OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: bringha on January 02, 2018, 05:58:24 pm

Title: igmpproxy and Telekom Entertain behind Fritzbox - now working
Post by: bringha on January 02, 2018, 05:58:24 pm
Hi all,

the same procedure as every year - but this time with progress: igmpproxy in 17.7 is now working with Telekom Entertain and OPNsense behind a Fritzbox as router. Several topics dealt with that over the last 18 months, e.g. https://forum.opnsense.org/index.php?topic=1968.0 and https://forum.opnsense.org/index.php?topic=5295.0.

Over the last year there have been some updates of igmpproxy coming from the pfSense space and fed back to FreeBSD ports, e.g. https://redmine.pfsense.org/issues/6099. Also, the problems with the correct aging of mcast routes in the table seem to be fixed now. Although I do not know whether all of them are fully reflected in the igmpproxy plugin of the current OPNsense release 17.7.11, I could make it work at least for Telekom Entertain 1.0 (NOT yet proven for the new Telekom Entertain TV 2.0), at least for the following configuration:

                                                   +---+
                                                +--+ S +------> DMZ  <-----> Client
                                                |  | W |
Telekom ISP <--> Fritzbox 3490 <--> Opnsense <--+--+ I +------> LAN  <-----> Client
                                                |  | T |
                                                +--+ C +------> WLAN <-----> Client
                                                   | H |
                                                   +---+
The switch supports IGMPv3 snooping and provides separated networks for DMZ, LAN, WLAN via untagged VLANs.

After installation of the igmpproxy plugin, the following upstream networks should be configured:
The downstream networks should contain the networks of the LAN side interfaces accordingly.

The resulting /usr/local/etc/igmpproxy.conf should look like, e.g.:
Code:
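##------------------------------------------------------
## Enable Quickleave mode (Sends Leave instantly)
##------------------------------------------------------
quickleave

## Upstream interface (exactly one); altnet lists the additional
## source networks accepted on this interface
phyint igb1 upstream ratelimit 0 threshold 1
        altnet 193.158.0.0/15
        altnet 224.0.0.0/4
        altnet 87.140.0.0/15

## Downstream interface with the LAN-side client network
phyint igb0 downstream ratelimit 0 threshold 1
        altnet 192.168.X.0/24

## Interfaces that take no part in the multicast proxying
phyint igb2 disabled
phyint igb3 disabled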

Indeed, you can also configure more downstream interfaces (in my case disabled here); what is important is to have ONE single upstream interface with the shown networks. At the moment, I don't yet have a BNG network connection (migration announced for Q1); it might be that the upstream networks then need to be adapted.

Then, some firewall rules need to be configured:
On WAN interface:
On LAN

Then, very important: under Interfaces->WAN, the box 'block private networks' must NOT be ticked. Otherwise, the OPNsense igmpproxy no longer sees the IGMP queries from the Fritzbox, which prevents timely answers with member reports from OPNsense, and the Fritzbox stops the UDP stream after 2-3 mins.

In my config, TV can be watched stably on all devices in my LAN and WLAN with the VLC player. Thanks to the IGMPv3-snooping-capable switch, the additional traffic load on the LAN is negligible.

In the next step, I will test OPNsense connected directly to a DrayTek modem (leaving out the Fritzbox); I am also currently working on a full IGMPv3 implementation on the downstream side (this seems to be a prerequisite to make Entertain TV 2.0 work)...

Br br
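
The constraint stated in the post (ONE single upstream interface, with altnet networks attached per interface) can be checked mechanically before igmpproxy is restarted. The following is an added example, not part of the original post or of the igmpproxy plugin; the function names parse_igmpproxy and audit are hypothetical, the sample is constructed, and 192.168.1.0/24 stands in for the poster's 192.168.X.0/24. It handles only the keywords that appear in the config shown in the post.

```python
import ipaddress

# Constructed sample in the layout of the config from the post.
SAMPLE = """\
quickleave
phyint igb1 upstream ratelimit 0 threshold 1
altnet 193.158.0.0/15
altnet 224.0.0.0/4
altnet 87.140.0.0/15
phyint igb0 downstream ratelimit 0 threshold 1
altnet 192.168.1.0/24   # placeholder for the redacted LAN network
phyint igb2 disabled
"""

def parse_igmpproxy(text):
    """Return {interface: {"role": str, "altnet": [ip_network, ...]}}."""
    # The file is a token stream: strip '#' comments, split on whitespace.
    tokens = [t for ln in text.splitlines() for t in ln.split("#", 1)[0].split()]
    end = len(tokens)
    tokens += ["", ""]          # padding: a truncated file raises ValueError
    phyints, current, i = {}, None, 0
    while i < end:
        tok = tokens[i]
        if tok == "phyint":
            name, role = tokens[i + 1], tokens[i + 2]
            if role not in ("upstream", "downstream", "disabled"):
                raise ValueError(f"{name!r}: unknown role {role!r}")
            current = phyints[name] = {"role": role, "altnet": []}
            i += 3
        elif tok == "altnet":
            if current is None:
                raise ValueError("altnet before any phyint")
            # ip_network() rejects malformed prefixes and set host bits.
            current["altnet"].append(ipaddress.ip_network(tokens[i + 1]))
            i += 2
        else:                   # ratelimit/threshold take a value, others do not
            i += 2 if tok in ("ratelimit", "threshold") else 1
    return phyints

def audit(text):
    """Return a list of findings; an empty list means the checks passed."""
    cfg = parse_igmpproxy(text)
    ups = [n for n, p in cfg.items() if p["role"] == "upstream"]
    findings = []
    if len(ups) != 1:
        findings.append(f"expected exactly one upstream interface, found {ups}")
    if not any(p["role"] == "downstream" for p in cfg.values()):
        findings.append("no downstream interface configured")
    for name, p in cfg.items():
        if p["role"] == "disabled" and p["altnet"]:
            findings.append(f"{name}: altnet on a disabled interface")
    return findings
```

Running audit() on the text of /usr/local/etc/igmpproxy.conf and reviewing the parsed altnet lists shows at a glance which source networks each interface accepts.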