Apple TV Across Networks

How to make Apple TV work across network boundaries using iptables and mdns-repeater.

Apple TV HD

The Apple TV exists in somewhat of a gray area in a home network. It is both a media player which you might screencast to and a hub for HomeKit IoT devices. If you happen to segment those two networks for security reasons, where do you put the Apple TV? It has to be able to directly reach all the IoT devices but user devices should still be able to stream to it.

Typically these two networks are distinct subnets like 10.0.1.0/24 and 10.0.2.0/24. Let’s say 10.0.1.0/24 is the privileged “user” network with devices that want to stream content to an Apple TV but with an interest in not being exposed to the security issues coming from the 10.0.2.0/24 unprivileged IoT network. Conversely, the Apple TV will need direct addressability to the myriad IoT devices in the 10.0.2.0/24 unprivileged network, so you also want to put it there.

One answer to this conundrum is to put the Apple TV in a DMZ and then poke the necessary holes for the IoT and user networks. But if you are doing that, then the Apple TV is local to no network that uses it and your DMZ is Swiss cheese. So to simplify things, we could put the Apple TV directly on one of the two existing networks where port forwards are kept to a minimum.

Rather than locating the Apple TV on the 10.0.1.0/24 privileged network and adding blanket rules allowing any IoT device to get to the privileged network, it probably makes more sense to put the Apple TV on the 10.0.2.0/24 unprivileged IoT network and add a blanket rule for user devices to stream to it. In other words, keep the Apple TV where it can directly initiate network connections to the IoT devices and don’t allow it to send traffic to the user network unless it is in response to a user network request. This seems to most neatly fit with the way a HomeKit hub wants to operate (initiate network traffic directly to IoT devices) and the way an Apple TV should initiate connections back to the privileged network in response to streaming requests.

A similar quandary exists on a corporate network although not necessarily because the Apple TV is operating a HomeKit hub. You still need to jump the network divide and importantly make the mDNS traffic on one network show up on another. More on this later.

The best way to do this (if it were possible) would be for the Apple TV to exist simultaneously on both networks. As Apple TVs only have one Ethernet port, that’s not going to work out of the box. Presumably Apple could either allow the Apple TV to use both Ethernet and WiFi at the same time or add 802.1Q VLAN support to the Ethernet port. Alas, I don’t have the kind of sway within Apple to get any of this done! (not even close)

So we’re left poking some holes between networks. Let’s look at how we might do that.

Apple TV Streaming Ports

In order to support streaming from users on a privileged network to an Apple TV on an unprivileged network, you might allow unrestricted privileged traffic to the Apple TV and then let the Apple TV initiate connections back to the privileged network on the following ports (plus the RELATED and ESTABLISHED traffic belonging to those flows). The iptables rules below also open TCP 7001 and 7100, so they are listed here as well:

TCP port 3689 (DAAP / Home Sharing)
TCP port 5000 (AirPlay audio, RAOP)
TCP port 7000 (AirPlay)
TCP port 7001
TCP port 7100
UDP port 7010
UDP port 7011
UDP ports 49152 through 65535
TCP port 32400
UDP port 1900 (SSDP)
TCP port 3005
UDP port 5353 (mDNS)
TCP port 32469
UDP port 32410
UDP port 32412
UDP port 32413
UDP port 32414

Not all of these are Apple’s. TCP 32400, 3005 and 32469 and UDP 1900 and 32410 through 32414 are the ports Plex uses (the media server, Plex Companion, DLNA/SSDP and GDM discovery); if you do not run Plex on the Apple TV, leave them out. The UDP range 49152 through 65535 is by far the widest hole in the list, so it is worth confirming with tcpdump on your own setup that you actually need all of it.

This is how that might boil down to iptables commands if the Apple TV IP is 10.0.2.10 on the 10.0.2.0/24 unprivileged network and 10.0.1.0/24 is the privileged network. The rules assume the FORWARD chain already ends in a DROP (as its default policy or a final rule); without that they permit things but restrict nothing. Note that only the Apple TV’s address, not the whole IoT subnet, gets the unprivileged -> privileged rules, so the other IoT devices still cannot initiate anything toward the user network:

# privileged -> unprivileged - allow all traffic
iptables -A FORWARD -s 10.0.1.0/24 -d 10.0.2.0/24 -j ACCEPT
# unprivileged -> privileged - allow the Apple TV to open NEW connections, by port
iptables -A FORWARD -s 10.0.2.10/32 -d 10.0.1.0/24 -p tcp -m tcp --dport 3689 -m state --state NEW -j ACCEPT
iptables -A FORWARD -s 10.0.2.10/32 -d 10.0.1.0/24 -p tcp -m tcp --dport 5000 -m state --state NEW -j ACCEPT
iptables -A FORWARD -s 10.0.2.10/32 -d 10.0.1.0/24 -p tcp -m tcp --dport 7000 -m state --state NEW -j ACCEPT
iptables -A FORWARD -s 10.0.2.10/32 -d 10.0.1.0/24 -p tcp -m tcp --dport 7001 -m state --state NEW -j ACCEPT
iptables -A FORWARD -s 10.0.2.10/32 -d 10.0.1.0/24 -p tcp -m tcp --dport 7100 -m state --state NEW -j ACCEPT
iptables -A FORWARD -s 10.0.2.10/32 -d 10.0.1.0/24 -p udp -m udp --dport 7010 -j ACCEPT
iptables -A FORWARD -s 10.0.2.10/32 -d 10.0.1.0/24 -p udp -m udp --dport 7011 -j ACCEPT
# a single port range does not need the multiport match
iptables -A FORWARD -s 10.0.2.10/32 -d 10.0.1.0/24 -p udp -m udp --dport 49152:65535 -j ACCEPT
# the remaining ports are only needed if Plex runs on the Apple TV
iptables -A FORWARD -s 10.0.2.10/32 -d 10.0.1.0/24 -p tcp -m tcp --dport 32400 -m state --state NEW -j ACCEPT
iptables -A FORWARD -s 10.0.2.10/32 -d 10.0.1.0/24 -p udp -m udp --dport 1900 -j ACCEPT
iptables -A FORWARD -s 10.0.2.10/32 -d 10.0.1.0/24 -p tcp -m tcp --dport 3005 -m state --state NEW -j ACCEPT
iptables -A FORWARD -s 10.0.2.10/32 -d 10.0.1.0/24 -p udp -m udp --dport 5353 -j ACCEPT
iptables -A FORWARD -s 10.0.2.10/32 -d 10.0.1.0/24 -p tcp -m tcp --dport 32469 -m state --state NEW -j ACCEPT
iptables -A FORWARD -s 10.0.2.10/32 -d 10.0.1.0/24 -p udp -m udp --dport 32410 -j ACCEPT
iptables -A FORWARD -s 10.0.2.10/32 -d 10.0.1.0/24 -p udp -m udp --dport 32412 -j ACCEPT
iptables -A FORWARD -s 10.0.2.10/32 -d 10.0.1.0/24 -p udp -m udp --dport 32413 -j ACCEPT
iptables -A FORWARD -s 10.0.2.10/32 -d 10.0.1.0/24 -p udp -m udp --dport 32414 -j ACCEPT
# unprivileged -> privileged - allow replies and RELATED traffic for flows accepted above.
# This must cover the whole IoT subnet, not just the Apple TV, or answers to the
# privileged -> unprivileged rule from other IoT devices never make it back.
iptables -A FORWARD -s 10.0.2.0/24 -d 10.0.1.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
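The same rule set as a generated, reviewable script. This is an added example, not the article’s own commands: it keeps the same subnets and port list, but puts the rules in a dedicated chain (ATV_FWD is a hypothetical name), matches ESTABLISHED,RELATED first using the conntrack match, and ends in a rate-limited LOG plus DROP so that anything not listed (for example a port Apple adds in a later release) is recorded rather than silently lost. Run without arguments it only prints the iptables commands; `apply` pipes them to sh and has to run as root on the router.

```shell
#!/bin/sh
# Added example: generate FORWARD rules for an Apple TV living on the IoT subnet.
# Layout assumed from the article: privileged 10.0.1.0/24, unprivileged IoT
# 10.0.2.0/24, Apple TV at 10.0.2.10. All three can be overridden via environment.
PRIV_NET=${PRIV_NET:-10.0.1.0/24}
IOT_NET=${IOT_NET:-10.0.2.0/24}
ATV=${ATV:-10.0.2.10}
CHAIN=${CHAIN:-ATV_FWD}    # hypothetical chain name, not from the article

# Ports the Apple TV may open *toward* the privileged network (article's list
# plus the 7001/7100 rules). Drop the Plex ports if you do not run Plex.
ATV_TCP="3689 5000 7000 7001 7100 32400 3005 32469"
ATV_UDP="7010 7011 49152:65535 1900 5353 32410 32412 32413 32414"

# Print the commands instead of running them so the rule set can be reviewed
# (and tested) before it touches a live firewall.
gen_rules() {
    # Create the chain, or flush it if it already exists (re-runnable).
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    # Hook the chain only for traffic between the two subnets, both directions;
    # -C makes the hook idempotent so re-running does not stack duplicates.
    echo "iptables -C FORWARD -s $PRIV_NET -d $IOT_NET -j $CHAIN 2>/dev/null || iptables -A FORWARD -s $PRIV_NET -d $IOT_NET -j $CHAIN"
    echo "iptables -C FORWARD -s $IOT_NET -d $PRIV_NET -j $CHAIN 2>/dev/null || iptables -A FORWARD -s $IOT_NET -d $PRIV_NET -j $CHAIN"
    # Replies to already-accepted flows come first: this is what lets the stream
    # data flow back to user devices, whichever IoT host answers.
    echo "iptables -A $CHAIN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # privileged -> unprivileged: anything may go to the IoT side.
    echo "iptables -A $CHAIN -s $PRIV_NET -d $IOT_NET -j ACCEPT"
    # unprivileged -> privileged: only the Apple TV, only on the listed ports.
    for p in $ATV_TCP; do
        echo "iptables -A $CHAIN -s $ATV -d $PRIV_NET -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    for p in $ATV_UDP; do
        echo "iptables -A $CHAIN -s $ATV -d $PRIV_NET -p udp --dport $p -j ACCEPT"
    done
    # Everything else from the IoT side is logged (rate limited) and dropped, so
    # a port that is missing from the list shows up in the kernel log.
    echo "iptables -A $CHAIN -m limit --limit 10/min -j LOG --log-prefix 'ATV-DROP: '"
    echo "iptables -A $CHAIN -j DROP"
}

case "${1:-}" in
    apply) gen_rules | sh -e ;;   # run as root on the router
    *)     gen_rules ;;           # default: print for review
esac
```

Because the hook rules send only inter-subnet traffic through the chain, the final DROP does not affect anything else the router forwards, and other IoT devices never match an ACCEPT on the way to the user network.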

OK so now we can stream to the Apple TV on an unprivileged network but we still have one major issue left to deal with. How do devices on the privileged network find the Apple TV on the unprivileged network? mDNS broadcasts won’t just magically jump from one network to another.

Bridging mDNS Broadcasts

If you are using Linux to route your networks (which I assume you are if you are using iptables) then you can use a simple little app called mdns-repeater (https://github.com/anders94/mdns-repeater — my changes are only logging related) that can bridge mDNS broadcasts across multiple ethernet interfaces.

Once compiled, invoke mdns-repeater with the interfaces you want to bridge. When an mDNS packet is received on one interface it is copied to all the other interfaces in the list, in both directions and without any filtering: every service advertised on the IoT network (cameras, printers, the HomeKit accessories themselves) becomes discoverable from the user network, and every Bonjour service on user devices (file sharing, screen sharing and so on) is advertised to the IoT network. Discovery is not access, since the FORWARD rules still decide what can actually connect, but be aware that the repeater widens what each side can see. In our example, eth0 is the 10.0.1.0/24 privileged network and eth1 is the 10.0.2.0/24 unprivileged network.

mdns-repeater -f eth0 eth1

The output will look something like this as mDNS packets come in:

10.0.2.217 (384 bytes) -> eth0
10.0.2.13 (384 bytes) -> eth0
10.0.2.141 (240 bytes) -> eth0
10.0.1.252 (320 bytes) -> eth1
10.0.1.236 (213 bytes) -> eth1
10.0.1.41 (623 bytes) -> eth1
10.0.1.41 (402 bytes) -> eth1
10.0.1.41 (594 bytes) -> eth1
10.0.1.11 (339 bytes) -> eth1
10.0.1.11 (379 bytes) -> eth1
10.0.1.11 (359 bytes) -> eth1
10.0.1.11 (355 bytes) -> eth1
10.0.1.11 (358 bytes) -> eth1

Now, users on the 10.0.1.0/24 privileged network should be able to find the Apple TV on the 10.0.2.0/24 unprivileged network. With the forwarding rules above (and a little bit of luck) you should be able to stream media to the Apple TV!

Monitoring

If you run into any issues, watching what is happening between the networks can help you narrow down and solve connectivity issues. tcpdump is your friend here. It is not uncommon for Apple to add or remove ports so watching what is happening is probably good practice.

tcpdump -n -i eth1 host 10.0.2.10

This will dump all the traffic to and from 10.0.2.10 so you can see what’s happening. You might also want to issue a similar command for the IP of the sending device to see what is being sent but not “crossing the divide” properly. This and some googling is how I figured out most of the required ports.
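A more systematic way to find the ports than reading tcpdump output, as an added example that is not from the article: put a LOG rule in front of the final DROP for traffic from the Apple TV toward the privileged network (the prefix ATV-DROP: is a hypothetical choice) and then summarize the kernel log by protocol and destination port. Only TCP SYNs without ACK and UDP packets are counted, because those are the first packets of new flows, which is exactly what a missing FORWARD rule drops. The log lines in the script are constructed to show the netfilter LOG format; real input comes from `journalctl -k` or /var/log/kern.log.

```shell
#!/bin/sh
# Added example: summarize which ports the Apple TV tried to open toward the
# privileged network and got dropped on. Assumes a LOG rule like this one
# (hypothetical prefix) sits just before the DROP in the FORWARD path:
#   iptables -I FORWARD <n> -s 10.0.2.10 -d 10.0.1.0/24 -m limit --limit 10/min \
#       -j LOG --log-prefix "ATV-DROP: "
ATV=${ATV:-10.0.2.10}

# Constructed sample kernel log lines in netfilter LOG format (not real captures).
# Lines 4 (another IoT host) and 6 (a bare ACK, not a new flow) must be ignored.
sample_log() {
cat <<'EOF'
Mar  3 20:11:02 router kernel: ATV-DROP: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.2.10 DST=10.0.1.41 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=49200 DPT=7000 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 20:11:03 router kernel: ATV-DROP: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.2.10 DST=10.0.1.41 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=49200 DPT=7000 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 20:11:03 router kernel: ATV-DROP: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.2.10 DST=10.0.1.41 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=7010 DPT=7011 LEN=40
Mar  3 20:11:05 router kernel: ATV-DROP: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.2.13 DST=10.0.1.11 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Mar  3 20:11:06 router kernel: ATV-DROP: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.2.10 DST=10.0.1.11 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=49300 DPT=7100 WINDOW=65535 RES=0x00 SYN URGP=0
Mar  3 20:11:09 router kernel: ATV-DROP: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.2.10 DST=10.0.1.41 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=49200 DPT=7000 WINDOW=2048 RES=0x00 ACK URGP=0
EOF
}

# Read log lines on stdin; print "PROTO DPT count", most frequent first.
# A "missing port" shows up as a TCP SYN (no ACK) or as any UDP datagram from
# the Apple TV; everything else is noise from flows that were already accepted.
dropped_ports() {
    awk -v atv="$ATV" '
        /ATV-DROP:/ {
            src = proto = dpt = ""; syn = ack = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "SYN") { syn = 1; continue }
                if ($i == "ACK") { ack = 1; continue }
                n = index($i, "=")
                if (n == 0) continue
                k = substr($i, 1, n - 1); v = substr($i, n + 1)
                if (k == "SRC") src = v
                else if (k == "PROTO") proto = v
                else if (k == "DPT") dpt = v
            }
            if (src != atv || dpt == "") next
            if (proto == "TCP" && (!syn || ack)) next
            count[proto " " dpt]++
        }
        END { for (key in count) print key, count[key] }
    ' | sort -k3,3nr -k1,1 -k2,2n
}

case "${1:-demo}" in
    demo) sample_log | dropped_ports ;;   # show the format on the sample lines
    log)  dropped_ports ;;                # e.g. journalctl -k | ./atv-drops.sh log
esac
```

On the constructed sample this yields `TCP 7000 2`, `TCP 7100 1` and `UDP 7011 1`, which is the shortlist of rules still missing; the other IoT host’s SSH attempt is dropped as intended and never appears.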

Another tool that is fun to watch is iftop, which gives you a realtime view of the traffic on an interface. With no arguments it listens on the first interface it finds; pass -i eth1 to watch the IoT side specifically.

Conclusion

Using iptables and mdns-repeater you can make an Apple TV on an unprivileged network findable and usable on a privileged network. Forwarding a collection of TCP and UDP ports as well as echoing mDNS broadcasts between the networks is all that is necessary to make this work.

Applied CBDC Research @ the Federal Reserve — fmr Circle.com, Bandwidth.com. MIT / Podcaster / Runner / Helicopter Pilot
