SOLVED: SONOS across multiple VLANS

I searched these forums and the internet and there are a ton of different and often conflicting info.
Can anyone point me to the current way to get this working in pfSense?

I think my case is pretty typical:

  • I have some Sonos speakers on an “IOT Network”.

  • My main personal devices are connected to a “Main Network” that has firewall rules allowing it to reach this IOT Network (but not the other way around).

  • I’m fully able to ping the Sonos speakers from my devices on the main network. However, the speakers never show up in the list of available speakers to AirPlay to when I’m connected to the “Main subnet”. If I switch Wi-Fi and connect one of my computers to the “IOT subnet”, then they show up as available speakers. But I do not want my computers connecting directly to the IOT subnet, nor do I want to spend my time switching Wi-Fi networks when I want to AirPlay something.

look for SSDP and mDNS


Here’s the simple walk through. Hope it helps.
Also, if anyone (@LTS_Tom maybe) sees something insecure in this solution please chip in!

Step 1: Enable Multicast Traffic

1. Enable IGMP Proxy on pfSense:

  • Go to Services > IGMP Proxy.
  • Click Add under “IGMP Proxy”.
  • Set the following:
  • Interface: Choose your “IOT subnet” interface.
  • Type: Set to “Upstream”.
  • Networks: Add the subnet range for the IOT subnet (e.g., 192.168.20.0/24).
  • Add another entry:
  • Interface: Choose your “Secure subnet” interface.
  • Type: Set to “Downstream”.
  • Networks: Add the subnet range for the Secure subnet (e.g., 192.168.10.0/24).

2. Enable Avahi Daemon (mDNS Repeater) on pfSense:

  • Go to Services > Avahi.
  • Check the box to Enable the mDNS repeater.
  • Under Interfaces, select both your “Secure subnet” and “IOT subnet” interfaces.
  • Save the configuration.
Step 2: Configure Firewall Rules

1. Allow Multicast Traffic on the Secure Subnet:

  • Go to Firewall > Rules.
  • Select your “Secure subnet” interface.
  • Click Add to create a new rule.
  • Set the following:
  • Action: Pass
  • Interface: Your “Secure subnet” interface.
  • Protocol: UDP
  • Source: Any
  • Destination: Network
  • Destination Address: Your “IOT subnet” (e.g., 192.168.20.0/24)
  • Destination Port Range: 5353 (both from and to)
  • Save and apply the rule.

2. Allow Multicast Traffic on the IOT Subnet:

  • Select your “IOT subnet” interface.
  • Click Add to create a new rule.
  • Set the following:
  • Action: Pass
  • Interface: Your “IOT subnet” interface.
  • Protocol: UDP
  • Source: Any
  • Destination: Network
  • Destination Address: Your “Secure subnet” (e.g., 192.168.10.0/24)
  • Destination Port Range: 5353 (both from and to)
  • Save and apply the rule.

Step 3: Restart The Services

  • This should do it.

A simpler solution can be implemented using the UDP Broadcast Relay package. This solution does not need IGMP Proxy, and it also does not need the Avahi Daemon.

Step 1: Enable Multicast Traffic (replaces Step 1 in the solution by @smol)

  • create an instance
  • select the interfaces for the networks that should be able to speak SSDP to each other
  • set Spoof Source to Keep original
  • set Destination UDP port to 1900
  • set Multicast group to 239.255.255.250

Step 2: Configure Firewall Rules
See Step 2 in the solution above by @smol.
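Both recipes in this thread (the Avahi repeater plus IGMP Proxy, and the UDP Broadcast Relay on 239.255.255.250:1900) are only verified when a client on the Secure subnet actually receives the speakers' discovery replies. The script below is an added example, not code from any post above or from Sonos or pfSense: it builds the two packets that discovery depends on, an mDNS PTR query (UDP 5353, group 224.0.0.251) and an SSDP M-SEARCH (UDP 1900, group 239.255.255.250), parses the replies, and, when run directly, sends them and lists which IOT-side hosts answered over which protocol. The service names `_airplay._tcp.local`, `_raop._tcp.local`, `_sonos._tcp.local` and the search target `urn:schemas-upnp-org:device:ZonePlayer:1` are assumptions about what Sonos and AirPlay advertise; the sample responses used by the parsing functions are constructed inline so the parsing part runs offline.

```python
"""Cross-VLAN discovery check: build/parse mDNS (5353) and SSDP (1900) discovery
packets, then optionally probe the network from the subnet you are sitting on."""
import socket
import struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353
SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900
# Assumed service names (what Sonos / AirPlay are believed to advertise).
SERVICES = ["_airplay._tcp.local", "_raop._tcp.local", "_sonos._tcp.local"]
SONOS_ST = "urn:schemas-upnp-org:device:ZonePlayer:1"  # assumed SSDP search target
TYPE_PTR = 12


def encode_name(name: str) -> bytes:
    """DNS wire form: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_mdns_query(service: str) -> bytes:
    """One PTR question; ID 0 and flags 0 as mDNS queries use."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    return header + encode_name(service) + struct.pack("!HH", TYPE_PTR, 1)


def read_name(buf: bytes, off: int):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: jump, remember where we were
            if end is None:
                end = off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(buf[off:off + ln].decode())
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_mdns_response(data: bytes):
    """Return [(owner, type, target)] for every PTR record in the answer section."""
    _id, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):  # skip echoed questions
        _, off = read_name(data, off)
        off += 4
    records = []
    for _ in range(an):
        owner, off = read_name(data, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == TYPE_PTR:
            target, _ = read_name(data, off)
            records.append((owner, rtype, target))
        off += rdlen
    return records


def build_mdns_ptr_response(service: str, instance: str) -> bytes:
    """Constructed responder reply: the question echoed, then one PTR answer whose
    owner and rdata tail are compression pointers to the question name (offset 12)."""
    header = struct.pack("!HHHHHH", 0, 0x8400, 1, 1, 0, 0)
    question = encode_name(service) + struct.pack("!HH", TYPE_PTR, 1)
    ptr = struct.pack("!H", 0xC000 | 12)
    rdata = bytes([len(instance)]) + instance.encode() + ptr
    answer = ptr + struct.pack("!HHIH", TYPE_PTR, 1, 4500, len(rdata)) + rdata
    return header + question + answer


def build_ssdp_msearch(st: str = SONOS_ST, mx: int = 2) -> bytes:
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_GROUP}:{SSDP_PORT}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {st}\r\n\r\n').encode()


def parse_ssdp_response(raw: bytes) -> dict:
    """Headers of a 200 OK search reply, names upper-cased; {} for anything else."""
    lines = raw.decode(errors="replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().upper()] = value.strip()
    return headers


def probe(timeout: float = 2.0) -> dict:
    """Send both discovery queries and collect {responder_ip: {protocol:target}}.
    Queries go out from an ephemeral port, so mDNS responders answer unicast."""
    found = {}
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    for svc in SERVICES:
        sock.sendto(build_mdns_query(svc), (MDNS_GROUP, MDNS_PORT))
    sock.sendto(build_ssdp_msearch(), (SSDP_GROUP, SSDP_PORT))
    try:
        while True:
            data, (ip, _port) = sock.recvfrom(4096)
            try:
                if data.startswith(b"HTTP/1.1"):
                    hdrs = parse_ssdp_response(data)
                    if hdrs:
                        found.setdefault(ip, set()).add("ssdp:" + hdrs.get("LOCATION", "?"))
                else:
                    for _owner, _t, target in parse_mdns_response(data):
                        found.setdefault(ip, set()).add("mdns:" + target)
            except (struct.error, IndexError, UnicodeDecodeError):
                pass  # malformed reply; ignore and keep listening
    except socket.timeout:
        pass
    return found


if __name__ == "__main__":
    for ip, names in sorted(probe().items()):
        print(ip, *sorted(names), sep="\n  ")
```

Run it from a host on the Secure subnet: the speakers' IOT-side addresses should appear with `mdns:` entries (the repeater path) and/or `ssdp:` entries (the UDP Broadcast Relay path), which tells you which of the two mechanisms is actually carrying discovery across the VLAN. Then run it once more from a host on the IOT subnet: both the Avahi reflector and the relay forward in both directions, so this shows exactly what the IOT side learns about devices on the Secure subnet, which is the part of either recipe worth reviewing against the "Secure reaches IOT, not the other way" intent.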