infrastructure/docs/11-CROSS-VLAN-CASTING.md

# Cross-VLAN Casting & Streaming

Configuration for casting/streaming from VLANs 10 (Mgmt), 20 (Trusted), and 25 (Kids) to devices on VLAN 30 (IoT).

## Casting Devices

| Device | MAC (Ethernet) | MAC (WiFi) | Static IP | VLAN |
|--------|---------------|------------|-----------|------|
| LG TV (webOS) | B0:37:95:79:AF:9B | DC:03:98:6B:5A:3A | .40 (eth) / .41 (wifi) | 30 |
| Chromecast | — | D0:E7:82:F7:65:DD | .42 | 30 |

All IPs in subnet `192.168.30.0/24`.

## What Works

| Feature | From VLAN 20/25/10 | Notes |
|---------|-------------------|-------|
| AirPlay (Mac → LG TV) | Yes | TV must use ONE interface only (see below) |
| Smart View (Samsung → LG TV) | Yes | Works without issues |
| YouTube Cast (phone → TV/Chromecast) | Yes | Via TV Link Code, not device discovery |
| Chromecast casting | Yes | Requires mDNS repeater |

## What Doesn't Work

| Feature | Reason |
|---------|--------|
| LG ThinQ remote app | Client-side subnet check — app refuses if phone and TV are on different subnets. No workaround. |

## MikroTik Configuration

### 1. Address List

```routeros
/ip/firewall/address-list
add list=casting-devices address=192.168.30.40 comment="LG TV Ethernet"
add list=casting-devices address=192.168.30.41 comment="LG TV WiFi"
add list=casting-devices address=192.168.30.42 comment="Chromecast"
```

### 2. Firewall Rules (Forward Chain)

Bidirectional rules — casting devices need to initiate connections back (AirPlay uses separate UDP channels for timing/control).

```routeros
/ip/firewall/filter
# Forward: source VLANs → IoT
add chain=forward action=accept src-address=192.168.20.0/24 dst-address=192.168.30.0/24 comment="Allow Trusted to IoT (casting)"
add chain=forward action=accept src-address=192.168.25.0/24 dst-address=192.168.30.0/24 comment="Allow Kids to IoT (casting)"
add chain=forward action=accept src-address=192.168.10.0/24 dst-address=192.168.30.0/24 comment="Allow Mgmt to IoT"

# Return: casting devices → source VLANs
add chain=forward action=accept src-address-list=casting-devices dst-address=192.168.20.0/24 comment="Allow casting devices to Trusted (casting return)"
add chain=forward action=accept src-address-list=casting-devices dst-address=192.168.25.0/24 comment="Allow casting devices to Kids (casting return)"
add chain=forward action=accept src-address-list=casting-devices dst-address=192.168.10.0/24 comment="Allow casting devices to Mgmt (casting return)"
```

These rules must be **before** the IoT block rules:
```routeros
# Block IoT → other VLANs (AFTER the return rules above)
add chain=forward action=drop src-address=192.168.30.0/24 dst-address=192.168.10.0/24 comment="Block IoT to Management"
add chain=forward action=drop src-address=192.168.30.0/24 dst-address=192.168.20.0/24 comment="Block IoT to Trusted"
```

### 3. FastTrack Exclusion (Mangle)

FastTrack bypasses conntrack/firewall — must exclude inter-VLAN casting traffic.

```routeros
/ip/firewall/mangle
add chain=forward action=mark-connection new-connection-mark=no-fasttrack passthrough=yes src-address=192.168.20.0/24 dst-address=192.168.30.0/24 comment="No FastTrack: Trusted<->IoT (casting)"
add chain=forward action=mark-connection new-connection-mark=no-fasttrack passthrough=yes src-address=192.168.30.0/24 dst-address=192.168.20.0/24 comment="No FastTrack: IoT<->Trusted (casting)"
add chain=forward action=mark-connection new-connection-mark=no-fasttrack passthrough=yes src-address=192.168.25.0/24 dst-address=192.168.30.0/24 comment="No FastTrack: Kids<->IoT (casting)"
add chain=forward action=mark-connection new-connection-mark=no-fasttrack passthrough=yes src-address=192.168.30.0/24 dst-address=192.168.25.0/24 comment="No FastTrack: IoT<->Kids (casting)"
add chain=forward action=mark-connection new-connection-mark=no-fasttrack passthrough=yes src-address=192.168.10.0/24 dst-address=192.168.30.0/24 comment="No FastTrack: Mgmt<->IoT (casting)"
add chain=forward action=mark-connection new-connection-mark=no-fasttrack passthrough=yes src-address=192.168.30.0/24 dst-address=192.168.10.0/24 comment="No FastTrack: IoT<->Mgmt (casting)"
```

FastTrack rule must use `connection-mark=no-mark`:
```routeros
/ip/firewall/filter
add chain=forward action=fasttrack-connection connection-state=established,related connection-mark=no-mark comment="defconf: fasttrack"
```

### 4. mDNS Repeater

Enables cross-VLAN device discovery (AirPlay, Chromecast).

```routeros
/ip/dns/set mdns-repeat-ifaces=1-vlan10-mgmt,2-vlan20-trusted,3-vlan25-family,4-vlan30-iot
```

### 5. IGMP Proxy

Enables multicast forwarding (SSDP/UPnP discovery).

```routeros
/routing/igmp-proxy/interface
add interface=4-vlan30-iot upstream=yes threshold=1
add interface=2-vlan20-trusted upstream=no threshold=1
add interface=3-vlan25-family upstream=no threshold=1
add interface=1-vlan10-mgmt upstream=no threshold=1
```

### 6. DHCP Static Leases

```routeros
/ip/dhcp-server/lease
add address=192.168.30.40 mac-address=B0:37:95:79:AF:9B server=dhcp-vlan30 comment="LG TV Ethernet"
add address=192.168.30.41 mac-address=DC:03:98:6B:5A:3A server=dhcp-vlan30 comment="LG TV WiFi"
add address=192.168.30.42 mac-address=D0:E7:82:F7:65:DD server=dhcp-vlan30 comment="Chromecast"
```

### 7. WiFi Access List

```routeros
/interface/wifi/access-list
add mac-address=DC:03:98:6B:5A:3A action=accept vlan-id=30 comment="LG TV WiFi"
add mac-address=D0:E7:82:F7:65:DD action=accept vlan-id=30 comment="Chromecast"
```

## Troubleshooting

### AirPlay Black Screen on LG TV

**Root cause**: LG TV connected via both Ethernet AND WiFi simultaneously.

The TV advertises AirPlay via mDNS on one interface but streams on the other, creating asymmetric routing. The Mac connects to one IP, but the TV sends return traffic from a different IP.

**Fix**: Use only ONE connection on the TV — either Ethernet or WiFi, not both. Disconnect the unused one in TV settings.

- Ethernet MAC: `B0:37:95:79:AF:9B` → 192.168.30.40
- WiFi MAC: `DC:03:98:6B:5A:3A` → 192.168.30.41

### Do NOT Use Masquerade NAT

Masquerade (srcnat) was tried to make cross-VLAN traffic appear local. This breaks AirPlay because:

- AirPlay negotiates separate UDP feedback channels (timing port 7010, control 6001, timing 6002)
- With masquerade, TV sends feedback to the router IP (192.168.30.1) instead of the Mac's real IP
- Result: control channel works but video/audio never arrives → black screen

### Chromecast Setup Issues

The Chromecast can only be set up via the Google Home app (no web interface).

**Common setup failure**: Google Home app finds the Chromecast via Bluetooth, connects to its setup WiFi hotspot, but then says "Could not communicate with your Chromecast."

**Fix** (on phone before setup):
1. Disable mobile data
2. Disable VPN
3. Turn off "Switch to mobile data when WiFi is unstable"
4. Enable Location services (required by Google Home)
5. Clear Google Home app cache

**WiFi requirements**: Chromecast requires **WPA2 with AES/CCMP** encryption. It will NOT connect to networks using TKIP. The XTRM2 (2.4GHz) security profile was changed from TKIP to CCMP to support this:

```routeros
/interface/wifi/security/set sec-xtrm2 encryption=ccmp
```

### VPN Interference

If your Mac is connected to WireGuard VPN, the VPN overrides the default route — local traffic bypasses WiFi and goes through the VPN tunnel. Disconnect VPN before casting.

### CAP VLAN Limit

The CAP XL ac may show "maximum VLAN count for interface was reached." If a device can't connect to WiFi, try disabling the CAP interfaces temporarily to force connection to the HAP's radio directly.