Netgate Discussion Forum
    Sonos speakers and applications on different subnets (VLAN's)

    General pfSense Questions
    250 Posts 55 Posters 143.5k Views
    • I
      indigomirage @sinbox_pfs
      last edited by

      @sinbox_pfs

      What are the prospects for turning the udp-relay into a pfSense package? I've wrestled with this for a few years, and had hoped PIMD would solve things (but no luck). I'm not quite savvy enough to run a non-package daemon on my router for anything beyond an experiment - just too many points of failure to factor in.

      I'm glad to see so much success with this one.

      1 Reply Last reply Reply Quote 0
      • S
        sinbox_pfs
        last edited by stephenw10

        @indigomirage Based on the info I saw on the other thread, it looks like a request to include this as a package has been submitted, however, I'm unsure how long the process will take.

        Like you, I had tried unsuccessfully with PIMD and Avahi without complete success for the past 2 years. The process is easier than you think, esp. if you follow the step by step instructions that @tman222 has posted above:

        https://forum.netgate.com/topic/155698/how-can-i-get-this-udp-relay-package-for-casting-across-vlans/37

        Basically, it involves copying the linked binary file (if you trust it) or compiling one on a FreeBSD VM on to pfSense's root folder. From there, all you need is the interface names from pfSense & you need to run the following commands from the terminal or Diagnostics > Command Prompt from the GUI (3 times, with a unique id each time). I have skipped a few important steps like taking a backup before you proceed & using ShellCMD to automate the execution of these when pfSense reboots.

        For Enabling mDNS:

        ./udpbroadcastrelay --id 1 --port 5353 --dev igb1 --dev igb1.20 --multicast 224.0.0.251 -s 1.1.1.1 -f > /dev/null
        

        For Sonos:

        ./udpbroadcastrelay --id 2 --port 1900 --dev igb1 --dev igb1.20 --multicast 239.255.255.250 -f > /dev/null
        

        For LIFX:

        ./udpbroadcastrelay --id 3 --port 56700 --dev igb1 --dev igb1.20 -f > /dev/null
        

        In my case, dev igb1 was my LAN and all my IoT/Sonos devices are in the dev igb1.20 VLAN.

        QinnQ 1 Reply Last reply Reply Quote 0
        • QinnQ
          Qinn @sinbox_pfs
          last edited by Qinn

          @sinbox_pfs May I add that in some cases (like when you move the udpbroadcastrelay file to a Windows PC) you need to make the file executable again, so if the file is grey and not red (pfSense uses the color red for executables) then

          chmod 755 udpbroadcastrelay

          So I compiled and tested

          udpbroadcastrelay 
          

          ...and can confirm that it works rather nicely. If some of you are not getting PIMD working, then give it a try. Good luck.

          Hardware: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz 102 GB mSATA SSD (ZFS)
          Firmware: Latest-stable-pfSense CE (amd64)
          Packages: pfBlockerNG devel-beta (beta tester) - Avahi - Notes - Ntopng - PIMD/udpbroadcastrelay - Service Watchdog - System Patches

          1 Reply Last reply Reply Quote 1
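Putting the two posts above together (the three relay commands from sinbox_pfs and Qinn's note about the lost executable bit), here is an added example of a boot-time wrapper script of the kind one would point ShellCMD at. It is not code from the thread or from the udpbroadcastrelay project; the install path /root/udpbroadcastrelay, the interface names and the meaning of the flags are assumptions taken from the commands quoted above.

```shell
#!/bin/sh
# Added example, not code from the thread or from the udpbroadcastrelay project:
# a wrapper that starts the three relay instances listed above, for use from
# ShellCMD at boot. The binary path, interface names and the udpbroadcastrelay
# flags used here are assumptions taken from the commands quoted in the thread.

RELAY_BIN="${RELAY_BIN:-/root/udpbroadcastrelay}"  # assumed location of the binary
LAN_IF="${LAN_IF:-igb1}"                           # trusted LAN (also the VLAN parent)
IOT_IF="${IOT_IF:-igb1.20}"                        # IoT VLAN holding Sonos/LIFX
DRY_RUN="${DRY_RUN:-0}"                            # 1 = print commands, do not run

# One relay per line: id  udp-port  multicast-group(or -)  extra-args(or -)
# (constructed from the three commands in the thread)
RELAYS='
1 5353  224.0.0.251     -s 1.1.1.1
2 1900  239.255.255.250 -
3 56700 -               -
'

# Build the command line for one instance. Arguments: id, port, group, extra.
relay_cmd() {
    _cmd="$RELAY_BIN --id $1 --port $2 --dev $LAN_IF --dev $IOT_IF"
    [ -n "$3" ] && _cmd="$_cmd --multicast $3"
    [ -n "$4" ] && _cmd="$_cmd $4"
    printf '%s\n' "$_cmd -f"
}

# Succeed only if every argument is distinct. The relay uses its id to tell
# its own relayed packets apart, so two instances sharing an id interfere.
ids_unique() {
    if printf '%s\n' "$@" | sort | uniq -d | grep -q .; then
        return 1
    fi
    return 0
}

# Make sure the binary exists and is executable (a round trip through a
# Windows PC drops the mode bit, as noted above).
ensure_executable() {
    [ -f "$RELAY_BIN" ] || { echo "missing $RELAY_BIN" >&2; return 1; }
    [ -x "$RELAY_BIN" ] || chmod 755 "$RELAY_BIN"
}

# Validate the table, then start (or, in dry-run mode, print) each relay.
start_relays() {
    # shellcheck disable=SC2046
    ids_unique $(printf '%s\n' "$RELAYS" | awk 'NF { print $1 }') \
        || { echo "relay ids must be unique" >&2; return 1; }
    [ "$DRY_RUN" = 1 ] || ensure_executable || return 1
    printf '%s\n' "$RELAYS" | while read -r id port group extra; do
        [ -n "$id" ] || continue
        [ "$group" = - ] && group=""
        [ "$extra" = - ] && extra=""
        cmd=$(relay_cmd "$id" "$port" "$group" "$extra")
        if [ "$DRY_RUN" = 1 ]; then
            printf '%s\n' "$cmd"
        else
            $cmd > /dev/null      # word splitting intended; -f backgrounds it
        fi
    done
}

# Usage (assumed ShellCMD command): sh /root/relays.sh start
case "${1:-}" in
    start) start_relays ;;
esac
```

Run it once with DRY_RUN=1 to see the three command lines it would execute before registering it in ShellCMD; the id check is there because each instance must carry its own id, as the original post stresses.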
          • S
            shremi @baf
            last edited by

            @baf
            Can you provide an image of the firewall rules???

            I am stuck at this part... and I can't seem to get this to work

            1 Reply Last reply Reply Quote 0
            • S
              shremi
              last edited by

              Can anyone take a look at how I configured things.

              I can't get the speakers to work outside of the VLAN in the Sonos app.

              I am attaching the pictures of how I configured things:
              PIMD-GENERAL.png
              PIMD-INTERFACES.png
              PIMD-BSR.png
              PIMD-RPC.png
              PIMD-RPA.png
              PIMD-STATUS.png
              RULES IOT.png
              RULES LAN.png

              1 Reply Last reply Reply Quote 0
              • S
                Stan
                last edited by

                jimp,

                I just wanted to thank you for your efforts with PIMD. I'm able to use the Sonos app on a secure network with the speakers on a VLAN, after several years of trying on Unifi and Untangle. I'm a recent convert to pfSense, but spent a few days trying to make this work. The key action for me was to reboot pfSense after I set up PIMD.

                I had created extensive Sonos UDP and TCP pass rules following advice on multiple threads. I had enabled Avahi, all to no avail. When I rebooted, things worked. I've disabled Avahi and disabled the firewall UDP and TCP pass rules I have on the Sonos network. I seem to be relying only on PIMD.

                My settings are all default, other than bind to none on the General tab and enabling desired interfaces on the Interfaces Tab. Multiple groups are listed on the Status tab.

                I wish I had rebooted several days ago.

                blasterspikeB 1 Reply Last reply Reply Quote 1
                • blasterspikeB
                  blasterspike @Stan
                  last edited by

                  Hi @stan,
                  Thanks for reporting your experience with this.
                  I have to replicate what you have done:

                  From PIMD:
                  General - Default bind: Bind to None
                  Interfaces: I have added the 2 interfaces that should talk to each other. In my case LAN, where I have my trusted devices that can access all the other networks, and IOT, where I keep untrusted ones and their access is limited to the internet only. For each one I have only selected Interface Binding = Always bind.
                  Then you haven't added anything else in "BSR Candidates", "RP Candidates" or "RP Addresses".
                  I haven't created any firewall rule as you have suggested.

                  Unfortunately this setup is not working for me.
                  I initially set up the Sonos devices by connecting to the same WiFi network as IOT, but now when I open the Sonos App on my iOS device, I see everything grayed out and after a few seconds it tells me that there is a problem connecting to the devices.

                  I suspect that you have a different configuration somewhere than mine. Any suggestions?

                  1 Reply Last reply Reply Quote 0
                  • S
                    Stan
                    last edited by

                    Blasterspike, the setup described above worked for a while, then didn't. I've re-configured to rely only on the firewall rules. I'm not relying on PIMD anymore; in fact, I've removed it from my system. I still do have Avahi running, but that's just to enable guests to access the Sonos speakers with their own Apple Music and Spotify applications.
                    I've created two port aliases, Sonos_TCP_Ports and Sonos_UDP_Ports. The firewall rules permit traffic from the subnet with Sonos speakers to the subnets from which I want to access the speakers using those ports. I also have a rule on each of the subnets from which I want to access the speakers to the subnet with the speakers using those ports. These rules also "Allow IP options" (Advanced Options in the rule).
                    My port aliases are probably overkill, since I added whatever I found in various comments, but haven't gone to the trouble to try to whittle down the ports to see when it stops working.
                    TCP ports: 80, 443, 445, 3400:3401, 3445, 3500, 4070, 4444, 1400, 1443, 7000, 8080, 5000:5001
                    UDP ports: 136:139, 1900:1901, 2869, 10243, 10280:10284, 5353, 6969, 3722, 319:320, 32000:60000
                    If you do this and it works and if you successfully whittle down the ports, I'd be interested to know what your reduced ports are.
                    Screenshot 2021-04-29 145031.png
                    Screenshot 2021-04-29 145141.png

                    Cloudless Smart HomeC 1 Reply Last reply Reply Quote 1
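Stan asks whether anyone has whittled down those port lists. One way to find out which ports the Sonos app actually needs is to let the firewall log its blocks and then summarise the blocked proto/port pairs between the two subnets. The script below is an added example, not from the thread or from pfSense: it reads pfSense filterlog lines on stdin and prints the distinct blocked destination ports. The field positions assume the IPv4 TCP/UDP layout of pfSense's filterlog CSV, and the subnets and the log lines in sample_log are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense: summarise blocked
# traffic between the Sonos VLAN and the LAN from pfSense filterlog lines, so
# an over-wide port alias can be trimmed to the ports that are really used.
# Field positions assume the documented filterlog CSV layout for IPv4 TCP/UDP:
#   1 rule, 2 sub-rule, 3 anchor, 4 tracker, 5 iface, 6 reason, 7 action,
#   8 dir, 9 ipver, 10 tos, 11 ecn, 12 ttl, 13 id, 14 offset, 15 flags,
#   16 proto-id, 17 proto, 18 len, 19 src, 20 dst, 21 sport, 22 dport, ...
# Subnets and sample lines are constructed for this example.

SONOS_NET="${SONOS_NET:-192.168.20.}"   # assumed IoT/Sonos VLAN (prefix match)
LAN_NET="${LAN_NET:-192.168.1.}"        # assumed trusted LAN (prefix match)

# Print "proto dport" for every blocked IPv4 TCP/UDP packet that travels
# between the two subnets (either direction) or from either subnet to a
# multicast group, deduplicated and sorted. Reads filterlog lines on stdin.
blocked_ports() {
    awk -v s="$SONOS_NET" -v l="$LAN_NET" '
        /filterlog/ {
            sub(/^.*filterlog(\[[0-9]+\])?: /, "")   # drop the syslog prefix
            n = split($0, f, ",")
            if (n < 22) next
            if (f[7] != "block" || f[9] != "4") next   # action, ip-version
            if (f[17] != "tcp" && f[17] != "udp") next # protocol text
            src = f[19]; dst = f[20]
            # crude multicast test: 224.x or 239.x destinations
            mc = (index(dst, "224.") == 1 || index(dst, "239.") == 1)
            if ((index(src, s) == 1 && (index(dst, l) == 1 || mc)) ||
                (index(src, l) == 1 && (index(dst, s) == 1 || mc)))
                print f[17], f[22]                     # proto, dst port
        }' | sort -u
}

# Constructed sample log: two subnets, one pass entry, one unrelated block,
# one non-filterlog line. Only the blocked Sonos<->LAN entries should count.
sample_log() {
cat <<'EOF'
Apr 29 14:50:31 pfSense filterlog[43517]: 5,,,1000000103,igb1.20,match,block,in,4,0x0,,64,12345,0,DF,6,tcp,60,192.168.20.10,192.168.1.5,49152,1400,0,S,1234567890,,65535,,mss
Apr 29 14:50:32 pfSense filterlog[43517]: 5,,,1000000103,igb1,match,block,in,4,0x0,,64,0,0,none,17,udp,165,192.168.1.5,192.168.20.10,55000,1900,145
Apr 29 14:50:33 pfSense filterlog[43517]: 102,,,1000000105,igb1,match,pass,in,4,0x0,,255,0,0,none,17,udp,120,192.168.1.5,224.0.0.251,5353,5353,100
Apr 29 14:50:34 pfSense filterlog[43517]: 5,,,1000000103,igb1,match,block,in,4,0x0,,1,0,0,none,17,udp,160,192.168.1.5,239.255.255.250,55001,1900,140
Apr 29 14:50:35 pfSense filterlog[43517]: 5,,,1000000103,igb2,match,block,in,4,0x0,,64,4321,0,DF,6,tcp,60,10.0.0.3,192.168.1.5,40000,22,0,S,3333333333,,65535,,mss
Apr 29 14:50:36 pfSense sshd[100]: Accepted publickey for admin from 192.168.1.5 port 51000 ssh2
Apr 29 14:50:37 pfSense filterlog[43517]: 5,,,1000000103,igb1.20,match,block,in,4,0x0,,64,777,0,DF,6,tcp,60,192.168.20.11,192.168.1.7,50234,3400,0,S,2222222222,,65535,,mss
EOF
}

# Usage on a live box (assumed log path): blocked_ports < /var/log/filter.log
# With the constructed sample the result is "tcp 1400", "tcp 3400", "udp 1900".
```

Because every rule in the Sonos alias set has logging off by default, the blocks only show up once you enable logging on the default deny rule (or on a temporary block rule) for the two interfaces; ports that never appear in this summary after a few days of normal use are candidates for removal from the alias.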
                    • P
                      pajinha
                      last edited by

                      This thread is amazing and helped me get Sonos working with my VLAN's and in the process I learned a bunch of stuff.

                      For anyone still struggling with this I will give a warning of something that I am not sure anyone has referenced in the hundreds of replies.

                      Make sure that the interface the VLAN is on is also added to the "enabled" interfaces. So let's say your VLAN is igb1.70, then you must also include igb1, otherwise it won't work.

                      Hope that helps.

                      Cloudless Smart HomeC 1 Reply Last reply Reply Quote 1
                      • T
                        trumee @dennypage
                        last edited by

                        @dennypage I had to use pimd to get HEOS app working on Android. Without PIMD, the app used to hang when I used Music>AV Inputs. The input used to change, but the app used to give an error. This webpage says that multicast traffic is used for HEOS.

                        dennypageD 1 Reply Last reply Reply Quote 0
                        • dennypageD
                          dennypage @trumee
                          last edited by

                          @trumee That webpage describes UPnP support, which is not required for local network HEOS use. UPnP is generally required for opening ports to allow use/control from outside the local network (WAN).

                          Avahi provides mDNS device discovery across local segments, which is all that is necessary for HEOS discovery. It's all point to point after discovery. Unfortunately, I can't speak to why you had an issue in your specific case.

                          1 Reply Last reply Reply Quote 0
                          • Cloudless Smart HomeC
                            Cloudless Smart Home @Stan
                            last edited by

                            This post is deleted!
                            1 Reply Last reply Reply Quote 0
                            • Cloudless Smart HomeC
                              Cloudless Smart Home @pajinha
                              last edited by

                              @pajinha I don't understand your statement. All my interfaces and VLANs are enabled. Is that what you mean?

                              1 Reply Last reply Reply Quote 0
                              • stephenw10S
                                stephenw10 Netgate Administrator
                                last edited by

                                He is saying you must also enable the VLAN parent interface in PIMD. I have no way of testing that though.

                                Steve

                                Cloudless Smart HomeC 1 Reply Last reply Reply Quote 0
                                • Cloudless Smart HomeC
                                  Cloudless Smart Home @stephenw10
                                  last edited by

                                  @stephenw10 ok, now that makes sense.

                                  1 Reply Last reply Reply Quote 0
                                  • S
                                    somerino
                                    last edited by

                                    I've read almost the whole thread and now I'm unsure if the effort is worth it.
                                    Of course I like the idea of separating the clients from IoT devices.

                                    But from a security POV, is it necessary to do that?
                                    Is enabling broadcasting and multicasting over VLANs safer than just putting Sonos and clients in the same network with the right rules?

                                    1 Reply Last reply Reply Quote 0
                                    • stephenw10S
                                      stephenw10 Netgate Administrator
                                      last edited by

                                      It is safer. Is it necessary? Only you can decide that really.

                                      It's not designed to work across subnets. I would guess the vast majority of Sonos users have one subnet with servers and clients on it and don't see issues.

                                      The question is: if some firmware update suddenly added all your smart speakers to a botnet, what other things on your network would that expose? And what sort of risk is that?

                                      Steve

                                      S 1 Reply Last reply Reply Quote 1
                                      • S
                                        somerino @stephenw10
                                        last edited by somerino

                                        @stephenw10
                                        Thanks Steve for the reply.

                                        I'm a little bit overwhelmed by the thread itself. I don't know which solution works. Whether it's PIMD, Avahi or the UDP relay.
                                        I think the relay looks promising, but isn't in the package manager yet: https://redmine.pfsense.org/issues/10818 Will this be a thing?

                                        @stephenw10 said in Sonos speakers and applications on different subnets (VLAN's):

                                        Only you can decide that really

                                        For myself, I'd be thrilled to work this out somehow. But sadly my company network has way bigger security holes to close :( I'll come back to this thread when I have time!

                                        EDIT: I tried it with IGMP-Proxy, doesn't work 🍕

                                        1 Reply Last reply Reply Quote 0
                                        • QinnQ
                                          Qinn
                                          last edited by

                                          I can only speak for myself and I don't like IoT devices that are closed source, be it cams, Sonos, smart power plugs etc. I have no idea whatsoever what they (can) do and how well their operating system is maintained. As an example I have a video door cam that has a telnet service running, no idea why this should be and why telnet is chosen and not SSH.

                                          It's like your home, some use a burglar alarm system, others only have a lock, so each to his own ;)

                                          Hardware: Intel(R) Celeron(R) J4125 CPU @ 2.00GHz 102 GB mSATA SSD (ZFS)
                                          Firmware: Latest-stable-pfSense CE (amd64)
                                          Packages: pfBlockerNG devel-beta (beta tester) - Avahi - Notes - Ntopng - PIMD/udpbroadcastrelay - Service Watchdog - System Patches

                                          S 1 Reply Last reply Reply Quote 2
                                          • S
                                            somerino @Qinn
                                            last edited by

                                            @qinn

                                            I totally agree. To be honest, I wish I could trust some companies to do their homework. I can't and don't want to control everything by myself.

                                            1 Reply Last reply Reply Quote 0
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.