Multicast
-
So the problem is that Pfsense do not like multicast.
I understand...
We configure multicast traffic on the switches for example for AoIP purposes (IGMP snooping thus, traffic on the same subnet does not need to reach the router).
f.e.:
or
or
BTW:
Exactly what multicast routing function you want to implement?Cats bury it so they can't see it!
(You know what I mean if you have a cat) -
To answer that first a rough outline of my network
- I have two "core switches" one for 1G one for "10G" each carrying multiple vlans
- in the center pfSense as router and firewall
- in the rooms small (5/ 8 -port) Netgear managed switches
- the network is divided in “security-zones” implemented with vlans
In the RedZone my server, among other things hosting my (twonky)media-server. In the PC-zone, Guest-zone, and IoT-zone equipment like Hifi-receivers and media-players.
PIMD should use the IGMP-messages to build routing tables and to forward the multicast broadcast / response messages. If that is successful the Twonky and the “media-devices” know each other. And of course the result is unicast info and data (stream) exchange, which should be allowed by the FW-rules (and if applicable NAT-rules).
That is it
Additional, but necessary in a small network, the switches should be configured for IGMP-snooping, to prevent lots of unnecessary messages.
That is of cause that is my situation, I do not know what @hsv wants to accomplish
Louis
-
@louis2 said in Multicast:
@louis2 "To answer that first a rough outline of my network"nice system, but it's just in your house
Additional, but necessary in a small network,
this Cisco installment makes up only 2-3% of our system...
At 18 radiostations, we serve nearly 300 colleagues in the AoIP system with the appropriate audio materials and broadcast the FM-UHF program from 24 telekom towers, within a radius of 350 km
(the entire system includes 44 voice VLANs, connected by 47 Cisco switches and 8 Brocade switches over fiber and Cat6, this is no small system)
DANTE protocol (https://www.audinate.com/)we never route the multicast traffic, only the core-switches the IGMP querier(s) in the system and control everything
BTW:
our own backbone network is 2x40G 2420Km fiber with IEEE 1588 Precision Time Protocol (PTP) across the networkI've been crying a lot about multicast, since the system latency can't be more than 1-2ms everywhere
(routers raise this value to the skies)+++edit:
I work with these multicast addresses / ports..
-
If multicast is in and stays(!) in a dedicated vlan, it is not necessary to send it through a router. And I agree completely, you should not do that because of the added latency.
However, if the multicast source is in a different vlan as the multicast receiver/destination, than you need to route that. And that will probably be at the users premises and not in the telecom network.
Note that my provider is sending the TV-streams in a different vlan than the internet, and that the set-top-box is supposed to be connected to that tv-vlan.
Louis
-
-
Note that my provider is sending the TV-streams in a different vlan than the internet, and that the set-top-box is supposed to be connected to that tv-vlan.
The way I take that... Is you should split that traffic at layer 2 when it comes in. So your STB would not be behind the layer 3 device..
Now keep in mind only half way through my first cup of coffee but would you do something like this..
Where you split the L2 networks before pfsense.
-
John,
I think the same with one small difference, being that the Ls2-switch is inside the ISP-device.
Not 100% sure, because I have internet and telephone from the ISP and television from the Cable.
Louis
-
To be even more precise, I have the lan-connection(s) from the ISP-device connected to my 1G-coreswitch. At the entrance port of that switch the lan is transformated to a vlan (PID=internet-vlan-no).
The Internet VLAN is entering pfSense, the TV-vlan (if present), is passing pfSense / stays level2.
Louis
-
is passing pfSense / stays level2.
Doesn't work that way, pfsense is a layer 3 device. Pfsense is not going to pass on vlan tags.. Nor layer 2 traffic..
Sniffing on pfsense is seeing the vlan traffic.. Then put switch in front of pfsense to send the STB vlan to the devices that are suppose to be on that vlan..
-
My problem is that it is mail traffic that's coming in and goes to a loadbalancer (MS) this loadbalancer use multicast.
So the router need to communicate to this multicast unit.I have tried to look into HAProxy, whit absolut not succes. The documentation I have found do not help me at all.
So if som body can point med to a HAproxy description, where you have one front ip number with multiple Ports to 2 or more servers in the backend that could help, as I cannot see pfsense handle this multicast problem.
Regards
Henning -
John, I know. The description of my network was over simplified. pfSense is not really in the middle of the 1G and 10G core switches.
I have a 1G-network towards most rooms and towards the ISP-device. That network is handled by the 1G-core. And I have a 10G network which connects my server, my nas and my main-PC.
Both (physical) networks are connected to pfSense for routing between the VLANs independent from the fact if they are located in the 1G or in the 10G domain.
pfSense is connected to the 1G-switch via a 1G-lagg and connected to the 10G-switch via a 10G-up and a 10G-down link. However there is also a direct (physical) connection between those two switches.
To take the TV-VLAN as example, is a vlan starting at the ISP-device, passing the 1G-core ending on one of the small Netgear switches in the living room.
Louis
-
-
Ok that makes sense.
To be honest I have no idea what @hsv is talking about.. Load balancer that uses multicast??
For example
host with multicast 192.168.0.10 it do not reply.
That is NOT a multicast address.. So I have a funny suspicion there is some misuse of terms going on.
-
-
Maybe if he sends some traffic to this device at 192.168.0.10, it multicasts the traffic that is sends on?
@hsv really going to need a bit more info.. What is this device, or what software are you running on 192.168.0.10.. What sort of traffic is it?
If you can not arp from pfsense, for this 192.168.0.10 address - then no your never going to be able to send it traffic.. To do anything with..
From the out side I have 4 NAT rules to direct the trafic to 192.168.0.10
Can you post those, so we can maybe glean some insight into what your trying to do exactly.
-
-
Hi
Yes the diagram is correct, but I only have 4 WAN, but I guess the problem will be the same.And yes pfsense can not resolve it to a MAC adresse.
Why I do not know.I have no problem on a windows client make arp -a and see the mac address to be:
03-bf-c0-a8-0b-e1Regards
Henning -
If pfsense can not arp then you have a connectivity issue..
How do you have this actually connected to pfsense.
If what your trying to do is the above, that has ZERO to do with multicast and pfsense.. What you loadbalancer does with unicast your traffic coming from the internet has nothing to do with pfsense talking to the LB..
You need to figure out what the problem is with basic connectivity from pfsense 192.168.0.1 and this IP at 192.168.0.10 which is your LB.. If pfsense can not even arp for that IP then they are not actually connected via the same L2 network, ie switch cable plugged into pfsense port?
How is 192.168.0.10 connected to this 192.168.0 network?
Now if this 192.168.0.10 is some sort of VIP? If pfsense can not arp for that IP, then it is impossible for it to send it traffic If your saying its just not arping - then setup a static arp entry for it on pfsense.. this 03-bf-c0-a8-0b-e1 mac
But there should be unicast mac for your cluster.. Why can you not use that?
Some details of how you have everything connected will help us help you.
-
Hi
How do I add a static arp to the arp list?
The setup is 3 virtual host where pfsense and a test windows server is placed on ESXi0 on ESXi1 and 2 the mail setup are running.
From the test server I can ping and resolve the LB but on Pfsense I cannot.So the network is working. I have for testing setup the Windows Test server with VLAN also so looked from VMware the 2 server are setup the same way.
Regards
Henning -
es the diagram is correct,
I used to deal with MS load balancer (especially multicast), long time ago...
(we always use a hardware base load balancer, HA proxy )but I am interested in this topic...
no this will not work under pfSense.... (100%)
bring the theme under linux...https://github.com/google/seesaw
