
Devices in a security zone can't reach Chromecast in another zone using Multicast

Hello,

 

I have a Google Chromecast connected to a subnet/VLAN in the Sophos XG105 firewall and my Workstations on another subnet on the same firewall. In order for the workstations to find the Chromecast, they send packets to the multicast IP 239.255.255.250 port 1900 (UDP) however, these packets are being blocked by the firewall.

 

I've enabled Multicast Routing under Configure > Routing and added some multicast routing statements for specific IPs in my LAN zone (where the workstations are) but the multicast packets are being blocked by the firewall. The Rule ID hit, according to the Log viewer, is ID 0 which is the implicit deny at the end of the rule list because it couldn't match any other rule.

 

I did add a rule allowing all traffic from my LAN zone to the zone where the Chromecast is but it's still being blocked. My guess is that the firewall doesn't know that the destination IP, 239.255.255.250 is part of the destination zone and that's why it doesn't hit any rule but I'm not sure if this is correct.

 

Does anyone know what could be wrong in this case?

 

Regards,

 

 



  • Try again, last post crashed.

    The XG does not know what to do with the multicast packets. Try changing your rule so that the IP address of your Chromecast box is used instead, and also try changing the destination zone to LAN.

    Ian

  • The destination IP is the multicast address, so what would changing the rule to the Chromecast's IP do in this case? The firewall won't match the packet with that rule because the IP doesn't match.

     

    I can't change the destination zone to LAN because the Chromecast is not in this zone. Even if I change the destination zone to the Chromecast one, it still denies the packet.

     

    Andres

  • Hi Andres,

    you are confusing a couple of things. LAN is the internal definition of the networks unless you are using DMZ. LAN usually has all your internal networks if you check the NETWORK tab, ZONES. Any means you are trying to broadcast out your WAN interface which is usually considered a security risk.

    Please try putting the chromecast box IP address in the destination network.

    Ian

  • Hi Ian,

     

    thanks for that. The Chromecast is in its own Zone called "IoT" and it's of the type "LAN". I've changed the rule to specify the destination zone to the IoT and the destination network to be the Chromecast unicast IP or the multicast IP as well.

     

    Unfortunately, the firewall is still blocking the traffic.

     

    Andres

  • Hi Andres,

    with the rule changes what do you see in logviewer?

    Ian

  • The same thing as before. The firewall rule matched is 0 (implicit Deny) with the Log Component saying "Appliance Access" when trying to reach the 239.255.255.250 address. Here's a screenshot.

     

     

    Andres

  • Hi Andres,

    as a test change your firewall rule to 

    Source LAN network any destination LAN network any allow any protocol - log.

    Then review the logs to see what is actually being passed 

    Ian

  • Hi Ian,

     

    still no good. Same thing seen in the log viewer. Is it possible that the problem is that the firewall can't match the destination IP 239.255.255.250 to a network on any of the zones which is why it wouldn't match any rule and deny the packet?

     

    Andres

  • Hi Andres,

    the firewall will never match that to a network, it is a broadcast (multicast) address. 

    Okay, I checked the web setup for Chromecast; it only works with tablets and mobile phones. You need to be on the same network as the Chromecast device, and it needs to be connected to a TV via USB.

    I hope that helps.

    Ian

  • Hi Ian,

     

    that was my point. Since this is multicast traffic, it won't match a network in any zone and I think that may be why the firewall is blocking it.

     

    I checked information on the Chromecast and other vendors use mDNS to route multicast traffic between networks so the Chromecast doesn't necessarily need to be on the same subnet. To do something similar in the XG, I've enabled Multicast routing and added explicit routes from some of the LAN IPs to the multicast address but that didn't seem to help. Firewall rules still block traffic.

     

    Andres