futurion
just joined
Topic Author
Posts: 9
Joined: Fri May 04, 2018 2:01 am

Multicast flood with IGMP snooping enabled

Tue Aug 15, 2023 9:16 am

I have a local multicast UDP stream enabled on my local LAN (i.e. udp://239.1.1.1:5000). On a MikroTik router (latest RouterOS) with default config and IGMP snooping enabled, that group is always active on the LAN bridge, even if there are no joins on that group in our local LAN. The entry is also not present in the MDB list on the LAN bridge.

The only way to disable this multicast traffic is to disable “unknown multicast flood” on that particular lan bridge port, but then that group won’t be visible on neighbour devices. This is a bug. The group should be visible in local MDB list and the traffic should only become active on mikrotik router when there's at least someone who joined that group.

The issue is easily replicated with default mikrotik config on all routeros devices. It is also described here and I believe it was not resolved.

viewtopic.php?t=161603

Can someone please advise if there's a solution to this matter or should I file a bug report? This can become a bigger issue if you have a lot of multicast streams active on local lan devices.
 
tangent
Forum Guru
Posts: 1675
Joined: Thu Jul 01, 2021 3:15 pm

Re: Multicast flood with IGMP snooping enabled

Tue Aug 15, 2023 10:22 am

This is not a bug. Your post reflects a complete misunderstanding of what multicast is and how to control it. “Unknown multicast flood” does exactly what you describe.

Without knowing the nature of your stream, I’m going to guess that what you actually want here is to enable the IGMP querier to pinch off abandoned streams.

Better explanations of the stream’s content, the devices that “sink” it, and the network design goals will yield better guesses.
 
futurion
just joined
Topic Author
Posts: 9
Joined: Fri May 04, 2018 2:01 am

Re: Multicast flood with IGMP snooping enabled

Tue Aug 15, 2023 11:01 am

Thank you for your answer. I also accept the fact I don't understand how to control the multicast traffic so I'd be really grateful for a further explanation.

Let's say I have some (about 10) simple multicast mpegts streams generated with ffmpeg or vlc or similar. These multicast groups are all generated on one single PC1 inside local LAN (ip 192.168.1.100). And also, let's say the bandwidth sum of these groups together is 1gbit/s. Then I have another PC2 in that same LAN (ip 192.168.1.200) where I'd like to access these streams, one by one with an mpegts-capable player (VLC).

My main router is mikrotik (ip 192.168.1.1). Both PCs are connected directly to mikrotik bridge LAN ports. If all these groups are active all the time on mikrotik's LAN uplink, then the port would probably be saturated with 1gbit/s traffic. How would I be able to achieve this, so on local LAN all these groups are visible on all PCs, but not all traffic is present on mikrotik router all the time?

Also, as you suggested, all I'd like to do is "pinch off all the abandoned streams". So in my case, if on PC2 there is only one stream viewed at the moment, there should also be only that single stream active on main mikrotik router's LAN bridge, and no other streams at that particular moment. For achieving this, I'd probably need to set up a local igmp-querier and/or mld-querier on mikrotik LAN bridge interface. How would it be possible to achieve this?
 
tangent
Forum Guru
Posts: 1675
Joined: Thu Jul 01, 2021 3:15 pm

Re: Multicast flood with IGMP snooping enabled

Tue Aug 15, 2023 11:30 am

> 10 simple multicast mpegts streams…bandwidth sum of these groups together is 1gbit/s.

A hundred megs per? What are you doing, 8k@120?

With modern codecs, reasonable resolutions, and common frame rates, you should be down in the single digits. 10 Mbit/sec per stream is lots for 2k@30.

> If all these groups are active all the time on mikrotik's LAN uplink, then the port would probably be saturated with 1gbit/s traffic. How would I be able to achieve this, so on local LAN all these groups are visible on all PCs, but not all traffic is present on mikrotik router all the time?

If the source is putting out streams totaling a gigabit of data per second, that will be true no matter what you do with unknown multicast flooding, IGMP snooping, IGMP querying, PIM, whatever. The source is the source. All these other measures do is control how much of that appears at the other ports on the same switch. These measures don't stop the source from sending a gigabit of data solid per second.

This is why I mention reasonable data rates. If you put out ten streams at ten megs each, that's a lot easier to tolerate than ten streams @ 100 Mbit/sec each.

> I tried to enable "igmp querier" (Multicast Querier on LAN bridge), but the multicast traffic won't stop.

It won't do so, instantly. It's governed by a complicated timeout sequence. As you can see, even when the client explicitly leaves the multicast group, it doesn't stop instantly by default, and if by some means there is no IGMP group-leave message at all, you have to wait out the entire querier timeout sequence before the stream will stop flowing to ports that once did request the stream.

You can shorten these timeouts toward zero, but they should not be flat zero, because that would imply constant querying. "Are you sure you want this stream? Are you sure? Are you sure?" Annoying and wasteful.

Try hitting the Stop button in VLC before closing it to force an IGMP group-leave packet. If that gives better results than you get from killing VLC outright, then you might have cause to complain that closing the program doesn't send out a final group-leave packet automatically.
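
The timeout behaviour discussed in this reply, as an added example that is not part of the original post and is not RouterOS code: a simplified model of a snooping bridge's forwarding decision and membership expiry. The timer defaults are taken from RFC 3376 and the port names are assumptions; router ports and the querier's own packets are left out.

```python
from dataclasses import dataclass, field

@dataclass
class IgmpTimers:
    # RFC 3376 section 8 defaults, assumed for illustration (not read from a router).
    robustness: int = 2
    query_interval: float = 125.0
    query_response_interval: float = 10.0
    last_member_query_interval: float = 1.0
    last_member_query_count: int = 2

    def membership_interval(self) -> float:
        # How long a join survives with no further report from the host.
        return self.robustness * self.query_interval + self.query_response_interval

    def leave_latency(self) -> float:
        # How long a join survives after an explicit leave nobody contradicts.
        return self.last_member_query_interval * self.last_member_query_count

@dataclass
class SnoopingBridge:
    ports: dict                                  # port -> unknown multicast flood enabled
    timers: IgmpTimers = field(default_factory=IgmpTimers)
    mdb: dict = field(default_factory=dict)      # (group, port) -> expiry time in seconds
    now: float = 0.0

    def report(self, group, port):               # host sent a membership report (join)
        self.mdb[(group, port)] = self.now + self.timers.membership_interval()

    def leave(self, group, port):                # host sent a leave; no other member answers
        if (group, port) in self.mdb:
            self.mdb[(group, port)] = min(self.mdb[(group, port)],
                                          self.now + self.timers.leave_latency())

    def advance(self, seconds):                  # move the clock and expire stale entries
        self.now += seconds
        self.mdb = {k: t for k, t in self.mdb.items() if t > self.now}

    def egress(self, group, ingress):
        members = {p for (g, p) in self.mdb if g == group}
        # Known group: member ports only. Unknown group: every flood-enabled port.
        out = members or {p for p, flood in self.ports.items() if flood}
        return sorted(out - {ingress})

def scenario():
    br, g, seen = SnoopingBridge({"ether3": True, "ether4": True, "ether5": True}), "239.1.1.1", {}
    seen["no_join"] = br.egress(g, "ether3")         # nobody joined: flooded
    br.report(g, "ether4")
    seen["joined"] = br.egress(g, "ether3")          # pruned to the listener
    br.advance(259)
    seen["silent_259s"] = br.egress(g, "ether3")     # player killed, no leave sent
    br.advance(2)
    seen["silent_261s"] = br.egress(g, "ether3")     # entry expired, group unknown again
    br.ports["ether5"] = False                       # unknown flood disabled on one port
    seen["flood_off"] = br.egress(g, "ether3")
    br.report(g, "ether5"); br.leave(g, "ether5")
    br.advance(1)
    seen["leave_1s"] = br.egress(g, "ether3")        # last-member queries still pending
    br.advance(1.5)
    seen["leave_2.5s"] = br.egress(g, "ether3")
    return seen

if __name__ == "__main__":
    for step, ports in scenario().items():
        print(f"{step:12} -> {ports}")
```

With these defaults a silently abandoned stream keeps flowing to the old listener's port for 260 seconds, while an explicit leave prunes it after 2 seconds.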
 
futurion
just joined
Topic Author
Posts: 9
Joined: Fri May 04, 2018 2:01 am

Re: Multicast flood with IGMP snooping enabled

Tue Aug 15, 2023 11:48 am

Thank you again for the thorough explanation. I think we are close to the final solution.

Yes, there's no 1gbit/s streams altogether on my current network, but we have multiple multicast streamers and the complete sum of all streams is over 100mbit/s and it's saturating LAN uplink on main mikrotik router all the time.

I'm aware of the needed timeout for multicast streams to stop and I know these timings can be set further down to shorten the timeouts. But our streams never stop on mikrotik main router, probably because there's no local igmp-querier active on bridge lan?

Currently I have two bridges (bridge-wan with only sfp1 port and bridge-lan with all lan ports). WAN is connected to internet (our ISP) and the status is:
/interface bridge monitor bridge-wan
...
igmp-querier: sfp1 10.1.1.7
mld-querier: none

My LAN bridge IP is 192.168.1.1 and the status is:
/interface bridge monitor bridge-lan
...
igmp-querier: none
mld-querier: none

So my question is, how would I be able to set up an active "local" igmp-querier and/or mld-querier for my bridge-lan?
 
tangent
Forum Guru
Posts: 1675
Joined: Thu Jul 01, 2021 3:15 pm

Re: Multicast flood with IGMP snooping enabled

Tue Aug 15, 2023 12:08 pm

> our streams never stop on mikrotik main router, probably because there's no local igmp-querier active on bridge lan?

That's certainly part of it. For continuous streams like IPTV, you need the querier to deal with clients that abandon their streams. Even the best-behaved client software is subject to lost packets, broken network links, etc.

If you want a consultation, post the sanitized "/export" of your configuration into a "code" block. Stop making us guess.

> I have two bridges (bridge-wan with only sfp1 port and bridge-lan with all lan ports)

You should probably have the WAN port outside any bridge. There are protocols that only work atop a bridge, including IGMP queriers, but you don't run that on the WAN side, you do it on the LAN.

Also, as a rule, IGMP snooping type stuff with a router is less than ideal. It's better done on a smart switch that offloads LAN traffic from the router proper. Then you don't need to worry about your multicast traffic spamming your WAN link, because nothing on the Internet will ever request these streams.

> how would I be able to set up an active "local" igmp-querier and/or mld-querier for my bridge-lan?

Are you asking me to write the configuration for you after pointing you at the relevant documentation page?
 
futurion
just joined
Topic Author
Posts: 9
Joined: Fri May 04, 2018 2:01 am

Re: Multicast flood with IGMP snooping enabled

Tue Aug 15, 2023 12:39 pm

> You should probably have the WAN port outside any bridge. There are protocols that only work atop a bridge, including IGMP queriers, but you don't run that on the WAN side, you do it on the LAN.

That's probably the main issue in my case. I have two bridges (bridge-wan and bridge-lan) and there's already igmp-querier detected on bridge-wan which of course isn't aware of our local multicast streams inside bridge-lan.

The relevant documentation page says:
> The bridge will not send queries if an external IGMP/MLD querier is detected (see the monitoring values igmp-querier and mld-querier).

So, if I understand this correctly, if you have multiple bridges as I do (bridge-wan, bridge-lan), and an external igmp-querier is detected on bridge-wan interface, then there's no option to enable another igmp-querier on bridge-lan? If that's so, then I should (probably) have only one bridge (bridge-lan) in my case?

But, what about the cases, where you actually need more than one bridge? For instance, I have igmp-proxy which proxies multicast iptv groups from bridge-wan to bridge-lan in my case. Using igmp-proxy I can then watch iptv streams from our ISP. On the other side, we have our own multicast streams inside bridge-lan and there's no option to use local igmp-querier in our case, so there's always all multicast present between source streamer and mikrotik uplink lan port.

And what about VLANs? Let's say you put all router ports into one bridge, then create VLANs over that bridge and use vlan-filtering, how would it be then possible to assign local igmp-querier instead of the one that would be detected inside one of the VLANs from the wan side?

I try to understand the issue, but it's so badly documented. There's actually no info about how to set/force local igmp-querier, or maybe how to ignore the other one (wan in my case) if there is one.
Last edited by futurion on Tue Aug 15, 2023 12:56 pm, edited 1 time in total.
 
tangent
Forum Guru
Posts: 1675
Joined: Thu Jul 01, 2021 3:15 pm

Re: Multicast flood with IGMP snooping enabled

Tue Aug 15, 2023 12:54 pm

> and an external igmp-querier is detected on bridge-wan interface

If by "WAN" you mean the Internet, then that isn't going to happen. For all common intents and purposes, the Internet doesn't transport multicast.

(It could have, once upon a time, but decades of strange decisions scuttled that.)

This means you won't find random Internet hosts running IGMP queriers, interfering with your LAN.

Now, if by "WAN" you instead mean a private inter-site network, then whether there are IGMP queriers out there is up to you and that WAN's managers. Moreover, whether those IGMP queries transit router boundaries is also up to you.

Generally, you want one IGMP querier per LAN; no more, no less.

> But, what about the cases, where you actually need more than one bridge interfaces?

That's almost always a mistake. Search this forum for the many, many related posts on this topic.

> And what about VLANs?

That is probably the single most common case where you do not want multiple bridges. All the VLANs appear on one bridge, which sorts out which traffic goes where via bridge VLAN filtering.

> Let's say you put all ports into one bridge, then create VLANs over that bridge and use vlan-filtering, how would it be then possible to assign local igmp-querier instead of the one that would be detected from the wan side?

Routers block multicast by default, so there is no interference from this vague "WAN" you speak of unless you've gone out of your way to push the multicast traffic through from the WAN, most commonly by setting up PIM-SM, which obviates IGMP snooping across that boundary.

If there is no multicast on the WAN, then setting the IGMP querier on the single VLAN-filtered bridge should operate independently on each VLAN for essentially the same reason: VLANs block multicast and broadcast by default.

> it's so badly documented

No, the docs on this are reasonable. They merely assume you know what you're doing, and I'm sorry to say, you don't.

The RouterOS manual is not the appropriate place to seek an education on multicast routing. I'd consider a week-long course an introduction, and a month-long course a good start.
 
futurion
just joined
Topic Author
Posts: 9
Joined: Fri May 04, 2018 2:01 am

Re: Multicast flood with IGMP snooping enabled

Tue Aug 15, 2023 1:37 pm

Ok, I think it's clear to me now, what's actually happening in my case. I'm also sure a month-long course would be more than useful for me. However, here's the complete description.

I have Mikrotik HEX S. Our ISP provider offers FTTH connection, so I have GBIC in SFP1 as uplink from our ISP. We also have IPTV box, VOIP phone and static IP. I created a bridge-wan with ports: sfp1, lan1, lan2. I assigned static IP to bridge-wan, connected IPTV box to lan1, and connected VOIP phone to lan2. ISP probably has different (tagged?) VLANs for iptv/voip, but that doesn't matter in this case as this part works ok.

Then I have another bridge (bridge-lan) with ports: lan3, lan4, lan5. I also use igmp-proxy, so I can watch multicast (IPTV) streams directly from our ISP's network. For internet access, I do NAT/masquerading between bridge-lan and bridge-wan.

As I wrote above, if I check bridge-wan and bridge-lan for igmp/mld queriers, there's an igmp-querier detected on sfp1 port (sfp1 10.1.1.7) inside bridge-wan. So, this igmp-querier is at our ISP's side and it's automatically detected on our Mikrotik HEX's GBIC. As the documentation says and as you also noted, there can be only one igmp-querier, then this is the only one that is used in our case. And because this one is at our ISP's side (there's NAT between bridge-wan and bridge-lan), it's of course not aware of our local multicast groups, so all the traffic at our bridge-lan side is treated simply as "unknown multicast traffic" and it never stops. But when I access a public ISP's multicast group through igmp-proxy, then it's properly added to local MDB list and it's also removed after a while when the client's stream stops.

To conclude, I only have two more questions:

1. How in my case would it be even possible to use local igmp-querier on bridge-lan? I need two bridges for the reasons explained above. I also need igmp-proxy which should use our ISP's (public) igmp-querier. And I also need local igmp-querier, so it would stop (pinch off as you said) the multicast traffic with no active listeners, and not treat it as unknown multicast flood anymore.

2. If it's somehow possible to set up local igmp-querier and ignore/block the one from our ISP, how would I then be able to access iptv multicast groups through igmp-proxy which are available in our ISP's network? Would they work also just by using igmp-querier on our bridge-lan?
 
tangent
Forum Guru
Posts: 1675
Joined: Thu Jul 01, 2021 3:15 pm

Re: Multicast flood with IGMP snooping enabled

Tue Aug 15, 2023 3:39 pm

> Our ISP provider offers FTTH connection, so I have GBIC in SFP1 as uplink from our ISP

That explains why you want interface sfp1 to be outside the LAN bridge, but it doesn't explain why you need two bridges — lone ports can be unbridged and still function in routing traffic — nor why ether1 and ether2 have to be bridged to sfp1.

My best guess is that by putting your IPTV and VoIP devices outside the firewall — out in what was once commonly termed the DMZ — you simplify routing and such, but it is not strictly necessary to do that. You could certainly assign sfp1 to the fiber modem and put everything else on the LAN-side bridge. Nothing you've told us about so far prevents that.

This is, in fact, the default "AP Router" configuration for the hEX class devices.

> this igmp-querier is at our ISP's side

Another good reason to move the IPTV box inside the firewall. You want the IGMP querier inside your private LAN. You have no business operating an IGMP querier on your ISP's WAN-side network. That's their territory to manage.

> when I access a public ISP's multicast group through igmp-proxy

RouterOS's IGMP proxy functions — in part — as an IGMP querier. (Docs) You do not need a separate one on networks using a proxy.

> ignore/block the one from our ISP

You don't block the ISP's IGMP querier. You leave it alone, on the WAN side, where your IPTV box is not. IGMP packets stop at the routing layer. No conflict can ensue.

Your IGMP proxy straddles the LAN/WAN boundary to request a given IPTV stream from your ISP, let it through the firewall, and manage the queries on the LAN side that determine when the IPTV box abandons the stream, pinching it off by telling the ISP "IGMP group leave", which should stop their IPTV packet source from sending you more packets.

If that doesn't happen, you need to get down to the packet sniffer layer to pursue this further.
 
futurion
just joined
Topic Author
Posts: 9
Joined: Fri May 04, 2018 2:01 am

Re: Multicast flood with IGMP snooping enabled

Thu Aug 17, 2023 11:15 am

After reading all your suggestions and thoughtful explanations about how/why to have only one bridge and leave everything else on the public side, it seems I'll have to do some reconfiguration and do some further tests to see if everything works then as expected. I'll set up a test environment and do some testing, and if it works fine, I'll put the config into production.

For now, thank you for all the help and support, I'll certainly get back with additional info when I set up everything, so I can post results.
 
tangent
Forum Guru
Posts: 1675
Joined: Thu Jul 01, 2021 3:15 pm

Re: Multicast flood with IGMP snooping enabled

Thu Aug 17, 2023 2:57 pm

Something I don’t believe I made clear is that my “one bridge only” advice isn’t mere personal preference. It reflects a hardware limitation in most RouterOS devices. See my Bridge Per Switch Chip article for details, plus some fun games you can play in and around these limitations.
 
DarkNate
Forum Guru
Posts: 1065
Joined: Fri Jun 26, 2020 4:37 pm

Re: Multicast flood with IGMP snooping enabled

Thu Aug 17, 2023 3:36 pm

You need to make use of IGMP/MLD Snooping + IGMP Proxy in simple topologies. Or use PIM in advanced topologies.

And single bridge only, or you're done for, that's not a MikroTik thing, that's how Linux DSA is designed, if you don't like it then use Juniper which is FreeBSD based, but even Juniper has moved to Linux host and Linux completely with JunOS Evolved. Cisco is also Linux based.

https://www.kernel.org/doc/Documentatio ... sa/dsa.txt