Sonos fully operational across VLANs (Updated Solution)

Hi,

I hope this helps those who are searching in vain for an answer to this, as there are an awful lot of posts on the subject but nothing perfectly clear.

1 Like

I had incorrectly posted an earlier similar solution here: Accessing Sonos from another LAN/VLAN but I just noticed it looks like a small part of it got chopped by accident.

Anyhoo I've since made a few tweaks and tested for several weeks as at 23 Feb 2021 on 19.07.5 on WRT1900ACS.

I can confirm all Sonos features work perfectly from any Vlan with this below config as follows, adjust yours as required.....

Simple 2 Vlan Sonos setup..

br-iot

= Location of all IOT devices inc Sonos speakers/devices

br-lan

= Vlan from where lan users wish to control any Sonos devices in br-iot

1. Make sure all your Sonos devices are on static IPs or Reserved dhcp leases.

Don't go any further until you do this or you will despair!

2. Make sure local DNS is healthy in your network and commonly accessible from all Vlans.

Don't go any further until you check and confirm this or things will fail

3. Install mcproxy

either via command line or luci

4. Configure mcproxy

add the following to /etc/mcproxy.conf

config mcproxy 'mcproxy_file'
	option disabled '1'
	option respawn '1'
	option file '/etc/mcproxy.conf'

config mcproxy 'mcproxy'
	option disabled '0'
	option respawn '1'
	option protocol 'IGMPv3'

config instance
	option disabled '0'
	option name 'proxy1'
	list upstream 'br-iot'
	list downstream 'br-lan'

config instance
	option disabled '0'
	option name 'proxy2'
	list upstream 'br-lan'
	list downstream 'br-iot'

5. Add firewall rules

/etc/config/firewall

config rule
	option name 'Access-Sonos-From-User-VLAN'
	option dest 'iot'
	option src 'lan'
	option target 'ACCEPT'
	list dest_ip '#sonos device IPs here'
	list dest_ip '#sonos device IPs here'
	option family 'ipv4'
	list proto 'tcp'
	list proto 'udp'

config rule
	option name 'Allow-Sonos-Reply-To-User-VLAN-TCP'
	option dest 'lan'
	option src 'iot'
	option target 'ACCEPT'
	list src_ip 'sonos device IPs here'
	list src_ip 'sonos device IPs here'
	option family 'ipv4'
	list proto 'tcp'
	option dest_port '445 554 1443 3400 3401 3405 3445 3500 3501 3689 4070 4444 5297 5298'

config rule
	option name 'Allow-Sonos-Reply-To-User-VLAN-UDP'
	option dest 'lan'
	option src 'iot'
	option target 'ACCEPT'
	list src_ip 'sonos device IPs here'
	list src_ip 'sonos device IPs here'
	option family 'ipv4'
	option dest_port '136-139 554 1900-1905 5353 6969 30000-65535'
	list proto 'udp'

Restart and test

Notes:

There are many ways to manage Sonos firewall access but there are pitfalls with making your firewall too granular as with each update or new Sonos product comes occasional networking changes and I've found this approach too unworkable.

Instead I have split up inbound/reply access as separate TCP and UDP rules as per current Sonos products, sort of like a lowest common denominator of all required ports (tested on Beam/One/5/Arc/Playbase).

br-lan Vlan outbound rules need to be more loose as these occur over 10s of thousands of tcp/udp high ports which seem random. It would be very hard to lock these down or keep auditing with Wireshark after each update in any case.

The above is not perfect but it seems Sonos was never really designed with the intention of spanning multiple Vlan networks, which makes this a real challenge and why it doesn't appear designed to be terribly helpful in letting you do this!

I don't like having to allow replies back to br-lan from Sonos devices over some 300000 high ports, but there's no other way to keep all Sonos functionality. Keeping your rules tightly linked only to specific Sonos IPs is a compromise, and an ok security level for most home networks, particularly if a segregated IOT vlan is in use to keep various IOT and Sonos things separate from any user data - as is the case here.

As I have Samba shares where music libraries are stored, this requires the udp 136-139 and tcp 445 above. You may not want these ports included, and these can be safely omitted.

All Sonos functions should work for users in br-guest Vlan, this includes first time client app setup and new Sonos device auto-discovery and setup from a client app in the br-guest vlan. If you have issues work through your other firewall rules that may be in conflict.

Sonos documentation seems overly vague in specifying a succinct list of ports, nothing I could source via Sonos seemed accurate or complete - same for linux forums and such. I suspect Sonos really don't want to encourage people to span multiple networks due to performance and latency issues perhaps, as this could be such a simple config to figure out if it were better documented by them.

5 Likes
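As an added example (not part of the original post or of OpenWrt), here is a small Python audit for firewall rules written in the /etc/config/firewall text form used above: it parses the UCI sections, checks that every IoT-to-LAN ACCEPT rule is pinned to explicit src_ip entries as the post recommends, and counts how many destination ports each reply rule actually opens. The sample config and the 192.0.2.10 address are constructed placeholders.

```python
import re

# Constructed sample in /etc/config/firewall syntax; 192.0.2.10 is a placeholder address.
SAMPLE = """\
config rule
	option name 'Allow-Sonos-Reply-To-User-VLAN-UDP'
	option src 'iot'
	option dest 'lan'
	option target 'ACCEPT'
	list src_ip '192.0.2.10'
	option dest_port '136-139 554 1900-1905 5353 6969 30000-65535'
config rule
	option name 'Loose-IoT-Reply'
	option src 'iot'
	option dest 'lan'
	option target 'ACCEPT'
"""

def parse_uci(text):
    """Parse 'config <type>' sections into dicts; repeated 'list' keys collect into lists."""
    sections, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            cur = {".type": line.split()[1]}
            sections.append(cur)
        elif cur is not None and (m := re.match(r"^(option|list)\s+(\S+)\s+'(.*)'$", line)):
            kind, key, val = m.groups()
            if kind == "option":
                cur[key] = val
            else:
                cur.setdefault(key, []).append(val)
    return sections

def count_ports(spec):
    """Number of ports covered by a UCI dest_port string such as '136-139 554 30000-65535'."""
    return sum(int(hi or lo) - int(lo) + 1
               for lo, _, hi in (tok.partition("-") for tok in spec.split()))

def audit_reply_rules(text, iot_zone="iot", lan_zone="lan"):
    """(name, src_ip status, port count) for ACCEPT rules letting IoT hosts initiate into LAN."""
    findings = []
    for s in parse_uci(text):
        if (s[".type"], s.get("target"), s.get("src"), s.get("dest")) != \
                ("rule", "ACCEPT", iot_zone, lan_zone):
            continue
        pinned = "pinned to src_ip" if s.get("src_ip") else "NOT pinned to src_ip"
        ports = count_ports(s.get("dest_port", "1-65535"))  # no dest_port means all ports
        findings.append((s.get("name", "<unnamed>"), pinned, ports))
    return findings
```

Run it against a copy of your own /etc/config/firewall to see which IoT-to-LAN rules are unpinned and how wide each one is; the Sonos UDP reply rule above resolves to 35549 destination ports.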

Thank you very much for these details. I recently got a new router (Xiaomi Mi Router 4A gigabit). I wanted to configure it as second wireless AP (with adblock and SQM). It worked quite well. I am using a 21.02 snapshot build.

I've been following the sonos instructions carefully (and fiddled with it all Sunday). I just can't get it to work.
Tried multiple times, double checked the firewall rules etc. MCProxy is also running, but apart from that it's hard for me to troubleshoot.

My config: 5 Sonos speakers in WAN (the WAN port of the Xiaomi Router connects to another upstream Modem-Router which connects to DSL internet - Xiaomi Router gets 192.168.171.61 from this upstream subnet). Sonos Apps (controllers) shall work in Xiaomi's br-lan (192.168.9.X).

mcproxy:

# Use your own MCProxy config file disabled
config mcproxy 'mcproxy_file'
	option disabled '1'
	option respawn '1'
	option file '/etc/mcproxy.conf'

# Use OpenWrt UCI config enabled
config mcproxy 'mcproxy'
	option disabled '0'
	option respawn '1'
	option protocol 'IGMPv3'

config instance
	option disabled '0'
	option name 'proxy1'
	list upstream 'wan'
	list downstream 'br-lan'

config instance
	option disabled '0'
	option name 'proxy2'
	list upstream 'br-lan'
	list downstream 'wan'

Sonos Firewall Rules:

config rule
	option name 'SonosAccesAllow'
	option src 'lan'
	option dest 'wan'
	option target 'ACCEPT'
	option family 'ipv4'
	list dest_ip '192.168.171.32'
	list dest_ip '192.168.171.33'
	list dest_ip '192.168.171.34'
	list dest_ip '192.168.171.35'
	list dest_ip '192.168.171.36'
	list proto 'tcp'
	list proto 'udp'

config rule
	option name 'SonosRelayTCP'
	list proto 'tcp'
	option src 'wan'
	option dest 'lan'
	option target 'ACCEPT'
	option family 'ipv4'
	option dest_port '445 554 1400 1443 3400 3401 3405 3445 3500 3501 3689 4070 4444 5297 5289'
	list src_ip '192.168.171.32'
	list src_ip '192.168.171.33'
	list src_ip '192.168.171.34'
	list src_ip '192.168.171.35'
	list src_ip '192.168.171.36'

config rule
	option name 'SonosRelayUdp'
	list proto 'udp'
	option src 'wan'
	option dest 'lan'
	option dest_port '136-139 554 1900-1905 5353 6969 30000-65535'
	option target 'ACCEPT'
	option family 'ipv4'
	list src_ip '192.168.171.32'
	list src_ip '192.168.171.33'
	list src_ip '192.168.171.34'
	list src_ip '192.168.171.35'
	list src_ip '192.168.171.36'

I can ping the Sonos and show their /support/review HTML pages. But issue is: Sonos Controller App on iPhone i.e. 192.168.9.120 cannot control the speakers (throws error: "Unable to connect to Sonos.."). Any help troubleshooting this would be highly appreciated.

Did you get it to work? I currently have a similar problem and I don't know how to identify the error.

I have three different interfaces
HOME - eth0.1
IOT- eth0.2
GUEST - eth0.3

Home is the one where my iPhone is located at. The Sonos speakers are connected to the IOT network.

I added the following lines to /etc/config/mcproxy
Is this correct or do you really have to add it to /etc/mcproxy.conf?
What is the difference?

# Use your own MCProxy config file
config mcproxy 'mcproxy_file'
	option disabled '1'
	option respawn '1'
	option file '/etc/mcproxy.conf'

# Use OpenWrt UCI config
config mcproxy 'mcproxy'
	option disabled '0'
	option respawn '1'
	option protocol 'IGMPv3'

config instance
	option disabled '0'
	option name 'proxy1'
	list upstream 'IOT'
	list downstream 'LAN'

config instance
	option disabled '0'
	option name 'proxy2'
	list upstream 'LAN'
	list downstream 'IOT'

I also added to /etc/config/firewall the following lines:

config rule
    option name 'Access-Sonos-From-User-VLAN'
    option dest 'IoT'
    option src 'lan'
    option target 'ACCEPT'
    list dest_ip '192.168.102.128'
    list dest_ip '192.168.102.187'
    list dest_ip '192.168.102.198'
    list dest_ip '192.168.102.222'
    option family 'ipv4'
    list proto 'tcp'
    list proto 'udp'

config rule
    option name 'Allow-Sonos-Reply-To-User-VLAN-TCP'
    option dest 'lan'
    option src 'IoT'
    option target 'ACCEPT'
    list src_ip '192.168.102.128'
    list src_ip '192.168.102.187'
    list src_ip '192.168.102.198'
    list src_ip '192.168.102.222'
    option family 'ipv4'
    list proto 'tcp'
    option dest_port '445 554 1443 3400 3401 3405 3445 3500 3501 3689 4070 4444 5297 5298'


config rule
    option name 'Allow-Sonos-Reply-To-User-VLAN-UDP'
    option dest 'lan'
    option src 'IoT'
    option target 'ACCEPT'
    list src_ip '192.168.102.128'
    list src_ip '192.168.102.187'
    list src_ip '192.168.102.198'
    list src_ip '192.168.102.222'
    option family 'ipv4'
    option dest_port '136-139 554 1900-1905 5353 6969 30000-65535'
    list proto 'udp'

Unfortunately, I can't access the speakers (IOT) from the Sonos app (Home).
Do you have any tips on how I can identify the problem?

Does really nobody have an idea?

It drives me crazy ... I am able to control 1 of 4 Sonos speakers and also a phone on the same VLAN, but 3 Sonos speakers are missing ...
Also I am not able to control my PC from my phone (other direction).

This config worked for me for >6 months, and seems to have stopped since I recently upgraded my router to 22.03.3 (this is the only thing that has changed on my network that I can think of)

If anyone is still struggling with this - found a write up here that has got me up and running again:
Operating Sonos Speakers in a Multi-VLAN Network :: packetmischief.ca

I kept the config in place from Blowfly's write up, as this is in line with the instructions in the link too.
Configuring my firewall rules accordingly for my IoT and LAN zones for mcproxy as per the link, seems to now allow me to control my Sonos gear (in the IoT zone) from my phone (in the LAN zone)

Similar FW implementation applies to my avahi mDNS proxy service (this allows me to cast media to TV's and google speakers sitting in the IoT zone) link here:
Resolving mDNS across VLANs with Avahi on OpenWRT – Just another Linux geek (christophersmart.com)

Quite an old thread, but I still wanted to share my experience on this matter with you.

I didn’t get it to work with mcproxy, as apparently the UCI interface is broken. (Described in GitHub issues and also on the Wiki) I haven’t tried the explicit config file option yet.

In the end the solution for me was to use igmpproxy. However this didn’t work out of the box as well. For some reason someone decided the init script should create a firewall rule to block SSDP specifically. See here.
Unfortunately there is no real commit log for this repo, as it was migrated from an old SVN I guess and thus I don’t get the reason for explicitly blocking SSDP.

If you change the drop to accept in that init script, the device discovery starts working based on the described configuration.

2 Likes

@nbd You are listed as maintainer of that package. Do you have any idea why SSDP is blocked explicitly? Could we add a config parameter for choosing to allow SSDP? If so, i would create a pull request.

Good effort @thebub, that's prob why I gave up on igmpproxy a while back.

Yes, the details in the post worked fine until recent upgrades. I more recently moved to a new method with a python script to relay multicast:

Take a look here.
https://github.com/alsmith/multicast-relay

This script is quite ok with Sonos, but it can clash with other mDNS services such as elgato products that need a running avahi service or similar. It's also not maintained very much but the current commit works.

I need to upgrade soon, so I might try and revisit all this and make a new recipe or script to build what works again.

Thanks for the guidance. I was able to reproduce the results and successfully implemented on my network!

I am using OpenWrt 22.03.5 r20134-5f15225c1e on Ubiquiti ER-X with igmpproxy 0.4.1.

If you're still up for it, I'd say create a PR so this issue will get more exposure/fix gets merged.

May be a tangential question - the igmpproxy manual says there can be only one upstream but multiple downstreams. Yet to me it looks more like one would want to isolate the Sonos speakers in one VLAN and control them from more (for example trusted phones/PCs and, say, an internet-blocked Home Assistant instance on the IoT VLAN). Is this something others have considered? Is there such a solution?

I just started with the changes and setting up an environment to test my changes. Might take some time, as it will be my first contribution towards the OpenWRT project.