Sonos speakers and applications on different subnets (VLAN's)
-
@edz said in Sonos speakers and applications on different subnets (VLAN's):
@jimp said in Sonos speakers and applications on different subnets (VLAN's):
Captive Portal would be my top suspect, followed by floating rules.
Hmm, I don't have Captive Portal enabled on pfSense, I'll check floating rules but I am seeing IGMP traffic coming in on my Sonos VLAN. I am receiving this error on 2 VLANs, one with hard wired Sonos speakers and the other on my WLAN VLAN. I'll check if Unifi is blocking any multicast traffic on WLAN, but I'm sure I turned this off previously as it caught me out when I setup Avahi.
The error you showed would be outgoing traffic blocked, not incoming. So you may see it enter that interface, but something is preventing pimd from transmitting. And the error suggests it's firewall-related, which means things like Captive Portal or floating rules. All traffic is allowed outbound by default so it must be something that's been configured on there.
-
Firewall rules you have made to pass multicast are UDP.. right?
-
@jimp said in Sonos speakers and applications on different subnets (VLAN's):
The error you showed would be outgoing traffic blocked, not incoming. So you may see it enter that interface, but something is preventing pimd from transmitting. And the error suggests it's firewall-related, which means things like Captive Portal or floating rules. All traffic is allowed outbound by default so it must be something that's been configured on there.
@chpalmer yes I am certain UDP was allowed on all interfaces.
Anyway...I took the brute force method - started from a fresh install and went back to 2.4.4. Followed the screenshots above and IT WORKED! Now running 2.4.5 RC and things are working great, thank you all :) -
As I had promised in an earlier post, I would like to share my experience using pimd pkg v0.0.2 configured with the same values as the manual installation. After spending hours selectively deleting and playing with these settings, I have come to a few modest conclusions. It should go without saying that your experience might not be the same due to your setup. My setup is relatively simple, I have my wired desktop clients, WiFi AP clients and Sonos devices each on separate interfaces and subnets. These are physical interfaces and not VLANs.
The "Tree Switch Threshold" settings which had been previously configured as "Threhold Type>Packets" and "SPT Interval>100" do not seem to be necessary. I went back to the default settings without any impact.
The BSR (Boot Strap Router) Candidates and RP (Rendezvous Point) Candidates settings, however, appear to both be critical. As a matter of fact, the Rendezvous Point address is actually listed in the status report under "RP Address" . A Rendezvous Point address does not appear to be selected without also setting the BSR Candidates values.
I did play around with changing the interface on these two settings. The description on both state "When set to "default", the feature is enabled without a specific interface, which will default to the highest available IP address." In my case, the highest interface address is the interface dedicated to my Sonos devices. I tried changing it to my LAN interface but it did not seem to make any difference. It still seemed to work. Although, it doesn't seem to impact my set-up I would be very interested in learning under what conditions one would chose one interface vs another. It might make a difference for someone else.
A question for @jimp . Should there be default settings for BSR Candidates and RP Candidates? There appears to be for the manual installation.
As all of this is completely new to me, I have made an attempt to educate myself as to exactly what these settings mean. Unfortunately, this stuff is way over may head and gets complicated quick . To quote @johnpoz "...routing multicast is pretty high level networking shit... " I would certainly agree. Maybe one of the fine members of this forum would be willing to offer us newbies a primer on this topic?
For those Sonos owners who are using Spotify, you no doubt have come to enjoy the ability to route your listening to a variety of devices including Sonos. Spotify calls this Spotify Connect. As a matter a fact, I generally access my Sonos devices when I am listening to Spotify via the Spotify app and not the Sonos controller app. What I have discovered is that (with my set up), Avahi is necessary for this to work across subnets. It does not work with pimd alone. Whether pimd is even needed I am a bit uncertain. I have not done extensive testing, but I have turned off pimd and Spotify Connect still discovers my Sonos system. My Sonos controller stops working but the Spotify App still works. I have tested this using the Spotify iOS app and both Linux and macOS desktop apps.
-
@wanabe said in Sonos speakers and applications on different subnets (VLAN's):
A question for @jimp . Should there be default settings for BSR Candidates and RP Candidates? There appears to be for the manual installation.
It's something we can consider. I didn't put anything in by default because originally the suggested configs earlier in this thread for pimd only mentioned enabling/disabling interfaces and nothing about BSR/RP/etc.
If I did make a change like that it would only affect brand new installs and not upgrades.
-
Thanks for all the good information here in this thread. Because of it I have a mostly working setup, however I don't know of anyone here can help me with the last pieces of my setup because I am using HEOS rather than SONOS. The Denon AVR app works across vlans but the HEOS app has a curious behavior. Each time I launch the app the first input that I provide the app gets executed but the UI doesn't update and it doesn't respond to further commands. I'd appreciate a little help on how to narrow down what configuration issue I may be having.
-
Hi @xeroiv , Sorry, I don't have a Heos Speaker to test this out for you, but suspect HEOS may have different ports that it is using?
Are you able to share your firewall rules on how you got the Denon AVR app to work across VLAN's?
@All - Thanks for sharing all your inputs thus far. However, I have only had limited success following inputs from this thread :
- Ability to manage my Sonos using the the Sonos Controller app on my LAN
- Unable to Airplay to Sonos devices from outside of the VLAN
- Lock screen controls on iOS don't work, but I suspect this is a Sonos App limitation, rather than anything to do with the firewall rules.
-
Hi all,
checking back in after 6 months or so. i see a lot of progress has been made and that now pimd is an official package. previously i couldnt get this to work but that would have been at least partly to my incomplete understanding of firewall rule requirements. currently i have enabled pimd on pfsense 2.4.5 and disabled WAN and OpenVPN interfaces. Leaving it binding to LAN, IOTVLAN and Guest Wifi. Currently i have firewall rules allowing everything (inluding ip options) from LAN to IOTVLAN (where the SONOS speakers reside) and Guestwifi and IOTVLAN. I plan to tighten these once PIMD is confirmed as working.
I also configured BSR and RP candidates as suggested on this page, priority 5 and 20 respectively.
But still no connection between a controller on LAN and the speakers on VLAN. Any suggestions on anything i can look at?
Really appreciate the work done so far and hopefully i can get the final bit over the line now!
Cheers!
-
just a note to confirm that shortly after posting the above i got it working. PIMD settings, Bind to All, disable on WAN and OpenVPN, nothing else. Set Sonos speakers to a fixed ip on the SONOS VLAN and i'm required to disable and re-enable wifi after opening the SONOS app. Other than that all good. Next step to tighten up the firewall rules. Thanks for implementing PIMD!
-
This was a slight pain to get going, so I figured I'd post my whole experience, since some folks seem to be hit or miss with it. I set up PIMD with Tree Switch Threshold type of packets, value of 0, interval of 100, I added a default BSR candidate with priority 5, and a default RP candidate with priority of 20. I'm not sure if these settings were necessary or not, as they didn't fix my issue.
The most important part for me was tuning in my firewall rules.
From the VLAN my Sonos devices are in (IoT vlan, so it's pretty locked down from local devices):
- I was already allowing UDP from IoT network to 224.0.0.251:5353 (for MDNS), with advanced: allow ip options
- Allow UDP from IoT network to 239.255.255.250:1900 (for SSDP), with advanced: allow ip options
- Allow TCP from Sonos (I created an alias to list out the devices) to my LAN VLAN on ports 3401 (iOS) and 3500 (Android). This was the important piece in getting the app to actually work.
- I also have another copy of the 3401/3500 rule allowing traffic to my guest VLAN as well.
My LAN VLAN is wide open, so no further configuration necessary there.
My guest VLAN is also locked down and disallowed from local services. The applicable firewall rules I have there are:
- Allow MDNS and SSDP (same as above)
- I had already configured port forwarding as necessary to allow AirPlay to my AirPlay devices (and included the Sonos devices in that list). I'm allowing TCP 80, 443, 554, 3689, 5000, 5297:5298, 7000:7100, and 49152:65535 as well as UDP 319:320, 554, 5298, 5350:5351, 7000:7100, and 49152:65535. I may try to tighten these up at some point.
- Additionally, to get airplay to work for guest devices to Sonos, I had to punch a hole allowing TCP 32000:49152 from the guest network towards the Sonos devices. For whatever reason, they start using random ports from 32000 for AirPlay versus my Apple devices that start at 49152.
I seem to have full access from the iOS Sonos app on my primary LAN and guest VLANs, as well as being able to AirPlay to the speaker as well.
Hopefully this helps someone. I saw a lot of discussion about PIMD settings, not sure how important those were as nothing worked until I started digging more and found out I need to allow Sonos to communicate back to the device running the app (https://felix-kling.de/blog/2019/sonos-dedicated-vlan.html).
-
Hi guys,
first off - I successfully run a setup where..
- the (Android) controller is in a "Trusted"-VLAN
- the SONOS speakers are in a "IoT"-VLAN
..by just adding a single, simple firewall-rule that allows "IoT" to communicate with "Trusted" over TCP/3500. "Trusted" can be considered as a standard "LAN" (so no specific rules).
No Avahi, no IGMP proxy, no pimd are utilized.
What I want to achieve:
I have a running openHAB installation in "LAN" and want to include my Sonos speakers with a specific binding, that uses device discovery via uPnP.What doesn't work:
As everything is working with the Android controller, but not with openHAB I now installed Avahi and pimd (as I learned that pimd doesn't replace Avahi) and configured everything as described in this thread. In pimd's status tab I can see various entries in the Multicast Routing Table, also in regards to my Sonos speakers - but only if I put an RP Address as mentioned earlier here.pfSense - 2.5.0-DEVELOPMENT
Avahi - 2.1_1
pimd - 0.0.2My questions:
- Do I really need to put two RP Addresses for each Sonos speaker (one for Unicast and one for Multicast)?
- As openHAB still doesn't find the speakers, is there any other way to "forward" that uPnP discovery from "LAN" to "IoT"?
Many thanks!
-
@Qinn said in Sonos speakers and applications on different subnets (VLAN's):
I have been looking for a solution to have Sonos speakers and applications work across VLAN's using pfSense…
I tried it, and it doesn’t work for me. I am wondering, whether you see anything wrong with this picture:
-
Why is it that I can only get this working when I open up ports 10284 all the way until 59999 from my Sonos VLAN to regular LAN?
I have all the regular Sonos ports open as well but without that massive range above, I cannot access my Sonos devices...
The only reason I thought to open those is because I noticed activity on those ports when using packet capture in my pfsense router and trying to connect to my Sonos devices.
What are these ports being used for and why do they seem to change each time I open the Sonos app on OSX and try to connect?!
Thanks in advance for your help and for all the great info in this thread.
-Andrew
-
That seems very unlikely. Are you sure you're not lookung at source ports from the LAN? Reply packets going back to them?
Steve
-
The package worked out for me also. In my case it facilitates the multicasting of my Onkyo Receiver over different VLANS, so I can use the Onkyo Remote app.
I have a "router-on-stick" set-up with a layer-3 switch. I wonder if and in which case it would be better to utilize the switch for multicasting. -
Does this work with the new Sonos S2 system?
I'm trying these settings without much success. Can anyone confirm that the new SONOS S2 software still works with these settings/ports/etc?
[Edit: Renamed 2.0 to S2]
-
OK. Wow!
Something I've wanted to be able to do for, what seems like, 5 years. Control Sonos across VLANs! Success!
But holy heck, do I need a LOT of ports open. I'd been looking at the ports that were required (Thanks @vacquah & @denix) and added them to to port alias lists. I made a UDP and TCP alias list and created two firewall rules, with allow options enabled. No dice.
I had to enable all of these ports to get it to work:
TCP: 80, 443,445,3400,3401,3445,3500,4070,4444,1400,1443,7000,8080,5000:5001,32000:49999
UDP: 136:139,1900,1901,2869,10243,10280:10284,5353,6969,3722,319:320You'll note these ports are familiar, but I discovered that reading https://felix-kling.de/blog/2019/sonos-dedicated-vlan.html said that you needed port 1400 & 1443, and it partially worked but I couldn't group speakers.
I then found this article when someone was trying to get their Unifi setup working, and discovered the additional ports to add (I've bolded them above).
Taken from the above link:
Sonos Control (Ports): 1400 and 4444
Sonos TCP (Ports): 445, 3401, 3445, 3500, 4070, 4444, 1400, 1443, 7000, 8080, 5000, 5001, 32000-49999
Sonos UDP (Ports): 136-139, 1900, 1901, 2869, 10243, 10280-10284, 5353, 6969, 3722, 319, 320Suddenly everything seems to work. At this point, I'm hoping to trim this down with this many ports open, is it really worth it to even try and firewall them?
However, I agree with @vacquah's comment:
I'd like to clean up that list of sonos ports. I think some of them are intended for outbound to sonos servers and some jsut for the internal lan. No need to open all those ports to my internal lan devices. So, id like to identify which ones are outbound and which ones are for the devices on the lan only.
PIMD is used across both of these VLANs. I forsee a lot of trial and error to whittle this list down.
-
This post is deleted! -
This post is deleted! -
I also finally looked into doing this after years of seeing people struggle with making it work. A friend did it and got most of the functionality by using Avahi alone, so that gave me the push I needed.
I have 9 Sonos devices, 4 of which are seen as 1 by the app (soundbar with sub and rears). I am running S2. I have Android, iOS and a Harmony that control the speakers. I use Spotify Connect. I have the Sonos on their own separate VLAN and my controllers on a trusted LAN.
With Avahi and some Firewall rules, I got my Android and iOS apps to control the devices. I ran into issues moving the Speakers to the SSID of the new isolated VLAN for them, but that's a different story. (Sonos speakers REALLY like to hang on to their DHCP leases unless you power cycle them).
The Sonos Controllers and Spotify Connect work great. I used a basic port list from Sonos originally and then went through the firewall logs to add any missing ones. The first I found were 1400 and 1443 that were not mentioned elsewhere and made a huge difference once allowed.
The one thing I did notice was the use of high UDP ports. The speakers kept trying to reach the iOS and Harmony controllers using random high UDP ports. I found that the devices on the trusted LAN were sending UPnP requests with the same high UDP ports that the speakers were responding to. So, for example, the Harmony IP was requesting port 58748 and then the speakers were trying to reach it on that same port. iOS app behavior was similar, but different high UDP port. I was seeing these in the Firewall logs as part of the default deny on the Sonos VLAN. I didn't want to open my rules to allow the large UDP range that would allow this to work.
I then realized that my soundbar was still hardwired, something I did to move the speakers over to the new SSID. With the soundbar hardwired, the SonosNET wireless network had become active, and the traffic was behaving like above on the iOS controller. Once I removed the ethernet cable from the soundbar, the iOS app stopped trying to connect using the random high ports and now uses 1400 and 1443 directly to the Speaker IPs it knows. So, something to keep in mind for those needing the high ports @BCinBC
The Harmony hub is still trying to do this UPnP method, and I haven't tried enabling UPnP in such a way that would only allow it between the VLANs (is that even possible). Would be nice to enable the high UDP port based on incoming packets and then remove after a certain amount of time.
The one issue I still have, and something that is probably not worth the hassle, is setting up a controller app for the first time from the trusted VLAN. This is now just going to be a side project since I can easily join the Sonos SSID and make it work.
To see if I could fix this, I installed PIMD and I can see my Trusted LAN devices in the table, and some speakers. I added all the static Sonos DHCP reservations as RP Addresses, but didn't add anything to BSR or RP Candidates. The functionality of my apps seems to be the same, so I am not sure what PIMD is doing for me here. I see Multicast traffic traversing the VLANs, join messages and all. So it's helping the Speakers and controllers communicate, but not helping with initial app setup.
Has anyone been able to get a new controller app (Android in my case) to connect to an existing Sonos system that is in a separate VLAN? Or does everyone just usually connect to that VLAN with the device running the controller, set it up, and then move back to the trusted VLAN?