I just wanted to share my findings in this, since I have installed a Sonos system at work where we have a segmented vlan-separated network here, which we have locked down pretty hard.
So this is what I have needed to do for opening up for Sonos, and the scenario is the following:
vlan 3, 4, 5 consists of desktop computers and wireless clients.
vlan 6 is a guest network, fully open to internet, but has no regular access to anything else in the office (until now).
I put the Sonos players on vlan6, to give them full access to internet. It is behind NAT.
From computer/wireless (3-5) networks to vlan6:
TCP port 1400 (Sonos control)
From vlan 6 TO vlan3-5:
TCP port 3400, 3500 (upnp events)
UDP port 1900-1905 (upnp discovery returns)
Now, the final piece of the puzzle was the multicast used for finding the players. We use a Clavister firewall, which supports something they call SAT multiplex rules (other vendors might have similar functionality but call it something different). This means that it can catch multicast transmissions from one net, and retransmit them on multiple nets. I used this to "relay" the multicast signal from vlan3-5 onto vlan 6. I didn't do the opposite, since that only seems necessary when setting up new controllers (the mute + VOL+ sequence). Today I can attach the controllers by temporarily adding computers to vlan6.
So, the firewall needed an Allow rule for the multicast address 188.8.131.52, port 1900 (this is UDP). Then a Multiplex SAT which would catch this multicast IP and port, and then select the interfaces it would relay them to (in this case, vlan6). There was also an option that "Multicast traffic must have been requested using IGMP before it's being forwarded" which I unchecked, since I didn't know if the players actually do that.
I'm guessing this is beyond the scope of regular users, but for business environments it may come in handy.
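
The rule set described in the post, modelled as a default-deny policy in Python so that the exposure it opens between the guest VLAN and the office VLANs can be checked. This is an added example, not part of the original post and not Clavister configuration; the `Rule`/`Flow` structure, the function names and the `MCAST` placeholder for the multicast group are assumptions.

```python
from collections import namedtuple

# VLAN numbers and ports are taken from the post; everything else
# (structure, names, sample flows) is constructed for this example.
Rule = namedtuple("Rule", "src dst proto ports")
Flow = namedtuple("Flow", "src dst proto port")

OFFICE = frozenset({3, 4, 5})   # desktop and wireless client VLANs
GUEST = frozenset({6})          # guest VLAN holding the Sonos players
MCAST = "mcast-discovery"       # placeholder for the relayed multicast group

RULES = [
    Rule(OFFICE, GUEST, "tcp", (1400,)),             # Sonos control
    Rule(GUEST, OFFICE, "tcp", (3400, 3500)),        # UPnP events
    Rule(GUEST, OFFICE, "udp", range(1900, 1906)),   # UPnP discovery returns
    Rule(OFFICE, {MCAST}, "udp", (1900,)),           # discovery, relayed onto vlan 6 only
]

def allowed(flow, rules=RULES):
    """Default deny: a flow passes only if one rule matches every field."""
    return any(flow.src in r.src and flow.dst in r.dst
               and flow.proto == r.proto and flow.port in r.ports
               for r in rules)

def exposure(src, dst, rules=RULES):
    """Every (proto, port) that src may open toward dst under the rule set."""
    return sorted((r.proto, p) for r in rules
                  if src in r.src and dst in r.dst for p in r.ports)

def audit(flows, rules=RULES):
    """Split constructed test flows into (passed, dropped)."""
    passed = [f for f in flows if allowed(f, rules)]
    return passed, [f for f in flows if f not in passed]

# Constructed sample flows: intended traffic plus traffic that must stay blocked.
SAMPLE = [
    Flow(3, 6, "tcp", 1400),       # controller -> player
    Flow(6, 4, "tcp", 3400),       # player -> controller event
    Flow(6, 5, "udp", 1903),       # discovery return
    Flow(4, MCAST, "udp", 1900),   # discovery relayed from an office VLAN
    Flow(6, MCAST, "udp", 1900),   # reverse relay, not configured in the post
    Flow(6, 3, "tcp", 445),        # guest -> desktop file sharing
    Flow(6, 3, "tcp", 1400),       # control port in the wrong direction
]

if __name__ == "__main__":
    passed, dropped = audit(SAMPLE)
    print("guest -> office exposure:", exposure(6, 3))
    print("dropped:", dropped)
```

`exposure(6, 3)` lists what a device on the guest network can now reach on a desktop VLAN, which is the part of this change worth re-checking whenever a rule is added.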