Andreas77_FTNT
Article Id 197431

Description
This article describes how to allow traffic from a client device to a Chromecast, and vice versa, when the two are on different subnets behind a FortiGate.

Solution
Chromecast uses a set of protocols including DIAL, mDNS, SSDP and HTTP.
This usually works well on the same subnet; however, when the client and the Chromecast are on different subnets with a FortiGate in between, the traffic needs to be allowed and NATed.
The FortiGate needs to be configured to forward multicast packets and to leave the TTL of those packets unchanged.

# config system settings
    set multicast-ttl-notchange enable
    set multicast-forward enable
end

In this example, the following parameters are used:

1) LAN interface, which includes a Wi-Fi SSID where the Chromecast is connected: subnet 192.168.1.0/24
2) Internal5 interface where a PC running the Chrome browser is connected: subnet 192.168.2.0/24

Create a custom multicast address object for the SSDP multicast address:

# config firewall multicast-address
    edit "SSDP"
        set start-ip 239.255.255.250
        set end-ip 239.255.255.250
    next
end

Configure the Multicast Policies:

# config firewall multicast-policy
    edit 1
        set srcintf "lan"
        set dstintf "internal5"
        set srcaddr "all"
        set dstaddr "Bonjour" "SSDP"
        set snat enable
    next
    edit 2
        set srcintf "internal5"
        set dstintf "lan"
        set srcaddr "all"
        set dstaddr "Bonjour" "SSDP"
        set snat enable
    next
end

Note: The "Bonjour" multicast address object is created by default on the FortiGate, and its IP address is the mDNS group address (224.0.0.251).

Custom port ranges can be configured to restrict the traffic to the Chromecast devices.

# config firewall service custom
    edit "Chromecast UDP ports"
        set udp-portrange 32768-61000
    next
    edit "Chromecast HTTP ports"
        set tcp-portrange 8008-8009
    next
end

Address objects can also be created for the Chromecast device and the PC subnet (VLAN):

# config firewall address
    edit "ChromecastDevice"
        set subnet 192.168.1.15 255.255.255.255
    next
    edit "PC_Subnet"
        set subnet 192.168.2.0 255.255.255.0
    next
end

Finally, the IPv4 policies allowing communication across the two subnets have to be created:

# config firewall policy
    edit 1
        set name "CC to PC_Subnet"
        set srcintf "lan"
        set dstintf "internal5"
        set srcaddr "ChromecastDevice"
        set dstaddr "PC_Subnet"
        set action accept
        set schedule "always"
        set service "Chromecast UDP ports" "Chromecast HTTP ports"
        set nat enable
    next
    edit 2
        set name "PC_Subnet to CC"
        set srcintf "internal5"
        set dstintf "lan"
        set srcaddr "PC_Subnet"
        set dstaddr "ChromecastDevice"
        set action accept
        set schedule "always"
        set service "Chromecast UDP ports" "Chromecast HTTP ports"
        set nat enable
    next
end

The PC on one subnet should now be able to cast to the Chromecast located on the other subnet.
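As an added example that is not part of the original article, the following Python script reproduces the discovery step of the procedure above from the client side: it sends the same one-shot requests Chrome sends when the Cast button is pressed (an mDNS PTR query for _googlecast._tcp.local to 224.0.0.251:5353 and an SSDP M-SEARCH for the DIAL service to 239.255.255.250:1900) and parses any replies. It is assumed to run on the PC in 192.168.2.0/24 with the Chromecast in 192.168.1.0/24; the group addresses, ports and service names are the standard mDNS, SSDP and DIAL values, while the function names are my own.

```python
import socket
import struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353       # "Bonjour" multicast object on the FortiGate
SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900   # custom "SSDP" multicast object on the FortiGate
CAST_SERVICE = "_googlecast._tcp.local"           # mDNS service type Chrome browses for
DIAL_ST = "urn:dial-multiscreen-org:service:dial:1"  # SSDP search target used by DIAL clients


def encode_name(name):
    """Encode a DNS name as length-prefixed labels terminated by a zero byte."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_mdns_query(service=CAST_SERVICE):
    """One-shot mDNS query: ID 0, flags 0, one question, QTYPE 12 (PTR), QCLASS 1 (IN)."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    return header + encode_name(service) + struct.pack("!HH", 12, 1)


def decode_name(msg, off):
    """Decode a possibly compressed DNS name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                     # compression pointer to an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        if ln == 0:
            return ".".join(labels), (end if end is not None else off + 1)
        labels.append(msg[off + 1:off + 1 + ln].decode("ascii", "replace"))
        off += 1 + ln


def parse_mdns_ptr_answers(msg, service=CAST_SERVICE):
    """Return the PTR targets (cast instance names) answering `service` in an mDNS reply."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, targets = 12, []
    for _ in range(qd):                           # skip any echoed question
        _, off = decode_name(msg, off)
        off += 4
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 12 and name.lower() == service.lower():
            targets.append(decode_name(msg, off)[0])
        off += rdlen
    return targets


def build_ssdp_msearch(st=DIAL_ST):
    """SSDP M-SEARCH request as sent by a DIAL client."""
    lines = ["M-SEARCH * HTTP/1.1", f"HOST: {SSDP_GROUP}:{SSDP_PORT}",
             'MAN: "ssdp:discover"', "MX: 2", f"ST: {st}", "", ""]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(data):
    """Parse the HTTP-style SSDP reply into a dict of upper-cased header names."""
    status, _, rest = data.decode("ascii", "replace").partition("\r\n")
    headers = {"STATUS": status.strip()}
    for line in rest.split("\r\n"):
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().upper()] = value.strip()
    return headers


def probe(group, port, payload, timeout=2.0, ttl=255):
    """Send `payload` to a multicast group and collect every unicast reply until timeout.
    TTL 255 matches what mDNS senders use; the FortiGate must not decrement it
    (multicast-ttl-notchange), because mDNS responders may ignore queries with a lower TTL."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, ttl)
        s.settimeout(timeout)
        s.sendto(payload, (group, port))
        try:
            while True:
                data, (src, _) = s.recvfrom(4096)
                replies.append((src, data))
        except socket.timeout:
            pass
    return replies


if __name__ == "__main__":
    # Run from the PC subnet: a reply from the Chromecast shows that the multicast
    # policies, the multicast-forward/TTL settings and the IPv4 policies all work.
    for src, data in probe(MDNS_GROUP, MDNS_PORT, build_mdns_query()):
        print(f"mDNS {src}: {parse_mdns_ptr_answers(data)}")
    for src, data in probe(SSDP_GROUP, SSDP_PORT, build_ssdp_msearch()):
        print(f"SSDP {src}: {parse_ssdp_response(data).get('LOCATION')}")
```

Because the queries are sent from an ephemeral source port rather than 5353, mDNS responders answer with a unicast reply to the socket (legacy unicast response), so no multicast group membership is needed on the client. A LOCATION header in the SSDP reply points at the Chromecast's HTTP service on TCP 8008, which is the unicast connection the IPv4 policies above must allow.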

Troubleshooting

Make sure no device in between is dropping multicast packets or has IGMP enabled. The multicast packets should arrive at the FortiGate whenever the "Cast" button in Chrome is used. These packets can be sniffed with the following command:

# diagnose sniffer packet internal5 "host 224.0.0.251" 4 0 l
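As an added example, not part of the article, here is a small Python triage script for that sniffer output. It assumes the packet header format printed at verbose level 4 (`<timestamp> <interface> in|out <src>.<port> -> <dst>.<port>: <summary>`) and that the sniff was taken on the PC-side interface, internal5, so "in" packets are the client's mDNS queries and "out" packets are the Chromecast's responses forwarded by the multicast policy. The sample lines are constructed for the example, not real output.

```python
import re
from collections import Counter

MDNS_GROUP = "224.0.0.251"   # "Bonjour" multicast object on the FortiGate

# Assumed header line format at sniffer verbose level 4; banner lines (interfaces=, filters=) do not match.
LINE_RE = re.compile(
    r"^(?P<ts>.+?)\s+(?P<intf>\S+)\s+(?P<dir>in|out)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<summary>.*)$"
)

# Constructed sample: two client queries from the PC and one forwarded Chromecast response.
SAMPLE = """\
interfaces=[internal5]
filters=[host 224.0.0.251]
2024-01-01 10:00:00.101010 internal5 in 192.168.2.10.5353 -> 224.0.0.251.5353: udp 46
2024-01-01 10:00:00.303030 internal5 out 192.168.1.15.5353 -> 224.0.0.251.5353: udp 220
2024-01-01 10:00:01.404040 internal5 in 192.168.2.10.5353 -> 224.0.0.251.5353: udp 46
"""


def parse_sniffer(text):
    """Yield one dict per packet header line; lines that are not headers are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def summarize(text):
    """Count mDNS packets per direction, keyed by source host.
    'in'  = entering the FortiGate on the sniffed interface (client queries)
    'out' = leaving the FortiGate on that interface (responses forwarded from the Chromecast side)"""
    summary = {"in": Counter(), "out": Counter()}
    for pkt in parse_sniffer(text):
        if pkt["dst"] == MDNS_GROUP and pkt["dport"] == "5353":
            summary[pkt["dir"]][pkt["src"]] += 1
    return summary


def diagnose(summary):
    """Map the counts onto the checks the article lists; returns (code, advice)."""
    queries, replies = sum(summary["in"].values()), sum(summary["out"].values())
    if queries == 0:
        return ("no-queries", "no client mDNS reached the FortiGate: make sure nothing in between "
                              "drops multicast packets or has IGMP enabled")
    if replies == 0:
        return ("no-replies", f"{queries} client queries seen but nothing forwarded back: check "
                              "multicast-forward and the multicast policy from the Chromecast interface")
    return ("ok", f"{queries} queries in, {replies} responses out from {sorted(summary['out'])}")


if __name__ == "__main__":
    code, advice = diagnose(summarize(SAMPLE))
    print(f"[{code}] {advice}")
```

Paste the sniffer output in place of SAMPLE (or read it from a file) and the script tells you which half of the path is broken: no "in" packets means multicast is being lost before the FortiGate, "in" without "out" points at the multicast-forward setting or the lan-to-internal5 multicast policy.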
