Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    multicast inconsistant

    Scheduled Pinned Locked Moved
    General pfSense Questions
    6
    48
    1.4k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • stephenw10S
      stephenw10 Netgate Administrator
      last edited by

      Driver issue can hide traffic from pcaps. The ix driver had a bug that was filtering vlan0 for example. pcap showed no traffic.

      johnpozJ 1 Reply Last reply Reply Quote 1
      • johnpozJ
        johnpoz LAYER 8 Global Moderator @stephenw10
        last edited by johnpoz

        @stephenw10 ah - good info.. But that is a error at the driver level.. Not some software in pfsense.. But guess there could be a problem after he updated with the driver.. Good info!!

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.03 | Lab VMs 2.7.2, 24.03

        1 Reply Last reply Reply Quote 1
        • dennypageD
          dennypage
          last edited by

          Of note is that the whole thing is a LAGG, and often packet captures do not function as one would expect. Several times in the past I have ended up having to run individual captures on the interfaces involved in the LAGG to get a complete picture.

          If it were me, the first diagnostic thing I would do is to remove the LAGG from the picture. YMMV.

          johnpozJ 1 Reply Last reply Reply Quote 2
          • johnpozJ
            johnpoz LAYER 8 Global Moderator @dennypage
            last edited by

            @dennypage also great info - and I have seen that in the past.. When troubleshooting where trying to validate traffic gets to where it is suppose to go and there is a lag at the endpoint, we have always turned down all but one interface in the lag

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.03 | Lab VMs 2.7.2, 24.03

            dennypageD 1 Reply Last reply Reply Quote 1
            • M
              maximushugus
              last edited by

              I restored a know working configuration from last year to my switch : it didn't solve the problem.

              But by doing a packet capture on pfSense this time, after restoring my switch config, I have a weird behavior :

              • First after restoring (and restarting) my switch config, everything was working, I asked a multicast IPTV stream from my ISP on my PC and I was able to receive the stream.
              • But as soon as I stopped the stream, it stopped, but I was not able anymore to ask this multicast stream.

              Here is the capture : as you can see, after packet n°10 with my PC leaving the multicast group, pfSense only see multicast from its own IP sourcecapture.pcap

              1 Reply Last reply Reply Quote 0
              • bmeeksB
                bmeeks @johnpoz
                last edited by

                @johnpoz said in multicast inconsistant:

                You know who might be good resource - @bmeeks he handles all the IPS stuff, fairly sure he would know if something could prevent being seen at the sniff level in pfsense.

                The only possible way for IPS to interfere with a traffic sniff would be when using Inline IPS Mode with the netmap kernel device. That could theoretically intercept and drop a packet before PCAP on the interface could see it, but I actually doubt that both PCAP and netmap can coexist simultaneously on the same physical interface. I suspect one of them is sure to complain about the other during initialization.

                But simply stopping the IDS/IPS service is sufficient to completely remove it from any possible interference in the sniff.

                M 1 Reply Last reply Reply Quote 1
                • M
                  maximushugus
                  last edited by

                  By reseting the port link on my switch for my pfSense, I can reproduce this behavior

                  1 Reply Last reply Reply Quote 0
                  • M
                    maximushugus @bmeeks
                    last edited by maximushugus

                    @bmeeks I tried a packet capture after stopping the dpinger service, but it didn't change anything.

                    I correct myself : on a capture on my pfSense when I have this problem, I only see multicast with IPv4 source address of my pfSense AND MDNS multicast packets (224.0.0.251) from my lan AND multicast leave group from my lan (but not multicast join group)

                    johnpozJ 1 Reply Last reply Reply Quote 0
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator @maximushugus
                      last edited by

                      @maximushugus said in multicast inconsistant:

                      stopping the dpinger service

                      what would that have to do with anything - dpinger is what checks to see if your gateway is online via pinging it.

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.03 | Lab VMs 2.7.2, 24.03

                      M 1 Reply Last reply Reply Quote 0
                      • M
                        maximushugus @johnpoz
                        last edited by

                        @johnpoz I though this would stop IDS/IPS service as said above

                        dennypageD 1 Reply Last reply Reply Quote 0
                        • dennypageD
                          dennypage @maximushugus
                          last edited by

                          @maximushugus said in multicast inconsistant:

                          I though this would stop IDS/IPS service as said above

                          It won't. dpinger has no relationship to IDS/IPS.

                          1 Reply Last reply Reply Quote 0
                          • M
                            maximushugus
                            last edited by

                            I don't really know what you mean by IDS/IPS. If it's in relation to snort or suricata, i do not have those packet installed
                            I have wireguard, avahi, openvpn (and arping, iperf)

                            bmeeksB 1 Reply Last reply Reply Quote 0
                            • bmeeksB
                              bmeeks @maximushugus
                              last edited by

                              @maximushugus said in multicast inconsistant:

                              I don't really know what you mean by IDS/IPS. If it's in relation to snort or suricata, i do not have those packet installed
                              I have wireguard, avahi, openvpn (and arping, iperf)

                              If you do not have Snort or Suricata installed, then forget all the remarks about IDS/IPS. They are not relevant without one of those packages installed and running.

                              1 Reply Last reply Reply Quote 1
                              • dennypageD
                                dennypage @johnpoz
                                last edited by

                                @maximushugus said in multicast inconsistant:

                                By reseting the port link on my switch for my pfSense, I can reproduce this behavior

                                @maximushugus, you should start with this suggestion:

                                @johnpoz said in multicast inconsistant:

                                When troubleshooting where trying to validate traffic gets to where it is suppose to go and there is a lag at the endpoint, we have always turned down all but one interface in the lag

                                1 Reply Last reply Reply Quote 0
                                • M
                                  maximushugus
                                  last edited by

                                  To update the topic : for the moment I'm not able to do testing disabling lag because of my configuration.
                                  But I reinstalled pfSense 2.7.0 reimporting the exact same configuration, and my multicast is working again.
                                  I suspect a bug in the igmpproxy program in pfSense 2.7.2 (or pfSense 2.7.1 but I never tried this version)
                                  Maybe it is related with this : https://redmine.pfsense.org/issues/15043

                                  1 Reply Last reply Reply Quote 0
                                  • stephenw10S
                                    stephenw10 Netgate Administrator
                                    last edited by

                                    @maximushugus said in multicast inconsistant:

                                    https://redmine.pfsense.org/issues/15043

                                    It could be that. Those fixes are in 24.03.

                                    1 Reply Last reply Reply Quote 0
                                    • M
                                      maximushugus
                                      last edited by

                                      I tried to transfer the igmpproxy binary from working 2.7.0 pfSense to 2.7.2.
                                      But it looks like the binary is exactly the same...

                                      To resume : if I restart my pfSense interfaces and launch igmpproxy, the first multicast stream I ask is working. But as soon as I leave this first asked multicast stream, it is not working anymore, and if I do a packet capture, I do not see any multicast packets exept those with IPv4 source address of my pfSense AND MDNS multicast packets (224.0.0.251) from my lan AND multicast leave group from my lan (but not multicast join group).

                                      I managed to get igmpproxy logs from working state to not working (by restarting interfaces from my switch and lauching igmpproxy after reconnecting). On this log I put "****************" when I left the stream on my PC :

                                      igmpproxy -n -d -vv /etc/igmpproxy.conf
Searching for config file at '/etc/igmpproxy.conf'
Config: Quick leave mode enabled.
Config: Got a phyint token.
Config: IF: Config for interface lagg0.1.
Config: IF: Got upstream token.
Config: IF: Got ratelimit token '0'.
Config: IF: Got threshold token '1'.
Config: IF: Got whitelist token 233.32.36.0/24.
Config: IF: Altnet: Parsed altnet to 233.32.36/24.
Config: IF: Got whitelist token 233.60.197.0/24.
Config: IF: Altnet: Parsed altnet to 233.60.197/24.
Config: IF: Got whitelist token 233.49.82.0/24.
Config: IF: Altnet: Parsed altnet to 233.49.82/24.
Config: IF: Got whitelist token 233.136.0.0/24.
Config: IF: Altnet: Parsed altnet to 233.136.0/24.
Config: IF: Got whitelist token 233.136.44.0/24.
Config: IF: Altnet: Parsed altnet to 233.136.44/24.
Config: IF: Got altnet token 0.0.0.0/0.
Config: IF: Altnet: Parsed altnet to default.
IF name : lagg0.1
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 1
Allowednet ptr : 7c41b0a0
Config: Got a phyint token.
Config: IF: Config for interface lagg0.3.
Config: IF: Got downstream token.
Config: IF: Got ratelimit token '0'.
Config: IF: Got threshold token '1'.
Config: IF: Got altnet token 0.0.0.0/0.
Config: IF: Altnet: Parsed altnet to default.
IF name : lagg0.3
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 2
Allowednet ptr : 7c41b0c0
Config: Got a phyint token.
Config: IF: Config for interface lagg0.99.
Config: IF: Got downstream token.
Config: IF: Got ratelimit token '0'.
Config: IF: Got threshold token '1'.
IF name : lagg0.99
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 2
Allowednet ptr : 0
Config: Got a phyint token.
Config: IF: Config for interface lagg0.50.
Config: IF: Got disabled token.
IF name : lagg0.50
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 0
Allowednet ptr : 0
Config: Got a phyint token.
Config: IF: Config for interface gre0.
Config: IF: Got disabled token.
IF name : gre0
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 0
Allowednet ptr : 0
Config: Got a phyint token.
Config: IF: Config for interface tun_wg0.
Config: IF: Got disabled token.
IF name : tun_wg0
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 0
Allowednet ptr : 0
Config: Got a phyint token.
Config: IF: Config for interface tun_wg1.
Config: IF: Got disabled token.
IF name : tun_wg1
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 0
Allowednet ptr : 0
Config: Got a phyint token.
Config: IF: Config for interface lagg0.2.
Config: IF: Got disabled token.
IF name : lagg0.2
Next ptr : 0
Ratelimit : 0
Threshold : 1
State : 0
Allowednet ptr : 0
buildIfVc: Interface lo0 Addr: 127.0.0.1, Flags: 0xffff8049, Network: 127/8
buildIfVc: Interface lo0 Addr: 45.13.104.149, Flags: 0xffff8049, Network: 45/8
buildIfVc: Interface lagg0.3 Addr: 192.168.3.1, Flags: 0xffff8943, Network: 192.168.3/24
buildIfVc: Interface lagg0.50 Addr: 192.168.50.1, Flags: 0xffff8943, Network: 192.168.50/24
buildIfVc: Interface lagg0.99 Addr: 192.168.99.1, Flags: 0xffff8943, Network: 192.168.99/24
buildIfVc: Interface lagg0.1 Addr: 109.11.243.7, Flags: 0xffff8843, Network: 109.11.243/24
buildIfVc: Interface lagg0.1 Addr: 192.168.4.253, Flags: 0xffff8843, Network: 192.168.4/24
buildIfVc: Interface ovpns1 Addr: 192.168.26.1, Flags: 0xffff8043, Network: 192.168.26/24
buildIfVc: Interface tun_wg0 Addr: 192.168.25.1, Flags: 0xffff80c1, Network: 192.168.25/24
buildIfVc: Interface tun_wg1 Addr: 192.168.27.1, Flags: 0xffff80c1, Network: 192.168.27/24
buildIfVc: Interface gre0 Addr: 10.1.0.246, Flags: 0xffff8051, Network: 10.1.0.244/30
Found config for lagg0.3
Found config for lagg0.50
Found config for lagg0.99
Found config for lagg0.1
Found config for lagg0.1
Found config for tun_wg0
Found config for tun_wg1
Found config for gre0
adding VIF, Ix 0 Fl 0x0 IP 0x0103a8c0 lagg0.3, Threshold: 1, Ratelimit: 0
        Network for [lagg0.3] : 192.168.3/24
        Network for [lagg0.3] : default
adding VIF, Ix 1 Fl 0x0 IP 0x0163a8c0 lagg0.99, Threshold: 1, Ratelimit: 0
        Network for [lagg0.99] : 192.168.99/24
Found upstrem IF #0, will assing as upstream Vif 27
adding VIF, Ix 2 Fl 0x0 IP 0x07f30b6d lagg0.1, Threshold: 1, Ratelimit: 0
        Network for [lagg0.1] : 109.11.243/24
        Network for [lagg0.1] : default
Found upstrem IF #1, will assing as upstream Vif 28
adding VIF, Ix 3 Fl 0x0 IP 0xfd04a8c0 lagg0.1, Threshold: 1, Ratelimit: 0
        Network for [lagg0.1] : 192.168.4/24
        Network for [lagg0.1] : default
Got 262144 byte buffer size in 0 iterations
Joining all-routers group 224.0.0.2 on vif 192.168.3.1
Joining group 224.0.0.2 on interface lagg0.3
Joining all igmpv3 multicast routers group 224.0.0.22 on vif 192.168.3.1
Joining group 224.0.0.22 on interface lagg0.3
Joining all-routers group 224.0.0.2 on vif 192.168.99.1
Joining group 224.0.0.2 on interface lagg0.99
Joining all igmpv3 multicast routers group 224.0.0.22 on vif 192.168.99.1
Joining group 224.0.0.22 on interface lagg0.99
SENT Membership query   from 192.168.3.1     to 224.0.0.1
Sent membership query from 192.168.3.1 to 224.0.0.1. Delay: 10
SENT Membership query   from 192.168.99.1    to 224.0.0.1
Sent membership query from 192.168.99.1 to 224.0.0.1. Delay: 10
Created timeout 1 (#0) - delay 10 secs
(Id:1, Time:10) 
Created timeout 2 (#1) - delay 21 secs
(Id:1, Time:10) 
(Id:2, Time:21) 
RECV V2 member report   from 192.168.3.1     to 224.0.0.2
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.3.1     to 224.0.0.22
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.99.1    to 224.0.0.2
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.99.1    to 224.0.0.22
The IGMP message was from myself. Ignoring.
RECV Membership query   from 192.168.3.1     to 224.0.0.1
RECV Membership query   from 192.168.99.1    to 224.0.0.1
Route activate request from 192.168.3.31 to 224.2.127.254 on VIF[2]
No table entry for 224.2.127.254 [From: 192.168.3.31]. Inserting route.
No existing route for 224.2.127.254. Create new.
No routes in table. Insert at beginning.
Inserted route table entry for 224.2.127.254 on VIF #-1
The group address 224.2.127.254 may not be forwarded upstream. Ignoring.

Current routing table (Insert Route):
-----------------------------------------------------
#0: Dst: 224.2.127.254, Age:2, St: I, OutVifs: 0x00000000, dHosts: yes
-----------------------------------------------------

Current routing table (Activate Route):
-----------------------------------------------------
#0: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000000, dHosts: yes
-----------------------------------------------------
Route activate request from 192.168.3.4 to 239.255.255.250 on VIF[2]
No table entry for 239.255.255.250 [From: 192.168.3.4]. Inserting route.
No existing route for 239.255.255.250. Create new.
Found existing routes. Find insert location.
Inserting at beginning, before route 224.2.127.254
Inserted route table entry for 239.255.255.250 on VIF #-1
The group address 239.255.255.250 may not be forwarded upstream. Ignoring.

Current routing table (Insert Route):
-----------------------------------------------------
#0: Dst: 239.255.255.250, Age:2, St: I, OutVifs: 0x00000000, dHosts: yes
#1: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000000, dHosts: yes
-----------------------------------------------------

Current routing table (Activate Route):
-----------------------------------------------------
#0: Src0: 192.168.3.4, Dst: 239.255.255.250, Age:2, St: A, OutVifs: 0x00000000, dHosts: yes
#1: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000000, dHosts: yes
-----------------------------------------------------
RECV V2 member report   from 192.168.3.4     to 224.2.127.254
Should insert group 224.2.127.254 (from: 192.168.3.4) to route table. Vif Ix : 0
Updated route entry for 224.2.127.254 on VIF #0
Vif bits : 0x00000001
Setting TTL for Vif 0 to 1
Adding MFC: 192.168.3.31 -> 224.2.127.254, InpVIf: 2
The group address 224.2.127.254 may not be forwarded upstream. Ignoring.

Current routing table (Insert Route):
-----------------------------------------------------
#0: Src0: 192.168.3.4, Dst: 239.255.255.250, Age:2, St: A, OutVifs: 0x00000000, dHosts: yes
#1: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
RECV V2 member report   from 192.168.3.4     to 239.255.255.250
Should insert group 239.255.255.250 (from: 192.168.3.4) to route table. Vif Ix : 0
Updated route entry for 239.255.255.250 on VIF #0
Vif bits : 0x00000001
Setting TTL for Vif 0 to 1
Adding MFC: 192.168.3.4 -> 239.255.255.250, InpVIf: 2
The group address 239.255.255.250 may not be forwarded upstream. Ignoring.

Current routing table (Insert Route):
-----------------------------------------------------
#0: Src0: 192.168.3.4, Dst: 239.255.255.250, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
#1: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
RECV V2 member report   from 192.168.99.1    to 224.0.0.2
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.3.1     to 224.0.0.2
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.3.37    to 239.255.255.250
Should insert group 239.255.255.250 (from: 192.168.3.37) to route table. Vif Ix : 0
Updated route entry for 239.255.255.250 on VIF #0
Vif bits : 0x00000001
Setting TTL for Vif 0 to 1
Adding MFC: 192.168.3.4 -> 239.255.255.250, InpVIf: 2
The group address 239.255.255.250 may not be forwarded upstream. Ignoring.

Current routing table (Insert Route):
-----------------------------------------------------
#0: Src0: 192.168.3.4, Dst: 239.255.255.250, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
#1: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
RECV V2 member report   from 192.168.3.4     to 239.255.255.246
Should insert group 239.255.255.246 (from: 192.168.3.4) to route table. Vif Ix : 0
No existing route for 239.255.255.246. Create new.
Found existing routes. Find insert location.
Inserting at beginning, before route 239.255.255.250
Inserted route table entry for 239.255.255.246 on VIF #0
The group address 239.255.255.246 may not be forwarded upstream. Ignoring.

Current routing table (Insert Route):
-----------------------------------------------------
#0: Dst: 239.255.255.246, Age:2, St: I, OutVifs: 0x00000001, dHosts: yes
#1: Src0: 192.168.3.4, Dst: 239.255.255.250, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
#2: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
RECV V2 member report   from 192.168.3.9     to 239.255.255.250
Should insert group 239.255.255.250 (from: 192.168.3.9) to route table. Vif Ix : 0
Updated route entry for 239.255.255.250 on VIF #0
Vif bits : 0x00000001
Setting TTL for Vif 0 to 1
Adding MFC: 192.168.3.4 -> 239.255.255.250, InpVIf: 2
The group address 239.255.255.250 may not be forwarded upstream. Ignoring.

Current routing table (Insert Route):
-----------------------------------------------------
#0: Dst: 239.255.255.246, Age:2, St: I, OutVifs: 0x00000001, dHosts: yes
#1: Src0: 192.168.3.4, Dst: 239.255.255.250, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
#2: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
RECV V2 member report   from 192.168.3.18    to 239.255.255.250
Should insert group 239.255.255.250 (from: 192.168.3.18) to route table. Vif Ix : 0
Updated route entry for 239.255.255.250 on VIF #0
Vif bits : 0x00000001
Setting TTL for Vif 0 to 1
Adding MFC: 192.168.3.4 -> 239.255.255.250, InpVIf: 2
The group address 239.255.255.250 may not be forwarded upstream. Ignoring.

Current routing table (Insert Route):
-----------------------------------------------------
#0: Dst: 239.255.255.246, Age:2, St: I, OutVifs: 0x00000001, dHosts: yes
#1: Src0: 192.168.3.4, Dst: 239.255.255.250, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
#2: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
RECV Membership query   from 1.1.1.1         to 224.0.0.1
RECV V2 member report   from 192.168.3.1     to 224.0.0.22
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.3.1     to 224.0.0.251
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.3.111   to 239.255.255.250
Should insert group 239.255.255.250 (from: 192.168.3.111) to route table. Vif Ix : 0
Updated route entry for 239.255.255.250 on VIF #0
Vif bits : 0x00000001
Setting TTL for Vif 0 to 1
Adding MFC: 192.168.3.4 -> 239.255.255.250, InpVIf: 2
The group address 239.255.255.250 may not be forwarded upstream. Ignoring.

Current routing table (Insert Route):
-----------------------------------------------------
#0: Dst: 239.255.255.246, Age:2, St: I, OutVifs: 0x00000001, dHosts: yes
#1: Src0: 192.168.3.4, Dst: 239.255.255.250, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
#2: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
RECV V2 member report   from 192.168.99.1    to 224.0.0.22
The IGMP message was from myself. Ignoring.
About to call timeout 1 (#0)
Aging routes in table.

Current routing table (Age active routes):
-----------------------------------------------------
#0: Dst: 239.255.255.246, Age:1, St: I, OutVifs: 0x00000001, dHosts: yes
#1: Src0: 192.168.3.4, Dst: 239.255.255.250, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
#2: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
Route activate request from 192.168.3.18 to 239.255.255.250 on VIF[2]
Vif bits : 0x00000001
Setting TTL for Vif 0 to 1
Adding MFC: 192.168.3.18 -> 239.255.255.250, InpVIf: 2
Vif bits : 0x00000001
Setting TTL for Vif 0 to 1
Adding MFC: 192.168.3.4 -> 239.255.255.250, InpVIf: 2

Current routing table (Activate Route):
-----------------------------------------------------
#0: Dst: 239.255.255.246, Age:1, St: I, OutVifs: 0x00000001, dHosts: yes
#1: Src0: 192.168.3.18, Src1: 192.168.3.4, Dst: 239.255.255.250, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
#2: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
RECV V2 member report   from 192.168.3.4     to 224.2.127.254
Should insert group 224.2.127.254 (from: 192.168.3.4) to route table. Vif Ix : 0
Updated route entry for 224.2.127.254 on VIF #0
Vif bits : 0x00000001
Setting TTL for Vif 0 to 1
Adding MFC: 192.168.3.31 -> 224.2.127.254, InpVIf: 2
The group address 224.2.127.254 may not be forwarded upstream. Ignoring.

Current routing table (Insert Route):
-----------------------------------------------------
#0: Dst: 239.255.255.246, Age:1, St: I, OutVifs: 0x00000001, dHosts: yes
#1: Src0: 192.168.3.18, Src1: 192.168.3.4, Dst: 239.255.255.250, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
#2: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
RECV V2 member report   from 192.168.3.4     to 239.255.255.250
Should insert group 239.255.255.250 (from: 192.168.3.4) to route table. Vif Ix : 0
Updated route entry for 239.255.255.250 on VIF #0
Vif bits : 0x00000001
Setting TTL for Vif 0 to 1
Adding MFC: 192.168.3.18 -> 239.255.255.250, InpVIf: 2
Vif bits : 0x00000001
Setting TTL for Vif 0 to 1
Adding MFC: 192.168.3.4 -> 239.255.255.250, InpVIf: 2
The group address 239.255.255.250 may not be forwarded upstream. Ignoring.

Current routing table (Insert Route):
-----------------------------------------------------
#0: Dst: 239.255.255.246, Age:1, St: I, OutVifs: 0x00000001, dHosts: yes
#1: Src0: 192.168.3.18, Src1: 192.168.3.4, Dst: 239.255.255.250, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
#2: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
RECV V2 member report   from 192.168.3.4     to 239.255.255.246
Should insert group 239.255.255.246 (from: 192.168.3.4) to route table. Vif Ix : 0
Updated route entry for 239.255.255.246 on VIF #0
The group address 239.255.255.246 may not be forwarded upstream. Ignoring.

Current routing table (Insert Route):
-----------------------------------------------------
#0: Dst: 239.255.255.246, Age:1, St: I, OutVifs: 0x00000001, dHosts: yes
#1: Src0: 192.168.3.18, Src1: 192.168.3.4, Dst: 239.255.255.250, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
#2: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
RECV V2 member report   from 192.168.3.112   to 233.136.0.202
Should insert group 233.136.0.202 (from: 192.168.3.112) to route table. Vif Ix : 0
No existing route for 233.136.0.202. Create new.
Found existing routes. Find insert location.
Inserting at beginning, before route 239.255.255.246
Inserted route table entry for 233.136.0.202 on VIF #0
Joining group 233.136.0.202 upstream on IF address 109.11.243.7
Joining group 233.136.0.202 on interface lagg0.1
Joining group 233.136.0.202 upstream on IF address 192.168.4.253
Joining group 233.136.0.202 on interface lagg0.1
can't join group 233.136.0.202 on interface lagg0.1; Errno(48): Address already in use

Current routing table (Insert Route):
-----------------------------------------------------
#0: Dst: 233.136.0.202, Age:2, St: I, OutVifs: 0x00000001, dHosts: yes
#1: Dst: 239.255.255.246, Age:1, St: I, OutVifs: 0x00000001, dHosts: yes
#2: Src0: 192.168.3.18, Src1: 192.168.3.4, Dst: 239.255.255.250, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
#3: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
RECV V2 member report   from 109.11.243.7    to 233.136.0.202
The IGMP message was from myself. Ignoring.
Route activate request from 77.130.48.82 to 233.136.0.202 on VIF[2]
Vif bits : 0x00000001
Setting TTL for Vif 0 to 1
Adding MFC: 77.130.48.82 -> 233.136.0.202, InpVIf: 2

Current routing table (Activate Route):
-----------------------------------------------------
#0: Src0: 77.130.48.82, Dst: 233.136.0.202, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
#1: Dst: 239.255.255.246, Age:1, St: I, OutVifs: 0x00000001, dHosts: yes
#2: Src0: 192.168.3.18, Src1: 192.168.3.4, Dst: 239.255.255.250, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
#3: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
About to call timeout 2 (#0)
SENT Membership query   from 192.168.3.1     to 224.0.0.1
Sent membership query from 192.168.3.1 to 224.0.0.1. Delay: 10
SENT Membership query   from 192.168.99.1    to 224.0.0.1
Sent membership query from 192.168.99.1 to 224.0.0.1. Delay: 10
Created timeout 3 (#0) - delay 10 secs
(Id:3, Time:10) 
Created timeout 4 (#1) - delay 21 secs
(Id:3, Time:10) 
(Id:4, Time:21) 
RECV Membership query   from 192.168.99.1    to 224.0.0.1
RECV Membership query   from 192.168.3.1     to 224.0.0.1
RECV V2 member report   from 192.168.99.1    to 224.0.0.22
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.3.1     to 224.0.0.22
The IGMP message was from myself. Ignoring.
About to call timeout 3 (#0)
Aging routes in table.

Current routing table (Age active routes):
-----------------------------------------------------
#0: Src0: 77.130.48.82, Dst: 233.136.0.202, Age:1, St: A, OutVifs: 0x00000001, dHosts: yes
#1: Dst: 239.255.255.246, Age:2, St: I, OutVifs: 0x00000001, dHosts: yes
#2: Src0: 192.168.3.18, Src1: 192.168.3.4, Dst: 239.255.255.250, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
#3: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
RECV Leave message      from 192.168.3.112   to 224.0.0.2
Got leave message from 192.168.3.112 to 233.136.0.202. Starting last member detection.
**********************************************************************
counted 1 interfaces
quickleave is enabled and this was the last downstream host, leaving group 233.136.0.202 now
Leaving group 233.136.0.202 upstream on IF address 109.11.243.7
Leaving group 233.136.0.202 on interface lagg0.1
Interface id 0 is in group $d
SENT Membership query   from 192.168.3.1     to 233.136.0.202
Sent membership query from 192.168.3.1 to 233.136.0.202. Delay: 10
Interface id 1 is in group $d
Created timeout 5 (#0) - delay 10 secs
(Id:5, Time:10) 
(Id:4, Time:11) 
RECV Leave message      from 109.11.243.7    to 224.0.0.2
Got leave message from 109.11.243.7 to 233.136.0.202. Starting last member detection.
The found if for 109.11.243.7 was not downstream. Ignoring leave request.
RECV Membership query   from 192.168.3.1     to 233.136.0.202
RECV V2 member report   from 192.168.3.1     to 224.0.0.251
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.3.1     to 224.0.0.2
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.99.1    to 224.0.0.2
The IGMP message was from myself. Ignoring.
About to call timeout 5 (#0)
Interface id 0 is in group $d
SENT Membership query   from 192.168.3.1     to 233.136.0.202
Sent membership query from 192.168.3.1 to 233.136.0.202. Delay: 10
Interface id 1 is in group $d
Created timeout 6 (#0) - delay 10 secs
(Id:6, Time:10) 
(Id:4, Time:1) 
RECV Membership query   from 192.168.3.1     to 233.136.0.202
About to call timeout 6 (#0)
Removing group 233.136.0.202. Died of old age.
Removed route entry for 233.136.0.202 from table.
Vif bits : 0x00000001
Setting TTL for Vif 0 to 1
Removing MFC: 77.130.48.82 -> 233.136.0.202, InpVIf: 2

Current routing table (Remove route):
-----------------------------------------------------
#0: Dst: 239.255.255.246, Age:2, St: I, OutVifs: 0x00000001, dHosts: yes
#1: Src0: 192.168.3.18, Src1: 192.168.3.4, Dst: 239.255.255.250, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
#2: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:2, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
About to call timeout 4 (#0)
SENT Membership query   from 192.168.3.1     to 224.0.0.1
Sent membership query from 192.168.3.1 to 224.0.0.1. Delay: 10
SENT Membership query   from 192.168.99.1    to 224.0.0.1
Sent membership query from 192.168.99.1 to 224.0.0.1. Delay: 10
Created timeout 7 (#0) - delay 10 secs
(Id:7, Time:10) 
Created timeout 8 (#1) - delay 115 secs
(Id:7, Time:10) 
(Id:8, Time:115) 
RECV Membership query   from 192.168.3.1     to 224.0.0.1
RECV Membership query   from 192.168.99.1    to 224.0.0.1
RECV Membership query   from 1.1.1.1         to 224.0.0.1
RECV V2 member report   from 192.168.99.1    to 224.0.0.2
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.3.1     to 224.0.0.22
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.3.1     to 224.0.0.2
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.3.1     to 224.0.0.251
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.99.1    to 224.0.0.22
The IGMP message was from myself. Ignoring.
About to call timeout 7 (#0)
Aging routes in table.

Current routing table (Age active routes):
-----------------------------------------------------
#0: Dst: 239.255.255.246, Age:1, St: I, OutVifs: 0x00000001, dHosts: yes
#1: Src0: 192.168.3.18, Src1: 192.168.3.4, Dst: 239.255.255.250, Age:1, St: A, OutVifs: 0x00000001, dHosts: yes
#2: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:1, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
About to call timeout 8 (#0)
SENT Membership query   from 192.168.3.1     to 224.0.0.1
Sent membership query from 192.168.3.1 to 224.0.0.1. Delay: 10
SENT Membership query   from 192.168.99.1    to 224.0.0.1
Sent membership query from 192.168.99.1 to 224.0.0.1. Delay: 10
Created timeout 9 (#0) - delay 10 secs
(Id:9, Time:10) 
Created timeout 10 (#1) - delay 115 secs
(Id:9, Time:10) 
(Id:10, Time:115) 
RECV Membership query   from 192.168.3.1     to 224.0.0.1
RECV Membership query   from 192.168.99.1    to 224.0.0.1
RECV V2 member report   from 192.168.99.1    to 224.0.0.2
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.99.1    to 224.0.0.22
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.3.1     to 224.0.0.251
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.3.1     to 224.0.0.2
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.3.1     to 224.0.0.22
The IGMP message was from myself. Ignoring.
About to call timeout 9 (#0)
Aging routes in table.
Removing group 239.255.255.246. Died of old age.
Removed route entry for 239.255.255.246 from table.

Current routing table (Remove route):
-----------------------------------------------------
#0: Src0: 192.168.3.18, Src1: 192.168.3.4, Dst: 239.255.255.250, Age:1, St: A, OutVifs: 0x00000001, dHosts: yes
#1: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:1, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
Removing group 239.255.255.250. Died of old age.
Removed route entry for 239.255.255.250 from table.
Vif bits : 0x00000001
Setting TTL for Vif 0 to 1
Removing MFC: 192.168.3.18 -> 239.255.255.250, InpVIf: 2
Vif bits : 0x00000001
Setting TTL for Vif 0 to 1
Removing MFC: 192.168.3.4 -> 239.255.255.250, InpVIf: 2

Current routing table (Remove route):
-----------------------------------------------------
#0: Src0: 192.168.3.31, Dst: 224.2.127.254, Age:1, St: A, OutVifs: 0x00000001, dHosts: yes
-----------------------------------------------------
Removing group 224.2.127.254. Died of old age.
Removed route entry for 224.2.127.254 from table.
Vif bits : 0x00000001
Setting TTL for Vif 0 to 1
Removing MFC: 192.168.3.31 -> 224.2.127.254, InpVIf: 2

Current routing table (Remove route):
-----------------------------------------------------
No routes in table...
-----------------------------------------------------

Current routing table (Age active routes):
-----------------------------------------------------
No routes in table...
-----------------------------------------------------
About to call timeout 10 (#0)
SENT Membership query   from 192.168.3.1     to 224.0.0.1
Sent membership query from 192.168.3.1 to 224.0.0.1. Delay: 10
SENT Membership query   from 192.168.99.1    to 224.0.0.1
Sent membership query from 192.168.99.1 to 224.0.0.1. Delay: 10
Created timeout 11 (#0) - delay 10 secs
(Id:11, Time:10) 
Created timeout 12 (#1) - delay 115 secs
(Id:11, Time:10) 
(Id:12, Time:115) 
RECV Membership query   from 192.168.3.1     to 224.0.0.1
RECV Membership query   from 192.168.99.1    to 224.0.0.1
RECV V2 member report   from 192.168.99.1    to 224.0.0.2
The IGMP message was from myself. Ignoring.
About to call timeout 11 (#0)
Aging routes in table.

Current routing table (Age active routes):
-----------------------------------------------------
No routes in table...
-----------------------------------------------------
RECV Membership query   from 1.1.1.1         to 224.0.0.1
RECV V2 member report   from 192.168.99.1    to 224.0.0.22
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.3.1     to 224.0.0.251
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.3.1     to 224.0.0.2
The IGMP message was from myself. Ignoring.
RECV V2 member report   from 192.168.3.1     to 224.0.0.22
The IGMP message was from myself. Ignoring.

                                      So as you can see, after leaving the stream, it is not receiving any join group anymore (even if I try to join this multicast stream again on my PC).

                                      Because the igmpproxy binary was not changed, I think this is a kernel/pfSense issue with rule/state/filter table between 2.7.0 and 2.7.2,

                                      What do you think about it ?
                                      Thanks

                                      1 Reply Last reply Reply Quote 0
                                      • M
                                        maximushugus
                                        last edited by

                                        Also if it can help, here is netstat -g results at different moment during the problem :

                                        Before lauching igmpproxy :

                                        netstat -g

IPv4 Virtual Interface Table is empty

IPv4 Multicast Forwarding Table is empty


IPv6 Multicast Interface Table is empty

IPv6 Multicast Forwarding Table is empty

                                        After starting igmpproxy but before asking for the stream on my PC :

                                        netstat -g

IPv4 Virtual Interface Table
 Vif   Thresh   Local-Address   Remote-Address    Pkts-In   Pkts-Out
  0         1   192.168.3.1                             0          0
  1         1   192.168.99.1                            0          0
  2         1   109.11.243.7                            0          0
  3         1   192.168.4.253                           0          0

IPv4 Multicast Forwarding Table
 Origin          Group             Packets In-Vif  Out-Vifs:Ttls
 192.168.3.31    224.2.127.254           0    2    0:1
 192.168.3.4     239.255.255.250         0    2    0:1

                                        After asking for the multicast stream on my PC and receiving the stream :

                                        netstat -g

IPv4 Virtual Interface Table
 Vif   Thresh   Local-Address   Remote-Address    Pkts-In   Pkts-Out
  0         1   192.168.3.1                             0      16716
  1         1   192.168.99.1                            0          0
  2         1   109.11.243.7                        16716          0
  3         1   192.168.4.253                           0          0

IPv4 Multicast Forwarding Table
 Origin          Group             Packets In-Vif  Out-Vifs:Ttls
 192.168.3.31    224.2.127.254           0    2    0:1
 77.130.48.82    233.136.0.202       16716    2    0:1
 192.168.3.18    239.255.255.250         0    2    0:1
 192.168.3.4     239.255.255.250         0    2    0:1


IPv6 Multicast Interface Table is empty

IPv6 Multicast Forwarding Table is empty

                                        After stopping the stream on my PC :

                                        netstat -g

IPv4 Virtual Interface Table
 Vif   Thresh   Local-Address   Remote-Address    Pkts-In   Pkts-Out
  0         1   192.168.3.1                             0      16716
  1         1   192.168.99.1                            0          0
  2         1   109.11.243.7                        16716          0
  3         1   192.168.4.253                           0          0

IPv4 Multicast Forwarding Table
 Origin          Group             Packets In-Vif  Out-Vifs:Ttls
 192.168.3.31    224.2.127.254           0    2    0:1
 77.130.48.82    233.136.0.202       16716    2    0:1
 192.168.3.18    239.255.255.250         0    2    0:1
 192.168.3.4     239.255.255.250         0    2    0:1


IPv6 Multicast Interface Table is empty

IPv6 Multicast Forwarding Table is empty

                                        And if I try again to ask for the multicast stream on my PC :

                                        netstat -g

IPv4 Virtual Interface Table
 Vif   Thresh   Local-Address   Remote-Address    Pkts-In   Pkts-Out
  0         1   192.168.3.1                             0      16716
  1         1   192.168.99.1                            0          0
  2         1   109.11.243.7                        16716          0
  3         1   192.168.4.253                           0          0

IPv4 Multicast Forwarding Table
 Origin          Group             Packets In-Vif  Out-Vifs:Ttls
 192.168.3.31    224.2.127.254           0    2    0:1
 77.130.48.82    233.136.0.202       16716    2    0:1
 192.168.3.18    239.255.255.250         0    2    0:1
 192.168.3.4     239.255.255.250         0    2    0:1


IPv6 Multicast Interface Table is empty

IPv6 Multicast Forwarding Table is empty
                                        1 Reply Last reply Reply Quote 0
                                        • M
                                          maximushugus
                                          last edited by

                                          Just to update, I still have the problem.
                                          But I installed and properly configured PIMD, disabling IGMP proxy.

                                          With this configuration I have the exact same problem : I only see multicast with IPv4 source of my pfSense, and MDNS, (224.0.0.251) from my lan and multicast leave group but not multicast join group from my lan.

                                          So I this the problem is in pfSense itself and not in IGMPproxy nor PIMD

                                          Also if from a PC on my lan I ping a multicast 224.0.0.2, I can see this on a capture on pfSense.

                                          That's really weird

                                          1 Reply Last reply Reply Quote 0
                                          • M
                                            maximushugus
                                            last edited by

                                            I found I have the same problem as discribed here

                                            I have the same configuration with a LAGG of ixl0 and ixl1
                                            I suspect this is the problem.
                                            I get a lot of those errors

                                            pfSense kernel: ixl1: Disabled multicast promiscuous mode

                                            when enabling or disabling any multicast program (avahi, igmpproxy or pimd), even if I disable every program

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post