I had a hard time figuring out that the Multicast IP to Multicast MAC translation doesn't properly work.
The issue itself is described here: https://github.com/opnsense/core/issues/3629
Therefore I decided to write a quick tutorial for init7 (https://www.init7.net) customers to properly configure Multicast on OPNsense for TV7.
Credits:
- Philip Hofstetter: https://blog.pilif.me/2018/05/22/fiber7-tv-behind-pfsense/
- Philipp Häfelfinger: https://haefelfinger.ch/posts/2018/2018-10-18-fiber7-tv7-pfsense/
Note: the following step-by-step guide applies to init7's TV7 Multicast stream. The configuration might differ if you use this guide to achieve similar results for other Multicast streams.
1. Install plugin
To get Multicast to work on OPNsense we are going to use os-igmp-proxy.
2. Configure IGMP Proxy
To get started we need to configure IGMP Proxy.
- Navigate to Services -> IGMP Proxy
- Click Add+ and use the following config:
  - Interface: WAN
  - Description: WAN_UP
  - Type: Upstream Interface
  - Threshold: 1
  - Option 1: Networks (single entry): 77.109.129.0/25
  - Option 2: Networks (multiple entries, single hosts):
    - 77.109.129.16/32
    - 77.109.129.17/32
    - 77.109.129.18/32
    - 77.109.129.19/32
- Click Save
- Once again click Add+ and use the following config:
  - Interface: LAN
  - Description: LAN_DOWN
  - Type: Downstream Interface
  - Threshold: 1
  - Networks: Enter your local network here (e.g. 192.168.1.0/24)
- Click Save once again
This will do it for the IGMP Proxy config.
We will now move along to the Firewall Rules.
3. Firewall Rules
LAN
First we have to enable "allow options" on the default LAN rule "Default allow LAN to any rule".
- Navigate to Firewall -> Rules -> LAN
- Edit the rule with the description "Default allow LAN to any rule" by clicking the pencil.
- Scroll down until you see Advanced Options: and click on Show/Hide
- Make sure that the allow options checkbox is checked
- Click Save
- Back on Overview click on Apply changes to enable the changed rule
WAN
Now we have to properly configure the WAN rules to allow IGMP and Multicast traffic.
- Navigate to Firewall -> Rules -> WAN
- Click Add+
- Apply the following config:
  - Protocol: IGMP
  - Source: WAN net
  - Destination: Single host or Network -> 224.0.0.0/4
  - Description: Allow IGMP Multicast Traffic
- Scroll down until you see Advanced Options: and click on Show/Hide
- Make sure that the allow options checkbox is checked
- Click Save
- Click once again Add+
- Apply the following config:
  - Protocol: PIM
  - Source: WAN net
  - Destination: Single host or Network -> 224.0.0.0/4
  - Description: Allow PIM Traffic
- Scroll down until you see Advanced Options: and click on Show/Hide
- Make sure that the allow options checkbox is checked
- Click Save
- Once again click Add+ and apply the following config:
Option A (single Rule):
- Apply the following config:
  - Protocol: UDP
  - Source: Single host or Network -> 77.109.129.0/25
  - Destination: Single host or Network -> 239.0.0.0/8
  - Destination port range: Other -> from: 5000 -> to: 5000
  - Description: init7: Allow Multicast Traffic
- Scroll down until you see Advanced Options: and click on Show/Hide
- Make sure that the allow options checkbox is checked
- Click Save
Option B (multiple rules, single host):
- Apply the following config:
  - Protocol: UDP
  - Source: Single host or Network -> 77.109.129.16/32
  - Destination: Single host or Network -> 239.0.0.0/8
  - Destination port range: Other -> from: 5000 -> to: 5000
  - Description: init7: Allow Multicast Traffic
- Scroll down until you see Advanced Options: and click on Show/Hide
- Make sure that the allow options checkbox is checked
- Click Save
- Back on Overview clone the rule which has 77.109.129.16 as source
  - Change source to 77.109.129.17
  - Click Save
- Back on Overview clone the rule which has 77.109.129.17 as source
  - Change source to 77.109.129.18
  - Click Save
- Back on Overview clone the rule which has 77.109.129.18 as source
  - Change source to 77.109.129.19
  - Click Save
- Back on Overview click on Apply changes to enable the changed rule
With the firewall properly configured, everything should be running fine, right?
Yes, that's where this GitHub issue comes into play.
We actually need one more rule.
Floating
We need to add a floating rule to fix the Multicast MAC address issue.
Every Multicast IP address resolves into a predefined Multicast MAC address.
Here is some information about it, including a calculator: http://www.dqnetworks.ie/toolsinfo.d/multicastaddressing.html
If the Multicast MAC address does not match the Multicast IP address one can only guess what the gateway will do with it.
Therefore we have to add a new floating rule:
- Navigate to Firewall -> Rules -> Floating
- Click Add+
- Apply the following config:
  - Interface: WAN
  - Direction: out
  - Protocol: IGMP
  - Source: WAN address
  - Destination: Single host or Network -> 224.0.0.0/4
- Scroll down until you see Advanced Options: and click on Show/Hide
- Make sure that the allow options checkbox is checked
- Click Save
- Back on Overview click on Apply changes to enable the changed rule
With this rule in place we are able to properly receive the TV7 Multicast stream.
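The Multicast IP to Multicast MAC translation mentioned in the post above, as an added example that is not part of the original post: it computes the expected MAC for a group address and flags frames whose destination MAC does not match. The `SAMPLE_FRAMES` pairs, including the mismatching MAC, are constructed for illustration.

```python
import ipaddress

def multicast_mac(ip: str) -> str:
    """Map an IPv4 multicast group to its Ethernet MAC (RFC 1112)."""
    addr = ipaddress.IPv4Address(ip)
    if not addr.is_multicast:
        raise ValueError(f"{ip} is not in 224.0.0.0/4")
    low23 = int(addr) & 0x7FFFFF        # only the low 23 bits of the IP are kept
    mac = (0x01005E << 24) | low23      # fixed prefix 01:00:5e, next bit is 0
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -8, -8))

def normalise_mac(mac: str) -> str:
    """Lower-case and use ':' separators so captures from any tool compare equal."""
    return mac.strip().lower().replace("-", ":")

def mismatched(frames):
    """Return (ip, seen_mac, expected_mac) for frames whose MAC does not fit the IP."""
    bad = []
    for dst_ip, dst_mac in frames:
        expected = multicast_mac(dst_ip)
        if normalise_mac(dst_mac) != expected:
            bad.append((dst_ip, dst_mac, expected))
    return bad

def aliases(ip: str):
    """All 32 groups sharing this group's MAC (5 of the 28 group bits are dropped)."""
    low23 = int(ipaddress.IPv4Address(ip)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (hi << 23) | low23))
            for hi in range(32)]

# Constructed (destination IP, destination MAC) pairs, as they might be read
# from a packet capture on the WAN interface.
SAMPLE_FRAMES = [
    ("224.0.0.22", "01:00:5E:00:00:16"),       # IGMPv3 report, MAC matches
    ("239.255.255.250", "01-00-5e-7f-ff-fa"),  # MAC matches (dash notation)
    ("224.0.0.22", "02:00:00:00:00:01"),       # constructed mismatch
]

if __name__ == "__main__":
    for ip, seen, expected in mismatched(SAMPLE_FRAMES):
        print(f"{ip}: saw {seen}, expected {expected}")
    print("groups sharing one MAC:", aliases("224.0.0.22")[:3], "...")
```

Because 32 group addresses share each MAC, a matching MAC does not prove the frame carries the intended group; the IP-level firewall rules still do that filtering.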
I just tried to follow your how-to but didn't get any stream. I'm running a pfSense 2.4.5; hope that's not the issue here. I didn't get anything in the logs. So I don't have any clue where to start the debugging.
I do not understand the last step about floating. What should I do there about MAC addresses?
Any hint is welcome.
Sorry for the delay in writing @hidalgo
For pfSense the "Floating step" shouldn't be necessary.
The linked articles from Philip Hofstetter and Philipp Häfelfinger should explain the pfSense configuration pretty well.
Worked great, thank you very much! What a time saver :D
Hi
I got the following error in debug and verbose mode:
```
igmpproxy -d -v /usr/local/etc/igmpproxy.conf
adding VIF, Ix 0 Fl 0x0 IP 0xeaeac355 ixl1, Threshold: 1, Ratelimit: 0
adding VIF, Ix 1 Fl 0x0 IP 0x0101a8c0 bridge0, Threshold: 1, Ratelimit: 0
Joining group 224.0.0.2 on interface bridge0
Joining group 224.0.0.22 on interface bridge0
sendto to 224.0.0.1 on 192.168.1.1; Errno(13): Permission denied
RECV Membership query from 192.168.1.1 to 224.0.0.1
RECV V3 member report from 192.168.1.104 to 224.0.0.22
Inserted route table entry for 239.255.255.250 on VIF #1
Joining group 239.255.255.250 on interface ixl1
RECV V3 member report from 192.168.1.104 to 224.0.0.22
Updated route entry for 239.255.255.250 on VIF #1
The IGMP message was local multicast. Ignoring.
RECV V3 member report from 192.168.1.104 to 224.0.0.22
Updated route entry for 239.255.255.250 on VIF #1
RECV V3 member report from 192.168.1.104 to 224.0.0.22
Updated route entry for 239.255.255.250 on VIF #1
RECV V2 member report from 192.168.1.1 to 224.0.0.2
The IGMP message was from myself. Ignoring.
RECV V2 member report from 192.168.1.1 to 224.0.0.22
The IGMP message was from myself. Ignoring.
sendto to 224.0.0.1 on 192.168.1.1; Errno(13): Permission denied
RECV Membership query from 192.168.1.1 to 224.0.0.1
RECV V2 member report from 192.168.1.1 to 224.0.0.22
The IGMP message was from myself. Ignoring.
```
How can I fix this error?
```
sendto to 224.0.0.1 on 192.168.1.1; Errno(13): Permission denied
```
Is TV7 still working with those settings as of today? I've tried every guide I could find, but Multicast streaming is still not working.
Edit: I found the problem already. I had a separate rule for IGMP on LAN and it was placed below the general LAN rule. After placing it on top the stream started working.
Thanks @sToRmInG for the How-To, worked straight with OPNsense 24.1.1-amd64 8)
This guide has worked for me too.
Make sure you are directly connected via ethernet to your router when you try out multicast. Turns out I have issues with multicast and my Ubiquiti access point. When I was setting up multicast I was initially doing it over WiFi and attributed multicast not working to OPNsense, where in fact the firewall setup was correct.
Thank you for this very helpful post. I had to make some changes to get it working...
When you go to the ISP's website and activate the `nerdmode`:
* https://www.init7.net/de/support/faq/mit-welchen-uebertragungsarten-funktionieren-die-tv-streams/
You can see some changes to the network ranges:
* 77.109.129.0/25 -> 77.109.129.0/24
* 239.0.0.0/8 -> 233.50.230.0/24
As for all the rules where you were able to use the `WAN net`, I had to replace it with the IP `81.6.46.1`, which is outside of my WAN IP's network. Maybe this is only because I have a fixed IPv4 address.
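The range change reported in the post above, checked against the how-to's Option A rule; this is an added example, not part of the thread. The `Rule` class and the `FLOWS` list are constructed for illustration, and keeping destination port 5000 for the newer ranges is an assumption.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    """One WAN pass rule for UDP: source network, destination network, port."""
    source: str
    destination: str
    port: int

    def matches(self, src: str, dst: str, dport: int) -> bool:
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.source)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.destination)
                and dport == self.port)

    def width(self):
        """(number of source addresses, number of groups) the rule lets through."""
        return (ipaddress.ip_network(self.source).num_addresses,
                ipaddress.ip_network(self.destination).num_addresses)

# Option A from the how-to.
GUIDE_RULE = Rule("77.109.129.0/25", "239.0.0.0/8", 5000)
# Ranges from the last post; port 5000 is assumed to be unchanged.
NERDMODE_RULE = Rule("77.109.129.0/24", "233.50.230.0/24", 5000)

# Constructed (source, group, destination port) flows.
FLOWS = [
    ("77.109.129.16", "239.77.0.1", 5000),      # group inside the guide's /8
    ("77.109.129.16", "233.50.230.1", 5000),    # newer group, lower half of the /24
    ("77.109.129.200", "233.50.230.80", 5000),  # newer group, upper half of the /24
    ("192.0.2.10", "233.50.230.80", 5000),      # unrelated source (documentation range)
]

def uncovered(rule: Rule, flows):
    """Flows the rule would not pass; the firewall's default deny drops them."""
    return [flow for flow in flows if not rule.matches(*flow)]

if __name__ == "__main__":
    for name, rule in (("guide", GUIDE_RULE), ("nerdmode", NERDMODE_RULE)):
        print(name, "passes", rule.width(), "sources x groups")
        for flow in uncovered(rule, FLOWS):
            print("  not passed:", flow)
```

The narrower destination also shrinks what the WAN rule admits, from the 16,777,216 groups of a /8 to the 256 groups of a /24.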