
Allow Multicast Traffic Across VLANs

Scenario

You have multiple VLANs firewalled to segment your network. One such VLAN is an IOT VLAN, where any device considered to be an IOT device is a member of this VLAN.

In this VLAN you have some Google products to which you wish to cast or stream audiovisual content, but your firewall rules are not tuned to allow the multicast, TCP, and UDP traffic involved.

      .--------.
      |INTERNET|
      '----|---'
           |
        .--|--.
        | ISP |
        '--|--'
           |
          WAN (igb0)
      .----------.
      | FIREWALL |
      '----------'    
          LAN (igb1)
           |   igb1.10  - VLAN 10
           |   igb1.107 - IOT VLAN
  ,--------'                                  SSID: IOT_WIFI (VLAN 107)
  |   __________________                      @ ))) ............ ((( @
  |  |\______SWITCH_____\   .--------------.  |                      |
  |   \|["]___["]____["]|   | ACCESS POINT |--'              .---------------.
  |      |     |      |     '-------|------'                 | SMART SPEAKER |
  '------'     |      |             |                        '---------------'
         T   [PC1]    '-------------'
        10     U      T 
       107    10      107

In the diagram above, [PC1] wants to cast content to [SMART SPEAKER].

Initial Troubleshooting

In my environment, I'm using pfSense as the firewall to segment traffic, so use the tools and techniques here as a frame of reference for your own environment.

Required Information

  • PC1 is at 172.16.10.23
  • IOT VLAN is at 10.107.107.0/24

Multicast Repeater

Install the Avahi package on pfSense to allow repeating Multicast DNS traffic across VLANs. This is necessary for PC1 to be able to discover castable devices on the IOT VLAN.

Select only the VLAN(s) that should be able to send and receive multicast traffic across VLANs.

Procedure

  1. Temporarily allow traffic from PC1 to IOT VLAN in order to capture traffic
  2. In pfSense, go to Diagnostics > pfTop

Start off with an initial filter of: in and src net 172.16.10.23 and (dst net 224.0.0.0/4 or dst net 10.107.107.0/24)

Now, trigger an app on PC1 to begin discovering "castable" destinations

Immediately, the table populates with the mDNS traffic and a recurring destination port of TCP/8009.

Solution

Modify the Firewall Rules

Floating Rule

Go to Firewall > Rules > Floating

I'm choosing a floating rule in this case, because it will make it much easier to whitelist additional interfaces / IPs to cast to IOT devices later. Allow as many ports / protocols as needed based on your troubleshooting above.

Click Add (down)

This firewall rule is going to allow any device in VLAN_10 subnet to cast traffic to VLAN_107. If you want to further restrict this ability to a smaller subset of devices, you could create a firewall alias with a list of whitelisted IPs and use that in the source field along with selected values in the Interface field where those IPs belong.


Edit Firewall Rule

  • Action: Pass
  • Disabled: ⏹️(unchecked)
  • Quick: ☑️(checked)
  • Interface: VLAN_10
  • Direction: in
  • Address Family: IPv4
  • Protocol: TCP

Source

  • Source: Any

Destination

  • Destination: VLAN_107 subnets
  • Destination Port: 8009

Extra Options

  • Log: Optional
  • Description: Allow casting to Google Devices (based on pftop)

Place the rule between markers for easy identification
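The two steps above, capturing what PC1 sends during discovery and turning the unicast flows into a pass rule, can be checked in code. The following is an added example and is not part of this page or of pfSense; it applies the pfTop filter from the Procedure section to a few constructed tcpdump-style lines, separates the mDNS multicast (which the Avahi reflector carries, so it needs no firewall rule) from the unicast flows into the IOT VLAN (which do), and renders each unicast flow as a pf-style pass rule mirroring the floating rule fields above. The interface name igb1.10 is taken from the diagram; the pf rule text is illustrative of what the fields mean, not the exact text pfSense generates.

```python
"""Summarise a discovery capture from PC1 and render pf-style pass rules for the unicast flows."""
import ipaddress
import re
from collections import Counter

# Values from the page: PC1, the IOT VLAN subnet, and the multicast range used in the pfTop filter.
PC1 = ipaddress.ip_address("172.16.10.23")
IOT_NET = ipaddress.ip_network("10.107.107.0/24")
MULTICAST = ipaddress.ip_network("224.0.0.0/4")

# Interface the floating rule is bound to (VLAN 10 sub-interface from the diagram).
PC1_VLAN_IFACE = "igb1.10"

# Constructed tcpdump -n style lines; this is not a real capture.
SAMPLE_CAPTURE = """\
12:00:01.000000 IP 172.16.10.23.5353 > 224.0.0.251.5353: UDP, length 80
12:00:01.100000 IP 172.16.10.23.51234 > 10.107.107.40.8009: Flags [S], seq 1, win 64240, length 0
12:00:01.200000 IP 172.16.10.23.51235 > 10.107.107.40.8009: Flags [S], seq 2, win 64240, length 0
12:00:01.300000 IP 172.16.10.23.51236 > 10.107.107.41.8009: Flags [S], seq 3, win 64240, length 0
12:00:01.400000 IP 172.16.10.23.5353 > 224.0.0.251.5353: UDP, length 120
12:00:02.000000 IP 172.16.10.23.44444 > 203.0.113.5.443: Flags [S], seq 4, win 64240, length 0
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)


def parse_line(line):
    """Return (proto, src, dst, dport) for one tcpdump line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    if rest.startswith("UDP"):
        proto = "udp"
    elif rest.startswith("Flags"):
        proto = "tcp"
    else:
        return None
    return (
        proto,
        ipaddress.ip_address(m.group("src")),
        ipaddress.ip_address(m.group("dst")),
        int(m.group("dport")),
    )


def summarise_flows(capture):
    """Apply the page's pfTop filter in code and bucket flows by (proto, dport).

    'multicast' flows are what the Avahi reflector repeats across VLANs;
    'unicast' flows into the IOT VLAN are the ones that need a firewall rule.
    Traffic to anything else (e.g. the internet) falls outside the filter and is dropped.
    """
    buckets = {"multicast": Counter(), "unicast": Counter()}
    for line in capture.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        proto, src, dst, dport = parsed
        if src != PC1:
            continue
        if dst in MULTICAST:
            buckets["multicast"][(proto, dport)] += 1
        elif dst in IOT_NET:
            buckets["unicast"][(proto, dport)] += 1
    return buckets


def render_pf_rules(unicast_flows, description="Allow casting to Google Devices (based on pftop)"):
    """Render one pf 'pass in quick' rule per unicast (proto, port) seen.

    Mirrors the floating rule fields: interface VLAN_10, direction in, quick,
    source any, destination the VLAN_107 subnet on the observed port.
    """
    rules = []
    for proto, dport in sorted(unicast_flows):
        rules.append(
            f"pass in quick on {PC1_VLAN_IFACE} inet proto {proto} "
            f'from any to {IOT_NET} port {dport} keep state label "{description}"'
        )
    return rules


if __name__ == "__main__":
    flows = summarise_flows(SAMPLE_CAPTURE)
    print("multicast (repeated by Avahi, no pf rule):", dict(flows["multicast"]))
    print("unicast into IOT VLAN (needs a pass rule):", dict(flows["unicast"]))
    for rule in render_pf_rules(flows["unicast"]):
        print(rule)
```

Run it as-is to see the two buckets and the single TCP/8009 rule that the sample capture justifies; to reuse it on your own environment, paste real tcpdump -n output into SAMPLE_CAPTURE and adjust PC1 and IOT_NET. Anything that lands in the unicast bucket is a port you need to add to the floating rule, while the multicast bucket is covered by the Avahi repeater.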