I have a pfSense firewall on my WAN, which splits into one automation network (192.168.10.x) and a network to my Windows server (Windows server has 192.168.1.4 in and uses 192.168.0.1 as it’s internal network). On the Pi I can ping 192.168.1.4 on the server (there’s a bridge in pfSense connecting the two networks) without problems.
On the Server I have set NAT for port 1400 from 192.168.1.4 to the internal IP of the Sonos speaker (an IKEA Symfonisk, but they work very well with HA), 192.168.0.213. But I’m starting to wonder if it’s the wrong port. I found the port here on the forum, in this thread where @amelchio says:
“If you have a firewall on Home Assistant, you now need to open TCP port 1400.”
But maybe that’s not the same as I’m doing? So is there another port I need to open? I have this in my configuration file for HA:
sonos:
media_player:
interface_addr: 192.168.1.4
You forgot to say what your problem is?
Sorry… It plain doesn’t work. I don’t get a media player card in the GUI, and I don’t see anything in the log.
Another reboot, and I got an error in the log:
Error doing job: Future exception was never retrieved
10:59 components/sonos/media_player.py (ERROR)
Okay … so “they work very well” is in a different setup (same LAN), I presume.
Discovery will not work across networks, so you need static setup.
sonos:
media_player:
hosts: 192.168.1.4
I am a bit confused about your setup. I suggest not doing NAT and bridging (not even sure what you mean with that). Instead, attach pfSense to both networks and add a firewall rule to allow the server IP to connect to tcp/1400 on the Sonos IP.
Yeah, I have that setup in the config file, as shown further up. And yes, it works in my cabin, where the network setup is easier. But at home I have found that I need to separate the home automation network with the Pi’s and AirPlay streaming in a separate, parralell network because I have a work program that for some reason disturbs MQTT, and my whole setup is based on MQTT.
There is a rule in pfSense that allows access to the 192.168.1.x network, if not there would be no chance of it working. 
That’s what I meant by bridge. And NAT is that when the packets come to the Server on 192.168.1.4 I have to use NAT for the Windows Server 2016 to know where to send them, which is 192.168.0.213. But the 192.168.0 network is the private network on the inside of the Windows server, and pfSense does not have access to that at all, that’s totally isolated, and if the connection isn’t initiated from the inside (a computer browsing the net and so on) the server only lets in what it has in the NAT setup.
This is the official list of Sonos ports, and I don’t see 1400 there anywhere. Why isn’t that shown?
TCP/IP:
80 (Internet Radio, updates and registration)
443 (Rhapsody, Napster, and SiriusXM)
445 (CIFS)
3400 (incoming UPnP events - Sonos app for Mac or PC)
3401 (Sonos app for iOS)
3445 (OS X / Windows File Sharing)
3500 (Sonos app for Android)
4070 (Spotify incoming events)
4444 (Sonos update process)
UDP:
136-139 (NetBIOS)
1900 (UPnP events and device detection)
1901 (UPnP responses)
2869, 10243, 10280-10284 (Windows Media Player NSS)
5353 (Spotify Control)
6969 (Initial configuration)
That is not identical.
You need to allow access from the server to tcp/1400 on the (real) IP of the Sonos.
But … it doesn’t work.
Is your Home Assistant running on the Windows server or on the Pi you mention?
Sorry, I cannot follow your description. Here is a drawing of a reasonable setup.
+----------------+ +--------------+ +----------------+
| Home Assistant | | pfSense | | Sonos |
| 192.168.1.4 | <--> | 192.168.1.1 | | |
| | | 192.168.10.1 | <--> | 192.168.10.213 |
| | | WAN IP | | |
+----------------+ +--------------+ +----------------+
^
|
v
Internet
Then this Home Assistant configuration should work, if pfSense does not block packets.
sonos:
media_player:
hosts: 192.168.10.213
Nope, I’m not good enough to explainI guess. And most of the IP addresses in your drawing are wrong, nothing like what I have written. This is my setup, I guess I should have made this drawing at once:
+------------------+ +----------------+ +----------------+
| Windows Server | | pfSense | | Home Assistant |
| 192.168.1.4 | <--> | 192.168.1.1 | | |
| | | 192.168.10.1 | <--> | 192.168.10.103 |
| 192.168.0.1 | | WAN IP | | |
+------------------+ +----------------+ +----------------+
^ ^
192.168.0.x |
v v
+----------------------+ Internet
| Sonos |
| |
| 192.168.0.213 |
+----------------------+
So the packets go from HA through pfSense, to the WindowsServer 2016, and that NAT’s them to the Sonos (just like it NATs FTP to one computer, HTTPS to a virtual machine, HTTP to another virtual machine, camera streams to four cameras around the house and so on. My best guess is that there’s a second port that has to be NATed, like 1400 is now.
That will not work. The Sonos speaker cannot be behind NAT because the HTTP Host header must match its IP address. If you really want that setup I guess you could use a reverse HTTP proxy on the Windows Server to rewrite the headers. That would still only allow for a single speaker though.
Moving 192.168.0.x onto pfSense and dropping NAT seems like a better option.
Ok, thanks! Using Windows for reverse proxy would mean that I’d have to install IIS, and that would probably mess up my setup more than it’s worth. The last suggestion is impossible, I have a lot of stuff running on the server that my work computers on the inside needs.
But at least that explains why it doesn’t work. The solution may be to set up a separate Pi with only Home Assistant on the internal network and let that control it. Or maybe I could get it to work the other way? If I put the Sonos on the 192.168.10.x network, could it be controlled from an Android phone on the internal 192.168.0.x network? My wife wants to use the Sonos app, which is why I put it on the internal net, for me it would be preferable to have it on the external net anyway.
Edit: Or maybe even install Home Assistant in a virtual environment on the server. I assume it doesn’t take much CPU to run since a Pi does it comfortably. But is there a chance it will make the server less reliable and stable?
Maybe like this (WAN removed as it is not relevant).
+------------------+ +----------------+ +----------------+
| Windows Server | | pfSense | | Home Assistant |
| 192.168.1.4 | <--> | 192.168.1.1 | | |
| | | 192.168.10.1 | <--> | 192.168.10.103 |
| 192.168.0.4 | <--> | 192.168.0.1 | | |
+------------------+ +----------------+ +----------------+
^
|
v
+----------------------+
| Sonos |
| |
| 192.168.0.213 |
+----------------------+
Since the Sonos question is now explained, I will withdraw from this thread. Good luck 
…
Thanks! I’m afraid the server’s IP is hardcoded in far too much equipment and software to change, but I will try to take a backup of the virtual machine I have as my home automation server and install Home Assistant there in a virtual environment. That VM has connections to all three networks, so that should work.