How to make multicast work within the OpenVPN tunnel network?
-
I see both IPv4 & IPv6 multicast with stuff like printers, multiDNS, some Chrome device looking for something etc. What service are you having issues with? The things I see won't normally be passed by a router and also are not coming from your VPN interface. For example, I see at least 2 different IPv4 source addresses. I can see something from FreeBSD at 10.0.1.1, which I assume is your pfSense box and I also see an IPv6 link local address for an MDNS request, which happens to have the same MAC address as that FreeBSD box.
So, what are you seeing on the LAN side, but not elsewhere? Please only attach the files here and not use some external site, as I won't go to them.
Also, you don't need pastebin, Dropbox or anything other than attaching the files here. I had no problem reading the files you posted here, but Dropbox wants me to download the file first etc. When you capture a file with Packet Capture, you save it to your computer and then click on the upload file button, above at right.
-
@JKnott said in How to make multicast work within the OpenVPN tunnel network?:
I see both IPv4 & IPv6 multicast with stuff like printers, multiDNS, some Chrome device looking for something etc. What service are you having issues with? The things I see won't normally be passed by a router and also are not coming from your VPN interface. For example, I see at least 2 different IPv4 source addresses. I can see something from FreeBSD at 10.0.1.1, which I assume is your pfSense box and I also see an IPv6 link local address for an MDNS request, which happens to have the same MAC address as that FreeBSD box.
So, what are you seeing on the LAN side, but not elsewhere? Please only attach the files here and not use some external site, as I won't go to them.
Also, you don't need pastebin, Dropbox or anything other than attaching the files here. I had no problem reading the files you posted here, but Dropbox wants me to download the file first etc. When you capture a file with Packet Capture, you save it to your computer and then click on the upload file button, above at right.
Just concentrate on the IP addresses that I posted on my earlier post. Like I said, I don't have issues with my other devices in the LAN. I just showed you that there is indeed multicast traffic coming from both sides (pfsense server and client) whether they are using the VPN connection or not. Specifically, concentrate on source IP addresses 10.0.1.1 (pfsense openvpn interface) and 10.0.1.101 (client openvpn interface).
So on the LAN side, I see packets from the client (with source IP: 192.168.10.13 and destination socket: 239.255.255.250:1900) reaching the LAN interface in pfsense. But with openvpn, I see these same "M-SEARCH" packets (src ip: 10.0.1.101 and destination socket: 239.255.255.250:1900) being generated from the client side but not reaching the openvpn interface. Did you read the github link I sent you? Thomas (author of upnp) says it there too.
Not sure what kind of proof you want from me when I said that .cap files are not supported for direct attachment to this site and is the reason why I used dropbox. Here's a screenshot of the error:
So there's no other way for me to upload those .cap files that I downloaded from pfsense other than what I have, dropbox.
-
If it helps, apply this wireshark filter on packetcapture_client_1:
(ip.src == 192.168.10.1 || ip.src == 192.168.10.13) and ip.dst == 239.255.255.250
And this filter on packetcapture_client_2:
(ip.src == 10.0.1.1 || ip.src == 10.0.1.101) and ip.dst == 239.255.255.250
-
You can also use this as a miniupnp test client: https://github.com/miniupnp/miniupnp/releases/download/miniupnpc_2_1/win32-miniupnpc-2.1.zip
Just run
upnpc-static.exe -s
in the cmd prompt to see if upnp is working. This test client also generates M-SEARCH method SSDP packets (which again are not reaching the openvpn server interface).
-
@kevindd992002 said in How to make multicast work within the OpenVPN tunnel network?:
destination socket: 10.0.1.1:1900
That's not a multicast address, nor is 192.168.10.1:1900. Multicast destination addresses are in the 224. to 239. range on IPv4 and ffxx: on IPv6.
As for the file extension, this site can be fussy. A while ago we had to get the native Packet Capture PCAP files accepted. A workaround is to rename the extension to pcap or pcapng.
-
@JKnott said in How to make multicast work within the OpenVPN tunnel network?:
@kevindd992002 said in How to make multicast work within the OpenVPN tunnel network?:
destination socket: 10.0.1.1:1900
That's not a multicast address, nor is 192.168.10.1:1900. Multicast destination addresses are in the 224. to 239. range on IPv4 and ffxx: on IPv6.
As for the file extension, this site can be fussy. A while ago we had to get the native Packet Capture PCAP files accepted. A workaround is to rename the extension to pcap or pcapng.
I'm sorry, it was 3AM when I posted my last reply earlier and that was a typo. I edited my last post. It's supposed to read:
(src IP: 192.168.10.13 and destination socket: 239.255.255.250:1900)
(src ip: 10.0.1.101 and destination socket: 239.255.255.250:1900)
And this coincides with my post regarding the Wireshark filters.
As for the packet capture files, here you go:
- Without OpenVPN:
  Packet capture from pfsense LAN interface: packetcapture_server_1.pcap
  Packet capture from client LAN interface: packetcapture_client_1.pcapng
  - Server (192.168.10.1) sends multicast packet (NOTIFY method) to 239.255.255.250 and client receives it
  - Client (192.168.10.13) sends multicast packet (M-SEARCH method) to 239.255.255.250 and server receives it
- With OpenVPN:
  Packet capture from pfsense OpenVPN interface: packetcapture_server_2.pcap
  Packet capture from client OpenVPN interface: packetcapture_client_2.pcapng
  - Server (10.0.1.1) sends multicast packet (NOTIFY method) to 239.255.255.250 and client receives it
  - Client (10.0.1.101) sends multicast packet (M-SEARCH method) to 239.255.255.250 and server DOES NOT RECEIVE it
If it helps, my OpenVPN remote access server settings are posted here: https://forum.netgate.com/post/911141
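
Added example, not part of the original post or of pfSense/miniupnp: a small Python check that automates the capture comparison described above by listing which SSDP senders and methods appear in one side's capture but not the other's. It assumes classic pcap files (pcapng must be converted first) and IPv4 only; the function names and the two sample captures are constructed for illustration.

```python
import socket
import struct

SSDP_GROUP, SSDP_PORT = "239.255.255.250", 1900
LINK_HDR = {0: 4, 1: 14, 101: 0}  # bytes before the IP header: BSD null, Ethernet, raw IP
MAGIC = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # classic pcap byte order

def ssdp_flows(pcap):
    """Return {(source IP, SSDP method)} for IPv4/UDP datagrams sent to the SSDP group."""
    if pcap[:4] not in MAGIC:
        raise ValueError("not a classic pcap file (convert pcapng first)")
    end = MAGIC[pcap[:4]]
    skip = LINK_HDR[struct.unpack_from(end + "I", pcap, 20)[0]]
    flows, pos = set(), 24
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack_from(end + "I", pcap, pos + 8)[0]
        ip = pcap[pos + 16 + skip:pos + 16 + incl_len]
        pos += 16 + incl_len
        ihl = (ip[0] & 0x0F) * 4 if ip else 0
        if len(ip) < max(ihl, 20) + 8 or ip[0] >> 4 != 4 or ip[9] != 17:
            continue  # truncated, or not IPv4/UDP (IPv6 SSDP is out of scope here)
        dst, dport = socket.inet_ntoa(ip[16:20]), struct.unpack_from("!H", ip, ihl + 2)[0]
        if (dst, dport) == (SSDP_GROUP, SSDP_PORT):
            method = ip[ihl + 8:].split(b" ", 1)[0].decode("ascii", "replace")
            flows.add((socket.inet_ntoa(ip[12:16]), method))
    return flows

def not_received(sender_pcap, receiver_pcap):
    """Flows present in the sender-side capture but absent from the receiver-side one."""
    return sorted(ssdp_flows(sender_pcap) - ssdp_flows(receiver_pcap))

def _pcap(*pkts):
    """Build a constructed raw-IP pcap from (source IP, method) pairs; checksums left at 0."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 101)
    for src, method in pkts:
        data = (method + " * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n\r\n").encode()
        udp = struct.pack("!HHHH", 50000, SSDP_PORT, 8 + len(data), 0) + data
        iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 1, 17, 0,
                          socket.inet_aton(src), socket.inet_aton(SSDP_GROUP))
        out += struct.pack("<IIII", 0, 0, 20 + len(udp), 20 + len(udp)) + iph + udp
    return out

# Constructed captures mirroring the "With OpenVPN" case: the server never sees M-SEARCH.
CLIENT_CAP = _pcap(("10.0.1.1", "NOTIFY"), ("10.0.1.101", "M-SEARCH"))
SERVER_CAP = _pcap(("10.0.1.1", "NOTIFY"))
```

On real captures, read each file's bytes and pass the client-side capture as the sender and the server-side capture as the receiver; an empty result means everything sent to the SSDP group on one side was also seen on the other.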
-
I just did a search and came across this: How to get multicast to work with OpenVPN clients?
See the comments about using an IGMP proxy.
-
@JKnott said in How to make multicast work within the OpenVPN tunnel network?:
I just did a search and came across this: How to get multicast to work with OpenVPN clients?
See the comments about using an IGMP proxy.
See my first post. IGMP proxies are not needed because I don't want to make the multicast traffic to LAN behind the pfsense openvpn server. I only need the multicast traffic from the client to reach the openvpn server interface which are both on the same network (the tunnel network).
-
@JKnott any other ideas?
-
No.