Unterschiede

Hier werden die Unterschiede zwischen zwei Versionen angezeigt.

--- unifi:sonos:firewall [2023/10/11 14:38] – angelegt max
+++ unifi:sonos:firewall [Unbekanntes Datum] (aktuell) – Externe Bearbeitung (Unbekanntes Datum) 127.0.0.1
@@ Zeile 1: / Zeile 1: @@
+====== UniFi Sonos Firewall Regeln ======
+Im folgenden wird das einrichten der Firewall Regeln behandelt.
+Diese Sektion danke ich dem UniFi Forum.
+Da die Antwort Ursprünglich in Englisch kam, werde ich diese so übernehmen:
+Initial setup:
+- In addition to your default WiFi network (which is not associated to a VLAN), create a new WiFi network ("IoT") that's associated to VLAN 20 (Wireless Networks > IoT > Advanced Options > VLAN: Use VLAN > 20). Make sure "Block LAN to WLAN Multicast and Broadcast Data" is unchecked (disabled) and "Enable multicast enhancement (IGMPv3)" is checked (enabled) on both WiFi networks.
+- Configure two "corporate" networks: LAN and IoT (names don't matter). Leave LAN untagged but tag the IoT VLAN as 20 so that clients joining your IoT WiFi network fall on your IoT VLAN. Make sure "Enable IGMP snooping" is enabled (checked) on both networks. Let's say your LAN's subnet is 192.168.1.1/24. Since the IoT VLAN is tagged as 20, I used 192.168.20.1/24 as its subnet but you can really use anything you want. Everything below will assume that your IoT VLAN is tagged as 20 using that subnet.
+- Go to Services > MDNS and enable "Enable Multicast DNS"
+- Join your Sonos speakers to the IoT WiFi network. Your Sonos controller (iPhone, laptop, etc.) remains on your LAN WiFi.
+Now that your networks are set up, we can proceed to making things work between your Sonos speakers (on your IoT network) and your LAN.
+Put the following into your config.gateway.json file and reprovision your USG:
+<code json>
+{
+   "protocols": {
+      "igmp-proxy": {
+         "interface": {
+            "eth1": {
+               "role": "upstream",
+               "threshold": "1"
+            },
+            "eth1.20": {
+               "role": "downstream",
+               "threshold": "1"
+            }
+         }
+      }
+   }
+}
+</code>
+Go to Routing & Firewall > Firewall > Groups to set up your groups:
+Group 1: IoT
+Type: Address IPv4
+Address: 192.168.20.0/24 (your IoT network's subnet)
+Group 2: LAN
+Type: Address IPv4
+Address: 192.168.1.0/24 (your LAN subnet)
+Group 3: RFC1918_Private_IPs
+Type: Address IPv4
+Address: 10.0.0.0/8
+Address: 172.16.0.0/12
+Address: 192.168.0.0/16
+Group 4: Sonos TCP Ports
+Type: Port
+Port: 3400
+Port: 3401
+Port: 3500
+Group 5: Sonos UDP Ports
+Type: Port
+Port: 1900
+Port: 1901
+Port: 1902
+Group 6: Sonos Speakers
+Type: Address IPv4
+Address: This one may be tricky to set up until you have things working since your Sonos speakers don't have a reserved (static) IP address on your IoT network yet. For now, find out what their addresses are and enter them here, their IP addresses probably won't change. Alternatively, go and set static IP addresses for each of your Sonos speakers on the IoT network then come back here.
+Now you're ready to tie everything together.
+Go to Routing & Firewall > Firewall > Rules IPv4 > LAN IN
+You'll be creating a total of 5 rules here. I'll list the relevant settings for each.
+Rule 1: Allow all Established/Related traffic
+Rule Applied: Before predefined rules
+Action: Accept
+IPv4 Protocol: All
+States: Established, Related
+Source Type: Address/Port Group
+IPv4 Address Group: Any
+Port Group: Any
+Destination Type: Address/Port Group
+IPv4 Address Group: Any
+Port Group: Any
+Rule 2: Allow LAN to access all VLANs
+Rule Applied: Before predefined rules
+Action: Accept
+IPv4 Protocol: All
+States: <all unchecked>
+Source Type: Network
+Network: LAN / IPv4 Subnet
+Destination Type: Address/Port Group
+IPv4 Address Group: RFC1918_Private_IPs
+Port Group: Any
+Rule 3: Allow Sonos players to LAN (TCP)
+Rule Applied: Before predefined rules
+Action: Accept
+IPv4 Protocol: TCP
+States: <all unchecked>
+Source Type: Address/Port Group
+IPv4 Address Group: Sonos Speakers
+Port Group: Any
+Destination Type: Address/Port Group
+IPv4 Address Group: LAN
+Port Group: Sonos TCP Ports
+Rule 4: Allow Sonos players to LAN (UDP)
+Rule Applied: Before predefined rules
+Action: Accept
+IPv4 Protocol: UDP
+States: <all unchecked>
+Source Type: Address/Port Group
+IPv4 Address Group: Sonos Speakers
+Port Group: Any
+Destination Type: Address/Port Group
+IPv4 Address Group: LAN
+Port Group: Sonos UDP Ports
+Rule 5: Block all inter-VLAN communication
+Rule Applied: Before predefined rules
+Action: Drop
+IPv4 Protocol: All
+Logging: Enable Logging (on) - this one's optional but it'll help you identify whether any critical traffic from the Sonos speakers to your LAN is being blocked if things aren't working
+States: <all unchecked>
+Source Type: Address/Port Group
+IPv4 Address Group: RFC1918_Private_IPs
+Port Group: Any
+Destination Type: Address/Port Group
+IPv4 Address Group: RFC1918_Private_IPs
+Port Group: Any
+Rule #5 is the one that prevents VLANs from talking to each other and which isolates your IoT devices from your LAN.
+Make sure these rules are applied in this order (drag and drop them in the "LAN IN" firewall rules list if the order doesn't match).
+Now… assuming I haven't left anything out, reboot EVERYTHING. Like, power cycle everything, including the Sonos speakers and your Sonos controller. Even after doing all this, my setup didn't work immediately. I'm guessing it's because some network configs had to be refreshed, which a power cycle resolved.
+Start everything back up and HOPEFULLY it all works. If your Sonos controller can't see your speakers, check your USG logs (you did enable logging on the VLAN->VLAN deny rule, right?) to see what's getting blocked.
+Once it's all working, remember to give your Sonos devices static IP addresses so that you can keep them properly mapped in the "Sonos Speakers" firewall group.