Broadcast between subnets
I have an almost identical setup to the one detailed here:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/wireless/ap_deployment_examples_vlans.html
I also have a policy to allow any traffic between the wired and wireless trusted networks.
This was to accommodate a move to Watchguard AP devices as previous APs were deprecated.
This has had the unfortunate effect of making all broadcast services unavailable to wireless clients, including many meeting room display units that allow casting - they all seem to use broadcast to allow clients to detect them and initiate connection. Many other services are also affected such as browsing for network shares.
The answer for most routers seems to be to allow broadcast by use of a helper address. I see that fireware has this to allow broadcast routing between BOVPN etc.
Can this be done between different trusted networks? I have a wired segment as our primary trusted plus VLAN10 for the trusted wifi segment. Previously these segments were bridged which happily allowed all of this broadcast stuff to work perfectly.
Or do I just need to dump these Watchguard APs and go back to another AP vendor?
Comments
There is no ability to route broadcast packets across WG firewall interfaces/segments/VLANs.
You can bridge a locally connected & managed WG AP to another firewall interface - just not using VLANs as in the above example.
I'm not sure if/how this can be done for a cloud managed WG AP as I have no experience with them.
I think I'm getting close to the answer here.
Rather than trying to maintain the 2 separate Trusted segments (something that I thought was forced) it seems there is another way:
Following this VERY SIMILAR BUT SLIGHTLY DIFFERENT guide:
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/wireless/ap_vlan_about_c.html
Specifically: Change a Trusted or Optional Interface to a VLAN Interface
Now moved my wired/trusted segment to a VLAN interface type. Setting up a new SSID with the same VLAN has allowed a wifi client to pick up an address from DHCP in the same network. Some broadcast services seem to start working.
Going to do more investigation...
Another option is the simple AP setup - no VLANs needed:
AP Deployment with a Single SSID
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/wireless/ap_deployment_examples_single_ssid.html
Set up a Bridge group:
Have the AP firewall interface & the current trusted interface be members of the bridge group.
Assign a Network Interface to a Bridge
https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/networksetup/net_config_bridge_assign_c.html
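The three layouts discussed in this thread (routed wired trusted plus VLAN10 wireless, wired trusted moved onto VLAN 10, and a bridge group containing the AP and trusted interfaces) modelled as broadcast domains, as an added example that is not from the original thread or from WatchGuard. It shows why an "allow any" policy between the segments does not help discovery traffic: a policy governs routed unicast, while broadcast and link-local multicast (mDNS, SSDP) only reach the sender's own L2 domain. The subnets, tag and bridge name are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

# Constructed sample addressing; the thread does not give real subnets.
WIRED = IPv4Network("10.0.1.0/24")
WIFI = IPv4Network("10.0.10.0/24")
LINK_LOCAL_MCAST = IPv4Network("224.0.0.0/24")  # mDNS 224.0.0.251 lives here
SSDP = IPv4Address("239.255.255.250")            # UPnP/DLNA/cast discovery

@dataclass(frozen=True)
class Segment:
    name: str
    network: IPv4Network
    vlan: Optional[int] = None    # 802.1Q tag if this is a VLAN interface (or an SSID mapped to one)
    bridge: Optional[str] = None  # bridge group the interface is a member of, if any

def broadcast_domain(seg: Segment) -> str:
    """Bridge members share one L2 domain; VLAN interfaces are keyed by tag; else one per interface."""
    if seg.bridge is not None:
        return f"bridge:{seg.bridge}"
    if seg.vlan is not None:
        return f"vlan:{seg.vlan}"
    return f"iface:{seg.name}"

def is_discovery_destination(dst: IPv4Address, src_net: IPv4Network) -> bool:
    """Destinations that never leave the sender's own L2 domain (no helper address on the firewall)."""
    return (dst == IPv4Address("255.255.255.255") or dst == src_net.broadcast_address
            or dst in LINK_LOCAL_MCAST or dst == SSDP)

def delivered(src: Segment, dst: Segment, dst_ip: IPv4Address, policy_allows: bool) -> bool:
    """Unicast crosses a routed boundary when a policy permits it; discovery traffic never does."""
    same_domain = broadcast_domain(src) == broadcast_domain(dst)
    if is_discovery_destination(dst_ip, src.network):
        return same_domain
    return same_domain or policy_allows

# The three layouts from the thread (constructed segments).
SCENARIOS = {
    "routed": (Segment("trusted", WIRED), Segment("wifi", WIFI, vlan=10)),             # original post
    "shared_vlan": (Segment("trusted", WIRED, vlan=10), Segment("wifi", WIRED, vlan=10)),  # trusted moved to VLAN
    "bridged": (Segment("trusted", WIRED, bridge="br0"), Segment("ap", WIRED, bridge="br0")),  # bridge group
}

def check(scenario: str, dst_ip: str, policy_allows: bool = True) -> bool:
    """Does a packet from the wired side to dst_ip reach the wireless side in this layout?"""
    src, dst = SCENARIOS[scenario]
    return delivered(src, dst, IPv4Address(dst_ip), policy_allows)

if __name__ == "__main__":
    for label in SCENARIOS:
        print(f"{label:12} mDNS reaches wifi: {check(label, '224.0.0.251')}")
```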