- New doc: 11-CROSS-VLAN-CASTING.md with full MikroTik config (firewall rules, FastTrack exclusion, mDNS, IGMP proxy, AirPlay/Chromecast troubleshooting)
- Update device IPs: LG TV .40/.41, Chromecast .42
- Move HP printer from VLAN 40 to VLAN 30 at .30

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Cross-VLAN Casting & Streaming
Configuration for casting/streaming from VLANs 10 (Mgmt), 20 (Trusted), and 25 (Kids) to devices on VLAN 30 (IoT).
Casting Devices
| Device | MAC (Ethernet) | MAC (WiFi) | Static IP | VLAN |
|---|---|---|---|---|
| LG TV (webOS) | B0:37:95:79:AF:9B | DC:03:98:6B:5A:3A | .40 (eth) / .41 (wifi) | 30 |
| Chromecast | — | D0:E7:82:F7:65:DD | .42 | 30 |
All IPs in subnet 192.168.30.0/24.
What Works
| Feature | From VLAN 20/25/10 | Notes |
|---|---|---|
| AirPlay (Mac → LG TV) | Yes | TV must use ONE interface only (see below) |
| Smart View (Samsung → LG TV) | Yes | Works without issues |
| YouTube Cast (phone → TV/Chromecast) | Yes | Via TV Link Code, not device discovery |
| Chromecast casting | Yes | Requires mDNS repeater |
What Doesn't Work
| Feature | Reason |
|---|---|
| LG ThinQ remote app | Client-side subnet check — app refuses if phone and TV are on different subnets. No workaround. |
MikroTik Configuration
1. Address List
```
/ip/firewall/address-list
add list=casting-devices address=192.168.30.40 comment="LG TV Ethernet"
add list=casting-devices address=192.168.30.41 comment="LG TV WiFi"
add list=casting-devices address=192.168.30.42 comment="Chromecast"
```
2. Firewall Rules (Forward Chain)
Bidirectional rules — casting devices need to initiate connections back (AirPlay uses separate UDP channels for timing/control).
```
/ip/firewall/filter
# Forward: source VLANs → IoT
add chain=forward action=accept src-address=192.168.20.0/24 dst-address=192.168.30.0/24 comment="Allow Trusted to IoT (casting)"
add chain=forward action=accept src-address=192.168.25.0/24 dst-address=192.168.30.0/24 comment="Allow Kids to IoT (casting)"
add chain=forward action=accept src-address=192.168.10.0/24 dst-address=192.168.30.0/24 comment="Allow Mgmt to IoT"
# Return: casting devices → source VLANs
add chain=forward action=accept src-address-list=casting-devices dst-address=192.168.20.0/24 comment="Allow casting devices to Trusted (casting return)"
add chain=forward action=accept src-address-list=casting-devices dst-address=192.168.25.0/24 comment="Allow casting devices to Kids (casting return)"
add chain=forward action=accept src-address-list=casting-devices dst-address=192.168.10.0/24 comment="Allow casting devices to Mgmt (casting return)"
```
These rules must be placed before the IoT block rules, because RouterOS evaluates a chain top to bottom and the first matching rule decides:
```
# Block IoT → other VLANs (AFTER the return rules above)
add chain=forward action=drop src-address=192.168.30.0/24 dst-address=192.168.10.0/24 comment="Block IoT to Management"
add chain=forward action=drop src-address=192.168.30.0/24 dst-address=192.168.20.0/24 comment="Block IoT to Trusted"
```
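The ordering requirement above, as an added example (not part of the original repository): a small Python first-match evaluator run over the return and block rules copied from this page. It models new connections only, and the client addresses 192.168.20.50, 192.168.25.50 and 192.168.30.99 are constructed for illustration.

```python
import ipaddress
import shlex

# Address list and forward rules copied from the page (comments omitted).
CASTING = {"casting-devices": ["192.168.30.40", "192.168.30.41", "192.168.30.42"]}
ACCEPT_RETURN = [
    "add chain=forward action=accept src-address-list=casting-devices dst-address=192.168.20.0/24",
    "add chain=forward action=accept src-address-list=casting-devices dst-address=192.168.25.0/24",
    "add chain=forward action=accept src-address-list=casting-devices dst-address=192.168.10.0/24",
]
BLOCK_IOT = [
    "add chain=forward action=drop src-address=192.168.30.0/24 dst-address=192.168.10.0/24",
    "add chain=forward action=drop src-address=192.168.30.0/24 dst-address=192.168.20.0/24",
]

def parse(line):
    """Turn one 'add key=value ...' line into a dict of its properties."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)

def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)

def matches(rule, src, dst, lists):
    """True when every matcher present on the rule agrees with the flow."""
    if "src-address" in rule and not in_net(src, rule["src-address"]):
        return False
    if "dst-address" in rule and not in_net(dst, rule["dst-address"]):
        return False
    if "src-address-list" in rule and src not in lists.get(rule["src-address-list"], []):
        return False
    return True

def verdict(lines, src, dst, lists=CASTING):
    """First matching rule decides; None means no rule in this excerpt matched."""
    for line in lines:
        rule = parse(line)
        if rule.get("chain") == "forward" and matches(rule, src, dst, lists):
            return rule["action"]
    return None

MAC = "192.168.20.50"        # constructed client address on Trusted
KIDS = "192.168.25.50"       # constructed client address on Kids
CAMERA = "192.168.30.99"     # constructed non-casting IoT host
CHROMECAST = "192.168.30.42"  # from the page's address list

if __name__ == "__main__":
    good, bad = ACCEPT_RETURN + BLOCK_IOT, BLOCK_IOT + ACCEPT_RETURN
    for name, order in (("page order", good), ("drops first", bad)):
        print(name, verdict(order, CHROMECAST, MAC), verdict(order, CAMERA, MAC),
              verdict(order, CAMERA, KIDS))
```

A `None` verdict means no rule shown here matched, so the outcome depends on rules outside this excerpt; the IoT-to-Kids flow from a non-casting host is one such case.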
3. FastTrack Exclusion (Mangle)
FastTrack bypasses conntrack/firewall — must exclude inter-VLAN casting traffic.
```
/ip/firewall/mangle
add chain=forward action=mark-connection new-connection-mark=no-fasttrack passthrough=yes src-address=192.168.20.0/24 dst-address=192.168.30.0/24 comment="No FastTrack: Trusted<->IoT (casting)"
add chain=forward action=mark-connection new-connection-mark=no-fasttrack passthrough=yes src-address=192.168.30.0/24 dst-address=192.168.20.0/24 comment="No FastTrack: IoT<->Trusted (casting)"
add chain=forward action=mark-connection new-connection-mark=no-fasttrack passthrough=yes src-address=192.168.25.0/24 dst-address=192.168.30.0/24 comment="No FastTrack: Kids<->IoT (casting)"
add chain=forward action=mark-connection new-connection-mark=no-fasttrack passthrough=yes src-address=192.168.30.0/24 dst-address=192.168.25.0/24 comment="No FastTrack: IoT<->Kids (casting)"
add chain=forward action=mark-connection new-connection-mark=no-fasttrack passthrough=yes src-address=192.168.10.0/24 dst-address=192.168.30.0/24 comment="No FastTrack: Mgmt<->IoT (casting)"
add chain=forward action=mark-connection new-connection-mark=no-fasttrack passthrough=yes src-address=192.168.30.0/24 dst-address=192.168.10.0/24 comment="No FastTrack: IoT<->Mgmt (casting)"
```
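The FastTrack rule must match only `connection-mark=no-mark`, so that connections marked `no-fasttrack` by the mangle rules are never fasttracked:
```
/ip/firewall/filter
add chain=forward action=fasttrack-connection connection-state=established,related connection-mark=no-mark comment="defconf: fasttrack"
```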
4. mDNS Repeater
Enables cross-VLAN device discovery (AirPlay, Chromecast).
```
/ip/dns/set mdns-repeat-ifaces=1-vlan10-mgmt,2-vlan20-trusted,3-vlan25-family,4-vlan30-iot
```
5. IGMP Proxy
Enables multicast forwarding (SSDP/UPnP discovery).
```
/routing/igmp-proxy/interface
add interface=4-vlan30-iot upstream=yes threshold=1
add interface=2-vlan20-trusted upstream=no threshold=1
add interface=3-vlan25-family upstream=no threshold=1
add interface=1-vlan10-mgmt upstream=no threshold=1
```
6. DHCP Static Leases
```
/ip/dhcp-server/lease
add address=192.168.30.40 mac-address=B0:37:95:79:AF:9B server=dhcp-vlan30 comment="LG TV Ethernet"
add address=192.168.30.41 mac-address=DC:03:98:6B:5A:3A server=dhcp-vlan30 comment="LG TV WiFi"
add address=192.168.30.42 mac-address=D0:E7:82:F7:65:DD server=dhcp-vlan30 comment="Chromecast"
```
7. WiFi Access List
```
/interface/wifi/access-list
add mac-address=DC:03:98:6B:5A:3A action=accept vlan-id=30 comment="LG TV WiFi"
add mac-address=D0:E7:82:F7:65:DD action=accept vlan-id=30 comment="Chromecast"
```
Troubleshooting
AirPlay Black Screen on LG TV
Root cause: LG TV connected via both Ethernet AND WiFi simultaneously.
The TV advertises AirPlay via mDNS on one interface but streams on the other, creating asymmetric routing. The Mac connects to one IP, but the TV sends return traffic from a different IP.
Fix: Use only ONE connection on the TV — either Ethernet or WiFi, not both. Disconnect the unused one in TV settings.
- Ethernet MAC: B0:37:95:79:AF:9B → 192.168.30.40
- WiFi MAC: DC:03:98:6B:5A:3A → 192.168.30.41
Do NOT Use Masquerade NAT
Masquerade (srcnat) was tried to make cross-VLAN traffic appear local. This breaks AirPlay because:
- AirPlay negotiates separate UDP feedback channels (timing port 7010, control 6001, timing 6002)
- With masquerade, TV sends feedback to the router IP (192.168.30.1) instead of the Mac's real IP
- Result: control channel works but video/audio never arrives → black screen
Chromecast Setup Issues
The Chromecast can only be set up via the Google Home app (no web interface).
Common setup failure: Google Home app finds the Chromecast via Bluetooth, connects to its setup WiFi hotspot, but then says "Could not communicate with your Chromecast."
Fix (on phone before setup):
- Disable mobile data
- Disable VPN
- Turn off "Switch to mobile data when WiFi is unstable"
- Enable Location services (required by Google Home)
- Clear Google Home app cache
WiFi requirements: Chromecast requires WPA2 with AES/CCMP encryption. It will NOT connect to networks using TKIP. The XTRM2 (2.4GHz) security profile was changed from TKIP to CCMP to support this:
```
/interface/wifi/security/set sec-xtrm2 encryption=ccmp
```
VPN Interference
If your Mac is connected to WireGuard VPN, the VPN overrides the default route — local traffic bypasses WiFi and goes through the VPN tunnel. Disconnect VPN before casting.
CAP VLAN Limit
The CAP XL ac may show "maximum VLAN count for interface was reached." If a device can't connect to WiFi, try disabling the CAP interfaces temporarily to force connection to the HAP's radio directly.