

how to enable chromecast on Sophos XG

Hello,

I need your help for making chromecast work again on my LAN. I had to restrict the protocols on my LAN.

My current setup is: Sophos XG, all devices on the LAN are allowed to use: http, https, smtp, smtps, imap, ping.

As a result, the chromecast stick cannot be accessed by my ipad or similar devices. He has been assigned a static LAN IP address - 192.168.2.8

There are no vlans defined that would separate Wifi from LAN etc.

On other threads here in this forum, especially this one, I found the ports necessary to be opened up for my chromecast stick:

 How do I enable multicast to allow communication to Google Chromecast across VLANs? 

  • Allow high UDP ports both incoming and outgoing. "High ports" are the local ports usually ranging 32768-61000.   - done
  • Allow both TCP ports 8008 and 8009 outbound to the Chromecast device.  - done

I did this by adding a separate rule to "rules and policies" specifically for chromecast only: (currently rule status OFF as it didn't work when enabled, until it's configured properly)

the "chromecast ports" I defined as such:

Is that properly done?

But how can I configure the next one required?

  • Allow the special SSDP packets outbound (which is UDP traffic to the multicast IP 239.255.255.250, destination port 1900) which is used to check for other Google devices in the same network. Google devices reply with the Source IP to this packet.

Please, I need a step-by-step guide on how to configure that: I cannot find any menu where I could enter a specific IP address for allowing chromecast to use it or block it.

And will these be sufficient so that I can access the chromecast stick via an ipad on my LAN to tell him what to stream?

Many thanks, 

Alex.



  • And will these be sufficient so that I can access the chromecast stick via an ipad on my LAN to tell him what to stream?

    No. You must allow DNS also, otherwise the Chromecast cannot perform lookups for sites.

    EDIT. I see that you want it to be accessible by devices on your LAN. If you are trying to control the Chromecast from your iPad to watch content online, you will need to add DNS to the allowed services in the firewall rule.

    I am not asking for a problem with web access by chromecast. I am asking one step before - I cannot reach chromecast within my LAN.

    You can reach it since it replies to ping commands. That means it's on the same network. As a result, the issue is almost certainly DNS related since it is not in the allowed services, unless you have an allow rule below that allows DNS outbound from your LAN/WiFi to the WAN.

  • Alan,

    that did the trick! Just allowed DNS, now everything works.

    Many thanks and best regards!

    Alex.

  • I'm glad it worked out. Now you know about allowing DNS. One other thing you should consider is that a firewall rule is not needed for devices on your LAN to access other devices on your LAN, since the data doesn't go through the firewall except for special circumstances, such as using inter-VLANs.

    The long reason is because a switch operates on layer 2 of the OSI model, which deals with the MAC addresses of the devices connected to it instead of their IP addresses (the router, layer 3), and the switch "knows" where to send data from one device to the other based on which device has the correct MAC address. 

    EDIT: I don't want to confuse you. A firewall rule IS needed for devices coming from the LAN zone going to the WAN zone. Not from the LAN zone to the LAN zone.
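The outcome of this thread (the Chromecast rule covered SSDP, TCP 8008/8009 and the high UDP ports, but outbound DNS was still missing) can be checked against a rule set mechanically. The following is an added example, not code from the thread or from Sophos: it models the poster's allowed services as simple protocol/port/destination entries and reports which flows a Chromecast needs are still blocked. The rule model, the service list and the example resolver address 8.8.8.8 are assumptions for illustration; the port numbers are those quoted in the thread.

```python
# Added example (not from the thread): model the LAN firewall rules described
# above and report which required Chromecast flows no rule allows.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Service:
    proto: str                # "tcp", "udp" or "icmp"
    ports: tuple              # (low, high) inclusive; ignored for icmp
    dest: str = "0.0.0.0/0"   # destination network the entry applies to

    def allows(self, proto, port, dst_ip):
        if proto != self.proto:
            return False
        if proto != "icmp" and not (self.ports[0] <= port <= self.ports[1]):
            return False
        return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dest)

# Services the poster already allowed on the LAN (assumed standard ports).
BASE_RULE = [
    Service("tcp", (80, 80)), Service("tcp", (443, 443)),
    Service("tcp", (25, 25)), Service("tcp", (465, 465)),
    Service("tcp", (143, 143)), Service("icmp", (0, 0)),
]

# The "chromecast ports" rule: high UDP ports, TCP 8008/8009 to the stick, SSDP.
CHROMECAST_RULE = [
    Service("udp", (32768, 61000)),
    Service("tcp", (8008, 8009), dest="192.168.2.8/32"),
    Service("udp", (1900, 1900), dest="239.255.255.250/32"),
]

# Flows the Chromecast needs: (description, proto, port, destination).
# 8.8.8.8 is only an example resolver; substitute the one the LAN uses.
REQUIRED_FLOWS = [
    ("SSDP discovery", "udp", 1900, "239.255.255.250"),
    ("cast control TCP 8008", "tcp", 8008, "192.168.2.8"),
    ("cast control TCP 8009", "tcp", 8009, "192.168.2.8"),
    ("high UDP port", "udp", 40000, "192.168.2.8"),
    ("DNS lookup", "udp", 53, "8.8.8.8"),
]

def missing_flows(rules):
    """Return descriptions of required flows that no entry in `rules` allows."""
    return [desc for desc, proto, port, dst in REQUIRED_FLOWS
            if not any(s.allows(proto, port, dst) for s in rules)]

if __name__ == "__main__":
    print(missing_flows(BASE_RULE + CHROMECAST_RULE))  # DNS is still blocked
    print(missing_flows(BASE_RULE + CHROMECAST_RULE + [Service("udp", (53, 53))]))
```

As the thread notes, LAN-to-LAN traffic through a single switch never reaches these rules; the checker is only meaningful for flows that cross zones, such as the DNS lookup to the WAN.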
