Sonos across VLANs?

RackKing · Sun Oct 11, 2015 3:00 pm

Any ideas for getting Sonos to work across VLANs where the speaker is on the main network, but the app is running on a device connected Wi-Fi and is on a different Guest VLAN?

Can this be done via firewall rules or something else. I am just not sure what sonos needs. Any help would be appreciated.

Thanks in advance.

dandrzejewski · Mon Oct 12, 2015 4:30 am

Sonos uses multicast. You will need to install the multicast package and enable PIM.

Sitron · Mon Oct 12, 2015 12:40 pm

I do not think this is possible, unless you are able to forward whatever Sonos needs between your VLAN's. Sonos assumes that all devices, including the controller is on the same IP-network. If I understand correctly, that is their security to not let anyone access your Sonos: You have to be connected the the same network that the Sonos-devices is.

magchiel · Fri Jul 29, 2016 2:24 pm

Apologies for reviving this older thread, but actually (after research and experimenting) I just got this working (many thanks to this post on the Sonos forums).

Turns out it's actually quite easy using PIM in the multicast package and some minimal firewall rules. Below a slightly altered version of my configuration.

/routing pim interface
add interface=[PLAYER_VLAN]
add interface=[CONTROLLER_VLAN]

/ip firewall filter
add chain=forward comment="Forward Sonos multicast traffic" dst-address=239.255.255.250
add chain=forward comment="Forward Sonos remote control events to players" in-interface=[CONTROLLER_VLAN] out-interface=[PLAYER_VLAN] dst-port=1400,4444 protocol=tcp
add chain=forward comment="Forward Sonos remote control events from players" in-interface=[PLAYER_VLAN] out-interface=[CONTROLLER_VLAN] dst-port=3400,3401,3500 protocol=tcp
add chain=forward comment="Forward Sonos UPnP device discovery events from players" in-interface=[PLAYER_VLAN] out-interface=[CONTROLLER_VLAN] 10.28.40.0/24 dst-port=1900,1901 protocol=udp

Of course you can modify the matching criteria to your needs or default drop rules (e.g. IP based or tighter multicast control). See https://sonos.custhelp.com/app/answers/ ... /692#ports for more details on Sonos port usage.

soap · Sat Apr 15, 2017 2:33 pm

Hi

I am trying to get this working, but it won´t work

My MT is confiured in switched mode, hence no brigde. ether1 is master port for the switch.
vlan2 for guest network is working just fine. ( vlans configured on ether1 interface)
192.168.9.0/24 is the network for ether1
192.168.22.0/24 is the network for vlan2

I Copied above information with the bolded addon ( otherwice the IPaddress was giving an error)
/routing pim interface
add interface=ether1
add interface=vlan2

/ip firewall filter
add chain=forward comment="Forward Sonos multicast traffic" dst-address=239.255.255.250
add chain=forward comment="Forward Sonos remote control events to players" in-interface=vlan2 out-interface=ether1 dst-port=1400,4444 protocol=tcp
add chain=forward comment="Forward Sonos remote control events from players" in-interface=ether1 out-interface=vlan2 dst-port=3400,3401,3500 protocol=tcp
add chain=forward comment="Forward Sonos UPnP device discovery events from players" in-interface=ether1 out-interface=vlan2 dst-address=192.168.9.0/ dst-port=1900,1901 protocol=udp

None of the rules are triggered when starting a controller on the guest wlan(vlan2)

What version of IGMP shoult the interface be in? V1,2,3?
Should I add alternative subnets in the interfaces? ( I have tried various settings)

Please help!

ryanwilkinson · Sun Jul 09, 2017 9:34 pm

So - I needed to do this and was able to get it to work. I made a little script. You can edit the first 4 lines and copy/paste the whole thing and the rest is taken care of.

First: You need to download the additional packages for your version, then install the "multicast..." package and reboot. This will give you the /routing/pim option.
Second: edit the first 4 lines of the script (code below) to be correct for your situation.

:global ifControl "ether1-master-local" <- This is the name of the VLAN you will have the controller on (av or iDevice)
:global ifSonos "ether23-slave-local" <- This is the name of the VLAN the Sonos players will sit on
:global netControl "10.0.1.0/24" <- this is the network that your controlling device VLAN is on
:global plcBefore "6" <- Where you want the scripts to start adding to in your firewall.

Third: Open a terminal and ssh into the router. Copy and paste the full set of code below and hit enter.
Fourth: You may need to restart the Sonos app or device to get it to fully register and be recognized by the player/router but it will work. Kick on some music and enjoy.

:global ifControl “ether1-master-local”
:global ifSonos “ether23-slave-local”
:global netControl “10.0.1.0/24”
:global plcBefore “6”

/routing pim interface
add interface=$ifSonos
add interface=$ifControl

/ip firewall filter
add chain=forward comment="Forward Sonos multicast traffic" dst-address=239.255.255.250 place-before=$plcBefore
add chain=forward comment="Forward Sonos remote control events to players" in-interface=$ifControl out-interface=$ifSonos dst-port=1400,4444 protocol=tcp place-before=$plcBefore
add chain=forward comment="Forward Sonos remote control events from players" in-interface=$ifSonos out-interface=$ifControl dst-port=3400,3401,3500 protocol=tcp place-before=$plcBefore
add chain=forward comment="Forward Sonos UPnP device discovery events from players" in-interface=$ifSonos out-interface=$ifControl dst-address=$netControl dst-port=1900,1901 protocol=udp place-before=$plcBefore

/system script environment
remove [find name="ifControl"]
remove [find name="ifSonos"]
remove [find name="netControl"]
remove [find name="plcBefore"]

Spartacus · Mon Jun 25, 2018 11:44 pm

Hi,
i found this thread and I would like to implement this for my Sonos - System. I have controller on different vlans (vlan10, vlan20 and vlan99) and all the players are on vlan30. But I do not understand the "netControll" in the following configuration:

:global ifControl "ether1-master-local" <- This is the name of the VLAN you will have the controller on (av or iDevice)

this is the vlan for the controllers (for me vlan10,vlan20 and vlan99; i think I need three forward lines, each for every vlan)

:global ifSonos "ether23-slave-local" <- This is the name of the VLAN the Sonos players will sit on

this is the vlan of the players, for me vlan30

:global netControl "10.0.1.0/24" <- this is the network that your controlling device VLAN is on

and this is what I do not understand. Is this the list of subnets for vlan10, vlan20 and vlan99?

Thanks,
Christian

florid · Tue Nov 13, 2018 11:43 pm

I recently implemented the same for Sonos by using igmp-proxy not PIM.
Just need to add the interfaces into igmp-proxy and set which one is upstream, then apply the firewall rules for allowing UPnP traffic. That's it.
According to Mikrotik Wiki igmp proxy is slightly lightweight than PIM, that's why I prefer this.

RackKing · Wed Nov 14, 2018 12:03 am

Thank you for.posting this - could you expand a little bit? a sample config would help me get my head wrapped around it. Turning on igmp proxy on the interfaces but I have never use the other features.

Thanks for any help.

anav · Wed Nov 14, 2018 2:50 pm

Not familiar with Sonos, but most of the smart devices I use thus far reach back to their cloud and do not talk to each other over the home network.
Is Sonos that different, and are there are any others like it?
Nice thread as I was thinking of smark speakers for Black Friday sales and was comparing the echo plus 2nd generation to the Sonos One (one or pair or play 5 unit)
With only device it seems it wouldnt matter but if populating with more later...........

RackKing · Tue Dec 04, 2018 2:05 pm

Hi anav -

Sorry for the late reply.

Yes the sonos is very different and relies the controller PC or app to see broadcast/multicast traffic in order to work. Control is all local and the services come through the cloud. They can create there own hidden "sonosnet" wi-fi mesh on 2.4 which can be disastrous in certain environments - constant loud talking. From a security and traffic standpoint I think it makes sense to put it on its own subnet, you just have to jump through some hoops to make it work. I am not a fan of allowing UPnP traffic so I think the PIM package is my solution. If possible I like to hardwire these and shut the wifi off.... rarely does the system allow.

Sonos if very polished, works great and the speakers are pretty good. Great selection of online music services to choose from. Integrates nicely with smart devices like Alexa. In a past life I was an A/V integrator so if you have questions I will try to help.

Cheers

anav · Tue Dec 04, 2018 2:29 pm

Thanks RackKing, but I do not imagine I will need anything special.
We will have only one sonos (play 5) in the kitchen area. One of the reasons I chose this device is that it is NOT microphone enabled.
In fact, not sure I want to have any live mikes in the house LOL. At least the SONOS could be controlled in that manner in the future with an echo hockey puck.
My expectation is that most times it will be controlled by smart phone.
Are you saying that the smart phone and the SONOS will have to be on the same VLAN in the house??

RackKing · Tue Dec 04, 2018 2:57 pm

Are you saying that the smart phone and the SONOS will have to be on the same VLAN in the house??

Yes. Unless you implement either of the two solutions above (properly configured igmp-proxy or PIM) thus allowing you to connect controllers PCs, iPhone app, etc... with Sonos equipment Connects, Amps, Play One, etc... across VLANs.

A potential home use case is you may have a kids wlan setup on a different VLAN for say DNS, scheduling, etc... and you have Sonos gear on the "main" network. The kid vlan cannot control the Sonos gear in the man vlan which makes them upset if they have a Play One in their room and only mom and dad can pick there music

.

Controlling Sonos from an alexa/echo is pretty neat. Sonos provides much better sound quality (imho) than any alexa/echo device today. Sonos with built in Alexa seems like a good combination. Add some lights into the mix and voice controlled "smart" home control becomes pretty compelling for some.

For security and traffic reasons, I see them segregated from production networks in larger environments.

anav · Tue Dec 04, 2018 8:15 pm

Well it also has air play so one can play directly from the iphone over wifi (ones apple music) or I suppose use the sonos app to play radio stations or playslists from the iphone as well.

My question is if I know the IP address of the sonos then to for the spouse to control the sonos wouldnt it just be a firewall forward rule.

add chain=forward action=accept sourceip(iphone), destinationip(SONOSplay5),

ilovepancakes · Sun Aug 25, 2019 4:37 pm

I recently implemented the same for Sonos by using igmp-proxy not PIM.
Just need to add the interfaces into igmp-proxy and set which one is upstream, then apply the firewall rules for allowing UPnP traffic. That's it.
According to Mikrotik Wiki igmp proxy is slightly lightweight than PIM, that's why I prefer this.

@florid Could you elaborate on this setup a little bit more and how you got it working and the firewall rules you used?

Anybody else use this method and have it working or is PIM method the better way?

ilovepancakes · Sat Sep 07, 2019 6:21 pm

So - I needed to do this and was able to get it to work. I made a little script. You can edit the first 4 lines and copy/paste the whole thing and the rest is taken care of.

First: You need to download the additional packages for your version, then install the "multicast..." package and reboot. This will give you the /routing/pim option.
Second: edit the first 4 lines of the script (code below) to be correct for your situation.

:global ifControl "ether1-master-local" <- This is the name of the VLAN you will have the controller on (av or iDevice)
:global ifSonos "ether23-slave-local" <- This is the name of the VLAN the Sonos players will sit on
:global netControl "10.0.1.0/24" <- this is the network that your controlling device VLAN is on
:global plcBefore "6" <- Where you want the scripts to start adding to in your firewall.

Third: Open a terminal and ssh into the router. Copy and paste the full set of code below and hit enter.
Fourth: You may need to restart the Sonos app or device to get it to fully register and be recognized by the player/router but it will work. Kick on some music and enjoy.
Code: Select all
:global ifControl “ether1-master-local”
:global ifSonos “ether23-slave-local”
:global netControl “10.0.1.0/24”
:global plcBefore “6”

/routing pim interface
add interface=$ifSonos
add interface=$ifControl

/ip firewall filter
add chain=forward comment="Forward Sonos multicast traffic" dst-address=239.255.255.250 place-before=$plcBefore
add chain=forward comment="Forward Sonos remote control events to players" in-interface=$ifControl out-interface=$ifSonos dst-port=1400,4444 protocol=tcp place-before=$plcBefore
add chain=forward comment="Forward Sonos remote control events from players" in-interface=$ifSonos out-interface=$ifControl dst-port=3400,3401,3500 protocol=tcp place-before=$plcBefore
add chain=forward comment="Forward Sonos UPnP device discovery events from players" in-interface=$ifSonos out-interface=$ifControl dst-address=$netControl dst-port=1900,1901 protocol=udp place-before=$plcBefore

/system script environment
remove [find name="ifControl"]
remove [find name="ifSonos"]
remove [find name="netControl"]
remove [find name="plcBefore"]

Confirming that this method works easily as described!

Spartacus · Wed Oct 30, 2019 10:18 pm

Hi,
I have Sonos players in VLAN99, PIM is active and FW rules are also implemented. It works, but not very well. A new controller can only be added to the system, if i put it temporarily in VLN99 . Same with SW-Updates. I cannot start SW-Updates from the "Controller-VLAN10, only if the controller is in the player VLAN.

I have configured manually, not via script. Maybe I missed something, Can someone please confirm, that SW Updates work fine from Controller VLAN?

Thanks,
Spartacus

ilovepancakes · Wed Oct 30, 2019 10:30 pm

Hi,
I have Sonos players in VLAN99, PIM is active and FW rules are also implemented. It works, but not very well. A new controller can only be added to the system, if i put it temporarily in VLN99 . Same with SW-Updates. I cannot start SW-Updates from the "Controller-VLAN10, only if the controller is in the player VLAN.

I have configured manually, not via script. Maybe I missed something, Can someone please confirm, that SW Updates work fine from Controller VLAN?

Thanks,
Spartacus

You added both vlan interfaces to PIM module? I would double check the firewall rules and make sure they are exactly like if the script did it. I did it manually without script too and I am pretty sure a software update worked in the past however I have not tried an update recently.

Spartacus · Wed Oct 30, 2019 10:59 pm

Hi,
thanks for quick reply! Yes, VLAN30, VLAN10 and the other Controller VLAN is configured in PIM

PIM.png

I will check Rules tomorrow again, and will let you know! Maybe I do not see my issues!

But please check in parallel, if you can add a new controller in the Controller VLAN, or if you can update the Sonos. 10.5 is online!

Spartacus.

xvo · Wed Oct 30, 2019 11:52 pm

Follow the link to sonos forum from this early post: viewtopic.php?f=2&t=101244#p549825
There is a comment, that tcp/4444 also need to be opened for software updates to work.

Spartacus · Thu Oct 31, 2019 12:24 pm

Hi all,
thanks for support. I checked my rules and everything is like described in this thread...Maybe my issue is in annother details, which I did not mention!

The RB3011 is the Router but all Sonos Devices are attached to an Cisco SG350x-Switch. I followed this thread:
https://support.sonos.com/s/article/2118?language=en_US.
Maybe something wrong with Multicast-Settings on the Switch.
Ideas?

Christian

xvo · Thu Oct 31, 2019 2:44 pm

Maybe something wrong with Multicast-Settings on the Switch.

Could be.
Try testing without a switch to understand whether Mikrotik or Cisco is causing the problem.

Spartacus · Fri Jan 03, 2020 2:34 pm

Hi all,
sorry for responding so late.

I´ve checked the it now without Cisco-Switch and it is not working very well!

My Sonos Players are in Subnet vlan30 and the Controller are in vlan10. I have cofigured vlan10 and vlan30 directley on MT-Router Ports as an untagged vlan and i have connected a Windows-PC and a Sonos Play 3.
A freshe installed Windows controller on (vlan10: ether3) cannot connect to the Sonos-Network (vlan30: ether2). Windows tells me, that there is no existing Sonos-network. If I put player and controller into the same Subnet (VLAN30) everything works, and controlloer finds the Sonos-network. Once controller is connected to the Sonos-Network, I can move the Controller back into vlan10 and it works also.
Please note:
ether3 = vlan10 = 172.16.10.0/24
ether2 = vlan30 = 172.16.30.0/24

Here is an extract from my Mikrotik-config. Maybe someone can tell me, what is going wrong! I am trying since months, but I cannot find any issues in the configuration

Regards,
Christian

/interface vlan
add comment=Office interface=br_vlan name=vlan10 vlan-id=10
add comment=Sonos interface=br_vlan name=vlan30 vlan-id=30

/interface list
add name="Sonos Control"

/interface list member
add comment=SONOS interface=vlan10 list="Sonos Control"


/interface bridge vlan
add bridge=br_vlan comment=Office tagged=sfp1,br_vlan,vlan10 untagged=ether3 vlan-ids=10
add bridge=br_vlan comment=Sonos tagged=sfp1,br_vlan,vlan30,ether8 untagged=ether2 vlan-ids=30

/ip firewall address-list
add address=172.16.10.0/24 list=SonosControl

/ip firewall filter
add action=accept chain=forward comment=\
    "SONOS. Forward UPnP Device Discovery events from Players" \
    dst-address-list=SonosControl dst-port=1900,1901 in-interface=vlan30 \
    protocol=udp
add action=accept chain=forward comment=\
    "SONOS: Forward Contoller events  from Players" dst-port=3400,3401,3500,4444 in-interface=vlan30 out-interface-list=\
    "Sonos Control" protocol=tcp
add action=accept chain=forward comment=\
    "SONOS: forward  Controller events to Players" dst-port=1400,4444 \
    in-interface-list="Sonos Control" out-interface=vlan30 protocol=tcp
add action=accept chain=forward comment="SONOS: forward Multicast traffic" \
    dst-address=239.255.255.250 log-prefix=MultiCast
	
/routing pim interface
add comment="Sonos player" interface=vlan30
add interface=vlan10
add comment="Sonos Clients" interface=vlan50
/routing pim rp
add address=172.16.30.1

Spartacus · Sun Jan 05, 2020 4:37 pm

Hi,
it´s me again.
I see that two FW-rules are not working because package counter is 0. But I do not know why!

add chain=forward comment="Forward Sonos multicast traffic" dst-address=239.255.255.250 place-before=$plcBefore
add chain=forward comment="Forward Sonos UPnP device discovery events from players" in-interface=$ifSonos out-interface=$ifControl dst-address=$netControl dst-port=1900,1901 protocol=udp

in-interface is vlan30 which is configured on the bridge with vlan-filtering, also vlan10 which configured in the same way.

I gues something with multicast routing is not working. Can someone help here?

Christian

ilovepancakes · Fri Jan 10, 2020 1:58 am

Hi,
it´s me again.
I see that two FW-rules are not working because package counter is 0. But I do not know why!
Code: Select all
add chain=forward comment="Forward Sonos multicast traffic" dst-address=239.255.255.250 place-before=$plcBefore
add chain=forward comment="Forward Sonos UPnP device discovery events from players" in-interface=$ifSonos out-interface=$ifControl dst-address=$netControl dst-port=1900,1901 protocol=udp 
in-interface is vlan30 which is configured on the bridge with vlan-filtering, also vlan10 which configured in the same way.

I gues something with multicast routing is not working. Can someone help here?

Christian

I don't know if this matters, but your routing PIM section in the previous post... I don't have anything in my "RP" section of that, and it works fine. If you remove the RP entry completly does it work? I have the two vlans (sonos and control) added to interface tab in PIM and that's it.

Spartacus · Fri Jan 10, 2020 2:28 pm

Hi all,
thank you for your reply, but it doesn´t change anything if I remove the RP.

What I noticed is, that the SONOS players use different UDP-Ports for communication if they try to connect to a controller. I saw a lot of upd -FW-drops in a range between 30000-60000.
If I open this range, connection to a controller is possibe. This is very interesting, because I do not find any documents about this "higher" udp-Port communication and I am not sure why this only happens to my system and others can connect to controllers with the standard port configuration.

Can someone please confirm, that he can connect a new Sonos Windows or Android Controller to the SONOS-Net Environment, without additional configuration? I can only do that, if I allow all udp-Ports in my FW rules.

Christiam

ilovepancakes · Fri Jan 10, 2020 4:53 pm

Hi all,
thank you for your reply, but it doesn´t change anything if I remove the RP.

What I noticed is, that the SONOS players use different UDP-Ports for communication if they try to connect to a controller. I saw a lot of upd -FW-drops in a range between 30000-60000.
If I open this range, connection to a controller is possibe. This is very interesting, because I do not find any documents about this "higher" udp-Port communication and I am not sure why this only happens to my system and others can connect to controllers with the standard port configuration.

Can someone please confirm, that he can connect a new Sonos Windows or Android Controller to the SONOS-Net Environment, without additional configuration? I can only do that, if I allow all udp-Ports in my FW rules.

Christiam

My Windows and Android controllers are on same vlan as sonos players but my Mac controller is on a different vlan and that can connect to players, with the setup I mentioned in my above posts that works, confirming that the original instructions posted on this thread worked with just modifications for my vlan names and numbers being different.

Spartacus · Fri Jan 10, 2020 9:27 pm

Hi,
only one last question!

If you reset the controller on your MAC (disconnect from SONOS-Net), and if you then try to register the controller again to your existing SONOS-System. Does this work with the setup above, if your MAC is in a different Subnet than the Players?

If you can test this,, it would be great!

Thanks,
Christian

ilovepancakes · Fri Jan 10, 2020 10:10 pm

Hi,
only one last question!

If you reset the controller on your MAC (disconnect from SONOS-Net), and if you then try to register the controller again to your existing SONOS-System. Does this work with the setup above, if your MAC is in a different Subnet than the Players?

If you can test this,, it would be great!

Thanks,
Christian

My Mac is already in a different subnet than the players, that is what works already. By Sonos-NET do you mean the WiFi network that the players create that you can connect to? Because that is what you are doing then maybe that is the problem. My devices whether they are on same vlan/subnet as players or not, are using regular WiFi connections or Wired Ethernet. No controller device is connected to the Sonos-NET WiFi network that the players create themselves.

Spartacus · Fri Jan 10, 2020 10:39 pm

Hi,
we talk at cross purposes

My players are all connected to the LAN by Ethernet. The players are in vlan30, the controller in vlan10
FW between vlan10 and vlan30 is setup as above! Everything works, once controller is registered.

BUT:
If you start a fresh installed controller software on a client, the Sonos software asks you "do you want to connet to a new Sonos Sytem, or do you want to connect to an existing Sonos System". And if you choose "connect to an existings Sonos System" the SW connects to your players and you can see the players the rooms etc.

In my Configuration:
This works only, if controller and player are in the same subnet, it works not, if controller and player are in different subnets with the FW-rules above.. I only wanted to know, if someone can add fresh installed controllers to the existing Sonos System, if players and controllers are in different Subnets.

You can test this, if you select "reset controller" in the Sonos-SW under "help.". (german version: Hilfe->Controller zurücksetzen)

Controller.png

Christian

ilovepancakes · Sat Jan 11, 2020 8:30 pm

Hi,
we talk at cross purposes

My players are all connected to the LAN by Ethernet. The players are in vlan30, the controller in vlan10
FW between vlan10 and vlan30 is setup as above! Everything works, once controller is registered.

BUT:
If you start a fresh installed controller software on a client, the Sonos software asks you "do you want to connet to a new Sonos Sytem, or do you want to connect to an existing Sonos System". And if you choose "connect to an existings Sonos System" the SW connects to your players and you can see the players the rooms etc.

In my Configuration:
This works only, if controller and player are in the same subnet, it works not, if controller and player are in different subnets with the FW-rules above.. I only wanted to know, if someone can add fresh installed controllers to the existing Sonos System, if players and controllers are in different Subnets.

You can test this, if you select "reset controller" in the Sonos-SW under "help.". (german version: Hilfe->Controller zurücksetzen)
Controller.png
Christian

Ahh okay, I don't want to mess with actually trying it on the Mac since it's working BUT I installed a windows 10 VM on my Mac and tried to connect a new install of sonos controller for windows and it would not find the players, just like you say. I am fairly certain that when I did the Mac months ago it did work, so maybe a recent update changed something where it can't make the initial connection unless on same vlan as players. I am guessing also if it work when you open that large range of UDP ports, that maybe the software is using a randomly open port for connections so there is nothing you can open to predict that except a large range.

Spartacus · Sat Jan 11, 2020 8:59 pm

Hi ilovepancakes,
thank you so much for this test! I thought I was going crazy! None undestood my issues, but now, I have the certainty that only "operation-mode" will work with the FW-rules above!

BTW:
I also noticed, that you are not able to make Sonos Updates from a controller in a diffrent Subnet! It would be great, if you can test this also (next time when Sonos provides an update) from a controller outside the player network!

Seems to be that the FW-rule-set is not complete!

Regards,
Christian

ilovepancakes · Wed Jan 15, 2020 2:09 am

Hi ilovepancakes,
thank you so much for this test! I thought I was going crazy! None undestood my issues, but now, I have the certainty that only "operation-mode" will work with the FW-rules above!

BTW:
I also noticed, that you are not able to make Sonos Updates from a controller in a diffrent Subnet! It would be great, if you can test this also (next time when Sonos provides an update) from a controller outside the player network!

Seems to be that the FW-rule-set is not complete!

Regards,
Christian

I tried an update and it didn't work, although I tried update from controller on same vlan as players and it still seemed to fail so not sure what is going on.

ilovepancakes · Mon Jun 01, 2020 11:59 pm

Anybody have this working still? It seems Sonos controller for Mac/PC updated and broke this from working. I always had to join the controller software while connected to the same VLAN as players, however then switching WiFi networks to different VLAN, the controller still saw and controlled the players.

Now, if I do the same, when I launch the controller while PC/Mac is on another VLAN from the players, it actually sees the players and data and controls them for 2 seconds, then Sonos controller pops open an overlay saying WiFi network has changed and to change back to previous one the players are on. But it shows the players and works for a few seconds before this overlay comes up and then blocks access!! It's almost like it stills works but Sonos put a block on the controller from working if WiFi network is a different name.

Tested using ethernet instead of WiFi too and same result. So it really seems like the controller still has a connection to players and works across VLAN but Sonos has this overlay that covers up the interface if WiFi name or ethernet network changed.

anav · Tue Jun 02, 2020 2:05 am

Not the greatest news - my solution - put a sticky on the SONOS that says, "Use SSID XXXX from smartphone".

ilovepancakes · Tue Jun 02, 2020 2:27 am

Not the greatest news - my solution - put a sticky on the SONOS that says, "Use SSID XXXX from smartphone".

lol, yeah well I have been using this method to control Sonos from my main PC which is on a management VLAN. Guess Sonos wants to start enforcing the app actually being on same WiFi SSID or same ethernet subnet even if the players are found and displayed. Would be great if there was some way to trick the app into thinking it's still on the same network.

Spartacus · Tue Jun 02, 2020 12:46 pm

Hi all,
I have the same issue with the PC Controller on Windows when the PC is in a different VLAN than SONOS Players. I am a little bit frustrated that the Controller App cannot find the System anymore. I do not have the isses from an Android Phone. Does anybody know the differences between Windows App and Android regarding the starting procedure? Both systems are in the same Controller VLAN and Players are all in the SONOS VLAN. Have nearly all Players on Ethernet (cable) and only 2 or 3 in WLAN without SonosNet at different AccessPoints. (cAP AC).

I checked with wireshark on the PC and it seems to be that the Controller App is listening to a Broadcast 255.255.255.255.255 which is send out by the players. And of courde this cannot be routed to the Controller VLAN (or does anybody has an idea how to make this happen?). The Multicast packages 239.255.255.255.250 are passing the Subnet-Borders, I can see it in Wireshark.

Who can help with it?

Spartacus

ilovepancakes · Wed Jun 03, 2020 2:34 am

I was able to get control working again using latest sonos software controller and firmware versions by opening up UDP ports 32000-65535 from sonos players to my controller PC. A tip on the Sonos forums led me to check out the firewall logs and find out that random UDP ports are used now each time controller launches, so opening this range solved the issue.

I really wonder what these ports are used for though because like I said previously, when they aren't open, control still works for 2-3 seconds after launching app on PC but then app complains about wifi network changing and it blocks the control screen with it's popup.

Spartacus · Wed Jun 03, 2020 10:50 am

Hi,
thanks for reply. But for me, that cannot be the case. I have no FW-rules between the Subnets and all the traffic is allowed. So for me it is annother issue, why this is not working.
Before the last MT-Update everythink works fine but since 6.46.6 it doesn´t work anymore. Sonos Controller is also up2date.

GrasDK · Fri Jun 02, 2023 11:17 pm

Update 2023-06-05: Fixed some formatting in the post

I was able to get control working again using latest sonos software controller and firmware versions by opening up UDP ports 32000-65535 from sonos players to my controller PC.

I can second this symptom and solution. Found out by watching communication on wireshark on a controller on same subnet as the Sonos Playback devices.

I have my Sonos Playback devices and most controllers on the same VLAN. But I do have a single controller on my Admin VLAN and it became a challenge to make it work as well as the other controllers.

So a total solution for me (Sonos S1 - the old version) is:

Open UDP ports 1900,32000-65535 from all Sonos Playback Devices to Controllers (or their respective interfaces if you prefer)
Open TCP port 3400 from all Sonos Playback Devices to Controllers (or their respective interfaces if you prefer)
Open TCP ports 1400, 1443, 4444 from Controllers to all Sonos Playback Devices (or their respective interfaces if you prefer)

Explanation:

UDP port 1900 is UPnP discovery, the high ports (32000-65535) are the proprietary ones also mentioned by ilovepancakes - actually, I found 50000-65535 to be enough.
TCP port 3400 is among other things used to alert the controller of the player's presense
TCP port 1400 seems to be control commands to the player
TCP port 4444 is used for updates
TCP port 1443 is not always in use, but some encryption handshake is going on between Controller and Playback device when it's used. I saw it used in connection with updates (port 4444)

Only thing left in my case was to setup IGMP proxy, to allow the Controllers' multicast announcement to transfer from it's VLAN to the VLAN that Sonos is on. IGMP proxy is enough for this, as long as you do not have Controllers on multiple VLANs, because the Controller interface needs to be upstream, and there can be only one upstream. I understand that PIM SM is another way you can solve this problem, but I haven't tried that yet.

Short setup recap:

VLAN called Home has the Sonos Playback Devices
VLAN called HomeAdmin has the Controller I wanted to connect.
Controller and Sonos devices have statically assigned IP adresses, so I can make address lists (makes it possible to keep a rule fixed, while adding new devices - just update the address list).

Below, you will find Winbox screenshots of the relevant parts.
Static leases:

MikroTikSonosDHCP.jpg

Address lists (sorry for the confusion, I forgot to remove the controller's old IP from the list - shame on me. There should have been only 1 IP as per my explanation):

MikroTikSonosAdrList.jpg

Filter rules:

MikroTikSonosFilterRules.jpg

IGMP Proxy:

MikroTikIGMPProxy.jpg

I hope this helps someone. Took me a while to figure out.

I will post a full config, when I'm finished. My firewall isn't ready for scrutiny yet

PS: RouterOS is version 7.8 on an RB5009

mjbnz · Wed Jun 07, 2023 1:40 am

So a total solution for me (Sonos S1 - the old version) is:

My system is S2, and I found the following rules along with the IGMP proxy is sufficient:

Allow UDP ports 1900,32000-49999 from all Sonos Playback Devices to Controllers
Allow TCP ports 3500,32000-65535 from all Sonos Playback Devices to Controllers

I don't restrict traffic from the controller VLAN to the IoT VLAN, just the other direction, so some experimentation will be required for the other direction if you block that.

Thanks for your reply GrasDK, that was much simpler than I expected - I wasn't really looking forward to NIH'ing the mdns-repeater docker container.

GrasDK · Sat Jun 10, 2023 1:37 pm

You're welcome. And thanks for your update as well. It makes sense that S2 would use TCP port 3500 instead of 3400, since S1 and S2 have different implementations