Discover endpoints on a routed network segment

I m a new Roon user. I have two networks in my house. I have a secured network - and an insecure network
My wired devices are on the internal secured network together with my servers incl the Roon server and my Nas with music
On my insecure network i have the wireless devices like mobile phones (Roon controllers) and Chromecasts.

Now the Roon server (ubuntu 18.04 LTS VM) discovers all the devices on the secure network but it cannot discover my Chromecasts on the insecure network.

Would it be possible that the next version of Roon server for Linux could have a feature where one could enter the ip address of a device that should be found by device discover? This way It would be possible for Roon to discover endpoints on another network.

That would be great!

As owners take control over their network setup there will be more and more home networks that are segmented.
It is a pity if Roon are not able to work optimally with all devices on such segmented networks

The problem is very likely the lack of a suitable protocol that is supported by home routers. Network Discovery Protocol or Link Layer DP are possibles but if the router doesn’t support it, it’s dead in the water.

I agree it would be nice to be able to set up cross vlan connections even it they have to be manually configured.

It would be most useful over a VPN to our homes’ private networks too.

Unfortunately, a search for VLAN across the forum finds numerous features requests to allow this…unlikely there will ever be enough demand. It’s unfortunate, as the current IoT threat scenario the world is living with now could have been largely mitigated if everyone isolated risky devices.

Hi Larry_post.
I agree - and since Roon can play across routed networks from the server on my secure network to my mobile on the insecure wifi network there is support for this in the RAAT protocol.
The only matter is the discovery protocol. I can see that this is difficult bordering to impossible because of the many implementations of routing protocols.

This is why I am requesting a simple solutions to this problem in the form of a file where i could enter device ip addresses that Roon should connect to. It doesn’t even have to be behind a UI - just a txt file on the server that the knowing user could edit to enter device ip addresses…


Hmm, if your mobile on the insecure network can see your Roon server on the secure network, then you don’t have much separation. Do you have a access list in place that allows your mobile to see the server?

I have mine completely separate and haven’t tried allowing clients on each to see each other as it would be contrary to my goal of isolation.

I provided more details in another thread but… just pointing the remote or core at an “address” won’t work. There is a bunch of socket creation between endpoints / remotes / core that need to happen and, right now, the discovery of how to do that and the ports being used (somewhat random although my understanding is the newer versions of Roon limit it to a port range) expect everything to be on the same broadcast domain.

If you can move your core, endpoints, and remotes to the same lan segment you’ll be a lot happier. Then the only thing you need to focus on is getting SMB functional across your LAN segments (which is plenty doable) so Roon can see your NAS.

I do plan on figuring this out but I’ve not had time to really focus on it yet. It’s way more involved than I originally expected so, for now, I’ve put a USB drive on my ROCK, moved all my endpoints onto that network, and have shifted a couple tablets over to that segment as well to act as remotes. At least I can listen to my music.

Yes I have a zone rule that allows my mobile (the tablets and the kids mobiles) to access the Roon server.

1 Like

You could also use IGMP Snooping on the router to specifically forward the broadcast discovery to other routed networks…

I my opinion it is a bad solution to invite all sorts of “strange” semi-secure devices into your most protected areas. That is why i have mobile phones, guests and Chromecasts and the like on my insecure network.

I think that most of the work for this request is already done. I have my Mobile on the insecure network accessing the Roon server on the secure network. Likewise the Roon server is able to use the mobile on the insecure network as an endpoint.
So the technical foundations in the RAAT protocol is there.

The issue is how to tell the Roon server that there is an additional endpoint at a specific IP addres on the other network.

The specifics (technical details like resolution, bit depth, MQA or not) about the endpoint could be entered manually like when you tell Roon what the capabilities your DAC has.
As I see it allmost all the building bricks are there…

IGMP snooping doesn’t cross VLANs, and multicast doesn’t cross VLANs unless you enable multicast routing.

Each vlan has it’s own IGMP snooping table.

1 Like

Yepp, you can do alot with multicast if you have a decent router and/or switch:


Agreed. I manage a Cisco network for 30 years now (yikes I’m old). The SG series are nice, capable switches that I believe they acquired from Linksys.

I deal more with Nexus core and stackable edge 3750 type switches.

I am no network shark, i’m a linux admin - but with a little help from my friends i have had my network segmented into a insecure and a secure part.

All the wireless devices are inherently insecure and thus on the insecure part. All wired devices including servers (and my Roon server VM) are on the secure network.

I think it would be fairly simple for Roon devs to implement the facility i suggest. If the specific network address is known to the Roon server it know where to send the packages to querry the devices for facilities. Just like it is doing to the mobile which is on the insecure network and thus behind a router.

Think more along the lines of secure and not-secure devices. Just because the device is on the wireless network does not mean it is insecure. In fact, you could very well turn-on 802.1x and enterprise WPA then authenticate both wired and wireless devices the same way.

I used to have my network split this way but now I think of it as secure and insecure devices. Both my secure and insecure networks have wireless networks (with different authentication schemes). Anything that is “insecure” or needs to talk to inherently insecure things goes on the insecure network. This includes all my roon endpoints and the Roon Server.

My problem is that I have “secure” devices (like my desktop PC) that I’d like to be able to control Roon with but it cannot find my server. By treating the server and endpoints as insecure and then putting a couple tablets on the insecure network gets me 90% there.

I think a feature to get a version of Remote that does actually work across routed networks should be very high on the list of things to implement by Roon. But, I also think some of the issues people are having with splitting wired/wireless for security is a bit of a dated architecture. That, of course, is an opinion.

Something that I did to connect to my Squeezebox Server from my mobile phone to stream whilst I was not home can also be used with Roon, namely, you create an SSH tunnel (or even a VPN if your router allows it, however I find SSH is ubiquitous and easy to implement on the client side.)

Assuming residential internet:

  • Port forward (port of your choice, for Roon) a port for SSH to some server on your LAN / segment / vLAN that has your Roon server on it that has an SSH Server.
  • Where ever it is you want to end up on your LAN from outside, use public-key authentication, and or other strong authentication for example two-factor. Then there is nothing to fear.
  • Using an SSH client on your Android / whatever phone, configure the SSH client to tunnel the Roon ports (udp 9003, tcp 9100:9200) when connecting via your SSH tunnel

And Bob’s your uncle.

Now, Squeezebox has a great advantage as far this type of thing goes, because you can define the type of compression per client, so for example you can have your mobile setup to get MP3 256, or even FLAC. RAAT is going to be pretty “fat”, although if you have a decent mobile data contingent, then for occasional listening it should be economical enough.

Now, technically, you can do the same thing for connecting multiple subnets / LANs (wired or not) as well.

As we all agree, yes, it would be nice if Roon was routable, but until that happens, it would be possible with tunneling and for example IGMP forwarding (as alluded to above.)