So basically I allow ALL UDP traffic to my LAN-bridge, is that really good?
Can I in some way fetch and redirect all IPTV traffic to interface: ether4 before going through IP firewall filter?
Could I add an extra bridge (IPTV-bridge) and include interface: ether1 and ether4 there? - my internet dies then - right?
Any other ideas on how you can set up IPTV in a more "smooth" way?
Any hint, thoughts or comments are VERY MUCH appreciated
Cheers,
Kalle
Below is a config dump of most of the running router config:
[admin@MikroTik] > export
# apr/09/2018 20:32:26 by RouterOS 6.41.3
# software id = XXXXX
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = XXXXXXXXXXXXXXXXX
/interface bridge
add admin-mac=CC:2D:E0:3F:06:7C auto-mac=no comment=defconf igmp-snooping=yes name=LAN-bridge
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country=sweden disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=Larsson wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee country=sweden disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=Larsson wireless-protocol=802.11
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/ip pool
add name=dhcp ranges=1.1.1.100-1.1.1.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=LAN-bridge lease-time=10h name=defconf
/interface bridge port
add bridge=LAN-bridge comment=defconf interface=ether2-master
add bridge=LAN-bridge comment=defconf hw=no interface=wlan1
add bridge=LAN-bridge comment=defconf hw=no interface=wlan2
add bridge=LAN-bridge interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=discover
/ip address
add address=1.1.1.10/24 comment=defconf interface=ether2-master network=1.1.1.0
add address=x.x.x.x/x interface=ether1 network=x.x.x.x
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=1.1.1.0/24 comment=defconf gateway=1.1.1.10 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,195.54.122.200,195.54.122.204
/ip dns static
add address=1.1.1.10 name=router
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=IPTV log-prefix=iptv2 protocol=igmp
add action=accept chain=input log-prefix=iptv4 protocol=udp
add action=accept chain=forward log-prefix=iptv3 protocol=udp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface=ether1 upstream=yes
add interface=LAN-bridge
/system clock
set time-zone-name=Europe/Stockholm
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool traffic-monitor
add interface=ether4 name=tmon1 threshold=0 traffic=received
I have not had an ISP that provides IPTV streaming, but can't your IPTV box initiate the traffic to a streaming server instead of you having to accept all UDP traffic into your network? Accepting all UDP traffic does not sound good to me at all. Even so, you don't need to allow UDP on the input chain, as it does not have to access the router itself, so UDP on the input chain should be disabled. Would your IPTV work if you don't open UDP on the forward chain?
As for separating ether4, this requires two IP addresses given to you by the ISP, so that your router has one and the IPTV on ether4 has one. It looks like you are getting one public IP on ether1, so you may have to pay for the second one.
I'd suggest that you don't really have to accept all UDP traffic. Try this first.
PS: you should either blank out your real public IP address or use export hide-sensitive
Thank you VERY much for the hints (and also the tip about my IP
Indeed the IPTV seems to still work after disabling the UDP input rule, and that’s good.
So I guess that this is as tight as the firewall filters can be…
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="IPTV" protocol=igmp
add action=accept chain=forward comment="IPTV" protocol=udp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=ether1
Well, the next stage can be that you only allow UDP traffic from certain IP addresses. You can either find out from your ISP the source IP that connects to your IPTV, or just torch the WAN interface when the TV is on. You will see the steady UDP streaming connections; take a note of the source IP addresses. Hopefully there will be just a few that they actually use.
Then you can change the firewall rule to accept UDP from those IPs and drop everything else.
Just wondering, does the IPTV service include live channels as well as Video on Demand? Any webpage where I can check this out? Seems interesting…
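The "next stage" described above, written out as RouterOS script (an added example, not from the original thread): the blanket `accept chain=forward protocol=udp` rule from the export above is replaced by rules that forward multicast only from the stream sources observed in Torch. The addresses 203.0.113.10 and 203.0.113.11 are constructed placeholders.

```routeros
# Added example, not from the original thread. 203.0.113.10/11 are
# constructed placeholders for the source addresses noted in Torch.
/ip firewall address-list
add list=iptv-sources address=203.0.113.10 comment="IPTV source (placeholder, from Torch)"
add list=iptv-sources address=203.0.113.11 comment="IPTV source (placeholder, from Torch)"

/ip firewall filter
# Remove the blanket rule that let UDP from anywhere be forwarded into the LAN
remove [find chain=forward protocol=udp comment="IPTV"]
# Accept only multicast (224.0.0.0/4) arriving on the WAN port from the listed sources,
# placed where the old rule sat, ahead of the defconf established/related rule
add chain=forward action=accept protocol=udp in-interface=ether1 dst-address=224.0.0.0/4 src-address-list=iptv-sources comment="IPTV: multicast from known sources" place-before=[find chain=forward comment="defconf: accept established,related"]
# Drop and log any other multicast from the WAN so a new or changed source shows up in the log
add chain=forward action=drop protocol=udp in-interface=ether1 dst-address=224.0.0.0/4 log=yes log-prefix=iptv-unknown comment="IPTV: drop multicast from unlisted sources" place-before=[find chain=forward comment="defconf: accept established,related"]
```

After a channel change, `/log print where message~"iptv-unknown"` shows any source the TV asked for that is not yet in the list.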
Please don't test; IGMP snooping still doesn't work.
I am asking engineers from Mikrotik to test it on my TV network, but they don’t want to.
For so many years I have asked MikroTik to do IGMP snooping, and nothing.
Why don’t you listen to your customers? krzysztof@pawluk.org
How many TV boxes do you have connected: 100, 200, 1000?
How many multicast groups do you have?
Currently, I use 61 multicast groups.
The problem is extinguishing the multicast groups:
MikroTik doesn't send information about leaving the groups to the PIM router,
and transmissions are added for 2 minutes.
Because of this, port overloads occur.
Cisco, Juniper, Huawei, Extreme networks - work without problems.
Only a few, but that is not the issue.
The issue is you asking us not to test a feature because it does not work for you.
How do you expect to raise feedback if we do not test it?
Just wait for someone at MT to fix something they do not know is broken?
The idea is to test it as much as we can, and supply reports if something does not work as expected.
You can not expect a fix for something nobody uses.
Good evening! For my Internet provider, I use the following configuration:
/routing igmp-proxy
set quick-leave=yes
/routing igmp-proxy interface
# use alternative-subnets=0.0.0.0/0 if you don't know the subnets for upstream
add alternative-subnets=0.0.0.0/0 interface=WAN upstream=yes
add interface=LAN
I've tied the firewall source/destination ports down by using the IGMP Proxy → MFC and Torch on the WAN.
My only issue is I cannot get this to work unless the downstream interface is the bridge. I tried setting this to ether5 and it will not work for me at all. My ac2 is simple, just using the quick set. Is there anything else I would need to do? I figure having forwarding to a dedicated interface may be more secure and limit traffic?
You’re wrong.
You don’t read the forum.
Check how many requests to fix the IGMP.
TV operators are asking for it many years!
Nobody uses it because it doesn’t work, it’s easy.
I am asking for many years and not only me.
MikroTik switches cannot be bought.
Important: not one multicast stream but a few dozen multicast streams.
I am asking you, please, read the forums from a few years ago.
Believe me, I read the forums, since 4.17, that’s some 8 years…
But you ask “don’t test IGMP snooping”. That’s what I am talking about. What is the logic behind this?
If YOU don’t want to test, that’s your own problem. If someone else does, why is this an issue for you?
Do you think if we do not test, someone else will do it for us, and will magically do something about it?
How can someone find an issue without trying it first?
Have you created a support ticket? Or maybe describe your issue and maybe some people around here may find a solution.
But asking others not to use it, just because you said so, is no solution at all.
Coming back to the technical part.
You talk about a pim router at your provider which does not stop the streaming after the leave.
Have you tried the PIM component instead of the igmp proxy, or the other way around?
From my understanding, there is a different protocol involved between PIMs and it does not rely solely on the group leave messages for managing the streams (PIM-SM?). On the other hand, the IGMP proxy acts purely as a client on behalf of the downstream requester, which may be the desired behavior.
In my case, I had some 8 multicast sources streaming all the time on one interface, and I needed to put them on the LAN using snooping, to limit the net flooding. This worked nicely with the proxy, but I did not manage to get them running properly using PIM. But the upstream cutting off was not an issue in this case, since it was not needed.
Re: [Ticket#2018020422000183] RouterOS 6.41.1 problem with IGMP snooping
Re: [Ticket#2016100722001021] RE: Errors in the IGMP
Re: [Ticket#2015072266000821] IGMP Snoping. When?
Re: [Ticket#2015011666000782] IGMP Snoping compatible with CISCO. When?
[Ticket#2014110466000108] RE: IGMP Snooping - when […]
Re: [Ticket#2014091566000986] I am a Polish ISP and IPTV operator.IGMP…
He writes that others will not test because time is valuable.
I have my laboratory with thousands of devices; I am the owner of a regional cable television.
You write too simple things, write something more complicated.
True, I wanted to learn it, and I keep the complicated things for my job. So running a few streams is easier to follow, like one streamed transponder, and it should scale knowledge-wise.
But I think the topic here was a home setup, not IGMP snooping, which is quite new in the MTK world (since 6.41) and has its issues.
Anyway, IMHO I would not rely on a software bridge for snooping on a high volume cable network…
Without trying to be anti MTK, here other switches do a better job, including UBNT EdgeSwitches which share the same price range (and just work, at least the ES-24 and ES-8).
As PIM routers I use several Cisco ASR 1001-X and they work perfectly !! ALL Cisco switches also work perfectly !!
Huawei also works OK, sometimes it has problems.
All juniper machines also work perfectly !!
Extreme networks also work great !!
Totolink also works great
So why is MikroTik not supposed to work well?
I cannot use IGMP proxy because I will not be able to properly authorize my clients.
I created a special lab with exemplary problems for MikroTik's engineers.
The subject is so extensive that I am not able to describe it here on the forum.
The problem occurs in networks where, for example, there are more than 400 TV channels.
The problem only appears on MikroTik devices during quick changes of TV channels.
I like MikroTik, it has many possibilities, and only these
large important things, good IGMP and PIM, are missing.
I am using BBB (now Telenor) as well, and I managed to make the IPTV work similarly to the above configuration.
But I have a question about the firewall rule: why is the second rule needed? Accepting UDP on the input chain into the router.
It seems the TV UDP stream forks to the input and forward chains in my case. I don't have the second rule to accept the packets to the router, so I see a huge amount of packets dropped on the input chain; the number is the same as the packets accepted on the forward rule for IPTV. And of course, if I put the second rule in, the IPTV packets are accepted by the router, and I guess they then get dropped anyway.
And another question: is it possible to fasttrack IPTV traffic? I put my forward rule after the fasttrack rule, and it doesn't work.
I use Telenor for IP-TV, but in my case they might use a VLAN, since the IP-TV box gets a 10.x.x.x IP.
If I connect a PC to either of the IP-TV ports and use a DHCP client, the PC gets a 10.x.x.x address as well.
If there is any VLAN, then I don't know about any ID. No one seems to want to tell, Telenor or ISP, etc.