Multicast through a VPN?



  • I'm running a VOIP server behind my pfSense firewall.
    I connect my office through IPSec to the pfSense firewall.

    IP range in the office is 192.168.1.0/24
    IP range behind pfSense is 192.168.2.0/24

    Now my office can reach the VoIP server without a problem, but my VoIP server can't do autoprovisioning on the 192.168.1.0 range (by which phones are found with multicast).
    Is it possible to somehow multicast also on the 192.168.1.0 range?

    The IGMP proxy feature sounds like what I need, but I have no clue on how to configure it…


  • Rebel Alliance Developer Netgate

    IGMP Proxy (or in some cases Avahi) with OpenVPN would be the way to set that up. As to the particular settings, you'd set it up somewhat like so:

    server side <- upstream interface | downstream interface -> vpn … vpn <- upstream interface | downstream interface -> client side

    Listing the appropriate subnets along the way.

    You might need to use tap rather than tun for the VPN to make it work.
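    The upstream/downstream layout sketched above, written out as an igmpproxy.conf for each pfSense box (igmpproxy is the daemon behind the pfSense IGMP Proxy package, which normally generates this file from the GUI). This is an added example, not from the thread or from pfSense's own generated files; the LAN interface names (em1) and the disabled WAN (em0) are assumptions, and the VPN interface names are the OpenVPN tap devices that appear in the posted configs (ovpns1 on the server, ovpnc1 on the client).

```conf
## --- Server-side pfSense (VoIP server lives on LAN 192.168.2.0/24) ---
## Assumed interface names: em1 = LAN, em0 = WAN, ovpns1 = OpenVPN tap to the office.
quickleave

## Upstream: the interface behind which the multicast source (the VoIP server) sits.
## altnet restricts accepted multicast sources to the VoIP subnet only.
phyint em1 upstream ratelimit 0 threshold 1
    altnet 192.168.2.0/24

## Downstream: IGMP joins arriving from the VPN side are proxied towards the
## upstream, and only the joined groups are forwarded into the tunnel.
phyint ovpns1 downstream ratelimit 0 threshold 1

## Keep igmpproxy off every interface that plays no part (WAN here).
phyint em0 disabled

## --- Office-side pfSense (phones live on LAN 192.168.1.0/24) ---
## Assumed interface names: em1 = LAN, em0 = WAN, ovpnc1 = OpenVPN tap to the server.
quickleave

## Upstream is now the tunnel. altnet is mandatory on this side: igmpproxy only
## accepts multicast sourced from the upstream interface's own subnet
## (10.0.8.0/24 here), and the VoIP server sends from 192.168.2.x.
phyint ovpnc1 upstream ratelimit 0 threshold 1
    altnet 192.168.2.0/24

## Downstream: the office LAN where the phones issue their IGMP joins.
phyint em1 downstream ratelimit 0 threshold 1
phyint em0 disabled
```

    Two things still have to be true for this to carry traffic: the firewall rules on the downstream and upstream interfaces must pass IGMP and the multicast destination range (224.0.0.0/4), and in pfSense those rules need the advanced "Allow IP options" setting enabled, because IGMP packets carry the Router Alert IP option and are dropped otherwise. The altnet lines are the least-privilege knob here: without them igmpproxy either rejects the VoIP server's packets (office side) or, if widened to 0.0.0.0/0, would proxy any multicast source that reaches the upstream.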



  • Aha ok, so this is not possible with IPSec? (It would be preferable, as my router on the office network only supports IPSec VPN.)
    I guess I'll have a look at how to set it up with OpenVPN.


  • Rebel Alliance Developer Netgate

    It wouldn't be possible with IPsec that I'm aware of. Maybe IPsec in transport mode + GIF tunnel, but it probably wouldn't support that either.



  • @normanu:

    Aha ok, so this is not possible with IPSec? (It would be preferable, as my router on the office network only supports IPSec VPN.)
    I guess I'll have a look at how to set it up with OpenVPN.

    You might look into creating a GRE tunnel that rides your IPSec VPN Tunnel.
    More than one step, but it will accomplish what you're looking to do.

    Multicast can pass over GRE.

    Talk on these forums here (0).
    An apparent solution between a Vyatta node and a pfsense node (1).

    (0) https://forum.pfsense.org/index.php?topic=34755.0
    (1) http://xtropx.blogspot.com/2012/10/gre-between-vyatta-core-pfsense.html



  • It says in the other topic

    It depends on what you mean by "GRE over IPsec", really. IPsec in tunnel mode is really using the GRE protocol under the hood, but with its SPD matching and whatnot going on.

    Is it not as easy as enabling it for the standard config?
    The problem is my other side…
    I have to find out how to start the GRE tunnel on my Fritz!Box (if this is possible).



  • @jimp:

    IGMP Proxy (or in some cases Avahi) with OpenVPN would be the way to set that up. As to the particular settings, you'd set it up somewhat like so:

    server side <- upstream interface | downstream interface -> vpn … vpn <- upstream interface | downstream interface -> client side

    Listing the appropriate subnets along the way.

    You might need to use tap rather than tun for the VPN to make it work.

    I now have 2 pfSense machines running and am trying to get an OpenVPN VPN working with TAP. So far the VPN is running and I can ping the VPN interfaces,
    but I can't ping the networks.

    Server side

    
    dev ovpns1
    dev-type tap
    dev-node /dev/tap1
    writepid /var/run/openvpn_server1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local xxx.xxx.xxx.14
    engine cryptodev
    ifconfig 10.0.8.1 255.255.255.0
    lport 1194
    management /var/etc/openvpn/server1.sock unix
    push "route 192.168.2.0 255.255.255.0"
    route 192.168.1.0 255.255.255.0
    secret /var/etc/openvpn/server1.secret 
    
    

    Client side

    
    dev ovpnc1
    dev-type tap
    dev-node /dev/tap1
    writepid /var/run/openvpn_client1.pid
    #user nobody
    #group nobody
    script-security 3
    daemon
    keepalive 10 60
    ping-timer-rem
    persist-tun
    persist-key
    proto udp
    cipher AES-128-CBC
    up /usr/local/sbin/ovpn-linkup
    down /usr/local/sbin/ovpn-linkdown
    local 192.168.1.6
    engine cryptodev
    lport 0
    management /var/etc/openvpn/client1.sock unix
    remote xxx.xxx.xxx.14 1194
    ifconfig 10.0.8.2 255.255.255.0
    secret /var/etc/openvpn/client1.secret 
    
    

    If I add the route 192 etc in the config, I get the following errors,

    Feb 17 14:33:40 openvpn[54177]: OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
    Feb 17 14:33:40 openvpn[54177]: OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.1.0

    Not sure what I am doing wrong…

    UPDATE:

    I now followed this guide, http://www.virtualtothecore.com/en/create-a-stretched-lan-between-your-site-and-vcloud-using-pfsense/
    With my IPSec VPN I had no packet loss and good ping times, with this I have the following,

    Pinging 192.168.1.10 with 32 bytes of data:
    Reply from 192.168.1.10: bytes=32 time=781ms TTL=64
    Reply from 192.168.1.10: bytes=32 time=19ms TTL=64
    Request timed out.
    Request timed out.
    Reply from 192.168.1.10: bytes=32 time=1038ms TTL=64
    Reply from 192.168.1.10: bytes=32 time=20ms TTL=64
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.

    Ping statistics for 192.168.1.10:
        Packets: Sent = 11, Received = 4, Lost = 7 (63% loss),
    Approximate round trip times in milli-seconds:
        Minimum = 19ms, Maximum = 1038ms, Average = 464ms
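    For the route error in the post above, the log line itself names the missing piece. In tap mode the second argument of `ifconfig` is a netmask, not a peer address, so OpenVPN cannot derive a gateway for `route` the way it does from a tun point-to-point `ifconfig`; the gateway has to be supplied with `route-gateway` or as the third argument of `route` (`route network netmask [gateway] [metric]`). The following is an added fragment, not the poster's configuration: it assumes the rest of the posted server and client files stay as they are and only replaces their ifconfig/route lines, with the 10.0.8.x addresses taken from those files.

```conf
## Server side (tap, static key) - added example fragment, assumed to replace
## the ifconfig/route lines of the posted server config; everything else unchanged.
dev-type tap
ifconfig 10.0.8.1 255.255.255.0
## Option A: one default gateway (the peer's tap address) for every route line
route-gateway 10.0.8.2
route 192.168.1.0 255.255.255.0
## Option B: the gateway given per route instead of globally
## route 192.168.1.0 255.255.255.0 10.0.8.2

## Client side - mirror image, the gateway is the server's tap address.
## An explicit route is used here rather than relying on the server's push.
dev-type tap
ifconfig 10.0.8.2 255.255.255.0
route-gateway 10.0.8.1
route 192.168.2.0 255.255.255.0
```

    This only applies to the routed tap setup that produced the error. Once the tap interface is bridged into the LAN, as in the stretched-LAN guide linked above, both LANs form one broadcast domain and these `route` lines are not used at all.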



  • I have come yet again a little closer!
    The problem starts when bonding the network devices on the server side (the TAP with the LAN interface)
    When bonding the interfaces …. BAM full packet loss...

    Not sure yet how to solve this ....

    UPDATE:

    Someone here seems to have similar problems but on the LAGG interface….
    https://forum.pfsense.org/index.php/topic,68069.0.html



  • I now tried again with TUN just to be sure I'm not crazy.
    Everything is working fine, ping is good, 20ms.

    Then I tried switching back to bridged mode (changed the LAN interface to the same IP as the other network) and got an unstable connection again.
    I set the verb to 8 and noticed that the connection drops and connects all the time, but I see no reason why…

    PS: Can the post be moved to the OpenVPN board?



  • I give up until someone comes with something to try, I can't figure it out…  :'(