Skip to main content

Dear Community;

 

I have read countless posts about IOT VLANs for Sonos speakers while having the controllers in iPhones/Android phones, ipads, etc on a separate VLAN. I believe it is a must ( minimum security practice) to protect my home NAS/servers.

However, reading the latest posts, it seems the new Sonos App ver 10.6 broke existing solution. Given this, what should I do? Any guides or best practices I should follow?

 

Here is what I have and what I have tried:

PFSense firewall with the following VLANS:

VLAN1: 192.168.10.x/24 with Windows 10 PCs

VLAN20 IOT: 192.168.20.x/24 with Sonos players

VLAN30 WIFI: 192.168.30.0/24 with iphone, ipads, laptops

I have tried AVAHI, IGMP Proxy, and PIMD …. none of them worked. It seems the broadcasts are registered but still the controller apps cannot find the speakers.  Yet, the iphone controller is the only that seems to be able to find the speakers ( previously configured and added to the app), so I can go from VLAN30 to VLAN20.

 

Is the above setup such an unusual network ?? Dont think so. Could anyone offer any hints ?

Seems like a lot of pain and aggravation for no actual gain, using an unsupported network topology. If you enjoy configuring network hardware, capturing network packets and analyzing them, go right ahead. If you just want to enjoy music (like I do), why bother.

I have an IP camera security system. All of those devices are on their own physical network, which required no crazy network configuration, just a separate router. Simple but effective.

What are the actual security concerns you are trying to fix here?


I have it working quite well. I have my Sonos speakers on my IOT VLAN, as they need to talk to my Alexa devices, and I didn't want the Alexa devices on my main network. 

 

I run a Ubiquity USG Router and Unifi Access Points.

 

I didn't need IGMP proxy, I do have a firewall rule that allows broadcasts/multicasts from my production subnet where my iPhone/iPad sit

 

239.255.255.250

224.0.0.251

255.255.255.255

 

Plus the sonos ports (not sure if all required, I need to revisit these as it did take me a while to set this up and the problem I had was my access points)

 

1400

3401

1443

1900

1901

1902

3400

3500

4444

6969

 

I can't use a device on my production network to add a new sonos device to the system, but that happens so rarely, Im happy putting my iPhone in the IOT network to add the device, and then reconnect it to my prod network to manage it. 


@controlav , agree it has been quite a lot of pain. While I am in the IT and security industry, there is a limit to the amount of time invested on this. Key points of interest for me:

1: contain IOT devices in their own cage, whether they are Sonos, TV, or any other junk on the network

2: Improve network performance through segmentation, in addition to network security.

3: Trying to adopt best practices, when SONOS came around, not many people considered home network segmentation so I get that this is not the “default” configuration. However, I am certainly not the only one out there, would be nice to have a little more “support” for the premium $$$ paid on these collection of 10 speakers.


I’m polishing off a guide to walk through setting up a UniFi firewall with Sonos, but you can probably steal the port numbers and incoming/outgoing rules from my rough draft:

https://www.reddit.com/r/Ubiquiti/comments/gpyude/basic_iot_vlan_setup_discussion/

and

https://www.reddit.com/r/Ubiquiti/comments/gu19sa/iot_vlan_settings_specific_to_sonos/


Hi @rorton can you let me know how you FW rules looks exactly?

If got some trouble to manage sonos on my mobile devices (on another vlan than sonos)

Thanks!