Propagate packet with special IP from one bridge to another?

Hello,

I’m using an RB5009 (ROS 7.2) with 3 bridges:
-brwan, for internet
-brlan, for my wired lan (192.168.1.0/24)
-brwifi, with an AP and my wifi connected devices (192.168.13.0/24)

LAN and wifi can connect to the internet with a simple NAT rule:

add action=masquerade chain=srcnat out-interface=br-wan to-addresses=0.0.0.0

Routing between LAN and wifi is done automatically. I can ping from my LAN to a wifi device, and vice versa.
As I need to isolate wifi from the LAN, I’ve made a simple firewall rule to block traffic:

add action=drop chain=forward connection-state=invalid,new,untracked in-interface=br-wifi log=yes log-prefix=fwwifi out-interface=br-lan

So I can still establish connections from my LAN to my wifi (the AP, typically), but the wifi cannot communicate with my LAN, which is perfect.

Now, I’m having trouble with a specific case:
-one wifi device (192.168.13.3) sends UDP (dstport 9898) packets to the specific IP 224.0.0.50. I need those packets to propagate on my LAN. I can’t find a way to do it. Ideally the packet should remain the same (same source IP, same destination IP).

I’ve added a new NAT rule:

add action=dst-nat chain=dstnat dst-address=224.0.0.50 dst-port=9898 log=yes log-prefix="lumi nat" protocol=udp src-address=192.168.13.3 to-addresses=192.168.1.5

I was expecting that, at least, the packet would come to my LAN, to 192.168.1.5. The rule is hit:

lumi nat dstnat: in:br-wifi out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, proto UDP, 192.168.13.3:4321->224.0.0.50:9898, len 163

But nothing else. My firewall does not have any rule that is hit, and my LAN network does not have any packet.

I’ve also seen that there are NAT rules in the bridge category, but they do not do more.
I’ve also tried to “lie” by adding the 244.0.0.0/24 network to the address list associated with the br-lan bridge. I was expecting that to involve routing, but it seems not.


Any help appreciated :)

Look at multicast routing, but you may get disappointed like I did if the recipient of the multicast packets doesn’t work properly.

After looking at the documentation, I can’t find a way to do anything. My RB5009 does not have “routing pim” but “routing pimsm”, which does not have the same implementation and does not seem to be able to do what we are looking for?

Thanks a lot for your help :)

/routing/pimsm is what you need, but the documentation is a stub so far. The IP address you have provided, 224.0.0.50, is a multicast one. So the device sends a packet to that multicast address from its unicast one; since the destination address is a multicast one, the multicast routing will forward it to all subnets attached to the interfaces which take part in multicast routing (as configured under /routing/pimsm) and all devices that listen on that multicast address will receive the packet. What happens next depends on the implementation - typically, if it is a service discovery packet, all the recipients will answer from their unicast addresses to the unicast address of the sender, so the sender will be able to build a list of devices and contact them using their individual addresses.

What may go wrong is the process of subscription to multicast groups via IGMP, that’s what I was referring to in my previous post. My use case was to have a home audio in one network and mobile phones with a remote control application in another, and it failed due to some missing response from the home audio in the IGMP subscription procedure. Maybe the PIM-SM implementation is more tolerant to this, I run ROS 6 in the network in question.

I feel quite dumb, but I can’t figure out how I should configure multicast under routing/pimsm to forward to a different bridge?

Adding an instance is not related to a bridge, and the interface template is related to a source address and not a destination one. I’m lost here. I tried a few different tests, but they do not seem to do anything!

/routing/pimsm/instance/add name=only
/routing/pimsm/interface-template/add instance=only interfaces=bridge1,bridge2

The addresses are the local ones, that’s normal.

It seems that just adding an instance and an interface template does not do anything (I can’t see multicast on br-wifi on the separate bridge br-lan). I’ve also tried to add the source address on the template with the IP address of the device doing multicast, or the multicast address, without success :(

Is there some way to have logs with those features? I’m completely blind here.

system/logging/add topics=pim

then try to add the local address of one of the bridges as a static rendezvous point:
/routing/pimsm/static-rp/add address=192.168.9.1 instance=only

/routing pimsm instance
add disabled=no name=pimsm-instance vrf=main
/routing pimsm interface-template
add disabled=no instance=pimsm-instance interfaces=br-wifi,br-lan source-addresses=""
/routing pimsm static-rp
add address=192.168.13.1 instance=pimsm-instance

No log and no multicast. Tried with the br-lan IP address without success too.

No more ideas here. On the protocol development status page, PIM-SM is shown as fully working, but in the absence of any working example in the manual, it is hard to find out what is wrong.

Same here, as there is absolutely no documentation it’s hard to guess what’s wrong. Anyway, many thanks for your help!
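
Added example, not part of the original thread: a Python check that parses a firewall log line of the shape quoted above and classifies the destination by multicast scope. It relies on RFC 5771, which reserves 224.0.0.0/24 as the Local Network Control Block whose traffic is not forwarded off link; the function names and the second sample line are constructed for illustration.

```python
import ipaddress
import re

# RFC 5771 Local Network Control Block: not forwarded off link by routers.
LOCAL_CONTROL = ipaddress.ip_network("224.0.0.0/24")
ADMIN_SCOPED = ipaddress.ip_network("239.0.0.0/8")

# Shape of the RouterOS firewall log line quoted in the thread.
LOG_RE = re.compile(
    r"in:(?P<in_if>\S+) out:(?P<out_if>\(unknown \d+\)|[^,\s]+),.*?"
    r"proto (?P<proto>\w+), (?P<src>[\d.]+):(?P<sport>\d+)"
    r"->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<length>\d+)"
)

def parse(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None

def scope(dst):
    """Classify an IPv4 destination by how far a router may carry it."""
    addr = ipaddress.ip_address(dst)
    if not addr.is_multicast:
        return "not multicast"
    if addr in LOCAL_CONTROL:
        return "link-local multicast"
    if addr in ADMIN_SCOPED:
        return "admin-scoped multicast"
    return "routable multicast"

def verdict(line):
    """Say whether multicast routing can be expected to forward this packet."""
    rec = parse(line)
    if rec is None:
        return "unparsed"
    kind = scope(rec["dst"])
    if kind == "link-local multicast":
        return f"{rec['dst']}:{rec['dport']} stays on {rec['in_if']} (link-local group)"
    return f"{rec['dst']}:{rec['dport']} is {kind}"

SAMPLES = [
    # Log line from the thread.
    'lumi nat dstnat: in:br-wifi out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, '
    'proto UDP, 192.168.13.3:4321->224.0.0.50:9898, len 163',
    # Constructed line for comparison (admin-scoped group).
    'test dstnat: in:br-wifi out:(unknown 0), src-mac xx:xx:xx:xx:xx:xx, '
    'proto UDP, 192.168.13.3:4321->239.255.255.250:1900, len 120',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(verdict(sample))
```

For a group in that block, the packet has to be bridged or relayed rather than routed. Any such exception should stay limited to 192.168.13.3 and UDP port 9898 so the wifi-to-LAN drop rule keeps its effect.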