IGMP Proxy is broken?

rudelerius

I'm running NanoBSD and there is not pkg command installed. Can anyone give a quick statement on whether this would work on NanoBSD at all? For one thing whether the igmpproxy package is available at all for NanoBSD

@flo: I can confirm that pkg and igmpproxy can be installed on the current NanoBSD version of pfSense. However, prior to following Andre453's instructions, you must first (re)mount the file system as read/write. (Follow these instructions: https://doc.pfsense.org/index.php/Remount_embedded_filesystem_as_read-write.)

I was able to install pkg and install igmpproxy version 0.1. However, when I went to confirm it was running, it was not. When I attempt to run it, I get the response "You must specify the configuration file."

I thought that was what I was doing when I created the igmpstart.sh file in /usr/local/etc/rc.d/ and specified therein the path to /tmp/igmpproxy.conf to the daemon. I've double checked the spelling in the file names, locations, paths, etc. I made certain that the file system was mounted r/w when making all changes, including making the igmpstart.sh file executable with chmod, but I am still receiving the message that I need to specify the configuration file. Is it possible that there is something different about the way NanoBSD starts the daemons or uses the shell scripts, or whatever, that is different from the full version? Perhaps another step is required that I am unaware of?

Any assistance in making this work would be greatly appreciated. If this question would be better served by creating a new topic, instead of adding to this one, feel free to say so as well.

Thanks. Jon.

Andrew453

Hi. There's actually a better way to upgrade igmpproxy to the latest version.

Rather than creating igmpstart.sh to start the upgraded igmpproxy, you can actually edit the original function in pfSense to do it. This means the start/stop services etc options in pfSense work properly. The revised instructions to upgrade are:

Upgrade igmpproxy in the shell.

pkg
pkg update
pkg install igmpproxy

Once you've done this, because the command line options for igmpproxy 0.1 are different to the existing version on pfSense, igmpproxy won't start on boot. You therefore need to edit pfSense's function that starts the service:

Use the editor in the GUI to open etc/inc/services.inc

Find the line which reads: "/* NOTE: -d4 means everything LOG_WARNING and smaller */"

Edit the line underneath to change -d4 to -v -v:

mwexec("/usr/local/sbin/igmpproxy -v -v {$g['tmp_path']}/igmpproxy.conf");

(n.b. the -v -v enables verbose logging, which might be useful if you're having problems. You can leave that out if you don't want your system logs to record igmpproxy activity.)

Thanks.

rudelerius

Thanks for the update Andrew453

Unfortunately, no matter what I do, I cannot seem to get igmpproxy to run after installing and updating using pkg. I tried editing etc/inc/services.inc as noted, but it still does not appear in top after a reboot. When I attempt to run it manually, I still receive the message that I must specify a configuration file. When I pass in the path to the configuration file at launch, using the -d mode, the application responds that "There must be at least 2 Vif's where one is upstream." I've checked the configuration file and both the upstream and downstream interfaces/addresses appear to be configured correctly.

I did a Google search and found this on the SourceForge page for igmpproxy: http://sourceforge.net/p/igmpproxy/bugs/4/, but I don't think it is valid, as both interfaces I've got assigned as upstream and downstream have an IPV4 address assigned. I don't really see any other detailed output of the debug command to try to troubleshoot anything else. Not sure where to look next.

Again, any help is appreciated.

Andrew453

Hi. Can you post your config file please?

rudelerius

Here is my /tmp/igmpproxy.conf file:

##------------------------------------------------------
## Enable Quickleave mode (Sends Leave instantly)
##------------------------------------------------------
quickleave
phyint em0 upstream ratelimit 0 threshold 1
altnet 224.0.0.0/4
altnet 184.60.0.0/16
altnet 184.61.0.0/16

phyint em1_vlan10 downstream ratelimit 0 threshold 1
altnet 10.10.0.0/24

phyint lagg0_vlan80 disabled
phyint lagg0_vlan10 disabled
phyint em1_vlan12 disabled
phyint em1_vlan80 disabled
phyint bridge2 disabled

Here are the ifconfig outputs for em0 and em1_vlan10:

$ ifconfig em0
em0: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500
	options=5209b <rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwfilter,vlan_hwtso>ether 00:01:xx:xx:xx:xx
	inet6 fe80::201:69ff:fe01:24b9%em0 prefixlen 64 scopeid 0x1 
	inet 192.168.0.16 netmask 0xffffff00 broadcast 192.168.0.255 
	nd6 options=23 <performnud,accept_rtadv,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active</full-duplex></performnud,accept_rtadv,auto_linklocal></rxcsum,txcsum,vlan_mtu,vlan_hwtagging,vlan_hwcsum,wol_magic,vlan_hwfilter,vlan_hwtso></up,broadcast,running,promisc,simplex,multicast>

Yes, my WAN address is a private IP. Until I can figure out this igmpproxy problem, my pfSense firewall is sitting behind my ISPs Actiontec modem/router.

$ ifconfig em1_vlan10
em1_vlan10: flags=8943 <up,broadcast,running,promisc,simplex,multicast>metric 0 mtu 1500
	options=3 <rxcsum,txcsum>ether 00:01:xx:xx:xx:xx
	inet6 fe80::201:69ff:fe01:24b8%em1_vlan10 prefixlen 64 scopeid 0xe 
	inet 10.10.0.1 netmask 0xffffff00 broadcast 10.10.0.255 
	nd6 options=21 <performnud,auto_linklocal>media: Ethernet autoselect (1000baseT <full-duplex>)
	status: active
	vlan: 10 vlanpcp: 0 parent interface: em1</full-duplex></performnud,auto_linklocal></rxcsum,txcsum></up,broadcast,running,promisc,simplex,multicast>

All looks fine to me. I don't get it.

Andrew453

I had a look at the source code for igmpproxy to see when it throws this error. Basically, it iterates through the available interfaces and adds them in if (1) they have an IPv4 address and (2) they're not a loopback adapter. Both your interfaces seem to have ipv4 and aren't loopback, so I imagine that for some reason it's not finding the interfaces in the first place.

I wonder if it might have something to do with your vlans - they're not physical interfaces.

Just for testing purposes, have you tried disabling your vlans, giving em1 the 10.8.0.x address range and trying again? If it picks it up then, at least you know what the problem is.

rudelerius

@Andrew453-
I've been kicking around your comment about igmpproxy not finding my interface at all. I think that, as you also noted, that the vlan may be the issue. Here's why:

After looking around the interwebs a bit, I think I may have stumbled onto a possible cause/solution at this link: http://wiki.ipfire.org/en/addons/igmpproxy/start.

Specifically, the notation of the interface name in the config file posted there:

phyint red0.8

It makes me wonder if the use of the alias "em1_vlan10" may be the cause of the problem. I speculate that if I change the interface name in the config file to em1.10, it might work. I've no real idea if that's the cause, but it can't hurt to try it!

I'll post results here once I've had a chance to give it a go.

rudelerius

Well- tried using the following config with no luck:

##------------------------------------------------------
## Enable Quickleave mode (Sends Leave instantly)
##------------------------------------------------------
quickleave
phyint em0 upstream ratelimit 0 threshold 1
altnet 224.0.0.0/4
altnet 184.60.0.0/16
altnet 184.61.0.0/16

phyint em1.10 downstream ratelimit 0 threshold 1
altnet 10.10.0.0/24

phyint lagg0.80 disabled
phyint lagg0.10 disabled
phyint em1.12 disabled
phyint em1.80 disabled
phyint br2 disabled

According to the logs (see attached), it keeps failing on the upstream (em0) interface; it doesn't even appear to make it to the downstream interface. But, I see absolutely no reason why that should be the case- I'm not using any VLAN on the WAN interface. I don't get it.

log.PNG_thumb

rudelerius

I really suspect that this line in the source code for igmpproxy is causing the failure to find the downstream interface:

if(strlen(token) >= IF_NAMESIZE) return NULL;

I think the IF name: "em1_vlan1" may be longer than the value held in that constant.

Unfortunately, after looking in all of the files included in the tar file for igmpproxy, I could not find where that constant was defined and what the maximum number of characters is for the if name.

Perhaps someone more saavy could find it for me?

Jon.

EDIT: this link indicates it is defined in system file sys/net/if.h. Not clear to me if the max size is 16 bits.
http://fxr.watson.org/fxr/ident?v=FREEBSD51;im=bigexcerpts;i=IF_NAMESIZE
Seems too small.

Andrew453

It's 16 characters, rather than bits.

I think that part of the code is actually reading the interface config from your file - so it's sanity checking what's in the config file rather than what the hardware is reporting exists. There's a separate bit of the code that actually loads in the physical interfaces, and then attempts to match the two.

If you look in your logs at start up you should see it initialise the interfaces, e.g.:

Aug 1 09:43:54 igmpproxy[23972]: adding VIF, Ix 2 Fl 0x0 IP 0x[ ] ath0_wlan0, Threshold: 1, Ratelimit: 0
Aug 1 09:43:54 igmpproxy[23972]: adding VIF, Ix 1 Fl 0x0 IP 0x[ ] re1, Threshold: 1, Ratelimit: 0
Aug 1 09:43:54 igmpproxy[23972]: adding VIF, Ix 0 Fl 0x0 IP 0x[ ] re0, Threshold: 1, Ratelimit: 0

I suspect you'll find your Vlan is missing.

Perhaps try to rename it to shorten it and remove any out of the ordinary characters etc (no underscores, spaces, dots etc). I suspect that's probably not the issue though. You're not the first person to have trouble getting igmpproxy to work with vlans: http://community.ubnt.com/t5/EdgeMAX/How-do-I-add-vlan-to-igmp-proxy/td-p/1099265

I saw a reference elsewhere to giving your vlans different mac addresses, in an attempt to get igmpproxy to pick them up.

Andrew453

Hi rudelerius. I've had a bit more of a look at this - I was wondering whether igmproxy supports vlans or not, so I tried it on my set up.

I can confirm it does support vlans so it should see them. e.g. below is my log when I had a vlan running:

Aug 1 16:39:17 igmpproxy[18165]: adding VIF, Ix 3 Fl 0x0 IP 0x[ ] re1_vlan12, Threshold: 1, Ratelimit: 0
Aug 1 16:39:17 igmpproxy[18165]: adding VIF, Ix 2 Fl 0x0 IP 0x[ ] ath0_wlan0, Threshold: 1, Ratelimit: 0
Aug 1 16:39:17 igmpproxy[18165]: adding VIF, Ix 1 Fl 0x0 IP 0x[ ] re1, Threshold: 1, Ratelimit: 0
Aug 1 16:39:17 igmpproxy[18165]: adding VIF, Ix 0 Fl 0x0 IP 0x[ ] re0, Threshold: 1, Ratelimit: 0

Are you sure you've got your vlans set up right?

You need to define the vlan in Interfaces > (assign) > VLANs.

Then you need to add it to the interfaces list and enable it. pfSense will give it another interface name, e.g. OPT2

Once you've got that, give it an IP etc.

Then, in Services > IGMP proxy, define your upstream and downstream interfaces and select the vlan interface as appropriate e.g. OPT2

When the igmpproxy service restarts, all should be well. There's no need to edit the igmpproxy.conf file directly (services.inc overwrites it anyway), nor start/stop the service from the command line if you've followed my updated instructions to patch services.inc

Hope this helps!

rudelerius

Are you sure you've got your vlans set up right?

You need to define the vlan in Interfaces > (assign) > VLANs.

Then you need to add it to the interfaces list and enable it. pfSense will give it another interface name, e.g. OPT2

Once you've got that, give it an IP etc.

Then, in Services > IGMP proxy, define your upstream and downstream interfaces and select the vlan interface as appropriate e.g. OPT2

When the igmpproxy service restarts, all should be well. There's no need to edit the igmpproxy.conf file directly (services.inc overwrites it anyway), nor start/stop the service from the command line if you've followed my updated instructions to patch services.inc

Hope this helps!

Thanks for trying to help Andrew453. Unfortunately, nothing works.

I have double checked all of my configuration of the vlan, interfaces, igmpproxy, etc. and I cannot find anything that isn't set up correctly. I have followed all of your instructions to the letter. Whenever I restart pfSense (or try to start igmpproxy manually), I see the following in the logs:

Aug 6 09:24:00 php-fpm[7798]: /rc.newwanip: The command '/usr/local/sbin/igmpproxy -v -v /tmp/igmpproxy.conf' returned exit code '255', the output was ''
Aug 6 09:24:00 igmpproxy[47493]: There must be at least 2 Vif's where one is upstream.
Aug 6 09:24:00 igmpproxy[47493]: adding VIF, Ix 0 Fl 0x0 IP 0x1000a8c0 em0, Threshold: 1, Ratelimit: 0

em0 is my WAN interface. The next line in my config should configure my LAN interface (em1_vlan10) as the upstream interface, but it fails as noted above. I have no idea why and it just doesn't make any sense.

Name Type Values Description
WAN upstream 224.0.0.0/4, 184.60.0.0/16, 184.61.0.0/16 TDS TV UPSTREAM IGMP PROXY
LAN downstream 10.10.0.0/24 TDS TV DOWNSTREAM IGMP PROXY

I'm at a complete loss of what to do to fix this problem.

Andrew453

Can you post your Interfaces > (assign) screen, and your Interfaces > VLANs screen please?

rudelerius

Hopefully your eyes can see something wrong that mine can't. It all looks correct to me. Images are attached, as I don't know how to post in-line.

Interfaces_vlans.JPG_thumb

Interfaces_Assign.JPG_thumb

Andrew453

Thanks. When I had multicast VLANs working on my setup and recognised by igmpproxy, I also had an interface assigned in pfSense to the underlying physical port (em1 in your case). Have you tried that? It shouldn't matter, but if igmpproxy is being fussy it might help to ensure the underlying interface on which the VLANs depend is up and running.

There's usually a certain amount of trial and error in diagnosing the issue and getting these things to work. The trick is to keep on trying different tweaks to your setup until you get a response from igmpproxy and then work backwards from that.

YoMarK

Luckily i found this thread, was trying for hours and hours yesterday to get IGMP proxy working, but it just would not work.
So I upgraded it to the latest version using pkg and made the change to the pfsense config file (tnx Andrew453).

After that, it started working immediately.
FYI: I'm using it on a dutch fibre connection where they have a separate iptv network(so WAN/IPTV is a different cable).

This is a mayor bug, and the fix seems quite simple.

doktornotor

Bumped the bug… the outdated junk gets really annoying. https://redmine.pfsense.org/issues/4672#note-6

rudelerius

Hi all,

It shouldn't matter, but if igmpproxy is being fussy it might help to ensure the underlying interface on which the VLANs depend is up and running.

In spite of the fact that I agree with Andrew453 that it doesn't seem necessary that the em1 network port should need to be assigned to an interface in pfSense, since the proxy is not using that interface as either upstream or downstream, but rather the vlan interface that rides on top of it, it does appear that this has resolved my problem with igmpproxy actually starting.

Although, I'm still leery that it will work correctly though. In my case, when the proxy is started, the log shows that the em1 interface is brought up, not the em1_vlan interface (see attached image). I'm not able to test it at the moment, as I already have an igmp proxy running on the ISP's router/gateway device, and I don't want to cause any issues with the IPTV that would result in the kids and (especially) the wife to go ballistic on me for ruining their brain-melting veg-out time on a Saturday afternoon.

syslog_igmpproxy.JPG_thumb

Andrew453

I doubt it's working I'm afraid - I'd hoped assigning em1 might also have brought up the VLAN but it hasn't. The VLAN still isn't recognised so the multicast traffic won't route properly. Running out of ideas I'm afraid. For some reason it just doesn't like your VLAN. I assume your NICs support VLAN tagging and the VLAN is enabled in pfSense?

One possible workaround: I assume you're using VLANs to segregate traffic on your local network for security or other reasons. I can see you've set a number of them up, for which the IPTV network is one. One option would be to run the IPTV on the native em1 (i.e. not a VLAN), which is recognised by igmpproxy. As long as everything else is on VLANs, the traffic should still be segregated. Would that work?

.

rudelerius

Just to see if it helped, I rebooted the firewall. I thought maybe it would help igmpproxy find the vlan interface, and unfortunately, it doesn't.

But, I can see membership queries in the logs from both networks: the ISP residential gateway at 192.168.0.1, and also from pfSense and my Dell switches on the pfSense vlan: 10.10.0.2 and 10.10.0.3.

I really have no idea what the heck is going on! The em nics are vlan capable (refer to previous posts with ifconfig details). Also, the vlans are all properly set up in pfSense and assigned to interfaces (see previous attachments).

Maybe it's hardware related? This is a pretty old box- a repurposed MSA 4000 that I found on eBay. For instance, after rebooting this most recent time to see if it helped igmpproxy, the vga output on the box sort of stopped working. That is, it shows the boot sequence, right up until the line "Generating RRD Graphs…..Done" and then it stops all output. Hitting enter does nothing (where in the past it used to bring up the pfSense menu). I can still access the box by SSH and get to the menu, but it just no longer works on the vga output. When I toggle the kvm switch, it ouputs the log info for the hardware changes, as it always has, but never reverts to the menu.

Obviously, this is another issue, but it only appeared on this box after finally getting igmpproxy to run and then rebooting the system. Who knows. Sometimes, I wish stuff would just work! : (