Archer Allstars

Make openSUSE work with Chromecast, getting to know your firewall zone in Linux.

You might find yourself having a hard time making Chromecast work on openSUSE, or on a Linux box in general. The issue lies in your firewall settings.

In this article, I will focus on firewalld, a zone-based firewall (its rules are grouped by zone) that's pre-installed in openSUSE, Fedora, etc. You can skip this article if you're using ufw, which is pre-installed in Ubuntu.

Basically, all you need to do is:

nmcli connection modify 'YourConnectionName' connection.zone home

This setting changes your connection to the home zone, which is more permissive than the default public zone and allows you to connect to your Chromecast devices. The setting also persists across reboots, so you only have to do it once. I will explain in detail below.

Do not change your device zone, change a connection zone instead

Zone on The Road

Why is changing your device/interface zone a bad idea? Take one interface, for example the wireless card in your laptop. You might use it to connect to your home's wifi hotspot, your school's wifi hotspot, a coffee shop's wifi hotspot, etc. Well, you wouldn't trust all those hotspots equally, would you? That's why changing your device/interface zone is a bad idea, and it's also why the device/interface zone is set to public by default. Needless to say, changing the default zone, or opening a specific port range, would be the worst idea 😂

I recommend you change your most trusted connection zone, your home network, for example, to home, so you can use Chromecast on this network, along with many connection types that wouldn't work otherwise.

Knowing your current connection zone, and changing the zone

A Map

It's surprisingly hard to find your connection zone, as the zone is not shown in GNOME Settings (issue #1425) or in YaST Firewall. Google doesn't help much either. Here's how to find your zone before making any change.

  1. Finding your active connection name first:

    nmcli connection show --active


    This will return something like:

    NAME                UUID                           TYPE  DEVICE 
    YourConnectionName  xxxxxxxxxxxxxxxxxxxxxxxxxxxxx  wifi  xxxxxx


  2. Finding its zone:

    nmcli connection show 'YourConnectionName' | grep zone


    This will return:                        public


  3. Changing your connection zone to home

    nmcli connection modify 'YourConnectionName' connection.zone home


  4. Checking your connection zone again:

    nmcli connection show 'YourConnectionName' | grep zone


    It should return:                        home

After this, you should be able to cast to Chromecast devices on openSUSE or any system with firewalld. It's worth checking in YaST Firewall whether your home zone has the default allowed services. You should have the dhcpv6-client, mdns, samba-client, and ssh services on the allowed list.
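To check the result of the steps above from a terminal, here is an added example (not part of the original post) that classifies each connection's zone and compares the home zone's allowed services with the list given above. The function names are hypothetical, and the live mode assumes `nmcli -g` and `firewall-cmd --zone=home --list-services` are available on the machine.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Services the article expects to be allowed in the home zone.
EXPECTED_HOME="dhcpv6-client mdns samba-client ssh"

# classify_zone ZONE: map a connection.zone value to default | home | other:<zone>.
# An unset zone (empty or "--") means the connection follows the default zone.
classify_zone() {
    case "$1" in
        ""|--) echo "default" ;;
        home)  echo "home" ;;
        *)     echo "other:$1" ;;
    esac
}

# diff_services "SVC SVC ...": compare a zone's allowed services with the
# expected list; prints one "missing:<svc>" or "extra:<svc>" line per difference.
diff_services() {
    allowed=$1
    for s in $EXPECTED_HOME; do
        case " $allowed " in *" $s "*) ;; *) echo "missing:$s" ;; esac
    done
    for s in $allowed; do
        case " $EXPECTED_HOME " in *" $s "*) ;; *) echo "extra:$s" ;; esac
    done
}

# audit_live: list every saved connection with its zone class, then diff the
# home zone's services. Needs nmcli and firewall-cmd on the local machine.
audit_live() {
    nmcli -g NAME connection show | while IFS= read -r name; do
        zone=$(nmcli -g connection.zone connection show "$name")
        printf '%s\t%s\n' "$name" "$(classify_zone "$zone")"
    done
    diff_services "$(firewall-cmd --zone=home --list-services)"
}

if [ "${1:-}" = "--live" ]; then
    audit_live
else
    # Constructed sample: a home zone that lost mdns and gained upnp-client.
    diff_services "dhcpv6-client samba-client ssh upnp-client"
fi
```

Run it with `--live` on the machine itself. Only the network you trust most should be reported as `home`, and every `extra:` line is a service the home zone exposes beyond the default list.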

I hope this helps.

Cover photo by Viktor Forgacs on Unsplash

Zone on The Road photo by David Clarke on Unsplash

A Map photo by Hendrik Morkel on Unsplash

Top comments (4)

sirlauncelot profile image
Jim Mills

This doesn't seem to work. I confirmed changing the connection to home, and that the dhcpv6-client, mdns, samba-client, and ssh services are allowed in home. When I cast, Chrome still doesn't see devices. When I turn off the firewall, it works fine. I also tried adding ssdp as well, but it doesn't help.

archerallstars profile image
Archer Allstars • Edited

Are you sure? I just tested again a minute ago, it's working as expected with firewall enabled.

Make sure your connection is in the zone home, and mdns is allowed. It won't work with a VPN, so make sure to disable it, or use split tunneling if available. This should be enough to cast to Chromecast. There's no need to allow ssdp.

If you don't use YaST, you might want to try reloading your firewall manually after the change by:

sudo systemctl restart firewalld.service
sirlauncelot profile image
Jim Mills

Strangely I had to add "upnp-client" service to home. It seems like Roku is using it to advertise itself, which is what "ssdp" is typically used for. When I add upnp-client, I now see 3 out of 4 devices I can cast to.

I need to do some more testing as I think I saw additional devices when I added "ssdp."

For testing, you need to do a full reload, "firewall-cmd --complete-reload", to kill off existing connections, or your changes might not be apparent. I'm not sure service stop/start will kill existing connections.

Using tshark, I also saw Roku using igmp. I had to add that service to OpenSUSE, as it isn't defined in "/usr/lib/firewalld/services". It doesn't seem to need it, but will check after a reboot. I'm not sure if there is some stuff with multicast connections and state that might be cached in the stack.

Define igmp for firewalld

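# Minimal service definition allowing the IGMP protocol
# (the XML body is missing from the page; this is a reconstruction).
cat << 'EOF' > /usr/lib/firewalld/services/igmp.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>igmp</short>
  <protocol value="igmp"/>
</service>
EOF
chown root:root /usr/lib/firewalld/services/igmp.xml
chmod 644 /usr/lib/firewalld/services/igmp.xml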

archerallstars profile image
Archer Allstars

Wow! Thanks! This is a very informative post. I'm glad it works out for you.