PFSense Instability and IGMP?
My PFSense installation has been rock solid until the introduction of IPTV. I've noticed that once an STB is placed on the LAN, the performance of the network degrades quickly and eventually gets to the point of being nearly unusable. In fact, if PFSense is rebooted it will never come back online (it stops loading when it gets to the WAN interface). If I remove the IPTV box and reboot, PFSense comes back online with no problems.
My first assumption is that there is some sort of flooding occurring but I can't place my hand on it.
From a configuration perspective I have the following WAN rule:
Proto  SRC  Port  Destination      Port  GW  Queue
UDP    *    *     126.96.36.199/4  *     *   none
On the LAN side, I have selected to pass multicast traffic by editing the default LAN net rule, going to options, and ticking the box that says "This allows packets with IP options to pass. Otherwise they are blocked by default. This is usually only seen with multicast traffic."
I have also edited the IGMPProxy settings:
WAN upstream 188.8.131.52/4,
LAN downstream 192.168.0.0/24
WAN Network Topology:
2Wire RG (99.x.x.x Public IP passing WAN to PFSense via DMZ) -> PFSense WAN (99.x.x.x Public IP)
LAN Network Topology:
PFSense LAN (192.168.0.254) -> GS116E Switch with IGMP Snooping Enabled and 4 IPTV boxes (down to 1 for troubleshooting)
CPU usage is low (8-11%), memory is 2 gigs, WAN is gigabit, LAN is 100 Meg. That should be more than enough capacity, especially for just 1 IPTV box (I have 4, but am down to 1 for troubleshooting purposes).
Thought I would follow up: I tried the same configuration on 3 different PCs with the same results.
There is definitely some sort of issue here. I can't determine if the box is being IGMP flooded because of a VPN server being added or a CARP interface.
To recap, the server works fine initially with VPN, 5 virtual interfaces, and IGMP traffic. However, upon a reboot, the system never fully recovers once the interfaces come up.
For a few moments you can ping the PFSense box, then it goes offline (ping times out) and the DHCP server no longer issues DHCP addresses.
If I remove the WAN and LAN ethernet cords the box will reboot normally. If I remove all IGMP traffic by turning off the set top boxes the box will boot fine and traffic flows as normal. If I restore IGMP traffic, ping times increase and things work normally for a while.
Any ideas how this can be isolated further - is it a problem with the IGMP proxy or is there some kind of issue with having an OpenVPN server and using CARP for virtual IPs?
I'm going to wipe the system, reinstall fresh, configure only the LAN, WAN settings and IGMP proxy as described above, and see if the issue is gone (hopefully by process of elimination I can determine what service is causing this behavior).
Update - Figured out what was causing this, just not sure how to fix it.
The configuration of an IP Alias and CARP interfaces so I can use my static IPs from the 2Wire is the culprit. Process of elimination is how I was able to detect this. I'm not sure how to resolve it though... any ideas?
Does anyone have any suggestions, or can anyone explain what's occurring?
At the recommendation of a friend I installed another NIC in the device to segment IPTV traffic from regular traffic:
WAN: Public IP Address
LAN: 192.168.0.x /24
OPT: 192.168.1.x /24
The OPT interface is supplying IPTV/multicast. That works fine now with U-verse ;D
The problem still remains with regard to CARP: adding a CARP interface to the WAN causes instabilities shortly after a reboot. Is this a bug? How does it get reported?