Multicast across IPSec tunnel

Hi there,

I have a RUTX50 with one physical device (DeviceA) attached to a switch-port, and a Sonicwall TZ370 firewall/router, also with a single physical device (DeviceB) attached to a switch-port. An IPSec tunnel connects the RUTX50 and TZ370.

NetworkA: 172.23.60.0/24
  DeviceA: 172.23.60.53
  RUTX50: 172.23.60.1

TZ370: 172.22.60.1
  DeviceB: 172.22.60.50
NetworkB: 172.22.60.0/24

The VPN tunnel comes up and ordinary network traffic flows between DeviceA and DeviceB, and vice versa.

DeviceA emits network traffic into the multicast group 239.23.43.78, and DeviceB joins that same multicast group.

The TZ370 shows the group 239.23.43.78 on its IGMP state table as a result of DeviceB’s Join. However, no multicast packets appear to flow through the VPN tunnel.

On the RUTX50 I’ve enabled IGMP Snooping on the advanced tab of my LAN configuration page. I’ve also installed the IGMP Proxy package and configured it with:

Direction: Upstream
Interface: Lan
Firewall zone: Lan
Networks: 172.23.60.0/24

Direction: Downstream
Interface: Lan
Firewall zone: Lan
Networks: 172.22.60.0/24

Is there some other config (routing, firewall rules, etc.) required on the RUTX50 to ensure IGMP querier reports are sent across the VPN to the TZ370 so it becomes aware of the existence of the multicast groups created by the device attached to the RUTX50?

Thanks for your help,
Tony

Good afternoon,

A few insights on your case:

IGMP Proxy on the RUTX50 acts as a multicast router proxy, forwarding IGMP membership reports upstream and downstream. However, the upstream interface should be the one connected to the tunnel (VPN) interface, and the downstream interface should be the LAN where hosts join groups. Your current config uses the same LAN interface for both upstream and downstream, which is likely incorrect.

You need to configure the VPN tunnel interface as the upstream interface in IGMP Proxy, and the LAN interface where DeviceA resides as downstream (or vice versa depending on topology). This allows IGMP membership reports to be forwarded across the tunnel properly.

Ensure that multicast traffic (UDP to 239.23.43.78) and IGMP packets are allowed through the IPSec tunnel by the firewall rules on both RUTX50 and TZ370. The tunnel must permit multicast IP ranges and IGMP protocol (IP protocol 2) traffic. Static routes or policies may need to be added to route multicast traffic via the tunnel interface explicitly.

IGMP Proxy is a simple proxy and does not do full multicast routing. Sometimes, static multicast forwarding cache (MFC) entries or multicast routing protocols (like PIM) are needed on routers to forward multicast packets properly across VPNs. The RUTX50 IGMP Proxy does not support full multicast routing, so consider this limitation.

The RUTX50 or TZ370 must act as an IGMP querier on their respective LANs to maintain IGMP group membership. Verify that the IGMP querier is enabled on the RUTX50 LAN interface and that IGMP queries are sent across the tunnel to the TZ370. This may require additional manual configuration or enabling IGMP querier functionality on the VPN interface.

IGMP Snooping should be enabled on the LAN switches to optimize multicast forwarding locally, but it does not forward multicast or IGMP packets across routed interfaces or VPNs by itself. Snooping alone will not solve the cross-VPN multicast forwarding problem.

Regards,
Arturas
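Putting the reply's upstream/downstream and firewall points into the UCI layout that RutOS (OpenWrt-based) uses for the igmpproxy package, as an added example that is not from either poster or from Teltonika's documentation. For the topology in the question the source (DeviceA) is on the RUTX50 LAN and the receiver (DeviceB) is behind the tunnel, so the LAN is the upstream side and the tunnel is the downstream side (the "vice versa" case in the reply). The interface name `ipsec_tun` and zone name `vpn` are assumptions and must be replaced with whatever names the tunnel actually has in the router's network and firewall configuration; igmpproxy can only bind a downstream interface that has its own IPv4 address, so the tunnel must be set up to expose such an interface. The `lan` interface and the 172.23.60.0/24 network are from the thread.

```uci
# /etc/config/igmpproxy  (example; assumed OpenWrt igmpproxy UCI layout)
config igmpproxy
	option quickleave '1'

# Upstream: the side the multicast source (DeviceA, 172.23.60.53) lives on.
# altnet lists the source networks accepted on this interface.
config phyint
	option network 'lan'
	option zone 'lan'
	option direction 'upstream'
	list altnet '172.23.60.0/24'

# Downstream: the tunnel side, where DeviceB's IGMP joins arrive from.
# 'ipsec_tun' and 'vpn' are assumed names; use the ones your tunnel really has.
config phyint
	option network 'ipsec_tun'
	option zone 'vpn'
	option direction 'downstream'

# /etc/config/firewall additions (assumed zone name 'vpn' for the tunnel)
# Let the router receive IGMP (IP protocol 2) membership reports from the tunnel.
config rule
	option name 'Allow-IGMP-from-vpn'
	option src 'vpn'
	option proto 'igmp'
	option target 'ACCEPT'

# Let the proxied multicast stream be forwarded from the LAN into the tunnel.
config rule
	option name 'Allow-multicast-lan-to-vpn'
	option src 'lan'
	option dest 'vpn'
	option proto 'udp'
	option dest_ip '239.0.0.0/4'
	option target 'ACCEPT'
```

After applying the files, restart igmpproxy and the firewall (`/etc/init.d/igmpproxy restart`, `/etc/init.d/firewall restart`) and check that the group 239.23.43.78 appears in `/proc/net/ip_mr_cache` on the RUTX50 once DeviceB has joined; an empty cache with the join visible on the TZ370 usually means the reports are not reaching the downstream interface, which points back at the tunnel interface or firewall rule rather than at igmpproxy itself.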