Firewall Rules for VLANs, v0.3

tl;dr — don’t forget to allow PTPv2 (319/udp) between your VLANs, especially if you have your Sonos devices separated from your audio sources

As the title implies, I’m on at least my third (internal) revision of my firewall rules since having segmented my home network into a number of VLANs. I’ll write another post on the network layout itself, but suffice to say I have the following VLANs with associated class C subnets:

  • Personal
  • Work
  • IoT
  • Guest

For the record, I actually have more VLANs than these but they’re not relevant to this post.

Prerequisites

For reference, I’m running a Ubiquiti stack including the UniFi Dream Machine Pro (UDM Pro), which hosts its own instance of the UniFi controller. All my hardware and controller software is up-to-date as of this post, so I hope this configuration works for others in similar situations. I can write another post on setting up VLANs if the internet needs yet-another-blog on VLANs.

Firewall Groups

I ended up creating three different flavors of firewall groups, with the following naming conventions:

  • App-specific rules: these take the form of “App/protocol/target” to help me keep them straight. For example, “Sonos/tcp/dst” is the group for Sonos TCP ports that need to be allowed on the destination VLAN.
  • Network-specific rules: these generally match the subnets of my VLANs but I also have a global “Private” rule for matching any LAN IP.
  • Port-specific rules: these take the form of “Service/protocol” for services that need to be allowed between VLANs that aren’t specific to an application.

Prior to today, I had the following groups from the previous two revisions for Sonos:

  • Sonos/tcp/src: 1443
  • Sonos/tcp/dst: 3500, 3400, 3401, 445, 554, 3445, 3689, 4070, 4444, 1443, 3405, 3501
  • Sonos/udp/src: 1900-1905, 136-139, 6969, 48000-65535
  • Sonos/udp/dst: 136-139, 554, 1900-1905, 6969, 5353, 43674, 43761, 43418

Additionally, I had a couple groups for my Plex server:

  • Plex/udp/dst: 1900, 32410-32414, 14645
  • Plex/tcp/dst: 32400, 32469

Firewall Rules

These groups then get remixed into a number of firewall rules, all under “LAN In.” My first rule is a blanket

ANY --> ANY: allow established

followed by a permissive

Personal --> ANY: allow all

to allow trusted devices from my “Personal” VLAN to access devices on any of the other VLANs. At the bottom of the list (before the built-in rules), I have a blanket

ANY --> ANY: block all

that drops any remaining traffic, effectively isolating the VLANs by default.

In between those bookends, I have a number of allowances between my IoT VLAN (which houses all my Sonos devices) and my Personal VLAN (which includes all the media devices):

  • allow Sonos/tcp/src from IoT to Personal
  • allow Sonos/udp/src from IoT to Personal
  • allow IoT to Sonos/tcp/dst on Personal
  • allow IoT to Sonos/udp/dst on Personal
  • allow IoT to Plex/tcp/dst on Personal
  • allow IoT to Plex/udp/dst on Personal

Clearly these could be tightened up but they’re good enough for now as I continue to debug connectivity issues caused by the network segmentation.

WTF

I’ve been fighting an intermittent issue where I couldn’t AirPlay audio from my phone (or another Personal device) to my Sonos Amp, which we only use occasionally. The bizarre part of the issue was that both the phone and Sonos thought that they were playing audio but no sound would come out of the speakers.

On a hunch, I figured it worked because of the ESTABLISHED rule but didn’t know what traffic was getting dropped (thereby preventing audio). A quick look in the UDM Pro firewall log (/var/log/messages) showed this entry over and over:

user.warn kernel: IN=<IoT VLAN> OUT=<Personal VLAN> SRC=<Sonos Amp> DST=<iPhone> LEN=72 TOS=0x00 PREC=0x00 TTL=63 ID=18693 DF PROTO=UDP SPT=319 DPT=319 LEN=52

Wireshark confirmed the traffic and saved me the trouble of Googling the port number and protocol: Precision Time Protocol v2 (PTPv2), 319/udp. I can rationalize this after the fact: if the devices can’t negotiate a time reference, the audio may not be properly synchronized (or even decoded).
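The triage above (read the dropped-packet entries, then check the destination port against the groups already defined under Firewall Groups) can be scripted. This is an added example, not code from the original post; the interface names and addresses in the sample log lines are constructed, and the port lists are the ones transcribed from the post.

```python
import re
from collections import Counter

# Destination-side port groups as listed in the post; ranges are inclusive.
GROUPS = {
    ("tcp", "Sonos/tcp/dst"): "3500,3400,3401,445,554,3445,3689,4070,4444,1443,3405,3501",
    ("udp", "Sonos/udp/dst"): "136-139,554,1900-1905,6969,5353,43674,43761,43418",
    ("tcp", "Plex/tcp/dst"): "32400,32469",
    ("udp", "Plex/udp/dst"): "1900,32410-32414,14645",
}

def parse_ports(spec):
    """Expand a group spec such as '136-139,554' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

PORT_SETS = {name: parse_ports(spec) for (_, name), spec in GROUPS.items()}
PROTO_OF = {name: proto for (proto, name) in GROUPS}

# KEY=VALUE pairs of a netfilter kernel log line; flags like DF or SYN have no '='.
FIELD = re.compile(r"(\w+)=(\S*)")

def parse_drop(line):
    """Return the KEY=VALUE fields of one kernel log line as a dict."""
    return dict(FIELD.findall(line))

def uncovered_flows(lines):
    """Count dropped flows whose (protocol, dst port) is in none of the dst groups."""
    counts = Counter()
    for line in lines:
        f = parse_drop(line)
        if "PROTO" not in f or "DPT" not in f:
            continue  # ICMP or truncated entries carry no port
        proto, dpt = f["PROTO"].lower(), int(f["DPT"])
        covered = any(dpt in PORT_SETS[n] for n in PORT_SETS if PROTO_OF[n] == proto)
        if not covered:
            counts[(f["IN"], f["OUT"], proto, dpt)] += 1
    return counts

# Constructed sample in the same shape as the /var/log/messages entry above.
SAMPLE_LOG = """\
user.warn kernel: IN=br30 OUT=br10 SRC=192.0.2.40 DST=198.51.100.20 LEN=72 TOS=0x00 PREC=0x00 TTL=63 ID=18693 DF PROTO=UDP SPT=319 DPT=319 LEN=52
user.warn kernel: IN=br30 OUT=br10 SRC=192.0.2.40 DST=198.51.100.20 LEN=72 TOS=0x00 PREC=0x00 TTL=63 ID=18694 DF PROTO=UDP SPT=319 DPT=319 LEN=52
user.warn kernel: IN=br30 OUT=br10 SRC=192.0.2.40 DST=198.51.100.20 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=TCP SPT=51002 DPT=1443 WINDOW=0 RES=0x00 SYN URGP=0
"""

if __name__ == "__main__":
    for (inp, out, proto, dpt), n in uncovered_flows(SAMPLE_LOG.splitlines()).most_common():
        print(f"{inp} -> {out} {proto}/{dpt}: {n} drops, no matching group")
```

Run it against the actual UDM Pro log (for example, `grep 'kernel:' /var/log/messages`) and the top line of the output is the port that still needs a group and a rule.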

The Fix

Thankfully, the organization I had above made this a quick fix. I added a “PTPv2/udp” group that included port 319 and then used that group in a new firewall rule:

IoT --> Personal: allow PTPv2 (319/udp)

which allows 319/udp traffic from the IoT VLAN to the Personal VLAN. (Note that the Personal --> IoT path is already covered by the blanket "Personal --> ANY: allow all" rule from above.)

I hope this saves someone from a similar headache when trying to mix Sonos and VLANs. Special thanks to everyone who put together previous posts from which I sourced my original list of ports and protocols. I’ll get some links in here soon for posterity.

Edit: Sources added below

Sources

Published by jonbackhaus

Foodie, hacker, craftsman, budding audiophile. Tweets are my own.
