On pfSense 2.2 IGMP Proxy does not work with GRE tunnels



  • Hello,

    I have done one post on another thread, but this seems the correct place to do it.

    I am trying to route some multicast stream (UDP 239.x.x.x) to one GRE interface using pfSense 2.2.
    But I am not having success in doing it.

    I have done the following:

    1. Created the GRE tunnel + created the GRE interface.
       I am able to ping the other endpoint of the GRE tunnel with success.

    2. I have configured the IGMP proxy to have one upstream and two downstreams.
        The first downstream interface is the GRE interface.
        The second downstream interface is one physical interface.

    3. I have set up the firewall rules to permit everything, and also in the rules' "Advanced Options" I have activated the flag "This allows packets with IP Options to pass".

    I see the multicast routed to the other tunnel endpoint for some seconds, and then it stops!
    I can see on pfSense, using tcpdump, that the IGMP requests are arriving from the GRE tunnel, but for some reason the multicasts are not routed to it.

    I see that if I restart the IGMP Proxy service, the multicast starts being routed again to the tunnel interface, but only for a short period of time.

    I already read almost all the posts about this topic, and it was they that showed me the right path, but now I am not able to figure out what is happening.

    Does someone have an idea of what the cause is?

    I have done the configuration mentioned on the post, but still no multicast is arriving on the tunnel.

    The configurations are:

    1. IGMP Proxy

    :more igmpproxy.conf

    ##------------------------------------------------------
    ## Enable Quickleave mode (Sends Leave instantly)
    ##------------------------------------------------------
    quickleave
    phyint em3 upstream ratelimit 0 threshold 1
    altnet 192.168.113.0/24
    altnet 239.255.1.8/8

    phyint gre0 downstream ratelimit 0 threshold 1
    altnet 10.10.10.0/30
    altnet 239.255.1.8/8

    phyint bge0 disabled
    phyint em0 disabled
    phyint bge1 disabled
    phyint em1 disabled
    phyint em2 disabled

    2. The firewall rules are:  pfctl -sr | grep allow-opts

    pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
    pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
    pass out route-to (bge0 192.168.0.254) inet from 192.168.0.25 to ! 192.168.0.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (bge1 REMOTE_SERVER) inet from REMOTE_SERVER to ! REMOTE_SERVER/16 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (em2 192.168.3.254) inet from 192.168.3.25 to ! 192.168.3.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass out route-to (gre0 10.10.10.2) inet from 10.10.10.1 to ! 10.10.10.0/30 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
    pass in quick on em3 inet proto udp from any to 224.0.0.0/4 keep state allow-opts label "USER_RULE"
    pass in quick on em3 inet from any to 192.168.113.0/24 flags S/SA keep state allow-opts label "USER_RULE"
    pass in quick on em3 inet proto icmp all keep state allow-opts label "USER_RULE"
    pass in quick on em3 inet proto udp all keep state allow-opts label "USER_RULE"
    pass in quick on em3 inet all flags S/SA keep state allow-opts label "USER_RULE"
    pass in quick on em1 inet proto igmp all keep state allow-opts label "USER_RULE: Multicat traffic IGMP"
    pass in quick on em1 inet proto udp from any to 224.0.0.0/4 keep state allow-opts label "USER_RULE: Multicat traffic UDP"
    pass in quick on em2 reply-to (em2 192.168.3.254) inet proto igmp all no state allow-opts label "USER_RULE"
    pass in quick on em2 reply-to (em2 192.168.3.254) inet proto icmp all keep state allow-opts label "USER_RULE"
    pass in quick on em2 reply-to (em2 192.168.3.254) inet proto udp all keep state allow-opts label "USER_RULE"
    pass in quick on em2 reply-to (em2 192.168.3.254) inet all flags S/SA keep state allow-opts label "USER_RULE"
    pass in quick on gre0 reply-to (gre0 10.10.10.2) inet proto igmp from 10.10.10.0/30 to 224.0.0.0/8 keep state allow-opts label "USER_RULE"
    pass in quick on gre0 reply-to (gre0 10.10.10.2) inet from any to 192.168.113.0/24 flags S/SA keep state allow-opts label "USER_RULE"
    pass in quick on gre0 reply-to (gre0 10.10.10.2) inet all flags S/SA keep state allow-opts label "USER_RULE"
    pass in quick on gre0 reply-to (gre0 10.10.10.2) inet proto igmp all keep state allow-opts label "USER_RULE"
    pass in quick on gre0 reply-to (gre0 10.10.10.2) inet proto udp all keep state allow-opts label "USER_RULE"
    pass in quick on gre0 reply-to (gre0 10.10.10.2) inet proto icmp all keep state allow-opts label "USER_RULE"
    pass in quick on gre0 reply-to (gre0 10.10.10.2) inet proto gre all keep state allow-opts label "USER_RULE"

    The multicast is arriving on interface EM3 and should be routed to tunnel interface GRE0.

    I see the multicast reports arriving on the GRE0 interface; 10.10.10.2 is the remote tunnel endpoint:
    15:39:04.138013 IP 10.10.10.2 > 239.255.1.8: igmp v2 report 239.255.1.8
    15:39:11.757964 IP 10.10.10.2 > 239.255.1.8: igmp v2 report 239.255.1.8
    15:39:16.461933 IP 10.10.10.2 > 239.255.1.8: igmp v2 report 239.255.1.8

    When these IGMP reports arrive on the GRE0 interface, I see this error message in the igmpproxy logs:
    No interfaces found for source 10.10.10.2

    And I see no IGMP traffic on the EM3 interface when I do "tcpdump -vvni em3 igmp".

    I cannot understand why this is not working; I must be doing something wrong.
    Does someone have some advice for me, please?

    Manuel Silva.
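
The following is an added example, not part of the original post and not igmpproxy's own code: a small Python lint for the posted `igmpproxy.conf` that flags `altnet` entries with host bits set and reports which enabled `phyint` covers a given source address. It treats coverage as plain prefix containment, which is an assumption about how igmpproxy matches sources; the function names are hypothetical.

```python
import ipaddress

# phyint stanzas copied from the post above (remaining disabled lines omitted)
CONF = """\
quickleave
phyint em3 upstream ratelimit 0 threshold 1
altnet 192.168.113.0/24
altnet 239.255.1.8/8

phyint gre0 downstream ratelimit 0 threshold 1
altnet 10.10.10.0/30
altnet 239.255.1.8/8

phyint bge0 disabled
"""

def parse_phyints(text):
    """Return {ifname: {"role": ..., "altnets": [...]}}; the file is read as a token stream."""
    tokens = [t for line in text.splitlines() for t in line.split("#", 1)[0].split()]
    phyints, current, i = {}, None, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "phyint" and i + 1 < len(tokens):
            current = phyints.setdefault(tokens[i + 1], {"role": None, "altnets": []})
            i += 1
        elif tok in ("upstream", "downstream", "disabled") and current is not None:
            current["role"] = tok
        elif tok == "altnet" and current is not None and i + 1 < len(tokens):
            current["altnets"].append(tokens[i + 1])
            i += 1
        i += 1  # ratelimit/threshold and their values are skipped
    return phyints

def lint(phyints):
    """List (ifname, altnet, normalised) for altnets that are not clean network addresses."""
    findings = []
    for name, p in phyints.items():
        for net in p["altnets"]:
            normalised = str(ipaddress.ip_network(net, strict=False))
            if normalised != net:
                findings.append((name, net, normalised))
    return findings

def covering(phyints, source):
    """Enabled interfaces with an altnet that contains the source address."""
    addr = ipaddress.ip_address(source)
    return [name for name, p in phyints.items() if p["role"] != "disabled"
            and any(addr in ipaddress.ip_network(n, strict=False) for n in p["altnets"])]

if __name__ == "__main__":
    cfg = parse_phyints(CONF)
    print(lint(cfg), covering(cfg, "10.10.10.2"))
```

On the posted configuration this reports `239.255.1.8/8` on both interfaces as an address with host bits set (the enclosing network is `239.0.0.0/8`), and shows that `10.10.10.2` falls inside the `altnet 10.10.10.0/30` declared on `gre0`.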