VLANs, Roon and ARC

I do this.

Network including router, all switches, all access points is UniFi. Three vlans, firewall rules to isolate the vlans with exceptions for specific devices and ports.

Vlans are:

  • Default: higher-trust client devices including phones, computers, tablets. We use Apple Home and Apple TVs and I include those. It would be hard to do this without them included.

  • IoT: The many random, untrusted things we have on our network.

  • Roon: Roon server, music endpoints, rooDials, RoPieeees, etc.

I run Roon server in a Docker container on a Synology NAS which is beefy enough for what I ask from it. Each vlan has a physical port on the NAS. I do a lot in Docker - about a dozen containers on the NAS. I have a Docker macvlan defined for each actual vlan, and Synology firewall / router rules to prevent inter-vlan routing on the Synology itself. Roon is on the Docker macvlan that is on the Roon vlan.

Given all of this, I can put any Docker container onto any of the vlans.

I run synfinatic/udp-proxy-2020 in a Docker container on the NAS. It has an IP address on “default” and “Roon” and proxies UDP between them.

With udp-proxy-2020 running in this configuration, Roon can discover the devices on default. None of the issues that you’re describing with your Android phone. If you brought your phone to my house and put it on Default, it would just work.

There are at least a few of us doing this with Roon on Docker in Synology in vlan environments. The posts describing it are at the end of this very long thread: Docker images for Roon [Please Note: Using Dockers and VMs isn't supported by Roon] - #267 by patrick_mccarthy

You can probably replicate this with any multi-homed device on which you run Roon and a UDP proxy, though you’ll want to be careful not to allow that device to bridge your vlans.

Hope this helps.

2 Likes
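An added example, not part of the original post: one way to check that a multi-homed Linux host like the one described above will not route IPv4 traffic between its VLAN interfaces. It takes the contents of `/proc/sys/net/ipv4/ip_forward` and the output of `iptables-save` as strings and walks the filter table's FORWARD chain for one interface pair. Assumptions: the host filters with iptables, the interface names and sample ruleset are constructed, and layer-2 bridges, IPv6 and nftables-only rules are not covered.

```python
import shlex
TERMINAL = {"ACCEPT": "allowed", "DROP": "blocked", "REJECT": "blocked"}
# Constructed sample: eth0 = Default, eth1 = IoT, eth2 = Roon (assumed names).
SAMPLE = """*filter
:FORWARD DROP [0:0]
:DOCKER-USER - [0:0]
-A FORWARD -j DOCKER-USER
-A FORWARD -i eth0 -o eth2 -j ACCEPT
-A DOCKER-USER -j RETURN
COMMIT"""

def _hit(pat, neg, name):  # a trailing "+" in an interface name is a prefix wildcard
    return (name.startswith(pat[:-1]) if pat.endswith("+") else pat == name) != neg

def _walk(chains, chain, in_if, out_if):
    for opts, other in chains.get(chain, []):
        if not (_hit(*opts["-i"], in_if) and _hit(*opts["-o"], out_if)):
            continue
        target = opts.get("-j", (None,))[0]
        if target not in TERMINAL and target != "RETURN" and target not in chains:
            continue  # LOG and other non-terminating targets
        if other:
            return "review"  # depends on matchers (protocol, state) not modelled
        if target in TERMINAL or target == "RETURN":
            return TERMINAL.get(target)  # RETURN gives None: caller keeps going
        if (verdict := _walk(chains, target, in_if, out_if)):
            return verdict

def forward_verdict(ip_forward, dump, in_if, out_if):
    """'blocked', 'allowed' or 'review' for traffic routed from in_if to out_if."""
    if ip_forward.strip() != "1":
        return "blocked"  # kernel forwarding off: host cannot route between VLANs
    policy, chains, in_filter = "ACCEPT", {}, False
    for line in map(str.strip, dump.splitlines()):
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif in_filter and line.startswith(":FORWARD "):
            policy = line.split()[1]
        elif in_filter and line.startswith("-A "):
            tok, other, neg, i = shlex.split(line), False, False, 2
            opts = {"-i": ("+", False), "-o": ("+", False)}  # default: any interface
            while i < len(tok) and "-j" not in opts:
                if tok[i] in ("-i", "-o", "-j") and i + 1 < len(tok):
                    opts[tok[i]] = (tok[i + 1], neg)
                    i += 1
                elif tok[i] != "!":
                    other = True
                neg, i = tok[i] == "!", i + 1
            chains.setdefault(tok[1], []).append((opts, other))
    return _walk(chains, "FORWARD", in_if, out_if) or TERMINAL[policy]
```

A result of "review" means the first rule that could match depends on conditions this check does not evaluate, so that rule needs reading by hand. Run it for every ordered pair of VLAN interfaces, since forwarding rules are directional.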