PorcoMaster
just joined
Topic Author
Posts: 15
Joined: Thu Dec 07, 2017 3:20 pm

IPTV Lan Help.

Mon Jul 22, 2019 5:58 am

Hello guys, I am from Brazil and I just bought an RB2011UiAS-RM and some Ubiquiti-AP-LR. I came from an old TP-Link with OpenWRT.

The thing is, my ISP, VIVO Fibra, uses a horrible router and uses VLANs for internet and IPTV. With OpenWRT I was able to follow some tutorials and bypass the ISP router.

I was able to bypass the internet VLAN with Mikrotik, but not IPTV. For the last 2 days I tried everything I could from every tutorial, Portuguese or English, and couldn't find any solution. I changed DHCP, changed routes, even installed multicast, but I couldn't find anything.

I will show you step by step what I did on OpenWRT to get internet and IPTV, and what I did to get the internet on Mikrotik. Any tips would be awesome, and sorry if there is an answer somewhere else.

OpenWRT Internet

Create a switch -> Vlan 10

CPU = Tagged
Ethernet1/wan connection = Tagged

Create an interface

Name: WAN
PPPoE

user: cliente@cliente
password: cliente
physical setting Vlan interface: Eth0:10

Firewall
Lan => Wan // input: accept // output:accept // forward:accept

wan => reject // input:reject // output:accept // forward:reject // masquerade // mss clamping

OpenWRT IPTV

create a switch -> Vlan 20
CPU = Tagged
ethernet1/wan connection = Tagged
ethernet3/IPTV connection = Untagged

Create an interface
name: IPTV
static address: 192.168.2.245
IPV4 gateway: 255.255.255.0

Physical settings Vlan interface:eth0.20

Firewall

IPTV => WAN // input:accept // output:accept // forward:reject

obs: it does lose interactivity on ISP IPTV platform but does work, and I don't mind losing interactivity.

Mikrotik Internet:

Interface -> ADD -> Vlan

name: vlan10
arp: enabled
Vlan ID: 10
Interface: ether1

do NOT mark service tag

Interface -> add -> PPPoE client

Name: Internet
Interface: vlan10
user: cliente@cliente
password: cliente

It does work for the internet, but I tried every possibility on IPTV and couldn't make it work. Any tips would be awesome; I tried for more than 10 hours over the last 2 days, and any light could be really useful.
 
mkx
Forum Guru
Posts: 2807
Joined: Thu Mar 03, 2016 10:23 pm

Re: IPTV Lan Help.

Mon Jul 22, 2019 9:18 am

> OpenWRT IPTV
>
> create a switch -> Vlan 20
> CPU = Tagged
> ethernet1/wan connection = Tagged
> ethernet3/IPTV connection = Untagged
>
> Create an interface
> name: IPTV
> static address: 192.168.2.245
> IPV4 gateway: 255.255.255.0
>
> Physical settings Vlan interface:eth0.20

This part would probably be translated to ROSish like this:
/interface bridge
add name=bridge-IPTV protocol-mode=none
/interface vlan
add name=vlan20 interface=ether1 vlan-id=20
/interface bridge port
remove [ find interface=ether3 ]  # this removes ether3 from any other bridge (default makes it member of bridge1)
add bridge=bridge-IPTV interface=vlan20
add bridge=bridge-IPTV interface=ether3
/ip address
add address=192.168.2.245/24 interface=bridge-IPTV
I'm not sure the last step (adding IP address to the IPTV bridge) is really necessary because the above setup creates a simple "ethernet switch" which joins ether3 (untagged) with VLAN 20 on ether1 ... which means that IPTV device, connected to ether3, freely communicates on L2 to the ISP's IPTV network ... getting IP address from ISP's DHCP server etc.

If this is not the way IPTV is supposed to be working, describe (in words, not some openWRT config) how it is supposed to work and we'll see how that should be implemented in ROS.
BR,
Metod
 
sindy
Forum Guru
Posts: 3805
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPTV Lan Help.

Mon Jul 22, 2019 12:40 pm

A drawing will be even better than words.

But let me suppose - you need
  • LANs 10 and 20 to be both tagged on the uplink ethernet port to the ISP,
  • one ethernet port to work as an access one to VLAN 20 to connect the STB,
  • the PPPoE client acting as your WAN to access VLAN 10
Is that correct? If yes, it makes most sense to use the vlan filtering (and tagging/untagging) capabilities of the switch chip to let the IPTV frames completely bypass the CPU; to allow that, you have to change the configuration of the bridge and the PPPoE by activating vlan-filtering on the bridge and adding the uplink port to it.

Assumptions:
  • you start from the default configuration of the 2011, where ether1 is configured as WAN with DHCP and all other ethernet ports are all bridged together in a single bridge called "bridge",
  • ether1 will be the uplink to the ISP,
  • the STB will be connected to ether3.
If so, step 1:
/interface vlan
add interface=bridge vlan-id=10 name=internet-vlan

/interface pppoe-client
add name=pppoe-wan interface=internet-vlan username=xyz password=xyz 

/interface list member
remove [find interface=ether1]
add list=WAN interface=pppoe-wan

/ip dhcp-client
remove [find interface=ether1]

/interface bridge vlan
add vlan-ids=1 untagged=bridge,ether2,ether4,ether5,ether6,ether7,ether8,ether9,ether10
add vlan-ids=10 tagged=bridge,ether1
add vlan-ids=20 tagged=ether1 untagged=ether3

/interface bridge port
set [find interface=ether3] pvid=20
add bridge=bridge interface=ether1
Now switch on safe mode (on command line, it is done by pressing [Ctrl][X]) and do a single command:
/interface bridge set bridge vlan-filtering=yes
If you don't lose connection (i.e. some command, like /ip firewall filter print, can be issued repeatedly and returns some results), you can press [Ctrl][X] again to leave the safe mode.

At this stage, you can connect ether1 to the ISP, the PPPoE should come up so you should have internet connectivity, and the STB should get the IPTV data too. However, the data to the STB will flow through the CPU, which is not what you want.

So the following steps will be
/interface ethernet switch vlan
add vlan-id=0 switch=switch1 ports=ether2,ether4,ether5,switch1-cpu
add vlan-id=10 switch=switch1 ports=ether1,switch1-cpu independent-learning=yes
add vlan-id=20 switch=switch1 ports=ether1,ether3 independent-learning=yes

/interface ethernet port
set ether3 default-vlan-id=20 vlan-mode=secure
The following step may be dangerous so use [Ctrl][X] again before sending that:
/interface ethernet port set ether1,ether2,ether3,ether4,ether5,switch1-cpu vlan-mode=secure
Now you should be OK completely.

If it doesn't work, post your configuration at the stage you have reached following the hint in my automatic signature below.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
PorcoMaster
just joined
Topic Author
Posts: 15
Joined: Thu Dec 07, 2017 3:20 pm

Re: IPTV Lan Help.

Mon Jul 22, 2019 4:23 pm

Thank you mkx and sindy, I am working now, but as soon as I get home I will try both solutions, and get back to you.

Thank you very much for your help
 
mkx
Forum Guru
Posts: 2807
Joined: Thu Mar 03, 2016 10:23 pm

Re: IPTV Lan Help.

Mon Jul 22, 2019 4:29 pm

Solution by @sindy is for sure more resource-effective. I just wrote minimum changes from your current setup. I'd suggest you first implement my changes and if IPTV starts to work, go ahead and implement what @sindy wrote.
BR,
Metod
 
PorcoMaster
just joined
Topic Author
Posts: 15
Joined: Thu Dec 07, 2017 3:20 pm

Re: IPTV Lan Help.

Tue Jul 23, 2019 2:06 am

You guys are amazing, both solutions worked. @mkx's was simple, and @sindy's worked and looks like it will use less CPU. Is there any way to be sure?

On @sindy's solution,
/interface ethernet port set ether1,ether2,ether3,ether4,ether5,switch1-cpu vlan-mode=secure
crashed my router board; I was able to reconnect using ether6.

On @mkx's solution, you were right, it does not need this step:
/ip address
add address=192.168.2.245/24 interface=bridge-IPTV
I would like to correct some code for future people that might need it.
/interface pppoe-client
add name=pppoe-wan interface=internet-vlan username=xyz password=xyz
You must add use peer DNS or user DNS for it to work, and you need to add a default route for it to work.
/interface ethernet port
should be
/interface ethernet switch port

I must say again that you guys are amazing. Thank you very much, you helped me so much.

That is my final code:
# jul/22/2019 20:14:32 by RouterOS 6.45.2
# software id = xxxxxxx
#
# model = 2011UiAS
# serial number = xxxxxxxxx
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface vlan
add interface=bridge name=internet-vlan vlan-id=10
/interface pppoe-client
add add-default-route=yes disabled=no interface=internet-vlan name=pppoe-wan \
    use-peer-dns=yes user=cliente@cliente
/interface ethernet switch port
set 5 default-vlan-id=20
set 11 vlan-mode=secure
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.30.100-192.168.30.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5 pvid=20
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge untagged=\
    bridge,ether2,ether3,ether4,ether6,ether7,ether8,ether9,ether10 vlan-ids=1
add bridge=bridge tagged=bridge,ether1 vlan-ids=10
add bridge=bridge tagged=ether1 untagged=ether5 vlan-ids=20
/interface ethernet switch vlan
add independent-learning=no ports=ether2,ether3,ether4,switch1-cpu switch=\
    switch1
add independent-learning=yes ports=ether1,switch1-cpu switch=switch1 vlan-id=10
add independent-learning=yes ports=ether1,ether5 switch=switch1 vlan-id=20
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=pppoe-wan list=WAN
/ip address
add address=192.168.30.1/24 comment=defconf interface=bridge network=\
    192.168.30.0
/ip dhcp-server network
add address=192.168.30.0/24 comment=defconf gateway=192.168.30.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.30.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=masquerade chain=srcnat src-address=192.168.30.0/24
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=America/Sao_Paulo
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
sindy
Forum Guru
Posts: 3805
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPTV Lan Help.

Tue Jul 23, 2019 11:51 am

> look like it will use less CPU is there any way to be sure?
Running /tool profile while watching TV should show you the difference in CPU load between the solutions.

> on @sindy solution
> /interface ethernet port set ether1,ether2,ether3,ether4,ether5,switch1-cpu vlan-mode=secure
> crashed my router board, I was able to reconnect using ether6
Be more verbose here, please. Did you add the missing word switch as you've noted later? I suppose you did, otherwise the command should have been simply rejected, not crash the router.

Even if you did enter it properly, it should also not have crashed the router, it should in worst case just make it inaccessible via ports of switch chip 1, which seems to be the case as you could get there via port of switch chip 2. But why it has made the router inaccessible is currently beyond my understanding.

So maybe try just /interface ethernet switch port set ether1,ether5 vlan-mode=secure, that should be enough to prevent the broadcast traffic from the IPTV VLAN from leaking to the CPU.

What I cannot resolve myself is the /interface ethernet switch port set 11 vlan-mode=secure because I don't know the order of ports in configuration. It should be the CPU port of switch2 but in that case I'd expect some problems to happen.

Can you post the output of /interface ethernet switch port print?
 
PorcoMaster
just joined
Topic Author
Posts: 15
Joined: Thu Dec 07, 2017 3:20 pm

Re: IPTV Lan Help.

Tue Jul 23, 2019 6:14 pm

> Be more verbose here, please. Did you add the missing word switch as you've noted later? I suppose you did, otherwise the command should have been simply rejected, not crash the router.

You are correct, I am sorry if I was not clear enough. It did not crash the routerboard, but it made it impossible to connect through ether1->ether5. It made all ports secure, but for some reason TV, internet and connection stopped working. I will try
/interface ethernet switch port set ether1,ether5 vlan-mode=secure,
and I will get back to you. I am having some stutter on TV: it stops for 1-2 s and comes back. I will try your solution, @sindy and @mkx, to see which one will stutter less, but I would prefer yours as it will use less CPU.

I don't know why
/interface ethernet switch port set 11 vlan-mode=secure
this code is there, and I only saw it just now. I will research further and get back to you. Thank you very much for your help.
 
PorcoMaster
just joined
Topic Author
Posts: 15
Joined: Thu Dec 07, 2017 3:20 pm

Re: IPTV Lan Help.

Tue Jul 23, 2019 9:45 pm

You were right, port 11 is switch-CPU 1. I will disable it, thanks for the heads up.
Flags: I - invalid 
 #   NAME             SWITCH             VLAN-MODE VLAN-HEADER    DEFAULT-VLAN-ID
 0   sfp1             switch1            disabled  leave-as-is               auto
 1   ether1           switch1            disabled  leave-as-is               auto
 2   ether2           switch1            disabled  leave-as-is               auto
 3   ether3           switch1            disabled  leave-as-is               auto
 4   ether4           switch1            disabled  leave-as-is               auto
 5   ether5           switch1            disabled  leave-as-is                 20
 6   ether6           switch2            disabled  leave-as-is                  0
 7   ether7           switch2            disabled  leave-as-is                  0
 8   ether8           switch2            disabled  leave-as-is                  0
 9   ether9           switch2            disabled  leave-as-is                  0
10   ether10          switch2            disabled  leave-as-is                  0
11   switch1-cpu      switch1            secure    leave-as-is               auto
12   switch2-cpu      switch2            disabled  leave-as-is                  
I will try your code now.
 
PorcoMaster
just joined
Topic Author
Posts: 15
Joined: Thu Dec 07, 2017 3:20 pm

Re: IPTV Lan Help.

Tue Jul 23, 2019 10:02 pm

@sindy, it looks like it worked, thank you very much. With the last code it was 2%-15% of CPU usage, now it looks like 4-9%, so it's way better. Thank you very much.

This is my final code for now:
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge \
    vlan-filtering=yes
/interface vlan
add interface=bridge name=internet-vlan vlan-id=10
/interface pppoe-client
add add-default-route=yes disabled=no interface=internet-vlan name=pppoe-wan \
    use-peer-dns=yes user=cliente@cliente
/interface ethernet switch port
set 1 vlan-mode=secure
set 5 default-vlan-id=20 vlan-mode=secure
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.30.100-192.168.30.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5 pvid=20
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface bridge vlan
add bridge=bridge untagged=\
    bridge,ether2,ether3,ether4,ether6,ether7,ether8,ether9,ether10 vlan-ids=1
add bridge=bridge tagged=bridge,ether1 vlan-ids=10
add bridge=bridge tagged=ether1 untagged=ether5 vlan-ids=20
/interface ethernet switch vlan
add independent-learning=no ports=ether2,ether3,ether4,switch1-cpu switch=\
    switch1
add independent-learning=yes ports=ether1,switch1-cpu switch=switch1 vlan-id=10
add independent-learning=yes ports=ether1,ether5 switch=switch1 vlan-id=20
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=pppoe-wan list=WAN
/ip address
add address=192.168.30.1/24 comment=defconf interface=bridge network=\
    192.168.30.0
/ip dhcp-server network
add address=192.168.30.0/24 comment=defconf gateway=192.168.30.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.30.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
add action=masquerade chain=srcnat src-address=192.168.30.0/24
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=America/Sao_Paulo
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
sindy
Forum Guru
Posts: 3805
Joined: Mon Dec 04, 2017 9:19 pm

Re: IPTV Lan Help.

Tue Jul 23, 2019 10:53 pm

If you don't use internet and just watch TV, there should be almost no CPU load at all as the IPTV traffic bypasses the CPU completely: as vlan-mode at ether1 and ether5 is secure and switch1-cpu is not on the port list for vlan 20 in the switch chip, the IPTV frames tagged with VID 20 cannot get to the CPU at all. So I attribute those 4 to 9 % of CPU load to internet browsing and downloads, not to watching TV.

What disappoints me is that vlan-mode=secure on ether2,3,4 prevents tagless traffic from being allowed in although they are all, along with the CPU port, in vlan-id 0 row of /interface ethernet switch vlan. The last time I've tried this some months ago this was working. Especially as vlan-mode=secure on switch1-cpu could stay and it didn't break anything.
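The two conditions sindy's last post names for keeping IPTV frames off the CPU (vlan-mode=secure on the VLAN 20 member ports, and switch1-cpu absent from the VLAN 20 row of the switch VLAN table) can be checked mechanically against an export. The Python below is an added example, not code from any poster or from MikroTik: the function names are hypothetical, the port numbering is taken from the switch port print output in the thread, and a row exported without vlan-id is assumed to be the vlan-id 0 row.

```python
import shlex

# Item numbers as shown by "/interface ethernet switch port print" in this
# thread (RB2011); the export refers to switch ports by these numbers.
PORT_ORDER = ["sfp1"] + [f"ether{i}" for i in range(1, 11)] + ["switch1-cpu", "switch2-cpu"]

# Sample input: the switch-chip sections of the final export posted in the thread.
FINAL_EXPORT = r"""
/interface ethernet switch port
set 1 vlan-mode=secure
set 5 default-vlan-id=20 vlan-mode=secure
/interface ethernet switch vlan
add independent-learning=no ports=ether2,ether3,ether4,switch1-cpu switch=\
    switch1
add independent-learning=yes ports=ether1,switch1-cpu switch=switch1 vlan-id=10
add independent-learning=yes ports=ether1,ether5 switch=switch1 vlan-id=20
"""


def parse_export(text):
    """Return {menu path: [(verb, [positional args], {key: value}), ...]}."""
    sections, menu, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):  # the export wraps long lines with a backslash
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):  # a new menu path starts a new section
            menu = line
            sections.setdefault(menu, [])
            continue
        verb, *rest = shlex.split(line)
        kv = dict(tok.split("=", 1) for tok in rest if "=" in tok)
        positional = [tok for tok in rest if "=" not in tok]
        sections.setdefault(menu, []).append((verb, positional, kv))
    return sections


def audit_vlan_isolation(text, vlan_id, cpu_port="switch1-cpu"):
    """List ways the export fails the two isolation conditions for vlan_id."""
    sections = parse_export(text)
    mode = {}  # ports never set keep vlan-mode=disabled, as in the print output
    for verb, pos, kv in sections.get("/interface ethernet switch port", []):
        if verb == "set" and pos and "vlan-mode" in kv:
            for item in pos[0].split(","):
                name = PORT_ORDER[int(item)] if item.isdigit() else item
                mode[name] = kv["vlan-mode"]
    members = set()
    for verb, _, kv in sections.get("/interface ethernet switch vlan", []):
        # Assumption: a row exported without vlan-id is the vlan-id=0 row.
        if verb == "add" and kv.get("vlan-id", "0") == str(vlan_id):
            members.update(p for p in kv.get("ports", "").split(",") if p)
    if not members:
        return [f"no switch VLAN table row for vlan-id {vlan_id}"]
    findings = []
    if cpu_port in members:
        findings.append(f"{cpu_port} is a member of vlan-id {vlan_id}")
    for port in sorted(members - {cpu_port}):
        if mode.get(port, "disabled") != "secure":
            findings.append(f"{port} has vlan-mode={mode.get(port, 'disabled')}, not secure")
    return findings


if __name__ == "__main__":
    print(audit_vlan_isolation(FINAL_EXPORT, 20) or "VLAN 20 stays in the switch chip")
```

Run against the earlier export in the thread (only `set 11 vlan-mode=secure`), the same check reports ether1 and ether5 as not secure; for VLAN 10 it reports switch1-cpu as a member, which is expected because the PPPoE client runs on the CPU.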