Apple TV Across Networks
--
How to make Apple TV work across network boundaries using iptables and mdns-repeater.
The Apple TV occupies something of a gray area in a home network. It is both a media player that you stream to from your phone or laptop and a hub for HomeKit IoT devices. If you segment those two worlds into separate networks for security reasons, where do you put the Apple TV? It has to reach every IoT device directly, yet user devices still have to be able to stream to it.
Typically these two networks are distinct subnets such as 10.0.1.0/24 and 10.0.2.0/24. Let's say 10.0.1.0/24 is the privileged "user" network, holding devices that want to stream content to an Apple TV but that should not be exposed to whatever security problems live on the 10.0.2.0/24 unprivileged IoT network. Conversely, the Apple TV needs direct addressability to the myriad IoT devices on the 10.0.2.0/24 unprivileged network, so you also want to put it there.
One answer to this conundrum is to put the Apple TV in a DMZ and then poke the necessary holes through to both the IoT and the user networks. But if you do that, the Apple TV is local to no network that uses it, and your DMZ is Swiss cheese. So, to simplify things, we could put the Apple TV directly on one of the two existing networks, where the firewall rules that cross the boundary can be kept to a minimum.
Rather than locating the Apple TV on the 10.0.1.0/24 privileged network and adding blanket rules that let any IoT device reach the privileged network, it makes more sense to put the Apple TV on the 10.0.2.0/24 unprivileged IoT network and add a single blanket rule that lets user devices stream to it. In other words, keep the Apple TV where it can directly initiate connections to the IoT devices, and don't allow it to send traffic into the user network unless that traffic is a reply to a connection a user device opened (a stateful firewall handles this: only ESTABLISHED/RELATED traffic is allowed back). This fits most neatly with the way a HomeKit hub wants to operate (initiate traffic directly to IoT devices) and with the way an Apple TV answers streaming requests: it only talks to the privileged network once a user device has opened the session.
A similar quandary exists on a corporate network, although not necessarily because the Apple TV is running a HomeKit hub. You still need to bridge the network divide and, importantly, make the mDNS traffic on one network show up on the other, since mDNS is link-local multicast and is never routed across subnets on its own. More on this later.