I watched Tom's video about Avahi and the use of Chromecasts in other subnets. I was wondering if this is still a safe solution in 2024.
Is the traffic from my IoT network to my main Wi-Fi network still blocked with the block rules I have in place, and are the devices on the IoT network aware of the devices in my Wi-Fi network?
Thanks in advance!
I don’t see why you shouldn’t use Avahi anymore.
Yes. The Avahi daemon on pfSense doesn’t touch your firewall rules, all it does is repeat mDNS packets across subnets if you enable reflection. For, say, a phone in the main network to cast to a Chromecast in the IoT network, a rule must be present on the main network interface to allow the connection. Likewise, if there is no rule in the IoT network that allows connections to the main network, then the Chromecast cannot initiate a connection to any device in the main network.
Yes, if the devices in your main network send out mDNS packets, Avahi will relay them to the IoT network. You can limit which services are relayed, though. For example, you can limit it to only relay Chromecast discovery packets by setting _googlecast._tcp.local as the only service under “Reflection Filtering”.
Hey @paolo, thanks for your extensive explanation!
In particular the limit of services I can relay is a good option I am going to use!
Besides Chromecast, I also want to allow HomeKit and the broadcast from my Samsung television. Is there a way (or maybe a list somewhere) where I can look up the names of the services that I need to allow?
I don’t know of any central resource for common mDNS service names.
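To make the "Reflection Filtering" setting concrete, here is a small example added to this thread (not code from the pfSense Avahi package): it builds a constructed mDNS response carrying DNS-SD PTR records, parses it back (including DNS name compression), and applies an allow-list that is assumed to work like Avahi's reflect-filters, i.e. a substring match on the record's owner name. `_googlecast._tcp` is from the thread, `_hap._tcp` is HomeKit's service type, and the instance names are made up.

```python
import struct

PTR = 12  # DNS record type used by DNS-SD for service enumeration and instances

def encode_name(name):
    """Encode a dotted DNS name as length-prefixed labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
def build_mdns_response(ptr_records, ttl=4500):
    """Build a minimal mDNS response (flags 0x8400) carrying only PTR answers."""
    msg = struct.pack("!HHHHHH", 0, 0x8400, 0, len(ptr_records), 0, 0)
    for owner, target in ptr_records:
        rdata = encode_name(target)
        msg += encode_name(owner) + struct.pack("!HHIH", PTR, 0x8001, ttl, len(rdata)) + rdata
    return msg
def read_name(msg, off):
    """Decode a possibly compressed DNS name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            end = off + 2 if end is None else end  # resume after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (off if end is None else end)
def ptr_answers(msg):
    """Return (owner, target) pairs for every PTR record in the answer section."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):  # skip the question section, if any
        _, off = read_name(msg, off)
        off += 4
    out = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == PTR:
            out.append((owner, read_name(msg, off)[0]))
        off += rdlen
    return out
def reflected_records(msg, filters):
    """Records an allow-list reflector would relay: the owner name contains one
    of the filter strings (assumed to mirror Avahi's reflect-filters matching)."""
    return [(o, t) for o, t in ptr_answers(msg) if any(f in o for f in filters)]
```

Note that with a filter of only `_googlecast._tcp`, the `_services._dns-sd._udp.local` enumeration answer is not relayed either, so a browser on the other side will only learn about the service types you explicitly allowed.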
All right, I’m going to look it up. Thanks for your help!