23.01.b.20230106.0600 IGMP proxy stops TV stream

Remie2000

Hi I just came accross this same issue. And this is a blocking issue for me aswell.
I hope it can be fixed in 23.01 instead of 23.05 where it is scheduled for right now.

DBMandrake

@stephenw10

Just to report that I also seem to be having an issue with the IGMP Proxy generating packets with invalid checksums, although in my case I am running 2.6.0, and I am using a completely different network adaptor.

As I am only just configuring the IGMP proxy for the first time (after the router has been installed for a few months) I do not have a previously working installation to compare with, and I have been troubleshooting for some time before noticing the checksum errors. Tcpdump running on the same device shows:

tcpdump: listening on ix0, link-type EN10MB (Ethernet), capture size 262144 bytes
11:21:25.462732 IP (tos 0xc0, ttl 1, id 13, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
    10.0.2.3 > 224.0.0.1: igmp query v2
11:21:26.999364 IP (tos 0x0, ttl 1, id 58030, offset 0, flags [none], proto IGMP (2), length 32, options (RA), bad cksum 0 (->5624)!)
    10.0.1.254 > 224.0.0.7: igmp v2 report 224.0.0.7
11:21:27.601357 IP (tos 0x0, ttl 1, id 35790, offset 0, flags [none], proto IGMP (2), length 32, options (RA), bad cksum 0 (->ac0f)!)
    10.0.1.254 > 224.0.0.252: igmp v2 report 224.0.0.252
11:21:30.205921 IP (tos 0x0, ttl 1, id 33675, offset 0, flags [none], proto IGMP (2), length 32, options (RA), bad cksum 0 (->b453)!)
    10.0.1.254 > 224.0.0.251: igmp v2 report 224.0.0.251
11:21:36.336285 IP (tos 0x0, ttl 1, id 37154, offset 0, flags [none], proto IGMP (2), length 32, options (RA), bad cksum 0 (->a5fc)!)
    10.0.1.254 > 224.0.1.187: igmp v2 report 224.0.1.187
11:21:36.672559 IP (tos 0x0, ttl 1, id 59654, offset 0, flags [none], proto IGMP (2), length 32, options (RA), bad cksum 0 (->3fd9)!)
    10.0.1.254 > 239.255.255.250: igmp v2 report 239.255.255.250

Tcpdump running on another PFSense router connected to the same switch does not show these packets at all so presumably they are being dropped by the switch or receiving router due to the checksum error. In any case Multicast routing between VLAN's is not working.

Here is the network card configuration:

pciconf -lv ix0

ix0@pci0:1:0:0: class=0x020000 card=0x031b1dcf chip=0x15288086 rev=0x01 hdr=0x00
    vendor     = 'Intel Corporation'
    device     = 'Ethernet Controller 10-Gigabit X540-AT2'
    class      = network
    subclass   = ethernet


ifconfig -vvvm ix0

ix0: flags=8b43<UP,BROADCAST,RUNNING,PROMISC,ALLMULTI,SIMPLEX,MULTICAST> metric 0 mtu 1500
        description: LAN
        options=e138bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,RXCSUM_IPV6,TXCSUM_IPV6>
        capabilities=f53fbb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,NETMAP,RXCSUM_IPV6,TXCSUM_IPV6>
        ether 98:b7:85:89:7f:74
        inet6 fe80::9ab7:85ff:fe89:7f74%ix0 prefixlen 64 scopeid 0x1
        inet 10.0.1.254 netmask 0xffff0000 broadcast 10.0.255.255
        media: Ethernet autoselect (10Gbase-T <full-duplex>)
        status: active
        supported media:
                media autoselect
                media 100baseTX
                media 1000baseT
                media 10Gbase-T
        nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>

I have not yet tried disabling Hardware Checksum Offloading as I've only just discovered this thread now in the middle of a work day so I can't reboot just now but I could try rebooting in the evening if this might provide a useable workaround.

The hardware is a Quad core 3.5Ghz Xeon server so should be OK to do software based checksum generation I would think ?

thebear

@dbmandrake I think a reboot should be done. With the setting enable this could be a valid data capture. Without the offloading pfSense is able to generate the checksums itself.

We can’t make a conclusion without disabling offloading.

DBMandrake

@thebear Yes I will disable checksum offloading and reboot after hours and test again tomorrow.

Also unless I have missed something, PFSense is still sending out igmp v2 reports with corrupt checksums even after I have disabled the IGMP proxy service ?

Such as:

12:29:38.863070 IP (tos 0x0, ttl 1, id 33267, offset 0, flags [none], proto IGMP (2), length 32, options (RA), bad cksum 0 (->b5eb)!)
    10.0.1.254 > 224.0.0.251: igmp v2 report 224.0.0.251

Could this be related to the Avahi service (which is still running) since 224.0.0.251 is the multicast address used by mDNS ? If so what is generating the igmp report ? The Avahi service itself or something within a lower level in the OS ?

stephenw10

Yes, with hardware checksum offloading enabled the pcap will show bad checksums as the hardware calculates them before the wire.

You might not expect to see replies to reports like that either. Unlike the queries shown above.

Steve

DBMandrake

@stephenw10 Sorry for the noise in the thread, you were right about the checksum offloading.

I temporarily disabled IGMP snooping on the switch (to stop it filtering/handling the requests itself) and was able to observe the IGMP reports from the upstream side of IGMP proxy at another device arriving safely across the network with correct checksums. So checksums is not my issue so I never bothered to try turning off hardware checksuming.

However something really weird is going on - when the switch which is normally the IGMP querier (10.0.2.1) is the querier, it is somehow suppressing IGMP membership reports from the upstream interface of IGMP proxy on PFSense, (10.0.1.254) but when I make a different switch the querier (10.0.2.3 - the switch PFsense is connected to) suddenly IGMP proxy starts sending the upstream IGMP membership reports that it should be and it starts to work - at least partially, as I was able to find and play an SSDP advertised multicast stream between VLAN's.

A lot more debugging required on my part to figure out what's going on. One problem I have is a large mix of different switch models, with some of the older ones not necessarily playing nicely - I have a suspicion there is at least one other switch on the network which is not following the gentlemans rule of "don't be IGMP querier when a lower IP address device is already sending IGMP queries" as I have seen intermittent changes in the multicast router destination pointing towards these suspect downstream switches even though they are explicitly configured to never be an IGMP querier!

Beerman

Unfortunately, I have the same problem here. Just updated from 22.05 to

23.01-RC (amd64)
built on Wed Feb 08 14:19:05 UTC 2023

I can confirm that the IGMP proxy does not work and IPTV with this version unfortunately then also not.

Then the bug probably also applies to "CE 2.7.0", right?

stephenw10

I would expect it to be the same in 2.7 currently, yes.

thebear

@stephenw10 @jimp

Is threre any way the fix will make it into 23.01? That would be very appreciated.

https://redmine.pfsense.org/issues/13929

stephenw10

Not at this point, at least not in the release build. There is no fix yet as I understand it and the release is imminent. If it's something that can be patched at runtime it can be added to the system patches package later.

Beerman

This is not good news...
Then I have to skip this update. :(

stephenw10

I agree it's unfortunate but we couldn't hold the release for this. As soon as we pin down the issue we'll know more.

tohil

@stephenw10 is this issue affecting all IGMP proxy setups? Not just particullar driver or configuration. Combinations?

stephenw10

I haven't been able to replicate it here yet so I can't say for sure. However I would expect it to be something that affects all NICs/drivers. Other multicast traffic, like CARP, does not appear affected so it looks like something in igmpproxy or the libraries it uses.

Steve

mxt3rs

I faced the same issue when upgraded to 23.01, Disable hardware checksum offload didnt help, bad checksum was in the packet capture
after reverting to BE 22.05 no bad checksum and ip tv works,
my interface is I226-V

jrueger

It would be nice if this issue was included in the release notes for 23.01. I read through all the documentation for 23.01 and then proceeded with the upgrade only to find that igmp-proxy did not work. Several hours of troubleshooting lead me to this forum post where it appears that the issue was known for some time before the release of 23.01. This is not the introduction to Netgate and pfSense that I wanted, having just migrated to Netgate products from Ubiquiti Unifi products specifically for the igmp-proxy functionality. Oh well, now I'll get an early introduction to the process for rolling back upgrades.

thebear

@jrueger said in 23.01.b.20230106.0600 IGMP proxy stops TV stream:

Oh well, now I'll get an early introduction to the process for rolling back upgrades.

Well that's not new to UniFi users right ;-) but yes I think the dev's underestimate the impact of this bug for home deployments. The list get longer and longer when users hit the update button.

At least it could be documented under know issues.

jrueger

@thebear - no kidding with the Unifi gateways ... I finally abandoned Ubiquiti because of the opaqueness of their processes and capabilities. They did finally introduce igmp-proxy functionality in the latest release but with no documentation ... only a checkbox in the GUI and no explanation of just what exactly was enabled when checking the box. So far I am enjoying pfSense immensely so I can live with the igmp-proxy issue since I get to tinker more with things. My wife wasn't happy that her television show was interrupted!

stephenw10

Yes, I apologise, it should have been in the notes. The issue was undefined, and still is to some extent. Hopefully we can pin it down shortly.

Steve

mxt3rs

@stephenw10
issue seems to be from upstream FreeBSD-14 , I was able reproduce checksum errors on FreeBSD-14.0-CURRENT-amd64-20230216-2894c8c96b9b-260969 while freeBSD 13.1-Release doesn't have the issue, pcap attached
13.pcap
14.pcap