smotis
just joined
Topic Author
Posts: 5
Joined: Mon Sep 12, 2016 11:19 am

Internet and IPTV on one port together

Mon Nov 28, 2022 1:53 pm

Hello,
Internet and IPTV on one port together.
From the ISP come internet and IPTV in vlan6. I created this:
https://ibb.co/XC2W3Qg
https://ibb.co/hDX5LLB

Internet and IPTV work on the same port, but there is a problem: the PC gets its IP from vlan6. Is it impossible to filter vlan6? The IP should be given only to the TV box.
The IPTV box gets its IP from vlan6 (the ISP sends the IP for the TV box).
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Internet and IPTV on one port together

Mon Nov 28, 2022 9:52 pm

Your highly cropped screenshots provide near to zero information about actual configuration of device.

If you want to get any meaningful advice, post configuration. Open terminal window, execute /export hide-sensitive file=anynameyouwish, then fetch resulting file to management computer, open it with text editor, redact any remaining sensitive information (serial number, any usernames or passwords, public IP address). Then copy-paste the config inside [code] [/code] block (to make it forum-friendly).
 
smotis
just joined
Topic Author
Posts: 5
Joined: Mon Sep 12, 2016 11:19 am

Re: Internet and IPTV on one port together

Tue Nov 29, 2022 8:18 am

# model = RB750Gr3
# serial number = HCM07QFJY0T
/interface bridge
add name=IPTV_Bridge protocol-mode=none
add name=LAN_bridge protocol-mode=none
/interface vlan
add interface=ether1 name=vlan-IPTV vlan-id=6
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.1.10-192.168.1.170
add name=dhcp_pool2 ranges=192.168.2.10-192.168.2.170
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=LAN_bridge name=dhcp1
add address-pool=dhcp_pool2 always-broadcast=yes disabled=no interface=\
    IPTV_Bridge name=dhcp2
/interface bridge port
add bridge=LAN_bridge interface=ether2
add bridge=IPTV_Bridge interface=ether3
add bridge=IPTV_Bridge interface=ether5
add bridge=IPTV_Bridge interface=ether4
add bridge=IPTV_Bridge interface=vlan-IPTV
/ip address
add address=192.168.1.1/24 interface=LAN_bridge network=192.168.1.0
add address=192.168.2.1/24 interface=IPTV_Bridge network=192.168.2.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.2.0/24 gateway=192.168.2.1
/ip dns
set allow-remote-requests=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat comment="WEB 80" dst-port=80 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.1.176 to-ports=80
add action=dst-nat chain=dstnat comment="WEB 443" dst-port=443 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.1.176 to-ports=443
add action=dst-nat chain=dstnat comment="Jono Katilas 1.1" dst-port=9000 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.1.222 to-ports=9000
add action=dst-nat chain=dstnat comment="Jono Katilas 2.1" dst-port=9000 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.2.222 to-ports=9000
/system clock
set time-zone-name=Europe/Vilnius
/system identity
set name=RouterOS
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Internet and IPTV on one port together

Tue Nov 29, 2022 11:58 am

One more question: how do IP TV set top boxes expect IPTV, tagged? (My ISP expects does). Let's say you'll want to have separate LAN subnet to provide TV set top boxes with internet to keep it away from your LAN.

If that's so, then I propose to change whole sections with the ones below:
/interface bridge
add name=bridge protocol-mode=none vlan-filtering=yes

/interface vlan
add interface=bridge name=vlan_WAN vlan-id=100
add interface=bridge name=vlan_LAN vlan-id=200
add interface=bridge name=vlan_IPTV vlan-id=300

/interface bridge port
add bridge=bridge interface=ether1 pvid=100  # WAN port
add bridge=bridge interface=ether2 pvid=200  # normal LAN port, untagged
add bridge=bridge interface=ether3 pvid=200  # normal LAN port, untagged
add bridge=bridge interface=ether4 pvid=200  # normal LAN port, untagged
add bridge=bridge interface=ether5 pvid=300  # assuming your MoCA gateway is connected to this port

/interface bridge vlan
add bridge=bridge tagged=bridge untagged=ether1 vlan-ids=100
add bridge=bridge tagged=bridge untagged=ether2,ether3,ether4 vlan-ids=200
add bridge=bridge tagged=bridge untagged=ether5 vlan-ids=300
add bridge=bridge tagged=ether1,ether5 vlan-ids=6

/ip address
add address=192.168.1.1/24 interface=vlan_LAN
add address=192.168.2.1/24 interface=vlan_IPTV

/ip dhcp-client
add interface=vlan_WAN

/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=vlan_LAN name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=vlan_IPTV name=dhcp2

/interface list
add name=WAN
add name=LAN
add name=IPTV

/interface list member
add interface=vlan_WAN list=WAN
add interface=vlan_LAN list=LAN
add interface=vlan_IPTV list=IPTV

/ip firewall filter
# based largely on default firewall, changed only to accommodate IPTV interface list
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input action=accept in-interface-list=LAN comment="allow everything from LAN"
# add appropriate rules if any router's service should be allowed for IPTV devices, e.g.
#add chain=input action=accept in-interface-list=IPTV protocol=udp dst-port=53 comment="IPTV: DNS"
#add chain=input action=accept in-interface-list=IPTV protocol=tcp dst-port=53 comment="IPTV: DNS"
add chain=input action=drop comment="drop all the rest"

add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new in-interface-list=IPTV out-interface-list=LAN comment="drop connections from IPTV towards LAN"
# you may want not to apply the following one if you want to allow connections from LAN towards IPTV
add chain=forward action=drop connection-state=new in-interface-list=LAN out-interface-list=IPTV comment="drop connections from LAN towards IPTV"
add chain=forward action=accept connection-state=new connection-nat-state=dstnat in-interface-list=WAN comment="allow DST-NATed traffic from WAN"
add chain=forward action=drop comment="drop all the rest"

/ip firewall nat
# adjusted only to use WAN interface list
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment="WEB 80" dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.176 to-ports=80
add action=dst-nat chain=dstnat comment="WEB 443" dst-port=443 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.176 to-ports=443
add action=dst-nat chain=dstnat comment="Jono Katilas 1.1" dst-port=9000 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.222 to-ports=9000
add action=dst-nat chain=dstnat comment="Jono Katilas 2.1" dst-port=9000 in-interface-list=WAN protocol=tcp to-addresses=192.168.2.222 to-ports=9000

Your current config doesn't have any firewall which makes it very dangerous. Even if ISP's router has firewall, it's still iffy (you have to trust ISP to do things right and ISP could mess with your LAN devices). The proposed changes above fix that.
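
One way to check an export for the gap described in the post above. This is an added example, not part of the original thread and not MikroTik tooling; `parse_export`, `audit` and both sample exports are constructed for illustration. It assumes RouterOS accepts any packet that no filter rule matches.

```python
import shlex

# Constructed sample modelled on the export posted earlier in the thread (trimmed).
OPEN_EXPORT = r'''
/ip dhcp-client
add disabled=no interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat comment="WEB 443" dst-port=443 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.1.176 to-ports=443
'''
# Constructed: the same export plus a filter section ending in drop-all rules.
FILTERED_EXPORT = OPEN_EXPORT + r'''
/ip firewall filter
add chain=input action=accept connection-state=established,related
add chain=input action=drop comment="drop all the rest"
add chain=forward action=accept connection-nat-state=dstnat in-interface=ether1
add chain=forward action=drop comment="drop all the rest"
'''

def parse_export(text):
    """Return [(menu, verb, params)] for every command line in an /export."""
    out, menu, pending = [], None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):      # /export wraps long lines with a trailing backslash
            pending = line[:-1]
            continue
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):     # menu path applies to the commands that follow
            menu = line
            continue
        verb, *words = shlex.split(line)
        out.append((menu, verb, dict(w.split("=", 1) for w in words if "=" in w)))
    return out

def audit(text):
    """List missing default-drop rules and the ports dst-nat opens from outside."""
    cmds = parse_export(text)
    findings = []
    for chain in ("input", "forward"):
        rules = [p for m, v, p in cmds
                 if m == "/ip firewall filter" and v == "add" and p.get("chain") == chain]
        last = rules[-1] if rules else {}
        # The chain is closed only if its last rule drops with no matcher at all.
        if last.get("action") != "drop" or set(last) - {"chain", "action", "comment"}:
            findings.append(f"{chain}: no final drop rule, unmatched traffic is accepted")
    for m, v, p in cmds:
        if m == "/ip firewall nat" and p.get("action") == "dst-nat":
            findings.append(f"dst-nat: {p['protocol']}/{p['dst-port']} -> {p['to-addresses']}")
    return findings
```

Run `audit()` on the text of a saved export; the dst-nat lines are an inventory of what stays reachable from the WAN side even once both chains end in a drop rule.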
 
smotis
just joined
Topic Author
Posts: 5
Joined: Mon Sep 12, 2016 11:19 am

Re: Internet and IPTV on one port together

Tue Nov 29, 2022 4:47 pm

Thanks for the response, but I need internet+IPTV on eth 3, 4, 5. I need to send it by wifi antenna (Ubiquiti) :)
Originally it works on the ISP router. On the same LAN port I have internet and IPTV... how does the ISP do it..
With my config internet and IPTV work, but the PC gets the IPTV IP...
Maybe there are some rules? How to drop DHCP from vlan6, but give it only to the TV box MAC?
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Internet and IPTV on one port together

Tue Nov 29, 2022 7:03 pm

Before I go any further, please describe wanted solution (functionality wise) in details. Like: what do you expect your RB to be ... simple switch (which will pass data between connected devices unaltered) or router/switch combo (routing/firewalling for internet but simply switching for IPTV).
Some diagram would be nice.
 
smotis
just joined
Topic Author
Posts: 5
Joined: Mon Sep 12, 2016 11:19 am

Re: Internet and IPTV on one port together

Wed Nov 30, 2022 11:19 am

I'll try to explain :)
From the ISP come vlan1 (internet) and vlan6 (IPTV, IP obtained from ISP DHCP).
The MikroTik should work in router mode (routing/firewalling).
1 port - WAN
2 port - LAN (IP range 192.168.1.10 - 192.168.1.170)
3 port - LAN +IPTV (IP range 192.168.2.10 - 192.168.2.170, IPTV box gets IP from ISP DHCP)
4 port - LAN +IPTV (IP range 192.168.2.10 - 192.168.2.170, IPTV box gets IP from ISP DHCP)
5 port - LAN +IPTV (IP range 192.168.2.10 - 192.168.2.170, IPTV box gets IP from ISP DHCP)

If I understand correctly, the IPTV box works in normal vlan1. When I use this config, IPTV and LAN work OK. To get an IP from the MikroTik DHCP for the PC, I have to disable vlan6 and get the IP for the PC. Then I turn vlan6 on, the TV box gets an IP from the ISP DHCP and everything works.. but when I connect a new device, the new device gets its IP from vlan6.
Thanks for your patience.
/interface bridge
add name=IPTV_Bridge protocol-mode=none
add name=LAN_bridge protocol-mode=none
/interface vlan
add interface=ether1 name=vlan-IPTV vlan-id=6
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.1.10-192.168.1.170
add name=dhcp_pool2 ranges=192.168.2.10-192.168.2.170
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=LAN_bridge name=dhcp1
add address-pool=dhcp_pool2 always-broadcast=yes disabled=no interface=\
    IPTV_Bridge name=dhcp2
/interface bridge port
add bridge=LAN_bridge interface=ether2
add bridge=IPTV_Bridge interface=ether3
add bridge=IPTV_Bridge interface=ether5
add bridge=IPTV_Bridge interface=ether4
add bridge=IPTV_Bridge interface=vlan-IPTV
/ip address
add address=192.168.1.1/24 interface=LAN_bridge network=192.168.1.0
add address=192.168.2.1/24 interface=IPTV_Bridge network=192.168.2.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.2.0/24 gateway=192.168.2.1
/ip dns
set allow-remote-requests=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
 
mkx
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Internet and IPTV on one port together

Wed Nov 30, 2022 8:36 pm

1 port - WAN
2 port - LAN (IP range 192.168.1.10 - 192.168.1.170)
3 port - LAN +IPTV (IP range 192.168.2.10 - 192.168.2.170, IPTV box gets IP from ISP DHCP)
4 port - LAN +IPTV (IP range 192.168.2.10 - 192.168.2.170, IPTV box gets IP from ISP DHCP)
5 port - LAN +IPTV (IP range 192.168.2.10 - 192.168.2.170, IPTV box gets IP from ISP DHCP)

Assuming that on ports ether3-ether5 "IP range" applies to untagged traffic and "IPTV box gets IP from ISP DHCP" applies to traffic tagged with VLAN ID 6, this config differs from my example config only that in my case ports ether2-ether4 belong to LAN and port ether5 belongs to LAN+IPTV. To adapt it to your needs, simply configure ports ether3 and ether4 the same way as it's ether5 under /interface bridge (both port and vlan submenus).

Another interpretation is that port "personality" should automatically change between "LAN 192.168.1.0/24" and "LAN 192.168.2.0/24 + IPTV" depending on which device is plugged (normal computer versus TV box) ... that is not possible to do easily (if at all).
