Airplay and Sonos traffic not connecting across SSIDs

I am trying to solve why Airplay and Sonos traffic won’t work across two SSIDs on the same access points. Everything else works fine. This manifests as being unable to connect my iPhone to play something on my Sonos speakers.

Wireless network = 3 TP-Link EAP773 access points, connected via cables to a Zyxel switch. There are 2 SSIDs associated with the APs.

The Zyxel switch is connected by an SFP+ DAC to my RB5009 router

The router is connected to the internet.

TP-Link has confirmed that there is no reason why this traffic shouldn’t route across the SSIDs. Connecting the APs to the Mikrotik router does not change anything. If the phone and Sonos device are connected to the same SSID everything works like a charm.

I think I’ve ruled out the APs. Is something in the config likely to be getting in the way? How can I troubleshoot this? Could it be something to do with my pi-hole container running on the RB5009?

# 2025-10-08 13:24:28 by RouterOS 7.20
# software id = 4SAD-K293
#
# model = RB5009UG+S+
# serial number = HE408Z9RT61
/interface bridge
add name="Local Bridge" port-cost-mode=short
add name=dockers port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name="Port 1 - Study"
set [ find default-name=ether2 ] name="Port 2 - Living Room"
set [ find default-name=ether3 ] name="Port 3 - Girl's Room"
set [ find default-name=ether4 ] name="Port 4 - Snug"
set [ find default-name=ether5 ] name="Port 5 - VH Backup"
set [ find default-name=ether6 ] name="Port 6"
set [ find default-name=ether7 ] name="Port 7 - Kitchen"
set [ find default-name=ether8 ] mac-address=A4:43:8C:36:0B:B1 name=\
    "Port 8 - WAN"
set [ find default-name=sfp-sfpplus1 ] name="Port 9 - SFP+"
/interface veth
add address=172.17.0.2/24,fd6c:b6e2:f488::2/64 dhcp=no gateway=172.17.0.1 \
    gateway6=fd6c:b6e2:f488:: mac-address=44:4F:16:BE:02:9D name=veth1
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/container mounts
add dst=/etc/dnsmasq.d name=dnsmasq_pihole src=\
    /usb1-part1/pihole/etc-dnsmasq.d
add dst=/etc/pihole name=etc_pihole src=/usb1-part1/pihole/etc
/disk
add parent=usb1 partition-number=1 partition-offset=512 partition-size=\
    128035675648 type=partition
/interface list
add name=listBridge
add name=WAN
add comment=defconf include=listBridge name=LAN
add name=TRUSTED
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec mode-config
add connection-mark=ipsec name=NordVPN responder=no
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
add dpd-interval=2m dpd-maximum-failures=5 name=NordVPN
/ip ipsec peer
add address=al55.nordvpn.com comment=Albania exchange-mode=ike2 name=NordVPN \
    profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=dhcp_pool0 ranges=10.160.100.20-10.160.100.200
/ip dhcp-server
add address-pool=dhcp_pool0 interface="Local Bridge" lease-time=10m name=\
    dhcp1
/ip smb users
set [ find default=yes ] disabled=yes
add name=Darren
/ipv6 pool
add name=IPv6_dockers prefix=fd6c:b6e2:f488::/48 prefix-length=64
/caps-man manager
set enabled=yes
/container
add envlists=pihole_envs interface=veth1 logging=yes mounts=\
    dnsmasq_pihole,etc_pihole name=Pi_Hole remote-image=pihole/pihole:latest \
    root-dir=usb1-part1/pihole start-on-boot=yes workdir=/
/container config
set registry-url=https://registry-1.docker.io tmpdir=usb1-part1/pull
/container envs
add key=DNSMASQ_USER list=pihole_envs value=root
add key=FTLCONF_webserver_api_password list=pihole_envs value=Ham1sh01
add key=TZ list=pihole_envs value=Europe/London
/ip smb
set domain=WORKGROUP enabled=yes interfaces="Local Bridge"
/interface bridge port
add bridge="Local Bridge" interface="Port 2 - Living Room" \
    internal-path-cost=10 path-cost=10
add bridge="Local Bridge" interface="Port 1 - Study" internal-path-cost=10 \
    path-cost=10
add bridge="Local Bridge" interface="Port 7 - Kitchen" internal-path-cost=10 \
    path-cost=10
add bridge="Local Bridge" interface=*F internal-path-cost=10 path-cost=10
add bridge="Local Bridge" interface="Port 3 - Girl's Room" \
    internal-path-cost=10 path-cost=10
add bridge="Local Bridge" interface="Port 4 - Snug" internal-path-cost=10 \
    path-cost=10
add bridge=dockers interface=veth1 internal-path-cost=10 path-cost=10
add bridge="Local Bridge" interface="Port 6"
add bridge="Local Bridge" interface="Port 5 - VH Backup"
add bridge="Local Bridge" interface="Port 9 - SFP+"
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface list member
add interface="Local Bridge" list=listBridge
add interface="Port 8 - WAN" list=WAN
add interface=dockers list=listBridge
add interface=wireguard1 list=listBridge
add interface="Local Bridge" list=LAN
add interface=dockers list=LAN
add interface=wireguard1 list=LAN
add interface="Local Bridge" list=TRUSTED
add interface=wireguard1 list=TRUSTED
/interface ovpn-server server
add mac-address=FE:A8:27:88:84:9C name=ovpn-server1
/interface wireguard peers
add allowed-address=192.168.10.2/32 comment="2 iPhone" interface=wireguard1 \
    name=peer5 public-key=""
add allowed-address=192.168.10.4/32 comment="4 Dell XPS13 Darren" interface=\
    wireguard1 name=peer7 public-key=\
    ""
add allowed-address=192.168.10.5/32 comment="5 iPad" interface=wireguard1 \
    name=peer8 public-key=""
add allowed-address=192.168.10.11/32 interface=wireguard1 name=peer1 \
    public-key=""
/ip address
add address=10.160.100.1/24 interface="Local Bridge" network=10.160.100.0
add address=192.168.10.1/24 comment=WireGuard1 interface=wireguard1 network=\
    192.168.10.0
add address=172.17.0.1/24 comment="Docker container address range" interface=\
    dockers network=172.17.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add interface="Port 8 - WAN"
/ip dhcp-server lease
add address=10.160.100.68 client-id=1:ec:71:db:2e:8c:e0 mac-address=\
    EC:71:DB:2E:8C:E0 server=dhcp1
add address=10.160.100.150 client-id=1:f8:25:51:b6:4a:bc mac-address=\
    F8:25:51:B6:4A:BC server=dhcp1
add address=10.160.100.93 client-id=1:5a:63:f6:f3:6d:11 mac-address=\
    5A:63:F6:F3:6D:11 server=dhcp1
add address=10.160.100.97 client-id=1:d8:5e:d3:a6:37:14 mac-address=\
    D8:5E:D3:A6:37:14 server=dhcp1
add address=10.160.100.30 client-id=1:0:11:32:b7:b2:15 mac-address=\
    00:11:32:B7:B2:15 server=dhcp1
add address=10.160.100.75 client-id=\
    30:3a:31:3a:31:3a:36:63:3a:31:66:3a:66:37:3a:34:30:3a:34:62:3a:64:38 \
    mac-address=6C:1F:F7:40:4B:D8 server=dhcp1
add address=10.160.100.152 client-id=1:70:49:a2:21:4a:9 mac-address=\
    70:49:A2:21:4A:09 server=dhcp1
/ip dhcp-server network
add address=10.160.100.0/24 dns-server=10.160.100.1 gateway=10.160.100.1
/ip dns
set allow-remote-requests=yes cache-size=8192KiB max-concurrent-queries=1000 \
    max-concurrent-tcp-sessions=2000 servers=\
    1.1.1.3,1.0.0.3,2606:4700:4700::1113,2606:4700:4700::1003 use-doh-server=\
    https://family.cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static
add address=104.16.249.249 name=cloudflare-dns.com type=A
add address=104.16.248.249 name=cloudflare-dns.com type=A
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add address=telegraph.co.uk list=VPN
add address=4.78.139.50 list=YouTube
add address=4.78.139.54 list=YouTube
add address=23.101.24.70 list=YouTube
add address=23.202.231.167 list=YouTube
add address=23.217.138.108 list=YouTube
add address=23.225.141.210 list=YouTube
add address=23.234.30.58 list=YouTube
add address=31.13.64.7 list=YouTube
add address=31.13.67.19 list=YouTube
add address=31.13.67.33 list=YouTube
add address=31.13.67.41 list=YouTube
add address=31.13.68.169 list=YouTube
add address=31.13.69.169 list=YouTube
add address=31.13.69.245 list=YouTube
add address=31.13.70.9 list=YouTube
add address=31.13.70.13 list=YouTube
add address=31.13.70.33 list=YouTube
add address=31.13.71.19 list=YouTube
add address=31.13.73.9 list=YouTube
add address=31.13.73.169 list=YouTube
add address=31.13.75.5 list=YouTube
add address=31.13.75.12 list=YouTube
add address=31.13.76.65 list=YouTube
add address=31.13.76.99 list=YouTube
add address=31.13.80.37 list=YouTube
add address=31.13.80.54 list=YouTube
add address=31.13.80.169 list=YouTube
add address=31.13.81.4 list=YouTube
add address=31.13.82.33 list=YouTube
add address=31.13.82.169 list=YouTube
add address=31.13.83.2 list=YouTube
add address=31.13.83.34 list=YouTube
add address=31.13.84.2 list=YouTube
add address=31.13.84.34 list=YouTube
add address=31.13.85.2 list=YouTube
add address=31.13.85.34 list=YouTube
add address=31.13.85.53 list=YouTube
add address=31.13.85.169 list=YouTube
add address=31.13.86.21 list=YouTube
add address=31.13.87.9 list=YouTube
add address=31.13.87.19 list=YouTube
add address=31.13.87.33 list=YouTube
add address=31.13.87.34 list=YouTube
add address=31.13.88.26 list=YouTube
add address=31.13.88.169 list=YouTube
add address=31.13.90.19 list=YouTube
add address=31.13.90.33 list=YouTube
add address=31.13.91.6 list=YouTube
add address=31.13.91.33 list=YouTube
add address=31.13.92.5 list=YouTube
add address=31.13.94.7 list=YouTube
add address=31.13.94.10 list=YouTube
add address=31.13.94.23 list=YouTube
add address=31.13.94.36 list=YouTube
add address=31.13.94.37 list=YouTube
add address=31.13.94.41 list=YouTube
add address=31.13.94.49 list=YouTube
add address=31.13.95.17 list=YouTube
add address=31.13.95.18 list=YouTube
add address=31.13.95.33 list=YouTube
add address=31.13.95.34 list=YouTube
add address=31.13.95.35 list=YouTube
add address=31.13.95.37 list=YouTube
add address=31.13.95.38 list=YouTube
add address=31.13.95.48 list=YouTube
add address=31.13.95.169 list=YouTube
add address=31.13.96.192 list=YouTube
add address=31.13.96.193 list=YouTube
add address=31.13.96.194 list=YouTube
add address=31.13.96.195 list=YouTube
add address=31.13.96.208 list=YouTube
add address=10.160.100.97 comment="admin local desktop" list=Authorized
add address=10.160.100.69 comment="admin Dell XPS 13 laptop" list=Authorized
add address=10.160.100.93 comment="admin Dell iPad" list=Authorized
add address=10.160.100.94 comment="admin iPhone" list=Authorized
add address=192.168.10.2 comment="remote admin iphone" list=Authorized
add address=192.168.10.4 comment="remote admin laptop" list=Authorized
add address=192.168.10.5 comment="remote admin iPad" list=Authorized
/ip firewall filter
add action=accept chain=input comment=\
    "accept established, related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="Accept LAN traffic" in-interface=\
    "Local Bridge"
add action=accept chain=input comment="Allow Wireguard" dst-port=13231 \
    protocol=udp
add action=accept chain=input comment="Allow Everything in Wireguard" \
    in-interface=wireguard1
add action=accept chain=input comment="admin access" in-interface-list=\
    TRUSTED src-address-list=Authorized
add action=accept chain=input comment="Allow DNS request for Container - UDP" \
    dst-port=53 in-interface=dockers protocol=udp
add action=accept chain=input comment="Allow DNS request for Container - TCP" \
    dst-port=53 in-interface=dockers protocol=tcp
add action=drop chain=input comment="block everything else"
add action=fasttrack-connection chain=forward comment=\
    "Fasttrack, but not ipsec" connection-mark=!ipsec connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment=\
    "Forward established, related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=accept chain=forward comment="Forward all outbound traffic" \
    in-interface="Local Bridge" out-interface="Port 8 - WAN" packet-mark=""
add action=accept chain=forward comment="Allow Wireguard to Subnets" \
    dst-address=10.160.100.0/24 in-interface=wireguard1
add action=accept chain=forward comment="WG to internet" in-interface=\
    wireguard1 out-interface="Port 8 - WAN"
add action=accept chain=forward comment="Accept dst-nat" \
    connection-nat-state=dstnat
add action=accept chain=forward comment="Forward Docker Traffic to WAN" \
    in-interface=dockers out-interface-list=WAN
add action=accept chain=forward comment="Docker forward rule" in-interface=\
    "Local Bridge" out-interface=dockers
add action=drop chain=forward comment="Drop all Else"
add action=drop chain=forward out-interface-list=LAN src-address-list=\
    back-to-home-lan-restricted-peers
/ip firewall mangle
add action=passthrough chain=prerouting comment=\
    "special dummy rule to show fasttrack counters" disabled=yes
add action=mark-connection chain=prerouting comment="Newsgroup Traffic ipsec" \
    connection-state=new dst-port=563 in-interface="Local Bridge" \
    new-connection-mark=ipsec protocol=tcp
add action=mark-connection chain=prerouting comment="YouTube Traffic ipsec" \
    connection-state=new disabled=yes dst-address-list=YouTube in-interface=\
    "Local Bridge" new-connection-mark=ipsec protocol=tcp
add action=mark-connection chain=prerouting comment="YouTube Traffic ipsec" \
    connection-state=new disabled=yes dst-address-list=YouTube in-interface=\
    "Local Bridge" new-connection-mark=ipsec protocol=udp
add action=mark-connection chain=prerouting comment="Mark Telegraph traffic" \
    connection-state=new dst-address-list=VPN in-interface="Local Bridge" \
    new-connection-mark=ipsec protocol=tcp
add action=mark-connection chain=prerouting comment=\
    "Mark Telegraph ICMP traffic" connection-state=new dst-address-list=VPN \
    in-interface="Local Bridge" new-connection-mark=ipsec protocol=icmp
add action=mark-connection chain=prerouting comment=\
    "BitTorrent Ipsec (doesn't filter p2p traffic)" connection-state=new \
    dst-port=16881 in-interface="Local Bridge" new-connection-mark=ipsec \
    protocol=tcp
add action=mark-connection chain=prerouting comment=\
    "BitTorrent DHT traffic UDP" connection-state=new dst-port=6881 \
    in-interface="Local Bridge" new-connection-mark=ipsec protocol=udp
add action=change-mss chain=forward ipsec-policy=in,ipsec new-mss=1300 \
    protocol=tcp tcp-flags=syn tcp-mss=1301-65535
add action=change-mss chain=postrouting ipsec-policy=out,ipsec new-mss=1300 \
    protocol=tcp tcp-flags=syn tcp-mss=1301-65535
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none log=yes log-prefix=\
    masq out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Plex TCP" dst-port=32400 \
    in-interface="Port 8 - WAN" log=yes log-prefix=PlexNAT protocol=tcp \
    to-addresses=10.160.100.75 to-ports=32400
add action=dst-nat chain=dstnat comment=PiHole dst-address=10.160.100.1 \
    dst-port=888 in-interface-list=LAN protocol=tcp to-addresses=172.17.0.2 \
    to-ports=80
add action=dst-nat chain=dstnat comment=\
    "Force any UDP DNS queries that aren't to pihole to go to pihole" \
    dst-address=!172.17.0.2 dst-port=53 in-interface-list=LAN protocol=udp \
    src-address=!172.17.0.2 to-addresses=172.17.0.2
add action=dst-nat chain=dstnat comment=\
    "Force any TCP DNS queries that aren't to pihole to go to pihole" \
    dst-address=!172.17.0.2 dst-port=53 in-interface-list=LAN protocol=tcp \
    src-address=!172.17.0.2 to-addresses=172.17.0.2
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
    port-strict mode-config=NordVPN peer=NordVPN policy-template-group=\
    NordVPN username=WNGqUUBXZkfY5c3q3SKMYDrY
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=\
    0.0.0.0/0 template=yes
/ip service
set ftp disabled=yes
set telnet disabled=yes
set www disabled=yes
set www-ssl certificate=Webfig disabled=no
set ssh port=2200
set winbox address=10.160.100.0/24
set api disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub disabled=no
add directory=/usb1-part1 name=Container
/ip ssh
set strong-crypto=yes
/ipv6 address
add address=::4aa9:8aff:fe57:4601 from-pool=IPv6_Pool interface=\
    "Local Bridge"
add comment="Docker container address range" from-pool=IPv6_dockers \
    interface=dockers
/ipv6 dhcp-client
add add-default-route=yes interface="Port 8 - WAN" pool-name=IPv6_Pool \
    prefix-hint=::/56 request=prefix
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=youtube.com disabled=yes list=VPN
add address=youtube.com list=YouTube
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="Allow DNS request for Container - UDP" \
    dst-port=53 in-interface=dockers protocol=udp
add action=accept chain=input comment="Allow DNS request for Container - TCP" \
    dst-port=53 in-interface=dockers protocol=tcp
add action=accept chain=input comment="defconf: accept UDP traceroute" \
    dst-port=33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !listBridge
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="Forward Docker Traffic to WAN" \
    in-interface=dockers out-interface-list=WAN
add action=accept chain=forward comment="Docker forward rule" in-interface=\
    "Local Bridge" out-interface=dockers
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !listBridge
/ipv6 firewall nat
add action=masquerade chain=srcnat comment="Masquerade DNS traffic TCP" \
    dst-address=fd6c:b6e2:f488::2/128 dst-port=53 protocol=tcp \
    src-address-list=""
add action=masquerade chain=srcnat comment="Masquerade DNS traffic UDP" \
    dst-address=fd6c:b6e2:f488::2/128 dst-port=53 protocol=udp
add action=dst-nat chain=dstnat comment="Force all UDP DNS queries to pihole" \
    dst-address=!fd6c:b6e2:f488::2/128 dst-port=53 in-interface-list=LAN log=\
    yes protocol=udp src-address=!fd6c:b6e2:f488::2/128 to-address=\
    fd6c:b6e2:f488::2/128
add action=dst-nat chain=dstnat comment="Force all TCP DNS queries to pihole" \
    dst-address=!fd6c:b6e2:f488::2/128 dst-port=53 in-interface-list=LAN \
    protocol=tcp src-address=!fd6c:b6e2:f488::2/128 to-address=\
    fd6c:b6e2:f488::2/128
add action=masquerade chain=srcnat comment="Masquerade for the Pihole" \
    out-interface-list=WAN src-address=fd6c:b6e2:f488::/64
add action=dst-nat chain=dstnat comment=Pihole dst-address=\
    fd94:4dc1:86fb::2/128 dst-port=888 in-interface="Local Bridge" \
    in-interface-list=all protocol=tcp to-address=fd6c:b6e2:f488::2/128 \
    to-ports=80
/ipv6 nd
add dns=fe80::4aa9:8aff:fe57:4601 interface="Local Bridge" \
    managed-address-configuration=yes
/system clock
set time-zone-name=Europe/London
/system identity
set name=Gateway
/system logging
add action=disk topics=interface
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes use-local-clock=yes
/system ntp client servers
add address=time.cloudflare.com
/tool bandwidth-server
set enabled=no
/tool graphing interface
add interface="Port 8 - WAN"
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
/tool romon
set enabled=yes
/tool traffic-monitor
add disabled=yes interface="Port 8 - WAN" name=tmon1

Hi,

I'd ask: why?
Why do you think that devices using the TP-Link WiFi depend on the Mikrotik? How is the Mikrotik involved in inter-WiFi communication if there is additional separation done by the Zyxel switch?

It certainly doesn't seem like the Mikrotik device should have anything to do with this if:

  • Both SSIDs are on every access point
  • Both SSIDs are configured exactly the same
  • There are no VLANs or such configured on the access points or the Zyxel switch

I would probably start with some basic troubleshooting. Connect the phone and the speaker to different SSIDs. Find the IPs for each of them. What are the IPs? Are they on the same subnet? Try pinging from your phone to the speaker (may need an app like Hurricane Electric net tools).

I don't have much experience with Sonos, but there are probably broadcasts that need to be exchanged for discovery etc. This should be fine as long as you're really in the same broadcast domain.

Edit- So why are there 2 SSIDs if you are not trying to separate anything? Just historical reasons? Have you tried anything on the access points or switch to separate them in the past? Is there some kind of “client isolation” possible on your access points?

A simple search over the Internet gives:

I'm sorry to hear that you're experiencing difficulties with setting up your Sonos speakers. The "Sonos is on a different network" error message typically occurs when the Sonos app and the speakers are connected to different subnets or have trouble communicating with each other.

Here are a few troubleshooting steps you can try:

  1. Ensure all devices are on the same network: Double-check that your phone, speakers, and any other Sonos devices are connected to the same Wi-Fi network. Sometimes, certain router settings or network configurations can cause devices to be on different subnets, leading to communication issues.

  2. Restart your network equipment: Power cycle your router, modem, and any other network devices. Unplug them from the power source, wait for about 30 seconds, and then plug them back in. This can help refresh the network connection and resolve any temporary network issues.

  3. Disable guest networks and network isolation features: Some routers have guest network or network isolation features that can prevent Sonos devices from communicating properly. Make sure these features are disabled or configure your router to allow communication between devices on the network.

  4. Check router settings: Verify that your router's settings, such as wireless isolation or access control, are not blocking the Sonos devices from connecting to each other. Refer to your router's documentation or contact your network provider for assistance in configuring these settings.

  5. Create a dedicated 2.4GHz Wi-Fi network: Sonos speakers use the 2.4GHz frequency band for communication. If possible, create a separate Wi-Fi network on the 2.4GHz band and connect all your Sonos devices to that network. This can help avoid potential interference or compatibility issues with other devices on the network.

If you've already tried these steps without success, I recommend reaching out to Sonos support again. They will have more in-depth knowledge of the specific issue and can provide further assistance in troubleshooting the problem.

Have you tried this? I do not know why people tend not to search in the obvious places. The Sonos forum is the best place to ask about a Sonos product problem.

Thank you for your response. There are 2 SSIDs because some devices don’t play nice with MLO and some do. They are all given IPs from the Mikrotik DHCP server and are on the same subnet.
Pinging the Sonos IPs across the SSIDs has massive packet loss - 100% or, oddly, close to 100%. Sometimes, packets make it through.

I can ping other IPs. There is something different about Airplay and/or Sonos.

I agree with the other posters - it seems odd that MT might be getting in the way. The reason I asked here and posted my config was to see if anyone had come across anything similar, or could spot something I did in the config that might cause problems.

As far as I can see there is no reason for the Mikrotik device to even be in the data path unless there is a misconfiguration in the switch or access points.

Can you successfully ping the Sonos from any devices other than your phone?

It would be an interesting test to create a 3rd SSID exactly like the SSID the Sonos connects to (I assume without MLO), connect your phone to it and ping again. MLO is fairly new and I wonder if it's having an effect here.

That is what I would have thought as well - why would MT be involved? TP-Link checked the config and couldn’t find a problem. Connecting to the MT device without the Zyxel switch made no difference.

If the phone is on the same SSID the ping works, as does everything else.

MLO on or off makes no difference - the SSIDs are only there to select some devices to connect using it.

Is there anything that is set by the router - I don’t know, ARP? - that might be getting in the way? As I understand it, these devices connect by discovery process, such as mDNS. Could it be something like that?

I can confirm pihole being off doesn’t fix the problem, but it seems to enable pings to some of the Sonos devices (but not Airplay).

If someone can see an issue with my config that might give me some places to start.

Just one more thought. There have been a couple of recent issues here on the forum with wifi access points set to do some sort of "proxy ARP" to conserve broadcast bandwidth. It might be worth verifying you don't have anything like that set.

There’s actually an issue with multicast not being handled correctly by the driver stack. It usually shows up as IPv6 ND not working correctly. This was fixed a long time ago, but believe it or not, it still randomly shows up in Qualcomm SDKs as a regression.

I would try to do a packet capture, and verify that the mdns packets actually arrive at the controlling device.

Often APs have multicast helper/enhance features. Twiddling this might help.
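To make the packet-capture check above concrete, here is an added example (not code from this thread, MikroTik, TP-Link or Sonos): a small Python mDNS probe that sends a one-shot query for AirPlay/Sonos service types and decodes the replies, so it can be run from a client on each SSID and the set of responders compared. The service names and the embedded sample reply are assumptions/constructed data, not a real capture.

```python
"""mDNS (RFC 6762) discovery probe: query for AirPlay/Sonos service types and decode
the answers.  Added example for this thread; service names and sample data are assumed."""
import socket
import struct

MDNS_GROUP = "224.0.0.251"
MDNS_PORT = 5353
TYPE_A, TYPE_PTR, TYPE_SRV = 1, 12, 33
QU_CLASS_IN = 0x8001  # class IN with the "unicast response" bit set (RFC 6762 5.4)

# Service types AirPlay receivers and Sonos players are assumed to advertise;
# confirm against a real capture of your own devices.
SERVICES = ["_airplay._tcp.local", "_raop._tcp.local", "_sonos._tcp.local"]


def encode_name(name: str) -> bytes:
    """Encode a dotted name as uncompressed DNS labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def build_mdns_query(services) -> bytes:
    """One-shot query: id 0, flags 0, one PTR question per service type.
    The QU bit asks responders to reply unicast to our ephemeral port, so we do not
    have to bind 5353 alongside the host's own mDNS daemon."""
    header = struct.pack("!6H", 0, 0, len(services), 0, 0, 0)
    return header + b"".join(encode_name(s) + struct.pack("!HH", TYPE_PTR, QU_CLASS_IN)
                             for s in services)


def decode_name(data: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset just past the name)."""
    labels, jumped, end = [], False, off
    for _ in range(128):  # bounded so a malformed pointer loop cannot hang the parser
        length = data[off]
        if length == 0:
            off += 1
            break
        if length & 0xC0 == 0xC0:  # compression pointer, RFC 1035 4.1.4
            pointer = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = pointer, True
            continue
        off += 1
        labels.append(data[off:off + length].decode("ascii", "replace"))
        off += length
    else:
        raise ValueError("name too long or compression pointer loop")
    return ".".join(labels), (end if jumped else off)


def parse_mdns_response(data: bytes):
    """Return [(owner name, rrtype, ttl, rdata)] for every record in a response;
    an empty list for anything that is not a response (QR bit clear)."""
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", data[:12])
    if not flags & 0x8000:
        return []
    off = 12
    for _ in range(qd):  # skip the question section
        _, off = decode_name(data, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        name, off = decode_name(data, off)
        rrtype, _cls, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        raw = data[off:off + rdlen]
        if rrtype == TYPE_PTR:
            rdata, _ = decode_name(data, off)
        elif rrtype == TYPE_A and rdlen == 4:
            rdata = socket.inet_ntoa(raw)
        elif rrtype == TYPE_SRV:
            _prio, _weight, port = struct.unpack("!HHH", raw[:6])
            rdata = (port, decode_name(data, off + 6)[0])
        else:
            rdata = raw
        records.append((name, rrtype, ttl, rdata))
        off += rdlen
    return records


def probe(services=SERVICES, timeout=3.0):
    """Send the query to the mDNS group and collect PTR answers keyed by source IP.
    Run once from each SSID: a player that answers on one SSID and not the other
    points at the multicast path between them rather than at routing."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)  # link-local only
    sock.settimeout(timeout)
    answers = {}
    try:
        sock.sendto(build_mdns_query(services), (MDNS_GROUP, MDNS_PORT))
        while True:
            data, (src, _port) = sock.recvfrom(9000)
            for _name, rrtype, _ttl, rdata in parse_mdns_response(data):
                if rrtype == TYPE_PTR:
                    answers.setdefault(src, set()).add(rdata)
    except socket.timeout:
        pass
    finally:
        sock.close()
    return answers


# Constructed sample reply (not a capture): one PTR answer whose owner and rdata both
# use a compression pointer (0xC00C) back to the question name at offset 12.
_RDATA = struct.pack("B", 11) + b"Living Room" + b"\xc0\x0c"
SAMPLE_RESPONSE = (struct.pack("!6H", 0, 0x8400, 1, 1, 0, 0)
                   + encode_name("_airplay._tcp.local") + struct.pack("!HH", TYPE_PTR, 1)
                   + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_PTR, 0x8001, 4500, len(_RDATA))
                   + _RDATA)

if __name__ == "__main__":
    for name, rrtype, ttl, rdata in parse_mdns_response(SAMPLE_RESPONSE):
        print(f"sample: {name} type={rrtype} ttl={ttl} -> {rdata}")
    for src, instances in sorted(probe().items()):
        print(src, sorted(instances))
```

If nothing answers even on the SSID where playback works, the responders are ignoring the unicast-response request and a capture of UDP/5353 on the bridge or AP is the next step.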

What answer do you expect from TP-Link help? Do you fully and unconditionally believe them? Did you contact Zyxel help?
Remove MT from the net and then check what happens.
I suggest two things:

  • create only the one SSID for Sonos.
  • contact Sonos for help

It’s hard to know where to look or who to listen to. TP-Link, to be fair to them, have been very responsive. It may be that they are to blame and they’ve not tested for this scenario before, but I have done nothing to the config myself, so it’s a pretty vanilla out of the box solution.

I have taken the Zyxel out of the equation and that did nothing. A bit more effort required to take MT out of the equation as it runs everything in the network, but I guess I could maybe jury rig something up, given a little time.

I was hoping that someone might take a quick look at the config to highlight any areas worth exploring. I can also try Sonos, but if the config shines any lights that is another avenue to try. Do you have any suggestions about where to look in the MT box? Is it possible to trace traffic between two devices to try to generate some useful data?

I have the feeling that if you turned every device in the network off except for one TP-Link you might have the same issue. All the Mikrotik device does for this situation is provide DHCP; you should be able to ping from an iPhone to the Sonos on the local network of a single WAP for as long as they keep their IP addresses. Ping to the IP address of the Sonos and see what happens.

I’ve pinged between the devices - that doesn’t work reliably.

Are you suggesting disconnecting the MT device, or rebooting it or something, and then trying the pings?

So you pinged between the iPhone and a Sonos device using the ip address and it was lossy?

I suggested turning off every network device except for one TP-Link, make sure your iPhone and the Sonos are connected to it and ping. As long as they have a valid IP address from before the DHCP server was turned off you should have a valid test.

OK, so test whether it’s an AP to AP issue? You also want to disconnect the MT router (at the same time?). I’ll try that when I’m home.

Yes, it was lossy.

Standard way of testing is to eliminate potential points of failure one by one.
Have you made one SONOS SSID just for Sonos devices as Sonos suggested?

Not yet. Why do you suggest that? I have an SSID that all the devices are on except for one iPhone and a laptop. Apart from the Airplay/Sonos devices there’s no issue. What would isolating the Sonos devices test for? Just so I know what I’m testing/eliminating.

Yeah, I was being overly dramatic with my suggestion to eliminate everything except 1 WAP. The point of that was to point out that if you have 2 devices on the same layer 2 and layer 3 networks and they can't ping without using DNS, there’s probably a layer 1/2 problem between them.

Basically all that has to work is ARP and switching a few ICMP packets.

By far the most probable locations for that problem are either the WAP or the Sonos (or interactions between them).

Reading the Sonos forums makes me very happy I use an open source solution for music distribution….

I just got a response from Sonos about the SSID question. This is the reply:

AirPlay and the Sonos app both require your iPhone and Sonos speakers to be on the same WiFi network (SSID) to work together. Even if your SSIDs share the same subnet and devices can generally see each other, AirPlay will not function if your iPhone and Sonos speakers are on different SSIDs.

We recommend connecting both your iPhone and your Sonos speakers to the same WiFi network for AirPlay to work reliably. If you have multiple SSIDs for different purposes, you’ll need to use the same one for both your iPhone and your Sonos devices to stream audio via AirPlay.

Would you like tips on adjusting your network setup, or do you need guidance on how to switch your Sonos system or iPhone to a different SSID?

I find this odd. Why make a protocol linked to the SSID? It makes no sense to me. How can that even be a limitation?

Just a wild guess here, but Sonos seems to use both multicast and broadcast in discovery and streaming. Perhaps they have found that at least some WAPs don't re-broadcast some packets they need between the different SSIDs?