Only allow multicast to certain hosts
I haven't implemented this solution yet, but I intend to use pfSense with my ISP's IPTV service. This uses multicast + IGMP.
I have read numerous other posts and I think I'll be able to get it working.
However, all the other posts say that I have to create a firewall rule on the WAN side that allows all traffic with a destination of 22.214.171.124/4, 126.96.36.199/4, and 188.8.131.52/4 (all multicast ranges).
Is there any way in pfSense to have that rule, but limit the traffic to a particular host? I'm not really comfortable allowing multicast traffic to all hosts within my network. However, I'm willing to be proven wrong if there is no security risk in doing this…
Another thing is that I need all my hosts (including the IPTV box) to be on the same subnet (as my IPTV box has some Chromecast-like features that need to be on the same subnet as my laptops).
Help is appreciated
OK, so after a bit of googling, I may be able to get round my fears, as in my case (I use BT here in the UK) the IPTV multicast traffic is delivered straight to the physical port, rather than encapsulated inside the regular PPPoE stream for surfing:
So I guess my normal hosts are secure, as the allow-all rules would be on the physical interface rather than the PPPoE WAN interface? (Unless an attacker of course managed to come in via the physical port, rather than inside the PPPoE, although this would be unlikely?)