IGMP Proxy (multicast routing)

Rand__

Well-Known Member
Got myself a set of multiroom speakers and o/c want to isolate them in a separate VLAN...

Unfortunately it turns out my Sophos UTM does not have an IGMP proxy (and seems not to be able to act as Multicast Routing Rendezvous Point either), so it looks like I need a separate component.

O/c my Cisco switches could do IGMP proxy, but only in routing mode... which I just turned off since I couldn't get cross-VLAN DHCP to work properly with them (probably a return routing issue, had similar issues with a secondary UTM VM as VLAN router until I set a dedicated route to it), so these are out too.

Not really keen on redoing the firewalls just now, so replacing Sophos UTM with XG (or another UTM) is not a viable option at this time; I'd rather look for a drop-in (VM) to act as proxy or rendezvous point.
If that even works that way ;)

Thanks

Rand__

Well-Known Member
Still looking for a solution -
nobody who isolated their speakers?
Or everybody using better firewalls?
Or are you all routing on the switch instead?
 

MoMeanMugs

Member
I tried to get things working on PFSense, but it never worked properly. I have an Ubuntu server acting as print server/access point that's connected to my VLANs. I installed socat on it, and it works really well (only took a couple of minutes to set up). I'm sure you could use something low power like a Raspberry Pi.
 

Marsh

Moderator
Very interested in socat.
Could you post a quick example of your config?
 

Rand__

Well-Known Member
Me too, and ideally a network diagram to see how this is working ;)

Found a few pages but still missing the overall picture to understand how it works...


I assume it's basically a router for multicast traffic? That presumably will work since multicast will not be sent to the default router but be flooded on the network? So socat picks it up and forwards (or likely resends) to a different VLAN?
 

MoMeanMugs

Member
Sorry for the delay in replying, guys. Just got back from a week-long work trip. I'll leave some details here to get you started. I'll have to circle back around once I've had some sleep. :)

I'll just leave an example of what I did for the HDHomerun. I have other instances of socat running for other purposes.

I have multiple VLANs (one for management, media devices, guest, work, etc.). I have PFSense doing all the routing. This Ubuntu box is on a managed switch with VLAN trunking set up so it can see all VLANs. It has an IP address in each VLAN. The start config for socat for the HDHomerun:

Code:
#!/bin/bash
### BEGIN INIT INFO
# Provides:          socat
# Required-Start:
# Required-Stop:
# Should-Start:
# X-Start-Before:
# X-Stop-After:
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: hdhr broadcasts
# Description:       Forward hdhr broadcasts across subnet
### END INIT INFO

DESC="socat for hdhr"
NAME=socat
DAEMON=/usr/bin/$NAME
# udp4-recvfrom:65001,broadcast,fork  - accept broadcast datagrams on the discovery port,
#                                        one child per sender so replies find their way back
# udp4-sendto:192.168.102.215:65001   - re-send each datagram to the HDHomerun's static IP
SOCAT_ARGS="-d -d -lf /tmp/socat.log udp4-recvfrom:65001,broadcast,fork udp4-sendto:192.168.102.215:65001"
PATH=/bin:/usr/bin:/sbin:/usr/sbin


. /lib/lsb/init-functions


[ -x $DAEMON ] || exit 0


start_socat() {
        start-stop-daemon --quiet --start --pidfile /var/run/socat.$NAME.pid --background --make-pidfile --exec $DAEMON -- $SOCAT_ARGS $ARGS < /dev/null
}

stop_socat() {
        start-stop-daemon --stop --quiet --pidfile /var/run/socat.$NAME.pid --exec $DAEMON
        rm -f /var/run/socat.$NAME.pid
}

start() {
        echo "Starting $DESC:"
        start_socat
}

stop() {
        echo -n "Stopping $DESC:"

        for PIDFILE in `ls /var/run/socat.*.pid 2> /dev/null`; do
                NAME=`echo $PIDFILE | cut -c16-`
                NAME=${NAME%%.pid}
                stop_socat
                echo -n " $NAME"
        done
}

case "$1" in
    start)
#        log_daemon_msg "Starting socat" "socat"
        if start ; then
                log_end_msg $?
        else
                log_end_msg $?
        fi
        ;;
    stop)
#       log_daemon_msg "Stopping socat" "socat"
        if stop ; then
                log_end_msg $?
        else
                log_end_msg $?
        fi
        ;;
    reload|force-reload|restart)
        log_daemon_msg "Restarting socat" "socat"
        stop
        if start ; then
                log_end_msg $?
        else
                log_end_msg $?
        fi
        ;;
    *)
        echo "Usage: /etc/init.d/$NAME {start|stop|reload|force-reload|restart}"
        exit 3
        ;;
esac

exit 0
Since the Ubuntu box will see any broadcast messages on port 65001 (the discovery port for the HDHomerun), it will route the packets to the static IP address for the HDHomerun. Replies from the HDHomerun will go back to the source. There is different syntax depending on what you want to do. The manpage for socat should give you enough info to get going on your use case.

Poke some holes in UFW:

Code:
sudo ufw allow in on br1 to any port 65001 proto udp comment 'VLAN1 (Trusted) HDHomerun Discovery'
sudo ufw allow in on br4 to any port 65001 proto udp comment 'VLAN4 (Media) HDHomerun Discovery'
sudo ufw allow in on br5 to any port 65001 proto udp comment 'VLAN5 (Plex) HDHomerun Discovery'
I then poke some holes in the PFSense firewall for the actual datastream coming from the HDHomerun (not on port 65001).

What is it you're trying to proxy? Maybe we can walk through your use case and come up with the config files.

Marsh

Moderator
Thank you.
I'll read your notes and have fun with it.

I am trying to use AirPlay. The receiver is in one subnet, the server is in another subnet.
 

MoMeanMugs

Member
Thank you.
I'll read your notes and have fun with it.

I am trying to use AirPlay. The receiver is in one subnet, the server is in another subnet.
If all you want is AirPlay, Avahi on Ubuntu is also very easy to set up. I couldn't get Avahi on PFSense to work properly either.

MoMeanMugs

Member
I assume it's basically a router for multicast traffic? That presumably will work since multicast will not be sent to the default router but be flooded on the network? So socat picks it up and forwards (or likely resends) to a different VLAN?
Yep, that's exactly what it does!
 

Rand__

Well-Known Member
Thanks :)

I am trying to get my Wireless Speakers (Denon Heos Home) to work over VLANs so I can have controllers in the regular net and play to the speakers in an isolated vlan.
And the same from a bunch of isolated IoT displays in yet another vlan.

---OT---
I found that IPFire has a module for socat ...
I am always reluctant (no idea why) to run a Linux box just for a single service and rather deploy an appliance there (totally overkill usually) - maybe I should look into containers :p
---OT---
 

MoMeanMugs

Member
I understand about running a separate box for this, which is why I mentioned the RPi. I didn't originally go down the path of running on Linux until I realized the effort I was putting into PFSense wasn't going anywhere.

I don't have any Denon products, so I'm going to make some guesses here...

This site mentions all the ports:


Are you using static IPs for your speakers? How many IPs are represented by your speakers? Would it be possible to put one of the speakers on your main network to get some of the port sequencing? I'm guessing those listening ports are just returning the IP address for the speaker and then 80 is for control and 554 for data streaming (RTSP - Real Time Streaming Protocol). This is similar to the way it works for the HDHomerun. I'm not sure what that huge port range is for since I don't know the Heos products.

Since IPFire is Linux-based, you can try something like:

Code:
# udp4-recvfrom (not udp4-recv) keeps a reply path to each sender and accepts fork; "upd4" was a typo
echo -n 49152 49153 49154 1900 | xargs -d ' ' -I% bash -c 'socat udp4-recvfrom:%,fork udp4-sendto:192.168.102.1:% &'
Obviously, you'd replace the IP address with your speaker's IP. Reason why I was asking if you have multiple speakers is you'd need to rebroadcast instead of redirecting to one IP if you have multiple.
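An added example, not code from the thread: a small Python relay that does what the socat udp4-recvfrom/udp4-sendto pair above does, and also covers the multi-speaker case by falling back to the speaker VLAN's directed broadcast when no static speaker list is given. The subnets, the relay's address in the speaker VLAN and the port are assumed values.

```python
#!/usr/bin/env python3
"""Minimal UDP discovery relay between two VLANs (constructed example).

Mirrors what the socat udp4-recvfrom/udp4-sendto pair in this thread does:
receive a broadcast on the source VLAN, re-send it into the speaker VLAN,
and hand the reply back to the original sender. All addresses are assumed."""
import ipaddress
import select
import socket


def should_forward(src_ip, from_net, to_net):
    """Relay only packets that originate in from_net. Anything sourced in
    to_net (a speaker's reply, or the relay's own re-sent copy arriving on
    the 0.0.0.0 socket) is dropped so traffic cannot loop between VLANs."""
    ip = ipaddress.ip_address(src_ip)
    return (ip in ipaddress.ip_network(from_net)
            and ip not in ipaddress.ip_network(to_net))


def relay_targets(to_net, speakers):
    """Unicast to each known speaker; with no static list, fall back to the
    directed broadcast of the speaker VLAN so every speaker hears it."""
    return list(speakers) or [str(ipaddress.ip_network(to_net).broadcast_address)]


def relay(port, from_net, to_net, relay_ip_in_to_net, speakers=(), reply_wait=1.0):
    """Blocking loop: one request in, fan-out to speakers, replies back out."""
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    rx.bind(("0.0.0.0", port))            # hears broadcasts on every VLAN interface
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
    tx.bind((relay_ip_in_to_net, 0))      # copies leave from the speaker VLAN address
    while True:
        data, (src, sport) = rx.recvfrom(65535)
        if not should_forward(src, from_net, to_net):
            continue
        for target in relay_targets(to_net, speakers):
            tx.sendto(data, (target, port))
        # Speakers answer the relay's address; forward each reply to the sender.
        while select.select([tx], [], [], reply_wait)[0]:
            reply, _ = tx.recvfrom(65535)
            rx.sendto(reply, (src, sport))


if __name__ == "__main__":
    # Assumed layout: SSDP (1900) from the trusted VLAN into the speaker VLAN.
    relay(1900, "192.168.1.0/24", "192.168.102.0/24", "192.168.102.2")
```

Run one instance per port you need to cross, the same way the xargs one-liner starts one socat per port; the firewall on the relay box still has to allow the port in on each VLAN interface.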
 

Rand__

Well-Known Member
At this point I have 4 speakers, potentially a few more in the future.
I have them all on the main VPN atm since I couldn't get it to run separated (and the PC/source is in the main net, so)...

Will have to set up a box then, or run it on one of the other Linux VMs I run. Just need to find some time ;)

Thanks a lot though, it sounds like a plan at least:)