[HELP] IGMP Multicast Issue

cube · December 18, 2022, 2:18pm

Hi,

I have a vyos router and a raspberry pi with 4g module connected by a zerotier layer 2 tunnel. There is bridge between eth0 and zt interface in the raspberry because I need multicast traffic from the raspberry pi to reach the vyos router.

A iptv client is connected to the ethernet port of the raspberry, and it works with multicast routing (Note that this iptv device works ok when directly connected to the vyos router LAN_IPTV)

I connect the device to the ethernet port (br0) and it gets dhcp from the zt_tv reserverd address 192.168.198.200. So I know the layer 2 bridge is working ok.

18:22:15.523233 IP 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from a8:9fxxxx, length 548
18:22:15.523539 IP 192.168.198.1.67 > 192.168.198.200.68: BOOTP/DHCP, Reply, length 319

But here is the problem, my device is sending igmp v2 reports to join 239.0.2.30 group (which has the udp stream) and it does not get to the vyos router. I thought that the bridge or zerotier could be dropping multicast traffic BUT the igmp v2 leaves (which have the 224.0.0.2 destination address) are getting to the vyos router.

**pi sending reports and leaves**
root@raspberrypi:/home/pi# tcpdump -nni br0 igmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on br0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
22:26:05.836541 IP 192.168.198.1 > 224.0.0.1: igmp query v2
22:26:06.386033 IP 192.168.198.200 > 224.0.0.2: igmp leave 239.0.2.129
22:26:06.391316 IP 192.168.198.200 > 239.0.2.129: igmp v2 report 239.0.2.129
22:26:06.481861 IP 192.168.198.1 > 224.0.0.2: igmp v2 report 224.0.0.2
22:26:07.356312 IP 192.168.198.200 > 239.0.2.30: igmp v2 report 239.0.2.30
22:26:09.134276 IP 192.168.198.200 > 239.0.5.185: igmp v2 report 239.0.5.185
22:26:09.349244 IP 192.168.198.200 > 239.0.2.129: igmp v2 report 239.0.2.129
22:26:10.350438 IP 192.168.198.200 > 224.0.0.2: igmp leave 239.0.2.30
22:26:10.356237 IP 192.168.198.200 > 239.0.2.30: igmp v2 report 239.0.2.30
22:26:11.189726 IP 192.168.198.1 > 239.0.0.1: igmp v2 report 239.0.0.1
22:26:11.400861 IP 192.168.198.200 > 224.0.0.2: igmp leave 239.0.2.129
22:26:11.407205 IP 192.168.198.200 > 239.0.2.129: igmp v2 report 239.0.2.129

**vyos only getting the leaves**
vyos@vyos:~$ sudo tcpdump -nni eth5 igmp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth5, link-type EN10MB (Ethernet), capture size 262144 bytes
17:34:37.682950 IP 192.168.198.200 > 224.0.0.2: igmp leave 239.0.2.129
17:34:41.202831 IP 192.168.198.200 > 224.0.0.2: igmp leave 239.0.2.30
17:34:42.652880 IP 192.168.198.200 > 224.0.0.2: igmp leave 239.0.2.129
17:34:47.663462 IP 192.168.198.200 > 224.0.0.2: igmp leave 239.0.2.129
17:34:51.251242 IP 192.168.198.200 > 224.0.0.2: igmp leave 239.0.2.30
17:34:52.672888 IP 192.168.198.200 > 224.0.0.2: igmp leave 239.0.2.129
17:34:57.682973 IP 192.168.198.200 > 224.0.0.2: igmp leave 239.0.2.129
17:35:01.233323 IP 192.168.198.200 > 224.0.0.2: igmp leave 239.0.2.30
17:35:02.723154 IP 192.168.198.200 > 224.0.0.2: igmp leave 239.0.2.129
17:35:07.705208 IP 192.168.198.200 > 224.0.0.2: igmp leave 239.0.2.129
17:35:11.253226 IP 192.168.198.200 > 224.0.0.2: igmp leave 239.0.2.30
17:35:12.724713 IP 192.168.198.200 > 224.0.0.2: igmp leave 239.0.2.129
17:35:17.732959 IP 192.168.198.200 > 224.0.0.2: igmp leave 239.0.2.129
17:35:21.273066 IP 192.168.198.200 > 224.0.0.2: igmp leave 239.0.2.30
17:35:22.743705 IP 192.168.198.200 > 224.0.0.2: igmp leave 239.0.2.129

Besides, I did some testing with iperf and the igmp v2 reports from the rpi bridge get to the vyos interface with no problem.
Also, somehow, if I use iperf -s -u -B 239.0.2.30%eth5 -i 1 in the vyos router (like forcing to listen on that address), the reports start to arrive and I can see the streaming in the iptv device connected to the pi.

vyos@vyos:~$ sudo tcpdump -nni eth5
18:40:49.405584 IP 192.168.198.200 > 224.0.0.2: igmp leave 239.0.2.129
18:40:53.075746 IP 192.168.198.200 > 224.0.0.2: igmp leave 239.0.2.30
18:40:54.436475 IP 192.168.198.200 > 224.0.0.2: igmp leave 239.0.2.129
18:40:59.445268 IP 192.168.198.200 > 224.0.0.2: igmp leave 239.0.2.129
18:41:03.095979 IP 192.168.198.200 > 224.0.0.2: igmp leave 239.0.2.30

** here I run iperf -s -u -B 239.0.2.30%eth5 -i 1 **

18:41:03.767165 IP 192.168.198.1 > 239.0.2.30: igmp v2 report 239.0.2.30
18:41:04.445836 IP 192.168.198.200 > 224.0.0.2: igmp leave 239.0.2.129
18:41:05.915475 IP 192.168.198.200 > 239.0.2.30: igmp v2 report 239.0.2.30
18:41:05.916168 IP 192.168.198.200 > 239.0.2.30: igmp v2 report 239.0.2.30
18:41:05.916620 IP 192.168.198.200 > 239.0.2.30: igmp v2 report 239.0.2.30
18:41:05.986245 IP 172.26.20.41.30774 > 239.0.2.30.22222: UDP, length 1400
18:41:06.102858 IP 172.26.20.41.30774 > 239.0.2.30.22222: UDP, length 1400
18:41:06.220126 IP 172.26.20.41.30774 > 239.0.2.30.22222: UDP, length 1151
18:41:06.220350 IP 172.26.20.41.30774 > 239.0.2.30.22222: UDP, length 235
18:41:06.220512 IP 172.26.20.41.30774 > 239.0.2.30.22222: UDP, length 52
18:41:06.220696 IP 172.26.20.41.30774 > 239.0.2.30.22222: UDP, length 50
18:41:06.336237 IP 172.26.20.41.30774 > 239.0.2.30.22222: UDP, length 1121
18:41:06.336473 IP 172.26.20.41.30774 > 239.0.2.30.22222: UDP, length 53
18:41:06.336645 IP 172.26.20.41.30774 > 239.0.2.30.22222: UDP, length 49
18:41:06.336784 IP 172.26.20.41.30774 > 239.0.2.30.22222: UDP, length 49
18:41:06.336968 IP 172.26.20.41.30774 > 239.0.2.30.22222: UDP, length 94
18:41:06.452915 IP 172.26.20.41.30774 > 239.0.2.30.22222: UDP, length 1400
18:41:06.569589 IP 172.26.20.41.30774 > 239.0.2.30.22222: UDP, length 407
18:41:06.686150 IP 172.26.20.41.30774 > 239.0.2.30.22222: UDP, length 1400
18:41:06.686287 IP 172.26.20.41.30774 > 239.0.2.30.22222: UDP, length 379
18:41:06.803274 IP 172.26.20.41.30774 > 239.0.2.30.22222: UDP, length 1400
18:41:06.803450 IP 172.26.20.41.30774 > 239.0.2.30.22222: UDP, length 527
18:41:06.919759 IP 172.26.20.41.30774 > 239.0.2.30.22222: UDP, length 1400
 
** this is the multicast route table when it works (eth2 is lan, eth5 is zerotier)**
vyos@vyos# ip mroute
(172.26.20.41,239.0.2.2)         Iif: eth0.2     Oifs: eth2  State: resolved
(172.23.61.201,239.0.5.185)      Iif: eth0.2     Oifs: eth2  State: resolved
(172.26.20.39,239.0.2.155)       Iif: eth0.2     Oifs: eth2  State: resolved
(172.26.20.41,239.0.2.30)        Iif: eth0.2     Oifs: eth2 eth5  State: resolved
(172.26.20.39,239.0.2.129)       Iif: eth0.2     Oifs: eth2  State: resolved

CONFIGURATIONS
-vyos:

set firewall options interface pppoe0 adjust-mss '1452'
set firewall receive-redirects 'disable'
set firewall send-redirects 'enable'
set firewall source-validation 'disable'
set firewall syn-cookies 'enable'
set firewall twa-hazards-protection 'disable'

set interfaces ethernet eth0 duplex 'auto'
set interfaces ethernet eth0 speed 'auto'
set interfaces ethernet eth0 vif 2 address '10.x.x.x/10'
set interfaces ethernet eth0 vif 2 description 'IPTV'
set interfaces ethernet eth0 vif 2 mtu '1500'
set interfaces ethernet eth0 vif 6 description 'Internet (PPPoE)'

set interfaces ethernet eth2 address '192.168.98.1/24'
set interfaces ethernet eth2 description 'LAN IPTV'
set interfaces ethernet eth2 duplex 'auto'
set interfaces ethernet eth2 speed 'auto'

set interfaces ethernet eth5 description 'ZeroTier IPTV'

set interfaces pppoe pppoe0 authentication password 'XXXX'
set interfaces pppoe pppoe0 authentication user 'XXXX'
set interfaces pppoe pppoe0 connect-on-demand
set interfaces pppoe pppoe0 default-route 'auto'
set interfaces pppoe pppoe0 mtu '1492'
set interfaces pppoe pppoe0 source-interface 'eth0.6'

set nat source rule 1 outbound-interface 'pppoe0'
set nat source rule 1 protocol 'all'
set nat source rule 1 source
set nat source rule 1 translation address 'masquerade'
set nat source rule 2 log 'enable'
set nat source rule 2 outbound-interface 'eth0.2'
set nat source rule 2 protocol 'all'
set nat source rule 2 source
set nat source rule 2 translation address 'masquerade'

set protocols igmp-proxy disable-quickleave
set protocols igmp-proxy interface eth0.2 alt-subnet '172.0.0.0/8'
set protocols igmp-proxy interface eth0.2 role 'upstream'
set protocols igmp-proxy interface eth0.2 threshold '1'
set protocols igmp-proxy interface eth1 role 'downstream'
set protocols igmp-proxy interface eth1 threshold '1'
set protocols igmp-proxy interface eth2 role 'downstream'
set protocols igmp-proxy interface eth2 threshold '1'
set protocols igmp-proxy interface eth5 role 'downstream'
set protocols igmp-proxy interface eth5 threshold '1'

set protocols rip interface 'eth0.2'
set protocols rip passive-interface 'default'

set service dhcp-server global-parameters 'option opch code 240 = text;'
set service dhcp-server listen-address '192.168.98.1'
set service dhcp-server listen-address '192.168.198.1'
set service dhcp-server shared-network-name ZT_TV subnet 192.168.198.0/24 default-router '192.168.198.1'
set service dhcp-server shared-network-name ZT_TV subnet 192.168.198.0/24 lease '86400'
set service dhcp-server shared-network-name ZT_TV subnet 192.168.198.0/24 range 0 start '192.168.198.201'
set service dhcp-server shared-network-name ZT_TV subnet 192.168.198.0/24 range 0 stop '192.168.198.205'
set service dhcp-server shared-network-name ZT_TV subnet 192.168.198.0/24 static-mapping arris_STIH207-0.0 ip-address '192.168.198.200'
set service dhcp-server shared-network-name ZT_TV subnet 192.168.198.0/24 static-mapping arris_STIH207-0.0 mac-address 'a8:9fxxxxxx'
set service dhcp-server shared-network-name ZT_TV subnet 192.168.198.0/24 subnet-parameters 'option domain-name-servers 172.26.23.3;'
set service dhcp-server shared-network-name ZT_TV subnet 192.168.198.0/24 subnet-parameters 'option opch &quot;:::::239.0.2.10:22222:v6.0:239.0.2.30:22222&quot;;'

set service dhcp-server shared-network-name LAN_TV subnet 192.168.98.0/24 default-router '192.168.98.1'
set service dhcp-server shared-network-name LAN_TV subnet 192.168.98.0/24 lease '86400'
set service dhcp-server shared-network-name LAN_TV subnet 192.168.98.0/24 range 0 start '192.168.98.200'
set service dhcp-server shared-network-name LAN_TV subnet 192.168.98.0/24 range 0 stop '192.168.98.205'
set service dhcp-server shared-network-name LAN_TV subnet 192.168.98.0/24 static-mapping HUMAX_PTT1000 ip-address '192.168.98.200'
set service dhcp-server shared-network-name LAN_TV subnet 192.168.98.0/24 static-mapping HUMAX_PTT1000 mac-address 'ec:c3xxxxxx'
set service dhcp-server shared-network-name LAN_TV subnet 192.168.98.0/24 subnet-parameters 'option domain-name-servers 172.26.23.3;'
set service dhcp-server shared-network-name LAN_TV subnet 192.168.98.0/24 subnet-parameters 'option opch &quot;:::::239.0.2.10:22222:v6.0:239.0.2.30:22222&quot;;'

-bridge:

# bridge -d link show
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0 state forwarding priority 32 cost 19
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off
9: ztqu3h7blr: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2800 master br0 state forwarding priority 32 cost 100
    hairpin off guard off root_block off fastleave off learning on flood on mcast_flood on mcast_to_unicast off neigh_suppress off vlan_tunnel off isolated off
10: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 master br0

So I am a bit confused, I don’t know if it’s something about the pi bridge, zerotier or vyos, but i hope someone can shed some light on this which is driving me crazy.

cube · December 19, 2022, 11:08pm

Solved it creating a bridge to a physical eth of the vyos router. Everything works now.

system · December 22, 2022, 10:45am

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.