Regular Member
Posts: 621
Registered: ‎11-06-2013
Kudos: 211
Solutions: 24
Accepted Solution

AppleTV discovery across multiple networks

So I decided to tinker with my stuff at home after reading that the Airport Express I have puts the guest network on a VLAN of 1003.

I broke the bridge I was using, assigned eth0 as the private WiFi, eth0.1003 is the Guest WiFi, eth1 is the LAN and eth2 is the WAN.

I blocked traffic from the Guest WiFi to everything except the internet and my printer.

Private WiFi: eth0 - 10.253.254.0/24

Public WiFi: eth0.1003 - 10.253.200.0/24

Private LAN: eth1 - 10.253.1.0/24

WAN: eth2 (DHCP)

Everything works fine, except I can no longer control the AppleTV with the Remote App on my iPhone/iPad, nor can I AirPlay stuff from my wireless devices (on the private network) to the AppleTV. I have full access to everything on the LAN from the wireless devices on the Private WiFi, so I assume the problem is some kind of broadcast traffic rule that I need to set up.

firewall {
    all-ping enable
    broadcast-ping disable
    group {
        network-group Private_LAN {
            description "Private LAN Networks"
            network 10.253.1.0/24
            network 10.253.254.0/24
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name Guest_WiFi_IN {
        default-action accept
        description "Guest WiFi to Internet"
        rule 1 {
            action accept
            description "Allow Access to Printer"
            destination {
                address 10.253.254.7/32
            }
            log disable
            protocol tcp_udp
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 2 {
            action drop
            description "Deny Access to LAN Networks"
            destination {
                group {
                    network-group Private_LAN
                }
            }
            log disable
        }
    }
    name Guest_WiFi_LOCAL {
        default-action accept
        description "Guest WiFi to Router"
        rule 1 {
            action drop
            description "Deny Access to LAN Networks"
            destination {
                group {
                    network-group Private_LAN
                }
            }
            log disable
            protocol all
        }
    }
    name LAN_IN {
        default-action accept
        description "Wired LAN to Internet"
    }
    name LAN_LOCAL {
        default-action accept
        description "Wired LAN to Router"
    }
    name WAN_IN {
        default-action drop
        description "Internet to Internal Networks"
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "Internet to Router"
        rule 1 {
            action accept
            state {
                established enable
                related enable
            }
        }
        rule 2 {
            action drop
            log enable
            state {
                invalid enable
            }
        }
        rule 5 {
            action accept
            description "ICMP 50/m"
            limit {
                burst 1
                rate 50/minute
            }
            log enable
            protocol icmp
        }
        rule 6 {
            action accept
            description "Accept OpenVPN Connections"
            destination {
                group {
                    address-group ADDRv4_eth2
                }
                port 1194
            }
            log disable
            protocol udp
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
    }
    name WLAN_IN {
        default-action accept
        description "Wired LAN to Internet"
    }
    name WLAN_LOCAL {
        default-action accept
        description "Wired LAN to Router"
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 10.253.254.1/24
        description "Wireless LAN"
        duplex auto
        firewall {
            in {
                name WLAN_IN
            }
            local {
                name WLAN_LOCAL
            }
        }
        speed auto
        vif 1003 {
            address 10.253.200.1/24
            description "Apple WiFi Guest VLAN"
            firewall {
                in {
                    name Guest_WiFi_IN
                }
                local {
                    name Guest_WiFi_LOCAL
                }
            }
            mtu 1500
        }
    }
    ethernet eth1 {
        address 10.253.1.1/24
        description "Wired LAN"
        duplex auto
        firewall {
            in {
                name LAN_IN
            }
            local {
                name LAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth2 {
        address dhcp
        description "Charter WAN"
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    loopback lo {
    }
    openvpn vtun0 {
        encryption aes128
        mode server
        openvpn-option --tls-server
        openvpn-option "--proto udp"
        openvpn-option "--port 1194"
        openvpn-option "--push dhcp-option DNS 10.253.1.1"
        openvpn-option "--push route 10.253.1.1 255.255.255.0"
        openvpn-option "--tun-mtu 1400"
        openvpn-option --persist-key
        openvpn-option --persist-tun
        openvpn-option --persist-local-ip
        openvpn-option --persist-remote-ip
        openvpn-option "--keepalive 8 30"
        openvpn-option --comp-lzo
        openvpn-option --duplicate-cn
        openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-pam.so login"
        openvpn-option "--client-cert-not-required --username-as-common-name"
        openvpn-option "--verb 1"
        openvpn-option --client-to-client
        openvpn-option "--user nobody --group nogroup"
        server {
            subnet 10.253.2.0/24
            topology subnet
        }
        tls {
            ca-cert-file /config/auth/openvpn/keys/ca.crt
            cert-file /config/auth/openvpn/keys/
            dh-file /config/auth/openvpn/keys/dh2048.pem
            key-file /config/auth/openvpn/keys/
        }
    }
    openvpn vtun1 {
        local-address 10.250.254.2 {
        }
        local-port 1199
        mode site-to-site
        openvpn-option --comp-lzo
        remote-address 10.250.254.1
        remote-host 
        remote-port 1199
        shared-secret-key-file 
    }
    openvpn vtun5 {
        description ""
        local-address 10.202.9.253 {
        }
        local-port 1195
        mode site-to-site
        openvpn-option --comp-lzo
        remote-address 10.202.9.254
        remote-host 
        remote-port 1195
        shared-secret-key-file 
    }
    openvpn vtun6 {
        description ""
        local-address 10.202.9.251 {
        }
        local-port 1196
        mode site-to-site
        openvpn-option --comp-lzo
        remote-address 10.202.9.252
        remote-host 
        remote-port 1196
        shared-secret-key-file 
    }
    openvpn vtun7 {
        description ""
        local-address 10.202.9.250 {
        }
        local-port 1198
        mode site-to-site
        openvpn-option --comp-lzo
        remote-address 10.202.9.249
        remote-host 
        remote-port 1198
        shared-secret-key-file 
    }
    openvpn vtun9 {
        description ""
        local-address 10.202.9.104 {
        }
        local-port 1197
        mode site-to-site
        openvpn-option --comp-lzo
        remote-address 10.202.9.4
        remote-host 
        remote-port 1197
        shared-secret-key-file 
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    rule 1 {
        description Torrent
        forward-to {
            address 10.253.1.20
        }
        original-port 24706
        protocol tcp
    }
    rule 2 {
        description Webserver
        forward-to {
            address 10.253.1.4
        }
        original-port 80
        protocol tcp
    }
    wan-interface eth2
}
protocols {
    static {
        interface-route 10.202.0.0/23 {
            next-hop-interface vtun9 {
            }
        }
        interface-route 10.202.10.0/24 {
            next-hop-interface vtun5 {
            }
        }
        interface-route 10.202.20.0/24 {
            next-hop-interface vtun6 {
            }
        }
        interface-route 10.202.30.0/24 {
            next-hop-interface vtun7 {
            }
        }
        interface-route 10.253.1.0/24 {
            next-hop-interface vtun6 {
            }
        }
        interface-route 10.254.0.0/24 {
            next-hop-interface vtun1 {
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name Guest-WiFi {
            authoritative disable
            subnet 10.253.200.0/24 {
                default-router 10.253.200.1
                dns-server 10.253.200.1
                dns-server 8.8.8.8
                lease 86400
                start 10.253.200.10 {
                    stop 10.253.200.254
                }
            }
        }
        shared-network-name LAN-eth1 {
            authoritative disable
            description "LAN Network - eth1"
            subnet 10.253.1.0/24 {
                default-router 10.253.1.1
                dns-server 10.253.1.1
                dns-server 8.8.8.8
                lease 86400
                ntp-server 10.253.1.1
                start 10.253.1.31 {
                    stop 10.253.1.254
                }
                static-mapping LS-BACKUP {
                    ip-address 10.253.1.6
                    mac-address 4c:e6:76:00:d8:bb
                }
                static-mapping LivingRoom-AppleTV {
                    ip-address 10.253.1.11
                    mac-address 9c:20:7b:e9:33:bb
                }
                static-mapping MacBookPro {
                    ip-address 10.253.1.21
                    mac-address 68:a8:6d:50:8b:5c
                }
                static-mapping NX510 {
                    ip-address 10.253.1.8
                    mac-address 00:00:48:85:71:a2
                }
                static-mapping OBi110 {
                    ip-address 10.253.1.5
                    mac-address 9c:ad:ef:00:22:aa
                }
                static-mapping T38G {
                    ip-address 10.253.1.9
                    mac-address 00:15:65:49:5a:34
                }
                static-mapping jar64 {
                    ip-address 10.253.1.20
                    mac-address 00:25:64:8c:7a:63
                }
                static-mapping vm-mbp-win8 {
                    ip-address 10.253.1.22
                    mac-address 00:1c:42:ec:c9:6c
                }
                static-mapping web {
                    ip-address 10.253.1.4
                    mac-address 00:19:d1:65:28:96
                }
                time-server 10.253.1.1
            }
        }
        shared-network-name WLAN-eth0 {
            authoritative disable
            description "WLAN Network - eth0"
            subnet 10.253.254.0/24 {
                default-router 10.253.254.1
                dns-server 10.253.254.1
                lease 86400
                start 10.253.254.11 {
                    stop 10.253.254.254
                }
                static-mapping CLP-315W {
                    ip-address 10.253.254.7
                    mac-address 00:15:99:3a:47:b3
                }
                static-mapping airport-express {
                    ip-address 10.253.254.3
                    mac-address 20:c9:d0:99:5c:91
                }
            }
        }
    }
    dns {
        dynamic {
            interface eth2 {
                service dyndns {
                    host-name 
                    login sorvani
                    password 
                }
            }
        }
        forwarding {
            cache-size 150
            listen-on eth0
            listen-on eth1
            listen-on eth0.1003
            system
        }
    }
    gui {
        https-port 443
        listen-address 10.253.1.1
    }
    nat {
        rule 5011 {
            outbound-interface eth2
            type masquerade
        }
    }
    snmp {
        community public {
            authorization ro
        }
    }
    ssh {
        listen-address 10.253.1.1
        port 22
        protocol-version v2
    }
}
system {
    conntrack {
        expect-table-size 4096
        hash-size 4096
        table-size 32768
        tcp {
            half-open-connections 512
            loose enable
            max-retrans 3
        }
    }
    host-name sorvani
    ipv6 {
        disable
    }
    name-server 208.67.222.222
    name-server 208.67.220.220
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    offload {
        ipsec enable
        ipv4 {
            forwarding enable
        }
        ipv6 {
            forwarding disable
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/Chicago
}
traffic-policy {
    rate-control MaxUpload {
        bandwidth 3800kbit
        burst 15k
        latency 50ms
    }
}


/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@3:nat@3:qos@1:quagga@2:system@4:ubnt-pptp@1:ubnt-util@1:vrrp@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v1.4.1.4648309.140310.1607 */

All Replies
Regular Member
Posts: 621
Registered: ‎11-06-2013
Kudos: 211
Solutions: 24

Re: AppleTV discovery across multiple networks

I found this: http://support.apple.com/kb/ts1741

That says: If you have a firewall enabled on your router or computer, make sure that the firewall is not blocking communication between Remote and your iTunes or Apple TV. Remote uses TCP port 3689 and UDP port 5353 to communicate with your iTunes or Apple TV.

I know I have open communications, but I think there is something else missing here for initial discovery.

Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3044
Solutions: 945
Contributions: 16

Re: AppleTV discovery across multiple networks

You might try:

configure
set service mdns reflector
commit
save
exit

EdgeMAX Router Software Development
Member
Posts: 269
Registered: ‎03-19-2014
Kudos: 21
Solutions: 1

Re: AppleTV discovery across multiple networks

Well, it relies on a lot of multicast stuff, starting from Avahi and going all the way to the AirPort Express-related RAOP, a Tivo-ized fork of RTP.

And lots of other stuff, which actually makes the whole thing kinda messy, in the "best traditions of Apple".

Regular Member
Posts: 621
Registered: ‎11-06-2013
Kudos: 211
Solutions: 24

Re: AppleTV discovery across multiple networks


UBNT-stig wrote:

You might try:

configure
set service mdns reflector
commit
save
exit


This worked for the remote control. Haven't done any airplay yet. Of note, I was able to see (not expected) the AppleTV from the Guest WiFi, but was unable to connect to it (as I would expect).

Member
Posts: 264
Registered: ‎04-01-2014
Kudos: 40
Solutions: 3

Re: AppleTV discovery across multiple networks

You should seriously embed this in the GUI somewhere under UPnP or something, this saved my day!


TechConnect.nl | GameConnect.net | FuzionRadio.FM | Plex.tv
Regular Member
Posts: 399
Registered: ‎01-21-2014
Kudos: 126
Solutions: 32

Re: AppleTV discovery across multiple networks

It would be great if you could choose per interface. This way you can have the benefits of the service on local interfaces but don't have to worry about your guest interfaces.

Regular Member
Posts: 621
Registered: ‎11-06-2013
Kudos: 211
Solutions: 24

Re: AppleTV discovery across multiple networks

@UBNT-stig What mDNS is being used? I did a little reading up and it seems that http://avahi.org/ supports restricting the interfaces.

Previous Employee
Posts: 10,504
Registered: ‎06-09-2011
Kudos: 3044
Solutions: 945
Contributions: 16

Re: AppleTV discovery across multiple networks


sorvani wrote:

@UBNT-stig What mDNS is being used? I did a little reading up and it seems that http://avahi.org/ supports restricting the interfaces.


Here's how to find out:

ubnt@ubnt:~$ cat /opt/vyatta/share/vyatta-cfg/templates/service/mdns/reflector/node.def
priority: 900
help: mDNS reflector service
end:
    sudo sed -i 's/^.*enable-reflector=.*$/enable-reflector=yes/' \
        /etc/avahi/avahi-daemon.conf
    if [ "$COMMIT_ACTION" == DELETE ]; then
        sudo /etc/init.d/avahi-daemon stop
        sudo /etc/init.d/dbus stop
    else
        sudo /etc/init.d/dbus start
        sudo /etc/init.d/avahi-daemon start
    fi

EdgeMAX Router Software Development
Regular Member
Posts: 621
Registered: ‎11-06-2013
Kudos: 211
Solutions: 24

Re: AppleTV discovery across multiple networks

Since it does, then consider this a feature request to let us restrict the mDNS to specific interfaces.
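The node.def posted above shows that `set service mdns reflector` only flips `enable-reflector=yes` in /etc/avahi/avahi-daemon.conf and starts avahi-daemon. Avahi itself also honours `allow-interfaces=` (and `deny-interfaces=`) in its [server] section, so until the per-interface setting requested here exists in the EdgeOS config, the reflector can be kept off the guest VLAN by editing that file directly. The following Python is an added example, not EdgeOS, Avahi or the thread's own code: it rewrites a constructed copy of the config so that only the trusted interfaces are listed, and reads the result back to confirm. Assumptions: the sample file contents, the interface names eth0 and eth1 as the trusted set, and that a hand edit of this file survives `commit` (the sed in node.def touches only the enable-reflector line) but not a firmware upgrade.

```python
"""Restrict the Avahi mDNS reflector to trusted interfaces by editing avahi-daemon.conf."""
import re
from typing import Dict, Iterable, List

# Constructed sample of /etc/avahi/avahi-daemon.conf; the real file has more keys,
# but these are the sections and keys documented in avahi-daemon.conf(5).
SAMPLE_CONF = """[server]
#host-name=foo
use-ipv4=yes
use-ipv6=yes
#allow-interfaces=eth0
#deny-interfaces=eth1

[reflector]
#enable-reflector=no
#reflect-ipv=no
"""


def set_key(conf: str, section: str, key: str, value: str) -> str:
    """Set key=value inside [section], replacing a live or commented-out line,
    or appending to the section (creating it if missing). Returns the new text."""
    pattern = re.compile(rf"^#?\s*{re.escape(key)}\s*=")
    out: List[str] = []
    in_section = False
    done = False
    for line in conf.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            if in_section and not done:         # leaving the target section with no hit
                out.append(f"{key}={value}")
                done = True
            in_section = stripped == f"[{section}]"
        elif in_section and not done and pattern.match(stripped):
            out.append(f"{key}={value}")        # replace the existing/commented line
            done = True
            continue
        out.append(line)
    if not done:
        if not in_section:                       # section absent: create it at the end
            out.append(f"[{section}]")
        out.append(f"{key}={value}")
    return "\n".join(out) + "\n"


def restrict_reflector(conf: str, trusted_ifaces: Iterable[str]) -> str:
    """Enable the reflector and pin Avahi to the trusted interfaces only, so the
    guest VLAN sub-interface (not listed) neither receives nor sources reflected mDNS."""
    conf = set_key(conf, "reflector", "enable-reflector", "yes")
    conf = set_key(conf, "server", "allow-interfaces", ",".join(trusted_ifaces))
    return conf


def parse_conf(conf: str) -> Dict[str, Dict[str, str]]:
    """Read back the active (uncommented) key=value pairs per section."""
    result: Dict[str, Dict[str, str]] = {}
    section = None
    for line in conf.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.startswith("[") and s.endswith("]"):
            section = s[1:-1]
            result.setdefault(section, {})
        elif "=" in s and section is not None:
            k, v = s.split("=", 1)
            result[section][k.strip()] = v.strip()
    return result


if __name__ == "__main__":
    # Assumed trusted set for this thread: private WiFi (eth0) and wired LAN (eth1),
    # deliberately leaving out the guest VLAN eth0.1003.
    new_conf = restrict_reflector(SAMPLE_CONF, ["eth0", "eth1"])
    print(new_conf)
    print(parse_conf(new_conf))
```

On the router the same change would be applied to the real file (with a backup first) followed by a restart of avahi-daemon; checking the running reflector afterwards from a guest client should then show no private service names.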
Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5372
Solutions: 1655
Contributions: 2

Re: AppleTV discovery across multiple networks


sorvani wrote:
Since it does, then consider this a feature request to let us restrict the mDNS to specific interfaces.

Yeah for the initial implementation I only added the basic functionality, and additional settings such as interface specification has been discussed before and may be added later. Thanks for the feedback!

New Member
Posts: 4
Registered: ‎01-25-2016
Kudos: 1

Re: AppleTV discovery across multiple networks

Is restricting the interfaces possible by now? I'm on 1.8beta

New Member
Posts: 35
Registered: ‎08-25-2016
Kudos: 2

Re: AppleTV discovery across multiple networks


UBNT-stig wrote:

You might try:

configure
set service mdns reflector
commit
save
exit


Does this work on Unifi routers?

Regular Member
Posts: 359
Registered: ‎07-22-2016
Kudos: 140
Solutions: 20

Re: AppleTV discovery across multiple networks


simpsn wrote:

Does this work on Unifi routers?


Try it and see. If it doesn't work, all you have to do is reboot the device, and it will revert back.

New Member
Posts: 35
Registered: ‎08-25-2016
Kudos: 2

Re: AppleTV discovery across multiple networks


ilkevinli wrote:

simpsn wrote:

Does this work on Unifi routers?


Try it and see. If it doesn't work, all you have to do is reboot the device, and it will revert back.


If I had my own workbench setup I would; I hesitate to tinker on my live deployment with this small school just in case something goes awry.

Regular Member
Posts: 359
Registered: ‎07-22-2016
Kudos: 140
Solutions: 20

Re: AppleTV discovery across multiple networks


simpsn wrote:

ilkevinli wrote:

simpsn wrote:

Does this work on Unifi routers?


Try it and see. If it doesn't work, all you have to do is reboot the device, and it will revert back.


If I had my own workbench setup I would; I hesitate to tinker on my live deployment with this small school just in case something goes awry.


Ahhh. Got you.

New Member
Posts: 35
Registered: ‎08-25-2016
Kudos: 2

Re: AppleTV discovery across multiple networks


sorvani wrote:

UBNT-stig wrote:

You might try:

configure
set service mdns reflector
commit
save
exit


This worked for the remote control. Haven't done any airplay yet. Of note, I was able to see (not expected) the AppleTV from the Guest WiFi, but was unable to connect to it (as I would expect).


Did you figure out how to hide the Apple devices?