Help with iptables (IPTV Routing)


MastaG

New Around Here
Hi there,

I'm trying to set up routed mode for my IPTV provider KPN.
It's working out pretty well.
It requires me to set up VLAN4 (tagged) on the WAN interface and set up a NAT rule for it.

I have been following this guide (Dutch):
http://netwerkje.com/routed-iptv

So far I have:
/jffs/scripts/wan-start:
Code:
#!/bin/sh

# Leave VOIP traffic tagged for original router
/usr/sbin/robocfg vlan 7 ports "0t 3t"
# Setup VLAN4 on the CPU as well so we can talk to it
/usr/sbin/robocfg vlan 4 ports "0t 4u 8t"
# Add VLAN4 as a physical interface
/sbin/vconfig add eth0 4
# Request an IP-address and setup static routes
udhcpc -i vlan4 -O msstaticroutes -O staticroutes -V IPTV_RG -s /jffs/scripts/vlan4.script -p /var/run/vlan4.pid -b -O33 -O249

/jffs/scripts/vlan4.script:
Code:
#!/bin/sh

[ -z "$1" ] && echo "Error: should be called from udhcpc" && exit 1

[ -n "$broadcast" ] && BROADCAST="broadcast $broadcast"
[ -n "$subnet" ] && NETMASK="netmask $subnet"

set_classless_routes() {
   local max=128
   local type
   while [ -n "$1" -a -n "$2" -a $max -gt 0 ]; do
     [ ${1##*/} -eq 32 ] && type=host || type=net
     echo "udhcpc: adding route for $type $1 via $2"
     /sbin/route add -$type "$1" gw "$2" dev "$interface"
     max=$(($max-1))
     shift 2
   done
}


case "$1" in
   deconfig)
     /sbin/ifconfig $interface 0.0.0.0
     ;;

   leasefail|nak)
     echo "Failed to obtain lease..."
     ;;

   renew|bound)
     /sbin/ifconfig $interface $ip $BROADCAST $NETMASK
     [ -n "$staticroutes" ] && set_classless_routes $staticroutes
     [ -n "$msstaticroutes" ] && set_classless_routes $msstaticroutes
     ;;
esac

exit 0

And the extra dhcp options for my IPTV receivers.
/jffs/configs/dnsmasq.conf.add:
Code:
dhcp-option=vendor:,1,IPTV_RG
dhcp-option=28,192.168.1.255

Upon reboot VLAN4 comes up like it should :)
Code:
vlan4  Link encap:Ethernet  HWaddr E0:3F:49:0A:D6:D8  
  inet addr:10.228.192.83  Bcast:10.228.255.255  Mask:255.255.192.0
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:661107 errors:0 dropped:0 overruns:0 frame:0
  TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:0
  RX bytes:891204369 (849.9 MiB)  TX bytes:692 (692.0 B)

And the route gets added:
Code:
Kernel IP routing table
Destination  Gateway  Genmask  Flags Metric Ref  Use Iface
213.75.112.0  10.228.192.1  255.255.248.0  UG  0  0  0 vlan4
10.228.192.0  0.0.0.0  255.255.192.0  U  0  0  0 vlan4

Almost done now.

Except for the last part, where I need to set up extra NAT rules:
Code:
# NAT
add action=masquerade chain=srcnat dst-address=10.142.64.0/18 out-interface=vlan16.4
add action=masquerade chain=srcnat dst-address=213.75.112.0/21 out-interface=vlan16.4

I suppose iptables would be able to do the trick.
In the above example the out-interface should be vlan4.

Can anyone with some experience with iptables share some knowledge on how to add these destination addresses to the nat-chain with output interface vlan4?

Thanks in advance!
 
So when a client (192.168.1.x) tries to reach something in the range 10.142.64.0/18 or 213.75.112.0/21, the router should forward it using VLAN4 instead of the default WAN interface.

I think this can be achieved using the POSTROUTING command.
 
Did you manage to get it working?

Answer to your question:
Code:
iptables -t nat -A POSTROUTING -o vlan4 -d 10.142.64.0/18 -j MASQUERADE
iptables -t nat -A POSTROUTING -o vlan4 -d 213.75.112.0/21 -j MASQUERADE
Should do the trick.

And you probably need to allow those in the FORWARD chain as well, or the traffic would probably be dropped.
Code:
iptables -A FORWARD -s 10.142.64.0/18 -i vlan4 -j ACCEPT
iptables -A FORWARD -s 213.75.112.0/21 -i vlan4 -j ACCEPT

But what about the IGMP proxy configuration?
By default it will listen on the default WAN interface, not on vlan4; how did you change that?
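The two rule pairs above, written as an idempotent nat-start helper. This is an added example, not code from the thread: the interface name and the two destination networks are assumptions taken from the question, and the -C check is there because Merlin re-runs nat-start whenever the firewall restarts, which would otherwise stack duplicate rules.

```shell
#!/bin/sh
# Added example, not from the thread: idempotent NAT/FORWARD rules for the
# routed IPTV VLAN, meant to be called from /jffs/scripts/nat-start.
# Interface name and destination networks are assumptions taken from the
# question above; override them via the environment if yours differ.

IPTV_IF="${IPTV_IF:-vlan4}"
IPTV_NETS="${IPTV_NETS:-10.142.64.0/18 213.75.112.0/21}"
# DRY_RUN=1 prints the iptables commands instead of executing them.
DRY_RUN="${DRY_RUN:-0}"

# add_rule_once TABLE CHAIN MATCH...: append the rule only if an identical
# one is not already present (iptables -C), so repeated runs of nat-start
# do not pile up duplicate rules.
add_rule_once() {
    table=$1
    shift
    if [ "$DRY_RUN" = 1 ]; then
        echo "iptables -t $table -A $*"
        return 0
    fi
    iptables -t "$table" -C "$@" 2>/dev/null || iptables -t "$table" -A "$@"
}

# iptv_rules: for each IPTV network, masquerade LAN clients going out of the
# IPTV VLAN (the provider's network has no route back to the LAN subnet)
# and accept the return traffic in FORWARD, whose policy is DROP on Merlin.
iptv_rules() {
    for net in $IPTV_NETS; do
        add_rule_once nat POSTROUTING -o "$IPTV_IF" -d "$net" -j MASQUERADE
        add_rule_once filter FORWARD -i "$IPTV_IF" -s "$net" -j ACCEPT
    done
}

# Apply only when executed as the nat-start hook; sourcing the file for a
# dry run leaves the functions available without touching the firewall.
case "${0##*/}" in
    nat-start|firewall-start) iptv_rules ;;
esac
```

Run it once with DRY_RUN=1 to see exactly which rules would be appended, then copy the file to /jffs/scripts/nat-start (or call iptv_rules from there). Once the FORWARD policy is DROP and RELATED,ESTABLISHED is accepted early in the chain, the explicit FORWARD rules mostly matter for traffic the IPTV network initiates toward the LAN.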
 
I have XS4ALL which I assume is very similar to KPN. VLAN 4 for IPTV; VLAN 6 for Internet. For me the set-up was much simpler, I just went into "LAN" under advanced settings, IPTV tab, select "Manual Setting." Set internet to 6 for internet, and 4 for Lan Port 4. I left everything else set to their defaults and it works.

There may be some additional settings that would optimize the set-up, but I assume once it works it's good to go.

Maybe I missed the point completely and this went way over my head. What would the difference be between IPTV Routing and just the regular IPTV set-up?
 
Maybe I missed the point completely and this went way over my head. What would the difference be between IPTV Routing and just the regular IPTV set-up?

Your setup has the IPTV VLAN bridged through the router, and the STB is in a separate subnet.

Our goal is to route IPTV and have the STB in the same LAN subnet as all other devices, so the STB or SmartTV could access the internet as well.
 
Your setup has the IPTV VLAN bridged through the router, and the STB is in a separate subnet.

Our goal is to route IPTV and have the STB in the same LAN subnet as all other devices, so the STB or SmartTV could access the internet as well.
Got it. I assume not all STBs need access to the internet though, or is that a wrong assumption? At least I assume the ones that come directly from the provider wouldn't?
 
Got it. I assume not all STBs need access to the internet though, or is that a wrong assumption? At least I assume the ones that come directly from the provider wouldn't?

Nope, correct... usually only SmartTV apps need it, or you would be stuck watching only TV.
On some Samsung models, apps won't even launch if internet connectivity is not detected, so you won't be able to watch IPTV either.
 
Nope, correct... usually only SmartTV apps need it, or you would be stuck watching only TV.
On some Samsung models, apps won't even launch if internet connectivity is not detected, so you won't be able to watch IPTV either.
Cool. So I have a question then (sorry if this is annoying). Currently I have the STB from the provider running through the method I explained. I also have a Samsung Smart TV connected to the network via WiFi. So they're completely separate.

Are you saying you could get IPTV directly on the Samsung TV and remove the STB completely once you figure out routed IPTV?
 
If your provider XS4ALL has created the necessary app for your TV, then pretty much yes.

Makes sense. It looks like XS4ALL went a different route for apps and streams the content over the internet, as my Android phone and other devices stream IPTV content without any special set-up. Even if I could, I'd probably stay away from IPTV on my Samsung Smart TV as it's anything but smart: more annoying and slow. But this is really good to know in case I need it. Thanks!
 
Also trying to set up the same; partially it can be configured using the GUI (IGMP proxy on the whole router, VLAN4 on a specific switch port).

Can someone confirm whether routed IPTV works for KPN (same as XS4ALL) when the various scripts above are used?

Do I need the physical interface mapping to VLAN4, or just VLAN4 using robocfg?

Thx!
 
Do I need the physical interface mapping to VLAN4, or just VLAN4 using robocfg?

No idea about particular providers, but you need an IP interface to do any kind of routing, and it cannot be achieved with robocfg only.
I currently use a robocfg & vconfig combination to create a separate IPTV WAN interface.

Code:
# Setup iptv vlan on switch
robocfg vlan 4 ports "0t 8t"

# Add iptv vlan as a physical interface
vconfig set_name_type DEV_PLUS_VID_NO_PAD
vconfig add eth0 4
"vconfig set_name_type DEV_PLUS_VID_NO_PAD" is not actually mandatory, but I just like to have consistent interface naming in the router.
So instead of creating a vlan4 IP interface, it creates an eth0.4 interface; it is a purely cosmetic tweak.
 
I got it working 99.9%... meaning I have 2 seconds of TV and then it freezes, meaning the IGMP proxy is not set to the right VLAN.

Issue: igmpproxy is automagically configured on boot of the router based on the settings in the GUI. I have tried to create an igmpproxy.conf.add, but it does not seem to "add" those settings to the .conf file. Upon restart of the IGMP proxy it again takes the default settings from the GUI, from which I cannot configure the right VLAN (it defaults to the VLAN set in the ISP setting).

Does anyone have an idea how to get around that? Based on the scripts above and some tweaking I see the finish line, but I just can't cross it yet, due to IGMP.
 
I got it working 99.9%... meaning I have 2 seconds of TV and then it freezes, meaning the IGMP proxy is not set to the right VLAN.

Issue: igmpproxy is automagically configured on boot of the router based on the settings in the GUI. I have tried to create an igmpproxy.conf.add, but it does not seem to "add" those settings to the .conf file. Upon restart of the IGMP proxy it again takes the default settings from the GUI, from which I cannot configure the right VLAN (it defaults to the VLAN set in the ISP setting).

Does anyone have an idea how to get around that? Based on the scripts above and some tweaking I see the finish line, but I just can't cross it yet, due to IGMP.

Disable igmpproxy in the GUI.
Create your config in /jffs/configs/igmpproxy.conf

In services-start:

Code:
sleep 60
killall igmpproxy
/usr/sbin/igmpproxy /jffs/configs/igmpproxy.conf

It works for me on Telefonica (Spain) IPTV. You can probably omit the killall if igmpproxy is disabled in the GUI.

Good luck.
 
I currently use the services-start script to generate it on the fly to /tmp/igmpproxyalt.conf

Then I kill the original instance, if it is already running, and relaunch it with the generated config.

That way I don't need to hardcode altnets and upstream and downstream interfaces in it.

Also, if the stream is stopping unexpectedly, try disabling rp_filter on that particular upstream interface...

Also I have made a request to Merlin to add igmpproxy.conf to the user-overridable config files; you can support this idea by writing here...

http://www.snbforums.com/threads/merlin-custom-config-files-igmpproxy-override.28406/
 
Still having an issue with the IGMP proxy: after 2 seconds the screen freezes.

How can I enable IGMP snooping from the command line in Merlin?
Can anyone post an example of how to enable snooping on the ports?

I have tried not defining altnet, but that does not make a difference.

Current IGMP proxy configuration; I have just added VLAN4 as upstream (this is the VLAN network from which IPTV is coming, instead of the default VLAN).

I think I mixed up UPSTREAM and DOWNSTREAM....

First VLAN6 was the UPSTREAM VLAN (VLAN6 routes traffic to WAN).
br0 is the bridge on which WiFi (2.4 & 5) and the internal switch are connected.

So my guess is, is VLAN4 considered a downstream or an upstream....

Code:
quickleave

phyint vlan4 upstream ratelimit 0 threshold 1
altnet 213.75.x.x/21
altnet 10.162.x.x/18

phyint br0 downstream ratelimit 0 threshold 1
 
Still having an issue with the IGMP proxy: after 2 seconds the screen freezes.

How can I enable IGMP snooping from the command line in Merlin?
Can anyone post an example of how to enable snooping on the ports?

I have tried not defining altnet, but that does not make a difference.

Current IGMP proxy configuration; I have just added VLAN4 as upstream (this is the VLAN network from which IPTV is coming, instead of the default VLAN).

I think I mixed up UPSTREAM and DOWNSTREAM....

First VLAN6 was the UPSTREAM VLAN (VLAN6 routes traffic to WAN).
br0 is the bridge on which WiFi (2.4 & 5) and the internal switch are connected.

So my guess is, is VLAN4 considered a downstream or an upstream....

Code:
quickleave

phyint vlan4 upstream ratelimit 0 threshold 1
altnet 213.75.x.x/21
altnet 10.162.x.x/18

phyint br0 downstream ratelimit 0 threshold 1

Have you tried to disable the reverse path filters on vlan4 and br0? I need this to make my IPTV work:

Code:
/bin/echo 0 > /proc/sys/net/ipv4/conf/vlan4/rp_filter
/bin/echo 0 > /proc/sys/net/ipv4/conf/br0/rp_filter

If this works you can add these to your start scripts (I've got them in firewall-start and nat-start).

You could try to add altnet 0.0.0.0/0 too, to see if there's any net missing.
 
You could try to add altnet 0.0.0.0/0 too, to see if there's any net missing.

I personally generate igmpproxy.conf dynamically and add all routes coming in from that interface as altnets, excluding default (which I don't actually have) and connected.
Code:
for a in $(ip route list | grep $wanifname.$iptvlanid | grep -v default | grep -v link |  awk '{ print $1 }')
do
  echo "    altnet $a" >> $altconfig
done

Have you tried to disable the reverse path filters on vlan4 and br0? I need this to make my IPTV work:

/bin/echo 0 > /proc/sys/net/ipv4/conf/vlan4/rp_filter

If this works you can add these to your start scripts (I've got them in firewall-start and nat-start).

You only need to disable it on upstream interface and only in case some ISP servers are not in the subnets for which they provide routes.
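The dynamic altnet idea above, carried a step further as an added example that is not the poster's own script: it parses the output of ip route list for the IPTV interface, drops the default route and the directly connected (scope link) subnet, writes a complete igmpproxy.conf with vlan4 as the single upstream, and clears rp_filter only on that upstream, as the reply recommends. The interface names, the /tmp path and the sample route table are assumptions modelled on this thread.

```shell
#!/bin/sh
# Added example, not the poster's script: generate igmpproxy.conf from the
# routes udhcpc installed on the IPTV VLAN, then restart igmpproxy on it.
# Interface names and the sample route table are assumptions based on the thread.

IPTV_IF="${IPTV_IF:-vlan4}"   # upstream: where the multicast comes from
LAN_IF="${LAN_IF:-br0}"       # downstream: bridge with the STB / SmartTV
ALT_CONF="${ALT_CONF:-/tmp/igmpproxyalt.conf}"

# iptv_altnets ROUTES: print one network per line for every route that
# leaves via $IPTV_IF, skipping the default route and the directly
# connected (scope link) subnet, which igmpproxy accepts by default anyway.
iptv_altnets() {
    printf '%s\n' "$1" | awk -v ifc="$IPTV_IF" '
        $1 == "default" { next }
        {
            dev = ""; link = 0
            for (i = 1; i <= NF; i++) {
                if ($i == "dev") dev = $(i + 1)
                if ($i == "scope" && $(i + 1) == "link") link = 1
            }
            if (dev == ifc && !link) print $1
        }'
}

# igmpproxy_conf ROUTES: emit a full igmpproxy.conf with the IPTV VLAN as
# the single upstream and the LAN bridge as downstream.
igmpproxy_conf() {
    echo "quickleave"
    echo ""
    echo "phyint $IPTV_IF upstream ratelimit 0 threshold 1"
    iptv_altnets "$1" | sed 's/^/    altnet /'
    echo ""
    echo "phyint $LAN_IF downstream ratelimit 0 threshold 1"
}

# restart_igmpproxy: services-start entry point. Clears the reverse-path
# filter on the upstream only (multicast sources may sit outside the routed
# subnets), writes the config and relaunches igmpproxy on it.
restart_igmpproxy() {
    igmpproxy_conf "$(ip route list)" > "$ALT_CONF"
    echo 0 > "/proc/sys/net/ipv4/conf/$IPTV_IF/rp_filter"
    killall igmpproxy 2>/dev/null
    /usr/sbin/igmpproxy "$ALT_CONF"
}

# Constructed sample modelled on the 'ip route list' output posted later in
# this thread (the 10.142.64.0/18 line is made up); lets the parser be
# exercised offline.
SAMPLE_ROUTES='195.190.228.X dev ppp0  proto kernel  scope link  src 86.85.254.X
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
213.75.112.0/21 via 10.228.192.1 dev vlan4
10.142.64.0/18 via 10.228.192.1 dev vlan4
10.228.192.0/18 dev vlan4  proto kernel  scope link  src 10.228.200.236
127.0.0.0/8 dev lo  scope link
default via 195.190.228.X dev ppp0'

case "${0##*/}" in
    services-start) restart_igmpproxy ;;
    *) igmpproxy_conf "$SAMPLE_ROUTES" ;;   # show the generated config
esac
```

Because the altnets are derived from the live routing table, a provider that changes its streaming subnets only needs udhcpc to hand out the new static routes; the next services-start run picks them up without editing the config by hand. Disable the GUI IGMP proxy first so the firmware does not respawn its own instance on the wrong interface.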
 
I personally generate igmpproxy.conf dynamically and add all routes coming in from that interface as altnets.
Code:
for a in $(ip route list | grep $wanifname.$iptvlanid | grep -v default | grep -v link |  awk '{ print $1 }')
do
  echo "    altnet $a" >> $altconfig
done



You only need to disable it on the upstream interface, and only in case some ISP servers are not in the subnets for which they provide routes, excluding default (which I don't actually have) and connected.

Great info, will use this to make my config more robust in case provider config changes,
Thanks!
 
Well, for some reason I cannot get it to work anymore.
I've deleted the software on my KPN STB device and did a factory reset.
The STB will now display error code F14.

Here's what happens:

My vlan4 gets set up correctly and the route is also present, with the IPTV_RG and msstaticroutes option on VLAN4.
Code:
vlan4  Link encap:Ethernet  HWaddr E0:3F:49:0A:D6:D8
  inet addr:10.228.200.236  Bcast:10.228.255.255  Mask:255.255.192.0
  UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
  RX packets:493 errors:0 dropped:0 overruns:0 frame:0
  TX packets:58 errors:0 dropped:0 overruns:0 carrier:0
  collisions:0 txqueuelen:0
  RX bytes:175499 (171.3 KiB)  TX bytes:3784 (3.6 KiB)

Code:
195.190.228.X dev ppp0  proto kernel  scope link  src 86.85.254.X
192.168.1.0/24 dev br0  proto kernel  scope link  src 192.168.1.1
213.75.112.0/21 via 10.228.192.1 dev vlan4
10.228.192.0/18 dev vlan4  proto kernel  scope link  src 10.228.200.236
127.0.0.0/8 dev lo  scope link
default via 195.190.228.X dev ppp0

Here's my iptables config:
Code:
# Generated by iptables-save v1.3.8 on Wed Jan  6 22:36:30 2016
*nat
:PREROUTING ACCEPT [1028:116141]
:POSTROUTING ACCEPT [544:57867]
:OUTPUT ACCEPT [855:104021]
:DNSFILTER - [0:0]
:LOCALSRV - [0:0]
:PCREDIRECT - [0:0]
:VSERVER - [0:0]
:VUPNP - [0:0]
-A PREROUTING -d 86.85.254.X -j VSERVER
-A POSTROUTING -s ! 86.85.254.X -o ppp0 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o br0 -j MASQUERADE
-A POSTROUTING -d 213.75.112.0/255.255.248.0 -o vlan4 -j MASQUERADE
-A POSTROUTING -d 10.228.192.0/255.255.192.0 -o vlan4 -j MASQUERADE
-A VSERVER -p tcp -m tcp --dport 2223 -j DNAT --to-destination 192.168.1.225
-A VSERVER -p tcp -m tcp --dport 8875 -j DNAT --to-destination 192.168.1.225
-A VSERVER -p tcp -m tcp --dport 554 -j DNAT --to-destination 192.168.1.225
-A VSERVER -p udp -m udp --dport 554 -j DNAT --to-destination 192.168.1.225
-A VSERVER -p udp -m udp --dport 5500:5550 -j DNAT --to-destination 192.168.1.225
-A VSERVER -p udp -m udp --dport 1900 -j DNAT --to-destination 192.168.1.225
-A VSERVER -j VUPNP
COMMIT
# Completed on Wed Jan  6 22:36:30 2016
# Generated by iptables-save v1.3.8 on Wed Jan  6 22:36:30 2016
*mangle
:PREROUTING ACCEPT [7438:1353585]
:INPUT ACCEPT [4416:1098358]
:FORWARD ACCEPT [2869:226022]
:OUTPUT ACCEPT [4054:1014688]
:POSTROUTING ACCEPT [7143:1271400]
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
-A FORWARD -s 192.168.1.0/255.255.255.0 -d 192.168.1.0/255.255.255.0 -o br0 -j MARK --set-mark 0x1
COMMIT
# Completed on Wed Jan  6 22:36:30 2016
# Generated by iptables-save v1.3.8 on Wed Jan  6 22:36:30 2016
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [3957:996148]
:FUPNP - [0:0]
:PControls - [0:0]
:SSHBFP - [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -i ppp0 -p icmp -m icmp --icmp-type 8 -j logdrop
-A INPUT -i ppp0 -m state --state INVALID -j logdrop
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -m state --state NEW -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -d 224.0.0.0/240.0.0.0 -p igmp -j ACCEPT
-A INPUT -d 224.0.0.0/240.0.0.0 -p udp -m udp ! --dport 1900 -j ACCEPT
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -i ppp0 -p tcp -m tcp --dport 2210 -m state --state NEW -j SSHBFP
-A INPUT -p icmp -m icmp ! --icmp-type 8 -j ACCEPT
-A INPUT -j logdrop
-A FORWARD -d 224.0.0.0/240.0.0.0 -p udp -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i ! br0 -o ppp0 -j logdrop
-A FORWARD -i vlan6 -m state --state INVALID -j logdrop
-A FORWARD -i br0 -o br0 -j ACCEPT
-A FORWARD -m conntrack --ctstate DNAT -j ACCEPT
-A FORWARD -i br0 -j ACCEPT
-A FORWARD -s 213.75.112.0/255.255.248.0 -i vlan4 -j ACCEPT
-A FORWARD -s 10.228.192.0/255.255.192.0 -i vlan4 -j ACCEPT
-A PControls -j ACCEPT
-A SSHBFP -m recent --set --name SSH --rsource
-A SSHBFP -m recent --update --seconds 60 --hitcount 4 --name SSH --rsource -j logdrop
-A SSHBFP -j ACCEPT
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
-A logdrop -j DROP
COMMIT
# Completed on Wed Jan  6 22:36:30 2016

These four are added to the above chains using nat-start:
Code:
-A POSTROUTING -d 213.75.112.0/255.255.248.0 -o vlan4 -j MASQUERADE
-A POSTROUTING -d 10.228.192.0/255.255.192.0 -o vlan4 -j MASQUERADE
-A FORWARD -s 213.75.112.0/255.255.248.0 -i vlan4 -j ACCEPT
-A FORWARD -s 10.228.192.0/255.255.192.0 -i vlan4 -j ACCEPT
Everything else is there by default.

My igmpproxy config:
Code:
quickleave

phyint vlan4 upstream ratelimit 0 threshold 1
   altnet 213.75.112.0/21
   altnet 10.228.192.0/18
   altnet 192.168.1.0/24

phyint br0 downstream ratelimit 0 threshold 1

phyint lo disabled
phyint vlan1 disabled
phyint vlan6 disabled
phyint ppp0 disabled
phyint eth0 disabled
phyint eth1 disabled
phyint eth2 disabled

And my dnsmasq:
Code:
pid-file=/var/run/dnsmasq.pid
user=nobody
bind-dynamic
interface=br0
interface=ppp1*
no-dhcp-interface=ppp1*
resolv-file=/tmp/resolv.conf
servers-file=/tmp/resolv.dnsmasq
no-poll
no-negcache
cache-size=1500
min-port=4096
dhcp-range=lan,192.168.1.2,192.168.1.254,255.255.255.0,86400s
dhcp-option=lan,3,192.168.1.1
dhcp-option=lan,252,"\n"
dhcp-authoritative
read-ethers
addn-hosts=/etc/hosts.dnsmasq
dhcp-option=60,IPTV_RG
dhcp-option=28,192.168.1.255
The last two lines have been added by me, everything else is default.

I think there's something wrong with forwarding or masquerade in iptables.
But I can't seem to find out the cause why my STB doesn't download the software and boot.
I see no packets getting dropped from my STB in my syslog.

Any ideas?
 
