Unable to reach Roon ready devices on other IP-ranges

Hi,
I have had a Roon multiroom installation for years now. There are wired parts (core, Sonos Boost, some endpoints), and parts on wifi (Android controllers, RoPieee endpoints, Sonos Roams, Wiim Pro Plus).
For security reasons, I separated the different (wifi) networks.
Wired: 192.168.1.*
Wifi: 192.168.2.*
Wifi IOT: 192.168.3.*

Core is in the .1 range, controllers on the .2 range, endpoints on the .3 range.
That works: I can control the core with the Android devices, and play music on most of the endpoints.
But some endpoints won’t show up again, and they are always Roon Tested or Roon Ready.
So I could add them using AirPlay or Chromecast, but a connection using RAAT seems impossible.
Under Settings/Audio devices, I see them as Chromecast and AirPlay endpoints. But they are gone from the Roon Ready/Tested sections.

Example:
The wired Wiim Pro is active under Roon Ready devices. But another Wiim Pro that is connected to the wifi network isn’t.
Sonos Roams are connected to wifi and don’t show up as Roon Ready devices like they used to. As the other Sonos speakers are connected to a wired Sonos Boost, they all are in the .1 range.
So in Roon the Sonos speakers in another IP range don’t work (using Sonos streaming), but in the Sonos app everything works fine. All Sonos devices, no matter in which IP range, show up and play music.
So it has to be something on the roon side.

Why can’t Roon connect to Roon Ready/Tested devices in another IP range in the case of Sonos and Wiim Pro, while RoPieee endpoints in the same range (.3) do show up and work?

I hope I explained it well.
And there is a way out of course :slight_smile:

Kind regards,
Thomas

Roon does not support subnets, VLANs, etc. All Roon-using devices, remotes, and server must be on the same subnet.

You will find discussions and people who may have figured out working configurations in the Tinkering forum category.

Okay, I can put them back on the same network, but that still doesn’t explain why endpoints like RoPieee do work on another IP range.

Well, RoPieee uses Roon Bridge and maybe there are subtle differences to a Roon Ready stack. Some of what works and what doesn’t may be seemingly random and also not consistent over time, depending on what the Roon server is trying to do in a given moment. I don’t know.

In the end, Roon code does nothing to attempt making it work.

None of my RoPieees work over my VLAN for RAAT; only the AirPlay client is visible, but it won’t play to it. Chromecast works perfectly fine across VLANs as long as mDNS is active. System AirPlay on iOS and macOS works fine over VLANs but for some reason not via Roon. RAAT in all cases won’t go across subnets without a lot of network tinkering; this is by design. You’re on your own to get it to work.

I increasingly wonder if a reasonable solution to all of this would be for Roon to implement an “Add Device” feature to Settings > Audio which allows the user to specify a device by IP address. This wouldn’t alleviate the need for people to configure their networks to allow traffic between their Roon server and endpoints. Still, it would eliminate the constant discussions about why we need UDP proxies and how to get them working. I wouldn’t prioritize this above things like “ARC should work,” but there’s a steady stream of people trying (and mostly failing) to get VLANs working. It would allow support (and by this I mean you guys :slight_smile:) to actually help people like this poster, to get things working.

4 Likes

I wonder. It would eliminate some of these constant discussions, but I understand if Roon isn’t keen on adding the need to support misconfigured subnets, VLANs, and so on to their support list, in addition to the issues some users already have with even their simple LANs :slight_smile:

That’s the tradeoff.

Roon barely supports any of this anyhow. Anything they do would, in actuality, amount to improving the tools they provide you, @Simon_Arnold3, the mods, and a few others to help people get Roon running in their environment. The answer today is essentially “you need to either give up on segmenting and securing your network or you need to figure out how to run a proxy”.

In today’s world of IoT, it’s becoming a best practice for anyone bringing many devices into their home to think about protecting themselves from the devices they deploy. Just my opinion but it seems to me that we’d all be in much better shape if the solution to vlans was:

  • Assign static addresses to your server and endpoints
  • Allow traffic between your server and endpoints based on IP address
  • Go to Settings > Audio > Add Endpoint or Settings > Extensions > Add Extension and add the device or extension by IP

And if you’re not capable of doing that, then you shouldn’t be using vlan in the first place :slight_smile:

2 Likes
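
The three steps listed in the post above, modeled as an added example (not part of the thread, and not Roon or router code): a default-deny policy between the thread's three ranges with per-host allow rules for hypothetical static addresses. It also shows why unicast rules alone leave broadcast and multicast discovery on the sender's segment.

```python
import ipaddress as ip

# Constructed example data: the three ranges come from the thread, the host
# addresses are hypothetical static assignments.
SEGMENTS = {
    "wired": ip.ip_network("192.168.1.0/24"),
    "wifi": ip.ip_network("192.168.2.0/24"),
    "iot": ip.ip_network("192.168.3.0/24"),
}
SERVER = "192.168.1.10"    # hypothetical Roon server
ENDPOINT = "192.168.3.20"  # hypothetical endpoint on the IoT range

# Allow rules as (source network, destination network); anything that
# crosses segments and matches none of them is dropped.
ALLOW = [
    (ip.ip_network(SERVER), ip.ip_network(ENDPOINT)),
    (ip.ip_network(ENDPOINT), ip.ip_network(SERVER)),
    (SEGMENTS["wifi"], ip.ip_network(SERVER)),  # controllers to server
]


def segment_of(addr):
    """Return the name of the segment holding addr, or None."""
    return next((n for n, net in SEGMENTS.items() if addr in net), None)


def is_discovery_style(dst):
    """True for destinations a plain router does not forward between subnets."""
    return (
        dst.is_multicast
        or dst == ip.ip_address("255.255.255.255")
        or any(dst == net.broadcast_address for net in SEGMENTS.values())
    )


def verdict(src, dst):
    """Classify one packet: same-segment, not-routed, allow or deny."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    if is_discovery_style(dst):
        return "not-routed"  # stays on the sender's segment unless relayed
    seg = segment_of(src)
    if seg is not None and seg == segment_of(dst):
        return "same-segment"  # switched locally, never reaches the firewall
    if any(src in s and dst in d for s, d in ALLOW):
        return "allow"
    return "deny"
```
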

Maybe, yeah. But I personally don’t do any help with this anyway, I just send them to you in Tinkering :stuck_out_tongue_winking_eye:
Reading manuals of routers I don’t know to post screenshots for port forwarding settings is enough, thank you very much.

True, but people already do so many things they shouldn’t :slight_smile:

Since you’ve already got the manual open, can’t you just flip to the sections on IP reservations, port profiles, and firewall rules? I have faith in you to be able to do it.

I can’t help anybody there. You should stop sending them. It’s just too hard.

:joy:

Just kidding, I only recommend searching, reading, and maybe asking in Tinkering

Hey,

I just moved all music devices back in the same LAN.
I’m familiar with network setup but it’s just not worth the hassle.

The message ‘won’t work over VLAN or different LANs’ was enough for me.

I just didn’t consider that fact as some things worked, and others didn’t. And Sonos has no problem with it.
I do think it’s not a very unusual situation. From the moment you think of securing things, you’ll end up separating IoT devices. And for me those are IoT devices.
I have to trust developers behind RoPieee and RooExtend and that’s it :slight_smile:
It’s adding those components that made me want to secure things.

kind regards,
Thomas

What is the security reason for the OP splitting it like this? I cannot think of one.

There are many security breaches with IoT devices. Remember the security cam hack a couple of years ago (recordings of IP cameras in your home were suddenly available on a Chinese website), people’s Synology NAS blocked by ransomware, etc… The less well-known the vendor, the greater the risk of poor security implementation. The better known the vendor, the greater the risk of attacks. Not to mention things that come in via AliExpress.

It’s common practice to separate those devices in a different network environment with more limitations than your main network.

No, it’s common to put those IoT devices in their own VLAN and, using the firewall, prevent that VLAN from seeing anything else on the network.

I have my main wifi/LAN, then I have an IoT wifi for those devices that cannot see the main wifi/LAN.

I don’t fully understand @Thomas_Vandromme’s network.

Wired vs. WiFi isn’t what matters. A VLAN can be simultaneously wired and wireless because a WiFi network can be “mapped” to a VLAN just like an individual port can be (assuming a hardware/software combination that supports this).

I use three VLANs:

  1. Default. I consider this my “high trust” network. Our phones, computers, tablets (happen to be all Apple), Synology NAS, UniFi cameras, Apple TV. Some of this is a compromise. (Wired/WiFi)

  2. Roon. Roon server, endpoints. (Wired/WiFi)

  3. IoT. Everything else. Automation hubs, door locks, refrigerators, … (Wired/WiFi)

  4. Guest. (WiFi only, device isolation)

Inter-VLAN traffic is blocked by default. Traffic is selectively allowed through the firewall. For example, all devices on 1 have access to 2 and 3. Roon server can talk to 1. Home Assistant, on 2, can speak to anything on Roon. Etc. Lots of rules.

I think this is similar to what @Gareth_Irwin is describing.

2 Likes

Ok, now we are all saying the same :slight_smile:
You cannot add Roon endpoints to an IoT network, and the core to the main network.
The only way to separate Roon from the main network is setting up a separate VLAN for all things Roon. Like gTunes did.

It can be done, but setting up different VLANs is not cut and dried with most home routers. On the other hand, there are routers that can be configured to do exactly this.

Ubiquiti, for example, can accomplish this. However, to set this up on a Ubiquiti router, your understanding of networks has to be a step above, and you also need to understand command-line configuration. YouTube has plenty of videos on setting up these routers with multiple VLANs. Once configured and set up, it is rock solid and secure.

–MD