Netgate Discussion Forum

    SOLVED: SONOS across multiple VLANS

    L2/Switching/VLANs
    CharlesT

      Here's the simple walk through. Hope it helps.
      Also, if anyone sees something insecure in this solution please chip in!

      Problem

      I think my case is pretty typical:

      • I have multiple SSIDs each on their own subnet.
      • I have some Sonos speakers on an "IOT subnet".
      • My main personal devices are connected to a "Secure subnet" that has firewall rules allowing it to reach this IOT subnet (but not the other way around).
      • I'm fully able to ping the Sonos speakers from my devices on the main subnet. However, the speakers never show up in the list of available speakers to airplay to when I'm connected to the "Secure subnet". If I switch wifi and connect one of my computers to the "IOT subnet", then they show up as available speakers. But I do not want my computers connecting directly to the IOT subnet, nor do I want to spend my time switching wifi networks when I want to airplay something.

      Solution

      Step 1: Enable Multicast Traffic

      1. Enable IGMP Proxy on pfSense:

      • Go to Services > IGMP Proxy.
      • Click Add under “IGMP Proxy”.
      • Set the following:
        • Interface: Choose your “IOT subnet” interface.
        • Type: Set to “Upstream”.
        • Networks: Add the subnet range for the IOT subnet (e.g., 192.168.20.0/24).
      • Add another entry:
        • Interface: Choose your “Secure subnet” interface.
        • Type: Set to “Downstream”.
        • Networks: Add the subnet range for the Secure subnet (e.g., 192.168.10.0/24).

      (Screenshot: 2024-06-27 at 18.40.36.png)

      2. Enable Avahi Daemon (mDNS Repeater) on pfSense:

      • Go to Services > Avahi.
      • Check the box to Enable the mDNS repeater.
      • Under Interfaces, select both your “Secure subnet” and “IOT subnet” interfaces.
      • Save the configuration.

      (Screenshot: 2024-06-27 at 18.40.57.png)

      Step 2: Configure Firewall Rules

      1. Allow Multicast Traffic on the Secure Subnet:

      • Go to Firewall > Rules.
      • Select your “Secure subnet” interface.
      • Click Add to create a new rule.
      • Set the following:
        • Action: Pass
        • Interface: Your “Secure subnet” interface.
        • Protocol: UDP
        • Source: Any
        • Destination: Network
        • Destination Address: Your “IOT subnet” (e.g., 192.168.20.0/24)
        • Destination Port Range: 5353 (both from and to)
      • Save and apply the rule.

      (Screenshot: 2024-06-27 at 13.54.39.png)

      2. Allow Multicast Traffic on the IOT Subnet:

      • Select your “IOT subnet” interface.
      • Click Add to create a new rule.
      • Set the following:
        • Action: Pass
        • Interface: Your “IOT subnet” interface.
        • Protocol: UDP
        • Source: Any
        • Destination: Network
        • Destination Address: Your “Secure subnet” (e.g., 192.168.10.0/24)
        • Destination Port Range: 5353 (both from and to)
      • Save and apply the rule.

      Step 3: Restart The Services

      • This should do it.
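      Added example, not code from the thread or from pfSense: the wire-level pieces of the mDNS exchange that the Avahi repeater has to carry across the two interfaces on UDP 5353, a PTR query for _airplay._tcp.local and a parser for the PTR answers that come back, with a constructed reply (the speaker name "Living Room" is made up) standing in for a capture. Sending the query live needs a UDP socket joined to 224.0.0.251 on port 5353 from the Secure subnet; if the speakers' instance names come back there, the repeater and the 5353 rules above are doing their job.

```python
import struct

def encode_name(name):
    """Encode a DNS name such as '_airplay._tcp.local' into wire-format labels."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def build_ptr_query(service):
    """Build an mDNS PTR query (ID 0, flags 0, one question, QTYPE PTR, QCLASS IN) for a service type."""
    return struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0) + encode_name(service) + struct.pack("!HH", 12, 1)

def decode_name(msg, off):
    """Decode a (possibly compressed) name at offset off; return (name, offset after it)."""
    labels, resume = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # compression pointer: remember where the caller resumes
            resume = resume or off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (resume or off)

def parse_ptr_answers(msg):
    """Return the instance names carried in PTR answer records of an mDNS response."""
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qdcount):  # skip the echoed question section (name + type + class)
        off = decode_name(msg, off)[1] + 4
    found = []
    for _ in range(ancount):
        off = decode_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 12:  # PTR record: RDATA is the service instance name
            found.append(decode_name(msg, off)[0])
        off += rdlen
    return found

def sample_response():
    """Constructed sample (not a capture): a reply advertising one AirPlay speaker."""
    question = encode_name("_airplay._tcp.local") + struct.pack("!HH", 12, 1)
    header = struct.pack("!HHHHHH", 0, 0x8400, 1, 1, 0, 0)  # QR+AA, 1 question, 1 answer
    ptr_to_q = b"\xC0\x0C"  # compression pointer back to the service name at offset 12
    rdata = b"\x0bLiving Room" + ptr_to_q  # "Living Room" + "._airplay._tcp.local"
    answer = ptr_to_q + struct.pack("!HHIH", 12, 1, 4500, len(rdata)) + rdata
    return header + question + answer
```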
      keyser (Rebel Alliance) @CharlesT

        @CharlesT Excellent writeup, and very, very good that you took the time to relay this information to the forum after you found a solution.

        NB: I think you mistakenly switched upstream and downstream in your text - at least you have IOT as downstream and SECURE as upstream in the screendump.

        Love the no fuss of using the official appliances :-)

        CharlesT @keyser

          @keyser good eye! You're right. I've tried both configurations and both seem to work. However, pfSense states that you can only set one upstream interface whereas you can set multiple downstream ones. Hence, if you want to be able to reach the Sonos speakers from a third subnet you would need to make the IOT subnet the upstream interface.

          I'm unsure why switching them around seems to have no effect. Maybe someone who knows can comment.

          (Screenshot: 2024-06-27 at 13.16.26.png)

          sensewolf @CharlesT

            @CharlesT Thank you very much for this!

            ne_idet

              @CharlesT Thank you for the walkthrough! One day the connection between my Arc and my phone in two VLANs stopped working, and your setup worked partially for me. The Sonos app on the iPhone works fine and sees the Arc, but the app on my Android phone still can't seem to find it. Would you have any idea why? And I'm curious where you found out about port 5353? Thanks in advance.

              jonna99

                Same here. Works fine with Apple and Windows but not Android. No connection with Android phones, which would be nice. Any ideas?

                Thanks,
                Jonna

                zombat @jonna99

                  @jonna99 Same here. Used to work flawlessly, but stopped working recently.

                  vinceducat

                    Hello, I use the technique with the udpbroadcast relay package and have the same problem, only under Android ...

                    Does a solution exist?

                    Perhaps Android has a different search method...

                    vinceducat

                      I have the same problem with the technique with the udpbroadcast package.

                      Only with Android, too.

                      Any solution?

                      dkonigs

                        I'm not sure where to post this, as there are dozens of threads out there on this subject. They all involve some combination of Avahi, IGMP Proxy, Firewall rule changing, jumping jacks, yak shaving, and singing ring-around-the-rosie. And they all seemed to work for whoever posted them, at the time they posted them.

                        But they never work for me and I really have no idea how they actually worked for anyone else either. Maybe other factors were involved at the time, but I have no idea.

                        This is probably because Sonos discovery works by making an SSDP broadcast to the local subnet, and doesn't really use any of that other stuff. (It's been a long time since I looked at Sonos behavior in a packet sniffer, so I'll admit it's possible it may have involved packets for those other protocols too at various points.) But really, the only solution is to relay those broadcast packets.

                        In any case, I finally found a solution last night that actually worked. It basically involved installing the "UDP Broadcast Relay" pfSense package, then configuring the two rules mentioned in this Reddit post:

                        https://www.reddit.com/r/PFSENSE/comments/rfs99r/setting_up_sonos_speakers_with_vlans_how_i_got/

                        (At the time I had Avahi enabled, but didn't have IGMP Proxy enabled, and my firewall was already configured to allow packets to pass between the VLANs. So I make no promises as to whether other stuff is also necessary.)

                        So I just want to drop this comment here, on the off chance it helps someone else in the future.

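                        As an added example (not code from dkonigs' post, the linked Reddit thread, or the UDP Broadcast Relay package): the SSDP exchange described above, the M-SEARCH a client multicasts to 239.255.255.250:1900 and a parser for the unicast 200 OK replies, plus a discover() that only lists speakers on another VLAN if something relays the search there. The strings matched in is_sonos() and every value in the constructed reply (an address in the walkthrough's example 192.168.20.0/24, the port, the RINCON id) are assumptions, not values from the thread.

```python
import socket

SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900  # standard SSDP multicast group and port

def build_msearch(search_target="ssdp:all", mx=1):
    """Build the M-SEARCH datagram a discovery client multicasts on its local subnet."""
    lines = ["M-SEARCH * HTTP/1.1", f"HOST: {SSDP_GROUP}:{SSDP_PORT}",
             'MAN: "ssdp:discover"', f"MX: {mx}", f"ST: {search_target}", "", ""]
    return "\r\n".join(lines).encode()

def parse_ssdp_response(data):
    """Parse a unicast M-SEARCH reply into lower-cased headers; None unless it is a 200 OK."""
    status, _, rest = data.decode("utf-8", errors="replace").partition("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in rest.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def is_sonos(headers):
    """Assumption (not from the thread): Sonos players identify themselves by ZonePlayer / Sonos strings."""
    return ("zoneplayer" in headers.get("st", "").lower()
            or "sonos" in headers.get("server", "").lower())

def discover(timeout=2.0):
    """Multicast one M-SEARCH and map each replying Sonos address to its LOCATION URL."""
    found = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_msearch(), (SSDP_GROUP, SSDP_PORT))
        try:
            while True:  # replies are unicast back to this socket until the timeout fires
                data, (addr, _) = sock.recvfrom(4096)
                headers = parse_ssdp_response(data)
                if headers and is_sonos(headers):
                    found[addr] = headers.get("location")
        except socket.timeout:
            pass
    return found

SAMPLE_REPLY = (  # constructed sample reply, not a capture; address, port and ids are placeholders
    b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nEXT:\r\n"
    b"LOCATION: http://192.168.20.45:1400/xml/device_description.xml\r\n"
    b"SERVER: Linux UPnP/1.0 Sonos/00.0-00000 (ZPS1)\r\n"
    b"ST: urn:schemas-upnp-org:device:ZonePlayer:1\r\n"
    b"USN: uuid:RINCON_000000000000::urn:schemas-upnp-org:device:ZonePlayer:1\r\n\r\n"
)
```

                        Run discover() from a host on the Secure subnet: an empty result while the speakers answer on the IOT subnet is the symptom the posts above describe, since the replies never leave the subnet the search was issued on.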
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.