Roon's AirPlay not working with firewall enabled (ref#PMP4X3)

What best describes your playback issue?

· Music doesn't start when I press "Play"

What type of Zone is affected by this problem?

· *Network Zones* are affected.

Is the affected network Zone connected with Ethernet or WiFi?

· WiFi

Does the issue affect all file formats?

· The issue affects *multiple/all* file formats.

Does the issue happen with local library music, streaming service music, or both?

· *Both streaming and local* *library* music are affected.

Do you encounter any playback errors with the "System Output" Zone?

· I don't have a System Output available, but I'd like to keep troubleshooting

How is the affected Zone connected to your RoonServer machine?

· Network - WiFi

Which network audio protocol is the Zone using with Roon?

· Airplay

Since this is an Airplay Zone, have you tried toggling Airplay Compatibility Mode for this Zone in the Device Setup window?

· There is no change in behavior.

Does the device show up at all in Roon Settings -> Audio?

· Yes, it shows up there, but it isn't Enabled

Does the "Enable" button unlock the Zone?

· I pressed Enable, but the Zone remains disabled

Does the device play audio from another source when using the same connection?

· The device has no problems with another audio source

Have you checked that Roon is whitelisted in any firewalls?

· I've checked the firewall and the issue remains

If the device has multiple output options, do the other options work as expected?

· Only one output type is affected while the other output type works as expected

Is the device using the latest firmware as per the manufacturer?

· Firmware is up-to-date but the issue remains

What are the make and model of the affected audio device(s) and the connection type?

· HomePod mini

Describe the issue

Roon unable to AirPlay with firewall in place

Describe your network setup

eero Pro 6E

Some further context: I have set up Roon Server on a Linux machine that has a generally restrictive firewall. The firewall allows TCP ports 9100:9200, 9330:9339, 30000:30010 and UDP port 9003, which I understand are required for basic operation. Additionally, I’m using TCP 55002 for Roon ARC.

Everything works in this configuration except AirPlay. HomePod devices show up in Settings > Audio as Roon Tested, AirPlay 2 devices. When enabled, no track is able to be started. After some duration, the track pauses at 0:00. This happens with FLAC or MP3; I do not use any third-party service. Via the Roon ARC app, I use AirPlay fine, since it is through my iPhone.

Disabling the firewall, I can play music to the HomePod I’m testing. lsof shows an established TCP connection to the HomePod’s IP address, but it originates from a different port each time roon-server is restarted. I’ve observed the following ports used: 41980, 49872, 52336, 57150, 59546.

This is a significant range and appears undocumented from what I can find. How do I proceed in securing the machine running Roon Server without obstructing the ability to use AirPlay?

Hi @stackptr,

Thank you for your post. RoonServer can be a little tricky to configure with restrictive firewalls since it assigns certain ports dynamically.

The ports above are in a range usually reserved for temporary, dynamic assignment - Roon relies on dynamic assignment for some protocols to allow for flexibility in device discovery. There’s also a chance you’re seeing the UPnP stack in RoonServer attempt to ping the HomePod to configure port forwarding automatically in a harmless and redundant exchange.

However, Airplay 1 device discovery announcements should take place on a predictable port. For this particular issue, make sure that the bonjour and mDNS ports in Apple’s documentation are safelisted: TCP and UDP ports used by Apple software products - Apple Support

I’d also verify that you’ve allowed Roon local network access on the Mac running Sequoia in your System Settings → Privacy & Security → Local network list.

Please let us know if this makes sense.

Thanks for your response, @connor.

I’ve opened ports for bonjour and mDNS as specified in the documentation from Apple Support, namely: UDP 1900 and UDP 5350-5353. This has not changed anything.

Regarding UPnP, I have ensured that the option is enabled on the eero router but I am not sure how to test things further.

roon-server is not running on a Mac, although I am attempting to play to a HomePod from the Roon macOS client. But I can also confirm the issue is present on an iPhone and iPad (using Roon, not Roon ARC).

Hey @stackptr,

Thanks for the update!

Are you running Sequoia on this Mac? There was a recent update to 15.3 that fixed many local networking issues that may be playing a part in your airplay issue.

Let me know if you’re able to update and see if you’re able to reproduce afterward.

We’ll be on standby for your reply, thank you!

Hey @benjamin

I’ll update to 15.3 but I want to note that the issue is reproducible on other clients like Roon on my iPhone (but ARC is able to AirPlay fine). Also, if I temporarily disable the firewall on my Linux machine, the issue is cleared up. That seems to indicate an issue on the Linux side of things.

Thanks

Hi @stackptr

Have you tried adding exceptions for AirPlay to your firewall rules?

Yes, ports 80, 443, 554 (TCP/UDP), 3689, and 5353 have been opened. I can confirm this by using netcat on the server to listen on the port, and then scan the port from a different computer, e.g.:

server
❯ sudo nc -l 554

elsewhere
❯ nc -zv server 554

Hi @stackptr ,

Configuring the Linux firewall may be a bit trickier than just adding the specific ports, as Roon can use randomized ports. In the past, other users have been able to configure their firewall with the below guides. Can you please let us know if this helps?

I ended up having to open a port range 30000:65535 for devices on my local network to get this to work:

iptables -A INPUT -p tcp --dport 30000:65535 -s 192.168.4.0/24 -j ACCEPT
iptables -A INPUT -p udp --dport 30000:65535 -s 192.168.4.0/24 -j ACCEPT
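
An added example, not part of any post in this thread and not Roon's own tooling: before opening a range as wide as 30000:65535, the `lsof` observation from earlier in the thread can be turned into a check of which sockets actually wait for inbound traffic outside the allowed ranges, and which are connections the server opened itself from an ephemeral port. The sample `lsof -nP -i` output is constructed; the allowed ranges and port 41980 come from the thread.

```python
import re

# Ports the original poster's firewall already allows (from the thread).
ALLOWED = {
    "TCP": [(9100, 9200), (9330, 9339), (30000, 30010), (55002, 55002)],
    "UDP": [(9003, 9003)],
}

# Constructed sample of `lsof -nP -i` output. PIDs, addresses, the remote
# port and ports 38211/47312 are made up; 41980 is a port the poster saw.
SAMPLE = """\
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
RoonAppli 1234 roon  101u  IPv4  50001      0t0  TCP *:9100 (LISTEN)
RoonAppli 1234 roon  102u  IPv4  50002      0t0  TCP 192.168.4.10:41980->192.168.4.50:7000 (ESTABLISHED)
RoonAppli 1234 roon  103u  IPv4  50003      0t0  UDP *:9003
RoonAppli 1234 roon  104u  IPv4  50004      0t0  UDP *:47312
RoonAppli 1234 roon  105u  IPv4  50005      0t0  TCP *:38211 (LISTEN)
"""

# NAME column: PROTO local[->remote] [(STATE)]
NAME_RE = re.compile(r"(TCP|UDP) (\S+?):(\d+)(?:->(\S+):(\d+))?(?: \((\w+)\))?$")


def allowed(proto, port):
    """True if the port falls inside a range the firewall already accepts."""
    return any(lo <= port <= hi for lo, hi in ALLOWED[proto])


def classify(lsof_text):
    """Split sockets into listeners the allow-list misses and outbound flows."""
    rows = [m.groups() for m in map(NAME_RE.search, lsof_text.splitlines()) if m]
    # No remote endpoint: a TCP listener or an unconnected UDP socket.
    listeners = {(p, int(lp)) for p, _, lp, ra, _, _ in rows if ra is None}
    needs_rule = sorted(s for s in listeners if not allowed(*s))
    # Remote endpoint and a local port nobody listens on: server-initiated.
    outbound = sorted({(p, int(lp)) for p, _, lp, ra, _, _ in rows
                       if ra is not None and (p, int(lp)) not in listeners})
    return needs_rule, outbound


if __name__ == "__main__":
    needs_rule, outbound = classify(SAMPLE)
    print("listening outside allowed ranges:", needs_rule)
    print("outbound from ephemeral ports:  ", outbound)
```

Only the first list describes sockets that depend on an INPUT rule for their local port; comparing it across several restarts of roon-server shows how wide the range of such ports really is.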
