How to enable UPnP port 1900 broadcasts for local use?

Question

I have a LAN subnet and a separate Wifi subnet. I've created two rules to allow each subnet to talk to the WAN connection and all of that appears to be working well. I have an additional rule to allow the LAN to communicate with Wifi; but Wifi cannot communicate with the LAN unless I poke holes through the firewall for specific applications which I have done. I created a last catch-all drop rule to log anything that isn't matched by earlier rules so I can see them in the logs. Everything is good. 
 However, I've been trying to get a Sonos speaker working in my house. When I use my phone which is on the Wifi subnet, the speaker works great. I'm trying to get the software from my wired PC to work with the speaker and I've been unable to succeed. The problem is clear in the logs, I see many packets that are from my PC with src port 1901 and dst port 1900 to dst IP 255.255.255.255. I think these are UPnP broadcast packets looking for the speaker but these packets from my PC are being dropped by the last catch-all rule. 
 I did some googling and found a couple of threads on another Sophos forum (UTM): 
 
 how-to-allow-traffic-to-general-broadcast 
 rule-to-block-ssdp-1900-udp 
 
 One of these mention that the broadcast address isn't recognized by the "Any" tag and that it was necessary to create it. I also followed both threads instructions to create a UPNP service. However, when I define the rule in the list and put it in the middle of my rule set those log entries still get dropped by the catch-all rule! I've been unable to allow them no matter how relaxed I make the rule. 
 Here are my current settings that aren't working to allow the packets: 
 [IP Host] 
 
 Name: Local Broadcast 
 IP Version: IPv4 
 Type: IP 
 IP Address: 255.255.255.255 
 IP Host Group: <nothing selected> 
 
 [Services] 
 
 Name: UPNP 
 Type: TCP/UDP 
 Entry:
 
 Protocol: UDP 
 Source Port: 1:65535 
 Destination Port: 1900

[Firewall Rule] 
 
 Source: LAN, Any Host, MyPC 
 Destination: Any Zone, Local Broadcast 
 What: UPNP 
 Action: Accept

What do I need to do to allow UPnP on my LAN and Wifi subnets?

Sam Thompson · Accepted Answer

I'm afraid RFC states that these IP addresses should not be routed. 
 *EDIT* If Sonos uses a multicast address you may be able to forward that. You will need to find out if and what the multicast address is from Sonos. 
 https://community.sophos.com/kb/en-us/123135 
 The only other way I can think of doing this would be to bridge the WiFi and LAN together. This will put them both on the same subnet. Guide below. 
 https://community.sophos.com/kb/en-us/122789#Firmware%20version%2016.05%20MR7%20onward

Greg Grotsky · Answer

SamThompson said: 
 *EDIT* If Sonos uses a multicast address you may be able to forward that. You will need to find out if and what the multicast address is from Sonos. 
 https://community.sophos.com/kb/en-us/123135

Sam, I was able to get this to work finally today. I found the following threads on multicast forwarding: 
 
 Enabling-Sonos-UPnP-IGMP-traffic-across-restricted-guest-network 
 sonos-across-multiple-ip-subnets 
 
 I spent an hour or two this morning trying to figure it out. For the record here's what I did, maybe others can get their systems working too: 
 
 Turn on Routing->Static Routing->Enable Multicast Forwarding 
 Under Manage Multicast Route, add a route with these details:
 
 Source IP: the PC I want to be able to control the speaker from. 
 Multicast IP: 239.255.255.250 (this is the address that the speaker watches for commands from, I think) 
 Source Interface: my LAN port 
 Destination Interface: my WiFI port

Then I had to tweak the services list that I allow from the set of speakers to include the ports I found on this support link .

Thanks for the help. 
 -Greg