
Severe issues related to IGMP multicast traffic

louis2

I am using a multicast server which should bring, e.g., music to multiple VLANs.

The multicast server sends a broadcast 'I am here' and clients can reply 'I am interested in the stream'.

This protocol, IGMPv3, uses IPv4 addresses like:
224.0.0.1, 224.0.0.2, 224.0.0.22 and 239.255.255.0

These messages have to pass to the application distributing the multicast across multiple VLANs. PIMD is a well-known application for that.

However, there are multiple (pfSense) issues related to this process. I would like to mention the four most obvious ones here:

1. If there is a multicast client or server in a (V)LAN, that system will generate multicast addresses, e.g. to subscribe to a multicast stream. Those messages should not lead to alarms. However, they do (more on that under 3 and 4).
2. IGMP messages are normally not routable (they are restricted to the VLAN). However, in the case of a package intended to forward multicast to other VLANs, the firewall should allow the messages to pass to that application (that worked at least in the previous pfSense releases), but I am not sure about the current 2.8 or pfSense+ (beta) versions.
3. I defined pass rules, without logging, passing any IPv4/IPv6 type towards the 'any' address. However, those rules behave as a block rule with logging for IGMP, which is absolutely not OK!!!
4. Trying to solve issue 3, I placed a rule in front of the rule described under 3 which should pass the mentioned IGMP addresses. To make that possible I checked 'Allow IP options' under Advanced.
   Even that did not remove the endless stream of multicast alarms in the log.

These points are really not OK and, even if you do not use a multicast server situated in another (V)LAN, very annoying.

I really hope Netgate takes action!

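The "pass rule behaves like a logged block for IGMP" symptom from points 3 and 4 is usually triaged from the filter log, so here is an added example of that triage; it is not code from the post above and not from pfSense or Netgate. It parses the comma-separated records pfSense's filterlog writes (the IPv4 field order is assumed from the documented filterlog layout: rule-number, sub-rule-number, anchor, tracker, real-interface, reason, action, direction, ip-version, tos, ecn, ttl, id, offset, flags, protocol-id, protocol-text, length, source, destination), keeps only blocked IGMP packets, tells link-local groups (224.0.0.0/24, never forwarded) apart from groups a multicast router such as pimd may forward, and prints the pf.conf form of the pass rule that would match them. The interface names and log lines are constructed for the example.

```python
"""Triage pfSense filterlog records for blocked IGMP traffic.

Added example, not code from the forum post or from pfSense/Netgate.
Assumes the IPv4 filterlog field layout (rule-number, sub-rule-number,
anchor, tracker, real-interface, reason, action, direction, ip-version,
tos, ecn, ttl, id, offset, flags, protocol-id, protocol-text, length,
source-address, destination-address, ...). Log lines are constructed.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

IGMP_PROTO = 2                                      # IP protocol number of IGMP
MCAST = ipaddress.ip_network("224.0.0.0/4")         # all IPv4 multicast
LINK_LOCAL = ipaddress.ip_network("224.0.0.0/24")   # never forwarded by a router

# Groups named in the post and what IGMP uses them for
GROUP_NAMES = {
    "224.0.0.1": "all-systems (general query target)",
    "224.0.0.2": "all-routers (IGMPv2 leave target)",
    "224.0.0.22": "all IGMPv3-capable routers (v3 membership reports)",
}

# Everything up to and including "filterlog[pid]: " is syslog framing
SYSLOG_PREFIX = re.compile(r"^.*?filterlog\[\d+\]:\s*")

# Constructed sample: three blocked IGMP packets on VLAN 10 (igb0.10) and one
# passed UDP stream packet on VLAN 20, which the triage must ignore.
SAMPLE_LOG = [
    "Jun  1 10:00:01 fw filterlog[8123]: 5,,,1000000103,igb0.10,match,block,in,4,0xc0,,1,0,0,none,2,igmp,40,192.168.10.20,224.0.0.22,20",
    "Jun  1 10:00:02 fw filterlog[8123]: 5,,,1000000103,igb0.10,match,block,in,4,0xc0,,1,0,0,none,2,igmp,36,192.168.10.1,224.0.0.1,16",
    "Jun  1 10:00:03 fw filterlog[8123]: 12,,,1000000200,igb0.20,match,pass,in,4,0x0,,64,1234,0,DF,17,udp,1316,192.168.20.7,239.255.255.0,5004,5004,1296",
    "Jun  1 10:00:04 fw filterlog[8123]: 5,,,1000000103,igb0.10,match,block,in,4,0xc0,,1,0,0,none,2,igmp,40,192.168.10.21,239.255.255.0,20",
]


@dataclass(frozen=True)
class IgmpEvent:
    tracker: str
    interface: str
    action: str
    direction: str
    src: str
    dst: str


def parse_line(line):
    """Return an IgmpEvent for an IPv4 IGMP record, else None."""
    fields = SYSLOG_PREFIX.sub("", line.strip(), count=1).split(",")
    if len(fields) < 20 or fields[8] != "4":
        return None                                  # IPv6 or truncated record
    if fields[15] != str(IGMP_PROTO):
        return None                                  # not IGMP
    return IgmpEvent(tracker=fields[3], interface=fields[4], action=fields[6],
                     direction=fields[7], src=fields[18], dst=fields[19])


def classify(dst):
    """Say whether a destination is a multicast group and whether it can be forwarded."""
    addr = ipaddress.ip_address(dst)
    if addr not in MCAST:
        return "not multicast"
    if addr in LINK_LOCAL:
        return "link-local, never forwarded"
    return "routable group, a multicast router (e.g. pimd) may forward it"


def summarize(lines):
    """Count blocked IGMP packets per (interface, group) with a description."""
    counts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev and ev.action == "block":
            counts[(ev.interface, ev.dst)] += 1
    return {key: (n, GROUP_NAMES.get(key[1], "group"), classify(key[1]))
            for key, n in counts.items()}


def pf_rule(interface):
    """pf.conf equivalent of a pfSense pass rule for IGMP on one interface.

    IGMPv2/v3 packets carry the IP Router Alert option (RFC 2236 / RFC 3376);
    pf blocks packets with IP options unless the matching rule has allow-opts,
    which is the 'Allow IP options' checkbox in the pfSense rule editor.
    """
    return f"pass in quick on {interface} proto igmp from any to {MCAST} allow-opts"


if __name__ == "__main__":
    for (iface, group), (n, name, kind) in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{iface} -> {group:15} x{n:<3} {name}; {kind}")
    print(pf_rule("igb0.10"))
```

Run it against a real `clog /var/log/filter.log` dump by replacing `SAMPLE_LOG`; a rule whose tracker ID keeps showing up as `block` for protocol 2 while the GUI shows it as a pass rule is the case to check for a missing 'Allow IP options', since that checkbox is what adds `allow-opts` to the generated pf rule.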
      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.