ehamud
Staff
October 14, 2025

Technical Tip: AirPlay different configuration modes

Description: This article describes how to configure AirPlay between a FortiGate and the FortiAPs it manages.
Scope: All FortiAP models.
Solution

AirPlay lets Apple devices send content such as video, audio and photos over the wireless medium to Smart TVs using screen mirroring. Several use cases are available on FortiGate together with FortiAP.

 

Case 1: The Smart TV and the Apple device are connected to the same Bridge SSID. No firewall rules for multicast are needed in this mode; the default SSID configuration is enough:

 

                                         SingleSSID.jpg

 

Case 2: The Smart TV and the Apple device are each connected to their own Bridge SSID. In this example the Smart TV is connected to the Bridge SSID Airplay_AppleTV, which uses VLAN2 with segment 192.2.1.0/24, and the Apple device is connected to the Bridge SSID AirAppleTVIphone, which uses VLAN3 with segment 192.3.1.0/24:

 

  ClientConected.jpg

 

 

  1. Configure the Bonjour profile for the FortiAP that is broadcasting the wireless service. The profile must include the VLANs that each Bridge SSID uses, in this case VLAN2 and VLAN3:

 

FortiGate # config wireless-controller bonjour-profile
FortiGate (bonjour-profile) # show full-configuration
config wireless-controller bonjour-profile
    edit "BonjourTest"
        config policy-list
            edit 1
                set description "From_vlan2AppleTV_to_vlan3iPhone"
                set from-vlan "2"
                set to-vlan "3"
                set services airplay
            next
        end
    next
end

 

 

  2. Assign the Bonjour profile to the FortiAP, identified by its serial number:

 

FortiGate # config wireless-controller wtp
FortiGate (wtp) # edit FP431FXXXXXXXX
FortiGate (FP431FXXXXXXXX) # sho fu | grep bonjour
    set bonjour-profile "BonjourTest"
end

 

Case 3: The Smart TV is connected to a Bridge SSID and the Apple device is connected to a Tunnel SSID. All of the previous steps are still required. For AirPlay to work in this case, firewall policies must also allow bidirectional communication between the Tunnel SSID and the Bridge SSID, and the multicast configuration must be considered:

 

 

  1. FortiGate multicast configuration:

 

 

FortiGate # config system settings
FortiGate (settings) # show full-configuration | grep multicast
    set multicast-forward enable
    set multicast-ttl-notchange enable
end

 

  2. FortiGate multicast policies:

 

FortiGate # config firewall multicast-policy
FortiGate (multicast-policy) # show full-configuration
config firewall multicast-policy
    edit 1
        set status enable
        set logtraffic enable
        set srcintf "Test normal"   <----- Tunnel SSID
        set dstintf "AirP_AppleTVBri"   <----- Bridge SSID
        set srcaddr "all"
        set dstaddr "all"
        set snat disable
        set dnat 0.0.0.0
        set action accept
        set protocol 17
        set auto-asic-offload enable
        set start-port 1
        set end-port 5353
    next
    edit 2
        set status enable
        set logtraffic enable
        set srcintf "AirP_AppleTVBri"   <----- Bridge SSID
        set dstintf "Test normal"   <----- Tunnel SSID
        set srcaddr "all"
        set dstaddr "all"
        set snat disable
        set dnat 0.0.0.0
        set action accept
        set protocol 17
        set auto-asic-offload enable
        set start-port 1
        set end-port 5353
    next
end

 

  3. Disable multicast routing on the FortiGate:

 

FortiGate # config router multicast
FortiGate (multicast) # show full-configuration | grep multicast
config router multicast
    set multicast-routing disable
end

 

  4. Create the firewall policies:

FortiGate # config firewall policy
FortiGate (policy) # edit "73"
FortiGate (73) # show
config firewall policy
    edit 72
        set name "AppleTVToTunnelSSID"
        set srcintf "AirPlaySegmApTV"
        set dstintf "Test normal"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    edit 73
        set name "TunnelSSIDtoAirAppleTV"
        set srcintf "Test normal"
        set dstintf "AirPlaySegmApTV"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end

 

result.jpg 

The final result in all 3 cases is successful. Screen mirroring works as expected:

 

                                                                Screenmirror.jpg
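The Case 3 policies accept every address and service between the two SSIDs and open UDP ports 1 to 5353 in the multicast policy, which is wider than the single mDNS port 5353. As an added example (not part of the original article and not Fortinet tooling), this Python script parses pasted FortiOS config text and lists such rules for review; the function names, the checks chosen and the fallback port defaults are assumptions made here.

```python
import shlex

# Constructed sample: trimmed copies of the Case 3 policies from this article.
SAMPLE = '''
config firewall multicast-policy
    edit 1
        set srcintf "Test normal"   <-----Tunnel SSID
        set srcaddr "all"
        set dstaddr "all"
        set start-port 1
        set end-port 5353
    next
end
config firewall policy
    edit 72
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
    next
end
'''
MDNS_PORT = 5353  # UDP port the article filters on for mDNS

def parse(text):
    """Map (section, edit id) -> settings for flat config/edit/set blocks."""
    entries, section, current = {}, None, None
    for raw in text.splitlines():
        tok = shlex.split(raw.split("<--")[0]) or [""]  # drop the article's arrow notes
        if tok[0] == "config":
            section = " ".join(tok[1:])
        elif tok[0] == "edit":
            current = entries.setdefault((section, tok[1]), {})
        elif tok[0] == "set" and current is not None:
            current[tok[1]] = " ".join(tok[2:])
    return entries

def audit(entries):
    """Return (section, id, reason) for rules broader than mDNS discovery needs."""
    findings = []
    for (section, eid), e in sorted(entries.items()):
        if section == "firewall multicast-policy":
            lo, hi = int(e.get("start-port", 1)), int(e.get("end-port", 65535))  # defaults assumed
            if (lo, hi) != (MDNS_PORT, MDNS_PORT):
                findings.append((section, eid, f"UDP ports {lo}-{hi} wider than {MDNS_PORT}"))
        if section == "firewall policy" and e.get("service") == "ALL":
            findings.append((section, eid, "service ALL between SSIDs"))
        if e.get("srcaddr") == e.get("dstaddr") == "all":
            findings.append((section, eid, "srcaddr and dstaddr both all"))
    return findings
```

Calling `audit(parse(text))` on the full configuration from this article returns one tuple per rule and reason, which can be used as a checklist when narrowing the policies to the AirPlay devices and services actually in use.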

 

From a troubleshooting perspective, it is often useful to validate AirPlay traffic. A sniffer on the FortiGate side, filtered on port 5353 (used for multicast DNS, mDNS), must show two-way communication:

 

FortiGate # diagnose sniffer packet any 'host 192.2.1.3 and port 5353' 6 0 a

                        fsfnifff.jpg

 

At the same time, run a sniffer on the FortiAP side, also filtered on port 5353. With these two points of view, it is easier to see where mDNS traffic is not allowed or in which direction the traffic is not being sent:

 

FortiAP-431F # diag_sniffer any 'port 5353' 6 0 a

 

                                       FAPfsf.jpg
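To turn a saved capture into a statement of which direction is missing, the following added example (not from the original article) parses sniffer header lines taken with the broader 'port 5353' filter and reports the expected hops that never appear. The capture text is constructed, the line layout is an assumption about the sniffer output, and the client address 10.10.80.2 and the function names are hypothetical.

```python
import re

# Constructed sample; the header-line layout (absolute timestamp, interface,
# direction, src.port -> dst.port) is an assumption about the sniffer output.
CAPTURE = """\
2025-10-14 10:15:01.120331 AirP_AppleTVBri in 192.2.1.3.5353 -> 224.0.0.251.5353: udp 98
0x0000   0100 5e00 00fb 0011 2233 4455 0800 4500   ..^.....3DU..E.
2025-10-14 10:15:01.120402 Test normal out 192.2.1.3.5353 -> 224.0.0.251.5353: udp 98
2025-10-14 10:15:02.500017 Test normal in 10.10.80.2.5353 -> 224.0.0.251.5353: udp 61
"""

HEADER = re.compile(
    r"^\S+ \S+ (?P<iface>.+?) (?P<dir>in|out) "   # interface names may contain spaces
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): udp")

def mdns_hops(capture):
    """Return {(source_ip, interface, direction): packet count} for UDP 5353."""
    hops = {}
    for line in capture.splitlines():
        m = HEADER.match(line)          # hex-dump lines do not match and are skipped
        if m and "5353" in (m["sport"], m["dport"]):
            key = (m["src"], m["iface"], m["dir"])
            hops[key] = hops.get(key, 0) + 1
    return hops

def missing_hops(capture, expected):
    """List the expected (source_ip, interface, direction) hops that never appear."""
    seen = mdns_hops(capture)
    return [hop for hop in expected if hop not in seen]

# Case 3 expectation: each side's mDNS enters on its own SSID and leaves on the other.
EXPECTED = [
    ("192.2.1.3", "AirP_AppleTVBri", "in"), ("192.2.1.3", "Test normal", "out"),
    ("10.10.80.2", "Test normal", "in"), ("10.10.80.2", "AirP_AppleTVBri", "out"),
]

print(missing_hops(CAPTURE, EXPECTED))
```

In the constructed capture the Tunnel SSID client's packets arrive but never leave on the Bridge SSID interface, which points at the Tunnel-to-Bridge multicast policy as the place to look.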

 

Related article:
Technical Tip: Multicast Configuration to Apple TV 

    2 replies

    laltuzar
    Staff
    October 14, 2025

    Great information, thanks a lot!

    Adolfo_Z_H
    Staff
    March 31, 2026

    The definitive guide to enable Apple TV services for Wi-Fi devices for FortiGate (and wired too).