Picobot
Aspirant
Jul 20, 2022
Solved

GC110: How to completely block IGMP packets on one physical port or one specific IP address?

Hello everyone,


as the topic says, I am looking for a solution that completely blocks all incoming and outgoing IGMP packets on one physical port of the switch or one specific IP address. The reason is the following: In Germany, the access point "o2 Home Satellite", which is actually an Askey RG3110W, is currently sold for only 3€. Regardless of the fact that this device is designed to be used together with the "o2 Homebox", this access point works very well together with a Fritz!Box 7590.


However, there is one problem: for some obscure reason, this access point pretends to be an "IGMP v2 router" and suppresses the Fritz!Box as an "IGMP v3 router". For this reason, the IPTV service "Magenta TV", which is offered by Deutsche Telekom and requires IGMP v3 capable devices to organize the multicast packets, no longer works as soon as this access point is switched on.


Hence the question: Can I somehow configure the GC110 so that this "o2 Home Satellite" access point can send and receive TCP, UDP and ICMP packets, but all IGMP packets to and from this access point are completely blocked?


Thanks in advance for any advice

Picobot

 


3 Replies

  • JeraldM
    NETGEAR Employee Retired

    Hi Picobot,

     

    Please check page 144 of the user manual here under Switching > Multicast > IGMP Snooping > IGMP Snooping Interface Configuration.

     

     

    Regards,

     

    JeraldM

    NETGEAR Community Team

    • Picobot
      Aspirant

      Hi JeraldM,

       

      the problem is not the IGMP-Snooping of the GC110.

       

      The situation at the moment is the following: As soon as the o2 AP is switched on, after a short moment the message "IGMPv2 multicast router [IP address of the o2 AP] active" appears in the event log of the Fritz!Box. If I have understood the specs of IGMP correctly, the whole LAN, including the other switches, which are capable of IGMPv3 snooping, is "downgraded" to IGMPv2. As soon as I switch off the o2 AP, after a few minutes the message "IGMPv3 multicast router [IP address of Fritz!Box] active" appears on the FB7590 after a short time and Magenta TV works again.

       

      Since I own a second o2 AP which is located at my home, I think I was able to track down the problem with the help of Wireshark. When the o2 AP is switched on, it sends the message "192.168.1.250 224.0.0.1 IGMPv2 60 Membership Query, general"

       

      At this moment the Fritz!Box as IGMPv3 router is replaced by the o2 AP as IGMPv2 router and the whole LAN is downgraded to IGMPv2, which is why "Magenta TV" is no longer working. After switching off the o2 AP it takes a few minutes until the message "192.168.1.254 224.0.0.1 IGMPv3 60 Membership Query, general" appears within Wireshark and "Magenta TV" is working again.

       

      So I need a filter which blocks the "192.168.1.250 224.0.0.1 IGMPv2 60 Membership Query, general" packet. I already tried to create an extended IPv4 ACL rule which blocks IGMP packets from the IP address of the o2 AP. But the AP in question and the GC110 are located in a friend's house and I have to tell him to reconnect the o2 AP to the GC110 to check out if my filter works like I am hoping for.

       

      Therefore I will report back later.
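The Wireshark diagnosis in the post above can be automated. The following is an added example, not part of the original post: it classifies IGMP Membership Queries by version from raw IPv4 packets and lists queriers other than the expected one. The sample packets are constructed (zero checksums, no Router Alert option), and the two addresses are the ones quoted in the thread.

```python
import struct
from ipaddress import IPv4Address

EXPECTED_QUERIER = "192.168.1.254"        # Fritz!Box address from the thread

def build_query(src: str, igmp: bytes) -> bytes:
    """Constructed sample: IPv4 header (no options, zero checksums) + IGMP,
    zero-padded to the 46-byte Ethernet minimum payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 20 + len(igmp), 0, 0, 1, 2, 0,
                         IPv4Address(src).packed, IPv4Address("224.0.0.1").packed)
    packet = header + igmp
    return packet + bytes(max(0, 46 - len(packet)))

# Constructed general queries: 8-octet IGMPv2 form and 12-octet IGMPv3 form.
V2_QUERY = build_query("192.168.1.250", struct.pack("!BBH4s", 0x11, 100, 0, bytes(4)))
V3_QUERY = build_query("192.168.1.254",
                       struct.pack("!BBH4sBBH", 0x11, 100, 0, bytes(4), 2, 125, 0))

def classify(packet: bytes):
    """Return (source, IGMP version) for a Membership Query, otherwise None."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 2:
        return None                        # not IPv4 or not IGMP (protocol 2)
    ihl = (packet[0] & 0x0F) * 4           # header length, covers IP options
    total_len = struct.unpack("!H", packet[2:4])[0]
    igmp = packet[ihl:total_len]           # IP total length excludes Ethernet padding
    if len(igmp) < 8 or igmp[0] != 0x11:   # 0x11 = Membership Query
        return None
    src = str(IPv4Address(packet[12:16]))
    if len(igmp) >= 12:                    # RFC 3376: v3 queries are at least 12 octets
        return src, 3
    return src, (2 if igmp[1] else 1)      # v1 queries carry Max Resp Time 0

def unexpected_queriers(packets, expected=EXPECTED_QUERIER):
    """List distinct (source, version) pairs of queries not sent by `expected`."""
    found = []
    for packet in packets:
        result = classify(packet)
        if result and result[0] != expected and result not in found:
            found.append(result)
    return found

if __name__ == "__main__":
    print(unexpected_queriers([V3_QUERY, V2_QUERY, V2_QUERY]))
```

Slicing by the IP total length matters because the padded 60-byte frame would otherwise make an 8-octet IGMPv2 query look long enough to be IGMPv3. Under IGMP querier election the lowest source address wins, which is consistent with 192.168.1.250 displacing 192.168.1.254 in the thread.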

       

       

       

      • Picobot
        Aspirant

        Here is the feedback:

        After studying the manual of the GC110 a bit more intensively, the solution was much easier than I had first thought.

         

        Step 1: Create an ACL-Name, in this case "block-igmp"

        Step 2: For this ACL, create an IP extended rule with sequence number 1, which blocks all IGMP traffic from the source IP of the o2 access point

        Step 3: For the same ACL, create a second IP extended rule with sequence number 2, which allows all other traffic ( match every = true )

        This second rule is mandatory, because the switch by default will drop all packets which do not match any of the rules.

        Step 4: Bind this ACL to the physical port where the o2 access point is connected.

         

        Now the "IGMPv2 membership queries" which are sent from the o2 AP for some obscure reason can't enter the rest of the LAN anymore and the "Magenta TV" receivers in the LAN are working without any problems.

         

        Until next time, Picobot
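The four steps above, modelled as first-match ACL evaluation with an implicit deny. This is an added example, not part of the original post and not GC110 configuration syntax. It assumes the ACL is applied to traffic entering the switch on the AP's port, and the Wi-Fi client address 192.168.1.57 is constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Optional

IGMP, TCP, UDP, ICMP = 2, 6, 17, 1       # IANA IP protocol numbers
AP = "192.168.1.250"                      # o2 AP address seen in the thread's capture

@dataclass(frozen=True)
class Rule:
    seq: int
    action: str                           # "permit" or "deny"
    protocol: Optional[int] = None        # None matches any protocol
    src: Optional[str] = None             # None matches any source address
    match_every: bool = False             # matches every packet

    def matches(self, proto: int, src: str) -> bool:
        if self.match_every:
            return True
        proto_ok = self.protocol is None or self.protocol == proto
        src_ok = self.src is None or ip_address(self.src) == ip_address(src)
        return proto_ok and src_ok

def evaluate(rules, proto, src):
    """First matching rule in sequence order decides; no match means implicit deny."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule.matches(proto, src):
            return rule.action
    return "deny"

# ACL "block-igmp": rule 1 drops the AP's own IGMP, rule 2 permits everything else.
BLOCK_IGMP = [Rule(1, "deny", protocol=IGMP, src=AP),
              Rule(2, "permit", match_every=True)]

# Constructed packets arriving on the AP's switch port: (label, protocol, source IP)
INBOUND = [
    ("AP IGMPv2 general query", IGMP, AP),
    ("AP ICMP echo reply", ICMP, AP),
    ("Wi-Fi client TCP", TCP, "192.168.1.57"),
    ("Wi-Fi client IGMP report", IGMP, "192.168.1.57"),
]

def verdicts(rules):
    return {label: evaluate(rules, proto, src) for label, proto, src in INBOUND}

if __name__ == "__main__":
    for name, rules in (("rules 1+2", BLOCK_IGMP), ("rule 1 only", BLOCK_IGMP[:1])):
        print(name, verdicts(rules))
```

With rule 1 alone every packet from the port is dropped, which is why step 3 is mandatory. Because rule 1 matches only the AP's own source address, IGMP reports from clients bridged through the AP are still permitted.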
