Recently (probably after the latest December update) IGMP traffic stopped working.
Is there again any solution?
AFAIK the rules have been set up as pointed out in various documentation on the PF firewall.
IPTV now stays black, "play error" only on live streams. (OTT traffic still works).
Router/Network:
Setup: VLAN 4 = Entry point for Multicast traffic (=Upstream) DHCP interface.
VLAN 12 = TVLAN : STB is connected here (=Downstream)
(WAN is interface for OTT)...
[ Other VLANS exist, not relevant for Mcast ].
IGMP:
For upstream the 100.64.0.0/20 address block is used. This is mentioned in the upstream block.
For downstream the 192.168.TVLAN.0/24 is used, STB requests DHCP address.
Firewall:
Floating rule:
Interface VLAN04, VLAN012
Protocol: IPv4 IGMP
Source: any
Destination: any
Direction: in
Options: allow all
Verdict: pass
Floating rule:
Interface VLAN04, VLAN012
Protocol: IPv4 IGMP
Source: any
Destination: any
Direction: out
Options: allow all
Verdict: pass
Floating rule:
Interface VLAN04, VLAN012
Protocol: IPv4 IGMP
Source: This Firewall
Destination: any
Direction: out
Options: allow all
Verdict: pass
(+ similar for MC packets )
# pfctl -s rules |grep igmp | grep vlan04
pass out quick on vlan04 inet proto igmp from (self) to any no state allow-opts label "94c660efceff2ab83dc70703cb0c9a75"
pass in quick on vlan04 inet proto igmp all no state allow-opts label "814db0b05f4e6b06d600a2090c22024e"
pass in quick on vlan04 inet proto igmp from any to (self) no state allow-opts label "ed02681de5b1e6111e114f5c4314b46e"
# pfctl -s rules |grep igmp | grep vlan012
pass out quick on vlan012 inet proto igmp from (self) to any no state allow-opts label "94c660efceff2ab83dc70703cb0c9a75"
pass in quick on vlan012 inet proto igmp all no state allow-opts label "814db0b05f4e6b06d600a2090c22024e"
pass in quick on vlan012 inet proto igmp from any to (self) no state allow-opts label "ed02681de5b1e6111e114f5c4314b46e"
When running:
# igmpproxy -n -vv -d /usr/local/etc/igmpproxy.conf
The following shows:
sendto to 224.0.0.1 on 192.168.TVLAN.1; Errno(13): Permission denied
SENT Membership query from 192.168.TVLAN.1 to 224.0.0.1
Sent membership query from 192.168.TVLAN.1 to 224.0.0.1. Delay: 10
Created timeout 721 (#0) - delay 10 secs
(Id:721, Time:10)
Created timeout 722 (#1) - delay 115 secs
(Id:721, Time:10)
(Id:722, Time:115)
RECV Membership query from 192.168.TVLAN.1 to 224.0.0.1
RECV V2 member report from 192.168.TVLAN.1 to 224.0.0.251
The IGMP message was from myself. Ignoring.
RECV V2 member report from 192.168.TVLAN.1 to 224.0.0.22
The IGMP message was from myself. Ignoring.
# About to call timeout 721 (#0)
Aging routes in table.
Current routing table (Age active routes):
-----------------------------------------------------
No routes in table...
-----------------------------------------------------
Most recent update was installed somewhere last week.
System was rebooted after upgrade. Apparently, if mDNS-repeater is started before IGMP-proxy, IGMP-proxy fails this way.
If IGMP-proxy is started first, then it does work as advertised.
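An added example, not part of the original post: a shell check that reads `pfctl -s rules` output like the listing above and confirms each multicast interface has IGMP pass rules in both directions, all carrying `allow-opts`. The function names, the sample rules, their labels and the `vlan01` interface are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit `pfctl -s rules` output
# for IGMP pass rules. IGMP packets carry the IP Router Alert option, and pf
# drops option-bearing packets unless the matching pass rule has allow-opts.

# Constructed sample rules; labels are placeholders, vlan01 is hypothetical.
sample_rules() {
cat <<'EOF'
pass in quick on vlan04 inet proto igmp all no state allow-opts label "constructed-1"
pass out quick on vlan04 inet proto igmp from (self) to any no state allow-opts label "constructed-2"
pass in quick on vlan012 inet proto igmp all no state allow-opts label "constructed-3"
pass out quick on vlan012 inet proto igmp from (self) to any no state label "constructed-4"
pass in quick on vlan01 inet proto igmp all no state label "constructed-5"
EOF
}

# audit_igmp_rules IFACE: reads rules on stdin, prints one verdict per
# direction, returns 0 only if both directions have igmp pass rules and
# every one of them carries allow-opts.
audit_igmp_rules() {
    awk -v ifc="$1" '
        $1 == "pass" && / proto igmp( |$)/ {
            on = ""
            for (i = 1; i < NF; i++) if ($i == "on") { on = $(i + 1); break }
            if (on != ifc) next          # exact match: vlan01 is not vlan012
            bad = ($0 !~ / allow-opts( |$)/)
            # A rule with no in/out keyword applies to both directions.
            if ($2 != "out") { seen["in"]++;  lacks["in"]  += bad }
            if ($2 != "in")  { seen["out"]++; lacks["out"] += bad }
        }
        END {
            rc = 0
            n = split("in out", d, " ")
            for (k = 1; k <= n; k++) {
                if (!seen[d[k]])      { v = "no igmp pass rule"; rc = 1 }
                else if (lacks[d[k]]) { v = "pass rule without allow-opts"; rc = 1 }
                else                    v = "ok"
                printf "%s %s: %s\n", ifc, d[k], v
            }
            exit rc
        }'
}

# Demo on the constructed sample; live use: pfctl -s rules | audit_igmp_rules vlan04
sample_rules | audit_igmp_rules vlan012 || true
```

Matching the interface as a whole token avoids the substring trap of `grep`, where a pattern for one VLAN name can also match a longer one.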