tl;dr — don’t forget to allow PTPv2 (319/udp) between your VLANs, especially if you have your Sonos devices separated from your audio sources
As the title implies, I’m on at least my third (internal) revision of my firewall rules since having segmented my home network into a number of VLANs. I’ll write another post on the network layout itself, but suffice to say I have the following VLANs with associated class C subnets:
For the record, I actually have more VLANs than these but they’re not relevant to this post.
For reference, I’m running a Ubiquiti stack including the UniFi Dream Machine Pro (UDM Pro), which hosts its own instance of the UniFi controller. All my hardware and controller software is up-to-date as of this post, so I hope this configuration works for others in similar situations. I can write another post on setting up VLANs if the internet needs yet-another-blog on VLANs.
I ended up creating three different flavors of firewall groups, with the following naming conventions:
- App-specific rules: these take the form of “App/protocol/target” to help me keep them straight. For example, “Sonos/tcp/dst” is the group for Sonos TCP ports that need to be allowed on the destination VLAN.
- Network-specific rules: these generally match the subnets of my VLANs but I also have a global “Private” rule for matching any LAN IP.
- Port-specific rules: these take the form of “Service/protocol” for services that need to be allowed between VLANs that aren’t specific to an application.
Prior to today, I had the following groups from the previous two revisions for Sonos:
- Sonos/tcp/src: 1443
- Sonos/tcp/dst: 3500, 3400, 3401, 445, 554, 3445, 3689, 4070, 4444, 1443, 3405, 3501
- Sonos/udp/src: 1900-1905, 136-139, 6969, 48000-65535
- Sonos/udp/dst: 136-139, 554, 1900-1905, 6969, 5353, 43674, 43761, 43418
Additionally, I had a couple groups for my Plex server:
- Plex/udp/dst: 1900, 32410-32414, 14645
- Plex/tcp/dst: 32400, 32469
These groups then get remixed into a number of firewall rules, all under “LAN In.” My first rule is a blanket
ANY --> ANY: allow established
followed by a permissive
Personal --> ANY: allow all
to allow trusted devices from my “Personal” VLAN to access devices on any of the other VLANs. At the bottom of the list (before the built-in rules), I have a blanket
ANY --> ANY: block all
that drops any remaining traffic, effectively isolating the VLANs by default.
In between those bookends, I have a number of allowances between my IoT VLAN (which houses all my Sonos devices) and my Personal VLAN (which includes all the media devices):
- allow Sonos/tcp/src from IoT to Personal
- allow Sonos/ucp/src from IoT to Personal
- allow IoT to Sonos/tcp/dst on Personal
- allow IoT to Sonos/udp/dst on Personal
- allow IoT to Plex/tcp/dst on Personal
- allow IoT to Plex/udp/dst on Personal
Clearly these could be tightened up but they’re good enough for now as I continue to debug connectivity issues caused by the network segmentation.
I’ve been fighting an intermittent issue where I couldn’t AirPlay audio from my phone (or another Personal device) to my Sonos Amp, which we only use occasionally. The bizarre part of the issue was that both the phone and Sonos thought that they were playing audio but no sound would come out of the speakers.
On a hunch, I figured it worked because of the ESTABLISHED rule but didn’t know what traffic was getting dropped (thereby preventing audio). A quick look in the UDM Pro firewall log (
/var/log/messages) showed this entry over and over:
user.warn kernel: IN=<IoT VLAN> OUT=<Personal VLAN> SRC=<Sonos Amp> DST=<iPhone> LEN=72 TOS=0x00 PREC=0x00 TTL=63 ID=18693 DF PROTO=UDP SPT=319 DPT=319 LEN=52
Wireshark confirmed the traffic and saved me the trouble of Googling the port number and protocol: Precision Time Protocol v2 (PTPv2), 319/udp. I can rationalize this after the fact: if the devices can’t negotiate a time reference, the audio may not be properly synchronized (or even decoded).
Thankfully, the organization I had above made this a quick fix. I added a “PTPv2/udp” group that included port 319 and then used that group in a new firewall rule:
IoT --> Personal: allow PTPv2 (319/udp)
where I allow traffic between 319/udp on the two VLANs. (Note that the Personal –> IoT path is covered by the blanket ALLOW from above).
I hope this saves someone from a similar headache when trying to mix Sonos and VLANs. Special thanks to everyone who put together previous posts from which I sourced my original list of ports and protocols.
I’ll get some links in here soon for posterity.
Edit: Sources added below
- Latest ports and protocols: https://www.reddit.com/r/Ubiquiti/comments/gu19sa/iot_vlan_settings_specific_to_sonos/
- Multicast Relay container: https://nerdygeek.uk/2020/06/09/a-tip-for-sonos-and-unifi-udm-pro-users/