DEV Community

Cover image for Make openSUSE work with Chromecast, getting to know your firewall zone in Linux.
Archer Allstars
Archer Allstars

Posted on

Make openSUSE work with Chromecast, getting to know your firewall zone in Linux.

You might find yourself having a hard time making Chromecast work on your openSUSE or Linux-box in general. Well, the issue lies in your firewall settings.

In this article, I will focus on firewalld, a zone-type firewall - rules based on zone, that's pre-installed in openSUSE, Fedora, etc. You can skip this article if you're using ufw that's pre-installed in Ubuntu.

Basically, all you need to do is:



nmcli connection modify 'YourConnectionName' connection.zone home


Enter fullscreen mode Exit fullscreen mode

This setting will change your connection to the home zone that will be more compromised than the default public zone, allowing you to connect with your Chromecast devices. This setting will also persist on reboot, so you only have to do it once. I will explain in detail below.


Do not change your device zone, change a connection zone instead

Zone on The Road

Why changing your device/interface zone is a bad idea? Let's assume that on this interface, a wireless card in your laptop, for example, you might use to connect to your home's wifi hotspot, your school's wifi hotspot, coffee shop's wifi hotspot, etc. Well, you wouldn't trust all those hotspots equally, would you? Yes, that's why changing your device/interface zone is a bad idea. And that's also the reason why the device/interface zone is set to public by default. It's needless to say that changing the default zone, or open a specific port range, would be the worst idea 😂

I recommend you change your most trusted connection zone, your home network, for example, to home, so you can use Chromecast on this network, along with many connection types that wouldn't work otherwise.


Knowing your current connection zone, and changing the zone

A Map

It's surprisingly hard to find your connection zone, as the zone is not presented in GNOME Settings (issue #1425), nor YaST Firewall. Google doesn't help much either. Here's how to find your zone before making any change.

  1. Finding your active connection name first: ```

nmcli connection show --active

      

     This will return something like:
     ```


NAME                UUID                           TYPE  DEVICE 
YourConnectionName  xxxxxxxxxxxxxxxxxxxxxxxxxxxxx  wifi  xxxxxx


Enter fullscreen mode Exit fullscreen mode
  
Enter fullscreen mode Exit fullscreen mode
  1. Finding its zone: ```

nmcli connection show 'YourConnectionName' | grep zone

      

     This will return: 
     ```


connection.zone:                        public


Enter fullscreen mode Exit fullscreen mode
  
Enter fullscreen mode Exit fullscreen mode
  1. Changing your connection zone to home ```

nmcli connection modify 'YourConnectionName' connection.zone home

      

4. Checking your connection zone again:
     ```


nmcli connection show 'YourConnectionName' | grep zone


Enter fullscreen mode Exit fullscreen mode
  

 It should return: 
 ```
Enter fullscreen mode Exit fullscreen mode

connection.zone: home


---

After this, you should be able to cast to Chromecast devices on openSUSE or any system with firewalld. It's worth to check whether you have the default allowed services on your home zone in YaST Firewall. You should have `dhcpv6-client`, `mdns`, `samba-client`, and `ssh` services on the allowed list.

I hope this helps.

---

**Cover** photo by **[Viktor Forgacs](https://unsplash.com/@sonance?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText)** on **[Unsplash](https://unsplash.com/s/photos/chrome?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText)**

**Zone on The Road** photo by **[David Clarke](https://unsplash.com/@thethinblackframe?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText)** on **[Unsplash](https://unsplash.com/s/photos/zone?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText)**

**A Map** photo by **[Hendrik Morkel](https://unsplash.com/@hendrikmorkel?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText)** on **[Unsplash](https://unsplash.com/s/photos/find?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText)**
Enter fullscreen mode Exit fullscreen mode

Top comments (6)

Collapse
 
xa3phod profile image
Daniel Lifshultz

Worked like a charm! Thanks!

Collapse
 
archerallstars profile image
Archer Allstars

Thanks! I'm glad it works out for you.

Collapse
 
sirlauncelot profile image
Jim Mills

This doesn't seem to work. I confirmed changing the connection to home, and that dhcpv6-client, mdns, samba-client, and ssh service are allowed in home. When I cast, it Chrome still doesn't see devices. When I turn off the firewall, it works fine. I also tried adding ssdp as well, but it doesn't help

Collapse
 
archerallstars profile image
Archer Allstars • Edited

Are you sure? I just tested again a minute ago, it's working as expected with firewall enabled.

Make sure your connection is in the zone home, and mdns is allowed. It won't work with VPN, make sure to disable it, or use split tunneling if available. This should be enough to make the cast to Chromecast. There's no need to allow ssdp.

Image description

If you don't use YaST, you might to try reloading your firewall after the change manually by:

sudo systemctl restart firewalld.service
Enter fullscreen mode Exit fullscreen mode
Collapse
 
sirlauncelot profile image
Jim Mills

Strangely I had to add "upnp-client" service to home. It seems like Roku is using it to advertise itself, which is what "ssdp" is typically used for. When I add unpnp-client, I now see 3 out of 4 devices I can cast to.

I need to do some more testing as I think I saw additional devices when I added "ssdp."

For testing, you need to do a full reload, "firewall-cmd --complete-reload", to kill off existing connections, or your changes might not be apparent. I'm not sure service stop/start will kill existing connections.

Using tshark, I also saw Roku using igmp. I had to add that service to OpenSUSE, as it isn't defined in "/usr/lib/firewalld/services". It doesn't seem to need it, but will check after a reboot. I'm not sure if there is some stuff with multicast connections and state that might be cached in the stack.

Define igmp for firewalld

cat < /usr/lib/firewalld/services/igmp.xml
<?xml version="1.0" encoding="utf-8"?>

igmp
IGMP


EOF
chown root:root /usr/lib/firewalld/services/igmp.xml
chmod 644 /usr/lib/firewalld/services/igmp.xml

Thread Thread
 
archerallstars profile image
Archer Allstars

Wow! Thanks! This is a very informative post. I'm glad it works out for you.