Can I pass BACnet traffic between VLANs with pfSense?
-
Hi everyone.
I have 2 VLANs with some IoT devices that talk BACnet:
In VLAN10 I have 5 IoT devices and in VLAN20 I have a PC with an application to manage the IoT devices (BACnet).
- With unicast BACnet traffic:
[Src_IP_Device:47808] <---> [Dst_IP_Device:47808]
I don't have any problem because I added rules that permit UDP traffic from/to port 47808 and it works well.
- Other BACnet traffic:
But I have traffic like this that I need to pass to VLAN20:
IoT Device in VLAN10
# tcpdump -i VLAN10 host 10.10.10.5
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on VLAN10, link-type EN10MB (Ethernet), capture size 65535 bytes
12:41:48.242602 IP 10.10.10.5 > 224.0.0.180: igmp v2 report 224.0.0.180
12:41:54.912813 IP 10.10.10.5 > 224.0.0.181: igmp v2 report 224.0.0.181
12:41:55.482853 IP 10.10.10.5 > 224.0.23.12: igmp v2 report 224.0.23.12
12:41:57.982762 IP 10.10.10.5 > 224.0.0.180: igmp v2 report 224.0.0.180
12:43:39.519198 IP 10.10.10.5.47808 > 10.10.10.255.47808: UDP, length 16
12:43:40.527476 IP 10.10.10.5.47808 > 10.10.10.255.47808: UDP, length 16
12:43:41.536010 IP 10.10.10.5.47808 > 10.10.10.255.47808: UDP, length 20
And I have traffic like this that I need to pass to VLAN10:
PC with management application in VLAN20
# tcpdump -i VLAN20 host 10.20.20.50
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on VLAN20, link-type EN10MB (Ethernet), capture size 65535 bytes
2020-02-20 13:03:14.774008 IP 10.20.20.50.47808 > 10.20.20.255.47808: UDP, length 9
2020-02-20 13:03:14.774133 IP 10.20.20.50.47808 > 10.20.20.255.47808: UDP, length 7
2020-02-20 13:03:20.190109 IP 10.20.20.50 > 224.0.0.22: igmp v3 report, 1 group record(s)
2020-02-20 13:03:20.580483 IP 10.20.20.50 > 224.0.0.22: igmp v3 report, 1 group record(s)
2020-02-20 13:03:26.487769 IP 10.20.20.50.47808 > 10.20.20.255.47808: UDP, length 21
2020-02-20 13:03:29.488264 IP 10.20.20.50.47808 > 10.20.20.255.47808: UDP, length 25
2020-02-20 13:03:32.501243 IP 10.20.20.50 > 224.0.0.22: igmp v3 report, 1 group record(s)
2020-02-20 13:03:32.504990 IP 10.20.20.50.52133 > 224.0.0.180.30000: UDP, length 72
2020-02-20 13:03:32.505241 IP 10.20.20.50.47808 > 10.20.20.255.47808: UDP, length 96
2020-02-20 13:03:32.579452 IP 10.20.20.50 > 224.0.0.22: igmp v3 report, 1 group record(s)
2020-02-20 13:03:34.705826 IP 10.20.20.50 > 224.0.0.22: igmp v3 report, 1 group record(s)
2020-02-20 13:03:35.079232 IP 10.20.20.50 > 224.0.0.22: igmp v3 report, 1 group record(s)
2020-02-20 13:03:35.383309 IP 10.20.20.50 > 224.0.0.22: igmp v3 report, 1 group record(s)
2020-02-20 13:03:35.385927 IP 10.20.20.50.52134 > 224.0.0.180.30000: UDP, length 67
2020-02-20 13:03:35.386803 IP 10.20.20.50.47808 > 10.20.20.255.47808: UDP, length 91
Can I pass this traffic between VLAN10 and VLAN20?
If the answer is yes, how can I do that?
Best regards,
Ramsés
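An added example (my own, not code from the thread or from pfSense): a small Python classifier that reads tcpdump lines like the captures above and sorts each packet by destination scope. It assumes the VLAN10 subnet is 10.10.10.0/24 (the capture only shows the .255 broadcast address), and the last sample line is a constructed unicast packet added to exercise that branch. What it makes visible is the split behind the answers that follow: only the unicast 47808 flows are routed by a plain UDP pass rule; the 10.10.10.255 datagrams are directed broadcasts that stay on their own VLAN no matter what rules exist; and the 224.0.0.x destinations are multicast groups that only an IGMP proxy or a PIM daemon can carry between VLANs.

```python
"""Classify tcpdump lines from a BACnet/IP VLAN by destination scope.

Added example, not part of the thread. Sample lines are copied from the
VLAN10 capture in the question; the subnet 10.10.10.0/24 is an assumption
and the final unicast line is constructed.
"""
import ipaddress
import re

BACNET_PORT = 47808                               # BAC0, the BACnet/IP default
MULTICAST = ipaddress.ip_network("224.0.0.0/4")
LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")

# tcpdump prints "IP <src>[.<port>] > <dst>[.<port>]: <protocol text>"
LINE_RE = re.compile(r"IP (\S+) > (\S+): (.*)$")


def _host_port(field, has_port):
    """UDP/TCP lines carry 'a.b.c.d.port'; IGMP lines carry a bare address."""
    if has_port:
        host, _, port = field.rpartition(".")
        return ipaddress.ip_address(host), int(port)
    return ipaddress.ip_address(field), None


def classify_line(line, local_net):
    """Describe one capture line, or return None for non-packet lines.

    'scope' is unicast, directed-broadcast or multicast; 'forwarded_by'
    names what, if anything, carries that packet into another VLAN.
    """
    m = LINE_RE.search(line)
    if not m:
        return None
    src_f, dst_f, rest = m.groups()
    has_port = rest.startswith(("UDP", "TCP"))
    src, sport = _host_port(src_f, has_port)
    dst, dport = _host_port(dst_f, has_port)
    if dst in MULTICAST:
        scope, forwarded_by = "multicast", "igmp proxy / pimd only"
    elif dst == local_net.broadcast_address or dst == LIMITED_BROADCAST:
        scope, forwarded_by = "directed-broadcast", "nothing: stays on this VLAN"
    else:
        scope, forwarded_by = "unicast", "firewall pass rule"
    return {
        "src": str(src), "sport": sport, "dst": str(dst), "dport": dport,
        "proto": rest.split(",")[0].split(" ")[0].lower(),   # 'udp' or 'igmp'
        "bacnet": BACNET_PORT in (sport, dport),
        "scope": scope, "forwarded_by": forwarded_by,
    }


def summarize(capture, local_net):
    """Count packets per scope so you see at a glance what will cross."""
    counts = {}
    for line in capture.splitlines():
        pkt = classify_line(line, local_net)
        if pkt:
            counts[pkt["scope"]] = counts.get(pkt["scope"], 0) + 1
    return counts


VLAN10_NET = ipaddress.ip_network("10.10.10.0/24")   # assumption, see lead-in
VLAN10_CAPTURE = """\
12:41:48.242602 IP 10.10.10.5 > 224.0.0.180: igmp v2 report 224.0.0.180
12:41:54.912813 IP 10.10.10.5 > 224.0.0.181: igmp v2 report 224.0.0.181
12:41:55.482853 IP 10.10.10.5 > 224.0.23.12: igmp v2 report 224.0.23.12
12:41:57.982762 IP 10.10.10.5 > 224.0.0.180: igmp v2 report 224.0.0.180
12:43:39.519198 IP 10.10.10.5.47808 > 10.10.10.255.47808: UDP, length 16
12:43:40.527476 IP 10.10.10.5.47808 > 10.10.10.255.47808: UDP, length 16
12:43:41.536010 IP 10.10.10.5.47808 > 10.10.10.255.47808: UDP, length 20
12:50:00.000000 IP 10.10.10.5.47808 > 10.20.20.50.47808: UDP, length 16
"""

if __name__ == "__main__":
    for line in VLAN10_CAPTURE.splitlines():
        pkt = classify_line(line, VLAN10_NET)
        print(f"{pkt['dst']:>14}  {pkt['proto']:<5} {pkt['scope']:<19} -> {pkt['forwarded_by']}")
    print(summarize(VLAN10_CAPTURE, VLAN10_NET))
```

Run it against a capture from the management VLAN as well (with that VLAN's subnet) and the same three buckets appear; anything in the directed-broadcast bucket is what the unicast pass rule will never deliver.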
-
Looks like IGMP proxy may work there, that's what it's trying to use.
If it's doing that though it looks like a protocol that was never meant to be used across subnets.
Steve
-
@stephenw10, thanks so much for your answer.
Are you sure that I can pass multicast traffic (224.0.0.0/24) between VLAN10 and VLAN20?
I have tried to configure IGMP Proxy but I have not succeeded. I am sure that I have not done it well.
Can anybody help me configure this functionality to pass this multicast traffic (224.0.0.0/24)?
Best regards,
Ramsés
-
That's what the igmp proxy does and it should work here specifically as this is igmp traffic.
How have you configured it? Do you see anything blocked in the firewall log?
Steve
-
You could also try the pimd package that jimp created for routing multicast.
-
@stephenw10 / @johnpoz, I have configured IGMP Proxy like this:
Interface: VLAN20
Description: Interface with PC IoT Manager
Type: Upstream Interface
Threshold:
Networks: 10.20.20.0/24 (Network of PC IoT Manager)
---------------------
Interface: VLAN10
Description: Interface with IoT Devices
Type: Downstream Interface
Threshold:
Networks: 224.0.0.0/24 (Multicast IoT Devices)
Later, I analyzed the traffic with tcpdump on both VLAN interfaces and I don't see IGMP traffic coming from the other VLAN interface.
I am not seeing blocked traffic in pfSense either.
What am I doing wrong?
Regards,
Ramsés
-
Check the system logs for errors when you start igmp proxy. Make sure it's actually running in Status > Services.
You could try using PIMD instead although I'm not sure exactly how you might configure it for this.
Otherwise try starting igmp proxy manually in debug mode at the command line.
Stop the service in the webgui, then run:
igmpproxy -d -vv /var/etc/igmpproxy.conf
You will see which interfaces it's running on, any errors and devices using it.
Steve
-
@stephenw10, I have configured IGMP Proxy this way:
IGMP Proxy:
Interface: VLAN20
Description: Interface with PC IoT Manager
Type: Upstream Interface
Threshold:
Networks: 10.20.20.0/24 (Network of PC IoT Manager)
---------------------
Interface: VLAN10
Description: Interface with IoT Devices
Type: Downstream Interface
Threshold:
Networks: 224.0.0.0/8 (Multicast IoT Devices)
Networks: 10.10.10.0/24 (Network of IoT Devices)
Firewall Rules:
* First rule on VLAN20 Interface. *
Action: Pass
Interface: VLAN20
Address Family: IPv4
Protocol: IGMP
Source: Any
Destination: Any
Allow IP options: Checked
---------------------
* First rule on VLAN10 Interface. *
Action: Pass
Interface: VLAN10
Address Family: IPv4
Protocol: IGMP
Source: Any
Destination: Any
Allow IP options: Checked
I have looked at "Service > IGMP Proxy" and it appears Stopped.
I have tried to start it and pfSense shows "igmpproxy has been started." but the IGMP Proxy service still appears as "IGMP Proxy -- Stopped".
In "Status > System Logs > System > General" this appears:
Feb 25 10:22:56 igmpproxy 99201 There must be at least 2 Vif's where one is upstream.
Feb 25 10:22:56 igmpproxy 99201 adding VIF, Ix 4 Fl 0x0 IP 0x427d8c59 em3, Threshold: 1, Ratelimit: 0
Feb 25 10:22:56 igmpproxy 99201 adding VIF, Ix 3 Fl 0x0 IP 0x8ebb0759 bge0, Threshold: 1, Ratelimit: 0
Feb 25 10:22:56 igmpproxy 99201 adding VIF, Ix 2 Fl 0x0 IP 0x9604a8c0 em2, Threshold: 1, Ratelimit: 0
Feb 25 10:22:56 igmpproxy 99201 adding VIF, Ix 1 Fl 0x0 IP 0x0101230a em1, Threshold: 1, Ratelimit: 0
Feb 25 10:22:56 igmpproxy 99201 adding VIF, Ix 0 Fl 0x0 IP 0x9605a8c0 em0, Threshold: 1, Ratelimit: 0
Feb 25 10:22:56 php-fpm 50687 /status_services.php: Started IGMP proxy service.
I have tried to start the IGMP Proxy in debug mode with "igmpproxy -d -vv /var/etc/igmpproxy.conf" but the "/var/etc/igmpproxy.conf" file does not exist.
Where is the problem?
- I can't install the PIMD module because I need to upgrade pfSense to the latest version.
Regards,
Ramsés
-
@stephenw10, well, in my Production Environment, I have found "igmpproxy.conf" at "/tmp/igmpproxy.conf".
In my Production Environment, I have configured IGMP Proxy this way:
IGMP Proxy:
Interface: em1_vlan100 (Virtual Interface)
Description: Interface with PC IoT Manager
Type: Upstream Interface
Threshold:
Networks: 10.40.100.0/22 (Network of PC IoT Manager)
---------------------
Interface: em1 (Physical Interface)
Description: Interface with IoT Devices
Type: Downstream Interface
Threshold:
Networks: 10.35.0.0/16 (Network of IoT Devices)
Networks: 224.0.0.0/8 (Multicast IoT Devices)
Firewall Rules:
* First rule on em1_vlan100 Interface (Virtual Interface). *
Action: Pass
Interface: em1_vlan100
Address Family: IPv4
Protocol: IGMP
Source: Any
Destination: Any
Allow IP options: Checked
---------------------
* First rule on em1 Interface (Physical Interface). *
Action: Pass
Interface: em1
Address Family: IPv4
Protocol: IGMP
Source: Any
Destination: Any
Allow IP options: Checked
I have looked at "Service > IGMP Proxy" and it appears Stopped.
I have tried to start it and pfSense shows "igmpproxy has been started." but the IGMP Proxy service still appears as "IGMP Proxy -- Stopped".
In "Status > System Logs > System > General" the same appears:
Feb 25 10:22:56 igmpproxy 99201 There must be at least 2 Vif's where one is upstream.
Feb 25 10:22:56 igmpproxy 99201 adding VIF, Ix 4 Fl 0x0 IP 0x427d8c59 em3, Threshold: 1, Ratelimit: 0
Feb 25 10:22:56 igmpproxy 99201 adding VIF, Ix 3 Fl 0x0 IP 0x8ebb0759 bge0, Threshold: 1, Ratelimit: 0
Feb 25 10:22:56 igmpproxy 99201 adding VIF, Ix 2 Fl 0x0 IP 0x9604a8c0 em2, Threshold: 1, Ratelimit: 0
Feb 25 10:22:56 igmpproxy 99201 adding VIF, Ix 1 Fl 0x0 IP 0x0101230a em1, Threshold: 1, Ratelimit: 0
Feb 25 10:22:56 igmpproxy 99201 adding VIF, Ix 0 Fl 0x0 IP 0x9605a8c0 em0, Threshold: 1, Ratelimit: 0
Feb 25 10:22:56 php-fpm 50687 /status_services.php: Started IGMP proxy service.
I have tried to start the IGMP Proxy in debug mode with "igmpproxy -d -vv /tmp/igmpproxy.conf" and it shows this:
/root: igmpproxy -d -vv /tmp/igmpproxy.conf
Searching for config file at '/tmp/igmpproxy.conf'
Config: Quick leave mode enabled.
Config: Got a phyint token.
Config: IF: Config for interface em1_vlan100.
Config: IF: Got upstream token.
Config: IF: Got ratelimit token '0'.
Config: IF: Got threshold token '1'.
Config: IF: Got altnet token 10.40.100.0/22.
Config: IF: Altnet: Parsed altnet to 10.40.100/22.
IF name : em1_vlan100
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 1
Allowednet ptr : 1013050
Config: Got a phyint token.
Config: IF: Config for interface em1.
Config: IF: Got downstream token.
Config: IF: Got ratelimit token '0'.
Config: IF: Got threshold token '1'.
Config: IF: Got altnet token 224.0.0.0/8.
Config: IF: Altnet: Parsed altnet to 224/8.
Config: IF: Got altnet token 10.35.0.0/16.
Config: IF: Altnet: Parsed altnet to 10.35/16.
IF name : em1
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 2
Allowednet ptr : 1013060
Config: Got a phyint token.
Config: IF: Config for interface bge0.
Config: IF: Got disabled token.
IF name : bge0
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 0
Allowednet ptr : 0
Config: Got a phyint token.
Config: IF: Config for interface em2.
Config: IF: Got disabled token.
IF name : em2
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 0
Allowednet ptr : 0
Config: Got a phyint token.
Config: IF: Config for interface em3.
Config: IF: Got disabled token.
IF name : em3
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 0
Allowednet ptr : 0
Config: Got a phyint token.
Config: IF: Config for interface em0.
Config: IF: Got disabled token.
IF name : em0
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 0
Allowednet ptr : 0
Config: Got a phyint token.
Config: IF: Config for interface em1_vlan10.
Config: IF: Got disabled token.
IF name : em1_vlan10
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 0
Allowednet ptr : 0
Config: Got a phyint token.
Config: IF: Config for interface em1_vlan20.
Config: IF: Got disabled token.
IF name : em1_vlan20
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 0
Allowednet ptr : 0
Config: Got a phyint token.
Config: IF: Config for interface em1_vlan30.
Config: IF: Got disabled token.
IF name : em1_vlan30
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 0
Allowednet ptr : 0
Config: Got a phyint token.
Config: IF: Config for interface em1_vlan50.
Config: IF: Got disabled token.
IF name : em1_vlan50
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 0
Allowednet ptr : 0
Config: Got a phyint token.
Config: IF: Config for interface em1_vlan101.
Config: IF: Got disabled token.
IF name : em1_vlan101
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 0
Allowednet ptr : 0
Config: Got a phyint token.
Config: IF: Config for interface em1_vlan200.
Config: IF: Got disabled token.
IF name : em1_vlan200
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 0
Allowednet ptr : 0
Config: Got a phyint token.
Config: IF: Config for interface em1_vlan210.
Config: IF: Got disabled token.
IF name : em1_vlan210
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 0
Allowednet ptr : 0
buildIfVc: Interface em0 Addr: 192.168.5.150, Flags: 0xffff8843, Network: 192.168.5/24
buildIfVc: Interface em1 Addr: 10.35.1.1, Flags: 0xffff8843, Network: 10.35/16
buildIfVc: Interface em2 Addr: 192.168.4.150, Flags: 0xffff8843, Network: 192.168.4/24
buildIfVc: Interface bge0 Addr: 88.88.88.142, Flags: 0xffff8843, Network: 88.88.88.136/29
buildIfVc: Interface em3 Addr: 99.99.99.66, Flags: 0xffff8843, Network: 99.99.99.64/27
buildIfVc: Interface lo0 Addr: 127.0.0.1, Flags: 0xffff8049, Network: 127/8
Found config for em0
Found config for em1
Found config for em2
Found config for bge0
Found config for em3
adding VIF, Ix 0 Fl 0x0 IP 0x9605a8c0 em0, Threshold: 1, Ratelimit: 0
Network for [em0] : 192.168.5/24
adding VIF, Ix 1 Fl 0x0 IP 0x0101230a em1, Threshold: 1, Ratelimit: 0
Network for [em1] : 10.35/16
Network for [em1] : 224/8
Network for [em1] : 10.35/16
adding VIF, Ix 2 Fl 0x0 IP 0x9604a8c0 em2, Threshold: 1, Ratelimit: 0
Network for [em2] : 192.168.4/24
adding VIF, Ix 3 Fl 0x0 IP 0x8ebb0759 bge0, Threshold: 1, Ratelimit: 0
Network for [bge0] : 88.88.88.136/29
adding VIF, Ix 4 Fl 0x0 IP 0x427d8c59 em3, Threshold: 1, Ratelimit: 0
Network for [em3] : 99.99.99.64/27
There must be at least 2 Vif's where one is upstream.
Can you help me with the problem?
Regards,
Ramsés
-
What version of pfSense are you running?
It's not adding the VLAN interface there, which was a known bug from a few versions back.
https://redmine.pfsense.org/issues/6099
Your interface naming
em1_vlan100
shows it must be a very old version.....
Steve
-
@stephenw10, thanks so much for your attention and help.
Based on the info in this post I have done some tests.
I have pfSense 2.3 (very old, I know, but we are in the migration process) with these network interfaces:
Interface bge0
Interface em1
Interface em2
Interface em3
Interface em0
Interface em1_vlan10
Interface em1_vlan20
Interface em1_vlan30
Interface em1_vlan50
Interface em1_vlan101
Interface em1_vlan200
Interface em1_vlan210
If I select any physical network interface (bge0 to em3) as "Upstream Interface", the IGMP Proxy service starts without problems.
With em3 Interface as Upstream Interface:
# cat /tmp/igmpproxy.conf
##------------------------------------------------------
## Enable Quickleave mode (Sends Leave instantly)
##------------------------------------------------------
quickleave

phyint em3 upstream ratelimit 0 threshold 1
altnet 224.0.0.0/8
altnet 10.35.0.0/16

phyint em1_vlan100 downstream ratelimit 0 threshold 1
altnet 224.0.0.0/8
altnet 10.100.0.0/22

phyint bge0 disabled
phyint em1 disabled
phyint em2 disabled
phyint em0 disabled
phyint em1_vlan10 disabled
phyint em1_vlan20 disabled
phyint em1_vlan30 disabled
phyint em1_vlan50 disabled
phyint em1_vlan101 disabled
phyint em1_vlan200 disabled
phyint em1_vlan210 disabled
If I select any virtual interface as Upstream Interface the IGMP Proxy service does not start; it appears stopped.
With em1_vlan10 Interface as Upstream Interface:
# cat /tmp/igmpproxy.conf
##------------------------------------------------------
## Enable Quickleave mode (Sends Leave instantly)
##------------------------------------------------------
quickleave

phyint em1_vlan10 upstream ratelimit 0 threshold 1
altnet 224.0.0.0/8
altnet 10.35.0.0/16

phyint em1_vlan100 downstream ratelimit 0 threshold 1
altnet 224.0.0.0/8
altnet 10.100.0.0/22

phyint bge0 disabled
phyint em1 disabled
phyint em2 disabled
phyint em3 disabled
phyint em0 disabled
phyint em1_vlan20 disabled
phyint em1_vlan30 disabled
phyint em1_vlan50 disabled
phyint em1_vlan101 disabled
phyint em1_vlan200 disabled
phyint em1_vlan210 disabled
In the issue they say that IGMP Proxy does not handle well more than the first four network interfaces, but that is not the case here.
Can it be that I can't select as Upstream and Downstream Interface two virtual interfaces that are on the same physical interface, or simply any two virtual interfaces?
I have created VLAN interface 55 on em0 and selected it as Upstream Interface, and the IGMP Proxy service does not start either.
# cat /tmp/igmpproxy.conf
##------------------------------------------------------
## Enable Quickleave mode (Sends Leave instantly)
##------------------------------------------------------
quickleave

phyint em0_vlan55 upstream ratelimit 0 threshold 1
altnet 224.0.0.0/8
altnet 10.35.0.0/16

phyint em1_vlan100 downstream ratelimit 0 threshold 1
altnet 224.0.0.0/8
altnet 10.100.0.0/22

phyint bge0 disabled
phyint em1 disabled
phyint em2 disabled
phyint em3 disabled
phyint em0 disabled
phyint em1_vlan10 disabled
phyint em1_vlan20 disabled
phyint em1_vlan30 disabled
phyint em1_vlan50 disabled
phyint em1_vlan101 disabled
phyint em1_vlan200 disabled
phyint em1_vlan210 disabled
Regards,
Ramsés
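An added example (my own, not pfSense's or igmpproxy's code): a Python script that parses an igmpproxy.conf like the ones above and compares the configured phyints with the interfaces igmpproxy listed in the "buildIfVc:" lines of the debug run earlier in the thread. igmpproxy creates a VIF only for interfaces it enumerated at startup, so an upstream phyint it never saw leaves it without an upstream VIF and it exits with "There must be at least 2 Vif's where one is upstream." The buildIfVc lines are copied from the debug output above; the two configs are shortened copies of the em3-upstream and em1_vlan10-upstream files; IFF_LOOPBACK = 0x8 is the FreeBSD flag bit used to skip lo0. It is the check I would run before touching the GUI again: it tells you which configured interface the daemon cannot see.

```python
"""Cross-check an igmpproxy.conf against the interfaces igmpproxy enumerates.

Added example, not code from the thread, pfSense or igmpproxy. igmpproxy
creates one VIF per non-loopback interface it finds at startup and then
insists on at least two VIFs with one of them upstream; a phyint that is
configured but never enumerated (the em1_vlanNN interfaces on pfSense 2.3
here) gets no VIF, which is why the daemon stops with
"There must be at least 2 Vif's where one is upstream."
"""
import re

IFF_LOOPBACK = 0x8  # FreeBSD if.h flag bit; lo0 shows Flags: 0xffff8049 above

# 'buildIfVc:' lines copied from the igmpproxy -d -vv run in the thread
DEBUG_OUTPUT = """\
buildIfVc: Interface em0 Addr: 192.168.5.150, Flags: 0xffff8843, Network: 192.168.5/24
buildIfVc: Interface em1 Addr: 10.35.1.1, Flags: 0xffff8843, Network: 10.35/16
buildIfVc: Interface em2 Addr: 192.168.4.150, Flags: 0xffff8843, Network: 192.168.4/24
buildIfVc: Interface bge0 Addr: 88.88.88.142, Flags: 0xffff8843, Network: 88.88.88.136/29
buildIfVc: Interface em3 Addr: 99.99.99.66, Flags: 0xffff8843, Network: 99.99.99.64/27
buildIfVc: Interface lo0 Addr: 127.0.0.1, Flags: 0xffff8049, Network: 127/8
"""

# Shortened copy of the /tmp/igmpproxy.conf with em1_vlan10 as upstream
CONF_VLAN_UPSTREAM = """\
quickleave
phyint em1_vlan10 upstream ratelimit 0 threshold 1
altnet 224.0.0.0/8
altnet 10.35.0.0/16
phyint em1_vlan100 downstream ratelimit 0 threshold 1
altnet 224.0.0.0/8
altnet 10.100.0.0/22
phyint em3 disabled
"""

# The same file with the physical em3 as upstream instead
CONF_PHYS_UPSTREAM = (CONF_VLAN_UPSTREAM
                      .replace("phyint em1_vlan10 upstream", "phyint em3 upstream")
                      .replace("phyint em3 disabled", "phyint em1_vlan10 disabled"))


def parse_igmpproxy_conf(text):
    """Map phyint name -> {'role': upstream|downstream|disabled, 'altnets': [...]}.

    Tokens are handled whether they share the phyint line or follow it on
    their own lines, which is how pfSense writes the file.
    """
    ifaces = {}
    current = None
    for raw in text.splitlines():
        tokens = raw.split("#", 1)[0].split()      # drop comments, tokenize
        i = 0
        while i < len(tokens):
            tok = tokens[i]
            if tok == "phyint":
                current = {"role": "disabled", "altnets": []}
                ifaces[tokens[i + 1]] = current
                i += 2
            elif tok in ("upstream", "downstream", "disabled") and current:
                current["role"] = tok
                i += 1
            elif tok == "altnet" and current:
                current["altnets"].append(tokens[i + 1])
                i += 2
            elif tok in ("ratelimit", "threshold"):
                i += 2                               # value follows; not needed here
            else:
                i += 1                               # quickleave or unknown token
    return ifaces


def enumerated_interfaces(debug_output):
    """Non-loopback interface names from 'buildIfVc:' lines (these get VIFs)."""
    found = re.findall(
        r"buildIfVc: Interface (\S+) Addr: \S+, Flags: (0x[0-9a-fA-F]+)", debug_output)
    return {name for name, flags in found if not int(flags, 16) & IFF_LOOPBACK}


def diagnose(conf_text, debug_output):
    """Which configured interfaces get a VIF, and can the startup check pass?"""
    ifaces = parse_igmpproxy_conf(conf_text)
    vifs = enumerated_interfaces(debug_output)
    active = {n: c["role"] for n, c in ifaces.items() if c["role"] != "disabled"}
    missing = sorted(n for n in active if n not in vifs)
    upstream_ok = any(role == "upstream" and n in vifs for n, role in active.items())
    return {
        "vifs": sorted(vifs),
        "missing": missing,                 # configured but never enumerated
        "upstream_ok": upstream_ok,
        "starts": len(vifs) >= 2 and upstream_ok,
    }


if __name__ == "__main__":
    for label, conf in (("em1_vlan10 upstream", CONF_VLAN_UPSTREAM),
                        ("em3 upstream", CONF_PHYS_UPSTREAM)):
        print(label, "->", diagnose(conf, DEBUG_OUTPUT))
```

With the VLAN upstream the report lists both em1_vlan10 and em1_vlan100 as missing and "starts" is False, matching the stopped service; with em3 upstream it starts, but em1_vlan100 is still missing, so nothing would actually be forwarded toward that VLAN until the interface enumeration bug is fixed by upgrading.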
-
Yes, there was a bug in 2.3.X that prevented IGMP proxy running on VLAN interfaces. You can read about it in that bug link I posted above.
That's just another reason you should upgrade, that is fixed in current.
Steve