4.8. Multicast Routing

4.8.1. Overview

The Multicast Problem

Certain types of Internet interactions, such as conferencing and video broadcasts, require a single client or host to send the same packet to multiple receivers. This could be achieved through the sender duplicating the packet with different receiving IP addresses or by a broadcast of the packet across the Internet. These solutions waste large amounts of sender resources or network bandwidth and are therefore not satisfactory. An appropriate solution should also be able to scale to large numbers of receivers.

The Multicast Routing Solution

Multicast Routing solves the problem by the network routers themselves, replicating and forwarding packets via the optimum route to all members of a group.

The IETF standards that allow multicast routing are the following:

  • Class D of the IPv4 address space which is reserved for multicast traffic. Each multicast IP address represents an arbitrary group of recipients.

  • The Internet Group Membership Protocol (IGMP) allows a receiver to tell the network that it is a member of a particular multicast group.

  • Protocol Independent Multicast (PIM) is a group of routing protocols for deciding the optimal path for multicast packets.

Underlying Principles

Multicast routing functions on the principle that an interested receiver joins a group for a multicast by using the IGMP protocol. PIM routers can then duplicate and forward packets to all members of such a multicast group, thus creating a distribution tree for packet flow. Rather than acquiring new network information, PIM uses the routing information from existing protocols, such as OSPF, to decide the optimal path.

Reverse Path Forwarding

A key mechanism in the multicast routing process is Reverse Path Forwarding. For unicast traffic, a router is concerned only with a packet's destination. With multicast, the router is also concerned with a packets source since it forwards the packet on paths which are known to be downstream, away from the packet's source. This approach is adopted to avoid loops in the distribution tree.

Routing to the Correct Interface

By default, multicast packets are routed by cOS Core to the core interface (in other words, to cOS Core itself). Multicast Policy objects are created in the IP rule set in order to perform forwarding to the correct interfaces. This is demonstrated in the Example 4.16, “Multicast Forwarding With No Address Translation”.

Promiscuous Mode

If an IP rule set entry exists which applies to a multicast packet's destination IP address, then that Ethernet interface automatically gets its receive mode set to promiscuous in order to receive multicast packets. Promiscuous mode means that traffic with a destination MAC address that does not match the Ethernet interface's MAC address will be sent to cOS Core and not discarded by the interface. Promiscuous mode is enabled automatically by cOS Core and the administrator does not need to worry about doing this.

With multicast only, the usage of promiscuous mode can be explicitly controlled using the Ethernet object property Receive Multicast Traffic which has a default value of Auto. If this property is set to Off, the multicast forwarding feature cannot function.

If the administrator enters a CLI ifstat <ifname> command, the Receive Mode status line will show the value Promiscuous next to it instead of Normal to indicate the mode has changed. This is discussed further in Section 3.4.2, Ethernet Interfaces.

4.8.2. Multicast Forwarding with Multicast Policies

The Multicast Policy is used to achieve duplication and forwarding of packets through more than one interface. This feature implements multicast forwarding in cOS Core, where a multicast packet is sent through several interfaces.

Note that since this rule overrides the normal routing tables, packets that should be duplicated by the Multicast Policy need to be routed to the core interface.

By default, the multicast IP range 224.0.0.0/4 is always routed to core and does not have to be manually added to the routing tables. Each specified output interface can individually be configured with static address translation of the destination address. The Interface field in the Interface/Net Tuple dialog may be left empty if the IPAddress field is set. In this case, the output interface will be determined by a route lookup on the specified IP address.

The Multicast Policy can operate in one of two modes:

  • Using IGMP

    The traffic flow specified by the Multicast Policy must have been requested by hosts using IGMP before any multicast packets are forwarded through the specified interfaces. This is the default behavior of cOS Core.

  • Not using IGMP

    The traffic flow will be forwarded according to the specified interfaces directly without any interference from IGMP.

Example 4.16. Multicast Forwarding With No Address Translation

This example shows how to configure multicast forwarding together with IGMP. The multicast sender is 192.168.10.1 and generates the multicast streams 239.192.10.0/24:1234. These multicast streams should be forwarded from interface wan through the interfaces if1, if2 and if3. The streams should only be forwarded if some host has requested the streams using the IGMP protocol.

A Multicast Policy object will be created to forward the multicast groups. All groups have the same sender that has the IP address 192.168.10.1, which is located behind the wan interface.

The multicast groups should only be forwarded to the outgoing interfaces if clients behind those interfaces have requested the groups using IGMP. The following steps will configure forwarding of the multicast traffic.

IGMP is configured separately and this is described in Section 4.8.3.2, IGMP Rules Configuration with Address Translation. It is configured in the same way that it is configured when using other IP rule set entries.

InControl

Follow similar steps to those used for the Web Interface below.

Web Interface

A. Create a custom Service object for multicast:

  1. Go to: Objects > Services > Add > TCP/UDP
  2. Now enter:
    • Name: my_multicast_service
    • Type: UDP
    • Destination: 1234

B. Create a Multicast Policy object:

  1. Go to: Policies > Firewalling > Main IP Rules > Add > Multicast Policy
  2. Now enter:
    • Name: my_multicast_policy
    • Source Interface: wan
    • Source Network: 192.168.10.1
    • Destination Interface: core
    • Destination Network: 239.192.10.0/24
    • Service: my_multicast_service
  3. Under Destination Translation add one entry each for the output interfaces if1, if2 and if3 and leave the IP Address fields blank since no destination address translation is required.
  4. Enable the option Require IGMP
  5. Click OK

IGMP configuration for this example is described in Section 4.8.3.1, IGMP Rules Configuration with No Address Translation.

Creating a Multicast Policy with the CLI

Creating multicast policies through the CLI requires some additional explanation.

The CLI command to create a Multicast Policy is the following:

Device:/> add MulticastPolicy Name=mc_policy1
	SourceNetwork=<srcnet>
	SourceInterface=<srcif>
	DestinationInterface=<srcif>
	DestinationNetwork=<destnet>
	Service=<service>
	MultiplexArgument={outif1;ip1},{outif2;ip2},{outif3;ip3}...

The two values {outif;ip} represent a combination of output interface and, if address translation of a group is needed, an IP address.

If, for example, multiplexing of the multicast group 239.192.100.50 is required to the output interfaces if2 and if3, then the command to create the rule would be:

Device:/> add MulticastPolicy Name=mc_policy2
	SourceNetwork=<srcnet>
	SourceInterface=<if1>
	DestinationInterface=core
	DestinationNetwork=239.192.100.50
	Service=<service>
	MultiplexArgument={if2;},{if3;}

The destination interface is core since 239.192.100.50 is a multicast group. No address translation of 239.192.100.50 was added but if it is required for, say, if2 then the final argument would be:

	MultiplexArgument={if2;<new_ip_address>},{if3;}

Example 4.17. Multicast Forwarding With Address Translation

This example is based on the previous one but this time the multicast group is translated. When the multicast streams 239.192.10.0/24 are forwarded through the if2 interface, the multicast groups should be translated into 237.192.10.0/24. No address translation should be made when forwarding through interface if1. This is illustrated in the diagram below.

InControl

Follow similar steps to those used for the Web Interface below.

Web Interface

A. Create a custom service for multicast called multicast_service:

  1. Go to: Objects > Services > Add > TCP/UDP
  2. Now enter:
    • Name: multicast_service
    • Type: UDP
    • Destination: 1234

B. Create a Multicast Policy:

  1. Go to: Policies > Firewalling > Main IP Rules > Add > Multicast Policy
  2. Now enter:
    • Name: my_multicast_sat
    • Source Interface: wan
    • Source Network: 192.168.10.1
    • Destination Interface: core
    • Destination Network: 239.192.10.0/24
    • Service: multicast_service
  3. Under Destination Translation add interface if1 and leave the IP Address field blank since no destination address translation is required. Add interface if2 but this time, enter 237.192.10.0 as the IPAddress.
  4. Enable the option Require IGMP
  5. Click OK

IGMP configuration for this example is described in Section 4.8.3.2, IGMP Rules Configuration with Address Translation.

4.8.3. IGMP Configuration

IGMP signaling between hosts and routers can be divided into two categories:

  • IGMP Reports

    Reports are sent from hosts towards the router when a host wants to subscribe to new multicast groups or change current multicast subscriptions.

  • IGMP Queries

    Queries are IGMP messages sent from the router towards the hosts in order to make sure that it will not close any stream that some host still wants to receive.

Normally, both types of rule have to be specified for IGMP to function but there are two exceptions:

  1. If the multicast source is located on a network directly connected to the router, no query rule is needed.

  2. If a neighboring router is statically configured to deliver a multicast stream to the Clavister firewall, an IGMP query would also not have to be specified.

cOS Core supports two IGMP modes of operation:

  • Snoop Mode

  • Proxy Mode

The operation of these two modes are shown in the following illustrations:

Multicast Snoop Mode

Figure 4.23. Multicast Snoop Mode

Multicast Proxy Mode

Figure 4.24. Multicast Proxy Mode

In Snoop Mode, the Clavister firewall will act transparently between the hosts and another IGMP router. It will not send any IGMP Queries. It will only forward queries and reports between the other router and the hosts.

In Proxy Mode, the firewall will act as an IGMP router towards the clients and actively send queries. Towards the upstream router, the firewall will be acting as a normal host, subscribing to multicast groups on behalf of its clients.

4.8.3.1. IGMP Rules Configuration with No Address Translation

This example describes the IGMP rules needed for configuring IGMP rules for Example 4.16, “Multicast Forwarding With No Address Translation”. No Address Translation scenario described above. The router is required to act as a host towards the upstream router and therefore IGMP must be configured to run in proxy mode.

Example 4.18. IGMP - No Address Translation

The following example requires a configured interface group IfGrpClients including interfaces if1, if2 and if3. The IP address of the upstream IGMP router is known as UpstreamRouterIP.

Two rules are needed. The first one is a report rule that allows the clients behind interfaces if1, if2 and if3 to subscribe for the multicast groups 239.192.10.0/24. The second rule, is a query rule that allows the upstream router to query us for the multicast groups that the clients have requested.

The following steps need to be executed to create the two rules.

InControl

Follow similar steps to those used for the Web Interface below.

Web Interface

A. Create the first IGMP Rule:

  1. Go to: Network > Routing > IGMP Rules > Add > IGMP Rule
  2. Under General enter:
    • Name: A suitable name for the rule, for example Reports
    • Type: Report
    • Action: Proxy
    • Output: wan (this is the relay interface)
  3. Under Address Filter enter:
    • Source Interface: lfGrpClients
    • Source Network: if1net, if2net, if3net
    • Destination Interface: core
    • Destination Network: auto
    • Multicast Source: 192.168.10.1
    • Multicast Destination: 239.192.10.0/24
  4. Click OK

B. Create the second IGMP Rule:

  1. Again, go to: Network > Routing > IGMP Rules > Add > IGMP Rule
  2. Under General enter:
    • Name: A suitable name for the rule, for example Queries
    • Type: Query
    • Action: Proxy
    • Output: IfGrpClients (this is the relay interface)
  3. Under Address Filter enter:
    • Source Interface: wan
    • Source Network: UpstreamRouterIp
    • Destination Interface: core
    • Destination Network: auto
    • Multicast Source: 192.168.10.1
    • Multicast Group: 239.192.10.0/24
  4. Click OK

4.8.3.2. IGMP Rules Configuration with Address Translation

The following examples illustrates the IGMP rules needed to configure IGMP according to the Address Translation scenario described above in Example 4.17, “Multicast Forwarding With Address Translation”. We need two IGMP report rules, one for each client interface. The interface if1 uses no address translation and if2 translates the multicast group to 237.192.10.0/24. We also need two query rules, one for the translated address and interface, and one for the original address towards if1.

Two examples are provided, one for each pair of report and query rules. It is assumed the upstream multicast router uses the IP address UpstreamRouterIP.

Example 4.19. Interface if1 Configuration

The following steps needs to be executed to create the report and query rule pair for if1 which uses no address translation.

InControl

Follow similar steps to those used for the Web Interface below.

Web Interface

A. Create the first IGMP Rule:

  1. Go to: Network > Routing > IGMP Rules > Add > IGMP Rule
  2. Under General enter:
    • Name: A suitable name for the rule, for example Reports_if1
    • Type: Report
    • Action: Proxy
    • Output: wan (this is the relay interface)
  3. Under Address Filter enter:
    • Source Interface: if1
    • Source Network: if1net
    • Destination Interface: core
    • Destination Network: auto
    • Multicast Source: 192.168.10.1
    • Multicast Group: 239.192.10.0/24
  4. Click OK

B. Create the second IGMP Rule:

  1. Again, go to: Network > Routing > IGMP Rules > Add > IGMP Rule
  2. Under General enter:
    • Name: A suitable name for the rule, for example Queries_if1
    • Type: Query
    • Action: Proxy
    • Output: if1 (this is the relay interface)
  3. Under Address Filter enter:
    • Source Interface: wan
    • Source Network: UpstreamRouterIp
    • Destination Interface: core
    • Destination Network: auto
    • Multicast Source: 192.168.10.1
    • Multicast Group: 239.192.10.0/24
  4. Click OK

Example 4.20. Interface if2 Configuration - Group Translation

The following steps needs to be executed to create the report and query rule pair for if2 which translates the multicast group. Note that the group translated therefore the IGMP reports include the translated IP addresses and the queries will contain the original IP addresses

InControl

Follow similar steps to those used for the Web Interface below.

Web Interface

A. Create the first IGMP Rule:

  1. Go to: Network > Routing > IGMP Rules > Add > IGMP Rule
  2. Under General enter:
    • Name: A suitable name for the rule, for example Reports_if2
    • Type: Report
    • Action: Proxy
    • Output: wan (this is the relay interface)
  3. Under Address Filter enter:
    • Source Interface: if2
    • Source Network: if2net
    • Destination Interface: core
    • Destination Network: auto
    • Multicast Source: 192.168.10.1
    • Multicast Group: 239.192.10.0/24
  4. Click OK

B. Create the second IGMP Rule:

  1. Again, go to: Network > Routing > IGMP Rules > Add > IGMP Rule
  2. Under General enter:
    • Name: A suitable name for the rule, for example Queries_if2
    • Type: Query
    • Action: Proxy
    • Output: if2 (this is the relay interface)
  3. Under Address Filter enter:
    • Source Interface: wan
    • Source Network: UpstreamRouterIp
    • Destination Interface: core
    • Destination Network: auto
    • Multicast Source: 192.168.10.1
    • Multicast Group: 239.192.10.0/24
  4. Click OK
[Tip] Advanced IGMP Settings

There are a number of IGMP advanced settings which are global and apply to all interfaces which do not have IGMP settings explicitly specified for them.

4.8.4. Advanced IGMP Settings

The following advanced settings for IGMP can be found in the Web Interface by going to:
Network > Routing > Advanced Multicast Settings

Auto Add Multicast Core Route

This setting will automatically add core routes in all routing tables for the multicast IP address range 224.0.0.0/4. If the setting is disabled, multicast packets might be forwarded according to the default route.

Default: Enabled

IGMP Before Rules

For IGMP traffic, by-pass the normal IP rule set and consult the IGMP rule set.

Default: Enabled

IGMP React To Own Queries

The firewall should always respond with IGMP Membership Reports, even to queries originating from itself. Global setting on interfaces without an overriding IGMP Setting.

Default: Disabled

IGMP Lowest Compatible Version

IGMP messages with a version lower than this will be logged and ignored. Global setting on interfaces without an overriding IGMP Setting.

Default: IGMPv1

IGMP Router Version

The IGMP protocol version that will be globally used on interfaces without a configured IGMP Setting. Multiple querying IGMP routers on the same network must use the same IGMP version. Global setting on interfaces without an overriding IGMP Setting.

Default: IGMPv3

IGMP Last Member Query Interval

The maximum time in milliseconds until a host has to send an answer to a group or group-and-source specific query. Global setting on interfaces without an overriding IGMP Setting.

Default: 5,000

IGMP Max Total Requests

The maximum global number of IGMP messages to process each second.

Default: 1000

IGMP Max Interface Requests

The maximum number of requests per interface and second. Global setting on interfaces without an overriding IGMP Setting.

Default: 100

IGMP Query Interval

The interval in milliseconds between General Queries sent by the device to refresh its IGMP state. Global setting on interfaces without an overriding IGMP Setting.

Default: 125,000

IGMP Query Response Interval

The maximum time in milliseconds until a host has to send a reply to a query. Global setting on interfaces without an overriding IGMP Setting.

Default: 10,000

IGMP Robustness Variable

IGMP is robust to (IGMP Robustness Variable - 1) packet losses. Global setting on interfaces without an overriding IGMP Setting.

Default: 2

IGMP Startup Query Count

The firewall will send IGMP Startup Query Count general queries with an interval of IGMPStartupQueryInterval at startup. Global setting on interfaces without an overriding IGMP Setting.

Default: 2

IGMP Startup Query Interval

The interval of General Queries in milliseconds used during the startup phase. Global setting on interfaces without an overriding IGMP Setting.

Default: 30,000

IGMP Unsolicited Report Interval

The time in milliseconds between repetitions of an initial membership report. Global setting on interfaces without an overriding IGMP Setting.

Default: 1,000

4.8.5. Tunneling Multicast using GRE

It is possible to tunnel cOS Core multicast between two Clavister firewalls through a GRE tunnel. The multicast server will be behind one firewall and the clients behind the other with a GRE tunnel linking the two firewalls.

Setup Issues

There are certain issues that must be noted with tunneling multicast:

  • Make sure that the multicast server is sending the stream with a higher TTL than 1 (VLC uses TTL=1 by default).

  • When using IGMP, make sure that the destination network is not set to all-nets. If it is, the multiplex rule will not forward the stream to the correct interface.

  • Multicast Policy rule set entries must be set up both on the firewall that the server is behind and on the firewall that the clients are behind (in other words, the tunnel terminator).

  • Incoming and outgoing IGMP rules for reporting and querying must be configured on both sides of the tunnel if IGMP is used.

Tunneling Setup Summary

The following components are needed on both the client and server side:

  • Configure a GRE Tunnel object with the remote network being the client network for the server side and the server network on the client side.

  • Configure routes that route multicast traffic bound for the network on the other side through the GRE tunnel.

  • Configure a Multicast Policy on both sides.

  • For the Multicast Policy objects, enable the option: Multicast traffic must have been requested using IGMP before it is forwarded.

  • Configure IGMP rule objects for the multicast traffic.

An Example Configuration

An example multicast tunneling scenario is illustrated below.

Tunneling Multicast using GRE

Figure 4.25. Tunneling Multicast using GRE

The IPv4 address book object called mc_group on both sides of the tunnel is the same multicast IPv4 range. In this example, 239.100.100.0/24.

A. Server Side Configuration Setup

For the server side configuration, assume the client network is the IPv4 address book object client_net, the local internal tunnel endpoint is If2_ip (the server is on the If2 interface). A GRE tunnel called gre_to_clients is configured and the remote network is the address book object called client_net.

GRE Tunnel

Name IP Address Remote Endpoint Remote Network
gre_to_clients If2_ip client_interface_ip client_net

Routes

Provided that the above GRE object has the option to automatically add routes enabled, the following route will be added by cOS Core to the main routing table.

Network Interface
client_net gre_to_clients

Services

Name Type Destination Ports
mc_stream udp 1234

IP Rule Set Entries

Entry Type Source
Interface
Source
Network
Destination
Interface
Destination
Network
Service Multiplex
Interface
Multicast
Policy
If2 If2_net core mc_group mc_stream gre_to_clients
IP Policy If2 If2_net core mc_group mc_stream  

IGMP Rules

Type Action Source
Interface
Source
Network
Multicast
Group
Multicast
Source
Relay
Interface
Query Proxy If2 If2_net mc_group all-nets gre_to_clients
Report Proxy gre_clients all-nets all-nets all-nets If2

B. Client Side Configuration Setup

For the client side configuration, assume the server network is the IPv4 address book object server_net, the local internal tunnel endpoint is If3_ip (the clients are on the If3 interface). A GRE tunnel called gre_to_server is configured and the remote network is the address book object called server_net.

GRE Tunnel

Name IP Address Remote Endpoint Remote Network
gre_to_server If3_ip server_interface_ip server_net

Routes

Provided that the above GRE object has the option to automatically add routes enabled, the following route will be added by cOS Core to the main routing table.

Network Interface
server_net gre_to_server

Services

Name Type Destination Ports
mc_stream udp 1234

IP Rule Set Entries

Entry Type Source
Interface
Source
Network
Destination
Interface
Destination
Network
Service Multiplex
Interface
Multicast
Policy
gre_to_server server_net core mc_group mc_stream If3
IP Policy gre_to_server server_net core mc_group mc_stream  

IGMP Rules

Type Action Source
Interface
Source
Network
Multicast
Group
Multicast
Source
Relay
Interface
Report Proxy If3 If3_net mc_group all-nets gre_to_server
Query Proxy gre_to_server all-nets all-nets all-nets If3