Sonos - which ports do I need to open for auto-discovery?

Hi all,

I’ve upgraded my Home Assistant host once again and migrated it to a mightier machine. However, on this instance I do want to use firewalls to lock it down as much as possible. HA is running in a container with host networking. I got everything else working, from my Telegram bot to the Homematic CCU callbacks (which also required a configuration option/port setting).

When I do that, even if I open the recommended port 1400/tcp as per the Sonos integration doc, the devices are not automatically discovered. I can make it work by using the advanced mode and specifying every single IP address, but that’s not great if those ever change due to DHCP.

There’s also this from Sonos: https://support.sonos.com/s/article/688?language=en_US – but that’s apparently not sufficient for auto-discovery either.

Which ports do I have to open?

(I’m considering opening just everything it’s listening on as seen via lsof, but I’d like to understand it better than that, and that’d miss ports only briefly open.)

Thanks for all help!

TCP Port 1400 inbound

Thanks! As I covered in my initial post, I’ve got that open - but that isn’t sufficient for enabling auto discovery, it still requires an explicit list of all devices.

Looking at my firewall, I also have the UPnP UDP port 1900 open

Thanks! 1900/udp added is also not sufficient for auto-discovery. Maybe someone has made this work before?

It’s working for me. Here’s a full dump of iptables - must be one of these.

Chain INPUT_FIREWALL (1 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
RETURN     tcp  --  anywhere             anywhere             multiport dports 2202,ssh,mysql
RETURN     udp  --  anywhere             anywhere             multiport dports dhcpv6-server,dhcpv6-client
RETURN     tcp  --  anywhere             anywhere             multiport dports 50002,50001
RETURN     udp  --  anywhere             anywhere             udp dpt:ssdp
RETURN     tcp  --  192.168.0.0/16       anywhere             multiport dports 5100,5101
RETURN     tcp  --  192.168.0.0/16       anywhere             tcp dpt:8123
RETURN     tcp  --  192.168.0.0/16       anywhere             multiport dports http,https
RETURN     tcp  --  192.168.1.70         anywhere             tcp dpt:mysql
RETURN     udp  --  192.168.0.0/16       anywhere             multiport sports netbios-ns,netbios-dgm
RETURN     tcp  --  192.168.0.0/16       anywhere             tcp dpt:afpovertcp
RETURN     udp  --  192.168.0.0/16       anywhere             udp dpt:mdns
RETURN     tcp  --  192.168.0.0/16       anywhere             multiport dports netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds,sunrpc,892,nfs
RETURN     udp  --  192.168.0.0/16       anywhere             multiport dports netbios-ns,netbios-dgm,netbios-ssn,microsoft-ds,sunrpc,892,nfs
RETURN     tcp  --  192.168.0.0/16       anywhere             tcp dpt:2202
RETURN     udp  --  anywhere             anywhere             -m geoip --source-country US  multiport dports l2f,ipsec-nat-t,isakmp
RETURN     esp  --  anywhere             anywhere             -m geoip --source-country US
RETURN     ah   --  anywhere             anywhere             -m geoip --source-country US
RETURN     tcp  --  192.168.50.70        anywhere             tcp dpt:5566
RETURN     tcp  --  192.168.3.0/24       anywhere             tcp dpt:5566
RETURN     udp  --  192.168.0.0/16       anywhere             udp spt:19997
RETURN     tcp  --  192.168.0.0/16       anywhere             multiport dports 9900,9901,rtsp
RETURN     udp  --  192.168.0.0/16       anywhere             udp dpt:19998
RETURN     icmp --  192.168.0.0/16       anywhere
RETURN     tcp  --  192.168.0.0/16       anywhere             tcp dpt:6690
RETURN     tcp  --  192.168.0.0/16       anywhere             tcp dpt:9123
RETURN     tcp  --  192.168.1.70         anywhere             tcp dpt:nut
RETURN     tcp  --  192.168.0.0/16       anywhere             tcp dpt:1400
RETURN     tcp  --  anywhere             anywhere             tcp dpt:domain
RETURN     udp  --  anywhere             anywhere             udp dpt:domain
RETURN     tcp  --  192.168.0.0/16       anywhere             tcp dpt:8888
RETURN     tcp  --  192.168.0.0/16       anywhere             tcp dpt:8091
DROP       all  --  anywhere             anywhere
RETURN     tcp  --  anywhere             anywhere             multiport dports 9900,9901,5100,5101
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Are your Sonos devices on a different subnet than your HA host? Discovery works using multicast packets (SSDP & mDNS) which do not cross subnets by default. Just opening firewall ports is not enough if that’s the case. What is your router and/or firewall equipment?

@jjlawren It’s all on the same subnet (the other box on the very same network worked before, as does everything else). I’m using Linux’s firewalld; I’m trying to only expose what I absolutely must, and I access HA via a nginx HTTPS reverse-proxy with SSL client side certificate checking.

I think I’ll have to bite the bullet and open all the ports based on what @PeteRage shared, maybe match that with the ports I see the HA processes listen on.

Unfortunately, there’s no document describing which ports HA needs why. Maybe I can figure some of that out at this point and try to write a bit of a doc.


You’ll likely need to open up UDP ports 32768-60999 from Sonos → HA for SSDP discovery responses. This is a side-effect of how SSDP discovery works where the response is sent back to the source port from the initial discovery message. That port is chosen from the ephemeral range. That’s also assuming that your outbound multicast packets are reaching the Sonos devices in the first place…

Step 1 could be to temporarily disable the firewall and see if it works. Then at least you’ll know it can work. I’ll search the source code and see what I find.

@jjlawren Yeah, but they are sent to the SSDP discovery ports, even though their source port is more random. I’m not blocking outbound much.

@PeteRage Yeah, it works without the firewall, just like on the box I ran it on previously. The source code with all the various modules is … very complex, I think I may be better off looking at the open ports and writing a document as to what they’re used for and why they need to be open.

That’ll be wrong and incomplete, and publishing wrong information is the best way to get someone to come out and correct you, much better than asking a question :smiley: I hope I’ll get to it within the next few days.

Okay, I found it - I think. I also needed to unblock udp/5353 (mDNS).

I see Home Assistant is also using 2 additional random UDP ports - one for IPv4, one for IPv6, but different ports - in the >30000 range, but since they’re random I can’t easily unblock them without opening the entire range.

I’ll leave them closed and possibly find something not working eventually and then I can hopefully reconfigure it to use an explicit port number, like with the Homematic integration :slight_smile:

Thanks all.


That’s what I was referring to when talking about the SSDP responses using random ports in the ephemeral range. If mDNS is working reliably for you instead then you don’t need to open up this whole range; the two protocols are used for basically the same thing. I’ve found SSDP to be “quicker” but either (or both) can be used for discovery.

Hi @jjlawren, thanks, that was very helpful! I’m not very familiar with the discovery protocols, this pointed me in the right direction.

I found the section in the source code, and the SSDP library would actually support specifying a port (HA just goes with 0, meaning a random one is picked). I may end up trying to submit a patch to make that configurable via the ssdp: integration block for advanced use.
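To make the two points above concrete (SSDP replies come back unicast to the ephemeral source port of the M-SEARCH, and binding that socket to a fixed port turns the "open 32768-60999/udp" problem into a single firewall rule), here is a small added example. It is not Home Assistant's, Sonos's or any SSDP library's code; the fixed source port 1901, the LAN range 192.168.0.0/16 and the sample reply are constructed values for illustration, and the firewalld rich rule it prints is the rule you would need on the HA host for that port.

```python
"""SSDP (UPnP) discovery from a fixed UDP source port.

Added example for this thread, not HA's or Sonos's own code. Players answer an
M-SEARCH with a unicast HTTP/1.1 200 OK sent to the (ip, port) the request came
from, so the host firewall has to admit inbound UDP on that source port.
"""
import socket
import time

SSDP_GROUP = "239.255.255.250"
SSDP_PORT = 1900
SONOS_ST = "urn:schemas-upnp-org:device:ZonePlayer:1"  # search target of Sonos players
EPHEMERAL_RANGE = (32768, 60999)  # Linux default net.ipv4.ip_local_port_range
FIXED_SOURCE_PORT = 1901          # assumed value; any free UDP port works

# Constructed sample reply (documentation address 192.0.2.10, placeholder UUID).
SAMPLE_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age = 1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.0.2.10:1400/xml/device_description.xml\r\n"
    b"SERVER: Linux UPnP/1.0 Sonos/example\r\n"
    b"ST: urn:schemas-upnp-org:device:ZonePlayer:1\r\n"
    b"USN: uuid:RINCON_PLACEHOLDER::urn:schemas-upnp-org:device:ZonePlayer:1\r\n"
    b"\r\n"
)


def build_msearch(st: str = SONOS_ST, mx: int = 1) -> bytes:
    """Build an SSDP M-SEARCH request (HTTP over UDP, CRLF line endings)."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_GROUP}:{SSDP_PORT}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",
        f"ST: {st}",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(data: bytes) -> dict:
    """Parse a '200 OK' SSDP reply into upper-cased headers.

    Returns {} for anything else, e.g. a stray M-SEARCH from another host
    that happens to land on our socket."""
    head, _, _ = data.decode("utf-8", errors="replace").partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def inbound_rule_for_reply(source_port: int, lan: str = "192.168.0.0/16") -> str:
    """firewalld rich rule admitting the unicast replies to a request sent from
    `source_port`. With 0 (HA's current behaviour) the kernel picks an ephemeral
    port, so the rule has to cover the whole range."""
    port = (f"{EPHEMERAL_RANGE[0]}-{EPHEMERAL_RANGE[1]}" if source_port == 0
            else str(source_port))
    return (f'rule family="ipv4" source address="{lan}" '
            f'port port="{port}" protocol="udp" accept')


def discover(source_port: int = FIXED_SOURCE_PORT, timeout: float = 2.0,
             st: str = SONOS_ST) -> list:
    """Send one M-SEARCH from a fixed UDP source port and collect the replies.
    Does real network I/O; not exercised by the offline checks."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.bind(("", source_port))  # fixed port: replies target exactly this port
    sock.settimeout(0.5)
    sock.sendto(build_msearch(st), (SSDP_GROUP, SSDP_PORT))
    found, deadline = [], time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            data, (ip, port) = sock.recvfrom(4096)  # unicast from the player's IP
        except socket.timeout:
            continue
        headers = parse_ssdp_response(data)
        if headers:
            found.append({"ip": ip, "from_port": port,
                          "location": headers.get("LOCATION"),
                          "usn": headers.get("USN")})
    sock.close()
    return found


if __name__ == "__main__":
    print("firewall rule needed:", inbound_rule_for_reply(FIXED_SOURCE_PORT))
    for player in discover():
        print(player)
```

One caveat worth knowing when relying on the `state RELATED,ESTABLISHED` rule from the dump above: the outgoing M-SEARCH creates a conntrack entry whose expected reply comes from 239.255.255.250, but the player answers from its own unicast address, so the reply is treated as a new flow and needs an explicit accept rule for the source port (or, with port 0, for the whole ephemeral range, which is what the 32768-60999/udp advice amounts to).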

@lmb Any chance you’ve done or started the work to make the ssdp response port configurable? I’ve been working on adding firewalls to my HA server, and was running into the same issue.

I’m in the same boat of “everything mostly works when I open all the other ports”, but I’d like to eventually get SSDP also working properly without opening a massive UDP port range in the firewall.

If you haven’t had to pick this up since then, I might give it a look, but just wanted to check if this is in progress anywhere.