DLNA, IGMP Proxy, VLANs, Subnets... Oh, dear...

nfld_republic

@stephenw10 said in DLNA, IGMP Proxy, VLANs, Subnets... Oh, dear...:

igmpproxy -d -vv /var/etc/igmpproxy.conf

Here's some output... Anyone have any ideas?

igmpproxy -d -vv /var/etc/igmpproxy.conf
Searching for config file at '/var/etc/igmpproxy.conf'
Config: Quick leave mode enabled.
Config: Got a phyint token.
Config: IF: Config for interface igb3.20.
Config: IF: Got upstream token.
Config: IF: Got ratelimit token '0'.
Config: IF: Got threshold token '1'.
Config: IF: Got altnet token 192.168.20.0/24.
Config: IF: Altnet: Parsed altnet to 192.168.20/24.
Config: IF: Got altnet token 224.0.0.0/4.
Config: IF: Altnet: Parsed altnet to 224/4.
IF name : igb3.20
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 1
Allowednet ptr : e25000
Config: Got a phyint token.
Config: IF: Config for interface igb3.30.
Config: IF: Got downstream token.
Config: IF: Got ratelimit token '0'.
Config: IF: Got threshold token '1'.
Config: IF: Got altnet token 192.168.30.0/24.
Config: IF: Altnet: Parsed altnet to 192.168.30/24.
IF name : igb3.30
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 2
Allowednet ptr : e25020
Config: Got a phyint token.
Config: IF: Config for interface igb3.25.
Config: IF: Got downstream token.
Config: IF: Got ratelimit token '0'.
Config: IF: Got threshold token '1'.
Config: IF: Got altnet token 192.168.25.0/24.
Config: IF: Altnet: Parsed altnet to 192.168.25/24.
IF name : igb3.25
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 2
Allowednet ptr : e25030
Config: Got a phyint token.
Config: IF: Config for interface igb1.
Config: IF: Got disabled token.
IF name : igb1
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 0
Allowednet ptr : 0
Config: Got a phyint token.
Config: IF: Config for interface igb3.201.
Config: IF: Got disabled token.
IF name : igb3.201
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 0
Allowednet ptr : 0
Config: Got a phyint token.
Config: IF: Config for interface igb5.
Config: IF: Got disabled token.
IF name : igb5
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 0
Allowednet ptr : 0
Config: Got a phyint token.
Config: IF: Config for interface igb3.100.
Config: IF: Got disabled token.
IF name : igb3.100
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 0
Allowednet ptr : 0
Config: Got a phyint token.
Config: IF: Config for interface igb3.
Config: IF: Got disabled token.
IF name : igb3
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 0
Allowednet ptr : 0
Config: Got a phyint token.
Config: IF: Config for interface igb2.
Config: IF: Got disabled token.
IF name : igb2
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 0
Allowednet ptr : 0
buildIfVc: Interface igb1 Addr: 156.57.107.225, Flags: 0xffff8943, Network: 156.57.104/22
buildIfVc: Interface igb2 Addr: 10.100.101.254, Flags: 0xffff8843, Network: 10.100.101/24
buildIfVc: Interface igb3 Addr: 10.100.200.254, Flags: 0xffff8943, Network: 10.100.200/24
buildIfVc: Interface igb5 Addr: 192.168.10.254, Flags: 0xffff8943, Network: 192.168.10/24
buildIfVc: Interface lo0 Addr: 127.0.0.1, Flags: 0xffff8049, Network: 127/8
buildIfVc: Interface igb3.30 Addr: 192.168.30.254, Flags: 0xffff8943, Network: 192.168.30/24
buildIfVc: Interface igb3.100 Addr: 192.168.100.254, Flags: 0xffff8943, Network: 192.168.100/24
buildIfVc: Interface igb3.25 Addr: 192.168.25.254, Flags: 0xffff8943, Network: 192.168.25/24
buildIfVc: Interface igb3.20 Addr: 192.168.20.254, Flags: 0xffff8943, Network: 192.168.20/24
buildIfVc: Interface igb3.201 Addr: 10.100.201.254, Flags: 0xffff8943, Network: 10.100.201/24
buildIfVc: Interface ovpns1 Addr: 192.168.99.1, Flags: 0xffff8051, Network: 192.168.99/24
buildIfVc: Interface ovpns2 Addr: 172.16.1.1, Flags: 0xffff8051, Network: 172.16.1/24
Found config for igb1
Found config for igb2
Found config for igb3
Found config for igb5
Found config for igb3.30
Found config for igb3.100
Found config for igb3.25
Found config for igb3.20
Found config for igb3.201
adding VIF, Ix 0 Fl 0x0 IP 0xfe1ea8c0 igb3.30, Threshold: 1, Ratelimit: 0
        Network for [igb3.30] : 192.168.30/24
        Network for [igb3.30] : 192.168.30/24
adding VIF, Ix 1 Fl 0x0 IP 0xfe19a8c0 igb3.25, Threshold: 1, Ratelimit: 0
        Network for [igb3.25] : 192.168.25/24
        Network for [igb3.25] : 192.168.25/24
Found upstrem IF #0, will assing as upstream Vif 32
adding VIF, Ix 2 Fl 0x0 IP 0xfe14a8c0 igb3.20, Threshold: 1, Ratelimit: 0
        Network for [igb3.20] : 192.168.20/24
        Network for [igb3.20] : 192.168.20/24
        Network for [igb3.20] : 224/4
Got 262144 byte buffer size in 0 iterations
Joining all-routers group 224.0.0.2 on vif 192.168.30.254
joinMcGroup: 224.0.0.2 on igb3.30
Joining all igmpv3 multicast routers group 224.0.0.22 on vif 192.168.30.254
joinMcGroup: 224.0.0.22 on igb3.30
Joining all-routers group 224.0.0.2 on vif 192.168.25.254
joinMcGroup: 224.0.0.2 on igb3.25
Joining all igmpv3 multicast routers group 224.0.0.22 on vif 192.168.25.254
joinMcGroup: 224.0.0.22 on igb3.25
SENT Membership query   from 192.168.30.254  to 224.0.0.1
Sent membership query from 192.168.30.254 to 224.0.0.1. Delay: 10
SENT Membership query   from 192.168.25.254  to 224.0.0.1
Sent membership query from 192.168.25.254 to 224.0.0.1. Delay: 10
Created timeout 1 (#0) - delay 10 secs
(Id:1, Time:10) 
Created timeout 2 (#1) - delay 21 secs
(Id:1, Time:10) 
(Id:2, Time:21) 
RECV Membership query   from 192.168.30.254  to 224.0.0.1
RECV Membership query   from 192.168.25.254  to 224.0.0.1
RECV V2 member report   from 192.168.25.240  to 224.0.1.60
Should insert group 224.0.1.60 (from: 192.168.25.240) to route table. Vif Ix : 1
No existing route for 224.0.1.60. Create new.
No routes in table. Insert at beginning.
Inserted route table entry for 224.0.1.60 on VIF #1
Joining group 224.0.1.60 upstream on IF address 192.168.20.254
joinMcGroup: 224.0.1.60 on igb3.20

Current routing table (Insert Route):
-----------------------------------------------------
#0: Dst: 224.0.1.60, Age:2, St: I, OutVifs: 0x00000002
-----------------------------------------------------
RECV V2 member report   from 192.168.25.254  to 224.0.0.2
The IGMP message was from myself. Ignoring.
The IGMP message was local multicast. Ignoring.
RECV V2 member report   from 192.168.25.240  to 224.0.1.1
Should insert group 224.0.1.1 (from: 192.168.25.240) to route table. Vif Ix : 1
No existing route for 224.0.1.1. Create new.
Found existing routes. Find insert location.
Inserting at beginning, before route 224.0.1.60
Inserted route table entry for 224.0.1.1 on VIF #1
Joining group 224.0.1.1 upstream on IF address 192.168.20.254
joinMcGroup: 224.0.1.1 on igb3.20

Current routing table (Insert Route):
-----------------------------------------------------
#0: Dst: 224.0.1.1, Age:2, St: I, OutVifs: 0x00000002
#1: Dst: 224.0.1.60, Age:2, St: I, OutVifs: 0x00000002
-----------------------------------------------------
The IGMP message was local multicast. Ignoring.
RECV V2 member report   from 192.168.25.254  to 224.0.0.22
The IGMP message was from myself. Ignoring.
The IGMP message was local multicast. Ignoring.
RECV V2 member report   from 192.168.30.4    to 239.2.0.252
Should insert group 239.2.0.252 (from: 192.168.30.4) to route table. Vif Ix : 0
No existing route for 239.2.0.252. Create new.
Found existing routes. Find insert location.
Inserting after route 224.0.1.60
Inserted route table entry for 239.2.0.252 on VIF #0
Joining group 239.2.0.252 upstream on IF address 192.168.20.254
joinMcGroup: 239.2.0.252 on igb3.20

Current routing table (Insert Route):
-----------------------------------------------------
#0: Dst: 224.0.1.1, Age:2, St: I, OutVifs: 0x00000002
#1: Dst: 224.0.1.60, Age:2, St: I, OutVifs: 0x00000002
#2: Dst: 239.2.0.252, Age:2, St: I, OutVifs: 0x00000001
-----------------------------------------------------
RECV V2 member report   from 192.168.30.254  to 224.0.0.22
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.30.254  to 224.0.0.2
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.25.205  to 239.0.0.250
Should insert group 239.0.0.250 (from: 192.168.25.205) to route table. Vif Ix : 1
No existing route for 239.0.0.250. Create new.
Found existing routes. Find insert location.
Inserting after route 224.0.1.60
Inserted route table entry for 239.0.0.250 on VIF #1
Joining group 239.0.0.250 upstream on IF address 192.168.20.254
joinMcGroup: 239.0.0.250 on igb3.20

Current routing table (Insert Route):
-----------------------------------------------------
#0: Dst: 224.0.1.1, Age:2, St: I, OutVifs: 0x00000002
#1: Dst: 224.0.1.60, Age:2, St: I, OutVifs: 0x00000002
#2: Dst: 239.0.0.250, Age:2, St: I, OutVifs: 0x00000002
#3: Dst: 239.2.0.252, Age:2, St: I, OutVifs: 0x00000001
-----------------------------------------------------
About to call timeout 1 (#0)
Aging routes in table.

Current routing table (Age active routes):
-----------------------------------------------------
#0: Dst: 224.0.1.1, Age:1, St: I, OutVifs: 0x00000002
#1: Dst: 224.0.1.60, Age:1, St: I, OutVifs: 0x00000002
#2: Dst: 239.0.0.250, Age:1, St: I, OutVifs: 0x00000002
#3: Dst: 239.2.0.252, Age:1, St: I, OutVifs: 0x00000001
-----------------------------------------------------
About to call timeout 2 (#0)
SENT Membership query   from 192.168.30.254  to 224.0.0.1
Sent membership query from 192.168.30.254 to 224.0.0.1. Delay: 10
SENT Membership query   from 192.168.25.254  to 224.0.0.1
Sent membership query from 192.168.25.254 to 224.0.0.1. Delay: 10
Created timeout 3 (#0) - delay 10 secs
(Id:3, Time:10) 
Created timeout 4 (#1) - delay 21 secs
(Id:3, Time:10) 
(Id:4, Time:21) 
RECV Membership query   from 192.168.30.254  to 224.0.0.1
RECV Membership query   from 192.168.25.254  to 224.0.0.1
The IGMP message was local multicast. Ignoring.
The IGMP message was local multicast. Ignoring.
RECV V2 member report   from 192.168.25.240  to 224.0.1.1
Should insert group 224.0.1.1 (from: 192.168.25.240) to route table. Vif Ix : 1
Updated route entry for 224.0.1.1 on VIF #1

Current routing table (Insert Route):
-----------------------------------------------------
#0: Dst: 224.0.1.1, Age:1, St: I, OutVifs: 0x00000002
#1: Dst: 224.0.1.60, Age:1, St: I, OutVifs: 0x00000002
#2: Dst: 239.0.0.250, Age:1, St: I, OutVifs: 0x00000002
#3: Dst: 239.2.0.252, Age:1, St: I, OutVifs: 0x00000001
-----------------------------------------------------
RECV V2 member report   from 192.168.30.254  to 224.0.0.2
The IGMP message was from myself. Ignoring.
The IGMP message was local multicast. Ignoring.
The IGMP message was local multicast. Ignoring.
RECV V2 member report   from 192.168.25.205  to 239.0.0.250
Should insert group 239.0.0.250 (from: 192.168.25.205) to route table. Vif Ix : 1
Updated route entry for 239.0.0.250 on VIF #1

Current routing table (Insert Route):
-----------------------------------------------------
#0: Dst: 224.0.1.1, Age:1, St: I, OutVifs: 0x00000002
#1: Dst: 224.0.1.60, Age:1, St: I, OutVifs: 0x00000002
#2: Dst: 239.0.0.250, Age:1, St: I, OutVifs: 0x00000002
#3: Dst: 239.2.0.252, Age:1, St: I, OutVifs: 0x00000001
-----------------------------------------------------
The IGMP message was local multicast. Ignoring.
RECV V2 member report   from 192.168.25.240  to 224.0.1.60
Should insert group 224.0.1.60 (from: 192.168.25.240) to route table. Vif Ix : 1
Updated route entry for 224.0.1.60 on VIF #1

Current routing table (Insert Route):
-----------------------------------------------------
#0: Dst: 224.0.1.1, Age:1, St: I, OutVifs: 0x00000002
#1: Dst: 224.0.1.60, Age:1, St: I, OutVifs: 0x00000002
#2: Dst: 239.0.0.250, Age:1, St: I, OutVifs: 0x00000002
#3: Dst: 239.2.0.252, Age:1, St: I, OutVifs: 0x00000001
-----------------------------------------------------
The IGMP message was local multicast. Ignoring.
RECV V2 member report   from 192.168.25.254  to 224.0.0.22
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.25.254  to 224.0.0.2
The IGMP message was from myself. Ignoring.
The IGMP message was local multicast. Ignoring.
RECV V2 member report   from 192.168.30.254  to 224.0.0.22
The IGMP message was from myself. Ignoring.
About to call timeout 3 (#0)
Aging routes in table.
Removing group 239.2.0.252. Died of old age.
Removed route entry for 239.2.0.252 from table.
Leaving group 239.2.0.252 upstream on IF address 192.168.20.254
leaveMcGroup: 239.2.0.252 on igb3.20

Current routing table (Remove route):
-----------------------------------------------------
#0: Dst: 224.0.1.1, Age:2, St: I, OutVifs: 0x00000002
#1: Dst: 224.0.1.60, Age:2, St: I, OutVifs: 0x00000002
#2: Dst: 239.0.0.250, Age:2, St: I, OutVifs: 0x00000002
-----------------------------------------------------

Current routing table (Age active routes):
-----------------------------------------------------
#0: Dst: 224.0.1.1, Age:2, St: I, OutVifs: 0x00000002
#1: Dst: 224.0.1.60, Age:2, St: I, OutVifs: 0x00000002
#2: Dst: 239.0.0.250, Age:2, St: I, OutVifs: 0x00000002
-----------------------------------------------------
About to call timeout 4 (#0)
SENT Membership query   from 192.168.30.254  to 224.0.0.1
Sent membership query from 192.168.30.254 to 224.0.0.1. Delay: 10
SENT Membership query   from 192.168.25.254  to 224.0.0.1
Sent membership query from 192.168.25.254 to 224.0.0.1. Delay: 10
Created timeout 5 (#0) - delay 10 secs
(Id:5, Time:10) 
Created timeout 6 (#1) - delay 115 secs
(Id:5, Time:10) 
(Id:6, Time:115) 
RECV Membership query   from 192.168.30.254  to 224.0.0.1
RECV Membership query   from 192.168.25.254  to 224.0.0.1
RECV V2 member report   from 192.168.25.240  to 224.0.1.60
Should insert group 224.0.1.60 (from: 192.168.25.240) to route table. Vif Ix : 1
Updated route entry for 224.0.1.60 on VIF #1

Current routing table (Insert Route):
-----------------------------------------------------
#0: Dst: 224.0.1.1, Age:2, St: I, OutVifs: 0x00000002
#1: Dst: 224.0.1.60, Age:2, St: I, OutVifs: 0x00000002
#2: Dst: 239.0.0.250, Age:2, St: I, OutVifs: 0x00000002
-----------------------------------------------------
RECV V2 member report   from 192.168.30.254  to 224.0.0.22
The IGMP message was from myself. Ignoring.
The IGMP message was local multicast. Ignoring.
RECV V2 member report   from 192.168.25.254  to 224.0.0.2
The IGMP message was from myself. Ignoring.
The IGMP message was local multicast. Ignoring.
The IGMP message was local multicast. Ignoring.
The IGMP message was local multicast. Ignoring.
RECV V2 member report   from 192.168.30.254  to 224.0.0.2
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.25.254  to 224.0.0.22
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.25.205  to 239.0.0.250
Should insert group 239.0.0.250 (from: 192.168.25.205) to route table. Vif Ix : 1
Updated route entry for 239.0.0.250 on VIF #1

Current routing table (Insert Route):
-----------------------------------------------------
#0: Dst: 224.0.1.1, Age:2, St: I, OutVifs: 0x00000002
#1: Dst: 224.0.1.60, Age:2, St: I, OutVifs: 0x00000002
#2: Dst: 239.0.0.250, Age:2, St: I, OutVifs: 0x00000002
-----------------------------------------------------
RECV V2 member report   from 192.168.25.240  to 224.0.1.1
Should insert group 224.0.1.1 (from: 192.168.25.240) to route table. Vif Ix : 1
Updated route entry for 224.0.1.1 on VIF #1

Current routing table (Insert Route):
-----------------------------------------------------
#0: Dst: 224.0.1.1, Age:2, St: I, OutVifs: 0x00000002
#1: Dst: 224.0.1.60, Age:2, St: I, OutVifs: 0x00000002
#2: Dst: 239.0.0.250, Age:2, St: I, OutVifs: 0x00000002
-----------------------------------------------------
About to call timeout 5 (#0)
Aging routes in table.

Current routing table (Age active routes):
-----------------------------------------------------
#0: Dst: 224.0.1.1, Age:2, St: I, OutVifs: 0x00000002
#1: Dst: 224.0.1.60, Age:2, St: I, OutVifs: 0x00000002
#2: Dst: 239.0.0.250, Age:2, St: I, OutVifs: 0x00000002
-----------------------------------------------------
^Cselect() failure; Errno(4): Interrupted system call
Got a interrupt signal. Exiting.
clean handler called
Removing route entry for 224.0.1.1
Leaving group 224.0.1.1 upstream on IF address 192.168.20.254
leaveMcGroup: 224.0.1.1 on igb3.20
Removing route entry for 224.0.1.60
Leaving group 224.0.1.60 upstream on IF address 192.168.20.254
leaveMcGroup: 224.0.1.60 on igb3.20
Removing route entry for 239.0.0.250
Leaving group 239.0.0.250 upstream on IF address 192.168.20.254
leaveMcGroup: 239.0.0.250 on igb3.20
All routes removed. Routing table is empty.
Shutdown complete....

stephenw10

Well it looks to be working at least some-what as expected.

Do those IPs on the downstream interfaces look correct? 25.240, 30.4, 25.205?

I assume pfSense is using .254 on each interface?

What I don't see there is any traffic from 20.252 but this is not something I look into very often.

Do you see any blocked traffic on vlan 20?

Steve

nfld_republic

@stephenw10 Thanks for the response.

• Downstream interfaces are correct.
• Nodes are corrects (trusted wired (LG TV) and trusted wireless (Roku) clients - although another one is an HP OfficeJet Pro )
• Not actually seeing MediaHouse (Android, TrustedWiFi) or VLC (Ubuntu, VLC Player) clients, though
• Interface gateways are correct
• Not seeing any blocked traffic on VLAN 20 for the media server (20.252) (all accepted)

May 25 21:20:44	SERVERS20	192.168.20.252:41914	239.255.255.250:1900	UDP
May 25 21:20:44	SERVERS20	192.168.20.252:1900	239.255.255.250:1900	UDP
May 25 21:20:22	SERVERS20	192.168.20.252:137	192.168.20.255:137	UDP
May 25 21:19:44	SERVERS20	192.168.20.252:41914	239.255.255.250:1900	UDP

stephenw10

That's what you see blocked on vlan 20?

I'd try doing a packet capture on vlan 20. Check what igmp traffic is there in either direction.

Steve

nfld_republic

@stephenw10 I am seeing these as being accepted (green check mark); not blocked...

stephenw10

Hmm, OK. Check igmp traffic in a packet capture on vlan 20 then.

Or at least check igmp states on vlan 20.

Steve

nfld_republic

@stephenw10 Hi Steve - Now I am really getting out of my depth (jack of all trades... master of none ).
I did a promiscuous packet capture on VLAN 20 searching only for the media server (20.252) and over the course of about 5 minutes I only saw 4 multicast announcement from the media server. They were Apple Airplay.

nfld_republic

I also increased the TTL on each of the IGMP interfaces to 4. I did not see any change.

nfld_republic

Here's the relevant (I think) part of the capture:

stephenw10

Rather than filter by the server IP I would leave that empty and filter by protocol 'igmp'. We want to be sure the proxy is sending something at least when clients on the downstream side try to find services.

Steve

nfld_republic

@stephenw10 Thanks - here is the VLAN 20 IGMP filter:

stephenw10

Hmm, yeah this is outside what I usually do too.

Was there a client on one of the downstream interfaces trying to connect whilst that was happening?

You might have to use pimd instead. Plenty of others have tried and failed to make this work it seems:
https://forum.netgate.com/post/814716

Steve

nfld_republic

@stephenw10 Hi Steve - two clients on VLAN 25 and 2 on VLAN 30. None of them can find the media server. I tried pimd before (no luck) but I think that you are right - pimd may be a solution.

I wonder if the issue with IGMP proxy being broken since 2.4...

nfld_republic

And...
pimd works!
Now, all we need is a proper pfSense pimd package an interface.

A reminder to anyone else using this:

1. you need to back your pimd.conf file up as any updates will removed pimd and the configuration.
2. you will need to manually configuration pimd.conf and select your interfaces/VLANs appropriately. (obvious but worth stating )
3. make sure you disable IGMP Proxy - they cannot co-exist.

And a big thank you for everyone's input. GREAT FORUM!

stephenw10

Nice! What config did it require?
I doubt it be that difficult. Probably time to open a feature request if it does not already exist: https://redmine.pfsense.org

Steve

nfld_republic

@stephenw10 Not much of a configuration:

# phyint igb0 disable - commented out as not configured
phyint igb1 disable
phyint igb2 disable
phyint igb3 disable
# phyint igb4 disable - commented out as not configured
phyint igb5 disable
phyint igb3.30 enable
phyint igb3.100 disable
phyint igb3.25 enable
phyint igb3.20 enable
phyint igb3.201 disable
phyint ovpns1 disable
phyint ovpns2 disable

# bsr-candidate igb3.20
bsr-candidate priority 5
rp-candidate time 30 priority 20
group-prefix 224.0.0.0 masklen 4
spt-threshold packets 0 interval 100

I likely will have to manually restart pimd restart (not a big deal since the firewall won't be restarting often).

stephenw10

You can start it at boot with a shellcmd easily enough:
https://docs.netgate.com/pfsense/en/latest/development/executing-commands-at-boot-time.html

Yeah a gui page to select interfaces and set those options should not be hard. All the code exists in other packages.

Steve

nfld_republic

@stephenw10 Added pimd be added to redmine.