Devices in a security zone can't reach Chromecast in another zone using Multicast

Hi Andres,

I think you need a firewall rule allowing UDP 1900 from your LAN to your secure LAN.

Ian

Hi Ian,

thanks for the reply but unfortunately that didn't work.

Andres

The rule would have to be at the top and not have MASQ enabled.

Ian

Thanks Ian, however, the log shows that the packet didn't match any of the current rules so it was denied due to rule ID 0 in the firewall which means that the new rule should be able to be positioned anywhere and it shouldn't make any difference.

Nevertheless, I tried your recommendation but it's still not working.

Andres

Hi Andres,

please post a full copy of the rule. The issue is more than likely the setup of the firewall rule.

Also please post a copy of the error messages from logviewer.

In the firewall rule what do you have enabled for IPS, Application  and web?

Ian

Here's the screenshot of the rule:

And the log viewer

The rule doesn't have IPS or any other type of filtering enabled.

Thanks

Andres

Try again, last post crashed.

The XG does not know what to do with the multicast packets. Try changing your rule so the the IP  address of your chromecast box is used instead and also try changing the destination zone to LAN.

Ian

The destination IP is the multicast address so what would changing the rule to the Chromcast's IP do in this case? The firewall won't match the packet with that rule because the IP doesn't match.

I can't change the destination zone to LAN because the Chromecast is not in this zone. Even if I change the destination zone to the Chromecast one, it still denies the packet.

Andres

The destination IP is the multicast address so what would changing the rule to the Chromcast's IP do in this case? The firewall won't match the packet with that rule because the IP doesn't match.

I can't change the destination zone to LAN because the Chromecast is not in this zone. Even if I change the destination zone to the Chromecast one, it still denies the packet.

Andres

Hi Andres,

you are confusing a couple of things. LAN is the internal definition of the networks unless you are using DMZ. LAN usually has all your internal networks if you check the NETWORK tab, ZONES. Any means you are trying to broadcast out your WAN interface which is usually considered a security risk.

Please try putting the chromecast box IP address in the destination network.

Ian

Hi Ian,

thanks for that. The Chromecast is in its own Zone called "IoT" and it's of the type "LAN". I've changed the rule to specify the destination zone to the IoT and the destination network to be the Chromecast unicast IP or the multicast IP as well.

Unfortunately, the firewall is still blocking the traffic.

Andres

Hi Andres,

with the rule changes what do you see in logviewer?

Ian

The same thing as before. The firewall rule matched is 0 (implicity Deny) with the Log Component saying "Appliance Access" when trying to reach the 239.255.255.250 address. Here's a screenshot.

Andres

Hi Andres,

as a test change your firewall rule to 

Source LAN network any destination LAN network any allow any protocol - log.

Then review the logs to see what is actually being passed 

Ian

Hi Ian,

still no good. Same thing seen in the log viewer. Is it possible that the problem is that the firewall can't match the destination IP 239.255.255.250 to a network on any of the zones which is why it wouldn't match any rule and deny the packet?

Andres

Hi Andres,

the firewall will never match that to a network, it is a broadcast (multicast) address. 

Okay, I checked the web setup for chromecast, it only works with tablets and mobile phones. You  need to be on the same network as the chromecast device and it needs to be connected to a TV via USB.

I hope that helps.

Ian

Hi Ian,

that was my point. Since this is multicast traffic, it won't match a network in any zone and I think that may be why the firewall is blocking it.

I checked information on the Chromecast and other vendors use mDNS to route multicast traffic between networks so the Chromecast doesn't necessarily need to be on the same subnet. To do something similar in the XG, I've enabled Multicast routing and added explicit routes from some of the LAN IPs to the multicast address but that didn't seem to help. Firewall rules still block traffic.

Andres

Hi Andres,

to get it going at this stage until a more knowledgeable forum member reads the thread you will need to have your devices on the same network.

I don't have any  multicast devices on my network to test various setups.

Ian

Hi Ian,

thanks for all your help so far. Hopefully someone will be able to shed some light on this.

Andres