Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    multicast inconsistant

    Scheduled Pinned Locked Moved General pfSense Questions
    49 Posts 6 Posters 5.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • johnpozJ
      johnpoz LAYER 8 Global Moderator @maximushugus
      last edited by

      @maximushugus if your not seeing it via a sniff on pfsense, that has nothing to do with firewall rules on pfsense or blocking or not blocking igmp with ip options set.. Because the sniff would happen before any firewall rules were used.. Now up the stack could be blocked from "seeing" that traffic - but sniff at the wire would show it.

      If pfsense is not seeing the traffic via sniff points to switch not sending it out the port pfsense is connected too.. Or your sniffing on a vlan and the traffic is not tagged, etc.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      M 1 Reply Last reply Reply Quote 1
      • M
        maximushugus @johnpoz
        last edited by

        @johnpoz I agree with you but what is strange is that my problem happened after updating pfSense, and at this moment I didn't touch my switch, that's why I was searching for a pfSense problem

        johnpozJ 1 Reply Last reply Reply Quote 0
        • johnpozJ
          johnpoz LAYER 8 Global Moderator @maximushugus
          last edited by johnpoz

          @maximushugus I hear ya - but I am not aware of anything in pfsense that would prevent a "sniff" ie packet capture from seeing the traffic coming into the interface.. If that traffic gets passed up the stack to be further processed either by something running on pfsense or routed, etc. sure... But at the sniff, if not seeing it on the sniff - that tells me its not there.

          The only thing would be if your sniffing for traffic tagged for vlan X, but the traffic itself is not tagged.. You wouldn't see it then in your capture.

          You know who might be good resource - @bmeeks he handles all the IPS stuff, fairly sure he would know if something could prevent being seen at the sniff level in pfsense.

          I can't recall ever running into a scenario where not being seen by a packet capture, but traffic actually there - unless you not sniffing for the actual traffic, be it wrong vlan related or wrong interface, wrong protocol or wrong ip or port, etc... And I have been doing this a really long time ;)

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          bmeeksB 1 Reply Last reply Reply Quote 0
          • stephenw10S
            stephenw10 Netgate Administrator
            last edited by

            Driver issue can hide traffic from pcaps. The ix driver had a bug that was filtering vlan0 for example. pcap showed no traffic.

            johnpozJ 1 Reply Last reply Reply Quote 1
            • johnpozJ
              johnpoz LAYER 8 Global Moderator @stephenw10
              last edited by johnpoz

              @stephenw10 ah - good info.. But that is a error at the driver level.. Not some software in pfsense.. But guess there could be a problem after he updated with the driver.. Good info!!

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              1 Reply Last reply Reply Quote 1
              • dennypageD
                dennypage
                last edited by

                Of note is that the whole thing is a LAGG, and often packet captures do not function as one would expect. Several times in the past I have ended up having to run individual captures on the interfaces involved in the LAGG to get a complete picture.

                If it were me, the first diagnostic thing I would do is to remove the LAGG from the picture. YMMV.

                johnpozJ 1 Reply Last reply Reply Quote 2
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator @dennypage
                  last edited by

                  @dennypage also great info - and I have seen that in the past.. When troubleshooting where trying to validate traffic gets to where it is suppose to go and there is a lag at the endpoint, we have always turned down all but one interface in the lag

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  dennypageD 1 Reply Last reply Reply Quote 1
                  • M
                    maximushugus
                    last edited by

                    I restored a know working configuration from last year to my switch : it didn't solve the problem.

                    But by doing a packet capture on pfSense this time, after restoring my switch config, I have a weird behavior :

                    • First after restoring (and restarting) my switch config, everything was working, I asked a multicast IPTV stream from my ISP on my PC and I was able to receive the stream.
                    • But as soon as I stopped the stream, it stopped, but I was not able anymore to ask this multicast stream.

                    Here is the capture : as you can see, after packet n°10 with my PC leaving the multicast group, pfSense only see multicast from its own IP sourcecapture.pcap

                    1 Reply Last reply Reply Quote 0
                    • bmeeksB
                      bmeeks @johnpoz
                      last edited by

                      @johnpoz said in multicast inconsistant:

                      You know who might be good resource - @bmeeks he handles all the IPS stuff, fairly sure he would know if something could prevent being seen at the sniff level in pfsense.

                      The only possible way for IPS to interfere with a traffic sniff would be when using Inline IPS Mode with the netmap kernel device. That could theoretically intercept and drop a packet before PCAP on the interface could see it, but I actually doubt that both PCAP and netmap can coexist simultaneously on the same physical interface. I suspect one of them is sure to complain about the other during initialization.

                      But simply stopping the IDS/IPS service is sufficient to completely remove it from any possible interference in the sniff.

                      M 1 Reply Last reply Reply Quote 1
                      • M
                        maximushugus
                        last edited by

                        By reseting the port link on my switch for my pfSense, I can reproduce this behavior

                        1 Reply Last reply Reply Quote 0
                        • M
                          maximushugus @bmeeks
                          last edited by maximushugus

                          @bmeeks I tried a packet capture after stopping the dpinger service, but it didn't change anything.

                          I correct myself : on a capture on my pfSense when I have this problem, I only see multicast with IPv4 source address of my pfSense AND MDNS multicast packets (224.0.0.251) from my lan AND multicast leave group from my lan (but not multicast join group)

                          johnpozJ 1 Reply Last reply Reply Quote 0
                          • johnpozJ
                            johnpoz LAYER 8 Global Moderator @maximushugus
                            last edited by

                            @maximushugus said in multicast inconsistant:

                            stopping the dpinger service

                            what would that have to do with anything - dpinger is what checks to see if your gateway is online via pinging it.

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                            M 1 Reply Last reply Reply Quote 0
                            • M
                              maximushugus @johnpoz
                              last edited by

                              @johnpoz I though this would stop IDS/IPS service as said above

                              dennypageD 1 Reply Last reply Reply Quote 0
                              • dennypageD
                                dennypage @maximushugus
                                last edited by

                                @maximushugus said in multicast inconsistant:

                                I though this would stop IDS/IPS service as said above

                                It won't. dpinger has no relationship to IDS/IPS.

                                1 Reply Last reply Reply Quote 0
                                • M
                                  maximushugus
                                  last edited by

                                  I don't really know what you mean by IDS/IPS. If it's in relation to snort or suricata, i do not have those packet installed
                                  I have wireguard, avahi, openvpn (and arping, iperf)

                                  bmeeksB 1 Reply Last reply Reply Quote 0
                                  • bmeeksB
                                    bmeeks @maximushugus
                                    last edited by

                                    @maximushugus said in multicast inconsistant:

                                    I don't really know what you mean by IDS/IPS. If it's in relation to snort or suricata, i do not have those packet installed
                                    I have wireguard, avahi, openvpn (and arping, iperf)

                                    If you do not have Snort or Suricata installed, then forget all the remarks about IDS/IPS. They are not relevant without one of those packages installed and running.

                                    1 Reply Last reply Reply Quote 1
                                    • dennypageD
                                      dennypage @johnpoz
                                      last edited by

                                      @maximushugus said in multicast inconsistant:

                                      By reseting the port link on my switch for my pfSense, I can reproduce this behavior

                                      @maximushugus, you should start with this suggestion:

                                      @johnpoz said in multicast inconsistant:

                                      When troubleshooting where trying to validate traffic gets to where it is suppose to go and there is a lag at the endpoint, we have always turned down all but one interface in the lag

                                      1 Reply Last reply Reply Quote 0
                                      • M
                                        maximushugus
                                        last edited by

                                        To update the topic : for the moment I'm not able to do testing disabling lag because of my configuration.
                                        But I reinstalled pfSense 2.7.0 reimporting the exact same configuration, and my multicast is working again.
                                        I suspect a bug in the igmpproxy program in pfSense 2.7.2 (or pfSense 2.7.1 but I never tried this version)
                                        Maybe it is related with this : https://redmine.pfsense.org/issues/15043

                                        1 Reply Last reply Reply Quote 0
                                        • stephenw10S
                                          stephenw10 Netgate Administrator
                                          last edited by

                                          @maximushugus said in multicast inconsistant:

                                          https://redmine.pfsense.org/issues/15043

                                          It could be that. Those fixes are in 24.03.

                                          1 Reply Last reply Reply Quote 0
                                          • M
                                            maximushugus
                                            last edited by

                                            I tried to transfer the igmpproxy binary from working 2.7.0 pfSense to 2.7.2.
                                            But it looks like the binary is exactly the same...

                                            To resume : if I restart my pfSense interfaces and launch igmpproxy, the first multicast stream I ask is working. But as soon as I leave this first asked multicast stream, it is not working anymore, and if I do a packet capture, I do not see any multicast packets exept those with IPv4 source address of my pfSense AND MDNS multicast packets (224.0.0.251) from my lan AND multicast leave group from my lan (but not multicast join group).

                                            I managed to get igmpproxy logs from working state to not working (by restarting interfaces from my switch and lauching igmpproxy after reconnecting). On this log I put "****************" when I left the stream on my PC :

                                            igmpproxy -n -d -vv /etc/igmpproxy.conf
Searching for config file at '/etc/igmpproxy.conf'
Config: Quick leave mode enabled.
Config: Got a phyint token.
Config: IF: Config for interface lagg0.1.
Config: IF: Got upstream token.
Config: IF: Got ratelimit token '0'.
Config: IF: Got threshold token '1'.
Config: IF: Got whitelist token 233.32.36.0/24.
Config: IF: Altnet: Parsed altnet to 233.32.36/24.
Config: IF: Got whitelist token 233.60.197.0/24.
Config: IF: Altnet: Parsed altnet to 233.60.197/24.
Config: IF: Got whitelist token 233.49.82.0/24.
Config: IF: Altnet: Parsed altnet to 233.49.82/24.
Config: IF: Got whitelist token 233.136.0.0/24.
Config: IF: Altnet: Parsed altnet to 233.136.0/24.
Config: IF: Got whitelist token 233.136.44.0/24.
Config: IF: Altnet: Parsed altnet to 233.136.44/24.
Config: IF: Got altnet token 0.0.0.0/0.
Config: IF: Altnet: Parsed altnet to default.
IF name : lagg0.1
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 1
Allowednet ptr : 7c41b0a0
Config: Got a phyint token.
Config: IF: Config for interface lagg0.3.
Config: IF: Got downstream token.
Config: IF: Got ratelimit token '0'.
Config: IF: Got threshold token '1'.
Config: IF: Got altnet token 0.0.0.0/0.
Config: IF: Altnet: Parsed altnet to default.
IF name : lagg0.3
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 2
Allowednet ptr : 7c41b0c0
Config: Got a phyint token.
Config: IF: Config for interface lagg0.99.
Config: IF: Got downstream token.
Config: IF: Got ratelimit token '0'.
Config: IF: Got threshold token '1'.
IF name : lagg0.99
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 2
Allowednet ptr : 0
Config: Got a phyint token.
Config: IF: Config for interface lagg0.50.
Config: IF: Got disabled token.
IF name : lagg0.50
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 0
Allowednet ptr : 0
Config: Got a phyint token.
Config: IF: Config for interface gre0.
Config: IF: Got disabled token.
IF name : gre0
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 0
Allowednet ptr : 0
Config: Got a phyint token.
Config: IF: Config for interface tun_wg0.
Config: IF: Got disabled token.
IF name : tun_wg0
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 0
Allowednet ptr : 0
Config: Got a phyint token.
Config: IF: Config for interface tun_wg1.
Config: IF: Got disabled token.
IF name : tun_wg1
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 0
Allowednet ptr : 0
Config: Got a phyint token.
Config: IF: Config for interface lagg0.2.
Config: IF: Got disabled token.
IF name : lagg0.2
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 0
Allowednet ptr : 0
buildIfVc: Interface lo0 Addr: 127.0.0.1, Flags: 0xffff8049, Network: 127/8
buildIfVc: Interface lo0 Addr: 45.13.104.149, Flags: 0xffff8049, Network: 45/8
buildIfVc: Interface lagg0.3 Addr: 192.168.3.1, Flags: 0xffff8943, Network: 192.168.3/24
buildIfVc: Interface lagg0.50 Addr: 192.168.50.1, Flags: 0xffff8943, Network: 192.168.50/24
buildIfVc: Interface lagg0.99 Addr: 192.168.99.1, Flags: 0xffff8943, Network: 192.168.99/24
buildIfVc: Interface lagg0.1 Addr: 109.11.243.7, Flags: 0xffff8843, Network: 109.11.243/24
buildIfVc: Interface lagg0.1 Addr: 192.168.4.253, Flags: 0xffff8843, Network: 192.168.4/24
buildIfVc: Interface ovpns1 Addr: 192.168.26.1, Flags: 0xffff8043, Network: 192.168.26/24
buildIfVc: Interface tun_wg0 Addr: 192.168.25.1, Flags: 0xffff80c1, Network: 192.168.25/24
buildIfVc: Interface tun_wg1 Addr: 192.168.27.1, Flags: 0xffff80c1, Network: 192.168.27/24
buildIfVc: Interface gre0 Addr: 10.1.0.246, Flags: 0xffff8051, Network: 10.1.0.244/30
Found config for lagg0.3
Found config for lagg0.50
Found config for lagg0.99
Found config for lagg0.1
Found config for lagg0.1
Found config for tun_wg0
Found config for tun_wg1
Found config for gre0
adding VIF, Ix 0 Fl 0x0 IP 0x0103a8c0 lagg0.3, Threshold: 1, Ratelimit: 0
        Network for [lagg0.3] : 192.168.3/24
        Network for [lagg0.3] : default
adding VIF, Ix 1 Fl 0x0 IP 0x0163a8c0 lagg0.99, Threshold: 1, Ratelimit: 0
        Network for [lagg0.99] : 192.168.99/24
Found upstrem IF #0, will assing as upstream Vif 27
adding VIF, Ix 2 Fl 0x0 IP 0x07f30b6d lagg0.1, Threshold: 1, Ratelimit: 0
        Network for [lagg0.1] : 109.11.243/24
        Network for [lagg0.1] : default
Found upstrem IF #1, will assing as upstream Vif 28
adding VIF, Ix 3 Fl 0x0 IP 0xfd04a8c0 lagg0.1, Threshold: 1, Ratelimit: 0
        Network for [lagg0.1] : 192.168.4/24
        Network for [lagg0.1] : default
Got 262144 byte buffer size in 0 iterations
Joining all-routers group 224.0.0.2 on vif 192.168.3.1
Joining group 224.0.0.2 on interface lagg0.3
Joining all igmpv3 multicast routers group 224.0.0.22 on vif 192.168.3.1
Joining group 224.0.0.22 on interface lagg0.3
Joining all-routers group 224.0.0.2 on vif 192.168.99.1
Joining group 224.0.0.2 on interface lagg0.99
Joining all igmpv3 multicast routers group 224.0.0.22 on vif 192.168.99.1
Joining group 224.0.0.22 on interface lagg0.99
SENT Membership query   from 192.168.3.1     to 224.0.0.1
Sent membership query from 192.168.3.1 to 224.0.0.1. Delay: 10
SENT Membership query   from 192.168.99.1    to 224.0.0.1
Sent membership query from 192.168.99.1 to 224.0.0.1. Delay: 10
Created timeout 1 (#0) - delay 10 secs
(Id:1, Time:10) 
Created timeout 2 (#1) - delay 21 secs
(Id:1, Time:10) 
(Id:2, Time:21) 
RECV V2 member report   from 192.168.3.1     to 224.0.0.2
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.3.1     to 224.0.0.22
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.99.1    to 224.0.0.2
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.99.1    to 224.0.0.22
The IGMP message was from myself. Ignoring.
RECV Membership query   from 192.168.3.1     to 224.0.0.1
RECV Membership query   from 192.168.99.1    to 224.0.0.1
Route activate request from 192.168.3.31 to 224.2.127.254 on VIF[2]
No table entry for 224.2.127.254 [From: 192.168.3.31]. Inserting route.
No existing route for 224.2.127.254. Create new.
No routes in table. Insert at beginning.
Inserted route table entry for 224.2.127.254 on VIF #-1
The group address 224.2.127.254 may not be forwarded upstream. Ignoring.

Current routing table (Insert Route):
-----------------------------------------------------
#0: Dst: 224.2.127.254, Age:2, St: I, OutVifs: 0x00000000, dHosts: yes
-----------------------------------------------------

Current routing table (Activate Route):
-----------------------------------------------------
#0: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000000, dHosts: yes
-----------------------------------------------------
Route activate request from 192.168.3.4 to 239.255.255.250 on VIF[2]
No table entry for 239.255.255.250 [From: 192.168.3.4]. Inserting route.
No existing route for 239.255.255.250. Create new.
Found existing routes. Find insert location.
Inserting at beginning, before route 224.2.127.254
Inserted route table entry for 239.255.255.250 on VIF #-1
The group address 239.255.255.250 may not be forwarded upstream. Ignoring.

Current routing table (Insert Route):
-----------------------------------------------------
#0: Dst: 239.255.255.250, Age:2, St: I, OutVifs: 0x00000000, dHosts: yes
#1: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000000, dHosts: yes
-----------------------------------------------------

Current routing table (Activate Route):
-----------------------------------------------------
#0: Src0: 192.168.3.4, Dst: 239.255.255.250, Age:2, St: A, OutVifs: 0x00000000, dHosts: yes
#1: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000000, dHosts: yes
-----------------------------------------------------
RECV V2 member report   from 192.168.3.4     to 224.2.127.254
Should insert group 224.2.127.254 (from: 192.168.3.4) to route table. Vif Ix : 0
Updated route entry for 224.2.127.254 on VIF #0
Vif bits : 0x00000001
Setting TTL for Vif 0 to 1
Adding MFC: 192.168.3.31 -> 224.2.127.254, InpVIf: 2
The group address 224.2.127.254 may not be forwarded upstream. Ignoring.

Current routing table (Insert Route):
-----------------------------------------------------
#0: Src0: 192.168.3.4, Dst: 239.255.255.250, Age:2, St: A, OutVifs: 0x00000000, dHosts: yes
#1: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
RECV V2 member report   from 192.168.3.4     to 239.255.255.250
Should insert group 239.255.255.250 (from: 192.168.3.4) to route table. Vif Ix : 0
Updated route entry for 239.255.255.250 on VIF #0
Vif bits : 0x00000001
Setting TTL for Vif 0 to 1
Adding MFC: 192.168.3.4 -> 239.255.255.250, InpVIf: 2
The group address 239.255.255.250 may not be forwarded upstream. Ignoring.

Current routing table (Insert Route):
-----------------------------------------------------
#0: Src0: 192.168.3.4, Dst: 239.255.255.250, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
#1: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
RECV V2 member report   from 192.168.99.1    to 224.0.0.2
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.3.1     to 224.0.0.2
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.3.37    to 239.255.255.250
Should insert group 239.255.255.250 (from: 192.168.3.37) to route table. Vif Ix : 0
Updated route entry for 239.255.255.250 on VIF #0
Vif bits : 0x00000001
Setting TTL for Vif 0 to 1
Adding MFC: 192.168.3.4 -> 239.255.255.250, InpVIf: 2
The group address 239.255.255.250 may not be forwarded upstream. Ignoring.

Current routing table (Insert Route):
-----------------------------------------------------
#0: Src0: 192.168.3.4, Dst: 239.255.255.250, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
#1: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
RECV V2 member report   from 192.168.3.4     to 239.255.255.246
Should insert group 239.255.255.246 (from: 192.168.3.4) to route table. Vif Ix : 0
No existing route for 239.255.255.246. Create new.
Found existing routes. Find insert location.
Inserting at beginning, before route 239.255.255.250
Inserted route table entry for 239.255.255.246 on VIF #0
The group address 239.255.255.246 may not be forwarded upstream. Ignoring.

Current routing table (Insert Route):
-----------------------------------------------------
#0: Dst: 239.255.255.246, Age:2, St: I, OutVifs: 0x00000001, dHosts: yes
#1: Src0: 192.168.3.4, Dst: 239.255.255.250, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
#2: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
RECV V2 member report   from 192.168.3.9     to 239.255.255.250
Should insert group 239.255.255.250 (from: 192.168.3.9) to route table. Vif Ix : 0
Updated route entry for 239.255.255.250 on VIF #0
Vif bits : 0x00000001
Setting TTL for Vif 0 to 1
Adding MFC: 192.168.3.4 -> 239.255.255.250, InpVIf: 2
The group address 239.255.255.250 may not be forwarded upstream. Ignoring.

Current routing table (Insert Route):
-----------------------------------------------------
#0: Dst: 239.255.255.246, Age:2, St: I, OutVifs: 0x00000001, dHosts: yes
#1: Src0: 192.168.3.4, Dst: 239.255.255.250, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
#2: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
RECV V2 member report   from 192.168.3.18    to 239.255.255.250
Should insert group 239.255.255.250 (from: 192.168.3.18) to route table. Vif Ix : 0
Updated route entry for 239.255.255.250 on VIF #0
Vif bits : 0x00000001
Setting TTL for Vif 0 to 1
Adding MFC: 192.168.3.4 -> 239.255.255.250, InpVIf: 2
The group address 239.255.255.250 may not be forwarded upstream. Ignoring.

Current routing table (Insert Route):
-----------------------------------------------------
#0: Dst: 239.255.255.246, Age:2, St: I, OutVifs: 0x00000001, dHosts: yes
#1: Src0: 192.168.3.4, Dst: 239.255.255.250, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
#2: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
RECV Membership query   from 1.1.1.1         to 224.0.0.1
RECV V2 member report   from 192.168.3.1     to 224.0.0.22
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.3.1     to 224.0.0.251
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.3.111   to 239.255.255.250
Should insert group 239.255.255.250 (from: 192.168.3.111) to route table. Vif Ix : 0
Updated route entry for 239.255.255.250 on VIF #0
Vif bits : 0x00000001
Setting TTL for Vif 0 to 1
Adding MFC: 192.168.3.4 -> 239.255.255.250, InpVIf: 2
The group address 239.255.255.250 may not be forwarded upstream. Ignoring.

Current routing table (Insert Route):
-----------------------------------------------------
#0: Dst: 239.255.255.246, Age:2, St: I, OutVifs: 0x00000001, dHosts: yes
#1: Src0: 192.168.3.4, Dst: 239.255.255.250, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
#2: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
RECV V2 member report   from 192.168.99.1    to 224.0.0.22
The IGMP message was from myself. Ignoring.
About to call timeout 1 (#0)
Aging routes in table.

Current routing table (Age active routes):
-----------------------------------------------------
#0: Dst: 239.255.255.246, Age:1, St: I, OutVifs: 0x00000001, dHosts: yes
#1: Src0: 192.168.3.4, Dst: 239.255.255.250, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
#2: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
Route activate request from 192.168.3.18 to 239.255.255.250 on VIF[2]
Vif bits : 0x00000001
Setting TTL for Vif 0 to 1
Adding MFC: 192.168.3.18 -> 239.255.255.250, InpVIf: 2
Vif bits : 0x00000001
Setting TTL for Vif 0 to 1
Adding MFC: 192.168.3.4 -> 239.255.255.250, InpVIf: 2

Current routing table (Activate Route):
-----------------------------------------------------
#0: Dst: 239.255.255.246, Age:1, St: I, OutVifs: 0x00000001, dHosts: yes
#1: Src0: 192.168.3.18, Src1: 192.168.3.4, Dst: 239.255.255.250, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
#2: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
RECV V2 member report   from 192.168.3.4     to 224.2.127.254
Should insert group 224.2.127.254 (from: 192.168.3.4) to route table. Vif Ix : 0
Updated route entry for 224.2.127.254 on VIF #0
Vif bits : 0x00000001
Setting TTL for Vif 0 to 1
Adding MFC: 192.168.3.31 -> 224.2.127.254, InpVIf: 2
The group address 224.2.127.254 may not be forwarded upstream. Ignoring.

Current routing table (Insert Route):
-----------------------------------------------------
#0: Dst: 239.255.255.246, Age:1, St: I, OutVifs: 0x00000001, dHosts: yes
#1: Src0: 192.168.3.18, Src1: 192.168.3.4, Dst: 239.255.255.250, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
#2: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
RECV V2 member report   from 192.168.3.4     to 239.255.255.250
Should insert group 239.255.255.250 (from: 192.168.3.4) to route table. Vif Ix : 0
Updated route entry for 239.255.255.250 on VIF #0
Vif bits : 0x00000001
Setting TTL for Vif 0 to 1
Adding MFC: 192.168.3.18 -> 239.255.255.250, InpVIf: 2
Vif bits : 0x00000001
Setting TTL for Vif 0 to 1
Adding MFC: 192.168.3.4 -> 239.255.255.250, InpVIf: 2
The group address 239.255.255.250 may not be forwarded upstream. Ignoring.

Current routing table (Insert Route):
-----------------------------------------------------
#0: Dst: 239.255.255.246, Age:1, St: I, OutVifs: 0x00000001, dHosts: yes
#1: Src0: 192.168.3.18, Src1: 192.168.3.4, Dst: 239.255.255.250, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
#2: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
RECV V2 member report   from 192.168.3.4     to 239.255.255.246
Should insert group 239.255.255.246 (from: 192.168.3.4) to route table. Vif Ix : 0
Updated route entry for 239.255.255.246 on VIF #0
The group address 239.255.255.246 may not be forwarded upstream. Ignoring.

Current routing table (Insert Route):
-----------------------------------------------------
#0: Dst: 239.255.255.246, Age:1, St: I, OutVifs: 0x00000001, dHosts: yes
#1: Src0: 192.168.3.18, Src1: 192.168.3.4, Dst: 239.255.255.250, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
#2: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
RECV V2 member report   from 192.168.3.112   to 233.136.0.202
Should insert group 233.136.0.202 (from: 192.168.3.112) to route table. Vif Ix : 0
No existing route for 233.136.0.202. Create new.
Found existing routes. Find insert location.
Inserting at beginning, before route 239.255.255.246
Inserted route table entry for 233.136.0.202 on VIF #0
Joining group 233.136.0.202 upstream on IF address 109.11.243.7
Joining group 233.136.0.202 on interface lagg0.1
Joining group 233.136.0.202 upstream on IF address 192.168.4.253
Joining group 233.136.0.202 on interface lagg0.1
can't join group 233.136.0.202 on interface lagg0.1; Errno(48): Address already in use

Current routing table (Insert Route):
-----------------------------------------------------
#0: Dst: 233.136.0.202, Age:2, St: I, OutVifs: 0x00000001, dHosts: yes
#1: Dst: 239.255.255.246, Age:1, St: I, OutVifs: 0x00000001, dHosts: yes
#2: Src0: 192.168.3.18, Src1: 192.168.3.4, Dst: 239.255.255.250, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
#3: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
RECV V2 member report   from 109.11.243.7    to 233.136.0.202
The IGMP message was from myself. Ignoring.
Route activate request from 77.130.48.82 to 233.136.0.202 on VIF[2]
Vif bits : 0x00000001
Setting TTL for Vif 0 to 1
Adding MFC: 77.130.48.82 -> 233.136.0.202, InpVIf: 2

Current routing table (Activate Route):
-----------------------------------------------------
#0: Src0: 77.130.48.82, Dst: 233.136.0.202, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
#1: Dst: 239.255.255.246, Age:1, St: I, OutVifs: 0x00000001, dHosts: yes
#2: Src0: 192.168.3.18, Src1: 192.168.3.4, Dst: 239.255.255.250, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
#3: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
About to call timeout 2 (#0)
SENT Membership query   from 192.168.3.1     to 224.0.0.1
Sent membership query from 192.168.3.1 to 224.0.0.1. Delay: 10
SENT Membership query   from 192.168.99.1    to 224.0.0.1
Sent membership query from 192.168.99.1 to 224.0.0.1. Delay: 10
Created timeout 3 (#0) - delay 10 secs
(Id:3, Time:10) 
Created timeout 4 (#1) - delay 21 secs
(Id:3, Time:10) 
(Id:4, Time:21) 
RECV Membership query   from 192.168.99.1    to 224.0.0.1
RECV Membership query   from 192.168.3.1     to 224.0.0.1
RECV V2 member report   from 192.168.99.1    to 224.0.0.22
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.3.1     to 224.0.0.22
The IGMP message was from myself. Ignoring.
About to call timeout 3 (#0)
Aging routes in table.

Current routing table (Age active routes):
-----------------------------------------------------
#0: Src0: 77.130.48.82, Dst: 233.136.0.202, Age:1, St: A, OutVifs: 0x00000001, dHosts: yes
#1: Dst: 239.255.255.246, Age:2, St: I, OutVifs: 0x00000001, dHosts: yes
#2: Src0: 192.168.3.18, Src1: 192.168.3.4, Dst: 239.255.255.250, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
#3: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
RECV Leave message      from 192.168.3.112   to 224.0.0.2
Got leave message from 192.168.3.112 to 233.136.0.202. Starting last member detection.
**********************************************************************
counted 1 interfaces
quickleave is enabled and this was the last downstream host, leaving group 233.136.0.202 now
Leaving group 233.136.0.202 upstream on IF address 109.11.243.7
Leaving group 233.136.0.202 on interface lagg0.1
Interface id 0 is in group $d
SENT Membership query   from 192.168.3.1     to 233.136.0.202
Sent membership query from 192.168.3.1 to 233.136.0.202. Delay: 10
Interface id 1 is in group $d
Created timeout 5 (#0) - delay 10 secs
(Id:5, Time:10) 
(Id:4, Time:11) 
RECV Leave message      from 109.11.243.7    to 224.0.0.2
Got leave message from 109.11.243.7 to 233.136.0.202. Starting last member detection.
The found if for 109.11.243.7 was not downstream. Ignoring leave request.
RECV Membership query   from 192.168.3.1     to 233.136.0.202
RECV V2 member report   from 192.168.3.1     to 224.0.0.251
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.3.1     to 224.0.0.2
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.99.1    to 224.0.0.2
The IGMP message was from myself. Ignoring.
About to call timeout 5 (#0)
Interface id 0 is in group $d
SENT Membership query   from 192.168.3.1     to 233.136.0.202
Sent membership query from 192.168.3.1 to 233.136.0.202. Delay: 10
Interface id 1 is in group $d
Created timeout 6 (#0) - delay 10 secs
(Id:6, Time:10) 
(Id:4, Time:1) 
RECV Membership query   from 192.168.3.1     to 233.136.0.202
About to call timeout 6 (#0)
Removing group 233.136.0.202. Died of old age.
Removed route entry for 233.136.0.202 from table.
Vif bits : 0x00000001
Setting TTL for Vif 0 to 1
Removing MFC: 77.130.48.82 -> 233.136.0.202, InpVIf: 2

Current routing table (Remove route):
-----------------------------------------------------
#0: Dst: 239.255.255.246, Age:2, St: I, OutVifs: 0x00000001, dHosts: yes
#1: Src0: 192.168.3.18, Src1: 192.168.3.4, Dst: 239.255.255.250, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
#2: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
About to call timeout 4 (#0)
SENT Membership query   from 192.168.3.1     to 224.0.0.1
Sent membership query from 192.168.3.1 to 224.0.0.1. Delay: 10
SENT Membership query   from 192.168.99.1    to 224.0.0.1
Sent membership query from 192.168.99.1 to 224.0.0.1. Delay: 10
Created timeout 7 (#0) - delay 10 secs
(Id:7, Time:10) 
Created timeout 8 (#1) - delay 115 secs
(Id:7, Time:10) 
(Id:8, Time:115) 
RECV Membership query   from 192.168.3.1     to 224.0.0.1
RECV Membership query   from 192.168.99.1    to 224.0.0.1
RECV Membership query   from 1.1.1.1         to 224.0.0.1
RECV V2 member report   from 192.168.99.1    to 224.0.0.2
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.3.1     to 224.0.0.22
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.3.1     to 224.0.0.2
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.3.1     to 224.0.0.251
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.99.1    to 224.0.0.22
The IGMP message was from myself. Ignoring.
About to call timeout 7 (#0)
Aging routes in table.

Current routing table (Age active routes):
-----------------------------------------------------
#0: Dst: 239.255.255.246, Age:1, St: I, OutVifs: 0x00000001, dHosts: yes
#1: Src0: 192.168.3.18, Src1: 192.168.3.4, Dst: 239.255.255.250, Age:1, St: A, OutVifs: 0x00000001, dHosts: yes
#2: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:1, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
About to call timeout 8 (#0)
SENT Membership query   from 192.168.3.1     to 224.0.0.1
Sent membership query from 192.168.3.1 to 224.0.0.1. Delay: 10
SENT Membership query   from 192.168.99.1    to 224.0.0.1
Sent membership query from 192.168.99.1 to 224.0.0.1. Delay: 10
Created timeout 9 (#0) - delay 10 secs
(Id:9, Time:10) 
Created timeout 10 (#1) - delay 115 secs
(Id:9, Time:10) 
(Id:10, Time:115) 
RECV Membership query   from 192.168.3.1     to 224.0.0.1
RECV Membership query   from 192.168.99.1    to 224.0.0.1
RECV V2 member report   from 192.168.99.1    to 224.0.0.2
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.99.1    to 224.0.0.22
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.3.1     to 224.0.0.251
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.3.1     to 224.0.0.2
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.3.1     to 224.0.0.22
The IGMP message was from myself. Ignoring.
About to call timeout 9 (#0)
Aging routes in table.
Removing group 239.255.255.246. Died of old age.
Removed route entry for 239.255.255.246 from table.

Current routing table (Remove route):
-----------------------------------------------------
#0: Src0: 192.168.3.18, Src1: 192.168.3.4, Dst: 239.255.255.250, Age:1, St: A, OutVifs: 0x00000001, dHosts: yes
#1: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:1, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
Removing group 239.255.255.250. Died of old age.
Removed route entry for 239.255.255.250 from table.
Vif bits : 0x00000001
Setting TTL for Vif 0 to 1
Removing MFC: 192.168.3.18 -> 239.255.255.250, InpVIf: 2
Vif bits : 0x00000001
Setting TTL for Vif 0 to 1
Removing MFC: 192.168.3.4 -> 239.255.255.250, InpVIf: 2

Current routing table (Remove route):
-----------------------------------------------------
#0: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:1, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
Removing group 224.2.127.254. Died of old age.
Removed route entry for 224.2.127.254 from table.
Vif bits : 0x00000001
Setting TTL for Vif 0 to 1
Removing MFC: 192.168.3.31 -> 224.2.127.254, InpVIf: 2

Current routing table (Remove route):
-----------------------------------------------------
No routes in table...
-----------------------------------------------------

Current routing table (Age active routes):
-----------------------------------------------------
No routes in table...
-----------------------------------------------------
About to call timeout 10 (#0)
SENT Membership query   from 192.168.3.1     to 224.0.0.1
Sent membership query from 192.168.3.1 to 224.0.0.1. Delay: 10
SENT Membership query   from 192.168.99.1    to 224.0.0.1
Sent membership query from 192.168.99.1 to 224.0.0.1. Delay: 10
Created timeout 11 (#0) - delay 10 secs
(Id:11, Time:10) 
Created timeout 12 (#1) - delay 115 secs
(Id:11, Time:10) 
(Id:12, Time:115) 
RECV Membership query   from 192.168.3.1     to 224.0.0.1
RECV Membership query   from 192.168.99.1    to 224.0.0.1
RECV V2 member report   from 192.168.99.1    to 224.0.0.2
The IGMP message was from myself. Ignoring.
About to call timeout 11 (#0)
Aging routes in table.

Current routing table (Age active routes):
-----------------------------------------------------
No routes in table...
-----------------------------------------------------
RECV Membership query   from 1.1.1.1         to 224.0.0.1
RECV V2 member report   from 192.168.99.1    to 224.0.0.22
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.3.1     to 224.0.0.251
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.3.1     to 224.0.0.2
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.3.1     to 224.0.0.22
The IGMP message was from myself. Ignoring.

                                            So as you can see, after leaving the stream, it is not receiving any join group anymore (even if I try to join this multicast stream again on my PC).

                                            Because the igmpproxy binary was not changed, I think this is a kernel/pfSense issue with rule/state/filter table between 2.7.0 and 2.7.2,

                                            What do you think about it ?
                                            Thanks

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.