Firewall_multicastOptions
Multicasting, also called IP multicasting, is a method for sending one Internet Protocol (IP) packet simultaneously to multiple hosts. Multicast is suited to the rapidly growing segment of Internet traffic - multimedia presentations and video conferencing. For example, a single host transmitting an audio or video stream and ten hosts that want to receive this stream. In mutlicasting, the sending host transmits a single IP packet with a specific multicast address, and the 10 hosts simply need to be configured to listen for packets targeted to that address to receive the transmission. Multicasting is a point-to-multipoint IP communication mechanism that operates in a connectionless mode - hosts receive multicast transmissions by “tuning in” to them, a process similar to tuning in to a radio.
The Firewall Settings > Multicast page allows you to manage multicast traffic on the SonicWALL security appliance.
This section provides configuration tasks for Multicast Snooping.
Enable Multicast - This checkbox is disabled by default. Select this checkbox to support multicast traffic.
Require IGMP Membership reports for multicast data forwarding - This checkbox is enabled by default. Select this checkbox to improve performance by regulating multicast data to be forwarded to only interfaces joined into a multicast group address using IGMP.
Multicast state table entry timeout (minutes) - This field has a default of 5. The value range for this field is 5 to 60 (minutes). Update the default timer value of 5 in the following conditions:
You suspect membership queries or reports are being lost on the network.
You want to reduce the IGMP traffic on the network and currently have a large number of multicast groups or clients. This is a condition where you do not have a router to route traffic.
You want to synchronize the timing with an IGMP router.
This section provides configuration tasks for Multicast Policies.
Enable reception of all multicast addresses - This radio button is not enabled by default. Select this radio button to receive all (class D) multicast addresses. Receiving all multicast addresses may cause your network to experience performance degradation.
Enable reception for the following multicast addresses - This radio button is enabled by default. In the pull-down menu, select Create a new multicast object or Create new multicast group.
Note Only address objects and groups associated with the MULTICAST zone are available to select. Only addresses from 224.0.0.1 to 239.255.255.255 can be bound to the MULTICAST zone.
To create a multicast address object:
In the Enable reception for the following multicast addresses list, select Create new multicast object.
In the Add Address Object window, configure:
Name: The name of the address object.
Zone Assignment: Select MULTICAST.
Type: Select Host, Range, Network, or MAC.
IP Address: If you selected Host or Network, the IP address of the host or network. The IP address must be in the range for multicast, 224.0.0.0 to 239.255.255.255.
Netmask: If you selected Network, the netmask for the network.
Starting IP Address and Ending IP Address: If you selected Range, the starting and ending IP address for the address range. The IP addresses must be in the range for multicast, 224.0.0.1 to 239.255.255.255.
This section provides descriptions of the fields in the IGMP State table.
Multicast Group Address—Provides the multicast group address the interface is joined to.
Interface / VPN Tunnel—Provides the interface (such as LAN) for the VPN policy.
IGMP Version—Provides the IGMP version (such as V2 or V3).
Time Remaining—Provides the amount of time left before the IGMP entry will be flushed. This is calculated by subtracting the “Multicast state table entry timeout (minutes)” value, which has the default value of 5 minutes, and the elapsed time since the multicast address was added.
Flush and Flush All buttons—To flush a specific entry immediately, check the box to the left of the entry and click Flush. Click Flush All to immediately flush all entries.
Enabling Multicast on LAN-Dedicated Interfaces
Perform the following steps to enable multicast support on LAN-dedicated interfaces.
Enable multicast support on your SonicWALL security appliance. In the Firewall Settings > Multicast setting, click on the Enable Multicast checkbox. And in the Multicast Policy section, select the Enable the reception of all multicast addresses.
Enable multicast support on LAN interfaces. In the Network > Interfaces setting, click on the ‘Configure’ icon for the LAN interface. In the Edit Interface - LAN page, click on the Enable Multicast Support checkbox.
Perform the following steps to enable multicast support for address objects over a VPN tunnel.
Enable multicast support on your SonicWALL security appliance. In the Firewall Settings > Multicast setting, click on the Enable Multicast checkbox. And in the Multicast Policy section, select the Enable the reception for the following multicast addresses and select from the pull-down menu, Create new multicast address object....
Create a multicast address object. In the Add Address Object window, enter the following information for your address object:
Name
Zone Assignment: <LAN, WAN, DMZ, VPN, MULTICAST, WLAN, or a custom zone>
Type: <Host, Range, Network>
If you select Host, you will need to enter an IP address.
If you select Range, you will need to enter a Starting IP Address and an Ending IP Address.
If you select Network, you will need to enter a description of the Network and a Netmask.
If you select MAC, you will need to enter a MAC Address.
Enable multicast support on the VPN policy for your GroupVPN. In the VPN > Settings firmware setting, click on the “Configure’ icon to edit your GroupVPN’s VPN policy.
In the VPN Policy window, select the Advanced tab. At the Advanced tab, select the Enable Multicast checkbox.
Enabling Multicast Through a VPN
To enable multicast across the WAN through a VPN, follow:
Enable multicast globally. On the Firewall Settings > Multicast page, check the Enable Multicast checkbox, and click the Apply button for each security appliance.
Enable multicast support on each individual interface that will be participating in the multicast network. On the Network > Interfaces page for each interface on all security appliances participating, go to the Edit Interface: Advanced tab, and select the Enable Multicast Support checkbox.
Enable multicast on the VPN policies between the security appliances. From the VPN > Settings page, Advanced tab for each policy, select the Enable Multicast checkbox.
The resulting Access Rules should look as follows:
Note Notice that the default WLAN'MULTICAST access rule for IGMP traffic is set to 'DENY'. This will need to be changed to 'ALLOW' on all participating appliances to enable multicast, if they have multicast clients on their WLAN zones.
Make sure the tunnels are active between the sites, and start the multicast server application and client applications. As multicast data is sent from the multicast server to the multicast group (224.0.0.0 through 239.255.255.255), the SonicWALL security appliance will query its IGMP state table for that group to determine where to deliver that data. Similarly, when the appliance receives that data at the VPN zone, it will query its IGMP State Table to determine where it should deliver the data.
The IGMP State Tables (upon updating) should provide information indicating that there is a multicast client on the X3 interface, and across the vpnMcastServer tunnel for the 224.15.16.17 group.
Note By selecting “Enable reception of all multicast addresses”, you might see entries other than those you are expecting to see when viewing your IGMP State Tabled. These are caused by other multicast applications that might be running on your hosts.