SOLVED: SONOS across multiple VLANS
-
Here's the simple walk through. Hope it helps.
Also, if anyone sees something insecure in this solution please chip in!
Problem
I think my case is pretty typical:
- I have multiple SSIDs each on their own subnet.
- I have some Sonos speakers on an "IOT subnet".
- My main personal devices are connected to a "Secure subnet" that has firewall rules allowing it to reach this IOT subnet (but not the other way around).
- I'm fully able to ping the Sonos speakers from my devices on the main subnet. However, the speakers never show up in the list of available speakers to airplay to when I'm connected to the "Secure subnet". If I switch wifi and connect one of my computers to the "IOT subnet", then they show up as available speakers. But I do not want my computers connecting directly to the IOT subnet, nor do I want to spend my time switching wifi networks when I want to airplay something.
Solution
Step 1: Enable Multicast Traffic
1. Enable IGMP Proxy on pfSense:
- Go to Services > IGMP Proxy.
- Click Add under “IGMP Proxy”.
- Set the following:
- Interface: Choose your “IOT subnet” interface.
- Type: Set to “Upstream”.
- Networks: Add the subnet range for the IOT subnet (e.g., 192.168.20.0/24).
- Add another entry:
- Interface: Choose your “Secure subnet” interface.
- Type: Set to “Downstream”.
- Networks: Add the subnet range for the Secure subnet (e.g., 192.168.10.0/24).
2. Enable Avahi Daemon (mDNS Repeater) on pfSense:
- Go to Services > Avahi.
- Check the box to Enable the mDNS repeater.
- Under Interfaces, select both your “Secure subnet” and “IOT subnet” interfaces.
- Save the configuration.
Step 2: Configure Firewall Rules
1. Allow Multicast Traffic on the Secure Subnet:
- Go to Firewall > Rules.
- Select your “Secure subnet” interface.
- Click Add to create a new rule.
- Set the following:
- Action: Pass
- Interface: Your “Secure subnet” interface.
- Protocol: UDP
- Source: Any
- Destination: Network
- Destination Address: Your “IOT subnet” (e.g., 192.168.20.0/24)
- Destination Port Range: 5353 (both from and to)
- Save and apply the rule.
2. Allow Multicast Traffic on the IOT Subnet:
- Select your “IOT subnet” interface.
- Click Add to create a new rule.
- Set the following:
- Action: Pass
- Interface: Your “IOT subnet” interface.
- Protocol: UDP
- Source: Any
- Destination: Network
- Destination Address: Your “Secure subnet” (e.g., 192.168.10.0/24)
- Destination Port Range: 5353 (both from and to)
- Save and apply the rule.
Step 3: Restart The Services
- This should do it.
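A quick way to confirm the result from the Secure subnet, as an added example that is not part of the post: it sends one DNS-SD PTR query for the Sonos service to the mDNS group on UDP 5353 (the port the rules above open) and lists the speaker instances that answer. The service name `_sonos._tcp.local`, the function names and the assumption that the Avahi reflector relays replies for a query sent from an ephemeral port are mine.

```python
import socket
import struct
MDNS_GROUP, MDNS_PORT, PTR = "224.0.0.251", 5353, 12   # UDP 5353 is the port the rules above open

def build_ptr_query(service: str) -> bytes:
    # 12-byte header (id 0, flags 0, qdcount 1) + one question: <service> PTR IN; the name is
    # encoded as length-prefixed labels terminated by a zero byte
    qname = b"".join(bytes([len(l)]) + l.encode() for l in service.strip(".").split(".")) + b"\x00"
    return struct.pack("!6H", 0, 0, 1, 0, 0, 0) + qname + struct.pack("!HH", PTR, 1)

def decode_name(buf: bytes, off: int) -> tuple[str, int]:
    # read a possibly compressed name; return (name, offset just past it in the record)
    labels, end = [], None
    while (length := buf[off]) != 0:
        if length & 0xC0 == 0xC0:            # compression pointer: note where we were, then jump
            end = off + 2 if end is None else end
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(buf[off + 1:off + 1 + length].decode())
            off += 1 + length
    return ".".join(labels), (off + 1 if end is None else end)

def parse_ptr_answers(buf: bytes) -> list[str]:
    # service-instance names carried in the PTR answers of one mDNS response
    qd, an = struct.unpack("!HH", buf[4:8])
    off, names = 12, []
    for _ in range(qd):                       # legacy unicast replies echo the question: skip it
        off = decode_name(buf, off)[1] + 4
    for _ in range(an):
        _, off = decode_name(buf, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        if rtype == PTR:
            names.append(decode_name(buf, off + 10)[0])
        off += 10 + rdlen
    return names

def discover(service: str = "_sonos._tcp.local", timeout: float = 2.0) -> set[str]:
    # one query from an ephemeral port (a legacy unicast query, so speakers and the Avahi reflector
    # answer unicast to this socket); run from the Secure subnet, an empty set means no crossing
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_ptr_query(service), (MDNS_GROUP, MDNS_PORT))
    found: set[str] = set()
    with sock:
        while True:
            try:
                found.update(parse_ptr_answers(sock.recvfrom(9000)[0]))
            except socket.timeout:
                return found
            except (IndexError, struct.error, UnicodeDecodeError):
                pass                                   # malformed packet: ignore it
```

Run `discover()` from a machine on the Secure subnet; if the set is empty while the same call from the IOT subnet lists the speakers, the repeater or the 5353 rules are the problem, not the speakers.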
-
@CharlesT Excellent writeup, and very very good you took your time to relay this information to the forum after you found a solution.
NB: I think you mistakenly switched upstream and downstream in your text - at least you have IOT as downstream and SECURE as upstream in the screendump.
-
@keyser good eye! You're right. I've tried both configurations and both seem to work. However, pfSense states that you can only set one upstream interface whereas you can set multiple downstream ones. Hence, if you want to be able to reach the Sonos speakers from a third subnet you would need to make the IOT subnet the upstream interface.
I'm unsure why switching them around seems to have no effect. Maybe someone who knows can comment.
-
@CharlesT Thank you very much for this!
-
@CharlesT Thank you for the walkthrough! One day the connection between my Arc and my phone in two VLANs stopped working, and your setup worked partially for me. The Sonos app on the iPhone works fine and sees the Arc, but the app on my Android phone still can't seem to find it. Would you have any idea why? And I'm curious where you found out about port 5353? Thanks in advance.
-
Same here. Works fine with Apple and Windows but not Android. No connection with Android phones, which would be nice. Any ideas?
Thanks,
Jonna
-
@jonna99 Same here. Used to work flawlessly, but stopped working recently.