Routing Multicast to a GRE tunnel using IGMP Proxy



  • Hello,

    I am trying to route a multicast stream (UDP 239.x.x.x) to one GRE interface on pfSense 2.2.
    But I am not having success in doing it.

    I have done the following:

    1. Created the GRE tunnel + created the GRE interface.
       I am able to ping the other endpoint of the GRE tunnel with success.

    2. I have configured the IGMP proxy to have one upstream and two downstreams.
        The first downstream interface is the GRE interface.
        The second downstream interface is one physical interface.

    3. I have set up the firewall rules to permit everything, and also in the rules' "Advanced Options" I have activated the flag "This allows packets with IP Options to pass".

    I see that the multicast is routed to the other tunnel endpoint for some seconds and then stops!
    I can see, on pfsense, using tcpdump that the IGMP requests are arriving from the GRE tunnel, but for some reason the multicasts are not routed to it.

    I see that if I restart the IGMP Proxy service, the multicast starts being routed again to the tunnel interface, but only for a short period of time.

    I have already read almost all the posts about this topic, and it was they that showed me the right path, but now I am not able to figure out what is happening.

    Does anyone have an idea of what the cause is?

    Thanks in advance!

    Manuel Silva.


  • Banned



  • Hello,

    I have done the configuration mentioned on the post, but still no multicast is arriving on the tunnel.

    The configurations are:

    1. IGMP Proxy

    :more igmpproxy.conf

    ##------------------------------------------------------
    ## Enable Quickleave mode (Sends Leave instantly)
    ##------------------------------------------------------
    quickleave
    phyint em3 upstream ratelimit 0 threshold 1
    altnet 192.168.113.0/24
    altnet 239.255.1.8/8

    phyint gre0 downstream ratelimit 0 threshold 1
    altnet 10.10.10.0/30
    altnet 239.255.1.8/8

    phyint bge0 disabled
    phyint em0 disabled
    phyint bge1 disabled
    phyint em1 disabled
    phyint em2 disabled

    2. The firewall rules are:  pfctl -sr | grep allow-opts

    pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
    pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
    pass out route-to (bge0 192.168.0.254) inet from 192.168.0.25 to ! 192.168.0.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (bge1 REMOTE_SERVER) inet from REMOTE_SERVER to ! REMOTE_SERVER/16 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (em2 192.168.3.254) inet from 192.168.3.25 to ! 192.168.3.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (gre0 10.10.10.2) inet from 10.10.10.1 to ! 10.10.10.0/30 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass in quick on em3 inet proto udp from any to 224.0.0.0/4 keep state allow-opts label "USER_RULE"
    pass in quick on em3 inet from any to 192.168.113.0/24 flags S/SA keep state allow-opts label "USER_RULE"
    pass in quick on em3 inet proto icmp all keep state allow-opts label "USER_RULE"
    pass in quick on em3 inet proto udp all keep state allow-opts label "USER_RULE"
    pass in quick on em3 inet all flags S/SA keep state allow-opts label "USER_RULE"
    pass in quick on em1 inet proto igmp all keep state allow-opts label "USER_RULE: Multicat traffic IGMP"
    pass in quick on em1 inet proto udp from any to 224.0.0.0/4 keep state allow-opts label "USER_RULE: Multicat traffic UDP"
    pass in quick on em2 reply-to (em2 192.168.3.254) inet proto igmp all no state allow-opts label "USER_RULE"
    pass in quick on em2 reply-to (em2 192.168.3.254) inet proto icmp all keep state allow-opts label "USER_RULE"
    pass in quick on em2 reply-to (em2 192.168.3.254) inet proto udp all keep state allow-opts label "USER_RULE"
    pass in quick on em2 reply-to (em2 192.168.3.254) inet all flags S/SA keep state allow-opts label "USER_RULE"
    pass in quick on gre0 reply-to (gre0 10.10.10.2) inet proto igmp from 10.10.10.0/30 to 224.0.0.0/8 keep state allow-opts label "USER_RULE"
    pass in quick on gre0 reply-to (gre0 10.10.10.2) inet from any to 192.168.113.0/24 flags S/SA keep state allow-opts label "USER_RULE"
    pass in quick on gre0 reply-to (gre0 10.10.10.2) inet all flags S/SA keep state allow-opts label "USER_RULE"
    pass in quick on gre0 reply-to (gre0 10.10.10.2) inet proto igmp all keep state allow-opts label "USER_RULE"
    pass in quick on gre0 reply-to (gre0 10.10.10.2) inet proto udp all keep state allow-opts label "USER_RULE"
    pass in quick on gre0 reply-to (gre0 10.10.10.2) inet proto icmp all keep state allow-opts label "USER_RULE"
    pass in quick on gre0 reply-to (gre0 10.10.10.2) inet proto gre all keep state allow-opts label "USER_RULE"

    The multicast is arriving on interface EM3 and should be routed to tunnel interface GRE0.

    I see the multicast reports arriving on the GRE0 interface; 10.10.10.2 is the remote tunnel endpoint:
    15:39:04.138013 IP 10.10.10.2 > 239.255.1.8: igmp v2 report 239.255.1.8
    15:39:11.757964 IP 10.10.10.2 > 239.255.1.8: igmp v2 report 239.255.1.8
    15:39:16.461933 IP 10.10.10.2 > 239.255.1.8: igmp v2 report 239.255.1.8

    When these IGMP reports are arriving on the GRE0 interface, I see this error message in the igmpproxy logs:
    No interfaces found for source 10.10.10.2

    And I see no IGMP traffic on the EM3 interface when I do "tcpdump -vvni em3 igmp".

    I cannot understand why this is not working. Does someone have some advice for me, please?

    Best

    Manuel
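
A config-side check for the igmpproxy.conf posted above, as an added example that is not part of the original post and is not igmpproxy's own matching code. It parses the phyint/altnet lines (copied from the post as a constructed sample) and reports which enabled interface has an altnet covering a source such as 10.10.10.2; the function names are hypothetical, and plain prefix containment is an assumption about what "covered" means.

```python
import ipaddress

# Constructed sample: the phyint/altnet lines from the post's igmpproxy.conf.
CONF = """\
quickleave
phyint em3 upstream ratelimit 0 threshold 1
altnet 192.168.113.0/24
altnet 239.255.1.8/8

phyint gre0 downstream ratelimit 0 threshold 1
altnet 10.10.10.0/30
altnet 239.255.1.8/8
phyint bge0 disabled
"""

def parse_conf(text):
    """Return {ifname: {"role", "altnets", "warnings"}} for each phyint."""
    ifaces, current = {}, None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not words:
            continue
        if words[0] == "phyint" and len(words) >= 3:
            current = {"role": words[2], "altnets": [], "warnings": []}
            ifaces[words[1]] = current
        elif words[0] == "altnet" and current is not None and len(words) >= 2:
            # strict=False masks off host bits instead of raising ValueError
            net = ipaddress.ip_network(words[1], strict=False)
            if str(net) != words[1]:
                current["warnings"].append(
                    f"{words[1]} has host bits set, read as {net}")
            if net.is_multicast:
                # altnet lists permitted *source* networks; a group range
                # can never match a sender's address.
                current["warnings"].append(
                    f"{net} is a multicast range, not a source network")
            current["altnets"].append(net)
    return ifaces

def interfaces_for_source(ifaces, source):
    """Names of enabled interfaces whose altnets contain the source address."""
    addr = ipaddress.ip_address(source)
    return [name for name, i in ifaces.items()
            if i["role"] != "disabled" and any(addr in n for n in i["altnets"])]
```

On this sample, 10.10.10.2 falls inside gre0's 10.10.10.0/30 altnet, so the "No interfaces found for source" message is not explained by a missing altnet entry alone.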


  • Banned

    @MSilva:

    I have done the configuration mentioned on the post, but still no multicast is arriving on the tunnel.

    What post? Already linked you to a bug which tells you that the package (which alone is totally dead upstream) is about 5 years behind the dead upstream on pfSense. It's broken, stop wasting your time.



  • Hello,

    Well, there are several posts in this forum and I read all of them, to see if I could have some solution using pfSense.

    I have done the IGMPPROXY pkg upgrade, and was hoping it could work as indicated in the post https://forum.pfsense.org/index.php?topic=93293.0.

    I could try other approaches like xorp/smcroute/mroute or similar. But I like pfSense, so I am making an effort to see if igmpproxy could work for me.

    If that will never work, then I will put it aside and explore other solutions.

    Best.

    Manuel


  • Banned

    I have absolutely zero clue what "upgrade" you are talking about. The binary shipped with pfSense core is about 10-year-old broken code. There is no pkg anywhere and nothing got upgraded anywhere.



  • I am talking about the post done by "Andrew453"
    "
    First you need to upgrade igmpproxy in the shell.

    pkg
    pkg update
    pkg install igmpproxy

    However, once you've done this, because the command line options for igmpproxy 0.1 are different to the existing version on pfSense, igmpproxy won't start on boot.  You therefore need a custom shell script to do it:

    "

    Possibly I read it wrong and got the wrong idea.

    Regards,

    MP


  • Banned

    Perhaps ask someone who's using it on the other thread…