Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Can you filter multicast with a bridge?

    Scheduled Pinned Locked Moved
    L2/Switching/VLANs
    2
    3
    159
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • senseivitaS
      senseivita
      last edited by

      I was wondering if I could create a transparent firewall so only multicast traffic is allowed through from the participants?

      I've another questions more about the logistics of it; because software bridges are resource-expensive, what if I filtered out on two (or more) separate interfaces but actually do the link outside the VM somewhere physically in a switch? Or in like a software-controlled physical device capable of doing wirespeed without breaking a sweat ...that's a switch, right? 😂 What I mean is within the confines of the host, like a multi-port NIC or something.

      I find this topic really interesting. I have physically bridged VLANs before (only once) but with zero filtering, the piggyback VLAN was virtually (figuratively and literally) nowhere to be found anywhere, it was just there. When I first plugged in the cable though hypervisor jet engines kicked into high gear (broadcast storm), I rushed to enable STP (cable still in, quiescing protects the VMs for a few seconds with all data paths lost) which I avoid as much as I can and things calmed down. I disabled STP again with the patch cable still in because it should not be needed, one VLAN not "existing" and all, and sure enough the storm didn't come back. It was only after plugging in the cable.

      Eventually I remembered I could just use RADIUS with MAC-based auth to drop devices on the proper VLAN without tricks, but it was an interesting experience nevertheless. Are there any more interesting ways of bridging things?? :)

      Missing something? Word endings, maybe? I included a free puzzle in this msg if you solv--okay, I'm lying. It's dyslexia, makes me do that, sorry! Just finish the word; they're rarely misspelled, just incomplete. Yeah-yeah-I know. Same thing.

      1 Reply Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        What exactly are you wanting to accomplish?

        Are you wanting to forward multicast from 1 L2 into a different L2? if so something like the pimd package can do that.

        I am not a fan of breaching L2 boundaries with multicast.

        But depending on your switching infrastructure you can all kinds of fancy stuff with multicast, I filter it from entering the network from some hosts at the switch port they are plugged into.. Because they are little freaking noise machines when it comes to multicast.. Windows for example.. And have run into some software (plex) for example where could not stop it from sending out its discovery nonsense via multicast. So I just prevent it the switch port its connected too.

        Happy to discuss best way to solve whatever sort of issue your running into..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        1 Reply Last reply Reply Quote 0
        • senseivitaS
          senseivita
          last edited by

          Well, no exactly, I already got noisy stuff under one subnet. I'm just curious if it can be achieved by merely using a transparent firewall technique while keeping the rest of the L2s separated. This is the first time I've thought about pfSense filtering below L3 I believe.

          The switches I have, come with lots of stuff for multicast, fancy is actually a fitting word for it's a lot, from multicast filtering to routing to something in the middle (MVR) Plenty more features than for the other L2/L3 areas. But playing with these can easily lead to trouble, nothing too serious yet not far off--I traced a painfully slow network to the Avahi plugin when 2.4.5p1 was first released. It's been switched off since then.

          There is one multicast feature that I though seemed like a good compromise, in Ubiquiti-branded stuff it's called MVR, everywhere else is just Multicast VLAN, in Cisco it's probably named by its RFC # and then their licensed next to it. 😆 MVR is supposed to drop all multicast traffic regardless of source VLAN into a dedicated VLAN so traffic traffic won't bother other operations, setting up the ports' mode for it is contradictory in all documentation even it's got not router/source/whatever port designations. I tried so hard to make it work but I kept missing the almost-never-mentioned point: it only goes one-way, same as all other multicast protocols, they're designed to work in this waterfall-like fashion, as if source always were an IPTV operator for instances; remote from the Internet, doesn't care what you have to say. It's never a mesh or at least one-ways-for-all situation. The naming doesn't make it easier either, I know VLANs inside and out now, but when I go through these docs that aren't even for VLANs it makes me question how much do I really know about VLANs, ADHD kicks in and I've lost all day when I eventually l land in the document that triggered the spiral.

          Not that useful for something like a remote app, or Spotify Connect/AirPlay, all relying heavily on multicast, treated like broadcast but even less smart. Some just assume your wireless network is the same as the wired one or the most infuriating are those incompatible Enterprise WPAs that expects the other device setting it up to connect to the same SSID otherwise it won't take it. It drives me insane this Harmony Hub I use for domo losses connectivity I have to go get a step ladder to pair it over Bluetooth, to then failing its "tests" to give you an IP input field only at the very end while you wait balancing on the ladder. 🤬

          Got sidetracked there, sorry. Avahi and mDNS Repeater seem to be the only tools available for this but they're not really protocols, are they? They're included everywhere, well, Avahi is, but it's banned from switches it seems. They only router appliance I've seen that dealt with this type is in the Ubiquiti USG line, Ubiquiti as a brand sort of constantly readjusts its priorities (or has no direction), so it doesn't really count. So I'm exploring option to see what could be done if I didn't have or didn't know how to setup a RADIUS server (and pfSense didn't have one right in there). There's a lot more happening at L2 beyond ethenet so I'm curious.

          I'd love to get my hands on one of those old ATM cards though I woulnd't know what to do with it 5 seconds later. I think my ISP is still using ATM despite delivering fiber I have this hunch. All of their naming still hints to ATM stuff. :)

          I don't think you know how much I appreciate those little bits about Plex and preemptive filtering 'cause it's the first kind of thing that pops in my mind when I run into trouble. Thanks for the help!

          Missing something? Word endings, maybe? I included a free puzzle in this msg if you solv--okay, I'm lying. It's dyslexia, makes me do that, sorry! Just finish the word; they're rarely misspelled, just incomplete. Yeah-yeah-I know. Same thing.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.