#1, posted 06-12-2011, 04:56 PM by Scott (busthead; Member; Join Date: Nov 2008; Posts: 42)
SSDP (UDP 1900) over L2TP VPN Connection

Hello,

I wish to control my Sonos audio system remotely via iPhone.

I've configured and successfully connected to my Astaro via L2TP over IPSec. The iPhone is assigned 192.168.0.2 address from custom VPN Pool. This is the same subnet as my local home network on which the Sonos boxes reside.

I am able to ping my Sonos boxes from the iPhone when connected via VPN.

The Sonos app uses SSDP (UDP port 1900) to destination 239.255.255.250 (broadcast) to detect the Sonos boxes.

I ran Wireshark on my local network and was not able to see any SSDP traffic from the iPhone.

Thus, my question is, what is preventing SSDP packets originating from my iPhone from reaching my local network?

Much thanks,
Scott

Last edited by busthead; 06-14-2011 at 02:07 AM. Reason: fixed typo: changed "using" to "uses"
#2, posted 06-12-2011, 10:17 PM by BAlfson (Grandis Professorem Astaro; Join Date: Mar 2007; Location: Oklahoma City; Posts: 20,663)

Hi, Scott,

Although Astaro says it should work in some versions of Astaro, you should not have an overlap between VPN Pools and your 'Internal (Network)'.

Quote:
The Sonos app using SSDP (UDP port 1900) to destination 239.255.255.250 (broadcast) to detect the Sonos boxes.
If there's more than a single Sonos system, you may need to add another external IP. If I understand this correctly, the 239.x.y.250 address will need a DNAT to "see" your Sonos system's internal IP.

Did that help?

Cheers - Bob
__________________
ACE V7 - Astaro Preferred Partner since V3
SCA/UTM - Sophos Gold Solution Partner
www.MediaSoftUSA.com
Addicted to my iPhone!
#3, posted 06-13-2011, 05:01 PM by Scott (busthead; Member; Join Date: Nov 2008; Posts: 42)

Hi Bob,

I am running ASG Software v8.102.

I don't have "overlap between VPN Pools and your 'Internal (Network)'." My VPN Pool is one IP address 192.168.0.2. All hosts on my internal network have addresses other than 192.168.0.2, so I don't see the problem you are trying to illustrate.

I have six Sonos systems,

Sonos ZP90 - Family Room 192.168.0.214
Sonos ZP120 - Garage 1 192.168.0.215
Sonos ZP120 - Master Bath 192.168.0.210
Sonos ZP120 - Garage 2 192.168.0.211
Sonos ZP120 - Game Room 192.168.0.212
Sonos ZP120 - Backyard 192.168.0.213

Can you please explain why I "may need to add another external IP?"

Hope this info helps. It seems as though we are not on the same page quite yet.

Thanks,
Scott
#4, posted 06-13-2011, 09:45 PM by BAlfson (Grandis Professorem Astaro; Join Date: Mar 2007; Location: Oklahoma City; Posts: 20,663)

The problem is one of default gateways and ARP tables. This may not be your current problem, but it's just a good habit to NOT have VPN IPs in the same subnet with other local networks.

I don't know sonos. If all you need to do is reach each device directly from your iPhone, then making the change I suggested probably will fix your problem. If there's some central Sonos server that needs to be able to "see" each device, then you have a different problem. If the server just needs to be able to "see" a Sonos device when the device calls the server, then you may have a masquerading problem.

Can you explain what is supposed to happen?

Cheers - Bob
#5, posted 06-14-2011, 02:15 AM by Scott (busthead; Member; Join Date: Nov 2008; Posts: 42)

Hi Bob,

Sorry if you're not understanding what is supposed to happen. Thought I did a decent job of describing it in my first post,

"The Sonos app uses SSDP (UDP port 1900) to destination 239.255.255.250 (broadcast) to detect the Sonos boxes."

i.e. the SSDP packets (from my iPhone connected via L2TP over IPSec VPN) are not reaching my internal network (or the Sonos devices on it).

Intimate knowledge of the Sonos system is not required. All I need to know is if Astaro will pass this traffic with my current configuration and if not, what change(s) do I need to make.

Is the "change you suggested" creating a DNAT rule? If so, how do I DNAT broadcast traffic. This doesn't make sense to me.

Thanks,
Scott
#6, posted 06-14-2011, 07:21 PM by BAlfson (Grandis Professorem Astaro; Join Date: Mar 2007; Location: Oklahoma City; Posts: 20,663)

I just consulted the Sonos site. It appears that one ZP must be connected with a cable to your Astaro, and that that device then communicates with the other ZPs wirelessly. In other words, that your iPhone AP "speaks" to the other ZPs via the one wired to the Astaro. If I understand correctly, you have
Internet>[modem]<--><Public IP[Astaro]Internal IP><-->[One ZP x] {wireless} [other ZPs]
If that's the case, it looks like you need a NAT rule:
{Host def for 239.255.255.250} --> SSDP --> 'External (Address)' : DNAT to {IP of One ZP x} with 'Auto Packet filter rule' checked
That will enable 239.255.255.250 to initiate and carry on a conversation with the wired device, [One ZP x].

Does that resolve your issue?

Cheers - Bob
PS I didn't spend much time reading it, but it sounds like you don't need to connect with L2TP to accomplish what you want.
#7, posted 06-14-2011, 08:56 PM by Scott (busthead; Member; Join Date: Nov 2008; Posts: 42)

Bob,

Can you please include a link to the Sonos site you reference above?

All my Sonos units are wired.

I understand the DNAT rule you are suggesting. I do not understand why it is necessary.

Are you not able to tell me why the SSDP packets are not being seen on my local network? As stated above, I'm able to ping my Sonos units. Ping (ICMP) is lower in the TCP/IP stack than SSDP. Thus, if ping packets are forwarded on to the local network without a DNAT rule, why would SSDP require a DNAT rule?

Your statement, "sounds like you don't need to connect with L2TP to accomplish what you want" concerns me. You do understand that I am trying to REMOTELY (as in off the physical premises) control my Sonos system, correct?

Thanks,
Scott
#8, posted 06-15-2011, 12:17 PM by BAlfson (Grandis Professorem Astaro; Join Date: Mar 2007; Location: Oklahoma City; Posts: 20,663)

Scott, I think your problem is that you need to understand how the iPhone app works first, and that's probably information available on the Sonos website or in their forums. Here's the link I found with a quick google: Directions and Diagrams for the Sonos Wireless Music System

About the best answer I can give you to your question is that a firewall, by definition, blocks all traffic that is not specifically allowed. If Sonos has a server that needs to be able to call your home system, you having a VPN established from your iPhone does nothing to affect that; the DNAT I recommended is what you would need.

Cheers - Bob
#9, posted 06-16-2011, 04:21 AM by Scott (busthead; Member; Join Date: Nov 2008; Posts: 42)

Bob,

No offense, but I understand how the Sonos app works. It appears that you are confused.

There is no Sonos server in the cloud that connects to my home system. The Sonos system requires a broadband connection to download content (Internet radio), NOT to be administered remotely. The iPhone app was designed to function when connected to the same local network as the Sonos units. Thus, the reason I am connecting via VPN and assigning my iPhone an IP address on the same subnet as my Sonos units.

Hopefully now you have a better understanding of the situation. Please allow me to ask my question in a different manner,

If I have the following packet filter rule enabled,

Source: 192.168.0.0/24
Service: Any IP
Destination: 239.255.255.250/32

shouldn't Astaro pass SSDP broadcasts from my iPhone (connected via L2TP over IPSec VPN with IP addr 192.168.0.2) to my local network? And if not, why?

Thanks,
Scott
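
The SSDP exchange described in post #1 and the packet-filter question in post #9, worked through as an added example; this is not code from the original thread, from Astaro or from Sonos, and it does not model the Sonos app itself. It builds the M-SEARCH datagram the app would send, models what a unicast router does with a 239.255.255.250 destination compared with a 192.168.0.x one, parses a reply, and sketches a unicast fallback. The interface names (l2tp0, eth0, eth1), the routing table, the sample reply (constructed, not a capture) and the idea that a player answers an M-SEARCH sent to its own unicast address are all assumptions.

```python
"""SSDP across an L2TP/IPsec tunnel: the M-SEARCH on the wire, why a unicast
firewall rule cannot carry it to the LAN, and a per-player unicast fallback.

Added example for this thread, not Astaro or Sonos code.  Assumptions:
interface names, routing table, the constructed reply, and that a player
answers an M-SEARCH sent to its unicast address.
"""
import ipaddress
import socket
from typing import Dict, List, Optional
from urllib.parse import urlparse

SSDP_GROUP = "239.255.255.250"   # UPnP multicast group named in the thread
SSDP_PORT = 1900
MULTICAST_V4 = ipaddress.ip_network("224.0.0.0/4")


def build_msearch(target: str = "ssdp:all", mx: int = 1, host: str = SSDP_GROUP) -> bytes:
    """Build an SSDP M-SEARCH request (UPnP Device Architecture 1.0 format)."""
    lines = ["M-SEARCH * HTTP/1.1", f"HOST: {host}:{SSDP_PORT}",
             'MAN: "ssdp:discover"', f"MX: {mx}", f"ST: {target}", "", ""]
    return "\r\n".join(lines).encode("ascii")


def forwarding_decision(dst: str, ingress: str, routes: Dict[str, str],
                        multicast_routing: bool = False) -> str:
    """Model what a unicast router/firewall does with one IPv4 datagram.

    The unicast table has no entry for 224.0.0.0/4: a multicast datagram is
    delivered to group members on the interface it arrived on and goes no
    further unless a multicast router (PIM, IGMP proxy) runs on the box.
    A packet filter 'allow' rule permits traffic; it does not route it.
    """
    addr = ipaddress.ip_address(dst)
    if addr in MULTICAST_V4:
        if multicast_routing:
            return "forwarded by multicast router"
        return f"delivered on {ingress} only (not routed)"
    # longest-prefix match over the unicast table
    for prefix in sorted(routes, key=lambda p: ipaddress.ip_network(p).prefixlen, reverse=True):
        if addr in ipaddress.ip_network(prefix):
            return f"routed via {routes[prefix]}"
    return "dropped (no route)"


def parse_ssdp_response(raw: bytes) -> Optional[Dict[str, str]]:
    """Parse an SSDP '200 OK' reply into upper-cased headers; None if malformed."""
    try:
        head = raw.decode("utf-8").partition("\r\n\r\n")[0]
    except UnicodeDecodeError:
        return None
    lines = head.split("\r\n")
    if len(lines) < 2 or not lines[0].startswith("HTTP/1.1 200"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            return None
        headers[name.strip().upper()] = value.strip()
    return headers


def location_on_lan(headers: Dict[str, str], lan: str) -> bool:
    """SSDP is unauthenticated: only follow a LOCATION URL whose host is an
    IPv4 address inside the subnet the players are expected to live on."""
    url = urlparse(headers.get("LOCATION", ""))
    if url.scheme != "http" or not url.hostname:
        return False
    try:
        return ipaddress.ip_address(url.hostname) in ipaddress.ip_network(lan)
    except ValueError:
        return False


# Constructed sample reply (not a capture); the IP is the Family Room player
# from the thread, the port, path and ST are assumptions.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=1800\r\n"
    b"EXT:\r\n"
    b"LOCATION: http://192.168.0.214:1400/xml/device_description.xml\r\n"
    b"ST: urn:schemas-upnp-org:device:ZonePlayer:1\r\n"
    b"USN: uuid:RINCON_000000000000::urn:schemas-upnp-org:device:ZonePlayer:1\r\n"
    b"\r\n"
)


def unicast_discover(hosts: List[str], lan: str, timeout: float = 1.0) -> Dict[str, Dict[str, str]]:
    """Send M-SEARCH to each player's unicast address (the addresses that
    answer ping over the tunnel) instead of to the multicast group."""
    found: Dict[str, Dict[str, str]] = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for host in hosts:
            sock.sendto(build_msearch(host=host), (host, SSDP_PORT))
            try:
                data, (src, _) = sock.recvfrom(4096)
            except socket.timeout:
                continue
            headers = parse_ssdp_response(data)
            if headers and location_on_lan(headers, lan):
                found[src] = headers
    return found
```

With the assumed table `{"192.168.0.0/24": "eth0", "10.242.3.0/24": "l2tp0", "0.0.0.0/0": "eth1"}`, `forwarding_decision("192.168.0.214", "l2tp0", table)` returns "routed via eth0", which is why ping from the tunnel works, while `forwarding_decision("239.255.255.250", "l2tp0", table)` returns "delivered on l2tp0 only (not routed)", which is why Wireshark on the LAN never sees the M-SEARCH regardless of the allow rule. `unicast_discover(["192.168.0.214", "192.168.0.215"], "192.168.0.0/24")` sends the same request to each player's own address over the tunnel; whether the players answer it is the assumption to verify.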
#10, posted 06-16-2011, 07:24 PM by BAlfson (Grandis Professorem Astaro; Join Date: Mar 2007; Location: Oklahoma City; Posts: 20,663)

No, not confused, just ignorant by choice!

Assigning an address within 'Internal (Network)' to a remote user works sometimes. In this case, I suspect that all will work correctly if you'll just change the 'Pool network' back to 'VPN Pool (L2TP)' with 10.242.3.0/24. If that doesn't solve the problem, then look at the Packet Filter and Intrusion Prevention logs. If you still can't see the issue, then I'm out of guesses.

Cheers - Bob