Sonos firewall rules unifi The Data network is open, except for the Open VPN rule. My main wifi is on lan, all sonos devices are on iot_2 (wifi 2. It's trying to stay in touch with players at 10. Then add the device to the harmony. All speakers work fine within the Sonos apps. The speakers live on my IoT VLAN and the phones are in the Trusted Subnets. Did have great use of it when I made the same thing on my pfsense firewall. If you have some IoT devices (no Sonos) without any external programs like HomeBridge, the only rules you will need to concern yourself with are 2003 and 2012. I have included my firewall rules below. Any suggestions? Rule 3 setup: Allow packets on both TCP and UDP protocols, with only a destination port of 3389 specified. Now proceed to add additional Firewall rules as necessary. Most firewalls, especially firewall and antivirus software, will work with Sonos without any extra configuration. UniFi config: 3 networks, configured as per pfsense CIDRs: LAN, IOT (VLAN ID 10), SONOS (VLAN ID 20). 3 SSIDs: LAN (laptops, phones, etc, that have the SONOS app and Spotify app). The above rules are currently 2012-2015 in my IoT VLAN rules spreadsheet (rule numbers may change). Feedback Requested: Are there any Roku users who need additional rules beyond my "Basic" setup plus these FOUR rules in order to make your Roku (and particularly the Roku app) do something you need? For a full overview of UniFi’s Traffic Management capabilities, see here. VLANs: Assuming the management VLAN is "Default", create two new VLANs: VLAN-Protect and VLAN IOT with different ID numbers (e. IoT Vlan hosts both Alexa devices and Sonos (10. I had previously added rules for Sonos TCP and UDP ports from the Sonos System, to pass traffic with those ports to Data and Guest, and on the Guest network, to pass traffic to the Sonos System. The LAN is 192.
These are the extracts from my config, that works with both Chromecast and Sonos: firewall { all-ping enable broadcast-ping disable group { address-group Chromecasts { address 192. Each building has its own VLAN and wireless network. 11). I am fairly new with unifi, so still learning the system and all its settings. Smart home devices can help automate routine tasks that save you time and, in some cases, money. For most users, we recommend creating Simple Rules. I like pfSense but I really want SPoG and you don't get that with pfSense. Ports are: 1400, 3400, 3401, 3500, 1900, 1901, 6969. Isolate devices VLAN. Is that about right with the others being Feb 14, 2019 · Both the Internal and IOT VLAN are considered Corporate networks, with a firewall drop rule on new connections from the IOT network to my internal one. It's probably all in your firewall rules, but I was too lazy to sort that out. Does someone have an easy to understand written set of instructions on how to set up the firewall so WireGuard VPN connections to my UDM Pro LAN devices are accessible? My network is pretty simple. Disclaimer: I can only speak to Unifi as my system is entirely Unifi. UnifiOS doesn’t handle firewall rules using specific IP addresses well vs rules that use an entire network/vlan. When I enable this, I have a working Sonos app but I cannot Airplay to Sonos. Dec 21, 2017 · I'm curious if I could set this up on my Unifi router. I have two choices: a working Sonos app but no Airplay to Sonos, or a broken Sonos app and Airplay to Sonos. I was able to do it by switching all of my Sonos products to a fixed IP address, and adding them all to a group. LAN_OUT rules apply to traffic leaving the gateway on a LAN interface. This firewall rule should be created in the LAN_IN category. The rule at the moment allows all ports. The solution is to change all your UniFi switches to STP mode instead of RSTP. 4ghz), which is on the iot network.
Thankfully, mine will work - my comment below shows I had a firewall rule issue (my ignorance, though I had tried it on and off) AND a bloody phone/app problem. I have my network set up so the Sonos Apps (controller app for both Android and iOS) do find and work with the Sonos speakers (players) by having the appropriate firewall rules to allow that traffic and allowing multicast broadcast messages between the separate VLANs. Apr 9, 2021 · I also have Sonos speakers, which need their own rules to function properly with your iPhone on a different subnet. Like 3 times a day my sonos app on iPhone says "Can't connect to your sonos network. If I make two other firewall rules that have a second phone IP communicating to an IP group and vice versa of only three Sonos IPs, as I don't want that phone to see every Sonos Room, that second phone's Sonos app can't see those speakers in the IP group, but AirPlay seems to work and the other speakers that aren't in the IP group aren't able to Mar 19, 2023 · For now I have disabled all blocking firewall rules between subnets and it makes no difference. In the firewall section, LAN rules, I can grab the 6-dot icon to the left of the rule and move it throughout the list. 253:1400 and 10. A switch two hops down from the root gets 16384 (4096x4). See the important update below on mDNS; Sonos controller can play music and updates what is playing on-screen. Firewall rules are evaluated in order, i.e. Plus it seemed a lot easier for me to make network/vlan rules vs individual device or device group rules. Unifi make it fairly simple, don’t get too creative with settings, etc. I'd also like to partition the Sonos kit behind the firewall. The ICMP Proxy is probably the most important bit of all of this. Step 3 – Adopt Devices. Feb 15, 2013 · Our network has UniFi AP, UniFi USW (PoE switching), EdgeMax switch and pfSense. Mar 27, 2021 · So not sure if the working on the vlan is a UNIFI issue or a SONOS issue - it is an issue. * to 10.
I run a Ubiquiti USG Router and Unifi Access Points. The lack of useful firewall logs is complete shit. 32) to mix wired and wireless Sonos devices: IoT Auto-Discovery (mDNS): on (likely required only if Sonos devices are segregated into a separate VLAN) Feb 11, 2019 · To get things working again you need to run an ICMP Proxy on your USG as well as turn on some additional firewall rules. 69, 70) If you can’t resolve an IP on your phone connecting to the IoT VLAN, you’ve got other issues in the setup. I was just looking through the firewall rules, and I don't see anything that would explicitly deny iot traffic from reaching my lan network. Everything works, but I now have a 10 second delay in the Sonos app loading on my phone. There's no inherent difference between IPv4 and IPv6 inter-VLAN firewall rules. x. However, if you own any Sonos equipment in your home, you’ll potentially have trouble setting up your system in a way that both isolates the Sonos equipment the way you want it to and allows for continued control/communication with it through the Sonos app on a different network within your home. 190. My devices live in main, and shared devices (airplay) live in transport. Check out traffic rules. Add LAN IN firewall rule to allow mDNS (UDP 5353) across all networks. Add a rule to the VLAN subnet to allow all traffic. To achieve that I have set up a couple of LAN IN firewall rules. The Beam is hardwired into a Unifi 24 port switch in the basement below. When I create a new firewall rule, it gets created in the interface, but appears not to apply. I couldn’t seem to get the traffic rules to work well for multi-VLAN segregation and communication.
Firewall rules for the IoT interface where your Sonos speakers are located Jun 25, 2018 · I have firewall rules in place to block cross-VLAN communication but I do allow devices on the Home LAN to communicate with the IoT VLAN (the connection has to initiate on the Home LAN). 6. It's my understanding that Sonos does generate what would be considered "new" traffic. This may not be an issue for you on opensense. Unfortunately I don't have a Unifi device that I could use for testing Jun 9, 2022 · Added a firewall rule to block Teleport or VPN traffic from the rest of the network. Setup UniFi VLANs. The default WAN Local rule is to drop, just like the default WAN in/out rules. Don’t make the IoT network a “guest” network; that stops devices talking to each other on that network, which will break Sonos. I found those ports on this page: Configure your firewall to work with Sonos. The older Sonos products would disappear regularly from view from the Sonos Apps. I'll be making a few more posts soliciting input regarding specific IoT devices (Sonos, Roku, AirPlay, etc. Dec 11, 2017 · Pro tip for the firewall rule: If you have multiple Sonos devices, group them together within the address range of a smaller subnet size. You'll just duplicate the rules from "LAN" into "LAN v6". Built-in Firewall Zones. Aug 31, 2020 · This guide assumes you already have your networks (primary, VLAN, etc) and WiFi networks already configured, in addition to firewall rules between them for standard access. It can definitely be done on Edge using mdns repeater, firewall rules, and some added community bits to do broadcast relay, but most of these posts in here nowadays are home users on Unifi, so who knows. x and lower) is the naming convention that is used. (You probably already have a rule that would block all access to the 1. The firewall rules are presented in the order that they should appear in your UniFi configuration.
So, I may need to fix that. This resulted in my Sonos setup in the Living Room being almost completely wired, except for the Sub. Description of network: Main Vlan 1 hosts my iPhone (10. Ask if this is unclear. Created a rule to allow specific devices on the secure subnet to talk to IoT and then a rule for IoT back to the secure subnet only allowing ports 5353 (MDNS) and 319+320 for Sonos. Firewalla is dedicated to making accessible cybersecurity solutions that are simple, affordable, and powerful. First my setup: Off of my EdgeRouter-4 is a 24-port Unifi Switch. I have the speakers grouped and the relevant TCP/UDP ports configured and Firewall rules structured. I also have a couple of Echo Dots (3rd and 4th gen) that I put on the IoT network. BUT ALL ON SONOS for it being so incredibly hard to change wifi, made 1000 times harder by the SONOS being so flakey at setup. Each unifi+sonos "solution" has its drawbacks unfortunately. So if your firewall is on 192. I am thinking of dropping the UDM-Pro and going with a non-Unifi firewall / gateway solution. xxx-192. Oct 1, 2020 · Firewall rules are created by going to Settings > Firewall & Security > Firewall Rules in the UniFi controller. Side note: You can also skim down your rule to only allow traffic to port 8060 on the roku (8060 is the api port). Jan 14, 2022 · I have been having persistent, annoying and sustained issues with older Sonos devices dropping off of my WiFi network after a while. The udp broadcast relay actually bypasses the firewall, so adding the multicast ports to the firewall rules, or enabling 'allow options' on the IGMP rule, aren't necessary. In their infinite wisdom sonos use multicast for the app on the phone to discover the sonos devices! You will need also to make sure you have the right firewall rules - the Sonos needs to be able to initiate IP connections from the sonos VLAN to the client VLAN.
There are many forum and blog posts out there that describe (or attempt to describe) how to make this work, however all of the ones I read suffered from one or both of these problems: Their instructions had errors (eg, reversing the upstream and downstream I have IGMP snooping enabled as well as STP enabled globally. Do not wire any into your network. I have Sonos and Unifi, I keep it on the main LAN because I have heard that Sonos does not like VLANs and really does not like guest networks. Longtime Unifi user (UDM Pro, 4 APs, bunch of switches), but a complete newb with Sonos. Jun 15, 2023 · I have tried entering Firewall rules for various ports from all the threads that I have read but still nothing. This occurs entirely because Sonos used a very old standard of STP that, to cut a long story short, ends up advertising SONOSNET WiFi links as a high speed link to RSTP devices. 1/24, you would write a rule in that gateway's rules to block those ports on 192. The weird thing is that whilst now working on multiple Macs from the primary VLAN, it can be fixed temporarily on iOS by opening the Sonos app, and then toggling Wi-Fi from Control Centre. However, it doesn't appear to allow me to drag and drop to reorder, and I see no other way to change the rule order. Things that would require several Firewall Rules can be accomplished with a single Traffic Rule. Adjust firewall rules to allow inter-VLAN routing for talking between networks as required. , permit from SonosIPs on Oct 24, 2024 · A little while ago I had to change out my network controller and Firewall as they were legacy devices and no longer receiving security updates. Nov 6, 2020 · A perhaps simpler solution would be to keep Sonos on both LANs, and use firewall rules to block them from the VPN, but that would require static addressing of the Sonos speakers, and I prefer a more “out of the box” setup, as it makes adding speakers easier. 10 & 10.
For reasons I don't understand, Fortigate -> ICX7250 -> Unifi 24 port -> Unifi Flex -> Sonos on Port 3 of flex is not blocked. 23. My firewall rules are configured to allow established and related con Apr 15, 2020 · But I only allow the Sonos players on IOT to access the Sonos Controllers (iPhones for me) by having a rule like this below. I block everything else from IOT out to any other VLAN. EDIT - Don't use Safari though, hate it. All of the rules we will be creating are on the LAN-In portion of the firewall. Yes, there is an STP option, but it is simply passed on to UBIQUITI managed switches as a default. Disable SonosNet and Wi-Fi on all Sonos devices. I created the new subnet, made sure multicast DNS was ticked on both my secure subnet and new IoT subnet. 2. Probably prerequisites are python and (ideally) netifaces, but you might be able to get away with using the --homebrewNetifaces flag - there are additional instructions in the README-OpenWRT. But hopefully setting up a firewall rule for WAN IN/Out using the old interface fixes it for you. I've heard of people's struggles with Sonos on Unifi. The alternative solution you have is also a good one. 0/24. For example, LAN_IN is applied to traffic entering the gateway from a LAN interface and destined for another network. Hi Everyone, If there is anyone who is hosting their Plex server on a Synology NAS, and also has Unifi for their home network, and your Plex server is properly configured to enable remote access, I would be grateful if you could provide me with details on your setup or a step-by-step guide on how you have it set up. Other networks have got their own specific firewall rules to allow access to transport devices LAN IN: I can airplay to the Sonos speakers perfectly and all is well in that life. This assumes your ISP does prefix delegation, and gives the UDMP a /56 or /60 that it can break apart into /64s on a one-subnet-per-VLAN basis.
How to make your smart home network more secure by creating VLANs and firewall rules, with a step-by-step guide for how to do it. app (destination port TCP/3400 on my computer). I could now run the SONOS app on my iPhone connected to the VLAN and operate my SONOS players that were on the LAN. Both as Ubiquiti 'Corporate' networks. Sep 25, 2024 · How to Setup VLAN and Firewall (and make it work with UniFi, Home Assistant, Sonos, and Echo). Then you have to set the priorities of each UniFi switch. If I "pause" the rule 2026 "Block Cam from LAN", I can again access the video footage from the Reolink app when connected to Main LAN wifi. Jun 20, 2018 · I'm trying to put my Sonos network in its own VLAN (security and better multicast control), however, I've noticed periodically I'm getting blocked high port number connections back to my devices running the controller software. source: phone IP and destination: Sonos VLAN or IP group with port group of Sonos Firewall ports. Firewall rule two setup - source: Sonos VLAN or IP group and destination: phone IP with Sonos Firewall ports. introduce some firewall rule(s); add additional Honeypot IPs; introduce additional firewall rules (at this point those are not applied/visible via iptables); delete Honeypot IPs/deactivate honeypot (the chain still is active and keeps the original Honeypot ips despite them being removed) Mar 12, 2021 · Does anyone know how to configure a firewall to allow SmartThings to discover and use Sonos speakers that are on a different VLAN from the SmartThings Hub? I am using the ST New app and Sonos 2 controller with two Sonos One SL speakers and two Play:1 speakers. See below for a screenshot. So it was pretty simple. Any suggestions on what to use for the firewall?
I am a former Network Engineer, and have experience with Unifi, Watchguard, Cisco, OPNsense, Sonicwall, DD-WRT/Tomato, and some others. As in, if I create a rule to explicitly reject traffic between two IPs, and tell it to apply before the default rules (which would accept that traffic), the nodes can still pass traffic. External: For incoming traffic that is untrusted, or requires more strict control, such as general Internet traffic on the WAN, or a connection with a third-party VPN client service. 1, not 192. Digging further down the rabbit hole and double checking all multicast repeater/igmp-proxy settings; everything seems fine. I'm pretty grumpy after spending the better part of a day on this! You go to unifi software. once an earlier allow or block rule is matched, the remaining rules are skipped. Creating VLANs in UniFi consists of a couple of steps because we not only have to create the different networks, but we also need to secure the VLANs. Our smart firewalls enable you to shield your business, manage kids' and employees' online activity, safely access the Internet while traveling, securely work from home, and more. TIA, Piers Hi, Thanks for the Fortigate info. This successfully connects the iPhone controller (both Sonos app & Spotify App) to the Sonos speaker. That is the reason I went with Sonos - it's designed for lazy people like me who want to just connect it and use it. I created a firewall rule “source: sonos device IPs → destination: any device on port 1400, 3400, 3401, 3500, 1900, 1901”. Ensure all Sonos devices are wirelessly connected. But the traffic rules never fully replaced the advanced firewall rules. 4) Firewall rules: So far, connection problems still appear between sonos controllers or applications and the sonos devices; further, some rules in the UDMP firewall are required. The problem with the existing firewall rules (in version 8.
Nov 15, 2024 · Firewall rules execute from top to bottom, so as you create rules, you’ll have to add allow rules above deny rules or the traffic will be blocked. Also if the devices have a super short TTL it may not work, as there is some latency added in the process. I am wondering if I have the Firewall rules set up correctly. Name: Block IoT network --> Trusted Network; Rule Applied: Before predefined rules; Action: Drop; IPv4 Protocol: All; Advanced Logging: Enable, by checking the box May 13, 2020 · Hi there, I just wanted to know if there’s anyone out there who managed to run openHAB and Sonos speakers in different subnets. It would not work if I set the Gateway to a specific WAN interface. The proxy will forward ICMP packets from one VLAN to another. This worked so long as the Gateway in the VLAN rule was set to Default. I have a single subnet and all of my access points (UAP-nanoHD and UAP-AC-Pro) are connected directly to a UDM Pro. Configuring UniFi Services “Traffic Rules work by creating Firewall Rules, and are thus interchangeable.” If you do lock things down well I’d agree that it won’t be that insecure. 0 Hey. I mean, it takes a lot more work to figure out what is going on/why. If your firewall needs to be manually configured, make sure the ports listed below are open to the IP Jan 2, 2021 · My firewall rules were actually correct most of the time; it’s only because I didn’t reboot the Sonos devices that things didn’t start working, which obviously makes it a little more difficult. The issue is some kind of bug between Sonos and UniFi where when the Sonos device moves from LAN to WLAN or vice versa things freak out and the device disappears. My logical network topology includes multiple VLANs, SSIDs, and IP subnets. Aug 2, 2021 · Firewall rules are set up for this VLAN so that there is no access from the VLAN 30 network to the VLAN 1 network, due to all the “phone home” activities these IoT devices typically participate in.
Using a broadcast-relay service that I installed on the USG, and an allow-discovery firewall rule for UDP port 65001, my phone is able to discover the tuner and watch TV no problem. All of the devices appear under the devices tab. 255. There Jan 2, 2019 · @vacquah said in Sonos speakers and applications on different subnets (VLAN's):. Add LAN IN rule to allow all traffic from trusted network to untrusted network. If you select "Lan In" you can tell different sources to drop, like vlans. ); what I am looking for is the ability to use the Sonos, Roku and other apps on the main LAN to communicate with these devices on the IoT VLAN. 16 whilst the Sonos app is still open. , punch a lot of holes in the firewall between the networks. Allow Outbound from Sonos to Main (TCP); Allow Outbound from Sonos to Main (UDP); Allow Inbound to Main from Sonos (TCP); Allow Inbound to Main from Sonos (UDP). What those rules actually mean is: Allow TCP traffic originating from only specific source ports on Sonos devices on the IoT VLAN to any destination port on the Main LAN. What I'm wanting to do with this tool (specifically recommended by UI in the interface) is to limit all traffic from IoT/Guest networks, then specifically open holes for shared equipment, like Sonos and printers. I was running a UniFi USG and a Gen 1 Cloudkey with a couple of UniFi Access Points. I just don't know enough about how Unifi blocks all traffic to twitter and other apps without blocking DNS inquiries or the specific IPs for all of those sites, so I can't help with that. Here is where you describe the rules through the UI. I swapped out the controller and USG for a UniFi Express device and moved my network across. By doing this, I can create one firewall rule for network x. Edit 2 is how I currently have my Firewall Rules configured. Let’s look at the mentioned Rule 2003. My Airplay related firewall rules are as follows: I've got two relevant networks, 'Main' and 'Transport'. 100).
245:1400. Move the device/roku to what subnet you want and add your firewall rule. 3. vNinja. I did use traffic rules to block internet on specific things for specific times. End moan. Just bought a Beam and two Sonos Ones for my office. I then created a rule that allows TCP and UDP from the Sonos group to my main LAN in my “LAN In” rules group. Sonos One (both in Sonos app and AirPlay), IKEA Symfonisk (AirPlay and Sonos app), Apple TV, AirPort Express, Samsung/LG TV. 20. However, I cannot for the life of me get the Alexa Sonos Skill to communicate with the Sonos speaker. Using TRs could reduce the number of FW rules you would need to create. Any device on VLAN1 however can reach devices on VLAN30. The Sonos devices on the Unifi 24 port (Fortigate -> ICX7250 -> Unifi 24 port) are blocked. I also have the Sonos Android APP. 1. However, I have it mostly working. 1 The linux VM I have running the above iptables rules is at 192. Default VLAN 10 (Unifi UDM/Switch/Flex XG/U6 Mesh AP Devices Only); Guest VLAN 20; Camera VLAN 30; IoT Network VLAN 40; Trusted Network VLAN 100; Lab Network 200. I have three Wifi networks: Guest, which is isolated; Private, which is VLAN 100; Iot, which is VLAN 40. I have not set up any firewall rules as of yet so VLAN traffic should flow between networks. I've experience of Sonos causing a network loop between switches in a network that had zero Unifi devices. If your firewall needs to be manually configured, make sure the ports listed below are open to the IP I use firewall rules.
Dec 12, 2024 · Traffic rules were added to make it easier to create firewall rules, and they also allowed us to easily block individual devices, apps, domains, etc. Traffic Rules provide a much more intuitive interface that streamlines most common use-cases. Create a Simple rule. Hello! I've created numerous firewall rules on my UDM and would like to change up the order. UniFi Network 8. For example, I have my Sonos devices between x. The root switch (first off the PFSense) gets priority 4096. I also have a Unifi network comprised of 7 access points, two switches, and a firewall. Hosting sonos on wifi exclusively will result in broadcast eating into airtime, so it's not a scalable solution for larger sonos and/or networks with more access points. 2, UniFi Network Application 8. LAN Interface FW Rules. At this point, I added in Firewall rules to allow client devices behind my Home LAN interface access over SMTP, HTTP/HTTPS, RDP, NTP, Plex, DNS, UniFi, and Ring TCP/UDP Ports. That way they can see the Sonos, but not something like the NAS or the lights. So currently traffic between the VLANs is allowed. Sonos speakers, for instance, just need a certain set of open ports (e.g. Using firewall rules with a corporate network lets you restrict the network as needed for your implementation. Introduction. There may be some routers which have a built-in mDNS proxy and firewall, but in all likelihood they'll probably dynamically open up whatever ports are requested, which undermines the concept of having a In the Program or Application rules, set the access for the Sonos application to Allowed. It appears to be an mDNS issue. 2) my Sonos speaker replies to my computer correctly (dst port udp/1901) 3) Sonos. When I disable the multicast-routing, I can Airplay to Sonos but the app is not working anymore. May 30, 2023 · The Sonos integration does not find my speaker because of that. And having to ship logs is so stupid.
I am fine-tuning the firewall rules for the ports needed, as the current rules suggested in the guide above are not much of security. I’m fully aware of the disclaimer in the binding-page, saying that there are troubles if someone tries to run the setup in different subnets. Only when I change my network connection to where the sonos lives am I able to get As background, I have a UniFi network setup and 13 Sonos devices. My wife's phone works. Neither IGMP snooping nor IGMPv3 look to be required on your switches/APs. On my IoT network I have a doorbell/security cam. There is an IGMP Proxy installed by default. My external firewall is configured to forward to . I have mDNS and multicast enabled. If you have firewall rules then open lots of ports! TCP 3400,3401,3500,30000-65535, UDP 1900-1902,30000-65535. Seeking help with Sonos STP and Ubiquiti UniFi. I also disabled all Firewall rules for the Protect VLAN except for "Protect VLAN to All Block". @qinn said in Sonos speakers and applications on different subnets (VLAN's):. I've set up a firewall rule for LAN In to drop all traffic from the IoT network to the default network (as I understand UniFi defaults to allow all traffic between VLANs). Nonetheless I’m successfully(!) running the Sonos controller in a different subnet than the speakers by opening specific With the way those firewall rules are configured in the walkthrough, there doesn't seem like a whole lot of point of putting the SONOS on a different vlan if you're just going to allow everything through anyway for that IP group. Set STP priorities on your switches. The workaround, I've found, is to have the devices on the same subnet. They should be able to access the Home Assistant instances to find and control the emulated Hue devices but nothing else. Take notice before upgrading. Certainly taken the shine off SONOS. Off of that switch are three other Unifi US-8 switches. g. Dec 24, 2020 · The Sonos speakers are grouped under an alias named Sonos System.
Oct 14, 2020 · Firewall rule Lan in: rule 2000 Source PC/Laptop VLAN Destination Sonos IP Accept everything; rule 2001 Source mobile devices VLAN Destination Sonos IP Accept everything. Whatever I try, I’m not able to connect with the app (on android / ios / win10) to the Sonos. Creating ER-X firewall rule to block all other traffic from VLAN 10 to VLAN 1. I can ping the Sonos arc from either the iPhone or any computer on VLAN1. In the Sonos controller app, go to Settings (gear) > System > About My System. Note each MAC address and which speaker it corresponds to. json and Unifi now say: This article is not applicable to the UniFi Dream Machine models, because all configurations are already available in the UniFi Network user interface. Under settings -> routing & firewall -> firewall tab. Let's fix it.' Apr 9, 2022 · Create block firewall rules for the IoT --> Trusted Network. They provide an intuitive interface that streamlines rule creation for common use-cases such as VLAN segmentation, application and domain filtering, or even bandwidth limiting. That's great! Yeah, can you add some more clarity on the type of firewall rules please? I haven't done much with unifi yet. The UniFi firewall includes several predefined, built-in zones to which networks and interfaces are associated. System > App FW > Traffic Rules. net has a great write-up on this already; though, I will probably write up my own guide after I finalize my own personal network. UniFi Gateways include a powerful Firewall engine to maximize security in your network architecture. It seems like the app is working to establish a new connection. By default, the UDM-Pro has full inter-VLAN communications enabled.
With UniFi Network fully updated, we can start with adopting our network devices: Open the UniFi Network App; Click on Devices; Click on Click to Adopt for each Jul 18, 2017 · 7. I just want to share what the only two Sonos FireWall Rules that I have look like in my setup for comparison purposes. 1 network, but that doesn't prevent someone from accessing the firewall GUI at the 20. The cameras now communicate with the UNVR inside a closed VLAN and I can still connect to UniFi Protect from the SFP+ side - and it's still a direct connection in the UniFi Protect iOS App since the SFP+ side is on the Default LAN. The following worked for me for Apple AirPlay, and I assume would work for Sonos too. Essentially, the iptables rules above are a straight proxy to the HDHomeRun box (which isn't the exciting part), along with rules to rewrite the QoS and TTL values that the HDHomeRun box sets (that is the exciting part). xxx description "Sonos Media Players" } network-group Home You can use the following settings (as of Sonos OS S2 13. Hope this makes sense. 10. The only possible firewall rules Chromecast users might need are discussed here and here and here. It looks like the control device has moved from 10. Unifi shows both of the latter two Sonos speakers connected to unifi wireless, so if they use SonosNet they must be doing both. I have another Sonos Play connected via WiFi and a Sonos Play:1 connected via WiFi. So I recently worked through this, after reading a bunch of docs, and thought I'd share my approach to VLANs and firewall rules for IOT devices. My Sonos system is working well and reliably in a VLAN (IoT) when When I do the same firewall rules setup for my iPhone, AirPlay works perfectly but I have issues connecting to the speakers via the Sonos application. One of the things that I wanted to achieve was to wire all my devices where I can.
Prior to upgrading firmware on Reolink NVR, I did not have to pause rule 2026 and I STILL had access to video footage from NVR (on "Cam" network). There's no way around that apart from perhaps installing an mDNS proxy with a leg in each VLAN, but that would obviate the use of a firewall. Same as hosting Sonos exclusively on WiFi. Sonos controller on MAIN subnet can see the system. Switches one level down get 4096 x 2 = 8192. This post uses a file called gateway. The setup is a “classic” Sonos surround setup with a Playbar and two Play:1's (and the Sub). Similar to masi's setup. I am definitely moving from Unifi. The main difference is that the "Guest Network" settings usually include client isolation so that devices on that network cannot communicate with each other in addition to being isolated from the main network. Stupid but it works. The app then connects to the Sonos speaker on TCP/1400 and issues some HTTP-ish requests, the first of which is GET /xml/device_description. 0. I've had no luck figuring out how to configure the firewall in my UDM Pro router so that I can reach my QNAP NAS. Although you could set up a specific firewall rule to only allow specific source / destination addresses (between their phones/tablets and the Sonos - with fixed IPs) and drop everything else, then schedule the kids' WiFi between civilized hours. Nov 10, 2020 · After quite a bit of work setting up my EdgeRouter-4 with firewall groups and rules, IGMP, mDNS, multicast (not blocked), and now RSTP/STP, I have a question from the post above. lan is . 100. This is crucial in getting Sonos to work on a multi-VLAN setup. 250 I'm currently working on a UniFi IoT VLAN setup guide, and previously made this post showing my current UniFi firewall rules. I currently have my Sonos on a separate VLAN with an IGMP proxy that lets me access it from my main VLAN. 168. The key is the multicast-routing enable or disable option. Apr 1, 2019 · The next step is creating a single firewall rule.
I have my Sonos devices on a separate VLAN (IoT VLAN) but to verify that it's a firewall issue, I've disabled all my firewall rules for the IoT and main VLAN. xml . 1 and you have a guest VLAN at 192. The irony here is the Echo devices made this really easy. 177 and x. The order of the rules is important; they are Mar 28, 2023 · Using the excellent UniFi web interface, I created a few VLANs so I could easily segregate my IoT devices from the rest of the network. 4) The speaker also reaches back to Sonos. When it works, it’s great! However, over the past couple of weeks, it now takes the Sonos app about 10 seconds to connect to the system where it only used to take 2 or 3. Go into your historical device list in the UniFi controller and tell it to "forget" any devices you want to show up again and they will show up again. What I'd try here is: LAN In firewall rule from devices subnet to main subnet. However, if you wanna work the problem via FW rules you might be missing the ‘Allow established and related connections’ FW rule; without this I don’t think your HL can respond. If your firewall needs to be manually configured, make sure the ports listed below are open to the IP Jul 24, 2022 · However the Sonos S2 app was not able to find my Sonos system. I placed this rule above my “Block Inter-VLAN Traffic” rule. Dec 6, 2020 · Unifi networking gear is currently some of the best prosumer and SMB network gear around. It's taken a lot of work to get things rolling with IGMP proxying, tweaking firewall rules, and routing. This is generally used for cases where you want to punch holes (example: block all traffic from the IoT VLAN to the LAN VLAN, but allow one specific IoT device to access the LAN network). Obviously when I open the Sonos app on my phone, it can't find any devices until I connect my phone to the IoT wireless network. You can use the following settings (as of Sonos OS S2 13.
The basic Chromecast functions I tested seem to work fine without any of the above three rules, but my final "Block" rule keeps logging attempts by the Chromecast to communicate with LAN clients using the ports for which I've created these three rules. Jul 3, 2019 · Warning: SSID overrides are no longer available in controller version 6. The ones I believe are using SonosNet as surrounds are talking to the Beam. When I researched it, firewall rules were what was needed in my intended use case. If I make two other firewall rules that have a second phone IP communicating to an IP group and vice versa of only three Sonos IPs (as I don't want that phone to see every Sonos room), that second phone's Sonos app can't see those speakers in the IP group, but AirPlay seems to work and the other speakers that aren't in the IP group aren't able to Dec 11, 2023 · Especially with the UniFi Dream Router or UniFi Express, that you often place in sight, you might want to turn the screen off at night or lower the brightness. To realize the communication between the client VLAN and the Sonos VLAN, the following rules are required: May 22, 2020 · It's preserved here as written for those who still have older versions. However!!!! the Sonos App cannot for love nor money connect to the VLAN and thus the system. Create a rule for your desired outcome: Action: Speed Limit, Block, etc; Source: Choose a Network, Device, etc. The “problem” with UniFi is that inter-VLAN traffic is allowed by default. Enable Multicast DNS (mDNS) service on router. That was all… Accessing Sonos devices across VLANs on a Ubiquiti UDM network – pedrolamas. Aug 4, 2021 · In a throwback to the problems I dealt with using AirPlay across VLANs, I recently jumped through similar hoops for Sonos speakers. Also, note that the Dream Machine Pro’s network ports do not support STP. Definitely prior to the mess. Wanted to tap the collective wisdom of this group.
I did used to have the Sonos on the main network as it didn't work well across subnets, but then moved them over to the IoT subnet after a few updates of Unifi seemed to fix it, and it's been great ever since. In the Program or Application rules, set the access for the Sonos application to Allowed. mDNS and IGMP are both enabled correctly. The rule that needs to be created is an allow rule that allows established/related traffic from your IoT VLAN (the VLAN that your Apple AirPlay device is on) to the data VLAN (secure VLAN). Feb 17, 2020 · Set up a single Sonos device on the ‘new’ Sonos subnet … WIRED to reduce variables; Set up necessary firewall rules to route traffic (across the board: ANY protocol for starters); Set up multicast for discovery (controllers to device) and mDNS (device to controllers); Power cycled the whole shebang; Device snagged a DHCP address, YAY! I FINALLY fixed this as well by creating a WAN Local firewall rule to allow ICMP from Any to Any. Firewall rules I have created for iPhone, but it can only AirPlay and not be seen via the Sonos app. And going further Fortigate -> ICX7250 -> Other ICX7250 -> Other Unifi Flex -> two Sonos devices in Flex are unblocked. I have a mix of Unifi AP network with a U6 Pro, an AC-Pro, and a nanoHD. I have port forwarded the firewall ports to the iPhone to see if that helps, which it didn't, but as a test when I enabled UPnP everything works as expected. I plan on selling my UDM, my Unifi switch, and my Unifi AP -- all my Unifi gear. Firewall Rules: (note the ever increasing UDP range on the SONOS side!!!) SONOS Interface FW Rules. Firewall ports that Sonos uses. This is on a network driven entirely with Ubiquiti UniFi products (switches and access points connected to a UDM-Pro). All my other rules apply to the Sonos, Rokus, and AirPlay devices. Creating the ER-X firewall rule to allow new/established/related traffic from the Sonos IPs on the TCP and UDP ports from VLAN 10 to VLAN 1.
In the Classic UI: UniFi OS--> Network--> Settings--> Routing & Firewall--> Firewall--> LAN IN--> + CREATE NEW RULE. config. I will use the Cloudkey Gen2+ to manage the Unifi solution. Best practice is to list allow rules with concise match criteria first, followed by block rules that block whatever wasn't matched before. After I created the rule, my iPhone is able to find my system. I didn't need IGMP proxy; I do have a firewall rule that allows broadcasts/multicasts from my production subnet where my iPhone/iPad sit 239. If mDNS is working and Established/Related is allowed back from the IoT VLAN, the Google products and Fire TV (which is also kind of a Google product) don't need anything else. yyy description "" } address-group Sonos { address 192. 176/28 on my LAN to block all of my Sonos devices easily. Jun 20, 2018 · If they get through a second time, it sounds like the Unifi firewall is misbehaving. Are there any other settings or rules I should be looking to establish? I am just trying to remove the delay in the app May 24, 2020 · I have my Sonos speakers on my IoT VLAN, as they need to talk to my Alexa devices, and I didn't want the Alexa devices on my main network. If not, this could either be the firewall rules or mDNS; verify both. ) but wanted to start with a "basic" firewall rules set that I could refer to in those follow-up posts. Port/IP group for both. allowing established and related sessions from/to everywhere Nov 13, 2022 · I started using Ubiquiti Unifi Network Products (1xRouter, 1xSwitch, 2xAccess Points) in my environment; for security reasons the Sonos products were moved to a separate VLAN (IoT), and since then I have problems controlling the equipment. The Sonos seems to let the other speakers in a system actively impersonate the "main" speaker, and the result is the firewall blocking that traffic if you don't explicitly allow every speaker's IP.
The main point that I've found helps people understand the Unifi Firewall model is that the IN, OUT, and LOCAL rules are relative to the gateway/router. Do not daisy chain Sonos devices together using the same LAN port on a UniFi switch. Except this also drops ICMP, which is used by the Echos to see each other on the network. Note: the devices themselves are working great (can stream on Roku, etc. md file. 9 (Official Release) To filter applications: Navigate to Settings > Security > Traffic & Firewall Rules. The speaker responds with an XML file.