Issue with Multicast Response via NWConnectionGroup Behind a Firewall

Hello Everyone,

I’m working on a project that involves multicast communication between processes running on different devices within the same network. For all my Apple devices (macOS, iOS, etc.), I am using NWConnectionGroup, which listens on a multicast address "XX.XX.XX.XX" and a specific multicast port.

The issue occurs when a requestor (such as a non-Apple process) sends a multicast request, and the server, which is a process running on an Apple device using NWConnectionGroup (the responder), attempts to reply. The problem is that the response is sent from a different ephemeral port rather than the port on which the multicast request was received.

If the client is behind a firewall that blocks unsolicited traffic, the firewall only allows incoming packets on the same multicast port used for the initial request. Since the multicast response is sent from a different ephemeral port, the firewall blocks this response, preventing the requestor from receiving it.

Questions:

  1. Is there a recommended approach within the NWConnectionGroup or Network.framework to ensure that responses to multicast requests are sent from the same port used for the request?

  2. Are there any best practices for handling multicast responses in scenarios where the requestor is behind a restrictive firewall?

Any insights or suggestions on how to account for this behavior and ensure reliable multicast communication in such environments would be greatly appreciated.

Thanks,

Harshal

Sorry I missed this originally; I was out of the office.

Written by harshal_goyal in 771207021
If the client is behind a firewall that blocks unsolicited traffic

Just to confirm, you’re talking about a non-Apple firewall, right? So, not the firewall built into macOS?

And the sequence is:

  1. Your accessory sends a multicast datagram.

  2. It passes out of the firewall, which records its address tuple, that is, local IP / local port / remote IP / remote port.

  3. The datagram is delivered to your app on an Apple device.

  4. Your app sends a reply.

  5. The firewall blocks the incoming datagram because its tuple isn’t aligned with the tuple from step 2.

Is that right?

If so, can you give me an example tuple for the datagrams in steps 2 and 5. Well, for step 5 I’d like two example tuples, a working one and a failing one.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi @DTS Engineer,

Yes, when I mentioned the firewall, I was referring to a non-Apple firewall — one that's external to macOS and potentially blocking unsolicited traffic.

As for the address tuples you requested:

Step 2 (Recorded Tuple):

Local IP: 10.20.16.45

Local Port: 5000

Remote IP: 10.20.16.144

Remote Port: 5000

Step 5 (Working Tuple):

Local IP: 10.20.16.45

Local Port: 5000

Remote IP: 10.20.16.144

Remote Port: 5000

Step 5 (Failing Tuple):

Local IP: 10.20.16.45

Local Port: 5000

Remote IP: 10.20.16.144

Remote Port: 53000 (Response is sent from ephemeral port in case of NF)

Let me know if you need any more details!

Thanks.

So step 2 suggests that your accessory is 10.20.16.45 and the Apple device is 10.20.16.144. Is that right?

Also, you started this thread with:

Written by harshal_goyal in 771207021
I am using NWConnectionGroup … on a multicast address "XX.XX.XX.XX"

but none of the addresses in these tuples are IPv4 multicast addresses.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hi @DTS Engineer,

Written by DTS Engineer in 824207022
So step 2 suggests that your accessory is 10.20.16.45 and the Apple device is 10.20.16.144. Is that right?

Yes, that's correct. The accessory is 10.20.16.45, and the Apple device is 10.20.16.144.

Apologies for the incorrect example in my previous reply.

Here are the step 2 and step 5 tuples with context of multicast:

Step 2:

Local IP: 10.20.16.45

Local Port: 5000

Remote IP: 239.0.0.25

Remote Port: 5000

Step 5: (working tuple)

Local IP: 10.20.16.28 (a Linux device joined on the same multicast IP and group)

Local Port: 5000

Remote IP: 239.0.0.25

Remote Port: 5000

Step 5: (failing tuple)

Local IP: 10.20.16.144 (Apple device running Network Framework using NWConnectionGroup)

Local Port: 53000 (because responses are sent from ephemeral ports)

Remote IP: 239.0.0.25

Remote Port: 5000

Thanks for all those details. That’s exactly what I needed.

With regard to step 4, what API are you using to send your reply?

PS I think this might be another case where you have to use BSD Sockets rather than Network framework, something I mention in TN3151 and then touch on again in Extra-ordinary Networking > Broadcasts and Multicasts, Hints and Tips. However, I don’t want to say this for sure until I fully understand your setup.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
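Added example, not code from the thread and not Apple’s: a BSD Sockets responder (Python’s socket module) showing the source-port behaviour the thread is about. A reply sent from the socket that received the request leaves from the listening port (the working tuple above, source port 5000), while a reply sent from a fresh socket leaves from an OS-chosen ephemeral port (the failing tuple, source port 53000). Loopback unicast stands in for the 239.0.0.25 group because the source-port behaviour is the same; join_group() shows the extra step a real multicast responder needs, and the payloads, ports and the stateful_firewall_allows() model of the accessory-side filter are assumptions made for the demo, not the poster’s setup.

```python
"""Reply from the listening socket so the reply's source port matches.

Added example (not from the thread, not Apple's code). Loopback unicast
replaces the multicast group; the point under test, which local port the
reply leaves from, does not depend on that.
"""
import socket

REQUEST = b"DISCOVER"   # constructed payloads, not the poster's protocol
REPLY = b"HERE"


def make_responder(port: int = 0) -> socket.socket:
    """UDP socket bound to a fixed port (0 lets the OS pick one for the demo;
    a real responder would bind the well-known port, 5000 in the thread)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", port))
    sock.settimeout(2.0)
    return sock


def join_group(sock: socket.socket, group: str, ifaddr: str = "0.0.0.0") -> None:
    """Real deployment only: join the IPv4 group on the already-bound socket.
    Not called in the demo, since multicast is not deliverable over loopback
    in most sandboxes."""
    mreq = socket.inet_aton(group) + socket.inet_aton(ifaddr)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)


def exchange(reply_from_listening_socket: bool) -> tuple[int, int]:
    """One request/reply round trip; returns (listen_port, reply_source_port)."""
    responder = make_responder()
    listen_port = responder.getsockname()[1]

    requestor = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    requestor.settimeout(2.0)
    requestor.bind(("127.0.0.1", 0))
    try:
        requestor.sendto(REQUEST, ("127.0.0.1", listen_port))
        _, requestor_addr = responder.recvfrom(2048)

        if reply_from_listening_socket:
            # Correct: the reply leaves from listen_port, so its tuple mirrors
            # the one a stateful firewall recorded for the outbound request.
            responder.sendto(REPLY, requestor_addr)
        else:
            # What the poster observes: an unbound socket gets an ephemeral
            # source port, which the firewall has never seen.
            extra = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
            try:
                extra.sendto(REPLY, requestor_addr)
            finally:
                extra.close()

        _, reply_src = requestor.recvfrom(2048)
        return listen_port, reply_src[1]
    finally:
        requestor.close()
        responder.close()


def stateful_firewall_allows(recorded: tuple, inbound: tuple) -> bool:
    """Simplified model (an assumption, not the poster's firewall configuration)
    of the check described in the thread: an inbound datagram is admitted only
    if it is addressed to the group/port the accessory sent to and comes from
    the same port the accessory used.

    recorded = (local_ip, local_port, remote_ip, remote_port) from step 2
    inbound  = (src_ip, src_port, dst_ip, dst_port) of the reply in step 5
    """
    _, loc_port, rem_ip, rem_port = recorded
    _, src_port, dst_ip, dst_port = inbound
    return (dst_ip, dst_port) == (rem_ip, rem_port) and src_port == loc_port


if __name__ == "__main__":
    print("reply from listening socket (listen_port, reply_src_port):", exchange(True))
    print("reply from fresh socket      (listen_port, reply_src_port):", exchange(False))
```

Running the block prints equal ports for the first exchange and differing ports for the second. The thread’s own tuples behave the same way under the model: 10.20.16.28:5000 -> 239.0.0.25:5000 passes, 10.20.16.144:53000 -> 239.0.0.25:5000 is dropped.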
