Airplay across VLANs - Half functional

I currently have a guest vlan and a lan vlan. My AppleTV devices live on the lan vlan, and I'd like clients on the guest vlan to be able to stream via airplay to the appletvs on the lan vlan.

I set up avahi to the point where guest devices can now see the appletvs as potential streaming targets. However, when one of these guest devices attempts to actually stream/connect to the appletv on the lan vlan, it simply fails/times out.

I've looked into this a bit and I'm completely stumped and haven't found any combo of firewall rules that completes my quest to enable guest devices to stream to my appletv devices. Anyone have a solution?

On AppleTV - check the settings - "Airplay and HomeKit" -> "Allow Access" -> and play with the options...

"Everyone" is just that... and likely your best choice
"Anyone on the Same Network" - this is the LAN/VLAN it's hosted on
"Only People Sharing this Home" - that's an Apple ID thing

Going back to the first option - AirPlay leverages Apple's peer to peer implementation - ATV will always have that, even when wired up or over WiFi on a dedicated VLAN...

Apple Wireless Direct Link is what they use for AirPlay sharing...

That isn’t really what I’m looking for. Using the “Everyone” option will allow even my neighbors to connect to my Apple TV, which I definitely don’t want.

I’m looking for specific firewall rules to allow clients on a specific vlan to stream to airplay devices (such as appletvs) on another vlan.

1 Like

go to option three then...

and perhaps look at Conference Room Display...

If you're unhappy with this - perhaps consider a Roku, Amazon Fire, or Google device...

anyways - everything is on the LAN side of the firewall, even with VLANs, so no amount of firewall magic is going to have an effect...

Airplay is only on the LAN - so your neighbors are not going to access it.

I know it’s possible, just looking for the proper firewall rules to pair with avahi. If anyone cares to share those, much appreciated.

1 Like

It's on the LAN, so there's no FW rules needed...

In fact, you don't even need to have avahi running on the gateway...

That’s not true. If you set allow access to “everyone”, you can see and connect to the device even if you’re not connected to the network (on LTE/5G with WiFi turned off, for example). Try it…

But again I’m really just looking for someone to chime in with the proper firewall rules to allow clients in one vlan to connect to Apple TVs in another vlan.

1 Like

And allowing forwarding between the two firewall zones doesn't work?

I likely haven’t set that up correctly. What specific rules would you expect?

These are the rules. Are you using the web GUI or command line?

Do you need more specific directions - if so, for which?

I’m using the ui but am comfortable with either that or cli. How and where do I enter a rule to forward between the zones? Which ports am I forwarding?

Tried it with a device not on the same iCloud account over LTE and it does not work.

Bonjour/Avahi has always been around discovery on the same network...

Yes, it's been a problem for folks that want to have a guest network, but that's not really a problem - either you trust your guests, or you don't...

You can use avahi just fine; you need avahi to make the router (aka 0.0.0.0) the mirror of your multicast traffic.

This can be done by editing /etc/config/avahi-daemon.conf and adding the following line:

enable-reflector=yes

Under the entry:

[reflector]

You can also limit interfaces by using:

allow-interfaces=br-lan.10,br-lan.2

Under the section [server]

Now the more complicated task is figuring out the firewalling.

If we break it down: avahi listens on 0.0.0.0, which on each interface is the router IP where LuCI is hosted. Every time a device talks on the multicast range 224.0.0.x, avahi will mirror this traffic to the other subnets, so with these settings you would see all multicast devices appear, but maybe you don't want that?

Then firewall rules and the allow-interfaces are needed for fine control.

Since there are a handful of devices and also different implementations, i.e. chromecast, airplay (last time I remember it used port 80/tcp), it would be easier to use tcpdump and analyze the multicast advertisement for which destination port they want to use in the TXT area; it can as well be 5353,5454,5443,8888,8443,1001.

tcpdump -i br-lan.x -v multicast or tcpdump -i br-lan.x -v multicast and host 192.168.2.4

with ifconfig you can see the generic naming of all interfaces, br-lan.x can also be just br-lan in your case.

The tcpdump can really help here, also when such a handshake gets made, if any additional ports need to be forwarded by the firewall traffic rules 👍

As optional side note for wireguard servers:

Avahi becomes more difficult if you would use a wireguard server for wifi: since wireguard officially doesn't support layer 2, you need to add a static multicast route on the server to 224.0.0.0/4 (you can make this range smaller), and on the client you also need to add this route to allowedips, otherwise resolution won't be possible.

2 Likes
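The advice above is to capture the multicast advertisement and read the port out of its SRV/TXT records. As an added example, not code from the thread or from any project mentioned in it, here is a small mDNS response parser that does that step offline: it decodes DNS names (including 0xC0 compression pointers, which real advertisements use heavily), pulls the PTR, SRV, TXT and A records out of a packet, and reports the port each service instance wants, which is the number the guest-to-lan forwarding rule has to allow. The packet is constructed inside the block; the instance name "Living Room", the host "apple-tv.local", port 7000, the address 192.168.1.50 and the TXT values are all made-up sample data, not a capture from a real Apple TV.

```python
import struct

MDNS_GROUP = "224.0.0.251"   # IPv4 mDNS group the thread's firewall rules refer to
MDNS_PORT = 5353

# DNS record types we care about in a service advertisement
TYPE_A, TYPE_PTR, TYPE_TXT, TYPE_SRV = 1, 12, 16, 33


def _encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode()
    return out + b"\x00"


def _read_name(buf, off):
    """Decode a DNS name at buf[off], following compression pointers.
    Returns (name, offset just past the name in the original stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = buf[off]
        if (length & 0xC0) == 0xC0:               # pointer to an earlier name
            ptr = struct.unpack_from("!H", buf, off)[0] & 0x3FFF
            if end is None:
                end = off + 2                      # stream resumes after the pointer
            off = ptr
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode())
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_mdns(buf):
    """Return a list of dicts for every answer/authority/additional record."""
    qd, an, ns, ar = struct.unpack_from("!HHHH", buf, 4)
    off = 12
    for _ in range(qd):                            # skip questions
        _, off = _read_name(buf, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        name, off = _read_name(buf, off)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", buf, off)
        off += 10
        rdata = buf[off:off + rdlen]
        rec = {"name": name, "type": rtype, "ttl": ttl}
        if rtype == TYPE_PTR:
            rec["target"], _ = _read_name(buf, off)
        elif rtype == TYPE_SRV:
            _prio, _weight, port = struct.unpack_from("!HHH", buf, off)
            rec["port"] = port
            rec["target"], _ = _read_name(buf, off + 6)
        elif rtype == TYPE_TXT:                    # sequence of length-prefixed key=value items
            txt, i = {}, 0
            while i < rdlen:
                ln = rdata[i]
                key, _, val = rdata[i + 1:i + 1 + ln].decode().partition("=")
                txt[key] = val
                i += 1 + ln
            rec["txt"] = txt
        elif rtype == TYPE_A:
            rec["address"] = ".".join(str(b) for b in rdata)
        off += rdlen
        records.append(rec)
    return records


def service_ports(records):
    """Map service instance name -> port from SRV records (what the forward rule must allow)."""
    return {r["name"]: r["port"] for r in records if r["type"] == TYPE_SRV}


def build_sample_packet():
    """Constructed AirPlay-style mDNS response (sample data, not a real capture)."""
    svc, inst, host = "_airplay._tcp.local", "Living Room._airplay._tcp.local", "apple-tv.local"
    pkt = bytearray(struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 3))   # 1 answer, 3 additionals
    pkt += _encode_name(svc)
    inst_off = len(pkt) + 10                       # where the PTR rdata (instance name) will start
    inst_enc = _encode_name(inst)
    pkt += struct.pack("!HHIH", TYPE_PTR, 0x8001, 4500, len(inst_enc)) + inst_enc
    ptr = struct.pack("!H", 0xC000 | inst_off)     # compression pointer back to the instance name
    srv_rdata = struct.pack("!HHH", 0, 0, 7000) + _encode_name(host)
    pkt += ptr + struct.pack("!HHIH", TYPE_SRV, 0x8001, 120, len(srv_rdata)) + srv_rdata
    txt_items = [b"deviceid=AA:BB:CC:DD:EE:FF", b"features=0x5A7FFFF7", b"model=AppleTV6,2"]
    txt_rdata = b"".join(bytes([len(t)]) + t for t in txt_items)
    pkt += ptr + struct.pack("!HHIH", TYPE_TXT, 0x8001, 4500, len(txt_rdata)) + txt_rdata
    pkt += _encode_name(host) + struct.pack("!HHIH", TYPE_A, 0x8001, 120, 4) + bytes([192, 168, 1, 50])
    return bytes(pkt)


if __name__ == "__main__":
    recs = parse_mdns(build_sample_packet())
    for r in recs:
        print(r)
    print("ports to forward:", service_ports(recs))
```

To use it on real traffic, feed it the UDP payload of each packet destined to 224.0.0.251:5353 (for example from a pcap written by the tcpdump command above with `-w`); the SRV port is the one to allow in the guest-to-lan forwarding rule, and the TXT records tell you which service variant you are looking at.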

I would also add that

avahi-browse -a -r -t

on the router will be helpful to see what mdns advertisements it sees. Once reflection is up, running it on the clients can also be helpful.

Personally, I also seem to need to allow mdns from the vlan so that packets can actually reach avahi-daemon:

config rule
        option name 'Allow-mDNS-In-vlan10'
        option src 'vlan10'
        option proto 'udp'
        option dest_port '5353'
        option dest_ip '224.0.0.251'
        option target 'ACCEPT'
        option family 'ipv4'

And if you need ipv6

config rule
        option name 'Allow-mDNS-in-vlan10-ipv6'
        option family 'ipv6'
        list proto 'udp'
        option src 'vlan10'
        list dest_ip 'ff02::fb'
        option dest_port '5353'
        option target 'ACCEPT'

FWIW, this works for chromecast and spotify connect for me, I don't use AirPlay

2 Likes

Hit this link and do a search for AirPlay. You should see around five specific ports that are leveraged by AirPlay.

In addition to the great info @xize and @buz already provided, there is an old thread where I provided some similar info and configuration for mDNS. You may find some of it useful: Bridging mDNS between networks - #2 by _FailSafe

One thing I would strongly recommend, however, is to define the deny-interfaces= setting in your Avahi config. Add your WAN facing interface(s) in that setting.

By default, Avahi will reflect to all local interfaces except loopback. I ran into an issue with my ISP where Avahi was sending out mDNS on my WAN iface and my ISP was shutting down my port for 20 seconds every time that happened. It was crazy hard to track down the issue at the time, though in hindsight it is obvious.

Anyway, save yourself some headache 🙂
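As an added example (not code from any post in this thread), here is a small check that reads an avahi-daemon.conf and flags the two things the posts above warn about: a reflector that is not switched on, and a WAN interface that the reflector will happily send mDNS onto because it is neither listed in deny-interfaces nor excluded by an explicit allow-interfaces list. The three sample configs and the interface names (br-lan.10, br-lan.2, wan, wan6) are constructed for the example.

```python
import configparser

# Constructed sample configs (not from a real router).
SAMPLE_OFF = """
[server]
use-ipv4=yes

[reflector]
#enable-reflector=no
"""

SAMPLE_LEAKY = """
[server]
use-ipv4=yes

[reflector]
enable-reflector=yes
"""

SAMPLE_SAFE = """
[server]
use-ipv4=yes
deny-interfaces=wan,wan6
allow-interfaces=br-lan.10,br-lan.2

[reflector]
enable-reflector=yes
"""


def _csv(value):
    """Split an avahi comma-separated interface list, ignoring blanks."""
    return [v.strip() for v in value.split(",") if v.strip()]


def lint_avahi_conf(text, wan_ifaces):
    """Return a list of human-readable findings for the given avahi-daemon.conf text.
    wan_ifaces are the interface names that must never see reflected mDNS."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []

    if cp.get("reflector", "enable-reflector", fallback="no").strip().lower() != "yes":
        findings.append("enable-reflector is not 'yes': mDNS will not cross VLANs")

    allow = _csv(cp.get("server", "allow-interfaces", fallback=""))
    deny = _csv(cp.get("server", "deny-interfaces", fallback=""))
    for iface in wan_ifaces:
        if iface in allow:
            findings.append(f"{iface} is listed in allow-interfaces: mDNS will be reflected onto the WAN")
        elif not allow and iface not in deny:
            # Avahi's default is every interface except loopback, so an
            # unlisted WAN interface is included unless denied explicitly.
            findings.append(f"{iface} is neither in deny-interfaces nor excluded by allow-interfaces: "
                            f"Avahi will reflect onto it")
    return findings


if __name__ == "__main__":
    for label, sample in (("off", SAMPLE_OFF), ("leaky", SAMPLE_LEAKY), ("safe", SAMPLE_SAFE)):
        print(label, lint_avahi_conf(sample, ["wan", "wan6"]) or "ok")
```

On a live router you would pass the contents of the avahi config file and the interface names that `ifconfig` (or `ip link`) shows for the WAN side; an empty result means the reflector is on and confined to the interfaces you chose.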

Thank you @xize, @buz, and @_FailSafe for all of the help!

2 Likes