I have searched through several cluttered posts on how to configure UFW (I use Ubuntu Server 22.04 LTS) to work reliably. Also, it seems that recent updates of Roon require some additional ports to be opened, which are not listed in most of the currently available instructions (I currently run Roon 1.8, Build 952). I share with you my configuration that works very well.
First of all, I would like to mention that I work with application profiles for UFW. This seems to me to be a much cleaner approach. So each application has its own profile and I can easily identify what a rule is needed for.
So let’s start:
1. Create application profile for Roon
sudo nano /etc/ufw/applications.d/roon
    [Roon]
    title=Roon Server
    description=Roon Labs Core Music Server
    ports=9003/udp|9100:9200/tcp|1900/udp|9330:9339/tcp|30000:30010/tcp
2. Activate UFW application profile for Roon
sudo ufw allow from 192.168.1.0/24 to any app roon
This is my subnet. Of course, you need to adjust the above IP range to your own setup.
I have specified a specific subnet. Alternatively, you could allow the application from any source address:
sudo ufw allow app roon
3. Update IGMP rules for proper Roon-Endpoint discovery
sudo nano /etc/ufw/before.rules
    ### IGMP (Roon) ###
    # 224.0.0.0/4 is the IPv4 multicast range
    -A ufw-before-input -s 224.0.0.0/4 -j ACCEPT
    -A ufw-before-input -d 224.0.0.0/4 -j ACCEPT
    -A ufw-before-input -s 240.0.0.0/5 -j ACCEPT
    -A ufw-before-input -m pkttype --pkt-type multicast -j ACCEPT
    -A ufw-before-input -m pkttype --pkt-type broadcast -j ACCEPT
Also make sure that the following rule is set:
-A ufw-before-input -p icmp --icmp-type echo-request -j ACCEPT
This should be set by default, but check it in case the rules have been modified earlier.
That’s it. Your Roon setup should now work properly with UFW enabled.
You might have to reload UFW to apply the changes related to IGMP:
sudo ufw reload
You can easily check your firewall configuration (and see the applied application profiles) with:
sudo ufw status verbose
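
To see how much the profile from step 1 actually opens (relevant when choosing between the subnet-restricted rule and the unrestricted one in step 2), this added example, which is not part of the original post, expands a `ports=` line into per-protocol ranges and counts the ports. The function names `expand_ports` and `count_ports` are made up for this example, and the embedded profile is a copy of the one above.

```shell
#!/bin/sh
# Constructed sample input: a copy of the profile from step 1.
PROFILE='[Roon]
title=Roon Server
description=Roon Labs Core Music Server
ports=9003/udp|9100:9200/tcp|1900/udp|9330:9339/tcp|30000:30010/tcp'

# expand_ports TEXT: print one "proto first last" line per port or range.
# ufw profile syntax: entries are split on '|', ports on ',', ranges are
# written start:end, and an entry without /proto applies to tcp and udp.
expand_ports() {
    ports=$(printf '%s\n' "$1" | sed -n 's/^ports=//p')
    [ -n "$ports" ] || { echo "no ports= line found" >&2; return 1; }
    for entry in $(printf '%s' "$ports" | tr '|' ' '); do
        case $entry in
            */tcp|*/udp) protos=${entry##*/}; spec=${entry%/*} ;;
            */*) echo "bad protocol: $entry" >&2; return 1 ;;
            *) protos='tcp udp'; spec=$entry ;;
        esac
        for item in $(printf '%s' "$spec" | tr ',' ' '); do
            first=${item%%:*}; last=${item#*:}
            case "$first:$last" in
                :*|*:|*:*:*|*[!0-9:]*) echo "bad port: $item" >&2; return 1 ;;
            esac
            if [ "$first" -lt 1 ] || [ "$last" -gt 65535 ] ||
               [ "$first" -gt "$last" ]; then
                echo "bad range: $item" >&2; return 1
            fi
            for proto in $protos; do echo "$proto $first $last"; done
        done
    done
}

# count_ports TEXT PROTO: total number of ports the profile opens for PROTO.
count_ports() {
    expand_ports "$1" | awk -v p="$2" '$1 == p { n += $3 - $2 + 1 } END { print n + 0 }'
}

expand_ports "$PROFILE"
echo "tcp: $(count_ports "$PROFILE" tcp) ports, udp: $(count_ports "$PROFILE" udp) ports"
```

For the profile above this comes to 122 TCP and 2 UDP ports, which is what `sudo ufw allow app roon` exposes to every source address when no subnet is given.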