Apple TVs and AirPlay can work across a segmented network without opening holes in your firewall or sacrificing network security.
You just received an email from a frazzled IT Director dealing with a professor’s escalated ticket regarding devices unable to mirror their screens to a TV.
It’s near the end of the work day and you’re wondering what has changed. An IT technician stated it used to work just fine.
You can’t help but think you’re missing a lot of information but you begin troubleshooting.
It’s common for environments to have some level of shadow IT: a department makes a large purchase of devices without verifying that they will work the way it intends to use them on a complex enterprise network.
Bonjour with Apple TV is one of those technologies that never fails to give me large headaches.
Apple TVs, AirPlay and Bonjour were designed for simple, flat networks. Many people found the functionality so easy to use that they brought it into the enterprise.
I’m going to go into how Apple TVs and AirPlay can work across a segmented network without sacrificing security by opening up holes on your network.
In my scenario I have the following pieces of equipment:
- Palo Alto Networks PA-820 firewall
- Network switch
- Mist AP45 access point broadcasting an SSID, Grogu, on VLAN 168
- iPhone 13 Pro
- Apple TV Model A1625 running tvOS 16.0 using Ethernet (no Wi-Fi connectivity) on VLAN 50
The PA-820 hosts the gateways for both subnets. There is one existing rule allowing any Wi-Fi device to use SSL and web browsing to a Philips Hue bridge.
My iPhone 13 Pro will connect to an SSID called Grogu which will provide an IP in the 192.168.168.0/24 subnet.
The Apple TV will be connected to the network on the same switch as my access point but will get an IP on the 192.168.50.0/24 subnet associated to VLAN 50.
Both of these networks are segmented by the PA-820 and network switch.
Discovering the Apple TV
We must first talk about how to protect an Apple TV from nefarious activity such as someone AirPlaying inappropriate content to it. First, require a passcode before a device can AirPlay to the Apple TV. Second, don’t set Allow Access to Everyone; limit it to Same Network.
Here’s what worked for me between subnets…
The Apple TV was set to Allow Access to the Same Network.
(Screenshot above: About Apple TV.)
An iOS or macOS device can discover an Apple TV via Bluetooth and peer-to-peer Wi-Fi without ever using the network. Apple has this documented and I’ve verified it works as described.
The Apple TV advertises its AirPlay capabilities using Bluetooth Low Energy (BLE); an Apple device in close proximity can then connect to it directly. The other discovery method is peer-to-peer Wi-Fi, using channels 149+1, 149,80 or 6.
My Apple devices were connected to the Wi-Fi network, Grogu. Because of the firewall, they were unable to discover the Apple TV; they weren’t even able to ping its IP. Bonjour discovery relies on multicast DNS (UDP 5353 to 224.0.0.251), which is link-local and is not forwarded between VLANs, so on a segmented network the Apple TV never shows up on its own.
But this is why I love the Palo Alto Networks firewalls. I created a security policy to allow AirPlay traffic sourced from the Wi-Fi network to the Apple TV.
- Source Zone: wifi
- Source address: any
- Destination Zone: iot
- Destination Address: Apple TV
In the firewall’s traffic log we can see the sessions from the Wi-Fi network to the Apple TV matching the apple-airplay App-ID on port 7000.
With Bluetooth disabled, it took about a minute for my iPhone to discover the Apple TV. With Bluetooth enabled, discovery was instant: because the phone was in close proximity, the Apple TV’s BLE advertisement, which carries its AirPlay capabilities along with its IP address, let the phone find it immediately, and the AirPlay session itself then went through the firewall rule.
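To make the discovery mechanics concrete, here is an added example, not part of the original post, that a technician could run from a laptop on the Wi-Fi subnet. It builds the Bonjour (mDNS) PTR query for _airplay._tcp that an iPhone sends, parses a reply (instance name, SRV port, A record, TXT keys) and performs a plain TCP check of the Apple TV’s port 7000, which is the unicast path the firewall rule permits. The sample reply bytes, the instance name Living Room, the hostname Apple-TV.local and the address 192.168.50.20 are constructed for the example; the TXT keys and model string are assumptions and do not come from the original page.

```python
"""Check AirPlay reachability from a client subnet (added example, constructed data).

Two things are exercised: the Bonjour/mDNS PTR query for _airplay._tcp that an
iPhone sends, and a direct TCP connection to the AirPlay port. mDNS is
link-local multicast (UDP 5353 to 224.0.0.251) that a Layer 3 boundary does not
forward; the TCP check is ordinary unicast that the apple-airplay rule allows.
"""
import socket
import struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353
AIRPLAY_SERVICE = "_airplay._tcp.local"
AIRPLAY_PORT = 7000  # port seen in the firewall traffic log for apple-airplay


def encode_name(name):
    """Encode a dotted DNS name into length-prefixed labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"


def build_mdns_query(service=AIRPLAY_SERVICE):
    """One-question PTR query; ID 0 as mDNS uses, QU bit set to ask for a unicast reply."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    return header + encode_name(service) + struct.pack("!HH", 12, 0x8001)


def read_name(data, offset):
    """Read a possibly compressed name; return (name, offset just past it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            offset, jumped = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF, True
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), end if jumped else offset
        labels.append(data[offset:offset + length].decode())
        offset += length


def parse_mdns_response(data):
    """Map AirPlay instance name -> {host, port, ip, txt} from one mDNS reply."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset, records = 12, []
    for _ in range(qd):  # skip any questions echoed in the reply
        _, offset = read_name(data, offset)
        offset += 4
    for _ in range(an + ns + ar):
        name, offset = read_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        records.append((name, rtype, data[offset:offset + rdlen], offset))
        offset += rdlen
    hosts = {n: socket.inet_ntoa(rd) for n, t, rd, _ in records if t == 1}  # A records
    services = {read_name(data, start)[0]: {}  # PTR rdata names the service instance
                for n, t, _, start in records if t == 12 and n == AIRPLAY_SERVICE}
    for name, rtype, rdata, start in records:
        if name not in services:
            continue
        if rtype == 33:  # SRV: priority, weight, port, target host
            port = struct.unpack("!HHH", rdata[:6])[2]
            target = read_name(data, start + 6)[0]
            services[name].update(host=target, port=port, ip=hosts.get(target))
        elif rtype == 16:  # TXT: length-prefixed key=value strings
            txt, i = {}, 0
            while i < len(rdata):
                key, _, value = rdata[i + 1:i + 1 + rdata[i]].decode().partition("=")
                txt[key] = value
                i += 1 + rdata[i]
            services[name]["txt"] = txt
    return services


def build_sample_response():
    """Constructed reply imitating an Apple TV on VLAN 50 (not a real capture).
    The instance name uses a compression pointer (0xC00C) back to the service
    name at offset 12, as real responders do."""
    instance = b"\x0bLiving Room\xc0\x0c"
    host = encode_name("Apple-TV.local")
    txt = b"".join(bytes([len(s)]) + s for s in
                   (b"deviceid=AA:BB:CC:DD:EE:FF", b"model=AppleTV5,3", b"srcvers=670.6.2"))
    srv = struct.pack("!HHH", 0, 0, AIRPLAY_PORT) + host

    def rr(name, rtype, ttl, rdata):  # one resource record, class IN + cache-flush bit
        return name + struct.pack("!HHIH", rtype, 0x8001, ttl, len(rdata)) + rdata

    return (struct.pack("!HHHHHH", 0, 0x8400, 0, 3, 0, 1)  # response, 3 answers, 1 additional
            + rr(encode_name(AIRPLAY_SERVICE), 12, 4500, instance)
            + rr(instance, 33, 120, srv)
            + rr(instance, 16, 4500, txt)
            + rr(host, 1, 120, socket.inet_aton("192.168.50.20")))


def discover(timeout=2.0):
    """Multicast the query on the local link and parse whatever answers (needs a network)."""
    found = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_mdns_query(), (MDNS_GROUP, MDNS_PORT))
        try:
            while True:
                data, _ = sock.recvfrom(4096)
                found.update(parse_mdns_response(data))
        except socket.timeout:
            pass
    return found


def airplay_port_open(ip, port=AIRPLAY_PORT, timeout=2.0):
    """Unicast check of the AirPlay port; this is the traffic the firewall rule must allow."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False
```

Run `parse_mdns_response(build_sample_response())` to see the fields a client extracts from a Bonjour reply; run `discover()` from the Wi-Fi VLAN and it returns nothing, because the multicast query never reaches the Apple TV’s VLAN, while `airplay_port_open("192.168.50.x")` succeeds as soon as the apple-airplay rule is in place. That is exactly the split the post describes: discovery arrives over BLE or peer-to-peer Wi-Fi, and the session itself goes through the firewall policy.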
An Even Easier Way
If you don’t want to create a policy for every Apple TV and are willing to be a little less secure, you can simply enable Bonjour Reflector on the affected interfaces of the firewall. In my example, that would be the interface where the Apple TV resides and the interface for Wi-Fi.
Bonjour (mDNS) traffic is then relayed between all interfaces that have Bonjour Reflector enabled, so every service advertised on those subnets becomes discoverable from the others, not just AirPlay. Note that the reflector only relays the multicast discovery packets; the AirPlay session itself is still unicast between the subnets and is still subject to security policy.
Personally, I prefer to be deterministic and secure with explicit firewall policy rules. I can easily see the traffic and the hit counters.