Tunnel Apple AirPlay/Bonjour across zones in OpenWRT Firewall
I've split the wifi on my OpenWRT (18.06.2) router (Netgear R7800) into a guest zone and a lan zone for security purposes (well, not really; I did it because it was possible). One service I want to allow from the guest zone to the lan zone is AirPlay, which relies on multicast traffic (Bonjour). It turns out that forwarding AirPlay across zones is somewhat difficult to diagnose and get working. In the end I made the AppleTV part of both zones by connecting its wired LAN port to the lan zone and its WLAN to the guest zone.
Some of the required steps (necessary, but not sufficient on their own):
- Install avahi-utils, avahi-dbus-daemon, libavahi-client and libavahi-dbus-support, as suggested by this post
- Forward the ports listed by Apple from guest -> lan
- Power cycle/reboot the router, the AppleTV and the clients (just to be sure)
- Profit! --> still doesn't seem to work stably
Unfortunately, I was not able to get this working with my Pioneer VSX-510, which supports AirPlay (v1) natively. Below I note some more details.
AirPlay Mechanics
From what I've learned, the mechanics of establishing an AirPlay session are as follows:
1. The AirPlay server (e.g. the AppleTV) broadcasts its capabilities over mDNS, including IP/port info for clients
2. OR: the AirPlay client broadcasts a request over mDNS, and the server responds including its IP/port info
3. The client connects (port/protocol unclear)
4. Streaming happens
If either 1 or 2 does not work, something is wrong with mDNS broadcasting/reflecting. If 3 or 4 does not work, something is wrong with the firewall rules.
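To tell a discovery failure (steps 1/2) apart from a firewall failure (step 3) from a client sitting in the guest zone, here is an added example probe that is not part of the original post: it multicasts an mDNS PTR query for _airplay._tcp.local, parses the SRV/A records in the replies to recover the advertised host and port, and then tries a plain TCP connect to them. The function names (discover, parse_records, tcp_reachable) are my own, not anything from OpenWRT, Avahi or Apple.

```python
import socket, struct

MDNS_GROUP, MDNS_PORT, PTR, A, SRV = "224.0.0.251", 5353, 12, 1, 33   # mDNS group/port, DNS record types
def build_query(name, qtype=PTR):
    """One-question mDNS query (id 0, flags 0, qdcount 1), e.g. for _airplay._tcp.local."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\0"
    return struct.pack("!6H", 0, 0, 1, 0, 0, 0) + qname + struct.pack("!2H", qtype, 1)
def read_name(msg, off):
    """Decode a DNS name, following 0xC0 compression pointers; returns (name, offset after the name).
    No loop guard: a malicious pointer cycle ends in a RecursionError rather than a hang."""
    n = msg[off]
    if n & 0xC0 == 0xC0:                    # pointer: the rest of the name lives at an earlier offset
        return read_name(msg, struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF)[0], off + 2
    if n == 0:
        return "", off + 1
    rest, end = read_name(msg, off + 1 + n)
    label = msg[off + 1:off + 1 + n].decode()
    return (label + "." + rest if rest else label), end
def parse_records(msg):
    """Return ({service instance: (host, port)}, {host: ip}) from one mDNS reply."""
    qd, an, ns, ar = struct.unpack("!4H", msg[4:12])
    off, srv, addrs = 12, {}, {}
    for _ in range(qd):                     # legacy-unicast replies echo the question; skip it
        off = read_name(msg, off)[1] + 4
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        if rtype == SRV:                    # rdata: priority, weight, port, target host name
            srv[name] = (read_name(msg, off + 6)[0], struct.unpack("!H", msg[off + 4:off + 6])[0])
        elif rtype == A:
            addrs[name] = socket.inet_ntoa(msg[off:off + 4])
        off += rdlen
    return srv, addrs
def discover(service="_airplay._tcp.local", timeout=2.0):
    """Steps 1/2: query from an ephemeral port (RFC 6762 6.7 => unicast replies); {} means no mDNS path."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_query(service), (MDNS_GROUP, MDNS_PORT))
    found = {}
    try:
        while True:
            srv, addrs = parse_records(sock.recvfrom(9000)[0])
            found.update({i: (addrs.get(h, h), p) for i, (h, p) in srv.items()})
    except socket.timeout:
        return found
def tcp_reachable(ip, port, timeout=2.0):
    """Step 3: can this client open the advertised port through the guest->lan rule?"""
    try:
        socket.create_connection((ip, port), timeout=timeout).close(); return True
    except OSError:
        return False
```

Because the query leaves from an ephemeral port, responders answer by unicast, which is enough when the server is directly on the guest network, as with the dual-homed AppleTV above; through an mDNS reflector the answers come back as multicast on 224.0.0.251:5353, so the socket would then need to be bound to that port and joined to the group.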
Firewall rules
I'm forwarding the ports below, which is probably more than necessary. 10.0.0.10 is the IP of my AppleTV.
config rule
	option target 'ACCEPT'
	option src 'guest'
	option name 'Allow-Guest-Airplay'
	option dest 'lan'
	option dest_ip '10.0.0.10'
	list dest_port '80'
	list dest_port '443'
	list dest_port '554'
	list dest_port '3689'
	list dest_port '5353'
The guest zone is configured as follows:
config zone
	option name 'guest'
	option forward 'REJECT'
	option output 'ACCEPT'
	option network 'guest'
	option input 'REJECT'

config forwarding
	option dest 'wan'
	option src 'guest'
Avahi
I'm not sure exactly what it does, but this default config worked for me. Interestingly, AirPlay works even though 'enable-reflector=no' is set (contrary to what the sources listed below say). YMMV.
[server]
#host-name=foo
#domain-name=local
use-ipv4=yes
use-ipv6=yes
check-response-ttl=no
use-iff-running=no
[publish]
publish-addresses=yes
publish-hinfo=yes
publish-workstation=no
publish-domain=yes
#publish-dns-servers=192.168.1.1
#publish-resolv-conf-dns-servers=yes
[reflector]
enable-reflector=no
reflect-ipv=no
[rlimits]
#rlimit-as=
rlimit-core=0
rlimit-data=4194304
rlimit-fsize=0
rlimit-nofile=30
rlimit-stack=4194304
rlimit-nproc=3