From 4e726a4963b5cfeb4ebf83cb1593cb9c485fbbee Mon Sep 17 00:00:00 2001 From: Kaloyan Danchev Date: Fri, 13 Feb 2026 18:28:55 +0200 Subject: [PATCH] Add cross-VLAN casting docs, update device assignments - New doc: 11-CROSS-VLAN-CASTING.md with full MikroTik config (firewall rules, FastTrack exclusion, mDNS, IGMP proxy, AirPlay/Chromecast troubleshooting) - Update device IPs: LG TV .40/.41, Chromecast .42 - Move HP printer from VLAN 40 to VLAN 30 at .30 Co-Authored-By: Claude Opus 4.6 --- docs/06-VLAN-DEVICE-ASSIGNMENT.md | 14 +-- docs/11-CROSS-VLAN-CASTING.md | 167 ++++++++++++++++++++++++++++++ 2 files changed, 175 insertions(+), 6 deletions(-) create mode 100644 docs/11-CROSS-VLAN-CASTING.md diff --git a/docs/06-VLAN-DEVICE-ASSIGNMENT.md b/docs/06-VLAN-DEVICE-ASSIGNMENT.md index f16589f..9475fb6 100644 --- a/docs/06-VLAN-DEVICE-ASSIGNMENT.md +++ b/docs/06-VLAN-DEVICE-ASSIGNMENT.md @@ -67,9 +67,10 @@ | IP | MAC Address | Device | Location | Comment | |----|-------------|--------|----------|---------| | 192.168.30.10 | 50:2C:C6:7A:55:39 | Air Conditioner | Living Room | GREE Electric | -| 192.168.30.11 | B0:37:95:79:AF:9B | LG TV | Living Room | LAN (not connected) | -| 192.168.30.12 | DC:03:98:6B:5A:3A | LG TV | Living Room | WiFi (active) | -| 192.168.30.13 | D0:E7:82:F7:65:DD | Chromecast | Living Room | Streaming | +| 192.168.30.30 | 64:4E:D7:D8:43:3E | HP LaserJet M110w | Office | WiFi printer | +| 192.168.30.40 | B0:37:95:79:AF:9B | LG TV (Ethernet) | Living Room | Use ONE interface only for AirPlay | +| 192.168.30.41 | DC:03:98:6B:5A:3A | LG TV (WiFi) | Living Room | Use ONE interface only for AirPlay | +| 192.168.30.42 | D0:E7:82:F7:65:DD | Chromecast | Living Room | Requires WPA2+AES (no TKIP) | | 192.168.30.14 | B0:4A:39:3F:9A:14 | Roborock S7 Vacuum | Living Room | Needs cloud access | | 192.168.30.20 | 94:27:70:1E:0C:EE | Bosch Smart Oven | Kitchen | Home Connect app | | 192.168.30.21 | C8:D7:78:40:65:40 | Bosch Dishwasher | Kitchen | Home Connect app | 
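Review bot: the rewritten VLAN 30 rows drop the one fact the AirPlay fix in the new doc depends on, namely which TV interface is the live one. The removed rows recorded `LAN (not connected)` and `WiFi (active)`; the replacement `.40` and `.41` rows both say `Use ONE interface only for AirPlay` without saying which one is in use, so a reader cannot tell whether to expect the TV at 192.168.30.40 or .41, or which lease is dormant. Keep an active/disconnected marker in the Comment column. Minor: inserting .30/.40/.41/.42 above .14 breaks the ascending IP order the rest of the table follows; place the new rows after the .21 row instead.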
@@ -95,7 +96,7 @@ | IP | MAC Address | Device | Purpose | Comment | |----|-------------|--------|---------|---------| -| 192.168.40.19 | 64:4E:D7:D8:43:3E | HP LaserJet | Network printer | Wired connection | +| — | — | — | — | Printer moved to VLAN 30 | --- @@ -140,7 +141,8 @@ A4:D1:D2:7B:52:BE Compusbg iPad **VLAN 30 - IoT:** ``` -B0:37:95:79:AF:9B LG TV (LAN) +64:4E:D7:D8:43:3E HP LaserJet M110w +B0:37:95:79:AF:9B LG TV (Ethernet) DC:03:98:6B:5A:3A LG TV (WiFi) D0:E7:82:F7:65:DD Chromecast B0:4A:39:3F:9A:14 Roborock Vacuum @@ -163,7 +165,7 @@ FC:D5:D9:EB:6A:82 Settop Box (LAN) **VLAN 40 - Servers:** ``` -64:4E:D7:D8:43:3E HP LaserJet +(empty - printer moved to VLAN 30) ``` **VLAN 50 - Guest:** diff --git a/docs/11-CROSS-VLAN-CASTING.md b/docs/11-CROSS-VLAN-CASTING.md new file mode 100644 index 0000000..a10c49f --- /dev/null +++ b/docs/11-CROSS-VLAN-CASTING.md 
@@ -0,0 +1,167 @@ +# Cross-VLAN Casting & Streaming + +Configuration for casting/streaming from VLANs 10 (Mgmt), 20 (Trusted), and 25 (Kids) to devices on VLAN 30 (IoT). + +## Casting Devices + +| Device | MAC (Ethernet) | MAC (WiFi) | Static IP | VLAN | +|--------|---------------|------------|-----------|------| +| LG TV (webOS) | B0:37:95:79:AF:9B | DC:03:98:6B:5A:3A | .40 (eth) / .41 (wifi) | 30 | +| Chromecast | — | D0:E7:82:F7:65:DD | .42 | 30 | + +All IPs in subnet `192.168.30.0/24`. + +## What Works + +| Feature | From VLAN 20/25/10 | Notes | +|---------|-------------------|-------| +| AirPlay (Mac → LG TV) | Yes | TV must use ONE interface only (see below) | +| Smart View (Samsung → LG TV) | Yes | Works without issues | +| YouTube Cast (phone → TV/Chromecast) | Yes | Via TV Link Code, not device discovery | +| Chromecast casting | Yes | Requires mDNS repeater | + +## What Doesn't Work + +| Feature | Reason | +|---------|--------| +| LG ThinQ remote app | Client-side subnet check — app refuses if phone and TV are on different subnets. No workaround. | + +## MikroTik Configuration + +### 1. Address List + +```routeros +/ip/firewall/address-list +add list=casting-devices address=192.168.30.40 comment="LG TV Ethernet" +add list=casting-devices address=192.168.30.41 comment="LG TV WiFi" +add list=casting-devices address=192.168.30.42 comment="Chromecast" +``` + +### 2. Firewall Rules (Forward Chain) + +Bidirectional rules — casting devices need to initiate connections back (AirPlay uses separate UDP channels for timing/control). 
+ +```routeros +/ip/firewall/filter +# Forward: source VLANs → IoT +add chain=forward action=accept src-address=192.168.20.0/24 dst-address=192.168.30.0/24 comment="Allow Trusted to IoT (casting)" +add chain=forward action=accept src-address=192.168.25.0/24 dst-address=192.168.30.0/24 comment="Allow Kids to IoT (casting)" +add chain=forward action=accept src-address=192.168.10.0/24 dst-address=192.168.30.0/24 comment="Allow Mgmt to IoT" + +# Return: casting devices → source VLANs +add chain=forward action=accept src-address-list=casting-devices dst-address=192.168.20.0/24 comment="Allow casting devices to Trusted (casting return)" +add chain=forward action=accept src-address-list=casting-devices dst-address=192.168.25.0/24 comment="Allow casting devices to Kids (casting return)" +add chain=forward action=accept src-address-list=casting-devices dst-address=192.168.10.0/24 comment="Allow casting devices to Mgmt (casting return)" +``` + +These rules must be **before** the IoT block rules: +```routeros +# Block IoT → other VLANs (AFTER the return rules above) +add chain=forward action=drop src-address=192.168.30.0/24 dst-address=192.168.10.0/24 comment="Block IoT to Management" +add chain=forward action=drop src-address=192.168.30.0/24 dst-address=192.168.20.0/24 comment="Block IoT to Trusted" +``` + +### 3. FastTrack Exclusion (Mangle) + +FastTrack bypasses conntrack/firewall — must exclude inter-VLAN casting traffic. 
+ +```routeros +/ip/firewall/mangle +add chain=forward action=mark-connection new-connection-mark=no-fasttrack passthrough=yes src-address=192.168.20.0/24 dst-address=192.168.30.0/24 comment="No FastTrack: Trusted<->IoT (casting)" +add chain=forward action=mark-connection new-connection-mark=no-fasttrack passthrough=yes src-address=192.168.30.0/24 dst-address=192.168.20.0/24 comment="No FastTrack: IoT<->Trusted (casting)" +add chain=forward action=mark-connection new-connection-mark=no-fasttrack passthrough=yes src-address=192.168.25.0/24 dst-address=192.168.30.0/24 comment="No FastTrack: Kids<->IoT (casting)" +add chain=forward action=mark-connection new-connection-mark=no-fasttrack passthrough=yes src-address=192.168.30.0/24 dst-address=192.168.25.0/24 comment="No FastTrack: IoT<->Kids (casting)" +add chain=forward action=mark-connection new-connection-mark=no-fasttrack passthrough=yes src-address=192.168.10.0/24 dst-address=192.168.30.0/24 comment="No FastTrack: Mgmt<->IoT (casting)" +add chain=forward action=mark-connection new-connection-mark=no-fasttrack passthrough=yes src-address=192.168.30.0/24 dst-address=192.168.10.0/24 comment="No FastTrack: IoT<->Mgmt (casting)" +``` + +FastTrack rule must use `connection-mark=no-mark`: +```routeros +/ip/firewall/filter +add chain=forward action=fasttrack-connection connection-state=established,related connection-mark=no-mark comment="defconf: fasttrack" +``` + +### 4. mDNS Repeater + +Enables cross-VLAN device discovery (AirPlay, Chromecast). + +```routeros +/ip/dns/set mdns-repeat-ifaces=1-vlan10-mgmt,2-vlan20-trusted,3-vlan25-family,4-vlan30-iot +``` + +### 5. IGMP Proxy + +Enables multicast forwarding (SSDP/UPnP discovery). + +```routeros +/routing/igmp-proxy/interface +add interface=4-vlan30-iot upstream=yes threshold=1 +add interface=2-vlan20-trusted upstream=no threshold=1 +add interface=3-vlan25-family upstream=no threshold=1 +add interface=1-vlan10-mgmt upstream=no threshold=1 +``` + +### 6. 
DHCP Static Leases + +```routeros +/ip/dhcp-server/lease +add address=192.168.30.40 mac-address=B0:37:95:79:AF:9B server=dhcp-vlan30 comment="LG TV Ethernet" +add address=192.168.30.41 mac-address=DC:03:98:6B:5A:3A server=dhcp-vlan30 comment="LG TV WiFi" +add address=192.168.30.42 mac-address=D0:E7:82:F7:65:DD server=dhcp-vlan30 comment="Chromecast" +``` + +### 7. WiFi Access List + +```routeros +/interface/wifi/access-list +add mac-address=DC:03:98:6B:5A:3A action=accept vlan-id=30 comment="LG TV WiFi" +add mac-address=D0:E7:82:F7:65:DD action=accept vlan-id=30 comment="Chromecast" +``` + +## Troubleshooting + +### AirPlay Black Screen on LG TV + +**Root cause**: LG TV connected via both Ethernet AND WiFi simultaneously. + +The TV advertises AirPlay via mDNS on one interface but streams on the other, creating asymmetric routing. The Mac connects to one IP, but the TV sends return traffic from a different IP. + +**Fix**: Use only ONE connection on the TV — either Ethernet or WiFi, not both. Disconnect the unused one in TV settings. + +- Ethernet MAC: `B0:37:95:79:AF:9B` → 192.168.30.40 +- WiFi MAC: `DC:03:98:6B:5A:3A` → 192.168.30.41 + +### Do NOT Use Masquerade NAT + +Masquerade (srcnat) was tried to make cross-VLAN traffic appear local. This breaks AirPlay because: + +- AirPlay negotiates separate UDP feedback channels (timing port 7010, control 6001, timing 6002) +- With masquerade, TV sends feedback to the router IP (192.168.30.1) instead of the Mac's real IP +- Result: control channel works but video/audio never arrives → black screen + +### Chromecast Setup Issues + +The Chromecast can only be set up via the Google Home app (no web interface). + +**Common setup failure**: Google Home app finds the Chromecast via Bluetooth, connects to its setup WiFi hotspot, but then says "Could not communicate with your Chromecast." + +**Fix** (on phone before setup): +1. Disable mobile data +2. Disable VPN +3. Turn off "Switch to mobile data when WiFi is unstable" +4. 
Enable Location services (required by Google Home) +5. Clear Google Home app cache + +**WiFi requirements**: Chromecast requires **WPA2 with AES/CCMP** encryption. It will NOT connect to networks using TKIP. The XTRM2 (2.4GHz) security profile was changed from TKIP to CCMP to support this: + +```routeros +/interface/wifi/security/set sec-xtrm2 encryption=ccmp +``` + +### VPN Interference + +If your Mac is connected to WireGuard VPN, the VPN overrides the default route — local traffic bypasses WiFi and goes through the VPN tunnel. Disconnect VPN before casting. + +### CAP VLAN Limit + +The CAP XL ac may show "maximum VLAN count for interface was reached." If a device can't connect to WiFi, try disabling the CAP interfaces temporarily to force connection to the HAP's radio directly.
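Review bot: the VLAN 40 hunk replaces the printer row with `| — | — | — | — | Printer moved to VLAN 30 |`, which leaves a table whose columns describe nothing; replace the table with one sentence (no devices currently assigned, HP LaserJet moved to VLAN 30 at 192.168.30.30) and treat the `(empty - printer moved to VLAN 30)` line in the VLAN 40 MAC block the same way, or drop the two empty sections until the Servers VLAN has a device again.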
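Review bot: the three `casting return` accept rules in section 2 give the TV and Chromecast unrestricted, any-protocol, any-port rights to initiate connections into Mgmt, Trusted and Kids, which is far wider than "devices need to initiate connections back" requires and hands a compromised TV a free path into the management VLAN. The only device-initiated flows this doc identifies are the AirPlay UDP feedback channels (the masquerade section lists timing 7010, control 6001, timing 6002), so narrow the return rules to `protocol=udp` plus a `dst-port` list, confirm the list against `/ip/firewall/connection print` during a live session before tightening, and drop the Mgmt return rule unless something really casts from VLAN 10. Further points in the same file: (1) the `Block IoT → other VLANs` snippet drops IoT→Mgmt and IoT→Trusted but never IoT→Kids, so either the Kids drop exists elsewhere and should be listed here, or the `Allow casting devices to Kids` rule accepts nothing the current policy blocks; say which. (2) "FastTrack bypasses conntrack/firewall" is inaccurate: fasttracked connections are still conntrack entries, what is skipped is filter/mangle/queue processing of later packets in the flow; the section should state what actually broke with FastTrack enabled, otherwise six mangle rules look like cargo cult. Add `connection-state=new` to those mangle rules so the mark is set once per connection instead of being evaluated on every packet. (3) The IGMP proxy forwards multicast only from the `upstream=yes` interface (vlan30) to downstream interfaces whose hosts have joined a group; it does not carry SSDP M-SEARCH from Trusted/Kids toward IoT, so "Enables multicast forwarding (SSDP/UPnP discovery)" overstates what it does, and it also needs the input chain to accept `protocol=igmp` on the downstream VLANs, which is not shown. (4) The mDNS repeater with all four VLANs in `mdns-repeat-ifaces` repeats in every direction, so IoT mDNS announcements now reach Mgmt regardless of the IoT→Mgmt drop rule; document that trade-off, consider leaving `1-vlan10-mgmt` out, and state the minimum RouterOS version for `mdns-repeat-ifaces` since it is a recent addition. (5) `/interface/wifi/security/set sec-xtrm2 encryption=ccmp` changes only the cipher; the TKIP removal is a good change on its own merits, so also verify that `authentication-types` on that profile is `wpa2-psk` only and WPA1 goes with it.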