IGMP Proxy Configuration in pfSense

Internet Group Management Protocol Explained

The Internet Group Management Protocol (IGMP) is a communications protocol used by hosts and adjacent routers on IP networks to establish multicast group memberships. IGMP operates between the client computer and a local multicast router. Like other network management protocols, it operates above the network layer. There are three versions of IGMP: version 1, defined by RFC 1112; version 2, defined by RFC 2236; and version 3, initially defined by RFC 3376 and updated by RFC 4604. A router can serve as an IGMP proxy, as we shall soon see.

The IPv4 address scheme assigns Class D addresses for IP multicasting. IGMP is the protocol that uses these addresses. The following addresses have specific functions or are unavailable:

  • 222.0.0.0 is reserved, and you cannot assign it to a group.
  • 222.0.0.1 is the all-hosts address – a packet sent to this address reaches all hosts on a subnet.
  • 222.0.0.2 is the all-routers address – a packet sent to this address reaches all routers on a subnet.

This implementation of IGMP complies with IGMPv2, which involves the exchange of the following types of messages between routers and hosts:

  • Group membership queries
  • Group membership reports
  • Leave group membership messages

A multicast router can be a querier or a nonquerier. There is only one querier on a network at any time. Multicast routers monitor queries from other multicast routers to determine the status of the querier. If the querier hears a query from a router with a lower IP address, it relinquishes its role to that router.


Multicast routers send two types of group membership queries to hosts on the network: [1] general queries to the all-hosts group address, and [2] specific queries to the appropriate multicast group address. The purpose of a group membership query is to discover the multicast groups to which a host belongs. When a host receives such a query, it identifies the groups associated with the query and determines to which groups it belongs. Since the query has a Max Response Time field (the maximum time a host can take to respond to a query), the host sets a timer less than this field, and when the timer expires, the host multicasts a group membership report to the group address.

When a multicast router receives a report, it adds the group to the membership list for the network and sets a timer to the Group Membership Interval. If this timer expires before the router receives another group membership report, the router determines that the group has no members left on the network. If the router does not receive any reports for a specific multicast group within the Max Response Time, it assumes that the group has no members on the network. The router does not forward subsequent multicasts for that group to the network.

New to IGMP version 2 are the leave group membership messages. When a host leaves a group, it sends such a message to multicast routers on the network. A host generally addresses leave group membership messages to the all-routers group address, 222.0.0.2.
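The three IGMPv2 message kinds described above can be told apart, and sanity-checked, from the eight bytes that follow the IP header. The parser below is an added example, not code from the original article or from pfSense; the type codes and field layout are taken from RFC 2236, and the sample messages and the group 239.1.2.3 are constructed for illustration.

```python
import ipaddress
import struct

# IGMPv2 type codes from RFC 2236 (not listed on the page itself).
MEMBERSHIP_QUERY = 0x11
REPORT_OR_LEAVE = {0x12: "v1 membership report", 0x16: "membership report",
                   0x17: "leave group"}

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum over the whole IGMP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_igmpv2(msg_type: int, max_resp_tenths: int, group: str) -> bytes:
    """Build an 8-byte message; used only to construct the samples below."""
    packed = ipaddress.IPv4Address(group).packed
    body = struct.pack("!BBH4s", msg_type, max_resp_tenths, 0, packed)
    return struct.pack("!BBH4s", msg_type, max_resp_tenths,
                       inet_checksum(body), packed)

def parse_igmpv2(payload: bytes) -> dict:
    """Validate and classify the IGMP bytes that follow the IP header."""
    if len(payload) < 8:
        raise ValueError("truncated: an IGMPv2 message is 8 bytes")
    msg_type, max_resp, _, raw_group = struct.unpack("!BBH4s", payload[:8])
    if inet_checksum(payload) != 0:  # a valid message sums to zero
        raise ValueError("bad IGMP checksum")
    group = ipaddress.IPv4Address(raw_group)
    if msg_type == MEMBERSHIP_QUERY:
        # General queries carry no group; specific queries name one.
        kind = "general query" if int(group) == 0 else "group-specific query"
    elif msg_type in REPORT_OR_LEAVE:
        kind = REPORT_OR_LEAVE[msg_type]
    else:
        raise ValueError(f"unknown IGMP type 0x{msg_type:02x}")
    if kind != "general query" and not group.is_multicast:
        raise ValueError(f"{group} is not a Class D (multicast) address")
    # Max Response Time is carried in tenths of a second.
    return {"kind": kind, "group": str(group), "max_response_s": max_resp / 10}

# Constructed samples (group 239.1.2.3 is an arbitrary example address).
SAMPLES = [build_igmpv2(0x11, 100, "0.0.0.0"), build_igmpv2(0x11, 10, "239.1.2.3"),
           build_igmpv2(0x16, 0, "239.1.2.3"), build_igmpv2(0x17, 0, "239.1.2.3")]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample.hex(), parse_igmpv2(sample))
```

Rejecting messages with a bad checksum, an unknown type, or a non-multicast group before acting on them keeps malformed traffic out of the membership state.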


The IGMP protocol is implemented on a particular host and within a router. A host requests membership to a group through its local router while a router listens for these requests and periodically sends out subscription queries.

IGMP Proxy Configuration

[Figure: IGMP proxy configuration in pfSense. Here, we configure the upstream interface.]

IGMP proxy configuration is relatively simple. You enable IGMP proxy on one interface, which connects to a router closer to the root of the tree. This interface is the upstream interface. The router on the upstream interface should be running IGMP. You also enable IGMP on the interfaces that connect the system to its hosts that are farther away from the root of the tree. These interfaces are known as downstream interfaces. When you configure IGMP proxy, the system interacts with the router on its upstream interface through the exchange of IGMP messages. However, when acting as the proxy, the system performs the host portion of the IGMP task on the upstream interface as follows:

  • When queried, sends group membership reports to the group.
  • When one of its hosts joins a multicast address group to which none of its other hosts belong, sends unsolicited group membership reports to that group.
  • When the last of its hosts in a particular multicast group leaves the group, sends an unsolicited leave group membership report to the all-routers group.

[Figure: IGMP Proxy page showing the upstream and downstream interfaces.]

To configure IGMP Proxy in pfSense, first navigate to Services -> IGMP Proxy. Click on the “plus” button to add a new interface. To configure the upstream interface, select “WAN” in the “Interface” dropdown box. Then at “Description”, add an appropriate description. For “Type”, select “Upstream Interface”. At “Threshold”, you can set a time to live (TTL) threshold (the default is 1). At “Network(s)”, press the “plus” button and add one or more networks (along with the number of network bits, selected in the “CIDR” dropdown box). This defines which subnets are allowed to communicate via the IGMP proxy. I set it to “0.0.0.0” for the network and “0” for the CIDR to allow all outside hosts to send IGMP messages, but you can change this setting if necessary. Then press “Save” to save the new interface, and “Apply changes” on the next page.

Now you need to configure the downstream interface. Click the “plus” button again. At “Interface”, choose the interface on which the hosts will belong to a multicast group (probably LAN). At “Description”, type an appropriate description, and at “Type”, select “Downstream Interface” from the dropdown box. At “Threshold”, define a TTL threshold if necessary. At “Network(s)”, click on the “plus” button and specify at least one network and CIDR. Then press “Save” to save the changes and “Apply changes” to apply them.

You also need a firewall rule on the downstream side (typically LAN) that passes this traffic and has the advanced option to allow packets with IP options checked. To do this, navigate to Firewall -> Rules, and click on the appropriate tab (probably LAN). Click on “plus” to add a new rule. Leave the settings for “Interface”, “TCP/IP Version”, “Protocol”, “Source” and “Destination” unchanged. At “Description”, enter a description. Scroll down to “Advanced features”, and at “Advanced Options”, click on the “Advanced” button and check the first check box to allow packets with IP options to pass. Then scroll down, press the “Save” button to save this rule, and on the next page press “Apply changes” to apply the changes.
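Because the “Network(s)” entries decide which subnets may communicate via the proxy, it is worth reviewing them after saving. The check below is an added example, not part of the original article or of pfSense: it models the two entries created above as plain dictionaries, assumes a source is admitted when any listed network contains it, and uses a constructed LAN network (192.168.1.0/24) and constructed source addresses.

```python
import ipaddress

# Constructed rows mirroring the two entries the page creates. The LAN
# network 192.168.1.0/24 is an assumed value, not taken from the page.
PROXY_ENTRIES = [
    {"interface": "WAN", "type": "upstream", "networks": ["0.0.0.0/0"]},
    {"interface": "LAN", "type": "downstream", "networks": ["192.168.1.0/24"]},
]


def source_admitted(entry: dict, source: str) -> bool:
    """Assumed rule: a source is admitted if any listed network contains it."""
    addr = ipaddress.ip_address(source)
    return any(addr in ipaddress.ip_network(net) for net in entry["networks"])


def audit_entries(entries: list) -> list:
    """Return human-readable findings for a set of IGMP proxy entries."""
    findings = []
    upstream = [e for e in entries if e["type"] == "upstream"]
    downstream = [e for e in entries if e["type"] == "downstream"]
    if len(upstream) != 1:
        findings.append(
            f"expected exactly one upstream interface, found {len(upstream)}")
    if not downstream:
        findings.append("no downstream interface configured")
    for entry in entries:
        name = entry["interface"]
        if not entry["networks"]:
            findings.append(f"{name}: no network listed")
        for net in entry["networks"]:
            try:
                parsed = ipaddress.ip_network(net)
            except ValueError as exc:
                findings.append(f"{name}: invalid network {net!r} ({exc})")
                continue
            if parsed.prefixlen == 0:
                # A /0 entry matches every address, as with 0.0.0.0 and CIDR 0.
                findings.append(f"{name}: {parsed} admits every source address")
    return findings


if __name__ == "__main__":
    for finding in audit_entries(PROXY_ENTRIES):
        print(finding)
```

Replacing the catch-all entry with the specific subnets your multicast sources use clears the finding while still admitting those sources.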

© 2013 David Zientara. All rights reserved.