KPN FTTH iptv not working how I want it to be

Hey, I have a question about my IPTV. I have OpenWrt 23.05.4 x86/64 running. I will post my current network, firewall and igmpproxy configs. I also translated the KPN FTTH network document into English in .docx format: https://file.io/w7mnOLHpvTdg

Now I don't know if what I want is actually possible.

I don't know if it hurts having two bridges in the same network. I wanted to split my IPTV fully from my network and set it up on a different bridge. Now I don't know if this is overkill, and since it is already on VLAN 4 it might already be split, because the internet is on VLAN 6. But some of you can point that out to me.

The WAN cable is in eth1. The network has two VLANs: VLAN 6 for internet and VLAN 4 for IPTV. My gaming PC is on eth3 and my tp link archer x55 that I use for LAN and Wi-Fi is on eth0. The IPTV is connected to the tplink archer x55. The IPTV is working, but I want to see if my setup is good or if it can be better. This is why I am reaching out on the forum.

The situation that I am aiming for:
Right now my br-lan has eth0 and eth3 listed. What I want is for my IPTV to go on eth2. Do I need to have eth2 on the br-lan bridge? Because I tried to route eth1.4 to eth2 without putting eth2 on br-lan, but on a separate br-iptv bridge. But I could not get it to work; I am not getting anything through. Of course, this could be because I am doing something wrong.

I will give my current setup config of OpenWrt 23.05.4 x86/64 and the setup that I had that does not work yet.

The current setup of my network config is:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth3'
	option igmp_snooping '1'
	option stp '1'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.1.1'
	option ip6assign '60'

config interface 'wan'
	option proto 'pppoe'
	option username 'xx@xx'
	option password 'ppp'
	option device 'eth1.6'
	option ipv6 '0'
	option mtu '1500'

config interface 'wan6'
	option proto 'dhcpv6'
	option device '@wan'
	option reqaddress 'try'
	option reqprefix 'auto'

config device
	option name 'eth1'
	option mtu '1508'

config device
	option name 'eth1.6'
	option type '8021q'
	option ifname 'eth1'
	option vid '6'

config device
	option name 'eth1.4'
	option type '8021q'
	option ifname 'eth1'
	option vid '4'
	option ipv6 '0'
	option mtu '1500'

config interface 'IPTV_WAN'
	option proto 'dhcp'
	option delegate '0'
	option defaultroute '0'
	option peerdns '0'
	option vendorid 'IPTV_RG'
	option device 'br-iptv'
	option ipv6 '0'


config device
	option name 'br-iptv'
	option type 'bridge'
	list ports 'eth1.4'

config device
	option name 'eth0'

config device
	option name 'eth3'

Current firewall config:

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'wan'
	list network 'wan6'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'IPTV_WAN'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option masq '1'
	list network 'IPTV_WAN'
	option family 'ipv4'

config forwarding
	option dest 'IPTV_WAN'
	option src 'lan'

config forwarding
	option src 'IPTV_WAN'
	option dest 'lan'

config rule
	option name 'Allow-IGMP-Proxy'
	option proto 'udp'
	option family 'ipv4'
	option target 'ACCEPT'
	option dest_ip '224.0.0.0/4'
	option dest 'lan'
	option src 'IPTV_WAN'

Current igmpproxy config:

config igmpproxy
	option quickleave 1
	option verbose [0-3](none, minimal[default], more, maximum)

config phyint
	option network 'IPTV_WAN'
	option zone 'IPTV_WAN'
	option direction 'upstream'
	list altnet 'xx/16'
	list altnet 'xx0/16'
	list altnet 'xxx2.0/21'

config phyint
	option network 'lan'
	option zone 'lan'
	option direction 'downstream'

My dnsmasq config has these lines at the end for it to work:

dhcp-option=60,IPTV_RG
dhcp-option=28,192.168.1.255

The setup that I thought was going to work:

Future Network config:

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option packet_steering '1'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'eth0'
	list ports 'eth3'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option netmask '255.255.255.0'
	option ipaddr '192.168.1.1'
	option ip6assign '60'
	option stp '1'

config interface 'wan'
	option proto 'pppoe'
	option username 'xxx@internet'
	option password 'ppp'
	option device 'eth1.6'
	option ipv6 '0'
	option mtu '1500'

config interface 'wan6'
	option proto 'dhcpv6'
	option device '@wan'
	option reqaddress 'try'
	option reqprefix 'auto'

config device
	option name 'eth1'
	option mtu '1508'

config device
	option name 'eth1.6'
	option type '8021q'
	option ifname 'eth1'
	option vid '6'

config device
	option name 'eth1.4'
	option type '8021q'
	option ifname 'eth1'
	option vid '4'
	option ipv6 '0'
	option mtu '1500'

config interface 'IPTV_WAN'
	option proto 'dhcp'
	option delegate '0'
	option defaultroute '0'
	option peerdns '0'
	option vendorid 'IPTV_RG'
	option device 'eth1.4'
	option ipv6 '0'

config interface 'IPTV_LAN'
	option proto 'static'
	option device 'br-iptv'
	option ipaddr '192.168.2.1'
	option netmask '255.255.255.0'

config device
	option name 'br-iptv'
	option type 'bridge'
	list ports 'eth2'
	option igmp_snooping '1'

config device
	option name 'eth0'

config device
	option name 'eth2'

config device
	option name 'eth3'

Future Firewall config:

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	list network 'wan'
	list network 'wan6'

config zone
    option name 'IPTV_LAN'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'REJECT'
    list network 'IPTV_LAN'

config zone
	option name 'IPTV_WAN'
	option input 'ACCEPT'
	option forward 'REJECT'
	option output 'ACCEPT'
	option masq '1'
	list network 'IPTV_WAN'
	option family 'ipv4'

config forwarding
    option src 'IPTV_WAN'
    option dest 'IPTV_LAN'

config forwarding
    option src 'IPTV_LAN'
    option dest 'IPTV_WAN'

config rule
    option name 'Allow-IGMP-Proxy'
    option proto 'udp'
    option family 'ipv4'
    option target 'ACCEPT'
    option dest_ip '224.0.0.0/4'
    option src 'IPTV_WAN'
    option dest 'IPTV_LAN'

config rule
    option name 'Allow-IGMP'
    option src 'IPTV_LAN'
    option proto 'igmp'
    option target 'ACCEPT'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

Future Igmpproxy config:

config igmpproxy
	option quickleave 1
	option verbose [0-3](none, minimal[default], more, maximum)

config phyint
	option network 'IPTV_WAN'
	option zone 'IPTV_WAN'
	option direction 'upstream'
	list altnet 'xx0.0/16'
	list altnet 'xx0.0/16'
	list altnet 'xxx.0/21'

config phyint
	option network 'IPTV_LAN'
	option zone 'IPTV_LAN'
	option direction 'downstream'

Future dnsmasq config:

dhcp-option=60,IPTV_RG
dhcp-option=28,192.168.2.255

So the first configs are from my current setup. I reverted since the new one was not working. The second part is the new setup which I am trying to create.

The only way this was working was when I added eth2 to br-lan. But I don't want that. I want it completely separated from the network bridge. I thought that if I assigned a static IP, the problem would be solved. Or is the igmpproxy config not correct? I thought what I was doing was correct.

If anyone could help me out and say if what I am doing is actually possible, since I am not adding eth2 to br-lan. So it is not connected to VLAN 6, but I thought VLAN 4 with a static IP would have been enough.

Probably bridge vlan4 to stb.

1 Like

So you would say something like this?

Network config:

config device
    option name 'br-iptv'
    option type 'bridge'
    list ports 'eth1.4'
    list ports 'eth2'
    option igmp_snooping '1'

config interface 'IPTV_BRIDGE'
    option device 'br-iptv'
    option proto 'none'

Firewall config:

config zone
    option name 'IPTV_ZONE'
    option input 'ACCEPT'
    option output 'ACCEPT'
    option forward 'ACCEPT'
    option network 'IPTV_BRIDGE'

config forwarding
    option src 'IPTV_ZONE'
    option dest 'IPTV_ZONE'

config rule
    option name 'Allow-IGMP'
    option src 'IPTV_ZONE'
    option proto 'igmp'
    option target 'ACCEPT'

config rule
    option name 'Allow-Multicast'
    option src 'IPTV_ZONE'
    option proto 'udp'
    option dest_ip '224.0.0.0/4'
    option target 'ACCEPT'

The TV box probably expects packets tagged 4 (to support a direct connection to the ONT), so you should use eth2.4 on the port for the TV box.

    list ports 'eth1.4'
    list ports 'eth2.4'

2 Likes

And the IPTV firewall stuff can be removed entirely since it will be an unmanaged interface on a bridge.

Once you have incorporated the suggestions, let's see your latest config.

3 Likes
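
Putting the replies together (bridge VLAN 4 through to the set-top box, tag the TV port as eth2.4, leave the interface unmanaged), the IPTV part of /etc/config/network would look like the following. This is an added example, not a config posted by anyone in the thread; the explicit `eth2.4` device section is an assumption modelled on the `eth1.4` section in the original post.

```uci
# Added example: IPTV section of /etc/config/network only.
# br-lan (eth0, eth3) and the PPPoE wan on eth1.6 stay as in the current setup.

# VLAN 4 on the WAN port, as already defined in the original post
config device
	option name 'eth1.4'
	option type '8021q'
	option ifname 'eth1'
	option vid '4'
	option ipv6 '0'
	option mtu '1500'

# VLAN 4 on the TV-box port (assumed section, same layout as eth1.4),
# so frames leave eth2 tagged 4 as the box is said to expect
config device
	option name 'eth2.4'
	option type '8021q'
	option ifname 'eth2'
	option vid '4'

# Layer-2 bridge between the provider's IPTV VLAN and the TV-box port.
# eth2 is NOT a member of br-lan, so the box never shares a segment with the LAN.
config device
	option name 'br-iptv'
	option type 'bridge'
	list ports 'eth1.4'
	list ports 'eth2.4'
	option igmp_snooping '1'

# Unmanaged interface: no address, no DHCP client on the router.
# No zone, forwarding or rule in /etc/config/firewall refers to IPTV_BRIDGE.
config interface 'IPTV_BRIDGE'
	option device 'br-iptv'
	option proto 'none'
```

Because br-iptv carries no address and sits in no firewall zone, the router by default does not filter what crosses it, so only the TV box should be plugged into eth2.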