Enabling IGMP and broadcast in firewalld for Linux Roon server

Continuing the discussion from Android Roon Remote looses connection to Core (daily):

Ace sleuth @CRo figured out you need to enable IGMP and broadcast networking, and mentioned

If you want I can also make some firewalld entries

I want :wink: . I created a simple firewalld service file for Roon server that opens the ports it uses (TCP 9100-9200 and UDP 9103); you can add to firewalld with firewall-cmd --permanent --new-service-from-file=/path/to/my/roon-server.xml and then it shows up in the Firewall Configuration UI as a nice service you can turn on and off :+1: , but it doesn’t work: Android Roon controller is stuck “Looking for your Roon Core.” I believe I need to enable IGMP and broadcast when this service is running, but

  1. I can’t figure out how to enable broadcast. firewall-cmd --add-protocol=igmp seems to work (add --permanent should make it permanent), but I don’t know the equivalent magic for broadcast.
  2. I don’t know how to tie turning these protocols on to enabling the Roon server.
  3. Is there some way to get Linux to let you know when it’s blocking network packets? I think firewalld just configures the kernel, so getting it to log with something like sudo firewalld --nofork --debug 2 --log-file /tmp/firewalld_manual.log doesn’t help.

Thanks for any insights! Sorry if I mis-format this, I’m new.

Core Machine (Operating system/System info/Roon build number)

Roon Server on Fedora 31 laptop / version 2.1.0?

Network Details (Including networking gear model/manufacturer and if on WiFi/Ethernet)

Netgear WGR614v10 over WiFi

Audio Devices (Specify what device you’re using and its connection type - USB/HDMI/etc.)

Chromecast endpoint

Description Of Issue
See above.

I believe you’d be looking for multicast more than broadcast. SSDP too I guess, but I am not sure what Roon is actually using for discovery.

Please note that this should be UDP 9003.

I’m afraid I can’t help you too much from a Fedora point of view, but the settings for Ubuntu 18.04 below, whilst based on UFW, do translate fairly readily into iptables, which should be easier to decipher. You’ll need to adjust for your subnet.

sudo ufw allow from 192.168.1.0/24 to any port 9100:9200 proto tcp
sudo ufw allow from 192.168.1.0/24 to any port 9003 proto udp
sudo ufw allow from 192.168.1.0/24 to any port 1900 proto udp

sudo nano /etc/ufw/user.rules

### IGMP ###
-A ufw-user-input -s 224.0.0.0/4 -j ACCEPT
-A ufw-user-input -d 224.0.0.0/4 -j ACCEPT
-A ufw-user-input -s 240.0.0.0/5 -j ACCEPT
-A ufw-user-input -m pkttype --pkt-type multicast -j ACCEPT
-A ufw-user-input -m pkttype --pkt-type broadcast -j ACCEPT

The first 3 lines above could be achieved using sudo ufw allow from ... but the latter are too complex. However, line 4 is equivalent to firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -m pkttype --pkt-type multicast -j ACCEPT.
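As an added example, not part of the reply above or of any other post in this thread, here is a firewalld rendering of the same rules: a service file carrying the three port ranges listed above plus the igmp protocol entry (IGMP is IP protocol 2 and has no port, so it cannot be expressed as a port line), a direct rule for each of the multicast and broadcast packet types, and a check that the service file actually contains what Roon discovery needs. The service name roon-server and the LAN subnet 192.168.1.0/24 are assumptions; unlike the iptables pkttype line above, the direct rules are limited to that subnet so the host does not accept multicast from arbitrary sources.

```shell
#!/bin/sh
# Added example (not from this thread): a firewalld service for Roon Server
# plus direct rules corresponding to the pkttype lines in the UFW/iptables
# rules above. Assumed, not from the page: the service name "roon-server"
# and the LAN subnet 192.168.1.0/24 (override with LAN_SUBNET=...).
set -eu

LAN_SUBNET="${LAN_SUBNET:-192.168.1.0/24}"

# Write the firewalld service definition: TCP 9100-9200 (Roon), UDP 9003
# (Roon discovery), UDP 1900 (SSDP) and the IGMP protocol, which has no port
# (IP protocol 2) and is what firewalld's <protocol value="igmp"/> covers.
write_roon_service() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Roon Server</short>
  <description>Roon Server: TCP 9100-9200, discovery UDP 9003, SSDP UDP 1900, IGMP.</description>
  <port protocol="tcp" port="9100-9200"/>
  <port protocol="udp" port="9003"/>
  <port protocol="udp" port="1900"/>
  <protocol value="igmp"/>
</service>
EOF
}

# Verify a service file has every entry Roon discovery depends on. Prints the
# missing entries and returns 1 if any are absent, 0 otherwise.
check_roon_service() {
    f="$1"; missing=0
    for want in 'port protocol="tcp" port="9100-9200"' \
                'port protocol="udp" port="9003"' \
                'port protocol="udp" port="1900"' \
                'protocol value="igmp"'; do
        grep -qF -- "<$want/>" "$f" || { echo "missing: <$want/>"; missing=1; }
    done
    return "$missing"
}

# Arguments for a firewalld direct rule accepting one packet type
# (multicast or broadcast). Unlike the iptables line on this page, the rule
# is limited to the LAN subnet so the host does not accept multicast or
# broadcast from any source on any interface.
direct_rule_args() {
    echo "ipv4 filter INPUT 0 -s $LAN_SUBNET -m pkttype --pkt-type $1 -j ACCEPT"
}

# Load everything into firewalld (needs root). The service itself is added
# at runtime only, which is what an ExecStartPre= hook in roonserver.service
# would do; use --permanent instead if it should survive a firewalld reload.
apply_roon_firewall() {
    command -v firewall-cmd >/dev/null || { echo "firewall-cmd not found" >&2; return 1; }
    firewall-cmd --permanent --new-service-from-file="$1" --name=roon-server
    for t in multicast broadcast; do
        # word splitting of the argument string is intended here
        firewall-cmd --permanent --direct --add-rule $(direct_rule_args "$t")
    done
    firewall-cmd --reload
    firewall-cmd --add-service=roon-server
}

case "${1:-}" in
    show)   write_roon_service /dev/stdout
            direct_rule_args multicast; direct_rule_args broadcast ;;
    apply)  tmp=$(mktemp -d)
            write_roon_service "$tmp/roon-server.xml"
            check_roon_service "$tmp/roon-server.xml"
            apply_roon_firewall "$tmp/roon-server.xml" ;;
esac
```

Run it with "show" to print the service file and the two direct rules without touching anything, and with "apply" as root on the Fedora box to load them. The direct rules sit in front of the zone rules (priority 0), so they accept multicast and broadcast from the LAN whether or not the roon-server service is currently enabled; the service itself only opens the unicast ports, which is why it can be toggled per start/stop of Roon while the pkttype rules stay put.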

Hi @S_Page,

I have moved your post over to the #tinkering section, since we can’t specify specific rules for firewalld.
As a note - I would suggest adding an application-based exception instead of specifying specific ports as Roon may be using randomized ports for certain aspects.

  1. I can’t figure out how to enable broadcast. firewall-cmd --add-protocol=igmp seems to work (add --permanent should make it permanent), but I don’t know the equivalent magic for broadcast.

A: @erig0 suggested adding

  <protocol value="igmp"/>

, and that seemed to work (I updated the gist).

  2. I don’t know how to tie turning these protocols on to enabling the Roon server.

A: One approach is to add

ExecStartPre=/usr/bin/firewall-cmd --add-service=roon-server
ExecStopPost=/usr/bin/firewall-cmd --remove-service=roon-server

to your roonserver.service file (then systemctl daemon-reload). In my case I’m manually starting and running Roon on my laptop not as root user but as a restricted user, so I prepend + to these two /usr/bin/firewall-cmd commands so they run as root. It seems to work: systemctl start roonserver enables this service in the firewall (use /usr/bin/firewall-cmd --list-services to check) and I can control Roon core, and systemctl stop roonserver disables it.

  3. Is there some way to get Linux to let you know when it’s blocking network packets?

A: In the Firewall GUI, change menu > Options > Log Denied from “Off” to “All” or “multicast”, then look for messages in journalctl on the particular network interface, e.g. kernel: FINAL_REJECT: IN=enp0s31f6 .... I was never able to find particular failure messages when my Roon controller couldn’t find Roon core because of firewall blocking.

Thanks everyone!

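For question 3, an added example that is not part of S_Page’s post or any other in this thread: once Log Denied is on (firewall-cmd --set-log-denied=all is the command-line form of the GUI option above), firewalld logs what it drops through the kernel with the FINAL_REJECT: prefix quoted above, and journalctl -k shows those lines. The script below parses such lines, classifies each rejected packet by destination type (multicast, broadcast, unicast) and protocol, and flags the ones that matter for Roon discovery: anything multicast or broadcast, plus the Roon and SSDP ports from this thread. The log lines embedded in it are constructed to look like journalctl -k output; the host name, interface, MAC addresses and IP addresses are made up.

```shell
#!/bin/sh
# Added example (not from this thread): triage firewalld's logged rejects.
# With Log Denied enabled, firewalld logs dropped packets via the kernel
# with a "FINAL_REJECT: " prefix; journalctl -k shows them. SAMPLE_LOG is
# constructed to look like that output; host, interface, MACs and IPs are
# made up. Line 5 is an unrelated journal entry that must be ignored.
set -eu

SAMPLE_LOG='Nov 14 10:01:02 laptop kernel: FINAL_REJECT: IN=enp0s31f6 OUT= MAC=01:00:5e:7f:ff:fa:3c:22:fb:aa:bb:cc:08:00 SRC=192.168.1.50 DST=239.255.255.250 LEN=155 TOS=0x00 PREC=0x00 TTL=4 ID=0 DF PROTO=UDP SPT=44000 DPT=1900 LEN=135
Nov 14 10:01:03 laptop kernel: FINAL_REJECT: IN=enp0s31f6 OUT= MAC=ff:ff:ff:ff:ff:ff:3c:22:fb:aa:bb:cc:08:00 SRC=192.168.1.50 DST=255.255.255.255 LEN=80 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=9003 DPT=9003 LEN=60
Nov 14 10:01:04 laptop kernel: FINAL_REJECT: IN=enp0s31f6 OUT= MAC=01:00:5e:00:00:01:d8:5d:4c:11:22:33:08:00 SRC=192.168.1.1 DST=224.0.0.1 LEN=32 TOS=0x00 PREC=0xC0 TTL=1 ID=0 DF PROTO=2
Nov 14 10:01:05 laptop kernel: FINAL_REJECT: IN=enp0s31f6 OUT= MAC=a4:5e:60:11:22:33:d8:5d:4c:11:22:33:08:00 SRC=203.0.113.9 DST=192.168.1.20 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=12345 DF PROTO=TCP SPT=51234 DPT=22 WINDOW=64240 RES=0x00 SYN URGP=0
Nov 14 10:01:06 laptop systemd[1]: Started Roon Server.'

# Print line N of the constructed sample (used for spot checks).
sample_line() { printf '%s\n' "$SAMPLE_LOG" | sed -n "${1}p"; }

# Parse one kernel reject line into "class proto src dst dport" where class
# is multicast (224.0.0.0/4), broadcast (255.255.255.255 or a .255 host
# address, a simplification for /24 LANs) or unicast, PROTO=2 is reported
# as IGMP, and dport is "-" for protocols without ports.
classify_reject() {
    printf '%s\n' "$1" | awk '
    {
        src = ""; dst = ""; proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        if (proto == "2") proto = "IGMP"
        split(dst, o, ".")
        if (o[1] + 0 >= 224 && o[1] + 0 <= 239) cls = "multicast"
        else if (dst == "255.255.255.255" || o[4] + 0 == 255) cls = "broadcast"
        else cls = "unicast"
        print cls, proto, src, dst, dpt
    }'
}

# Read journal lines on stdin, keep firewalld's FINAL_REJECT entries, count
# them by class/proto/dport and mark the ones Roon discovery depends on:
# any multicast or broadcast, or unicast to 9003, 1900 or 9100-9200.
summarize_rejects() {
    grep 'FINAL_REJECT:' | while IFS= read -r line; do
        classify_reject "$line"
    done | awk '
    {
        key = $1 " " $2 " dport=" $5
        n[key]++
        if ($1 != "unicast" || $5 == 9003 || $5 == 1900 || ($5 >= 9100 && $5 <= 9200))
            roon[key] = 1
    }
    END {
        for (k in n) printf "%d %s%s\n", n[k], k, (k in roon ? " <- needed by Roon" : "")
    }' | sort -k2
}

case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_LOG" | summarize_rejects ;;
    live) journalctl -k --since "${2:-1 hour ago}" --no-pager | summarize_rejects ;;
esac
```

Running it with "demo" summarizes the constructed lines; "live" reads the kernel journal for the last hour (or the --since expression given as the second argument) on the Roon host itself. A line flagged as needed by Roon that keeps appearing after the service and the multicast rules are enabled points at a rule that is not matching (wrong zone or interface, for instance); a flagged line that stops appearing once the rules are in place is the confirmation S_Page was looking for.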
