Ace sleuth @CRo figured out you need to enable IGMP and broadcast networking, and mentioned
If you want I can also make some firewalld entries
I want. I created a simple firewalld service file for Roon server that opens the ports it uses (TCP 9100-9200 and UDP 9103); you can add it to firewalld with firewall-cmd --permanent --new-service-from-file=/path/to/my/roon-server.xml and then it shows up in the Firewall Configuration UI as a nice service you can turn on and off, but it doesn't work: the Android Roon controller is stuck "Looking for your Roon Core." I believe I need to enable IGMP and broadcast when this service is running, but
I can’t figure out how to enable broadcast. firewall-cmd --add-protocol=igmp seems to work (add --permanent should make it permanent), but I don’t know the equivalent magic for broadcast.
I don’t know how to tie turning these protocols on to enabling the Roon server.
Is there some way to get Linux to let you know when it’s blocking network packets? I think firewalld just configures the kernel, so getting it to log with something like sudo firewalld --nofork --debug 2 --log-file /tmp/firewalld_manual.log doesn’t help.
Thanks for any insights! Sorry if I mis-format this, I’m new.
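As an added example (not code from the thread or from Roon), here is the firewalld side of the question above: the service definition for the ports the post quotes (TCP 9100-9200, UDP 9103; a later reply uses 9003, so the UDP port is a variable), IGMP carried by the service itself via a `<protocol>` element so it toggles with the service, and the "magic for broadcast". Broadcast is not an IP protocol, so `--add-protocol` cannot express it; it is a link-layer packet type and needs a direct rule using the iptables `pkttype` match. The blunt rule accepts every broadcast frame; the scoped variant accepts only UDP broadcast to the discovery port from the LAN, which is what I would deploy. The LAN subnet and the service name `roon-server` are assumptions. Note that firewalld 1.x marks the direct interface as deprecated, so check your version's release notes before relying on it long term.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: Roon ports as quoted in the thread
# (TCP 9100-9200, UDP 9103 or 9003), LAN 192.168.1.0/24, service name roon-server.
ROON_TCP_RANGE="${ROON_TCP_RANGE:-9100-9200}"
ROON_UDP_PORT="${ROON_UDP_PORT:-9103}"
LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"

# Emit a firewalld service definition (firewalld.service(5) format).
# <protocol value="igmp"/> makes the service itself carry the IGMP allowance, so
# --add-service / --remove-service turn IGMP on and off together with the ports.
roon_service_xml() {
  cat <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>roon-server</short>
  <description>Roon Core: control connections and discovery.</description>
  <port protocol="tcp" port="${ROON_TCP_RANGE}"/>
  <port protocol="udp" port="${ROON_UDP_PORT}"/>
  <protocol value="igmp"/>
</service>
EOF
}

# Broadcast cannot be expressed with --add-protocol; it is matched by packet type
# through a direct rule. Blunt form: accept every broadcast frame on INPUT.
broadcast_rule_blunt() {
  printf '%s\n' "ipv4 filter INPUT 0 -m pkttype --pkt-type broadcast -j ACCEPT"
}

# Scoped form: only UDP broadcast to the discovery port, only from the LAN.
broadcast_rule_scoped() {
  printf '%s\n' "ipv4 filter INPUT 0 -s ${LAN_CIDR} -p udp --dport ${ROON_UDP_PORT} -m pkttype --pkt-type broadcast -j ACCEPT"
}

# Install everything. Needs root and a running firewalld; not executed in this listing.
roon_firewall_install() {
  tmp=$(mktemp) || return 1
  roon_service_xml >"$tmp"
  firewall-cmd --permanent --new-service-from-file="$tmp" --name=roon-server
  rm -f "$tmp"
  firewall-cmd --permanent --add-service=roon-server
  # Word-splitting of the rule string is intended: each token is one argument.
  firewall-cmd --permanent --direct --add-rule $(broadcast_rule_scoped)
  firewall-cmd --reload
}

# Verify the runtime state after install.
roon_firewall_check() {
  firewall-cmd --list-services | grep -qw roon-server &&
  firewall-cmd --direct --get-all-rules | grep -q 'pkt-type broadcast'
}
```

Run `roon_firewall_install` once as root, then `roon_firewall_check`; to get the permissive behaviour of the UFW reply instead, pass `$(broadcast_rule_blunt)` to `--add-rule`.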
I’m afraid I can’t help you too much from a Fedora point of view, but the settings for Ubuntu 18.04 below whilst based on UFW do translate fairly readily into iptables which should be easier to decipher. You’ll need to adjust for your subnet.
sudo ufw allow from 192.168.1.0/24 to any port 9100:9200 proto tcp
sudo ufw allow from 192.168.1.0/24 to any port 9003 proto udp
sudo ufw allow from 192.168.1.0/24 to any port 1900 proto udp
sudo nano /etc/ufw/user.rules
### IGMP ###
-A ufw-user-input -s 224.0.0.0/4 -j ACCEPT
-A ufw-user-input -d 224.0.0.0/4 -j ACCEPT
-A ufw-user-input -s 240.0.0.0/5 -j ACCEPT
-A ufw-user-input -m pkttype --pkt-type multicast -j ACCEPT
-A ufw-user-input -m pkttype --pkt-type broadcast -j ACCEPT
The first 3 lines above could be achieved using sudo ufw allow from ... but the latter ones are too complex. However, line 4 is equivalent to firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -m pkttype --pkt-type multicast -j ACCEPT.
I have moved your post over to the #tinkering section, since we can't specify specific rules for firewalld.
As a note - I would suggest adding an application-based exception instead of specifying specific ports as Roon may be using randomized ports for certain aspects.
to your roonserver.service file (then systemctl daemon-reload). In my case I’m manually starting and running Roon on my laptop not as root user but as a restricted user, so I prepend + to these two /usr/bin/firewall-cmd commands so they run as root. It seems to work: systemctl start roonserver enables this service in the firewall (use /usr/bin/firewall-cmd --list-services to check) and I can control Roon core, and systemctl stop roonserver disables it.
Is there some way to get Linux to let you know when it’s blocking network packets?
A: In the Firewall GUI, change menu > Options > Log Denied from "Off" to "All" or "multicast", then look for messages in journalctl on the particular network interface, e.g. kernel: FINAL_REJECT: IN=enp0s31f6 .... I was never able to find particular failure messages when my Roon controller couldn't find Roon core because of firewall blocking.
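As an added example (not the poster's own files, whose opening lines are missing above), the two pieces that post describes: a systemd drop-in that adds and removes the firewalld service around the Roon unit, and a small parser for the FINAL_REJECT lines that "Log Denied" produces, so a blocked discovery broadcast is visible instead of being lost in the journal. The unit name `roonserver.service`, the firewalld service name `roon-server`, and the log lines are assumptions; the log lines are constructed in firewalld's LOG format, not captured from a real host. The `+` prefix on an `Exec*=` line is what makes systemd run that command with full privileges even when the unit itself runs under `User=`, which is why it is needed for `firewall-cmd`.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: unit roonserver.service,
# firewalld service roon-server, interface enp0s31f6 in the constructed log lines.

# Drop-in for the unit. "+" runs the command with full privileges regardless of User=.
# ExecStopPost also fires when the service crashes, so the ports do not stay open.
roon_unit_dropin() {
  cat <<'EOF'
[Service]
ExecStartPost=+/usr/bin/firewall-cmd --add-service=roon-server
ExecStopPost=+/usr/bin/firewall-cmd --remove-service=roon-server
EOF
}

# Install the drop-in, reload systemd, and log rejected packets ("all" or "multicast").
# Needs root; not executed in this listing.
roon_unit_install() {
  d=/etc/systemd/system/roonserver.service.d
  mkdir -p "$d" && roon_unit_dropin >"$d/firewall.conf" || return 1
  systemctl daemon-reload
  firewall-cmd --set-log-denied=all
}

# Reduce FINAL_REJECT kernel log lines to "iface proto src -> dst:dport".
# Feed it `journalctl -k -g FINAL_REJECT -o cat` or `dmesg` output.
reject_summary() {
  sed -n 's/.*FINAL_REJECT: //p' | awk '{
    split("", f)                                  # clear per-line field map
    for (i = 1; i <= NF; i++) { split($i, kv, "="); f[kv[1]] = kv[2] }
    printf "%s %s %s -> %s:%s\n", f["IN"], f["PROTO"], f["SRC"], f["DST"], f["DPT"]
  }'
}

# Constructed sample: a controller's discovery broadcast and a TCP connect, both rejected.
SAMPLE_LOG='kernel: FINAL_REJECT: IN=enp0s31f6 OUT= MAC=ff:ff:ff:ff:ff:ff:00:11:22:33:44:55:08:00 SRC=192.168.1.50 DST=192.168.1.255 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=9103 DPT=9103 LEN=44
kernel: FINAL_REJECT: IN=enp0s31f6 OUT= MAC=00:aa:bb:cc:dd:ee:00:11:22:33:44:55:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=50000 DPT=9100 WINDOW=65535 RES=0x00 SYN URGP=0'

# Summary of the constructed sample. A DST ending in .255 on the discovery port is
# the signature of a controller stuck at "Looking for your Roon Core".
sample_rejects() {
  printf '%s\n' "$SAMPLE_LOG" | reject_summary
}
```

On a live host, `journalctl -k -f -g FINAL_REJECT -o cat | reject_summary` while the controller is searching shows immediately whether the broadcast or the TCP control connection is the one being dropped.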