Accessing Sonos from another LAN/VLAN

Hi forum,

I've searched high and low, and whilst there are hints here and there, there doesn't seem to be a clear answer to this anywhere - (at least one that works.)

I operate a business from home, as such I have Sonos in one restricted Business VLAN while my family/guests use another logically separated VLAN.

My requirement is to allow clients in either VLAN to be able to access Sonos. Of course, if one is connected to the business VLAN Sonos works fine, but I want family to be able to also share access to Sonos from their own VLAN too. (Moving Sonos into the family LAN is not the answer as this does not provide the dual LAN access required for reasons not relevant to discuss here.)

There are ZERO routing issues as I currently allow access to printers and other such devices in the business VLAN to family members to share via simple firewall rules, thus routing and firewalls are not the issue. (For the record, I've allowed any->any firewall communication between Sonos devices and the family VLAN.)

I understand that Sonos additionally requires forwarding of multicast/IGMP between VLANs or layer 3 domains for cross-network communication, but I can't find anyone who's successfully done this and written it down in any non-vague detail.

I've spent an expensive amount of time looking into igmpproxy, playing with upstream and downstream configs, IGMP snooping etc., but I haven't found a working config.

Has anyone out there configured this successfully? If so, could they please share their generic steps taken to allow Sonos communication between two VLANs? I've seen so many people asking the same question, but not getting anywhere with it, so this solution would be a great addition to the forum.

I'm running OpenWrt 18.06 on several WRT1900ACS v2.

Thank you!


Anyone got any thoughts..?

Very similar topic:


leachii, thanks for the response, but I'm not sure there is any solution contained in the thread you've directed me to. The thread actually goes nowhere and references back to my own unanswered question.
My questions are actually NOT very similar in terms of detail as they ask for specifics around igmpproxy and multicast, not how to join LANs and guest networks, which is the thrust of the other thread you've forwarded.

Perhaps you could elaborate more on the very brief but unexplained multicast mention you make in the thread? My original question seeks a working igmp proxy config to allow multicast between two networks.

Blowfly. Apologies for digging this old thread up, but just in case it is helpful to someone. I have a similar case with multiple VLANs with Sonos devices on a "guest" VLAN and wanting to control from a "more secure" VLAN. Long story shorter, I spent way too much time failing with igmpproxy. I was able to get some things to work but not all. In the end I switched to mcproxy and had it working quickly. It may not matter but I am running 19.07 on a WRT32X (very similar to your WRT1900ACS). If you have questions let me know and I can get you more info.

would you be able to share some details, ports etc.? I have the exact issue as TS

Hi thanks for taking the time for the response... sorry for the late reply also. I never did get this working so it would be fantastic if you could share your config with mcproxy!

Sorry again for the delays, I must have my notifications messed up. I'm not getting emails. Fair warning: this was long enough ago that I am forgetting details, I'm sure. I am sure I have extra things configured that aren't needed, but it is working as it sits.

Relevant parts about my environment.

  • 2 VLANs. The VLANs are trunked over a few routers. All the config is on the main router. The trunking is probably not important
  • The "guest" VLAN you'll see in the config as "guest" or "br-guest"; it's on 192.168.5.0/24. All the Sonos devices (3 of them) are on this VLAN
  • The "secure" VLAN will be in the config as "lan" or "br-lan" and is on 192.168.0.0/24. There is a file server with media for Sonos on this VLAN and controllers (phones, PCs)
  • Sonos devices on the guest VLAN can play music from the library (file server) on the secured VLAN
  • Controllers work from either VLAN
  • Sonos devices work as Spotify Connect devices from either VLAN

Here are what I think the key parts are

  • mcproxy for multicast proxies
  • avahi for mDNS - I think this was only needed for Spotify Connect and Sonos works without, but can't remember for sure
  • FW rules

Here is the mcproxy config (cat /etc/config/mcproxy):

config mcproxy 'mcproxy'
        option disabled '0'
        option respawn '1'
        option protocol 'IGMPv3'

config instance
        option disabled '0'
        option name 'proxy1'
        list upstream 'br-GUEST'
        list downstream 'br-lan'

Here is the avahi config. No uci for this one, so this is cat /etc/avahi/avahi-daemon.conf:

[server]
use-ipv4=yes
use-ipv6=no
check-response-ttl=no
use-iff-running=no
allow-interfaces=br-lan,br-GUEST

[publish]
publish-addresses=yes
publish-hinfo=yes
publish-workstation=no
publish-domain=yes

[reflector]
enable-reflector=yes
reflect-ipv=no

[rlimits]
#rlimit-as=
rlimit-core=0
rlimit-data=4194304
rlimit-fsize=0
rlimit-nofile=30
rlimit-stack=4194304
rlimit-nproc=3

Now for the firewall. I think these are all the relevant ones (cat /etc/config/firewall). A couple of notes on a few of the IPs:
192.168.5.50 is the "primary" Sonos device
192.168.5.51 and 52 are the other Sonos devices
192.168.0.13 is the file server with a music library shared

config rule
	option target 'ACCEPT'
	option src 'guest'
	option proto 'udp'
	option dest 'lan'
	option family 'ipv4'
	list src_ip '192.168.5.50'
	option name 'Sonos to library share - UDP'
	option dest_port '136-139'
	list dest_ip '192.168.0.13'

config rule
	option target 'ACCEPT'
	option src 'guest'
	option proto 'tcp'
	option dest 'lan'
	option family 'ipv4'
	list src_ip '192.168.5.50'
	option name 'Sonos to library share - TCP'
	option dest_port '445 3445'
	list dest_ip '192.168.0.13'

config rule
	option target 'ACCEPT'
	option src 'guest'
	option name 'Sonos upnp events'
	option proto 'tcp'
	option family 'ipv4'
	option dest 'lan'
	option dest_port '3400 3401 3500'

config rule
	option src 'guest'
	option family 'ipv4'
	option target 'ACCEPT'
	option dest 'lan'
	list proto 'udp'
	option name 'Sonos discovery responses'
	option dest_port '1900 1901'

config rule
	option target 'ACCEPT'
	option src 'guest'
	option name 'Sonos upnp discover returns'
	option proto 'udp'
	option dest_port '1900-1905'
	option family 'ipv4'

config rule
	option src 'guest'
	option dest 'lan'
	option target 'ACCEPT'
	option family 'ipv4'
	list proto 'tcp'
	option name 'Sonos device description returns'
	option src_port '1400 4444'

config rule
	option src 'guest'
	option family 'ipv4'
	option target 'ACCEPT'
	option dest 'lan'
	list proto 'udp'
	option dest_port '49152-65535'
	option name 'Sonos - Dynamic UDP'
	list src_ip '192.168.5.50'
	list src_ip '192.168.5.51'
	list src_ip '192.168.5.52'

config rule
	option dest_port '6969'
	option src 'guest'
	option name 'Sonos setup'
	option dest 'lan'
	option target 'ACCEPT'
	list proto 'udp'

config rule
	option src_port '5353'
	option src 'guest'
	option name 'Spotify Connect - from guest'
	option family 'ipv4'
	option target 'ACCEPT'
	option dest_port '5353'
	list proto 'udp'

config rule
	option src_port '5353'
	option src 'lan'
	option name 'Spotify Connect - from LAN'
	option family 'ipv4'
	option target 'ACCEPT'
	option dest_port '5353'
	list proto 'udp'

Thanks @kapieyow. With your help I got this going no problem.

I can confirm that MCProxy is all that is required for Sonos - no need for Avahi/bonjour/igmpproxy as some other Linux threads may suggest - I had no success there either.

I say MCProxy is all that is required with the caveat that each router's firewall mileage may also vary. According to Wireshark the TCP/UDP ports needed seem to be a slightly moving target between various Sonos versions.

Firewall config matters especially if you want to be able to use Sonos auto-discovery and not mess about with first connecting a client app or speaker device in the main Sonos LAN before then moving each device manually to the desired VLAN location. I've worked around all these issues with my config below. It's been running perfectly for 3 months with zero connectivity issues, losses of functionality or glitches. Discovery works fine too.

(You could go harder with firewall rules of course, but due to the variable and complex mesh of Sonos network activity I've struck a balance between security and usability so as to avoid firing up Wireshark every time Sonos updates.... Please feel free to suggest FW improvements!)

My setup is very simple.
br-lan = Location of Sonos devices
br-guest = LAN from where I want to allow guests to be able to control Sonos

/etc/mcproxy.conf ....

config mcproxy 'mcproxy_file'
	option disabled '1'
	option respawn '1'
	option file '/etc/mcproxy.conf'

config mcproxy 'mcproxy'
	option disabled '0'
	option respawn '1'
	option protocol 'IGMPv3'

config instance
	option disabled '0'
	option name 'proxy1'
	list upstream 'br-lan'
	list downstream 'br-guest'

config instance
	option disabled '0'
	option name 'proxy2'
	list upstream 'br-guest'
	list downstream 'br-lan'

/etc/config/firewall relevant rules...

config rule
	option dest 'lan'
	option src 'guest'
	option name 'Allow-Sonos-Guest'
	option target 'ACCEPT'
	list dest_ip 'all of your.sonos.device.ips'
	option family 'ipv4'
	list proto 'tcp'
	list proto 'udp'

config rule
	option name 'Allow-Sonos-Reply-Guest-TCP'
	option dest 'guest'
	option src 'lan'
	option target 'ACCEPT'
	list src_ip 'all of your.sonos.device.ips'
	option family 'ipv4'
	list proto 'tcp'
	option dest_port '445 554 1443 3400 3401 3405 3445 3500 3501 3689 4070 4444 5297 5298'

#Note: port 445 is in use as I'm using a samba share for local music storage

I've spent too long trying to solve this so I hope this helps someone else out!

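An added example, not written by any poster in this thread: a shell function that reads an OpenWrt /etc/config/firewall and lists the ACCEPT rules that are broader than their names suggest, as a starting point for the firewall tightening the last post asks about. The sample rules, the address 192.168.1.20 and the flag names (src-port-only, all-ports, any-host, router-input) are constructed for this example.

```shell
# Added example: list broad ACCEPT rules. On the router: audit_fw_rules < /etc/config/firewall
audit_fw_rules() {
    awk -v q="'" '
    function report(   why) {
        if (!inrule || o["target"] != "ACCEPT") return
        if (o["dest_port"] == "") why = (o["src_port"] != "" ? " src-port-only" : " all-ports")
        if (o["src_ip"] == "" && o["dest_ip"] == "") why = why " any-host"
        if (o["dest"] == "") why = why " router-input"   # no dest zone: rule is INPUT to the router
        if (why != "") printf "%s:%s\n", o["name"], why
    }
    {
        sub(/^[ \t]+/, "")
        if ($1 == "config") { report(); split("", o); inrule = ($2 == "rule"); next }
        if (!inrule || ($1 != "option" && $1 != "list")) next
        key = $2; val = $0; sub(/^[a-z]+[ \t]+[^ \t]+[ \t]+/, "", val)
        gsub(q, "", val)   # strip the single quotes UCI puts around values
        o[key] = ($1 == "list" && o[key] != "") ? (o[key] " " val) : val   # lists accumulate
    }
    END { report() }'
}

sample_rules() {   # constructed sample, shaped like the rules posted in this thread
    cat <<'EOF'
config rule
	option name 'share-tcp'
	option src 'guest'
	option dest 'lan'
	list src_ip '192.168.5.50'
	option dest_port '445 3445'
	option target 'ACCEPT'
config rule
	option name 'desc-returns'
	option src 'guest'
	option dest 'lan'
	option src_port '1400 4444'
	option target 'ACCEPT'
config rule
	option name 'discover-returns'
	option src 'guest'
	option dest_port '1900-1905'
	option target 'ACCEPT'
config rule
	option name 'allow-guest'
	option src 'guest'
	option dest 'lan'
	list dest_ip '192.168.1.20'
	option target 'ACCEPT'
EOF
}
sample_rules | audit_fw_rules
```

A flag marks a rule to review rather than a rule that is wrong: src-port-only means the match depends on a port the sending host chooses, and any-host means the rule applies to every address in the source zone.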