
Topic: Sonos and VLANs

Offline darrendavid

  • Newbie
  • Posts: 20
  • Karma: +0/-0
Sonos and VLANs
« on: July 18, 2017, 09:16:39 am »
    Hi all-

    I'd like to make my Sonos speakers accessible from a guest VLAN in my house. I've read several non-authoritative posts on this topic where folks have gotten it working, but nothing specifically lays out the exact steps for getting this working with pfSense. I'd love your help as I'm stuck!

    My setup:
    • Primary LAN (with Sonos speakers) is 10.0.1.1/24
    • Guest VLAN (wireless network via Ubiquiti Unifi AP and pfSense) is 10.0.100.1/24

    Various posts I've referenced:

    From those (and countless other fragments of wisdom), here's what I can glean I need to be doing:
    • allow TCP port 1400 from LAN to VLAN
    • allow TCP port 3400, 3500 from VLAN to LAN
    • allow UDP port 1900-1905 from VLAN to LAN
    • set up IGMP proxy to enable multicast of 239.255.255.250 across the two networks
    • make sure I've got a switch that allows IGMP snooping (I do)

    For purposes of testing I've just set up an allow all firewall rule, and I can confirm that VLAN clients can access the LAN. I suspect that my issue is with how I've got IGMP proxy configured, as this is where I haven't found a canonical reference. What I have set up is:

    • WAN   upstream   10.0.1.1/24, 10.0.100.1/24
    • LAN   downstream   10.0.1.1/24
    • GUESTVLAN   downstream   10.0.100.1/24

    with an ALLOW rule on the WAN from any to UDP 239.0.0.0/4.

    That's what I've got for now - I'm not sure how to test or troubleshoot from this point, or what to tweak. Any and all insight is greatly appreciated!

    Darren
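A way to test the discovery path the list above describes without relying on the Sonos app: an added example in Python, not code from this thread or from Sonos. It sends the standard SSDP M-SEARCH to 239.255.255.250:1900 from whatever host it runs on, collects the unicast replies and checks that the control port in each reply's LOCATION header is reachable. Assumptions not stated in the thread: the Sonos search target `urn:schemas-upnp-org:device:ZonePlayer:1`, a multicast TTL of 4 (a TTL of 1 is never forwarded by a multicast router, so the proxy could not deliver it), and that a discovered player answers on TCP 1400.

```python
"""SSDP discovery tester for a Sonos player on another VLAN.

Added example, not from the forum thread or from Sonos. Run it on a
guest-VLAN client; it shows whether the multicast M-SEARCH crosses the
firewall/IGMP proxy and whether the player's unicast reply gets back.
Assumptions: Sonos search target below, multicast TTL 4, control port 1400.
"""
import socket
import time

SSDP_GROUP = ("239.255.255.250", 1900)
SONOS_ST = "urn:schemas-upnp-org:device:ZonePlayer:1"  # assumed search target
MULTICAST_TTL = 4  # TTL 1 is link-local and is never forwarded; 4 is our choice


def build_msearch(st: str = SONOS_ST, mx: int = 1) -> bytes:
    """Build an SSDP M-SEARCH datagram (HTTP over UDP, CRLF line endings)."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(datagram: bytes) -> dict:
    """Parse an SSDP 'HTTP/1.1 200 OK' reply into a lower-cased header dict.

    Anything that is not a 200 reply (a NOTIFY, garbage) yields {} so it is
    ignored instead of crashing the listener.
    """
    text = datagram.decode("utf-8", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def location_host_port(headers: dict):
    """(host, port) from the LOCATION header; Sonos uses http://<ip>:1400/..."""
    loc = headers.get("location", "")
    if not loc.startswith("http://"):
        return None
    hostport = loc[len("http://"):].split("/", 1)[0]
    host, _, port = hostport.partition(":")
    return host, int(port) if port else 80


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port succeeds (the control path)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def discover(timeout: float = 3.0, st: str = SONOS_ST) -> dict:
    """Send one M-SEARCH and collect replies keyed by source IP (network I/O)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, MULTICAST_TTL)
    sock.settimeout(0.5)
    sock.sendto(build_msearch(st), SSDP_GROUP)
    found = {}
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            data, (src, _port) = sock.recvfrom(4096)
        except socket.timeout:
            continue
        hdrs = parse_ssdp_response(data)
        if hdrs.get("st") == st:
            found[src] = hdrs
    sock.close()
    return found


if __name__ == "__main__":
    players = discover()
    if not players:
        print("no replies: the M-SEARCH never reached a player, or its unicast reply was blocked")
    for ip, hdrs in players.items():
        hp = location_host_port(hdrs)
        reachable = tcp_open(*hp) if hp else False
        print(f"{ip}: {hdrs.get('server', '?')}  control port {hp}: "
              f"{'open' if reachable else 'blocked'}")
```

Two things this makes visible that the app hides. The M-SEARCH itself is multicast and depends on the IGMP proxy to reach the LAN, but each player's answer is an ordinary unicast UDP datagram from its port 1900 to the client's ephemeral port: a new flow that originates on the LAN side and has to be permitted by the LAN interface's rules (pfSense's default LAN allow-any rule does that; a locked-down LAN needs an explicit pass). Only once a reply arrives does the TCP 1400 control connection in the first bullet matter.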

Offline Syndrose

  • Newbie
  • Posts: 9
  • Karma: +0/-0
Re: Sonos and VLANs
« Reply #1 on: July 18, 2017, 01:32:19 pm »
I personally don't have a Sonos, but there might be a simpler way.
I am assuming that Guest VLAN doesn't have access to your Primary LAN.
Since this is a home setup, I also assume that your security can be a little more relaxed than an enterprise environment.
What I would try is to make sure the Primary LAN can access the Guest VLAN, meaning don't create any rules to block it. After all, it is your trusted network.
Give your Sonos a static IP address either manually or with a DHCP reservation. For the sake of an example say it is 10.0.1.5
Keep your IGMP settings as they are.
Then on your Guest VLAN firewall settings at the top create a rule:
Address Family: IPv4
Protocol: TCP/UDP
Source: Guest VLAN
Destination: Single Host/Alias   10.0.1.5 (or whatever you ended up making the Sonos Speaker).

That in theory should allow access from the Guest VLAN to only the Sonos speaker and not the rest of your primary VLAN.

Offline darrendavid

  • Newbie
  • Posts: 20
  • Karma: +0/-0
Re: Sonos and VLANs
« Reply #2 on: July 19, 2017, 12:32:41 pm »
Appreciate the response. That's essentially what I have set up right now - Sonos units have static IPs and for purposes of testing I have given Guest VLAN complete and unfettered access to the LAN just to eliminate the firewall as a variable. Guest VLAN clients can successfully access hosts on LAN. All that said, the Sonos app does not discover the Sonos unit(s) from a client connected on the Guest VLAN. My gut tells me it's something with IGMP proxy since everything else is unblocked. Thoughts?

Offline jahonix

  • Hero Member
  • Posts: 2613
  • Karma: +156/-27
  • volunteer since 2006
Re: Sonos and VLANs
« Reply #3 on: July 19, 2017, 04:33:06 pm »
Device discovery might be something simple like a broadcast, which by its nature does not traverse subnets.

Your trusted search engine might come up with this result as well: https://github.com/gotwalt/sonos/wiki/Discovery
Chris


Offline darrendavid

  • Newbie
  • Posts: 20
  • Karma: +0/-0
Re: Sonos and VLANs
« Reply #4 on: July 20, 2017, 07:41:27 pm »
Quote from: jahonix on July 19, 2017, 04:33:06 pm
Device discovery might be something simple like a broadcast, which by its nature does not traverse subnets.

My impression from reading the work of others trying to solve the same problem was that IGMP Proxy would handle rebroadcasting across the subnets. Is this an errant interpretation of IGMP Proxy?

Offline jahonix

  • Hero Member
  • Posts: 2613
  • Karma: +156/-27
  • volunteer since 2006
Re: Sonos and VLANs
« Reply #5 on: July 21, 2017, 12:14:52 pm »
IGMP takes care of multicasts; what we have is a broadcast.
https://en.wikipedia.org/wiki/Internet_Group_Management_Protocol
Chris


Offline darrendavid

  • Newbie
  • Posts: 20
  • Karma: +0/-0
Re: Sonos and VLANs
« Reply #6 on: July 21, 2017, 12:43:26 pm »
OK, fair enough. Is there a simpler way to do this? Is there a way to lump folks on my guest wifi network into a specific block of IP addresses that I can set up specific firewall rules with? Using a VLAN was my first thought, but as mentioned this is a home network and ultimately if there's someone in my house they technically have physical access to all machines. I'm just trying to have a modicum of safety and would prefer to limit access to certain IPs from unknown visitors.

I guess one way to do it would be to set up static DHCP assignments to all /known/ clients and then any random IPs could get firewalled appropriately.

Thoughts?

Offline Derelict

  • Global Moderator
  • Hero Member
  • Posts: 10260
  • Karma: +1176/-313
Re: Sonos and VLANs
« Reply #7 on: July 23, 2017, 12:34:58 am »
Any scheme like that would provide only an illusion of security since MAC addresses are so easily-spoofable. Better to give the password to a network that is allowed to access the private devices to those whom you want to be able to access them.

Alternately you could use 802.1x and set a dynamic VLAN for users based on what you want them to be able to access. Your gear would have to support it and you would need to know how to make that gear do that. It wouldn't be the firewall's job.

Seems like Sonos has some work to do.

Offline dglacey

  • Newbie
  • Posts: 3
  • Karma: +0/-0
Re: Sonos and VLANs
« Reply #8 on: December 21, 2017, 05:52:01 am »
In case it helps others, I got this working by using the IGMP Proxy feature of pfSense

I have my SONOS players on the LAN and wanted to control them from an iPhone on a separate VLAN.

This is what I did:

1. Go to Services/IGMP Proxy on pfSense
2. Click Add
3. Interface = WAN, Type = downstream interface, Network = 192.168.1.1/24 (this is my LAN subnet)
4. Click Save
5. Click Add
6. Interface = WAN, Type = upstream interface, Network = 192.168.2.1/24 (this is the VLAN subnet)
7. Add a rule to the VLAN subnet to allow all traffic.

This worked so long as the Gateway in the VLAN rule was set to Default. It would not work if I set the Gateway to a specific WAN interface.

I could now run the SONOS app on my iPhone connected to the VLAN and operate my SONOS players that were on the LAN.

Offline ResIpsa

  • Jr. Member
  • Posts: 43
  • Karma: +0/-0
Re: Sonos and VLANs
« Reply #9 on: March 14, 2018, 09:01:55 pm »
I'm interested in getting this to work as well, but I am getting an error from igmpproxy.  Can you confirm that you set the Interface for both to WAN?  I have followed everything else in your example, but I get the following error:

Mar 14 22:00:27   igmpproxy   89344   There must be at least 2 Vif's where one is upstream.

igmpproxy will start if I change one of the interfaces away from WAN, but then Sonos doesn't work.
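What the GUI steps in Reply #8 and the startup error in Reply #9 come down to is the igmpproxy.conf that pfSense writes for the daemon, so here is that file spelled out, as an added example rather than anything posted in the thread. It follows Reply #8's layout (players on 192.168.1.0/24, controller app on the 192.168.2.0/24 VLAN) and igmpproxy's own rule set: exactly one phyint is upstream, at least one is downstream, and the two must be different interfaces, because the daemon counts one VIF per interface it can bind and refuses to start with the quoted message when it cannot get two with one of them upstream. The interface names igb1 (LAN), igb1.100 (guest VLAN) and igb0 (WAN) are assumptions; use the ones from Interfaces > Assignments.

```conf
## igmpproxy.conf, added example for the Reply #8 layout (not from the thread).
## Interface names are assumed: igb1 = LAN, igb1.100 = guest VLAN, igb0 = WAN.

## Leave a group as soon as the last downstream member sends IGMP Leave.
quickleave

## The controller app sends the discovery multicast to 239.255.255.250,
## so its VLAN is the source side: the single upstream interface.
phyint igb1.100 upstream ratelimit 0 threshold 1
    altnet 192.168.2.0/24

## The players join 239.255.255.250 and receive the search, so the LAN
## they sit on is downstream. More downstream phyints may be added.
phyint igb1 downstream ratelimit 0 threshold 1
    altnet 192.168.1.0/24

## Anything else must be disabled, otherwise igmpproxy binds it too.
phyint igb0 disabled
```

Selecting WAN for both entries in the GUI produces two phyint lines naming the same interface; igmpproxy keeps only the first definition for an interface, so it is left with one VIF and exits with exactly the "at least 2 Vif's" message. The daemon also needs the firewall to cooperate on both interfaces it proxies between: pass IGMP from each subnet to the pfSense interface address and pass UDP to 239.255.255.250 (or 239.0.0.0/4), with "Allow IP options" enabled under the rule's Advanced options, since IGMP packets carry the Router Alert IP option and pf drops packets with IP options unless a rule says otherwise. Those rules belong on the VLAN and LAN interfaces where the traffic enters pfSense, not on WAN.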