English Forums > Tutorials and FAQs

HOW TO - Configure OPNsense for TV7 (init7) Multicast Stream

(1/1)

sToRmInG:
I had a hard time figuring out that the Multicast IP to Multicast MAC translation doesn't properly work.
The issue itself is described here: https://github.com/opnsense/core/issues/3629

Therefore I decided to write a quick tutorial for init7 customers to properly configure Multicast on OPNsense for TV7.

Credits:

* Philip Hofstetter: https://blog.pilif.me/2018/05/22/fiber7-tv-behind-pfsense/
* Philipp Häfelfinger: https://haefelfinger.ch/posts/2018/2018-10-18-fiber7-tv7-pfsense/
Note: the following step-by-step guide applies to init7's TV7 Multicast stream. The configuration might differ if you use this guide to achieve similar results for other Multicast streams.

1. Install plugin
To get Multicast to work on OPNsense we are going to use os-igmp-proxy.

2. Configure IGMP Proxy
To get started we need to configure IGMP Proxy.

* Navigate to Services -> IGMP Proxy
* Click Add+ and use the following config:

* Interface: WAN
* Description: WAN_UP
* Type: Upstream Interface
* Threshold: 1
* Option 1: Networks (single entry): 77.109.129.0/25
* Option 2: Networks (multiple entries, single hosts):

* 77.109.129.16/32
* 77.109.129.17/32
* 77.109.129.18/32
* 77.109.129.19/32
* Click Save
* Once again click Add+ and use the following config:

* Interface: LAN
* Description: LAN_DOWN
* Type: Downstream Interface
* Threshold: 1
* Networks: Enter your local network here (e.g. 192.168.1.0/24)
* Click Save once againThis will do it for the IGMP Proxy config.
We will now move along to the Firewall Rules.

3. Firewall Rules

LAN
First we have to enable allow options on the default LAN rule Default allow LAN to any rule.

* Navigate to Firewall -> Rules -> LAN
* Edit the rule with the description "Default allow LAN to any rule" by clicking the pencil.
* Scroll down until you see Advanced Options: and click on Show/Hide
* Make sure that the allow options checkbox is checked
* Click Save
* Back on Overview click on Apply changes to enable the changed rule
WAN
Now we have to properly configure the WAN rules to allow IGMP and Multicast traffic.

* Navigate to Firewall -> Rules -> WAN
* Click Add+
* Apply the following config:

* Protocol: IGMP
* Source: WAN net
* Destination: Single host or Network -> 224.0.0.0/4
* Description: Allow IGMP Multicast Traffic
* Scroll down until you see Advanced Options: and click on Show/Hide
* Make sure that the allow options checkbox is checked
* Click Save
* Click once again Add+
* Apply the following config:

* Protocol: PIM
* Source: WAN net
* Destination: Single host or Network -> 224.0.0.0/4
* Description: Allow PIM Traffic
* Scroll down until you see Advanced Options: and click on Show/Hide
* Make sure that the allow options checkbox is checked
* Click Save
* Once again click Add+ and apply the following config:
Option A (single Rule):

* Apply the following config:

* Protocol: UDP
* Source: Single host or Network -> 77.109.129.0/25
* Destination: Single host or Network -> 239.0.0.0/8
* Destination port range: Other -> from: 5000 -> to: 5000
* Description: init7: Allow Multicast Traffic
* Scroll down until you see Advanced Options: and click on Show/Hide
* Make sure that the allow options checkbox is checked
* Click SaveOption B (multiple rules, single host):

* Apply the following config:

* Protocol: UDP
* Source: Single host or Network -> 77.109.129.16/32
* Destination: Single host or Network -> 239.0.0.0/8
* Destination port range: Other -> from: 5000 -> to: 5000
* Description: init7: Allow Multicast Traffic
* Scroll down until you see Advanced Options: and click on Show/Hide
* Make sure that the allow options checkbox is checked
* Click Save
* Back on Overview clone the rule which has 77.109.129.16 as source
* Change source to 77.109.129.17
* Click Save
* Back on Overview clone the rule which has 77.109.129.17 as source
* Change source to 77.109.129.18
* Click Save
* Back on Overview clone the rule which has 77.109.129.18 as source
* Change source to 77.109.129.19
* Click Save
* Back on Overview click on Apply changes to enable the changed ruleWith the firewall properly configured, everything should be running fine, right?

Yes, that's where this GitHub issue comes into play.
We actually need one more rule.

Floating
We need to add a floating rule to fix the Multicast MAC address issue.

Every Multicast IP address resolves into a predefined Multicast MAC address
Here are some information about it including a calculator: http://www.dqnetworks.ie/toolsinfo.d/multicastaddressing.html

If the Multicast MAC address does not match the Multicast IP address one can only guess what the gateway will do with it.
Therefore we have to add a new floating rule:

* Navigate to Firewall -> Rules -> Floating
* Click Add+
* Apply the following config:

* Interface: WAN
* Direction: out
* Protocol: IGMP
* Source: WAN address
* Destination: Single host or Network -> 224.0.0.0/4
* Scroll down until you see Advanced Options: and click on Show/Hide
* Make sure that the allow options checkbox is checked
* Click Save
* Back on Overview click on Apply changes to enable the changed ruleWith this rule in place we are able to properly receive the TV7 Multicast stream.

hidalgo:
I just try to follow your how-to but didn’t get any stream. I’m running a pfSense 2.4.5; hope that’s not the issue here. I didn’t get nothing in the logs. So I don’t have any clue where to start the debugging.
I do not understand the last step about floating. What should I do there about MAC addresses?
Any hint is welcome.

sToRmInG:
Sorry for the delay in writing @hidalgo

For pfSense the "Floating step" shouldn't be necessary.
The linked articvles from Philip Hofstetter and Philipp Häfelfinger should explain the pfSense configuration pretty well.

mephistopheles:
Worked great, thank you very much! What a time saver :D

Navigation

[0] Message Index

Go to full version