Can't get Sonos on VLAN to work for beans! Haaaaaalp! :)
I have tried EVERYTHING. Every combination of policies I can think of. Searched every forum I can think of. I can NOT make devices on my primary network work with my Sonos speakers on a VLAN. Here's the situation, maybe someone can help?
I have a Firewalla Purple running in-line between my Google Fiber internet and my Unifi network.
Networks set up on Firewalla
- Google Fiber (WAN)
- Primary (192.168.1.1/24)
- Streaming Media VLAN 20 (192.168.20.1/24)
- Smarthome VLAN 30 (192.168.30.1/24)
Networks set up on Unifi Network
- Primary (192.168.1.0/24) - Set as Corporate
- Streaming VLAN 20 (192.168.20.0/24) - Set as Corporate
- Smarthome VLAN 30 (192.168.30.0/24) - Set as VLAN Only
Wireless Networks:
- Primary (On Primary Network)
- Streaming (On Streaming VLAN)
- Smarthome (On Smarthome VLAN)
What do I need to do to get devices on my Primary network (my computers, tablets, smartphones) to see the Sonos speakers/system on the Streaming VLAN? I've tried all kinds of combinations of policies recommended all over the Internet, all to no avail.
Hallllp! :) And thanks in advance!
-
I actually somehow got it to work! I documented what I did below. I'd love feedback on what I did right, wrong, or otherwise! It's a lot but... here goes!
Create a LAN on your Firewalla firewall.
- Tap the Settings gear, then tap Features and tap Network.
- Tap Create Network.
- Tap Local Network.
- Complete the following steps:
- Tap Name and give your LAN a name. (e.g., myhome)
- Tap Type, then tap LAN.
- Tap the LAN interface icon.
- Tap IP Address and enter 192.168.1.1.
- Tap Subnet Mask and enter 255.255.255.0.
- Enable DHCP server.
5. Tap Save.
Create a VLAN for streaming media on your Firewalla firewall.
- Tap the Settings gear, then tap Features and tap Network.
- Tap Create Network.
- Tap Local Network.
- Complete the following steps:
- Tap Name and give your LAN a name. (e.g., myhome_streaming)
- Tap Type, then tap VLAN.
- Tap VLAN ID and enter 20.
- Tap the LAN interface icon.
- Tap IP Address and enter 192.168.20.1.
- Tap Subnet Mask and enter 255.255.255.0.
- Enable DHCP server.
- Disable IPv6.
5. Tap Save.
Create a device group for your Sonos speakers on your Firewalla firewall.
- Tap Devices.
- Tap Create Group.
- Enter Sonos as the Group Name.
- Tap Add Device.
- Tap each of your Sonos speakers.
- Tap Save.
Enable static IP addresses for Sonos speakers on your Firewalla firewall.
- Tap Devices, Sonos, Devices, then perform the following steps for each Sonos speaker:
- Tap a Sonos device in the list of devices.
- Tap the IP address.
- Tap Reserved.
2. Tap the back arrow to return to the list of devices in the Sonos group.
Enable mDNS reflectors on your Firewalla firewall.
- Tap the Settings gear.
- Tap Advanced, Configurations, then tap mDNS Reflector.
- Enable mDNS Reflector on your LAN and on your streaming media VLAN
Create rules for your Sonos speakers group on your Firewalla firewall.
- Tap Devices, Sonos, Rules, then tap Add Rule.
- Create rules for ports as follows:
Protocol
Remote Port
Action
Matching
On
Direction
Schedule
TCP
- 80
- 443
- 445
- 3455
- 1400
- 1443
- 3400
- 3401
- 3500
- 4070
- 4444
- 7000
Allow
Remote Port
Group: Sonos
Bi-directional
Always
UDP
- 136-139
- 1900-1901
- 2869
- 5353
- 6969
- 10243
- 10280
- 10284
Allow
Remote Port
Group: Sonos
Bi-directional
Always
Both
- 319-320
- 30000-
60000
Allow
Remote Port
Group: Sonos
Bi-directional
Always
Create a LAN in your Unifi Network Controller.
- Click the Settings gear.
- Click Networks, then click Create New Network.
- Complete the following steps:
- Name your network. (e.g., myhome)
- Enter the IP address of the LAN you created on your Firewalla firewall in Host Address.
- Select 24 in Hostmask.
- Click Manual next to Advanced Configuration.
- Click Standard for Network Type.
- Click Enable IGMP Snooping.
- Click Enable Multicast DNS.
- Select None for DHCP Mode.
4. Click Add Network.
Create a VLAN for streaming media in your Unifi Network Controller.
- Click the Settings gear.
- Click Networks, then click Create New Network.
- Complete the following steps:
- Name your network. (e.g., myhome_streaming)
- Enter the IP address of the VLAN you created on your Firewalla firewall in Host Address.
- Select 24 in Hostmask.
- Click Manual next to Advanced Configuration.
- Enter the VLAN ID you created on your Firewalla firewall in the VLAN ID box.
- Click Standard for Network Type.
- Click Enable IGMP Snooping.
- Click Enable Multicast DNS.
- Select None for DHCP Mode.
4. Click Add Network.
Set the Spanning Tree Protocol for your networks.
- Click the Settings gear.
- Click Networks.
- Click STP for Spanning Tree under Global Switch Settings.
- Click Apply Changes.
Create a WiFi network in your Unifi Network Controller.
- Click the Settings gear.
- Click WiFi, then click Create New WiFi Network.
- Complete the following steps:
- Name your WiFi network. (e.g., myhome)
- Enter a password for your WiFi network.
- Select the network associated with your LAN. (e.g., myhome)
- Select your broadcasting APs, as desired.
- Click Manual next to Advanced Configuration.
- Enable the 2.4 GHz and 5 GHz WiFi bands.
- Select Standard for WiFi Type.
- Enable Band Steering.
- Enable Proxy ARP.
- Click Auto for 802.11 DTIM Period.
- Select your desired security protocols.
- Disable PMF.
4. Click Add WiFi Network.
Create a WiFi network for streaming media in your Unifi Network Controller.
- Click the Settings gear.
- Click WiFi, then click Create New WiFi Network.
- Complete the following steps:
- Name your WiFi network. (e.g., myhome_streaming)
- Enter a password for your WiFi network.
- Select the network associated with your VLAN. (e.g., myhome_streaming)
- Select your broadcasting APs, as desired.
- Click Manual next to Advanced Configuration.
- Enable the 2.4 GHz band only.
- Select Standard for WiFi Type.
- Enable Band Steering.
- Enable Proxy ARP.
- Click Auto for 802.11 DTIM Period.
- Select your desired security protocols.
- Disable PMF.
4. Click Add WiFi Network.
Create a TCP Port Group for your Sonos speakers in your Unifi Network Controller.
- Click the Settings gear.
- Click Profiles, then click Create New Group.
- Name the profile Sonos TCP Ports.
- Click Port Group.
- Enter 3400, then click Add.
- Enter 3401, then click Add.
- Enter 6500, then click Add.
- Click Apply Changes.
Create a UDP Port Group for your Sonos speakers in your Unifi Network Controller.
- Click the Settings gear.
- Click Profiles, then click Create New Group.
- Name the profile Sonos UDP Ports.
- Click Port Group.
- Enter 1900, then click Add.
- Enter 1901, then click Add.
- Enter 1902, then click add.
- Click Apply Changes.
Create an IP group for your LAN in your Unifi Network Controller.
- Click the Settings gear.
- Click Profiles, then click Create New Group.
- Name the profile “LAN.”
- Click IPv4 Address/Subnet.
- Enter 192.168.1.0/24 and click Add.
- Click Apply Changes.
Create an IP group for your streaming media VLAN in your Unifi Network Controller.
- Click the Settings gear.
- Click Profiles, then click Create New Group.
- Name the profile “Streaming Media.”
- Click IPv4 Address/Subnet.
- Enter 192.168.20.0/24 and click Add.
- Click Apply Changes.
Create an IP group for your Sonos speakers in your Unifi Network Controller.
- Click the Settings gear.
- Click Profiles, then click Create New Group.
- Name the profile “Sonos Speakers.”
- Click IPv4 Address/Subnet.
- Enter the static IP address of a Sonos speaker and click Add. Continue entering the static IP addresses of each of your Sonos speakers.
- Click Apply Changes.
Create an IP group for Private IPs in your Unifi Network Controller.
- Click the Settings gear.
- Click Profiles, then click Create New Group.
- Name the profile “RFC1918_Private_IPs”
- Click IPv4 Address/Subnet.
- Enter 10.0.0.0/8 and click Add.
- Enter 172.16.0.0/12 and click Add.
- Enter 192.168.0.0/16 and click Add.
- Click Apply Changes.
Create Firewall Rules in your Unifi Network Controller.
- Click the Settings gear.
- Click Firewall & Security
- Click Create New Rule and create rules for each of the following in the order below:
Allow all Established/Related traffic
Type
LAN in
Description
Allow All Established/Related Traffic
Rule Applied
Before Predefined Rules
Action
Accept
IPv4 Protocol
All
Source Type
Port/IP Group
Source IPv4 Address Group
Any
Source Port Group
Any
Source MAC Address
Destination Type
Port/IP Group
Destination IPv4 Address Group
Any
Destination Port Group
Any
States
- Match State Established
- Match State Related
IPsec
Don’t match on IPsec packets
Logging
Allow LAN to access all VLANs
Type
LAN in
Description
Allow LAN to Access all VLANs
Rule Applied
Before Predefined Rules
Action
Accept
IPv4 Protocol
All
Source Type
Network
Source IPv4 Address Group
LAN
Source Port Group
IPv4 Subnet
Source MAC Address
Destination Type
Port/IP Group
Destination IPv4 Address Group
RFC1918_Private_IPs
Destination Port Group
Any
States
IPsec
Don’t match on IPsec packets
Logging
Allow Sonos speakers to LAN (TCP)
Type
LAN in
Description
Allow Sonos speakers to LAN (TCP)
Rule Applied
Before Predefined Rules
Action
Accept
IPv4 Protocol
TCP
Source Type
Port/IP Group
Source IPv4 Address Group
Sonos Speakers
Source Port Group
Any
Source MAC Address
Destination Type
Port/IP Group
Destination IPv4 Address Group
LAN
Destination Port Group
Sonos TCP Ports
States
IPsec
Don’t match on IPsec packets
Logging
Allow Sonos speakers to LAN (UDP)
Type
LAN in
Description
Allow Sonos speakers to LAN (UDP)
Rule Applied
Before Predefined Rules
Action
Accept
IPv4 Protocol
UDP
Source Type
Port/IP Group
Source IPv4 Address Group
Sonos Speakers
Source Port Group
Any
Source MAC Address
Destination Type
Port/IP Group
Destination IPv4 Address Group
LAN
Destination Port Group
Sonos UDP Ports
States
IPsec
Don’t match on IPsec packets
Logging
Block all inter-VLAN communication
Type
LAN in
Description
Block all inter-VLAN communication
Rule Applied
Before Predefined Rules
Action
Drop
IPv4 Protocol
All
Source Type
Port/IP Group
Source IPv4 Address Group
RFC1918_Private_IPs
Source Port Group
Any
Source MAC Address
Destination Type
Port/IP Group
Destination IPv4 Address Group
RFC1918_Private_IPs
Destination Port Group
Any
States
IPsec
Don’t match on IPsec packets
Logging
Enabled (optional)
-
I ended up just moving my Sonos devices to the same VLAN as the rest of my devices. Was the only way I could get it working reliably. The same issue would happen with me: it would work, then stop working, then work again.
My research led it to be something to do with supporting multicast across a VLAN and Sonos not enjoying that experience.
-
Right; after some back and forth, I have got this working perfectly so thought i'd share.
Unifi AP, Unifi Switch, Firewalla & Sonos
Sonos working across VLAN's- Static assign all sonos devices via Firewalla
- Ensure static IP has been assigned; reboot or reconnect Sonos devices
- Create a Sonos Group on Firewalla
- Move all Sonos devices to this group
Now, here comes the magic
Goto to your Network or Group where you want to access your Sonos from e.g. Main WiFi or whatever VLAN;
Select Rules
Add Rule
Action: Allow
Matching: Set a Target ( IP address of Sonos device/s OR Target List with all Sonos IP's) - I created a target list with all my sonos devices
On: Should already be populated
Direction: Bi-directtional
SaveThen goto your Sonos group
Select Rules
Add Rule
Action: Allow
Matching: Traffic to your network where you want to access from
On: Group Sonos (should already be populated with group name)
Save
You may depening on your setup need to allow msmetrics.ws.sonos.com as per belowThen go all the way to the bottom of the rules and select All Devices
Select All Devices
Add Rules
Action: Allow
Matching: Domain
msmetrics.ws.sonos.com
On: All Devices or selective devices (leave that to you to decide)
Direction: Outbound Only
if required, you could restrict via src/dst IP and dst TCP/UDP ports instead of allowing all ports.
Going to test few more things and see if this continues to work; but so far, played around for a while with rules to break it, disabled the rules for it to stop working, re-enabled rule to start back again.All the usual multicast and mDNS reflector needs to be enabled
Please sign in to leave a comment.
Comments
10 comments