What are the new ports that Roon Server needs open in the firewall?

Hey, I got Roon Server to run on Fedora as an unprivileged user (not root) with SELinux and firewall enabled. My post about it seemed quite popular. I don’t know if anyone is using the Roon Firewalld rule that I crafted.

But now it’s broken; in order for my Roon remote on Android to connect to Roon Core, I have to disable the firewall (sudo systemctl stop firewalld). There’s a more recent thread about “Firewall Settings” that’s grayed out and ends with @Geoff_Coupe saying

Please note that the settings given above are no longer valid since build 880 was released

There are threads suggesting Roon also needs TCP ports 9330 and 9333 open, another suggesting 9331, 9932, and 9334-9339 as well to access Sonos devices.

Is there a definitive list of what ports Roon Server now listens on? Thanks!


These are the ports I have open on my Roon Core VM:
TCP: 9330:9339,30000:30009
UDP: 9003,32768:65535
I stream to my Uniti Atom and a Chromecast device and with these opened up I’m not having any issues.

Roon isn’t very forthcoming with the info on the ports.
They give this post Roon Api on Build 880: Connection refused error :( - #15 by Geoff_Coupe as an explanation but it just seems to me as an excuse to use whatever random port they can pull out of their hat without any prior notice.

Thanks! I updated my Linux firewall rule, also below, and it works for me and my setup; but mine is a simple one with no Sonos, multi-room, etc. I didn’t have to enable that huge range of UDP ports, before or after Roon Server changed; maybe Red Hat’s firewalld doesn’t require it.

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Roon Server</short>
  <description>Roon Server from Roon Labs plays music according to instructions from Roon Controllers</description>
  <!-- per https://community.roonlabs.com/t/connection-failed-and-chromecast-issues-roon-using-new-additional-network-ports-since-880/181528/18 -->
  <!-- unclear if necessary: port protocol="tcp" port="8008-8009"/ -->
  <port protocol="udp" port="9003"/>
  <port protocol="tcp" port="9330-9339"/>
  <port protocol="tcp" port="30000-30010"/>
  <!-- unclear if necessary: port protocol="udp" port="32768-65535"/ -->
  <!-- igmp enables multicast. Unclear if broadcast and SSDP are needed too; https://community.roonlabs.com/t/android-roon-remote-looses-connection-to-core-daily/61650/45 suggests they are also required? -->
  <protocol value="igmp"/>
</service>

Thank you for this message @S_Page, I am running the Roon server on an Ubuntu 20.04 system and I am trying to configure my iptables firewall.

I must say I cannot understand why port management is so complicated with Roon. Normally, it is sufficient to keep one port open for discovery or first client connection, and then the client and server can move the connection to a different random port as long as the firewall on the server allows connections with a RELATED or ESTABLISHED state.

In the post mentioned above (https://community.roonlabs.com/t/roon-api-on-build-880-connection-refused-error/181619/15), @Geoff_Coupe and @brian recommend using the discovery method. This might be fine for extension developers using the Roon API, but it is not a practical solution for a user like me who is running the Roon core on his system and needs a firewall to ensure minimal security.

I opened the ports you suggested above and everything seems to be working fine (until it doesn’t), but these are very wide port ranges. Half of the UDP range needs to be kept open. I may have other applications that are vulnerable on these ports and this seems like an unjustified security risk.

I faced an issue when trying to stream from Roon under Wine to my Roon Bridge on the same Linux machine behind a ufw firewall. I resolved it with the following.

To find the needed ports, I looked at:

sudo lsof -i -P | grep -i 'roon\|mono-sgen'

Then, configured them with ufw.

$ sudo tee /etc/ufw/applications.d/roon <<- EOM
[Roon]
title=Roon Bridge
description=Roon Bridge
ports=9300:9304,9000:9003,9200,9150,10000:60000/tcp|9003,10000:60000/udp
EOM

$ sudo ufw allow from any to any app roon

Hi @Michael_Garate,
It may be stating the obvious :smile:, but these configurations suggest you are opening the 10,000 to 60,000 range for both TCP and UDP traffic, in addition to other TCP/UDP ports. This is even more open ports than the suggestion above. Your lsof command will list all network files/sockets, even UDP or TCP sockets that are not active. It is not necessary to open inactive sockets, and it is not even necessary to open all active sockets if established and related connections are allowed (as they should be, by default, with ufw).

What we need is a clear answer on how the Roon core manages ports and which ports should be accessible for new clients connections.
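As an added example (not from any post in this thread, and not a tool from Roon Labs), the following Python script applies the filtering just described to lsof output and renders the result in the two formats posted earlier in the thread (a firewalld service file and a ufw application profile). It keeps only TCP sockets in the LISTEN state and UDP sockets that are bound but not connected to a peer, drops anything bound to loopback, and collapses the survivors into port ranges. The lsof lines embedded in it are constructed samples modelled on port numbers mentioned in the thread, not output captured from a real Roon Server; the process name pattern, PIDs and addresses are likewise assumptions.

```python
"""Derive a minimal inbound firewall rule set from `sudo lsof -i -P -n` output.

Only sockets that accept new inbound traffic need a rule: TCP sockets in
LISTEN state and unconnected UDP sockets. ESTABLISHED connections are already
covered by the conntrack RELATED/ESTABLISHED rule that ufw and firewalld
install by default, so opening their ports adds exposure without benefit.
"""
import re

# Constructed sample of `lsof -i -P -n` output, modelled on ports discussed in
# the thread. This is NOT captured from a real Roon Server installation.
SAMPLE_LSOF = """\
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
RoonServe 1234 roon   20u  IPv4  55555      0t0  TCP *:9330 (LISTEN)
RoonServe 1234 roon   21u  IPv4  55556      0t0  TCP *:9331 (LISTEN)
RoonServe 1234 roon   22u  IPv4  55557      0t0  TCP *:9332 (LISTEN)
RoonServe 1234 roon   23u  IPv4  55558      0t0  TCP *:30000 (LISTEN)
RoonServe 1234 roon   24u  IPv4  55559      0t0  UDP *:9003
RoonServe 1234 roon   25u  IPv4  55560      0t0  UDP 192.168.1.10:45678->192.168.1.20:9003
RoonServe 1234 roon   26u  IPv4  55561      0t0  TCP 192.168.1.10:9330->192.168.1.50:50123 (ESTABLISHED)
RoonServe 1234 roon   27u  IPv4  55562      0t0  TCP 192.168.1.10:41234->192.168.1.60:443 (ESTABLISHED)
RoonServe 1234 roon   28u  IPv4  55563      0t0  TCP 127.0.0.1:9100 (LISTEN)
sshd       999 root    3u  IPv4  11111      0t0  TCP *:22 (LISTEN)
"""

# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME [(STATE)]
LINE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)(?:\s+\S+){5}\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<name>\S+)(?:\s+\((?P<state>[A-Z_]+)\))?\s*$"
)


def local_endpoint(name):
    """Split an lsof NAME such as '*:9330' or 'a:1->b:2' into (local addr, port)."""
    local = name.split("->", 1)[0]
    addr, port = local.rsplit(":", 1)
    return addr, int(port)


def inbound_ports(lsof_text, process_pattern):
    """Return {'tcp': set(), 'udp': set()} of ports needing an inbound rule."""
    want = re.compile(process_pattern, re.IGNORECASE)
    ports = {"tcp": set(), "udp": set()}
    for line in lsof_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not want.search(m["cmd"]):
            continue  # header line or a process we are not interested in
        proto = m["proto"].lower()
        if proto == "tcp" and m["state"] != "LISTEN":
            continue  # ESTABLISHED etc.: handled by conntrack, no rule needed
        if proto == "udp" and "->" in m["name"]:
            continue  # connected UDP socket: client side, not an inbound service
        addr, port = local_endpoint(m["name"])
        if addr.startswith("127.") or addr == "[::1]":
            continue  # loopback-only listener: never reachable from the network
        ports[proto].add(port)
    return ports


def collapse(ports):
    """Collapse a set of ports into sorted inclusive (start, end) ranges."""
    ranges = []
    for p in sorted(ports):
        if ranges and p == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], p)
        else:
            ranges.append((p, p))
    return ranges


def _fmt(rng, sep):
    start, end = rng
    return str(start) if start == end else f"{start}{sep}{end}"


def firewalld_service(ports, short="Roon Server"):
    """Render a firewalld service file in the shape posted earlier in the thread."""
    lines = ['<?xml version="1.0" encoding="utf-8"?>', "<service>",
             f"  <short>{short}</short>"]
    for proto in ("udp", "tcp"):
        for rng in collapse(ports[proto]):
            lines.append(f'  <port protocol="{proto}" port="{_fmt(rng, "-")}"/>')
    lines.append("</service>")
    return "\n".join(lines) + "\n"


def ufw_profile(ports, name="Roon"):
    """Render a ufw application profile for /etc/ufw/applications.d/."""
    parts = []
    for proto in ("tcp", "udp"):
        rngs = collapse(ports[proto])
        if rngs:
            parts.append(",".join(_fmt(r, ":") for r in rngs) + f"/{proto}")
    return f"[{name}]\ntitle={name}\ndescription={name}\nports=" + "|".join(parts) + "\n"


if __name__ == "__main__":
    found = inbound_ports(SAMPLE_LSOF, r"roon|mono-sgen")
    print(firewalld_service(found))
    print(ufw_profile(found))
```

On a real host you would feed the text of `sudo lsof -i -P -n` (taken while a remote is connected, so every listener is up) into `inbound_ports` instead of the constructed sample. The interesting cases are the two rejected lines: the ESTABLISHED socket on 9330 adds nothing because 9330 is already a listener, and the ESTABLISHED socket whose local port is 41234 is an outbound client connection that a rule opening 10000:60000 would needlessly expose.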

Yeah, the rule is wider than I would like. The configuration above in the thread wasn’t enough for me. I cut off my testing at this point when I got something working. If there were officially published rules that would help.