Pfsense receive all multicast traffic

GaraQuor

Hello,
We use 2 pfsenses as firewall/dhcp/igmp-querier in HA (carp) on a pretty large network (+-500 devices) with a lot of local multicast traffic.
We only have layer2 switchs with igmp snooping enabled and everything looks fine.

But when we go in the Traffic Graph, we see that the pfsense receive ALL the multicast traffic, when we test on a pc connected to any switch in the network (with wireshark, promisc mode) we only receive data from joined multicast groups.

Someone would have an idea of what's going on ?

Thanks :)

johnpoz

Not sure what that has to do with pfsense.. Block the multicast traffic at your switch if you don't want pfsense interfaces to see it. Not like pfsense is going to be joining multicast groups.

igmp-querier

So your running igmp proxy?

Why would you not do that on your switch?

GaraQuor

Hello,
We not use igmp proxy (We only have multicast on the same lan), we use a igmp-querier (which send global member queries).
But yes we can try run a querier on a layer 3 switch :) (We will test tomorrow)

And carp use multicast no ? So pfsense is ACTUALLY joining multicast group :/ but effectively not 239.x.x.x.x multicast group. (Or it use a special 'trick' ?)

We just do not know why this happens and why that multicast groups only seem to arrive on the pfsense, not on the other 500 computers in the network.

If we don't find why we can effectively block multicast group in switch but that not a 'real' solution...
And we have already try to "block unknown multicast address" but has no effect

johnpoz

@GaraQuor said in Pfsense receive all multicast traffic:

we use a igmp-querier (which send global member queries).

And where exactly are you doing that in pfsense?

GaraQuor

Hello,
We use a hand made querier.

After a lot of test, whoever sends the igmp query packets receive all the local multicast traffic.
I do not know if this is a problem of the igmp snooping implementation in the L2 switches we use (netgear prosafe plus) or if it's a normal behavior...

So we put the querier on a L3 switch in the center of the network, this is not a great solution but it's better than nothing.
Thanks for the help

johnpoz

@GaraQuor said in Pfsense receive all multicast traffic:

We use a hand made querier.

So don't you think that should of been mentioned in your OP... Guess your hand made queirer isn't working..

GaraQuor

The hand made querier work perfectly.
We have the same comportment and the same result with the querier implemented in the L3 switch: All the multicast traffic is sended to the querier (so the implementation written by netgear for his own switches).

When I created the topic I did not know that.

It's been years since we've been working like this before going to a pfsense firewall and pointing that out, our previous firewall did not have such advanced statistics. So I never thought that the problem could come from the querier himself.