Multicast block openvpn bridge with IGMP snooping on

Rai80

I'm trying to share IPTV multicast traffic with an OpenVPN tunnel in bridge mode (TAP interface).

Site A <--> Asus rt-68ac <---> Internet <---> dd-wrt linksys 320n <---> Site B

The VPN tunnel is up and running without any problems. I can reach hosts and devices from A to B and vice versa.
Site A has IPTV with IGMP Proxy. This works. The STB receives multicast traffic from the IGMP Proxy.

My goal is to connect 1 of the STBs on Site B, to watch IPTV there.

After days of trying, multicast traffic is not reaching Site B over the VPN tunnel.
That was until I started investigating IGMP snooping. When I turn OFF IGMP snooping via the web interface, multicast starts flowing through the tunnel and on the bridge interface br0. br0 contains: vlan1, eth1, eth2, tap21.

But now all bridge interfaces get flooded with multicast traffic, which is kinda logical without IGMP snooping.
But network performance is dropping heavily. So this is not THE solution.

With IGMP snooping on I can receive multicast streams only on bridge interfaces: vlan1, eth1, eth2. But NOT on tap21. It seems like the built-in IGMP snooping only supports the default interfaces and blocks all multicast traffic on custom added interfaces like tap21.

What I want is IGMP snooping enabled and to receive multicast on the OpenVPN tap interface when a client does an IGMP report/join.

Does anybody know how the built-in IGMP snooping works? Why is it blocking all multicast traffic on tap interfaces?
 
Hi,

What settings did you use on the RT-AC68 to get it to tunnel multicast?

I'm currently trying to get IPTV to work over a VPN between an RT-AC68 on a site where there is IPTV, and connect this with an RT-AC66U on a different site. I have OpenVPN up and running, but don't get any signal on the STB I have on the RT-AC66U (which is the client towards the RT-AC68).
 
Did you use OpenVPN in bridge mode? Tap interface.

This is my config for OpenVPN and Bridge on Location A and Location B

OpenVPN config LocA

daemon
proto udp
rcvbuf 0
sndbuf 0
port 1194
dev tap21
cipher none
comp-lzo yes
keepalive 15 60
verb 3
secret static.key
status-version 2
status status 10

OpenVPN Config LocB

client
mode p2p
dev tap1
proto udp
remote 81.xxx.xxx.xxx 1194
float
cipher none
comp-lzo yes
keepalive 15 60
secret static.key
resolv-retry infinite
nobind

Bridge Config LocA

admin@ASUS:/# brctl show
bridge name    bridge id            STP enabled    interfaces
br0            8000.305a3ac63570    no             vlan1
                                                   eth1
                                                   eth2
                                                   tap21

Bridge Config LocB

admin@DD-WRT:/# brctl show
bridge name    bridge id            STP enabled    interfaces
br0            8000.203c3e562171    no             vlan1
                                                   eth1
                                                   tap1
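
Both configs above set `cipher none`, so every frame on the bridged LAN crosses the Internet unencrypted. As an added example (not part of the original post), this shell filter rewrites such a config to encrypt the tunnel. AES-256-CBC and SHA256 are choices made here, and both ends must carry the same values because static-key mode does not negotiate them.

```shell
#!/bin/sh
# Added example, not from the thread: rewrite a static-key OpenVPN config so
# the bridge is encrypted. Reads a config on stdin, writes the result to
# stdout, and sends a note to stderr when static-key mode is in use.
harden_ovpn() {
    awk '
        # "cipher none" turns encryption off. Static-key mode cannot use
        # AEAD (GCM) ciphers, so a CBC cipher is substituted (a choice here).
        $1 == "cipher" { if ($2 == "none") $0 = "cipher AES-256-CBC"; has_cipher = 1 }
        # "auth none" would also remove the per-packet HMAC.
        $1 == "auth"   { if ($2 == "none") $0 = "auth SHA256"; has_auth = 1 }
        $1 == "secret" { static_key = 1 }
        { print }
        END {
            # No explicit line: set one rather than rely on the build default.
            if (!has_cipher) print "cipher AES-256-CBC"
            if (!has_auth)   print "auth SHA256"
            msg = "note: static-key mode has no forward secrecy; certificate (TLS) mode is the stronger setup"
            if (static_key) print msg | "cat 1>&2"
        }'
}

# LocA server config, copied from the post above.
sample_loca_config() {
    cat <<'EOF'
daemon
proto udp
rcvbuf 0
sndbuf 0
port 1194
dev tap21
cipher none
comp-lzo yes
keepalive 15 60
verb 3
secret static.key
status-version 2
status status 10
EOF
}

sample_loca_config | harden_ovpn
```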
 
Hi,

Late feedback, but "project" has been on hold for a while.

I haven't tried your config, but my experience so far:
Running RT-AC68U as Server and RT-AC87U as client.
I have only used a setup which includes using the GUI. With a TAP-configuration, I get the multicasts over - this because the multicasts are joined on the Server-side by a different device. Not a problem for my purpose. I guess I too have flooding, but not a real problem (at least not with the RT-AC87U as client - the RT-AC66U was running with 80-100% CPU with this setup).

The problem I have: I get the multicast, but all other IP-traffic ain't routed through the VPN. Tried the 'push "redirect-gateway def1"', but that is maybe only for TUN-mode? With TUN-mode, traffic is routed over the VPN, but I don't get any Multicast (which I guess needs the L2-features of TAP).

Did you do anything manually in the config-files and what/why, and is anything manually done with the bridging through brctl?
 
You can stop multicast packets with this on both sides:

Code:
# Drop all multicast frames that would leave via tap21
# (ebtables targets are ACCEPT, DROP, CONTINUE and RETURN; there is no REJECT)
ebtables -I OUTPUT -o tap21 --pkttype-type multicast -j DROP
ebtables -I FORWARD -o tap21 --pkttype-type multicast -j DROP
ebtables -t nat -I POSTROUTING -o tap21 --pkttype-type multicast -j DROP
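
A selective variant of the rules above, as an added example that is not part of the thread: it prints ebtables rules that pass IGMP and one IPTV group range out of the tap, drop the remaining multicast there, and keep those groups off bridge ports with no receiver when IGMP snooping is off. The range 239.0.0.0/8, the use of eth1/eth2 as receiver-less ports, and an ebtables build with the ip and pkttype matches are assumptions to adapt.

```shell
#!/bin/sh
# Added example, not from the thread. Prints (does not apply) ebtables rules:
#   - on PASS_IF (the tap): allow IGMP and GROUP_CIDR, drop other multicast;
#   - on each BLOCK_IF: drop GROUP_CIDR, a static stand-in for IGMP snooping.
# Assumed: the ebtables build has the ip and pkttype matches. The final DROP
# also stops IPv6 neighbour discovery over the tap.
# usage: mcast_rules GROUP_CIDR PASS_IF [BLOCK_IF...]
mcast_rules() {
    if [ $# -lt 2 ]; then
        echo "usage: mcast_rules GROUP_CIDR PASS_IF [BLOCK_IF...]" >&2
        return 2
    fi
    groups=$1 pass=$2
    shift 2
    for ifc in "$pass" "$@"; do
        case $ifc in
            ''|*[!A-Za-z0-9_.-]*) echo "bad interface: $ifc" >&2; return 1 ;;
        esac
    done
    case $groups in
        *[!0-9./]*) first=0 ;;
        [0-9]*.[0-9]*.[0-9]*.[0-9]*/[0-9]*) first=${groups%%.*} ;;
        *) first=0 ;;
    esac
    # IPv4 multicast is 224.0.0.0/4, so the first octet must be 224-239.
    if [ "$first" -lt 224 ] || [ "$first" -gt 239 ]; then
        echo "not an IPv4 multicast range: $groups" >&2
        return 1
    fi
    for chain in FORWARD OUTPUT; do
        # Rules are appended in order and the first match wins.
        echo "ebtables -A $chain -o $pass -p IPv4 --ip-proto 2 -j ACCEPT"  # IGMP
        echo "ebtables -A $chain -o $pass -p IPv4 --ip-dst $groups -j ACCEPT"
        echo "ebtables -A $chain -o $pass --pkttype-type multicast -j DROP"
        for ifc in "$@"; do
            echo "ebtables -A $chain -o $ifc -p IPv4 --ip-dst $groups -j DROP"
        done
    done
}

# Constructed values: 239.0.0.0/8 stands for the provider's IPTV range and
# eth1/eth2 for bridge ports with no set-top box behind them.
mcast_rules 239.0.0.0/8 tap21 eth1 eth2
```

Review the printed rules before piping them to `sh` as root on the router.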
 
You can stop multicast packets with this on both sides:

Code:
# Drop all multicast frames that would leave via tap21
# (ebtables targets are ACCEPT, DROP, CONTINUE and RETURN; there is no REJECT)
ebtables -I OUTPUT -o tap21 --pkttype-type multicast -j DROP
ebtables -I FORWARD -o tap21 --pkttype-type multicast -j DROP
ebtables -t nat -I POSTROUTING -o tap21 --pkttype-type multicast -j DROP

I need the multicasts, which I got over the VPN. But in addition I need the rest of the traffic to go over VPN when I use TAP.
 
In bridge mode you don't have routing/gateway etc. It's all the same network, like a switch.
Which interfaces are members of the bridge? Are your tap interfaces included in the bridge?
 
Code:
RT-AC68U as Server:
bridge name    bridge id            STP enabled    interfaces
br0            8000.74d02b64f868    yes            vlan1
                                                   eth1
                                                   eth2
                                                   tap21

RT-AC87U as Client:
bridge name    bridge id            STP enabled    interfaces
br0            8000.1cb72cc136f0    yes            vlan1
                                                   eth1
                                                   tap11

You say it is like a big switch. But I need the "server side" to set IP addresses, and the gateway address has to be the server. Now, the clients get IP from the client-side Asus router.
 
I use the "server side" as DHCP server for local and remote OpenVPN clients. So on both sides use the same IP range. If you use different IP ranges it won't work. It's like using 2 different networks on the same switch. With a sniffer you see the traffic, but on Layer 3 IP, they don't "see" each other.
 