My access point broadcasts two wireless networks: home and guest. Packets coming in from the guest network are tagged as vlan-guest.
I have my network configured in the following way:
- access point is connected to eth10. The traffic from it can be vlan-guest or without a vlan tag.
- ethernet ports (eth1-eth5) are using eth1 as master.
- bridge contains the following ports:
  - eth1-master (which are ports 1 to 5)
  - vlan-guest
  - eth10
I want to block the guest network from accessing my other devices, so I added the following rules to the bridge:
0 ;;; vlan-guest -> 10.1.100.x
  chain=forward action=accept in-interface=vlan-guest mac-protocol=ip dst-address=10.1.100.0/24 log=no
1 ;;; vlan-guest -> 239.255.255.250/32 (multicast)
  chain=forward action=accept in-interface=vlan-guest mac-protocol=ip dst-address=239.255.255.250/32 log=no
2 ;;; vlan-guest -> *
  chain=forward action=drop in-interface=vlan-guest mac-protocol=ip log=no
I have 4 Chromecast Audios:
10.1.100.2, 10.1.100.3, 10.1.100.4 and 10.1.100.5
and one smart TV with the YouTube app:
10.1.100.10
When a device connects to my guest network for the first time, it can cast to the YouTube app, but cannot see any Chromecast devices.
However, when I remove the last rule (block all traffic), allow my device to discover the Chromecasts, then add the rule again, the Chromecast Audios are visible and I can cast to them.
This seems to be persistent (i.e. even after a few days, the Chromecasts are still accessible even though the rule is still in place).
The Chromecasts are connected via wifi, while the TV is connected to an eth port.
- Chromecasts are using wifi, while the TV is not; can this be a problem for some reason? The router needs to remove the vlan tag before transmitting the data from the vlan to the other interface, so the rules should also be checked.
- maybe there is a problem with the protocol (should I allow something other than ip?)
- maybe there is a problem with the multicast protocol?
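As an added example (not from the original post), here is a small Python model of how the bridge filter chain evaluates the three posted rules, first match wins, against constructed frames from a guest client. The `Frame`, `Rule`, `evaluate` and `report` names are the example's own; it assumes the RouterOS bridge filter accepts a frame when no rule in the chain matches, and it uses two protocol facts that the post does not state: SSDP discovery is sent to 239.255.255.250 UDP/1900, while mDNS, which Chromecast discovery relies on, is sent to 224.0.0.251 UDP/5353.

```python
"""Model of the posted bridge filter rules run over constructed frames.

Added example, not part of the original post. The rule set mirrors the three
rules quoted in the post; the sample frames are constructed here. Assumption:
a frame that matches no rule is accepted (end-of-chain default).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Frame:
    in_interface: str
    mac_protocol: str              # as RouterOS names it: "ip", "arp", "ipv6", ...
    dst_ip: Optional[str] = None   # only meaningful for mac_protocol="ip"
    dst_port: Optional[int] = None
    note: str = ""


@dataclass(frozen=True)
class Rule:
    comment: str
    action: str                    # "accept" or "drop"
    in_interface: Optional[str] = None
    mac_protocol: Optional[str] = None
    dst_address: Optional[str] = None   # CIDR, compared against the IP destination

    def matches(self, f: Frame) -> bool:
        """Every matcher that is set must match; unset matchers match anything."""
        if self.in_interface is not None and f.in_interface != self.in_interface:
            return False
        if self.mac_protocol is not None and f.mac_protocol != self.mac_protocol:
            return False
        if self.dst_address is not None:
            if f.dst_ip is None:
                return False
            if ipaddress.ip_address(f.dst_ip) not in ipaddress.ip_network(self.dst_address):
                return False
        return True


# The three rules exactly as posted, in chain order.
RULES = [
    Rule("vlan-guest -> 10.1.100.x", "accept", "vlan-guest", "ip", "10.1.100.0/24"),
    Rule("vlan-guest -> 239.255.255.250/32 (multicast)", "accept", "vlan-guest", "ip",
         "239.255.255.250/32"),
    Rule("vlan-guest -> *", "drop", "vlan-guest", "ip"),
]


def evaluate(frame: Frame, rules=RULES) -> tuple:
    """Walk the chain; the first matching rule decides. Returns (action, reason)."""
    for rule in rules:
        if rule.matches(frame):
            return rule.action, rule.comment
    return "accept", "no rule matched (assumed end-of-chain accept)"


# Constructed sample traffic; the mDNS and SSDP addresses/ports are protocol facts,
# the rest is made up for illustration.
SAMPLE_FRAMES = [
    Frame("vlan-guest", "ip", "10.1.100.2", 8009, "unicast to an already-known Chromecast"),
    Frame("vlan-guest", "ip", "239.255.255.250", 1900, "SSDP discovery (UDP/1900)"),
    Frame("vlan-guest", "ip", "224.0.0.251", 5353, "mDNS query (UDP/5353)"),
    Frame("vlan-guest", "arp", None, None, "ARP who-has 10.1.100.2 (not mac-protocol=ip)"),
    Frame("vlan-guest", "ip", "10.1.100.10", 8008, "unicast to the smart TV"),
    Frame("eth1-master", "ip", "10.1.100.2", 8009, "home LAN to Chromecast"),
]


def report(frames=SAMPLE_FRAMES, rules=RULES) -> dict:
    """Map each frame's note to the action the chain takes on it."""
    return {f.note: evaluate(f, rules)[0] for f in frames}


if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        action, why = evaluate(f)
        print(f"{action:6}  {f.note}  [{why}]")
```

Running it shows the split the model produces: unicast to any 10.1.100.x host and the SSDP group address are accepted by rules 0 and 1, the mDNS query falls through to the drop rule, and a non-IP frame such as ARP matches none of the three rules because they all carry mac-protocol=ip.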