OpenWrt Forum Archive

Topic: Block multicast

The content of this topic has been archived on 9 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi all!

Is there any way to block multicast packets so that it does not flood the wireless interface?

I have a wireless AP/Ethernet bridge based on Kamikaze over Asus WL500gD. When I connect the IP-TV receiver on my LAN, the WL500 LEDs start flashing like crazy and all wireless connections get dropped.

I tried iptables br-lan -multicast without success...

Any ideas?

Cheers,

/rp

Hi,

try something like this in /etc/firewall.user:

iptables -I FORWARD -o br-lan -d 224.0.0.0/4 -j DROP

~ JoW

No luck...
It seems that the packets are being switched before iptables chains...

/rp

Then try to drop them in INPUT or OUTPUT; maybe FORWARD does not apply in your case.

Already done that... no luck as well...

Could it be because of using the LAN to connect to the Multicast router? Is the LAN switch bridged with the WL0 interface?

/rp

Yep, it is bridged in the default configuration, see "brctl show".

Well, if the plain rule above does not match, the rule one wouldn't work either, I fear.

I see, had to read the post more closely. The wifi interface is bridged with the LAN, therefore you never get to layer 3 as everything stays in layer 2. The switch will read that it is multicast traffic and just do the forwarding itself. You will need to use ebtables to filter this traffic I believe.

Indeed. I think if he switches to a routed setup the problem will vanish, without iptables/ebtables tricks, but then he'll lose broadcasting across LAN and wifi too...

jow wrote:

Indeed. I think if he switches to a routed setup the problem will vanish, without iptables/ebtables tricks, but then he'll lose broadcasting across LAN and wifi too...

What do you mean by a routed setup? Do you mean to remove the bridge between the wifi and LAN segments? If so, then yes, I believe that would work in order to filter this traffic but as you said, it brings up other concerns he needs to be aware of.

Absolutely right. The problem disappeared when I changed from the LAN ports to the WAN ports. However, it also raised problems with broadcasts, since I lost the possibility to browse SMB shares and UPnP...

Oh well... I think I'll have to switch off the television when I want to use wireless... bummer...

xiptos wrote:

Absolutely right. The problem disappeared when I changed from the LAN ports to the WAN ports. However, it also raised problems with broadcasts, since I lost the possibility to browse SMB shares and UPnP...

Oh well... I think I'll have to switch off the television when I want to use wireless... bummer...

Well, there are ways around that as well, I think. Why not just use ebtables and filter the multicast traffic? It isn't hard. Just compile in ebtables support.

Another idea, try

sysctl -w net.ipv4.conf.all.mc_forwarding=0

If it works, edit /etc/sysctl.conf to make it persistent.

~ JoW

jow wrote:

Another idea, try

sysctl -w net.ipv4.conf.all.mc_forwarding=0

If it works, edit /etc/sysctl.conf to make it persistent.

~ JoW

Again, don't think that will work. The multicast traffic never gets up to the actual Linux system, it is all just handled by the switch.

Although a long shot, I tried it... it gives me "Permission denied", even as root. I'll try to use ebtables, if I manage to get it compiled.

I have another idea: why not reconfigure how switching works? That is, by using VLANs you can separate the port on which you connect your IP-TV from the rest of your LAN ports. Say, for example, assuming a 4-LAN-port router, you set ports 1-3 as VLAN1, then set port 4 and 5 (the internet/WAN port) as VLAN2. Then you connect your IP-TV at port 4 so that it is separated from your LAN. What do you think of this workaround?

Of course the port numbers vary with different hardware. Mine, for example, has ports 0-3 as LAN ports 1-4, port 4 as the WAN port, and port 5 as the internal, hardwired port, for a total of 6 ports on a 4-LAN-port router. And do not forget to include the internal, hardwired port of your switch in each VLAN when defining them.

(Last edited by braveheartleo on 25 Jan 2010, 13:53)

It looks like you are using the router as a switch and AP, and the multicast traffic floods your wireless interface.
Multicast is different from broadcast, as it is only intended for subscribing hosts. Unfortunately, any switch that doesn't implement IGMP snooping doesn't know who wants multicast, so will handle it like broadcast.

The ideal solution is to implement IGMP snooping. I don't know how to do that.
A working solution is to filter multicast traffic being sent to the wifi interface.

1 - Install ebtables:

opkg update
opkg install ebtables

Note 1: if you are using the router as a switch, you will need to add "config option gateway" and "config list dns" to the LAN interface configuration to gain internet connectivity.
Note 2: installing kernel modules with packages doesn't work every time. If your router doesn't boot anymore, please compile OpenWRT with ebtables built in.

2 - Add rules:

Edit /etc/firewall.user and add:

ebtables -A FORWARD -o wlan0 -d Multicast -j DROP # drop multicast traffic coming from another interface to wlan0(WIFI)

If this doesn't work as you wish, you may also try these rules:

ebtables -A FORWARD -i eth0 -d Multicast -j DROP # drop multicast traffic coming from eth0(LAN) to any other bridged interface
ebtables -A INPUT -i eth0 -d Multicast -j DROP # drop multicast traffic coming from eth0(LAN) to the CPU


Regards
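The ebtables rules in the post above match on the Ethernet destination, not on the IP header, which is why the earlier iptables attempt on the 224.0.0.0/4 range never saw bridged traffic. The following is an added example, not code from any poster: it models that layer-2 decision in Python with the RFC 1112 mapping from an IPv4 group to its 01:00:5e MAC, the I/G-bit test behind ebtables' "Multicast" pseudo-address, and a verdict function for the FORWARD rule using the post's eth0/wlan0 names. `Frame`, `Rule`, `RULES` and `bridge_verdict` are names invented here.

```python
# Added example (not from the thread): how the ebtables rule posted above decides
# what to drop. ebtables looks at the Ethernet header, so the decision rests on
# the destination MAC, never on the 224.0.0.0/4 IP range the iptables attempt used.
import ipaddress
from dataclasses import dataclass
from typing import Optional


def ipv4_multicast_mac(group: str) -> str:
    """RFC 1112 mapping: 01:00:5e followed by the low 23 bits of the group address."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not in 224.0.0.0/4")
    low23 = int(addr) & 0x7FFFFF
    return "01:00:5e:%02x:%02x:%02x" % (low23 >> 16, (low23 >> 8) & 0xFF, low23 & 0xFF)


def is_multicast_mac(mac: str) -> bool:
    """What ebtables' 'Multicast' pseudo-address tests: the I/G bit (LSB of the
    first octet) is set. ff:ff:ff:ff:ff:ff has that bit set too, so broadcast
    frames match a '-d Multicast' rule as well."""
    return int(mac.split(":")[0], 16) & 0x01 == 0x01


@dataclass
class Frame:                 # constructed model of a frame crossing br-lan
    in_if: str               # bridge port the frame arrived on
    out_if: str              # bridge port it is about to leave on
    dst_mac: str


@dataclass
class Rule:                  # the subset of an ebtables FORWARD rule the post uses
    target: str
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    dst_multicast: bool = False


# 'ebtables -A FORWARD -o wlan0 -d Multicast -j DROP' from the post, as data
RULES = [Rule(target="DROP", out_if="wlan0", dst_multicast=True)]


def bridge_verdict(frame: Frame, rules=RULES) -> str:
    """First matching FORWARD rule wins; no match falls through to ACCEPT."""
    for r in rules:
        if r.in_if is not None and r.in_if != frame.in_if:
            continue
        if r.out_if is not None and r.out_if != frame.out_if:
            continue
        if r.dst_multicast and not is_multicast_mac(frame.dst_mac):
            continue
        return r.target
    return "ACCEPT"
```

Two things the model makes visible: the MAC mapping is 32:1, so a layer-2 filter cannot tell 224.0.0.1 from 225.0.0.1, and the Multicast pseudo-address also covers the broadcast MAC, so the posted rule stops broadcasts (ARP requests included) from reaching wireless clients as well.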

The discussion might have continued from here.