
Devices in a security zone can't reach Chromecast in another zone using Multicast

Hello,

I have a Google Chromecast connected to a subnet/VLAN on the Sophos XG105 firewall and my workstations on another subnet on the same firewall. In order for the workstations to find the Chromecast, they send packets to the multicast IP 239.255.255.250, port 1900 (UDP); however, these packets are being blocked by the firewall.

I've enabled Multicast Routing under Configure > Routing and added some multicast routing statements for specific IPs in my LAN zone (where the workstations are), but the multicast packets are still being blocked by the firewall. The Rule ID hit, according to the Log viewer, is ID 0, which is the implicit deny at the end of the rule list, because the packets couldn't match any other rule.

I did add a rule allowing all traffic from my LAN zone to the zone where the Chromecast is, but it's still being blocked. My guess is that the firewall doesn't know that the destination IP, 239.255.255.250, is part of the destination zone and that's why it doesn't hit any rule, but I'm not sure if this is correct.

Does anyone know what could be wrong in this case?

Regards,
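One way to check the hypothesis above from the Log viewer output is to pull the denied entries and see whether every multicast drop carries rule ID 0 together with an empty destination zone. The following Python is an added example, not code from the thread or from Sophos; the sample log lines are constructed for this example, and the key=value field names (fw_rule_id, dst_ip, dst_port, protocol, dstzone, log_subtype) are assumed to mirror the XG syslog layout rather than taken from any particular firmware version.

```python
"""Spot multicast discovery traffic (SSDP to 239.255.255.250:1900/UDP, or any
other 224.0.0.0/4 group) that a Sophos-XG-style firewall dropped with the
implicit deny (fw_rule_id=0), and report whether the firewall managed to
resolve a destination zone for it.  All log lines here are constructed sample
data; the field names are an assumption modelled on the XG key=value syslog."""

import ipaddress
import re
from typing import Dict, List

# Constructed sample log lines, one record per line (not taken from the thread).
SAMPLE_LOG = """\
device="SFW" log_type="Firewall" log_subtype="Denied" status="Deny" fw_rule_id=0 in_interface="Port2" src_ip=192.168.10.25 dst_ip=239.255.255.250 protocol="UDP" src_port=52311 dst_port=1900 srczone="LAN" dstzone=""
device="SFW" log_type="Firewall" log_subtype="Allowed" status="Allow" fw_rule_id=12 in_interface="Port2" src_ip=192.168.10.25 dst_ip=192.168.20.40 protocol="TCP" src_port=49812 dst_port=8008 srczone="LAN" dstzone="IoT"
device="SFW" log_type="Firewall" log_subtype="Denied" status="Deny" fw_rule_id=0 in_interface="Port2" src_ip=192.168.10.25 dst_ip=8.8.8.8 protocol="UDP" src_port=40000 dst_port=53 srczone="LAN" dstzone="WAN"
device="SFW" log_type="Firewall" log_subtype="Denied" status="Deny" fw_rule_id=0 in_interface="Port2" src_ip=192.168.10.31 dst_ip=224.0.0.251 protocol="UDP" src_port=5353 dst_port=5353 srczone="LAN" dstzone=""
"""

# key=value or key="quoted value"; group 3 is the unquoted inner text when quoted.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S*)')

SSDP_GROUP = ipaddress.ip_address("239.255.255.250")  # SSDP multicast group
SSDP_PORT = "1900"


def parse_line(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict, stripping quotes from values."""
    return {
        m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
        for m in KV_RE.finditer(line)
    }


def find_dropped_multicast(log_text: str) -> List[Dict[str, object]]:
    """Return the denied records whose destination is a multicast group and
    which fell through to the implicit deny (rule ID 0)."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("log_subtype") != "Denied" or rec.get("fw_rule_id") != "0":
            continue
        try:
            dst = ipaddress.ip_address(rec.get("dst_ip", ""))
        except ValueError:
            continue  # malformed or missing dst_ip: not something we can classify
        if not dst.is_multicast:
            continue  # ordinary unicast drop, outside the scope of this check
        hits.append({
            "src_ip": rec.get("src_ip", ""),
            "dst_ip": str(dst),
            "dst_port": rec.get("dst_port", ""),
            "ssdp": dst == SSDP_GROUP
                    and rec.get("dst_port") == SSDP_PORT
                    and rec.get("protocol") == "UDP",
            # An empty dstzone means the firewall could not map the group
            # address to any zone, so a zone-scoped allow rule cannot match.
            "dstzone_resolved": bool(rec.get("dstzone")),
        })
    return hits


def summarize(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Count implicit-deny multicast drops by kind (ssdp vs. other-multicast)."""
    counts = {"ssdp": 0, "other-multicast": 0, "unresolved-dstzone": 0}
    for h in hits:
        counts["ssdp" if h["ssdp"] else "other-multicast"] += 1
        if not h["dstzone_resolved"]:
            counts["unresolved-dstzone"] += 1
    return counts


if __name__ == "__main__":
    found = find_dropped_multicast(SAMPLE_LOG)
    for h in found:
        print(f'{h["src_ip"]} -> {h["dst_ip"]}:{h["dst_port"]} '
              f'ssdp={h["ssdp"]} dstzone_resolved={h["dstzone_resolved"]}')
    print(summarize(found))
```

Run against an export of the Log viewer, if every multicast drop shows an unresolved destination zone while unicast traffic to the same VLAN is allowed, the evidence points at zone resolution for the group address rather than at the position or contents of the allow rule.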

  • Hi Andres,

    I think you need a firewall rule allowing UDP 1900 from your LAN to your secure LAN.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Hi Ian,

    thanks for the reply but unfortunately that didn't work.

    Andres

  • The rule would have to be at the top and not have MASQ enabled.

    Ian

    XG115W - v19.5.1 mr-1 - Home

  • Thanks Ian. However, the log shows that the packet didn't match any of the current rules, so it was denied by rule ID 0 in the firewall, which means that the new rule should be able to be positioned anywhere and it shouldn't make any difference.

    Nevertheless, I tried your recommendation but it's still not working.

    Andres

  • Hi Andres,

    Please post a full copy of the rule. The issue is more than likely the setup of the firewall rule.

    Also please post a copy of the error messages from logviewer.

    In the firewall rule, what do you have enabled for IPS, Application and web?

    Ian

    XG115W - v19.5.1 mr-1 - Home

  • Here's the screenshot of the rule:

    And the log viewer:

    The rule doesn't have IPS or any other type of filtering enabled.

    Thanks

    Andres

  • Try again, last post crashed.

    The XG does not know what to do with the multicast packets. Try changing your rule so that the IP address of your Chromecast box is used instead, and also try changing the destination zone to LAN.

    Ian

    XG115W - v19.5.1 mr-1 - Home

  • The destination IP is the multicast address, so what would changing the rule to the Chromecast's IP do in this case? The firewall won't match the packet with that rule because the IP doesn't match.

    I can't change the destination zone to LAN because the Chromecast is not in this zone. Even if I change the destination zone to the Chromecast one, it still denies the packet.

    Andres

  • Hi Andres,

    You are confusing a couple of things. LAN is the internal definition of the networks unless you are using DMZ. LAN usually has all your internal networks if you check the NETWORK tab, ZONES. Any means you are trying to broadcast out your WAN interface, which is usually considered a security risk.

    Please try putting the Chromecast box IP address in the destination network.

    Ian

    XG115W - v19.5.1 mr-1 - Home

  • Hi Ian,

    Thanks for that. The Chromecast is in its own zone called "IoT", which is of the type "LAN". I've changed the rule to specify IoT as the destination zone and the Chromecast unicast IP, as well as the multicast IP, as the destination network.

    Unfortunately, the firewall is still blocking the traffic.

    Andres
