UniFi Sonos Firewall Rules
The following covers setting up the firewall rules. I owe this section to the UniFi forum.
Since the answer originally came in English, I will reproduce it as is:
Initial setup:
1- In addition to your default WiFi network (which is not associated with a VLAN), create a new WiFi network ("IoT") that's associated with VLAN 20 (Wireless Networks > IoT > Advanced Options > VLAN: Use VLAN > 20). Make sure "Block LAN to WLAN Multicast and Broadcast Data" is unchecked (disabled) and "Enable multicast enhancement (IGMPv3)" is checked (enabled) on both WiFi networks.
2- Configure two "corporate" networks: LAN and IoT (names don't matter). Leave LAN untagged but tag the IoT VLAN as 20 so that clients joining your IoT WiFi network fall on your IoT VLAN. Make sure "Enable IGMP snooping" is enabled (checked) on both networks. Let's say your LAN's subnet is 192.168.1.1/24. Since the IoT VLAN is tagged as 20, I used 192.168.20.1/24 as its subnet but you can really use anything you want. Everything below will assume that your IoT VLAN is tagged as 20 using that subnet.
3- Go to Services > MDNS and enable "Enable Multicast DNS".
4- Join your Sonos speakers to the IoT WiFi network. Your Sonos controller (iPhone, laptop, etc.) remains on your LAN WiFi.
Now that your networks are set up, we can proceed to making things work between your Sonos speakers (on your IoT network) and your LAN.
Put the following into your config.gateway.json file and reprovision your USG:
{
  "protocols": {
    "igmp-proxy": {
      "interface": {
        "eth1": {
          "role": "upstream",
          "threshold": "1"
        },
        "eth1.20": {
          "role": "downstream",
          "threshold": "1"
        }
      }
    }
  }
}
Go to Routing & Firewall > Firewall > Groups to set up your groups:
Group 1: IoT
Type: Address IPv4
Address: 192.168.20.0/24 (your IoT network's subnet)
Group 2: LAN
Type: Address IPv4
Address: 192.168.1.0/24 (your LAN subnet)
Group 3: RFC1918_Private_IPs
Type: Address IPv4
Address: 10.0.0.0/8
Address: 172.16.0.0/12
Address: 192.168.0.0/16
Group 4: Sonos TCP Ports
Type: Port
Port: 3400
Port: 3401
Port: 3500
Group 5: Sonos UDP Ports
Type: Port
Port: 1900
Port: 1901
Port: 1902
Group 6: Sonos Speakers
Type: Address IPv4
Address: This one may be tricky to set up until you have things working since your Sonos speakers don't have a reserved (static) IP address on your IoT network yet. For now, find out what their addresses are and enter them here, their IP addresses probably won't change. Alternatively, go and set static IP addresses for each of your Sonos speakers on the IoT network then come back here.
Now you're ready to tie everything together.
Go to Routing & Firewall > Firewall > Rules IPv4 > LAN IN
You'll be creating a total of 5 rules here. I'll list the relevant settings for each.
Rule 1: Allow all Established/Related traffic
Rule Applied: Before predefined rules
Action: Accept
IPv4 Protocol: All
States: Established, Related
Source Type: Address/Port Group
IPv4 Address Group: Any
Port Group: Any
Destination Type: Address/Port Group
IPv4 Address Group: Any
Port Group: Any
Rule 2: Allow LAN to access all VLANs
Rule Applied: Before predefined rules
Action: Accept
IPv4 Protocol: All
States: <all unchecked>
Source Type: Network
Network: LAN / IPv4 Subnet
Destination Type: Address/Port Group
IPv4 Address Group: RFC1918_Private_IPs
Port Group: Any
Rule 3: Allow Sonos players to LAN (TCP)
Rule Applied: Before predefined rules
Action: Accept
IPv4 Protocol: TCP
States: <all unchecked>
Source Type: Address/Port Group
IPv4 Address Group: Sonos Speakers
Port Group: Any
Destination Type: Address/Port Group
IPv4 Address Group: LAN
Port Group: Sonos TCP Ports
Rule 4: Allow Sonos players to LAN (UDP)
Rule Applied: Before predefined rules
Action: Accept
IPv4 Protocol: UDP
States: <all unchecked>
Source Type: Address/Port Group
IPv4 Address Group: Sonos Speakers
Port Group: Any
Destination Type: Address/Port Group
IPv4 Address Group: LAN
Port Group: Sonos UDP Ports
Rule 5: Block all inter-VLAN communication
Rule Applied: Before predefined rules
Action: Drop
IPv4 Protocol: All
Logging: Enable Logging (on) - this one's optional but it'll help you identify whether any critical traffic from the Sonos speakers to your LAN is being blocked if things aren't working
States: <all unchecked>
Source Type: Address/Port Group
IPv4 Address Group: RFC1918_Private_IPs
Port Group: Any
Destination Type: Address/Port Group
IPv4 Address Group: RFC1918_Private_IPs
Port Group: Any
Rule #5 is the one that prevents VLANs from talking to each other and which isolates your IoT devices from your LAN.
Make sure these rules are applied in this order (drag and drop them in the "LAN IN" firewall rules list if the order doesn't match).
Now… assuming I haven't left anything out, reboot EVERYTHING. Like, power cycle everything, including the Sonos speakers and your Sonos controller. Even after doing all this, my setup didn't work immediately. I'm guessing it's because some network configs had to be refreshed, which a power cycle resolved.
Start everything back up and HOPEFULLY it all works. If your Sonos controller can't see your speakers, check your USG logs (you did enable logging on the VLAN→VLAN deny rule, right?) to see what's getting blocked.
Once it's all working, remember to give your Sonos devices static IP addresses so that you can keep them properly mapped in the "Sonos Speakers" firewall group.
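As an added example (not part of the forum answer and not UniFi code), here is a small first-match evaluator for the five "LAN IN" rules above; it lets you check what the rule order actually permits before you apply it and shows why rule 5 must sit last. The two speaker addresses in the "Sonos Speakers" group are constructed sample values.

```python
import ipaddress

# Address and port groups as defined on the page. The two speaker addresses
# are constructed sample values (assumption): use your own reserved IPs.
GROUPS = {
    "Any": ["0.0.0.0/0"],
    "LAN": ["192.168.1.0/24"],
    "IoT": ["192.168.20.0/24"],
    "RFC1918_Private_IPs": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "Sonos Speakers": ["192.168.20.50/32", "192.168.20.51/32"],
}
PORTS = {"Sonos TCP Ports": {3400, 3401, 3500}, "Sonos UDP Ports": {1900, 1901, 1902}}

def in_group(ip, name):
    """True if ip falls in any prefix of the named address group."""
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in GROUPS[name])

# (action, protocol, matched states, source group, destination group, dest port group)
# in the order the page prescribes. An empty state set means "all states unchecked".
RULES = [
    ("accept", "all", {"established", "related"}, "Any", "Any", None),
    ("accept", "all", set(), "LAN", "RFC1918_Private_IPs", None),
    ("accept", "tcp", set(), "Sonos Speakers", "LAN", "Sonos TCP Ports"),
    ("accept", "udp", set(), "Sonos Speakers", "LAN", "Sonos UDP Ports"),
    ("drop", "all", set(), "RFC1918_Private_IPs", "RFC1918_Private_IPs", None),
]
# Same rules with the inter-VLAN drop moved ahead of the Sonos exceptions.
MISORDERED = RULES[:2] + RULES[4:] + RULES[2:4]

def evaluate(src, dst, proto, dport, state="new", rules=RULES):
    """Return (action, 1-based rule number) of the first matching rule,
    or ("default", None) if no rule matches (USG predefined rules apply)."""
    for i, (action, rproto, states, sgrp, dgrp, pgrp) in enumerate(rules, 1):
        if rproto != "all" and rproto != proto:
            continue
        if states and state not in states:
            continue
        if not in_group(src, sgrp) or not in_group(dst, dgrp):
            continue
        if pgrp and dport not in PORTS[pgrp]:
            continue
        return action, i
    return "default", None

if __name__ == "__main__":
    print(evaluate("192.168.20.50", "192.168.1.10", "tcp", 3400))             # speaker -> LAN, allowed by rule 3
    print(evaluate("192.168.20.99", "192.168.1.10", "tcp", 3400))             # other IoT device, dropped by rule 5
    print(evaluate("192.168.20.50", "192.168.1.10", "tcp", 3400, rules=MISORDERED))  # dropped: wrong order
```

Run a packet you expect to see through the drop log against `evaluate` first; if it returns `("drop", 5)` here, the block is by design and not a missing group entry.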
