Watch Apple TV over secure guest WiFi

Create a guest SSID that allows access to Bonjour services like Apple TV while blocking access to the rest of your network.

Recently we looked at a great way to set up secure guest WiFi that works for most networks, and now want to expand on some other deployment scenarios. A common requirement for guest wireless is to allow guests to access Apple TVs. To accomplish this, Bonjour traffic must pass from the secure guest VLAN to the Apple TV VLAN. Fortunately, this doesn’t mean guest WiFi needs to be any less secure. Below we will set up a secure guest SSID with bonjour forwarding.

1. Put the guest SSID in Bridge mode

Normally NAT mode is recommended for customers setting up guest WiFi. NAT mode automatically isolates clients from each other and allows for a clean segmentation from the rest of your network (assuming firewall rules are in place). But this does not meet the needs of every deployment scenario. Due to the client isolation inherent in NAT mode, even an Apple TV on the same wireless network cannot communicate with wireless clients. In the screenshot below we put our SSID in Bridge mode, and pick a VLAN for the guest traffic.

Bridge-Mode-Guest-Access

 

2. Configure Bonjour forwarding

Bonjour traffic is multicast traffic, therefore it will only travel within its own VLAN/broadcast domain. Below we show how to configure Bonjour forwarding to send Bonjour multicast traffic to the VLAN where our services reside. For this discussion, I’ll assume all the Apple TV is on VLAN 10. Simply enter the service VLAN and select the service from the pre-populated list.

Configure-bonjour-forwarding

 

3. Set firewall rules allowing traffic to Bonjour services

Finally, we should lock down our guest SSID. Access control lists are enforced in order;  the first item will allow traffic to the IP address range of VLAN 10, the VLAN we assigned to the Apple TV. The second rule denies access to the “Local LAN”, dropping all traffic destined for class A, B, or C private IP addresses. The third rule allows access to everything else, giving guests access to internet resources. These rules will grant access to the resources needed (internet and Apple TV) while segmenting guest traffic from the rest of the network.

Firewall-rules-bonjour-forwarding

 

We have enabled guests to access Apple TV while isolating guest traffic from the rest of the network. Keep us posted on other use cases you’d like to see explained here or during our weekly webinars.