I have a 4th gen Apple TV which I connected to my guest zone. I would like to allow access from devices on my LAN zone, but am unclear which traffic rules to set up to do so. My reasoning for putting the Apple TV on the guest zone is to allow guests to our house on the guest zone to use it (AirPlay mostly) and to allow family members on the LAN zone to do the same.
I think I have 2 fundamental questions:
What are the minimal traffic rules I need to do this?
Do I have the syntax in the traffic rule itself correct?
From reading this article, it seems that there are only 2 I need:
UDP port 5353 is needed for Apple's Bonjour service, which I understand allows iOS devices to find the Apple TV and the Apple TV to find them.
TCP port 3689 is needed if I want to share iTunes libraries.
I am assuming that:
Bonjour service needs to go from LAN --> guest and from guest --> LAN
iTunes sharing only needs to go from LAN --> guest
I would think the following would get it done, but I cannot see the Apple TV from devices on the LAN zone with these two rules. Any suggestions are appreciated.
Bonjour only works within a single broadcast domain, which is usually a small area, without special DNS configuration. macOS, Bonjour for Windows and AirPort Base Stations may be configured to use Wide Area Bonjour which allows for wide area service discovery via an appropriately configured DNS server.
Since this is two different broadcast domains, I'm not certain that would work.
For that to work, would Wireshark need to be running on the same device that is connecting to the Apple TV? I have a Linux laptop that could run Wireshark, but only some iOS devices that could connect to the Apple TV.
@darksky I know this is an old topic, sorry to revive it. But I started here, and I found out the solution.
Did you try avahi? It will broadcast Bonjour to other VLANs.
You just need to install the packages (avahi-utils, avahi-dbus-daemon, libavahi-client and libavahi-dbus-support) and change or add the parameter enable-reflector=yes in the [reflector] section of the config file /etc/avahi/avahi-daemon.conf.
Hope this can help you, as it helped me.
I had already made some changes to the firewall, so I did not have to make any more changes; avahi worked almost out of the box.
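Worked example, added here and not part of any post in this thread: a small POSIX shell script that makes the avahi change described above idempotent and verifiable, and prints the OpenWrt /etc/config/firewall stanza the router itself needs so that avahi-daemon can receive mDNS from a zone whose input policy is REJECT (the usual setting for a guest zone). The sample avahi-daemon.conf, the temp directory and the function names are constructed for the demo; on a router the real file is /etc/avahi/avahi-daemon.conf.

```shell
#!/bin/sh
# Added example (not from the thread). POSIX sh + awk only, so it runs on
# OpenWrt's busybox as well as on a desktop shell.

# enable_reflector FILE
# Sets enable-reflector=yes inside the [reflector] section of an
# avahi-daemon.conf: an existing key (active or commented out) is rewritten,
# a missing key is added, and a missing section is created. Safe to re-run.
enable_reflector() {
    f="$1"
    tmp="$f.tmp.$$"
    awk '
        BEGIN { insec = 0; done = 0; seen = 0 }
        /^\[reflector\]/ { print; insec = 1; seen = 1; next }
        /^\[/ {
            # leaving the [reflector] section without having written the key
            if (insec && !done) { print "enable-reflector=yes"; done = 1 }
            insec = 0; print; next
        }
        insec && /^[#[:space:]]*enable-reflector[[:space:]]*=/ {
            # replace the first occurrence, drop any duplicates
            if (!done) { print "enable-reflector=yes"; done = 1 }
            next
        }
        { print }
        END {
            if (!seen) { print ""; print "[reflector]" }
            if (!done) { print "enable-reflector=yes" }
        }
    ' "$f" > "$tmp" && mv "$tmp" "$f"
}

# reflector_enabled FILE
# Returns 0 only if the [reflector] section has an active enable-reflector=yes.
reflector_enabled() {
    awk '
        /^\[reflector\]/ { insec = 1; next }
        /^\[/ { insec = 0 }
        insec && /^[[:space:]]*enable-reflector[[:space:]]*=[[:space:]]*yes[[:space:]]*$/ { found = 1 }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# print_mdns_input_rule ZONE
# Emits an OpenWrt firewall stanza (UCI syntax) that lets the router itself,
# where avahi-daemon listens on UDP 5353, accept mDNS arriving from ZONE.
print_mdns_input_rule() {
    cat <<EOF
config rule
	option name 'Allow-mDNS-in-$1'
	option src '$1'
	option proto 'udp'
	option dest_port '5353'
	option target 'ACCEPT'
EOF
}

# make_sample_conf FILE  (constructed sample, mirrors the stock file layout)
make_sample_conf() {
    cat > "$1" <<'EOF'
[server]
use-ipv4=yes
use-ipv6=yes

[reflector]
#enable-reflector=no

[rlimits]
rlimit-nproc=3
EOF
}

demo() {
    d=$(mktemp -d)
    conf="$d/avahi-daemon.conf"
    make_sample_conf "$conf"
    enable_reflector "$conf"
    enable_reflector "$conf"          # second run must change nothing
    reflector_enabled "$conf" && echo "reflector enabled in $conf"
    print_mdns_input_rule guest
    rm -rf "$d"
}

case "${1:-demo}" in
    demo) demo ;;
esac
```

The reflector only copies service announcements between the interfaces avahi listens on; it does not forward the AirPlay session itself. That session is ordinary unicast traffic between the client and the Apple TV and is still subject to the zone forwarding rules, which is why enabling the reflector on its own does not open the LAN to the guest zone.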
I think none. I changed nothing. I just had the ones that I already had to give the guest zone access to the Internet. But I have a different configuration: my Apple TVs (and HomePod) are in the main LAN zone, and I want guests to have access to the Apple TVs and/or HomePod.
I'm not sure if in your configuration any change is needed, but I think it will not be.
Devices in the Guest zone could learn about what devices and services are mDNS-registered in the LAN, but if the firewall zones are set up correctly, unauthorized access from Guest to LAN should be blocked. But the info is leaked.
But I'm unclear as to what traffic the avahi package is allowing: broadcast mDNS packets, for sure, but for AirPlay to work, surely there is other traffic. Is it limited to reaching the ATV only, or will it be able to reach any mDNS-responsive device on the LAN?