Netgate Discussion Forum

    Sonos and VLANs

      darrendavid

      @jahonix:

      Device discovery might be something simple like a broadcast, which by its nature does not traverse subnets.

      My impression from reading the work of others trying to solve the same problem was that IGMP Proxy would handle rebroadcasting across the subnets. Is this an errant interpretation of IGMP Proxy?

        jahonix

        IGMP takes care of Multicasts, what we have is a Broadcast
        https://en.wikipedia.org/wiki/Internet_Group_Management_Protocol

          darrendavid

          OK, fair enough. Is there a simpler way to do this? Is there a way to lump folks on my guest wifi network into a specific block of IP addresses that I can set up specific firewall rules with? Using a VLAN was my first thought, but as mentioned this is a home network and ultimately if there's someone in my house they technically have physical access to all machines. I'm just trying to have a modicum of safety and would prefer to limit access to certain IPs from unknown visitors.

          I guess one way to do it would be to set up static DHCP assignments to all /known/ clients and then any random IPs could get firewalled appropriately.

          Thoughts?

            Derelict LAYER 8 Netgate

            Any scheme like that would provide only an illusion of security since MAC addresses are so easily-spoofable. Better to give the password to a network that is allowed to access the private devices to those whom you want to be able to access them.

            Alternately you could use 802.1x and set a dynamic VLAN for users based on what you want them to be able to access. Your gear would have to support it and you would need to know how to make that gear do that. It wouldn't be the firewall's job.

            Seems like Sonos has some work to do.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

              dglacey

              In case it helps others, I got this working by using the IGMP Proxy feature of pfSense

              I have my SONOS players on the LAN and wanted to control them from an iPhone on a separate VLAN.

              This is what I did:

              1. Go to Services/IGMP Proxy on pfSense
              2. Click Add
              3. Interface = WAN, Type = downstream interface, Network = 192.168.1.1/24 (this is my LAN subnet)
              4. Click Save
              5. Click Add
              6. Interface = WAN, Type = upstream interface, Network = 192.168.2.1/24 (this is the VLAN subnet)
              7. Add a rule to the VLAN subnet to allow all traffic.

              This worked so long as the Gateway in the VLAN rule was set to Default. It would not work if I set the Gateway to a specific WAN interface.

              I could now run the SONOS app on my iPhone connected to the VLAN and operate my SONOS players that were on the LAN.

                ResIpsa

                I'm interested in getting this to work as well, but I am getting an error from igmpproxy.  Can you confirm that you set the Interface for both to WAN?  I have followed everything else in your example, but I get the following error:

                Mar 14 22:00:27 igmpproxy 89344 There must be at least 2 Vif's where one is upstream.

                igmpproxy will start if I change one of the interfaces away from WAN, but then Sonos doesn't work.

                  Duckmuck @ResIpsa

                  @resipsa

                  This thread is old. Just for reference, I got this to work.
                  My vlans have their own interfaces.

                  So create Proxy for:

                  Upstream for interface LAN
                  Interface =LAN
                  Type=upstream
                  Network=10.0.1.0/24

                  and downstreams for VLANs (example: VLAN 20 and 100)

                  Interface =VL20_VPN
                  Type=downstream
                  Network=10.0.20.0/24

                  Interface=VL100_GUEST
                  Type=downstream
                  Network=10.0.100.0/24

                  Regards, D
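
An added example, not code from any poster, pfSense or igmpproxy: it checks the two proxy layouts posted in this thread against the startup condition in the quoted log line ("at least 2 Vif's where one is upstream") and labels destinations as multicast or broadcast, the distinction raised earlier in the thread. The function names, the rule that rows naming the same interface collapse into one Vif, and the sample destination addresses are assumptions of this example.

```python
import ipaddress

def classify_destination(dst, subnet):
    """Label dst as multicast, broadcast or unicast as seen from subnet."""
    addr = ipaddress.ip_address(dst)
    net = ipaddress.ip_network(subnet)
    if addr.is_multicast:
        return "multicast"   # group traffic, the only kind an IGMP proxy handles
    if addr == net.broadcast_address or str(addr) == "255.255.255.255":
        return "broadcast"   # never leaves its own subnet
    return "unicast"

def check_proxy_entries(entries):
    """Review (interface, type, network) rows as entered in the GUI.

    Simplified model (an assumption of this example): rows that name the
    same interface collapse into one virtual interface (Vif).
    """
    findings = []
    role_of = {}
    for iface, role, network in entries:
        if role not in ("upstream", "downstream"):
            findings.append(f"{iface}: unknown type {role!r}")
            continue
        if role_of.get(iface, role) != role:
            findings.append(f"{iface}: listed as both {role_of[iface]} and {role}")
        role_of[iface] = role
        given = ipaddress.ip_interface(network)
        if given.ip != given.network.network_address:
            findings.append(f"{iface}: {network} is a host address in {given.network}")
    if len(role_of) < 2 or "upstream" not in role_of.values():
        findings.append("need at least 2 Vifs where one is upstream")
    return findings

# Rows as posted in the thread.
SAME_INTERFACE = [("WAN", "downstream", "192.168.1.1/24"),
                  ("WAN", "upstream", "192.168.2.1/24")]
PER_VLAN = [("LAN", "upstream", "10.0.1.0/24"),
            ("VL20_VPN", "downstream", "10.0.20.0/24"),
            ("VL100_GUEST", "downstream", "10.0.100.0/24")]

if __name__ == "__main__":
    for name, rows in (("same interface", SAME_INTERFACE), ("per VLAN", PER_VLAN)):
        print(name, check_proxy_entries(rows) or "ok")
    # Constructed sample destinations, not taken from the thread.
    for dst in ("239.255.255.250", "10.0.1.255", "10.0.1.20"):
        print(dst, classify_destination(dst, "10.0.1.0/24"))
```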

                    Rai80

                    You can also try pimd:

                    https://forum.netgate.com/topic/138242/dlna-across-vlan-subnets-with-igmp-proxy-not-working/12

                      Duckmuck

                      Hi!

                      Still trying to find an optimal solution.

                      So using igmp proxy I get android device to successfully use the sonos app, but IOS devices aren't working.
                      Using pimd I get both android and IOS devices to work, but Spotify Connect is not working.

                      Right now I'm back to putting all my sonos devices on the same vlan as my phones (removed from the IOT vlan). If anyone has gotten Spotify Connect to work with sonos across vlans it would be great to know how you did it.
                      I've seen a solution for unifi secure gateway, but can't get this to work with pfsense.

                        m4ttb1ss @Duckmuck

                        @Duckmuck hey, I'm also trying to get my Sonos Setup working in different VLANs.

                        My Speakers are in VLAN IOT, subnet 10.0.2.0/24 (not really, but let's assume)
                        My phone which is supposed to be the controller is in LAN, subnet 10.0.1.0/24.

                        Which one do I have to set up as upstream and which one as downstream, and which subnet has to be entered in which Interface? I see IGMP traffic in the general system logs, like group membership requests, but at the same time I see "IGMP came from myself, ignoring".

                        Would be appreciated if you could help out

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.