jjahanshahi
Description
This article explains how Chromecast discovery works and how to configure a FortiGate (or FortiWiFi with FortiAPs) so that clients on a different subnet or SSID can discover and cast to a Chromecast, while limiting who is allowed to do so.

Solution
Chromecast is a streaming digital media player from Google that plugs into a television set.  It uses the Discovery and Launch (DIAL) protocol to let users cast or mirror content from phones, tablets and laptops to the device.  Chromecast connects over Wi-Fi (the original model supports 802.11b/g/n on 2.4GHz only) and does not support 802.1X, so the SSID it joins must use WPA2-Personal (pre-shared key).

Clients discover Chromecast devices with the Simple Service Discovery Protocol (SSDP): they send a UDP M-SEARCH packet to port 1900 on the multicast group address 239.255.255.250, and the Chromecast answers with a unicast response.  These multicast packets are sent with an IP TTL of 1, so a router drops them instead of forwarding them across subnets.  Newer Chromecast firmware also advertises itself over mDNS (UDP port 5353 to 224.0.0.251), which is likewise link-local scope and is not forwarded between subnets by default, so the same considerations apply.

Chromecast and FortiWifi/FortiAPs

Chromecasts and other wireless devices connected to the same SSID discover each other without any extra configuration, as long as intra-SSID traffic blocking is not enabled on that SSID.  An SSID that is bridged to the AP interface also works without changes for wired devices on the same bridged subnet, since they share a broadcast domain.

In a corporate environment there are a few things to consider:
  • Corporate wireless access is typically 802.1X, which the Chromecast cannot join, so the Chromecasts will sit on a separate WPA2-Personal SSID and subnet.  SSDP multicast traffic must therefore be forwarded between the two subnets.
  • Access to the Chromecasts should be limited to prevent abuse: not everyone on the wireless network should be able to cast whatever they like to any screen.

The best way to limit access among users connecting to the same SSID is dynamic VLAN assignment: the RADIUS server places authorized users in their own VLAN, and the firewall and multicast policies below are then scoped to that VLAN instead of to the whole employee network.

Here are the steps for successful Chromecast discovery and streaming across subnets:

Firewall policies between the two subnets (Chromecast SSID <—> Employee SSID) must be created in both directions, with NAT disabled.  These carry the unicast SSDP responses and the casting session itself.

The FortiGate must be configured not to decrement the TTL of forwarded multicast packets; the SSDP packets arrive with TTL 1 and would otherwise be discarded:
config system settings
set multicast-ttl-notchange enable
end

Multicast policies must be configured in both directions.  The source and destination addresses of these policies are where access is restricted; the example below uses "all" and therefore forwards multicast from every host on both networks:
config firewall multicast-policy
edit 1
set srcintf "chromecasttest"
set dstintf "employeeWifi"
set srcaddr "all"
set dstaddr "all"
next
edit 2
set srcintf "employeeWifi"
set dstintf "chromecasttest"
set srcaddr "all"
set dstaddr "all"
next
end

With the above configured, the Chromecast should be discoverable by wireless and wired clients on other subnets.
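As an added, consolidated example that is not part of the original article, the configuration below ties the steps together and tightens the multicast policies so that only SSDP discovery traffic (UDP 1900 to 239.255.255.250) is forwarded, and only between the two named networks.  The interface names chromecasttest and employeeWifi are the ones used in the article; the subnets 10.10.20.0/24 and 10.10.10.0/24, the address object names and the policy IDs are assumptions and must be adjusted for the real deployment.

```fortios
# Added example, not from the original article. Interface names follow the
# article; subnets, object names and policy IDs are assumptions.

# Address objects for the two networks (assumed subnets).
config firewall address
    edit "Chromecast-net"
        set subnet 10.10.20.0 255.255.255.0
    next
    edit "Employee-net"
        set subnet 10.10.10.0 255.255.255.0
    next
end

# The SSDP discovery group. Multicast policies reference multicast-address
# objects for their destination rather than ordinary firewall addresses.
config firewall multicast-address
    edit "SSDP-group"
        set start-ip 239.255.255.250
        set end-ip 239.255.255.250
    next
end

# Forward multicast between subnets (multicast-forward is on by default but is
# set explicitly here) and leave the TTL of forwarded multicast untouched,
# because the SSDP packets arrive with TTL 1.
config system settings
    set multicast-forward enable
    set multicast-ttl-notchange enable
end

# Unicast policies in both directions with NAT disabled. The SSDP responses
# and the casting session itself flow through these.
config firewall policy
    edit 10
        set name "Employee-to-Chromecast"
        set srcintf "employeeWifi"
        set dstintf "chromecasttest"
        set srcaddr "Employee-net"
        set dstaddr "Chromecast-net"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 11
        set name "Chromecast-to-Employee"
        set srcintf "chromecasttest"
        set dstintf "employeeWifi"
        set srcaddr "Chromecast-net"
        set dstaddr "Employee-net"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end

# Multicast policies restricted to UDP 1900 towards the SSDP group.
# Employee -> Chromecast carries the clients' M-SEARCH queries;
# Chromecast -> Employee carries the Chromecast's NOTIFY announcements.
config firewall multicast-policy
    edit 1
        set srcintf "employeeWifi"
        set dstintf "chromecasttest"
        set srcaddr "Employee-net"
        set dstaddr "SSDP-group"
        set protocol 17
        set start-port 1900
        set end-port 1900
        set action accept
    next
    edit 2
        set srcintf "chromecasttest"
        set dstintf "employeeWifi"
        set srcaddr "Chromecast-net"
        set dstaddr "SSDP-group"
        set protocol 17
        set start-port 1900
        set end-port 1900
        set action accept
    next
end
```

To limit casting to a particular group of users, replace "Employee-net" in policies 10 and 1 with a narrower address object, or with the address of the VLAN that dynamic VLAN assignment places authorized users in.  The unicast service is left at ALL because the article does not enumerate the casting ports; narrow it once the ports actually in use have been confirmed.  To confirm that discovery traffic is being forwarded, run diagnose sniffer packet any 'host 239.255.255.250' 4 0 l on the FortiGate while a client searches for the Chromecast: the M-SEARCH should appear arriving on employeeWifi and leaving on chromecasttest, and the Chromecast's unicast reply should follow through policy 11.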
