====== UniFi Sonos Firewall Rules ======

The following covers setting up the firewall rules. For this section I thank the UniFi forum. Since the answer originally came in English, I will take it over as-is:

Initial setup:

  - In addition to your default WiFi network (which is not associated to a VLAN), create a new WiFi network ("IoT") that's associated to VLAN 20 (Wireless Networks > IoT > Advanced Options > VLAN: Use VLAN > 20). Make sure "Block LAN to WLAN Multicast and Broadcast Data" is unchecked (disabled) and "Enable multicast enhancement (IGMPv3)" is checked (enabled) on both WiFi networks.
  - Configure two "corporate" networks: LAN and IoT (names don't matter). Leave LAN untagged but tag the IoT VLAN as 20 so that clients joining your IoT WiFi network fall on your IoT VLAN. Make sure "Enable IGMP snooping" is enabled (checked) on both networks. Let's say your LAN's subnet is 192.168.1.1/24. Since the IoT VLAN is tagged as 20, I used 192.168.20.1/24 as its subnet but you can really use anything you want. Everything below will assume that your IoT VLAN is tagged as 20 using that subnet.
  - Go to Services > MDNS and enable "Enable Multicast DNS".
  - Join your Sonos speakers to the IoT WiFi network. Your Sonos controller (iPhone, laptop, etc.) remains on your LAN WiFi.

Now that your networks are set up, we can proceed to making things work between your Sonos speakers (on your IoT network) and your LAN.
Put the following into your config.gateway.json file and reprovision your USG:

<code json>
{
  "protocols": {
    "igmp-proxy": {
      "interface": {
        "eth1": {
          "role": "upstream",
          "threshold": "1"
        },
        "eth1.20": {
          "role": "downstream",
          "threshold": "1"
        }
      }
    }
  }
}
</code>

Go to Routing & Firewall > Firewall > Groups to set up your groups:

  * Group 1: IoT
    * Type: Address
    * IPv4 Address: 192.168.20.0/24 (your IoT network's subnet)
  * Group 2: LAN
    * Type: Address
    * IPv4 Address: 192.168.1.0/24 (your LAN subnet)
  * Group 3: RFC1918_Private_IPs
    * Type: Address
    * IPv4 Address: 10.0.0.0/8
    * Address: 172.16.0.0/12
    * Address: 192.168.0.0/16
  * Group 4: Sonos TCP Ports
    * Type: Port
    * Port: 3400
    * Port: 3401
    * Port: 3500
  * Group 5: Sonos UDP Ports
    * Type: Port
    * Port: 1900
    * Port: 1901
    * Port: 1902
  * Group 6: Sonos Speakers
    * Type: Address
    * IPv4 Address: This one may be tricky to set up until you have things working since your Sonos speakers don't have a reserved (static) IP address on your IoT network yet. For now, find out what their addresses are and enter them here; their IP addresses probably won't change. Alternatively, go and set static IP addresses for each of your Sonos speakers on the IoT network, then come back here.

Now you're ready to tie everything together. Go to Routing & Firewall > Firewall > Rules IPv4 > LAN IN.

You'll be creating a total of 5 rules here. I'll list the relevant settings for each.
  * Rule 1: Allow all Established/Related traffic
    * Rule Applied: Before predefined rules
    * Action: Accept
    * IPv4 Protocol: All
    * States: Established, Related
    * Source Type: Address/Port Group
    * IPv4 Address Group: Any
    * Port Group: Any
    * Destination Type: Address/Port Group
    * IPv4 Address Group: Any
    * Port Group: Any
  * Rule 2: Allow LAN to access all VLANs
    * Rule Applied: Before predefined rules
    * Action: Accept
    * IPv4 Protocol: All
    * States:
    * Source Type: Network
    * Network: LAN / IPv4 Subnet
    * Destination Type: Address/Port Group
    * IPv4 Address Group: RFC1918_Private_IPs
    * Port Group: Any
  * Rule 3: Allow Sonos players to LAN (TCP)
    * Rule Applied: Before predefined rules
    * Action: Accept
    * IPv4 Protocol: TCP
    * States:
    * Source Type: Address/Port Group
    * IPv4 Address Group: Sonos Speakers
    * Port Group: Any
    * Destination Type: Address/Port Group
    * IPv4 Address Group: LAN
    * Port Group: Sonos TCP Ports
  * Rule 4: Allow Sonos players to LAN (UDP)
    * Rule Applied: Before predefined rules
    * Action: Accept
    * IPv4 Protocol: UDP
    * States:
    * Source Type: Address/Port Group
    * IPv4 Address Group: Sonos Speakers
    * Port Group: Any
    * Destination Type: Address/Port Group
    * IPv4 Address Group: LAN
    * Port Group: Sonos UDP Ports
  * Rule 5: Block all inter-VLAN communication
    * Rule Applied: Before predefined rules
    * Action: Drop
    * IPv4 Protocol: All
    * Logging: Enable Logging (on). This one's optional, but it'll help you identify whether any critical traffic from the Sonos speakers to your LAN is being blocked if things aren't working.
    * States:
    * Source Type: Address/Port Group
    * IPv4 Address Group: RFC1918_Private_IPs
    * Port Group: Any
    * Destination Type: Address/Port Group
    * IPv4 Address Group: RFC1918_Private_IPs
    * Port Group: Any

Rule #5 is the one that prevents VLANs from talking to each other and which isolates your IoT devices from your LAN. Make sure these rules are applied in this order (drag and drop them in the "LAN IN" firewall rules list if the order doesn't match).

Now... assuming I haven't left anything out, reboot EVERYTHING.
Like, power cycle everything, including the Sonos speakers and your Sonos controller. Even after doing all this, my setup didn't work immediately. I'm guessing it's because some network configs had to be refreshed, which a power cycle resolved. Start everything back up and HOPEFULLY it all works. If your Sonos controller can't see your speakers, check your USG logs (you did enable logging on the VLAN->VLAN deny rule, right?) to see what's getting blocked. Once it's all working, remember to give your Sonos devices static IP addresses so that you can keep them properly mapped in the "Sonos Speakers" firewall group.
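To check what the five "LAN IN" rules above actually do before touching a live USG, here is an added Python model of that rule chain (my own example, not code from the forum post or from Ubiquiti). It uses the page's subnets and port groups; the two speaker addresses in the Sonos Speakers group and the USG's implicit accept for anything no rule matches are assumptions. It also lets you reorder the rules to see why rule 5 has to sit last.

```python
import ipaddress

# Constructed model of the page's "LAN IN" rule set. Speaker addresses are assumed;
# the page tells you to fill the Sonos Speakers group with your own.
LAN = ipaddress.ip_network("192.168.1.0/24")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SONOS_SPEAKERS = {ipaddress.ip_address(a) for a in ("192.168.20.50", "192.168.20.51")}  # assumed
SONOS_TCP = {3400, 3401, 3500}   # Group 4
SONOS_UDP = {1900, 1901, 1902}   # Group 5


def in_any(ip, nets):
    return any(ip in n for n in nets)


# (name, match(src, dst, pkt) -> bool, action); the first matching rule wins.
RULES = [
    ("1 Established/Related", lambda s, d, p: p["state"] in ("established", "related"), "accept"),
    ("2 LAN to all VLANs", lambda s, d, p: s in LAN and in_any(d, RFC1918), "accept"),
    ("3 Sonos to LAN (TCP)", lambda s, d, p: p["proto"] == "tcp" and s in SONOS_SPEAKERS
     and d in LAN and p["dport"] in SONOS_TCP, "accept"),
    ("4 Sonos to LAN (UDP)", lambda s, d, p: p["proto"] == "udp" and s in SONOS_SPEAKERS
     and d in LAN and p["dport"] in SONOS_UDP, "accept"),
    ("5 Block inter-VLAN", lambda s, d, p: in_any(s, RFC1918) and in_any(d, RFC1918), "drop"),
]


def packet(src, dst, proto, dport, state="new"):
    return {"src": src, "dst": dst, "proto": proto, "dport": dport, "state": state}


def evaluate(pkt, rules=RULES):
    """Return (rule name, action) of the first rule that matches pkt. No match means
    the chain's default applies, assumed here to be accept (e.g. IoT to internet)."""
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for name, match, action in rules:
        if match(src, dst, pkt):
            return name, action
    return "default", "accept"


if __name__ == "__main__":
    samples = [
        packet("192.168.20.50", "192.168.1.10", "tcp", 3400),  # speaker -> controller: rule 3
        packet("192.168.20.50", "192.168.1.10", "udp", 1900),  # SSDP from speaker: rule 4
        packet("192.168.20.50", "192.168.1.10", "tcp", 22),    # speaker -> LAN SSH: rule 5 drop
        packet("192.168.20.77", "192.168.1.10", "tcp", 3400),  # non-Sonos IoT device: rule 5 drop
        packet("192.168.1.10", "192.168.20.50", "tcp", 1400),  # controller -> speaker: rule 2
        packet("192.168.20.50", "203.0.113.5", "tcp", 443),    # speaker -> internet: default
    ]
    for p in samples:
        print(p["src"], "->", p["dst"], p["proto"], p["dport"], evaluate(p))
    # Rule 5 moved to the top blocks even the controller reaching its speakers:
    print("misordered:", evaluate(samples[4], RULES[-1:] + RULES[:-1]))
```

Run it once with your real speaker addresses in SONOS_SPEAKERS; any packet that lands on "5 Block inter-VLAN" is exactly what the logging on rule 5 will show you in the USG logs.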