matrixfueller
Telekom MagentaTV and Mikrotik Routers

Wed Jun 07, 2023 8:30 pm

So I already asked for help in the Telekom forums in German but it seems they are of no use at the moment. The only idea is that the service of the ISP seems to have trouble with IPv6 (which I have set up) and as such I will try and disable that tomorrow to limit the problem to either IPv4 and/or IPv6.

Link here: https://telekomhilft.telekom.de/t5/Fern ... -p/6204095

The situation is the following: I have a CCR2004-16G-2S connected to my fibre modem and the Mikrotik is acting as the main router. There is only one service not working in the network and that is Telekom MagentaTV. Netflix, Amazon Prime etc are all working fine. The catch is that the problems only seem to occur on Android-based devices (such as phones and SmartTVs). Windows-based devices can use MagentaTV quite fine. So by my logic, it can't be that this is due to my firewall.

I will post the full config tomorrow once the router is up again, but the IPv4 firewall logs are not showing any packet drops, with logging turned on for all drops (except ICMP).

Is there anything with such a specific device that could trigger the Mikrotik Firewall? I am not aware of any rules that could cause such a problem with my current setup.

/ip firewall address-list
add address=192.168.178.2-192.168.178.254 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/24 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add address=hd408e3hnnc.sn.mynetname.net list=public_ip
add address=192.168.178.0/24 list=expected-address-from-LAN
add comment="Current network" list=expected-address-from-LAN
add address=224.0.0.0/4 comment=Multicast list=expected-address-from-LAN
add address=255.255.255.255 comment=Local list=expected-address-from-LAN
add address=vpn.schoolguy.de comment="IP of secondary-location" list=\
    secondary-location
add address=192.168.178.0/24 list=local_networks
add address=192.168.171.0/24 list=local_networks
add address=10.10.10.0/30 list=expected-address-from-LAN
add address=192.168.171.0/24 list=expected-address-from-LAN
add address=192.168.171.0/24 list=allowed_to_router
/ip firewall filter
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-port=13233 protocol=udp src-address-list=\
    secondary-location
add action=drop chain=input log=yes log-prefix=invalid-input
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=accept chain=forward comment="Accept Samsung TV" log-prefix=\
    "forward - accept samsung tv" out-interface=pppoe-out1 src-address=\
    192.168.178.56
add action=accept chain=forward comment="Accept Traffic from secondary site" \
    connection-state=new in-interface=wg-site-to-site src-address=\
    192.168.171.0/24
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid-forward
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" dst-address-list=\
    not_in_internet in-interface-list=LAN log=yes log-prefix=!public_from_LAN \
    out-interface-list=!LAN
add action=accept chain=forward comment="Port Forwarding" \
    connection-nat-state=dstnat
add action=accept chain=forward in-interface-list=LAN out-interface=\
    pppoe-out1
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
    protocol=icmp
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public ip" in-interface=\
    pppoe-out1 log=yes log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface=bridge1 log=\
    yes log-prefix=LAN_!LAN src-address-list=!local_networks
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
    protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
    protocol=icmp
add action=accept chain=icmp comment=\
    "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
    protocol=icmp
add action=drop chain=icmp comment="deny all other types" log=yes log-prefix=\
    drop-icmp
add action=drop chain=forward comment="drop all else" log=yes log-prefix=\
    drop-rest
/ip firewall nat
add action=masquerade chain=srcnat comment=HairpinNAT dst-address=\
    192.168.178.0/24 src-address=192.168.178.0/24
add action=masquerade chain=srcnat comment=NAT out-interface=pppoe-out1
add action=dst-nat chain=dstnat comment="HTTP main server" dst-address-list=\
    public_ip dst-port=80 protocol=tcp to-addresses=192.168.178.46 to-ports=\
    80
add action=dst-nat chain=dstnat comment="HTTPS main server" dst-address-list=\
    public_ip dst-port=443 protocol=tcp to-addresses=192.168.178.46 to-ports=\
    443
add action=dst-nat chain=dstnat comment="Wireguard main server" \
    dst-address-list=public_ip dst-port=51820 protocol=udp to-addresses=\
    192.168.178.46 to-ports=51820
/ip firewall raw
add action=drop chain=prerouting comment=\
    "drop non-legit src-addresses hitting WAN side" in-interface=pppoe-out1 \
    log=yes log-prefix=raw-non-legit-src-address-wan src-address-list=\
    not_in_internet
add action=drop chain=prerouting comment=\
    "drop non-legit dst-addresses hitting WAN side" disabled=yes \
    dst-address-list=!public_ip in-interface=pppoe-out1 log-prefix=\
    "raw, non-legit-dst-address-wan"
add action=drop chain=prerouting comment=\
    "drop non-legit traffic coming from LAN" in-interface-list=listBridge \
    log=yes log-prefix=raw-non-legit-from-wan src-address-list=\
    !expected-address-from-LAN
/ipv6 address
add from-pool=telekom interface=bridge1
/ipv6 dhcp-client
add add-default-route=yes interface=pppoe-out1 pool-name=telekom \
    pool-prefix-length=56 request=prefix
/ipv6 firewall address-list
add address=fe80::/10 comment="defconf: RFC6890 Linked-Scoped Unicast" list=\
    no_forward_ipv6
add address=ff00::/8 comment="defconf: multicast" list=no_forward_ipv6
add address=::1/128 comment="defconf: RFC6890 lo" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: RFC6890 IPv4 mapped" list=\
    bad_ipv6
add address=2001::/23 comment="defconf: RFC6890" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 documentation" list=\
    bad_ipv6
add address=2001:10::/28 comment="defconf: RFC6890 orchid" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 Discard-only" list=\
    not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 Benchmark" list=\
    not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 Unique-Local" list=\
    not_global_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_dst_ipv6
add address=::/128 comment="defconf: unspecified" list=bad_src_ipv6
add address=ff00::/8 comment="defconf: multicast" list=bad_src_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
    dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" \
    protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ipv6 firewall raw
add action=accept chain=prerouting comment=\
    "defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: RFC4291, section 2.7.1" \
    dst-address=ff02::1:ff00:0/104 icmp-options=135 protocol=icmpv6 \
    src-address=::/128
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bogon IP's" \
    dst-address-list=bad_ipv6
add action=drop chain=prerouting comment=\
    "defconf: drop packets with bad SRC ipv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_dst_ipv6
add action=drop chain=prerouting comment="defconf: drop non global from WAN" \
    in-interface-list=WAN src-address-list=not_global_ipv6
add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" \
    jump-target=icmp6 protocol=icmpv6
add action=accept chain=prerouting comment=\
    "defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment=\
    "defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment=\
    "defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=icmp6 comment="defconf: dst unreachable" \
    icmp-options=1:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: packet too big" icmp-options=\
    2:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: limit exceeded" icmp-options=\
    3:0-1 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: bad header" icmp-options=\
    4:0-2 protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: Mobile home agent address discovery" icmp-options=144:0-255 \
    protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: Mobile home agent address discovery" icmp-options=145:0-255 \
    protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix solic" \
    icmp-options=146:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: Mobile prefix advert" \
    icmp-options=147:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo request limit 5,10" \
    icmp-options=128:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: echo reply limit 5,10" \
    icmp-options=129:0-255 limit=5,10:packet protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 router solic limit 5,10 only LAN" hop-limit=equal:255 \
    icmp-options=133:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
    icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 router advert limit 5,10 only LAN" hop-limit=equal:255 \
    icmp-options=134:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
    icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 neighbor solic limit 5,10 only LAN" hop-limit=equal:255 \
    icmp-options=135:0-255 in-interface-list=LAN limit=5,10:packet protocol=\
    icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 neighbor advert limit 5,10 only LAN" hop-limit=\
    equal:255 icmp-options=136:0-255 in-interface-list=LAN limit=5,10:packet \
    protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 inverse ND solic limit 5,10 only LAN" hop-limit=\
    equal:255 icmp-options=141:0-255 in-interface-list=LAN limit=5,10:packet \
    protocol=icmpv6
add action=accept chain=icmp6 comment=\
    "defconf: rfc4890 inverse ND advert limit 5,10 only LAN" hop-limit=\
    equal:255 icmp-options=142:0-255 in-interface-list=LAN limit=5,10:packet \
    protocol=icmpv6
add action=drop chain=icmp6 comment="defconf: drop other icmp" protocol=\
    icmpv6

Thanks for your input and help!
Enno aka matrixfueller
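As an added illustration (not code from the post), here is a small Python first-match evaluator over a trimmed copy of the IPv4 forward chain above, so a reader can check which rule handles a given flow before suspecting the firewall. It assumes bridge1 is a member of interface list LAN and pppoe-out1 of WAN, which the export does not show.

```python
import ipaddress
# Constructed subset of the poster's IPv4 forward chain in export order (first match wins).
FORWARD_RULES = [
    {"action": "accept", "comment": "Established, Related",
     "connection-state": {"established", "related"}},
    {"action": "accept", "comment": "Accept Samsung TV",
     "out-interface": "pppoe-out1", "src-address": "192.168.178.56"},
    {"action": "drop", "comment": "Drop tries to reach not public addresses from LAN",
     "dst-address-list": "not_in_internet", "in-interface-list": "LAN",
     "out-interface-list": "!LAN"},
    {"action": "accept", "comment": "LAN to WAN (uncommented rule in the export)",
     "in-interface-list": "LAN", "out-interface": "pppoe-out1"},
    {"action": "drop", "comment": "Drop incoming from internet which is not public ip",
     "in-interface": "pppoe-out1", "src-address-list": "not_in_internet"},
    {"action": "drop", "comment": "drop all else"},
]
# Trimmed not_in_internet list; interface-list membership is assumed (not in the post).
ADDRESS_LISTS = {"not_in_internet": [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4")]}
INTERFACE_LISTS = {"LAN": {"bridge1"}, "WAN": {"pppoe-out1"}}

def in_address_list(addr, name):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ADDRESS_LISTS[name])

def in_interface_list(iface, spec):
    # A leading "!" negates the match, as in out-interface-list=!LAN above.
    negate = spec.startswith("!")
    return (iface in INTERFACE_LISTS[spec.lstrip("!")]) != negate

def rule_matches(rule, pkt):
    checks = {
        "connection-state": lambda v: pkt["state"] in v,
        "src-address": lambda v: pkt["src"] == v,
        "in-interface": lambda v: pkt["in_if"] == v,
        "out-interface": lambda v: pkt["out_if"] == v,
        "in-interface-list": lambda v: in_interface_list(pkt["in_if"], v),
        "out-interface-list": lambda v: in_interface_list(pkt["out_if"], v),
        "src-address-list": lambda v: in_address_list(pkt["src"], v),
        "dst-address-list": lambda v: in_address_list(pkt["dst"], v),
    }
    return all(checks[k](v) for k, v in rule.items() if k in checks)

def first_match(pkt):
    # Returns (action, comment) of the first rule matching the packet dict.
    for rule in FORWARD_RULES:
        if rule_matches(rule, pkt):
            return rule["action"], rule["comment"]
    return "accept", "no rule matched (RouterOS default)"
```

Call first_match with a dict of src, dst, in_if, out_if and state (new, established, related or invalid) to see which rule a flow from an Android client or from the PPPoE side would hit.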
 
matrixfueller

Re: Telekom MagentaTV and Mikrotik Routers  [SOLVED]

Thu Jun 08, 2023 4:32 pm

Topic solved. The issue is on Telekom side. There is a year-old post already that describes the problems as well: https://telekomhilft.telekom.de/t5/Fern ... -p/5217632
