igmpproxy "Permission denied"

mot

Hello,
I'm trying to setup iptv with my connection, everything (inet/iptv) goes over pppoe in vlan 24.
Currently i'm running pfsense 2.4.5-DEVELOPMENT

I decided to create a different new vlan inside my LAN just for the STB

 TRUNK ---> pfsense ----> VLAN60 (192.168.1.1)
      (vlan24-PPPoe)   |---> VLAN61 (192.168.3.1) -> STB (192.168.3.199)

If I capture traffic in the VLAN61 interface I can see the STB igmp packets, but I didn't see any igmp traffic on the wan interface.

In the igmpproxy log I can see the error "sendto to 224.0.0.1 on 192.168.3.1; Errno(13): Permission denied" and I have no idea how to solve this.

I have the igmp rules for LAN and WAN with the 'Allow IP options' option marked.

Any idea?
Thanks.

My igmpproxy.conf contains:

quickleave
phyint vmx1.61 downstream ratelimit 0 threshold 1
altnet 192.168.3.0/24

phyint pppoe0 upstream ratelimit 0 threshold 1
altnet 239.192.0.0/16
altnet 224.0.0.0/4

phyint vmx1.60 disabled
phyint vmx3 disabled
phyint vmx1 disabled
phyint vmx0.24 disabled
phyint vmx0 disabled
phyint ovpns1 disabled

TCDUMP over LAN

#tcpdump -n -i vmx1.61 -vv igmp
tcpdump: listening on vmx1.61, link-type EN10MB (Ethernet), capture size 262144 bytes
19:52:10.565682 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
    192.168.3.199 > 224.0.0.2: igmp leave 239.192.250.109
19:52:10.567915 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
    192.168.3.199 > 239.192.250.59: igmp v2 report 239.192.250.59
19:52:16.869858 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
    192.168.3.199 > 239.192.250.59: igmp v2 report 239.192.250.59
19:52:20.805826 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
    192.168.3.199 > 239.192.250.59: igmp v2 report 239.192.250.59

And the igmpproxy log is:

Searching for config file at '/var/etc/igmpproxy.conf'
Config: Quick leave mode enabled.
Config: Got a phyint token.
Config: IF: Config for interface vmx1.61.
Config: IF: Got downstream token.
Config: IF: Got ratelimit token '0'.
Config: IF: Got threshold token '1'.
Config: IF: Got altnet token 192.168.3.0/24.
Config: IF: Altnet: Parsed altnet to 192.168.3/24.
IF name : vmx1.61
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 2
Allowednet ptr : e26000
Config: Got a phyint token.
Config: IF: Config for interface pppoe0.
Config: IF: Got upstream token.
Config: IF: Got ratelimit token '0'.
Config: IF: Got threshold token '1'.
Config: IF: Got altnet token 239.192.0.0/16.
Config: IF: Altnet: Parsed altnet to 239.192/16.
Config: IF: Got altnet token 224.0.0.0/4.
Config: IF: Altnet: Parsed altnet to 224/4.
IF name : pppoe0
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 1
Allowednet ptr : e26010
Config: Got a phyint token.
Config: IF: Config for interface vmx1.60.
Config: IF: Got disabled token.
IF name : vmx1.60
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 0
Allowednet ptr : 0
Config: Got a phyint token.
Config: IF: Config for interface vmx3.
Config: IF: Got disabled token.
IF name : vmx3
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 0
Allowednet ptr : 0
Config: Got a phyint token.
Config: IF: Config for interface vmx1.
Config: IF: Got disabled token.
IF name : vmx1
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 0
Allowednet ptr : 0
Config: Got a phyint token.
Config: IF: Config for interface vmx0.24.
Config: IF: Got disabled token.
IF name : vmx0.24
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 0
Allowednet ptr : 0
Config: Got a phyint token.
Config: IF: Config for interface vmx0.
Config: IF: Got disabled token.
IF name : vmx0
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 0
Allowednet ptr : 0
Config: Got a phyint token.
Config: IF: Config for interface ovpns1.
Config: IF: Got disabled token.
IF name : ovpns1
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 0
Allowednet ptr : 0
buildIfVc: Interface vmx3 Addr: 192.168.2.1, Flags: 0xffff8843, Network: 192.168.2/24
buildIfVc: Interface lo0 Addr: 127.0.0.1, Flags: 0xffff8049, Network: 127/8
buildIfVc: Interface vmx1.60 Addr: 192.168.1.1, Flags: 0xffff8843, Network: 192.168.1/24
buildIfVc: Interface vmx1.60 Addr: 10.10.10.1, Flags: 0xffff8843, Network: 10.10.10/24
buildIfVc: Interface vmx1.61 Addr: 192.168.3.1, Flags: 0xffff8943, Network: 192.168.3/24
buildIfVc: Interface pppoe0 Addr: 86.61.176.34, Flags: 0xffff89d1, Network: 86.61.176.34/32
buildIfVc: Interface ovpns1 Addr: 172.31.4.1, Flags: 0xffff8051, Network: 172.31.4/24
Found config for vmx3
Found config for vmx1.60
Found config for vmx1.60
Found config for vmx1.61
Found config for pppoe0
Found config for ovpns1
adding VIF, Ix 0 Fl 0x0 IP 0x0103a8c0 vmx1.61, Threshold: 1, Ratelimit: 0
        Network for [vmx1.61] : 192.168.3/24
        Network for [vmx1.61] : 192.168.3/24
Found upstrem IF #0, will assing as upstream Vif 31
adding VIF, Ix 1 Fl 0x0 IP 0x13b03d5f pppoe0, Threshold: 1, Ratelimit: 0
        Network for [pppoe0] : 86.61.176.34/32
        Network for [pppoe0] : 239.192/16
        Network for [pppoe0] : 224/4
Got 262144 byte buffer size in 0 iterations
Joining all-routers group 224.0.0.2 on vif 192.168.3.1
joinMcGroup: 224.0.0.2 on vmx1.61
Joining all igmpv3 multicast routers group 224.0.0.22 on vif 192.168.3.1
joinMcGroup: 224.0.0.22 on vmx1.61
sendto to 224.0.0.1 on 192.168.3.1; Errno(13): Permission denied
SENT Membership query   from 192.168.3.1     to 224.0.0.1
Sent membership query from 192.168.3.1 to 224.0.0.1. Delay: 10
Created timeout 1 (#0) - delay 10 secs
(Id:1, Time:10)
Created timeout 2 (#1) - delay 21 secs
(Id:1, Time:10)
(Id:2, Time:21)
RECV V2 member report   from 192.168.3.1     to 224.0.0.22
The IGMP message was from myself. Ignoring.
RECV Membership query   from 192.168.3.1     to 224.0.0.1
About to call timeout 1 (#0)
Aging routes in table.

Current routing table (Age active routes):
-----------------------------------------------------
No routes in table...
-----------------------------------------------------
RECV V2 member report   from 192.168.3.1     to 224.0.0.22
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.3.1     to 224.0.0.2
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.3.1     to 224.0.0.9
The IGMP message was from myself. Ignoring.
About to call timeout 2 (#0)
sendto to 224.0.0.1 on 192.168.3.1; Errno(13): Permission denied
SENT Membership query   from 192.168.3.1     to 224.0.0.1
Sent membership query from 192.168.3.1 to 224.0.0.1. Delay: 10
Created timeout 3 (#0) - delay 10 secs
(Id:3, Time:10)
Created timeout 4 (#1) - delay 21 secs
(Id:3, Time:10)
(Id:4, Time:21)
RECV Membership query   from 192.168.3.1     to 224.0.0.1
About to call timeout 3 (#0)
Aging routes in table.

Current routing table (Age active routes):
-----------------------------------------------------
No routes in table...
-----------------------------------------------------
About to call timeout 4 (#0)
sendto to 224.0.0.1 on 192.168.3.1; Errno(13): Permission denied
SENT Membership query   from 192.168.3.1     to 224.0.0.1
Sent membership query from 192.168.3.1 to 224.0.0.1. Delay: 10
Created timeout 5 (#0) - delay 10 secs
(Id:5, Time:10)
Created timeout 6 (#1) - delay 115 secs
(Id:5, Time:10)
(Id:6, Time:115)
RECV Membership query   from 192.168.3.1     to 224.0.0.1
RECV Leave message      from 192.168.3.199   to 224.0.0.2
Got leave message from 192.168.3.199 to 239.192.250.109. Starting last member detection.
Created timeout 7 (#1) - delay 0 secs
(Id:5, Time:10)
(Id:7, Time:0)
(Id:6, Time:115)
RECV V2 member report   from 192.168.3.199   to 239.192.250.59
Should insert group 239.192.250.59 (from: 192.168.3.199) to route table. Vif Ix : 0
No existing route for 239.192.250.59. Create new.
No routes in table. Insert at beginning.
Inserted route table entry for 239.192.250.59 on VIF #0
Joining group 239.192.250.59 upstream on IF address 86.61.176.34
joinMcGroup: 239.192.250.59 on pppoe0

Current routing table (Insert Route):
-----------------------------------------------------
#0: Dst: 239.192.250.59, Age:2, St: I, OutVifs: 0x00000001
-----------------------------------------------------
RECV V3 member report   from 86.61.176.34    to 224.0.0.22
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.3.1     to 224.0.0.2
The IGMP message was from myself. Ignoring.
RECV V3 member report   from 86.61.176.34    to 224.0.0.22
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.3.1     to 224.0.0.22
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.3.1     to 224.0.0.9
The IGMP message was from myself. Ignoring.
About to call timeout 5 (#0)
Aging routes in table.

Current routing table (Age active routes):
-----------------------------------------------------
#0: Dst: 239.192.250.59, Age:1, St: I, OutVifs: 0x00000001
-----------------------------------------------------
About to call timeout 7 (#1)
RECV V2 member report   from 192.168.3.199   to 239.192.250.59
Should insert group 239.192.250.59 (from: 192.168.3.199) to route table. Vif Ix : 0
Updated route entry for 239.192.250.59 on VIF #0

Current routing table (Insert Route):
-----------------------------------------------------
#0: Dst: 239.192.250.59, Age:1, St: I, OutVifs: 0x00000001
-----------------------------------------------------
About to call timeout 6 (#0)
sendto to 224.0.0.1 on 192.168.3.1; Errno(13): Permission denied
SENT Membership query   from 192.168.3.1     to 224.0.0.1
Sent membership query from 192.168.3.1 to 224.0.0.1. Delay: 10
Created timeout 8 (#0) - delay 10 secs
(Id:8, Time:10)
Created timeout 9 (#1) - delay 115 secs
(Id:8, Time:10)
(Id:9, Time:115)
RECV Membership query   from 192.168.3.1     to 224.0.0.1