06-18-2017 12:54 PM
Hello everyone. So I'm starting to segment my network.
I have a NAS server, which contains work-related stuff (security) and also my personal photos, movies, etc.
I have 2 Apple TVs, and then we have some iPads and some iPhones which randomly upload pictures to the NAS.
The problem here is: I'm going to make a home automation setup, which I'm going to put into a VLAN called "IOT" so they won't cause issues due to security patches not being made for those.
In the same round I'm going to have all our phones and iPads join the same VLAN.
Then my NAS will be all "alone" on its own VLAN.
Here is my question. HOW do I keep my NAS on its own VLAN for safety reasons but still allow my phones to upload to it, and allow our Apple TVs to stream from it?
I guess I'm going to need static routing, but won't a static route ruin the purpose of "security"?
If it will ruin the purpose of security, isn't it possible for my phone to access the NAS server from my external IP and go in that way? I guess hairpin can help me there, if I disable it? Or am I wrong here?
Is it possible to make multicast appear so I can AirPlay from a device in VLAN 10 to another device in VLAN 20?
Any inputs @UBNT-cmb
06-26-2017 11:41 AM
06-27-2017 04:23 AM
Also, you may need the Avahi setup; if you search Google/the forums there are a few examples of how to configure it and how to make it run at boot.
That'll allow Bonjour (Apple's broadcast discovery protocol) to work between networks.
06-27-2017 05:42 AM
Yes, you need an mDNS reflector in order to allow AirPlay and AirPrint to cross subnet boundaries. There's a way to do it with static DNS entries, but it's a real pain to set up. Are you using a USG? I believe it has Avahi on it, but it has to be enabled via CLI (search the forum...pretty sure I've seen instructions for it before). If not, you can create a VLAN trunk port on your switch that carries all VLANs between which you want to allow AirPlay/AirPrint, and plug in a Raspberry Pi or some other Linux machine with Avahi installed. You'll need to configure vNICs on the Avahi machine so that it has an address in every subnet. Actually pretty simple to do.
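To make concrete what a reflector such as Avahi actually relays between the VLANs in the answers above, here is an added example (not code from this thread, Avahi or Ubiquiti) that decodes the DNS-SD PTR records in an mDNS response and applies a hypothetical allow-list of service types before forwarding. Avahi's reflector relays every packet; the filtering step is an assumed policy layer that shows the exposure involved: once mDNS is reflected, every service the NAS advertises (file sharing, SSH, and so on) becomes discoverable from the IoT VLAN unless something narrows it to the AirPlay types (`_airplay._tcp`, `_raop._tcp`). The packet builder and the service names are constructed sample data.

```python
"""Decode mDNS (RFC 6762) DNS-SD PTR records and decide whether a hypothetical
filtering reflector should forward the packet to another VLAN.

Added illustration, not Avahi's or the forum's code. The allow-list policy is
an assumption: Avahi itself reflects everything it hears on 224.0.0.251:5353.
"""
import struct

MDNS_GROUP = "224.0.0.251"   # IPv4 mDNS multicast group
MDNS_PORT = 5353
PTR = 12                     # DNS PTR record type


def _read_name(packet: bytes, offset: int):
    """Decode a DNS name at `offset`, following RFC 1035 compression pointers.
    Returns (dotted_name, offset_after_the_name_in_the_original_stream)."""
    labels, jumped, end = [], False, offset
    while True:
        length = packet[offset]
        if length == 0:
            offset += 1
            break
        if length & 0xC0 == 0xC0:            # 2-byte pointer to an earlier name
            pointer = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2             # the stream resumes after the pointer
            jumped, offset = True, pointer
            continue
        offset += 1
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length
    if not jumped:
        end = offset
    return ".".join(labels), end


def parse_mdns_ptr_records(packet: bytes):
    """Return [(service_type, instance_name), ...] for every PTR record in the
    answer, authority and additional sections of an mDNS message."""
    qdcount, ancount, nscount, arcount = struct.unpack("!HHHH", packet[4:12])
    offset = 12
    for _ in range(qdcount):                 # skip questions: name + QTYPE + QCLASS
        _, offset = _read_name(packet, offset)
        offset += 4
    records = []
    for _ in range(ancount + nscount + arcount):
        name, offset = _read_name(packet, offset)
        rtype, _rclass, _ttl, rdlength = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        if rtype == PTR:
            target, _ = _read_name(packet, offset)
            records.append((name, target))
        offset += rdlength
    return records


def should_reflect(packet: bytes, allowed_services) -> bool:
    """Hypothetical policy: relay only packets advertising an allow-listed
    service type, so the NAS's other services are not announced to the IoT VLAN."""
    return any(svc in allowed_services for svc, _ in parse_mdns_ptr_records(packet))


# --- constructed sample packets (not captured traffic) -----------------------
def _encode_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"


def build_ptr_response(service: str, instance: str) -> bytes:
    """One PTR answer; the target name uses a compression pointer back to the
    owner name at offset 12 (the first byte after the 12-byte header)."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 0)   # response, AA, 1 answer
    owner = _encode_name(service)
    rdata = bytes([len(instance)]) + instance.encode("ascii") + struct.pack("!H", 0xC000 | 12)
    rr = owner + struct.pack("!HHIH", PTR, 0x8001, 4500, len(rdata)) + rdata  # IN + cache-flush
    return header + rr


if __name__ == "__main__":
    allowed = {"_airplay._tcp.local", "_raop._tcp.local"}
    for svc, inst in [("_airplay._tcp.local", "Living Room"), ("_ssh._tcp.local", "nas")]:
        pkt = build_ptr_response(svc, inst)
        print(parse_mdns_ptr_records(pkt), "->", "reflect" if should_reflect(pkt, allowed) else "drop")
```

Running it shows the AirPlay advertisement being relayed and the (constructed) NAS SSH advertisement being held back; a reflector without such a policy would relay both, which is the trade-off to keep in mind when the NAS sits on its own VLAN.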
06-30-2017 10:30 AM
Re: Airplay and Airprint Firewall Rules
02-09-2017 04:34 PM
If you have the USG and you want Bonjour/AirPlay to work, for now you have to:
1) ssh into the USG
2) configure
3) set service mdns reflector
4) commit (then save to keep it across reboots)
04-02-2018 03:49 AM - edited 04-02-2018 05:15 AM
I have done it in the following way using a USG...
Corporate LAN is 4.x network VLAN 4
Guest WiFi is 6.x network VLAN 6; Apple TVs live on the Guest network
LAN IN firewall rule allowing ALL Traffic from LAN Subnet (corporate) to access Apple TVs on Guest Network.
GUEST IN firewall rule allowing established/related traffic from Apple TV back to LAN Subnet.
Turn on mDNS. (The IPv4 group address for mDNS is 224.0.0.251 and the port is UDP 5353.)
It was just that easy. Might be nice to restrict the rules to only the necessary ports, but this is pretty satisfactory. I have found a fairly complete list of ports that you might need, but for the purposes of Screen Sharing to the Apple TV from a Mac it used mDNS and port 7000 TCP. Audio sharing kicked off PTPv2 (UDP 320) and a high UDP port in the range of 49152-65535.
12-22-2018 07:07 PM
I was having all sorts of issues with AirPlay across VLANs.
My topology is two VLANs, one for privileged devices called LAN, and another for IoT, called MISC.
I have my AirPort Express and Apple TV on MISC.
I had set up the mDNS repeater, and opened the port for mDNS to go both ways. Opened established/related both ways. Other than that, traffic from MISC is blocked to LAN.
Playing from a device on MISC to either audio output device works.
Playing from a device on LAN to one on MISC did not work.
It does see the devices on MISC, but initiating an AirPlay stream always failed after a 20s pause.
I opened all the standard AirPlay ports (listed in the prior post) from MISC to LAN.
Still not working.
Then I experimented with various port ranges.
When I opened the private port range 49152-65535 to both TCP and UDP traffic, it worked.
The only 3 rules I ended up needing to keep it working were:
1. allow established/related back into LAN from MISC
2. allow mDNS traffic into LAN from MISC
3. allow TCP/UDP traffic from MISC to LAN ports 49152-65535
I wanted to share this solution because after hours of reading posts here, multiple times, I never saw this range of callback ports mentioned.
I hope it helps someone save some time and frustration!
2 weeks ago - last edited 2 weeks ago
For what it's worth, what I had to do was add a firewall rule to permit established/related traffic from my entertainment VLAN back to my main data VLAN. I have everything blocked from the entertainment VLAN -> the data VLAN, so I have to open holes. More info on my firewall rules can be found here: http://www.jeffsloyer.io/post/sonos-usg-firewall-ports/ and http://www.jeffsloyer.io/post/apple-airplay-usg/.