Skip to main content
I just wanted to share my findings in this, since I have installed a Sonos system at work where we have a segmented vlan-separated network here, which we have locked down pretty hard.



So this is what I have needed to do for opening up for Sonos, and the scenario is the following



4 vlans

vlan 3, 4, 5 consists of desktop computers and wireless clients.



vlan 6 is a guest network, fully open to internet, but has no regular access to anything else in the office (until now).



I put the Sonos players on vlan6, to give them full access to internet. It is behind NAT.



From computer/wireless (3-5) networks to vlan6:



TCP port 1400 (Sonos control)



From vlan 6 TO vlan3-5:



TCP port 3400, 3500 (upnp events)

UDP port 1900-1905 (upnp discovery returns)



Now, the final piece of the puzzle was the multicast used for finding the players. We use a Clavister firewall, which support something they call SAT multiplex rules (other vendors might have similar functionality but call it something different). This means that it can catch multicast transmissions from one net, and retransmit them on multiple nets. I used this to "relay" the multicast signal from vlan3-5 onto vlan 6. I didn't do the opposite, since that only seems necessary when setting up new controllers (the mute + VOL+ sequence). Today I can attach the controllers by temporarily add computers to vlan6.



So, the firewall needed an Allow rule for the multicast address 239.255.255.250, port 1900 (this is UDP). Then a Multiplex SAT which would catch this multicast IP and port, and then select the interfaces it would relay them to (in this case, vlan6). There was also an option that "Multicast traffic must have been requests using IGMP before it's beeing forwarded" which I unchecked, since I didn't know if the players actually do that.



I'm guessing this is beyond the scope of regular users, but for business environments it may come in handy.



Cheers
Seems like system updates requires additional ports in addition to this FAQ:



https://sonos.custhelp.com/app/answers/detail/a_id/206



port 4444 (TCP) from the client (controller) to the players also needs to be available it seems, otherwise you will get an error 1013 when trying to update.
I know it's been 3 years since this post, but I wanted to pass a huge THANK YOU for posting this information. I've recently setup VLANs to isolate/segregate traffic on my network and after moving my SONOS system into it's own VLAN, it was no longer accessible from my devices. I found this thread through some searching and it had the information needed to make it all work again.



I'll add the additional find that if anyone is doing this with VLANs and using Linux as your router, instead of the SAT/multiplex rules above, what you need is igmpproxy installed to allow the multicast packets to forward from one broadcast domain to another. That coupled with the ports and other information jishi has above and it works brilliantly!
I know it's been 3 years since this post, but I wanted to pass a huge THANK YOU for posting this information. I've recently setup VLANs to isolate/segregate traffic on my network and after moving my SONOS system into it's own VLAN, it was no longer accessible from my devices. I found this thread through some searching and it had the information needed to make it all work again.



I'll add the additional find that if anyone is doing this with VLANs and using Linux as your router, instead of the SAT/multiplex rules above, what you need is igmpproxy installed to allow the multicast packets to forward from one broadcast domain to another. That coupled with the ports and other information jishi has above and it works brilliantly!




Hi - do you have any more details on this ? I have been trying for hours to get this working with igmpproxy and just can't work it out. !
I was having the same issue and the igmp-proxy was the key i needed.



igmp proxy gets set up on a router device that is attached to the network where your sonos is, and to the network where your clients are.

igmp proxy needs to be configured with the sonos facing interface as "upstream". there can be only one upstream and it is a required paramter.

igmp proxy needs to be configured with the client facing interface as "downstream"

you can have multiple downstream interfaces, but at least one is required.



That's about it at the most basic... there are other options you can configure to tune it to your needs.



https://manned.org/igmpproxy.conf.5



note that in my case, my internal networks are not firewalled (yet), just routed, so once igmp proxy was set up, everything else worked. I will take a look at the ports/protocols listed here and see about locking things down more, so thanks!
Hi there... This is a great discussion. I was able to get Sonos to traverse subnets using igmp proxy. However (and I think this may be a correction to the above message), the Sonos system seems to need to be on the downstream interface, not the upstream one. This is counterintuitive but it's the only way I was able to get it to work. I lost many hairs realizing this.



For me, this creates a dilemma... I would like to have more than one additional subnet able to connect to Sonos. More specifically, I have a kids' subnet, a guest subnet, and VPN connections (so I can control from work... Don't ask... ) on their own subnets that I would like to connect. As it stands, I can only choose one subnet beyond the one that Sonos resides on because igmp allows only one upstream interface (via pfsense).



If anyone has any ideas, I'm very interested. (ie... Could udp-broadcast-relay help? Not sure if it helps with igmp...)



Thanks!
Let me add some story to this section.

I've been hussling for a couple of days now and at last, i've managed to stream from diffrent subnets to the SONOS.



Small notes from what i've observed:



- You need to have(MUST for the AIRPLAY!!!) a bonjour-gateway installed in your network, this should be in all the subnets where you want to stream from(aka guest,office vlans) and 'TO' (aka the multimedia subnet)

This is due to the network packets of Apple devices which are having TTL of 1, which will not survive the routing from 1 subnet to another.



- You need to enable PIM dense-mode on between these subnets. This is to discover the SONOS from your phone.



- There are some FW-rules you need to apply:



SRC STREAM-DEVICE - DST-BROADCAST (224.0.0.0/4)

IGMP

UDP1900



SRC STREAM-DEVICE - DST STREAM-DEVICE-BROADCAST (x.x.x.255 for an /24)

UDP6969



SRC SONOS - DST STREAM-DEVICE:

TCP-3401

UDP-1901

UDP30000-60000

TCP30000-60000



SRC STREAM DEVICE - DST SONOS:

UDP319-320

TCP30000-60000

TCP7000

TCP1443

TCP1400

TCP1900

UDP30000-60000



You can make sure for no backdoors on your bonjour-gateway, dont configure, gateways and block most common port from ANY to the bnjr-gtwy.



I hope this will help someone, as i've struggled for days, to get it work!