
    Can I pass BACnet traffic between VLAN's with pfSense?

    • stephenw10S
      stephenw10 Netgate Administrator

      Looks like IGMP proxy may work there, that's what it's trying to use.

      If it's doing that though it looks like a protocol that was never meant to be used across subnets.

      Steve

      • R
        ramses.sevilla

        @stephenw10, thanks so much for your answer.

        Are you sure that I can pass multicast traffic (224.0.0.0/24) between VLAN10 and VLAN20?

        I have tried to configure IGMP Proxy but I have not succeeded. I am sure that I have not done it well.

        Can anybody help me to configure this functionality to pass this multicast traffic (224.0.0.0/24)?

        Best regards,

        Ramsés

        • stephenw10S
          stephenw10 Netgate Administrator

          That's what the igmp proxy does and it should work here specifically as this is igmp traffic.

          How have you configured it? Do you see anything blocked in the firewall log?

          Steve

          • johnpozJ
            johnpoz LAYER 8 Global Moderator

            You could also try the pimd package that jimp created for routing multicast..


            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            • R
              ramses.sevilla

              @stephenw10 / @johnpoz, I have configured IGMP Proxy like this:

              Interface: VLAN20
              Description: Interface with PC IoT Manager
              Type: Upstream Interface
              Threshold:
              Networks: 10.20.20.0/24 (Network of PC IoT Manager) 
              ---------------------
              Interface: VLAN10
              Description: Interface with IoT Devices
              Type: Downstream Interface
              Threshold:
              Networks: 224.0.0.0/24 (Multicast IoT Devices)
              

              Later, I analyzed the traffic with TCPDump on both VLAN interfaces and I don't see IGMP traffic coming from the other VLAN interface.

              I am not seeing blocked traffic in pfSense either.

              What am I doing wrong?

              Regards,

              Ramsés

              • stephenw10S
                stephenw10 Netgate Administrator

                Check the system logs for errors when you start igmp proxy. Make sure it's actually running in Status > Services.

                You could try using PIMD instead although I'm not sure exactly how you might configure it for this.

                Otherwise try starting igmp proxy manually in debug mode at the command line.
                Stop the service in the webgui, then run:
                igmpproxy -d -vv /var/etc/igmpproxy.conf

                You will see which interfaces it's running on, any errors and devices using it.

                Steve

                • R
                  ramses.sevilla

                  @stephenw10, I have configured IGMP Proxy this way:

                  IGMP Proxy:

                  Interface: VLAN20
                  Description: Interface with PC IoT Manager
                  Type: Upstream Interface
                  Threshold:
                  Networks: 10.20.20.0/24 (Network of PC IoT Manager) 
                  ---------------------
                  Interface: VLAN10
                  Description: Interface with IoT Devices
                  Type: Downstream Interface
                  Threshold:
                  Networks: 224.0.0.0/8 (Multicast IoT Devices)
                  Networks: 10.10.10.0/24 (Network of IoT Devices)
                  

                  Firewall Rules:

                  * First rule on VLAN20 Interface. *
                  Action: Pass
                  Interface: VLAN20
                  Address Family: IPv4
                  Protocol: IGMP
                  Source: Any
                  Destination: Any
                  Allow IP options: Checked
                  ---------------------
                  * First rule on VLAN10 Interface. *
                  Action: Pass
                  Interface: VLAN10
                  Address Family: IPv4
                  Protocol: IGMP
                  Source: Any
                  Destination: Any
                  Allow IP options: Checked
                  

                  I have looked at "Service > IGMP Proxy" and it appears Stopped.

                  I have tried to start it and pfSense shows "igmpproxy has been started." but the IGMP Proxy service still appears as "IGMP Proxy -- Stopped".

                  In "Status > System Logs > System > General" this appears:

                  Feb 25 10:22:56 	igmpproxy 	99201 	There must be at least 2 Vif's where one is upstream.
                  Feb 25 10:22:56 	igmpproxy 	99201 	adding VIF, Ix 4 Fl 0x0 IP 0x427d8c59 em3, Threshold: 1, Ratelimit: 0
                  Feb 25 10:22:56 	igmpproxy 	99201 	adding VIF, Ix 3 Fl 0x0 IP 0x8ebb0759 bge0, Threshold: 1, Ratelimit: 0
                  Feb 25 10:22:56 	igmpproxy 	99201 	adding VIF, Ix 2 Fl 0x0 IP 0x9604a8c0 em2, Threshold: 1, Ratelimit: 0
                  Feb 25 10:22:56 	igmpproxy 	99201 	adding VIF, Ix 1 Fl 0x0 IP 0x0101230a em1, Threshold: 1, Ratelimit: 0
                  Feb 25 10:22:56 	igmpproxy 	99201 	adding VIF, Ix 0 Fl 0x0 IP 0x9605a8c0 em0, Threshold: 1, Ratelimit: 0
                  Feb 25 10:22:56 	php-fpm 	50687 	/status_services.php: Started IGMP proxy service.
                  

                  I have tried to start the IGMP Proxy in debug mode with "igmpproxy -d -vv /var/etc/igmpproxy.conf" but the "/var/etc/igmpproxy.conf" file does not exist.

                  Where is the problem?

                  • I can't install the PIMD module because I need to upgrade the pfSense version to the latest.

                  Regards,

                  Ramsés

                  • R
                    ramses.sevilla

                    @stephenw10, well, in my Production Environment, I have found the "igmpproxy.conf" in "/tmp/igmpproxy.conf".

                    In my Production Environment, I have configured IGMP Proxy this way:

                    IGMP Proxy:

                    Interface: em1_vlan100 (Virtual Interface)
                    Description: Interface with PC IoT Manager
                    Type: Upstream Interface
                    Threshold:
                    Networks: 10.40.100.0/22 (Network of PC IoT Manager) 
                    ---------------------
                    Interface: em1 (Physical Interface)
                    Description: Interface with IoT Devices
                    Type: Downstream Interface
                    Threshold:
                    Networks: 10.35.0.0/16 (Network of IoT Devices)
                    Networks: 224.0.0.0/8 (Multicast IoT Devices)
                    

                    Firewall Rules:

                    * First rule on em1_vlan100 Interface (Virtual Interface). *
                    Action: Pass
                    Interface: em1_vlan100
                    Address Family: IPv4
                    Protocol: IGMP
                    Source: Any
                    Destination: Any
                    Allow IP options: Checked
                    ---------------------
                    * First rule on em1 Interface (Physical Interface). *
                    Action: Pass
                    Interface: em1
                    Address Family: IPv4
                    Protocol: IGMP
                    Source: Any
                    Destination: Any
                    Allow IP options: Checked
                    

                    I have looked at "Service > IGMP Proxy" and it appears Stopped.

                    I have tried to start it and pfSense shows "igmpproxy has been started." but the IGMP Proxy service still appears as "IGMP Proxy -- Stopped".

                    In "Status > System Logs > System > General" the same appears:

                    Feb 25 10:22:56 	igmpproxy 	99201 	There must be at least 2 Vif's where one is upstream.
                    Feb 25 10:22:56 	igmpproxy 	99201 	adding VIF, Ix 4 Fl 0x0 IP 0x427d8c59 em3, Threshold: 1, Ratelimit: 0
                    Feb 25 10:22:56 	igmpproxy 	99201 	adding VIF, Ix 3 Fl 0x0 IP 0x8ebb0759 bge0, Threshold: 1, Ratelimit: 0
                    Feb 25 10:22:56 	igmpproxy 	99201 	adding VIF, Ix 2 Fl 0x0 IP 0x9604a8c0 em2, Threshold: 1, Ratelimit: 0
                    Feb 25 10:22:56 	igmpproxy 	99201 	adding VIF, Ix 1 Fl 0x0 IP 0x0101230a em1, Threshold: 1, Ratelimit: 0
                    Feb 25 10:22:56 	igmpproxy 	99201 	adding VIF, Ix 0 Fl 0x0 IP 0x9605a8c0 em0, Threshold: 1, Ratelimit: 0
                    Feb 25 10:22:56 	php-fpm 	50687 	/status_services.php: Started IGMP proxy service.
                    

                    I have tried to start the IGMP Proxy in debug mode with "igmpproxy -d -vv /tmp/igmpproxy.conf" and it shows this:

                    /root: igmpproxy -d -vv /tmp/igmpproxy.conf 
                    Searching for config file at '/tmp/igmpproxy.conf'
                    Config: Quick leave mode enabled.
                    Config: Got a phyint token.
                    Config: IF: Config for interface em1_vlan100.
                    Config: IF: Got upstream token.
                    Config: IF: Got ratelimit token '0'.
                    Config: IF: Got threshold token '1'.
                    Config: IF: Got altnet token 10.40.100.0/22.
                    Config: IF: Altnet: Parsed altnet to 10.40.100/22.
                    IF name : em1_vlan100
                    Next ptr : 0
                    Ratelimit : 0
                    Threshold : 1
                    State : 1
                    Allowednet ptr : 1013050
                    Config: Got a phyint token.
                    Config: IF: Config for interface em1.
                    Config: IF: Got downstream token.
                    Config: IF: Got ratelimit token '0'.
                    Config: IF: Got threshold token '1'.
                    Config: IF: Got altnet token 224.0.0.0/8.
                    Config: IF: Altnet: Parsed altnet to 224/8.
                    Config: IF: Got altnet token 10.35.0.0/16.
                    Config: IF: Altnet: Parsed altnet to 10.35/16.
                    IF name : em1
                    Next ptr : 0
                    Ratelimit : 0
                    Threshold : 1
                    State : 2
                    Allowednet ptr : 1013060
                    Config: Got a phyint token.
                    Config: IF: Config for interface bge0.
                    Config: IF: Got disabled token.
                    IF name : bge0
                    Next ptr : 0
                    Ratelimit : 0
                    Threshold : 1
                    State : 0
                    Allowednet ptr : 0
                    Config: Got a phyint token.
                    Config: IF: Config for interface em2.
                    Config: IF: Got disabled token.
                    IF name : em2
                    Next ptr : 0
                    Ratelimit : 0
                    Threshold : 1
                    State : 0
                    Allowednet ptr : 0
                    Config: Got a phyint token.
                    Config: IF: Config for interface em3.
                    Config: IF: Got disabled token.
                    IF name : em3
                    Next ptr : 0
                    Ratelimit : 0
                    Threshold : 1
                    State : 0
                    Allowednet ptr : 0
                    Config: Got a phyint token.
                    Config: IF: Config for interface em0.
                    Config: IF: Got disabled token.
                    IF name : em0
                    Next ptr : 0
                    Ratelimit : 0
                    Threshold : 1
                    State : 0
                    Allowednet ptr : 0
                    Config: Got a phyint token.
                    Config: IF: Config for interface em1_vlan10.
                    Config: IF: Got disabled token.
                    IF name : em1_vlan10
                    Next ptr : 0
                    Ratelimit : 0
                    Threshold : 1
                    State : 0
                    Allowednet ptr : 0
                    Config: Got a phyint token.
                    Config: IF: Config for interface em1_vlan20.
                    Config: IF: Got disabled token.
                    IF name : em1_vlan20
                    Next ptr : 0
                    Ratelimit : 0
                    Threshold : 1
                    State : 0
                    Allowednet ptr : 0
                    Config: Got a phyint token.
                    Config: IF: Config for interface em1_vlan30.
                    Config: IF: Got disabled token.
                    IF name : em1_vlan30
                    Next ptr : 0
                    Ratelimit : 0
                    Threshold : 1
                    State : 0
                    Allowednet ptr : 0
                    Config: Got a phyint token.
                    Config: IF: Config for interface em1_vlan50.
                    Config: IF: Got disabled token.
                    IF name : em1_vlan50
                    Next ptr : 0
                    Ratelimit : 0
                    Threshold : 1
                    State : 0
                    Allowednet ptr : 0
                    Config: Got a phyint token.
                    Config: IF: Config for interface em1_vlan101.
                    Config: IF: Got disabled token.
                    IF name : em1_vlan101
                    Next ptr : 0
                    Ratelimit : 0
                    Threshold : 1
                    State : 0
                    Allowednet ptr : 0
                    Config: Got a phyint token.
                    Config: IF: Config for interface em1_vlan200.
                    Config: IF: Got disabled token.
                    IF name : em1_vlan200
                    Next ptr : 0
                    Ratelimit : 0
                    Threshold : 1
                    State : 0
                    Allowednet ptr : 0
                    Config: Got a phyint token.
                    Config: IF: Config for interface em1_vlan210.
                    Config: IF: Got disabled token.
                    IF name : em1_vlan210
                    Next ptr : 0
                    Ratelimit : 0
                    Threshold : 1
                    State : 0
                    Allowednet ptr : 0
                    buildIfVc: Interface em0 Addr: 192.168.5.150, Flags: 0xffff8843, Network: 192.168.5/24
                    buildIfVc: Interface em1 Addr: 10.35.1.1, Flags: 0xffff8843, Network: 10.35/16
                    buildIfVc: Interface em2 Addr: 192.168.4.150, Flags: 0xffff8843, Network: 192.168.4/24
                    buildIfVc: Interface bge0 Addr: 88.88.88.142, Flags: 0xffff8843, Network: 88.88.88.136/29
                    buildIfVc: Interface em3 Addr: 99.99.99.66, Flags: 0xffff8843, Network: 99.99.99.64/27
                    buildIfVc: Interface lo0 Addr: 127.0.0.1, Flags: 0xffff8049, Network: 127/8
                    Found config for em0
                    Found config for em1
                    Found config for em2
                    Found config for bge0
                    Found config for em3
                    adding VIF, Ix 0 Fl 0x0 IP 0x9605a8c0 em0, Threshold: 1, Ratelimit: 0
                            Network for [em0] : 192.168.5/24
                    adding VIF, Ix 1 Fl 0x0 IP 0x0101230a em1, Threshold: 1, Ratelimit: 0
                            Network for [em1] : 10.35/16
                            Network for [em1] : 224/8
                            Network for [em1] : 10.35/16
                    adding VIF, Ix 2 Fl 0x0 IP 0x9604a8c0 em2, Threshold: 1, Ratelimit: 0
                            Network for [em2] : 192.168.4/24
                    adding VIF, Ix 3 Fl 0x0 IP 0x8ebb0759 bge0, Threshold: 1, Ratelimit: 0
                            Network for [bge0] : 88.88.88.136/29
                    adding VIF, Ix 4 Fl 0x0 IP 0x427d8c59 em3, Threshold: 1, Ratelimit: 0
                            Network for [em3] : 99.99.99.64/27
                    There must be at least 2 Vif's where one is upstream.
                    

                    Can you help me with the problem?

                    Regards,

                    Ramsés

                    • stephenw10S
                      stephenw10 Netgate Administrator

                      What version of pfSense are you running?

                      It's not adding the vlan interface there which was a known bug from a few versions back.
                      https://redmine.pfsense.org/issues/6099

                      Your interface naming em1_vlan100 shows it must be a very old version.....

                      Steve
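
The diagnosis above (an interface configured as upstream in igmpproxy.conf that never shows up in an `adding VIF` line) can be checked mechanically. The script below is an added example, not part of the thread or of pfSense; the function names and the trimmed sample files are constructed for illustration, modelled on the output posted above.

```shell
#!/bin/sh
# Added example: list interfaces that igmpproxy.conf marks upstream/downstream
# but that igmpproxy never registered as a VIF in its debug output.

# Print "role ifname" for every phyint declared upstream or downstream.
configured_roles() {
    awk '$1 == "phyint" && ($3 == "upstream" || $3 == "downstream") { print $3, $2 }' "$1"
}

# Print the interface name from every "adding VIF, ... IP 0x... <if>," line.
# Works on raw debug output and on syslog lines with a timestamp prefix.
added_vifs() {
    awk '/adding VIF,/ {
        for (i = 1; i <= NF; i++)
            if ($i == "IP") { n = $(i + 2); sub(/,$/, "", n); print n }
    }' "$1"
}

# Print "role ifname" for each configured interface that has no VIF.
missing_vifs() {
    conf=$1
    log=$2
    vifs=$(added_vifs "$log")
    configured_roles "$conf" | while read -r role ifname; do
        if ! printf '%s\n' "$vifs" | grep -qxF -- "$ifname"; then
            printf '%s %s\n' "$role" "$ifname"
        fi
    done
}

# Constructed sample input: a shortened config and debug log in the same
# format as the ones posted in the thread.
write_sample() {
    dir=$1
    cat > "$dir/igmpproxy.conf" <<'EOF'
quickleave
phyint em1_vlan100 upstream ratelimit 0 threshold 1
altnet 10.40.100.0/22

phyint em1 downstream ratelimit 0 threshold 1
altnet 224.0.0.0/8
altnet 10.35.0.0/16

phyint bge0 disabled
phyint em0 disabled
EOF
    cat > "$dir/debug.log" <<'EOF'
adding VIF, Ix 0 Fl 0x0 IP 0x9605a8c0 em0, Threshold: 1, Ratelimit: 0
adding VIF, Ix 1 Fl 0x0 IP 0x0101230a em1, Threshold: 1, Ratelimit: 0
adding VIF, Ix 3 Fl 0x0 IP 0x8ebb0759 bge0, Threshold: 1, Ratelimit: 0
There must be at least 2 Vif's where one is upstream.
EOF
}

tmp=$(mktemp -d)
write_sample "$tmp"
missing_vifs "$tmp/igmpproxy.conf" "$tmp/debug.log"
rm -rf "$tmp"
```

On the firewall, point `missing_vifs` at the generated config and a saved copy of the `igmpproxy -d -vv` output; an empty result means every configured interface was registered.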

                      • R
                        ramses.sevilla @stephenw10

                        @stephenw10, thanks so much for your attention and help.

                        Based on the info in this post, I have done some tests.

                        I have pfSense 2.3 (very old, I know, but we are in the migration process) with these network interfaces:

                        Interface bge0 
                        Interface em1
                        Interface em2
                        Interface em3 
                        Interface em0 
                        Interface em1_vlan10 
                        Interface em1_vlan20 
                        Interface em1_vlan30 
                        Interface em1_vlan50 
                        Interface em1_vlan101 
                        Interface em1_vlan200 
                        Interface em1_vlan210
                        

                        If I select any physical network interface (bge0 to em3) as "Upstream Interface", the IGMP Proxy service starts without problems.

                        With em3 Interface as Upstream Interface:

                        # cat /tmp/igmpproxy.conf
                        
                        ##------------------------------------------------------
                        ## Enable Quickleave mode (Sends Leave instantly)
                        ##------------------------------------------------------
                        quickleave
                        phyint em3 upstream ratelimit 0 threshold 1
                        altnet 224.0.0.0/8
                        altnet 10.35.0.0/16
                        
                        phyint em1_vlan100 downstream ratelimit 0 threshold 1
                        altnet 224.0.0.0/8
                        altnet 10.100.0.0/22
                        
                        phyint bge0 disabled
                        phyint em1 disabled
                        phyint em2 disabled
                        phyint em0 disabled
                        phyint em1_vlan10 disabled
                        phyint em1_vlan20 disabled
                        phyint em1_vlan30 disabled
                        phyint em1_vlan50 disabled
                        phyint em1_vlan101 disabled
                        phyint em1_vlan200 disabled
                        phyint em1_vlan210 disabled
                        

                        If I select any virtual interface as Upstream Interface, the IGMP Proxy service does not start; it appears stopped.

                        With em1_vlan10 Interface as Upstream Interface:

                        # cat /tmp/igmpproxy.conf
                        
                        ##------------------------------------------------------
                        ## Enable Quickleave mode (Sends Leave instantly)
                        ##------------------------------------------------------
                        quickleave
                        phyint em1_vlan10 upstream ratelimit 0 threshold 1
                        altnet 224.0.0.0/8
                        altnet 10.35.0.0/16
                        
                        phyint em1_vlan100 downstream ratelimit 0 threshold 1
                        altnet 224.0.0.0/8
                        altnet 10.100.0.0/22
                        
                        phyint bge0 disabled
                        phyint em1 disabled
                        phyint em2 disabled
                        phyint em3 disabled
                        phyint em0 disabled
                        phyint em1_vlan20 disabled
                        phyint em1_vlan30 disabled
                        phyint em1_vlan50 disabled
                        phyint em1_vlan101 disabled
                        phyint em1_vlan200 disabled
                        phyint em1_vlan210 disabled
                        

                        In the issue they say that IGMP Proxy does not handle well more than the first four network interfaces, but that is not the case here.

                        Can it be that I can't select as Upstream and Downstream Interface two virtual interfaces that are on the same physical interface, or simply can't select two virtual interfaces?

                        I have created VLAN interface 55 on em0 and selected it as Upstream Interface, and the IGMP Proxy service does not start either.

                        # cat /tmp/igmpproxy.conf
                        
                        ##------------------------------------------------------
                        ## Enable Quickleave mode (Sends Leave instantly)
                        ##------------------------------------------------------
                        quickleave
                        phyint em0_vlan55 upstream ratelimit 0 threshold 1
                        altnet 224.0.0.0/8
                        altnet 10.35.0.0/16
                        
                        phyint em1_vlan100 downstream ratelimit 0 threshold 1
                        altnet 224.0.0.0/8
                        altnet 10.100.0.0/22
                        
                        phyint bge0 disabled
                        phyint em1 disabled
                        phyint em2 disabled
                        phyint em3 disabled
                        phyint em0 disabled
                        phyint em1_vlan10 disabled
                        phyint em1_vlan20 disabled
                        phyint em1_vlan30 disabled
                        phyint em1_vlan50 disabled
                        phyint em1_vlan101 disabled
                        phyint em1_vlan200 disabled
                        phyint em1_vlan210 disabled
                        
                        

                        Regards,

                        Ramsés

                        • stephenw10S
                          stephenw10 Netgate Administrator

                          Yes, there was a bug in 2.3.X that prevented IGMP proxy running on VLAN interfaces. You can read about it in that bug link I posted above.

                          That's just another reason you should upgrade, that is fixed in current.

                          Steve
