OPNsense Forum

Archive => 21.1 Legacy Series => Topic started by: Arno on May 13, 2021, 05:48:13 pm

Title: IGMP proxy configuration (changed subject)
Post by: Arno on May 13, 2021, 05:48:13 pm
Hi,

Trying to configure IPTV.
I think (not fully 100% sure) the fw is not blocking traffic and routing is correct.

Not installed/upgraded any igmp proxy packages/plugins myself. It came with the installation  :)
Configured igmpproxy with upstream/downstream.
These settings are correct. Working on other fw software.

Dashboard shows igmpproxy started but it isn't. (ps -ef|grep igmp)
Also see the log message.

How can igmpproxy be started?
Title: Re: IGMP proxy not started
Post by: RedVortex on May 14, 2021, 09:07:34 pm
> Dashboard shows igmpproxy started but it isn't. (ps -ef|grep igmp)

Try

Code:
ps aux | grep igmp
You should see it if it shows as started in the UI since the UI relies on the process existing to show up as "Started".
Title: Re: IGMP proxy not started
Post by: Arno on May 15, 2021, 08:30:13 am
Code:
ps aux | grep igmp
Returns the process.
The error in the log remains so I can't use igmp proxy.
Title: Re: IGMP proxy not started
Post by: RedVortex on May 19, 2021, 02:22:50 pm
Not sure what your configs are but mine are this for Bell in Canada. They provide IPTV on VLAN36 and Internet on VLAN 35.

VLAN36 (Bell36 in my case) public interface gets its IPTV IP using DHCP.

Then IGMP proxy is configured like this. Make sure to select the right interface where you want to watch IPTV, in my case, I have a dedicated Interface for my receivers (LANTV) but this could simply be your LAN interface. Also, you do not put any network on the downstream interface, only on the upstream. The upstream network in my case is the network that Bell uses to provide IPTV service (not the same subnet as the IPTV Public IP subnet, it's another subnet beyond it)

Name   Type   Values
Bell36   upstream   10.2.0.0/16
LANTV   downstream


As for the rules on the public IPTV interface (Incoming IPTV traffic), you need to pass the IGMP and UDP for Multicast subnets so it reaches IGMP proxy.

PROTO - Source - Destination
IPv4 UDP - 10.2.0.0/16 - 239.0.0.0/8
IPv4 IGMP - ANY - 224.0.0.0/4


IMPORTANT - Make sure to enable "Allow options - This allows packets with IP options to pass" in the rules "Advanced Options" or else IGMP will not work.

Outbound rules should allow IPV4 and all protocols to all destinations for simplicity. If you prefer to add specific rules, here's what I have. You need to allow traffic for the receivers to connect to Bell servers for streaming and also allow traffic to reach IGMP proxy and also make sure DNS works.

Protocol   Source   Port   Destination   Port   Gateway
IPv4 TCP/UDP   LANTV net   *   10.2.0.0/16   *   BELL36_DHCP
IPv4 UDP   LANTV net   *   239.0.0.0/8   *   *
IPv4 IGMP   LANTV net   *   224.0.0.0/4   *   *
IPv4 TCP/UDP   LANTV net   *   This Firewall   53 (DNS)

I also have a static route to reach 10.2.0.0/16 through the right interface and not the public Internet interface (since this IP range is not the DHCP range given to the public IPTV interface, for Bell we need to manually route it).

For Bell, we also need to use their servers for DNS resolution of some IPTV-related domain names. Failure to add those exceptions will also result in non-working IPTV.

Here are the unbound exceptions I have configured. For my case, the Bell private IPTV DNS servers are 10.2.127.196 and 10.2.127.228 and we need to force *.iptv.bell.ca and also discovery.iptv.microsoft.com to those, nothing else. We discovered those IPs by using a tcpdump during DHCP on the IPTV Public interface to find out what they were.

Domain Overrides
Domain   IP   
iptv.bell.ca   10.2.127.196      
iptv.bell.ca   10.2.127.228      
discovery.iptv.microsoft.com   10.2.127.196      
discovery.iptv.microsoft.com   10.2.127.228

Like I said, this is for Bell Canada's, not sure who your provider is but your mileage may vary.

I hope this helps you out.
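
The "Allow options" warning in the post above, worked through as an added example (not part of the original post, and not OPNsense or pf code): IGMPv2 messages carry the IP Router Alert option, and pf drops packets with IP options unless the matching rule allows them. The rule matcher is a simplified model; the router address 10.2.0.1 and the group 239.1.1.1 are constructed sample values.

```python
import ipaddress
import struct

ROUTER_ALERT = bytes([0x94, 0x04, 0x00, 0x00])  # IP option 148 (RFC 2113)

def ipv4_header(src, dst, proto, payload_len, options=b""):
    """Build a constructed IPv4 header (checksum left at 0, never sent)."""
    ihl = 5 + len(options) // 4          # header length in 32-bit words
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + payload_len,
                       0, 0, 1, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + options

def parse(header):
    """Extract the fields a packet filter matches on."""
    return {"proto": header[9],
            "has_options": (header[0] & 0x0F) > 5,   # IHL > 5 means options
            "src": ipaddress.ip_address(header[12:16]),
            "dst": ipaddress.ip_address(header[16:20])}

# The two incoming rules from the post (protocol numbers: UDP = 17, IGMP = 2).
IPTV_IN_RULES = [
    {"proto": 17, "src": "10.2.0.0/16", "dst": "239.0.0.0/8"},
    {"proto": 2,  "src": "0.0.0.0/0",   "dst": "224.0.0.0/4"},
]

def verdict(header, rules, allow_options):
    """Simplified model of the filter decision, not pf's actual code."""
    pkt = parse(header)
    for rule in rules:
        if (pkt["proto"] == rule["proto"]
                and pkt["src"] in ipaddress.ip_network(rule["src"])
                and pkt["dst"] in ipaddress.ip_network(rule["dst"])):
            if pkt["has_options"] and not allow_options:
                return "block: IP options not allowed"
            return "pass"
    return "block: no matching rule"

# Constructed samples: an IGMP general query and a multicast video datagram.
IGMP_QUERY = ipv4_header("10.2.0.1", "224.0.0.1", 2, 8, ROUTER_ALERT)
VIDEO_UDP = ipv4_header("10.2.0.1", "239.1.1.1", 17, 1328)

if __name__ == "__main__":
    for name, pkt in (("IGMP query", IGMP_QUERY), ("video UDP", VIDEO_UDP)):
        for allow in (False, True):
            print(f"{name:10} allow_options={allow}: {verdict(pkt, IPTV_IN_RULES, allow)}")
```

The UDP stream passes either way; only the IGMP packet depends on the option setting, because only its header is longer than 20 bytes.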
Title: Re: IGMP proxy not started
Post by: Ricardo on May 19, 2021, 04:22:47 pm
Sorry if it seems offtopic, but igmp proxy would require a LOT of documentation. As of today it's practically an undocumented piece of software. And I mean NOT source code level COMMENTING, but enduser level human readable DOCUMENTATION.
Title: Re: IGMP proxy not started
Post by: RedVortex on May 20, 2021, 06:20:46 am
I beg to differ a bit with you on that point. The MAN page for igmpproxy and also igmpproxy.conf (man igmpproxy and man igmpproxy.conf) are pretty well written and clear about what igmpproxy does and how it is configured and the igmpproxy.conf MAN page describes quite well what should be present and why in the config file. Even the example in the igmpproxy.conf MAN page, actually works if you use it as is with many IPTV providers.

Maybe what is misunderstood by many is what igmp and multicast are and how they work, which could be more complicated if you think about all it requires to properly pass multicast and IGMP through a firewall (rules, subnets, etc...) which is not in any way the problem of igmpproxy but the firewall's responsibility/problem to allow this traffic to reach igmpproxy properly and allow it to be passed between the networks.

If you don't do firewalling and only routing, you don't need to understand all the 239/x, 224/x networks, igmp, udp, etc... for your IPTV to work. You just need to start igmp proxy with the 2 interfaces I gave above and you're done. But if you run a firewall (like most of us), what is usually the tough part is not igmp proxy itself, it's having the right rules so that udp traffic passes, igmp traffic passes, multicast networks and igmp protocol are accepted on both interfaces to reach igmp proxy, some weird routes because of the providers' special networks and dns etc... Again none of that is the responsibility of igmp proxy. It's a matter of understanding multicast, igmp, IPTV, networking, etc...

igmpproxy is basically this (from the MAN page):

Quote
igmpproxy is a simple multicast routing daemon which uses IGMP
       forwarding to dynamically route multicast traffic. Routing is done by
       defining an "upstream" interface on which the daemon act as a normal
       Multicast client, and one or more "downstream" interfaces that serves
       clients on the destination networks.

This "means" it takes the multicast packets on one interface and forwards them (routes them) on another interface to the clients. That is all it does and nothing else.

If you check the wikis for Multicast and also for IGMP, you'll see why it gets complicated through a firewall.
Title: Re: IGMP proxy not started
Post by: Ricardo on May 20, 2021, 03:59:38 pm
I get what you mean. I am more or less familiar with the (complex) nature of multicast. Ok, it's not igmpproxy's responsibility to describe how to make it work under the OPNsense firewall. Then who should be the producer of such a guide, e.g.: how to send multicast traffic between Site-A and Site-B (back and forth), when there are OPNsense routers (1 or more) between the sites, connected via e.g. IPSEC VPN tunnel? Firewall is obviously in the picture, I guess there is a very good chance >99,99% of the OPNsense users do use the firewall feature, so there is no real reason not to consider that part of the setup.
Title: Re: IGMP proxy not started
Post by: Arno on May 29, 2021, 11:22:08 am
@RedVortex: Same configuration here. Only other vlan numbers.

> Also, you do not put any network on the downstream interface, only on the upstream.
The upstream networks are from the ISP(IPTV). They are correct (TV channels are visible now)
Downstream network is private subnet on separate interface
Setup has three network interfaces: WAN/LAN/STB.

Rules:
IPTV (incoming):
IPv4 * * * gw IPTV if
Allow options was off (my bad, sorry) now enabled.

Difference now is that I can see the channels.
But only for a few seconds. Then it freezes.

Settop box:
I have specific rules for the separate network interface. No blocking traffic for what I can see.
DHCP (from OPNsense) works.
DNS is set in the DHCP server to DNS servers of the ISP.

I will review all the settings again. Done this so many times now I'm missing things (like allow options).
Thanks for your help.

Do you have any hints on the picture freeze? On forums I read other people posting this but can't remember what solved it.
Title: Re: IGMP proxy configuration (changed subject)
Post by: Arno on May 30, 2021, 01:02:39 am
Now I got no pictures at all.
No traffic from IPTV interface. Do have an IP address on IPTV interface (dhcp)
Upgraded to 21.1.6

When I switch to pfSense all is ok (no hardware or cable changes, only other vm and same configuration I think).

Anyone any idea what to check/configure?
Title: Re: IGMP proxy configuration (changed subject)
Post by: RedVortex on June 22, 2021, 04:48:54 pm
I'm still running 21.1.5 so I can't say about 21.1.6.

I'll most likely upgrade to 21.1.7 soon, maybe I'll experience the same issue.

If IGMP proxy is running and well configured, the only thing that remains is your firewall rules (make sure they also contain the "Allow options" to make sure IGMP goes through).

Keep it simple to test it and put an allow all protocols IPV4 rule including the "Allow options" on each interface (ISP and your IPTV LAN interface).

When you first select a channel, igmp isn't used. Your receiver asks directly to get about 10 seconds of video to get the stream started. Then after about 10 seconds this is where multicast/igmp proxy kicks in to take over the continuous streaming.

If you get nothing, it means your receiver cannot talk at all to your ISP interface for IPTV, you should see all that being blocked in your logs when you switch channels. If it blocks after 10 seconds, it means multicast/igmp proxy is being blocked or not configured properly.

Also, post your igmp proxy config so we can check if anything is wrong with those.
Title: Re: IGMP proxy configuration (changed subject)
Post by: Videopac on January 17, 2022, 12:43:18 pm
> Now I got no pictures at all.
> No traffic from IPTV interface. Do have an IP address on IPTV interface (dhcp)
> Upgraded to 21.1.6
>
> When I switch to pfSense all is ok (no hardware or cable changes, only other vm and same configuration I think).
>
> Anyone any idea what to check/configure?

Did you have pictures before?
I am struggling to get IPTV working via OPNsense. ISP: KPN (Netherlands), hw: Odroid H2.