Unable to reach Roon ready devices on other IP-ranges

I have a roon multiroom installation for years now. There are wired parts (core, sonos boost, some endpoints), and parts on wifi (android controllers, Riopee endpoints, Sonos Roams, Wiim Pro Plus).
For securityreasons, I seperated the different (wifi) networks.
Wired: 192.168.1.*
Wifi: 192.168.2.*
Wifi IOT: 192.168.3.*

Core is in the .1 range, controllers on the .2 range, endpoints on the .3 range.
That works, I can control the core with the androiddevices, and play music on most of the endpoints.
But some endpoints won’t show up again, and they are allways Roon tested or Roon ready.
So I could add them using airplay or chromecast, but a connection using RAAT seems impossible.
At the settings/audiodevices, I see them as chromecase and airplay endpoints. But they are gone at the Roon Ready/Tested sections.

Wiim Pro Wired is active under Roon Ready devices. But another Wiim Pro that is connected to the wifi-network doesnt.
Sonos Roams are connected to wifi and don’t show up as Roon Ready devices like they used to. As the other Sonos speakers are connected to a wired Sonos Boost, they all are in the .1 range.
So in Roon the sonosspeakers in another ip-range don’t work (using sonos streaming), but in the Sonos-app everything works fine. All sonos devices, not matter in wich IP-range, show up and play music.
So it has to be something on the roon side.

Why can’t Roon connect to Roon Ready/Tested devices in another IP-range in the case of Sonos and Wiim Pro? While Riopeee endpoints, in the same range (.3) do show up and work.

I hope I explained it well.
And there is a way out offcourse :slight_smile:

Kind regards,

Roon does not support subnets, VLANs, etc. All Roon-using devices, remotes, and server must be on the same subnet.

You will find discussions and people who may have figured out working configurations in the Tinkering forum category

Owkay, I can put them back on the same network, but that still doenst explain why endpoints like Riopee do work on another IP-range.

Well Roipeee uses Roon Bridge and maybe there are subtle differences to a Roon Ready stack. Some of what works and what doesn’t may be seemingly random and also not consistent over time, depending on what the Roon server is trying to do in a given moment. I don’t know.

In the end, Roon code does nothing to attempt making it work.

None of my Ropiees work over my vlan for RAAT only the Airplay client is visible but it won’t play to it. Chromecast works perfectly fine across vlans as long as mdns is active. System airplay on iOS and macOS works fine over vlans but for some reason not via Roon. RAAT in all cases won’t go across subnets without a lot of network tinkering this is by design. Your on your own to get it to work.

I increasingly wonder if a reasonable solution to all of this would be for Roon to implement an “Add Device” feature to Settings > Audio which allows the user to specify a device by IP address. This wouldn’t alleviate the need for people to configure their networks to allow traffic between their Roon server and endpoints. Still, it would eliminate the constant discussions about why we need UDP proxies and how to get them working. I wouldn’t prioritize this above things like “ARC should work,” but there’s a steady stream of people trying (and mostly failing) to get VLANs working. It would allow support (and by this I mean you guys :slight_smile:) to actually help people like this poster, to get things working.


I wonder. It would eliminate some of these constant discussions, but I understand if Roon isn’t keen on adding the need to support misconfigured subnets, VLANs, and so on to their support list, in addition to the issues some users already have with even their simple LANs :slight_smile:

That’s the tradeoff.

Roon barely supports any of this anyhow. Anything they do would, in actuality, amount to improving the tools they provide you, @Simon_Arnold3, the mods, and a few others to help people get Roon running in their environment. The answer today is essentially “you need to either give up on segmenting and securing your network or you need to figure out how to run a proxy”.

In today’s world of IoT, it’s becoming a best practice for anyone bringing many devices into their home to think about protecting themselves from the devices they deploy. Just my opinion but it seems to me that we’d all be in much better shape if the solution to vlans was:

  • Assign static addresses to your server and endpoints
  • Allow traffic between your server and endpoints based on IP address
  • Go to Settings > Audio > Add Endpoint or Settings > Extensions > Add Extension and add the device or extension by IP

And if you’re not capable of doing that, then you shouldn’t be using vlan in the first place :slight_smile:


Maybe, yeah. But I personally don’t do any help with this anyway, I just send them to you in Tinkering :stuck_out_tongue_winking_eye:
Reading manuals of routers I don’t know to post screenshots for port forwarding settings is enough, thank you very much.

True, but people already do so many things they shouldn’t :slight_smile:

Since you’ve already got the manual open, can’t you just flip to the sections on IP reservations, port profiles, and firewall rules? I have faith in you to be able to do it.

I can’t help anybody there. You should stop sending them. It’s just too hard.


Just kidding, I only recommend searching, reading, and maybe asking in Tinkering


I just moved all music devices back in the same LAN.
I’m familiar with network setup but it’s just not worth the hastle.

The message ‘won’t work over VLAN or different LAN’s’ was enough for me.

I just didn’t consider that fact as some things worked, and others didn’t. And Sonos has no problem with it.
I do think it’s not a very unusual situation. From the moment you think of securing things, you’ll end up seperating IOT-devices. And for me those are IOT-devices.
I have to trust developers behind Ropiee and RooExtend and that’s it :slight_smile:
It’s adding those components that made me want to secure things.

kind regards,

What is the security reason for the OP splitting it like this? I cannot think of one.

There are many security-breaches with IOT devices. Remember the securitycam hack a couple years ago (recordings of IP cameras in your home were suddenly available on a Chinese website.), peoples Synology-NAS blocked by ransomware, etc… The less well-known the vendor, the greater the risk of poor security implementation. The better known the vendor, the greater the risk of attacks. Not to mention things that come in via AliExpress.

It’s common practice to seperate those devices in a different network-environment with more limitations, then your main network.

No it’s common to put those iot devices in their own vlan and using the firewall prevent that vlan from seeing anything else on the network.

I have my main wifi/lan then I have an iot WiFi for those devices that cannot see the main wifi/lan

I don’t fully understand @Thomas_Vandromme’s network.

Wired vs. WiFi isn’t what matters. A VLAN can be simultaneously wired and wireless because a WiFi network can be “mapped” to a VLAN just like an individual port can be (assuming a hardware/software combination that supports this).

I use three VLANs:

  1. Default. I consider this my “high trust” network. Our phones, computers, tablets (happen to be all Apple), Synology NAS, UniFi cameras, Apple TV. Some of this is a compromise. (Wired/WiFi)

  2. Roon. Roon server, endpoints. (Wired/WiFi)

  3. IoT. Everything else. Automation hubs, door locks, refrigerators, … (Wired/WiFi)

  4. Guest. (WiFi only, device isolation)

Intervlan traffic is blocked by default. Traffic is selectively allowed through the firewall. For example, all devices on 1 have access to 2 and 3. Roon server can talk to 1. Home Assistant, on 2, can speak to anything on Roon. Etc. Lots of rules.

I think this is similar to what @Gareth_Irwin is describing.


Ok, now we are all saying the same :slight_smile:
You cannot add Roon endpoints to an IOT-network, and the core to the main network.
The only way to seperate roon from the main network is setting up a seperate vlan for all things roon. Like gTunes did.

It can be done but it is not cut and dry with most home routers in setting up different vlans. On the other hand there are routers that can be configured to do exactly this.

Ubiquity for example can accomplish this. However to set this up on a Ubiquity router your understanding of networks has to be a step above and also understand command line configurations. You Tube has plenty of videos on these routers to have it setup with multiple vlans. Once configured and setup, it is rock solid and secure.