Netgate Discussion Forum

Solution for Multicast Over Tunnel

    CNLiberal, Mar 30, 2020, 4:28 PM (last edited Mar 30, 2020, 9:06 PM)

    I'm searching for a way to run my Roon music software on my Mac (Catalina) over the internet. The Roon software requires listening to MULTICAST traffic on a Subnet/VLAN. I've created several VLANs on my home network. I'm using the mdns caching capabilities of my switch to advertise those mdns announcements across the VLANs. This is working fine. From the switch to the pfSense box, I've got a separate VLAN on a /30 and am using OSPF between the devices to advertise the general 0.0.0.0/0 default information originate out from pfSense. This is also working correctly. What I'd like to do is figure out a way of getting that multicast traffic over a VPN to my Mac client. I was envisioning a VPN tunnel between my Mac client and the pfSense box and only allowing the single IP for my Roon Server (10.0.10.110). I do have OpenVPN server configured, but haven't found decent OpenVPN software for the Mac yet. Could also be IPSec, but getting multicast working over that would mean a GRE interface, and I've not found a GRE client for Mac either.

    Any help would be appreciated. Thanks!

    pfSense 2.7.2-RELEASE

    Dell R210 II
    Intel E3-1340 v2
    8GB RAM
    SSD ZFS Mirror
    Intel X520-DA2, RJ45 SFP+ (WAN) and 10Gb SFP+ DAC (LAN)
    1 x Cisco 3850 12XS-S (Core Switch)
    2 x Cisco 3750X PoE Gig Switch (Access Stack)
    3 x Cisco 2802i APs (Mobility Express)

      NogBadTheBad, Mar 30, 2020, 7:24 PM

      Could you not just create an IPSec mobile VPN connection and set the virtual IP address for the clients to be on the same subnet as the Roon server?

      https://docs.netgate.com/pfsense/en/latest/vpn/ipsec/configuring-an-ipsec-remote-access-mobile-vpn-using-ikev2-with-eap-mschapv2.html

      macOS supports IKEv2 without any need for any additional software.

      Andy

      1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

        CNLiberal (in reply to @NogBadTheBad), Mar 30, 2020, 7:35 PM

        @NogBadTheBad Thanks for the reply! Unfortunately, that will not work as pfSense isn't doing any routing for my VLANs. The switch is doing the routing between VLANs, which means pfSense doesn't live on that VLAN.

          NogBadTheBad, Mar 30, 2020, 7:38 PM

          @CNLiberal said in Solution for Broadcast Over Tunnel:

          my Mac client. I w

          Drat, I did quickly try it and I can see a couple of my devices via mDNS.

          andy@mac-pro ~ % dns-sd -B _afpovertcp._tcp .
          Browsing for _afpovertcp._tcp
          DATE: ---Mon 30 Mar 2020---
          20:36:08.752 ...STARTING...
          Timestamp A/R Flags if Domain Service Type Instance Name
          20:36:08.753 Add 3 4 local. _afpovertcp._tcp. nas
          20:36:08.753 Add 2 4 local. _afpovertcp._tcp. timecapsule
          ^C
          andy@mac-pro ~ %

          Andy

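Added example, not part of any post in this thread: the `dns-sd -B` browse above boils down to a PTR query sent to the mDNS group, and this sketch builds that query, sends it out one chosen interface (for instance the VPN address) and parses the replies, so you can check whether the multicast query actually crosses the tunnel. The function names and the `local_ip` parameter are choices made for this example; the service type is the one browsed above.

```python
import socket
import struct

MDNS = ("224.0.0.251", 5353)  # IPv4 mDNS group and port (RFC 6762)
PTR, IN = 12, 1               # DNS record type PTR, class IN

def build_ptr_query(service):
    """DNS-SD browse query: ID 0, no flags, one PTR question for `service`."""
    labels = [p.encode("ascii") for p in service.split(".") if p]
    qname = b"".join(bytes([len(p)]) + p for p in labels) + b"\x00"
    return struct.pack("!6H", 0, 0, 1, 0, 0, 0) + qname + struct.pack("!2H", PTR, IN)

def read_name(msg, off, depth=0):  # -> (decoded name, offset just after it)
    labels = []
    while (n := msg[off]):
        if n & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if depth > 8:     # replies are untrusted input: refuse pointer loops
                raise ValueError("compression pointer loop")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            return ".".join(labels + [read_name(msg, ptr, depth + 1)[0]]), off + 2
        labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace"))
        off += 1 + n
    return ".".join(labels), off + 1

def ptr_answers(msg):  # -> names carried by PTR records in the answer section
    qd, an = struct.unpack("!6H", msg[:12])[2:4]
    off, found = 12, []
    for _ in range(qd):
        off = read_name(msg, off)[1] + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        off = read_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == PTR:
            found.append(read_name(msg, off + 10)[0])
        off += 10 + rdlen
    return found

def browse(service, local_ip, wait=2.0):
    """Query via the interface owning local_ip; return (responder, name) pairs."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF, socket.inet_aton(local_ip))
    s.settimeout(wait)
    s.sendto(build_ptr_query(service), MDNS)
    found = []
    try:
        while True:  # the source port is not 5353, so responders answer by unicast
            data, peer = s.recvfrom(9000)
            found += [(peer[0], name) for name in ptr_answers(data)]
    except socket.timeout:
        return found
```

Call `browse("_afpovertcp._tcp.local", "<address of the VPN interface>")` on the client; an empty list over the tunnel, where the same call on the LAN returns instances, means the multicast query is not being carried across. Because replies to this kind of query come back by unicast, the check covers the client-to-LAN multicast direction only.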
            JKnott (in reply to @CNLiberal), Mar 30, 2020, 8:28 PM

            @CNLiberal

            Apparently, you have a bit to learn about networks. First off, there is OpenVPN TAP mode, which is essentially a bridge. Also, it makes no difference whether IPSec, OpenVPN or PPP over frame relay. An IP path is an IP path, no matter what's underneath. It just means you have to set up appropriate routing. Also, broadcasts are not routable, but multicasts may be. Find out what you actually need and go from there. If you use a TUN VPN, you will need routing and configuring for multicast.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

              CNLiberal (in reply to @JKnott), Mar 30, 2020, 9:05 PM

              @JKnott I appreciate the response. However, I do not appreciate the tone in which you responded. I've got experience in networking that I won't go into here, and even if I didn't, your answer wouldn't get anyone seeking help any closer to their solution.

              I currently am using pfSense's OpenVPN server in TUN mode. I suppose I could set up a TAP server on a different port (1195 maybe?) and get that bridged mode VPN. I suppose I'd need the Avahi daemon listening on the "LAN" side of pfSense and spitting out the mDNS announcements on the OpenVPN TAP server side. I've got no idea if that would even work. I was hoping someone could give me some direction in that regard.

              My original thought was to set up GRE over my current OpenVPN server while creating a GRE interface on my MacBook. However, it looks like Apple gave up on GRE interfaces a while ago. Part of my question was about GRE for Mac, and I was hoping someone out there had better Google-Fu than I.

              Another part of my original post was in regard to OpenVPN software that's reliable on a Mac. I was using Tunnelblick, and one of the issues I'd encountered was it wouldn't actually route traffic. I've asked on this forum if anyone ran into that issue, and was told to "pay for software" and not rely on free software (which is ironic considering pfSense is offered free).

              I suppose I did word the title poorly and I'm now going to fix that, if the forum allows it.

              Good day.

                dotdash (in reply to @CNLiberal), Mar 30, 2020, 10:27 PM (last edited Mar 30, 2020, 10:28 PM)

                @CNLiberal said in Solution for Multicast Over Tunnel:

                haven't found decent OpenVPN software for the Mac yet.

                On this point, the client linked on this page from the OpenVPN Access server docs, in my experience, works fine with an OpenVPN server on pfSense. Just import the standard config. I have not tried this with a tap connection. I used the 2.7 version, and haven't tested the 3.1 beta. The page also mentions alternate clients.
                https://openvpn.net/vpn-server-resources/connecting-to-access-server-with-macos/
