Multicast through a VPN ?
-
I'm running a VOIP server behind my pfSense firewall.
I connect my office through IPSec to the pfSense firewall.IP range in the office is 192.168.1.0/24
IP range behind pfSense is 192.168.2.0/24Now my office can reach the Voip server without a problem, but my voip server can't do autoprovisioning on the 192.168.1.0 range (by which phones are found with Multicast)
Is it possible to somehow multicast also on the 192.168.1.0 range ?The IGMP proxy feature sounds like what I need, but I have no clue on howto configure it….
-
IGMP Proxy (or in some cases Avahi) with OpenVPN would be the way to set that up. As to the particular settings, you'd set it up somewhat like so:
server side <- upstream interface | downstream interface -> vpn … vpn <- upstream interface | downstream interface -> client side
Listing the appropriate subnets along the way.
You might need to use tap rather than tun for the VPN to make it work.
-
Aha ok so this is not possible with IPSec? (it would be preferable as my router on the office network only supports IPSec VPN)
I guess I'll have look in how to set it up with OpenVPN.
-
It wouldn't be possible with IPsec that I'm aware of. Maybe IPsec in transport mode + GIF tunnel, but it probably wouldn't support that either.
-
Aha ok so this is not possible with IPSec? (it would be preferable as my router on the office network only supports IPSec VPN)
I guess I'll have look in how to set it up with OpenVPN.You might look into creating a GRE tunnel that rides your IPSec VPN Tunnel.
More than one step, but it will accomplish what you're looking to do.Multicast can pass over GRE.
Talk on these forums here (0).
An apparent solution between a Vyatta node and a pfsense node (1).(0) https://forum.pfsense.org/index.php?topic=34755.0
(1) http://xtropx.blogspot.com/2012/10/gre-between-vyatta-core-pfsense.html
-
It says in the other topic
It depends on what you mean by "GRE over IPsec", really. IPsec in tunnel mode is really using the GRE protocol under the hood, but with its SPD matching and whatnot going on.
Is not as easy as enabling it for the standard config?
The problem is my other side….
I have to find out how to start the GRE tunnel on my Fritz!box (if this is possible)
-
IGMP Proxy (or in some cases Avahi) with OpenVPN would be the way to set that up. As to the particular settings, you'd set it up somewhat like so:
server side <- upstream interface | downstream interface -> vpn … vpn <- upstream interface | downstream interface -> client side
Listing the appropriate subnets along the way.
You might need to use tap rather than tun for the VPN to make it work.
I have now 2 pfSense machines running and trying to get a OpenVPN VPN working with TAP so far the VPN is running and I can ping the VPN interfaces.
But I can't ping the networks.Server side
dev ovpns1 dev-type tap dev-node /dev/tap1 writepid /var/run/openvpn_server1.pid #user nobody #group nobody script-security 3 daemon keepalive 10 60 ping-timer-rem persist-tun persist-key proto udp cipher AES-128-CBC up /usr/local/sbin/ovpn-linkup down /usr/local/sbin/ovpn-linkdown local xxx.xxx.xxx.14 engine cryptodev ifconfig 10.0.8.1 255.255.255.0 lport 1194 management /var/etc/openvpn/server1.sock unix push "route 192.168.2.0 255.255.255.0" route 192.168.1.0 255.255.255.0 secret /var/etc/openvpn/server1.secretClient side
dev ovpnc1 dev-type tap dev-node /dev/tap1 writepid /var/run/openvpn_client1.pid #user nobody #group nobody script-security 3 daemon keepalive 10 60 ping-timer-rem persist-tun persist-key proto udp cipher AES-128-CBC up /usr/local/sbin/ovpn-linkup down /usr/local/sbin/ovpn-linkdown local 192.168.1.6 engine cryptodev lport 0 management /var/etc/openvpn/client1.sock unix remote xxx.xxx.xxx..14 1194 ifconfig 10.0.8.2 255.255.255.0 secret /var/etc/openvpn/client1.secretIf I add the route 192 etc in the config, I get the following errors,
Feb 17 14:33:40 openvpn[54177]: OpenVPN ROUTE: OpenVPN needs a gateway parameter for a –route option and no default was specified by either --route-gateway or --ifconfig options
Feb 17 14:33:40 openvpn[54177]: OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.1.0Not sure what I am doing wrong….
UPDATE:
I now followed this guide, http://www.virtualtothecore.com/en/create-a-stretched-lan-between-your-site-and-vcloud-using-pfsense/
With my IPSec VPN I had no packet loss and good ping times, with this I have the following,Pinging 192.168.1.10 with 32 bytes of data:
Reply from 192.168.1.10: bytes=32 time=781ms TTL=64
Reply from 192.168.1.10: bytes=32 time=19ms TTL=64
Request timed out.
Request timed out.
Reply from 192.168.1.10: bytes=32 time=1038ms TTL=64
Reply from 192.168.1.10: bytes=32 time=20ms TTL=64
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.Ping statistics for 192.168.1.10:
Packets: Sent = 11, Received = 4, Lost = 7 (63% loss),
Approximate round trip times in milli-seconds:
Minimum = 19ms, Maximum = 1038ms, Average = 464ms
-
I have come yet again a little closer!
The problem starts when bonding the network devices on the server side (the TAP with the LAN interface)
When bonding the interfaces …. BAM full packet loss...Not sure yet how to solve this ....
UPDATE:
Someone here seems to have similar problems but on the LAGG interface….
https://forum.pfsense.org/index.php/topic,68069.0.html
-
I now tried again with TUN just to be sure I'm no crazy.
Everything is working fine, ping is good 20ms.Then tried switching back to bridged mode (changed LAN interface to same IP is other network) and unstable connection again.
I set the verb to 8 and noticed that the connection drops and connects all the time, but I see no reason why …..PS: Can the post be moved to the OpenVPN board?
-
I give up untill someone comes with something to try, I can't figure it out …. :'(
