The goal of this post is to cover networking ports used by Roon.
Earlier today I spoke with product development and gave feedback that proper networking documentation was needed. It would serve to make installation easier for users with non-standard network setups, such as multiple firewalled network segments. Documentation would provide needed information to those without the skills to perform packet analysis, as well as speed things along for those that do have these skills but want as friction-less of a deployment as possible.
Iâm intending to publish my findings as a means to provide some information to the community until official documentation can step in. If you do not want to review the entire post and just want to jump to the results, check the TL;DR below.
Analysis of traffic:
The capture being referenced is watching with a filter targeting the roon core (source OR destination), and the core is running on Fedora 40. This traffic was captured by stopping the roon service, beginning the capture, and then starting the roon service. Once running, a mobile client in a separate VLAN/subnet (roon remote) was connected, began playback of audio, and then stopped.
EDIT:
The firewall in my environment has MDNS and multicast enabled. The firewall rule suggestions at the end are assuming you allow multicast between the subnet the roon core is on, and the other subnets the remotes/bridges are on.
Roon Core traffic flow after startup:
-DNS query for api.roonlabs.net was performed for A/AAAA records.
-IGMPv3 group 239.255.255.250 was joined via multicast to 224.0.0.22
-SSDP discover packet sent to multicast 239.255.255.250 over UDP/1900
-NAT-PMP external address request sent to gateway over UDP/5351 (Note: I have NAT-PMP/UPNP disabled, so no further information was gathered on this. At this point, if you have either enabled, it should âJust Workâ˘â, and automatic configuration of your firewall should occur.)
-3-Way handshake to api.roonlabs.net performed (TCP/443)
-TLSv1.2 handshake to api.roonblabs.net performed (for the cipher nerds out there, the server selected TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 [0xcca9] which as of this posting is rated A+)
-DNS query for bits.roonlabs.net for A/AAAA records
-3-way handshake to bits.roonlabs.net, and subsequent TLS connection (interestingly enough, TLSv1.3 using TLS_AES_256_GCM_SHA384 [0x1302]. Also rated A+ as of this posting)
-Roon Discovery (UDP/9003) packets sent to multicast 239.255.90.90, and subnet broadcast address. These packets reference TCP/9200
-Roon Discovery (UDP/9003) sent again to multicast address above, packets reference TCP/HTTP/HTTPS ports 9150,9330,55000 respectively
-First Roon Bridge attempts connection to core over UDP/37831 (which was source port for Roon Discovery Packet)
-Second Roon Bridge attempts connection to core over UDP/37831
-Subsequent UDP packets observed that return to core over UDP using the source ports used by Roon Core when performing Roon Discovery.
-First Roon Bridge connects to core over TCP/9330
-First Roon Bridge performs websocket connection.
-Core performs DNS Query for push-connector-v2-0.prd.roonlabs-1.prd.roonlabs.net
-Core connects to push-connector above over TCP/80 and changes to websocket
-Roon remote (mobile phone) begins sending ICMP to multiple ports listed in Roon Discovery packet
-Roon Core sends UDP packets back towards Roon Remote over UDP. Destination ports are all ports that were attempted by Roon Remote over ICMP.
-Roon Core sends Roon Discovery packet to Roon Remote
-Roon Remote connects to Core over TCP/9332
-Roon Core sends multiple UDP packets to Remote, all high ephemeral ports
-Roon Core sends TCP/Ephemeral to remote. Likely audio playback. Worth noting there is some DPLAY packets in there as well, but these are also using the same ports.
The above process of announcing to multicast/broadcast/SSDP appeared to be consistent across restarts of the roon core service. After a pattern was observed, I moved from following flows to inspecting traffic by source, grouped with destination/protocol. Below are the observations.
Roon Remote ports observed:
-Connections to Core: TCP/9330, TCP/9332, ICMP(UDP)/Ephemeral
-Connections from Core: UDP/9003, UDP/Ephemeral, TCP/Ephemeral
Roon Core ports observed:
-Connections to gateway: UDP/53, UDP/5351, UDP/5353, UDP/9003
-Connections to subnet broadcast: UDP/9003
-Connections to multicast: IGMP, UDP/1900, UDP/9003, UDP/5353 (might not be tied to roon. PTR records are for raop and googlecast)
-Connections to remote: UDP/9003, UDP/33990-58611, TCP/37176-50608
-Connections to bridge: TCP/9200, TCP/41975-43684, UDP/34685-60020
-Connections from remote: TCP/9330, TCP/9332, UDP/33990-41114
-Connections from bridge: TCP/9330, TCP/54282-60682, UDP/36472-47701
-Connections to external: api.roonlabs.net, bits.roonlabs.net, discovery.roonlabs.net, push-connector-v2-0.prd-roonlabs-1.prd.roonlabs.net. Everything used TCP/443 except for connections to push-connector, which used TCP/80.
Roon Bridge ports observed:
-Connections to core: TCP/9330, TCP/54282-60682, UDP/36472-47701
-Connections from core: TCP/9200, TCP/54282-60682, UDP/37381-43071
Some final thoughts/takeaways:
Looking at the ephemeral ports, there appears to be a clear distinction between TCP and UDP port ranges. Another item worth noting is that ephemeral ports are not following RFC 6335 which states this should be in 49152-65535 range. My best guess (and why I called out the Fedora 40 host) is that this is following standard linux port ranges, which is typically 32768-60999. This is an important detail if you are planning on using accurate firewall rules between your core and bridge/remote, as this range will depend on the host OS since it appears Roonâs software is not hard coded to a specific range. It would be nice to receive where the line between TCP/UDP exists in the ephemeral range as well.
My bridges and remotes are all on my wireless client subnet. I feel this needs to be mentioned because I did not inspect traffic directly for these, so things like multicast or outbound connections to the internet would not be seen. As such, there may be some external connections that are needed to allow bridges/remotes to work correctly.
This traffic was captured over a few short periods of time, so I know I do not have the full picture here. If youâre looking to lock down firewalls to only the necessary ports and port ranges, then some assumptions will need to be made. Namely on the 9000 range ports. 9330 was in use, 9332 was as well, so what about 9331? Does that range stop at 9332, or does it continue to 9400? How will adding additional remotes and bridges affect the ports in use?
TL;DR
I can think of three general approaches here, each increasing in security over the former.
-The âjust make it work approachâ, where you allow TCP/UDP ports 1024-65535 between everything, as well as access to IGMP and ICMP, and do not restrict outbound internet access.
-The âlets reign it in a bitâ approach, where you allow the core/bridge/remote to talk on TCP/UDP ports 9000-9500, and 30000-65535, IGMP/ICMP, and do not restrict outbound internet access.
-The âenterprise securityâ approach, where specifically you allow:
Source, Destination, Port, Protocol
- Remote, Core, 9300-9400, TCP
- Remote, Core, N/A, ICMP
- Remote, Core, 32768-65535, UDP
- Core, Remote, 9000-9100, UDP
- Core, Remote, 32768-65535, TCP / UDP
- Bridge, Core, 9300-9400, TCP
- Bridge, Core, 32768-65535, TCP / UDP
- Core, Bridge, 9100-9300, TCP
- Core, Bridge, 32768-65535, TCP / UDP
- Core, Multicast, N/A, IGMP
- Core, Multicast, 9000-9100, UDP
- Core, Broadcast, 9000-9100,UDP
- Core, External Sites(*), 80/443, TCP
External Sites(*):
- api.roonlabs.net
- bits.roonlabs.net
- discovery.roonlabs.net
- push-connector-v2-0.prd-roonlabs-1.prd.roonlabs.net
Iâm assuming with the enterprise security approach youre already accounting for DNS/DHCP where needed, as well as any other internal services you need to allow.