Sonos speakers on a VLAN

Started by russellfolk, April 15, 2020, 12:11:34 AM

Good afternoon,

This seems to be an age-old question (I've followed a few posts on this forum to make any progress at all), but maybe y'all can see what I'm missing.

I am trying desperately to get my Sonos (and soon Apple TV) to communicate across VLANs.

I had it working on a general IoT VLAN with the following rules in my IoT firewall settings:

* Pass (In) Protocol (IPv4+6 TCP) Source (IoT net) Port (*) Destination (DEVICES net) Port (1400, 3400, 3401, 3500) Gateway (*) Schedule (*)
* Pass (In) Protocol (IPv4+6 TCP) Source (IoT net) Port (*) Destination (LAN net) Port (1400, 3400, 3401, 3500) Gateway (*) Schedule (*)

I also installed the mdns-repeater plugin and enabled it with LAN, DEVICES, and IoT.

For the above setup, LAN is the untagged LAN network (igb0), DEVICES is VLAN 20 (igb0_vlan20), and IoT is VLAN 30 (igb0_vlan30).

Since then I have added VLAN 21, Media (igb0_vlan21). I reassigned the port on my UniFi Flex Mini (port 3) to be that VLAN profile and from there it goes to a default profile USW-PoE-24 (port 5) to the default profile OPNsense firewall (port 1).

I then changed the mdns-repeater plugin to add Media (igb0_vlan21)—I have since removed IoT to try more debugging—and copied the rules from the IoT section of the firewall over to the Media section. Nothing has worked. I have added rules, torn apart rules, etc. Rebooted every device (firewall, switches, Sonos) multiple times.

Where do I begin to look? Please help!

April 15, 2020, 02:24:02 AM #1 Last Edit: April 15, 2020, 02:26:01 AM by xofer
Try allowing UDP to 224.0.0.251 port 5353 from the network Apple TVs are sitting in. I don't know what Sonos uses, but Apple TV uses this to broadcast itself (mdns).

I've tried that. :( It was a good thought: I saw it being blocked and tried to have it pass through. No luck. :(

I have logging on all my rules, so I don't get why I don't see the magical "blocked" thing I'm missing. 🤦🏻‍♂️

Current rules are attached (which should be allowing EVERYTHING at this point...)

mDNS_Broadcast: 224.0.0.251
mDNS_Port: 5353
SonosTcpAppControl: 1400,3400,3401,3500
SonosUdpAppControl: 1900,1901

Thanks! :)

You can search the forums for "udpbroadcastrelay"; marjohn56 is currently building a plugin for it that also supports Sonos over VLANs.

OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member - If we've helped you remember to applaud

and now it's merged to devel .. shouldn't take too long now :)

@mimugmail, I found that last night and downloaded the Dropbox file! I'm going to start setting it up now!

@marjohn56, How would I update that going forward? How do you like to receive feedback?

@marjohn56, could I beg you for your firewall rules and your broadcast settings for Sonos? I feel that I am getting close, but I now see a ton of random high ports on the Sonos when I try to configure. I don't want to just open everything; it sorta defeats the purpose. 🤦🏻‍♂️

Also, I did find a cosmetic issue with the plugin. See attached screen shots. This is running Safari Technology Preview [Release 104 (Safari 13.2, WebKit 15610.1.8.3)] with the rebellion theme.

Checked it with Firefox, Edge and Chrome, no issues here, also running the rebellion theme.


I have no specific port rules; my primary VLAN is allowed access to the IoT VLAN and not the other way around, with exceptions for specific devices, in my case Sky, which allows all ports back to the primary VLAN, namely because I suspect that the ports are dynamic. Nivek uses Sonos and is also a Mac man so also uses Safari; I'll shout him and get him to answer.
OPNsense 24.7 - Qotom Q355G4 - ISP - Squirrel 1Gbps.

Team Rebellion Member - If we've helped you remember to applaud

April 16, 2020, 06:06:19 PM #9 Last Edit: April 16, 2020, 06:21:17 PM by nivek1612
Ah yes, the old Sonos ports and firewalls issue.

I struggled as well and, after googling, came to the conclusion that Sonos doesn't play properly with ports. So even if you create rules for the ports Sonos claims it needs, it won't work across VLANs.

So I went for a slightly less robust route, but one that I'm pretty comfortable with.

I have a few LANs, but for this explanation IOT is where Sonos sits and my trusted devices (Mac, iPhones etc.) are on LAN.
I allow any LAN device to any other VLAN, but I only allow the Sonos players on IOT to access the Sonos controllers (iPhones for me) by having a rule like the one below.

I block everything else from IOT out to any other VLAN.


EDIT - I don't use Safari though, I hate it. Chrome for me. But I'll play later and let you know.

EDIT 2 - used Safari, see below, looks okay to me.
OPNsense 24.7.* on Qotom i5-5250U with AAISP FTTP 900/120
OPNsense 24.7.* on Qotom i7-4500U with Orange FR FTTP 1000/400

Team Rebellion Member
One of Marjohns TESTERS :-)

April 16, 2020, 08:52:08 PM #10 Last Edit: April 16, 2020, 08:57:55 PM by stefanpf
Sonos is a bitch :-)

A few hints from my setup:

I use udpbroadcastrelay on ports 1900 (SSDP), 5353 (mDNS) and 6969 (used by the initial Sonos setup).

As far as I remember I got by without high ports up to the moment my wife wanted to use her Audible app.

I restricted the high-port rule from the speakers to the alias that holds the Sonos controllers.

Sure my setup ain't perfect, but maybe it helps:

Code (UDPRelay):

<udpbroadcastrelays version="1.0.0">
  <udpbroadcastrelay uuid="557cb61a-a020-4793-9429-7668dddef74c">
    <enabled>1</enabled>
    <interfaces>lan,opt7</interfaces>
    <multicastaddress>239.255.255.250</multicastaddress>
    <sourceaddress/>
    <listenport>1900</listenport>
    <InstanceID>1</InstanceID>
    <description>SSDP Sonos TV Hue</description>
  </udpbroadcastrelay>
  <udpbroadcastrelay uuid="0a5f9b44-a848-4f9c-b0bc-d2ff89b250e2">
    <enabled>1</enabled>
    <interfaces>lan,opt7</interfaces>
    <multicastaddress>224.0.0.251</multicastaddress>
    <sourceaddress>1.1.1.1</sourceaddress>
    <listenport>5353</listenport>
    <InstanceID>2</InstanceID>
    <description>UPNP Hue</description>
  </udpbroadcastrelay>
  <udpbroadcastrelay uuid="58af3a1f-465e-4793-9eff-199b99cd1f5e">
    <enabled>1</enabled>
    <interfaces>lan,opt7</interfaces>
    <multicastaddress>239.255.255.250</multicastaddress>
    <sourceaddress/>
    <listenport>6969</listenport>
    <InstanceID>3</InstanceID>
    <description>Sonos Anfangskonfiguration</description>
  </udpbroadcastrelay>
</udpbroadcastrelays>


Code (Aliases for reference):

<aliases>
  <alias uuid="e521d9b2-9249-4f70-b122-b25df8db8ec3">
    <enabled>1</enabled>
    <name>P_Sonos_Controller_TCP</name>
    <type>port</type>
    <proto/>
    <counters>0</counters>
    <updatefreq/>
    <content>1400
1443
4444</content>
    <description>TCP Ports vom Controller zum Lautsprecher</description>
  </alias>
  <alias uuid="ab010fa7-5d8d-4f83-8a51-66261b226d00">
    <enabled>1</enabled>
    <name>P_Sonos_TCP</name>
    <type>port</type>
    <proto/>
    <counters>0</counters>
    <updatefreq/>
    <content>3400
3401
3500</content>
    <description>Sonos TCP Ports Lautsprecher zu Controller</description>
  </alias>
  <alias uuid="afb317f8-ef26-4fff-9e7e-bd4b7cd36337">
    <enabled>1</enabled>
    <name>P_Sonos_UDP</name>
    <type>port</type>
    <proto/>
    <counters>0</counters>
    <updatefreq/>
    <content>6969
1900:1905</content>
    <description>Sonos UDP Ports Lautsprecher zu Controller</description>
  </alias>
  <alias uuid="22b1538a-5e81-44ce-85b9-b9359bc8ad2f">
    <enabled>1</enabled>
    <name>Sonos_UDP2</name>
    <type>port</type>
    <proto/>
    <counters>0</counters>
    <updatefreq/>
    <content>1900
6969</content>
    <description/>
  </alias>
  <alias uuid="a40414d2-f32f-471a-bdd9-9c7d1e662f78">
    <enabled>1</enabled>
    <name>P_SSDP</name>
    <type>port</type>
    <proto/>
    <counters>0</counters>
    <updatefreq/>
    <content>1900</content>
    <description>SSDP UDP  1900</description>
  </alias>
  <alias uuid="3b5dd673-d7e2-46d3-9732-884a67d195b5">
    <enabled>1</enabled>
    <name>H_Sonos</name>
    <type>host</type>
    <proto/>
    <counters>0</counters>
    <updatefreq/>
    <content>10.11.23.210
10.11.23.211
10.11.23.212
10.11.23.213
10.11.23.214
192.168.49.1
10.11.23.215</content>
    <description>Sonos Speaker</description>
  </alias>
  <alias uuid="2767c8d7-e80c-4502-abc6-7c860a393ef7">
    <enabled>1</enabled>
    <name>P_MDNS</name>
    <type>port</type>
    <proto/>
    <counters>0</counters>
    <updatefreq/>
    <content>5353</content>
    <description/>
  </alias>
  <alias uuid="7306819b-4aae-494c-bd82-152bcf6c598c">
    <enabled>1</enabled>
    <name>P_HTTP_HTTPS</name>
    <type>port</type>
    <proto/>
    <counters>0</counters>
    <updatefreq/>
    <content>80
443</content>
    <description/>
  </alias>
  <alias uuid="f635b1e5-1f92-4d04-a200-e99226cd1cc7">
    <enabled>1</enabled>
    <name>H_SonosController</name>
    <type>host</type>
    <proto/>
    <counters>0</counters>
    <updatefreq/>
    <content>H_MI9T
H_Galaxy9
H_HuaweiGX8
H_SP001
H_WindowsTab</content>
    <description/>
  </alias>
</aliases>


Code (Rules):

  <filter>
    <rule>
      <type>pass</type>
      <ipprotocol>inet</ipprotocol>
      <statetype>keep state</statetype>
      <descr>Sonos Setup (Speaker zu Controller)</descr>
      <direction>in</direction>
      <category>SONOS</category>
      <floating>yes</floating>
      <log>1</log>
      <quick>1</quick>
      <protocol>udp</protocol>
      <source>
        <address>H_Sonos</address>
      </source>
      <destination>
        <network>lan</network>
        <port>6969</port>
      </destination>
      <updated>
        <username>root@10.11.21.254</username>
        <time>1581761822.5349</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>root@10.11.21.254</username>
        <time>1581761822.5349</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>
    <rule>
      <type>pass</type>
      <ipprotocol>inet</ipprotocol>
      <statetype>keep state</statetype>
      <descr>Sonos Setup (Controller zu Speaker)</descr>
      <direction>in</direction>
      <category>SONOS</category>
      <floating>yes</floating>
      <log>1</log>
      <quick>1</quick>
      <protocol>udp</protocol>
      <source>
        <network>lan</network>
      </source>
      <destination>
        <address>H_Sonos</address>
        <port>6969</port>
      </destination>
      <updated>
        <username>root@10.11.21.254</username>
        <time>1581762241.1712</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>root@10.11.21.254</username>
        <time>1581762214.4773</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <ipprotocol>inet</ipprotocol>
      <statetype>keep state</statetype>
      <descr>SSDP Multicast</descr>
      <direction>in</direction>
      <category>Sonos</category>
      <allowopts>1</allowopts>
      <quick>1</quick>
      <protocol>udp</protocol>
      <source>
        <any>1</any>
      </source>
      <destination>
        <address>239.255.255.250</address>
        <port>P_SSDP</port>
      </destination>
      <updated>
        <username>root@10.11.21.155</username>
        <time>1582392413.8701</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>root@10.11.21.254</username>
        <time>1581752754.2206</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <ipprotocol>inet</ipprotocol>
      <statetype>keep state</statetype>
      <descr>SSDP Sonos</descr>
      <direction>in</direction>
      <quick>1</quick>
      <protocol>udp</protocol>
      <source>
        <address>H_Sonos</address>
      </source>
      <destination>
        <any>1</any>
        <port>P_SSDP</port>
      </destination>
      <updated>
        <username>root@10.11.21.254</username>
        <time>1580846372.0546</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>root@10.11.21.254</username>
        <time>1580846372.0546</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <ipprotocol>inet</ipprotocol>
      <statetype>keep state</statetype>
      <descr>MDNS f. Spotify m. Sonos</descr>
      <direction>in</direction>
      <allowopts>1</allowopts>
      <quick>1</quick>
      <protocol>udp</protocol>
      <source>
        <address>H_SonosController</address>
      </source>
      <destination>
        <address>224.0.0.251</address>
        <port>P_MDNS</port>
      </destination>
      <updated>
        <username>root@10.11.21.101</username>
        <time>1582396474.989</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>root@10.11.21.254</username>
        <time>1581763660.1383</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>
    <rule>
      <type>pass</type>
      <interface>lan</interface>
      <ipprotocol>inet</ipprotocol>
      <statetype>keep state</statetype>
      <descr>#Sonos  TCP Controller zu Lautsprecher</descr>
      <direction>in</direction>
      <category>SONOS</category>
      <allowopts>1</allowopts>
      <quick>1</quick>
      <protocol>tcp</protocol>
      <source>
        <address>H_SonosController</address>
      </source>
      <destination>
        <address>H_Sonos</address>
        <port>P_Sonos_Controller_TCP</port>
      </destination>
      <updated>
        <username>root@10.11.21.101</username>
        <time>1582396576.6225</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>root@10.11.21.254</username>
        <time>1580637513.4949</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>
    <rule>
      <type>pass</type>
      <interface>opt7</interface>
      <ipprotocol>inet</ipprotocol>
      <statetype>keep state</statetype>
      <descr>MDNS f. Spotify m. Sonos</descr>
      <direction>in</direction>
      <category>Sonos</category>
      <allowopts>1</allowopts>
      <log>1</log>
      <quick>1</quick>
      <protocol>udp</protocol>
      <source>
        <address>H_Sonos</address>
      </source>
      <destination>
        <address>224.0.0.251</address>
        <port>P_MDNS</port>
      </destination>
      <updated>
        <username>root@fe80::e573:1f84:64bd:3d10</username>
        <time>1586515939.6648</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>root@10.11.21.254</username>
        <time>1581752260.6259</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>
    <rule>
      <type>pass</type>
      <interface>opt7</interface>
      <ipprotocol>inet</ipprotocol>
      <statetype>keep state</statetype>
      <descr>SSDP</descr>
      <direction>in</direction>
      <allowopts>1</allowopts>
      <log>1</log>
      <quick>1</quick>
      <protocol>udp</protocol>
      <source>
        <network>lan</network>
      </source>
      <destination>
        <any>1</any>
        <port>P_SSDP</port>
      </destination>
      <updated>
        <username>root@10.11.21.155</username>
        <time>1582392300.2027</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>root@10.11.21.254</username>
        <time>1580846215.0811</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>
    <rule>
      <type>pass</type>
      <interface>opt7</interface>
      <ipprotocol>inet</ipprotocol>
      <statetype>keep state</statetype>
      <descr>SSDP</descr>
      <direction>in</direction>
      <allowopts>1</allowopts>
      <quick>1</quick>
      <protocol>udp</protocol>
      <source>
        <network>opt7</network>
      </source>
      <destination>
        <any>1</any>
        <port>P_SSDP</port>
      </destination>
      <updated>
        <username>root@10.11.21.155</username>
        <time>1582392221.7059</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>root@10.11.21.254</username>
        <time>1580795773.9516</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>
    <rule>
      <type>pass</type>
      <interface>opt7</interface>
      <ipprotocol>inet</ipprotocol>
      <statetype>keep state</statetype>
      <descr>#Sonos Speaker to Controller TCP</descr>
      <direction>in</direction>
      <category>Sonos</category>
      <allowopts>1</allowopts>
      <quick>1</quick>
      <protocol>tcp</protocol>
      <source>
        <address>H_Sonos</address>
      </source>
      <destination>
        <address>H_SonosController</address>
        <port>P_Sonos_TCP</port>
      </destination>
      <updated>
        <username>root@fe80::e573:1f84:64bd:3d10</username>
        <time>1586515999.4429</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>root@10.11.21.254</username>
        <time>1580638374.0761</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>
    <rule>
      <type>pass</type>
      <interface>opt7</interface>
      <ipprotocol>inet</ipprotocol>
      <statetype>keep state</statetype>
      <descr>Sonos Setup Speaker zu Controller(Broadcast zu Relay)</descr>
      <direction>in</direction>
      <category>Sonos</category>
      <quick>1</quick>
      <protocol>udp</protocol>
      <source>
        <address>H_Sonos</address>
      </source>
      <destination>
        <address>255.255.255.255</address>
        <port>6969</port>
      </destination>
      <updated>
        <username>root@fe80::e573:1f84:64bd:3d10</username>
        <time>1586516014.4254</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>root@10.11.21.254</username>
        <time>1581761591.3468</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>
    <rule>
      <type>pass</type>
      <interface>opt7</interface>
      <ipprotocol>inet</ipprotocol>
      <statetype>keep state</statetype>
      <descr>Sonos IGMP</descr>
      <direction>in</direction>
      <category>Sonos</category>
      <allowopts>1</allowopts>
      <quick>1</quick>
      <protocol>igmp</protocol>
      <source>
        <address>H_Sonos</address>
      </source>
      <destination>
        <any>1</any>
      </destination>
      <updated>
        <username>root@fe80::e573:1f84:64bd:3d10</username>
        <time>1586516029.7104</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>root@10.11.21.254</username>
        <time>1582384864.7173</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>
    <rule>
      <type>pass</type>
      <interface>opt7</interface>
      <ipprotocol>inet</ipprotocol>
      <statetype>keep state</statetype>
      <descr>Sonos HighPorts 30000-65000 f audible</descr>
      <direction>in</direction>
      <category>Sonos</category>
      <log>1</log>
      <quick>1</quick>
      <protocol>udp</protocol>
      <source>
        <address>H_Sonos</address>
      </source>
      <destination>
        <address>H_SonosController</address>
        <port>30000-65000</port>
      </destination>
      <updated>
        <username>root@fe80::e573:1f84:64bd:3d10</username>
        <time>1586516046.5996</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>root@10.11.21.155</username>
        <time>1582391358.3726</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>
    <rule>
      <type>pass</type>
      <interface>opt7</interface>
      <ipprotocol>inet</ipprotocol>
      <statetype>keep state</statetype>
      <descr>Sonos 2 Internet HTTP/S</descr>
      <direction>in</direction>
      <category>Sonos</category>
      <quick>1</quick>
      <protocol>tcp</protocol>
      <source>
        <address>H_Sonos</address>
      </source>
      <destination>
        <any>1</any>
        <port>P_HTTP_HTTPS</port>
      </destination>
      <updated>
        <username>root@2003:d1:8733:d121:2160:8666:ba03:54bb</username>
        <time>1586679343.5829</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>root@10.11.21.254</username>
        <time>1581751455.8046</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>
    <rule>
      <type>pass</type>
      <interface>opt9</interface>
      <ipprotocol>inet6</ipprotocol>
      <statetype>keep state</statetype>
      <descr>Opnvpn</descr>
      <direction>in</direction>
      <log>1</log>
      <quick>1</quick>
      <protocol>udp</protocol>
      <source>
        <any>1</any>
      </source>
      <destination>
        <network>(self)</network>
        <port>1194</port>
      </destination>
      <updated>
        <username>root@fe80::7d90:ca3b:f31c:5050</username>
        <time>1586776848.7852</time>
        <description>/firewall_rules_edit.php made changes</description>
      </updated>
      <created>
        <username>root@fe80::7d90:ca3b:f31c:5050</username>
        <time>1586776848.7852</time>
        <description>/firewall_rules_edit.php made changes</description>
      </created>
    </rule>
  </filter>
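As an added example (not part of this thread and not OPNsense's own code), a small audit script over an export in the shape stefanpf posted: it resolves alias references, including nested host aliases, and flags the IoT-side rules the post itself calls imperfect, namely passes to destination any and wide high-port ranges. The embedded sample config is constructed to resemble the posted export; its rule names, the missing alias H_MI9T, and the interface name opt7 are assumptions.

```python
"""Audit an OPNsense aliases/filter export for Sonos cross-VLAN rules.
Added example, not OPNsense code. Assumes the export shape shown in the
thread: <aliases><alias>...</alias></aliases> and <filter><rule>...</rule></filter>."""
import ipaddress
import re
import xml.etree.ElementTree as ET

PORT_RE = re.compile(r"^\d{1,5}([:-]\d{1,5})?$")  # 1400, 1900:1905, 30000-65000

# Constructed sample modelled on the thread's export; H_SonosController
# nests alias H_MI9T, which is deliberately left undefined here.
SAMPLE_CONFIG = """<opnsense><aliases>
<alias><name>H_Sonos</name><type>host</type><content>10.11.23.210
10.11.23.211</content></alias>
<alias><name>H_SonosController</name><type>host</type><content>H_MI9T</content></alias>
<alias><name>P_Sonos_TCP</name><type>port</type><content>3400
3401
3500</content></alias>
</aliases><filter>
<rule><interface>opt7</interface><descr>Speaker to Controller TCP</descr>
<source><address>H_Sonos</address></source>
<destination><address>H_SonosController</address><port>P_Sonos_TCP</port></destination></rule>
<rule><interface>opt7</interface><descr>Sonos 2 Internet HTTP/S</descr>
<source><address>H_Sonos</address></source>
<destination><any>1</any><port>P_HTTP_HTTPS</port></destination></rule>
<rule><interface>opt7</interface><descr>Sonos HighPorts</descr>
<source><address>H_Sonos</address></source>
<destination><address>H_SonosController</address><port>30000-65000</port></destination></rule>
</filter></opnsense>"""


def is_literal(entry):
    """True for a plain port/range or IP/CIDR; anything else is an alias name."""
    if PORT_RE.match(entry):
        return True
    try:
        ipaddress.ip_network(entry, strict=False)
        return True
    except ValueError:
        return False


def load_aliases(root):
    """Map alias name -> entries (hosts, ports, or names of nested aliases)."""
    return {a.findtext("name"): (a.findtext("content") or "").split()
            for a in root.iter("alias")}


def audit(xml_text, iot_iface="opt7", max_range=1024):
    """Return (undefined alias names, [(rule descr, finding), ...])."""
    root = ET.fromstring(xml_text)
    aliases = load_aliases(root)
    unresolved = sorted({e for ents in aliases.values() for e in ents
                         if not is_literal(e) and e not in aliases})
    findings = []
    for rule in root.iter("rule"):
        descr = rule.findtext("descr") or "(no descr)"
        port = rule.findtext("destination/port") or ""
        for ref in (rule.findtext("source/address"), rule.findtext("destination/address"), port):
            if ref and not is_literal(ref) and ref not in aliases:
                findings.append((descr, f"references undefined alias {ref}"))
        # Least privilege: a pass rule on the IoT side with destination 'any'
        # reaches far more than the controller hosts the post intends.
        if rule.findtext("interface") == iot_iface and rule.find("destination/any") is not None:
            findings.append((descr, "IoT rule passes traffic to destination 'any'"))
        m = re.match(r"^(\d+)[-:](\d+)$", port)
        if m and int(m.group(2)) - int(m.group(1)) + 1 > max_range:
            findings.append((descr, f"port range {port} spans {int(m.group(2)) - int(m.group(1)) + 1} ports"))
    return unresolved, findings
```

Run it against a real export by replacing SAMPLE_CONFIG with the file contents; the high-port threshold and the IoT interface name are parameters of audit().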