Hi, really confused by multicast configuration on the DFL-800. It is a new area for me, so I've tried to be as comprehensive with my info here in the hope it makes it easier to offer any advice.
Can the DFL-800 act as a multicast router in its own right or does it always need to refer to an upstream mrouter?
My situation is that I have a VLAN interface with a multicast source directly connected to a DFL-800 and I would like to use the DFL-800 to manage any IGMP reports from hosts on the lan interface so that the multicast source doesn't flood my switch.
So far I've enabled IGMP snooping on a ProCurve switch, created a VLAN interface on the DFL and the switch for the lan and the multicast VLAN, and set up IP and IGMP rules as per the guide in chap4 (routing). Unfortunately I don't seem to be getting any streaming coming through.
Topology:
---------
clients (192.168.0.0/24) --> lan (iface) --> dfl-800 (core) --> vlan-mcast:7 (192.168.15.0/24) --> multicast source (192.168.15.20 & 227.40.50.61:1234)
IP Rules: as per chapter 4 - no address translation
-------------------------
Name: forward-mcast
Action: Multiplex SAT
Service: multicast-stream (tcp/udp 0-65535,1234)
Source Int: vlan-mcast:7
Dest Int: core
Source Net: vlan-mcast-net (192.168.15.0/24)
Dest Net: mcast-net (227.40.50.0/24)
Multiplex SAT - interface: lan, IP address: none, "multiplex traffic must have been requested using IGMP before it is forwarded" is ticked
----
Name: allow-mcast-to-lan
Action: Allow
Service: multicast-stream (tcp/udp 0-65535,1234)
Source Int: vlan-mcast:7
Dest Int: core
Source Net: vlan-mcast-net (192.168.15.0/24)
Dest Net: mcast-net (227.40.50.0/24)
IGMP Rules:
-------------------------
Name: lan-vlan-report-proxy
Type: report
Action: Proxy
Relay Iface: vlan-mcast:7
Source iface: lan
Source Net: lannet (192.168.0.0/24)
Dest Iface: core
Dest Net: auto
Multicast Source: vlan-mcast-net (192.168.15.0/24)
Multicast Group: mcast-net (227.40.50.0/24)
----
Name: vlan-lan-query-proxy
Type: query
Action: Proxy
Relay Iface: lan
Source iface: vlan-mcast:7
Source Net: vlan-mcast-net (192.168.15.0/24)
Dest Iface: core
Dest Net: auto
Multicast Source: vlan-mcast-net (192.168.15.0/24)
Multicast Group: mcast-net (227.40.50.0/24)
------
When I then try to use VLC to join the 227.40.50.61:1234 group, I can see via Wireshark that IGMP join requests are sent to 224.0.0.22
(example line: Source: 192.168.0.6, Destination 224.0.0.22, Protocol IGMP, Info V3 Membership Report / Join group 227.40.50.61 for any sources).
Nothing seems to be logged on the DFL-800 to indicate that it's receiving/reacting to these IGMP packets.
Occasionally there will be a packet recorded by Wireshark
(Source 192.168.0.1 [this is the lan gateway to the DFL], Destination 224.0.0.1, Protocol IGMP, Info V3 Membership Query, general).
The only log that seems to appear is my multiplex SAT rule that triggers the following:
-----
2010-09-28/16:58:33 Notice CONN/600001 allow-mcast-to-lan UDP vlan-mcast/core 192.168.15.20/227.40.50.60 1000/1234 conn_open satdestrule=gss-forward-mcast conn=open
-----
2010-09-28/16:58:33 Notice CONN/600001 allow-mcast-to-lan UDP vlan-mcast/core 192.168.15.20/227.40.50.61 1001/1234 conn_open satdestrule=gss-forward-mcast conn=open
-----
So a few questions,
- This setup is based on 4.5.2.1 multicast forwarding - no address translation on the help. Is this the appropriate setup for this particular topology situation?
- The IP rules that I entered as part of the guide dealt with straight forwarding of the multicast stream from the VLAN -> lan. Should there be IP rules to deal with the 224.0.0.22 and 224.0.0.1 addresses that I see with Wireshark?
- Could the fact that my report from the VLC host is sending IGMP to 224.0.0.22 and my query from the DFL is sending IGMP to 224.0.0.1 be part of the problem?
Are there any other tutorials or guides that describe multicast routing on NetDefend firewalls?
Thanks in advance,
Mark.
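
The two IGMP packet kinds quoted from the capture above can be decoded and checked against the destinations RFC 3376 assigns to them (224.0.0.22 for IGMPv3 reports, 224.0.0.1 for general queries). This is an added example, not part of the original post or D-Link code; the function names and the sample packets are constructed for illustration.

```python
import socket
import struct

# Well-known destinations from RFC 3376 (IGMPv3).
ALL_HOSTS = "224.0.0.1"          # general queries are sent here
ALL_V3_ROUTERS = "224.0.0.22"    # IGMPv3 membership reports are sent here
RECORD_TYPES = {1: "MODE_IS_INCLUDE", 2: "MODE_IS_EXCLUDE", 3: "CHANGE_TO_INCLUDE",
                4: "CHANGE_TO_EXCLUDE", 5: "ALLOW_NEW_SOURCES", 6: "BLOCK_OLD_SOURCES"}

def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over the IGMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_igmp(payload: bytes, ip_dst: str) -> dict:
    """Decode an IGMP payload and flag an unexpected IP destination."""
    if len(payload) < 8 or checksum(payload) != 0:
        raise ValueError("truncated IGMP message or bad checksum")
    msg_type = payload[0]
    if msg_type == 0x22:                       # IGMPv3 membership report
        (count,) = struct.unpack("!H", payload[6:8])
        records, off = [], 8
        for _ in range(count):
            rtype, aux_len, nsrc = struct.unpack("!BBH", payload[off:off + 4])
            group = socket.inet_ntoa(payload[off + 4:off + 8])
            srcs = [socket.inet_ntoa(payload[off + 8 + 4 * i:off + 12 + 4 * i]) for i in range(nsrc)]
            records.append((RECORD_TYPES.get(rtype, rtype), group, srcs))
            off += 8 + 4 * nsrc + 4 * aux_len
        return {"kind": "v3-report", "records": records, "dst_ok": ip_dst == ALL_V3_ROUTERS}
    if msg_type == 0x11:                       # membership query
        group = socket.inet_ntoa(payload[4:8])
        general = group == "0.0.0.0"           # general query carries no group address
        return {"kind": "query", "general": general, "group": group,
                "dst_ok": ip_dst == (ALL_HOSTS if general else group)}
    return {"kind": f"type-0x{msg_type:02x}", "dst_ok": None}

def with_checksum(msg: bytes) -> bytes:
    """Fill the checksum field (bytes 2-3) of a message built with it zeroed."""
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]

# Constructed samples mirroring the two Wireshark lines in the post. Record type 4
# with an empty source list is what Wireshark summarises as "Join ... for any sources".
REPORT = with_checksum(struct.pack("!BBHHH", 0x22, 0, 0, 0, 1)
                       + struct.pack("!BBH4s", 4, 0, 0, socket.inet_aton("227.40.50.61")))
QUERY = with_checksum(struct.pack("!BBH4sBBH", 0x11, 100, 0, socket.inet_aton("0.0.0.0"), 2, 125, 0))
```

Feed `parse_igmp` the IGMP payload bytes and the IP destination taken from a capture; `dst_ok` is `False` when a report or query was addressed somewhere other than its RFC 3376 destination.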