What have I been puzzling over on and off for the last few weeks? Enabling AirPlay discovery across VLANs.
The school I work at has been deploying Apple TVs to a lot of classrooms over the last several months, initially to solve a problem that Apple themselves had caused with buggy firmware for the Thunderbolt ports on their new MacBooks. Our teachers rely a lot on projectors, and the fact that around 30 of them were suddenly unable to project from their brand new computers caused a huge problem. Enter Apple TV. The fact that you can use an Apple TV to mirror your computer’s display wirelessly was a huge hit with a lot of teachers who were tired of plugging and unplugging cables every time they wanted to put something up on the projector. Of course, the introduction of around 30 Apple TVs was not without its own problems: our wireless network started taking a hit from all the added traffic, particularly when teachers wanted to stream video from their computer (over wireless) onto the Apple TV in their room (never mind that Apple TVs have Netflix, YouTube, and Vimeo apps installed, which would let users cut out the middleman of the computer).
Along with the influx of Apple TVs has come a wave of iPads and a lot of smart people thinking about educational uses for iPads.
Now all of this is great, and a lot of the kinks have been worked out or are being worked out by getting the Apple TVs hooked up to ethernet ports rather than going over wireless, and by trying to figure out who still needs Apple TVs since the release of Apple’s Thunderbolt firmware 1.1 update, which solved the problem that got us so many Apple TVs in the first place. The big problem now is figuring out how to make our Apple TVs available to guest presenters during conferences and the like.
Our network is split up into several VLANs based on function, with students and faculty on networks that have their access controlled by a RADIUS server that looks at MAC addresses. We also have a WPA2-secured guest network for guests (duh). For individual guests who need access to functions on the access-controlled networks, it’s not too difficult to put their MAC in the system temporarily and remove them again when they leave, but that becomes impractical with high volumes of guests on campus. Logistically, it’s just too difficult to collect a thousand MAC addresses or even just a hundred for all the presenters at a conference, let alone spending the time, even with a script automating the process, to add and later remove all these clients from our RADIUS server.
Now if things were simple, we could just put a temporary hole in the firewall to allow traffic between the guest network and the network that has our Apple TVs on it. Unfortunately, Apple, in their desire to make everything as simple as possible, uses Bonjour (their implementation of multicast DNS) to make AirPlay-capable devices work together with almost zero user intervention. Bonjour advertisement and discovery messages go out over link-local multicast, making it impossible, at least in an IPv4 setting, to ever get them out beyond Layer 2.
So what’s the solution?
Avahi is a FOSS implementation of mDNS that, with the flip of a boolean switch in its config file, can reflect Bonjour packets between subnets.
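As an added example (not from the original post, and not Avahi's shipped default config), here is what that switch looks like in `avahi-daemon.conf`, scoped so that the reflector only bridges the two VLANs that need it and only repeats the AirPlay-related service types. The interface names are assumptions; substitute the VLAN interfaces on whatever host runs the reflector. The `reflect-filters` key is my addition on top of the boolean switch and is only honoured by Avahi 0.8 and later; without it, every service advertised on the Apple TV VLAN (printers, file shares, other Macs) becomes discoverable from the guest VLAN, which is more than guest presenters need to see.

```ini
# /etc/avahi/avahi-daemon.conf
# Added example: a minimal reflector-only configuration for a host that sits on
# both the Apple TV VLAN and the guest VLAN. Interface names are assumptions.

[server]
# Only listen on the two VLAN interfaces that should exchange discovery traffic.
# Assumed: eth0.10 = Apple TV VLAN, eth0.20 = guest VLAN.
allow-interfaces=eth0.10,eth0.20
use-ipv4=yes
use-ipv6=no
# Refuse to run alongside another mDNS stack on this host.
disallow-other-stacks=yes

[publish]
# The reflector host should not advertise any services of its own.
disable-publishing=yes
publish-workstation=no

[reflector]
# The boolean switch from the text: repeat mDNS queries and answers between the
# interfaces listed in allow-interfaces.
enable-reflector=yes
# Do not translate between IPv4 and IPv6 records.
reflect-ipv=no
# Avahi 0.8+: reflect only the AirPlay (mirroring) and RAOP (audio) service
# types, so the rest of the internal VLAN stays invisible to guests.
reflect-filters=_airplay._tcp.local,_raop._tcp.local
```

Reflection only carries the discovery step. Once a guest's Mac has learned an Apple TV's address, the mirroring session itself is ordinary unicast traffic between the two VLANs, so the firewall still needs a rule permitting that traffic from the guest VLAN to the Apple TV VLAN (and nothing else); the reflector does not open that path for you.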
I’m still reading through documentation and seeing how Avahi can be implemented in our network with as little extra strain on the infrastructure as possible, but in the meantime, here are a couple of articles touching on the subject from packetmischief.ca and Prolixium dot com.