Talking to Roon from another VLAN (I got it working)

@Aaron_Turner Is the state of Roon still that it doesn’t work on completely open VLANs?

I’ve currently just purchased a USW to go with my USG and I’ve set up 6 VLANs for various reasons. I came across this post when Roon, which is on a VM under Proxmox within a VLAN, wasn’t seeing any audio devices at all.

I moved it to the default network and now it sees my phone as an audio device, but I’m assuming the bridge for my main desktop PC isn’t being seen as that’s in another VLAN.

Currently I have no firewall rules set up; the USG by default allows all traffic between VLANs, so why isn’t this working?

Roon uses multicast to discover endpoints. By design, multicast doesn’t cross subnet borders. For that you’ll have to do some more exotic stuff. There’s no toggle you can switch on the USG that will magically make this work I’m afraid.

Hi all,

Since this thread is one of the top hits on Google for trying to get this to work… I figured I’d post what I did to get it working on pfSense.

I have my Roon Core on my vlan12 and my workstation on vlan11.

First I created a port alias with all the Roon UDP ports:

UDP 32768:65535, 9003

Then I created a port alias with all the Roon TCP ports:

TCP 9100:9200, 9330:9339, 30000:30010, 32768:65535

Then created an IP Alias with the IP of my Roon Core and another IP Alias for the IP of my Workstation.

After those were completed, I installed the UDP Broadcast Relay from the Package Manager and added a configured instance of:

ID: 1
Port: 9003
Interfaces: vlan11 and vlan12

I then created two firewall rules on each vlan interface (vlan 11 and vlan 12):

VLAN_12:

IPv4 UDP Only
Source: Roon_Core (roon core alias)
Destination: WIN_001 (workstation alias)
Destination Ports: ROON_UDP_PORTS (Port alias created previously with all UDP ports required)

IPv4 TCP Only
Source: Roon_Core (roon core alias)
Destination: WIN_001 (workstation alias)
Destination Ports: ROON_TCP_PORTS (Port alias created previously with all TCP ports required)

In terms of the other way around, from my Workstation to Roon Core, I needed to add the entire subnet to the rules, as it sends packets to the broadcast/gateway IP addresses of both vlan11 and vlan12.

I created an IP-Network Alias with both my vlan11 and vlan12 subnets in it.

I then created 2 firewall rules on the VLAN11 interface:

VLAN_11:

IPv4 UDP Only
Source: WIN_001 (alias for my workstation)
Destination: ROON_NETWORKS (alias created previously with both subnets)
Destination ports: ROON_UDP_PORTS (alias created previously with all required UDP ports)

IPv4 TCP Only
Source: WIN_001 (alias for my workstation)
Destination: ROON_NETWORKS (alias created previously with both subnets)
Destination ports: ROON_TCP_PORTS (alias created previously with all required TCP ports)

Once that was all done, I was able to launch Roon on my Windows Workstation and control and stream music successfully, both streaming from my iFi Zen DAC attached directly to my Roon Core and using my speakers connected to my Windows workstation.

I was running around in circles trying to get it to work previously, so hopefully this helps someone else!

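To check what the ruleset in the post above actually permits before trusting it, here is a small model of those aliases and rules. This is an added example, not configuration from the original post or from pfSense/Roon: alias names and port lists follow the post, while the host addresses and subnets for vlan11 and vlan12 are constructed placeholders. It evaluates the first packet of a flow the way pfSense does (rules apply to traffic entering an interface, first match wins, no match means deny) and shows why the workstation side needs the ROON_NETWORKS alias rather than just the core's address, and that hosts and ports outside the aliases stay blocked.

```python
"""Model of the pfSense aliases and firewall rules described in the post above.

Added example, not configuration from the original post or from pfSense/Roon.
Alias names and port lists follow the post; the IP addresses and subnets are
constructed placeholders for vlan11 and vlan12.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


def parse_ports(spec: str) -> List[Tuple[int, int]]:
    """Parse a pfSense-style port alias, e.g. '32768:65535, 9003'."""
    ranges = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        lo, _, hi = item.partition(":")
        lo_p, hi_p = int(lo), int(hi or lo)
        if not 1 <= lo_p <= hi_p <= 65535:
            raise ValueError(f"bad port range: {item!r}")
        ranges.append((lo_p, hi_p))
    return ranges


def networks(*cidrs: str):
    """Build an IP/network alias from one or more CIDR strings."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


@dataclass(frozen=True)
class Rule:
    iface: str                      # pfSense interface the packet ENTERS on
    proto: str                      # 'udp' or 'tcp'
    src: list                       # IP alias (list of networks)
    dst: list
    dports: List[Tuple[int, int]]   # port alias


@dataclass(frozen=True)
class Flow:
    iface: str
    proto: str
    src: str
    dst: str
    dport: int


# --- aliases (names from the post, addresses constructed) ---
ROON_UDP_PORTS = parse_ports("32768:65535, 9003")
ROON_TCP_PORTS = parse_ports("9100:9200, 9330:9339, 30000:30010, 32768:65535")
ROON_CORE = networks("10.0.12.10/32")        # constructed core address on vlan12
WIN_001 = networks("10.0.11.20/32")          # constructed workstation address on vlan11
ROON_NETWORKS = networks("10.0.11.0/24", "10.0.12.0/24")

# --- the four pass rules from the post; anything else hits the default deny ---
RULES = [
    Rule("vlan12", "udp", ROON_CORE, WIN_001, ROON_UDP_PORTS),
    Rule("vlan12", "tcp", ROON_CORE, WIN_001, ROON_TCP_PORTS),
    Rule("vlan11", "udp", WIN_001, ROON_NETWORKS, ROON_UDP_PORTS),
    Rule("vlan11", "tcp", WIN_001, ROON_NETWORKS, ROON_TCP_PORTS),
]


def matches(rule: Rule, flow: Flow) -> bool:
    ip_src, ip_dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    return (rule.iface == flow.iface
            and rule.proto == flow.proto
            and any(ip_src in n for n in rule.src)
            and any(ip_dst in n for n in rule.dst)
            and any(lo <= flow.dport <= hi for lo, hi in rule.dports))


def permitted(flow: Flow, rules=RULES) -> bool:
    """First matching pass rule wins (pfSense order); no match means deny.

    Only the opening packet of a connection is modelled: pfSense's state table
    admits the reply direction, so no mirror rules are needed.
    """
    return any(matches(r, flow) for r in rules)


# --- flows worth checking against the ruleset ---
FLOWS = {
    # workstation's discovery probe to the vlan12 broadcast address: this is
    # why the workstation rules need ROON_NETWORKS rather than just ROON_CORE
    "ws_discovery_broadcast": Flow("vlan11", "udp", "10.0.11.20", "10.0.12.255", 9003),
    "ws_to_core_udp": Flow("vlan11", "udp", "10.0.11.20", "10.0.12.10", 9003),
    "ws_to_core_tcp": Flow("vlan11", "tcp", "10.0.11.20", "10.0.12.10", 9100),
    "core_to_ws_udp": Flow("vlan12", "udp", "10.0.12.10", "10.0.11.20", 40000),
    # outside the aliases, so these stay blocked
    "ws_ssh_to_core": Flow("vlan11", "tcp", "10.0.11.20", "10.0.12.10", 22),
    "other_host_to_core": Flow("vlan11", "tcp", "10.0.11.99", "10.0.12.10", 9100),
    "core_to_other_host": Flow("vlan12", "tcp", "10.0.12.10", "10.0.11.99", 9100),
}


def check_all() -> dict:
    """Return the allow/deny verdict for each flow in FLOWS."""
    return {name: permitted(flow) for name, flow in FLOWS.items()}


if __name__ == "__main__":
    for name, verdict in check_all().items():
        print(f"{'PASS ' if verdict else 'BLOCK'} {name}")
```

Run it and compare the verdicts with what you expect from your own ruleset; a flow that shows PASS here but fails on the box usually means the rule sits on the wrong interface or the packet arrives from a source that is not in the alias.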

Okay, guys. I’m really struggling with this and am super confident that somewhere along the way I’ve made a config error, but can’t for the life of me determine what’s causing my issue.

Bit of background:

  • pfSense at Site A:
    • LAN is 10.1.0.0/16
    • (legacy) Individual Wireguard Client-to-Site VPNs (road warrior) – iMac is 172.16.220.0/30
    • (new) Site-to-Site Wireguard VPN is 172.16.200.1/24 (also tried /30)
    • Roon Core lives on a Ubuntu VM at 10.1.0.30
  • pfSense at Site B:
    • LAN is 10.2.0.0/16
    • Site-to-Site Wireguard VPN is 172.16.200.2/24 (also tried /30)

For the site-to-site VPN, I followed the YouTube video on the pfSense channel and have the gateways and static routes in place as described. Traffic passes like a champ – ICMP ping works great in both directions, I can SSH to hosts at either site, hosts with web configs/status pages load perfectly from and to both sites. Traffic is passing as expected.

I installed udp-broadcast-proxy as instructed on both pfSense boxes and confirmed it’s running on both ends. Checked the log files and they’re clean. Included the LAN and Wireguard tunnels on both sides (vmx.0 and tun_wg5 at Site A and igb0 and tun_wg0 at Site B). Avahi is running, for whatever that’s worth.

I have an iMac at Site B with the Roon client software installed. If I connect to the wireless LAN that’s behind my pfSense box at this site, I can pass traffic to the Roon Core (10.2.202.101 to 10.1.0.30) – I can SSH into the box, I can ping it, works as expected. But when I launch the Roon client, it perpetually waits for my Roon Server. If I try to discover it, it never finds it.

Here’s where I’m confused though… I also have the Wireguard client installed directly on the iMac and a client-to-server tunnel configured. If I connect to the wireless LAN that’s NOT behind my pfSense box (so no site-to-site VPN in the mix) and then launch the Wireguard client software on my iMac to stand up a tunnel that way, the Roon software instantly finds my server at 10.1.0.30, connects, and behaves exactly as I would expect it to. Discovery works great, too.

All of this to say - my ultimate goal is to get the site-to-site VPN working at my office so I can stick my iMac and an Eversolo streamer/DAC behind the pfSense site-to-site VPN and have it connect back to the Roon Server at home.

Any thoughts about what I’m doing wrong here? Any other info that would help diagnose?

Site-to-site VPNs are a very different beast. There is no ‘how to’ or recipe for making it work. As for diagnosing, you’ll have to run tcpdump on your pfSense boxes and diagnose the issue by looking at packets and seeing how they are getting forwarded (or dropped).

Recent versions of Wireshark have the ability to decode the Roon discovery messages which can aid in this.

Sorry, no other advice at this time.
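The reply above leaves the reader with "capture on each interface and see where the packets stop". As an added example (not from the thread, Roon or pfSense), the script below does that comparison for you: it reads the one-line-per-packet output that `tcpdump -n` prints for UDP, counts discovery probes and replies per interface, and says at which hop the exchange breaks. It assumes discovery runs over UDP port 9003 (the port the pfSense post earlier in the thread relays); the interface names igb0 and tun_wg0 come from the question, and the capture lines themselves are constructed.

```python
"""Correlate per-interface tcpdump captures to see where a Roon discovery
probe stops.

Added example, not from the original thread or from Roon/pfSense. It assumes
discovery runs over UDP port 9003 and reads the line format `tcpdump -n`
prints for UDP packets; interface names follow the question in the thread,
the packets themselves are constructed.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

DISCOVERY_PORT = 9003

# e.g. "12:00:01.000001 IP 10.2.202.101.50123 > 10.2.255.255.9003: UDP, length 64"
UDP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP, length (?P<len>\d+)$"
)


def parse_udp_line(line: str) -> Optional[dict]:
    """Return the fields of one tcpdump UDP line, or None for anything else."""
    m = UDP_LINE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for k in ("sport", "dport", "len"):
        d[k] = int(d[k])
    return d


def summarise(captures: Dict[str, List[str]], port: int = DISCOVERY_PORT) -> Dict[str, Counter]:
    """Count discovery probes (to `port`) and replies (from `port`) per interface."""
    out = {}
    for iface, lines in captures.items():
        c = Counter()
        for line in lines:
            pkt = parse_udp_line(line)
            if pkt is None:
                continue
            if pkt["dport"] == port:
                c["probes"] += 1
            if pkt["sport"] == port:
                c["replies"] += 1
        out[iface] = c
    return out


def diagnose(summary: Dict[str, Counter], lan_iface: str, tunnel_iface: str) -> str:
    """Turn the per-interface counts into a statement of where the exchange breaks."""
    lan = summary.get(lan_iface, Counter())
    tun = summary.get(tunnel_iface, Counter())
    if lan["probes"] == 0:
        return f"no probe on {lan_iface}: client is not sending, or the capture is on the wrong interface"
    if tun["probes"] == 0:
        return f"probe seen on {lan_iface} but never on {tunnel_iface}: it is not being relayed onto the tunnel"
    if tun["replies"] == 0:
        return f"probe crossed {tunnel_iface} but no reply came back: check the far side and the return route"
    if lan["replies"] == 0:
        return f"reply reached {tunnel_iface} but not {lan_iface}: it is dropped between tunnel and LAN"
    return "probe and reply present on both interfaces: discovery traffic is flowing"


# Constructed sample for Site B, as captured with `tcpdump -n -i <iface> udp port 9003`
SITE_B_CAPTURES = {
    "igb0": [
        "12:00:01.000001 IP 10.2.202.101.50123 > 10.2.255.255.9003: UDP, length 64",
        "12:00:03.000002 IP 10.2.202.101.50123 > 10.2.255.255.9003: UDP, length 64",
    ],
    "tun_wg0": [],   # nothing reached the tunnel in this constructed sample
}


if __name__ == "__main__":
    s = summarise(SITE_B_CAPTURES)
    for iface, counts in s.items():
        print(iface, dict(counts))
    print(diagnose(s, "igb0", "tun_wg0"))
```

Feed it one capture per interface from each pfSense box; the first branch that fires tells you which hop to look at next, which is considerably faster than reading two captures side by side.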

Thanks, @Aaron_Turner - that points me in a good direction. If I make some progress, I’ll certainly report back to the group on how I got there.