Any source Multicast between VLANs, IGMPv3, OpenWrt 21 on RPI 4

Hi,
I would like to use a Raspberry Pi 4 as a multicast router. Here is the network I would like to realize:

The any-source multicast uses the IGMPv3 protocol (ttl=1); the UDP packets have a ttl of 16.
I have installed smcroute so I can see the multicast routing. Here is the show output:

root@OpenWrt:~# smcroutectl show

(*,G) Template Rules
ROUTE (S,G)                                IIF       OIFS
(*, 225.3.2.1)                             eth0
(*, 225.0.0.0/24)                          eth0

(S,G) Rules
ROUTE (S,G)                                IIF       OIFS
(192.168.1.42, 225.1.2.3)                  eth0

Kernel MFC Table
ROUTE (S,G)                                IIF       OIFS
(192.168.1.42, 225.1.2.3)                  eth0
(192.168.101.201, 239.255.255.250)         eth0.101
(192.168.101.240, 224.0.23.12)             eth0.101
(192.168.101.201, 239.0.0.1)               eth0.101
(192.168.101.140, 224.0.23.12)             eth0.101
(192.168.102.150, 224.0.23.12)             eth0.102
(192.168.100.235, 239.255.255.250)         eth0.100
(192.168.101.240, 239.255.255.250)         eth0.101

For testing, I have added all VLANs to the LAN zone. If I add the multicast route manually with:

smcroutectl add eth0.99 224.0.23.12 eth0.101 eth0.102
smcroutectl add eth0.101 224.0.23.12 eth0.99 eth0.102
smcroutectl add eth0.102 224.0.23.12 eth0.99 eth0.101

the multicast works as expected. Here are my questions:

  1. How can I realize the multicast 224.0.23.12 routing between the VLANs automatically?
  2. Do I need to add the VLANs to a bridge and create an interface for the bridge? Apart from multicast communication, no other communication between the VLANs should be possible. But from VLAN eth0.99 it should be possible to communicate with all VLANs.

Here is my config:

root@OpenWrt:~# ubus call system board
{
        "kernel": "5.4.179",
        "hostname": "OpenWrt",
        "system": "ARMv8 Processor rev 3",
        "model": "Raspberry Pi 4 Model B Rev 1.4",
        "board_name": "raspberrypi,4-model-b",
        "release": {
                "distribution": "OpenWrt",
                "version": "21.02.2",
                "revision": "r16495-bf0c965af0",
                "target": "bcm27xx/bcm2711",
                "description": "OpenWrt 21.02.2 r16495-bf0c965af0"
        }
}
root@OpenWrt:~# uci export network
package network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fdb2:acc5:1bc9::/48'

config device
        option name 'br-lan'
        option type 'bridge'
        option bridge_empty '1'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '10'
        option name 'eth0.10'

config interface 'wan'
        option proto 'dhcp'
        option device 'eth0.10'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '99'
        option name 'eth0.99'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '100'
        option name 'eth0.100'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '101'
        option name 'eth0.101'

config device
        option type '8021q'
        option ifname 'eth0'
        option vid '102'
        option name 'eth0.102'

config interface 'MGMTknx'
        option proto 'static'
        option device 'eth0.99'
        option ipaddr '192.168.99.1'
        option netmask '255.255.255.0'

config interface 'GSA'
        option proto 'static'
        option device 'eth0.100'
        option ipaddr '192.168.100.1'
        option netmask '255.255.255.0'

config interface 'WHG101'
        option proto 'static'
        option device 'eth0.101'
        option ipaddr '192.168.101.1'
        option netmask '255.255.255.0'

config interface 'WHG102'
        option proto 'static'
        option device 'eth0.102'
        option ipaddr '192.168.102.1'
        option netmask '255.255.255.0'

config device
        option name 'eth0'

config device
        option type 'bridge'
        option name 'knx-br'
        list ports 'eth0.101'
        list ports 'eth0.102'
        list ports 'eth0.99'
        option bridge_empty '1'
        option multicast_querier '1'
        option query_interval '1500'
root@OpenWrt:~# uci export dhcp
package dhcp

config dnsmasq
        option domainneeded '1'
        option boguspriv '1'
        option filterwin2k '0'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option nonegcache '0'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option nonwildcard '1'
        option localservice '1'
        option ednspacket_max '1232'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '12h'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        option ra_slaac '1'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'
        list ra_flags 'none'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config dhcp 'GSA'
        option interface 'GSA'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'

config dhcp 'MGMTknx'
        option interface 'MGMTknx'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'

config dhcp 'WHG101'
        option interface 'WHG101'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'

config dhcp 'WHG102'
        option interface 'WHG102'
        option start '100'
        option limit '150'
        option leasetime '12h'
        list ra_flags 'none'

config host
        option name 'abb-ipr'
        option ip '192.168.101.140'
        option mac '00:0C:DE:FF:FF:FA'

config host
        option name 'abb-ipr'
        option ip '192.168.102.150'
        option mac '00:0C:DE:FF:FF:FB'
root@OpenWrt:~# uci export firewall
package firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'
        list network 'lan'
        list network 'MGMTknx'
        list network 'GSA'
        list network 'WHG101'
        list network 'WHG102'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Support-UDP-Traceroute'
        option src 'wan'
        option dest_port '33434:33689'
        option proto 'udp'
        option family 'ipv4'
        option target 'REJECT'
        option enabled 'false'

config include
        option path '/etc/firewall.user'

Thanks.

What does "automatically" mean?

Multicast between networks requires a Multicast router (e.g. pimd or smcroute).

Bridging connects VLANs; you actually state this in your sentence by wanting to block all other communication. So you'd have to install other software to firewall what was already separated.

I'm lost, you said multicast works as expected, correct?

Are you asking how to do this without installing smcroute?

What does "automatically" mean?

If a device joins the multicast group 224.0.23.12 in a VLAN, it should create the route between the VLANs that the group needs.

Multicast between networks requires a Multicast router (e.g. pimd or smcroute).

I was not sure if I need pimd. I have installed the package frr-pimd, but if I try to start pimd I receive this error:

root@OpenWrt:~# pimd
2022/04/24 08:57:39 PIM: Failure to register for VIFWHOLE and WRONGVIF upcalls 92 Protocol not available
2022/04/24 08:57:39 PIM: Could not enable mroute on socket fd=8: errno=22: Invalid argument

I'm lost, you said multicast works as expected, correct?

Then I tried it with smcroute, and when I add the routes manually with these commands:

smcroutectl add eth0.99 224.0.23.12 eth0.101 eth0.102
smcroutectl add eth0.101 224.0.23.12 eth0.99 eth0.102
smcroutectl add eth0.102 224.0.23.12 eth0.99 eth0.101

then the multicast works, but later I need to create 500 VLANs. I would like to only add which VLANs can join the multicast group, and not have to add the source and destination VLANs for each VLAN. I am not a network expert, but should it not work with PIM-SSM or a similar routing protocol? Or am I wrong?

Are you asking how to do this without installing smcroute?

No, I am searching for the best way to solve my problem. OpenWrt and routing are new to me.
Thank you for your help.
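
The manual full-mesh rules from the post above can be generated rather than typed. The following is an added example, not part of the original posts or of smcroute: it prints one `smcroutectl add` command per inbound interface, in the same form used in the thread, and refuses more interfaces than the Linux kernel's limit of 32 multicast routing interfaces (MAXVIFS) per routing table. The function names `is_mcast_group` and `mesh_routes` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): print the full-mesh
# "smcroutectl add IIF GROUP OIF..." commands for one group.

MAXVIFS=32  # Linux kernel limit on multicast routing interfaces (VIFs)

# is_mcast_group ADDR: succeed if ADDR is a dotted quad in 224.0.0.0/4
is_mcast_group() {
    case "$1" in
        ''|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    [ "$1" -ge 224 ] && [ "$1" -le 239 ]
}

# mesh_routes GROUP IFACE IFACE...: one command per inbound interface,
# listing every other interface as outbound.
mesh_routes() {
    [ $# -ge 3 ] || { echo "usage: mesh_routes GROUP IFACE IFACE..." >&2; return 2; }
    group=$1; shift
    is_mcast_group "$group" || { echo "not a multicast group: $group" >&2; return 2; }
    [ $# -le "$MAXVIFS" ] || { echo "$# interfaces exceed MAXVIFS=$MAXVIFS" >&2; return 3; }
    for iif in "$@"; do
        oifs=
        for oif in "$@"; do
            [ "$oif" = "$iif" ] || oifs="$oifs $oif"
        done
        echo "smcroutectl add $iif $group$oifs"
    done
}

# Interfaces and group taken from the thread; pipe the output to sh to apply.
mesh_routes 224.0.23.12 eth0.99 eth0.101 eth0.102
```

For N interfaces this emits N rules with N-1 outbound interfaces each, which is the per-VLAN bookkeeping the post wants to avoid.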

Now pimd works; I had to go through vtysh.

Here is my frr.conf:

password zebra
log syslog
access-list vty permit 127.0.0.0/8
access-list vty deny any
line vty
 access-class vty
debug igmp
debug pim
debug pim zebra
interface eth0.99
 ip pim ssm
 ip igmp
interface eth0.101
 ip pim ssm
 ip igmp
interface eth0.102
 ip pim ssm
 ip igmp

In Wireshark, I see the "Membership Query" and the "Membership Report / Join group",
but the routing doesn't work. Here is my console output:

OpenWrt# show ip pim interface
Interface         State          Address  PIM Nbrs           PIM DR  FHR IfChannels
eth0.99              up     192.168.99.1         0            local    0          0
eth0.101             up    192.168.101.1         0            local    0          0
eth0.102             up    192.168.102.1         0            local    0          0
pimreg             down          0.0.0.0         0            local    0          0
OpenWrt# show ip igmp interface
Interface         State          Address  V  Querier  Query Timer    Uptime
eth0.99              up     192.168.99.1  3    local     00:00:33  00:25:26
eth0.101             up    192.168.101.1  3    local     00:00:33  00:25:26
eth0.102             up    192.168.102.1  3    local     00:00:33  00:25:26
OpenWrt# show ip igmp groups
Total IGMP groups: 0
Watermark warn limit(Not Set): 0
Interface        Address         Group           Mode Timer    Srcs V Uptime

Is it normal that the state of the pimreg interface is down?
What do I need to change in my config to activate the routing between the VLANs?

Thanks
Regards