On pfSense 2.2 IGMP Proxy does not work with GRE tunnels
Hello,
I have done one post on another thread, but this seems the correct place to do it.
I am trying to route some multicast stream (UDP 239.x.x.x) to one GRE interface using pfSense 2.2.
But I am not having success in doing it. I have done the following:
1) Create the GRE tunnel + create the GRE interface
I am able to ping the other endpoint of the GRE tunnel with success.
- I have configured the IGMP proxy to have one Upstream and two downstreams.
First Interface Downstream is the GRE interface
Second Downstream Interface is one physical interface.
- I have set up the firewall rules to permit everything, and also in the rules "Advanced Options" I have activated the flag "This allows packets with IP Options to pass".
I see that the multicast is routed to the other tunnel endpoint for some seconds and then stops!
I can see, on pfSense, using tcpdump that the IGMP requests are arriving from the GRE tunnel, but for some reason the multicasts are not routed to it. I see that if I restart the IGMP Proxy service, the multicast starts being routed again to the tunnel interface, but only for a short period of time.
I already read almost all the posts about this topic, and it was they that showed me the right path, but now I am not able to figure out what is happening.
Does someone have an idea of what the cause is?
I have done the configuration mentioned on the post, but still no multicast is arriving on the tunnel.
The configurations are:
- IGMP Proxy
:more igmpproxy.conf
##------------------------------------------------------
# Enable Quickleave mode (Sends Leave instantly)
##------------------------------------------------------
quickleave
phyint em3 upstream ratelimit 0 threshold 1
    altnet 192.168.113.0/24
    altnet 239.255.1.8/8
phyint gre0 downstream ratelimit 0 threshold 1
    altnet 10.10.10.0/30
    altnet 239.255.1.8/8
phyint bge0 disabled
phyint em0 disabled
phyint bge1 disabled
phyint em1 disabled
phyint em2 disabled
- The firewall rules are: pfctl -sr | grep allow-opts
pass out inet all flags S/SA keep state allow-opts label "let out anything IPv4 from firewall host itself"
pass out inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
pass out route-to (bge0 192.168.0.254) inet from 192.168.0.25 to ! 192.168.0.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out route-to (bge1 REMOTE_SERVER) inet from REMOTE_SERVER to ! REMOTE_SERVER/16 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out route-to (em2 192.168.3.254) inet from 192.168.3.25 to ! 192.168.3.0/24 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass out route-to (gre0 10.10.10.2) inet from 10.10.10.1 to ! 10.10.10.0/30 flags S/SA keep state allow-opts label "let out anything from firewall host itself"
pass in quick on em3 inet proto udp from any to 224.0.0.0/4 keep state allow-opts label "USER_RULE"
pass in quick on em3 inet from any to 192.168.113.0/24 flags S/SA keep state allow-opts label "USER_RULE"
pass in quick on em3 inet proto icmp all keep state allow-opts label "USER_RULE"
pass in quick on em3 inet proto udp all keep state allow-opts label "USER_RULE"
pass in quick on em3 inet all flags S/SA keep state allow-opts label "USER_RULE"
pass in quick on em1 inet proto igmp all keep state allow-opts label "USER_RULE: Multicat traffic IGMP"
pass in quick on em1 inet proto udp from any to 224.0.0.0/4 keep state allow-opts label "USER_RULE: Multicat traffic UDP"
pass in quick on em2 reply-to (em2 192.168.3.254) inet proto igmp all no state allow-opts label "USER_RULE"
pass in quick on em2 reply-to (em2 192.168.3.254) inet proto icmp all keep state allow-opts label "USER_RULE"
pass in quick on em2 reply-to (em2 192.168.3.254) inet proto udp all keep state allow-opts label "USER_RULE"
pass in quick on em2 reply-to (em2 192.168.3.254) inet all flags S/SA keep state allow-opts label "USER_RULE"
pass in quick on gre0 reply-to (gre0 10.10.10.2) inet proto igmp from 10.10.10.0/30 to 224.0.0.0/8 keep state allow-opts label "USER_RULE"
pass in quick on gre0 reply-to (gre0 10.10.10.2) inet from any to 192.168.113.0/24 flags S/SA keep state allow-opts label "USER_RULE"
pass in quick on gre0 reply-to (gre0 10.10.10.2) inet all flags S/SA keep state allow-opts label "USER_RULE"
pass in quick on gre0 reply-to (gre0 10.10.10.2) inet proto igmp all keep state allow-opts label "USER_RULE"
pass in quick on gre0 reply-to (gre0 10.10.10.2) inet proto udp all keep state allow-opts label "USER_RULE"
pass in quick on gre0 reply-to (gre0 10.10.10.2) inet proto icmp all keep state allow-opts label "USER_RULE"
pass in quick on gre0 reply-to (gre0 10.10.10.2) inet proto gre all keep state allow-opts label "USER_RULE"
The multicast is arriving on interface EM3 and should be routed to tunnel interface GRE0.
I see the multicast reports arriving on the GRE0 interface; 10.10.10.2 is the remote tunnel endpoint:
15:39:04.138013 IP 10.10.10.2 > 239.255.1.8: igmp v2 report 239.255.1.8
15:39:11.757964 IP 10.10.10.2 > 239.255.1.8: igmp v2 report 239.255.1.8
15:39:16.461933 IP 10.10.10.2 > 239.255.1.8: igmp v2 report 239.255.1.8
When these IGMP reports are arriving on the GRE0 interface I see in the igmpproxy logs the error message:
No interfaces found for source 10.10.10.2
And I see no IGMP traffic on the EM3 interface when I do "tcpdump -vvni em3 igmp".
I cannot understand why this is not working; I must be doing something wrong.
Does someone have some advice for me, please?
Manuel Silva.