
Trouble Connecting Sonos IKEA Speakers to ASUS GT-AX6000 with Merlin Firmware


I find myself standing at the crossroads of functionality and security, a place where many a brave soul has faltered. My Sonos speakers are now harmoniously connected to my guest network, thanks to the dark magic of YazFi and the "Two Way to Guest" setting. The symphony plays, but at what cost?

I seek your wisdom on fortifying this setup against the unseen threats that lurk in the shadows of every network. While the speakers sing, I wish to ensure that they are not also whispering secrets to malevolent forces.

  1. Are there specific firewall rules within YazFi that could tighten the security while allowing the Sonos system to function?
  2. How vulnerable is a "Two Way to Guest" setup in terms of potential unauthorized access to my main LAN?
  3. Are there any additional Merlin or YazFi features that could act as talismans against digital malevolence?

Your insights, like a sorcerer's spells, could fortify this digital fortress I call a network. I await your wisdom with bated breath.

YazFi lets you use a script to set up custom firewall rules; it is detailed in the documentation. So if you can find the specific ports etc. that are needed, you can lock it down some.

Two way to guest is not really any better than leaving access intranet enabled. May provide a tiny bit of protection but not enough to bother isolating them. It could also be that they want all devices to be on the same SSID/subnet too, not sure.
 
Kind of defeats the purpose of putting them on the guest.

I thought so too. That's the only IoT device I have on 2 way. When experimenting, AirPlay won't work on 1 way. Sonos works on a different subnet; it just requires 2 way to guest. I had a brief chat with JackYaz about it, and I thought YazFi was built to handle that isolation.
 

AirPlay requires mDNS, which basically requires everything to be on the same network for the most part (there is a "helper" that can be enabled via script but may not be reliable). In that case the different subnets of YazFi are going to make things harder.

You basically have two options if you want it to work between main and guest:

- YazFi along with a script to enable mDNS helper and permit the mDNS traffic from guest to main LAN only (basically 1-way to guest plus adding only mDNS in the other direction).
- Stock Asus Guest 2 or 3, and a script to disable AP/client Isolation and enable the traffic you want to be able to go through the firewall in both directions.

Either way you need to do some scripting and trial/error.

What I often suggest to people in that scenario that don't want to do scripting is keep your isolation and keep the guest network saved on your phone or whatever you use to AirPlay, and just switch networks when you want to play music, and switch back when done; it just takes a couple of taps. For that solution YazFi will work for you "out of the box" as all it needs is the Client Isolation disabled, which you can do in the GUI for YazFi.

In reality, for many IoT things that need local discovery and communication, that ends up being the only option. Some systems require everything on the same SSID, some require all on the same subnet, etc.
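
Added example, not part of any post above and not YazFi's own code: a shell function that reads `iptables-save` output and lists every rule accepting forwarded traffic from a guest interface into the main LAN, so a "two way" opening can be told apart from one scoped to mDNS (UDP 5353) or to reply traffic only. The bridge name `br0`, guest interface names of the form `wl0.1`, and the sample ruleset are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit iptables-save output for guest -> LAN forwarding rules.
# Assumptions: LAN bridge is br0 and guest interfaces look like wl0.1, wl1.2.

# Reads iptables-save text on stdin.
#   $1 = LAN bridge name, $2 = regex matching guest interface names
# Prints one line per ACCEPT rule that forwards guest traffic into the LAN:
#   BROAD      - no destination-port limit, new connections allowed
#   SCOPED     - limited to specific destination port(s)
#   REPLY-ONLY - only RELATED/ESTABLISHED traffic (replies to LAN-initiated flows)
# Negated matches ("! -i ...") are not handled.
audit_guest_forward() {
    awk -v lan="$1" -v re="$2" '
    $1 == "-A" {
        in_if = ""; out_if = ""; target = ""; proto = "any"; dport = "any"; state = ""
        for (i = 3; i < NF; i++) {
            if      ($i == "-i") in_if  = $(i + 1)
            else if ($i == "-o") out_if = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
            else if ($i == "-p") proto  = $(i + 1)
            else if ($i == "--dport" || $i == "--dports") dport = $(i + 1)
            else if ($i == "--state" || $i == "--ctstate") state = $(i + 1)
        }
        # Keep only rules that accept guest-interface traffic headed into the LAN.
        if (target != "ACCEPT" || out_if != lan || in_if !~ re) next
        if (state != "" && index(state, "NEW") == 0) verdict = "REPLY-ONLY"
        else if (dport != "any")                     verdict = "SCOPED"
        else                                         verdict = "BROAD"
        printf "%s %s->%s %s/%s\n", verdict, in_if, out_if, proto, dport
    }'
}

# Constructed sample ruleset (not captured from a real router).
sample_rules() {
    cat <<'EOF'
*filter
-A FORWARD -i wl0.1 -o br0 -j ACCEPT
-A FORWARD -i br0 -o wl0.1 -j ACCEPT
-A FORWARD -i wl1.1 -o br0 -p udp -m udp --dport 5353 -j ACCEPT
-A FORWARD -i wl0.2 -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wl0.2 -o br0 -j REJECT
COMMIT
EOF
}

sample_rules | audit_guest_forward br0 '^wl[0-9]+[.][0-9]+$'
```

On a router, the same function can be fed live rules with `iptables-save | audit_guest_forward br0 '^wl[0-9]+[.][0-9]+$'`; any `BROAD` line means that guest interface can open new connections to any LAN host and port.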
 
