Skip to main content
Answered

Network Firewall Requirements for Segregated IoT Network

  • January 2, 2021
  • 8 replies
  • 3004 views
M
Forum|alt.badge.img+3

Hi,

With the ever increasing SMART home adoption and the lack of security from the 10’s if not 100’s of IoT devices that are being installed in peoples homes and offices it is a real surprise that segregating Sonos devices onto their own subnet is such a challenge. I am an advanced IT Pro with over 20 years of experience in the industry and have spent hours and hours trying to get my Sonos devices to work on a segregated IoT network.

I have implemented mDNS repeater’s and IGMP Proxies but I still can’t get my clients on my main network to communicate with Sonos devices on the IoT network.

I have read hundreds of old posts and I understand that the App Control requires the following port openings:

 

Source: Sonos App Control on LAN - Destination: Sonos Players on IoT LAN

TCP: 1400, 1443 (SSL)

 

Source: Sonos Players on IoT - Destination: Sonos App Control/ Media Servers on LAN

TCP: 3500, 3400-3402 (App Control)

          4444 (System Updates)

UDP: 6969 (Sonos Setup)

          1900-1901 (App Control)

 

With the increased focus on security I am surprised Sonos hasn’t provided guidance on this issue. If anyone can provide an up to date guide that works with the Sonos S2 controller I would be very grateful.

This is of particular relevance for people who use Sonos with a Home Theater setup and AppleTV. Especially when AppleTV is designed as the hub for Apples “HomeKit” smart hub controller of all Homekit IoT devices. It therefore makes sense to have the AppleTV and IoT devices on the same subnet and when using Sonos Arc for Home Theater it make sense to have the Sonos on the same IoT subnet.

Best answer by myatix

Hi Stanley,

I just thought I would let you know that I finally got this to work on my Ubiquiti Unifi/ EdgeRouter setup using separate VLAN subnets.

The only issue I have left is that for some reason the App on my windows 10 machine won’t connect.

All my iPhones and tablets and other devices work fine on the Main LAN, while my AppleTV and Sonos is now on the IOT VLAN. :grinning: Exactly as I wanted and as specified above.

I just need to work out the last little bit…

Which network port is used when a new device connects to a Sonos setup? 


Oh ya… 

Who ever says you are shooting hundreds of holes in your firewall to get this to work is wrong if you set it up wisely. If you reserve addresses for you devices and only open for specific ports to specific IP’s then it’s actually very secure. Plus you have to remember this is internal traffic between 2 subnets, it is not as if you are opening ports into the outside world.

One of the hardest things about getting this implementation to work is that it would appear that the Sonos devices don’t pickup the port changes straight away and therefore require a reboot. My firewall rules were actually correct most of the time it’s only because I didn’t reboot the Sonos devices that things didn’t start working, which obviously makes it a little more difficult.

 

This topic has been closed for further comments. You can use the search bar to find a similar topic, or create a new one by clicking Create Topic at the top of the page.

8 replies

ratty
  • ratty
  • 31405 replies
  • January 2, 2021

With the increased focus on security I am surprised Sonos hasn’t provided guidance on this issue.

The official guidance:

Sonos system requirements

General requirements

  • High speed wired internet connection such as cable, fiber, or DSL
  • WiFi router
  • Sonos app and all Sonos products are on the same subnet

Whilst some have had success operating between subnets it simply isn’t a supported configuration.

M
Forum|alt.badge.img+3
  • myatix
  • Author
  • Producer I
  • 19 replies
  • January 2, 2021

OK… But that is basically saying that Sonos is not concerned about their clients data security and privacy or any IoT device security flaws that could potentially be installed on a network?

As Sonos is an Apple partner I am very surprised that that they recommend that all IoT HomeKit supported devices including the Sonos Home Theater should be on the same subnet as clients private data networks. If you think about all the privacy laws including CCPA, GDPR and ISO27001 and the security vulnerabilities seen in numerous IoT devices, I think it is very strange that Sonos doesn’t consider their clients data privacy and security a priority.

It wouldn’t be difficult for Sonos to provide a detailed set of guidance to assist clients with detailed segregated network setup.


If anyone who has achieved this setup on a Ubiquiti network recently I would really appreciate any input?
 


 

ratty
  • ratty
  • 31405 replies
  • January 2, 2021

Sonos relies on UPnP, and in particular SSDP for the controllers to locate devices. This assumes a flat subnet, as is typically the case in most domestic settings. 

The cloud-based control path, as used by the voice assistants and some direct ‘casting’ from native streaming apps, can however work between subnets. 

 

It wouldn’t be difficult for Sonos to provide a detailed set of guidance to assist clients with detailed segregated network setup.

That would imply official support, which as I say is lacking. I dare say that Sonos technical support have quite enough on their hands dealing with users’ ‘simple’ network problems to want to deal with such complex setups. 

That said, there are various threads here detailing the forwarding rules that some users have found to work between subnets.

Stanley_4
  • Stanley_4
  • Lead Maestro
  • 12292 replies
  • January 3, 2021

I look at it differently, anybody poking holes in their firewall between LANs is not concerned about security.

I would never consider giving my IOT LAN access to my other local networks! Sonos, my SMB v1 music NAS and my controllers all reside on the same subnet and have no access to my other stuff.

Seriously, if you are going to poke a bunch of holes in your inter-LAN protection why even bother using a different LAN for the IOT stuff? I thought the whole idea was to keep the iffy stuff away from the important stuff.

M
Forum|alt.badge.img+3
  • myatix
  • Author
  • Producer I
  • 19 replies
  • January 3, 2021

@Stanley_4 I see you argument but that just doesn’t work with an AppleTV as a Homekit hub. Apple has specifically designed the AppleTV to be the main hub in their Homekit IoT SMART Home setup. 

Sonos has partnered with Apple and Sonos delivers several Home Theater products which logically should be used together with the AppleTV. I am sure we can all agree on this so far… :) 

This is where things get tricky….

 

So you have an AppleTV that should work with a Home Theater Setup especially from a company partnered with Apple, such as the Sonos ARC, Beam, PlayBar etc

 

BUT…

 

You also have an AppleTV as your main Homekit hub for all “Apple Home” IoT devices…

IoT devices a notoriously unsecure but you are using the AppleTV to control these devices.

So you put the AppleTV in a segregated IoT subnet with all the other IoT devices… That definitely makes sense…

 

Now you have a Sonos Home Theater setup… Where do you put that?

Considering it also has Alexa and Google Assistant plus all the above I would say it makes sense to put it on the IoT subnet…

 

I would say it is very logical to put the Sonos on the IoT network in this scenario, together with all IoT devices… Not such a strange scenario if you use an Apple Homekit as your IoT SMART hub.

 

Not to mention splitting network loads from 4K TV signals and other multi media services that can impact your main LAN containing your priority clients.

 

It makes sense because of the services offered by the devices, privacy, security and network loads as far as I can see and funnily enough I am not the only one thinking along these tracks.

 

Anyway thanks for your input but what I was looking for was anyone who has successfully implemented this recently, because sonos obviously doesn’t plan to support such a setup which I don’t understand based on the above. There are a lot of articles on the net but most of them a quite old and don’t work anymore...

Stanley_4
  • Stanley_4
  • Lead Maestro
  • 12292 replies
  • January 4, 2021

Good luck, I spent a lot of time looking at the issue for my mostly non-Apple setup and the simple solution for me was just putting my Sonos, SMBv1 NAS, tablets and phones on the IOT LAN.

 

M
Forum|alt.badge.img+3
  • myatix
  • Author
  • Producer I
  • 19 replies
  • Answer
  • January 6, 2021

Hi Stanley,

I just thought I would let you know that I finally got this to work on my Ubiquiti Unifi/ EdgeRouter setup using separate VLAN subnets.

The only issue I have left is that for some reason the App on my windows 10 machine won’t connect.

All my iPhones and tablets and other devices work fine on the Main LAN, while my AppleTV and Sonos is now on the IOT VLAN. :grinning: Exactly as I wanted and as specified above.

I just need to work out the last little bit…

Which network port is used when a new device connects to a Sonos setup? 


Oh ya… 

Who ever says you are shooting hundreds of holes in your firewall to get this to work is wrong if you set it up wisely. If you reserve addresses for you devices and only open for specific ports to specific IP’s then it’s actually very secure. Plus you have to remember this is internal traffic between 2 subnets, it is not as if you are opening ports into the outside world.

One of the hardest things about getting this implementation to work is that it would appear that the Sonos devices don’t pickup the port changes straight away and therefore require a reboot. My firewall rules were actually correct most of the time it’s only because I didn’t reboot the Sonos devices that things didn’t start working, which obviously makes it a little more difficult.

 

Stanley_4
  • Stanley_4
  • Lead Maestro
  • 12292 replies
  • January 6, 2021

If you do lock things down well I’d agree that it won’t be that insecure. I still wouldn’t do it though.

What many do is just keep opening things up until Sonos works, that is usually not good.

Terms & ConditionsCookie settingsAccessibility statement