Suppose there are vlan A and vlan B, and a TV is present in vlan B. Now how do I allow all devices present in vlan A to access only the TV in vlan B, for Chromecast?
I don't want all devices in vlan A to access all devices in vlan B, and vice versa. I want all devices in vlan A to access only my TV in vlan B, for Chromecast.
My device is a Linksys E8450 with the latest stable OpenWrt.
If there is a solution, kindly direct me to a guide as well, because I am an OpenWrt noob.
Assuming the VLANs are set up in separate firewall zones, it's just an allow firewall rule in VLAN A's zone allowing access to the TV's IP address, assuming you're handing it a static IP.
But you have another issue: Chromecast is based on multicast DNS traffic, which is usually not routed. So you'll need to add the avahi package to OpenWrt to reflect mDNS traffic between subnets. Do a search on "openwrt avahi chromecast"; it's been discussed frequently here, on Reddit and in lots of other places.
Edit: (Personally I keep things simple. My Chromecast devices (TV, audio) are on the guest network, so they don't have access to my LAN. 99% of the time when I cast anything, I do it from my iPhone, which by default is also on the guest network, because it doesn't really need LAN access. [And I don't trust Apple or half the apps on it, if we're being honest.] On the rare occasion I want to cast from my laptop, I just switch to the guest network, cast, and then switch back. The TV also has routed access to an NFS server for media playback, but only to a specific read-only share.)
Create vlan A (assuming 192.168.1.1) and vlan B. (A great explanation can be found here.)
Install the Avahi package and configure it.
Avahi installation and config
Installation:
opkg update && opkg install avahi-nodbus-daemon
Config (/etc/avahi/avahi-daemon.conf):
[server]
host-name=foo
domain-name=local
use-ipv4=yes
use-ipv6=no
check-response-ttl=no
use-iff-running=no
disallow-other-stacks=yes
# replace XX below with the vlan A ID and YY with the vlan B ID
allow-interfaces=br-lan.XX,br-lan.YY
[publish]
publish-addresses=yes
publish-hinfo=no
publish-workstation=no
publish-domain=yes
#publish-dns-servers=192.168.1.1
#publish-resolv-conf-dns-servers=yes
[reflector]
enable-reflector=yes
reflect-ipv=no
[rlimits]
Firewall: Allow Chromecast
firewall config
# Allow IOT Chromecast (mDNS from the IOT zone to the router's avahi reflector)
# A new rule section must be added first; otherwise @rule[-1] overwrites the last existing rule.
uci add firewall rule
uci set firewall.@rule[-1].name='Allow IOT_Chromecast'
uci set firewall.@rule[-1].family='ipv4'
uci set firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].src='IOT'
uci set firewall.@rule[-1].src_port='5353'
uci add_list firewall.@rule[-1].dest_ip='224.0.0.251'
uci set firewall.@rule[-1].dest_port='5353'
uci set firewall.@rule[-1].target='ACCEPT'
# Block IOT access to all networks
uci add firewall rule
uci set firewall.@rule[-1].name='Block IOT-to-All networks'
uci set firewall.@rule[-1].proto='all'
uci set firewall.@rule[-1].src='IOT'
uci set firewall.@rule[-1].dest='*'
uci add_list firewall.@rule[-1].dest_ip='192.168.1.0/24'
uci add_list firewall.@rule[-1].dest_ip='192.168.2.0/24'
uci add_list firewall.@rule[-1].dest_ip='fc00::/7'
uci add_list firewall.@rule[-1].dest_ip='fe80::/10'
uci set firewall.@rule[-1].target='DROP'
uci commit firewall
service firewall restart
To simplify, temporarily allow vlan A to access vlan B zone. Later, it can be adjusted to block devices on vlan A from accessing vlan B devices.
Hi
I think your setup makes a lot of sense, being simple and effective. I am using the avahi setup outlined below, but liked yours better. One question though: do you keep your wifi clients isolated on the guest network? Or [somehow] selectively allow your phone to reach the TV for casting?
I'd like to pursue this first and see if it works for me, but the problem in my case is that I have my TV connected via Ethernet cable to the dumb AP. So now, how do I set it to the guest network? By default, it goes to the VLAN where my server, HA etc. are present, and not the guest network.
Configure the dumb AP with the same VLANs (vlan A and vlan B) as the main router. Establish a tagged connection between the main router and the dumb AP. This way, the dumb AP will handle the same VLANs (vlan A and vlan B) as the main router.
Set the Ethernet port on the dumb AP (the port where your TV is connected) to be untagged, in either vlan B or vlan A, so that it delivers that VLAN to the TV.
Good question. I don't bother to isolate guests: it's not important to me that guest clients be unable to reach each other. This kind of thing matters more if you're running an internet cafe or other public AP. In my home environment DMZ clients and the occasional houseguest don't really need to be protected from each other, they just need to be kept firewalled from the LAN.
But you're quite right, this arrangement would have problems if guests were isolated from each other. For one thing, my wifi Chromecast Audio dongles wouldn't be able to participate.
I have the same arrangement: my Chromecast TV dongle has the Google wired ethernet adapter and it's connected to an AP/switch (really a router running OpenWRT as an AP/switch only). br-lan is configured in the Bridge/VLAN Filtering tab to put one of the ports in VLAN 20, untagged. This results in the creation of a device br-lan.20. Network interface DMZ is configured to use br-lan.20. The guest wifi is joined to that network. Note that to make all this work you need to configure a port that will carry all your vlans to the router. And you don't need any firewall at all on this device, the router will handle all that. And yes, I should have mentioned that my dumb AP is running OpenWRT and while it's not routing or firewalling, it's not exactly "dumb" in this configuration either.
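The dumb-AP arrangement described in the two posts above (same VLANs on the AP as on the router, a tagged trunk between them, the TV's port untagged in the guest VLAN, guest wifi bridged onto br-lan.20) looks like this in UCI form. This is an added example, not config from any post in this thread; the port names lan1..lan4, the VLAN 1 management network, the AP address 192.168.1.2 and the radio name radio0 are assumptions to adjust to the actual device.

```uci
# /etc/config/network on the dumb AP (added example). Port names are an
# assumption for a DSA-based device; check them with: ls /sys/class/net
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

# VLAN 1: management/LAN. Tagged (:t) on lan1, the trunk towards the router;
# untagged with PVID (:u*) on the spare ports.
config bridge-vlan
	option device 'br-lan'
	option vlan '1'
	list ports 'lan1:t'
	list ports 'lan3:u*'
	list ports 'lan4:u*'

# VLAN 20: DMZ/guest. Tagged on the same trunk, untagged with PVID on lan2,
# the port the TV is plugged into. Bridge VLAN filtering creates br-lan.20.
config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan1:t'
	list ports 'lan2:u*'

# Management address of the AP, reachable only from VLAN 1.
# Assumption: the router is 192.168.1.1 on VLAN 1.
config interface 'lan'
	option device 'br-lan.1'
	option proto 'static'
	option ipaddr '192.168.1.2'
	option netmask '255.255.255.0'
	option gateway '192.168.1.1'
	list dns '192.168.1.1'

# The AP has no address in VLAN 20: it only bridges wifi and lan2 onto the
# tagged uplink. DHCP, routing and the firewall for this VLAN live on the router.
config interface 'dmz'
	option device 'br-lan.20'
	option proto 'none'

# /etc/config/wireless, guest SSID only. 'radio0' and the passphrase are placeholders.
config wifi-iface 'guest'
	option device 'radio0'
	option mode 'ap'
	option network 'dmz'
	option ssid 'guest'
	option encryption 'sae-mixed'
	option key 'change-me'
```

The router end of the trunk must carry VLAN 20 tagged on the port facing the AP, and the router's interface on br-lan.20 is where the DHCP server and the firewall zone for that VLAN live; as noted above, the AP itself needs no firewall. If client isolation is ever enabled on the guest SSID (option isolate '1' on the wifi-iface), it only stops wifi-to-wifi forwarding within that SSID: the wired TV on lan2 stays reachable, but wifi-only cast receivers such as the Chromecast Audio dongles mentioned above would not be.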
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'guest'
	option output 'ACCEPT'
	option forward 'REJECT'
	option input 'REJECT'
	list network 'guest'

config forwarding
	option src 'guest'
	option dest 'wan'

config rule
	option name 'guestDHCP'
	list proto 'udp'
	option src 'guest'
	option dest_port '67'
	option target 'ACCEPT'

config rule
	option name 'guestDNS'
	option src 'guest'
	option dest_port '53'
	option target 'ACCEPT'

config include 'miniupnpd'
	option type 'script'
	option path '/usr/share/miniupnpd/firewall.include'

config rule
	option name 'Allow_mdns_MotoTV_and_printer'
	list proto 'udp'
	option src '*'
	option src_port '5353'
	option dest_port '5353'
	option target 'ACCEPT'
	list dest_ip '224.0.0.251'
	option family 'ipv4'
The last config is the mDNS one I entered. I want to allow the printer and Chromecast TV, which are in br-lan.99 (lan), to br-lan.4 (guest).
With the current setup, I can cast audio in Spotify via the Google Cast option in the app from guest to lan, but casting the phone screen via the Android 15 Pixel 8 Pro settings doesn't work from guest to lan. Additionally, please tell me how to allow the printer too.
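The two firewall pieces this thread keeps coming back to, the earlier answer's "just an allow rule to the TV's IP address" for the devices in vlan A, and the last post's question of letting the guest zone reach the TV and the printer in the lan zone, fit together as the /etc/config/firewall fragment below. It is an added example, not config from any post in this thread: the zone names 'lan' and 'guest' and the policies (forward REJECT on guest, forwarding to wan only) are taken from the config dump above, while the addresses 192.168.1.20 (TV) and 192.168.1.21 (printer), and the printer ports, are assumptions to replace with the static leases actually handed out. The existing rule 'Allow_mdns_MotoTV_and_printer' has no 'dest', so it is an INPUT rule: it only lets the router itself receive mDNS, which is what the avahi reflector needs, but no rule yet forwards the unicast session that the phone opens to the TV after discovery.

```uci
# Added example for /etc/config/firewall (not from this thread).
# Assumptions: TV 192.168.1.20 and printer 192.168.1.21 in zone 'lan'
# (br-lan.99), phones in zone 'guest' (br-lan.4). After editing:
#   service firewall restart   (or: fw4 reload)
# and inspect the generated nftables rules with: fw4 print

# 1. mDNS into the router's avahi reflector. No 'dest' => INPUT chain, i.e.
#    traffic addressed to the router. 224.0.0.251 is link-local multicast and
#    is never forwarded; avahi re-announces what it hears on the other VLAN.
#    One rule per zone instead of src '*' keeps wan out of it. (With zone lan
#    already at input ACCEPT the lan rule is redundant, but harmless, and it
#    survives if lan input is later tightened to REJECT.)
config rule
	option name 'Allow-mDNS-guest'
	option src 'guest'
	option proto 'udp'
	option dest_port '5353'
	list dest_ip '224.0.0.251'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-mDNS-lan'
	option src 'lan'
	option proto 'udp'
	option dest_port '5353'
	list dest_ip '224.0.0.251'
	option family 'ipv4'
	option target 'ACCEPT'

# 2. The unicast session after discovery. 'dest' makes this a FORWARD rule;
#    the guest zone's forward policy stays REJECT, so from guest only the
#    listed addresses in lan are reachable. Keep proto 'all' for the TV:
#    cast control runs over TCP but mirrored screen/audio is streamed over
#    UDP. Replies ride the same conntrack entry, so no lan->guest rule is
#    needed and the TV cannot open connections towards the phones.
config rule
	option name 'Allow-guest-to-TV'
	option src 'guest'
	option dest 'lan'
	list dest_ip '192.168.1.20'
	option proto 'all'
	option target 'ACCEPT'

# 3. Printer: IPP (631/tcp) and raw/JetDirect (9100/tcp) cover most printers;
#    widen to proto 'all' only if the printer's app needs more.
config rule
	option name 'Allow-guest-to-printer'
	option src 'guest'
	option dest 'lan'
	list dest_ip '192.168.1.21'
	option proto 'tcp'
	option dest_port '631 9100'
	option target 'ACCEPT'
```

For the original question the same shape applies with vlan A's zone as 'src', vlan B's zone as 'dest' and the TV's address in 'dest_ip'; nothing else in vlan B becomes reachable because the zone-level forward policy, not the rule, decides the default. The forwarding rule only helps once discovery works, so avahi has to be installed and running per the earlier answer (service avahi-daemon enable; service avahi-daemon start) with both VLAN interfaces in allow-interfaces; if the TV shows up in the cast menu but the session then fails, the FORWARD rule is the missing piece, and if it never shows up, the reflector is.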