Updated UFW configuration (actual state: Roon 1.8, Build 952)

Guys,
I have searched through several cluttered posts on how to configure UFW (I use Ubuntu Server 22.04 LTS) to work reliably. Also, it seems that recent updates of Roon require some additional ports to be opened, which are not listed in most of the currently available instructions (I currently run Roon 1.8, Build 952). I share with you my configuration that works very well.

First of all, I would like to mention that I work with application profiles for UFW. This seems to me to be a much cleaner approach. So each application has its own profile and I can easily identify what a rule is needed for.

So let’s start:

1. Create application profile for Roon
sudo nano /etc/ufw/applications.d/roon

[Roon]
title=Roon Server
description=Roon Labs Core Music Server
ports=9003/udp|9100:9200/tcp|1900/udp|9330:9339/tcp|30000:30010/tcp

2. Activate UFW application profile for Roon
sudo ufw allow from 192.168.1.0/24 to any app roon

Remarks:
This is my subnet. Of course, you need to adjust the above IP range to your own setup.
I have specified a specific subnet. As an alternative, you could also generally allow the application:

sudo ufw allow app roon

3. Update IGMP rules for proper Roon-Endpoint discovery
sudo nano /etc/ufw/before.rules

### IGMP (Roon) ###
-A ufw-before-input -s 224.0.0.0/4 -j ACCEPT
-A ufw-before-input -d 224.0.0.0/4 -j ACCEPT
-A ufw-before-input -s 240.0.0.0/5 -j ACCEPT
-A ufw-before-input -m pkttype --pkt-type multicast -j ACCEPT
-A ufw-before-input -m pkttype --pkt-type broadcast -j ACCEPT

Remarks:
Also make sure that the following rule is set:

-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT

This should be set by default, but check it in case the rules have been modified earlier.

Done!!!
That’s it. Your Roon setup should now work properly with UFW enabled.
You might have to reload UFW to apply the changes related to IGMP:

sudo ufw reload

Additional information:
You can easily check your firewall configuration (and see the applied application profiles) with:

sudo ufw status verbose


Hello, I’m not able to get my Roon Server (Ubuntu 20) to discover my RoPieee endpoint with UFW enabled. By disabling the firewall, everything works as expected. At the end of the before.rules file, I added:

### IGMP (Roon) ###
-A ufw-before-input -s 224.0.0.0/4 -j ACCEPT
-A ufw-before-input -d 224.0.0.0/4 -j ACCEPT
-A ufw-before-input -s 240.0.0.0/5 -j ACCEPT
-A ufw-before-input -m pkttype --pkt-type multicast -j ACCEPT
-A ufw-before-input -m pkttype --pkt-type broadcast -j ACCEPT

Then, I receive this error:

ERROR: problem running ufw-init
iptables-restore: line 80 failed

Problem running '/etc/ufw/before.rules'

I appreciate any assistance.
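Two offline sanity checks for the files edited in this thread, written as an added example (not from the original post or from Roon): one validates the ports= line of the application profile from step 1, the other checks that every -A ufw-before-input line in a before.rules file sits inside the *filter table, since iptables-restore rejects rule lines outside a table block and pasting the IGMP rules after the final COMMIT is one common way to get the "iptables-restore: line N failed" error shown above. The sample files are constructed here; the script name check_ufw_roon.sh is hypothetical, and on a real system you would point the functions at /etc/ufw/applications.d/roon and /etc/ufw/before.rules.

```shell
#!/bin/sh
# check_ufw_roon.sh (added example): offline sanity checks for a UFW application
# profile and for the placement of custom rules in /etc/ufw/before.rules.

# Validate the ports= line of an application profile: entries separated by '|',
# each PORT/proto or LOW:HIGH/proto with LOW <= HIGH. Exit 0 if well-formed, else 1.
check_app_profile() {
    awk -F= '$1 == "ports" {
            seen = 1
            n = split($2, e, "|")
            for (i = 1; i <= n; i++) {
                if (e[i] !~ /^[0-9]+(:[0-9]+)?\/(tcp|udp)$/) { print "bad entry: " e[i]; bad = 1; continue }
                split(e[i], p, "/"); split(p[1], r, ":")
                if (r[2] != "" && r[1] + 0 > r[2] + 0) { print "inverted range: " e[i]; bad = 1 }
            }
        }
        END { if (seen && !bad) exit 0; exit 1 }' "$1"
}

# Every "-A ufw-before-input" line must appear after "*filter" and before that
# table's COMMIT; iptables-restore fails on -A lines outside a table block, which
# is exactly what appending rules to the very end of the file produces.
check_before_rules() {
    awk '/^\*/ { table = $1 }
         /^COMMIT/ { table = "" }
         /^-A ufw-before-input/ && table != "*filter" { print "line " NR " outside *filter: " $0; bad = 1 }
         END { if (bad) exit 1; exit 0 }' "$1"
}

# Constructed sample files (not real system files) so the checks run anywhere.
SAMPLE_DIR=$(mktemp -d)
printf '[Roon]\ntitle=Roon Server\nports=9003/udp|9100:9200/tcp|1900/udp|9330:9339/tcp\n' > "$SAMPLE_DIR/profile_ok"
printf '[Roon]\nports=9003/udp|9200:9100/tcp|1900\n' > "$SAMPLE_DIR/profile_bad"   # inverted range, missing proto
IGMP='-A ufw-before-input -s 224.0.0.0/4 -j ACCEPT
-A ufw-before-input -m pkttype --pkt-type multicast -j ACCEPT'
# IGMP rules inside *filter, before COMMIT: the placement iptables-restore accepts.
printf '*filter\n-A ufw-before-input -i lo -j ACCEPT\n%s\nCOMMIT\n' "$IGMP" > "$SAMPLE_DIR/rules_ok"
# Same rules pasted after COMMIT (end of file): the "iptables-restore: line N failed" pattern.
printf '*filter\n-A ufw-before-input -i lo -j ACCEPT\nCOMMIT\n### IGMP (Roon) ###\n%s\n' "$IGMP" > "$SAMPLE_DIR/rules_bad"

for f in profile_ok profile_bad; do check_app_profile "$SAMPLE_DIR/$f" && echo "$f: ok" || echo "$f: FAIL"; done
for f in rules_ok rules_bad; do check_before_rules "$SAMPLE_DIR/$f" && echo "$f: ok" || echo "$f: FAIL"; done
```

The before.rules check prints the offending line numbers, which can be compared directly with the line iptables-restore reports.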

I still have some issue with the firewall settings:
Using the configuration above, the Roon core is not able to discover my Roon endpoint (Sonore opticalRendu). So I always have to temporarily disable the firewall; only then is the core able to detect the endpoint. After the core has found the endpoint, I can enable the firewall again and stream to the endpoint without any further issues.

Is there any recommendation for my setup to allow the endpoint to be discovered with the firewall enabled? I know there is a possible workaround by adding a rule to allow the IP address of the endpoint, but this is not really what I am trying to achieve…

I have a similar issue with my Naim Uniti. For some reason this is the only device that doesn’t get picked up by my core after I restart it. Like you, I needed to temporarily disable the firewall or restart the Uniti for it to get detected.
I solved it by adding a rule that allows udp ports 32768 to 65535 from my Uniti. It seems it selects a random port in this range to communicate with the core and sticks to it, even when nothing at the other end responds. My guess is that the firewall drops these packets as it does not see it as established/related traffic.

FYI, the ports I have open are:

  • udp 5353 (mDNS, because Chromecast)
  • udp 9003 (Roon discovery)
  • tcp 9330:9339 and 30000:30009
  • udp 32768:65535 (limited to my Uniti)

igmp isn’t used by Roon for discovering or streaming to endpoints afaik


Thanks, that worked for me. It is still strange that such a huge port range is necessary in order to make discovery of endpoints work.


I think it has to do with how Roon is implemented on the endpoint-side. When testing I installed RoPieee on a RPi I had lying around and that didn’t have any issues being discovered by the core after a reboot or a restart of the Roon service.
In my fw logs I could see that my Uniti was using a random port in that ephemeral range to connect to the core and that those packets were being dropped. My best guess is that the core and the endpoint negotiate a port and in this case the Uniti sticks to that port even after losing connection with the core and doesn’t renegotiate a new port. This connection gets blocked by the core’s firewall since it doesn’t recognise this traffic anymore after a restart. The RoPieee does renegotiate and so it is immediately found by the core.
I’m not a networking expert, so maybe someone who is can chime in.
Roon’s documentation regarding this subject is nonexistent…
You might be able to narrow it down a bit more if you have a lot of time on your hands, but I was happy that it worked.


Thanks and 100% agree. Works for me now, but if Roon could be more precise in their documentation that would be really helpful.

Alex and Christophe Saelens, this is awesome. Just what we needed in an easy to follow structure. Thank you!!
Roon - you should be ashamed that you could not document this need and thankful for users like Alex.

Alex nails the port access configuration.

@Alex_Reusch Should this still work with latest Roon Core?

I’m trying to run this where a Bridge is installed, but it just stops playback as soon as I enable it.

Should still work, nothing has changed since this was posted. Did you implement these rules core-side or bridge-side?
Incoming rules on the side of the bridge will be different from the rules on the core.


@JohnSmith_roon: As you might have noticed, I had to update the application profile for Roon and increase the port range, due to Roon's (bad) implementation of the endpoint. See the discussion with @Christophe_Saelens from Sep '22. Here is the updated profile, which works great for me:

[Roon]
title=Roon Server
description=Roon Labs Core Music Server
ports=9003/udp|9100:9200/tcp|1900/udp|9330:9339/tcp|30000:30009/tcp|32768:65535>