USG Flex 200 Airplay across VLAN1 and VLAN2

IMD Posts: 3
I am using a USG Flex 200.

Hotel configuration for AirPlay streaming to AirPlay-enabled TVs.

On VLAN1 (192.168.1.x) my WAX510D access points are connected.

On VLAN2 (192.168.2.x) the AirPlay-enabled TV is connected.

I can't manage to get AirPlay working across VLAN1 and VLAN2.

Could someone help me solve this problem, with detailed explanations?

Thanks so much.

All Replies

  • Fred_77 Posts: 115  Ally Member
    Hi @IMD
    Just a couple of questions: does VLAN1 only carry your APs, or is it the VLAN for your guest devices?
    Is there a security policy VLAN1 > VLAN2 and VLAN2 > VLAN1 where all the needed ports/services are allowed?

    Here is a list of services for AirPlay:

     Port    Proto     Service                       Used by
     80      TCP       HTTP                          AirPlay
     320     UDP       PTPv2 (Precision Time Protocol)
     443     TCP       HTTPS                         AirPlay
     554     UDP/TCP   RTSP                          AirPlay
     1900    UDP       SSDP                          Bonjour
     3689    TCP       DAAP                          AirPlay
     5000    TCP                                     Mirroring
     5297    TCP                                     Bonjour
     5298    TCP/UDP                                 Bonjour
     5350    UDP       NAT Port Mapping Protocol     Bonjour
     5351    UDP       NAT Port Mapping Protocol     Bonjour
     49159   UDP       mDNS (Windows)                AirPlay / Bonjour
     49163   UDP       mDNS (Windows)                AirPlay / Bonjour

     tcp  5000         (seen with music)
     tcp  7001         (seen with video)
     tcp  7000         (seen with picture/file)
     tcp  7100         (seen with display mirroring)
     udp  7010         (seen with display mirroring)
     udp  7011         (seen with display mirroring)
     tcp  3689         (iTunes music sharing)
     tcp  49152-65535  (dynamic ports)
     udp  49152-65535  (dynamic ports)
     tcp  123          (so the Apple TV can get time)
     udp  123          (so the Apple TV can get time)


    Hope this can help


    Fred

  • IMD Posts: 3
    VLAN1 is dedicated to 12 WAX510D for guest Wi-Fi.
    VLAN2 is dedicated to in-room AirPlay TVs (20 sets) connected by Ethernet.

    I did this for isolation, BUT for example a client iPhone connected to Wi-Fi (VLAN1) needs to have the possibility to stream to its room TV set (VLAN2).
  • Fred_77 Posts: 115  Ally Member
    Sorry for the obvious questions...

    Have you created a zone for each VLAN? Configuration > Object > Zone (i.e. Vlan1_Zone; Vlan2_Zone)

    Did you associate each VLAN with its zone? Configuration > Interface > VLAN

    Have you configured all the services listed above (and grouped them)?

    Have you configured security policies

    Vlan1_Zone to Vlan2_Zone
    ...
    Vlan2_Zone to Vlan1_Zone

    where the services are allowed?

    Fred

  • Zyxel_James Posts: 626  Zyxel Employee
    Hello @IMD,
    AirPlay streaming only works when client and server are in the same IP subnet.
    If you would like AirPlay to work across VLAN1 and VLAN2, the device must support multicast routing across subnets. However, currently the ZyWall only supports IGMP proxy.

    I will raise this in the feature evaluation queue; thanks for your feedback.

    James.
  • Fred_77 Posts: 115  Ally Member
    Hi @Zyxel_James

    I did the same configuration a couple of years ago with an ATP200 in a B&B and it worked quite fine.

    Sorry, I can't handle the device any more; the B&B closed due to the pandemic.

    Fred



  • IMD Posts: 3
    @Fred_77
    First of all, thank you very much for trying to help and solve my problem.

    I managed to do some of the things you asked, but I still have to clarify the situation.

    1) USG Flex settings

    On port P2 is wan1, first provider on optical fiber (192.168.1.1)
    On port P3 is wan2, second provider on cable (192.168.0.1)

    I did load balancing using the spillover method (and it works).

    Here is what I had in mind:

    I used LAN port P4 (192.168.1.1) to a PoE switch for 12 WAX510D for the hotel's whole Wi-Fi (grouped by floors).

    I used LAN port P5 (192.168.2.1) to a switch for 22 Sony TV sets, Apple and Google enabled.
     (The manager of the hotel asked that a guest connected to Wi-Fi be able to stream to their room TV set; each Sony TV set can be renamed Room XX: easy to identify.)

    Finally, LAN port P6 (192.168.3.1) to a switch dedicated to internal use: front desk computer, printer,
    video security, credit card reader and so on.

    What I did:
    In Configuration > Object > Service I created all the rules necessary for Apple devices (all prefixed by A_).

    Then I grouped them:

    In Configuration > Security Policy:

    With this setting it does not work: an iPhone connected to Wi-Fi does not see the Room01
    TV set for AirPlay.

    I surely did something wrong... but what???

    I am also very confused by James's message stating that it's impossible to do multicast across the interfaces (the USG Flex 200 is really a good appliance, and if that is the case this is really a missing feature for something which appears to be natural to do). Maybe there is another way to do it, and this is where I need help.

    I do thank you for your help.

    Thierry - IMD

  • Zyxel_James Posts: 626  Zyxel Employee
    edited June 2022
    Hello @IMD, @Fred_77,

    AirPlay uses Multicast DNS (mDNS), implemented in Apple Bonjour, and Bonjour across different VLANs is not supported by the current ZyWall design.
    The workaround provided by @Fred_77 might work, but we're not recommending it; we're not sure whether it will run into other problems.
    Thank you.

    James
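As an added illustration of what James describes (this is not code from the thread, from Zyxel or from Apple): the Python script below builds the mDNS PTR query an AirPlay sender multicasts to 224.0.0.251:5353 for `_airplay._tcp.local` and parses the PTR/SRV answers a receiver sends back. The embedded reply is constructed, not a capture, and the TV name `Room01`, the host `Room01-TV.local` and port 7000 are assumptions. The destination is link-local multicast (224.0.0.0/24, sent with TTL 255 and never forwarded by a router), which is why a security policy that allows every port in Fred's list still cannot carry discovery from VLAN1 to VLAN2. Running `discover()` on a host in the guest VLAN is a direct check of whether any receiver is reachable from there.

```python
"""mDNS (RFC 6762) probe for AirPlay receivers: build the query, parse replies.
Added example; names, ports and the sample reply below are constructed."""
import socket
import struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353   # link-local multicast, never routed
TYPE_PTR, TYPE_SRV, CLASS_IN = 12, 33, 1
QU_BIT = 0x8000   # "unicast response requested" flag on the question class


def encode_name(name):
    """'_airplay._tcp.local' -> length-prefixed labels ending in a zero byte."""
    out = b"".join(struct.pack("B", len(l)) + l.encode("ascii")
                   for l in name.rstrip(".").split("."))
    return out + b"\x00"


def decode_name(pkt, off):
    """Decode a DNS name at pkt[off], following compression pointers.
    Returns (name, offset just past the name in the original stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                       # 2-byte pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def build_query(service="_airplay._tcp.local", unicast_reply=False):
    """One-question query with ID 0 and flags 0, as mDNS requires."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    qclass = CLASS_IN | (QU_BIT if unicast_reply else 0)
    return header + encode_name(service) + struct.pack("!HH", TYPE_PTR, qclass)


def parse_response(pkt):
    """Collect PTR targets and SRV (host, port) from every RR section."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    off = 12
    for _ in range(qd):                                  # skip echoed questions
        off = decode_name(pkt, off)[1] + 4
    found = {"ptr": [], "srv": {}}
    for _ in range(an + ns + ar):
        name, off = decode_name(pkt, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == TYPE_PTR:
            found["ptr"].append(decode_name(pkt, off)[0])
        elif rtype == TYPE_SRV:                          # prio, weight, port, target
            port = struct.unpack("!H", pkt[off + 4:off + 6])[0]
            found["srv"][name] = (decode_name(pkt, off + 6)[0], port)
        off += rdlen
    return found


def sample_response():
    """Constructed reply (not a capture) as a TV renamed 'Room01' would send:
    PTR _airplay._tcp.local -> Room01._airplay._tcp.local, SRV -> Room01-TV.local:7000."""
    hdr = struct.pack("!HHHHHH", 0, 0x8400, 0, 2, 0, 0)
    owner = encode_name("_airplay._tcp.local")                  # lands at offset 12
    instance = b"\x06Room01" + struct.pack("!H", 0xC000 | 12)   # 'Room01' + pointer
    ptr_rr = owner + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, 4500, len(instance)) + instance
    srv_name = struct.pack("!H", 0xC000 | (12 + len(owner) + 10))  # pointer to instance
    rdata = struct.pack("!HHH", 0, 0, 7000) + encode_name("Room01-TV.local")
    srv_rr = srv_name + struct.pack("!HHIH", TYPE_SRV, CLASS_IN, 120, len(rdata)) + rdata
    return hdr + ptr_rr + srv_rr


def discover(iface_ip="0.0.0.0", timeout=2.0):
    """Send the query out of the interface owning iface_ip and map responder IP
    -> parsed records. Run from a guest-VLAN host: an empty dict means no
    receiver is reachable across the VLAN boundary."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)   # RFC 6762 s.11
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF, socket.inet_aton(iface_ip))
    s.settimeout(timeout)
    s.sendto(build_query(unicast_reply=True), (MDNS_GROUP, MDNS_PORT))
    found = {}
    try:
        while True:
            data, (src, _) = s.recvfrom(9000)
            try:
                found[src] = parse_response(data)
            except ValueError:
                pass                                     # a query or a junk packet
    except socket.timeout:
        pass
    finally:
        s.close()
    return found


if __name__ == "__main__":
    print(parse_response(sample_response()))
```

`discover()` needs a real interface address in `iface_ip` when the host has more than one; the offline functions run as-is. Whatever the TV answers with is only the service record: the RTSP/HTTP session that follows (ports 7000, 7100 and the others in Fred's list) is ordinary unicast and is what the zone security policy actually governs.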
  • Fred_77 Posts: 115  Ally Member
    I have to apologize; I forgot to mention that an add-on was required: an Avahi proxy was needed to get around the limitation James was talking about.
    It was a virtual machine running on a Synology NAS with 2 NICs (one for each VLAN) that provided the multicast DNS.

    However, the security aspect of this scenario must be taken into consideration.
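For the Avahi proxy Fred describes, here is an added example (not from the thread, from Zyxel or from Synology) of the avahi-daemon.conf settings that turn a two-NIC VM into an mDNS reflector while limiting what it carries across. The interface names eth0 (VLAN1 guest side) and eth1 (VLAN2 TV side) are assumptions, and the `reflect-filters` key needs Avahi 0.8 or newer.

```ini
# /etc/avahi/avahi-daemon.conf on the reflector VM (added example; eth0/eth1 are assumed names)
[server]
use-ipv4=yes
use-ipv6=no
# Only the two VLANs that must see each other; never the front-desk/internal VLAN.
allow-interfaces=eth0,eth1
disallow-other-stacks=yes
enable-dbus=no

[publish]
# The VM is a relay, not a service: advertise nothing of its own.
disable-publishing=yes

[reflector]
enable-reflector=yes
reflect-ipv=no
# Avahi >= 0.8: reflect AirPlay (and its audio service) only, not printers, SSH, SMB, etc.
reflect-filters=_airplay._tcp.local,_raop._tcp.local
```

Two caveats belong with this. The reflector only copies discovery records, so the AirPlay session itself (RTSP/HTTP on 7000, 7100 and the rest of the list above) still has to be allowed VLAN1 > VLAN2 in the security policy, and the reply traffic allowed back. And reflection is symmetric and unscoped: without the filter every service advertised on VLAN2 (and anything the NAS itself publishes) becomes visible to every guest, every guest still sees all 22 TVs rather than only their own room, and a guest on VLAN1 can advertise a service of their own that gets reflected onto VLAN2. That is the security aspect Fred alludes to, and it is why the allowed interfaces and service types should be as narrow as the use case permits.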
