Airplay visible but won't connect to TV (Firewalla Gold+ and WiFi AP7)
Hi,
Pretty simple question. Not trying to connect to an Airplay device across different VLANs, or do anything fancy, and this all worked on my old, simple Netgear router, until the day I switched to the Firewalla plus AP7 WiFi combo.
I have a Samsung TV that accepts Apple Airplay connections, to stream stuff like my wife's Peloton to the TV. On my old Netgear Orbi Pro system, it worked fine. On my Firewalla AP7, it is visible for discovery on my phone, but when trying to connect, it eventually seems to time out and fail. I've reset everything and reconnected everything, including the TV, the iPhone in question (Apple relay/privacy stuff all off), and even the entire Firewalla network, itself. I turned off IPv6 and forced the WiFi network to be 2.4 GHz only, just in case. I have mDNS and SSDP enabled, just in case. I even tried disabling the entire default Ad-block and enabled 'emergency access' mode for the relevant WiFi network, turning off all my rules, and... nothing. Only thing I have that's 'weird' is Unbound enabled, with DNS over VPN, fallback to quad9.
What do? I've attached relevant screenshots.
-
Check the following:
1. Do you have device isolation enabled on the devices talking to each other?
2. Check VqLAN, make sure it is not blocking.
3. Use 5 GHz instead of 2.4 and see if it works or not.
I assume both devices are on the same network? If not, put them on the same network and test again.
-
Thanks for the reply.
1: no, I see no such setting turned on for any of the devices, and haven’t even touched that setting in Firewalla in the few days I’ve had it.
2. No VqLAN is enabled.
3. Good thought - unfortunately, I tried both 2.4 and 5 GHz after my post and it wasn’t working. Yes, everything is on the same network in this case.
-
Update:
I found my wife’s iPhone on the network device list, and then explicitly allowed bidirectional device connections between it and the Samsung TV. After that, Airplay was not only visible, but also successful in making a connection. Alas, I suspect I’ll have to force her phone to always keep the same MAC address on the network, which doesn’t bode well for guests ever trying to stream to the TV without me being around to help. It’s like the default is no intra-network connections for all devices on that network, but that’s not visible in any of the rules - so is it a hidden default? Do I have to explicitly set a rule to allow bidirectional traffic from the network, to the same network, to allow intra-device connections on the same network? Or is there some sort of default port blocking going on silently, that requires explicit device to individual device rules to be set?
Thanks for your help, again. Any clarification for this new customer would be great.
-
Is your wife's device on the same network as the Samsung TV? If it is, the LAN traffic doesn't go through it; I don't think even the allow rule will do anything, since it is applied at the "network" layer, only usable if both devices are on different networks. (Can you double-check if the IP address of the phone and the TV are on the same network? If they are, let me know, I can open a case and have a look at this strange behavior.)
May I also know if other devices have the same problem?
-
Hi! Not sure if it was clear - yes, all on the same network. I can’t attach the screenshot, but they are absolutely on the same WiFi, same LAN, same VLAN, no microsegmentation, no VqLAN, no QoS stuff enabled. Like I’d said, I even suspended all my rules with emergency mode, and rebooted all devices. No issues with anything else functioning on that network, which is an IoT network; even Amazon Echo Spotify casting stuff works, including to the same TV!
All system-wide Firewalla protections moved from strict to less strict, ‘default’ mode, too.
-
To anyone reading this, who may have been in the same boat: I believe I’ve solved my own problem, at least in part; I simply misunderstood the logic of the rules I had set by default for the network.
I had a rule in place for the IoT VLAN in question that blocked all traffic to and from all networks… and I had neglected to assume that it very much included that very VLAN, itself, in the block. Therefore, every device on that VLAN was essentially isolated from every other. The fact that somehow the Amazon Echo devices I have had continued to function correctly with all the other IoT items in this initially poorly-implemented network is disturbing, but otherwise, it is no surprise everything else interacting (including AirPlay streaming on the same VLAN from one device to another) failed.
I had to put in a rule that explicitly allowed traffic to and from the same VLAN, given my previous rule disallowing all traffic to and from all networks, to essentially make an exception for said VLAN. To me, the mystery remains as to why on earth turning on ‘emergency mode’ for this VLAN did not seem to actually pause all my original poorly-implemented rules, as advertised.
Anyway, I fixed the rest of my VLAN rules for my whole network setup in a way that allows it to function in a tiered-access manner, where more-trusted VLANs had one-way access to less-trusted ones, but not the reverse. This is a networking model I found on the Firewalla forums on Reddit.
mDNS and SSDP relay enabled on all these now-corrected VLANs, with rules set up to allow outbound from trusted VLAN to target VLAN (but not the other way), now allow AirPlay to function correctly in that direction. Don’t be like me - think about the logic of all your rules in as strict a way as you can imagine… because it seems that’s the way Firewalla does it.
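A small model of the rule logic described in the last two posts, added here as an illustration; it is not Firewalla's code or the poster's configuration. The VLAN ranges are constructed, and the precedence (an allow rule carves an exception out of a broader block rule, with a default of allow when nothing matches) is an assumption chosen to reproduce the behaviour the poster observed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed VLAN addressing for the walk-through (assumption, not the poster's real plan).
VLANS = {
    "trusted": ip_network("192.168.10.0/24"),
    "iot": ip_network("192.168.20.0/24"),
    "guest": ip_network("192.168.30.0/24"),
}

@dataclass
class Rule:
    action: str                 # "allow" or "block"
    src: str                    # VLAN name or "any"
    dst: str                    # VLAN name or "any"
    direction: str = "both"     # "both" or "outbound" (src initiates to dst only)

def vlan_of(ip):
    addr = ip_address(ip)
    return next((name for name, net in VLANS.items() if addr in net), None)

def rule_matches(rule, src_vlan, dst_vlan):
    fwd = rule.src in ("any", src_vlan) and rule.dst in ("any", dst_vlan)
    if rule.direction == "both":
        rev = rule.src in ("any", dst_vlan) and rule.dst in ("any", src_vlan)
        return fwd or rev
    return fwd  # one-way rule: replies to an allowed flow are assumed stateful

def decide(rules, src_ip, dst_ip):
    """Verdict for a flow initiated by src_ip towards dst_ip."""
    s, d = vlan_of(src_ip), vlan_of(dst_ip)
    if any(r.action == "allow" and rule_matches(r, s, d) for r in rules):
        return "allow"           # assumed: explicit allow wins over block
    if any(r.action == "block" and rule_matches(r, s, d) for r in rules):
        return "block"
    return "allow"               # assumed default when no rule matches

# The original mistake: "block IoT to/from all networks" also matches IoT -> IoT,
# so two devices on the same VLAN cannot complete an AirPlay session.
ORIGINAL = [Rule("block", "iot", "any")]

# The fix from the thread: keep the broad block, add a same-VLAN exception, and
# allow only the trusted VLAN to initiate towards IoT (tiered, one-way access).
# Cross-VLAN discovery still needs mDNS/SSDP relay on top of these rules.
CORRECTED = ORIGINAL + [
    Rule("allow", "iot", "iot"),
    Rule("allow", "trusted", "iot", direction="outbound"),
]
```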