[SOLVED] IPTV, IGMPProxy and Firewall issues

Mushoz · March 23, 2018, 12:23pm

I am using Lede with igmpproxy to view routed IPTV on my television. It is already working, but especially for higher bitrate channels I am getting the occasional stutter even though the connection is otherwise idle. I enabled firewall logging for the zone that is used in my iptv connection and I am seeing packets being rejected which shouldn't be rejected.

iptv interface (iptv comes in as vlan4 tagged from the ISP):

config interface 'iptv'
	option proto 'dhcp'
	option ifname 'eth0.4'
	option classlessroute '1'
	option vendorid 'IPTV_RG'
	option defaultroute '0'
	option peerdns '0'
	option gateway '0'

Igmpproxy configuration:

config igmpproxy
	option quickleave 1

config phyint
	option network iptv
	option direction upstream
	list altnet 0.0.0.0/0

config phyint
	option network lan
	option direction downstream

Relevant firewall configuration snippets:

config zone
	option name 'iptv'
	option forward 'REJECT'
	option network 'iptv'
	option input 'REJECT'
	option log '1'
	option output 'ACCEPT'

config rule
	option target 'ACCEPT'
	option src 'iptv'
	option name 'iptv-IGMP'
	option family 'ipv4'
	option proto 'igmp'

config rule
	option target 'ACCEPT'
	option dest 'lan'
	option family 'ipv4'
	option proto 'udp'
	option dest_ip '224.0.0.0/4'
	option name 'iptv'
	option src 'iptv'

My first question: Should masquerading be enabled on the iptv firewall zone? Since traffic only flows from/to the router (to/from igmpproxy) I would assume masquerading isn't needed.

My second question: Should mss clamping be enabled on this zone? Since MTU is properly set to 1500 I would assume no, although I guess it doesn't really hurt to enable it regardless.

My third question pertains some rejected packages I am seeing in that firewall zone:

Fri Mar 23 13:05:43 2018 kern.warn kernel: [ 1748.905498] REJECT(src iptv)IN=eth0.4 OUT= MAC=XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX SRC=213.75.167.58 DST=224.3.2.6 LEN=377 TOS=0x04 PREC=0x00 TTL=14 ID=0 DF PROTO=UDP SPT=56863 DPT=9875 LEN=357

Seeing that the destination is 224.3.2.6 and it is an UDP packet, that last firewall rule should trigger and accept this packet, right? Mind you, the firewall rule is actually doing something. If I disable it, iptv stops working completely. I'm just stumped I am still seeing these rejects. By the way, the rejects only seem to show up when changing channels. Unfortunately, they don't seem to be correlated with the stutters I am seeing. Leaving a single channel on will not show any rejects for longer periods of time (I tested for 20 minutes straight), while I am getting the stutters.

My fourth question: Does anyone happen to know what's causing the occasional stutter, even with an otherwise idle internet connection? Some channels are SD quality, some are HD quality and lastly some are fibre quality, in increasing order of bitrate. SD quality channels are completely smooth, HD quality channels stutter very rarely, while fibre channels stutter occasionally (around once a minute I'd say).

My fifth and final question: Does it even make sense to use a separate firewall zone for my iptv interface? Would putting the iptv interface in the WAN zone make more sense / be more efficient / be best practice?

lleachii · March 23, 2018, 1:37pm

Only if your LAN has public IPs, otherwise, masquerade is needed.

It shouldn't hurt.

These rejected packets are likely due to this rule:

Try making this an INPUT rule, instead of a FORWARD...as you're running a proxy on the router, not FORWARDING.

Are you doing any other packet inspections?

...I'm kinda lost about this, unless your TV is delivered on a separate VLAN form Internet. In my case, TV is Ethernet-based, but delivered only on Coax (so I just bridge it to the LAN).

Mushoz · March 23, 2018, 2:02pm

Thank you very much for your extensive response

How come it is working without masquerading? I've enabled it for now, but I see no differences. Just trying to understand the reasons behind all the different settings.

Got it. So this looks better, right?:

config rule
	option target 'ACCEPT'
	option family 'ipv4'
	option proto 'udp'
	option dest_ip '224.0.0.0/4'
	option name 'iptv'
	option src 'iptv'

The rejects seem to be gone as well now Thank you!

No, anything I can do to try and debug the stuttering? Even with aforementioned changes I am still getting the same occasional stutter. Again, my internet is completely idle and the router CPU is not doing much either during the stutters (>95% idle). Would a tcpdump be of any help?

Internet and iptv are both delivered over a single ethernet cable. Internet is vlan tagged with 6, while iptv is vlan tagged with 4. Voip is vlan tagged with 7, but I am not using that connection, so I don't have it configured. Not sure whether a separate zone for iptv makes any sense, or what best practice is. But either should be fine.

One more thing that suddenly popped up in my logs is the following line:

Fri Mar 23 14:57:11 2018 user.warn igmpproxy[1865]: MRT_DEL_MFC; Errno(2): No such file or directory

And this is also a message I am seeing in the logs:

Fri Mar 23 15:07:56 2018 user.warn igmpproxy[1893]: The origin for route 239.255.255.250 changed from 192.168.1.203 to 192.168.1.153
Fri Mar 23 15:08:40 2018 user.warn igmpproxy[1893]: The origin for route 239.255.255.250 changed from 192.168.1.153 to 192.168.1.210

Maybe it is related to the stuttering? It does not seem correlated with the stutters though.

lleachii · March 23, 2018, 2:11pm

Please see: https://www.tldp.org/HOWTO/IP-Masquerade-HOWTO/ipmasq-background2.1.html

Also, you have not clearly described your ISP's network configuration, I couldn't tell you. But it seems your TV VLAN uses private IPs...

If it's working, it's right.

The traffic is UDP...and you see the TV, so it's being received...do you receive "slutters" with your ISP's router?

Well...that seems there's a changes in who requested the subscription...maybe changing the quickleave...?

Mushoz · March 23, 2018, 2:44pm

NAT does not equal masquerading, correct? That page even describes masquerading as a one to many setup. But isn't this technically a one to one setup? Since only the router itself (as igmpproxy is running on the router) is using the IPTV VLAN.

The iptv interface on the router is using DHCP to receive an IP from the ISP. It looks like a private IP, since it has the following IP assigned to it: 10.0.37.96/19
I guess this means masquerading should be disabled?

I don't. But I'd prefer to use only the LEDE router for security reasons and customization possibilities. Actually, after rebooting my router the stutters seem to be gone Not sure if I'm just lucky now, or they are really gone. Not sure why changing the settings via LUCI didn't do the magic straight away and required a reboot, but I'm more than hopeful. Thank you, thank you, thank you I've been procrastinating fixing this issue for more than half a year now, falling back to HD channels just to get a stutter free experience

Are those warnings ever "normal" in some circumstances? Like when changing channels? Or should those messages never be there? I'm testing with just a single TV being used on my LAN. I'll try playing around with disabling quickleave. But if they are harmless I might as well leave it as is.

Regarding the different firewall zones again: I used to run the same setup with the iptv interface in the wan firewall zone. It also ran fine, except the stutters, but they didn't seem to be related to the zone, since I had them in this new iptv zone as well before I applied your suggestions. However, when I reboot the router now (with the new iptv zone) I have to run:

/etc/init.d/igmpproxy restart

Apparently, the igmpproxy startup script runs before everything has fully been initialized and generates a igmpproxy config file without an upstream definition. Restarting igmpproxy after the router has fully booted via the above command fixes that, but it's annoying having to do after each reboot. So preferably I'd move it back to the WAN zone if this doesn't compromise on security or goes against best practices.

Mushoz · March 23, 2018, 2:47pm

One more question. My lan bridge defintion currently looks like this:

config interface 'lan'
	option type 'bridge'
	option ifname 'eth0.1'
	option proto 'static'
	option ipaddr '192.168.1.1'
	option netmask '255.255.255.0'
	option ip6assign '60'
	option broadcast '192.168.1.255'
	option igmp_snooping '1'

I understand every single option, except for the broadcast option. I got this from a guide, but I am not sure whether it is required and what is even does. There is no device on my lan network with the 192.168.1.255 IP.

lleachii · March 23, 2018, 2:56pm

Please see: https://en.wikipedia.org/wiki/Broadcast_address

Some services LANs need to know the broadcast IP.

If you need more guidance on that, see: http://www.oreilly.com/openbook/linag2/book/ch11.html

While that is a private range, it's inside your ISP's network. The question is - if they are routing to your private IP space, that answer is likely 'no,' therefore you masquerade.

I just suggested editing the quickleave setting, see: https://manpages.debian.org/testing/igmpproxy/igmpproxy.conf.5.en.html for what that setting does.

It doesn't change anything it's on an different physical interface/VLAN. If you need more information about how the firewall works, see: https://openwrt.org/docs/guide-user/firewall/start

Consider marking this thread "[SOLVED]".

Mushoz · March 23, 2018, 3:20pm

You're absolutely right. Since the WAN zone and iptv zone are identical now after the aforementioned changes, there is no reason to split them into two separate albeit identical zones. It's much easier to use a single zone. I've moved the iptv interface back to the wan firewall zone, changed to two firewall rules from iptv source zone to wan source zone, changed the igmpproxy config to accommodate the changes, aaaaand...... nothing

iptv stopped working. Strangely enough, changing the firewall rule from ACCEPT to a FORWARD rule to lan fixes iptv (although with the stutters). So igmpproxy seems to be listening on lan instead of the iptv interface. However, my configuration looks correct:

igmpproxy uci configuration:

config igmpproxy
	option quickleave 1

config phyint
	option network iptv
	option direction upstream
	list altnet 0.0.0.0/0

config phyint
	option network lan
	option direction downstream

And the generated igmpproxy config file:

root@LEDE:~# cat /var/etc/igmpproxy.conf 
quickleave

phyint eth0.4 upstream ratelimit 0 threshold 1
	altnet 0.0.0.0/0

phyint br-lan downstream ratelimit 0 threshold 1

Could this be a bug? I also noticed when running /etc/init.d/firewall restart I can see the following lines:

root@LEDE:~# /etc/init.d/firewall restart
Warning: Warning: ubus rule (ubus:igmpproxy[instance1] rule 0) refers to not existing zone 'iptv'
Warning: Warning: ubus rule (ubus:igmpproxy[instance1] rule 1) refers to not existing zone 'iptv'
Warning: Warning: ubus rule (ubus:igmpproxy[instance1] rule 0) refers to not existing zone 'iptv'
Warning: Warning: ubus rule (ubus:igmpproxy[instance1] rule 1) refers to not existing zone 'iptv'
...

Mind you, these warnings were already there before I even started playing around with a separate iptv firewall zone. Could it be there's a bug somewhere that makes igmpproxy interpret the iptv interface as a zone and therefore throwing these warnings and binding to the lan interface instead of the iptv interface as it should?

It would explain why suddenly a FORWARD rule is required instead of an ACCEPT rule. And it would explain why having both the zone and interface named as iptv makes things work properly. Or am I just rambling now?

lleachii · March 23, 2018, 3:31pm

I though you said:

So, I'm very lost on how the zone is still 'iptv' in your igmpproxy config. Shouldn't it be 'wan' now?

You've totally lost me...I'm not sure what you're saying makes sense...why did you change the working INPUT rule back to a broken FORWARD rule???

Per what I told you in an earlier post:

Mushoz · March 23, 2018, 4:02pm

Just for troubleshooting. Obviously it is not something I want to keep.

My bad. I thought that the igmpproxy configuration file requires an interface and not a zone. Hence the iptv value, since the interface is called iptv, but now part of the wan zone. The generated igmpproxy file in my previous post located in /var/etc/igmpproxy.conf looks correct, right? eth0.4 is properly defined as the upstream interface.

I've just changed the iptv value to wan in the igmpproxy configuration file (and changed back to the previously working INPUT rule) and it is still not working. The generated igmpproxy file also looks incorrect now:

root@LEDE:~# cat /var/etc/igmpproxy.conf 
quickleave

phyint pppoe-wan upstream ratelimit 0 threshold 1
	altnet 0.0.0.0/0

phyint br-lan downstream ratelimit 0 threshold 1

Notice the incorrect pppoe-wan interface as the defined upstream. For reference, the igmpproxy uci configuration file:

root@LEDE:~# cat /etc/config/igmpproxy
config igmpproxy
	option quickleave 1

config phyint
	option network wan
	option direction upstream
	list altnet 0.0.0.0/0

config phyint
	option network lan
	option direction downstream

lleachii · March 23, 2018, 4:23pm

OK...I' not certain you looked at the Firewall config website...

If you're having issues properly specifying the interfaces when merged into one firewall zone, go back to the working configuration. To be clear, though, in the igmpproxy config file, you are specifying Interfaces, not Firewall Zones.

I don't think you will be successful given that the WAN is probably a different VLAN/interface; and that you'd need to bridge or something else.

Mushoz · March 23, 2018, 4:33pm

I did. I even mentioned that pppoe-wan was incorrect.

That's what I had initially, until you mentioned the following:

Where you implied the igmpproxy should contain a zone.

Yes, wan is a different VLAN. I will use a separate iptv zone then. I was just wondering whether it would be possible to use a single wan zone for both wan and iptv. Obviously I was using this setup earlier as you mentioned, however, that was using the broken FORWARD rule. Going back to this rule fixes this issue with the current configuration as well, however it reintroduces the stuttering issue.

By the way, the wiki is also using a FORWARD rule: https://wiki.openwrt.org/doc/howto/udp_multicast
This should probably be changed, right?

lleachii · March 23, 2018, 4:40pm

No...I was just under the impression that you hadn't named the zone and interface identically, my apologies. In addition, I believe that was regarding the following:

Yes, as this is what I understood I was explaining to you:

I assume it does need to be edited....Interesting...I've never looked at that page, since I realized OpenWRT had igmpproxy from opkg.

Mushoz · March 23, 2018, 5:03pm

It definitely seems like a bug to me:

config igmpproxy
	option quickleave 0

config phyint
	option network iptv
	option direction upstream
	list altnet 0.0.0.0/0

config phyint
	option network lan
	option direction downstream

In either configuration this should be correct, since this references the interface, which is the same for both setups.

Changing the src in both the IGMP and UDP INPUT rules from iptv to wan
moving the iptv interface from iptv zone to wan zone (both zones have the same general setttings)

results in iptv stopping to work. Changing these few things back to the dedicated iptv zone OR changing the UDP from INPUT to FORWARD and iptv starts working again.

So it seems igmpproxy isn't properly binding to the iptv interface if the zone isn't called exactly the same, since it requires a FORWARD rule to lan, which probably means igmpproxy is listening on LAN.

To test my hypothesis I went to the working setup with the iptv zone. And now all I did was rename the iptv zone to test. And iptv stopped working again. I verified both firewall rules were properly updated with the new names, which they were. I also restarted igmpproxy to see if that changed anything, which it didn't. Changing the name of the zone back to iptv and it instantly came back alive. Very weird stuff happening.

lleachii · March 23, 2018, 5:11pm

To test, simply type:

netstat -l -u

This will show you all listening UDP services and the interfaces they're listening on (by IP).

Did you edit and restart igmpproxy too???

I suggest keeping the working configuration until you know a little more about the firewall.

Mushoz · March 23, 2018, 5:19pm

I didn't edit it, since the configuration should remain the same, as the igmpproxy configuration references interfaces rather than zones, which didn't change. But I did restart igmpproxy.

My fiancee just came back home, so that is exactly what I am going to do right now (she doesn't like me messing with our iptv connection ;)) and do some additional reading over the weekend. I'll go back to debugging / tinkering on monday. I'll let you know if I manage to find anything. Thank you very much for your amazing help and patience

Not sure how to locate igmpproxy with this command:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       
udp        0      0 0.0.0.0:domain          0.0.0.0:*                           
udp        0      0 0.0.0.0:bootps          0.0.0.0:*                           
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           
udp        0      0 0.0.0.0:51820           0.0.0.0:*                           
udp        0      0 LEDE.lan:5351           0.0.0.0:*                           
udp        0      0 LEDE.lan:51439          0.0.0.0:*                           
udp        0      0 :::dhcpv6-client        :::*                                
udp        0      0 :::dhcpv6-server        :::*                                
udp        0      0 :::domain               :::*                                
udp        0      0 :::1900                 :::*                                
udp        0      0 :::51820                :::*                                
udp        0      0 :::36734                :::*                                
udp        0      0 :::5351                 :::*

lleachii · March 23, 2018, 5:51pm

Correction:

netstat -l -u -p

Mushoz · March 23, 2018, 5:58pm

Also doesn't show the required information unfortunately:

root@LEDE:~# netstat -l -u -p
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
udp        0      0 0.0.0.0:domain          0.0.0.0:*                           1715/dnsmasq
udp        0      0 0.0.0.0:bootps          0.0.0.0:*                           1715/dnsmasq
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           1308/miniupnpd
udp        0      0 0.0.0.0:51820           0.0.0.0:*                           -
udp        0      0 LEDE.lan:5351           0.0.0.0:*                           1308/miniupnpd
udp        0      0 LEDE.lan:51439          0.0.0.0:*                           1308/miniupnpd
udp        0      0 :::dhcpv6-client        :::*                                1251/odhcp6c
udp        0      0 :::dhcpv6-server        :::*                                837/odhcpd
udp        0      0 :::domain               :::*                                1715/dnsmasq
udp        0      0 :::1900                 :::*                                1308/miniupnpd
udp        0      0 :::51820                :::*                                -
udp        0      0 :::36734                :::*                                1308/miniupnpd
udp        0      0 :::5351                 :::*                                1308/miniupnpd

lleachii · March 23, 2018, 6:02pm

Let's look for the IGMP subscription instead...omit the -u:

netstat -l -p

Mushoz · March 23, 2018, 6:31pm

Weird that is shows twice. Also it is listening on all IPs in this case and not restricted to a specific interface as far as I can tell. I will have a look on Monday in the non-working setup.

 root@LEDE:~# netstat -l -p
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
    tcp        0      0 0.0.0.0:www             0.0.0.0:*               LISTEN      894/uhttpd
    tcp        0      0 0.0.0.0:domain          0.0.0.0:*               LISTEN      1715/dnsmasq
    tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      871/dropbear
    tcp        0      0 0.0.0.0:https           0.0.0.0:*               LISTEN      894/uhttpd
    tcp        0      0 :::5000                 :::*                    LISTEN      1308/miniupnpd
    tcp        0      0 :::www                  :::*                    LISTEN      894/uhttpd
    tcp        0      0 :::domain               :::*                    LISTEN      1715/dnsmasq
    tcp        0      0 :::ssh                  :::*                    LISTEN      871/dropbear
    tcp        0      0 :::https                :::*                    LISTEN      894/uhttpd
    udp        0      0 0.0.0.0:domain          0.0.0.0:*                           1715/dnsmasq
    udp        0      0 0.0.0.0:bootps          0.0.0.0:*                           1715/dnsmasq
    udp        0      0 0.0.0.0:1900            0.0.0.0:*                           1308/miniupnpd
    udp        0      0 0.0.0.0:51820           0.0.0.0:*                           -
    udp        0      0 LEDE.lan:5351           0.0.0.0:*                           1308/miniupnpd
    udp        0      0 LEDE.lan:51439          0.0.0.0:*                           1308/miniupnpd
    udp        0      0 :::dhcpv6-client        :::*                                1251/odhcp6c
    udp        0      0 :::dhcpv6-server        :::*                                837/odhcpd
    udp        0      0 :::domain               :::*                                1715/dnsmasq
    udp        0      0 :::1900                 :::*                                1308/miniupnpd
    udp        0      0 :::51820                :::*                                -
    udp        0      0 :::36734                :::*                                1308/miniupnpd
    udp        0      0 :::5351                 :::*                                1308/miniupnpd
    raw   164896      0 0.0.0.0:2               0.0.0.0:*               2           10167/igmpproxy
    raw        0      0 0.0.0.0:2               0.0.0.0:*               2           10167/igmpproxy
    raw        0      0 ::%1:58                 ::%4443948:*            58          1251/odhcp6c
    raw        0      0 ::%1:58                 ::%4443948:*            58          837/odhcpd
    raw        0      0 ::%1:58                 ::%4443948:*            58          837/odhcpd
    Active UNIX domain sockets (only servers)
    Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
    unix  2      [ ACC ]     STREAM     LISTENING         75 501/ubusd           /var/run/ubus.sock