SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  simple multicast routing config?

    Posted 02-12-2011 04:46

    I'd like to setup some multicast routing on a SRX240, but only for directly attached networks, no remote/foreign networks should take part.

    This will be mainly for Bonjour/Zeroconf between wired and wireless networks (that are segmented over different SRX interfaces).

    I've already configured IGMP and can see the respective hosts being members of the groups, but I do not have any multicast routes in the routing table.

    Do I need to activate anything else (like PIM) in such a simple environment?

    (Firewall rules are already configured to allow MC traffic)

     

     

    Thanks!



  • 2.  RE: simple multicast routing config?

    Posted 02-12-2011 06:42

    Hi,

     

    Although from a theoretical perspective PIM would not be necessary, as the firewall/router should know multicast subscribers and sources on all subnets, in practical experience (on EX series devices, but I would guess it applies to SRX as well) it didn't work until I enabled PIM.

     

    Regards,

    Dominik



  • 3.  RE: simple multicast routing config?

    Posted 02-12-2011 09:07

    I was under the same impression and enabled PIM now.

    Occasionally there is a multicast route visible when I do a "show multicast route" but there is no traffic being forwarded anyway...



  • 4.  RE: simple multicast routing config?

    Posted 02-12-2011 09:10

    Could you post your config? Have you assigned interfaces to PIM and if yes, have you enabled dense or sparse mode? If sparse, you need to set a RP, here the firewall itself.



  • 5.  RE: simple multicast routing config?

    Posted 02-12-2011 09:38

    I'm trying to get multicast working between interface ge-4/0/0.0 and ge-6/0/0.0:

     

    > show configuration protocols igmp
    interface ge-0/0/4.0 {
        version 3;
        accounting;
    }
    interface ge-0/0/6.0 {
        version 3;
        accounting;
    }

     

    > show configuration protocols pim
    interface ge-0/0/4.0 {
        mode dense;
    }
    interface ge-0/0/6.0 {
        mode dense;
    }

     

     

     

    And PIM + IGMP come up:

     

    > show pim interfaces
    Instance: PIM.master
    
    Name               Stat Mode       IP V State NbrCnt JoinCnt(sg) JoinCnt(*g) DR address
    ge-0/0/4.0         Up   Dense       4 2 DR         0           0            0 192.168.127.1
    ge-0/0/6.0         Up   Dense       4 2 DR         0           1            0 192.168.121.1

     

     

    IGMP even shows some group members:

     

    > show igmp interface detail
    Interface: ge-0/0/4.0
        Querier: 192.168.127.1
        State:         Up Timeout:    None Version:  3 Groups:      4
        Immediate leave: Off
        Promiscuous mode: Off
        Passive: Off
    Interface: ge-0/0/6.0
        Querier: 192.168.121.1
        State:         Up Timeout:    None Version:  3 Groups:      5
        Immediate leave: Off
        Promiscuous mode: Off
        Passive: Off

     

     

    Right now I'm most interested in group 239.255.255.250

     

    > show igmp group 239.255.255.250 detail
    Interface: ge-0/0/4.0, Groups: 4
        Group: 239.255.255.250
            Group mode: Exclude
            Source: 0.0.0.0
            Source timeout: 0
            Last reported by: 192.168.127.199
            Group timeout:     171 Type: Dynamic
            Output interface: ge-0/0/4.0
    Interface: ge-0/0/6.0, Groups: 5
        Group: 239.255.255.250
            Group mode: Exclude
            Source: 0.0.0.0
            Source timeout: 0
            Last reported by: 192.168.121.2
            Group timeout:     197 Type: Dynamic
            Output interface: ge-0/0/6.0

     

    It is 192.168.127.199 & 192.168.121.2 that should communicate, but when I send an MC packet from 192.168.127.199 to 239.255.255.250, nothing leaves on ge-0/0/6.0.

     

    > show multicast statistics inet
    Instance: master Family: INET
    Interface: local
        Routing protocol:                Mismatch error:               0
        Mismatch:                    0   Mismatch no route:            0
        Kernel resolve:              0   Routing notify:               0
        Resolve no route:            0   Resolve error:                0
        Resolve filtered:            0   Notify filtered:              0
        In kbytes:                   0   In packets:                   0
        Out kbytes:                  0   Out packets:                  0
    Interface: ge-0/0/4.0
        Routing protocol:          PIM   Mismatch error:               0
        Mismatch:                    0   Mismatch no route:            0
        Kernel resolve:              0   Routing notify:               0
        Resolve no route:            0   Resolve error:                0
        Resolve filtered:            0   Notify filtered:              0
        In kbytes:                   0   In packets:                   0
        Out kbytes:                  5   Out packets:                 19
    Interface: ge-0/0/6.0
        Routing protocol:          PIM   Mismatch error:               0
        Mismatch:                    0   Mismatch no route:            0
        Kernel resolve:             18   Routing notify:               0
        Resolve no route:            0   Resolve error:                0
        Resolve filtered:            0   Notify filtered:              0
        In kbytes:                   5   In packets:                  27
        Out kbytes:                  0   Out packets:                  0

     

    Any ideas?

     

     



  • 6.  RE: simple multicast routing config?
    Best Answer

    Posted 02-12-2011 10:26

     

    set protocols pim dense-groups 239.255.255.250 

    Are you doing that on SRX?

    Do you have all proper zones and policies in place? Or place SRX in packet mode.

    Also make sure multicast packet TTL is greater than 1.

     

    HTH

    Rgds

    Alex



  • 7.  RE: simple multicast routing config?

    Posted 02-12-2011 10:43

    (Sorry, I accidentally clicked on "accept this solution")

     

    Yes this is a SRX, both interfaces are in different zones, but there is a policy to accept any/MC-address/udp (with logging) and traffic is not hitting this rule (but also not the following drop-log rule):

     

     

      Policy: multicast, State: enabled, Index: 59, Scope Policy: 0, Sequence number: 3
        Source addresses: any
        Destination addresses: MC_224.0.0.251, MC_224.0.0.252, MC_224.0.0.2, MC_224.0.0.22, MC_239.255.255.250, MC_239.255.255.253, MC_224.0.0.1
        Applications: junos-udp-any
        Action: permit, log
      Policy: droplog, State: enabled, Index: 18, Scope Policy: 0, Sequence number: 4
        Source addresses: any
        Destination addresses: any
        Applications: any
        Action: deny, log

     

     

     



  • 8.  RE: simple multicast routing config?

    Posted 02-13-2011 04:47

    Actually that

     

    Also make sure multicast packet TTL is greater than 1.

     

     

    is the problem: All my multicast packets are sent with a TTL of 1 (link local), so the SRX will just not forward them.

    Unfortunately I cannot influence the applications (and their TTL for multicast) so I'm a little lost here. Is there a way (on the SRX) to either mangle the packet to have a higher TTL or route it regardless of TTL?



  • 9.  RE: simple multicast routing config?

    Posted 02-13-2011 07:03

     


    @ctr wrote:

    : All my multicast packets are sent with a TTL of 1 (link local), so the SRX will just not forward them.

    Unfortunately I cannot influence the applications (and their TTL for multicast) so I'm a little lost here. Is there a way (on the SRX) to either mangle the packet to have a higher TTL or route it regardless of TTL?


     

    TTL can be only decremented by routers, not incremented.

     

     

    every module that processes a datagram must decrease the TTL by at least one

     http://www.ietf.org/rfc/rfc791.txt

     

     

    If you cannot influence app behaviour, then either a transit VLAN or CCC cross-connect on SRX will _not_ decrement TTL.

    IP routers _must_ decrement TTL. Period.

    HTH

    Rgds

    Alex
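
The TTL check discussed in the replies above, as an added example that is not part of any poster's message: it reads the destination and TTL from an IPv4 header and reports whether a multicast router would forward the packet. It goes one step beyond the thread by also flagging the 224.0.0.0/24 local control block (which contains several groups in the posted policy, including 224.0.0.251), since routers do not forward that range at any TTL. The function names and the sample headers are constructed for illustration.

```python
import ipaddress
import struct

# 224.0.0.0/24 is the Local Network Control Block: routers do not forward it,
# whatever the TTL. 224.0.0.251 from the posted policy falls in this range.
LOCAL_CONTROL = ipaddress.ip_network("224.0.0.0/24")

def build_header(src, dst, ttl):
    """Construct a minimal 20-byte IPv4/UDP header (sample data, checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, 17, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def parse_header(raw):
    """Return (src, dst, ttl) from the first 20 bytes of an IPv4 packet."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return (ipaddress.IPv4Address(raw[12:16]),
            ipaddress.IPv4Address(raw[16:20]), raw[8])

def verdict(raw):
    """Return (routable, reason) for one packet arriving at a multicast router."""
    _src, dst, ttl = parse_header(raw)
    if not dst.is_multicast:
        return (False, "not a multicast destination")
    if dst in LOCAL_CONTROL:
        return (False, "link-local group, never routed")
    if ttl <= 1:
        return (False, "TTL expires at the first router")
    return (True, f"forwarded with TTL {ttl - 1}")

# Constructed samples using the addresses quoted in the thread.
SAMPLES = [
    ("192.168.127.199", "239.255.255.250", 1),    # the case described above
    ("192.168.127.199", "239.255.255.250", 4),    # same group, higher TTL
    ("192.168.127.199", "224.0.0.251", 255),      # local control block group
]

def report():
    """Run every sample through verdict() and return (dst, ttl, routable, reason)."""
    return [(dst, ttl) + verdict(build_header(src, dst, ttl))
            for src, dst, ttl in SAMPLES]

if __name__ == "__main__":
    for row in report():
        print(row)
```

Feeding it the first 20 bytes of the IP header from a capture taken on the sender's segment shows, before any firewall policy is considered, whether the packet could cross a routed hop at all.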

     



  • 10.  RE: simple multicast routing config?

    Posted 10-07-2011 03:53

    Have you solved the problem?

     

    I'm trying to enable multicast in the DMZ zone of an ISG-2000 firewall for test purposes, but until now no luck.

    If the multicast traffic source, like some TV channel, is in the Untrust, and you would like to watch it on some machines in the DMZ, what needs to be configured in the DMZ to allow the multicast traffic?

     

    Thanks,



  • 11.  RE: simple multicast routing config?

    Posted 08-12-2012 03:33

    I am trying to solve exactly the same issue for one of my customers, who wants to know "How to implement Bonjour in Juniper SRX environment".

     

    So far we do not have a clear understanding of how the application (Bonjour) works.

     

    I am suggesting that he, and you too, contact Apple and open a support case with them, or ask them how they suggest deploying the application in a wired network.

     

    They should at least suggest what the basic requirements are for the application to work in a wired setup; without this, no one will be able to tell you how to fix the issue.

     

    Once you know the requirement, I am sure you will be able to understand whether that is possible or not, and if yes, you can seek help on what exactly needs to be done.

     

    Regards,

    Sachin

    Advance TAC