IGMP proxy no longer works reliably after 2.7.1 update
-
@Remie2000 said in IGMP proxy no longer works reliably after 2.7.1 update:
@Remie2000 said in IGMP proxy no longer works reliably after 2.7.1 update:
@jimp said in IGMP proxy no longer works reliably after 2.7.1 update:
Kristof requested some information from users hitting this bug. See https://redmine.pfsense.org/issues/15043 for the full details. If anyone hitting this can check into what he's asking for it would help. Here is the text describing what to gather:
MRT_DEL_MFC; Errno(49) is interesting. error 49 is EADDRNOTAVAIL, which can only be returned (for MRT_DEL_MFC at least) if the membership igmpproxy attempted to remove does not exist.
So as far as the kernel is concerned we're not joined to that group.
(Do note that the membership lookup takes both origin and group address into account, so it's possible that the group is correct but the membership address is not for example.)We're going to need a bit more information to track this down.
Let's start with a debug log, because igmpproxy can log the relevant information before it attempts MRT_DEL_MFC. That does require it to run with debug verbosity, which can't be set through the webui. Terminate the running process and restart it as/usr/local/sbin/igmpproxy -v -v /var/etc/igmpproxy.conf
(or/usr/local/sbin/igmpproxy -d -v -v /var/etc/igmpproxy.conf
to run it in the foreground and send all output to stdout).Once the error occurs (and igmpproxy is still running!) also export the kernel's view of the multicast state with
netstat -i -a -n
andnetstat -g
.Shucks I just missed that while I was downgrading...
I've downgraded to 23.05.1 for the weekend again. So my family can enjoy internet + TV again.
If somebody else can provide the logs that is still affected then it would be great.If nobody else can find time by the end of next week I can arrange some time (when the kids are at school and my wife at work ;-) ) by recreating the situation again.
Thanks a lot @jimp for mentioning. I will also post this update on another forum where we discuss this issue.
I'm going to try some quick testing, time is limited don't know if I can produce any results.
I've supplied the results, downgrading again before my family returns home :-)
-
@Remie2000 thank you very much for taking the time!
-
This post is deleted! -
@vjizzle said in IGMP proxy no longer works reliably after 2.7.1 update:
Release 24.03…wow. So the fix is targeted to be here somewhere in the next 6 months orso?
Is it possible to run the igmp proxy package from 2.6 on 2.7? That would be a workaround perhaps for the time being.
@vjizzle This is typically how it is done. A separate fix is created and made available asap, usually within days or weeks. You can install the fix through the Patch option in your pfSense System-->Patches. Then, in the next big release the fix is incorporated in the main release and the patch can be dropped. Depending a bit also on where the fix should be made, not everything is under control of the pfSense team.
This was at least my experience around IGMPproxy issues, there have been some in the past. Everybody keeps saying that IGMPproxy is just a simple service passing packets along, however given the amount of issues I guess it is either more complex than everybody thinks or a good set of regression tests are missing.
-
@haraldinho
Yes, that is also how I expect things to work, however setting a delivery date that far in the future is not how you manage expectations realistically. Nonetheless, for now, running fine on 2.6. -
With the latest kernel patch from Kristof Provost this issue is solved!
-
@Rai80 great news!!
I get a file not found error on opening that next cloud link. Anyway assuming that link is restored. How do you install that image? -
@Cornel Just download the file [pfSense-kernel-pfSense-2.7.2.r.20231212.1754.pkg] to your pfSense box. When the link is working again.
Install it with: pkg add -f pfSense-kernel-pfSense-2.7.2.r.20231212.1754.pkg
RebootAnd done!
-
@Rai80 not sure what exactly the difference is, but Kristof suggested the following to install:
“Backup your device, download the pkg file to it, "pkg install -U <patchname>.pkg" and reboot.”
-
Since the former link is not working anymore I uploaded the patched kernel: https://file.io/f2Xmr5QlCTnF
-
@Rai80 thanks for sharing! Did you by any chance also get the 23.09.1 package?
-
@Cornel No sorry. I saw it was there, I think you have to wait for Kristof to make the link available again.
-
In any case I think it is better to wait a couple of days until the official patch will be available to be installed through the regular patch options.
-
@Rai80 No problem - in hindsight I'll wait for either a patch or a package specific for my architecture. Happy to see the Netgate team and the community on the ball. Great to see that a solution might be available soon.
-
@Rai80 said in IGMP proxy no longer works reliably after 2.7.1 update:
pfSense-kernel-pfSense-2.7.2.r.20231212.1754.pkg
And now? The pkg isnt available anymore!
The guys which are lucky enough to download it quickly have reliable iptv and the rest of us are fxxked?
Fun enough the maintainers "forgot" kernelside iptv elements in their maintenance releases...
Now we have to wait a year again to see an kernel which is obvious ready? Rofl
-
@UlfMerbold
I think the updated kernel fix is in the latest CE snapshots. -
Well, in my opinion this issue could have been handled better.
At first, it seemed a patch would be made available as "system patch" in pfsense.
But as the fix is kernel based, it can't be made available as a patch?The patch that was uploaded has since been removed and the mirror has also been deleted.
As said, we now have two options:- Install a snapshot, something that is far from ideal on a production system
- Wait for CE 2.8 release, that can take 6 months+.
Furthermore, IGMP proxy have been plagued with issues in the last CE (and plus) releases.
The previous issue https://redmine.pfsense.org/issues/12079 was never resolved and has been closed due to lack of feedback.
Feedback which could only have been provided after installing a snapshot version.It's hard to understand why the devs won't release the patched kernel.
I've been without live TV for months now. I'd really like to try a fixed kernel for 2.7.2.Cheers.
-
But why the heck they removed the package?
Install a fixed package is far more secure as going to an full dev snapshot.
They left the userbase alone, paying or not, with an error they made is an slap into our faces.
I need reliability, not just in running pfsense as it is, also in patch quality!
How "good" a business is, we see if we look onto their awarness for such "problems"...and this makes me happy NOT to be in a paid subscription plan -
i'm also disapointed regarding handeling this issue. The rollback from netgate for free Lab/home use of pfsense+ is bad too.
For homeuser paying 129 bugs/year is totally overrated. Yes of course i agree and thought about to pay for support. Maybe like other guys with donation or a small lifetime subscription.
And what i hell should prevent a 3. Party supplier to install pfsense CE on their products and if the byer will have mor support they can bye a subscription.
But as you can see also pfsense+ user are leaved alone. (i had migrated to pfsense+home a while ago, now i'm back at 2.7.0 an stay as long as i can on this version)
If you have a look at other FW creators they, for example SOPHOS they offer home use for free on own hardware. Ok SOPHOS is no and good example. ;)
But they don't fear th dark. They support homeuser because of mind branding. As a homeuser you get the same updates as business user, only the features are smaller.
Netgate shall think about that the community test and find bugs for them as you can see with this issue. To create a 2.7.3 with a fixes Kernal cold not be a geat effort. So where is the problem ?
In the past before netgate this where th case. -
A few weeks ago or maybe a month when this issue was brought up I did post a link here that outlines what the supported packages are in pfsense
https://www.netgate.com/supported-pfsense-plus-packagesThere are caveats to this list but the main point being if your package isn’t here it’s not supported. If it is here AND it explicitly states it is supported by Netgate then it’s good to install otherwise stay away from any package .
I agree with all points here and communication should’ve been clearer. Let’s hope they are reading this and provide an update.