tl;dr: Roon does work across subnets, but it’s deliberately crippled to not allow it.
I always assumed Roon wouldn’t work across subnets since that generally appears to be the case, but apparently it does. At my house with two local subnets I can hit the Roon Core from either subnet.
With that being the case I decided to check if I could install the Core in my server subnet, which is also an additional subnet, though connected by an IPsec tunnel since it sits in a datacenter. The server installed fine, but when i went to configure it with a Roon client, it wouldn’t connect. There are no firewall denies between the subnets (each side can hit the other fine) and there is only a single router between them - the same router between my two local house subnets.
I did a bunch of network checks and saw that the Roon client’s packets were definitely reaching the server and vice versa, but I was never given the option in the client to set it up. I even checked the multicast packets to 239.255.90.90 port 9003/udp which is what the Roon client joins to make discovery attempts. Sure enough, the TTL is set to 2 on those packets, so they should make it through one router.
Here you can see the client at 10.11.12.67 hitting the server at 10.250.250.25 (this is from the server itself):
01:46:59.905901 IP 10.11.12.67.51361 > 10.250.250.25.9003: UDP, length 98
01:47:05.023566 IP 10.11.12.67.51361 > 10.150.0.1.9003: UDP, length 98
01:47:05.027863 IP 10.11.12.67.51361 > 10.250.250.25.9003: UDP, length 98
01:47:05.034936 IP 10.250.250.25.9003 > 10.11.12.67.51361: UDP, length 401
And here is the client seeing occasional responses back (this is from the client):
19:48:58.103041 IP 10.11.12.67.51361 > 10.250.250.25.9003: UDP, length 98
19:48:58.110088 IP 10.250.250.25.9003 > 10.11.12.67.51361: UDP, length 401
They can clearly reach each other and talk to each other. Pretty much any other software works fine between the two machines, so this is a Roon limitation, and not done for any actual technical reason.
My only thought is that for the first connection attempt the client and server have to be in the same subnet, but after that it can be wherever, as long as they’re reachable, done as some sort of artificial restriction on how these things can connect. If that’s the case… that’s annoying. I’d rather have one of my servers doing what it’s supposed to be doing (running on datacenter power 24x7 with gobs of bandwidth) versus devoting one of my desktops to being on and sitting around all day so it can serve local content. If Roon wanted to prevent a ton of people connecting to public Roon servers there are ways around that don’t involve neutering network connectivity and limiting options.