Geekzone: technology news, blogs, forums
69 posts | Master Geek
# 255881 4-Sep-2019 11:55

Hello everyone.

I have an interesting issue, which I believe is unique to me, or at least I can't find any information online about how to fix it.

I got a Chromecast the other day, and since I have a slightly more complicated home network than most (VLANs) I went to put it on my IoT VLAN.

I then went to enable mDNS reflecting on my router (UniFi) and hey presto, I could connect my PC to the Chromecast across VLANs.

I then went to start to lock down the firewalling for it to try to achieve two things:

1) I don't want all mDNS queries going to all my VLANs (e.g. I don't want my network printer being sent to my security VLAN).

2) I want to control what VLANs certain devices can communicate with (e.g. people on my guest network can see the Chromecast so they can cast to it, but not see my printer, for example).

I set a few rules in place to try and restrict this down, and it worked: my laptop could not see the Chromecast, but my desktop can (assuming established rules are allowing it through).

However, I can't seem to find what ports need forwarding where to allow it through.

Everyone online is asking about cross-VLAN, but nothing about firewalling / restricting.

Does anyone have any insight on how I can set up my rules to achieve what I want?

As a side note: people say online "Just make a new VLAN and put the Chromecast there."
The problem is I'm out of SSIDs on my Wi-Fi, and I don't really want a whole other VLAN for just one device.

sbiddle
28271 posts | Uber Geek | Moderator | Trusted | Biddle Corp | Lifetime subscriber
# 2310591 4-Sep-2019 13:19

The Chromecast doesn't use "ports" - it uses broadcast and multicast DNS.

69 posts | Master Geek
# 2310593 4-Sep-2019 13:21

sbiddle:

The Chromecast doesn't use "ports" - it uses broadcast and multicast DNS.

I found an article on what ports it uses for discovery and mirroring.
I assume they are wrong then?

If so, how do I firewall it? Can I put a firewall on the DNS records, or do something with an internal DNS server?

I'm new to mDNS, so I'm trying to figure out how it works and how it's controllable.


sbiddle
28271 posts | Uber Geek | Moderator | Trusted | Biddle Corp | Lifetime subscriber
# 2310607 4-Sep-2019 13:35

I'll expand on that further - yes, it does need a port to probe a device, but the mDNS service itself uses multicast to communicate with every device on the same layer 2 network.

If your devices can't see the Chromecast it's because they're not going to be on the same layer 2 network, and likewise if you have multiple VLANs then broadcast and mDNS traffic will only stay within that VLAN unless you're running a specific service to bridge layer 2 traffic between those different VLANs.


69 posts | Master Geek
# 2310610 4-Sep-2019 13:38

sbiddle:

I'll expand on that further - yes, it does need a port to probe a device, but the mDNS service itself uses multicast to communicate with every device on the same layer 2 network.

If your devices can't see the Chromecast it's because they're not going to be on the same layer 2 network, and likewise if you have multiple VLANs then broadcast and mDNS traffic will only stay within that VLAN unless you're running a specific service to bridge layer 2 traffic between those different VLANs.

I understand the limitations around the broadcast and the same VLANs, which is why I enabled the mDNS reflector on my router, which bypasses that.
The problem is it then does a broadcast everywhere, even (as they say when you enable it) on the WAN interface.

I want to control that rebroadcasting both from a source perspective and a destination VLAN.

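The control the post above asks for (reflect by source VLAN, destination VLAN and service) is exactly what a filtering mDNS reflector has to decide per packet. Chromecast discovery is a DNS-SD browse for `_googlecast._tcp.local` sent to the mDNS group 224.0.0.251 on UDP 5353; once a sender has the answer it opens an ordinary unicast TCP connection (port 8009) to the Chromecast, which a normal inter-VLAN firewall rule can permit independently of mDNS. The Python below is an added example, not code from this thread, from UniFi or from avahi: it parses an mDNS packet just far enough to recover the service types it names and applies an assumed per-VLAN-pair policy. The VLAN names, the POLICY table and the sample packets are constructed for illustration; the service-type strings are the real DNS-SD names.

```python
"""Selective mDNS reflection policy (added example, not from the thread or UniFi).
Answers: may an mDNS packet seen on VLAN `src` be re-sent on VLAN `dst`?"""
import struct

MDNS_GROUP = "224.0.0.251"   # every IPv4 mDNS packet goes here, UDP 5353
MDNS_PORT = 5353
TYPE_PTR = 12

# Assumed policy: (source VLAN, destination VLAN) -> service types allowed to
# cross in that direction. Anything unlisted is dropped, so the printer
# (_ipp._tcp.local, assumed to sit on the IoT VLAN) never reaches guest or security.
POLICY = {
    ("guest", "iot"): {"_googlecast._tcp.local"},
    ("iot", "guest"): {"_googlecast._tcp.local"},
    ("lan", "iot"): {"_googlecast._tcp.local", "_ipp._tcp.local"},
    ("iot", "lan"): {"_googlecast._tcp.local", "_ipp._tcp.local"},
}


def _read_name(pkt, off):
    """Decode a DNS name at `off`, following RFC 1035 compression pointers.
    Returns (dotted name, offset just past the name in the original stream)."""
    labels, resume, hops = [], None, 0
    while True:
        if off >= len(pkt):
            raise ValueError("truncated name")
        n = pkt[off]
        if n == 0:                       # root label: end of name
            off += 1
            break
        if n & 0xC0 == 0xC0:             # compression pointer to an earlier name
            if off + 1 >= len(pkt):
                raise ValueError("truncated pointer")
            if resume is None:
                resume = off + 2         # stream continues after the first pointer
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")
            off = ((n & 0x3F) << 8) | pkt[off + 1]
            continue
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(labels), (off if resume is None else resume)


def mdns_names(pkt):
    """Return (set of names the packet asks about or answers, is_response).
    Questions contribute their QNAME; records their owner name, plus the target
    of PTR records (the service instance a browse reply points at)."""
    if len(pkt) < 12:
        raise ValueError("short DNS header")
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    off, names = 12, set()
    for _ in range(qd):
        name, off = _read_name(pkt, off)
        off += 4                         # QTYPE, QCLASS
        names.add(name)
    for _ in range(an + ns + ar):
        name, off = _read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == TYPE_PTR:
            names.add(_read_name(pkt, off)[0])
        off += rdlen
        names.add(name)
    return names, bool(flags & 0x8000)


def service_type(name):
    """'Living-Room._googlecast._tcp.local' -> '_googlecast._tcp.local';
    a plain host name such as 'abc123.local' carries no service type -> None."""
    labels = name.split(".")
    for i, label in enumerate(labels):
        if label.startswith("_"):
            return ".".join(labels[i:])
    return None


def reflect_decision(pkt, src_vlan, dst_vlan):
    """True if every service type the packet names is allowed from src to dst.
    Packets naming no service at all (bare host-record queries) are not reflected."""
    names, _ = mdns_names(pkt)
    services = {s for s in map(service_type, names) if s}
    return bool(services) and services <= POLICY.get((src_vlan, dst_vlan), set())


# --- constructed sample packets (hand-built, not captures) ----------------
def _encode_name(name):
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in name.split(".")) + b"\x00"


def build_query(name):
    """One-question mDNS query for `name`, QTYPE PTR, QCLASS IN."""
    return struct.pack("!6H", 0, 0, 1, 0, 0, 0) + _encode_name(name) + struct.pack("!HH", TYPE_PTR, 1)


def build_ptr_response(service, instance):
    """Authoritative answer <service> PTR <instance>.<service>; the service part
    of the RDATA name is a compression pointer back to offset 12."""
    rdata = _encode_name(instance)[:-1] + b"\xC0\x0C"
    rr = struct.pack("!HHIH", TYPE_PTR, 0x8001, 120, len(rdata)) + rdata
    return struct.pack("!6H", 0, 0x8400, 0, 1, 0, 0) + _encode_name(service) + rr


if __name__ == "__main__":
    browse = build_query("_googlecast._tcp.local")
    reply = build_ptr_response("_googlecast._tcp.local", "Living-Room")
    for pkt, src, dst in [(browse, "guest", "iot"), (reply, "iot", "guest"),
                          (build_query("_ipp._tcp.local"), "guest", "iot"),
                          (reply, "iot", "security")]:
        print(f"{src:>6} -> {dst:<8} {sorted(mdns_names(pkt)[0])} reflect={reflect_decision(pkt, src, dst)}")
```

Running it prints one decision per sample packet. The decision covers only the mDNS discovery step; the established/related rules mentioned earlier in the thread still have to let the follow-on TCP 8009 connection from the casting device reach the Chromecast's address, which is a normal unicast rule and does not need the reflector.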

richms
22529 posts | Uber Geek | Trusted | Subscriber
# 2310621 4-Sep-2019 13:52

I'm yet to find any decent solution for limiting mDNS stuff and automatically allowing the resulting IP connections between devices. I think it's just in the too-hard basket for router manufacturers to do anything but a global repeat-everything-everywhere on the mDNS.


Richard rich.ms
6976 posts | Uber Geek | Trusted | Subscriber
# 2310623 4-Sep-2019 13:55

The best filter I have seen for an mDNS reflector (which is all based on avahi) is on Aerohive; even there it's fiddly to set up and there are limits to how many rules you can apply.

Cyril


69 posts | Master Geek
# 2310626 4-Sep-2019 13:58

richms:

I'm yet to find any decent solution for limiting mDNS stuff and automatically allowing the resulting IP connections between devices. I think it's just in the too-hard basket for router manufacturers to do anything but a global repeat-everything-everywhere on the mDNS.

I managed to block the mDNS from going through by blocking 5353 (and a few other ones).
I was just hoping I could put a firewall in place to say block these few ports from going into the router, so it doesn't hit the mDNS reflector, but I can't find how to do that.

I guess I'll just have to re-think my plan.

May do some packet captures on a separate Wi-Fi and see what's actually going on, to try to understand it myself.
