Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Poor performance on pfSense Proxmox VM - IPTV loosing connection

    Scheduled Pinned Locked Moved General pfSense Questions
    10 Posts 2 Posters 1.8k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • G
      gelcom
      last edited by gelcom

      Hi all,

      I have a dedicated pfSense firewall and everything is running perfect. It's a home use.

      I use pfSense to feed a few IPTV boxes I have

      As I don't want to deal with IGMP proxies and DHCP leases on IPTV network I setup a pfSense bridge with 3 ports assigned:

      TV_Bridge consists of:
      TV_IN : this is where I connect the cable from IPTV modem
      TV_HALL: output to a switch on the first floor
      TV_DEISE: output to a switch on the second floor

      As I want to have packet filter on bridge interface and not at member interface I set System/Advanced/System Tunables:
      Packet filter on the member interface = 0
      Packet filter on the bridge interface = 1

      Then I assigned TV_Bridge to an interface with:
      IPv4 Configuration Type = none
      IPv6 Configuration Type = none
      Block private networks and loopback addresses = not checked
      Block bogon networks = not checked

      Then I created I pass all rule on TV_Bridge as follows:
      Protocol: IPV4+IPV6
      Source: *
      Port: *
      Destination: *
      Port: *
      Gateway: *
      Queue: none
      Allow IP options: checked

      It's working perfect.

      Then I decided to migrate this server to a Proxmox VM.

      I moved the same Intel i350 4 port NIC I use at pfSense dedicated machine to Proxmox server and created one bridge for each port. They are all virtio bridges with firewall option off.

      Then I assigned these bridges to pfSense machine.

      Then I imported pfSense configuration to the VM and updated NIC names.

      Hardware Checksum Offloading, Hardware TCP Segmentation Offloading and Hardware Large Receive Offloading are all checked on System/Advanced/Networking tab.

      I have IPTV connectivity on all TVs but images are shown for 5-10 seconds then connection is lost. Then image comes back again and after another 5-10 seconds freezes again...

      I have no idea on how to debug that.

      My CPU is a Epyc 7742 with "host" type to VM

      I assigned 8 vCPUs with 8GB of RAM. Proxmox shows 2% CPU usage.

      Any help is appreciated.

      kind regards

      1 Reply Last reply Reply Quote 0
      • stephenw10S
        stephenw10 Netgate Administrator
        last edited by

        Mmm, that sounds like a multicast issue.

        Can you pcap on the interfaces and see what happens when the stream stops?

        I assume you're not seeing anything logged as blocked?

        Other traffic passes OK?

        Steve

        G 1 Reply Last reply Reply Quote 0
        • G
          gelcom @stephenw10
          last edited by

          @stephenw10 said in Poor performance on pfSense Proxmox VM - IPTV loosing connection:

          I assume you're not seeing anything logged as blocked?

          Other traffic passes OK?

          no traffic being blocked
          all other traffic seems ok

          @stephenw10 said in Poor performance on pfSense Proxmox VM - IPTV loosing connection:

          Can you pcap on the interfaces and see what happens when the stream stops?

          This is what pcap shows:

          11:48:41.630324 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.630499 IP 192.168.15.254.1847 > 172.29.132.137.47806: UDP, length 134
11:48:41.631310 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.633304 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.633384 IP 172.29.132.137.47806 > 192.168.15.254.1847: UDP, length 65
11:48:41.634290 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.636289 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.637338 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.640281 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.641258 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.653177 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.653369 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.653605 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.653778 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.653954 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1332
11:48:41.653962 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.654126 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.659235 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.661284 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.663304 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.663473 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.665263 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.667317 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.667485 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.669300 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.671288 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.671460 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.673272 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.675403 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.675408 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.677279 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.679255 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.679430 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.679436 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.681275 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.683272 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.684314 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.685265 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.687319 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.688329 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.691332 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.692293 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.694292 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.695315 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1332
11:48:41.697302 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.698317 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.699292 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.701300 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.703294 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.705283 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.706260 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.708395 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.709274 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.710309 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.712336 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.713331 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.715302 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.717283 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.717469 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.719347 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.720276 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1332
11:48:41.721299 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.723311 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.726331 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.727294 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.728338 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.730316 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.731311 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.734306 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.735294 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.737292 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.738291 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1332
11:48:41.739329 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.741290 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.742307 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1332
11:48:41.744290 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.745317 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.745489 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.746305 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.748305 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.749334 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.751344 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.752340 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.753290 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.755289 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.756302 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.757430 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.760558 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.762345 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.763343 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.764288 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.766324 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.767412 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.769313 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.770355 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.771372 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.774312 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.775302 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.777340 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328
11:48:41.778312 IP 172.24.98.63.47811 > 239.192.0.25.3001: UDP, length 1328

          Packet Capture files: pcap.zip

          1 Reply Last reply Reply Quote 0
          • stephenw10S
            stephenw10 Netgate Administrator
            last edited by

            Going to need to see more than 100 packets there I think, that only covers 0.15s.
            We need to see the stream stop and what, if anything, happens at that point.

            G 1 Reply Last reply Reply Quote 0
            • G
              gelcom @stephenw10
              last edited by gelcom

              @stephenw10 said in Poor performance on pfSense Proxmox VM - IPTV loosing connection:

              Going to need to see more than 100 packets there I think, that only covers 0.15s.

              Sorry for the NOOB mistake...

              Pls find larger pcap files:
              pcap TV_Bridge
              pcap TV_Hall

              kind regards

              1 Reply Last reply Reply Quote 0
              • stephenw10S
                stephenw10 Netgate Administrator
                last edited by stephenw10

                Ok so in both pcap there appears to be two multicast streams 239.192.0.79 and 239.192.0.167.

                The Hall pcap shows more but both show devices leaving the .79 multicast group deliberately:

                No.	Time		Source		Destination	Proto	TTL	Length	Info	Time difference	VLAN	Response time	New Column
11519	8.943599	192.168.15.254	224.0.0.2	IGMPv2	1	60	Leave Group 239.192.0.79	0.000034			11519
11337	8.809562	192.168.15.1	239.192.0.79	IGMPv2	1	60	Membership Query, specific for group 239.192.0.79	0.000269			11337
11323	8.799550	192.168.15.250	224.0.0.2	IGMPv2	1	60	Leave Group 239.192.0.79	0.000284			11323
11541	8.959324	192.168.15.1	239.192.0.79	IGMPv2	1	60	Membership Query, specific for group 239.192.0.79	0.000034			11541
15191	13.088562	192.168.15.1	224.0.0.1	IGMPv2	1	60	Membership Query, general	0.000854			15191

                Are those devices what you're seeing the issue with?

                Hard to see what pfSense or Proxmox could be doing there. It's possible there's some traffic that never gets to pfSense inside Proxmox at all. It would not appear in either pcap if that's the case.

                I'll admit multicast always seems somewhat like blackmagic to me. 😉

                Steve

                G 1 Reply Last reply Reply Quote 0
                • G
                  gelcom @stephenw10
                  last edited by gelcom

                  @stephenw10 said in Poor performance on pfSense Proxmox VM - IPTV loosing connection:

                  Are those devices what you're seeing the issue with?

                  IPs 192.168.15.250 and 192.168.15.254 are IPTV client boxes conected to TVs. All of them are getting this problem.

                  IP 192.168.15.1 is ISP Modem where TV_In is connected to.

                  I know nothing about IGMP but I assume IPs 239.192.0.79 and 239.192.0.167 are IGMP servers where streams come from.

                  The problem is that this same config and same hardware is working 100% on pfSense dedicated machine. Something with pfSense virtualized is causing the issue and I can't trace what it is...

                  The most strange thing is that video works for a few seconds, then drops, then works again for a few seconds and so on.

                  Maybe performance issues on virtual NICs or proxmox virtual bridges? Is it possible to troubleshoot that in any way?

                  still trying to debug where the problem is...

                  kind regards

                  stephenw10S 1 Reply Last reply Reply Quote 0
                  • stephenw10S
                    stephenw10 Netgate Administrator @gelcom
                    last edited by

                    @gelcom said in Poor performance on pfSense Proxmox VM - IPTV loosing connection:

                    I assume IPs 239.192.0.79 and 239.192.0.167 are IGMP servers where streams come from

                    Those are the multicast addresses the servers are sending traffic to. Anything that's a member of the group will receive it. Hence seeing the clients leave the group could be related to the issue.

                    I would be looking for IGMP snooping enabled on something that might be preventing the required messages between the TV boxes and router.

                    Steve

                    G 1 Reply Last reply Reply Quote 1
                    • G
                      gelcom @stephenw10
                      last edited by

                      @stephenw10 said in Poor performance on pfSense Proxmox VM - IPTV loosing connection:

                      I would be looking for IGMP snooping enabled on something that might be preventing the required messages between the TV boxes and router.

                      I followed you advice and I disabled multicast snooping on the 3 linux bridges involved with multicast and the problem vanished!!!

                      It was really a problem outside pfSense firewall. I really appreciate your effort and support!! :-)

                      echo 0 > /sys/class/net/vmbr4/bridge/multicast_snooping
echo 0 > /sys/class/net/vmbr5/bridge/multicast_snooping
echo 0 > /sys/class/net/vmbr6/bridge/multicast_snooping

                      thanks again!!

                      kind regards

                      1 Reply Last reply Reply Quote 1
                      • stephenw10S
                        stephenw10 Netgate Administrator
                        last edited by

                        Ah, great result. Also good to know Proxmox does that, I hadn't hit that yet on my in install.

                        Steve

                        1 Reply Last reply Reply Quote 0
                        • First post
                          Last post
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.