Established Member
Posts: 1,335
Registered: ‎05-25-2016
Kudos: 243
Solutions: 11

Airplay across VLAN. How to do?

Hello everyone. So im starting to segment my network.

 

i have a NAS server, which comtaints work related stuff(security) and also my personal photos movies etc.

 

 

i have 2 apple tv. and then we have some ipad and some iphones who randomly uploads pictures to the NAS.

 

the problem here is. Im going to make some home automation setup, which im going to put into a VLAN called "IOT" so they wont cause issues due to security patches not being made for those.

 

in the same round im going to have all our phones and ipad join the same VLAN.

 

Then my nas will be all "alone" on its own VLAN.

 

 

here is my question.  HOW do i keep my nas on its own VLAN for safety reason but still allow my phones to upload to it, and allow out apple tv to stream from it..

 

i guess im going to need to static routing but wont a static route ruin the purpose of "security"?

if it will ruin the purpose of security isnt it possible for my phone to access the nas server from my external IP and going in that way.? i guess Hairpin can help me there, if i disable it? or am i wrong here?

 

is it possible to make multicast appear so i can airplay from a device in VLAN 10 to another device in VLAN 20? 

 

 

any inputs @UBNT-cmb

 

 

Regular Member
Posts: 632
Registered: ‎06-26-2016
Kudos: 292
Solutions: 16

Re: Airplay across VLAN. How to do?

Yea, I don't think that will be very useful to you, to be honest. Why would you put the Apple devices in the IOT VLAN? Why not create another new VLAN called "Entertainment" and allow that one to talk to the NAS (or include the NAS)? It doesn't make much sense to segment the iOS devices, and then try to allow them to use zero-config networking (Bonjour/Airplay) IMO.
New Member
Posts: 28
Registered: ‎05-12-2015
Kudos: 1
Solutions: 1

Re: Airplay across VLAN. How to do?

Also, you may need the avahi setup, if you search google/forums there's a few examples of how to configure it and configure it to run at boot.

 

That'll allow bonjour to work between networks (apples broadcast discovery protocol)

Regular Member
Posts: 376
Registered: ‎04-24-2014
Kudos: 191
Solutions: 13

Re: Airplay across VLAN. How to do?

Yes, you need an mDNS reflector in order to allow AirPlay and AirPrint to cross subnet boundaries.  There's a way to do it with static DNS entries, but it's a real pain to set up.  Are you using a USG?  I believe it has Avahi on it, but it has to be enabled via CLI (search the forum...pretty sure I've seen instructions for it before).  If not, you can create a VLAN trunk port on your switch that carries all VLANs between which you want to allow AirPlay/AirPrint, and plug in a Raspberry Pi or some other linux machine with Avahi installed.  You'll need to configure vNICs on the Avahi machine so that it has an address in every subnet.  Actually pretty simple to do.

Highlighted
Regular Member
Posts: 632
Registered: ‎06-26-2016
Kudos: 292
Solutions: 16

Re: Airplay across VLAN. How to do?


Posts: 339
Registered: ‎06-26-2016
Kudos: 110
Solutions: 10
Re: Airplay and Airprint Firewall Rules
Options

‎02-09-2017 04:34 PM
If you have the USG and you want Bonjour/Airplay to work, for now you have to:
1) ssh into the USG and
2) do configure
3) set service mdns reflector
4) commit
5) save.
Member
Posts: 107
Registered: ‎11-24-2017
Kudos: 38
Solutions: 2

Airplay (Apple TVs) across VLANs. How to...

[ Edited ]

I have done it in the following way using a USG...

 

Corporate LAN is 4.x network VLAN 4

Guest WiFi is 6.x network VLAN 6; Apple TVs live on the Guest network

 

LAN IN firewall rule allowing ALL Traffic from LAN Subnet (corporate) to access Apple TVs on Guest Network.

GUEST IN firewall rule allowing established/related traffic from Apple TV back to LAN Subnet.

Turn on mDNS. (The IPv4 group identifier for mDNS is 224.0.0.251 and the port 5353 UDP).

 

It was just that easy. Might be nice to restrict the rules to only the necessary ports, but this is pretty satisfactory. I have found a fairly complete list of ports that you might need, but for the purposes of Screen Sharing to the Apple TV from a Mac it used mDNS and port 7000 TCP. Audio sharing kicked off PTPv2 (UDP 320) and a high UDP port in the range of 49152-65535.

   80    TCP HTTP  - AirPlay
 320   UDP PTPv2  - Precision Time Protocol
 443   TCP HTTPS   -  AirPlay
 554   UDP/TCP RTSP  - AirPlay
 1900  UDP SSDP   -  Bonjour
 3689  TCP DAAP   -  AirPlay
 5000  TCP  - Mirroring
 5297  TCP - Bonjour
 5298  TCP/UDP  - Bonjour
 5350  UDP     NAT Port Mapping Protocol Bonjour
 5351  UDP     NAT Port Mapping Protocol Bonjour
 49159 UDP MDNS (Windows) -  AirPlay / Bonjour
 49163 UDP MDNS (Windows) -  AirPlay / Bonjour
 
 tcp > port - 5000  (seen with music)
 tcp > port - 7001  (seen with video)
 tcp > port - 7000  (seen with picture/file)
 tcp > port - 7100  (seen with display-mirroring)
 udp > port - 7010  (seen with display-mirroring)
 udp > port - 7011  (seen with display-mirroring)
 tcp > port - 3689  (iTunes music sharing)
 tcp > port - 49152-65535 (dynamic ports) 
 udp > port - 49152-65535 (dynamic ports) 
 tcp > port  - 123  (so appletv can get time)
 udp > port  - 123  (so appletv can get time)
New Member
Posts: 11
Registered: ‎10-28-2016
Kudos: 2
Solutions: 1

Re: Airplay (Apple TVs) across VLANs. How to...

(Solution below)

I was having all sorts of issues with Airplay across VLAN's.

 

My topology is two VLAN's, one for privilieged devices called LAN, and another for IOT, called MISC.

 

I have my airport express and apple TV on MISC.

 

I had set up the mDNS repeater, and opened port for mDNS to go both ways. Opened established/related both ways. Other than that, traffic from MISC is blocked to LAN.

 

Playing from a device on MISC to either audio output device works.

 

Playing from a device on LAN to one on MISC did not work.

 

It does see the devices on MISC, but initiating an airplay stream always failed after a 20s pause.

 

I opened all the standard airplay ports (listed in the prior post) from MISC to LAN.

 

Still not working.

 

Then I experimented with various port ranges.

 

When I opened the private port range 49152-65535 to both tcp and udp traffic, it worked.

 

The only 3 rules I ended up needing to keep it working were:

1. allow established/related back into LAN from MISC

2. allow mDNS traffic into LAN from MISC

3. allow TCP/UDP traffic from MISC to LAN ports 49152-65535

 

I wanted to share this solution because after hours of reading posts here, multiple times, I never saw this range of callback ports mentioned.

 

I hope it helps someone save some time and frustration!

 

 

New Member
Posts: 7
Registered: ‎10-04-2016
Kudos: 45

Re: Airplay across VLAN. How to do?

[ Edited ]

bferrell Wow! This is perfect. Couldn't have made this any easier for USG owners

Member
Posts: 244
Registered: ‎07-27-2017
Kudos: 101
Solutions: 3

Re: Airplay across VLAN. How to do?

[ Edited ]

For what its worth what I had to do was add a firewall rule to permit established/related traffic from my entertainment VLAN back to my main data vlan.  I have everything blocked from the entertainment vlan -> the data vlan so I have to open holes.  More info on my firewall rules can be found here http://www.jeffsloyer.io/post/sonos-usg-firewall-ports/ and http://www.jeffsloyer.io/post/apple-airplay-usg/.