From dbd2fa36a9387018bf3c02806ba45441352c0042 Mon Sep 17 00:00:00 2001
From: Joseph Hanson
Date: Sat, 13 Apr 2024 18:16:33 -0500
Subject: [PATCH] mDNS and sonos.
---
config-parts/firewall-ipv4.sh | 40 +++++++++++++++++++++++++++--
config-parts/firewall.sh | 13 ++++++++++
config-parts/service-dhcp_server.sh | 16 +++++++++---
config-parts/service.sh | 10 ++++++++
4 files changed, 73 insertions(+), 6 deletions(-)
diff --git a/config-parts/firewall-ipv4.sh b/config-parts/firewall-ipv4.sh
index e8fa1f4..7917245 100644
--- a/config-parts/firewall-ipv4.sh
+++ b/config-parts/firewall-ipv4.sh
@@ -38,6 +38,11 @@ set firewall ipv4 name iot-local rule 200 description 'Rule: accept_discovery_fr
 set firewall ipv4 name iot-local rule 200 destination group port-group sonos-discovery
 set firewall ipv4 name iot-local rule 200 protocol 'udp'
 set firewall ipv4 name iot-local rule 200 source group address-group 'sonos_players'
+set firewall ipv4 name iot-local rule 220 action 'accept'
+set firewall ipv4 name iot-local rule 220 description 'Rule: accept_api_from_sonos_controllers'
+set firewall ipv4 name iot-local rule 220 destination group port-group sonos-controller-api
+set firewall ipv4 name iot-local rule 220 protocol 'tcp'
+set firewall ipv4 name iot-local rule 220 source group address-group 'sonos_controllers'
 set firewall ipv4 name iot-local rule 999 action 'drop'
 set firewall ipv4 name iot-local rule 999 description 'Rule: drop_invalid'
 set firewall ipv4 name iot-local rule 999 state invalid
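Review bot: Rule 220 on the IOT→LOCAL chain accepts TCP to port-group `sonos-controller-api` (port 1400 per firewall.sh in this patch) from `sonos_controllers`, yet every member of that group is a 10.1.2.x address while the IOT subnet in the DHCP hunk is 10.1.3.0/24, so the rule looks unreachable on this chain unless a controller is also homed on the IOT VLAN. Nothing in the patch makes the router itself listen on TCP 1400 either; if the intent was controller→player API traffic, that path is already covered by trusted-iot rule 110 and this rule can go. If it is kept, limit it with a `destination address` for the router's IOT-side address and add a comment naming the listener it serves, e.g. `# 220: controllers reach <router-side service, TODO name it> over TCP 1400`.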
@@ -74,6 +79,17 @@ set firewall ipv4 name iot-containers rule 999 log
 set firewall ipv4 name iot-trusted default-action 'drop'
 set firewall ipv4 name iot-trusted description 'From IOT to TRUSTED'
 set firewall ipv4 name iot-trusted default-log
+set firewall ipv4 name iot-trusted rule 100 description 'Rule: accept_udp_from_sonos_players_to_sonos_controllers'
+set firewall ipv4 name iot-trusted rule 100 destination group address-group 'sonos_controllers'
+set firewall ipv4 name iot-trusted rule 100 destination port '319,320,30000-65535'
+set firewall ipv4 name iot-trusted rule 100 protocol 'udp'
+set firewall ipv4 name iot-trusted rule 100 source group address-group 'sonos_players'
+set firewall ipv4 name iot-trusted rule 110 action 'accept'
+set firewall ipv4 name iot-trusted rule 110 description 'Rule: accept_tcp_from_sonos_players_to_sonos_controllers'
+set firewall ipv4 name iot-trusted rule 110 destination group address-group 'sonos_controllers'
+set firewall ipv4 name iot-trusted rule 110 destination port '1400,3400,3401,3500,30000-65535'
+set firewall ipv4 name iot-trusted rule 110 protocol 'tcp'
+set firewall ipv4 name iot-trusted rule 110 source group address-group 'sonos_players'
 set firewall ipv4 name iot-trusted rule 999 action 'drop'
 set firewall ipv4 name iot-trusted rule 999 description 'Rule: drop_invalid'
 set firewall ipv4 name iot-trusted rule 999 state invalid
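Review bot: Rule 100 never sets an `action`, unlike rule 110 directly below it; as far as I recall VyOS refuses to commit a rule with no action, and even if it committed the rule would accept nothing, so UDP 319/320 and 30000-65535 from the players to the controllers would still fall to the chain's `default-action 'drop'`. Add `set firewall ipv4 name iot-trusted rule 100 action 'accept'` next to the description line. The 30000-65535 ranges in rules 100 and 110 are wide for an IOT→TRUSTED path; a comment stating why the whole ephemeral range must be reachable, and whether `state` matching on the established reply could replace it, would help the next reviewer judge them.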
@@ -190,6 +206,11 @@ set firewall ipv4 name local-iot rule 110 description 'Rule: accept_mdns'
 set firewall ipv4 name local-iot rule 110 destination port 'mdns'
 set firewall ipv4 name local-iot rule 110 protocol 'udp'
 set firewall ipv4 name local-iot rule 110 source port 'mdns'
+set firewall ipv4 name local-iot rule 200 action 'accept'
+set firewall ipv4 name local-iot rule 200 description 'Rule: accept_discovery_from_sonos_controllers'
+set firewall ipv4 name local-iot rule 200 destination group port-group sonos-controller-discovery
+set firewall ipv4 name local-iot rule 200 protocol 'udp'
+set firewall ipv4 name local-iot rule 200 source group address-group 'sonos_controllers'
 set firewall ipv4 name local-iot rule 999 action 'drop'
 set firewall ipv4 name local-iot rule 999 description 'Rule: drop_invalid'
 set firewall ipv4 name local-iot rule 999 state invalid
@@ -256,7 +277,7 @@ set firewall ipv4 name local-trusted rule 110 protocol 'udp'
 set firewall ipv4 name local-trusted rule 110 source port 'mdns'
 set firewall ipv4 name local-trusted rule 200 action 'accept'
 set firewall ipv4 name local-trusted rule 200 description 'Rule: accept_discovery_from_sonos_players'
-set firewall ipv4 name local-trusted rule 200 destination group port-group sonos-discovery
+set firewall ipv4 name local-trusted rule 200 destination group port-group sonos-player-discovery
 set firewall ipv4 name local-trusted rule 200 protocol 'udp'
 set firewall ipv4 name local-trusted rule 200 source group address-group 'sonos_players'
 set firewall ipv4 name local-trusted rule 400 action 'accept'
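Review bot: The swap in the local-trusted rule 200 hunk, and the same swap on trusted-local rule 211 in the next hunk, replaces `sonos-discovery` (1900-1902 per the firewall.sh context) with `sonos-player-discovery` (1900 only), which quietly narrows what those two chains accept from the players, while iot-local rule 200 in the first hunk of this file still references `sonos-discovery`. If 1901-1902 are not needed, iot-local rule 200 should move to the new group as well; if they are, `sonos-player-discovery` should carry the same range. A comment on the group definition stating which ports the players actually use would stop the two groups from drifting apart again.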
@@ -472,6 +493,16 @@ set firewall ipv4 name containers-wan description 'From CONTAINERS to WAN'
 # From TRUSTED to IOT
 set firewall ipv4 name trusted-iot default-action 'accept'
 set firewall ipv4 name trusted-iot description 'From TRUSTED to IOT'
+set firewall ipv4 name trusted-iot rule 110 action 'accept'
+set firewall ipv4 name trusted-iot rule 110 description 'Rule: accept_tcp_from_sonos_controllers_to_sonos_players'
+set firewall ipv4 name trusted-iot rule 110 destination port '1400,1443,4444,7000,30000-65535'
+set firewall ipv4 name trusted-iot rule 110 protocol 'tcp'
+set firewall ipv4 name trusted-iot rule 110 source group address-group 'sonos_controllers'
+set firewall ipv4 name trusted-iot rule 111 action 'accept'
+set firewall ipv4 name trusted-iot rule 111 description 'Rule: accept_udp_from_sonos_controllers_to_sonos_players'
+set firewall ipv4 name trusted-iot rule 111 destination port '319,320,30000-65535'
+set firewall ipv4 name trusted-iot rule 111 protocol 'udp'
+set firewall ipv4 name trusted-iot rule 111 source group address-group 'sonos_controllers'
 set firewall ipv4 name trusted-iot rule 999 action 'drop'
 set firewall ipv4 name trusted-iot rule 999 description 'Rule: drop_invalid'
 set firewall ipv4 name trusted-iot rule 999 state invalid
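Review bot: The chain's `default-action 'accept'` on the context line just above the insertion means rules 110 and 111 change nothing — everything from TRUSTED to IOT is already accepted and rule 999 still drops invalid state. If they are a first step toward a deny-by-default trusted-iot chain, say so in a comment, e.g. `# 110/111: explicit Sonos allows, kept so default-action can later move to drop`; otherwise they add lines to read without adding policy. Note also that neither rule restricts the destination to `sonos_players`, so once the default does become drop, every IOT host would be reachable on TCP 1400/1443/4444/7000, UDP 319/320 and 30000-65535 from any controller.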
@@ -510,9 +541,14 @@ set firewall ipv4 name trusted-local rule 120 action 'accept'
 set firewall ipv4 name trusted-local rule 120 description 'Rule: accept_dns'
 set firewall ipv4 name trusted-local rule 120 destination port 'domain,domain-s'
 set firewall ipv4 name trusted-local rule 120 protocol 'tcp_udp'
+set firewall ipv4 name trusted-local rule 210 action 'accept'
+set firewall ipv4 name trusted-local rule 210 description 'Rule: accept_discovery_from_sonos_controllers'
+set firewall ipv4 name trusted-local rule 210 destination group port-group sonos-controller-discovery
+set firewall ipv4 name trusted-local rule 210 protocol 'udp'
+set firewall ipv4 name trusted-local rule 210 source group address-group 'sonos_controllers'
 set firewall ipv4 name trusted-local rule 211 action 'accept'
 set firewall ipv4 name trusted-local rule 211 description 'Rule: accept_discovery_from_sonos_players'
-set firewall ipv4 name trusted-local rule 211 destination group port-group sonos-discovery
+set firewall ipv4 name trusted-local rule 211 destination group port-group sonos-player-discovery
 set firewall ipv4 name trusted-local rule 211 protocol 'udp'
 set firewall ipv4 name trusted-local rule 211 source group address-group 'sonos_players'
 set firewall ipv4 name trusted-local rule 400 action 'accept'
diff --git a/config-parts/firewall.sh b/config-parts/firewall.sh
index b2c498c..c62da9c 100644
--- a/config-parts/firewall.sh
+++ b/config-parts/firewall.sh
@@ -27,6 +27,19 @@ set firewall group address-group vyos_unifi address '10.5.0.10'
 set firewall group network-group k8s_services network '10.45.0.0/16'
 set firewall group address-group sonos_players address '10.1.2.31'
+# Sonos controllers
+set firewall group port-group sonos-controller-api port '1400'
+set firewall group port-group sonos-controller-discovery port '1900'
+
+set firewall group address-group sonos_controllers address '10.1.2.21' # jahanson laptop
+set firewall group address-group sonos_controllers address '10.1.2.22-10.1.2.23' # Elisia's laptop
+set firewall group address-group sonos_controllers address '10.1.2.31-10.1.2.37' # iOS devices
+
+# Sonos players
+set firewall group port-group sonos-player-discovery port '1900'
+
+set firewall group address-group sonos_players address '10.1.3.71-10.1.3.75'
+
 # Port groups
 set firewall group port-group wireguard port '51820'
 set firewall group port-group sonos-discovery port '1900-1902'
diff --git a/config-parts/service-dhcp_server.sh b/config-parts/service-dhcp_server.sh
index a1b8acd..05f259c 100644
--- a/config-parts/service-dhcp_server.sh
+++ b/config-parts/service-dhcp_server.sh
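Review bot: The existing `sonos_players address '10.1.2.31'` line (context, just above the insertion) is left in place while the new `sonos_controllers` range `10.1.2.31-10.1.2.37` covers that same address, so 10.1.2.31 is now a member of both groups and inherits every accept rule keyed on either of them (iot-trusted 100/110 and trusted-iot 110/111 in firewall-ipv4.sh, for instance). If it is a stale entry now that the players live at 10.1.3.71-10.1.3.75, remove that line; if it is deliberate, say why in a trailing comment as the other entries do. Separately, `sonos-player-discovery` and `sonos-controller-discovery` are both just port 1900 and overlap `sonos-discovery` (1900-1902, context below), so three groups now describe one port; collapsing them, or a comment explaining why they are kept distinct, would make the rule set easier to audit.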
@@ -142,14 +142,22 @@ set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mappin
 # Switchbot plugs
-set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-1 ip-address '10.1.3.33'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-1 ip-address '10.1.3.31'
 set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-1 mac-address 'A0:76:4E:21:DE:D0'
-set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-2 ip-address '10.1.3.34'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-2 ip-address '10.1.3.32'
 set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-2 mac-address '34:85:18:0E:C7:CC'
-set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-3 ip-address '10.1.3.35'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-3 ip-address '10.1.3.33'
 set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-3 mac-address '68:B6:B3:B3:EF:6C'
-set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-4 ip-address '10.1.3.36'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-4 ip-address '10.1.3.34'
 set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-4 mac-address 'A0:76:4E:1F:D7:84'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-5 ip-address '10.1.3.35'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-5 mac-address '34:85:18:10:37:60'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-6 ip-address '10.1.3.36'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-6 mac-address 'A0:76:4E:35:81:38'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-7 ip-address '10.1.3.37'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-7 mac-address '68:b6:b3:b2:5a:30'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-8 ip-address '10.1.3.38'
+set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping switchbot-plug-mini-8 mac-address '68:B6:B3:B7:EF:24'
 # Sonos
 set service dhcp-server shared-network-name IOT subnet 10.1.3.0/24 static-mapping office-sonos-beam ip-address '10.1.3.71'
diff --git a/config-parts/service.sh b/config-parts/service.sh
index cac722d..aa8370a 100644
--- a/config-parts/service.sh
+++ b/config-parts/service.sh
@@ -13,6 +13,16 @@ set service ntp server time.cloudflare.com
 set service ssh disable-password-authentication
 set service ssh port '22'
+# UDP Broadcast-Relay
+set service broadcast-relay id 1 description 'Sonos'
+set service broadcast-relay id 1 interface 'eth1.20'
+set service broadcast-relay id 1 interface 'eth1.30'
+set service broadcast-relay id 1 port '1900'
+
+# mDNS Repeater
+set service mdns repeater interface 'eth1.20'
+set service mdns repeater interface 'eth1.30'
+
 # TFTP server
 set service tftp-server directory '/config/tftpboot'
 set service tftp-server listen-address 10.1.1.1
\ No newline at end of file
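Review bot: The renumbering reuses 10.1.3.33-10.1.3.36 — the previous addresses of switchbot-plug-mini-1..4 — as the new static mappings of plug-mini-3..6 in the same change, so until the leases plugs 1-4 currently hold renew or expire, two devices can claim one address (plug 1 still on .33 versus plug 3 now mapped to .33). Consider committing the four moves first and adding plugs 5-8 once the old leases are released, or record the expected overlap window in the `# Switchbot plugs` comment. Also, `68:b6:b3:b2:5a:30` on plug-mini-7 is lower-case while every other MAC in the block is upper-case; it works, but matching the block's case keeps greps and future diffs consistent.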
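Review bot: The mDNS repeater reflects every mDNS service between eth1.20 and eth1.30, not only Sonos, so anything an IOT device advertises becomes discoverable and resolvable from the other VLAN and vice versa; the firewall changes in this commit only constrain the unicast follow-up traffic by the sonos groups, while the reflected discovery traffic itself is unfiltered. The `# mDNS Repeater` comment should state that this cross-VLAN exposure is accepted, e.g. `# mDNS Repeater: reflects all mDNS between TRUSTED and IOT, not just Sonos`. If the running release offers a service filter (newer VyOS has `set service mdns repeater browse-domain <domain>`; confirm it exists on this build), limiting it to the Sonos service types would narrow that exposure. The broadcast relay on UDP 1900 has the same bidirectional property and deserves the same note.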