Netgate Discussion Forum

    Multicast security best practice

    • q54e3w

      I was thinking of moving some security cameras and display devices into a multicast group to reduce multiple unicast streams, more out of learning curiosity than anything.
      Assume I move this traffic from say 192.168.x.0/24 and create a local unicast group 225.168.x.0/24, is there a need and/or benefit to firewall that subnet from others to prevent malicious actors trying to register as part of that multicast group?

      • johnpoz LAYER 8 Global Moderator

        @q54e3w said in Multicast security best practice:

        move this traffic from say 192.168.x.0/24 and create a local unicast group 225.168.x.0/24

        Huh? The multicast stream being done by the camera would have nothing to do with their normal IPv4 address.. You wouldn't assign the camera a multicast address vs its normal address.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07 | Lab VMs 2.8, 25.07

        • q54e3w

          I have several displays that each camera streams to, in each camera there’s an option to enter a multicast address you broadcast on. I assume the receivers listen to this broadcast address instead of the regular address which is probably used for management and configuration still.
          Does this multicast address need firewalling like a regular address range?

          Maybe I’m not understanding!?

          • johnpoz LAYER 8 Global Moderator

            Sure.. But that would have nothing to do with the camera's normal IPv4 address.. You stated "move this traffic from say 192.168.x.0/24" like you were going to change the device's IPv4 address to a multicast address.. You wouldn't do that - the device still needs its normal IPv4 address.

            What multicast address space you want to use for multicast traffic has nothing to do with that.

            As to anything you would do on pfsense.. Nothing.. devices on the same L2 talking multicast to each other would have nothing to do with pfsense.

            Also not sure why you would use anything in 225, that is reserved multicast space.. If you want to create multicast groups, does your switch(es) support IGMP snooping, or wireless?

            I would assume your camera's talking multicast anyway.. There is no reason to specify which group they are on (via address) unless you have multiple multicast streams on this L2 network, and you're wanting to have your switching infrastructure limit which devices see what streams by allowing the devices to join a specific group..

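
As an added example (not part of the thread and not written by either poster), the sketch below checks candidate group addresses for camera streams against selected blocks of the IANA IPv4 multicast registry (RFC 5771) and derives the Ethernet multicast MAC each group maps to. The stream names and addresses are constructed; the MAC mapping goes beyond what the thread covers and is included because layer 2 equipment sees groups by that MAC.

```python
import ipaddress
from collections import defaultdict

# Selected blocks from the IANA IPv4 multicast registry (RFC 5771).
BLOCKS = [
    ("224.0.0.0", "224.0.0.255", "local network control"),
    ("225.0.0.0", "231.255.255.255", "reserved"),
    ("232.0.0.0", "232.255.255.255", "source-specific multicast"),
    ("239.0.0.0", "239.255.255.255", "administratively scoped"),
]

def classify(group):
    """Return the registry block a configured group address falls in."""
    ip = ipaddress.IPv4Address(group)
    if not ip.is_multicast:  # outside 224.0.0.0/4, e.g. the device's own address
        return "not multicast"
    for first, last, label in BLOCKS:
        if ipaddress.IPv4Address(first) <= ip <= ipaddress.IPv4Address(last):
            return label
    return "other IANA-managed block"

def ethernet_mac(group):
    """Map an IPv4 group to its Ethernet MAC (01:00:5e + low 23 bits of the group)."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)

def mac_collisions(streams):
    """Streams whose groups share one MAC cannot be told apart by destination MAC."""
    by_mac = defaultdict(list)
    for name, group in streams.items():
        if classify(group) != "not multicast":
            by_mac[ethernet_mac(group)].append(name)
    return {mac: sorted(names) for mac, names in by_mac.items() if len(names) > 1}

# Constructed sample configuration (hypothetical stream names and addresses).
STREAMS = {
    "cam-front": "225.168.1.10",  # the 225 space discussed in the thread
    "cam-rear": "239.168.1.10",
    "cam-gate": "239.40.2.20",
    "cam-typo": "192.168.1.10",   # a unicast address entered by mistake
}

if __name__ == "__main__":
    for name, group in STREAMS.items():
        kind = classify(group)
        mac = ethernet_mac(group) if kind != "not multicast" else "-"
        print(f"{name:10} {group:15} {kind:25} {mac}")
    print("shared MACs:", mac_collisions(STREAMS))
```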
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.