Multicast
-
Hi
I have 4 WAN interface and one LAN
On the LAN side I have a devise which use multicast as it is a lodbalancer.
I am not ready to switch it to haproxy
When I try to ping from the Lan default gateway 192.168.0.1 to the host with multicast 192.168.0.10 it do not reply.
From the out side I have 4 NAT rules to direct the trafic to 192.168.0.10
When I look in the arp list it says it is Incomplete
So how do I enable Pfsense to work with multicast.
I have look at the documentation for IGMP but didnot understand it.Regards
Henning -
So how do I enable Pfsense to work with multicast.
Hi,
Multicast on the same subnet is more a matter of Layer 2 switch + IGMP snooping cabability...
in case you want multicast traffic between network segments
then we can talk about pfSense IGMP proxy@hsv "When I try to ping from the Lan default gateway 192.168.0.1 to the host with multicast 192.168.0.10 it do not reply.."
if it's a windows machine (192.168.0.10) then use this:
netsh advfirewall firewall add rule name="ICMP Allow incoming V4 echo request" protocol=icmpv4:8,any dir=in action=allow
-
ICMP is enabled so I can ping it from other servers in the subnet.
So the problem is that Pfsense do not like multicast. -
I have the same problem. Multicast not working correctly. Not with IGMP-proxy (not at all) and not with PIMD (it works a bit).
Never the less I would advice the more capable recently introduced PIMD-package. It works "a bit", problem is that it does not recognise all of my vlan-interfaces.
But your config is of cause different, so may be ..... it works for you
For info on my system pimd is refusing a lot of vlan interfaces with the following message "Invalid phyint address '<technical interface name>'. I did raise a bugreport for that.
I hope you are more sucessfull. Let me/us know.
Louis
PS of cause the fw-settings sould allow the resulting unicast traffic. -
So the problem is that Pfsense do not like multicast.
I understand...
We configure multicast traffic on the switches for example for AoIP purposes (IGMP snooping thus, traffic on the same subnet does not need to reach the router).
f.e.:
or
or
BTW:
Exactly what multicast routing function you want to implement?Cats bury it so they can't see it!
(You know what I mean if you have a cat) -
To answer that first a rough outline of my network
- I have two "core switches" one for 1G one for "10G" each carrying multiple vlans
- in the center pfSense as router and firewall
- in the rooms small (5/ 8 -port) Netgear managed switches
- the network is divided in “security-zones” implemented with vlans
In the RedZone my server, among other things hosting my (twonky)media-server. In the PC-zone, Guest-zone, and IoT-zone equipment like Hifi-receivers and media-players.
PIMD should use the IGMP-messages to build routing tables and to forward the multicast broadcast / response messages. If that is successful the Twonky and the “media-devices” know each other. And of course the result is unicast info and data (stream) exchange, which should be allowed by the FW-rules (and if applicable NAT-rules).
That is it
Additional, but necessary in a small network, the switches should be configured for IGMP-snooping, to prevent lots of unnecessary messages.
That is of cause that is my situation, I do not know what @hsv wants to accomplish
Louis
-
@louis2 said in Multicast:
@louis2 "To answer that first a rough outline of my network"nice system, but it's just in your house
Additional, but necessary in a small network,
this Cisco installment makes up only 2-3% of our system...
At 18 radiostations, we serve nearly 300 colleagues in the AoIP system with the appropriate audio materials and broadcast the FM-UHF program from 24 telekom towers, within a radius of 350 km
(the entire system includes 44 voice VLANs, connected by 47 Cisco switches and 8 Brocade switches over fiber and Cat6, this is no small system)
DANTE protocol (https://www.audinate.com/)we never route the multicast traffic, only the core-switches the IGMP querier(s) in the system and control everything
BTW:
our own backbone network is 2x40G 2420Km fiber with IEEE 1588 Precision Time Protocol (PTP) across the networkI've been crying a lot about multicast, since the system latency can't be more than 1-2ms everywhere
(routers raise this value to the skies)+++edit:
I work with these multicast addresses / ports..
-
If multicast is in and stays(!) in a dedicated vlan, it is not necessary to send it through a router. And I agree completely, you should not do that because of the added latency.
However, if the multicast source is in a different vlan as the multicast receiver/destination, than you need to route that. And that will probably be at the users premises and not in the telecom network.
Note that my provider is sending the TV-streams in a different vlan than the internet, and that the set-top-box is supposed to be connected to that tv-vlan.
Louis
-
-
Note that my provider is sending the TV-streams in a different vlan than the internet, and that the set-top-box is supposed to be connected to that tv-vlan.
The way I take that... Is you should split that traffic at layer 2 when it comes in. So your STB would not be behind the layer 3 device..
Now keep in mind only half way through my first cup of coffee but would you do something like this..
Where you split the L2 networks before pfsense.
-
John,
I think the same with one small difference, being that the Ls2-switch is inside the ISP-device.
Not 100% sure, because I have internet and telephone from the ISP and television from the Cable.
Louis
-
To be even more precise, I have the lan-connection(s) from the ISP-device connected to my 1G-coreswitch. At the entrance port of that switch the lan is transformated to a vlan (PID=internet-vlan-no).
The Internet VLAN is entering pfSense, the TV-vlan (if present), is passing pfSense / stays level2.
Louis
-
is passing pfSense / stays level2.
Doesn't work that way, pfsense is a layer 3 device. Pfsense is not going to pass on vlan tags.. Nor layer 2 traffic..
Sniffing on pfsense is seeing the vlan traffic.. Then put switch in front of pfsense to send the STB vlan to the devices that are suppose to be on that vlan..
-
My problem is that it is mail traffic that's coming in and goes to a loadbalancer (MS) this loadbalancer use multicast.
So the router need to communicate to this multicast unit.I have tried to look into HAProxy, whit absolut not succes. The documentation I have found do not help me at all.
So if som body can point med to a HAproxy description, where you have one front ip number with multiple Ports to 2 or more servers in the backend that could help, as I cannot see pfsense handle this multicast problem.
Regards
Henning -
John, I know. The description of my network was over simplified. pfSense is not really in the middle of the 1G and 10G core switches.
I have a 1G-network towards most rooms and towards the ISP-device. That network is handled by the 1G-core. And I have a 10G network which connects my server, my nas and my main-PC.
Both (physical) networks are connected to pfSense for routing between the VLANs independent from the fact if they are located in the 1G or in the 10G domain.
pfSense is connected to the 1G-switch via a 1G-lagg and connected to the 10G-switch via a 10G-up and a 10G-down link. However there is also a direct (physical) connection between those two switches.
To take the TV-VLAN as example, is a vlan starting at the ISP-device, passing the 1G-core ending on one of the small Netgear switches in the living room.
Louis
-
-
Ok that makes sense.
To be honest I have no idea what @hsv is talking about.. Load balancer that uses multicast??
For example
host with multicast 192.168.0.10 it do not reply.
That is NOT a multicast address.. So I have a funny suspicion there is some misuse of terms going on.
-
-
Maybe if he sends some traffic to this device at 192.168.0.10, it multicasts the traffic that is sends on?
@hsv really going to need a bit more info.. What is this device, or what software are you running on 192.168.0.10.. What sort of traffic is it?
If you can not arp from pfsense, for this 192.168.0.10 address - then no your never going to be able to send it traffic.. To do anything with..
From the out side I have 4 NAT rules to direct the trafic to 192.168.0.10
Can you post those, so we can maybe glean some insight into what your trying to do exactly.
-
