Required dual-NIC setup, having tough time getting NDI to only hit one



RoverRadio
09-04-2017, 04:59 PM
Have a production truck. Each workstation has 20Gbit fiber NIC for internal LAN, 1Gbit NIC for WheatNet audio (entire truck is audio over IP: http://wheatstone.com/blades-ip-audio-network/wheatnet-ip-technology-overview), which needs to be on its own network.

The 20Gbit NICs are connected to Ubiquiti switch and USG-Pro router. Plenty of bandwidth for NDI. Default gateway is 192.168.10.1

The 1Gbit WheatNet NICs connect to an isolated Cisco switch - no router. No default gateway. 192.168.87.x subnet

Everything works fine in this setup, except for NDI. NDI will use Fiber sometimes, and WheatNet sometimes. This is problematic, as we need the WheatNet network to be exclusively audio, and because they are 1Gbit I'd rather not have NDI going over them.

No matter what I've tried over the past two days, I cannot get NDI to only use the Fiber NICs.

These are all Windows 10 Pro machines. Fiber metric is set at 1. WheatNet metric set at 2000. So it should give preference to Fiber, but it still uses both (sometimes a machine will be receiving NDI on Fiber while simultaneously sending on WheatNet).

This has been killing me for past 2 days. There must be some way to get it to stick to only the 192.168.10.1 fiber subnet, but I can't get it to work no matter what I've tried.

Any ideas?

Thanks!

kanep
09-04-2017, 10:14 PM
NDI will use multiple NICs automatically.

However, if you want to stop it from using a particular NIC, you can set up a firewall rule to block traffic on port 5353/UDP on the NIC you don't want NDI to use. This port is used by the auto discovery mechanism of NDI.

RoverRadio
09-05-2017, 09:17 AM
Will give that a shot later today and report back. Thanks!

RoverRadio
09-05-2017, 03:24 PM
UDP 5353? I blocked it on the entire 192.168.87.0/24 subnet, but NDI is still getting through.

Screengrab attached shows NDI Studio Monitor receiving on the top (correct network) at 121 Mbps.

Unfortunately it also shows NDI Scan Converter sending 49.7 Mbps on the bottom network (WheatNet audio).

Any suggestions of what else to look at on my end?

RoverRadio
09-05-2017, 06:37 PM
As a follow-up, I tried blocking UDP 5353 both inbound and outbound for the IPs associated with the NIC I want to block. It always gets through.

If I block UDP 5353 globally, it does indeed block discovery.

Is discovery somehow still getting through on the other subnet, but routing to WheatNet?

Stumped.

kanep
09-05-2017, 06:42 PM
I'll have to give it a try myself, but I'm going off the information found in this thread.

http://forums.newtek.com/showthread.php?154021-Routing-NDI-traffic-to-a-specific-NIC

-UPDATE-

I just tried the Windows firewall, which when I blocked 5353/UDP I got no NDI traffic at all, so it appears that works. However, from what I can find the Windows firewall cannot limit a rule to a specific network interface, so it looks like a 3rd party firewall would be required.

Something else that might work is to block 5353/UDP globally, then use the NDI Access Manager tool and point it at the only IP address that you want communication over. I've not tried this, but I think this should work.

RoverRadio
09-05-2017, 08:09 PM
I'll pick up on this tomorrow. Symantec Endpoint allows per-NIC rules. I'll see what I can get working on this end, but it was a miserable failure today unfortunately.

RoverRadio
09-07-2017, 07:39 PM
UPDATE: I *think* I finally got this to work as desired.

As noted above, Windows Firewall doesn't allow per-adapter rules.

In order to get this to work, install Symantec Endpoint (you'll need to put Symantec Endpoint Manager on a system on your LAN somewhere, and the client on your target system(s)).

In Manager create a new Firewall rule. You need to assign it to the MAC address(es) of the target adapters you want to enforce.

Create a rule that Allows All traffic from everywhere. Then create a rule on top of that that blocks UDP 5353 both in/out from all sources/destinations.

After that, in NDI Access Manager manually enter the IP addresses of sources you wish to Receive from on all computers you want to be able to receive.

And pray.

P.S. As I am sure has been pointed out, there should really be a built-in function of NDI (in either host applications or Access Manager somehow) to select what NICs you want to allow. Set with a few clicks instead of jumping through all the above hoops. It is not uncommon whatsoever in larger facilities to have 2 or 3 NICs per machine... I'd consider the routing of NDI traffic to a specific NIC a critical function. Add VPN, etc. into the mix and you've got all sorts of headaches.

Thanks for the help!
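
A way to check the outcome described in the post above, as an added example that is not part of the original thread: the script parses `netstat -ano` output and reports sockets that put anything other than the permitted audio software on the 192.168.87.x subnet, plus UDP 5353 listeners bound to all adapters. The sample output, ports, PIDs and process names are constructed and hypothetical; only the subnets and port 5353 come from the thread.

```python
import ipaddress

AUDIO_NET = ipaddress.ip_network("192.168.87.0/24")  # WheatNet subnet from the thread
MDNS_PORT = 5353                                     # NDI discovery port from the thread

# Constructed sample of `netstat -ano` output; ports and PIDs are made up.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.10.21:49801    192.168.10.34:6001     ESTABLISHED     4312
  TCP    192.168.87.21:49822    192.168.87.34:6002     ESTABLISHED     4312
  TCP    192.168.87.21:49900    192.168.87.50:7000     ESTABLISHED     2208
  UDP    0.0.0.0:5353           *:*                                    4312
  UDP    192.168.87.21:5353     *:*                                    4312
  UDP    [::]:5353              *:*                                    4312
"""
# Constructed PID -> image name map (as `tasklist` would give); names are hypothetical.
SAMPLE_PROCS = {4312: "ndi_sender.exe", 2208: "audio_driver.exe"}
ALLOWED_ON_AUDIO = {"audio_driver.exe"}  # assumption: only this may use the audio NIC


def parse_netstat(text):
    """Yield (proto, local_ip, local_port, pid) for each socket line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header or blank line
        host, _, port = parts[1].rpartition(":")
        ip = ipaddress.ip_address(host.strip("[]").split("%")[0])
        yield parts[0], ip, int(port), int(parts[-1])  # UDP rows have no State column


def audit(netstat_text, procs, allowed):
    """Return sockets that expose non-audio processes on the audio subnet."""
    findings = []
    for proto, ip, port, pid in parse_netstat(netstat_text):
        name = procs.get(pid, "unknown")
        if name in allowed:
            continue
        if ip in AUDIO_NET:
            findings.append(("bound-to-audio-subnet", proto, str(ip), port, name))
        elif ip.is_unspecified and proto == "UDP" and port == MDNS_PORT:
            # 0.0.0.0 / :: receives on every adapter, the audio NIC included
            findings.append(("mdns-on-all-adapters", proto, str(ip), port, name))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_NETSTAT, SAMPLE_PROCS, ALLOWED_ON_AUDIO):
        print(*finding)
```

An empty result after the firewall and Access Manager changes means no socket outside the allowed set is bound to the audio subnet or listening for discovery on every adapter.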

kanep
09-07-2017, 08:16 PM
Glad you got it working. In the link I posted above, the plan is to add this support into NDI. It appears that with having multiple operating systems to support, this feature isn't as simple as it might seem to implement.

frank.leggett
04-30-2019, 07:30 AM
Hi, is there any update to this? I am also trying to isolate NDI traffic from a 2nd network. I have a laptop listening to bids on an auction network and is also supplying Livetext captions to the Tricaster. At present the NDI traffic is causing trouble on the Auction Network which I use for bids and internet so I would like to isolate NDI from that network. I have a WAN router which will isolate the NDI but I can still get internet traffic but it also blocks the bid board posts so I need to have a 2nd NIC just listening to the bid board but stop the NDI traffic leaking back onto the Auction network via the 2nd NIC.