pfSense has a few default rules regarding where traffic can come from on the WAN interface.
For example, you can tell it to drop any traffic on the WAN that has a private IP address (192.168, 10.0 or 172.0), because in a lot of scenarios you should never see a private IP on the WAN. However, also in a lot of cases you WOULD (if the pfSense is sitting INSIDE a network, rather than on the edge).
It will also block IP ranges that are not officially allocated to anyone, as they're supposedly never meant to be seen in the wild.
You can turn these options off under the Advanced menu in Configuration (I think it is, off the top of my head), or possibly in the WAN configuration screen.
I'm going to suggest that these two options are the place to start, because for whatever reason the traffic may be originating from a private IP range (mail filter, virus scanner, whatever) but hitting the WAN port, OR, a fresh block of IP ranges has been allocated and PFSense is not up to date with its listings.
In our instance, our problem was solved by sysctl parameters, one different from Maciej.
Please note that I do not speak for the OP (buecking); I came on this post due to the problem being related by the basic detail (no multicast traffic in userland).
We have an application that reads data sent to four multicast addresses, and a unique port per multicast address, from an appliance that is (usually) connected directly to an interface on the receiving server.
We were attempting to deploy this software on a customer site when it mysteriously failed with no known reason. Attempts at debugging this software resulted in inspecting every system call; ultimately they all told us the same thing:
Our software asks for data, and the OS never provides any.
The multicast packet counter incremented, tcpdump showed the traffic reaching the box/specific interface, yet we couldn't do anything with it. SELinux was disabled, iptables was running but had no rules in any of the tables.
Stumped, we were.
In randomly poking around, we started thinking about the kernel parameters that sysctl handles, but none of the documented features was either particularly relevant, or if they had to do with multicast traffic, they were enabled. Oh, and ifconfig did list "MULTICAST" in the feature line (up, broadcast, running, multicast). Out of curiosity we looked at /etc/sysctl.conf. Lo and behold, this customer's base image had a couple of extra lines added to it at the bottom.
In our case, the customer had set net.ipv4.all.rp_filter = 1. rp_filter is the Route Path filter, which (as I understand it) rejects all traffic that could not have possibly reached this box. Network subnet hopping, the thought being that the source IP is being spoofed.
Well, this server was on a 192.168.1/24 subnet and the appliance's source IP address for the multicast traffic was somewhere in the 10.* network. Thus, the filter was preventing the server from doing anything meaningful with the traffic.
A couple of tweaks approved by the customer: net.ipv4.eth0.rp_filter = 1 and net.ipv4.eth1.rp_filter = 0, and we were running happily.
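The reverse-path check described in the answer above, as an added example that is not part of the original post: it parses sysctl-style output and a routing table and reports whether a packet from a given source would pass on a given interface. The sysctl lines, routes and addresses are constructed, the keys are written with the kernel's full names (net.ipv4.conf.<iface>.rp_filter), and the rule that the higher of conf.all and the per-interface value applies is taken from the current kernel ip-sysctl documentation.

```python
import ipaddress

# Constructed sample input (assumed layout): LAN and default route on eth0,
# appliance cabled directly to eth1 and sending multicast from a 10.x source.
SYSCTL = """\
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.eth0.rp_filter = 1
net.ipv4.conf.eth1.rp_filter = 0
"""
ROUTES = [("0.0.0.0/0", "eth0"), ("192.168.1.0/24", "eth0"),
          ("192.168.2.0/24", "eth1")]

def parse_rp_filter(text):
    """Return {iface: mode} from `sysctl -a`-style lines."""
    conf = {}
    for line in text.splitlines():
        key, _, val = line.partition("=")
        parts = key.strip().split(".")
        if len(parts) == 5 and parts[:3] == ["net", "ipv4", "conf"] \
                and parts[4] == "rp_filter":
            conf[parts[3]] = int(val)
    return conf

def effective_mode(conf, iface):
    # Current kernels validate with max(conf.all, conf.<iface>).
    return max(conf.get("all", 0), conf.get(iface, 0))

def reverse_path_iface(routes, src):
    """Longest-prefix match: the interface a reply to src would leave on."""
    addr, best = ipaddress.ip_address(src), None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def verdict(conf, routes, src, in_iface):
    mode = effective_mode(conf, in_iface)
    back = reverse_path_iface(routes, src)
    if mode == 0:                      # no source validation
        return "accept"
    if mode == 1:                      # strict: reply must use the same interface
        return "accept" if back == in_iface else "drop"
    return "accept" if back else "drop"  # loose: any route back is enough

if __name__ == "__main__":
    conf = parse_rp_filter(SYSCTL)
    print("all=1, eth1=0 :", verdict(conf, ROUTES, "10.1.2.3", "eth1"))
    conf["all"] = 0
    print("all=0, eth1=0 :", verdict(conf, ROUTES, "10.1.2.3", "eth1"))
```

With conf.all left at 1, the per-interface 0 on eth1 does not disable the check under the max rule, so the constructed 10.x source is still dropped there; with conf.all at 0, eth1 accepts it while eth0 keeps strict filtering.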
Best Answer
I have no personal experience with it, but I'm seeing people saying favorable things about this Simple UDP proxy/pipe tool. It's worth a shot.