Netgate Discussion Forum
    Multicast through a VPN ?

    Scheduled Pinned Locked Moved IPsec
    10 Posts 3 Posters 13.6k Views
    • N
      normanu
      last edited by

      I'm running a VOIP server behind my pfSense firewall.
      I connect my office through IPSec to the pfSense firewall.

      IP range in the office is 192.168.1.0/24
      IP range behind pfSense is 192.168.2.0/24

      Now my office can reach the VoIP server without a problem, but my VoIP server can't do autoprovisioning on the 192.168.1.0 range (the phones are found with multicast).
      Is it possible to somehow multicast also on the 192.168.1.0 range?

      The IGMP proxy feature sounds like what I need, but I have no clue on how to configure it….

      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        IGMP Proxy (or in some cases Avahi) with OpenVPN would be the way to set that up. As to the particular settings, you'd set it up somewhat like so:

        server side <- upstream interface | downstream interface -> vpn … vpn <- upstream interface | downstream interface -> client side

        Listing the appropriate subnets along the way.

        You might need to use tap rather than tun for the VPN to make it work.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

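To make the upstream/downstream chain in the reply above concrete, here is an added example (not from this thread and not Netgate's own configuration) of the igmpproxy.conf that pfSense writes to /usr/local/etc/igmpproxy.conf from Services > IGMP Proxy, one per firewall. It assumes a routed OpenVPN tunnel on 10.0.8.0/24 whose tunnel interfaces ovpns1 and ovpnc1 are assigned as interfaces in pfSense, and LAN interfaces named em1 on both ends (placeholder names).

```text
# --- Server-side pfSense (VoIP server lives on 192.168.2.0/24) ---
# Constructed example. The multicast source is the VoIP server, so the
# LAN is the upstream side and the VPN is the downstream side.
quickleave

phyint em1 upstream ratelimit 0 threshold 1
    altnet 192.168.2.0/24

phyint ovpns1 downstream ratelimit 0 threshold 1

# --- Client-side pfSense (phones live on 192.168.1.0/24) ---
# Constructed example. Here the VPN is upstream. The altnet lines matter:
# igmpproxy discards multicast whose source address is outside the
# upstream interface's own subnet, and the source here is 192.168.2.x,
# not 10.0.8.x, so 192.168.2.0/24 has to be listed explicitly.
quickleave

phyint ovpnc1 upstream ratelimit 0 threshold 1
    altnet 192.168.2.0/24
    altnet 10.0.8.0/24

phyint em1 downstream ratelimit 0 threshold 1
```

On both firewalls the pass rules for IGMP and for the multicast group traffic need "Allow IP options" enabled, because IGMP membership reports carry the Router Alert IP option that pfSense drops by default. Keep the altnet list to the subnets that actually source multicast; every extra entry widens the set of hosts whose multicast the proxy will forward into the other site.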
        • N
          normanu
          last edited by

          Aha, ok, so this is not possible with IPSec? (It would be preferable, as my router on the office network only supports IPSec VPN.)
          I guess I'll have a look at how to set it up with OpenVPN.

          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            It wouldn't be possible with IPsec that I'm aware of. Maybe IPsec in transport mode + GIF tunnel, but it probably wouldn't support that either.

            • S
              silvertip257
              last edited by

              @normanu:

              Aha, ok, so this is not possible with IPSec? (It would be preferable, as my router on the office network only supports IPSec VPN.)
              I guess I'll have a look at how to set it up with OpenVPN.

              You might look into creating a GRE tunnel that rides your IPSec VPN Tunnel.
              More than one step, but it will accomplish what you're looking to do.

              Multicast can pass over GRE.

              Talk on these forums here (0).
              An apparent solution between a Vyatta node and a pfsense node (1).

              (0) https://forum.pfsense.org/index.php?topic=34755.0
              (1) http://xtropx.blogspot.com/2012/10/gre-between-vyatta-core-pfsense.html

              • N
                normanu
                last edited by

                It says in the other topic

                It depends on what you mean by "GRE over IPsec", really. IPsec in tunnel mode is really using the GRE protocol under the hood, but with its SPD matching and whatnot going on.

                Isn't it as easy as enabling it for the standard config?
                The problem is my other side….
                I have to find out how to start the GRE tunnel on my Fritz!box (if this is possible)

                • N
                  normanu
                  last edited by

                  @jimp:

                  IGMP Proxy (or in some cases Avahi) with OpenVPN would be the way to set that up. As to the particular settings, you'd set it up somewhat like so:

                  server side <- upstream interface | downstream interface -> vpn … vpn <- upstream interface | downstream interface -> client side

                  Listing the appropriate subnets along the way.

                  You might need to use tap rather than tun for the VPN to make it work.

                  I now have 2 pfSense machines running and am trying to get an OpenVPN VPN working with TAP. So far the VPN is running and I can ping the VPN interfaces,
                  but I can't ping the networks.

                  Server side

                  dev ovpns1
                  dev-type tap
                  dev-node /dev/tap1
                  writepid /var/run/openvpn_server1.pid
                  #user nobody
                  #group nobody
                  script-security 3
                  daemon
                  keepalive 10 60
                  ping-timer-rem
                  persist-tun
                  persist-key
                  proto udp
                  cipher AES-128-CBC
                  up /usr/local/sbin/ovpn-linkup
                  down /usr/local/sbin/ovpn-linkdown
                  local xxx.xxx.xxx.14
                  engine cryptodev
                  ifconfig 10.0.8.1 255.255.255.0
                  lport 1194
                  management /var/etc/openvpn/server1.sock unix
                  push "route 192.168.2.0 255.255.255.0"
                  route 192.168.1.0 255.255.255.0
                  secret /var/etc/openvpn/server1.secret

                  Client side

                  dev ovpnc1
                  dev-type tap
                  dev-node /dev/tap1
                  writepid /var/run/openvpn_client1.pid
                  #user nobody
                  #group nobody
                  script-security 3
                  daemon
                  keepalive 10 60
                  ping-timer-rem
                  persist-tun
                  persist-key
                  proto udp
                  cipher AES-128-CBC
                  up /usr/local/sbin/ovpn-linkup
                  down /usr/local/sbin/ovpn-linkdown
                  local 192.168.1.6
                  engine cryptodev
                  lport 0
                  management /var/etc/openvpn/client1.sock unix
                  remote xxx.xxx.xxx..14 1194
                  ifconfig 10.0.8.2 255.255.255.0
                  secret /var/etc/openvpn/client1.secret

                  If I add the route 192 etc. to the config, I get the following errors:

                  Feb 17 14:33:40 openvpn[54177]: OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
                  Feb 17 14:33:40 openvpn[54177]: OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.1.0

                  Not sure what I am doing wrong….

                  UPDATE:

                  I now followed this guide, http://www.virtualtothecore.com/en/create-a-stretched-lan-between-your-site-and-vcloud-using-pfsense/
                  With my IPSec VPN I had no packet loss and good ping times, with this I have the following,

                  Pinging 192.168.1.10 with 32 bytes of data:
                  Reply from 192.168.1.10: bytes=32 time=781ms TTL=64
                  Reply from 192.168.1.10: bytes=32 time=19ms TTL=64
                  Request timed out.
                  Request timed out.
                  Reply from 192.168.1.10: bytes=32 time=1038ms TTL=64
                  Reply from 192.168.1.10: bytes=32 time=20ms TTL=64
                  Request timed out.
                  Request timed out.
                  Request timed out.
                  Request timed out.
                  Request timed out.

                  Ping statistics for 192.168.1.10:
                      Packets: Sent = 11, Received = 4, Lost = 7 (63% loss),
                  Approximate round trip times in milli-seconds:
                      Minimum = 19ms, Maximum = 1038ms, Average = 464ms

                  • N
                    normanu
                    last edited by

                    I have come yet again a little closer!
                    The problem starts when bonding the network devices on the server side (the TAP with the LAN interface)
                    When bonding the interfaces …. BAM full packet loss...

                    Not sure yet how to solve this ....

                    UPDATE:

                    Someone here seems to have similar problems but on the LAGG interface….
                    https://forum.pfsense.org/index.php/topic,68069.0.html

                    • N
                      normanu
                      last edited by

                      I now tried again with TUN just to be sure I'm not crazy.
                      Everything is working fine, ping is good 20ms.

                      Then I tried switching back to bridged mode (changed the LAN interface to the same IP as the other network) and got an unstable connection again.
                      I set the verb to 8 and noticed that the connection drops and connects all the time, but I see no reason why …..

                      PS: Can the post be moved to the OpenVPN board?

                      • N
                        normanu
                        last edited by

                        I give up until someone comes with something to try, I can't figure it out ….  :'(

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.