Help with iptables (IPTV Routing)

[Rai80]

Finally I got it working with the same config as MastaG

Except for the below.

Only works with rp_filter turned off on vlan4

/bin/echo 0 > /proc/sys/net/ipv4/conf/vlan4/rp_filter​

Note! If your firewall is turned on, accept Multicast UDP traffic:

#Accept multicast
iptables -I INPUT -p udp -d 224.0.0.0/4 -j ACCEPT
iptables -I INPUT -p igmp -d 224.0.0.0/4 -j ACCEPT
iptables -I FORWARD -p udp -d 224.0.0.0/4 -j ACCEPT

#Masquerade
iptables -t nat -I POSTROUTING -d 213.75.112.0/255.255.248.0 -o vlan4 -j MASQUERADE
iptables -t nat -I POSTROUTING -d 10.196.128.0/255.255.192.0 -o vlan4 -j MASQUERADE​

igmpproxy.conf:

quickleave

phyint vlan4 upstream ratelimit 0 threshold 1
altnet 0.0.0.0/0

phyint br0 downstream ratelimit 0 threshold 1​

 

[Coolriku]

hello,

I can't get it to work.
All the packets are unreplied.
It looks like the router doesn't get an IP from VLAN4.
Could someone help me.

I have a Asus AC87U with firmware version: 380.59_0

 

[Rai80]

Check if VLAN4 is connected to the CPU port, in the example below the CPU port is 8. But can also be port 5. Check with robocfg show.

# Setup VLAN4 on the CPU as well so we can talk to it
/usr/sbin/robocfg vlan 4 ports "0t 4u 8t"

 

[Coolriku]

Check if VLAN4 is connected to the CPU port, in the example below the CPU port is 8. But can also be port 5. Check with robocfg show.

# Setup VLAN4 on the CPU as well so we can talk to it
/usr/sbin/robocfg vlan 4 ports "0t 4u 8t"

I configure everything from this topic and I can confirm that my cpu is on port 8.
But when I execute this command I get no lease.
# Request an IP-address and setup static routes
udhcpc -i vlan4 -O msstaticroutes -O staticroutes -V IPTV_RG -s /jffs/scripts/vlan4.script -p /var/run/vlan4.pid -b -O33 -O249

I've read that the "IPTV_RG" is very important for is ISP, if you don't sent the vendor name you don't get a response.
So maybe there is something wrong?
I'm curious how you did get it to work.
I hope you can help me.

 

[Rai80]

I configure everything from this topic and I can confirm that my cpu is on port 8.
But when I execute this command I get no lease.
# Request an IP-address and setup static routes
udhcpc -i vlan4 -O msstaticroutes -O staticroutes -V IPTV_RG -s /jffs/scripts/vlan4.script -p /var/run/vlan4.pid -b -O33 -O249

I've read that the "IPTV_RG" is very important for is ISP, if you don't sent the vendor name you don't get a response.
So maybe there is something wrong?
I'm curious how you did get it to work.
I hope you can help me.

Did you also create the interface after setting up VLAN's:

# Add VLAN4 as a physical interface
/sbin/vconfig add eth0 4

What shows the command: ifconfig

Is there an interface vlan4 with traffic flowing?

 

[Coolriku]

Did you also create the interface after setting up VLAN's:

# Add VLAN4 as a physical interface
/sbin/vconfig add eth0 4

What shows the command: ifconfig

Is there an interface vlan4 with traffic flowing?

When I look in the ifconfig there's no IP on VLAN4.
I've done everyting the same as this topic.

here are the configs I used.
note that on the vlan4 setup I've removed the 4u because that is not used(but I've tried the original config first, with no luck)
wan start:

Spoiler

#!/bin/sh

# Leave VOIP traffic tagged for original router on port 1
/usr/sbin/robocfg vlan 7 ports "0t 1t"
# Setup VLAN4 on the CPU as well so we can talk to it
/usr/sbin/robocfg vlan 4 ports "0t 8t"
# Add VLAN4 as a physical interface
/sbin/vconfig add eth0 4
# Request an IP-address and setup static routes
udhcpc -i vlan4 -O msstaticroutes -O staticroutes -V IPTV_RG -s /jffs/scripts/vlan4.script -p /var/run/vlan4.pid -b -O33 -O249

dnsmanq.conf.add:

Spoiler

#!/bin/sh
dhcp-option=vendor:,1,IPTV_RG
dhcp-option=28,192.168.1.255

firewall start:

Spoiler

#IPTV rules
iptables -t nat -A POSTROUTING -o vlan4 -d 10.142.64.0/18 -j MASQUERADE
iptables -t nat -A POSTROUTING -o vlan4 -d 213.75.112.0/21 -j MASQUERADE
iptables -A FORWARD -s 10.142.64.0/18 -i vlan4 -j ACCEPT
iptables -A FORWARD -s 213.75.112.0/21 -i vlan4 -j ACCEPT

#Accept multicast
iptables -I INPUT -p udp -d 224.0.0.0/4 -j ACCEPT
iptables -I INPUT -p igmp -d 224.0.0.0/4 -j ACCEPT
iptables -I FORWARD -p udp -d 224.0.0.0/4 -j ACCEPT

#Masquerade
iptables -t nat -I POSTROUTING -d 213.75.112.0/255.255.248.0 -o vlan4 -j MASQUERADE
iptables -t nat -I POSTROUTING -d 10.196.128.0/255.255.192.0 -o vlan4 -j MASQUERADE

nat start:

Spoiler

#!/bin/sh
/bin/echo 0 > /proc/sys/net/ipv4/conf/vlan4/rp_filter
/bin/echo 0 > /proc/sys/net/ipv4/conf/br0/rp_filter

services start:

Spoiler

#!/bin/sh
service restart_dnsmasq
sleep 60
killall igmpproxy
/usr/sbin/igmpproxy /jffs/configs/igmpproxy.conf

vlan4.script:

Spoiler

#!/bin/sh

[ -z "$1" ] && echo "Error: should be called from udhcpc" && exit 1

[ -n "$broadcast" ] && BROADCAST="broadcast $broadcast"
[ -n "$subnet" ] && NETMASK="netmask $subnet"

set_classless_routes() {
   local max=128
   local type
   while [ -n "$1" -a -n "$2" -a $max -gt 0 ]; do
     [ ${1##*/} -eq 32 ] && type=host || type=net
     echo "udhcpc: adding route for $type $1 via $2"
     /sbin/route add -$type "$1" gw "$2" dev "$interface"
     max=$(($max-1))
     shift 2
   done
}


case "$1" in
   deconfig)
     /sbin/ifconfig $interface 0.0.0.0
     ;;

   leasefail|nak)
     echo "Failed to obtain lease..."
     ;;

   renew|bound)
     /sbin/ifconfig $interface $ip $BROADCAST $NETMASK
     [ -n "$staticroutes" ] && set_classless_routes $staticroutes
     [ -n "$msstaticroutes" ] && set_classless_routes $msstaticroutes
     ;;
esac

exit 0

igmpproxy.conf:

Spoiler

quickleave

phyint vlan4 upstream ratelimit 0 threshold 1
altnet 10.142.64.0/18
altnet 213.75.0.0/16

phyint br0 downstream ratelimit 0 threshold 1

 

[Rai80]

My dnsmasq.conf.add is different, check option 60:

admin@RT-AC68U-3570:/jffs/configs# cat dnsmasq.conf.add
dhcp-option=60,IPTV_RG
dhcp-option=28,192.168.1.255



Can you post the output of: robocfg show
And ifconfig

Is the vlan4.script executable? Check permissions with ls -l /jffs/scripts:

-rwxr-xr-x 1 admin root 1071 Jan 31 18:49 vlan4.script

 

[Rai80]

I first configured IPTV via the web GUI and changed some stuff later on via SSH:

 

[Coolriku]

My dnsmasq.conf.add is different, check option 60:

admin@RT-AC68U-3570:/jffs/configs# cat dnsmasq.conf.add
dhcp-option=60,IPTV_RG
dhcp-option=28,192.168.1.255



Can you post the output of: robocfg show
And ifconfig

Is the vlan4.script executable? Check permissions with ls -l /jffs/scripts:

-rwxr-xr-x 1 admin root 1071 Jan 31 18:49 vlan4.script

I can't show the ifconfig anymore, because there are many users at home that can't live without tv and internet...
But from what I saw is that there strange VLAN's in the 1000 range.
And all the scripts and configs have chmod 755.
I will try the settings from the screenshot when I have the opportunity.

From the screenshot you have set vlan 3 on port 3?But VLAN 3 is not used bij KPN right?
And do it make a difference what port you use on the UDP proxy?

Thanks in advance.

 

[Rai80]

Thats correct. I couldn't upload my own screenshot. You can change vid 3 to vid 7 (VOIP).

The section below:

USE Dhcp routes: Disable
IGMP Proxy: Enable
IGMP Snooping: Enable
Udpxy: 0

 

[Coolriku]

I've got vlan4 working with cpu port 7.
but now the DHCP server doesn't sent the vendor class id...
Sow the IPTV boxes doesn't get a IP.

Can anyone help me?

 

[Rai80]

Check your dnsmasq.conf

admin@RT-AC68U-3570:/jffs/configs# cat dnsmasq.conf.add
dhcp-option=60,IPTV_RG
dhcp-option=28,192.168.1.255

Replace 192.168.1.255 broadcast with your own network.