Sonos fully operational across VLANs (Updated Solution)

Hi,

I hope this helps those who are searching in vain for an answer to this, as there are an awful lot of posts on the subject but nothing perfectly clear.

I had incorrectly posted an earlier similar solution here: Accessing Sonos from another LAN/VLAN but I just noticed it looks like a small part of it got chopped by accident.

Anyhoo, I've since made a few tweaks and tested for several weeks as at 23 Feb 2021 on 19.07.5 on a WRT1900ACS.

I can confirm all Sonos features work perfectly from any Vlan with the config below; adjust yours as required.

Simple 2 Vlan Sonos setup:

br-iot = location of all IOT devices, including the Sonos speakers/devices

br-lan = Vlan from where lan users wish to control any Sonos devices in br-iot

1. Make sure all your Sonos devices are on static IPs or reserved DHCP leases.

Don't go any further until you do this or you will despair!

2. Make sure local DNS is healthy in your network and commonly accessible from all Vlans.

Don't go any further until you check and confirm this, or things will fail.

3. Install mcproxy

either via the command line or LuCI.

4. Configure mcproxy

Add the following to /etc/mcproxy.conf:

config mcproxy 'mcproxy_file'
	option disabled '1'
	option respawn '1'
	option file '/etc/mcproxy.conf'

config mcproxy 'mcproxy'
	option disabled '0'
	option respawn '1'
	option protocol 'IGMPv3'

config instance
	option disabled '0'
	option name 'proxy1'
	list upstream 'br-iot'
	list downstream 'br-lan'

config instance
	option disabled '0'
	option name 'proxy2'
	list upstream 'br-lan'
	list downstream 'br-iot'

5. Add firewall rules

Add the following to /etc/config/firewall:

config rule
	option name 'Access-Sonos-From-User-VLAN'
	option dest 'iot'
	option src 'lan'
	option target 'ACCEPT'
	list dest_ip 'sonos device IPs here'
	list dest_ip 'sonos device IPs here'
	option family 'ipv4'
	list proto 'tcp'
	list proto 'udp'

config rule
	option name 'Allow-Sonos-Reply-To-User-VLAN-TCP'
	option dest 'lan'
	option src 'iot'
	option target 'ACCEPT'
	list src_ip 'sonos device IPs here'
	list src_ip 'sonos device IPs here'
	option family 'ipv4'
	list proto 'tcp'
	option dest_port '445 554 1443 3400 3401 3405 3445 3500 3501 3689 4070 4444 5297 5298'
config rule
	option name 'Allow-Sonos-Reply-To-User-VLAN-UDP'
	option dest 'lan'
	option src 'iot'
	option target 'ACCEPT'
	list src_ip 'sonos device IPs here'
	list src_ip 'sonos device IPs here'
	option family 'ipv4'
	option dest_port '136-139 554 1900-1905 5353 6969 30000-65535'
	list proto 'udp'

Restart and test.

Notes:

There are many ways to manage Sonos firewall access, but there are pitfalls in making your firewall too granular: each update or new Sonos product brings occasional networking changes, and I've found that approach unworkable.

Instead, I have split inbound/reply access into separate TCP and UDP rules covering current Sonos products, sort of like a lowest common denominator of all required ports (tested on Beam/One/5/Arc/Playbase).

br-lan Vlan outbound rules need to be looser, as these connections occur over tens of thousands of seemingly random TCP/UDP high ports. It would be very hard to lock these down, or to keep auditing them with Wireshark after each update, in any case.

The above is not perfect, but it seems Sonos was never really designed with the intention of spanning multiple Vlan networks, which makes this a real challenge and is why it doesn't appear designed to be terribly helpful in letting you do this!

I don't like having to allow replies back to br-lan from Sonos devices over some 300000 high ports, but there's no other way to keep all Sonos functionality. Keeping your rules tightly linked only to specific Sonos IPs is a compromise, and an OK security level for most home networks, particularly if a segregated IOT Vlan is in use to keep various IOT and Sonos things separate from any user data, as is the case here.
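As an added check that is not part of the original post: a small POSIX shell/awk audit that parses /etc/config/firewall and flags any iot-to-lan ACCEPT rule with no src_ip list, i.e. a reply rule that would let every IoT host, not just the Sonos devices, reach the user Vlan. It assumes the zone names 'iot' and 'lan' from the rules above; the sample config and the 192.0.2.x addresses are constructed.

```shell
#!/bin/sh
# Audit an OpenWrt /etc/config/firewall for iot->lan ACCEPT rules that are not
# pinned to specific Sonos source IPs. Sample config below is constructed;
# run audit_iot_rules against the real /etc/config/firewall on the router.
SAMPLE_FW=$(cat <<'EOF'
config rule
	option name 'Allow-Sonos-Reply-To-User-VLAN-TCP'
	option src 'iot'
	option dest 'lan'
	option target 'ACCEPT'
	list src_ip '192.0.2.10'
	list src_ip '192.0.2.11'
	list proto 'tcp'

config rule
	option name 'Too-Broad-IoT-Reply'
	option src 'iot'
	option dest 'lan'
	option target 'ACCEPT'
	list proto 'udp'
EOF
)

# Print names of iot->lan ACCEPT rules with no src_ip restriction; return 1
# if any exist, 0 otherwise. Assumes zone names 'iot'/'lan' as in the post
# and quoted values without embedded spaces (true for the rules above).
audit_iot_rules() {
    awk -v q="'" '
    function flush() {
        if (type == "rule" && src == "iot" && dest == "lan" && target == "ACCEPT" && !pinned) {
            if (name == "") name = "(unnamed rule)"; print name; found = 1
        }
        type = ""; name = ""; src = ""; dest = ""; target = ""; pinned = 0
    }
    $1 == "config" { flush(); type = $2 }
    $1 == "option" || $1 == "list" {
        val = $3; gsub(q, "", val)
        if ($2 == "name") name = val
        else if ($2 == "src") src = val
        else if ($2 == "dest") dest = val
        else if ($2 == "target") target = val
        else if ($2 == "src_ip") pinned = 1
    }
    END { flush(); exit found + 0 }
    ' "$1"
}

demo_file=$(mktemp); printf '%s\n' "$SAMPLE_FW" > "$demo_file"
audit_iot_rules "$demo_file" && echo "OK: all iot->lan ACCEPT rules are pinned" || echo "WARNING: rules above accept from any iot host"
rm -f "$demo_file"
```

On the router, run it as audit_iot_rules /etc/config/firewall after every Sonos-related rule change.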

As I have Samba shares where music libraries are stored, this requires the UDP 136-139 and TCP 445 ports above. If you don't need these, they can safely be omitted.

All Sonos functions should work for users in the br-guest Vlan; this includes first-time client app setup and new Sonos device auto-discovery and setup from a client app in the br-guest Vlan. If you have issues, work through your other firewall rules that may be in conflict.

Sonos documentation seems overly vague in specifying a succinct list of ports; nothing I could source via Sonos seemed accurate or complete, and the same goes for Linux forums and such. I suspect Sonos really don't want to encourage people to span multiple networks, perhaps due to performance and latency issues, as this could be such a simple config to figure out if it were better documented by them.