SOLVED: SONOS across multiple VLANS
-
Here's the simple walk through. Hope it helps.
Also, if anyone sees something insecure in this solution please chip in!Problem
I think my case is pretty typical:
- I have multiple SSIDs each on their own subnet.
- I have some Sonos speakers on an "IOT subnet".
- My main personal devices are connected to a "Secure subnet" that has firewall rules allowing it to reach this IOT subnet (but not the other way around).
- I'm fully able to ping the Sonos speakers from my devices on the main subnet. However, the speakers never show up in the list of available speakers to airplay to when I'm connected to the "Secure subnet". If I switch wifi and connect one of my computers to the "IOT subnet", then they show up as available speakers. But I do not want my computers connecting directly to the IOT subnet, now do I want to spend my time switching wifi networks when I want to airplay something.
Solution
Step 1: Enable Multicast Traffic
1. Enable IGMP Proxy on pfSense:
- Go to Services > IGMP Proxy.
- Click Add under “IGMP Proxy”.
- Set the following:
- Interface: Choose your “IOT subnet” interface.
- Type: Set to “Upstream”.
- Networks: Add the subnet range for the IOT subnet (e.g., 192.168.20.0/24).
- Add another entry:
- Interface: Choose your “Secure subnet” interface.
- Type: Set to “Downstream”.
- Networks: Add the subnet range for the Secure subnet (e.g., 192.168.10.0/24).
2. Enable Avahi Daemon (mDNS Repeater) on pfSense:
- Go to Services > Avahi.
- Check the box to Enable the mDNS repeater.
- Under Interfaces, select both your “Secure subnet” and “IOT subnet” interfaces.
- Save the configuration.
Step 2: Configure Firewall Rules
1. Allow Multicast Traffic on the Secure Subnet:
- Go to Firewall > Rules.
- Select your “Secure subnet” interface.
- Click Add to create a new rule.
- Set the following:
- Action: Pass
- Interface: Your “Secure subnet” interface.
- Protocol: UDP
- Source: Any
- Destination: Network
- Destination Address: Your “IOT subnet” (e.g., 192.168.20.0/24)
- Destination Port Range: 5353 (both from and to)
- Save and apply the rule.
2. Allow Multicast Traffic on the IOT Subnet:
- Select your “IOT subnet” interface.
- Click Add to create a new rule.
- Set the following:
- Action: Pass
- Interface: Your “IOT subnet” interface.
- Protocol: UDP
- Source: Any
- Destination: Network
- Destination Address: Your “Secure subnet” (e.g., 192.168.10.0/24)
- Destination Port Range: 5353 (both from and to)
- Save and apply the rule.
Step 3: Restart The Services
- This should do it.
-
C CharlesT referenced this topic on Jun 27, 2024, 10:56 PM
-
@CharlesT Excellent writeup, and very very good you took your time to relay this information to the forum after you found a solution.
NB: I think you mistakenly switched upstream and downstream in your text - at least you have IOT as downstream and SECURE as upstream in the screendump.
-
@keyser good eye! You're right. I've tried both configurations and both seem to work. However, pfSense states that you can only set one upstream interface whereas you can set multiple downstream ones. Hence, if you want to be able to reach the Sonos speakers from a third subnet you would need to make the IOT subnet the upstream interface.
I'm unsure why switching them around seems to have no effect. Maybe someone who knows can comment.
-
@CharlesT Thank you very much for this!
-
@CharlesT Thank you for the walkthrough! One day the connection between my Arc and my phone in two vlans stopped working, and your set up worked partially for me. The Sonos app on the Iphone works fine and sees the Arc, but the app on my android phone still can't seem to find it. Would you have any idea why? And I'm curious where you find out about port 5353? Thanks in advance.
-
Same here. Works fine with Apple and Windows but not Android. No connection with android phones which would be nice. Any ideas?
Thanks,
Jonna -
@jonna99 Same here. Used to work flawlessly, but stops working recently
-
Hello use the technic with udpbroadcast relay package and same probleme only under android ...
does exist a solution
perhaps android doesnt have different search method...
-
I have the same problerme with the technic with udpbroadcast package
only with android too
any solution ?
-
I'm not sure where to post this, as there are dozens of threads out there on this subject. They all involve some combination of Avahi, IGMP Proxy, Firewall rule changing, jumping jacks, yak shaving, and singing ring-around-the-rosie. And they all seemed to work for whoever posted them, at the time they posted them.
But they never work for me and I really have no idea how they actually worked for anyone else either. Maybe other factors were involved at the time, but I have no idea.
This is probably because Sonos discovery works by making an SSDP broadcast to the local subnet, and doesn't really use any of that other stuff. (Its been a long time since I looked at Sonos behavior in a packet sniffer, so I'll admit its possible it may have involved packets for those other protocols too at various points.) But really, the only solution is to relay those broadcast packets.
In any case, I finally found a solution last night that actually worked. It basically involved installing the "UDP Broadcast Relay" pfSense package, then configuring the two rules mentioned in this Reddit post:
https://www.reddit.com/r/PFSENSE/comments/rfs99r/setting_up_sonos_speakers_with_vlans_how_i_got/
(At the time I had Avahi enabled, but didn't have IGMP Proxy enabled, and my firewall was already configured to allow packets to pass between the VLANs. So I make no promises as to whether other stuff is also necessary.)
So I just want to drop this comment here, on the off chance it helps someone else in the future.