Sonos across multiple IP subnets

  • 15 February 2013
  • 17 replies
  • 20511 views

It appears that the sonos system relies on a network broadcast to add components to the system. Unfortunately, this limits the system to a single IP subnet. Could enhancements be made to the components and software to allow for the system to exist across multiple subnets? Think of this as an advanced configuration for system administrators to do and not your average home/small business user. This would enable the sonos system to be utilized through enterprise deployments where multiple locations all have wide area network connectivity which would allow for control of all of the offices from a centralized location. Furthermore, additional basic security could be added to perhaps limit access to rooms.


Yeah, this single subnet limitation sucks. Especially if you are using more professional wired and wireless network equipment. I'm using a FortiGate Firewall with an attached Access Point. In a more secure setup you have different networks/subnets for wireless and LAN. Like this you cannot connect the iPhone/Android remote to the Sonos System. I had to put the wireless and the wired interface into a virtual software switch on the Firewall to connect the remote successfully. This needs performance on the FW and I'm losing the secure wired/wireless segmentation setup. On the other side I know a couple of companies who are using Sonos for their different office rooms. They have to use a Sonos Control remote or the PC/MAC Software.
Hello Khai, What version of firmware do you have on your fortigate? (fortios version?) And which model do you have? My Fortigate 100D seems to be unable to do some of these commands
I am having a problem setting up my new playbar. It's on a different subnet as per above and I am using a Fortiwifi FW80CM and also note I have access points connected to the fortiwifi. I have managed to successfully configure as per above by the CLI and I can connect to the Playbar. Straight after it connects and I go to the Sonos player I get "Your Sonos System was not found". I have the same result if I try the windows application or the Android App. Any ideas?
Khai thanks for the Fortigate info. This works perfectly. That said, I've a wrinkle with my setup. Between my FortiAP wireless users and the Sonos gear is a Cisco 3640 router. Does anyone know how to get the Sonos packets through it as well?
Hi,

Thanks for the Fortigate info. It was of great use when I did the same thing on my pfsense firewall. There is an IGMP Proxy installed by default.

So it was easy to set up a proxy for the IGMP that Sonos is using.

I have the Sonos on IP 10.0.5.40 that I wanted to use from 3 different nets.
The setup looks like this.



Don't forget to open the firewall to the ip of the sonos system.

/Stellan
Do we have a workaround for Sophos UTM?

So, I'm trying to get this working on a UBNT device. It's using igmp-proxy as well and the solution works. But it currently only works for one subnet. So I wonder, since you said you got your SONOS devices on a subnet and multiple other subnets that access those SONOS devices how exactly this is configured in pfsense?

The issue I have is that igmp-proxy may only have a single upstream interface. So in my case, I have

- device network, which the SONOS play devices are part of
- guest wifi, where guest can have their sonos app running
- internal wifi, where internal users can have their sonos app running

I can set e.g. the internal wifi as upstream interface and the device network as downstream interface. But then guest cannot connect to sonos. I played through all variants I could think of but I just can't get it to work on multiple subnets. Any ideas? Can you give me a cat of the igmp-proxy config pfsense produced in your case?
Could you explain a bit more in depth to which of those networks you've shown in the screenshots your SONOS players are connected and to which networks you got SONOS controller (== sonos app) connected?



Off topic: using IGMP just seems like a bad idea for this altogether. I wonder why Sonos is not using something like mDNS. Chromecast as well as Spotify (Connect) use mDNS and it's much easier to set up across subnets. Also you have way better access control than with just proxying multicast packets across networks.

Stellan, can you please share your pfSense setup? I'm trying to get this to work on pfSense and have had no luck so far.

My setup:
- Primary LAN (with Sonos speakers) is 10.0.1.1/24
- Guest VLAN (wireless network via Ubiquiti Unifi AP and pfSense) is 10.0.100.1/24

From those (and countless other fragments of wisdom), here's what I can glean I need to be doing:
- allow TCP port 1400 from LAN to VLAN
- allow TCP port 3400, 3500 from VLAN to LAN
- allow UDP port 1900-1905 from VLAN to LAN
- set up IGMP proxy to enable multicast of 239.255.255.250 across the two networks
- make sure I've got a switch that allows IGMP snooping (I do)

For purposes of testing I've just set up an allow all firewall rule, and I can confirm that VLAN clients can access the LAN. I suspect that my issue is with how I've got IGMP proxy configured, as this is where I haven't found a canonical reference. What I have set up is:

- WAN upstream 10.0.1.1/24, 10.0.100.1/24
- LAN downstream 10.0.1.1/24
- GUESTVLAN downstream 10.0.100.1/24

with an ALLOW rule on the WAN from any to UDP 239.0.0.0/4.

That's what I've got for now - I'm not sure how to test or troubleshoot from this point, or what to tweak. Any and all insight is greatly appreciated!

Darren
+1 for Stellan to please, please share your pfSense setup.

Our network has UniFi AP, UniFi USW (PoE switching), EdgeMax switch and pfSense.
I'd also like to partition the Sonos kit behind the firewall.. similar to masi's setup.

TIA,

Piers



Has this been addressed yet? I will be setting up sonos very soon in an enterprise environment. If it is a case of just forwarding multicast I should be good but it sounds like it needs stp. Thanks
Here's my working opnsense config for the common use case of LAN and WLAN on different subnets; you should be able to achieve the same on pfsense.

Configure the IGMP Proxy
WLAN upstream 192.168.1.1/24 --Sonos controller clients
LAN downstream 192.168.0.1/24 --Sonos devices + controller clients

The important part that seems to be missing in the above guides is the firewall rule configuration, in advanced options
allow options must be checked

I have this checked for both firewall rules LAN to any and WLAN to any.
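The upstream/downstream layout from the post above, written out as an igmpproxy.conf (the daemon behind the pfSense/OPNsense IGMP Proxy package) as an added illustration, not the poster's own file. Interface names em0/em1/em2 are assumptions; the two altnet entries mirror the two networks Darren lists for his upstream, since igmpproxy by default only accepts multicast from sources inside the upstream interface's own subnet.

```conf
# igmpproxy.conf for the layout described above (added example; interface
# names are assumptions, the subnets are the ones given in the post).
# igmpproxy allows exactly one 'upstream' interface, which is why the
# multi-controller-subnet case discussed earlier in the thread does not fit.

# Stop forwarding a group as soon as the last member leaves it.
quickleave

# WLAN, 192.168.1.0/24: Sonos controller apps (phones, laptops).
phyint em0 upstream ratelimit 0 threshold 1
    # Source networks from which multicast/IGMP is accepted on this side.
    altnet 192.168.1.0/24
    altnet 192.168.0.0/24

# LAN, 192.168.0.0/24: Sonos players plus any wired controller clients.
phyint em1 downstream ratelimit 0 threshold 1

# Interfaces that must not take part in multicast routing (e.g. the real
# WAN) are listed as disabled.
phyint em2 disabled
```

The proxy only carries the multicast discovery traffic to 239.255.255.250; the unicast firewall rules from Darren's list (TCP 1400, 3400, 3500 and UDP 1900) and the "allow IP options" setting on both interfaces' rules still have to be in place for the controllers to talk to the players.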
Just to add, I use high-end Cisco equipment (I'm an independent IT consultant) and I keep my Sonos speakers in one subnet and my phones and wired clients in another subnet just for them.

To get this to work, I had to enable IP Multicast Routing on the switch, and then turn on IP PIM Sparse-Dense Mode on those subnets. Once I did that the controllers in the client subnet could see all the speakers and interact with them.

The only catch is that when adding a new Sonos device the controller I am using to add it must be in the same subnet as the speaker - I imagine this is some type of security measure. I have a Windows VM I keep in that subnet running the Sonos app for when I need to do this.

So other than needing to be the same subnet when adding a speaker everything appears to work fine as long as you can route multicast - to work with Cisco enterprise switches you need to be running the IP Services featureset. The IGMP proxy would be another option. On non-enterprise grade equipment I have seen things like IPTV vlan types that would work similar to IGMP Proxy, where multicast traffic in one subnet is proxied to another.
The only catch is that when adding a new Sonos device the controller I am using to add it must be in the same subnet as the speaker - I imagine this is some type of security measure..

Might this be true during software updates, too? Have you done one since configuring all this?
I've done many in the year or two since I configured VLANs, never had a single issue with updates. I surmise that since it's not adding additional equipment there's no need to do a sequence that demonstrates that you have physical access to the device and you're also on the same subnet.
If you happen to have a Linux box that is doing your routing, then you might find this handy:

https://github.com/alsmith/ssdp-relay

I just got myself a set of Sonos speakers and I have a WPA2-Enterprise network using WPA-TLS keys for authentication.

I set up a hidden-SSID pre-shared key network hanging on a different subnet to support the Sonos speakers, as they don't support WPA2-Enterprise...

For the initial setup, the SSID needs to be un-hidden and I found that my iPhone needed to also sit on the same network, but after setup has been done you can go ahead and hide the SSID and move your telephone back to its original network. The SSDP relay means that everything can still discover itself.