novical
just joined
Topic Author
Posts: 10
Joined: Mon Jun 22, 2015 11:08 pm

Multicast over VPN for site-to-site

Tue Feb 09, 2016 5:46 pm

I'm trying to set up multicast session for MikroTik-to-MikroTik VPN connection.
IPSec over IP tunnel and IPSec over GRE work ok for pinging between the 2 LAN subnets but I can't seem to detect multicast traffic over them.

I have a device behind router 1 that is set up as a multicast server on 224.0.0.224.
Wireshark filtering for ip.dst eq 224.0.0.224 on a laptop behind the same router shows the device sending multicast traffic. Wireshark on a laptop behind the other router doesn't show any multicast traffic using the same filter.
The laptops can ping each other, the multicast server, and the LAN and WAN IPs of the routers.

I'm not necessarily restricted with the VPN option I'm using. I'm just trying to find a way to have multicast traffic working over VPN.
Any suggestions on how to do this are appreciated!
 
novical
just joined
Topic Author
Posts: 10
Joined: Mon Jun 22, 2015 11:08 pm

Re: Multicast over VPN for site-to-site

Thu Feb 11, 2016 5:33 pm

After digging on the forum and other websites/blogs, I found that EoIP w/ IPSEC and PPTP are the only ones that passed multicast traffic. GRE w/IPSEC, IP Tunnel w/IPSEC and LAN to LAN IPSEC setups work fine for "general" VPN connection but not for multicast. Please keep in mind I didn't test Bonjour or Rendezvous Point. I'm trying to keep the network layout as simple as possible for other techs to troubleshoot so I didn't get into installing the multicast package etc.

It would be nice if MikroTik had better documentation. Examples are ok, but lots of times don't cover everything you need and I couldn't find any documentation for feature comparison for the different types of VPN. This will be very helpful for people that are just getting into the MikroTik world (such as myself).

Thanks.
 
ZeroByte
Forum Guru
Posts: 4052
Joined: Wed May 11, 2011 6:08 pm

Re: Multicast over VPN for site-to-site

Thu Feb 11, 2016 5:38 pm

Multicast should work over GRE and IPIP tunnels also - you will need to enable PIM on your interfaces and choose one of the two routers as the RP.
/routing pim
Set all interfaces to use pim and igmp (or just the GRE and LAN interfaces). In both routers, set the RP to be the same exact IP address.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
 
novical
just joined
Topic Author
Posts: 10
Joined: Mon Jun 22, 2015 11:08 pm

Re: Multicast over VPN for site-to-site

Thu Feb 11, 2016 5:51 pm

Hi ZeroByte,

Thanks for the comment. We decided to go a different route for how to do this, but it's good to know there are other options for this. I didn't have time to test in detail the scenario you describe. I followed this: http://wiki.mikrotik.com/wiki/Manual:Mu ... ed_example but didn't have time to really troubleshoot once the quick test didn't work.
I probably missed something...
 
jimtony
just joined
Posts: 3
Joined: Thu Aug 18, 2016 7:39 pm

Re: Multicast over VPN for site-to-site

Thu Aug 18, 2016 8:17 pm

I am struggling with the same thing.
Tried ipip tunnel with and without IPSec, gre tunnel with IPSec, l2tp with IPSec. Not able to get multicast in the other end.
Have tried to activate just pim, then igmp and both. Neither worked.
My multicast server is 239.192.49.49.
It's an IP-DECT system that uses multicast to communicate between the DECT base stations.
Some tips would be really appreciated.
 
ZeroByte
Forum Guru
Posts: 4052
Joined: Wed May 11, 2011 6:08 pm

Re: Multicast over VPN for site-to-site

Fri Aug 19, 2016 12:45 am

My multicast server is 239.192.49.49.
This is the first misconception.

The correct way to say this is: My server sends messages to multicast group 239.192.49.49
The big difference is that the address is the destination, not the source. The source will be the unicast IP of the server.

Make sure that your routing tables all have routes that point to the unicast IP of the server, because multicast packets from that source are routed in the opposite direction....
Also make sure that all of your routers have an RP set, and be sure that all routers use exactly the same RP address.
 
doneware
Trainer
Posts: 644
Joined: Mon Oct 08, 2012 8:39 pm
Location: Hungary

Re: Multicast over VPN for site-to-site

Fri Aug 19, 2016 1:15 am

After digging on the forum and other websites/blogs, I found that EoIP w/ IPSEC and PPTP are the only ones that passed multicast traffic. GRE w/IPSEC, IP Tunnel w/IPSEC and LAN to LAN IPSEC setups work fine
To be able to run multicast routing you need an interface. IPSec tunnel mode or transport mode does not provide that; not even proper routing, but policies.

Any kind of IP-based peer-to-peer tunnel (GRE, IP-IP, EoIP, etc.) will work just fine with PIM as long as they are addressed (have valid IPv4 addresses).
Client-server tunnels (PPTP, L2TP, SSTP) can also work but usually they need "instantiated" static interfaces, e.g. usernames are mapped to static interfaces,
as the "<xxxx>" formatted dynamic interfaces may not be added to any routing protocol because they will disappear upon session disconnect.

L2 tunnels (EoIP) can work with IGMP since they are bridging Ethernet.

As long as you have your "routed" or "bridged" tunnels, throwing IPSec on as transport will not break anything:
just create a policy that uses transport mode ESP for the tunnelling protocol of your choice (i.e. GRE, IP protocol 47) between the
tunnel local and remote address, and that's it. You can add this afterwards: first just use your vanilla tunnel w/o encryption and get
multicast working on that.

Multicast traffic requires the RPF check to pass, so the destinations need to know where to find the source.
Say your MC source has an IP address of 1.2.3.4 and sends packets to multicast address 239.1.1.1:
all the destination devices shall be able to reach 1.2.3.4 or they will not be part of the multicast distribution tree,
e.g. an entry for 1.2.3.4 (or a less specific route) must be in the routing table.

In case you have multiple parallel links, all of them must be configured for PIM and all of them must be able to forward traffic towards the
MC source address.

Do it step by step:
1. build tunnels (w/o encryption)
2. adjust routing
3. configure PIM and IGMP
4. test multicast (do a ping from the MC source to the MC destination group address); check for packets to arrive at the receivers
5. configure encryption for your tunnels as needed.
#TR0359
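The RPF rule in the post above is easy to state and easy to get wrong, so here is a small added example (not code from any poster or from RouterOS) that performs the check the router does: a longest-prefix lookup of the multicast source's unicast address, then a comparison of the resulting interface with the one the packet arrived on. The routing table, the interface names (bridge1, gre-tunnel1, gre-tunnel2, ether1-wan) and the source 10.9.9.9 are constructed for illustration; 1.2.3.4 and the local LAN prefix come from the thread.

```python
import ipaddress
from typing import Optional, Sequence, Tuple

# Constructed example table, not from any poster's router. Entries are
# (destination prefix, outgoing interface): the MC source 1.2.3.4 is reached
# through a hypothetical GRE tunnel, everything else falls to the default route.
ROUTES: Sequence[Tuple[str, str]] = [
    ("192.168.100.0/24", "bridge1"),     # local LAN with the receivers
    ("1.2.3.0/24", "gre-tunnel1"),       # remote LAN holding the MC source
    ("0.0.0.0/0", "ether1-wan"),         # default route towards the internet
]


def lookup(routes: Sequence[Tuple[str, str]], addr: str) -> Optional[str]:
    """Longest-prefix match: outgoing interface for addr, or None if unrouted."""
    ip = ipaddress.ip_address(addr)
    best_len, best_iface = -1, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and net.prefixlen > best_len:
            best_len, best_iface = net.prefixlen, iface
    return best_iface


def rpf_check(routes: Sequence[Tuple[str, str]], source: str, in_iface: str) -> bool:
    """True when a packet from `source` arriving on `in_iface` passes the
    reverse-path-forwarding check: the unicast route back to the source
    leaves via the same interface the packet came in on."""
    return lookup(routes, source) == in_iface


def explain(routes: Sequence[Tuple[str, str]], source: str, in_iface: str) -> str:
    """Human-readable verdict, useful when an MFC entry shows no incoming interface."""
    expected = lookup(routes, source)
    if expected is None:
        return f"drop: no route to source {source}, RPF cannot resolve"
    if expected != in_iface:
        return f"drop: source {source} is reached via {expected}, packet came in on {in_iface}"
    return f"forward: RPF ok on {in_iface}"


if __name__ == "__main__":
    cases = [
        ("1.2.3.4", "gre-tunnel1"),   # source behind the tunnel, arrives on it
        ("10.9.9.9", "gre-tunnel1"),  # source only covered by the default route
        ("1.2.3.4", "gre-tunnel2"),   # parallel link without a route to the source
    ]
    for src, iface in cases:
        print(src, iface, "->", explain(ROUTES, src, iface))
    # Table with no route of any kind to the source:
    print(explain([("192.168.100.0/24", "bridge1")], "1.2.3.4", "gre-tunnel1"))
```

The third case is the parallel-links point: with a single route via gre-tunnel1, traffic from the same source arriving over gre-tunnel2 fails RPF, which is why every link carrying multicast needs a route back to the source as well as PIM enabled.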
 
jimtony
just joined
Posts: 3
Joined: Thu Aug 18, 2016 7:39 pm

Re: Multicast over VPN for site-to-site

Fri Aug 19, 2016 9:14 am

Sorry about mistyping. The multicast server has IP address 192.168.100.15 and sends messages to 239.192.49.49.

At the moment I'm using two routers.
This is my config:
Router 1:
/interface ipip
add allow-fast-path=no !keepalive local-address=R1_WAN_IP name=\
ipip-tunnel1 remote-address=R2_WAN_IP
/ip address
add address=1.1.1.1/24 interface=ipip-tunnel1 network=1.1.1.0
/ip firewall filter
add action=accept chain=input log-prefix="" protocol=ipip
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.92.0/23 log-prefix="" \
src-address=192.168.100.0/24
/ip route
add distance=1 dst-address=192.168.92.0/23 gateway=1.1.1.2
/routing pim interface
add interface=bridge1 (IGMP and PIM is checked)
add interface=ipip-tunnel1 (IGMP and PIM is checked)
/routing pim rp
add address=192.168.100.1 group=239.0.0.0/8

Router 2:
/interface ipip
add allow-fast-path=no !keepalive local-address=R2_WAN_IP name=\
ipip-tunnel1 remote-address=R1_WAN_IP
/ip address
add address=1.1.1.2/24 interface=ipip-tunnel1 network=1.1.1.0
/ip firewall filter
add action=accept chain=input log-prefix="" protocol=ipip
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.100.0/24 log-prefix="" \
src-address=192.168.92.0/23
/ip route
add distance=1 dst-address=192.168.100.0/24 gateway=1.1.1.1
/routing pim interface
add interface=bridge-local (IGMP and PIM is checked)
add interface=ipip-tunnel1 (IGMP and PIM is checked)
/routing pim rp
add address=192.168.100.1 group=239.0.0.0/8

I turned off ipsec just to make sure it wasn't any misconfiguration.
Changed from GRE to IPIP. This didn't help either.

In the MFC tab of router 1, I see 192.168.93.3 is listed. But under incoming interface it is shown as "unknown". Outgoing interface is shown as "bridge1".

When I'm trying to ping 239.192.49.49 from R1, I'm only receiving a response from the device within R1,
and from R2 only from the device within R2.

Regards,
Jim
 
jimtony
just joined
Posts: 3
Joined: Thu Aug 18, 2016 7:39 pm

Re: Multicast over VPN for site-to-site

Mon Aug 22, 2016 8:24 pm

No suggestions?
 
ZeroByte
Forum Guru
Posts: 4052
Joined: Wed May 11, 2011 6:08 pm

Re: Multicast over VPN for site-to-site

Mon Aug 22, 2016 11:40 pm

No suggestions?
Well, your NAT exception rules wouldn't apply to multicast traffic....

R1:
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.92.0/23 log-prefix="" src-address=192.168.100.0/24

R2:
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.100.0/24 log-prefix="" src-address=192.168.92.0/23

The multicast traffic has a destination of 239.192.49.49 - so this traffic will not be exempted from nat by the above rules.
Obviously you must have more NAT rules than the ones shown, though, as there are no masquerade/srcnat rules which would allow general internet traffic....

I would re-write your nat rules:
chain=srcnat action=accept out-interface=tunnel-interface
(or else only have a masquerade rule for out-interface=wan-interface, since the tunnel interface is NOT the WAN interface, it won't nat and you won't need the exception rules)
 
aartyom
just joined
Posts: 2
Joined: Thu Jan 12, 2017 11:37 am

Re: Multicast over VPN for site-to-site

Thu Jan 12, 2017 12:03 pm

I have similar problem but not sure if I need to configure anything in Firewall and NAT rules for multicast to work. Can anyone clarify?
My setup:
192.168.0.0/24->MTK0=192.168.0.200;1.1.1.1<---IPSEC VPN WITH NAT-->MTK8=192.168.8.0;2.2.2.2<-192.168.8.0

relevant config is below, it doesn't work and even MCAST rx/tx counters are not incremented
clients can ping and access each other


MTK0
--------
/ip address
add address=192.168.0.200/24 comment="default configuration" interface=ether2-master-local network=192.168.0.0
add address=1.1.1.1/30 interface=ether1-gateway network=1.1.1.0
/ip route
add distance=1 gateway=1.1.1.2
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-192-cbc,3des
/ip ipsec peer
add address=2.2.2.2/32 enc-algorithm=3des secret=*
/ip ipsec policy
add dst-address=192.168.8.0/24 sa-dst-address=2.2.2.2 sa-src-address=1.1.1.1 src-address=192.168.0.0/24 tunnel=yes
/ip firewall filter
add action=accept chain=forward dst-address=192.168.8.0/24 src-address=192.168.0.0/24
add action=accept chain=forward dst-address=192.168.0.0/24 src-address=192.168.8.0/24
add action=accept chain=input comment="Allow IKE" dst-port=500,4500,1701 protocol=udp
add action=accept chain=input comment="Allow IPSec-esp" protocol=ipsec-esp
add action=accept chain=input comment="Allow IPSec-ah" protocol=ipsec-ah
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.8.0/24 out-interface=ether1-gateway src-address=192.168.0.0/24
/routing igmp-proxy interface
add alternative-subnets=227.0.0.2/32 interface=ether1-gateway upstream=yes
add alternative-subnets=227.0.0.2/32 interface=bridge-local
/routing pim interface
add alternative-subnets=227.0.0.2/32,192.168.0.0/24,192.168.8.0/24
/routing pim rp
add address=2.2.2.2 disabled=yes group=227.0.0.2/32
add address=192.168.8.1 group=227.0.0.2/32


MTK8
--------
/ip address
add address=192.168.8.1/24 comment=defconf interface=ether2-master network=192.168.8.0
add address=2.2.2.2/30 interface=ether1-gateway network=2.2.2.0
/ip route
add distance=1 gateway=2.2.2.1
/ip firewall filter
add action=accept chain=forward dst-address=192.168.8.0/24 in-interface=ether1-gateway out-interface=bridge-local src-address=192.168.0.0/24
add action=accept chain=forward dst-address=192.168.0.0/24 in-interface=bridge-local out-interface=ether1-gateway src-address=192.168.8.0/24
add action=accept chain=input comment="Allow IKE" dst-port=500,1701,4500 protocol=udp
add action=accept chain=input comment="Allow IPSec-esp" protocol=ipsec-esp
add action=accept chain=input comment="Allow IPSec-ah" protocol=ipsec-ah
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.0.0/24 out-interface=ether1-gateway src-address=192.168.8.0/24
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-192-cbc,3des
/ip ipsec peer
add address=176.99.136.86/32 enc-algorithm=3des policy-template-group=default secret=*
/ip ipsec policy
add dst-address=192.168.0.0/24 sa-dst-address=1.1.1.1 sa-src-address=2.2.2.2 src-address=192.168.8.0/24 tunnel=yes
/routing igmp-proxy interface
add alternative-subnets=227.0.0.2/32 disabled=yes interface=ether1-gateway upstream=yes
add alternative-subnets=227.0.0.2/32 disabled=yes interface=bridge-local
/routing pim interface
add alternative-subnets=227.0.0.2/32 disabled=yes
/routing pim rp
add address=2.2.2.2 disabled=yes group=227.0.0.2/32
add address=192.168.8.1 group=227.0.0.2/32


The Windows application is Vypress Chat; it doesn't use any specific server and just sends packets to the 227.0.0.2 group to register and see neighbors. Local subnet clients are discovered without any problem, but it cannot see any remote subnet client.

I tried to add nat, filter (forward) and ipsec-proposal rules for 192.168.0.0->227.0.0.2 but nothing worked; the rx/tx counters are still 0.
