What are the new ports that Roon Server needs open in the firewall?

Hey, I got Roon Server to run on Fedora as an unprivileged user (not root) with SELinux and firewall enabled. My post about it seemed quite popular. I don’t know if anyone is using the Roon Firewalld rule that I crafted.

But now it’s broken; in order for my Roon remote on Android to connect to Roon Core, I have to disable the firewall (sudo systemctl stop firewalld). There’s a more recent thread about “Firewall Settings” that’s grayed out and ends with @Geoff_Coupe saying

Please note that the settings given above are no longer valid since build 880 was released

There are threads suggesting Roon also needs TCP ports 9330 and 9333 open, another suggesting 9331, 9932, and 9334-9339 as well to access Sonos devices.

Is there a definitive list of what ports Roon Server now listens on? Thanks!

3 Likes

These are the ports I have open on my Roon Core VM:
TCP: 9330:9339,30000:30009
UDP: 9003,32768:65535
I stream to my Uniti Atom and a Chromecast device and with these opened up I’m not having any issues.

Roon isn’t very forthcoming with the info on the ports.
They give this post Roon Api on Build 880: Connection refused error :( - #15 by Geoff_Coupe as an explanation but it just seems to me as an excuse to use whatever random port they can pull out of their hat without any prior notice.

Thanks! I updated my Linux firewall rule, also below, and it works for me and my setup; but mine is a simple one with no Sonos, multi-room, etc. I didn’t have to enable that huge range of UDP ports, before or after Roon Server changed; maybe Red Hat’s firewalld doesn’t require it.

<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>Roon Server</short>
  <description>Roon Server from Roon Labs plays music according to instructions from Roon Controllers</description>
  <!-- per https://community.roonlabs.com/t/connection-failed-and-chromecast-issues-roon-using-new-additional-network-ports-since-880/181528/18 -->
  <!-- unclear if necessary: <port protocol="tcp" port="8008-8009"/> -->
  <port protocol="udp" port="9003"/>
  <port protocol="tcp" port="9330-9339"/>
  <port protocol="tcp" port="30000-30010"/>
  <!-- unclear if necessary: <port protocol="udp" port="32768-65535"/> -->
  <!-- igmp enables multicast. Unclear whether broadcast and SSDP are needed too; https://community.roonlabs.com/t/android-roon-remote-looses-connection-to-core-daily/61650/45 suggests they may also be required. -->
  <protocol value="igmp"/>
</service>

Thank you for this message @S_Page, I am running the Roon server on an Ubuntu 20.04 system and I am trying to configure my iptables firewall.

I must say I cannot understand why port management is so complicated with Roon. Normally, it is sufficient to keep one port open for discovery or first client connection, and then the client and server can move the connection to a different random port as long as the firewall on the server allows connections with a RELATED or ESTABLISHED state.

In the post mentioned above (https://community.roonlabs.com/t/roon-api-on-build-880-connection-refused-error/181619/15), @Geoff_Coupe and @brian recommend using the discovery method. This might be fine for extension developers using the Roon API, but this is not a practical solution for a user like me who is running the Roon core on his system and needs a firewall to ensure minimal security.

I opened the ports you suggested above and everything seems to be working fine (until it doesn’t), but these are very wide port ranges. Half of the UDP range needs to be kept open. I may have other applications that are vulnerable on these ports and this seems like an unjustified security risk.

I faced an issue when trying to stream from Roon under Wine to my Roon Bridge on the same Linux machine behind a ufw firewall. I resolved it with the following.

To find the needed ports, I looked at:

sudo lsof -i -P | grep -i 'roon\|mono-sgen'

Then, configured them with ufw.

$ sudo tee /etc/ufw/applications.d/roon <<- EOM
[Roon]
title=Roon Bridge
description=Roon Bridge
ports=9300:9304,9000:9003,9200,9150,10000:60000/tcp|9003,10000:60000/udp
EOM

$ sudo ufw allow from any to any app roon

Hi @michaelm,
It may be stating the obvious :smile:, but these configurations suggest you are opening the 10,000 to 60,000 range for both TCP and UDP traffic, in addition to other TCP/UDP ports. This is even more open ports than the suggestion above. Your lsof command will list all network files/sockets, even UDP or TCP sockets that are not active. It is not necessary to open inactive sockets, and it is not even necessary to open all active sockets if established and related connections are allowed (as they should be, by default, with ufw).

What we need is a clear answer on how the Roon core manages ports and which ports should be accessible for new client connections.

1 Like
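As an added illustration of the point above (example script written for this edit, not something posted in the thread), here is a small POSIX shell filter that takes `lsof -i -P -n` output and keeps only the sockets a firewall rule actually has to cover: TCP sockets in the LISTEN state and UDP sockets that are bound but not connected to a peer, skipping loopback-only bindings. The lsof lines below are constructed for the example, and the `ports=` line derived at the end uses the ufw application-profile format shown earlier. Newer lsof versions can do the TCP part natively with `lsof -nP -iTCP -sTCP:LISTEN`; the script is for when you want one pass over a saved listing.

```shell
#!/bin/sh
# Constructed sample of `sudo lsof -i -P -n` output (not a real capture).
SAMPLE_LSOF=$(cat <<'EOF'
COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
RoonServer 1234 roon   20u  IPv4  56789      0t0  TCP *:9330 (LISTEN)
RoonServer 1234 roon   21u  IPv6  56790      0t0  TCP [::]:9331 (LISTEN)
RoonServer 1234 roon   22u  IPv4  56791      0t0  UDP *:9003
RoonServer 1234 roon   23u  IPv4  56792      0t0  TCP 192.168.1.10:9330->192.168.1.20:51234 (ESTABLISHED)
RoonServer 1234 roon   24u  IPv4  56793      0t0  TCP 192.168.1.10:44120->198.51.100.7:443 (ESTABLISHED)
mono-sgen  1235 roon   10u  IPv4  56794      0t0  TCP 127.0.0.1:9150 (LISTEN)
RoonServer 1234 roon   25u  IPv4  56795      0t0  UDP 192.168.1.10:34567->192.168.1.20:9003
EOF
)

# Read lsof output on stdin and print "proto port" for the sockets that can
# receive unsolicited inbound traffic. Assumes the default lsof column layout
# (NODE is field 8, NAME is field 9, the TCP state is the last field).
listening_ports() {
  awk '
    # Loopback-only bindings are unreachable from the LAN: no firewall rule needed.
    $9 ~ /^127\./ || $9 ~ /^\[::1\]/ { next }
    # TCP: only sockets in LISTEN state. ESTABLISHED ones are already covered
    # by the stateful RELATED,ESTABLISHED rule of the firewall.
    $8 == "TCP" && $NF == "(LISTEN)" { n = split($9, a, ":"); print "tcp", a[n] }
    # UDP has no LISTEN state: a bound socket with no peer ("->") is a listener.
    $8 == "UDP" && $9 !~ /->/        { n = split($9, a, ":"); print "udp", a[n] }
  ' | sort -u
}

# Turn "proto port" lines into the ports= line of a ufw application profile.
ufw_ports_line() {
  awk '
    $1 == "tcp" { t = (t == "" ? $2 : t "," $2) }
    $1 == "udp" { u = (u == "" ? $2 : u "," $2) }
    END {
      out = ""
      if (t != "") out = t "/tcp"
      if (u != "") out = out (out == "" ? "" : "|") u "/udp"
      print "ports=" out
    }'
}

# Usage: the established connections and the loopback-only API socket drop out.
printf '%s\n' "$SAMPLE_LSOF" | listening_ports
printf '%s\n' "$SAMPLE_LSOF" | listening_ports | ufw_ports_line
```

On the constructed sample this yields only `tcp 9330`, `tcp 9331` and `udp 9003`, so the profile line becomes `ports=9330,9331/tcp|9003/udp` instead of a 50,000-port range. Run it against a real listing taken while Roon is idle and again while a remote and an endpoint are connected; the difference between the two is what your stateful rule handles for free.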

Yeah, the rule is wider than I would like. The configuration above in the thread wasn’t enough for me. I cut off my testing at this point when I got something working. If there were officially published rules that would help.

I have to say that it is ridiculous that Roon can't just publish the port access requirements within the release notes for each release; they must be documented by the developers.

2 Likes

These are the ports I have opened in my router since last October. UPnP is off. Roon and Qobuz are running flawlessly since then.

The Akamai IP addresses are required for Qobuz because it is their servers where the streaming music service comes from.

My home router (Unifi Dream Router UDR) is set under very restrictive rules. So I would never accept any advice regarding hundreds or even thousands of ports opened for a specific service. My experience with most of the Internet service providers is terrible; very few accept giving you any information.

1 Like

Hi Mathesis,

Thanks, this seems to work so far. Leaving aside the ports (and IP addresses) that are specific to your implementation, I am opening these ports:

  • Port 9093 for UDP protocol
  • Ports 9330 to 9339 for TCP protocol
  • Ports 30000 to 30010 for TCP protocol

Also, the new Roon ARC application requires an additional port that must be opened on the computer running the Roon Server. The port must also be forwarded by my router to the computer, otherwise the application might not work outside my home:

  • Port 42839 for TCP protocol

This is still way too many opened ports in my view — only one port should be necessary for the connections initiated by the Roon client applications — but it is better than my previous settings.

Cheers!

2 Likes

I recently reinstalled Roon Server on Fedora 37. I searched for “listen” in /var/roon/RoonServer/ and found the following in Logs.

[broker/httpserver] HTTP server listening on port 9330
[broker/httpserver] HTTPS server listening on port 55000
[remoting/brokerserver] Remoting server (V1) listening on port 9331
[remoting/brokerserver] Remoting server (V2) listening on port 9332
[roonapi] listening on port 9150

For what it’s worth, I reloaded my old 2022 firewalld Roon Server service rules I described earlier in this thread and in my gist, and I was able to access Roon Server from Roon Control on an Android phone on Wi-Fi at home, and it could connect to RoPieee and a Chromecast. That service ruleset has port 9003 for UDP, ports 9330-9339 for TCP, and 30000-30010 for TCP; it has nothing corresponding to the “HTTPS server listening on port 55000” or “[roonapi] listening on port 9150” log messages, yet it works for me. But I’m not using remote controls, APIs, ARC, or any kind of fancy stuff. And this is a firewall running on my Linux laptop running Roon Server, not one running on a router.

“Your Mileage Will Vary” :slightly_smiling_face: Roon should document this stuff!

I also open UDP port 9003 in my Fedora firewalld rule (and not the huge UDP range). But @Mathesis_Corp_SL and @cookie_man, you open UDP port 9093. Which is right?

Come on Roon, please publish the ports you use (and be smarter about it).

1 Like
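Since grepping the logs for “listening” is the closest thing to a port list Roon provides, here is an added example (a script written for this edit, not Roon's code or anything posted in the thread) that turns those `listening on port` lines into a firewalld service definition in the same format as the roon.xml posted earlier. It assumes those listeners are TCP (they are HTTP, remoting and API servers; the log line itself does not name the protocol) and adds the UDP 9003 discovery port from the thread by hand; runs of consecutive ports are collapsed into firewalld `lo-hi` ranges. The five log lines are the ones quoted above, embedded here as constructed input.

```shell
#!/bin/sh
# The five log lines quoted above, embedded as constructed input.
ROON_LOG=$(cat <<'EOF'
[broker/httpserver] HTTP server listening on port 9330
[broker/httpserver] HTTPS server listening on port 55000
[remoting/brokerserver] Remoting server (V1) listening on port 9331
[remoting/brokerserver] Remoting server (V2) listening on port 9332
[roonapi] listening on port 9150
EOF
)

# Extract every "listening on port N" and emit "tcp N". The log does not
# name the protocol; HTTP/remoting/API servers are assumed to be TCP.
ports_from_log() {
  sed -n 's/.*listening on port \([0-9][0-9]*\).*/tcp \1/p'
}

# Sort "proto port" lines and merge runs of consecutive ports of the same
# protocol into firewalld-style "lo-hi" ranges; duplicate ports are dropped.
collapse_ranges() {
  sort -k1,1 -k2,2n | awk '
    function flush() { if (proto != "") print proto, (lo == hi ? lo : lo "-" hi) }
    $1 == proto && $2 == hi     { next }                          # duplicate port
    $1 != proto || $2 != hi + 1 { flush(); proto = $1; lo = $2 }  # new run
    { hi = $2 }
    END { flush() }'
}

# Wrap "proto port[-port]" lines in a firewalld <service> definition.
firewalld_service_xml() {
  printf '<?xml version="1.0" encoding="utf-8"?>\n<service>\n'
  printf '  <short>Roon Server</short>\n'
  printf '  <description>Ports Roon Server was seen listening on in its logs</description>\n'
  awk '{ printf "  <port protocol=\"%s\" port=\"%s\"/>\n", $1, $2 }'
  printf '</service>\n'
}

# Build the service: listeners from the log plus UDP 9003 (discovery, per the thread).
roon_service_xml() {
  { printf '%s\n' "$ROON_LOG" | ports_from_log; echo "udp 9003"; } \
    | collapse_ranges | firewalld_service_xml
}

roon_service_xml
```

On the quoted log this produces `<port>` entries for tcp 9150, tcp 9330-9332, tcp 55000 and udp 9003. To use it on Fedora, save the output as /etc/firewalld/services/roon.xml, run `firewall-cmd --reload` so firewalld sees the new service, then `firewall-cmd --permanent --add-service=roon` on the zone of your home interface and reload once more. Whether 9150 and 55000 need to be reachable from the LAN at all is exactly what this thread has not settled, so start from the generated list, drop entries your remotes and endpoints do not use, and rerun the grep after each Roon update to catch new listeners.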

I have this range open because otherwise I’m having issues with my Roon Ready amp.
It doesn’t seem to be necessary in all cases though, some devices work fine without.
In those cases UDP 9003 and TCP 9330-9339 should be sufficient.
If you use Chromecast devices, you’ll also need to open TCP 30000-30009.

1 Like

I totally agree, Roon should help to get the best settings, but nothing changes…

I don’t like to have open ports without restrictions. That is why my firewall has two filters working, dedicated ports for Roon and Qobuz in my case, but access to those ports is restricted: only Qobuz and Roon servers are allowed to go through those ports.

My list of IP servers is probably valid only for Europe, meanwhile North America will have different addresses. Anyways, I found that Qobuz services are located on Akamai servers, and if you visit the Akamai web site, they have a complete description of services and IP addresses.

I hope this can help you guys!

1 Like