Netgate Discussion Forum

Sonos speakers and applications on different subnets (VLAN's)

General pfSense Questions
  • Q
    Qinn @denix
    last edited by Qinn Mar 17, 2019, 8:12 AM Mar 17, 2019, 8:12 AM

    @denix Could you post the messages you receive from PIMD and could you post the config file of PIMD?

    A VLAN that is not tagged is not a VLAN ;) , but tagging or not should not really matter as tagging happens when it leaves the subnet and traverses the switch.

    Hardware: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz 102 GB mSATA SSD (ZFS)
    Firmware: Latest-stable-pfSense CE (amd64)
    Packages: pfBlockerNG devel-beta (beta tester) - Avahi - Notes - Ntopng - PIMD/udpbroadcastrelay - Service Watchdog - System Patches

    • D
      denix
      last edited by denix Mar 18, 2019, 3:01 AM Mar 18, 2019, 2:57 AM

      @Qinn sorry if my explanation wasn't very clear. Yes, I was trying to say that LAN carries both VLAN-tagged traffic, as well as untagged.

      Originally I had all Sonos speakers in a separate VLAN10 tagged subnet, while other devices including Android controller app in untagged LAN.

      Tired of trying to make it work, I ended up placing WiFi devices into own VLAN40 tagged subnet. Now testing PIMD with VLAN10 <-> VLAN40 and still no luck.

      VLAN10 = 192.168.10.0/24 (Sonos speakers)
      VLAN40 = 192.168.40.0/24 (Android control app)

      pfSense has IP of x.x.x.1 on each interface. Both subnets are fully open to each other for unidirectional traffic.

      Here's my config (tried many different variants of enabling/disabling different options):

      phyint igb0 disable
      phyint igb1 disable
      phyint igb2 disable
      phyint igb3 disable
      phyint igb1.10 enable
      phyint igb1.20 disable
      phyint igb1.30 disable
      phyint igb1.40 enable
      bsr-candidate priority 5
      rp-candidate time 30 priority 20
      group-prefix 224.0.0.0 masklen 4
      spt-threshold packets 0 interval 100
      

      Starting pimd -d:

      debug level 0xffffffff (dvmrp_detail,dvmrp_prunes,dvmrp_routes,dvmrp_neighbors,dvmrp_timers,igmp_proto,igmp_timers,igmp_members,trace,timeout,packets,interfaces,kernel,cache,rsrr,pim_detail,pim_hello,pim_register,pim_join_prune,pim_bootstrap,pim_asserts,pim_cand_rp,pim_routes,pim_timers,pim_rpf)
      22:58:33.455 pimd version 2.3.2 starting ...
      22:58:33.455 Got 262144 byte send buffer size in 0 iterations
      22:58:33.455 Got 262144 byte recv buffer size in 0 iterations
      22:58:33.455 Got 262144 byte send buffer size in 0 iterations
      22:58:33.455 Got 262144 byte recv buffer size in 0 iterations
      22:58:33.455 Getting vifs from kernel
      22:58:33.455 Installing igb0 (x.x.x.x on subnet x.x.x/24) as vif #0 - rate 0
      22:58:33.455 Installing igb1 (192.168.0.1 on subnet 192.168) as vif #1 - rate 0
      22:58:33.455 Installing igb2 (192.168.13.1 on subnet 192.168.13) as vif #2 - rate 0
      22:58:33.455 Installing igb3 (192.168.255.1 on subnet 192.168.255) as vif #3 - rate 0
      22:58:33.455 Installing igb1.10 (192.168.10.1 on subnet 192.168.10) as vif #4 - rate 0
      22:58:33.455 Installing igb1.20 (192.168.20.1 on subnet 192.168.20) as vif #5 - rate 0
      22:58:33.455 Installing igb1.30 (192.168.30.1 on subnet 192.168.30) as vif #6 - rate 0
      22:58:33.455 Installing igb1.40 (192.168.40.1 on subnet 192.168.40) as vif #7 - rate 0
      22:58:33.455 Getting vifs from /var/etc/pimd.conf
      22:58:33.455 Local Cand-BSR address 192.168.40.1, priority 5
      22:58:33.455 Local Cand-RP address 192.168.40.1, priority 20, interval 30 sec
      22:58:33.455 spt-threshold packets 0 interval 100
      22:58:33.455 Local static RP: 169.254.0.1, group 232.0.0.0/8
      22:58:33.455 IGMP query interval  : 12 sec
      22:58:33.455 IGMP querier timeout : 41 sec
      22:58:33.455 Interface igb0 is DISABLED; vif #0 out of service
      22:58:33.455 Interface igb1 is DISABLED; vif #1 out of service
      22:58:33.455 Interface igb2 is DISABLED; vif #2 out of service
      22:58:33.455 Interface igb3 is DISABLED; vif #3 out of service
      22:58:33.455 Interface igb1.10 comes up; vif #4 now in service
      22:58:33.456 query_groups(): Sending IGMP v3 query on igb1.10
      22:58:33.456 Send IGMP Membership Query     from 192.168.10.1 to 224.0.0.1
      22:58:33.456 SENT    36 bytes IGMP Membership Query     from 192.168.10.1    to 224.0.0.1
      22:58:33.456 SENT    46 bytes PIM v2 Hello              from 192.168.10.1    to 224.0.0.13
      22:58:33.456 Interface igb1.20 is DISABLED; vif #5 out of service
      22:58:33.456 Interface igb1.30 is DISABLED; vif #6 out of service
      22:58:33.456 Interface igb1.40 comes up; vif #7 now in service
      22:58:33.456 query_groups(): Sending IGMP v3 query on igb1.40
      22:58:33.456 Send IGMP Membership Query     from 192.168.40.1 to 224.0.0.1
      22:58:33.456 SENT    36 bytes IGMP Membership Query     from 192.168.40.1    to 224.0.0.1
      22:58:33.456 SENT    46 bytes PIM v2 Hello              from 192.168.40.1    to 224.0.0.13
      22:58:33.456 Interface register_vif0 comes up; vif #8 now in service
      Virtual Interface Table ======================================================
      Vif  Local Address    Subnet              Thresh  Flags      Neighbors
      ---  ---------------  ------------------  ------  ---------  -----------------
        0  x.x.x.x          x.x.x/24                 1  DISABLED
        1  192.168.0.1      192.168                  1  DISABLED
        2  192.168.13.1     192.168.13               1  DISABLED
        3  192.168.255.1    192.168.255              1  DISABLED
        4  192.168.10.1     192.168.10               1  DR NO-NBR
        5  192.168.20.1     192.168.20               1  DISABLED
        6  192.168.30.1     192.168.30               1  DISABLED
        7  192.168.40.1     192.168.40               1  DR NO-NBR
        8  192.168.10.1     register_vif0            1 
      

      And here's a sample output from running pimd with -d option when there's traffic:

      Candidate Rendezvous-Point Set ===============================================
      RP address       Incoming  Group Prefix        Priority  Holdtime
      ---------------  --------  ------------------  --------  ---------------------
      192.168.40.1     8         224/4               20        50      
      169.254.0.1      0         232/8               1         65535   
      ------------------------------------------------------------------------------
      Current BSR address: 192.168.40.1
      
      22:37:31.848 Cache miss, src 192.168.40.10, dst 239.255.255.250, iif 7
      22:37:31.848 create group entry, group 239.255.255.250
      22:37:31.848 create source entry, source 192.168.40.10
      22:37:31.848 move_kernel_cache: SG
      22:37:32.326 Cache miss, src 192.168.10.16, dst 239.255.255.250, iif 4
      22:37:32.326 create source entry, source 192.168.10.16
      22:37:32.326 move_kernel_cache: SG
      22:37:32.340 Cache miss, src 192.168.10.15, dst 239.255.255.250, iif 4
      22:37:32.340 create source entry, source 192.168.10.15
      22:37:32.340 move_kernel_cache: SG
      22:37:32.660 Cache miss, src 192.168.10.14, dst 239.255.255.250, iif 4
      22:37:32.660 create source entry, source 192.168.10.14
      22:37:32.660 move_kernel_cache: SG
      22:37:32.916 Cache miss, src 192.168.10.13, dst 239.255.255.250, iif 4
      22:37:32.916 create source entry, source 192.168.10.13
      22:37:32.916 move_kernel_cache: SG
      22:37:33.005 Cache miss, src 192.168.10.21, dst 239.255.255.250, iif 4
      22:37:33.005 create source entry, source 192.168.10.21
      22:37:33.005 move_kernel_cache: SG
      22:37:33.185 Cache miss, src 192.168.10.17, dst 239.255.255.250, iif 4
      22:37:33.185 create source entry, source 192.168.10.17
      22:37:33.185 move_kernel_cache: SG
      22:37:34.274 Cache miss, src 192.168.40.10, dst 239.255.255.250, iif 7
      
      Virtual Interface Table ======================================================
      Vif  Local Address    Subnet              Thresh  Flags      Neighbors
      ---  ---------------  ------------------  ------  ---------  -----------------
        0  x.x.x.x          x.x.x/24                 1  DISABLED
        1  192.168.0.1      192.168                  1  DISABLED
        2  192.168.13.1     192.168.13               1  DISABLED
        3  192.168.255.1    192.168.255              1  DISABLED
        4  192.168.10.1     192.168.10               1  DR NO-NBR
        5  192.168.20.1     192.168.20               1  DISABLED
        6  192.168.30.1     192.168.30               1  DISABLED
        7  192.168.40.1     192.168.40               1  DR NO-NBR
        8  192.168.10.1     register_vif0            1 
      
       Vif  SSM Group        Sources             
      
      
      Multicast Routing Table ======================================================
      --------------------------------- (*,*,G) ------------------------------------
      Number of Groups: 0
      Number of Cache MIRRORs: 0
      ------------------------------------------------------------------------------
      

      The log above clearly shows some traffic where 192.168.10.13-17 are Sonos speakers and 192.168.40.10 is my Android phone with Sonos control app trying to find them. I still get "We can't connect to Sonos". And somehow Multicast Routing Table is empty anyway.

      Any ideas? Thanks!

      • Q
        Qinn @denix
        last edited by Mar 20, 2019, 6:54 PM

        @denix I will try to look into it this weekend, btw the tagging should not matter, tagging is only there in the trunk and when it leaves the subnet, so LAN or VLAN should not matter.
        I don't know why you used "enable" in the config file, as by default all interfaces are enabled and as you can see in my config I disabled all but the subnet that holds the Sonos speakers and the other subnet that holds the Sonos applications.

        • D
          denix
          last edited by Mar 29, 2019, 12:18 AM

          @Qinn how do you have your Sonos speakers connected to the network? Do you use Bridge or Boost? Do you connect them Wirelessly or with Ethernet cable?

          • Q
            Qinn @denix
            last edited by Qinn Mar 29, 2019, 12:29 PM Mar 29, 2019, 9:39 AM

            @denix said in Sonos speakers and applications on different subnets (VLAN's):

            @Qinn how do you have your Sonos speakers connected to the network? Do you use Bridge or Boost? Do you connect them Wirelessly or with Ethernet cable?

            Neither; all Sonos devices connect to an AP, so by WiFi, and there is no Bridge or Boost from Sonos. In total there are 3 Sonos Play:1, 1 Play:3 and a Sonos Connect:AMP. On this AP there are 5 SSIDs, each with its own VLAN ID (so isolation). IPs are (as it is an AP) assigned by the DHCP server from pfSense.

            • D
              denix
              last edited by Mar 31, 2019, 4:41 AM

              @Qinn did you have to re-pair Sonos and the controller once you got your network and pfSense setup?

              Nothing seems to work on my end. Unfortunately I don't have WiFi that can do VLAN, so isolation is done on a switch. WiFi connects to one of the ports that gets tagged, so everything wireless goes to that VLAN. I had most of my Sonos speakers wired, so once I isolated their ports to another VLAN, they dutifully got new IPs from pfSense's DHCP server for that segment. Running PIMD between those VLAN segments and the controller doesn't see the speakers.

              I even ended up resetting the controller, and one of the spare Sonos:1 speakers. I paired them up, but the speaker got onto the WiFi SSID and the same VLAN as the controller. That works, but the speaker now sits on the WiFi VLAN and refuses to connect with a cable to go into own dedicated VLAN... Tried pairing a Bridge, but since it's wired, it can never get detected by the controller, since they are in separate VLANs. PIMD doesn't seem to help a bit.

              Can't get it to work, no matter what I try. Any help would be greatly appreciated! Thanks.

              • Q
                Qinn @denix
                last edited by Mar 31, 2019, 3:10 PM

                @denix Could you draw the setup of your network?

                • R
                  Rai80 @denix
                  last edited by Apr 1, 2019, 7:59 PM

                  @denix Did you enable the "Allow packets with IP options to pass. Otherwise they are blocked by default. This is usually only seen with multicast traffic" rule in the advanced options in your Firewall rules?

                  • D
                    denix
                    last edited by Apr 1, 2019, 10:57 PM

                    @Rai80 bingo!

                    That was it. Once I enabled that option in Firewall Rules for each VLAN segment configured in PIMD, I started seeing a lot more traffic in PIMD debug.

                    One more thing - all the above works with existing setup. Creating new Sonos network or adding new speakers doesn't work, as I read somewhere that pressing Play/Pause and Volume+ buttons doesn't get propagated between segments over multicast.

                    Since I already reset the controller, I needed one more step: I brought up a temporary WiFi SSID on the same VLAN as Sonos speakers, connected my Android phone to that WiFi and set up the Controller. After that, moving it back to the main WiFi SSID works and it still sees and controls speakers on a separate VLAN with PIMD running.

                    Now I'm happy. Thanks everyone for all the help!

                    PS. Would be nice to figure out how to set up new Sonos speakers w/o using the temporary SSID...

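An added example (not from any poster in this thread, and not part of pimd): a small Python triage of `pimd -d` output in the format posted earlier. It groups "Cache miss" senders per vif and flags groups that have senders on two or more enabled vifs while the routing-table dump reports zero groups, the symptom described before "Allow IP options" was enabled. The sample lines are constructed from that format, and the function and field names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, trimmed to the line formats shown in the pimd -d output above.
SAMPLE_LOG = """\
Vif  Local Address    Subnet              Thresh  Flags      Neighbors
  3  192.168.255.1    192.168.255              1  DISABLED
  4  192.168.10.1     192.168.10               1  DR NO-NBR
  7  192.168.40.1     192.168.40               1  DR NO-NBR
  8  192.168.10.1     register_vif0            1
22:37:31.848 Cache miss, src 192.168.40.10, dst 239.255.255.250, iif 7
22:37:32.326 Cache miss, src 192.168.10.16, dst 239.255.255.250, iif 4
22:37:32.340 Cache miss, src 192.168.10.15, dst 239.255.255.250, iif 4
22:37:34.274 Cache miss, src 192.168.40.10, dst 239.255.255.250, iif 7
Number of Groups: 0
"""

VIF_ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s*(.*)$")
CACHE_MISS = re.compile(r"Cache miss, src ([\d.]+), dst ([\d.]+), iif (\d+)")
GROUPS = re.compile(r"Number of Groups:\s*(\d+)")


def triage(log_text):
    """Correlate cache misses with the vif table and the routing-table dump."""
    vifs = {}
    groups_in_table = None
    senders = defaultdict(lambda: defaultdict(set))  # group -> vif -> {source}

    for line in log_text.splitlines():
        miss = CACHE_MISS.search(line)
        if miss:
            src, dst, iif = miss.group(1), miss.group(2), int(miss.group(3))
            senders[dst][iif].add(src)
            continue
        count = GROUPS.search(line)
        if count:
            groups_in_table = int(count.group(1))  # the last dump in the log wins
            continue
        row = VIF_ROW.match(line)
        if row:
            subnet, flags = row.group(3), row.group(5)
            vifs[int(row.group(1))] = {
                "subnet": subnet,
                # register_vif0 is pimd's internal register interface, not a VLAN
                "enabled": "DISABLED" not in flags
                and not subnet.startswith("register_vif"),
            }

    report, stalled = {}, []
    for group in sorted(senders):
        per_vif = {v: sorted(s) for v, s in sorted(senders[group].items())}
        report[group] = per_vif
        enabled = [v for v in per_vif if vifs.get(v, {}).get("enabled")]
        # Data arrives from both segments but pimd holds no group state.
        if len(enabled) >= 2 and groups_in_table == 0:
            stalled.append(group)

    return {"vifs": vifs, "senders": report,
            "groups_in_table": groups_in_table, "stalled": stalled}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for group, per_vif in result["senders"].items():
        for vif, sources in per_vif.items():
            subnet = result["vifs"].get(vif, {}).get("subnet", "?")
            print(f"{group} via vif {vif} ({subnet}): {', '.join(sources)}")
    for group in result["stalled"]:
        print(f"{group}: senders on several enabled vifs, routing table empty; "
              "check that the firewall rules on those interfaces allow IP options")
```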
                    • Q
                      Qinn
                      last edited by Qinn May 10, 2019, 4:04 PM Apr 2, 2019, 10:11 AM

                      Nice that it works, but then I have to adapt the how to, as I explicitly mentioned that "allow IP options" was not needed and I can confirm that here I don't need to allow it, but my Sonos applications are not running on Android. Well, personally I don't understand why this is needed, be that as it may, but the proof is in the pudding.

                      I added a second note to file.

                      Note 2: it is reported below that on Android devices "Allow IP options" in the Advanced Options of the firewall rules needs to be enabled to make it work, so if you don't have success, please try to enable it.

                      @denix now that it is working, can you confirm that when you quit PIMD, you can still connect to the Sonos speakers?

                      • D
                        denix
                        last edited by Apr 3, 2019, 9:27 PM

                        @Qinn yes, seems to be still working w/o PIMD running.

                        I also need to lock down the firewall between VLANs - currently I have those completely open to each other. Need to close and punch holes according to this list:
                        https://support.sonos.com/s/article/688

                        TCP/IP:
                        80 (Internet Radio, updates and registration)
                        443 (Rhapsody, Napster, and SiriusXM)
                        445 (CIFS)
                        3400 (incoming UPnP events - Sonos Controller App for Mac or PC)
                        3401 (Sonos Controller App for iOS)
                        3445 (OS X / Windows File Sharing)
                        3500 (Sonos Controller App for Android)
                        4070 (Spotify incoming events)
                        4444 (Sonos update process)

                        UDP:
                        136-139 (NetBIOS)
                        1900 (UPnP events and device detection)
                        1901 (UPnP responses)
                        2869, 10243, 10280-10284 (Windows Media Player NSS)
                        5353 (Spotify Control)
                        6969 (Initial configuration)

                        • Q
                          Qinn @denix
                          last edited by Qinn Apr 4, 2019, 4:24 PM Apr 4, 2019, 1:02 PM

                          @denix That was my conclusion also, thanks you have tested it, it seems that the applications save the addresses of the Sonos speaker for unicast, it's been 3 months that PIMD has been running and I can still access the speakers.

                          • P
                            pr3dict
                            last edited by Apr 5, 2019, 9:48 PM

                            I'm at a loss... I think my issue is related to the TTL being set as 1 coming from the device sending the SSDP multicast. PIMD is setup exactly how you have it above and I'm still not seeing the traffic get through.

                            Does anyone know if there is a way to change the TTL for this type of traffic?

                            • Q
                              Qinn @pr3dict
                              last edited by Apr 6, 2019, 8:04 AM

                              @pr3dict said in Sonos speakers and applications on different subnets (VLAN's):

                              I'm at a loss... I think my issue is related to the TTL being set as 1 coming from the device sending the SSDP multicast. PIMD is setup exactly how you have it above and I'm still not seeing the traffic get through.

                              Does anyone know if there is a way to change the TTL for this type of traffic?

                              Why do you think this and what does a debug or log show?

                                • A
                                  alexbond93
                                  last edited by May 10, 2019, 8:52 AM

                                  I tried to follow your guide (which is very clear and detailed), but I can't get it to work (not seeing any traffic).

                                  Do you think it could be related to this https://forum.netgate.com/topic/140596/multicast-routing (TL;DR No IPv4 MROUTING kernel support.)?

                                  • Q
                                    Qinn @alexbond93
                                    last edited by Qinn May 10, 2019, 4:07 PM May 10, 2019, 3:53 PM

                                    @alexbond93 can you see that pimd is running, and did you configure it so that the interfaces carrying the VLANs containing the speakers and the one containing the Sonos software are not disabled? Btw, did you take a look at the remark by @denix (Apr 2, 2019, 12:57 AM)? I personally did not need it, but it seems to help him.

                                    • S
                                      spaceboy
                                      last edited by Jun 9, 2019, 1:54 PM

                                      unfortunately i couldn't get this to work. from my pfsense i have a wired vlan to a wireless AP to which all IOT including Sonos speakers are attached. main LAN VLAN goes to a unifi edgeswitch and then onto all other devices either wired or through another wireless AP.

                                      i got pimd installed and configured it just to disable the WAN interface. i could see pimd in top but couldn't ever get the Sonos speakers to show up in the Sonos app on a pc on LAN.

                                      i didn't set anything related to ip settings on the firewall rules as suggested. my guess is it's something in the edge switch blocking it but i've given up for now. hopefully Sonos fix this in a future update

                                      • JKnottJ
                                        JKnott @pr3dict
                                        last edited by Jun 9, 2019, 2:36 PM

                                        @pr3dict said in Sonos speakers and applications on different subnets (VLAN's):

                                        I'm at a loss... I think my issue is related to the TTL being set as 1 coming from the device sending the SSDP multicast. PIMD is setup exactly how you have it above and I'm still not seeing the traffic get through.

                                        If TTL is set to 1 it's because the packet is not intended to be routed. This is often the case with multicast. So, when that packet tries to go through a router, the TTL will decrement to 0 and the packet is discarded.

                                        PfSense running on Qotom mini PC
                                        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                                        UniFi AC-Lite access point

                                        I haven't lost my mind. It's around here...somewhere...

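An added illustration (not code from the thread, pimd or pfSense): the two header-level conditions raised in this thread, IP options (the "Allow IP options" rule setting) and a TTL of 1, checked on raw IPv4 headers in Python. The headers are constructed samples with the checksum left at zero; the Router Alert option on the IGMP report follows the IGMP RFCs, while the addresses and TTL values are assumptions, not captures from Sonos or Android devices.

```python
import socket
import struct

ROUTER_ALERT = 148            # IPv4 option type 0x94 (RFC 2113)
PROTO_IGMP, PROTO_UDP = 2, 17
IPV4_FIXED = "!BBHHHBBH4s4s"  # the 20-byte fixed part of the IPv4 header


def build_ipv4(src, dst, ttl, proto, options=b""):
    """Constructed header for the demo: checksum is 0 and no payload follows."""
    if len(options) % 4:
        raise ValueError("options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(options) // 4
    fixed = struct.pack(IPV4_FIXED, (4 << 4) | ihl, 0, ihl * 4, 0, 0,
                        ttl, proto, 0,
                        socket.inet_aton(src), socket.inet_aton(dst))
    return fixed + options


def parse_ipv4(raw):
    """Return TTL, protocol, addresses and the list of IP option types."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, ttl, proto, _, src, dst = struct.unpack(
        IPV4_FIXED, raw[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4 or ihl < 5 or len(raw) < ihl * 4:
        raise ValueError("not a complete IPv4 header")
    opts, types, i = raw[20:ihl * 4], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:         # End of Option List
            break
        if kind == 1:         # No-Operation is a single byte
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed IP option")
        types.append(kind)
        i += opts[i + 1]
    return {"ttl": ttl, "proto": proto, "options": types,
            "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}


def assess(raw, allow_ip_options):
    """Verdict for one packet arriving at a routing firewall hop."""
    h = parse_ipv4(raw)
    if h["options"] and not allow_ip_options:
        return "dropped: carries IP options and the pass rule does not allow them"
    if h["proto"] == PROTO_IGMP:
        return "accepted locally: IGMP is consumed by the router, not forwarded"
    if h["ttl"] <= 1:
        return "not forwarded: TTL %d expires at this hop" % h["ttl"]
    return "forwardable: TTL %d after this hop" % (h["ttl"] - 1)


# Constructed samples (addresses follow the VLAN40 subnet used in the thread).
IGMP_REPORT = build_ipv4("192.168.40.10", "224.0.0.22", 1, PROTO_IGMP,
                         bytes([ROUTER_ALERT, 4, 0, 0]))
SSDP_TTL1 = build_ipv4("192.168.40.10", "239.255.255.250", 1, PROTO_UDP)
SSDP_TTL4 = build_ipv4("192.168.40.10", "239.255.255.250", 4, PROTO_UDP)

if __name__ == "__main__":
    for name, pkt in (("IGMP report", IGMP_REPORT),
                      ("SSDP, TTL 1", SSDP_TTL1),
                      ("SSDP, TTL 4", SSDP_TTL4)):
        for allow in (False, True):
            print(f"{name:12} allow_ip_options={allow!s:5} -> {assess(pkt, allow)}")
```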
                                        • chpalmerC
                                          chpalmer
                                          last edited by Jul 12, 2019, 5:45 PM

                                          Thanks for the work here everyone!

                                          I have a couple of cases where I need to traverse multiple routers with multicast. There might be a way to use pfsense for this after all. Right now it's Cisco.

                                          Think simulcast audio. https://www.gatesair.com/products/transport/public-safety-govt-communications

                                          There are at least a couple other systems in the radio world that utilize multicast across subnets to distribute ROIP.

                                          Triggering snowflakes one by one..
                                          Intel(R) Core(TM) i5-4590T CPU @ 2.00GHz on an M400 WG box.
