From 34a1314f8d9c4519511015c8555f1e03e1a8690d Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Tue, 24 Feb 2026 20:49:31 -0800 Subject: [PATCH] Document AirPlay cross-VLAN firewall rules and fix rule ordering MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit AirPlay from Main to IoT VLAN (Samsung Frame TV) required adding established/related, AirPlay port, and dynamic reverse port rules — but the root cause was rule ordering (allows appended after blocks). Co-Authored-By: Claude Opus 4.6 --- docs/changelog.d/main.infra.md | 1 + .../plans/completed/segment-home-network.md | 31 +++++++++---------- docs/reference/infrastructure/unifi.md | 2 +- 3 files changed, 17 insertions(+), 17 deletions(-) create mode 100644 docs/changelog.d/main.infra.md diff --git a/docs/changelog.d/main.infra.md b/docs/changelog.d/main.infra.md new file mode 100644 index 0000000..1bf745e --- /dev/null +++ b/docs/changelog.d/main.infra.md @@ -0,0 +1 @@ +Document AirPlay cross-VLAN firewall rules for Samsung Frame TV (established/related, AirPlay ports, dynamic reverse) and fix rule ordering in segment-home-network plan. diff --git a/docs/how-to/plans/completed/segment-home-network.md b/docs/how-to/plans/completed/segment-home-network.md index 5aba61d..38663e5 100644 --- a/docs/how-to/plans/completed/segment-home-network.md +++ b/docs/how-to/plans/completed/segment-home-network.md @@ -1,6 +1,6 @@ --- title: "Plan: Segment Home Network" -modified: 2026-02-14 +modified: 2026-02-24 tags: - how-to - plans 
@@ -88,30 +88,29 @@ Configured at Settings → Policy Engine → Traffic & Firewall Rules, using Zon All three networks (Default, IoT, Guest) are in the **Internal** zone. Default inter-VLAN policy is **allow**, so we add **block** rules. **Rule ordering matters** — allow rules must come before matching block rules. Rules are combined where the UI supports multiple destinations. +**Reordering rules:** The default Traffic & Firewall Rules view may grey out the Reorder button. Use the **Policy Engine → zone matrix view** (grid icon in the left sidebar under Policy Engine) instead — this view allows reordering. + | # | Name | Action | Source | Destination | Protocol/Port | Notes | |---|------|--------|--------|-------------|---------------|-------| -| 1 | Guest → Main,IoT block | Block | Guest | Default + IoT | All | Internet-only isolation, combined into one rule | -| 2 | IoT → Main streaming allow | Allow | IoT | 192.168.1.99 (indri) | TCP 443, 8096 | Jellyfin direct (8096) and Caddy (443) — must be BEFORE the block rule | -| 3 | IoT → Main block | Block | IoT | Default | All | Protect NFS and trusted devices | +| 1 | Allow established/related | Allow | Any | Any | All (Return Traffic only) | Allows return traffic for initiated connections; must be first | +| 2 | IoT → Main streaming allow | Allow | IoT | 192.168.1.99 (indri) | TCP 443, 8096 | Jellyfin direct (8096) and Caddy (443) | +| 3 | Main → IoT AirPlay | Allow | Default | 192.168.3.62 (Frame TV) | TCP+UDP 80,443,554,3689,5000-5001,7000-7001,7100,5353,6001-6002,7010-7011 | AirPlay control and streaming; add more IoT IPs as needed | +| 4 | IoT AirPlay → Main reverse | Allow | 192.168.3.62 (Frame TV) | Default | TCP+UDP 49152-65535 | AirPlay dynamic reverse connections; scoped to TV IP only. 
May be unnecessary — see note below | +| 5 | Guest → Main,IoT block | Block | Guest | Default + IoT | All | Internet-only isolation, combined into one rule | +| 6 | IoT → Main block | Block | IoT | Default | All | Protect NFS and trusted devices | ### Notes on Firewall Rules -**IoT streaming:** Jellyfin listens on indri:8096 (HTTP). IoT devices (Frame TV) connect directly to `http://192.168.1.99:8096`. Rule 2 allows this specific port; all other Main network access from IoT is blocked by rule 3. The `*.ops.eblu.me` domain resolves to indri's Tailscale IP (100.x.x.x), which is unreachable from non-Tailscale devices, so IoT devices must use the LAN IP directly. +**Rule ordering is critical.** The zone-based policy engine evaluates rules by their index (display order). Allow rules placed after block rules are never reached. When creating new rules, they are appended at the end — use the zone matrix view to reorder them above the block rules. -**Indri static IP:** Set a DHCP reservation for indri at 192.168.1.99 in the UX7 client list to ensure the firewall rule remains valid. +**AirPlay across VLANs** requires: (1) mDNS reflector enabled on both networks for device discovery, (2) allow rules for AirPlay control ports from Main → TV, and (3) the established/related rule (rule 1) to allow return traffic. Rule 4 (dynamic reverse ports) was added during troubleshooting but may not be necessary — the original failure was caused by rule ordering (allow rules placed after block rules), not missing port rules. If tightening the firewall in the future, try disabling rule 4 and testing whether AirPlay still works with just the established/related rule. The TV IP (192.168.3.62) has a fixed DHCP reservation. + +**IoT streaming:** Jellyfin listens on indri:8096 (HTTP). IoT devices (Frame TV) connect directly to `http://192.168.1.99:8096`. Rule 2 allows this specific port; all other Main network access from IoT is blocked by rule 6. 
The `*.ops.eblu.me` domain resolves to indri's Tailscale IP (100.x.x.x), which is unreachable from non-Tailscale devices, so IoT devices must use the LAN IP directly. + +**DHCP reservations:** Indri at 192.168.1.99 and Frame TV at 192.168.3.62 — both have fixed IPs to ensure firewall rules remain valid. **NFS exports:** No changes needed to sifaka's NFS configuration. The exports whitelist `192.168.1.0/24` — after segmentation, only Main network devices are on that subnet. IoT (192.168.3.0/24) and Guest (192.168.2.0/24) can't reach NFS because they're on different subnets. The firewall rules provide defense-in-depth. -## Verification - -After applying the configuration: - -- [x] From Main device: internet works, can reach all services, can reach sifaka -- [x] From IoT device: internet works, can stream Jellyfin (8096), CANNOT reach sifaka -- [ ] From Guest device: internet works, CANNOT reach any internal service -- [ ] AirPlay/casting from Main to IoT TV works (mDNS reflector) -- [x] All wired devices (indri, sifaka, gilbert) unaffected on default VLAN - ## Future Considerations - **UnPoller** — add Prometheus metrics exporter for UniFi gear, integrates with existing Grafana stack diff --git a/docs/reference/infrastructure/unifi.md b/docs/reference/infrastructure/unifi.md index c848fdd..5c20ee9 100644 --- a/docs/reference/infrastructure/unifi.md +++ b/docs/reference/infrastructure/unifi.md @@ -1,6 +1,6 @@ --- title: UniFi -modified: 2026-02-14 +modified: 2026-02-24 tags: - infrastructure - networking
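Review bot: In the `docs/how-to/plans/completed/segment-home-network.md` hunk at `@@ -88,30 +88,29 @@`, rule 3 (`Main → IoT AirPlay`, Allow, Default → 192.168.3.62) looks redundant under the policy the same section states: "Default inter-VLAN policy is **allow**, so we add **block** rules". No rule in the new table blocks Default → IoT, so Main-initiated traffic to the TV is already permitted, and the new rule 1 (established/related) already covers its return path. If rule 3 is kept as a record of the ports AirPlay uses, say so in its Notes cell; otherwise the "Rule ordering is critical" paragraph should name the block rule it must sit ahead of. Rule 4 is the rule that actually widens the IoT → Main boundary (the TV may initiate TCP+UDP 49152-65535 to any host on Default, ahead of the rule 6 block), and the notes already concede it "may not be necessary" while the commit message says AirPlay "required adding ... dynamic reverse port rules"; rather than landing a rule the doc itself suspects is dead, either test with it disabled before merging or list that test as an open item instead of a "try ... in the future" aside. Finally, the `## Verification` checklist is deleted outright, yet its unchecked item `- [ ] AirPlay/casting from Main to IoT TV works (mDNS reflector)` is exactly what this change resolved; keep the section and tick that box (and the Guest one once tested) rather than losing the record.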
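Review bot: The `docs/reference/infrastructure/unifi.md` hunk changes only the frontmatter `modified` date (`2026-02-14` → `2026-02-24`) with no content change in the file, as the diffstat `2 +-` confirms. Either drop the date bump or add the reference update that justifies it; the zone matrix reorder tip and the AirPlay port list documented in the plan are the kind of material that belongs in the UniFi reference page.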