My housemates were getting increasingly frustrated with our HG659 locking up under load (whole different thread) so I wanted to replace it with my ERL3, but getting multicast for the T-Box working through the ERL3 was giving me headaches.
There are some old threads on the topic here, the Ubiquiti documentation, some generic IGMP proxy threads on the Ubiquiti forums, etc. But I couldn't find a 'complete picture' anywhere and I ran into some issues (and went down some rabbit holes), so I figured even though the T-Boxes are being EOL'd I'd post this here in case it's useful to anyone else.
It didn't look that hard, configure the IGMP proxy with a few commands, configure the firewall, it should just work, right? Famous last words.
I ran into two main issues, the first of which was simple human error on my part: my UFB connection is VLAN 10 tagged and I forgot to configure the IGMP proxy to use the VLAN sub-interface in my config.
The biggest gotcha for me however was that the IGMP proxy service kept refusing to load. Turns out, the IGMP proxy service won't start if your WAN interface doesn't have a current IP. As I was trying to test my ERL3 configuration in a disconnected state before putting it 'into production' this caused me no end of grief before I finally dug deep enough to get an error message that led me to a solution.
Enable IGMP Proxy
Config example:
protocols {
    igmp-proxy {
        interface eth0.10 {
            alt-subnet 0.0.0.0/0
            role upstream
            threshold 1
        }
        interface eth2 {
            alt-subnet 0.0.0.0/0
            role downstream
            threshold 1
        }
    }
}
Change <wan> to the name of your WAN interface (the VLAN sub-interface eth0.10 in the example above) and change <lan> to the name of your LAN interface (eth2 in the example above).
commands:
set protocols igmp-proxy interface <wan> alt-subnet 0.0.0.0/0
set protocols igmp-proxy interface <wan> role upstream
set protocols igmp-proxy interface <wan> threshold 1
set protocols igmp-proxy interface <lan> alt-subnet 0.0.0.0/0
set protocols igmp-proxy interface <lan> role downstream
set protocols igmp-proxy interface <lan> threshold 1
Create firewall rules:
You need to have rules to allow UDP Multicast and IGMP and accepted wisdom seems to be they should be placed ahead of any other rules to avoid stuttering issues.
Assuming you are using the default WAN_IN and WAN_LOCAL rules, your configuration should be something like this:
config example:
name WAN_IN {
    default-action drop
    description "WAN to internal"
    rule 10 {
        action accept
        description "Allow UDP Multicast"
        destination {
            address 224.0.0.0/4
        }
        log disable
        protocol udp
        source {
            address 203.167.247.45/32
        }
    }
    rule 20 {
        action accept
        description "Allow IGMP"
        log disable
        protocol igmp
    }
    rule 30 {
        action accept
        description "Allow established/related"
        state {
            established enable
            related enable
        }
    }
    rule 40 {
        action drop
        description "Drop invalid state"
        state {
            invalid enable
        }
    }
}
name WAN_LOCAL {
    default-action drop
    description "WAN to router"
    rule 10 {
        action accept
        description "Allow UDP Multicast"
        destination {
            address 224.0.0.0/4
        }
        log disable
        protocol udp
        source {
            address 203.167.247.45/32
        }
    }
    rule 20 {
        action accept
        description "Allow IGMP"
        log disable
        protocol igmp
    }
    rule 30 {
        action accept
        description "Allow established/related"
        state {
            established enable
            related enable
        }
    }
    rule 40 {
        action drop
        description "Drop invalid state"
        state {
            invalid enable
        }
    }
}
commands:
set firewall name WAN_IN rule 10 action accept
set firewall name WAN_IN rule 10 description 'Allow UDP Multicast'
set firewall name WAN_IN rule 10 destination address 224.0.0.0/4
set firewall name WAN_IN rule 10 log disable
set firewall name WAN_IN rule 10 protocol udp
set firewall name WAN_IN rule 10 source address 203.167.247.45/32
set firewall name WAN_IN rule 20 action accept
set firewall name WAN_IN rule 20 description 'Allow IGMP'
set firewall name WAN_IN rule 20 log disable
set firewall name WAN_IN rule 20 protocol igmp
set firewall name WAN_IN rule 30 action accept
set firewall name WAN_IN rule 30 description 'Allow established/related'
set firewall name WAN_IN rule 30 state established enable
set firewall name WAN_IN rule 30 state related enable
set firewall name WAN_IN rule 40 action drop
set firewall name WAN_IN rule 40 description 'Drop invalid state'
set firewall name WAN_IN rule 40 state invalid enable
set firewall name WAN_LOCAL rule 10 action accept
set firewall name WAN_LOCAL rule 10 description 'Allow UDP Multicast'
set firewall name WAN_LOCAL rule 10 destination address 224.0.0.0/4
set firewall name WAN_LOCAL rule 10 log disable
set firewall name WAN_LOCAL rule 10 protocol udp
set firewall name WAN_LOCAL rule 10 source address 203.167.247.45/32
set firewall name WAN_LOCAL rule 20 action accept
set firewall name WAN_LOCAL rule 20 description 'Allow IGMP'
set firewall name WAN_LOCAL rule 20 log disable
set firewall name WAN_LOCAL rule 20 protocol igmp
set firewall name WAN_LOCAL rule 30 action accept
set firewall name WAN_LOCAL rule 30 description 'Allow established/related'
set firewall name WAN_LOCAL rule 30 state established enable
set firewall name WAN_LOCAL rule 30 state related enable
set firewall name WAN_LOCAL rule 40 action drop
set firewall name WAN_LOCAL rule 40 description 'Drop invalid state'
set firewall name WAN_LOCAL rule 40 state invalid enable
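As an added check (my own example, not part of the original post or of EdgeOS), a small Python linter that parses EdgeOS brace-style config text and verifies that a rule set follows the ordering described above: the UDP accept for 224.0.0.0/4 exists, is limited to a source address rather than open to the whole WAN, and is numbered before the first established/related state rule. The embedded sample is a constructed subset of the WAN_IN rule set; run it against the output of show firewall name WAN_IN or WAN_LOCAL in the same way.

```python
import ipaddress
import shlex

MCAST = ipaddress.ip_network("224.0.0.0/4")
# Constructed sample in EdgeOS brace syntax: a subset of the WAN_IN rule set above.
SAMPLE = """name WAN_IN {
    rule 10 {
        action accept
        destination {
            address 224.0.0.0/4
        }
        protocol udp
        source {
            address 203.167.247.45/32
        }
    }
    rule 30 {
        state {
            established enable
        }
    }
}"""

def parse(text):
    """Parse EdgeOS brace config into nested dicts; 'key value' leaves become strings."""
    stack = [{}]  # stack[0] is the root, stack[-1] the block currently being filled
    for line in filter(None, map(str.strip, text.splitlines())):
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = stack[-1][" ".join(shlex.split(line[:-1]))] = {}
            stack.append(child)
        else:
            key, *val = shlex.split(line)
            stack[-1][key] = " ".join(val)
    return stack[0]

def check_ruleset(rs):
    """UDP accept for 224.0.0.0/4 must exist, be source-scoped and precede the first state rule."""
    rules = dict(sorted((int(k.split()[1]), v) for k, v in rs.items() if k.startswith("rule ")))
    mcast = [n for n, r in rules.items() if r.get("protocol") == "udp" and ipaddress.ip_network(
        r.get("destination", {}).get("address", "0.0.0.0/0"), strict=False).subnet_of(MCAST)]
    state = [n for n, r in rules.items() if "state" in r]
    if not mcast:
        return ["no UDP accept rule for 224.0.0.0/4"]
    findings = [f"rule {n}: multicast accept is not limited to a source address"
                for n in mcast if not rules[n].get("source", {}).get("address")]
    if state and state[0] < mcast[0]:
        findings.append(f"state rule {state[0]} is evaluated before multicast rule {mcast[0]}")
    return findings
```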