Messages

1

23.7 Legacy Series / Re: IPTV in a bridge is not working

« on: September 19, 2023, 12:15:28 pm »

I did some research and figured out that VLAN 20 in my case is used for STB registration and sending IGMP queries. The actual multicast traffic itself is coming through another VLAN 9.

I faced lots of issues with igmp-proxy setup and want to share the knowledge to whom it may concern. This setup is relevant for ISPs MTS and MGTS in Moscow region with "anyservice" service turned off via tech support. It means that multicast traffic is delivered as tagged.

1. Create VLAN interfaces. Interfaces - Other Types - VLAN. I have interfaces vlan0.20 with tag 20 and priority 0 and vlan0.9 with tag 9 and priority 4. Both of them have parent WAN interface;
2. Assign VLAN interfaces. Interfaces - Assignments. Here I have IPTV_VLAN_9 and IPTV_VLAN_20 interfaces;
3. Assign an interface for STB. In my case I have a dedicated port on OPNsense box (igc1), called IPTV_PORT;
4. Enable all created interfaces. Interfaces - IPTV_PORT, IPTV_VLAN_9, IPTV_VLAN_20 - Enable interface, Promiscuous mode ON. IP configuration - none;
5. Create a bridge. Interface - other types - bridge. Members - IPTV_PORT, IPTV_VLAN_20;
6. Assign bridge interface. Interfaces - Assignments. I called it IPTV_BRIDGE;
7. Enable bridge interface. Interfaces - IPTV_BRIDGE, IPv4 configuration type - DHCP, promiscuous mode ON;
8. Enable filtering on the bridge interface: https://docs.opnsense.org/manual/how-tos/lan_bridge.html#step-six
9. Create firewall rules on the bridge interface. Firewall - Rules - IPTV bridge. Since it's just a bridge between dedicated STB port and STB subnet, I added two "allow any-any" rules for in and out direction, and enabled "allow options" checkbox in advanced features section.

At this moment you should have assigned IP addresses with DHCP for your STB and IPTV_BRIDGE interface from the same subnet. In my case it is 10.35.112.0/20. STB now should have access to on-demand services such as movies and TV shows.

Now we need to setup igmp-proxy service between IPTV_VLAN_9 and IPTV_BRIDGE. Here is where a major drawback of igmpproxy package comes into place. It requires IP addresses for both upstream and downstream interfaces to be present. That's why we enabled DHCP client on IPTV_BRIDGE interface. And we need to have a dummy IP address on IPTV_VLAN_9 interface in order to get things working.

10. Assign a static dummy IP address for IPTV_VLAN_9 interface. Interfaces - IPTV_VLAN_9, IPv4 Configuration Type - Static IPv4, IPv4 address - 254.254.254.254/32.
11. Create firewall rules for IPTV_VLAN_9 interface. Firewall - Rules - IPTV_VLAN_9. Again I just added two allow-any-any rules as for step 8.
12. Create upstream and downstream interfaces. Upstream interface IPTV_VLAN_9, networks 224.0.0.0/4 and 172.16.255.0/24, downstream interface is IPTV_BRIDGE, no need to describe specific network here.

After that I got it working. Hope it would help someone.

2

23.7 Legacy Series / Re: IPTV in a bridge is not working

« on: September 14, 2023, 09:16:02 am »

Thank you for sharing this links. The first one is about routed IPTV with igmp-proxy, I've seen it before, but that is not my case. The second one looks familiar, and uses tunables to apply packet filtering on the bridge interface itself instead of bridge members. I reproduced all the steps, but still no luck - black screen, though I can see allowed traffic passing by in logs.

3

23.7 Legacy Series / Re: IPTV in a bridge is not working

« on: September 13, 2023, 09:49:31 pm »

Screenshots for Live view

4

23.7 Legacy Series / IPTV in a bridge is not working

« on: September 13, 2023, 09:47:32 pm »

I have a GPON connection with my ISP. Previously I used a router provided by the ISP but I decided to get rid of it and go with OPNSense.

The diagram looks like this:

[ ISP ] -> [ GPON SFP ONU Stick ] -SFP->-Port9- [ Managed Switch ] -Port8->-WAN- [ OPNsense box ] -IPTV_PORT-> [IPTV box]

ISP itself provides two VLANs: one for the Internet (VLAN 30) and the second one for IPTV (VLAN 20). GPON SFP ONU Stick is configured in transparent mode in terms of VLANs, so it forwards tagged traffic from all VLANs to the managed switch. This SFP stick is plugged into port 9 of managed switch. OPNSense WAN port is connected to port 8 of managed switch. I added two VLANs on the switch for ports 8 and 9 and set both ports for tagged traffic.

For the OPNsense box I created two VLAN interfaces with parent WAN Interface - vlan0.30 and vlan0.20. The Internet part of the setup was easy - I received an IP from ISP via DHCP, configured firewall rules, NAT and so on, everything is working fine. But the IPTV part is challenging.

To simplify the diagram I decided to place IPTV box in a dedicated port for OPNSense and bridge all the traffic from VLAN 20 to this port. I assigned a port for IPTV box, a VLAN interface and the created a simple bridge with two members - IPTV_PORT and IPTV_VLAN interface.

For the firewall I added two rules for both interfaces: allow any-any in-out, allow-options. After that I can see in Live View allowed traffic entering IPTV_PORT interface and leaving IPTV_VLAN interface (igmp and udp). The IPTV box gets an IP address from VLAN 20, it has access to the Internet and video on-demand (movies, TV shows and other services) but it shows black screen when I try to watch TV channels.

I also tried to turn on and off IGMP Snooping on the managed switch, but that doesn't change anything.

Could I miss something in this setup? As for me it is a simple setup without IGMP-proxy needed and should work out of the box.