Does anyone have an idea how to handle connection tracking for Chromecast for the ip firewall?
Setup
- Mikrotik Chateau series, latest ROS
- Two bridges configured. Full access between all bridge ports
- One bridge is for "trusted" hosts: work machines etc, other bridge is for "untrusted" hosts: appliances and Chromecast
- mDNS setup and working correctly. Forwarding allowed between bridge interfaces
- IP firewalls configured to allow "trusted" to connect to "untrusted" on destination port 8008-8009.
- Both bridges have internet access
What's working
- Devices on "trusted" can see the Chromecast on "untrusted"
- Devices can start streaming to the Chromecast in a mode where it is streaming from YouTube etc. I.e. The control message is sent via 8008/8009 and the Chromecast streams from the internet.
What's not working
- Local LAN streaming (i.e. streaming from VLC)
In this mode, the streaming host opens a connection to the Chromecast control port on 8008/8009. The Chromecast then creates a return connection from the Chromecast to the streaming host on port 8010. If I allow this port back on the firewall rules, the streaming works correctly.
Firewall rules
I would like to have the router firewall rules to only allow traffic back to the streaming host if a request is made to the control port.
i.e.
- Streaming host on "trusted" creates a connection to the Chromecast on port 8008/8009
- Router allows Chromecast on "untrusted" traffic back only to the streaming host on port 8010
I had a few ideas, some of which might be a combination, but not sure on the direction.
- A connection tracking helper. This is similar to TFTP in nature. I'm not sure if it's even possible to load a custom connection tracking helper.
- Using the mangle filters to mark the connection somehow.
- Putting the address in an address list using a firewall rule and then referencing that later. Only thing with this approach is that I'd like the connection close to remove the address from the address list, which doesn't seem possible. I know a timeout is possible, but then the timeout just depends on the length of the media being watched.
- Transforming the packet via masquerade; if the transformed packet matches the connection, allow the original (not sure if this is possible).
Ideally I'd like to only match the SYN packet, since after the connection is established, the normal connection tracking mechanism can handle the packets.
Statistics: Posted by kanwhoa — Tue Apr 01, 2025 8:06 am
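As an added illustration (not part of the post above, and not a MikroTik-supplied configuration), this is how the third idea from the post, the address-list approach, looks as RouterOS filter rules. It assumes bridge names `bridge-trusted` and `bridge-untrusted` and a Chromecast address of `192.168.20.10`; all three are placeholders. The `add-src-to-address-list` action is non-terminating, so the SYN to the control port is both recorded and then accepted by the following rule, and only hosts present in the list may receive a new inbound connection on 8010 from the untrusted side. The list entry expires on the `address-list-timeout` rather than on connection close, which is exactly the caveat the post raises.

```routeros
# Added example, not from the original post.
# Placeholders: bridge-trusted, bridge-untrusted, 192.168.20.10 (Chromecast).
/ip firewall filter

# Let connection tracking handle everything after the first packet.
add chain=forward connection-state=established,related action=accept \
    comment="established/related: handled by conntrack"

# 1. Trusted host opens a control session to the Chromecast (8008/8009).
#    Record the host in an address list; rule processing continues.
add chain=forward connection-state=new protocol=tcp dst-port=8008-8009 \
    in-interface=bridge-trusted out-interface=bridge-untrusted \
    dst-address=192.168.20.10 \
    action=add-src-to-address-list address-list=cast-streamers \
    address-list-timeout=4h \
    comment="remember hosts that opened a Chromecast control session"

# 2. Accept the control connection itself.
add chain=forward connection-state=new protocol=tcp dst-port=8008-8009 \
    in-interface=bridge-trusted out-interface=bridge-untrusted \
    dst-address=192.168.20.10 action=accept \
    comment="trusted -> Chromecast control port"

# 3. Chromecast may open the media return connection on 8010, but only
#    towards a host that is currently in the address list.
add chain=forward connection-state=new protocol=tcp dst-port=8010 \
    in-interface=bridge-untrusted out-interface=bridge-trusted \
    src-address=192.168.20.10 dst-address-list=cast-streamers \
    action=accept \
    comment="Chromecast -> streaming host on 8010 (listed hosts only)"

# 4. Nothing else from the untrusted bridge may initiate towards trusted.
add chain=forward connection-state=new \
    in-interface=bridge-untrusted out-interface=bridge-trusted \
    action=drop comment="untrusted may not initiate towards trusted"
```

Check the result with `/ip firewall address-list print where list=cast-streamers` while a cast is running: the streaming host should appear with its remaining timeout, and the 8010 accept rule's counter in `/ip firewall filter print stats` should increase when local streaming starts. Rule 3 matches on `connection-state=new`, so it only ever sees the first packet of the 8010 flow; once accepted, the `established,related` rule carries the rest.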