CCR1009 and VLAN multicast 480 Mbps - CC errors

DmitryAVET · December 12, 2020, 8:09pm

Hello

Have some problems with forwarding multicast traffic on CCR1009 (model CCR1009-7G-1C-1S+), RouterOS v6.47.7, RouterBOOT 6.47.7

From ISP side we have streaming server with dedicated streaming port, that connected directly to Dell Force10.

Then from Dell Force10 we have dedicated / direct fiber-optical line to user. Line 19.5 km, loss 9.5 dB, used 40-km modules.

On user side connected CCR1009. Fiber connected to Combo. On Combo we have 2 VLANs:

VLAN 3008 – internet from ISP (200 Mbps/200 Mbps PPPoE);
VLAN 777 – multicast from ISP (average downstream 480 Mbps, IPTV);

On CCR1009 installed multicast package. Incoming VLAN 777 added to IGMP Proxy as upstream. Bridge bridge-multicast added to IGMP Proxy (as downstream).
Local IP on VLAN 10.253.0.1, remote stream server 10.253.0.100.
Ports ether5 (10.253.0.11), ether6 (10.253.0.12) and ether7 (10.253.0.13) added to bridge-multicast. On this bridge enabled IGMP Snooping, STP disabled. To this ports connected 3x RF transmodulators TERRA miq440 (IP to DVB-C).

TV work, but… with CC errors on TERRA. Every few seconds on transmodulators new CC-errors and squars on TV / crashing image.

What we try:

physical changing port on stream server;
checked downstream from dell – no errors on multicast;
checked bridge RX/TX – 0 drops, 0 errors;
checked ETH-ports 5/6/7 RX/TX – 0 drops, 0 errors, 0 collisions;
checked multicast VLAN RX/TX – 0 drops, 0 errors;
tried add multicast VLAN directly to bridge-multicast without IGMP Proxy (“dummy / unmanaged switch” mode) - no result, same CC errors;
disabling all firewall filter rules (drop, jump, return) - no result, same CC errors;
tried using different IP/subnet for multicast VLAN and bridge/ports;

CPU load less than 10-20%. Memory used only 350 MB.

Any ideas?

/interface bridge
add igmp-snooping=yes name=bridge-multicast protocol-mode=none

/interface bridge port
add bridge=bridge-multicast interface=ether5
add bridge=bridge-multicast interface=ether6
add bridge=bridge-multicast interface=ether7

/interface vlan
add interface=combo1-wan name=vlan-777-catv vlan-id=777
add interface=combo1-wan name=vlan-3008-internet vlan-id=3008

/interface list
add name=LAN
add name=WAN

/interface list member
add interface=combo1-wan list=WAN
add interface=vlan-777-catv list=LAN
add interface=vlan-3008-internet list=WAN
add interface=pppoe-internet list=WAN
add interface=bridge-multicast list=LAN

/ip address
add address=10.253.0.1/24 interface=bridge-multicast network=10.253.0.0
add address=10.253.0.2/24 interface=vlan-777-catv network=10.253.0.0

/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface=bridge-multicast
add alternative-subnets=0.0.0.0/0 interface=vlan-777-catv upstream=yes
	
/ip settings
set tcp-syncookies=yes

/ip firewall filter
add action=add-src-to-address-list address-list=ddos-blacklist \
    address-list-timeout=30m chain=input comment="===== DDOS =====" \
    connection-limit=50,32 in-interface-list=WAN protocol=tcp
add action=drop chain=input connection-limit=3,32 in-interface-list=WAN \
    protocol=tcp src-address-list=ddos-blacklist
add action=jump chain=forward comment="===== SYN-FLOOD =====" \
    connection-state=new in-interface-list=WAN jump-target=SYN-Protect \
    protocol=tcp tcp-flags=syn
add action=jump chain=input connection-state=new in-interface-list=WAN \
    jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=return chain=SYN-Protect connection-state=new limit=200,5:packet \
    protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new protocol=tcp \
    tcp-flags=syn
add action=accept chain=input comment=\
    "===== INPUT: accept established,related,untracked =====" \
    connection-state=established,related,untracked
add action=drop chain=input comment="===== INPUT: drop invalid =====" \
    connection-state=invalid
add action=accept chain=input comment="===== INPUT: accept ICMP =====" \
    protocol=icmp
add action=accept chain=input comment="===== MULTICAST CATV INPUT =====" \
    in-interface=vlan-777-catv
add action=accept chain=forward comment=\
    "===== MULTICAST CATV FORWARDING =====" dst-port=20002 in-interface=\
    vlan-777-catv protocol=udp
add action=drop chain=input comment=\
    "===== INPUT: drop all not coming from LAN =====" in-interface-list=!LAN
add action=accept chain=forward comment=\
    "===== FORWARD: accept established,related, untracked =====" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="===== FORWARD: drop invalid =====" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "===== FORWARD: drop all from WAN not DSTNATed =====" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

Screenshot_2020-12-12 miq440 - MFA-ACADEMY-3.png

DmitryAVET · December 21, 2020, 8:34pm

Problem solved by using D-Link DGS-1210-28/ME before CCR1009 for handling multicast. All work fine.
Resume: Mikrotik + Multicast >450 Mbit = NOT COMPATIBLE