Howdy Sonos Community!
I spent a lot of time researching the topic of placing Sonos devices in a separate IoT network/VLAN and still being able to control them from the “secure” VLAN/network and was not coming up with a definitive method for doing it. The general advice was “No”. And while I agree with the advice, the boss does not always agree. This setup provides more isolation than nothing. The method would likely work for other SSDP devices or could be adapted to mDNS as well. Your mileage may vary.
- solder2000
Disclaimer:
I make no assertions to the overall security of this configuration. Required traffic is defined and limited as much as possible. But ultimately you’re punching large holes in the firewall. Please read and understand what you're doing to your network. The setup this was copied from is more involved, but the relevant configuration pieces are below.
Assumptions:
- Sonos devices are using reserved IP addresses from the DHCP server.
- The insecure and secure networks are separate networks/VLANs, both connected to and routed to the internet by the same ASA.
- Secure hosts have unrestricted access to insecure hosts.
- Insecure hosts have no access to secure hosts.
Known Limitations:
- All hosts on the insecure network will see any SSDP multicast traffic from the secure network.
- The Sonos devices need to reply to the multicast discovery traffic, which requires opening the whole ephemeral port range (UDP 32768-65535) from the Sonos devices to the secure network; otherwise the reply is blocked.
- If one of the Sonos devices' IP addresses is hijacked, the hijacker will be allowed to send packets to the Sonos control ports and to any ephemeral port of devices on the secure network.
The Configuration:
Enable multicast routing
multicast-routing
For reference, the interfaces. PIM is disabled on the WAN and on any other interface not participating in multicast.
interface GigabitEthernet1/1
 nameif wan
 security-level 0
 no pim
# sonos are here
interface GigabitEthernet1/2
 nameif insecure_lan
 security-level 33
# rest of net here
interface GigabitEthernet1/8
 nameif secure_lan
 security-level 100
Various objects used by the ACLs and NAT
# network objects
object network net_secure
 subnet 192.168.2.0 255.255.255.0
object network net_insecure
 subnet 192.168.20.0 255.255.255.0
# SSDP related objects
object service SSDP
 service udp destination range 1900 1901
 description Simple Service Discovery Protocol
object service bidir-ephemeral
 service udp source range 32768 65535 destination range 32768 65535
 description bidir ephemeral port range
object network obj_ssdp
 host 239.255.255.250
object network net_multicast
 range 224.0.0.0 239.255.255.255
# sonos service objects
object service sonos-3400-tcp
 service tcp destination range 3400 3401
 description Sonos App Control TCP/3400-3401
object-group service sonos-control
 service-object object sonos-3400-tcp
 service-object object bidir-ephemeral
# sonos network objects
object network obj_sonos_arc
 host 192.168.20.131
 description Sonos Arc
object network obj_sonos_move
 host 192.168.20.199
 description Sonos Move
object-group network sonos
 network-object object obj_sonos_arc
 network-object object obj_sonos_move
ACLs (order matters)
# interface group definitions
access-group insecure_lan_access_in in interface insecure_lan
access-group secure_lan_access_in in interface secure_lan
# allow Sonos devices to communicate back to secure networks
access-list insecure_lan_access_in extended permit object-group sonos-control object-group sonos object net_secure
# block the rest of the traffic from insecure to secure
access-list insecure_lan_access_in extended deny ip any object net_secure
# block insecure multicast traffic
access-list insecure_lan_access_in extended deny ip any object net_multicast
# allow ssdp traffic in from the secure net
access-list secure_lan_access_in extended permit object SSDP any object obj_ssdp
# block the rest of the multicast nets
access-list secure_lan_access_in extended deny ip any object net_multicast
Multicast route
# route the multicast outbound from secure to insecure
mroute 192.168.2.0 255.255.255.0 secure_lan dense insecure_lan
NATs
# dynamic nat for Sonos devices sending SSDP replies and HTTP NOTIFYs to the secure net (object-group names are case-sensitive, so this must match "sonos" as defined above)
nat (insecure_lan,secure_lan) source dynamic sonos interface destination static net_secure net_secure
# dynamic nat all secure traffic headed to the insecure net
nat (secure_lan,insecure_lan) source dynamic any interface
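To sanity-check the ACL ordering above against the flows listed under Known Limitations, here is an added Python model (example code, not from the post and not ASA syntax): it encodes the post's objects and ACEs with first-match semantics plus the ASA's implicit deny, then evaluates a few constructed flows. Host addresses other than the two Sonos devices are assumed for illustration.

```python
import ipaddress

# Constructed model of the objects in the post.
NET_SECURE = ipaddress.ip_network("192.168.2.0/24")
NET_MULTICAST = ipaddress.ip_network("224.0.0.0/4")   # 224.0.0.0 - 239.255.255.255
OBJ_SSDP = ipaddress.ip_network("239.255.255.250/32")
SONOS = {ipaddress.ip_address("192.168.20.131"), ipaddress.ip_address("192.168.20.199")}
EPHEMERAL = range(32768, 65536)   # object service bidir-ephemeral
SONOS_CTRL = range(3400, 3402)    # object service sonos-3400-tcp
ANY_PORT = range(0, 65536)

def sonos(ip): return ip in SONOS           # object-group network sonos
def anyhost(ip): return True                # any
def secure(ip): return ip in NET_SECURE     # object net_secure
def mcast(ip): return ip in NET_MULTICAST   # object net_multicast
def ssdp(ip): return ip in OBJ_SSDP         # object obj_ssdp

# ACEs as (action, proto, src_match, src_ports, dst_match, dst_ports), in the post's order.
# "ip" matches every protocol; the sonos-control group expands to two ACEs.
INSECURE_LAN_ACCESS_IN = [
    ("permit", "tcp", sonos, ANY_PORT, secure, SONOS_CTRL),
    ("permit", "udp", sonos, EPHEMERAL, secure, EPHEMERAL),
    ("deny", "ip", anyhost, ANY_PORT, secure, ANY_PORT),
    ("deny", "ip", anyhost, ANY_PORT, mcast, ANY_PORT),
]
SECURE_LAN_ACCESS_IN = [
    ("permit", "udp", anyhost, ANY_PORT, ssdp, range(1900, 1902)),
    ("deny", "ip", anyhost, ANY_PORT, mcast, ANY_PORT),
]

def evaluate(acl, proto, src, sport, dst, dport):
    """First matching ACE wins. No match means the ASA's implicit deny at the end of every
    interface ACL (the post says its full config has more permits than are shown here)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, p, smatch, sports, dmatch, dports in acl:
        if p in ("ip", proto) and smatch(src) and dmatch(dst) and sport in sports and dport in dports:
            return action
    return "deny"

if __name__ == "__main__":
    ins, sec = INSECURE_LAN_ACCESS_IN, SECURE_LAN_ACCESS_IN
    # An SSDP M-SEARCH from a secure host (constructed address) to the multicast group passes...
    print(evaluate(sec, "udp", "192.168.2.10", 40000, "239.255.255.250", 1900))  # permit
    # ...and the Sonos Arc's unicast reply from an ephemeral port gets back to it.
    print(evaluate(ins, "udp", "192.168.20.131", 45000, "192.168.2.10", 40000))  # permit
    # A non-Sonos insecure host sending the same packet is blocked.
    print(evaluate(ins, "udp", "192.168.20.50", 45000, "192.168.2.10", 40000))   # deny
    # The stated limitation: whoever holds a Sonos IP reaches any secure ephemeral port...
    print(evaluate(ins, "udp", "192.168.20.199", 50000, "192.168.2.10", 60000))  # permit
    # ...but nothing outside the control and ephemeral ranges, and other multicast (mDNS) stays blocked.
    print(evaluate(ins, "tcp", "192.168.20.199", 50000, "192.168.2.10", 22))     # deny
    print(evaluate(sec, "udp", "192.168.2.10", 5353, "224.0.0.251", 5353))       # deny
```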