VLANs, Roon and ARC

I’m in the process of setting up a new home network with a desire to segregate certain devices with VLANs etc.

Has anyone already done this with Roon in their environment? I’m thinking port restrictions, inter VLAN routing etc.

What kit are you using too?

Well, Roon isn’t specifically designed with VLANs in mind, so you will need to keep that in mind yourself when you are designing your network. I’m a long-time IT professional with a pretty sophisticated home network, and I can’t for the life of me think if why I would want VLANs in my house; frankly, they are over-applied in business settings in all-too-many cases. Perhaps if you explained what your goals with VLANning are, we could help.

1 Like

At my house, I have two VLANs related to Roon: a main VLAN and an “IoT” VLAN. The Roon Server and almost all the endpoints are in the IoT VLAN, so I don’t have any issues with them.

My Windows machine, which is in the main VLAN, has no troubles with Roon. I’m able to use Roon Remote to control the server, and the server detects the audio devices on my Windows box as endpoints.

However, getting Roon Remote to work on my Android phone is more challenging. When my Android phone is at my home, it is in the main VLAN. To get the Roon Server to make my phone available as endpoint, I need to run the scyto/multicast-relay docker container in my network with --relay specified.

I use a P2P VPN connection from my phone to my home (WireGuard, or OpenVPN in tun mode). Since these VPN servers don’t support broadcast messages, I also run the synfinatic/udp-proxy-2020 docker container.

With those two containers running, and with firewall rules to allow the devices in the main network to talk to devices in the IoT network, I’m able to use Roon successfully.

(I also run a regular mDNS and SSDP relay between these two VLANs, but I’m not sure if they are needed for Roon.)

Main purpose is segregation of IoT devices, I was tempted to give Roon Rock and Sonos devices their space as well.

Does it need to be? If you put it into the IoT VLAN wouldn’t that solve the issue?

To be clear, I am not the OP and do not have any issues with my configuration. I was only answering the original question of how I got Roon to work with VLANs.

Of course, my phone doesn’t need to be in any specific VLAN, but I prefer it in the main VLAN. The whole point of the IoT VLAN is so insecure IoT devices cannot communicate with my “main” devices, and my phone is one such device.

Before I set up the broadcast proxying, I could get my Android phone to show up as an endpoint by starting Roon, switching to the IoT network, waiting for the phone to be detected, and then switching back to the main network. That would usually work, although sometimes I had to do the switch multiple times. The broadcast proxying removes the need for that, though.

I do this.

Network including router, all switches, all access points is UniFi. Three vlans, firewall rules to isolate the vlans with exceptions for specific devices and ports.

Vlans are:

  • Default: higher-trust client devices including phones, computers, tablets. We use Apple Home and Apple TVs and I include those. It would be hard to do this without them included.

  • IoT: The many random, untrusted things we have on our network.

  • Roon: Roon server, music endpoints, rooDials, RoPieeees, etc.

I run Roon server in a Docker container on a Synology NAS which is beefy enough for what I ask from it. Each vlan has a physical port on the NAS. I do a lot in Docker - about a dozen containers on the NAS. I have a Docker macvlan defined for each actual vlan, and Synology firewall / router rules to prevent inter-vlan routing on the Synology itself. Roon is on the Docker macvlan that is on the Roon vlan.

Given all of this, I can put any Docker container on to any of the vlans.

I run synfinatic/udp-proxy-2020 in a Docker container on the NAS. It has IP address on “default” and “Roon” and proxies UDP between them.

With udp-proxy-2020 running in this configuration, Roon can discover the devices on default. None of the issues that you’re describing with your Android phone. If you brought your phone to my house and put it on Default, it would just work.

There are at least a few of us doing this with Roon on Docker in Synology in vlan environments. The posts describing it are at the end of this very long thread: Docker images for Roon [Please Note: Using Dockers and VMs isn't supported by Roon] - #267 by patrick_mccarthy

You can probably replicate this with any multi-homed device on which you run Roon and a udp proxy though you’ll want to be careful to not allow that device to bridge your vlans.

Hope this helps.


With scyto/multicast-relay, I also have no problems with my Android phone at my home.

scyto/multicast-relay and synfinatic/udp-proxy-2020 serve similar purposes in that they each proxy UDP broadcasts across networks. The difference is that multicast-relay sends the broadcasts as broadcasts on the target network, while udp-proxy-2020 sends them as unicast messages to all known clients on the target network.

udp-proxy-2020 is required for networks that don’t support broadcast, like WireGuard. It will also work for networks that do support broadcasts, albeit not quite as efficiently. That is why I used multicast-relay to proxy across my home networks, and only use udp-proxy-2020 for my VPN networks.

Can you elaborate on what you mean when you say?:

I interpret this to mean that ud-proxy-2020 is somehow aware of all clients on the destination network(s) and sends a unique packet to each. I don’t think this is what it does. I think it reads the broadcast packet from the “source” network and sends that same packet out on the “destination” network(s).

The “Send” code is in this file: udp-proxy-2020/cmd/udp-proxy-2020/send.go at main · synfinatic/udp-proxy-2020 · GitHub

If you look at lines 26-36, you’ll see what I’m referring to. It’s simply enumerating the network interfaces it’s aware of and sending the broadcast packet out on each network that is not the network from which it originated.

I don’t know anyhthing about scyto/multicast-relay but I’m not sure it’s doing anything materially different than udp-proxy-2020.

I could easily be misunderstanding what you’re saying or misunderstanding the code. Please help clarify if that’s the case.

I do have another question for you, @David_Rothenberger.

You commented that udp-proxy-2020 is less efficient than multicast-relay. Is this because of how it reads from libcap?

I may play with mutlicast-relay just to get my head around it.

I believe I misunderstood how udp-proxy-2020 actually works. I misinterpreted the README.md.

After reading it more closely, I believe it does basically proxy the broadcast messages between networks that support broadcasts, like regular ethernet connections, similar to what multicast-relay does.

The special sauce in udp-proxy-2020 has to do with point-to-point networks like OpenVPN. Apparently Roon tries to send broadcast messages to the .255 address of these networks, but since those networks don’t support broadcasts, those messages do not make it to the proxy if it does a regular listen on a UDP socket.

So, udp-proxy-2020 uses libpcap to “sniff” those messages instead of using a regular UDP socket. And, it uses unicast messages to deliver the broadcast packets to clients on the P2P network. You can see that in listen.go.

The README.md mentions that it has to “learn” the IP addresses of the devices on these P2P networks. Thus, the VPN client must send a :9003 packet before it can receive any.

TL;DR: udp-proxy-2020 works like multicast-relay for regular networks, but adds support for “broadcasting” to clients on P2P networks like OpenVPN and WireGuard.

1 Like

Ah…I see what you mean in the udp-proxy-2020 code.

Thanks for the education and the conversation. This clarified a couple of things I didn’t understand.

1 Like

It did for me as well. I learned I can stop using the multicast-relay container.

1 Like

Hey man, thank you for the information regarding Roon and VLANs. Could I use the multicast script from github to get Roon Remote running on cell service while outside my home network? I’m currently using meshnet with Nord VPN, and performance is pretty terrible. I’ve found out Roon remote dosent work well with VPNs because of udp multicast, but it seems you’ve found a solution

I am able to get Roon Remote working with a Wireguard VPN connection using a combination of the mDNS Reflector and SSDP Relay built into my router (Firewalla) and the udp-proxy-2020. If your firewall/router doesn’t support mDNS/SSDP relays, you could run multicast-relay to do that.

How you set this up will depend on the router/firewall you have, and where your Wireguard server is within your network.

Got it, should i get my hands on a Firewalla Purple? Could i just run that with my ATT gigabit router? Firewalla has wireguard built in so i think it would be easiest and a good investment provided Roon Remote would work flawlessly.

I love my Firewalla (Gold Plus) and heartily recommend their products. I recommend posting on the Firewalla subreddit for advice on using the Purple with your router. The best way to use a Firewalla is to replace your router with it, but that may not be possible with AT&T.

If you can use a Firewalla, you should be able to get Roon Remote to work over a WireGuard connection. It works fine for me.