Hi all,
First of all, I hope I am in the correct post for this problem.
We have a cluster of IIS servers in VLAN X which use NLB (Network Load Balancing: https://learn.microsoft.com/en-us/windows-server/networking/technologies/network-load-balancing (https://learn.microsoft.com/en-us/windows-server/networking/technologies/network-load-balancing)) to balance the traffic to these machines. It is quite an old technic but still works like a charm as long with you are in the same subnet when a OPNsense firewall is being used.
We use IGMP multicast as the cluster operation mode instead of unicast. The switches are configured correctly and recognise the IPs for the cluster.
From a second subnet in VLAN Y we are able to ping every IP address that is not linked to the NLB cluster, also all other traffic is working fine for these IP addresses.
All the IP addresses that are linked to the NLB cluster will give a time-out when pinging them, also no other traffic seems to work.
For now we allow all traffic between the 2 VLANs to exclude rules from being the problem, also the Windows Firewalls are turned off to exclude problems with these as well.
Since the switches handle the multicast we didn't think any additional configuration for the OPNsense was needed. However it does not work...
Does OPNsense need additional set-up to work with IGMP multicast when working with an NLB cluster?
Edit: We run opnsense-business version 23.4.2.
Hi,
just to confirm, the
"Block bogon networks"
checkbox is not checked on both VLANs interface settings, right?
Hi Tron80,
Thank you for your reply.
I just did a test with an unchecked "Block bogon networks".
There is no difference in the behavior of the traffic between the 2 VLANs.
All the traffic to none NLB ip-addresses is wording. Traffic to NLB ip-addresses doesn't work.
So this doesn't seem to be the cause of the problem.
Just to be clear: you tested with unchecked box on both VLANs X and Y?
Yes correct, both where turned off during the test yesterday.
I have to admit that I am not the multicast expert but I guess you might want to look at the os-igmp-proxy extension for opnsense and take it into operation accordingly.
But again, multicast does not like me and I don't like it. Sorry.
Thanks for your help.
I have broadened the search a bit away from OPNsense and looked for people with similar problems when they are using FreeBSD or pfSense (Since OPNsense is forked from it).
This broadened search let me to the tunable net.link.ether.inet.allow_multicast https://man.freebsd.org/cgi/man.cgi?query=arp&sektion=4 (https://man.freebsd.org/cgi/man.cgi?query=arp&sektion=4)
Setting this tunable at least causes the IP and the correct mac-address to be visible in the ARP-table in OPNsense. It also causes log message like "<5>arp: 01:00:5e:7f:d2:28 is multicast" to disappear from the general system log.
However, traffic to those NLB IP-addresses is still not working :(
Does anyone else have an idea?
I will have look at the os-igmp-proxy, but it looks like it is designed to proxcy the IGMP messages. I am not sure if this is what we need in this case.
I did some package capture on the firewall and attached the screenshots of the capture to this post.
ping_210-30.png contains the capture of a working ping to a none NLB ip-address.
ping_210-40.png contains the capture of a not working ping to a NLB ip-address.
To me it looks like OPNsense is just not routing the reply, but I am not an expert in this. Hopefully someone has a better idea of what is going on.
The missing attachment