Ive watched your few videos how to setup Chromecast so they work across VLANs. I’ve enabled avahi (although the interface has changed since your videos).
I’ve also done a lot of other research on this topic and I have to say its quite confusing.
My problem – the method explained in the videos sometimes works but the real answer it seems is it just depends. My problem is that the chromecast will work for awhile and then out of the blue stop working for 4-5 minutes and then restart.
My setup is similar to yours with a pfsense router in front of a unifi network of switches and AC-Pros.
Avahi when activated on pfsense seems to allow mdns packets to be broadcast across VLANs, however this only controls the discovery portion. The actual services that need to be run – whether it needs video, or audio – well that depends on the firewall rules. With a very open firewall rule such as allow all from LAN to IOT network, no additional rules seem to be needed however if the firewall is more restrictive, certain ports need to be opened such as UDP 5353. I’ve also seen a lot of other threads mention that LAN needs to be able to access 18.104.22.168 udp 5353, upd 1900. I guess this depends on the application since the port numbers seem to very a little bit depending on who is supplying the information.
There also is potentially an issue with TTL being set at 1. I’ve read Chromecast and Apple appear to set there TTL at 1. From what I understand the TTL is decremented everytime the packet is routed and at TTL 0 the packet is dropped. This theoretically would seem to limit these packets to be confined to the LAN and not cross network boundaries. I’m aware in Linux its possible to use mangle and prerouting to increment the TTL, however it seems pf – or at least pf presented through the pfsense gui has no such capabilities. Despite all this theoretical discussion regarding TTL, it would seem in my case most of the packet are indeed being routed between the VLANs successfully about 70-80% of the time with a relatively wide open firewall rule. I’m not sure what’s happening the other 20-30% of the time with me looking at a blank screen on the chromecast. The device seems to be always discovered (for example on the iphone) but many times the screen will be black with no video or picture appearing on the screen.
I guess at the end of the day, its frustrating since the device is what I would call “unpredictable” when used in VLAN configurations. It seems I have no such problems when accessing the device on the same LAN.
I’m not sure if anyone else has any working suggestions or configurations…
Lastly within pfsense if your were going to block traffic from one VLAN to another (for example block IOT from accessing LAN), is it standard convention to put this rule within the IOT firewall ruleset(ie block all packets with destination LAN), or more conventional to put this rule within the LAN firewall ruleset (block all packets with source of IOT VLAN). It seems it doesn’t matter however is there some usually agreed upon convention?
And lastly x 2 – coming from iptables – I seem to be missing at least the concept of related/established packets. Usually you would have to enter a rule within iptables such as block all traffic from IOT network to LAN network except established packets allow to pass. Is there an equivalent type of notation in working with the pfsense firewall?
Sorry about the long post.