unifi-casting-firewall-rules.md
What: Firewall rules and IP/port groups needed in UniFi Network so that casting (Chromecast/Google Cast) traffic flows between VLANs and devices can discover and cast to a TV or speaker.


Create 4 groups under Settings > Profiles > IP Groups (three IPv4 address groups and one port group):

  • IPv4 Address Group
  • Name: RFC1918
  • Address values: 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8

  • IPv4 Address Group
  • Name: IP_Multicast
  • Address values: 224.0.0.0/4

  • Port Group
  • Name: Ports_Cast
  • Port values: 8008, 8009 (Cast control, TCP), 5353 (mDNS discovery, UDP)

  • IPv4 Address Group
  • Name: IP_Cast
  • Address values: <Will vary. Enter the IPv4 address(es) of the devices you cast TO, e.g. your Smart TV or speakers. Giving these devices a fixed IP or DHCP reservation keeps the group valid.>

Create the firewall rules under Settings > Application Firewall > Firewall Rules.

Create 3 rules of type LAN In (all with action Allow and source Address Group: RFC1918):

  • Allow RFC1918 to Address Group: IP_Multicast, Port Group: Ports_Cast (Protocol: TCP and UDP, so that UDP 5353 mDNS to 224.0.0.251 matches)

  • Allow RFC1918 to Address Group: IP_Cast, Port Group: Ports_Cast (Protocol: TCP and UDP)

  • Allow RFC1918 to Address Group: IP_Cast, Port Group: ANY, Protocol: UDP (the media/stream ports Cast uses are not fixed, see the Google reference below)


LAN In rules are evaluated top-down and the first match wins, so place these 3 rules above any DROP rules you have made (for example an inter-VLAN block rule); otherwise the drop rule matches the cast traffic first.

Testing

  • Tested from Chromium browser to Smart TV for Video/Audio (Netflix, Spotify).
  • Tested from iPad (iPad OS 16/17) to Smart TV for Video/Audio (Netflix, Spotify, Plex).
  • Tested from Android phone (Android OS v12) to Smart TV for Video/Audio (Netflix, YouTube, Spotify, Plex).
  • Works across VLANs which are NOT isolated (in UniFi Network/WiFi settings).

Notes on UniFi Network

  • You may need to add port UDP 1900 (SSDP, used by DLNA/UPnP discovery to 239.255.255.250) to the group named Ports_Cast depending on your devices, or possibly other ports in some cases.

  • Multicast such as mDNS (224.0.0.251) is link-local and is not routed between VLANs by a firewall rule alone; if the caster and the TV are on different VLANs, also enable the "Multicast DNS" (mDNS reflector) option in UniFi Network so discovery replies reach the other VLAN. The rules above then allow the reflected and unicast traffic through.

  • For WiFi settings, you may need to untick "Hotspot portal", as the guest policy it applies isolates the devices on that network from other devices on your LAN.

  • For Network settings, you may need to untick "Isolation", as that isolates the devices on that network from other devices on your LAN.


  • If you are concerned about turning off "Isolation", you can instead make firewall rules that block only the untrusted networks, say "IOT" or "Kids", from reaching the rest of the LAN.
  • This can be achieved with a LAN In rule, action Drop, from Network "IOT" to the IPv4 Address Group named RFC1918, placed below the 3 allow rules above.
  • This would be a firewall rule you could name "Block InterVLAN Routing". Internet-bound traffic from IOT is unaffected because public addresses are not in RFC1918.
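As an added example (not part of these notes, and not UniFi's own code), the following Python models the four groups, the three LAN In allow rules and the optional "Block InterVLAN Routing" drop rule from the notes above, then evaluates a few constructed flows against them top-down, first match wins, the way LAN In is processed. The TV address 192.168.10.50, the IoT VLAN 192.168.30.0/24 and the tablet 192.168.30.20 are made-up values; replace them with your own. Running it shows why the allow rules must sit above the drop rule: the same cast flow is allowed in one ordering and dropped in the other, while SSH from the IoT VLAN to a LAN host stays blocked in both.

```python
"""Offline model of the LAN In rules on this page, evaluated top-down, first match wins."""
import ipaddress
from dataclasses import dataclass

# IP groups from the page. IP_Cast and IOT hold constructed example addresses:
# a TV at 192.168.10.50 on the main LAN and an IoT VLAN of 192.168.30.0/24.
IP_GROUPS = {
    "RFC1918": ["192.168.0.0/16", "172.16.0.0/12", "10.0.0.0/8"],
    "IP_Multicast": ["224.0.0.0/4"],
    "IP_Cast": ["192.168.10.50/32"],
    "IOT": ["192.168.30.0/24"],
    "ANY": ["0.0.0.0/0"],
}
# Port groups; None means "ANY" (no destination-port restriction).
PORT_GROUPS = {"Ports_Cast": {8008, 8009, 5353}, "ANY": None}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow" or "drop"
    src: str             # IP group name
    dst: str             # IP group name
    ports: str = "ANY"   # port group name (destination ports)
    proto: str = "any"   # "tcp", "udp" or "any"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def in_group(ip: str, group: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in IP_GROUPS[group])


def matches(rule: Rule, flow: Flow) -> bool:
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if not (in_group(flow.src, rule.src) and in_group(flow.dst, rule.dst)):
        return False
    ports = PORT_GROUPS[rule.ports]
    return ports is None or flow.dport in ports


def evaluate(rules, flow):
    """First matching rule wins. LAN In has no implicit drop, so an unmatched
    inter-VLAN flow is allowed (which is why the page's block rule exists)."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.name
    return "allow", "default"


# The three allow rules from the page, plus the optional drop rule from the notes.
CAST_RULES = [
    Rule("Allow Cast to Multicast", "allow", "RFC1918", "IP_Multicast", "Ports_Cast"),
    Rule("Allow Cast Ports to IP_Cast", "allow", "RFC1918", "IP_Cast", "Ports_Cast"),
    Rule("Allow UDP to IP_Cast", "allow", "RFC1918", "IP_Cast", "ANY", "udp"),
]
BLOCK_RULE = Rule("Block InterVLAN Routing", "drop", "IOT", "RFC1918")

RULES_CORRECT = CAST_RULES + [BLOCK_RULE]   # allows placed above the drop
RULES_WRONG = [BLOCK_RULE] + CAST_RULES     # drop placed first

# Constructed flows: a tablet on the IoT VLAN (192.168.30.20) casting to the TV.
FLOWS = {
    "mdns_discovery": Flow("192.168.30.20", "224.0.0.251", 5353, "udp"),
    "cast_control":   Flow("192.168.30.20", "192.168.10.50", 8009, "tcp"),
    "cast_media_udp": Flow("192.168.30.20", "192.168.10.50", 40000, "udp"),
    "tv_https":       Flow("192.168.30.20", "192.168.10.50", 443, "tcp"),
    "ssh_to_laptop":  Flow("192.168.30.20", "192.168.10.10", 22, "tcp"),
}


def check_groups() -> bool:
    """Sanity check: every cast target must be an RFC1918 address, or rules 2 and 3 never match."""
    return all(in_group(net.split("/")[0], "RFC1918") for net in IP_GROUPS["IP_Cast"])


if __name__ == "__main__":
    print("IP_Cast inside RFC1918:", check_groups())
    for label, ruleset in (("allows above drop", RULES_CORRECT), ("drop first", RULES_WRONG)):
        print(f"== {label} ==")
        for name, flow in FLOWS.items():
            print(f"{name:15} -> {evaluate(ruleset, flow)}")
```

The model deliberately ignores connection tracking and the WAN; it only answers "which LAN In rule matches this new inter-VLAN flow", which is the ordering question the notes raise. Note that tv_https (TCP 443 to the TV) is dropped in both orderings because only UDP is opened to IP_Cast beyond Ports_Cast; add a TCP port to Ports_Cast if a device needs it.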

References

https://community.ui.com/questions/Chromecast-across-VLANS/c590a032-8931-49e9-b85e-70104d0b929c

https://support.google.com/chrome/a/answer/12256492?hl=en#:~:text=To%20contact%20a%20receiver%20to,UDP%20ports%201%20to%2065535.