PIMD configuration help (2024)


Stan:


    New to pfSense and PIMD. Have Data and Sonos VLANs and Admin not as VLAN. Objective is to have phones on Data and Sonos system on Sonos. Ethernet connection to Sonos Boost is only link, but Boost and speakers all have IP addresses.
    History of frustration: Started with Unifi USG and JSON file which worked, but only sporadically. Moved to Untangle which has no support for IGMP, so put phones on Sonos network. Decided to give pfSense a try as a virtual machine, using version 2.4.5-p1. Turned on IGMP, moved phone to Data net, and Sonos worked like a charm. I was ecstatic and decided to load pfSense on hardware where Untangle had been, but I installed 2.5.0. Turned on IGMP and Sonos can't be found from Data net. Enough venting.
    Search led to PIMD. Installed package, but have no idea how to set it up. Enabled, selected Bind to All, Selected Data and Sonos as interfaces. BSR Candidates are Sonos, Data and Admin, with priorities 1,2,3, respectively. RP Candidates are the same three with the same priorities. Doesn't work.
    I don't understand BSR or RP. Any help would be appreciated.


    Stan:


      I should have added that I have new firewall rules passing both PIM and IGMP protocols on both the Data and Sonos networks, in each case with "Allow IP options" checked.


      girkers:


        I had a similar problem when using my Chromecasts and looking around it was a familiar issue with Sonos users as well.

        My search led me to this: udpbroadcastrelay and it is simple and easy to use.

        There is currently no Package for it, but someone has raised a feature request for it.

        If you want to stick with a "package" you could also try Avahi which is much simpler than PIMD.

        Hope this is of some help.

        Girkers


        Stan:


          Girkers, thanks for mentioning Avahi. I had already tried that and it hadn't worked, so I disabled that to try PIMD. Your suggestion caused me to revisit Avahi. It didn't initially work, but this time I had more patience. It did work after 30 seconds or so. I guess I was just too impatient the first time.


          Stan:


            Oh great. I killed the firewall rules to see if they were necessary with Avahi, and it stopped working. I added them back in and it's still not working. Talk about fickle.


            girkers @Stan:


              @stan

              I was not getting great satisfaction from Avahi either and that is why I eventually went to udpbroadcastrelay, it is simple and works.

              With my firewall rules I turn on logging and you can actually see it working.

              Have a look at this post as it has a binary to try: https://forum.netgate.com/post/936902

              Hope it works out for you.

              Cheers,

              Girkers


              Stan:


                Girkers, thanks for your continuing support. I hope you're having a happy Christmas Day. My day is made happier because Sonos is working across networks again. I decided to take a look at my Unifi networks and access points. I made sure that the access points had Multicast Enhancement turned on and that the relevant networks had IGMP Snooping turned on. I made one change, and I can't remember for sure what it was, but it might have been Multicast Enhancement on one of the access points. It's now working with Avahi. So I wanted to leave this information available to anyone who stumbles across this post.
                I plan to disable the new firewall rules one-by-one to see what breaks it, so I may be back. But I now feel more confident that I can recover if I break something.


                Stan:


                  Spoke too soon. It quit working before I had a chance to make any configuration changes. Fickle.


                  tman222 @Stan:


                    @stan said in PIMD configuration help:

                    Spoke too soon. It quit working before I had a chance to make any configuration changes. Fickle.

                    I would also recommend giving udpbroadcastrelay a try, it's fairly straightforward to setup (less complexity than PIMD). I don't think Sonos will work with just Avahi. Hope this helps.


                    Stan:


                      Girkers and tman222, thanks again for your help and suggestions. I was about to go down the "udpbroadcastrelay" route when I decided to reboot pfSense. Rebooting was the important step that I neglected to do before.

                      For anyone interested in the details, I have a lot of ports open from my Sonos net to my secure net. See https://forum.netgate.com/topic/139218/sonos-speakers-and-applications-on-different-subnets-vlan-s/176. Check June 21, 2020 from BCinBC. I plan to begin closing ports to see how far I can get before breaking the solution.

                      I'm using PIMD: General tab, bind to all and everything else default; Interfaces tab, disable unwanted nets; BSR Candidates, default priority 5; RP Candidates, default priority 20; RP Addresses, none. Seven groups active in Status.

                      I'll probably change the General tab to bind to none and enable desired interfaces. Also, I added the 5 and 20 priorities during my lengthy journeys, but I'll probably delete them. Avahi is enabled, but I doubt that it's providing any benefit. I may try disabling it.

                      Final (I hope) word. After setting up PIMD, remember to reboot pfSense.


                      Stan:


                        Final addendum: I made the changes suggested above, i.e., changed PIMD General tab to bind to none and on Interfaces tab enabled desired nets, and removed priorities from BSR Candidates and RP Candidates tabs. In addition, I disabled my firewall rules for the Sonos TCP and UDP ports.

                        The Sonos app still works, even after closing it in iOS and re-opening it. (Not sure I'd have the same result for a new installation of the Sonos app.)

                        I also disabled Avahi. So I seem to be relying only on PIMD.


                        iHaveAstream @Stan:


                          @stan

                          I'd like to make UPnP work across (two) VLANs and found this thread.
                          Basically there is my NAS in VLAN20 on which Twonky Server runs as a mediaserver.
                          In VLAN40 there is BubbleUPnP Server and some UPnP clients. Servers/Clients across those VLANs can basically "see" each other.
                          VLANs are not managed on pfSense but my Switch (if this might be important?).

                          Currently I can only "see" the clients (Media Renderers) in BubbleUPnP Server, so those in same VLAN, but not my NAS which is the Media Server (via Twonky) and this is what I'd like to see here as well. I think PIMD would be the right tool to achieve this.

                          I've already installed current PIMD package on my pfSense 2.5.2 but I'm not sure about its correct config and I'm also not sure which FW rules to set manually (I'm not using "any allow" under LAN rules).

                          If you could help me a bit, I'd be more than happy.

                          Cheers!


                          Stan:


                            @iHaveAstream
                            I try to avoid UPnP, since it may open ports from the WAN on my firewall. Because of that, I'm not familiar with using UPnP to accomplish connectivity between subnets. Regarding PIMD, I just use the default settings.
                            Your post prompts me to update my "final addendum", because I had some new issues to resolve. I'm not sure if what I say there will help your situation. I'll post later today.


                            Stan:


                              In a "final" final addendum, I thought I'd add some further observations, in order to address issues encountered since my final addendum.

                              As others have said, I think the problems and solutions are very dependent on the hardware and software being used, so here is my setup:

                              I'm using Unifi switches and Access Points, and running pfSense directly on Protectli hardware. I have a Sonos "Boost". There is an ethernet connection to the Boost, and all the 14 speakers are connected wirelessly through the Boost.

                              I have several VLANs, but the relevant ones are Data, Sonos, and Guests. Data is where my computers and iOS devices live. Sonos is where the Sonos Boost and speakers are. Guest is for my guest network, which is available only through the wireless access points.

                              My objective is to access the speakers from a Sonos Controller on the Data or Guest networks. That was working on the Data network, until I decided to add a VPN to my pfSense router. I was still able to connect the Sonos app with the speakers, but not instantly and the connection would frequently drop after a while.

                              Before addressing router settings, I'll mention Unifi settings. First, make sure that the relevant wireless networks (on Unifi APs) are set up as follows:
                              At “Multicast and Broadcast Filtering”, uncheck the box “Block LAN to WLAN Multicast and Broadcast Data”.
                              At “Multicast Enhancement”, check the box “Enable multicast enhancement (IGMPv3)”.
                              Guest Network: If access is from a guest network, make sure the Guest Access Control isn’t restricting the IP addresses that are needed (see below). On Unifi, the Post-Authorization Restrictions seem to override the Pre-Authorization Access. Delete the default Post-Authorization Restrictions (RFC 1918) and use pfSense for those restrictions. Although I haven't tested whether it's necessary, I added my Sonos System to the Pre-Authorization access (as well as my Printer network).

                              Using pfSense, I’m running PIMD. The PIMD settings don’t seem to make much difference. Defaults are OK. That had been working until (I think) I installed an Open VPN client on the firewall for a subset of the Data network and all of the Guest network.

                              @baf on a different thread "https://forum.netgate.com/topic/139218/sonos-speakers-and-applications-on-different-subnets-vlan-s/169" provided a key. Thanks @baf.

                              The resulting rule for Open VPN presumably prevented transmission to 224.0.0.0/24 (MDNS) and 239.255.255.250:1900 (SSDP), since it directs everything that gets to the rule to the Open VPN address and effectively blocks internal traffic. (This behavior is different from a rule which uses the default WAN address under advance settings, which doesn’t block internal traffic.)

                              The Sonos speakers are grouped under an alias named Sonos System. I had previously added rules for Sonos TCP and UDP ports from the Sonos System, to pass traffic with those ports to Data and Guest, and on the Guest network, to pass traffic to the Sonos System. The Data network is open, except for the Open VPN rule.

                              To make the Sonos app work on the Data and Guest networks, I added additional pass rules to the Data, Sonos and Guest networks to pass traffic to 224.0.0.0/24 (IGMP) and to 239.255.255.250:1900 (UDP). These addresses are presumably blocked by the rule directing traffic to the Open VPN client. (224.0.0.251:5353 (UDP) did not work. The Sonos app opened, but it soon lost connection.)

                              I had added VPN to the Sonos VLAN because I would use iOS devices there. But my plan now is to remove VPN from Sonos, and so the additional rules in the previous paragraph may not be needed there. (I assume my rule on RFC 1918 private addresses will not block the addresses passed by those rules.)

                              I hope this will be of use to someone.

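The post above keeps returning to two multicast destinations, 239.255.255.250:1900 (SSDP, which the Sonos app uses to find players) and 224.0.0.251:5353 (mDNS), and to whether a rule that redirects traffic into an OpenVPN gateway swallows them. The following is an added example, not code from the thread or from Netgate, showing what actually crosses the wire: it builds the SSDP M-SEARCH a controller sends, parses the unicast reply a player returns, and classifies each multicast group by scope, which is the quick check for whether a multicast router such as PIMD can forward it at all (224.0.0.0/24, which contains mDNS, is link-local and is never routed; 239.0.0.0/8, which contains SSDP, is). The search target `SONOS_ST` and the sample reply are assumptions constructed for the example; `discover()` needs a real network and is only run from `__main__`.

```python
"""SSDP / multicast-scope checks for Sonos across VLANs (added example)."""
import ipaddress
import socket

SSDP_GROUP = "239.255.255.250"
SSDP_PORT = 1900
# Search target Sonos players answer to (assumption for this example).
SONOS_ST = "urn:schemas-upnp-org:device:ZonePlayer:1"


def build_msearch(st: str = SONOS_ST, mx: int = 1) -> bytes:
    """HTTPU M-SEARCH request; CRLF line endings and a trailing blank line are mandatory."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_GROUP}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(raw: bytes) -> dict:
    """Parse an SSDP reply into lowercase header keys; reject a non-200 reply."""
    text = raw.decode("utf-8", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        headers[key.strip().lower()] = value.strip()
    headers["_status"] = status
    if status.startswith("HTTP/1.1") and "200" not in status:
        raise ValueError(f"unexpected SSDP status: {status}")
    return headers


def multicast_scope(addr: str) -> str:
    """Classify an IPv4 group the way a multicast router treats it."""
    ip = ipaddress.IPv4Address(addr)
    if not ip.is_multicast:
        return "not multicast"
    if ip in ipaddress.IPv4Network("224.0.0.0/24"):
        # Local Network Control Block: sent with TTL 1, never forwarded by any router.
        return "link-local (never routed; mDNS 224.0.0.251 lives here)"
    if ip in ipaddress.IPv4Network("239.0.0.0/8"):
        return "administratively scoped (routable inside the site; SSDP 239.255.255.250 lives here)"
    return "global scope (routable)"


def discover(timeout: float = 2.0) -> list[dict]:
    """Send one M-SEARCH and collect replies; needs a real network and UDP 1900 pass rules."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 4)  # allow a few router hops
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), (SSDP_GROUP, SSDP_PORT))
    found = []
    try:
        while True:
            data, peer = sock.recvfrom(4096)
            reply = parse_ssdp_response(data)
            reply["_peer"] = peer[0]
            found.append(reply)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


# Constructed sample reply (not a capture), shaped like what a player returns.
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age = 1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.0.2.10:1400/xml/device_description.xml\r\n"
    b"SERVER: Linux UPnP/1.0 Sonos/00.0-00000 (ZPS1)\r\n"
    b"ST: urn:schemas-upnp-org:device:ZonePlayer:1\r\n"
    b"USN: uuid:RINCON_000000000000::urn:schemas-upnp-org:device:ZonePlayer:1\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for group in ("224.0.0.251", "239.255.255.250", "224.0.0.22"):
        print(group, "->", multicast_scope(group))
    for reply in discover():
        print(reply["_peer"], reply.get("location"))
```

Run it from a host on the Data VLAN: a player showing up in `discover()` with a LOCATION on the Sonos VLAN proves the SSDP request crossed the router and the unicast reply came back through the firewall; nothing showing up while `multicast_scope` says the group is routable points at the rule set or the PIMD interface list, not at the protocol.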

                                Stan:


                                @iHaveAstream
                                Some further thoughts about your situation. Using a switch to create VLANs and UPnP for connectivity has a certain attraction as being elegantly simple. However, if you're already running pfSense, I think you would have more effective control and fewer problems by adding the VLANs to pfSense, using firewall rules to accomplish your goals, and disabling UPnP. That would also avoid security issues associated with UPnP.


                                  Stan:


                                  In reviewing my posts above, specifically the 12/27/20 final addendum, I need to add a correction. I am again using multiple UDP and TCP ports. While it was working at the time, it later stopped working. Maybe there were some "states" that stayed open for a while. Here are the ports I'm using (defined as aliases):
                                  TCP:
                                  80
                                  443
                                  445
                                  3400:3401
                                  3445
                                  3500
                                  4070
                                  4444
                                  1400
                                  1443
                                  7000
                                  8080
                                  5000:5001

                                  For the Guest network, I also use TCP 32000:49152, to enable Airplay.

                                  UDP:
                                  136:139
                                  1900:1901
                                  2869
                                  10243
                                  10280:10284
                                  5353
                                  6969
                                  3722
                                  319:320
                                  49152:65535

                                  Also, I am running Avahi, which enables guest access to the Sonos speakers from the Spotify app.

                                  I'm sure the number of ports is overkill, but I haven't gone through the process of reducing ports to see what breaks.

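Before removing entries from those aliases one at a time, it helps to know how much of the port space they really open; "49152:65535" alone is more than a quarter of UDP. The following is an added example, not code from the thread or from pfSense, that parses the alias notation used above ("3400:3401" for a range, "1400" for a single port), merges overlapping ranges, counts the ports a pass rule exposes, and answers whether a given port is covered. The alias contents are copied from the post; the name `GUEST_AIRPLAY_TCP` and the `audit()` output format are assumptions for the example.

```python
"""Measure the exposure of pfSense port aliases before trimming them (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortRange:
    lo: int
    hi: int

    def __contains__(self, port: int) -> bool:
        return self.lo <= port <= self.hi


def parse_alias(entries: list[str]) -> list[PortRange]:
    """Turn pfSense port-alias entries ("80", "3400:3401") into validated ranges."""
    ranges = []
    for entry in entries:
        lo, _, hi = entry.partition(":")
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not (1 <= lo_i <= hi_i <= 65535):
            raise ValueError(f"bad port entry: {entry!r}")
        ranges.append(PortRange(lo_i, hi_i))
    return ranges


def merge(ranges: list[PortRange]) -> list[PortRange]:
    """Collapse overlapping or adjacent ranges so the audit reports real exposure."""
    merged: list[PortRange] = []
    for r in sorted(ranges, key=lambda r: r.lo):
        if merged and r.lo <= merged[-1].hi + 1:
            merged[-1] = PortRange(merged[-1].lo, max(merged[-1].hi, r.hi))
        else:
            merged.append(r)
    return merged


def ports_open(ranges: list[PortRange]) -> int:
    """Number of distinct ports a pass rule using these ranges admits."""
    return sum(r.hi - r.lo + 1 for r in merge(ranges))


def allowed(ranges: list[PortRange], port: int) -> bool:
    return any(port in r for r in ranges)


# The aliases exactly as listed in the post above; Guest adds TCP 32000:49152 for AirPlay.
SONOS_TCP = ["80", "443", "445", "3400:3401", "3445", "3500", "4070", "4444",
             "1400", "1443", "7000", "8080", "5000:5001"]
SONOS_UDP = ["136:139", "1900:1901", "2869", "10243", "10280:10284", "5353",
             "6969", "3722", "319:320", "49152:65535"]
GUEST_AIRPLAY_TCP = ["32000:49152"]


def audit(name: str, entries: list[str]) -> dict:
    """Summarise one alias: entry count, distinct ports opened, merged ranges."""
    ranges = parse_alias(entries)
    return {
        "alias": name,
        "entries": len(entries),
        "ports_open": ports_open(ranges),
        "merged": [f"{r.lo}-{r.hi}" if r.lo != r.hi else str(r.lo) for r in merge(ranges)],
    }


if __name__ == "__main__":
    for name, entries in (("SONOS_TCP", SONOS_TCP), ("SONOS_UDP", SONOS_UDP),
                          ("GUEST_TCP", SONOS_TCP + GUEST_AIRPLAY_TCP)):
        print(audit(name, entries))
    # SSDP and mDNS are the two ports the whole thread keeps coming back to.
    udp = parse_alias(SONOS_UDP)
    print("SSDP 1900 allowed:", allowed(udp, 1900), " mDNS 5353 allowed:", allowed(udp, 5353))
```

The numbers make the trade-off concrete: the TCP alias opens 15 ports, the UDP alias opens 16402 of which 16384 come from the single "49152:65535" entry, and the Guest AirPlay range adds another 17153 TCP ports. When trimming, start with the wide ranges and re-run the audit; the firewall log with logging enabled on the pass rules (as girkers suggested earlier) shows which ports are actually hit.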

                                    iHaveAstream @Stan:


                                    @stan said in PIMD configuration help:

                                    @iHaveAstream
                                    Some further thoughts about your situation. Using a switch to create VLANs and UPnP for connectivity has a certain attraction as being elegantly simple. However, if you're already running pfSense, I think you would have more effective control and fewer problems by adding the VLANs to pfSense, using firewall rules to accomplish your goals, and disabling UPnP. That would also avoid security issues associated with UPnP.

                                    thanks for your detailed replies. I'm gonna go thru it soon.

                                    The reason why I decided to manage VLANs on L2 is because when done so on pfSense, there is the limit of 1 GB/s which is the bandwidth limit of the physical LAN port of the NIC...

