
Configure multicast routing

This page provides details about the configuration of multicast routing.

You must turn on multicast forwarding before you can add a multicast route.

To configure multicast routing, do as follows:

  1. Configure static multicast routes

  2. Select Option 3 (Route configuration) > Option 2 (Configure Multicast Routing) > Option 2 (Configure Static-routes) and execute the following command:

    mroute add input-interface port portnumber source-ip sourceipaddress dest-ip destinationipaddress output-interface port portnumber
    

    The parameters and their meanings are shown in the table.

    | Option | Description |
    |---|---|
    | input-interface | Interface on which multicast traffic arrives on the firewall. |
    | source-ip | Unicast IP address of source transmitting multicast traffic. |
    | dest-ip | Class D IP address (224.0.2.0 to 239.255.255.255). |
    | output-interface | Interface from which multicast traffic exits the firewall. |

    Example
    mroute add input-interface PortA source-ip 1.1.1.1 dest-ip 230.1.1.2 output-interface PortB
    

    Sophos Firewall forwards multicast traffic received on interface PortA from IP address 1.1.1.1 to 230.1.1.2 through interface PortB.

    If you want to inject multicast traffic to more than one interface, you must add routes for each destination interface.

    Example
    mroute add input-interface PortA source-ip 1.1.1.1 dest-ip 230.1.1.2 output-interface PortB
    
    mroute add input-interface PortA source-ip 1.1.1.1 dest-ip 230.1.1.2 output-interface PortC
    
  3. Viewing routes

  4. Select Option 3 (Route Configuration) > Option 2 (Configure Multicast Routing) > Option 2 (Configure Static-routes) and execute the following command:

    mroute show
    
  5. Removing routes

  6. Select Option 3 (Route configuration) > Option 2 (Configure Multicast Routing) > Option 2 (Configure Static-routes) and execute the following command:

    mroute del input-interface source-ipaddress destination-ip output-interface
    

    Example

    mroute del eth0 1.1.1.1 230.1.1.1 eth2
    Multicast route deleted successfully
    

    Note

    • Source and destination interfaces can't be the same for multicast routes.
    • You can't define multiple destination interfaces in one multicast route. To add or delete such routes, you must add or delete a route for each interface.
    • Non-Ethernet interfaces such as IPsec0 aren't supported.
  7. Multicast routes over IPsec VPN tunnel

    Sophos Firewall supports secure transport of multicast traffic over untrusted networks using an IPsec VPN connection.

    You can send and receive unicast and multicast traffic between two or more VPN sites connected to the public internet. This removes the need for multicast-aware routers between the sites connected over IPsec VPN.

    To be able to access a multicast route, a unicast host must be configured as an explicit host (with netmask /32) in the VPN configuration.

  8. Select Option 3 (Route Configuration) > Option 2 (Configure Multicast Routing) > Option 2 (Configure Static-routes) and use the below commands to configure multicast routing over IPsec:

    Option Description
    mroute add input-interface Port [portnumber] source-ip [ipaddress] dest-ip [ipaddress] output-interface Port [portnumber]

    To forward multicast traffic from a given interface to another.

    Example:
    mroute add input-interface PortA source-ip 192.168.1.2 dest-ip 239.0.0.55 output-interface PortB

    mroute add input-interface Port [portnumber] source-ip [ipaddress] dest-ip [ipaddress] output-tunnel gre name [gretunnelname]

    To forward multicast traffic from a specific interface to a specific GRE tunnel.

    Example:
    mroute add input-interface PortA source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel gre name Elitecore

    mroute add input-interface Port [portnumber] source-ip [ipaddress] dest-ip [ipaddress] output-tunnel IPsec

    To forward multicast traffic from a specific interface to IPsec tunnels. Sophos Firewall automatically selects the tunnel to use depending upon the local and remote network configurations.

    Example:
    mroute add input-interface PortA source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel IPsec

    mroute add input-tunnel IPsec name [IPsecconnectionname] source-ip [ipaddress] dest-ip [ipaddress] output-interface Port [portnumber]

    Forwards multicast traffic from an IPsec connection to a specific interface.

    Example:
    mroute add input-tunnel IPsec name Net2Net source-ip 192.168.1.2 dest-ip 239.0.0.55 output-interface PortB

    mroute add input-tunnel IPsec name [IPsecconnectionname] source-ip [ipaddress] dest-ip [ipaddress] output-tunnel IPsec

    Forwards multicast traffic from a specific IPsec tunnel to other IPsec tunnels. Sophos Firewall automatically selects the appropriate tunnel based on the local and remote network configurations.

    Example:
    mroute add input-tunnel IPsec name Net2Net source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel IPsec

    mroute add input-tunnel IPsec name [IPsecconnectionname] port [number] source-ip [ipaddress] dest-ip [ipaddress] output-tunnel gre name [gretunnelname]

    Forwards multicast traffic coming from a specific IPsec tunnel to another specific GRE tunnel.

    Example:
    mroute add input-tunnel IPsec name Net2Net source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel gre name Elitecore

    mroute add input-tunnel gre name [gretunnelname] source-ip [ipaddress] dest-ip [ipaddress] output-interface Port [portnumber]

    Forwards multicast traffic coming from a specific GRE tunnel to a specific interface.

    Example:
    mroute add input-tunnel gre name Elitecore source-ip 192.168.1.2 dest-ip 239.0.0.55 output-interface PortB

    mroute add input-tunnel gre name [gretunnelname] source-ip [ipaddress] dest-ip [ipaddress] output-tunnel gre name [gretunnelname]

    Forwards multicast traffic from a specific GRE tunnel to another specific GRE tunnel.

    Example:
    mroute add input-tunnel gre name Elitecore source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel gre name Terminal1

    mroute add input-tunnel gre name [gretunnelname] source-ip [ipaddress] dest-ip [ipaddress] output-tunnel IPsec

    Forwards multicast traffic coming from a specific GRE tunnel to IPsec tunnels. Sophos Firewall automatically selects the appropriate tunnel to be used depending on the local and remote network configurations.

    Example:
    mroute add input-tunnel gre name Elitecore source-ip 192.168.1.2 dest-ip 239.0.0.55 output-tunnel IPsec

    mroute del source-ip [ipaddress] dest-ip [ipaddress]

    Deletes a multicast route.

    Example:
    mroute del source-ip 192.168.1.2 dest-ip 239.0.0.55

    The CLI only shows static interfaces as input and output interfaces, whereas the web admin console shows static and dynamic interfaces, such as PPPoE and DHCP.
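
The following pre-flight check is an added example, not part of the Sophos documentation or tooling. It applies the interface-to-interface rules stated above (unicast source, destination within the range given in the table, different input and output interfaces, one route per output interface) before any `mroute add` line is typed into the console. The function names and the `IPsec` name-prefix test are assumptions made for illustration.

```python
import ipaddress

# Destination range exactly as this page states it.
MCAST_FIRST = ipaddress.IPv4Address("224.0.2.0")
MCAST_LAST = ipaddress.IPv4Address("239.255.255.255")


def check_route(in_if, source_ip, dest_ip, out_if):
    """Return the rule violations for one interface-to-interface route."""
    problems = []
    try:
        src = ipaddress.IPv4Address(source_ip)
        if src.is_multicast or src.is_unspecified:
            problems.append(f"source-ip {source_ip} is not a unicast address")
    except ipaddress.AddressValueError:
        problems.append(f"source-ip {source_ip!r} is not a valid IPv4 address")
    try:
        dst = ipaddress.IPv4Address(dest_ip)
        if not MCAST_FIRST <= dst <= MCAST_LAST:
            problems.append(f"dest-ip {dest_ip} is outside {MCAST_FIRST}-{MCAST_LAST}")
    except ipaddress.AddressValueError:
        problems.append(f"dest-ip {dest_ip!r} is not a valid IPv4 address")
    if in_if.lower() == out_if.lower():
        problems.append("input and output interface are the same")
    # Assumption: non-Ethernet interfaces are recognised only by an "IPsec" name prefix.
    for name in (in_if, out_if):
        if name.lower().startswith("ipsec"):
            problems.append(f"{name} is a non-Ethernet interface")
    return problems


def build_mroute_commands(in_if, source_ip, dest_ip, out_ifs):
    """Expand one source/group pair into one 'mroute add' line per output interface."""
    commands = []
    for out_if in out_ifs:
        problems = check_route(in_if, source_ip, dest_ip, out_if)
        if problems:
            raise ValueError("; ".join(problems))
        commands.append(
            f"mroute add input-interface {in_if} source-ip {source_ip} "
            f"dest-ip {dest_ip} output-interface {out_if}"
        )
    return commands


if __name__ == "__main__":
    # Constructed sample: the two-interface case from the example on this page.
    for line in build_mroute_commands("PortA", "1.1.1.1", "230.1.1.2", ["PortB", "PortC"]):
        print(line)
```

A malformed address such as `1.1.1.1.1`, or a destination below the stated range, is reported before the route reaches the firewall.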