Restrict chromecast to certain devices

Hi,

I am simply trying to restrict a couple of devices from accessing my chromecast on my network.
The rules I set at first didn't work for some reason and so I decided to keep it simple and try to block everyone and it still didn't work. Here is the rule I set:

config rule
	option name 'ChromeCast'
	option dest_ip '192.168.1.177'
	option target 'REJECT'
	option src 'lan'
	option proto 'all'
	option dest 'lan'

This rule sits on top of the list of rules so it should be hit first (I guess).

Things I have tried:

  1. reboot router
  2. reboot chromecast

I have a very simple setup with 1 lan and 1 wan interface with the default settings.
The wireless radio used by my chromecast is assigned to interface lan.

I would appreciate any thoughts on this.

Thanks

The traffic you want to block may not be passing through the OpenWrt firewall. Traffic between devices on the same network is usually sent directly between the devices, possibly forwarded by the switch, but not handled by the OpenWrt firewall.

I don't know the best way to solve this. I'm thinking about a bridging firewall but I haven't used that on OpenWrt.


Thanks for your answer!
This makes perfect sense. I will figure something else out for my chromecast (probably move it to another interface and configure ttl)

Thanks again

Hi,

I got this working and so I thought I'd share my exact use case and config so it could hopefully help someone in a similar dilemma.

First off, I have 2 chromecasts at home. One in the living room and one in my bedroom. The problem is that some of the time my family would mistakenly cast to mine and so it would either change what I was playing or simply start my TV and wake me up.

Meh solution:
I started with simply having two wifis at home and isolating my stuff on one. Pretty sure you guessed that this sucks since I'd have to switch wifi every time I wanted to cast something to my living room.

Final solution:
Using OpenWrt to isolate my two networks logically.
This wasn't simple because of a lot of things.

First let's start with some info about the chromecast:
It uses 239.255.255.250 as the multicast address for discovery.
It uses a TTL of 1 on those packets.
So every device starts off with a packet to 239.255.255.250 with a ttl of 1 to discover the chromecast.
The chromecast would then answer back with a unicast address.

To make this work I started by installing those packages:
iptables-mod-ipopt
smcroute

This is my setup:
2 lan interfaces (br-lan and br-lan2) bridged to eth0.1
Every interface is also bridged to a wifi interface of its own (thus having 2 wifi interfaces).
I also created two firewall zones (one for each lan interface br-lan and br-lan2) and enabled forwarding on both directions.

Then I configured smcroute (file /etc/smcroute.conf) as such:

phyint br-lan enable
phyint br-lan2 enable

mgroup from br-lan2 group 239.255.255.250
mgroup from br-lan group 239.255.255.250

mroute from br-lan2 group 239.255.255.250 to br-lan
mroute from br-lan group 239.255.255.250 to br-lan2

I then assigned a static ip to the chromecast device and all the devices I wanted to permit access to my chromecast.

Then to work around the ttl issue I added custom firewall rules as such (on the custom rules tab of luci):

iptables -t mangle -A PREROUTING -i br-lan --destination 239.255.255.250 -j TTL --ttl-set 2
iptables -t mangle -A PREROUTING -i br-lan2 --destination 239.255.255.250 -j TTL --ttl-set 2

Then all that is left is to block all traffic going to or from the chromecast across the two lan interfaces as such (in the /etc/config/firewall):

config rule
        option proto 'all'
        option src 'lan2'
        option src_ip '<Chromecast IP>'
        option target 'REJECT'
        option name 'ChromecastReject1'
        option dest 'lan'

config rule
        option name 'ChromecastReject2'
        option proto 'all'
        option src 'lan'
        option dest 'lan2'
        option dest_ip '<Chromecast IP>'
        option target 'REJECT'

Then to allow access to Chromecast for a device I would add this on top of the firewall file (/etc/config/firewall):

config rule
        option target 'ACCEPT'
        option name 'ChromeCastAllow1'
        option proto 'all'
        option src 'lan'
        option src_ip '<device IP>'
        option dest 'lan2'

config rule
        option target 'ACCEPT'
        option name 'ChromecastAllow2'
        option proto 'all'
        option src 'lan2'
        option dest 'lan'
        option dest_ip '<device IP>'

I hope this helps someone!
If anyone wants to suggest a modification to make this simpler, please let me know as I am not an expert.

Regards,
Marwan

Have one br-lan using VLANs if needed and filter in the bridge using bridge netfilter. There are sysctls that make bridges call iptables during bridge forwarding.


Do I need to enable the bridge module for this?

kmod-br-netfilter and some sysctls: https://wiki.libvirt.org/page/Net.bridge.bridge-nf-call_and_sysctl.conf

If you have the chromecasts connect to their own SSID and mix it into the bridge you can control who can send what to the chromecast by iptables filtering the bridge traffic.


Hi,

Thank you, it worked!
My new configuration:
Only 1 lan network with kmod-br-netfilter package.
Then restrict all lan traffic to/from my chromecast and only enable select devices.

Thanks again,
Marwan

Congratulations!
Can you paste your new config, so it will benefit other people?

Certainly, here are the steps to end up with a similar setup to mine:

  1. First you need to install the kmod-br-netfilter package
  2. Then add "net.bridge.bridge-nf-call-iptables=1" in the "/etc/sysctl.conf" file. I also added
    "net.bridge.bridge-nf-call-arptables=0" and
    "net.bridge.bridge-nf-call-ip6tables=0"
    but if I understand correctly these are supposed to be disabled by default anyway (I could be wrong).
  3. Run "sysctl -p" command
  4. Add these firewall rules to block all devices on your lan from sending/receiving any data to the chromecast device (this assumes said devices and chromecast are on the lan firewall zone):
config rule
        option name 'RejectAllFromChromecast'
        option target 'REJECT'
        option proto 'all'
        option src 'lan'
        option dest 'lan'
        option src_ip '<Chromecast IP>'

config rule
        option name 'RejectAllToChromecast'
        option target 'REJECT'
        option proto 'all'
        option src 'lan'
        option dest 'lan'
        option dest_ip '<Chromecast IP>'
  5. Allow only select devices to communicate to/from chromecast with these two rules (per device, must be above the reject rules in step 4):
config rule
        option name 'AllowDeviceToChromecast'
        option target 'ACCEPT'
        option proto 'all'
        option src 'lan'
        option dest 'lan'
        option src_ip '<device IP>'
        option dest_ip '<Chromecast IP>'

config rule
        option name 'AllowChromecastToDevice'
        option target 'ACCEPT'
        option proto 'all'
        option src 'lan'
        option dest 'lan'
        option src_ip '<Chromecast IP>'
        option dest_ip '<device IP>'

Remember that if you use these rules you need to reserve the IPs of your chromecast as well as all allowed devices.
If you don't want to do that then you can probably add rules on the MAC addresses instead, although I haven't tried that.

I hope this helps someone.

Regards,
Marwan
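As an added example (not from Marwan's post or any OpenWrt tool), a small POSIX sh helper that prints the step 4 and step 5 stanzas for one Chromecast and any number of allowed devices in the order the firewall needs (ACCEPT rules ahead of the REJECTs) and checks that bridge-nf-call-iptables is actually on. The IP validation and rule names are my own choices, and the script assumes the single 'lan' zone layout from the steps above.

```shell
#!/bin/sh
# Added helper (not from the thread): emit the UCI firewall stanzas from
# steps 4 and 5 for one Chromecast and any number of allowed devices, with
# the per-device ACCEPT rules ahead of the catch-all REJECT rules, since the
# firewall uses the first matching rule. Assumes the single-zone 'lan' layout
# and that br-netfilter (steps 1-3) is already active.
# Usage: gen_chromecast_rules <chromecast-ip> <device-ip>... >> /etc/config/firewall

# Accept a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  for o in $(echo "$1" | tr '.' ' '); do
    [ "$o" -le 255 ] || return 1
  done
}

# Print one 'config rule' stanza: name target [src_ip] [dest_ip]
rule() {
  printf "config rule\n"
  printf "\toption name '%s'\n\toption target '%s'\n" "$1" "$2"
  printf "\toption proto 'all'\n\toption src 'lan'\n\toption dest 'lan'\n"
  [ -n "$3" ] && printf "\toption src_ip '%s'\n" "$3"
  [ -n "$4" ] && printf "\toption dest_ip '%s'\n" "$4"
  printf "\n"
}

gen_chromecast_rules() {
  cc="$1"; shift
  valid_ipv4 "$cc" || { echo "invalid Chromecast IP: $cc" >&2; return 1; }
  n=1
  for dev in "$@"; do
    valid_ipv4 "$dev" || { echo "invalid device IP: $dev" >&2; return 1; }
    rule "AllowDevice${n}ToChromecast" ACCEPT "$dev" "$cc"
    rule "AllowChromecastToDevice${n}" ACCEPT "$cc" "$dev"
    n=$((n + 1))
  done
  # Rejects go last so the allows above are matched first.
  rule RejectAllFromChromecast REJECT "$cc" ""
  rule RejectAllToChromecast REJECT "" "$cc"
}

# Without bridge-nf-call-iptables=1, bridged LAN-to-LAN traffic never reaches
# these rules (the symptom at the top of the thread). The path is a parameter
# only so it can be checked against a plain file.
brnf_enabled() {
  [ "$(cat "${1:-/proc/sys/net/bridge/bridge-nf-call-iptables}" 2>/dev/null)" = 1 ]
}
```

Run it once per Chromecast and append the output to /etc/config/firewall, then reload the firewall; the existing stanzas in that file stay untouched.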

