Sonos & Windows 10 Firewall


Recently I had been having issues with my Sonos controller talking to my local music library. Both are installed on the same machine, which is in VLAN 1, whereas my speakers are on VLAN 2. I was receiving errors such as Error 1002, "unable to connect to....", "Can't find media", etc.

I narrowed the issue down to Windows Firewall blocking something, even though I had already created "Allow" rules.

Turning off Windows Firewall fixed the issue and my Sonos speakers could stream my local media library. However, I'm not happy turning off a firewall, so I started digging deeper.

I checked each individual firewall rule that had been created automatically when installing and running the Sonos controller on the PC.

Bingo. Under the Scope tab, the Sonos Library and Sonos Controller rules restricted the remote address to "Local subnet", so they allowed connections from devices on the PC's own subnet and blocked anything arriving from another subnet, which is exactly where my speakers on VLAN 2 sit. Changing the remote address to "Any IP address" fixed the issue, but rather than leaving the rule that open I added the VLAN 2 subnet to the remote address list instead. This fixed my issue while keeping the firewall rule relevant.


To tighten it further, I changed the remote address list from the whole VLAN 2 subnet to just the IP addresses of my Sonos speakers on VLAN 2. Now the only devices able to reach my Sonos local library are the Sonos speakers themselves. This does mean the speakers need fixed addresses (DHCP reservations), otherwise the rule will silently stop matching when a lease changes.

Sonos, Unifi, VLAN and Firewalls.


Carrying on from a previous post, Unifi & Sonos VLANs: if, like me, you have your Sonos devices segregated on an IoT VLAN and the Sonos controllers (iPhone etc.) on a different VLAN, then you will probably need to do some firewalling.

A little background

VLANs are used for many reasons: segregating networks, containing broadcast and multicast traffic, and security, amongst others. In this case I wanted all my IoT devices on their own network (VLAN), as there are many security risks with IoT devices, and a separate VLAN for my main LAN. I wanted to block all communication from IoT_VLAN to Main_VLAN, while still letting Main_VLAN talk to some devices on the IoT_VLAN, i.e. the Sonos speakers.

So following on from the previous post, where we set up the VLANs and IGMP proxying, we will now look at the Unifi firewall.

Firewalls work on ordered rules: when a packet hits the firewall it is checked against the rules from the top down, and the first rule that matches decides what happens to it. Nothing below that rule is consulted, so the order of the rules below matters.

Firewall

In Unifi there are various rule sections, WAN, LAN and Guest, and each has an IN, OUT and LOCAL direction. For this guide we will be working with LAN IN, i.e. traffic coming from a LAN interface into the USG, which is where traffic between VLANs is filtered.

Let's create some rules; they must be in this order, top to bottom.

The first rule exists because when the controller on Main_VLAN opens a connection to a speaker on IoT_VLAN, we want the speaker to be able to answer. The rule accepts packets that belong to connections already in the USG's state table (and related ones); it does not let IoT devices open new connections, because a fresh connection attempt has state "new", which this rule does not match.

Name - Allow Established
Enabled - On
Rule Applied - Before predefined rules
Action - Accept
IPv4 Protocol - All
States - Established and Related
Source - Address group - Any
Destination - Address group - Any

Next Rule is to allow Sonos Speakers to contact Main_VLAN

Name - SONOS_To_Main_VLAN
Enabled - On
Rule Applied - Before predefined rules
Action - Accept
IPv4 Protocol - All
Source - Address group - Create a group containing all the Sonos speaker IP addresses
Destination - Network - Main_VLAN

The final rule blocks all other traffic from IoT_VLAN to Main_VLAN.

Name - Block IoT_VLAN to Main_VLAN
Enabled - On
Rule Applied - Before predefined rules
Action - Drop
IPv4 protocol - All
Source - Network - IoT_VLAN
Destination - Network - Main_VLAN

And that's it. With these rules, devices on IoT_VLAN shouldn't be able to open connections to devices on Main_VLAN, whereas Main_VLAN can still contact the Sonos speakers and get replies. Note that the second rule gives the speakers access to the whole of Main_VLAN on every protocol; it is the deliberate exception to the policy, so keep the address group limited to the speakers (give them fixed DHCP reservations so the addresses do not drift) and bear in mind that a compromised speaker inherits that access.
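To see how first-match ordering plays out for these three rules, here is a small Python model of the evaluation. It is an added example written for this page, not UniFi or USG code. The subnets 10.0.1.0/24 for Main_VLAN and 10.0.80.0/24 for IoT_VLAN, and the two speaker addresses, are made-up values standing in for your own; the USG tracks connection state itself, which the model stands in for with an established flag on each flow.

```python
"""First-match evaluation of the three LAN IN rules described above.

Added example, not UniFi/USG code: it models how the USG walks the list top
to bottom and stops at the first match, so you can see why the order matters.
Addresses are constructed for the example (10.0.1.0/24 as Main_VLAN,
10.0.80.0/24 as IoT_VLAN, two speakers at .21 and .22); substitute your own.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MAIN_VLAN = ip_network("10.0.1.0/24")     # assumed Main_VLAN subnet
IOT_VLAN = ip_network("10.0.80.0/24")     # assumed IoT_VLAN subnet
SONOS_GROUP = {ip_address("10.0.80.21"),  # assumed speaker addresses,
               ip_address("10.0.80.22")}  # i.e. the UniFi address group


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    established: bool  # True: packet of a connection already in the state table


def match_established(f: Flow) -> bool:
    # Rule 1: states Established/Related, source Any, destination Any.
    return f.established


def match_sonos_to_main(f: Flow) -> bool:
    # Rule 2: source = speaker address group, destination = Main_VLAN.
    return ip_address(f.src) in SONOS_GROUP and ip_address(f.dst) in MAIN_VLAN


def match_iot_to_main(f: Flow) -> bool:
    # Rule 3: source = IoT_VLAN network, destination = Main_VLAN network.
    return ip_address(f.src) in IOT_VLAN and ip_address(f.dst) in MAIN_VLAN


# (name, predicate, action) in the order they appear on the LAN IN page.
RULES = [
    ("Allow Established", match_established, "accept"),
    ("SONOS_To_Main_VLAN", match_sonos_to_main, "accept"),
    ("Block IoT_VLAN to Main_VLAN", match_iot_to_main, "drop"),
]


def evaluate(flow: Flow, rules=RULES, default="accept"):
    """Return (action, rule name) of the first matching rule.

    LAN IN has no implicit deny, so a packet that matches nothing is accepted;
    that is why the explicit Block rule is needed at the end of the list.
    """
    for name, matches, action in rules:
        if matches(flow):
            return action, name
    return default, "(no match: LAN IN default)"


def scenarios(rules=RULES):
    """Evaluate the flows the post cares about under the given rule order."""
    flows = {
        "controller opens connection to speaker": Flow("10.0.1.5", "10.0.80.21", False),
        "speaker replies to controller": Flow("10.0.80.21", "10.0.1.5", True),
        "speaker opens connection to controller": Flow("10.0.80.21", "10.0.1.5", False),
        "other IoT device opens connection": Flow("10.0.80.50", "10.0.1.5", False),
        "other IoT device replies to Main_VLAN": Flow("10.0.80.50", "10.0.1.5", True),
    }
    return {label: evaluate(f, rules)[0] for label, f in flows.items()}


# The same rules with the Block rule moved to the top: a common mistake that
# also drops the return traffic Main_VLAN asked for.
MISORDERED = [RULES[2], RULES[0], RULES[1]]

if __name__ == "__main__":
    for label, action in scenarios().items():
        print(f"{label:42} -> {action}")
    print("with Block first, speaker reply ->",
          scenarios(MISORDERED)["speaker replies to controller"])
```

Running it shows the intended outcome for the correct order (only the non-Sonos IoT device opening a new connection is dropped) and, with the Block rule moved to the top, that even the speaker's replies to the controller are dropped, which is the symptom you see if the rules are entered in the wrong order.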

This is what the rule page looks like:

[Screenshot: LAN IN firewall rule list]

Disable Wifi on Sonos Devices


Disabling the WiFi Link on a Sonos Music Player

SonosNet

All Sonos players attempt to establish a peer-to-peer wireless mesh network known as SonosNet as soon as they are powered up. While this is convenient, there are several situations in which turning off this WiFi link makes sense:

- You own a single player that you connected directly to your home router with an Ethernet cable. You don't need the built-in SonosNet, so why not deactivate it to reduce power consumption and radio emissions.

- SonosNet relies on the spanning tree protocol (STP) to avoid loops between the wired and wireless paths, so if your other network equipment doesn't handle STP your network can end up looped, overloaded by broadcast storms and frequently falling over. Instead of upgrading your network it is much easier and cheaper to eliminate the source of the problem.

- You're worried about WiFi hijacking. Why leave a backdoor in your network that can't be strongly secured?

It is possible to switch the wireless adapter of each Sonos player on or off individually. Here's how in 3 simple steps.

Step 1: Finding the IP address of the device

From the Sonos controller, open the "About My Sonos System" menu. You should see something like this:

PLAY:5: Bedroom
Serial Number: 00-0E-58-2D-B0-C3:3 
Version: 4.2 (build 24071060) 
Hardware Version: 1.16.4.1-1 
IP Address: 192.168.1.27 
OTP: 1.1.1(1-16-4-zp5s-0.5)

In the example above, the address is 192.168.1.27. We'll refer to it as <sonos_ip> in the rest of this article.

Step 2: Checking the status of the Wifi link

Sonos provides a little-known diagnostic web interface on port 1400 of their players that you can access from any web browser at the following URL:

http://<sonos_ip>:1400/status/ifconfig

You should see something like this:

[Screenshot: ifconfig status page]

The entries labelled 'eth0' and 'eth1' correspond to the two wired ports. 'lo' (the loopback) and 'br0' (a software bridge) are virtual interfaces used internally by the Linux kernel. The entry we're interested in is labelled 'ath0', which stands for Atheros device 0; Atheros is the manufacturer of the embedded WiFi chip.

Step 3: Disabling the link

To disable the WiFi link, start by issuing the following HTTP request (a plain GET from your browser). Anything that can reach port 1400 on the player can issue the same request, which is one more reason to keep the speakers behind the VLAN firewalling described elsewhere on this page:

http://<sonos_ip>:1400/wifictrl?wifi=off

You should get the following answer:

wifictrl request succeeded HTTP 200 OK

You can also check that the link has indeed been disabled by going back to the status page: the 'ath0' entry should no longer be present. This setting is not persistent, so if you find you can't connect to your player after disabling the WiFi, you can undo the change by power cycling the player.

If you want to disable the WiFi link for good, issue the following HTTP request instead:

http://<sonos_ip>:1400/wifictrl?wifi=persist-off

The change will now be preserved across reboots and even after an upgrade. If you ever need to connect the player wirelessly in the future you can turn the WiFi back on as follows:

http://<sonos_ip>:1400/wifictrl?wifi=on
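The three steps above, scripted in Python as an added example that is not part of the original post or of any Sonos software: it builds the same port-1400 URLs, parses the status page to see whether ath0 is still listed, and re-reads the page after the request to confirm the radio really went away. The sample status-page text is constructed (the MAC addresses are made up), and the assumption that the page may be wrapped in HTML is just that, an assumption, which is why tags are stripped before parsing.

```python
"""Check the SonosNet radio state and drive the wifictrl endpoint above.

Added example, not Sonos software: it uses only the three URLs from the post.
The ifconfig text below is constructed to look like the status page; the real
page is assumed to be an ifconfig dump possibly wrapped in HTML, so tags are
stripped before parsing.
"""
import re
import urllib.request

PORT = 1400
WIFI_MODES = ("on", "off", "persist-off")   # the three values the post documents


def status_url(ip: str) -> str:
    return f"http://{ip}:{PORT}/status/ifconfig"


def wifictrl_url(ip: str, mode: str) -> str:
    if mode not in WIFI_MODES:
        raise ValueError(f"unknown wifi mode {mode!r}, expected one of {WIFI_MODES}")
    return f"http://{ip}:{PORT}/wifictrl?wifi={mode}"


def interfaces(page_text: str) -> list:
    """Interface names from an ifconfig dump: the token at column 0 of each block."""
    plain = re.sub(r"<[^>]+>", "", page_text)            # drop any HTML wrapping
    return re.findall(r"^([A-Za-z][\w.:-]*)\s", plain, flags=re.M)


def wifi_link_present(page_text: str) -> bool:
    """True while the Atheros radio (ath0) is still up."""
    return "ath0" in interfaces(page_text)


def fetch(url: str, timeout: float = 5.0):
    """GET a player URL; returns (HTTP status, body). Needs LAN access to the player."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


def set_wifi(ip: str, mode: str) -> bool:
    """Issue the wifictrl request and confirm the result on the status page.

    Returns True when the status page agrees with the requested mode
    (ath0 gone for 'off'/'persist-off', present for 'on').
    """
    status, body = fetch(wifictrl_url(ip, mode))
    if status != 200 or "succeeded" not in body:       # post: "wifictrl request succeeded"
        raise RuntimeError(f"wifictrl returned {status}: {body[:80]!r}")
    _, page = fetch(status_url(ip))
    return wifi_link_present(page) == (mode == "on")


# Constructed sample of the status page with WiFi still on (MACs are made up).
SAMPLE_WIFI_ON = """\
<pre>
br0       Link encap:Ethernet  HWaddr 02:00:00:00:00:01
          inet addr:192.168.1.27  Bcast:192.168.1.255  Mask:255.255.255.0
eth0      Link encap:Ethernet  HWaddr 02:00:00:00:00:01
eth1      Link encap:Ethernet  HWaddr 02:00:00:00:00:02
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
ath0      Link encap:Ethernet  HWaddr 02:00:00:00:00:03
</pre>
"""

# The same page after wifi=off: the ath0 block is gone.
SAMPLE_WIFI_OFF = re.sub(r"^ath0.*\n", "", SAMPLE_WIFI_ON, flags=re.M)

if __name__ == "__main__":
    import sys
    ip = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.27"   # address from the post's example
    print("radio up before:", wifi_link_present(fetch(status_url(ip))[1]))
    print("off confirmed:", set_wifi(ip, "off"))
```

Run it with the player's address as the only argument. It uses the non-persistent "off" by default so a mistake is undone by a power cycle, exactly as the post advises; pass "persist-off" to set_wifi once you are happy.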

Impact on power consumption

I measured the power consumption of several players with a wattmeter accurate to +/- 0.5 W. Turning off the WiFi link reduces the power draw of the players by about 2 W. Here are the results measured with the players idle:

Player    WiFi on    WiFi off
Play:5    6.5 W      4.5 W
Connect   4 W        2 W

Unifi Sonos and VLANs


For the security-conscious out there, you may have split your home network into VLANs. If you've found this page by searching, you probably already know what a VLAN is and what it is for.

At home I have split my network into 4 VLANs.

VLAN1 - Main data VLAN for all my devices
VLAN40 - VLAN for guests to use
VLAN60 - Security VLAN: CCTV, alarms etc.
VLAN80 - IoT devices: Z-Wave, Zigbee, Sonos, home automation etc.

The idea of keeping IoT devices on a separate VLAN from other devices is mainly for security. Many IoT devices are easy to compromise, and if that happens the attacker can only reach other devices on VLAN80, not the rest of my network.

Anyway, this post explains how to get the Sonos devices on VLAN80 to communicate with the controllers (iPhone, iPad, PC) on VLAN1. Sonos discovery relies on multicast, which does not cross VLANs on its own, so the USG has to forward it between the two.

With Unifi we need to enable igmp-proxy. To set it up, SSH onto the USG and enter the following commands:

configure
edit protocols igmp-proxy
set interface eth1.80 role downstream
set interface eth1.80 threshold 1
set interface eth1.80 alt-subnet 0.0.0.0/0
set interface eth1 role upstream
set interface eth1 threshold 1
set interface eth1 alt-subnet 0.0.0.0/0
exit
commit
save

eth1.80 = the VLAN interface of the Sonos devices (IoT); eth1 = VLAN1, the main data VLAN with the Sonos controllers on it. Note that alt-subnet 0.0.0.0/0 tells igmp-proxy to accept multicast from any source address on that interface; it is the simplest setting to get working, and you can narrow it to your actual VLAN subnets once it does.

I recommend restarting the igmp-proxy service on the USG. To do so, enter the command

restart igmp-proxy

Once it is set, you will have to re-configure the Sonos devices with the controller.

With Unifi, CLI changes made on the USG aren't persistent: the next re-provision from the controller overwrites them. To make the changes stick we need to use a config.gateway.json file.

Its location (for a controller installed on Windows) is

C:\users\%username%\Ubiquiti Unifi\data\sites\default\

Create or edit the config.gateway.json file and enter the below. It must be valid JSON, as the controller merges it into the USG configuration on every provision:

{
    "protocols": {
        "igmp-proxy": {
            "interface": {
                "eth1": {
                    "role": "upstream",
                    "threshold": "1",
                    "alt-subnet": "0.0.0.0/0"
                },
                "eth1.80": {
                    "role": "downstream",
                    "threshold": "1",
                    "alt-subnet": "0.0.0.0/0"
                }
            }
        }
    }
}

Obviously change the interface and VLAN numbers to whatever yours are.
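The JSON above is the same configuration as the CLI commands earlier in this post, written in the notation the controller expects. The following Python, an added example and not Ubiquiti's code, builds both from one description so the two never drift apart, and checks that the file parses before it goes into the controller's data folder. eth1 and eth1.80 mirror the post; the interface-name pattern is my own sanity check, not a USG rule.

```python
"""Generate the igmp-proxy section for config.gateway.json and its CLI twin.

Added example, not Ubiquiti code. It shows that the JSON file is just the
'set' tree in another notation, builds both from one description, and checks
the file parses before you put it in the controller's data/sites/default
folder. eth1 and eth1.80 mirror the post; pass your own interface names.
"""
import json
import re

# eth<N> or eth<N>.<vlan id>; anything else is almost certainly a typo.
# (Our own pre-flight check, not something the USG enforces.)
IFACE_RE = re.compile(r"^eth\d+(\.\d{1,4})?$")


def igmp_proxy_config(upstream: str, downstreams, alt_subnet: str = "0.0.0.0/0") -> dict:
    """Build the dict that becomes config.gateway.json.

    upstream     - interface where the Sonos controllers live (eth1 in the post)
    downstreams  - interfaces with the speakers (eth1.80 in the post)
    alt_subnet   - source networks accepted for multicast; 0.0.0.0/0 means any
    """
    for name in [upstream, *downstreams]:
        if not IFACE_RE.match(name):
            raise ValueError(f"unexpected interface name {name!r}")
    if upstream in downstreams:
        raise ValueError("an interface cannot be both upstream and downstream")
    iface = {upstream: {"role": "upstream", "threshold": "1", "alt-subnet": alt_subnet}}
    for d in downstreams:
        iface[d] = {"role": "downstream", "threshold": "1", "alt-subnet": alt_subnet}
    return {"protocols": {"igmp-proxy": {"interface": iface}}}


def to_json(cfg: dict) -> str:
    """The text to save as config.gateway.json."""
    return json.dumps(cfg, indent=4) + "\n"


def to_set_commands(cfg: dict) -> list:
    """The equivalent 'set ...' lines, typed at the top level of 'configure'."""
    lines = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, path + [key])
        else:
            lines.append("set " + " ".join(path) + " " + str(node))

    walk(cfg, [])
    return lines


def file_is_usable(text: str) -> bool:
    """Cheap pre-flight for a config.gateway.json: valid JSON with an igmp-proxy section."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError:
        return False
    return isinstance(data, dict) and "igmp-proxy" in data.get("protocols", {})


if __name__ == "__main__":
    cfg = igmp_proxy_config("eth1", ["eth1.80"])
    print(to_json(cfg))
    print("\n".join(to_set_commands(cfg)))
```

The set lines it prints carry the full path (set protocols igmp-proxy interface ...), which is what the post's "edit protocols igmp-proxy" block types relatively; both forms produce the same configuration. If you already have a config.gateway.json with other sections, merge the "protocols" key into it rather than replacing the file.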

Troubleshooting

OK, well this didn't really work straight away for me.

To check that IGMP proxying is working you can issue the following commands at the USG's operational prompt (not inside configure):

show ip multicast mfc

and

show ip multicast interfaces 

These show any multicast traffic, its source, and where it is being forwarded. For example:

[Screenshot: output of show ip multicast mfc and show ip multicast interfaces]

On the top half you can see the source, and that some data is going from eth1 to eth1.80. However, the output of show ip multicast interfaces shows no multicast data coming into the eth1.80 interface; it seems to be going out on eth1 and into eth1.60. To resolve this I had to issue the restart igmp-proxy command to restart the service. A USG re-provision didn't work.

For creating the firewall rules, see this post - Sonos, Unifi, Firewalls & VLANs.