Multicast IGMP reports missing

Hi,

I'm running the latest TurrisOS which ships OpenWrt 21.02. When I upgraded TurrisOS from 5.x.y to 6.x.y (OpenWrt upgrade from 19.07 to 21.02), multicast traffic stopped being visible to the router. I've already asked in the Turris forums but nobody has suggested anything and I'm out of ideas. The official Turris technical support suggested getting this sorted with the OpenWrt user community.

I've got a device wired directly to lan4, which is configured as:

config interface 'VERO'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6hint '2'
	option device 'lan4'

This device in question has IPv4 address 192.168.2.21. In that device, if I try to join multicast group 239.77.3.6 via:

socat STDIO UDP4-DATAGRAM:239.77.3.6:8889,ip-add-membership=239.77.3.6:192.168.2.21

I can see on the device via tcpdump (with tcpdump -i eth0 -vv src 192.168.2.21 and igmp -n) the IGMPv2 report packets to join the group:

09:22:21.516913 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
    192.168.2.21 > 239.77.3.6: igmp v2 report 239.77.3.6

However, if I listen on the router side with tcpdump -i lan4 -vv src 192.168.2.21 and igmp -n I cannot see any traffic at all. Other traffic like ICMP or TCP is visible as it should be.

As I mentioned this used to work fine on OpenWrt 19.07.

Does anybody know why?

Thanks.

Please reproduce it on an official OpenWrt installation first, we do not know what kind of modifications are contained in TurrisOS

2 Likes

Lol, the support told you to ask us about their product?

1 Like

Yes, unfortunately:

Actually, this topic is rather advanced and already exceeds our official
technical support. On the other hand, if you manage to figure it out in
collaboration with our or the OpenWrt user community, we can help you to
implement a solution either to Turris OS or directly to the OpenWrt upstream.

They're also "keeping their fingers crossed for me" :smiley:

Can you provide a more complete network configuration and also your /etc/config/firewall to see by which policy and rules the VERO/lan4 interface is covered? Also provide the output of sysctl -a | grep lan4 for completeness.

Hi @jow

First of all, I know this is not your business and I totally understand that you'd prefer if I reproduced this using a vanilla OpenWrt installation. I sincerely appreciate your help, though.

I (maybe wrongly) discarded this being a firewall misconfiguration as, if I understand correctly, tcpdump sits before netfilter for input traffic so the fact that there's nothing on the interface shouldn't have anything to do with the firewall. It smells like the traffic is discarded at kernel/driver level before it's delivered to user space. I've also tried to enable /proc/sys/net/ipv4/conf/lan4/log_martians just in case but nothing is being logged.

Here's the requested information (I've obfuscated public IP addresses, MAC addresses and some device names):

ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN group default qlen 1024
    link/ether MAC7 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1508 qdisc mq state UP group default qlen 1024
    link/ether MAC8 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::MAC1/64 scope link 
       valid_lft forever preferred_lft forever
4: eth2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1024
    link/ether MAC7 brd ff:ff:ff:ff:ff:ff
    inet IPV4_PUB_ADDR/24 brd 85.195.208.255 scope global eth2
       valid_lft forever preferred_lft forever
    inet6 IPV6_PREFIX_2:MAC2/64 scope global dynamic noprefixroute 
       valid_lft 2591998sec preferred_lft 604798sec
    inet6 IPV6_PREFIX_2::10/128 scope global dynamic noprefixroute 
       valid_lft 3635sec preferred_lft 2635sec
    inet6 fe80::MAC2/64 scope link 
       valid_lft forever preferred_lft forever
5: lan0@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether MAC8 brd ff:ff:ff:ff:ff:ff
6: lan1@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether MAC8 brd ff:ff:ff:ff:ff:ff
7: lan2@eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN group default qlen 1000
    link/ether MAC8 brd ff:ff:ff:ff:ff:ff
8: lan3@eth1: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue master br-lan state LOWERLAYERDOWN group default qlen 1000
    link/ether MAC8 brd ff:ff:ff:ff:ff:ff
9: lan4@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether MAC8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global lan4
       valid_lft forever preferred_lft forever
    inet6 IPV6_PREFIX:2::1/64 scope global dynamic noprefixroute 
       valid_lft 3635sec preferred_lft 2635sec
    inet6 fe80::MAC1/64 scope link 
       valid_lft forever preferred_lft forever
10: ip6tnl0@NONE: <NOARP> mtu 1452 qdisc noop state DOWN group default qlen 1000
    link/tunnel6 :: brd :: permaddr e61f:cd46:ff44::
11: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/sit 0.0.0.0 brd 0.0.0.0
19: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether MAC8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br-lan
       valid_lft forever preferred_lft forever
    inet6 IPV6_PREFIX:1::1/64 scope global dynamic noprefixroute 
       valid_lft 3635sec preferred_lft 2635sec
    inet6 fe80::MAC1/64 scope link 
       valid_lft forever preferred_lft forever
20: wlan1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether MAC10 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::MAC3/64 scope link 
       valid_lft forever preferred_lft forever
21: wlan0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-lan state UP group default qlen 1000
    link/ether MAC11 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::MAC4/64 scope link 
       valid_lft forever preferred_lft forever
26: vtun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 500
    link/none 
    inet 172.16.1.1/24 scope global vtun0
       valid_lft forever preferred_lft forever
    inet6 IPV6_PREFIX:f::1/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::e8fd:ff62:ec78:b97c/64 scope link stable-privacy 
       valid_lft forever preferred_lft forever

So basically all physical LAN devices plus the two WLANs bridged into br-lan living in a single network. Then lan4 with a separate network where the device that generates the IGMP traffic sits. The WAN interface is eth2. There's also a virtual interface for a VPN (vtun0).

/etc/config/firewall

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option family 'ipv6'
	option dest_ip 'IPV6_PREFIX:1::25'
	option dest_port '51413'
	option name 'Allow PY to ZZ'
	option dest 'lan'

config rule
	option target 'ACCEPT'
	option src 'lan'
	option name 'Allow outgoing ntpd from TT'
	option proto 'udp'
	option src_mac 'MAC1'
	option dest 'wan'
	option dest_port '123'

config rule
	option src 'lan'
	option name 'Drop outgoing traffic from TT'
	option src_mac 'MAC1'
	option target 'REJECT'
	option dest 'wan'

config rule
	option target 'ACCEPT'
	option src 'wan'
	option proto 'udp'
	option dest_port '1194'
	option name 'Allow-OpenVPN'

config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	option network 'OpenVPN VERO lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	option network 'wan wan6 WAN4'

config forwarding
	option src 'lan'
	option dest 'wan'

config include
	option path '/etc/firewall.user'

config redirect
	option target 'DNAT'
	option src 'wan'
	option dest 'lan'
	option proto 'tcp udp'
	option src_dport '51413'
	option dest_ip '192.168.1.25'
	option dest_port '51413'
	option name 'YYT'

config rule
	option dest_port '80'
	option src 'wan'
	option name 'Allow-HTTP-XX'
	option target 'ACCEPT'
	option family 'ipv6'
	list dest_ip 'IPV6_PREFIX:1::26'
	option dest 'lan'
	list proto 'tcp'

config rule
	option dest_port '443'
	option src 'wan'
	option name 'Allow-HTTPS-XX'
	option target 'ACCEPT'
	option family 'ipv6'
	list dest_ip 'IPV6_PREFIX:1::26'
	option dest 'lan'
	list proto 'tcp'

config zone 'turris_vpn_client'
	option name 'tr_vpn_cl'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

config forwarding 'turris_vpn_client_forward'
	option src 'lan'
	option dest 'tr_vpn_cl'

sysctl -a | grep lan4

net.ipv4.conf.lan4.accept_local = 0
net.ipv4.conf.lan4.accept_redirects = 1
net.ipv4.conf.lan4.accept_source_route = 1
net.ipv4.conf.lan4.arp_accept = 0
net.ipv4.conf.lan4.arp_announce = 0
net.ipv4.conf.lan4.arp_filter = 0
net.ipv4.conf.lan4.arp_ignore = 1
net.ipv4.conf.lan4.arp_notify = 0
net.ipv4.conf.lan4.bc_forwarding = 0
net.ipv4.conf.lan4.bootp_relay = 0
net.ipv4.conf.lan4.disable_policy = 0
net.ipv4.conf.lan4.disable_xfrm = 0
net.ipv4.conf.lan4.drop_gratuitous_arp = 0
net.ipv4.conf.lan4.drop_unicast_in_l2_multicast = 0
net.ipv4.conf.lan4.force_igmp_version = 0
net.ipv4.conf.lan4.forwarding = 1
net.ipv4.conf.lan4.igmpv2_unsolicited_report_interval = 10000
net.ipv4.conf.lan4.igmpv3_unsolicited_report_interval = 1000
net.ipv4.conf.lan4.ignore_routes_with_linkdown = 0
net.ipv4.conf.lan4.log_martians = 0
net.ipv4.conf.lan4.mc_forwarding = 1
net.ipv4.conf.lan4.medium_id = 0
net.ipv4.conf.lan4.promote_secondaries = 0
net.ipv4.conf.lan4.proxy_arp = 0
net.ipv4.conf.lan4.proxy_arp_pvlan = 0
net.ipv4.conf.lan4.route_localnet = 0
net.ipv4.conf.lan4.rp_filter = 0
net.ipv4.conf.lan4.secure_redirects = 1
net.ipv4.conf.lan4.send_redirects = 1
net.ipv4.conf.lan4.shared_media = 1
net.ipv4.conf.lan4.src_valid_mark = 0
net.ipv4.conf.lan4.tag = 0
net.ipv4.neigh.lan4.anycast_delay = 100
net.ipv4.neigh.lan4.app_solicit = 0
net.ipv4.neigh.lan4.base_reachable_time = 30
net.ipv4.neigh.lan4.base_reachable_time_ms = 30000
net.ipv4.neigh.lan4.delay_first_probe_time = 5
net.ipv4.neigh.lan4.gc_stale_time = 60
net.ipv4.neigh.lan4.locktime = 100
net.ipv4.neigh.lan4.mcast_resolicit = 0
net.ipv4.neigh.lan4.mcast_solicit = 3
net.ipv4.neigh.lan4.proxy_delay = 80
net.ipv4.neigh.lan4.proxy_qlen = 64
net.ipv4.neigh.lan4.retrans_time = 100
net.ipv4.neigh.lan4.retrans_time_ms = 1000
net.ipv4.neigh.lan4.ucast_solicit = 3
net.ipv4.neigh.lan4.unres_qlen = 91
net.ipv4.neigh.lan4.unres_qlen_bytes = 180224
net.ipv6.conf.lan4.accept_dad = 1
net.ipv6.conf.lan4.accept_ra = 0
net.ipv6.conf.lan4.accept_ra_defrtr = 1
net.ipv6.conf.lan4.accept_ra_from_local = 0
net.ipv6.conf.lan4.accept_ra_min_hop_limit = 1
net.ipv6.conf.lan4.accept_ra_mtu = 1
net.ipv6.conf.lan4.accept_ra_pinfo = 1
net.ipv6.conf.lan4.accept_redirects = 1
net.ipv6.conf.lan4.accept_source_route = 0
net.ipv6.conf.lan4.addr_gen_mode = 0
net.ipv6.conf.lan4.autoconf = 1
net.ipv6.conf.lan4.dad_transmits = 1
net.ipv6.conf.lan4.disable_ipv6 = 0
net.ipv6.conf.lan4.disable_policy = 0
net.ipv6.conf.lan4.drop_unicast_in_l2_multicast = 0
net.ipv6.conf.lan4.drop_unsolicited_na = 0
net.ipv6.conf.lan4.enhanced_dad = 1
net.ipv6.conf.lan4.force_mld_version = 0
net.ipv6.conf.lan4.force_tllao = 0
net.ipv6.conf.lan4.forwarding = 1
net.ipv6.conf.lan4.hop_limit = 64
net.ipv6.conf.lan4.ignore_routes_with_linkdown = 0
net.ipv6.conf.lan4.ioam6_enabled = 0
net.ipv6.conf.lan4.ioam6_id = 65535
net.ipv6.conf.lan4.ioam6_id_wide = 4294967295
net.ipv6.conf.lan4.keep_addr_on_down = 0
net.ipv6.conf.lan4.max_addresses = 16
net.ipv6.conf.lan4.max_desync_factor = 600
net.ipv6.conf.lan4.mc_forwarding = 0
net.ipv6.conf.lan4.mldv1_unsolicited_report_interval = 10000
net.ipv6.conf.lan4.mldv2_unsolicited_report_interval = 1000
net.ipv6.conf.lan4.mtu = 1500
net.ipv6.conf.lan4.ndisc_notify = 0
net.ipv6.conf.lan4.ndisc_tclass = 0
net.ipv6.conf.lan4.proxy_ndp = 0
net.ipv6.conf.lan4.ra_defrtr_metric = 1024
net.ipv6.conf.lan4.regen_max_retry = 3
net.ipv6.conf.lan4.router_solicitation_delay = 1
net.ipv6.conf.lan4.router_solicitation_interval = 4
net.ipv6.conf.lan4.router_solicitation_max_interval = 3600
net.ipv6.conf.lan4.router_solicitations = -1
net.ipv6.conf.lan4.rpl_seg_enabled = 0
net.ipv6.conf.lan4.seg6_enabled = 0
sysctl: error reading key 'net.ipv6.conf.lan4.stable_secret': I/O error
net.ipv6.conf.lan4.suppress_frag_ndisc = 1
net.ipv6.conf.lan4.temp_prefered_lft = 86400
net.ipv6.conf.lan4.temp_valid_lft = 604800
net.ipv6.conf.lan4.use_oif_addrs_only = 0
net.ipv6.conf.lan4.use_tempaddr = 0
net.ipv6.neigh.lan4.anycast_delay = 100
net.ipv6.neigh.lan4.app_solicit = 0
net.ipv6.neigh.lan4.base_reachable_time = 30
net.ipv6.neigh.lan4.base_reachable_time_ms = 30000
net.ipv6.neigh.lan4.delay_first_probe_time = 5
net.ipv6.neigh.lan4.gc_stale_time = 60
net.ipv6.neigh.lan4.locktime = 0
net.ipv6.neigh.lan4.mcast_resolicit = 0
net.ipv6.neigh.lan4.mcast_solicit = 3
net.ipv6.neigh.lan4.proxy_delay = 80
net.ipv6.neigh.lan4.proxy_qlen = 64
net.ipv6.neigh.lan4.retrans_time = 100
net.ipv6.neigh.lan4.retrans_time_ms = 1000
net.ipv6.neigh.lan4.ucast_solicit = 3
net.ipv6.neigh.lan4.unres_qlen = 91
net.ipv6.neigh.lan4.unres_qlen_bytes = 180224

/etc/config/network


config interface 'loopback'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'
	option device 'lo'

config globals 'globals'

config interface 'lan'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6hint '1'
	option device 'br-lan'

config interface 'wan'
	option proto 'dhcpv6'
	option reqaddress 'try'
	option reqprefix 'auto'
	option device 'eth2'

config interface 'VERO'
	option proto 'static'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'
	option ip6assign '64'
	option ip6hint '2'
	option device 'lan4'
	option igmp_snooping '1'

config interface 'WAN4'
	option proto 'dhcp'
	option device 'eth2'

config interface 'OpenVPN'
	option proto 'static'
	option auto '0'
	option device 'vtun0'

config route6
	option target 'IPV6_PREFIX:c::/64'
	option interface 'lan'
	option gateway 'fe80::MAC1'

config route
	option gateway '192.168.1.26'
	option interface 'lan'
	option target '172.18.0.0'
	option netmask '255.255.0.0'

config device 'br_lan'
	option name 'br-lan'
	option bridge_empty '1'
	list ports 'lan0'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	option type 'bridge'
	option macaddr 'MAC2'

Some extra info:

[/]@192.168.1.1
λ brctl show
bridge name	bridge id		STP enabled	interfaces
br-lan		7fff.d858d7003b55	no		lan2
							wlan0
							lan0
							lan3
							wlan1
							lan1

igmpproxy is also configured, but as the IGMP traffic is discarded somewhere before it can be seen by it then this should be irrelevant. Here's the configuration anyway:

[/]@192.168.1.1
λ cat etc/config/igmpproxy
config igmpproxy
	option quickleave 1
#	option verbose [0-3](none, minimal[default], more, maximum)

config phyint
	option network WAN4
	option zone wan
	option direction upstream
	list altnet 0.0.0.0/0

config phyint
	option network VERO
	option zone lan
	option direction downstream

Anything that could be useful to help debugging just ask.

Thanks again.

Something interesting is that if I listen to the same traffic on br-lan (which bridges wlan0, wlan1, lan0, lan1, lan2 and lan3) using

~ # tcpdump -i br-lan -vv igmp -n

and I generate IGMP traffic from different clients behind:

  • Traffic generated by clients in wlan0 (wireless) is visible, for example:
~ # tcpdump -i br-lan -vv igmp -n 
tcpdump: listening on br-lan, link-type EN10MB (Ethernet), capture size 262144 bytes
15:18:54.494610 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 40, options (RA))
    192.168.1.101 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 239.77.3.52 to_ex { }]
  • Traffic generated by wired clients (for instance, a server wired to lan0) does not make it through.

So definitely something fishy with the switch is going on (DSA?).
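
Decoding the IGMPv2 report from the first post, as an added example (not code from the thread): it rebuilds the packet from the fields tcpdump printed, verifies both checksums, and derives the Ethernet multicast destination (RFC 1112 mapping) that the frame carries on the wire, which is the address to match when capturing below the IP layer. The packet bytes are constructed from the tcpdump line, not taken from a real capture, and all function names are this example's own.

```python
import ipaddress
import struct

IGMP_TYPES = {0x11: "query", 0x12: "v1 report", 0x16: "v2 report",
              0x17: "v2 leave", 0x22: "v3 report"}

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 when run over valid data."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def group_mac(ip_dst: str) -> str:
    """RFC 1112: 01:00:5e followed by the low 23 bits of the IPv4 address."""
    low23 = int(ipaddress.IPv4Address(ip_dst)) & 0x7FFFFF
    return ":".join(f"{b:02x}" for b in b"\x01\x00\x5e" + low23.to_bytes(3, "big"))

def build_v2_report(src: str, group: str) -> bytes:
    """Constructed packet with the fields tcpdump printed in the first post."""
    grp = ipaddress.IPv4Address(group).packed
    igmp = struct.pack("!BBH4s", 0x16, 0, 0, grp)
    igmp = igmp[:2] + struct.pack("!H", inet_checksum(igmp)) + igmp[4:]
    # IHL 6 (Router Alert option follows), tos 0xc0, id 0, DF, ttl 1, proto 2
    hdr = struct.pack("!BBHHHBBH4s4s", 0x46, 0xC0, 24 + len(igmp), 0, 0x4000,
                      1, 2, 0, ipaddress.IPv4Address(src).packed, grp)
    hdr += b"\x94\x04\x00\x00"
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + igmp

def parse_igmp(packet: bytes) -> dict:
    """Decode an IPv4 packet carrying IGMP into the fields worth comparing."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 2:
        raise ValueError("not an IPv4/IGMP packet")
    ihl = (packet[0] & 0x0F) * 4
    igmp = packet[ihl:struct.unpack("!H", packet[2:4])[0]]
    if ihl < 20 or len(igmp) < 8:
        raise ValueError("truncated IGMP message")
    src, dst = (str(ipaddress.IPv4Address(packet[i:i + 4])) for i in (12, 16))
    info = {
        "src": src, "dst": dst, "ttl": packet[8],
        "router_alert": packet[20:22] == b"\x94\x04",  # RA as first IP option
        "type": IGMP_TYPES.get(igmp[0], hex(igmp[0])),
        "ip_checksum_ok": inet_checksum(packet[:ihl]) == 0,
        "igmp_checksum_ok": inet_checksum(igmp) == 0,
        "l2_dst": group_mac(dst),  # Ethernet destination derived from IP dst
    }
    if igmp[0] in (0x12, 0x16, 0x17):  # message types with a single group field
        info["group"] = str(ipaddress.IPv4Address(igmp[4:8]))
    return info
```

Calling `parse_igmp(build_v2_report("192.168.2.21", "239.77.3.6"))` gives the Ethernet destination for the IGMPv2 report, and `group_mac("224.0.0.22")` gives the one for the IGMPv3 report seen on br-lan.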