Tunnel Apple AirPlay/Bonjour across zones in OpenWRT Firewall
I’ve separated my wifi on my OpenWRT (18.06.2) router (Netgear R7800) in a guest zone and a lan zone for security purposes (well not really, I did it because it was possible). One service I want to allow from guest -> lan zone is Airplay, which uses multicast traffic (Bonjour). It turns out to be very simple to forward Airplay somewhat difficult to diagnose or get this working. In the end I made the AppleTV part of two zones by connecting LAN to local zone and WLAN to guest zone.
Some required steps include (but are not sufficient):
- Install avahi-utils, avahi-dbus-daemon, libavahi-client and libavahi-dbus-support as suggested by this post
- Forward ports from guest -> lan as listed by Apple
- Power cycle/reboot router, AppleTV, and clients (just to be sure)
- Profit! --> still doesn’t seem to work stable Unfortunately, I was not able to get this working with my Pioneer VSX-510 which supports AirPlay (v1) natively. Below I note some more details.
AirPlay Mechanics ¶
From what I’ve learned, the mechanics of establishing airplay are as follows:
- AirPlay server (e.g. AppleTV) broadcasts capabilities over mDNS, including IP/port info for clients
- OR: AirPlay client broadcasts request over mDNS, server responds including IP/port info
- Client connects (port/protocol unclear)
- Streaming happens If either 1 or 2 don’t work, something is wrong with mDNS broadcasting/reflecting. If 3 or 4 don’t work, something is wrong with the firewall rules.
Firewall rules ¶
I’m forwarding the ports below, which is probably too much. 10.0.0.10 is the IP of my AppleTV.
config rule option target 'ACCEPT' option src 'guest' option name 'Allow-Guest-Airplay' option dest 'lan' option dest_ip '10.0.0.10' list dest_port '80' list dest_port '443' list dest_port '554' list dest_port '3689' list dest_port '5353'
The guest zone is configured as follows:
config zone option name 'guest' option forward 'REJECT' option output 'ACCEPT' option network 'guest' option input 'REJECT' config forwarding option dest 'wan' option src 'guest'
Not sure what it does, this default config worked for me. Interestingly Airplay works even though ’enable-reflector=no’ (contrary to what sources listed below say). YMMV.
[server] #host-name=foo #domain-name=local use-ipv4=yes use-ipv6=yes check-response-ttl=no use-iff-running=no [publish] publish-addresses=yes publish-hinfo=yes publish-workstation=no publish-domain=yes #publish-dns-servers=192.168.1.1 #publish-resolv-conf-dns-servers=yes [reflector] enable-reflector=no reflect-ipv=no [rlimits] #rlimit-as= rlimit-core=0 rlimit-data=4194304 rlimit-fsize=0 rlimit-nofile=30 rlimit-stack=4194304 rlimit-nproc=3