris Shaker
Curious, was the "Block LAN to WLAN multicast" default on or added by you?
I don't remember anymore
This setup is working for me with Unifi Switches and AP's to the FWG in router mode. I can Airplay from my Main Lan to the Sonos Speakers on my IoT Vlan. But I can not get the Sonos iOS or Win10 app to work outside of the IoT Vlan. Anyone know if this is an issue with SSDP not being able to traverse networks without some sort of firewall rule?
And to answer the Q above for me the "Block Lan to WLAN multicast" was unchecked by default on my unifi controller.
this may be useful. https://help.ui.com/hc/en-us/articles/360001004034-UniFi-Best-Practices-for-Managing-Chromecast-Google-Home-on-UniFi-Network
I must be doing something wrong. I moved an Ethernet device to a vlan on my Unifi switch and changed the settings as above. But homekit is definitely not happy and I can’t see the homekit devices from the LAN.
edit:
Do I have to open any ports between the VLANs?
Any suggestions? @bob? @christopher?
Anyone know if this setting is relevant and what it should be set to?
If I'm doing this as intended, this works by allowing traffic from the LAN to the secure "IoT" VLAN. But doesn't it leave open more than it needs to? It would be great Chromecast, AirPlay, Homekit, and AirPrint were Target apps in firewalla that could be enabled individually in rules explicitly between VLANs. This would allow explicit control over what can go over each VLAN in a very easy way. (e.g. I want to allow homekit but not AirPlay)
FYI for UniFi users, you must have:
I would like to lock things down even more, but for now this is better than anything I have been able to figure out so far.
Please sign in to leave a comment.