Directions for a conditional bridge to bypass IPTV device


I'm new to openwrt. I'd appreciate if I can get some help on this.

Due to my unfortunate home network setting, I have below connectivity:

ISP Router --WAN< openwrt >LAN-- sw1 -- sw2 -- (iptvbox, wifi AP)

My IPTV box doesn't work if I put openwrt between ISP router and sw1, but works fine if we remove openwrt.

After investigation I see that the iptvbox as some "magic" DHCP behavior and relies on DHCP to assign multiple IP addresses (one in the subnet, another seems not) by two different DHCP queries.

I kind of hope that the openwrt router can act as a bridge (or switch) if it receives eth packet with src or dest with the iptvbox's mac address, while behaving as a router otherwise. I admittedly lack the Linux networking knowledge on whether possible or how to achieve, but here's what I intend:

  1. Forward LAN packet to WAN if src matches IPTVMAC
  2. Forward WAN packet to LAN if dest matches IPTVMAC
  3. Forward WAN packet to LAN if it is DHCP Offer(bcast and UDP dest port 68)
  4. Otherwise resume regular router behavior

Not sure if I missed something, let me know if further information is needed.


With some further investigation, my guess is it can be done with ebtables -t broute -A BROUTING if I use DROP most packets (which means it goes to routing instead of bridging) unless the MAC address matches. However it seems the 22.03 (and dev) has ebtables-nft and shows error table "'broute'" does not exist.

So another way I'm exploring now is to use nftables which includes DUP which should work on inet (so I can filter for port 68), and FWD that can work netdev directly, I'll try further.

What I end up doing (and it finally works):

  1. Configure promisc mode for both wan and lan nic
  2. opkg install kmod-nft-netdev
  3. Apply nft script.

The nft script I use now:

#!/usr/sbin/nft -f
define IPTVMAC = 00:00:00:00:00:00

table netdev iptv
flush table netdev iptv
table netdev iptv {
    chain lan_ingress {
        type filter hook ingress device eth1 priority filter;
        ether saddr $IPTVMAC fwd to eth0
        # allow devices in subnet to send igmp multicast packets to WAN
        meta pkttype multicast meta l4proto igmp fwd to eth0
    chain wan_ingress {
        type filter hook ingress device eth0 priority filter;
        ether daddr $IPTVMAC fwd to eth1
        # forward udp and igmp multicast packets to LAN
        meta pkttype multicast meta l4proto {udp, igmp} fwd to eth1

Note that I don't need IGMP snooping as I have IGMP snooping enabled switches behind the openwrt router, and I'm using a device that only has 2 ports, eth0 for WAN and eth1 for LAN. It might be a bit different if wifi and/or multiple LAN ports are involved.

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.