Blocking Sonos Connect in Firewall

  • 13 December 2018
  • 6 replies
  • 1115 views

I've seen the numerous requests for password/access control of Sonos devices... I understand this is not a feature and likely not planned to be included. Not a big deal...

However, I run the IT department of a business and want to install Sonos here. I've already hooked up the Sonos: Connect and it works great. However, I would like to block all access to the Sonos (via App/Program/etc...) in a firewall to keep random customers/visitors/etc... from changing the audio to whatever they want.

I've tried blocking access between devices on the network and the IP address of the Connect, but apps and desktops can still connect without issues. Does anyone know how devices connect to the Sonos and how I could look into blocking this access? I am not looking for firewall-specific instructions (I can handle configuration)... but I'm at a loss on the communication between apps and the Sonos itself...

Maybe the apps connect to Sonos servers then bounce back to the device?

Any help would be appreciated.



Where is the firewall? If it's in an external gateway it's unlikely to have any effect on traffic within a local subnet.

Sonos controllers will be able to discover hardware devices on their local subnet. They simply use SSDP, a part of UPnP (though the initial registration of a controller with a system has some proprietary elements). To stop that you'd need to put your 'random customers/visitors/etc' on a different subnet from Sonos.
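To make the "local subnet only" point concrete, here is an added illustration (not code from the thread or from Sonos) of the SSDP exchange described above. It builds the M-SEARCH a controller multicasts, parses a constructed reply of the kind a player returns, and shows why a gateway firewall never sees either leg when controller and player share a subnet. The search target, the player's HTTP port 1400 and the RINCON_ identifier are assumptions drawn from public UPnP descriptions of Sonos hardware; the IP addresses are made up.

```python
"""SSDP discovery as used by Sonos controllers (added illustration, not Sonos code).

A controller multicasts an M-SEARCH to the UPnP group 239.255.255.250:1900;
players answer with a unicast HTTP-over-UDP reply. Both packets stay inside
the controller's own subnet, so a firewall at the gateway never sees them.
"""
import ipaddress
import socket

SSDP_GROUP = "239.255.255.250"
SSDP_PORT = 1900
# ASSUMPTION: search target used by Sonos players in public UPnP descriptions;
# the thread itself does not name it.
SONOS_ST = "urn:schemas-upnp-org:device:ZonePlayer:1"

# Constructed sample reply (addresses and identifier are made up).
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age = 1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.1.20:1400/xml/device_description.xml\r\n"
    b"SERVER: Linux UPnP/1.0 Sonos/example\r\n"
    b"ST: urn:schemas-upnp-org:device:ZonePlayer:1\r\n"
    b"USN: uuid:RINCON_000000000000001400::urn:schemas-upnp-org:device:ZonePlayer:1\r\n"
    b"\r\n"
)


def build_msearch(st: str = SONOS_ST, mx: int = 1) -> bytes:
    """Return the M-SEARCH request a controller multicasts to the SSDP group."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_GROUP}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(data: bytes) -> dict:
    """Parse the header block of a player's reply into an upper-cased dict."""
    text = data.decode("utf-8", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        raise ValueError(f"unexpected SSDP status line: {status!r}")
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")  # split on the FIRST colon only
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def location_host(location: str) -> str:
    """Extract the player's IP from the LOCATION URL of its reply."""
    return location.split("//", 1)[1].split("/", 1)[0].split(":")[0]


def same_subnet(controller_ip: str, player_ip: str, prefix_len: int) -> bool:
    """True when controller and player share a subnet, i.e. no router (and no
    gateway firewall) is in the path of the unicast reply."""
    net = ipaddress.ip_network(f"{controller_ip}/{prefix_len}", strict=False)
    return ipaddress.ip_address(player_ip) in net


def discover(timeout: float = 2.0) -> list:
    """Live discovery on the local LAN (not run by the offline test)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), (SSDP_GROUP, SSDP_PORT))
    found = []
    try:
        while True:
            data, _ = sock.recvfrom(4096)
            found.append(parse_ssdp_response(data))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


if __name__ == "__main__":
    for hdrs in discover():
        print(hdrs.get("LOCATION"), hdrs.get("USN"))
```

Run it on the same subnet as a player and the LOCATION hosts will all be local addresses; put the controller on another VLAN and, without multicast relaying, the M-SEARCH simply never arrives, which is the segmentation the reply above recommends.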
Thanks for the reply. The firewall is an external gateway, but I can assign different subnets and control traffic between them. So you're essentially saying that communication between app and device is direct? There's no external communication I need to control? e.g. if I split into subnets and allow only certain communications between, that will control the situation?
The control communication between Sonos app and player is local. (We won't get into all the complexity of cloud-based control; that's just another option.)

Split into subnets, but why would you actually need to allow communications between them? Keep all the visitors on a 'guest' subnet. Keep your own devices, which you want to control Sonos, on the same private subnet as the players.
Mainly because we have different levels of people that connect to different nets. We already have a visitor/guest subnet that's entirely separate, but there's also an internal network that's used by contractors and staff alike... I want literally no one but me to have access to the music. I still need to have access to the greater network, however, to do other tasks related to servers and devices on the main network.

Thus, subnet and rules to allow my MAC address access may be the only way?
Sonos can work across subnets. Have a look at this thread: https://en.community.sonos.com/troubleshooting-228999/multiple-subnets-vlans-and-sonos-workable-clavister-solution-30950
If you only want access for yourself, I suggest setting up one VLAN for you and Sonos, because that will be easier to configure. Then allow any traffic from that VLAN to the rest of the network.

If you feel that Sonos is a potential attack vector, then look into how you can restrict the Sonos gear from reaching other parts of your network (by giving it its own VLAN, different from your management VLAN). That, however, needs you to deal with multicast/broadcast relaying.

Restriction to a VLAN would be controlled via physical connections or, if wireless, a dedicated SSID, I assume, so no MAC rules should be needed. They provide very little security anyway.