USG FLEX H Series Firewall: IGMP Proxy Support

Options
Zyxel_Claudia
Zyxel_Claudia Posts: 194 image  Zyxel Employee
Network Detective-New Adventure Badge Network Detective Badge First Comment Friend Collector
edited November 14 in Other Topics

Multicast traffic, especially for IPTV or live video streaming, requires efficient handling across networks. To support this, USG FLEX H Series firewalls now include IGMP Proxy functionality - allowing multicast traffic to flow seamlessly between your internal clients and external multicast servers.

What Is IGMP Proxy?

IGMP Proxy allows the firewall to act as a multicast router (or agent) between multicast servers (upstream) and clients (downstream). It enables the firewall to manage IGMP (Internet Group Management Protocol) messages and selectively forward multicast streams only when clients request them.

Use Case:

For example, in an IPTV deployment, clients on the LAN join multicast groups to receive video streams. USG FLEX H Series Firewall, acting as an IGMP proxy, ensures only the requested streams are forwarded to the LAN - minimizing unnecessary traffic.

How It Works

  1. Client sends IGMP Join Request to subscribe to a multicast group (e.g., 239.0.0.1).
  2. Firewall (IGMP Proxy) forwards this request upstream to the multicast server.
  3. Once the stream is received, the firewall multicasts it only to clients that have joined the group

IGMP Proxy Configuration Steps

To enable IGMP Proxy on Zyxel firewalls:

  1. Navigate to: Network > Multicast
  2. Enable IGMP Proxy
  3. Set Interface Roles:
    • Upstream Interface – connected to the multicast source/server
    • Downstream Interface – connected to multicast clients
  4. Control Traffic Scope:
    • Allow All Multicast Addresses – forwards all multicast traffic
    • Allow Specific Addresses – only allows selected multicast groups (better performance)

Multicast Status Monitoring

Once configured:

  • Multicast entries only appear when:
    1. The upstream interface receives a multicast stream
    2. The downstream interface receives a valid IGMP Join Request
image.png

This ensures multicast traffic is only forwarded when actively subscribed to by clients.

Note: Policy Control Priority

Even if a firewall policy control rule blocks multicast traffic, IGMP Proxy takes priority.

IGMP Proxy overrides firewall policies. If a multicast group is allowed by IGMP Proxy settings, the traffic will be forwarded - even if a deny rule exists.

This ensures service continuity for valid multicast use cases.

Categories

EnglishTiếng ViệtРусскийไทย中文(台灣)