Enabling IGMP and broadcast in firewalld for Linux Roon server

Continuing the discussion from Android Roon Remote looses connection to Core (daily):

Ace sleuth @CRo figured out you need to enable IGMP and broadcast networking, and mentioned

If you want I can also make some firewalld entries

I want :wink: . I created a simple firewalld service file for Roon server that opens the ports it uses (TCP 9100-9200 and UDP 9103); you can add to firewalld with firewall-cmd --permanent --new-service-from-file=/path/to/my/roon-server.xml and then it shows up in the Firewall Configuration UI as a nice service you can turn on and off :+1: , but it doesn’t work: Android Roon controller is stuck “Looking for your Roon Core.” I believe I need to enable IGMP and broadcast when this service is running, but

  1. I can’t figure out how to enable broadcast. firewall-cmd --add-protocol=igmp seems to work (add --permanent should make it permanent), but I don’t know the equivalent magic for broadcast.
  2. I don’t know how to tie turning these protocols on to enabling the Roon server.
  3. Is there some way to get Linux to let you know when it’s blocking network packets? I think firewalld just configures the kernel, so getting it to log with something like sudo firewalld --nofork --debug 2 --log-file /tmp/firewalld_manual.log doesn’t help.

Thanks for any insights! Sorry if I mis-format this, I’m new.

Core Machine (Operating system/System info/Roon build number)

Roon Server on Fedora 31 laptop / version 2.1.0?

Network Details (Including networking gear model/manufacturer and if on WiFi/Ethernet)

Netgear WGR614v10 over WiFi

Audio Devices (Specify what device you’re using and its connection type - USB/HDMI/etc.)

Chromecast endpoint

Description Of Issue
See above.

I believe you’d be looking for multicast more than broadcast. SSDP too I guess, but I am not sure what Roon is actually using for discovery.

Please note that this should be UDP 9003.

I’m afraid I can’t help you too much from a Fedora point of view, but the settings for Ubuntu 18.04 below whilst based on UFW do translate fairly readily into iptables which should be easier to decipher. You’ll need to adjust for your subnet.

sudo ufw allow from 192.168.1.0/24 to any port 9100:9200 proto tcp
sudo ufw allow from 192.168.1.0/24 to any port 9003 proto udp
sudo ufw allow from 192.168.1.0/24 to any port 1900 proto udp

sudo nano /etc/ufw/user.rules

### IGMP ###
-A ufw-user-input -s 224.0.0.0/4 -j ACCEPT
-A ufw-user-input -d 224.0.0.0/4 -j ACCEPT
-A ufw-user-input -s 240.0.0.0/5 -j ACCEPT
-A ufw-user-input -m pkttype --pkt-type multicast -j ACCEPT
-A ufw-user-input -m pkttype --pkt-type broadcast -j ACCEPT

The first 3 lines above could be achieved using sudo ufw allow from ... but the latter are too complex. However, line 4 is equivalent to firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -m pkttype --pkt-type multicast -j ACCEPT.
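The script below is an added example, not code from this thread, from Roon Labs, or from the firewalld project. It pulls together the two halves of the discussion: the service file the original post describes (with the UDP port corrected to 9003 as noted above) and the firewalld counterparts of the UFW rules, including the broadcast packet-type rule that the original question could not find. Everything it assumes is hypothetical and adjustable: the service name roon-server, the zone home, the LAN subnet 192.168.1.0/24, and UDP 1900 for SSDP as in the UFW rules. The one firewalld option not mentioned in the thread is --set-log-denied, which makes the kernel log rejected packets so you can see what is being blocked with journalctl -k (question 3 in the original post). The script only prints the firewall-cmd lines; it does not run them.

```shell
#!/bin/sh
# Added example, not from the thread or from Roon Labs: generate a firewalld
# service definition for Roon Server and print the firewall-cmd lines that
# install it, add the multicast/broadcast packet-type rules, and enable logging
# of denied packets. Assumptions (hypothetical, adjust to your network):
# service name "roon-server", zone "home", LAN subnet 192.168.1.0/24,
# UDP 9003 (as corrected in the thread) and UDP 1900 for SSDP discovery.

ROON_TCP_RANGE="9100-9200"
ROON_UDP_PORT="9003"
SSDP_UDP_PORT="1900"
LAN_SUBNET="${LAN_SUBNET:-192.168.1.0/24}"
FW_ZONE="${FW_ZONE:-home}"
SERVICE_NAME="roon-server"

# Service XML in the format consumed by firewall-cmd --new-service-from-file.
# <protocol value="igmp"/> is the per-service equivalent of
# firewall-cmd --add-protocol=igmp, so IGMP is only open while this service is.
roon_service_xml() {
  cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Roon Server</short>
  <description>Roon Core: TCP control/streaming ports, UDP discovery and IGMP.</description>
  <port protocol="tcp" port="${ROON_TCP_RANGE}"/>
  <port protocol="udp" port="${ROON_UDP_PORT}"/>
  <port protocol="udp" port="${SSDP_UDP_PORT}"/>
  <protocol value="igmp"/>
</service>
EOF
}

# Number of <port> entries in the generated service (sanity check helper).
roon_service_port_count() {
  roon_service_xml | grep -c '<port '
}

# Commands to review and run as root. The rich rule limits the service to the
# LAN subnet (counterpart of "ufw allow from <subnet>"); the two direct rules
# are the counterparts of the UFW pkttype multicast/broadcast lines; the
# log-denied setting writes rejected packets to the kernel log (journalctl -k).
roon_firewall_cmds() {
  xml_path="${1:-./${SERVICE_NAME}.xml}"
  cat <<EOF
firewall-cmd --permanent --new-service-from-file="${xml_path}"
firewall-cmd --permanent --zone="${FW_ZONE}" --add-rich-rule='rule family="ipv4" source address="${LAN_SUBNET}" service name="${SERVICE_NAME}" accept'
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -s "${LAN_SUBNET}" -m pkttype --pkt-type multicast -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -s "${LAN_SUBNET}" -m pkttype --pkt-type broadcast -j ACCEPT
firewall-cmd --set-log-denied=all
firewall-cmd --reload
EOF
}

# Usage: sh roon-firewalld.sh xml > roon-server.xml
#        sh roon-firewalld.sh cmds /path/to/roon-server.xml
case "${1:-}" in
  xml)  roon_service_xml ;;
  cmds) roon_firewall_cmds "${2:-}" ;;
esac
```

Run the xml mode first and review the file, then run the cmds mode and paste the printed lines into a root shell. The direct rules are scoped with -s to the LAN subnet on purpose: an unscoped pkttype rule would accept multicast and broadcast from any interface, which is more than a media server on a laptop needs.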

Hi @S_Page,

I have moved your post over to the #tinkering section, since we can't specify specific rules for firewalld.
As a note - I would suggest adding an application-based exception instead of specifying specific ports as Roon may be using randomized ports for certain aspects.