sub205
just joined
Topic Author
Posts: 2
Joined: Sun Sep 18, 2022 9:43 am

Multicast noob questions

Tue Oct 18, 2022 9:37 am

Hi there,

how is it possible to connect different vlans to a multicast address?

Situation here: I have a Linux VM in VLAN 200 which has a daemon running that listens on 224.0.23.12.
A system in another VLAN wants to send packets there, which, obviously, don't reach their target.

System in between is a CRS354-48P-4S+2Q+RM running RouterOS 7.5

I temporarily fixed it by putting both systems in the same VLAN/subnet. But that doesn't sound right.

I've been used to nearly all IPv4 stuff for many years, but multicast is something I never had to deal with.

Is there some easy way to accomplish this?

Kind regards,
Stephan
 
tangent
Forum Veteran
Posts: 736
Joined: Thu Jul 01, 2021 3:15 pm

Re: Multicast noob questions

Tue Oct 18, 2022 4:12 pm

how is it possible to connect different vlans to a multicast address?

With a multicast router.

And what protocol, your next question will be, does one route multicast with? Answer: PIM-SM.

RouterOS also has a proprietary IGMP proxy service that may be of use here.

There have been reports of bugs with these facilities in ROS 7, but since I don't use those, I can't corroborate that. For all I know, they're all fixed now, and if not, then maybe the remaining bugs don't affect your use case. Give them a try, and if it doesn't work, contact support.

a daemon running that listens on 224.0.23.12.

Presumably a KNX automation controller.

If not, someone's abusing the IANA assigned IP space.

I temporarily fixed it by putting both systems in the same VLAN/subnet. But that doesn't sound right.

Why not? You have a controller and an application that speaks to the controller. Why must there be a VLAN barrier between them?

I'd understand if you were talking about random Chinese IoT home automation crap, but this KNX stuff looks high-end. Surely you can assume there aren't current vulnerabilities in this equipment, and that it gets regular patches. If not, why pay the prices they must be charging to produce that huge web site as a mere marketing ancillary?

Define your threat model, and the proper response will fall out of that.
 
sub205
just joined
Topic Author
Posts: 2
Joined: Sun Sep 18, 2022 9:43 am

Re: Multicast noob questions

Wed Oct 19, 2022 1:04 pm

Yes, it's a KNX gateway.

The reason I want to do this is that I built several VLANs for all the different sections of my network, which is quite large actually.

I have VLANs for normal PCs, Guests, SIP-Phones, Cameras, House-stuff and untrusted appliances. I also separated the KNX stuff, as I want to carefully configure rules for this.

Sure, I could just put both devices in the same VLAN, but this is a good point to get started with multicast stuff, so I thought it wouldn't hurt to try it out and learn how it should be done, before I encounter similar stuff at a customer's site and don't know how to deal with it.

I'll read about PIM-SM and try to figure it out. But before trying too hard, is it even possible to route multicast with the model of my switch, or does it require disabling hardware offloading (which, obviously, would be silly)?

EDIT: After thinking about it, maybe it's wiser to use the IGMP proxy of my pfSense for this purpose?
 
tangent
Forum Veteran
Posts: 736
Joined: Thu Jul 01, 2021 3:15 pm

Re: Multicast noob questions

Wed Oct 19, 2022 3:50 pm

I have VLANs for normal PCs, Guests, SIP-Phones, Cameras, House-stuff and untrusted appliances. I also separated the KNX stuff, as i want to carefully configure rules for this.

One of the characteristics of VLANs vs router-separated switches or vs multiple isolated bridges on a single switch is that a given port can be on more than one VLAN. Therefore, a possible solution is to put the KNX stuff on one VLAN, the user devices on another, and the subset of the latter that also needs to control the KNX stuff on the KNX VLAN. Then you can have simple hardware ACL rules like "if it's multicast and its IP is 224.0.23.12, tag it for the KNX VLAN," leaving everything else to go onto the regular user equipment VLAN.

is it even possible to route Multicast with the model of my switch or does it require to disable hardware offloading

Multicast routing is a CPU-mediated feature. However, you may be able to get enough control with hardware ACL rules to get the effect you want.

maybe it's wiser to use the IGMP-proxy of my PFsense for this purpose?

PIM is a proper routing function, so that is quite likely a better option, if the router is in the right place on the network.

You might end up with a hybrid approach, such as with ACL rules directing KNX traffic toward the port on the pfSense router that is set up to make decisions about it, which then bounces traffic back down into the switch with VLAN tags applied or similar to send the traffic to its true destination.
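The posts above come down to three checks a practitioner makes before touching PIM-SM, an IGMP proxy or a hardware ACL: is the group address one that routers are allowed to forward at all (224.0.0.0/24 is link-local and is never routed), does the sender's TTL survive the number of routed hops between the VLANs, and which Ethernet MAC a switch rule or IGMP snooping actually matches on (the IPv4-to-MAC mapping loses 5 bits, so 32 groups share one MAC). The script below is an added example written for this thread, not code from the posts or from MikroTik; the TTL values and hop counts it is fed are constructed inputs, and the actual TTL a KNX gateway uses is something you must verify on your own equipment.

```python
"""Sanity checks for sending IPv4 multicast across VLANs (added example).

Facts used: RFC 1112 multicast-to-MAC mapping (01:00:5e + low 23 bits),
224.0.0.0/24 link-local scope (never forwarded), 239.0.0.0/8 admin scope,
and the rule that a router discards a datagram whose TTL would reach 0.
"""
import ipaddress
import struct

MULTICAST = ipaddress.IPv4Network("224.0.0.0/4")
LINK_LOCAL = ipaddress.IPv4Network("224.0.0.0/24")   # routers never forward
ADMIN_SCOPED = ipaddress.IPv4Network("239.0.0.0/8")  # organisation-local scope


def multicast_mac(group: str) -> str:
    """Ethernet destination MAC a switch sees for an IPv4 multicast group."""
    addr = ipaddress.IPv4Address(group)
    if addr not in MULTICAST:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    low23 = int(addr) & 0x7FFFFF                 # only 23 bits are carried
    octets = struct.pack(">I", low23)[1:]        # low three bytes
    return "01:00:5e:" + ":".join(f"{b:02x}" for b in octets)


def mac_aliases(group: str) -> list[str]:
    """All 32 IPv4 groups that map to the same MAC as `group`.

    A hardware ACL or IGMP snooping entry keyed on the MAC matches every
    one of these, not just the group you meant.
    """
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    base = int(ipaddress.IPv4Address("224.0.0.0"))
    return [str(ipaddress.IPv4Address(base | (hi << 23) | low23))
            for hi in range(32)]


def classify(group: str) -> str:
    """Scope of a group address, which decides whether it can be routed."""
    addr = ipaddress.IPv4Address(group)
    if addr not in MULTICAST:
        return "unicast"
    if addr in LINK_LOCAL:
        return "link-local"
    if addr in ADMIN_SCOPED:
        return "admin-scoped"
    return "global"


def crosses_vlans(group: str, ttl: int, router_hops: int) -> tuple[bool, str]:
    """Can a datagram to `group` sent with `ttl` reach a receiver that is
    `router_hops` routed hops away, assuming a multicast router (PIM-SM or
    an IGMP proxy) is configured on every hop?"""
    kind = classify(group)
    if kind == "unicast":
        return False, "not a multicast group"
    if kind == "link-local":
        return False, "224.0.0.0/24 is link-local; routers never forward it"
    if router_hops == 0:
        return True, "same VLAN, no routing needed"
    # each router decrements TTL and drops the packet when it hits 0
    if ttl <= router_hops:
        return False, (f"TTL {ttl} expires before hop {router_hops}; "
                       "raise the sender's multicast TTL")
    return True, f"{kind} scope, routable; a multicast router must forward it"


if __name__ == "__main__":
    # Constructed inputs: the thread's KNX group, plus mDNS as a counter-case.
    cases = [("224.0.23.12", 1, 1), ("224.0.23.12", 16, 1),
             ("224.0.0.251", 64, 1), ("224.0.23.12", 1, 0)]
    for g, ttl, hops in cases:
        ok, why = crosses_vlans(g, ttl, hops)
        print(f"{g:<12} ttl={ttl:<3} hops={hops}  {'OK ' if ok else 'NO '} {why}")
    print("MAC for 224.0.23.12:", multicast_mac("224.0.23.12"))
    print("groups sharing that MAC:", ", ".join(mac_aliases("224.0.23.12")[:4]), "...")
```

The practical reading of the output: a sender that leaves the OS default multicast TTL of 1 will never cross the first router no matter how PIM-SM or the IGMP proxy is configured, and a switch rule written against the MAC 01:00:5e:00:17:0c also forwards 224.128.23.12, 225.0.23.12 and the other aliases, so match on the IP destination (as the ACL suggestion above does) when the intent is to admit exactly one group into the KNX VLAN.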
