Chromecast, DMZ & WPA-EAP

You may have recently seen the article about the FBI recommending that all IoT devices be placed on their own networks for security purposes, the reasoning being that security in IoT devices has been notoriously bad and, in some cases, non-existent.

That got me thinking about the Chromecast sitting on my LAN and looking for ways to make it more secure. The unfortunate thing about the Chromecast is that it does not support WPA-EAP security, only WPA-PSK. Luckily, I also have an “Ultra” version, which supports 4K and has an Ethernet port; without that Ethernet port I would be forced to dumb down my WiFi to make the Chromecast work.

What I found out, through much trial and error, is that the Chromecast uses mDNS to find the network components it needs to establish its connections. All of my attempts were failing because mDNS was not propagating across broadcast domains. The missing piece was “Avahi”, available as a package in pfSense, which forwards mDNS requests across broadcast domains.

Once this package was in place, the Chromecast was able to configure itself correctly in the wired DMZ portion of my network. Moreover, with mDNS being forwarded across selected broadcast domains, WiFi clients can stream to the IoT device while using the much more secure WPA-EAP protocol, which the Chromecast's own wireless NIC does not support (it only supports WPA-PSK).
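To confirm that Avahi is actually carrying the Chromecast's announcements into a given segment, here is an added example (my own code, not from this post, pfSense or Avahi) that multicasts a DNS-SD PTR query for `_googlecast._tcp.local`, the service type a Chromecast advertises, and parses the replies; run it from the LAN, guest WiFi and VPN segments, and an empty result from one of them means mDNS is not crossing that broadcast domain. The address `192.0.2.10` and instance name in the comment are constructed illustrations.

```python
import socket
import struct
MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353
CAST_SERVICE = "_googlecast._tcp.local"  # DNS-SD service type a Chromecast advertises

def encode_name(name):
    # DNS wire format: length-prefixed labels terminated by a zero byte.
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"

def build_query(name=CAST_SERVICE):
    # Header: ID 0, flags 0, one question. Question: name, QTYPE PTR (12), QCLASS IN (1).
    return struct.pack("!6H", 0, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!2H", 12, 1)

def decode_name(msg, off):
    # Reads a name, following RFC 1035 compression pointers; returns (name, offset past the field).
    n = msg[off]
    if n & 0xC0 == 0xC0:  # pointer: the rest of the name is stored at an earlier offset
        return decode_name(msg, int.from_bytes(msg[off:off + 2], "big") & 0x3FFF)[0], off + 2
    if n == 0:
        return "", off + 1
    rest, end = decode_name(msg, off + 1 + n)
    label = msg[off + 1:off + 1 + n].decode()
    return (label + "." + rest if rest else label), end

def parse_ptr_answers(msg):
    # Returns the PTR targets (service instance names) found in the answer section.
    _, _, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    off, found = 12, []
    for _ in range(qd):  # legacy-unicast replies echo the question; skip it
        off = decode_name(msg, off)[1] + 4
    for _ in range(an):
        _, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 12:
            found.append(decode_name(msg, off)[0])
        off += rdlen
    return found

def discover(timeout=2.0):
    # Multicast the query; from a non-5353 source port responders reply unicast to us (RFC 6762 legacy query).
    seen = set()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(), (MDNS_GROUP, MDNS_PORT))
        while True:
            try:
                data, (addr, _) = sock.recvfrom(4096)
            except socket.timeout:
                return sorted(seen)  # e.g. [("192.0.2.10", "Living-Room-TV._googlecast._tcp.local")]
            seen.update((addr, name) for name in parse_ptr_answers(data))
```

Call `discover()` from a host in each segment; the Chromecast's reply must also be allowed back through the firewall rules between the DMZ and that segment, so a missing entry can point at either mDNS reflection or a blocked reply.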

This solution has the added benefit of allowing clients on the Guest WiFi (WPA-EAP, VLAN99) to cast to the IoT device sitting in the DMZ. All of this is accomplished without enabling “Guest Mode” on the Chromecast and without having to drop down to a less secure form of WiFi security. Moreover, I found that I now have the ability to cast content from my Plex server when connected over VPN, via the LAN, the DMZ, or the guest WiFi.

So, with a little trial and error, I've essentially set up my IoT device to work securely from 4 different networks while isolating it in a DMZ network. Of course, there are lots of firewall rules to make it all happen; if you want to know more, head to the Home Lab section for the configuration specifics and some examples.