jjahanshahi
Staff
December 14, 2016

Technical Tip: Chromecast and the FortiGate


Description

 
This article discusses Chromecast and the FortiGate.
 

Scope

 
FortiGate V7 and above.


Solution

 
Chromecast is a streaming digital media player delivered by Google. It uses the Discovery and Launch (DIAL) protocol to allow users to mirror content from handheld devices to the Chromecast, which is plugged into a television set. Chromecast connectivity is via 802.11b/g/n (2.4 GHz only) and does not support 802.1x, so WPA2 Personal (Pre-Shared Key) is required.

Clients discover Chromecast devices using SSDP (Simple Service Discovery Protocol), which involves sending a UDP packet to port 1900 on the multicast address 239.255.255.250. These packets are sent with a TTL of 1, so they will not be routed across subnets.

Chromecast and FortiWifi/FortiAPs.
Chromecasts and other wireless devices connected to the same SSID should have no issues discovering each other as long as intra-SSID blocking is not enabled. SSIDs that are bridged to the AP interface will also have no issues with wired devices on that same bridged subnet.

In a corporate environment, there are a few things to consider:
  • Wireless access is typically 802.1x, so the Chromecasts will be connecting to a different wireless network. Multicast forwarding will be required.
  • It is desirable to limit Chromecast access to prevent abuse; not everyone on the wireless network should have the ability to cast whatever they desire.

The best way to limit access for users connecting to the same SSID is via Dynamic VLAN.

Here are the steps for successful Chromecast discovery and streaming:

Firewall policies between subnets must be created (Chromecast SSID <—> Employee SSID) both ways and without NAT enabled.

The FortiGate needs to be configured not to adjust TTL:
 
config system settings
    set multicast-ttl-notchange enable
end

Multicast policies must be configured (this is where access can be restricted):
 
config firewall multicast-policy
    edit 1
        set srcintf "chromecasttest"
        set dstintf "employeeWifi"
        set srcaddr "all"
        set dstaddr "all"
    next
    edit 2
        set srcintf "employeeWifi"
        set dstintf "chromecasttest"
        set srcaddr "all"
        set dstaddr "all"
    next
end

 
With the above configuration, the Chromecast should be discovered by wireless/wired clients on other subnets.
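
One way to verify this from a client on the employee subnet, as an added example that is not part of the original article or Fortinet's code: the script sends the SSDP M-SEARCH described above with a TTL of 1 and lists the devices that answer. The DIAL search-target string, the function names, the `--live` flag and the constructed sample reply are assumptions of this example and do not come from the article.

```python
import socket
import sys

SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900      # values from the article
DIAL_ST = "urn:dial-multiscreen-org:service:dial:1"  # DIAL search target (not from the article)
# Constructed sample reply (documentation address), not captured from a device.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\nST: urn:dial-multiscreen-org:service:dial:1\r\n"
                   b"LOCATION: http://192.0.2.15:8008/ssdp/device-desc.xml\r\n\r\n")

def build_msearch(st=DIAL_ST, mx=2):
    """Build the M-SEARCH datagram a casting client multicasts."""
    lines = ["M-SEARCH * HTTP/1.1", f"HOST: {SSDP_GROUP}:{SSDP_PORT}",
             'MAN: "ssdp:discover"', f"MX: {mx}", f"ST: {st}", "", ""]
    return "\r\n".join(lines).encode("ascii")

def parse_ssdp(datagram):
    """Return (start_line, headers) with header names lower-cased."""
    head = datagram.decode("utf-8", errors="replace").split("\r\n\r\n", 1)[0]
    start, *rest = head.split("\r\n")
    pairs = (line.partition(":") for line in rest)
    headers = {n.strip().lower(): v.strip() for n, sep, v in pairs if sep}
    return start.strip(), headers

def is_dial_response(datagram):
    """True only for an HTTP 200 reply whose ST is the DIAL service."""
    start, headers = parse_ssdp(datagram)
    parts = start.split()
    return (len(parts) >= 2 and parts[0].startswith("HTTP/")
            and parts[1] == "200" and headers.get("st") == DIAL_ST)

def discover(timeout=3.0, ttl=1):
    """Send one M-SEARCH with the given TTL; return {responder_ip: LOCATION}."""
    found = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        # TTL 1 matches what real clients send, so this exercises
        # the multicast-ttl-notchange setting on the FortiGate.
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, ttl)
        sock.settimeout(timeout)
        sock.sendto(build_msearch(), (SSDP_GROUP, SSDP_PORT))
        try:
            while True:
                data, (ip, _port) = sock.recvfrom(65507)
                if is_dial_response(data):
                    found[ip] = parse_ssdp(data)[1].get("location", "")
        except socket.timeout:
            return found  # reply window closed

if __name__ == "__main__":
    live = "--live" in sys.argv  # --live: run on a client in the employee subnet
    print(discover() if live else parse_ssdp(SAMPLE_RESPONSE))
```

Running it with `--live` from a subnet that is not meant to have casting access should return an empty result, which confirms the multicast policies restrict discovery as intended.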