IGMP and IPTV (understanding the logic)

Hi all,

I’m hoping you can help me with a problem I can’t solve (and understand).

I’m using an RB3011 on a Dutch (KPN) fiber network. The ISP uses vlan6 for internet traffic and vlan4 for IPTV.

I’ve added an IGMP proxy:

# IGMP proxy: vlan4 (the ISP's IPTV VLAN) is the upstream interface, local-lan the downstream one.
# alternative-subnets lists extra source ranges accepted on the upstream side besides its directly attached subnet.
# NOTE(review): proxied multicast is routed rather than bridged, so it presumably passes the /ip firewall
# forward chain. The full config drops every destination in its "bogon" address list there, and that list
# contains 224.0.0.0/3 (all multicast groups) — confirm whether that rule is what stops the stream.
/routing igmp-proxy interface
add alternative-subnets=213.75.0.0/17,10.142.64.0/18,213.75.112.0/21 interface=vlan4 upstream=yes
add interface=local-lan

And I’ve made all the necessary DHCP settings that are required:

# DHCP option 60 (vendor class identifier) with the value IPTV_RG, defined for the router's own DHCP client.
/ip dhcp-client option
add code=60 name=option60-vendorclass value="'IPTV_RG'"
# Options the router's DHCP server can hand out: the same vendor class string and option 28 (broadcast address).
/ip dhcp-server option
add code=60 name=option60-vendorclass value="'IPTV_RG'"
add code=28 name=option28-broadcast value="'192.168.2.255'"
# Bundle both server options into one set so it can be attached to individual leases.
/ip dhcp-server option sets
add name=IPTV options=option60-vendorclass,option28-broadcast

The option set is also assigned to the settopboxes.

As far as I understand, this should work: the stream coming from the subnets used in the IGMP proxy is then forwarded to local-lan (this is the bridge).

For some reason this allows IPTV to work for about 2 seconds and then the image freezes.
If I then add the vlan4 tag to the bridge:

# Puts the nine LAN ethernet ports and the ISP IPTV VLAN interface (vlan4) into the same bridge.
# NOTE(review): with vlan4 as a bridge port, the ISP's IPTV VLAN and the LAN become one layer-2 segment.
# Bridged frames do not pass /ip firewall unless the bridge's use-ip-firewall setting is enabled, so the
# filter rules in this config would not apply between the two sides, and LAN broadcasts (DHCP included)
# can reach the ISP side. Confirm this exposure is acceptable.
# NOTE(review): a bridge port is a slave interface; the IGMP proxy and DHCP client bound to vlan4 likely
# stop operating on it, which may be why the proxy is listed as inactive — confirm.
/interface bridge port
add bridge=local-lan interface=eth01
add bridge=local-lan interface=eth02
add bridge=local-lan interface=eth03
add bridge=local-lan interface=eth04
add bridge=local-lan interface=eth05
add bridge=local-lan interface=eth06
add bridge=local-lan interface=eth07
add bridge=local-lan interface=eth08
add bridge=local-lan interface=eth09
add bridge=local-lan interface=vlan4

IPTV works and keeps working, but the IGMP proxy is listed as inactive. Can someone explain to me why the above config works, and what goes wrong with the IGMP proxy when vlan4 is not added to the bridge?

(this does multicast the stream to all ports, that’s okay.)

Full config:

# jul/27/2017 13:56:09 by RouterOS 6.40
# model = RouterBOARD 3011UiAS
# LAN bridge; fast-forward is disabled and the bridge answers ARP by proxy.
/interface bridge
add arp=proxy-arp fast-forward=no name=local-lan
# Rename the physical ports: ether1 becomes the WAN uplink (eth00-gw), ether2-ether10 become eth01-eth09,
# and the SFP port is disabled.
# NOTE(review): arp=proxy-arp on the WAN-facing port makes the router answer ARP there on behalf of other
# hosts it can reach — confirm this is needed towards the ISP.
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp mtu=1508 name=eth00-gw speed=1Gbps
set [ find default-name=ether2 ] name=eth01
set [ find default-name=ether3 ] name=eth02
set [ find default-name=ether4 ] name=eth03
set [ find default-name=ether5 ] name=eth04
set [ find default-name=ether6 ] name=eth05
set [ find default-name=ether7 ] name=eth06
set [ find default-name=ether8 ] name=eth07
set [ find default-name=ether9 ] name=eth08
set [ find default-name=ether10 ] name=eth09
set [ find default-name=sfp1 ] disabled=yes name=spf01
# Neighbor discovery is switched off on the uplink and the SFP port, so the router does not announce
# itself on those interfaces.
/ip neighbor discovery
set eth00-gw discover=no
set spf01 discover=no
# Two tagged VLANs on the uplink: 4 (IPTV) and 6 (internet), as described in the post.
/interface vlan
add interface=eth00-gw name=vlan4 vlan-id=4
add interface=eth00-gw name=vlan6 vlan-id=6
# Internet access is a PPPoE session over vlan6; the credentials are placeholders left by the poster.
# NOTE(review): allow=pap lets the password be sent unencrypted to the access concentrator — keep PAP
# only if the ISP requires it.
/interface pppoe-client
add add-default-route=yes allow=pap,mschap2 disabled=no interface=vlan6 keepalive-timeout=20 max-mru=1480 max-mtu=1480 name=pppoe-kpn password=##Password## user=##Username##
# Discovery is likewise disabled on the PPPoE session and both ISP VLANs.
/ip neighbor discovery
set pppoe-kpn discover=no
set vlan4 discover=no
set vlan6 discover=no
# DHCP option 60 (vendor class identifier) with the value IPTV_RG, defined for the router's own DHCP client.
/ip dhcp-client option
add code=60 name=option60-vendorclass value="'IPTV_RG'"
# Options the DHCP server can hand out: the same vendor class string and option 28 (broadcast address).
/ip dhcp-server option
add code=60 name=option60-vendorclass value="'IPTV_RG'"
add code=28 name=option28-broadcast value="'192.168.2.255'"
# Bundle both server options so they can be attached to individual leases.
/ip dhcp-server option sets
add name=IPTV options=option60-vendorclass,option28-broadcast
# Dynamic pool .1-.50; the static leases later in this export use addresses outside it.
/ip pool
add name=home ranges=192.168.2.1-192.168.2.50
# DHCP server for the LAN bridge.
/ip dhcp-server
add address-pool=home authoritative=after-2sec-delay disabled=no interface=local-lan lease-time=2h name=home-dhcp
# BGP is not used.
/routing bgp instance
set default disabled=yes
# NOTE(review): this presumably enables The Dude server on the router, an additional management service —
# confirm it is actually in use and disable it otherwise.
/dude
set enabled=yes
# Bridge membership: the nine LAN ports plus vlan4 (the ISP IPTV VLAN).
# NOTE(review): bridging vlan4 joins the ISP's IPTV VLAN and the LAN into one layer-2 segment. Bridged
# frames bypass /ip firewall unless the bridge's use-ip-firewall setting is enabled, so the filter rules
# in this export would not separate the two sides. Confirm that this is intended.
# NOTE(review): as a bridge port vlan4 is a slave interface; the DHCP client and IGMP proxy entries that
# reference vlan4 elsewhere in this export likely do not operate in that state — confirm.
/interface bridge port
add bridge=local-lan interface=eth01
add bridge=local-lan interface=eth02
add bridge=local-lan interface=eth03
add bridge=local-lan interface=eth04
add bridge=local-lan interface=eth05
add bridge=local-lan interface=eth06
add bridge=local-lan interface=eth07
add bridge=local-lan interface=eth08
add bridge=local-lan interface=eth09
add bridge=local-lan interface=vlan4
# The router's LAN address lives on the bridge.
/ip address
add address=192.168.2.254/24 interface=local-lan network=192.168.2.0
# DHCP client on the IPTV VLAN, sending the option-60 vendor class and ignoring the ISP's DNS/NTP servers.
# NOTE(review): special-classless presumably installs the classless routes the ISP hands out plus a default
# route at distance 254 — verify against the RouterOS documentation for this version.
/ip dhcp-client
add add-default-route=special-classless default-route-distance=254 dhcp-options=option60-vendorclass disabled=no interface=vlan4 use-peer-dns=no \
    use-peer-ntp=no
# Static leases: three set-top boxes that receive the IPTV option set, and the host at .100, which is
# also the target of the RDP port-forward in /ip firewall nat.
/ip dhcp-server lease
add address=192.168.2.51 comment="Decoder 1 - TV beneden" dhcp-option-set=IPTV mac-address=00:02:9B:D8:44:B7 server=home-dhcp
add address=192.168.2.52 comment="Decoder 1" dhcp-option-set=IPTV mac-address=00:02:9B:D8:44:99 server=home-dhcp
add address=192.168.2.53 comment="Decoder 1" dhcp-option-set=IPTV mac-address=00:02:9B:D8:44:C0 server=home-dhcp
add address=192.168.2.100 client-id=1:bc:5f:f4:e6:d9:d2 mac-address=BC:5F:F4:E6:D9:D2 server=home-dhcp
# LAN clients use the router as gateway and DNS server.
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.254 domain=home.local gateway=192.168.2.254
# allow-remote-requests=yes turns the router into a resolver for any host that can reach it; who can reach
# it is decided solely by the input chain in /ip firewall filter, so keep the final input drop rule in place.
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=8.8.8.8,195.121.1.66,8.8.4.4,195.121.1.34
# Address lists: accept_rdp holds the remote hosts allowed to use the RDP port-forward; bogon holds ranges
# that the forward chain refuses as source or destination.
/ip firewall address-list
add address=213.222.11.146 list=accept_rdp
# NOTE(review): 224.0.0.0/3 spans 224.0.0.0-255.255.255.255, i.e. every multicast group as well as
# 240.0.0.0/4. The forward chain below drops any packet whose destination is in this list, which would
# include IPTV multicast routed by the IGMP proxy — confirm, and exempt the IPTV path if so.
add address=224.0.0.0/3 list=bogon
add address=0.0.0.0/8 list=bogon
add address=127.0.0.0/8 list=bogon
add address=86.95.39.70 list=accept_rdp
add address=81.206.128.234 list=accept_rdp
add address=169.254.0.0/16 list=bogon
add address=172.16.0.0/12 list=bogon
add address=192.0.2.0/24 list=bogon
add address=192.88.99.0/24 list=bogon
add address=198.18.0.0/15 list=bogon
add address=198.51.100.0/24 list=bogon
add address=203.0.113.0/24 list=bogon
# Rule order matters: rules are evaluated top to bottom within each chain.
/ip firewall filter
# input chain, part 1: drop ICMP from the internet session and invalid connections.
add action=drop chain=input comment="Drop ICMP" in-interface=pppoe-kpn protocol=icmp
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
# Custom chains "tcp" and "udp": only reached through the jump rules in the forward chain further down,
# so these port blocks apply to forwarded traffic, not to traffic addressed to the router itself.
add action=drop chain=tcp comment="Deny TFPT" dst-port=69 protocol=tcp
add action=drop chain=tcp comment="Deny RPC portmapper" dst-port=111,135 protocol=tcp
add action=drop chain=tcp comment="Deny NBT" dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="Deny cifs" dst-port=445 protocol=tcp
add action=drop chain=tcp comment="Deny NFS" dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="Deny NetBus" dst-port=12345-12346 protocol=tcp
add action=drop chain=tcp comment="Deny NetBus" dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="Deny BackOriffice" dst-port=3133 protocol=tcp
add action=drop chain=tcp comment="Deny DHCP" dst-port=67-68 protocol=tcp
add action=drop chain=udp comment="Deny TFTP" dst-port=69 protocol=udp
add action=drop chain=udp comment="Deny RPC portmapper" dst-port=111,135 protocol=udp
add action=drop chain=udp comment="Deny NBT" dst-port=137-139 protocol=udp
add action=drop chain=udp comment="Deny BackOriffice" dst-port=3133 protocol=udp
# input chain, part 2.
# NOTE(review): this accept matches any interface except pppoe-kpn, vlan4 included, and trusts the source
# address alone; in-interface=local-lan would tie it to the LAN bridge.
add action=accept chain=input in-interface=!pppoe-kpn src-address=192.168.2.0/24
add action=accept chain=input comment="Allow established connections" connection-state=established
add action=accept chain=input comment="Allow related connections" connection-state=related
# NOTE(review): IGMP arriving on vlan4 from ISP addresses matches no accept rule above unless connection
# tracking classifies it as established/related, so it presumably ends up here — confirm for the IGMP proxy.
add action=drop chain=input comment="Drop all"
# forward chain: port blocks first, then bogon and invalid drops, then the accepts.
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=drop chain=forward comment="Drop bogon src addresses" src-address-list=bogon
# Applies on every interface; with 224.0.0.0/3 in the list this also matches multicast destinations.
add action=drop chain=forward comment="Drop bogon dst addresses" dst-address-list=bogon
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid
# NOTE(review): despite its comment this rule has no src-address-list; the allow-list is enforced only by
# the dst-nat rule. Adding src-address-list=accept_rdp (or connection-nat-state=dstnat) here would make the
# filter rule restrict what its comment says it restricts.
add action=accept chain=forward comment="Allow RDP from list accept_rdp" dst-port=3389 in-interface=pppoe-kpn protocol=tcp
add action=accept chain=forward comment="Allow established connections" connection-state=established
add action=accept chain=forward comment="Allow related connections" connection-state=related
# NOTE(review): the final drop covers only pppoe-kpn; new connections entering through vlan4 fall through
# to the chain's default accept — confirm that is intended for the IPTV VLAN.
add action=drop chain=forward comment="Drop all" in-interface=pppoe-kpn
/ip firewall nat
# Port-forward RDP (tcp/3389) arriving on the internet session from accept_rdp hosts to 192.168.2.100.
# NOTE(review): this source allow-list is the only control in front of the RDP host; a VPN in front of it
# is the more robust option.
add action=dst-nat chain=dstnat dst-port=3389 in-interface=pppoe-kpn protocol=tcp src-address-list=accept_rdp to-addresses=192.168.2.100 to-ports=3389
# NOTE(review): interface l2tp-pia is not defined anywhere in this export — presumably a leftover; confirm.
add action=masquerade chain=srcnat out-interface=l2tp-pia
# Source-NAT for LAN clients going out through the internet session.
add action=masquerade chain=srcnat out-interface=pppoe-kpn src-address=192.168.2.0/24
# Source-NAT towards the ISP's IPTV ranges.
# NOTE(review): these three rules match on out-interface=local-lan, which presumably only carries traffic
# towards the IPTV ranges while vlan4 is a port of that bridge; with vlan4 taken out of the bridge the
# outgoing interface would be vlan4 and none of them would match — confirm.
add action=masquerade chain=srcnat dst-address=10.142.64.0/18 out-interface=local-lan
add action=masquerade chain=srcnat dst-address=213.75.0.0/17 out-interface=local-lan
add action=masquerade chain=srcnat dst-address=213.75.112.0/21 out-interface=local-lan
# All connection-tracking helpers listed here are switched off.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
# Management services: telnet, ftp, ssh, api and api-ssl are disabled; www and winbox stay enabled but only
# accept clients from 192.168.2.0/24.
# NOTE(review): www is the unencrypted web interface, so logins cross the LAN in clear text; the state of
# www-ssl is not shown in this export — consider it, or use winbox only.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.2.0/24
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.2.0/24
set api-ssl disabled=yes
/ip upnp
set show-dummy-rule=no
# IGMP proxy: vlan4 is the upstream (ISP IPTV) interface, local-lan the downstream one; alternative-subnets
# lists extra source ranges accepted on the upstream side.
# NOTE(review): this export also makes vlan4 a port of the local-lan bridge; as a slave interface it likely
# cannot serve as the proxy's upstream, which may be why the proxy is listed as inactive — confirm.
/routing igmp-proxy interface
add alternative-subnets=213.75.0.0/17,10.142.64.0/18,213.75.112.0/21 interface=vlan4 upstream=yes
add interface=local-lan
/system clock
set time-zone-name=Europe/Amsterdam