Hi Jonas, your comment led me to investigate (on an Ubuntu 20.04 LTS host) libvirt's support for multicast traffic. I am not 100% sure, but it seems that with the following configuration, multicast receive is allowed (it's a bridge to a physical interface) but for sending multicast out, a 2nd interface is required. Not sure if there are any available examples of people doing it this way. Allow me to present some details about my setup and ask anyone for ideas on how to check the multicast configuration of the VM host that the vSRX runs on. The network bridge in question is br0, which is mapped to ge-0/0/0.0.
1. Config libvirt, on VM Host (s5)
dev1@s5:~$ virsh iface-dumpxml br0
<interface type='bridge' name='br0'>
<mtu size='1500'/>
<bridge stp='on' delay='1500'>
<interface type='ethernet' name='eno1'>
<link speed='100' state='up'/>
<mac address='88:51:fb:63:ee:9d'/>
</interface>
</bridge>
</interface>
2. Please see https://libvirt.org/formatdomain.html#multicast-tunnel
Multicast tunnel
A multicast group is setup to represent a virtual network. Any VMs whose network devices are in the same multicast group can talk to each other even across hosts. This mode is also available to unprivileged users. There is no default DNS or DHCP support and no outgoing network access. To provide outgoing network access, one of the VMs should have a 2nd NIC which is connected to one of the first 4 network types and do the appropriate routing. The multicast protocol is compatible with that used by user mode linux guests too. The source address used must be from the multicast address block.
...
<devices>
<interface type='mcast'>
<mac address='52:54:00:6d:90:01'/>
<source address='230.0.0.1' port='5558'/>
</interface>
</devices>
...
3. Config on vSRX 20.3R1.8 router (r5), after I pulled out the VRRP configuration from the time I posted the original message. At this stage, it is plain old routing in flow mode (IPv4). So, do you see any deficiencies in my initial configuration? But again, I am not sure that the libvirt XML configuration will (or will not) allow incoming multicast traffic.
set system management-instance
set system name-server 172.31.254.3 routing-instance NET20-R5-VR
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
set security screen ids-option untrust-screen icmp ping-death
set security screen ids-option untrust-screen ip source-route-option
set security screen ids-option untrust-screen ip tear-drop
set security screen ids-option untrust-screen tcp syn-flood alarm-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood attack-threshold 200
set security screen ids-option untrust-screen tcp syn-flood source-threshold 1024
set security screen ids-option untrust-screen tcp syn-flood destination-threshold 2048
set security screen ids-option untrust-screen tcp syn-flood queue-size 2000
set security screen ids-option untrust-screen tcp syn-flood timeout 20
set security screen ids-option untrust-screen tcp land
set security nat source rule-set source_nat from zone trust
set security nat source rule-set source_nat to zone untrust
set security nat source rule-set source_nat rule nat1 match source-address 0.0.0.0/0
set security nat source rule-set source_nat rule nat1 then source-nat interface
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy default_deny match source-address any
set security policies from-zone untrust to-zone trust policy default_deny match destination-address any
set security policies from-zone untrust to-zone trust policy default_deny match application any
set security policies from-zone untrust to-zone trust policy default_deny then deny
set security policies pre-id-default-policy then log session-close
set security zones security-zone trust tcp-rst
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ntp
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services traceroute
set interfaces ge-0/0/0 unit 0 description "TDC14 Branch LAN"
set interfaces ge-0/0/0 unit 0 family inet address 172.31.254.5/26
set interfaces ge-0/0/1 unit 0 enable
set interfaces ge-0/0/1 unit 0 family inet address 10.0.0.79/24
set interfaces ge-0/0/2 unit 0 description "2nd conn to TDC14 Branch LAN"
set interfaces ge-0/0/2 unit 0 family inet address 172.31.254.6/26
deactivate interfaces ge-0/0/2 unit 0
set interfaces fxp0 unit 0 family inet address 172.31.240.1/22
set routing-instances NET20-R5-VR routing-options static route 0.0.0.0/0 next-hop 10.0.0.1
set routing-instances NET20-R5-VR interface ge-0/0/0.0
set routing-instances NET20-R5-VR interface ge-0/0/1.0
set routing-instances NET20-R5-VR interface ge-0/0/2.0
deactivate routing-instances NET20-R5-VR interface ge-0/0/2.0
set routing-instances NET20-R5-VR instance-type virtual-router
set protocols vrrp traceoptions file vrrp-log
set protocols vrrp traceoptions file size 1m
set protocols vrrp traceoptions flag packets
4. I think I will have to check if VRRP is allowed or not, but for now here is the running interface config ...
ttadmin@r5> show interfaces ge-0/0/0.0 detail |no-more
Logical interface ge-0/0/0.0 (Index 71) (SNMP ifIndex 518) (Generation 136)
Description: TDC14 Branch LAN
Flags: Up SNMP-Traps 0x4004000 Encapsulation: ENET2
Traffic statistics:
Input bytes : 258123606
Output bytes : 356850268
Input packets: 487914
Output packets: 465089
Local statistics:
Input bytes : 2247158
Output bytes : 106268
Input packets: 51103
Output packets: 1789
Transit statistics:
Input bytes : 255876448 1260704 bps
Output bytes : 356744000 20000 bps
Input packets: 436811 117 pps
Output packets: 463300 57 pps
Security: Zone: trust
Allowed host-inbound traffic : bootp dns dhcp finger ftp tftp ident-reset http https ike netconf ping reverse-telnet reverse-ssh rlogin rpm rsh snmp snmp-trap ssh telnet traceroute xnm-clear-text xnm-ssl
lsping ntp sip dhcpv6 r2cp webapi-clear-text webapi-ssl tcp-encap sdwan-appqoe l3-ha
Flow Statistics :
Flow Input statistics :
Self packets : 1575
ICMP packets : 1773
VPN packets : 0
Multicast packets : 8936
Bytes permitted by policy : 250495656
Connections established : 12910
Flow Output statistics:
Multicast packets : 0
Bytes permitted by policy : 356612152
Flow error statistics (Packets dropped due to):
Address spoofing: 0
Authentication failed: 0
Incoming NAT errors: 0
Invalid zone received packet: 0
Multiple user authentications: 0
Multiple incoming NAT: 0
No parent for a gate: 0
No one interested in self packets: 0
No minor session: 0
No more sessions: 0
No NAT gate: 0
No route present: 8937
No SA for incoming SPI: 0
No tunnel found: 0
No session for a gate: 0
No zone or NULL zone binding 1
Policy denied: 0
Security association not active: 0
TCP sequence number out of window: 0
Syn-attack protection: 0
User authentication errors: 0
Protocol inet, MTU: 1500
Max nh cache: 100000, New hold nh limit: 100000, Curr nh cnt: 3, Curr new hold cnt: 0, NH drop cnt: 0
Generation: 156, Route table: 4
Flags: Sendbcast-pkt-to-re, Is-Primary
Addresses, Flags: Is-Default Is-Preferred Is-Primary
Destination: 172.31.254.0/26, Local: 172.31.254.5, Broadcast: 172.31.254.63, Generation: 142
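Added example, not from the original post: a small shell check for the VM host side that reads a Linux bridge's multicast settings from sysfs, the place to start when asking whether the host (rather than the vSRX) is dropping group traffic. It assumes the standard sysfs layout of an Ubuntu 20.04 kernel; the bridge and port names (br0, eno1) are the ones from the post, and the sysfs root argument exists only so the function can be run against constructed data.

```shell
#!/bin/sh
# Added example (not from the original post): report the multicast-related
# settings of a Linux bridge from sysfs, as one would on the Ubuntu VM host.
# Usage: bridge_mcast_report BRIDGE [SYSFS_ROOT]
# SYSFS_ROOT defaults to /sys; another root lets the function run against
# constructed data. Returns 0 if every port floods multicast, 1 if some
# port has mcast_flood switched off, 2 if BRIDGE is not a bridge here.
bridge_mcast_report() {
    br="$1"
    root="${2:-/sys}"
    bdir="$root/class/net/$br/bridge"
    if [ ! -d "$bdir" ]; then
        echo "$br: no $bdir; not a bridge on this host" >&2
        return 2
    fi
    # Bridge-wide knobs. The Linux bridge floods 224.0.0.0/24 (which includes
    # VRRP's 224.0.0.18) regardless of snooping, so the snooping/querier state
    # matters for other groups rather than for VRRP advertisements themselves.
    printf '%s: multicast_snooping=%s multicast_querier=%s\n' "$br" \
        "$(cat "$bdir/multicast_snooping")" "$(cat "$bdir/multicast_querier")"
    rc=0
    # Per-port flag (bridge link set dev PORT mcast_flood on|off): with it off,
    # multicast the bridge would otherwise flood is not sent out that port.
    for pdir in "$root/class/net/$br/brif"/*; do
        [ -e "$pdir" ] || continue
        port=$(basename "$pdir")
        flood=$(cat "$root/class/net/$port/brport/multicast_flood" 2>/dev/null || echo '?')
        printf '  port %s: multicast_flood=%s\n' "$port" "$flood"
        [ "$flood" = "0" ] && rc=1
    done
    return $rc
}

# Run against the real host when a bridge name is given on the command line.
if [ $# -gt 0 ]; then
    bridge_mcast_report "$@"
fi
```

Pair it with `tcpdump -ni br0 vrrp` on the host to confirm whether VRRP advertisements (IP protocol 112 to 224.0.0.18) actually arrive on the bridge before looking further at the vSRX side.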