Multicast through a VPN?
-
I'm running a VoIP server behind my pfSense firewall.
I connect my office through IPsec to the pfSense firewall. The IP range in the office is 192.168.1.0/24.
The IP range behind pfSense is 192.168.2.0/24. Now my office can reach the VoIP server without a problem, but my VoIP server can't do autoprovisioning on the 192.168.1.0 range (by which phones are found with multicast).
Is it possible to somehow multicast also on the 192.168.1.0 range? The IGMP proxy feature sounds like what I need, but I have no clue how to configure it…
-
IGMP Proxy (or in some cases Avahi) with OpenVPN would be the way to set that up. As to the particular settings, you'd set it up somewhat like so:
server side <- upstream interface | downstream interface -> vpn … vpn <- upstream interface | downstream interface -> client side
Listing the appropriate subnets along the way.
You might need to use tap rather than tun for the VPN to make it work.
-
Aha, ok, so this is not possible with IPsec? (It would be preferable, as my router on the office network only supports IPsec VPN.)
I guess I'll have a look at how to set it up with OpenVPN. -
It wouldn't be possible with IPsec that I'm aware of. Maybe IPsec in transport mode + GIF tunnel, but it probably wouldn't support that either.
-
Aha, ok, so this is not possible with IPsec? (It would be preferable, as my router on the office network only supports IPsec VPN.)
I guess I'll have a look at how to set it up with OpenVPN.

You might look into creating a GRE tunnel that rides your IPsec VPN tunnel.
More than one step, but it will accomplish what you're looking to do. Multicast can pass over GRE.
Talk on these forums here (0).
An apparent solution between a Vyatta node and a pfSense node (1).
(0) https://forum.pfsense.org/index.php?topic=34755.0
(1) http://xtropx.blogspot.com/2012/10/gre-between-vyatta-core-pfsense.html -
It says in the other topic:
"It depends on what you mean by "GRE over IPsec", really. IPsec in tunnel mode is really using the GRE protocol under the hood, but with its SPD matching and whatnot going on."
Is it not as easy as enabling it for the standard config?
The problem is my other side…
I have to find out how to start the GRE tunnel on my Fritz!box (if this is possible). -
IGMP Proxy (or in some cases Avahi) with OpenVPN would be the way to set that up. As to the particular settings, you'd set it up somewhat like so:
server side <- upstream interface | downstream interface -> vpn … vpn <- upstream interface | downstream interface -> client side
Listing the appropriate subnets along the way.
You might need to use tap rather than tun for the VPN to make it work.

I now have 2 pfSense machines running and am trying to get an OpenVPN VPN working with TAP. So far the VPN is running and I can ping the VPN interfaces,
but I can't ping the networks.

Server side

dev ovpns1
dev-type tap
dev-node /dev/tap1
writepid /var/run/openvpn_server1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local xxx.xxx.xxx.14
engine cryptodev
ifconfig 10.0.8.1 255.255.255.0
lport 1194
management /var/etc/openvpn/server1.sock unix
push "route 192.168.2.0 255.255.255.0"
route 192.168.1.0 255.255.255.0
secret /var/etc/openvpn/server1.secret

Client side

dev ovpnc1
dev-type tap
dev-node /dev/tap1
writepid /var/run/openvpn_client1.pid
#user nobody
#group nobody
script-security 3
daemon
keepalive 10 60
ping-timer-rem
persist-tun
persist-key
proto udp
cipher AES-128-CBC
up /usr/local/sbin/ovpn-linkup
down /usr/local/sbin/ovpn-linkdown
local 192.168.1.6
engine cryptodev
lport 0
management /var/etc/openvpn/client1.sock unix
remote xxx.xxx.xxx.14 1194
ifconfig 10.0.8.2 255.255.255.0
secret /var/etc/openvpn/client1.secret

If I add the route 192 etc. line to the config, I get the following errors:

Feb 17 14:33:40 openvpn[54177]: OpenVPN ROUTE: OpenVPN needs a gateway parameter for a --route option and no default was specified by either --route-gateway or --ifconfig options
Feb 17 14:33:40 openvpn[54177]: OpenVPN ROUTE: failed to parse/resolve route for host/network: 192.168.1.0

Not sure what I am doing wrong…
UPDATE:
I now followed this guide, http://www.virtualtothecore.com/en/create-a-stretched-lan-between-your-site-and-vcloud-using-pfsense/
With my IPsec VPN I had no packet loss and good ping times; with this I have the following:

Pinging 192.168.1.10 with 32 bytes of data:
Reply from 192.168.1.10: bytes=32 time=781ms TTL=64
Reply from 192.168.1.10: bytes=32 time=19ms TTL=64
Request timed out.
Request timed out.
Reply from 192.168.1.10: bytes=32 time=1038ms TTL=64
Reply from 192.168.1.10: bytes=32 time=20ms TTL=64
Request timed out.
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 192.168.1.10:
Packets: Sent = 11, Received = 4, Lost = 7 (63% loss),
Approximate round trip times in milli-seconds:
Minimum = 19ms, Maximum = 1038ms, Average = 464ms -
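The two ROUTE errors in the post above are not a pfSense quirk but OpenVPN's normal behaviour on a tap link: a bare `route net mask` needs a gateway, and OpenVPN only has a default one from `route-gateway` or from a point-to-point `ifconfig` on a tun device (where the second argument is the peer). On a tap device, or with `topology subnet`, the second `ifconfig` argument is a netmask, so there is no default and each route must name the peer's VPN address (here `route 192.168.1.0 255.255.255.0 10.0.8.2` on the server, or a single `route-gateway 10.0.8.2`). The following checker is an added example, not code from the thread or from the pfSense or OpenVPN projects; the two configs in it are constructed, trimmed versions of the server config posted above and of a tun counterpart, and the rest of the directives in the original post are assumed not to affect routing.

```python
import shlex

# Constructed from the server config posted above: the tap device, the
# subnet-style ifconfig, and the bare `route` line that triggers the error.
SERVER_TAP_CONFIG = """\
dev ovpns1
dev-type tap
#user nobody
proto udp
cipher AES-128-CBC
ifconfig 10.0.8.1 255.255.255.0
lport 1194
push "route 192.168.2.0 255.255.255.0"
route 192.168.1.0 255.255.255.0
secret /var/etc/openvpn/server1.secret
"""

# Constructed counterpart on a tun device in point-to-point form: here the
# second ifconfig argument is the peer address and doubles as route gateway.
SERVER_TUN_CONFIG = """\
dev tun1
proto udp
ifconfig 10.0.8.1 10.0.8.2
route 192.168.1.0 255.255.255.0
secret /var/etc/openvpn/server1.secret
"""


def parse_ovpn(text):
    """Split a config into (directive, [args]) pairs. Lines starting with
    '#' or ';' are comments; quoted arguments (push "route ...") stay whole."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        out.append((parts[0], parts[1:]))
    return out


def device_type(directives):
    """'tun' or 'tap': an explicit dev-type wins, else the dev name prefix."""
    dev_type = dev = None
    for d, args in directives:
        if d == "dev-type" and args:
            dev_type = args[0]
        elif d == "dev" and args:
            dev = args[0]
    if dev_type:
        return dev_type
    return "tap" if dev and dev.startswith("tap") else "tun"


def default_gateway(directives):
    """Gateway OpenVPN uses for a `route` with no gateway argument, or None.

    route-gateway is explicit. Otherwise only a point-to-point ifconfig
    (tun device, not `topology subnet`) supplies one: its second argument is
    the peer address. On tap, or with topology subnet, it is a netmask, so
    there is no default and OpenVPN refuses the bare route."""
    gateway = ifconfig = None
    subnet = False
    for d, args in directives:
        if d == "route-gateway" and args:
            gateway = args[0]
        elif d == "ifconfig" and len(args) >= 2:
            ifconfig = args
        elif d == "topology" and args and args[0] == "subnet":
            subnet = True
    if gateway:
        return gateway
    if ifconfig and device_type(directives) == "tun" and not subnet:
        return ifconfig[1]
    return None


def check_routes(directives):
    """Return (network, netmask) for every `route` OpenVPN would reject:
    fewer than three arguments (no gateway) and no default gateway."""
    gateway = default_gateway(directives)
    bad = []
    for d, args in directives:
        if d == "route" and len(args) < 3 and gateway is None:
            netmask = args[1] if len(args) > 1 else "255.255.255.255"
            bad.append((args[0], netmask))
    return bad


def fix_routes(text, gateway):
    """Rewrite `route net mask` lines with an explicit gateway (on a tap link,
    the peer's VPN address) and return the corrected config text."""
    fixed = []
    for raw in text.splitlines():
        parts = shlex.split(raw.strip()) if raw.strip() else []
        if parts and parts[0] == "route" and len(parts) == 3:
            fixed.append(" ".join(parts + [gateway]))
        else:
            fixed.append(raw)
    return "\n".join(fixed) + "\n"


if __name__ == "__main__":
    for name, cfg in (("tap", SERVER_TAP_CONFIG), ("tun", SERVER_TUN_CONFIG)):
        print(name, "rejected routes:", check_routes(parse_ovpn(cfg)))
    print(fix_routes(SERVER_TAP_CONFIG, "10.0.8.2"))
```

Run it and the tap config reports the one rejected route while the tun config reports none; `fix_routes` shows the corrected line for the server side, and the client side would name 10.0.8.1 instead. Note that once the TAP interface is bridged into the LAN, as in the stretched-LAN guide followed later in the thread, the remote hosts sit on the same layer-2 segment and no `route` directive for them is wanted at all.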
I have come yet again a little closer!
The problem starts when bonding the network devices on the server side (the TAP with the LAN interface).
When bonding the interfaces… BAM, full packet loss. Not sure yet how to solve this…
UPDATE:
Someone here seems to have similar problems, but on the LAGG interface…
https://forum.pfsense.org/index.php/topic,68069.0.html -
I now tried again with TUN just to be sure I'm not crazy.
Everything is working fine, ping is good, 20ms. Then I tried switching back to bridged mode (changed the LAN interface to the same IP as the other network) and got an unstable connection again.
I set verb to 8 and noticed that the connection drops and reconnects all the time, but I see no reason why… PS: Can the post be moved to the OpenVPN board?
-
I give up until someone comes up with something to try; I can't figure it out… :'(