Roku Control across VLANs

tfmm · August 21, 2025, 3:03pm

I’m attempting to segregate my network, and the next stage is moving smart TVs to the IoT VLAN. These are all Roku Devices, 2 TVs, and one Roku external device. The issue comes into play when trying to use the Android App (on my primary vlan of 101) to control the Devices on the IoT VLAN (102). It does not seem to be able to reconnect. I have attempted firewall rules allowing port 1900 which I see in a lot of Roku documentation as the answer to this issue, however I either misconfigured them, or they were not the answer. Has anyone accomplished this with Roku devices?

jmszuch · August 21, 2025, 9:40pm

Haven’t had a need to do this myself, but it makes me think of a similar issue I was talking about with another user over here:

It sounds like the Roku app uses the same kind of UDP broadcast that smart device in the linked post was using and I figured it might require the same UDP relay software I mention there. At least that’s how it sounds to me!

jeffk931 · August 21, 2025, 9:56pm

TCP port 8060 is used for roku app to tv control. Additionally, in order for the Roku device to be discovered by the app it needs to be in the same /24 subnet as the client device running the Roku app.

In order to make this work on my network, I have my trusted clients on 10.1.0.0/25 and my Rokus on 10.1.0.128/25 (which is the same /24). It’s a little ridiculous, but it works.

jmszuch · August 21, 2025, 10:07pm

Oh, interesting! I’ll have to try that out with my own Roku sometime. Although I feel like that would at least partially defeat the point of seperating the subnets? I could be misinterperting how you have that laid out though

jeffk931 · August 22, 2025, 1:13pm

The client devices (phones) are still in a different subnet & VLAN than the Rokus themselves (different /25s) so you can still do firewall rules between them.

But… they are in the “same /24 block” mathematically

jeffk931 · August 22, 2025, 1:36pm

Adding some additional info:
Based on packet captures it looks like the Roku app on phone (at least on iOS) discovers my Rokus using the following method:

Roku app sends SSDP packet to mcast group 239.255.255.250 on UDP dest port 1900. No responses are received since multicast routing is not enabled in my network
Roku app sends ARP request for EVERY IP in the subnet assigned to my phone (10.1.0.0/25). Again none of these devices are my Rokus, since they are in a different subnet (10.1.0.128/25)
Roku app proceeds to send unicast TCP SYN to dest port 8060 to every single IP within the /24 block of the IP the phone has (10.1.0.5/25 which is in the /24 block of 10.1.0.0/24)
Any Rokus alive within that /24 block respond with a SYN ACK to the Roku app on client phone. For example I have a Roku with IP 10.1.0.129/25