On pfSense 2.2 IGMP Proxy does not work with GRE tunnels

MSilva

Hello,

I have done one post on another thread, but this seems the correct place to do it.

I am trying to route some multicast stream (UDP 239.x.x.x) to one GRE interface using pfSense 2.2.
But I am not having success in doing it.

I have done the following:

1)Create de GRE tunnel + create the GRE interface
  I am able to ping the other endpoint of the GRE tunnel with success.

2. I have configured the IGMP proxy to have one Upstream and two downstreams.
     First Interface Downstream is the GRE interface
     Second Donwstream Interface is one physical interface.

3. I have step up the firewall rules to permit everyting, and also in the rules "Advanced Options" I have activated the flag "This allows packets with IP Options to pass".

I see that the multicast routed to the other Tunnel endpoint for some seconds and then stop!
I can see, on pfsense, using tcpdump that the IGMP requests are arriving from the GRE tunnel, but for some reason the multicasts are not routed to it.

I see that if i restart the IGMP Proxy service, the multicast start being routed again to the tunnel interface, but only for a short period of time.

I already read almost all the posts about this topic, and it were them that show me the right path, but now I am not able to figured out what is happening.

Can some have an idea of is the cause?

I have done the configuration mentioned on the post, but still no multicast is arriving on the tunnel.

The configurations are:

1. IGMP Proxy

:more igmpproxy.conf

##–----------------------------------------------------

Enable Quickleave mode (Sends Leave instantly)

##------------------------------------------------------
quickleave
phyint em3 upstream ratelimit 0 threshold 1
altnet 192.168.113.0/24
altnet 239.255.1.8/8

phyint gre0 downstream ratelimit 0 threshold 1
altnet 10.10.10.0/30
altnet 239.255.1.8/8

phyint bge0 disabled
phyint em0 disabled
phyint bge1 disabled
phyint em1 disabled
phyint em2 disabled

2. The firewall rules are:  pfctl -sr | grep allow-opts

pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
pass out route-to (bge0 192.168.0.254) inet from 192.168.0.25 to ! 192.168.0.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out route-to (bge1 REMOTE_SERVER) inet from REMOTE_SERVER to ! REMOTE_SERVER/16 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out route-to (em2 192.168.3.254) inet from 192.168.3.25 to ! 192.168.3.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out route-to (gre0 10.10.10.2) inet from 10.10.10.1 to ! 10.10.10.0/30 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass in quick on em3 inet proto udp from any to 224.0.0.0/4 keep state allow-opts label "USER_RULE"
pass in quick on em3 inet from any to 192.168.113.0/24 flags S/SA keep state allow-opts label "USER_RULE"
pass in quick on em3 inet proto icmp all keep state allow-opts label "USER_RULE"
pass in quick on em3 inet proto udp all keep state allow-opts label "USER_RULE"
pass in quick on em3 inet all flags S/SA keep state allow-opts label "USER_RULE"
pass in quick on em1 inet proto igmp all keep state allow-opts label "USER_RULE: Multicat traffic IGMP"
pass in quick on em1 inet proto udp from any to 224.0.0.0/4 keep state allow-opts label "USER_RULE: Multicat traffic UDP"
pass in quick on em2 reply-to (em2 192.168.3.254) inet proto igmp all no state allow-opts label "USER_RULE"
pass in quick on em2 reply-to (em2 192.168.3.254) inet proto icmp all keep state allow-opts label "USER_RULE"
pass in quick on em2 reply-to (em2 192.168.3.254) inet proto udp all keep state allow-opts label "USER_RULE"
pass in quick on em2 reply-to (em2 192.168.3.254) inet all flags S/SA keep state allow-opts label "USER_RULE"
pass in quick on gre0 reply-to (gre0 10.10.10.2) inet proto igmp from 10.10.10.0/30 to 224.0.0.0/8 keep state allow-opts label "USER_RULE"
pass in quick on gre0 reply-to (gre0 10.10.10.2) inet from any to 192.168.113.0/24 flags S/SA keep state allow-opts label "USER_RULE"
pass in quick on gre0 reply-to (gre0 10.10.10.2) inet all flags S/SA keep state allow-opts label "USER_RULE"
pass in quick on gre0 reply-to (gre0 10.10.10.2) inet proto igmp all keep state allow-opts label "USER_RULE"
pass in quick on gre0 reply-to (gre0 10.10.10.2) inet proto udp all keep state allow-opts label "USER_RULE"
pass in quick on gre0 reply-to (gre0 10.10.10.2) inet proto icmp all keep state allow-opts label "USER_RULE"
pass in quick on gre0 reply-to (gre0 10.10.10.2) inet proto gre all keep state allow-opts label "USER_RULE"

The multicast are arriving in interface EM3 and should be routed to tunnel interface GRE0

I see the multicast report arriving on the GRE0 interface, 10.10.10.2 is the remote tunnel endpoint :
15:39:04.138013 IP 10.10.10.2 > 239.255.1.8: igmp v2 report 239.255.1.8
15:39:11.757964 IP 10.10.10.2 > 239.255.1.8: igmp v2 report 239.255.1.8
15:39:16.461933 IP 10.10.10.2 > 239.255.1.8: igmp v2 report 239.255.1.8

When these igmp are arriving on the GRE0 interface I see on the igmpproxy logs the error message:
No interfaces found for source 10.10.10.2

And I see no igmp traffic on EM3 interface when i do "tcpdump -vvni em3 igmp.

I can not understand why this is not working, I must be doing something wrong.
Do someone has some advise for me please?

Manuel Silva.