Netgate Discussion Forum

PIMD configuration help

pfSense Packages
17 Posts 4 Posters 7.2k Views
    Stan
    last edited by Dec 26, 2020, 1:59 AM

    Girkers, thanks for your continuing support. I hope you're having a happy Christmas Day. My day is made happier because Sonos is working across networks again. I decided to take a look at my Unifi networks and access points. I made sure that the access points had Multicast Enhancement turned on and that the relevant networks had IGMP Snooping turned on. I made one change, and I can't remember for sure what it was, but it might have been Multicast Enhancement on one of the access points. It's now working with Avahi. So I wanted to leave this information available to anyone who stumbles across this post.
    I plan to disable the new firewall rules one-by-one to see what breaks it, so I may be back. But I now feel more confident that I can recover if I break something.

      Stan
      last edited by Dec 26, 2020, 6:00 AM

      Spoke too soon. It quit working before I had a chance to make any configuration changes. Fickle.

        tman222 @Stan
        last edited by Dec 26, 2020, 9:11 PM

        @stan said in PIMD configuration help:

        Spoke too soon. It quit working before I had a chance to make any configuration changes. Fickle.

        I would also recommend giving udpbroadcastrelay a try, it's fairly straightforward to setup (less complexity than PIMD). I don't think Sonos will work with just Avahi. Hope this helps.

          Stan
          last edited by Dec 27, 2020, 9:00 PM

          Girkers and tman222, thanks again for your help and suggestions. I was about to go down the "udpbroadcastrelay" route when I decided to reboot pfSense. Rebooting was the important step that I neglected to do before.

          For anyone interested in the details, I have a lot of ports open from my Sonos net to my secure net. See https://forum.netgate.com/topic/139218/sonos-speakers-and-applications-on-different-subnets-vlan-s/176. Check June 21, 2020 from BCinBC. I plan to begin closing ports to see how far I can get before breaking the solution.

          I'm using PIMD: General tab, bind to all and everything else default; Interfaces tab, disable unwanted nets; BSR Candidates, default priority 5; RP Candidates, default priority 20; RP Addresses, none. Seven groups active in Status.

          I'll probably change the General tab to bind to none and enable desired interfaces. Also, I added the 5 and 20 priorities during my lengthy journeys, but I'll probably delete them. Avahi is enabled, but I doubt that it's providing any benefit. I may try disabling it.

          Final (I hope) word. After setting up PIMD, remember to reboot pfSense.

            Stan
            last edited by Dec 27, 2020, 9:30 PM

            Final addendum: I made the changes suggested above, i.e., changed PIMD General tab to bind to none and on Interfaces tab enabled desired nets, and removed priorities from BSR Candidates and RP Candidates tabs. In addition, I disabled my firewall rules for the Sonos TCP and UDP ports.

            The Sonos app still works, even after closing it in iOS and re-opening it. (Not sure I'd have the same result for a new installation of the Sonos app.)

            I also disabled Avahi. So I seem to be relying only on PIMD.

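A pimd.conf fragment that corresponds to the settings Stan describes in the two posts above (General tab bound to none, only the wanted interfaces enabled, BSR and RP candidates left at their defaults, no static RP addresses). It is an added illustration, not Stan's configuration and not the file the pfSense PIMD package generates; on pfSense you set these values in the package GUI rather than editing the file. The interface names, VLAN numbering and the WAN/OpenVPN interface names are assumptions.

```conf
# pimd.conf - added example, not Stan's actual configuration.
# Assumed interface names: igb0 = WAN, igb1.10 = Data VLAN,
# igb1.20 = Sonos VLAN, igb1.30 = Guest VLAN, ovpnc1 = OpenVPN client.

# "Bind to: none" on the General tab, then enable only the wanted
# interfaces on the Interfaces tab. pimd speaks PIM and forwards
# multicast only on interfaces enabled here, so anything that must not
# see multicast (WAN, the VPN tunnel) is disabled explicitly.
phyint igb0    disable
phyint ovpnc1  disable
phyint igb1.10 enable
phyint igb1.20 enable
phyint igb1.30 enable

# Candidate BSR / RP on the router itself. pimd's built-in defaults are
# priority 5 for the BSR candidate and priority 20 for the RP candidate,
# so removing the explicit "5" and "20" changes nothing.
bsr-candidate
rp-candidate

# Groups this RP candidate advertises: the whole administratively
# routable multicast range. SSDP (239.255.255.250) lives here and is
# forwarded between VLANs by PIM. mDNS (224.0.0.251) is in the
# link-local 224.0.0.0/24 block, which PIM never forwards; that is why
# a reflector such as Avahi is a separate tool from pimd.
group-prefix 224.0.0.0 masklen 4

# No static rp-address lines: let the BSR election pick the RP.
```

With this in place, pimd's status page should list the active groups per enabled interface; an interface missing from the Interfaces tab will never show a group no matter what the firewall rules allow.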
              iHaveAstream @Stan
              last edited by Aug 9, 2021, 7:37 PM

              @stan

              I'd like to make UPnP work across (two) VLANs and found this thread.
              Basically there is my NAS in VLAN20 on which Twonky Server runs as a mediaserver.
              In VLAN40 there is BubbleUPnP Server and some UPnP clients. Servers/Clients across those VLANs can basically "see" each other.
              VLANs are not managed on pfSense but my Switch (if this might be important?).

              Currently I can only "see" the clients (Media Renderers) in BubbleUPnP Server, so those in same VLAN, but not my NAS which is the Media Server (via Twonky) and this is what I'd like to see here as well. I think PIMD would be the right tool to achieve this.

              I've already installed current PIMD package on my pfSense 2.5.2 but I'm not sure about its correct config and I'm also not sure which FW rules to set manually (I'm not using "any allow" under LAN rules).

              If you could help me a bit, I'd be more than happy.

              Cheers!

                Stan
                last edited by Aug 9, 2021, 8:34 PM

                @iHaveAstream
                I try to avoid UPnP, since it may open ports from the WAN on my firewall. Because of that, I'm not familiar with using UPnP to accomplish connectivity between subnets. Regarding PIMD, I just use the default settings.
                Your post prompts me to update my "final addendum", because I had some new issues to resolve. I'm not sure if what I say there will help your situation. I'll post later today.

                  Stan
                  last edited by Aug 9, 2021, 9:32 PM

                  In a "final" final addendum, I thought I'd add some further observations, in order to address issues encountered since my final addendum.

                  As others have said, I think the problems and solutions are very dependent on the hardware and software being used, so here is my setup:

                  I'm using Unifi switches and Access Points, and running pfSense directly on Protectli hardware. I have a Sonos "Boost". There is an ethernet connection to the Boost, and all the 14 speakers are connected wirelessly through the Boost.

                  I have several VLANs, but the relevant ones are Data, Sonos, and Guests. Data is where my computers and iOS devices live. Sonos is where the Sonos Boost and speakers are. Guest is for my guest network, which is available only through the wireless access points.

                  My objective is to access the speakers from a Sonos Controller on the Data or Guest networks. That was working on the Data network, until I decided to add a VPN to my pfSense router. I was still able to connect the Sonos app with the speakers, but not instantly and the connection would frequently drop after a while.

                  Before addressing router settings, I'll mention Unifi settings. First, make sure that the relevant wireless networks (on Unifi APs) are set up as follows:
                  At “Multicast and Broadcast Filtering”, uncheck the box “Block LAN to WLAN Multicast and Broadcast Data”.
                  At “Multicast Enhancement”, check the box “Enable multicast enhancement (IGMPv3)”.
                  Guest Network: If access is from a guest network, make sure the Guest Access Control isn’t restricting the IP addresses that are needed (see below). On Unifi, the Post-Authorization Restrictions seem to override the Pre-Authorization Access. Delete the default Post-Authorization Restrictions (RFC 1918) and use pfSense for those restrictions. Although I haven't tested whether it's necessary, I added my Sonos System to the Pre-Authorization access (as well as my Printer network).

                  Using pfSense, I’m running PIMD. The PIMD settings don’t seem to make much difference. Defaults are OK. That had been working until (I think) I installed an OpenVPN client on the firewall for a subset of the Data network and all of the Guest network.

                  @baf on a different thread "https://forum.netgate.com/topic/139218/sonos-speakers-and-applications-on-different-subnets-vlan-s/169" provided a key. Thanks @baf.

                  The resulting rule for OpenVPN presumably prevented transmission to 224.0.0.0/24 (MDNS) and 239.255.255.250:1900 (SSDP), since it directs everything that gets to the rule to the OpenVPN address and effectively blocks internal traffic. (This behavior is different from a rule which uses the default WAN address under advanced settings, which doesn’t block internal traffic.)

                  The Sonos speakers are grouped under an alias named Sonos System. I had previously added rules for Sonos TCP and UDP ports from the Sonos System, to pass traffic with those ports to Data and Guest, and on the Guest network, to pass traffic to the Sonos System. The Data network is open, except for the OpenVPN rule.

                  To make the Sonos app work on the Data and Guest networks, I added additional pass rules to the Data, Sonos and Guest networks to pass traffic to 224.0.0.0/24 (IGMP) and to 239.255.255.250:1900 (UDP). These addresses are presumably blocked by the rule directing traffic to the OpenVPN client. (224.0.0.251:5353 (UDP) did not work. The Sonos app opened, but it soon lost connection.)

                  I had added VPN to the Sonos VLAN because I would use iOS devices there. But my plan now is to remove VPN from Sonos, and so the additional rules in the previous paragraph may not be needed there. (I assume my rule on RFC 1918 private addresses will not block the addresses passed by those rules.)

                  I hope this will be of use to someone.

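The rule-ordering problem Stan describes in the post above (a policy-routing rule that sends "everything" from the Data network into the OpenVPN tunnel also swallows the multicast destinations) is easiest to see in pf syntax. The fragment below is an added illustration, not rules generated by Stan's pfSense box: the interface names, subnets, alias contents and the tunnel gateway are assumptions. On pfSense the same thing is expressed as GUI rules on the Data interface placed above the gateway rule, because pfSense rules are evaluated top-down as "quick" rules.

```conf
# Added example in pf.conf syntax; not rules from the original thread.
# Assumptions: igb1.10 = Data VLAN interface, 10.0.10.0/24 = Data network,
# igb1.20 = Sonos VLAN interface, ovpnc1 / 10.8.0.1 = OpenVPN client
# interface and its gateway, Sonos_System = alias of the speakers
# (addresses constructed for the example), private = RFC 1918 space.

table <private>      { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
table <Sonos_System> { 10.0.20.10, 10.0.20.11 }

# 1. Local and multicast traffic must match BEFORE the policy-route rule.
#    IGMP packets carry the Router Alert IP option, so this rule needs
#    allow-opts ("Allow IP options" in the pfSense GUI) or pf drops them.
pass in quick on igb1.10 inet proto igmp from 10.0.10.0/24 to 224.0.0.0/24 allow-opts
#    SSDP discovery, which the Sonos app uses to find the speakers.
pass in quick on igb1.10 inet proto udp from 10.0.10.0/24 to 239.255.255.250 port 1900
#    Everything else bound for private address space stays off the tunnel.
pass in quick on igb1.10 inet from 10.0.10.0/24 to <private>

# 2. Only now the catch-all that forces the rest into the VPN.
#    Without the rules above, this route-to would also claim packets to
#    239.255.255.250 and 224.0.0.0/24, and they would never reach pimd.
pass in quick on igb1.10 route-to (ovpnc1 10.8.0.1) inet from 10.0.10.0/24 to any

# Return direction: the speakers answering toward the Data network enter
# on the Sonos VLAN interface, so that interface needs its own pass rule.
pass in quick on igb1.20 inet proto { tcp udp } from <Sonos_System> to 10.0.10.0/24
```

A quick check after changing the order: the state table should show the SSDP packets leaving on the Sonos VLAN interface rather than on the tunnel interface; if they still show up with the tunnel gateway, the multicast rule is still sitting below the route-to rule.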
                    Stan
                    last edited by Aug 9, 2021, 9:50 PM

                    @iHaveAstream
                    Some further thoughts about your situation. Using a switch to create VLANs and UPnP for connectivity has a certain attraction as being elegantly simple. However, if you're already running pfSense, I think you would have more effective control and fewer problems by adding the VLANs to pfSense, using firewall rules to accomplish your goals, and disabling UPnP. That would also avoid security issues associated with UPnP.

                      Stan
                      last edited by Aug 9, 2021, 10:05 PM

                      In reviewing my posts above, specifically the 12/27/20 final addendum, I need to add a correction. I am again using multiple UDP and TCP ports. While it was working at the time, it later stopped working. Maybe there were some "states" that stayed open for a while. Here are the ports I'm using (defined as aliases):
                      TCP:
                      80
                      443
                      445
                      3400:3401
                      3445
                      3500
                      4070
                      4444
                      1400
                      1443
                      7000
                      8080
                      5000:5001

                      For the Guest network, I also use TCP 32000:49152, to enable Airplay.

                      UDP:
                      136:139
                      1900:1901
                      2869
                      10243
                      10280:10284
                      5353
                      6969
                      3722
                      319:320
                      49152:65535

                      Also, I am running Avahi, which enables guest access to the Sonos speakers from the Spotify app.

                      I'm sure the number of ports is overkill, but I haven't gone through the process of reducing ports to see what breaks.

                        iHaveAstream @Stan
                        last edited by Aug 11, 2021, 8:08 PM

                        @stan said in PIMD configuration help:

                        @iHaveAstream
                        Some further thoughts about your situation. Using a switch to create VLANs and UPnP for connectivity has a certain attraction as being elegantly simple. However, if you're already running pfSense, I think you would have more effective control and fewer problems by adding the VLANs to pfSense, using firewall rules to accomplish your goals, and disabling UPnP. That would also avoid security issues associated with UPnP.

                        Thanks for your detailed replies. I'm going to go through it soon.

                        The reason why I decided to manage VLANs on L2 is because when done so on pfSense, there is the limit of 1 GB/s which is the bandwidth limit of the physical LAN port of the NIC...

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.