Need to access AppleTV connected to guest zone from LAN zone ... which traffic rules to setup?

I have a 4th gen Apple TV which I connected to my guest zone. I would like to allow access from devices on my LAN zone, but am unclear which traffic rules to set up to do so. My reasoning for putting the Apple TV on the guest zone is to allow guests to our house on the guest zone to use it (AirPlay mostly) and to allow family members on the LAN zone to do the same.

I think I have 2 fundamental questions:

  1. What are the minimal traffic rules I need to do this?
  2. Do I have the syntax in the traffic rule itself correct?

From reading this article, it seems that there are only 2 I need:

  • UDP port 5353 is needed for Apple's Bonjour service, which I understand allows iOS devices to find the Apple TV and the Apple TV to find them.
  • TCP port 3689 is needed if I want to share iTunes libraries.

I am assuming that:

  • Bonjour service needs to go from LAN --> guest and from guest --> LAN
  • iTunes sharing only needs to go from LAN --> guest

I would think the following would get it done, but I cannot see the Apple TV from devices on the LAN zone with these two rules. Any suggestions are appreciated.

From: https://en.wikipedia.org/wiki/Bonjour_(software)

Bonjour only works within a single broadcast domain, which is usually a small area, without special DNS configuration. macOS, Bonjour for Windows and AirPort Base Stations may be configured to use Wide Area Bonjour which allows for wide area service discovery via an appropriately configured DNS server.

Since this is two different broadcast domains, I'm not certain that would work.


Hmmmm.... it could also be that other ports/protocols are needed for this functionality as well. Would the following 2 traffic rules be the ultimate test of this?

  • Allow all traffic from a single iOS device on LAN --> the Apple TV on guest
  • Allow all traffic from the Apple TV on guest --> a single iOS device on the LAN


Those rules are for unicast.
Are you sure there's no broadcast/multicast?


I am not sure at all :slight_smile: How can I create a multicast traffic rule to test this? I don't see that verbiage used under LuCI's Traffic Rules. Thanks!

I suggest temporarily putting client and server in the same network and using Wireshark on the client side.


For that to work, would Wireshark need to be running on the same device that is connecting to the Apple TV? I have a Linux laptop that could run Wireshark, but only some iOS devices that could connect to the Apple TV.

If you're looking for broadcast packets only, the device only needs to be on the same VLAN.

So my goal of allowing devices on both the LAN and guest zones to use it (AirPlay) would not be possible, it would seem :frowning:

I am responding to your inquiry to @vgaetera. If you are uncertain if you're looking for broadcast packets, you can run Wireshark on the VLAN.

Regarding Bonjour protocol, it's my understanding that it uses multicast - therefore, if that's the case, your setup (using 2 different broadcast domains) will not work.

It should be possible to use Wireshark from another host when both hosts are connected to the same wireless network.
Also, there are limitations for wired networks: https://wiki.wireshark.org/CaptureSetup/Ethernet

@vgaetera - Thank you for the pointer. If @lleachii is correct that the needed service (Bonjour) cannot operate across VLANs, what is the goal of the Wireshark experiment?

@darksky I know this is an old topic, sorry to revive it. But I started here, and I found out the solution.

Did you try avahi? It will broadcast Bonjour to other VLANs.

You just need to install the packages (avahi-utils, avahi-dbus-daemon, libavahi-client and libavahi-dbus-support) and change or add the parameter enable-reflector=yes in the [reflector] section of the config file /etc/avahi/avahi-daemon.conf.

Hope this can help you, as it helped me.

I had some changes on the firewall already, so I did not have to make any more changes; avahi worked almost out of the box.

Regards,


@famg

I haven't tried it. What firewall rules would be needed after avahi is configured as you show?

I think none. I changed nothing. I just had the ones that I already had to give the guest zone access to the Internet. But I have a different configuration: my Apple TVs (and HomePod) are in the main LAN zone, and I want guests to have access to the Apple TVs and/or HomePod.

I'm not sure if any change is needed in your configuration, but I think it will not be.

Regards,

Necrobumping my own thread, but here goes: I installed the avahi packages you mentioned and set enable-reflector=yes in the config, but I still do not see the Apple TV from an iPhone.

The Apple TV is in the guest zone and the iPhone is in the LAN zone (VLANs in play).

EDIT:
I had to create a traffic rule for 5353/udp and now it works:

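The two pieces of the working setup described above (the avahi reflector switch and the 5353/udp traffic rule from the guest zone to the router), as an added shell example that is not from any poster in this thread. It assumes a firewall zone named `guest` and a constructed Apple TV address of 192.168.2.10; `set_reflector` edits only the `[reflector]` section in place, and `mdns_rule` prints the UCI commands for the rule.

```shell
#!/bin/sh
# Added example (not from the thread): the two pieces of the working setup,
# the avahi reflector switch and the 5353/udp traffic rule for the guest zone.
# Assumed: zone name "guest"; Apple TV address 192.168.2.10 (constructed).

# Set enable-reflector=yes inside the [reflector] section only. The stock
# avahi-daemon.conf ships the key commented out (#enable-reflector=no), so a
# plain append would leave a conflicting line; this replaces it, or adds the
# key if the section has none.
set_reflector() {  # $1 = path to avahi-daemon.conf
    awk '
        /^\[/ {                       # section header
            if (insec && !done) print "enable-reflector=yes"
            insec = ($0 == "[reflector]"); done = 0; print; next
        }
        insec && /^#?[ \t]*enable-reflector=/ {
            if (!done) { print "enable-reflector=yes"; done = 1 }
            next                      # drop duplicates / commented copies
        }
        { print }
        END { if (insec && !done) print "enable-reflector=yes" }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print the UCI commands for the traffic rule. No "dest" option means the
# rule matches traffic to the router itself (where avahi listens), not a
# forward into the LAN zone; src_ip limits it to the one Apple TV, as the
# last poster did. Feed the output to `uci batch`, then `uci commit firewall`.
mdns_rule() {  # $1 = source zone, $2 = source host IP
    cat <<EOF
set firewall.mdns_$1=rule
set firewall.mdns_$1.name='Allow-mDNS-$1-to-router'
set firewall.mdns_$1.src='$1'
set firewall.mdns_$1.src_ip='$2'
set firewall.mdns_$1.proto='udp'
set firewall.mdns_$1.dest_port='5353'
set firewall.mdns_$1.target='ACCEPT'
EOF
}

# On the router:
#   set_reflector /etc/avahi/avahi-daemon.conf
#   mdns_rule guest 192.168.2.10 | uci batch && uci commit firewall && /etc/init.d/firewall restart
```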

Does this setup (avahi + forwarding 5353/udp from the guest zone to the router) present any security risks?

Good question.

Devices in the Guest zone could learn about what devices and services are mDNS-registered in the LAN, but if the firewall zones are set up correctly, non-authorized access from Guest to LAN should be blocked. But the info is leaked.

But I'm unclear as to all the traffic the avahi package is allowing; for sure broadcast mDNS packets, but for AirPlay to work, surely there is other traffic. Is it limited to reaching the ATV only, or will it be able to reach any mDNS-responsive device on the LAN?

I have further restricted the rule to a single IP (the Apple TV), if that makes a difference.

