IGMP Proxy - Not working with VLANs (bug:6099). What are my options?



  • Modem (fiber) -> 4 NIC pfSense box

    NIC-1: Internet
    NIC-2: UniFi AC AP
    VLAN: 100 - PRIVATE  – My private devices - phone, laptop, NAS, MediaPC, etc.
    VLAN: 200 - SHARE -- Printer, SONOS, Chromecast.
    VLAN: 300 - GUEST -- Guest phones, laptops etc.
    NIC-3: LAN -> SWITCH
    NIC-4: NOT_IN_USE

    SUBNETS:
    VLAN 100: 192.168.1.0/24 (BRIDGED LAN with PRIVATE)
    VLAN 200: 192.168.2.0/24
    VLAN 300: 192.168.3.0/24

    I want to connect:
    VLAN 100 with VLAN 200
    VLAN 300 with VLAN 200

    With this system both myself and guests can access shared devices while keeping my devices private.

    I can access the printer via the IP (no problem), but I need multicasting so it's found automatically. I also need this feature for the SONOS and Chromecast. Is there any workaround that I can use now that IGMP is not working with the newest release of pfSense? Any ETA on this fix?

    Thanks guys!



  • There is still hope.

    https://redmine.pfsense.org/issues/6099#note-85
    https://github.com/pfsense/FreeBSD-ports/pull/182

    I've tracked the problem and did some changes that will aid on this.
    Now hoping the developers accept the patches I submitted, place them in the trees and issue brand new snapshots for wide testing.



  • I have been updating that bug report daily and I saw your fixes (not that I know the technical bits) but it sounded very promising!

    Thanks a lot Jorge! :)



  • Thanks for your feedback. If you want, you can try the compiled binary on your system:
    https://redmine.pfsense.org/issues/6099#note-87

    The zip file includes 3 folders with igmproxy for:
    bsd10.3_amd64: pfSense 2.3-amd64
    bsd10.3_i386: pfSense 2.3-i386
    bsd11.0_amd64: pfSense 2.4-amd64 (alpha)

    Back up the original "/usr/local/sbin/igmpproxy" somewhere and place the new one in that location.

    Example:

    1. Stop igmpproxy service using WebGUI services management
    2. Go to "Diagnostics > Command Prompt"
    3. Upload igmproxy_all.zip (a little typo only one 'p' lol) using the upload form (uploading the igmpproxy elf doesn't work due to suhosin)
    4. Then run on command line (shell):
    mv /usr/local/sbin/igmpproxy /usr/local/sbin/igmpproxy.bak
    
    cd /tmp && unzip /tmp/igmproxy_all.zip
    cp /tmp/__folder__/igmpproxy /usr/local/sbin/igmpproxy
    
    chmod +x /usr/local/sbin/igmpproxy
    chmod -w /usr/local/sbin/igmpproxy
    

    __folder__ can be bsd10.3_amd64 or another, depending on the installed version; replace it in the command.

    5. (Re)start igmpproxy service

    Procedure in this way is only slightly tested as I usually use ssh ftp to upload the file.
    Always have a config backup at hand from 2.2.6 just in case you want to revert and reinstall old version.

    Good luck!

    [Message edited to fix bad syntax in commands and fix uploading of igmpproxy zip]
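
Added example, not part of the original post or the patch author's instructions: the replacement steps above as a shell function that checks the binary's SHA-256 before swapping it in and keeps a backup for rollback. The function names and the expected digest are assumptions; the thread publishes no checksum, so the value in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): verify a downloaded igmpproxy build
# before it replaces the installed binary, keeping a backup for rollback.

# Print the SHA-256 of a file using whichever tool the system provides
# (sha256 on FreeBSD/pfSense, sha256sum on Linux).
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        sha256sum "$1" | cut -d ' ' -f 1
    fi
}

# install_verified NEW_BINARY DEST EXPECTED_SHA256
# Returns 0 after a verified install, 1 on a digest mismatch (DEST untouched).
install_verified() {
    new=$1 dest=$2 expected=$3
    [ -f "$new" ] || { echo "missing: $new" >&2; return 1; }
    actual=$(file_sha256 "$new") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $new: got $actual" >&2
        return 1
    fi
    # Keep the original once; do not overwrite an earlier backup on re-runs.
    if [ -f "$dest" ] && [ ! -e "$dest.bak" ]; then
        cp -p "$dest" "$dest.bak" || return 1
    fi
    # Copy to a temporary name, then rename, so DEST is never half-written.
    cp "$new" "$dest.new" && chmod 0555 "$dest.new" && mv -f "$dest.new" "$dest"
}

# Usage on the firewall (EXPECTED is a placeholder; obtain the real digest
# from the person who built the binary, over a separate channel):
# EXPECTED=<sha256-published-by-the-builder>
# install_verified /tmp/bsd10.3_amd64/igmpproxy /usr/local/sbin/igmpproxy "$EXPECTED"
```

Stop the igmpproxy service before calling the function and restart it afterwards, as in the steps above; to roll back, copy `igmpproxy.bak` over the installed file.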



  • I have now uploaded igmpproxy_20160905_1818.zip containing a small tweak I consider important to improve subnet logic.

    It also contains a few more files such as a gzip'ed version of igmpproxy that can be uploaded via Diagnostics > Command Prompt, then decompressed and moved to the appropriate place.

    Testers are welcome.

    Thanks :)



  • @JorgeOliveira:

    I have now uploaded igmpproxy_20160905_1818.zip containing a small tweak I consider important to improve subnet logic.

    It also contains a few more files such as a gzip'ed version of igmpproxy that can be uploaded via Diagnostics > Command Prompt, then decompressed and moved to the appropriate place.

    Testers are welcome.

    Thanks :)

    Thanks for the clear instructions (that someone without much FreeBSD knowledge needs)! I will have to try that later today hopefully (as I can't run my new pfSense system before this is fixed anyways) :)



  • Unfortunately that didn't work :(

    Still getting: The source address 192.168.3.100 for group 239.255.255.250, is not in any valid net for upstream VIF.

    When I am searching for my Sonos via the AirAudio app. 192.168.3.100 is the IP of my phone.

    This is how the config looks:

    LAN downstream 192.168.1.1/24
    WAN upstream 192.168.3.1/24, 192.168.1.1/24, 192.168.2.1/24
    SHARED downstream 192.168.2.1/24
    GUEST downstream 192.168.3.1/24

    Does that look correct?

    I am connected to the GUEST network with my phone and want multicasting from my SONOS and Printer (on the SHARED network).

    Firewall rules are applied to accept IP packages.



  • Downgraded to 2.2.6 and IGMP is working great. Guess I'll stay on this release until this bug is fixed :)



  • Another approach would be perhaps to offload IGMP/multicast from pfSense, and use a small switch which supports VLANs and IGMP Snooping, like TL-SG105E:
    http://www.tp-link.com/en/faq-1125.html
    The switch itself routes multicast traffic directly by hardware between the configured VLANs - which is far better than relying on a binary in pfSense.
    TL-SG105E is a 5-port gigabit, manageable switch that has a very reasonable price, just make sure you get the V2 hardware model.
    There are also 8-port and more ports models, just check TP-Link's site.



  • @robi:

    Another approach would be perhaps to offload IGMP/multicast from pfSense, and use a small switch which supports VLANs and IGMP Snooping, like TL-SG105E:
    http://www.tp-link.com/en/faq-1125.html
    The switch itself routes multicast traffic directly by hardware between the configured VLANs - which is far better than relying on a binary in pfSense.
    TL-SG105E is a 5-port gigabit, manageable switch that has a very reasonable price, just make sure you get the V2 hardware model.
    There are also 8-port and more ports models, just check TP-Link's site.

    Thanks - I actually have the 8 port version :)



  • As it is now my switch (TP-8port) is just on its default setting: VLAN 1. The TP is connected to the LAN (NIC 2) interface on pfSense box.
    NIC 1 is WAN
    NIC 3 is Unifi AP connected with VLAN 100 (Private WLAN), VLAN 200 (Shared WLAN), VLAN 300 (Guest VLAN).

    Would I be able to set the switch up to do IGMP across VLANS like my current setup as in VLAN100,200,300 talk together when doing IGMP on the switch?

    Thanks mate!

    Well, as a first step I would configure all VLANs in the switch too. Just add 100,200,300 as VLANs in the switch.
    Designate two ports (say port 7 and port8) to have all three VLANs tagged.
    Designate first one port (say port 6) to be in VLAN 100 untagged, and set PVID also 100.
    In the switch's IP settings, where you set the IP address of the switch, set management VLAN to 100.
    Now unplug your UniFi from pfSense, and plug it in port 7 of the switch.
    Also connect port 8 of the switch to where UniFi was on pfSense. Unplug the switch from NIC3 of pfSense, you won't need that anymore (and you won't need the bridge in pfSense either).
    You can now access the switch through UniFi through VLAN100 directly, not around through the bridge!
    You can now safely set the rest of the ports in the switch to any vlans, say VLAN 100 untagged (and PVID 100 too!).

    From here on, proceed with Multicast configuration as described in the FAQ section I linked above.