Routing details IPTV

Hi,

Does the IPTV connection over vlan 4 also require usage of the standard Internet connection which comes in over vlan 6?

I was trying to set up a separate connection on an additional pfsense firewall but I see that no default route was assigned nor dns servers and the client is stuck trying to get a dns connection.

If it requires use of both the standard internet as well as vlan 4 based routing then I have to get it working on the one firewall/router. I wanted to avoid this option because it seems to only want to forward traffic over the internet connection and nothing over the VLAN 4 gateway.

Kim

Yes
Only the live stream uses vlan 4

Indeed, live stream (multicast) comes over vlan 4, paused and recorded is unicast and comes over vlan 6. Also, for the initial boot, vlan 6 is needed for DNS, timeservers and codes to decode encrypted channels.

The best way to route iptv separately is to limit the set-top box to a separate vlan internally and have separate firewall settings for it. (don’t let it access anything internally)

Thanks! I’m making some progress. It can show me the tv programs and I see some multicast traffic going out VLAN 4. But I think something is going wrong there. I can see Player error S815, for example.

Are there specific networks that have to be routed out VLAN 4 that I should know about?

What are the upstream networks that I need to set my igmp proxy to? Currently, I’m trying a combination of Bart Schermer’s guide and a KPN one and I’ve set upstream networks to:

217.166.0.0/16, 213.75.0.0/16, 10.0.0.0/8 

The only traffic apart from icmp ping I see happening on VLAN 4 is the following:

15:11:20.911879 IP 100.65.9.164 > 224.0.0.22: igmp v3 report, 1 group record(s)
15:11:21.963495 IP 100.65.9.164 > 224.0.0.22: igmp v3 report, 1 group record(s)

Any idea what’s missing?

I’ve given up on using two firewalls after I realised that the traffic is a combination of both VLAN 6 and VLAN 4.

Kim

Video on demand is indeed playing, but the live stream I’m having trouble with. I’m seeing this sort of thing on VLAN 4 when I press play:

15:16:22.566038 ARP, Request who-has 100.65.0.231 (b0:f2:08:f4:27:4d) tell 100.65.0.1, length 42
15:16:22.566337 ARP, Request who-has 100.65.14.45 (50:e6:36:d4:a4:3c) tell 100.65.0.1, length 42
15:16:22.567206 ARP, Request who-has 100.65.1.244 (04:b4:fe:08:87:22) tell 100.65.0.1, length 42
15:16:22.567951 ARP, Request who-has 100.65.15.68 (50:e6:36:d4:87:16) tell 100.65.0.1, length 42
15:16:22.568460 ARP, Request who-has 100.65.14.150 (b0:f2:08:f4:6e:ea) tell 100.65.0.1, length 42
15:16:22.568811 ARP, Request who-has 100.65.2.16 (50:e6:36:ce:70:c4) tell 100.65.0.1, length 42
15:16:22.569481 ARP, Request who-has 100.65.11.105 (50:e6:36:d3:47:e7) tell 100.65.0.1, length 42
15:16:22.571793 ARP, Request who-has 100.65.7.197 (50:e6:36:d3:ee:cf) tell 100.65.0.1, length 42
15:16:22.571958 ARP, Request who-has 100.65.6.3 (50:e6:36:d2:cc:9c) tell 100.65.0.1, length 42
15:16:22.574027 ARP, Request who-has 100.65.6.103 (50:e6:36:cf:96:e0) tell 100.65.0.1, length 42
15:16:22.575035 ARP, Request who-has 100.65.2.70 (50:e6:36:d2:b7:4f) tell 100.65.0.1, length 42

Also, in Bart Schermer’s guide he says that one should have an inbound rule to port forward RTP sourced from 185.24.175.0/24 to the IPTV client through VLAN 4. I see 185.* traffic coming from the client, but if I route this via VLAN 4 instead of PPPoE then it says there are no programs available, suggesting that this does indeed need to go over the normal Internet, or am I missing something?

Kim

Note, I haven’t found the solution. Some button I clicked accidentally marked it as such and it’s not unmarkable it seems.

Solved this. The problem was that I was switching vlan 4 and vlan 6 through the netgear switch towards the pfsense firewall. igmp snooping on the netgear can only look at one vlan. I chose the client side vlan, therefore vlan 4 igmp traffic was being dropped.

Also, it’s totally not as complex as I have seen written in different places. vlan 4 is multicast traffic only. Therefore no routes need to be added. Also, no outbound nat needs to be added because no traffic passes through the pfsense to vlan 4. It all happens through the igmp proxy, which means the packet source is the vlan 4 interface address. This also means you are protected by default because of the default deny rule, which should mean that NAT itself does not even need to be enabled, I’m guessing.

In fact, it was all the suggestions to use outbound NAT and adding extra static routes that made it all complex and difficult to set up. It was only later that I put the fiber cable into the switch and from there to the pfsense. That caused the last problem.

The important things to pay attention to are:

  • Set up igmp snooping on the switches monitoring the client side vlan. So all boxes should be on the same vlan.
  • Likely set rules to allow options on tcp connections to the 185.24.* addresses where the unicast comes from.
  • Connect the vlan 4 and vlan 6 cable directly into the pfsense firewall to avoid the problem with the igmp snooping limitation.
  • Obviously, set up the igmp proxy; it’s needed.

It’s possible that the architecture has simplified since some guides were written, though I doubt it. Who can tell :slight_smile:

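As an added example (not code from this thread, from pfSense or from igmpproxy), here is a small Python triage script that parses tcpdump lines like the ones quoted above from the VLAN 4 interface and says which of the situations discussed in the thread the capture matches: no membership reports at all (the proxy is not sending joins out of the upstream interface), reports going out but no multicast data coming back (the switch-snooping problem described in the solution), or a working stream. The sample captures are partly the lines quoted in the thread and partly constructed (source 192.0.2.10 and group 239.0.0.1 are made-up documentation values); the verdict names and hint texts are assumptions of this example, not anything pfSense reports.

```python
"""Triage a tcpdump text capture taken on the IPTV (multicast) VLAN interface.

Counts IGMPv3 membership reports, multicast UDP stream packets and ARP
requests, then returns a verdict: joins that are never answered by stream
data point at something between the firewall and the uplink, such as a
switch whose IGMP snooping only tracks one VLAN.
"""
import re
from collections import Counter
from ipaddress import ip_address

# "ts IP a.b.c.d[.port] > e.f.g.h[.port]: rest" (source/destination are exactly four octets)
IP_LINE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<rest>.*)$"
)
# "ts ARP, Request who-has a.b.c.d (mac) tell e.f.g.h, length N"
ARP_LINE = re.compile(
    r"^(?P<ts>\S+) ARP, Request who-has (?P<target>\d+\.\d+\.\d+\.\d+) .* tell (?P<sender>\d+\.\d+\.\d+\.\d+)"
)
LENGTH = re.compile(r"length (\d+)")

IGMPV3_REPORT_DST = "224.0.0.22"  # all IGMPv3-capable routers; where v3 reports go

# Hint text is an assumption of this example, phrased after the thread's findings.
HINTS = {
    "no_joins": "no IGMP reports on this interface: check that the IGMP proxy "
                "has this VLAN as its upstream interface",
    "joins_without_data": "joins leave the firewall but no multicast UDP returns: "
                          "check IGMP snooping on any switch between the firewall "
                          "and the uplink, or the proxy's upstream network list",
    "ok": "multicast stream data is arriving",
}


def triage(lines):
    """Classify tcpdump lines and return counters plus a verdict string."""
    stats = {"igmp_reports": 0, "stream_packets": 0, "stream_bytes": 0,
             "groups": Counter(), "arp_requests": 0, "arp_senders": Counter(), "other": 0}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = IP_LINE.match(line)
        if m:
            dst, rest = m["dst"], m["rest"]
            if dst == IGMPV3_REPORT_DST and rest.startswith("igmp"):
                stats["igmp_reports"] += 1            # the set-top box joining a channel
            elif ip_address(dst).is_multicast and rest.startswith("UDP"):
                stats["stream_packets"] += 1          # RTP/UDP payload for a joined group
                stats["groups"][dst] += 1
                n = LENGTH.search(rest)
                stats["stream_bytes"] += int(n.group(1)) if n else 0
            else:
                stats["other"] += 1
            continue
        m = ARP_LINE.match(line)
        if m:
            stats["arp_requests"] += 1                # the gateway's ARP sweeps are harmless noise
            stats["arp_senders"][m["sender"]] += 1
            continue
        stats["other"] += 1
    stats["verdict"] = verdict(stats)
    return stats


def verdict(stats):
    """Map counters to one of the three situations discussed in the thread."""
    if stats["stream_packets"]:
        return "ok"
    if stats["igmp_reports"]:
        return "joins_without_data"
    return "no_joins"


# Lines quoted in the thread: reports go out, only ARP comes back.
THREAD_CAPTURE = [
    "15:11:20.911879 IP 100.65.9.164 > 224.0.0.22: igmp v3 report, 1 group record(s)",
    "15:11:21.963495 IP 100.65.9.164 > 224.0.0.22: igmp v3 report, 1 group record(s)",
    "15:16:22.566038 ARP, Request who-has 100.65.0.231 (b0:f2:08:f4:27:4d) tell 100.65.0.1, length 42",
    "15:16:22.566337 ARP, Request who-has 100.65.14.45 (50:e6:36:d4:a4:3c) tell 100.65.0.1, length 42",
    "15:16:22.567206 ARP, Request who-has 100.65.1.244 (04:b4:fe:08:87:22) tell 100.65.0.1, length 42",
]

# Constructed capture of a working stream (addresses are documentation values, not real).
WORKING_CAPTURE = [
    "15:20:00.000100 IP 100.65.9.164 > 224.0.0.22: igmp v3 report, 1 group record(s)",
    "15:20:00.100200 IP 192.0.2.10.1234 > 239.0.0.1.5000: UDP, length 1316",
    "15:20:00.101300 IP 192.0.2.10.1234 > 239.0.0.1.5000: UDP, length 1316",
    "15:20:00.102400 IP 192.0.2.10.1234 > 239.0.0.1.5000: UDP, length 1316",
]

if __name__ == "__main__":
    for name, cap in (("thread", THREAD_CAPTURE), ("working", WORKING_CAPTURE)):
        r = triage(cap)
        print(f"{name}: igmp={r['igmp_reports']} stream={r['stream_packets']} "
              f"bytes={r['stream_bytes']} arp={r['arp_requests']} -> {r['verdict']}: {HINTS[r['verdict']]}")
```

To use it on a real capture, run tcpdump on the VLAN 4 interface with `-n` (numeric addresses, as in the quoted lines) and feed the text lines to `triage()`; the gateway's ARP sweeps are counted separately so they do not get mistaken for stream traffic.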

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.