I’ve upgraded my Home Assistant host once again and migrated it to a mightier machine. However, on this instance I do want to use firewalls to lock it down as much as possible. HA is running in a container with host networking. I got everything else working, from my Telegram bot to the Homematic CCU callbacks (which also required a configuration option/port setting).
When I do that, even if I open the recommended port 1400/tcp as per the Sonos integration doc, the devices are not automatically discovered. I can make it work by using the advanced mode and specifying every single IP address, but that’s not great if those ever change due to DHCP.
(I’m considering just opening everything it’s listening on as seen via lsof, but I’d like to understand it better than that, and that would miss ports that are only briefly open.)
Thanks! As I covered in my initial post, I’ve got that open, but that isn’t sufficient for enabling auto discovery; it still requires an explicit list of all devices.
Are your Sonos devices on a different subnet than your HA host? Discovery works using multicast packets (SSDP & mDNS) which do not cross subnets by default. Just opening firewall ports is not enough if that’s the case. What is your router and/or firewall equipment?
@jjlawren It’s all on the same subnet (the other box on the very same network worked before, as does everything else). I’m using Linux’s firewalld; I’m trying to only expose what I absolutely must, and I access HA via an nginx HTTPS reverse proxy with SSL client-side certificate checking.
I think I’ll have to bite the bullet and open all the ports based on what @PeteRage shared, maybe match that with the ports I see the HA processes listen on.
Unfortunately, there’s no document describing which ports HA needs and why. Maybe I can figure some of that out at this point and try to write a bit of a doc.
You’ll likely need to open up UDP ports 32768-60999 from Sonos → HA for SSDP discovery responses. This is a side-effect of how SSDP discovery works where the response is sent back to the source port from the initial discovery message. That port is chosen from the ephemeral range. That’s also assuming that your outbound multicast packets are reaching the Sonos devices in the first place…
Step 1 could be to temporarily disable the firewall and see if it works. Then at least you’ll know it can work. I’ll search the source code and see what I find.
@jjlawren Yeah, but they are sent to the SSDP discovery ports, even though their source port is more random. I’m not blocking outbound much.
@PeteRage Yeah, it works without the firewall, just like on the box I ran it on previously. The source code with all the various modules is … very complex; I think I may be better off looking at the open ports and writing a document as to what they’re used for and why they need to be open.
That’ll be wrong and incomplete, and publishing wrong information is the best way to get someone to come out and correct you, much better than asking a question. I hope I’ll get to it within the next few days.
Okay, I found it - I think. I also needed to unblock udp/5353 (mDNS).
I see Home Assistant is also using 2 additional random UDP ports (one for IPv4, one for IPv6, but different ports) in the >30000 range, but since they’re random I can’t easily unblock them without opening the entire range.
I’ll leave them closed and possibly find something not working eventually, and then I can hopefully reconfigure it to use an explicit port number, like with the Homematic integration.
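The approach floated in this thread of listing what the HA processes listen on and deciding per port whether a narrow rule is possible can be scripted. The block below is an added example, not code from the thread or from Home Assistant: it parses output in the layout of `ss -lunp` / `ss -ltnp` (the sample lines are constructed; the port set is illustrative, not a measured list of what HA opens), drops loopback-only sockets, and splits the rest into fixed ports that a `firewall-cmd --add-port` rule can cover and kernel-chosen ports inside the ephemeral range, which are exactly the "random >30000" ones that a port rule cannot pin down. The default range 32768-60999 is the Linux default; the `process_filter` argument is a hypothetical convenience for keeping only the HA process.

```python
import re
from typing import List, NamedTuple, Optional, Tuple


class Listener(NamedTuple):
    proto: str     # "udp" or "tcp"
    family: str    # "ipv4" or "ipv6"
    port: int
    process: str   # "name/pid" as reported by ss, or "?" when unknown


# Constructed sample output in the layout of `ss -lunp` and `ss -ltnp`.
# The ports are stand-ins for an HA host, not a measured list of what HA opens.
SAMPLE_UDP = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:5353       0.0.0.0:*         users:(("python3",pid=1234,fd=12))
UNCONN 0      0      0.0.0.0:1900       0.0.0.0:*         users:(("python3",pid=1234,fd=13))
UNCONN 0      0      0.0.0.0:41987      0.0.0.0:*         users:(("python3",pid=1234,fd=14))
UNCONN 0      0      [::]:38211         [::]:*            users:(("python3",pid=1234,fd=15))
UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*         users:(("systemd-resolve",pid=321,fd=6))
"""

SAMPLE_TCP = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:8123       0.0.0.0:*         users:(("python3",pid=1234,fd=9))
LISTEN 0      128    127.0.0.1:443      0.0.0.0:*         users:(("nginx",pid=77,fd=4))
"""

PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')


def parse_ss(text: str, proto: str) -> List[Listener]:
    """Parse `ss -l?np` style output for one protocol into Listener records.
    Sockets bound only to loopback are skipped: they are unreachable from the
    LAN and never need a firewall rule."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] == "State":
            continue                       # header or malformed line
        addr, port = fields[3].rsplit(":", 1)
        if addr.startswith(("127.", "[::1]")):
            continue
        family = "ipv6" if addr.startswith("[") else "ipv4"
        m = PROC_RE.search(line)
        proc = f"{m.group(1)}/{m.group(2)}" if m else "?"
        listeners.append(Listener(proto, family, int(port), proc))
    return listeners


def plan_rules(listeners: List[Listener],
               eph_range: Tuple[int, int] = (32768, 60999),
               process_filter: Optional[str] = None) -> Tuple[List[str], List[Listener]]:
    """Split listeners into (fixed_rules, ephemeral_listeners).

    fixed_rules: firewalld commands for ports outside the ephemeral range,
    i.e. ports the service chose deliberately and that stay stable.
    ephemeral_listeners: sockets whose port lies in the kernel's ephemeral
    range; these change on every restart and need either a range rule or a
    config option that pins the port."""
    lo, hi = eph_range
    fixed: List[str] = []
    ephemeral: List[Listener] = []
    for ln in listeners:
        if process_filter and not ln.process.startswith(process_filter):
            continue
        if lo <= ln.port <= hi:
            ephemeral.append(ln)
        else:
            rule = f"firewall-cmd --permanent --add-port={ln.port}/{ln.proto}"
            if rule not in fixed:          # v4 and v6 sockets share one rule
                fixed.append(rule)
    return fixed, ephemeral


if __name__ == "__main__":
    found = parse_ss(SAMPLE_UDP, "udp") + parse_ss(SAMPLE_TCP, "tcp")
    fixed, eph = plan_rules(found, process_filter="python3")
    print("rules for stable ports:")
    for r in fixed:
        print("  " + r)
    print("ephemeral ports (cannot be pinned by a port rule):")
    for ln in eph:
        print(f"  {ln.port}/{ln.proto} ({ln.family}, {ln.process})")
```

On a real host the two samples would be replaced by `subprocess.run(["ss", "-lunp"], ...)` output; the classification is the same. The ephemeral list is the useful part: each entry is a candidate for a fixed-port configuration option rather than a firewall hole.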
That’s what I was referring to when talking about the SSDP responses using random ports in the ephemeral range. If mDNS is working reliably for you instead then you don’t need to open up this whole range; the two protocols are used for basically the same thing. I’ve found SSDP to be “quicker” but either (or both) can be used for discovery.
Hi @jjlawren, thanks, that was very helpful! I’m not very familiar with the discovery protocols, this pointed me in the right direction.
I found the section in the source code, and the SSDP library would actually support specifying a port (HA just goes with 0, meaning a random one is picked). I may end up trying to submit a patch to make that configurable via the ssdp: integration block for advanced use.
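The mechanism jjlawren describes (the SSDP reply is unicast back to whatever source port the M-SEARCH left from, chosen from the ephemeral range when the socket is bound to port 0) and the fix lmb found (the library supports binding a specific port) can both be shown in one small exchange. The block below is an added example, not code from the thread, from Home Assistant or from its SSDP library: it runs a stand-in "device" on loopback that answers an M-SEARCH the way a UPnP responder does, then performs discovery once with port 0 and once with a fixed port, and reports which local port the reply had to reach. The M-SEARCH and reply text, the fixed port 40123 and the loopback device are all constructed; `ephemeral_range()` reads the Linux sysctl and falls back to the 32768-60999 default cited above.

```python
import socket
import threading
from typing import Optional, Tuple

# Constructed M-SEARCH request in the shape SSDP discovery uses.
MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 1\r\n"
    "ST: ssdp:all\r\n"
    "\r\n"
).encode()

# Constructed reply, roughly what a UPnP device answers with (LOCATION is a
# placeholder; a real player would point at its own description URL).
REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "ST: ssdp:all\r\n"
    "LOCATION: http://127.0.0.1:1400/xml/device_description.xml\r\n"
    "\r\n"
).encode()


def start_fake_device() -> Tuple[str, int]:
    """Start a loopback 'device' that answers one M-SEARCH with a unicast reply
    sent to the (address, port) the request came from. That destination is the
    requester's *source* port, which is why a firewall on the requester has to
    admit it; the device has no say in which port that is."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))            # stand-in for udp/1900 on the player

    def serve():
        data, sender = sock.recvfrom(2048)
        if data.startswith(b"M-SEARCH"):
            sock.sendto(REPLY, sender)      # unicast back to the sender's port
        sock.close()

    threading.Thread(target=serve, daemon=True).start()
    return sock.getsockname()


def discover(device_addr: Tuple[str, int], bind_port: int = 0,
             timeout: float = 2.0) -> Tuple[int, Optional[str]]:
    """Send an M-SEARCH from a socket bound to bind_port and wait for the reply.
    bind_port=0 lets the kernel pick an ephemeral port (the behaviour this
    thread is about); a fixed bind_port gives the firewall one port to allow.
    Returns (local_port_used, reply_text_or_None)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", bind_port))
    sock.settimeout(timeout)
    local_port = sock.getsockname()[1]
    try:
        sock.sendto(MSEARCH, device_addr)
        data, _ = sock.recvfrom(2048)
        return local_port, data.decode()
    except socket.timeout:
        return local_port, None            # reply dropped, e.g. by a firewall
    finally:
        sock.close()


def ephemeral_range() -> Tuple[int, int]:
    """Kernel ephemeral port range on Linux; Linux default if unreadable."""
    try:
        with open("/proc/sys/net/ipv4/ip_local_port_range") as f:
            lo, hi = f.read().split()
            return int(lo), int(hi)
    except OSError:
        return 32768, 60999


if __name__ == "__main__":
    lo, hi = ephemeral_range()
    port, reply = discover(start_fake_device())
    print(f"bind port 0: kernel chose {port} (ephemeral range {lo}-{hi}); "
          f"reply received: {reply is not None}")
    port, reply = discover(start_fake_device(), bind_port=40123)
    print(f"bind port 40123: reply had to reach {port}; "
          f"reply received: {reply is not None}")
```

The first run shows why an inbound rule for "SSDP responses" ends up being the whole ephemeral range: the port is different on every restart. The second run is what a configurable source port buys you: one known UDP port to allow inbound from the Sonos devices, with the rest of the range left closed.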
@lmb Any chance you’ve done or started the work to make the ssdp response port configurable? I’ve been working on adding firewalls to my HA server, and was running into the same issue.
I’m in the same boat of “everything mostly works when I open all the other ports”, but I’d like to eventually get SSDP also working properly without opening a massive UDP port range in the firewall.
If you haven’t had to pick this up since then, I might give it a look, but just wanted to check if this is in progress anywhere.