[SOLVED] IPTV, IGMPProxy and Firewall issues

Mushoz · March 23, 2018, 4:33pm

I did. I even mentioned that pppoe-wan was incorrect.

That's what I had initially, until you mentioned the following:

Where you implied the igmpproxy should contain a zone.

Yes, wan is a different VLAN. I will use a separate iptv zone then. I was just wondering whether it would be possible to use a single wan zone for both wan and iptv. Obviously I was using this setup earlier as you mentioned, however, that was using the broken FORWARD rule. Going back to this rule fixes this issue with the current configuration as well, however it reintroduces the stuttering issue.

By the way, the wiki is also using a FORWARD rule: https://wiki.openwrt.org/doc/howto/udp_multicast
This should probably be changed, right?

lleachii · March 23, 2018, 4:40pm

No...I was just under the impression that you hadn't named the zone and interface identically, my apologies. In addition, I believe that was regarding the following:

Yes, as this is what I understood I was explaining to you:

I assume it does need to be edited....Interesting...I've never looked at that page, since I realized OpenWRT had igmpproxy from opkg.

Mushoz · March 23, 2018, 5:03pm

It definitely seems like a bug to me:

config igmpproxy
	option quickleave 0

config phyint
	option network iptv
	option direction upstream
	list altnet 0.0.0.0/0

config phyint
	option network lan
	option direction downstream

In either configuration this should be correct, since this references the interface, which is the same for both setups.

Changing the src in both the IGMP and UDP INPUT rules from iptv to wan
moving the iptv interface from iptv zone to wan zone (both zones have the same general setttings)

results in iptv stopping to work. Changing these few things back to the dedicated iptv zone OR changing the UDP from INPUT to FORWARD and iptv starts working again.

So it seems igmpproxy isn't properly binding to the iptv interface if the zone isn't called exactly the same, since it requires a FORWARD rule to lan, which probably means igmpproxy is listening on LAN.

To test my hypothesis I went to the working setup with the iptv zone. And now all I did was rename the iptv zone to test. And iptv stopped working again. I verified both firewall rules were properly updated with the new names, which they were. I also restarted igmpproxy to see if that changed anything, which it didn't. Changing the name of the zone back to iptv and it instantly came back alive. Very weird stuff happening.

lleachii · March 23, 2018, 5:11pm

To test, simply type:

netstat -l -u

This will show you all listening UDP services and the interfaces they're listening on (by IP).

Did you edit and restart igmpproxy too???

I suggest keeping the working configuration until you know a little more about the firewall.

Mushoz · March 23, 2018, 5:19pm

I didn't edit it, since the configuration should remain the same, as the igmpproxy configuration references interfaces rather than zones, which didn't change. But I did restart igmpproxy.

My fiancee just came back home, so that is exactly what I am going to do right now (she doesn't like me messing with our iptv connection ;)) and do some additional reading over the weekend. I'll go back to debugging / tinkering on monday. I'll let you know if I manage to find anything. Thank you very much for your amazing help and patience

Not sure how to locate igmpproxy with this command:

Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       
udp        0      0 0.0.0.0:domain          0.0.0.0:*                           
udp        0      0 0.0.0.0:bootps          0.0.0.0:*                           
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           
udp        0      0 0.0.0.0:51820           0.0.0.0:*                           
udp        0      0 LEDE.lan:5351           0.0.0.0:*                           
udp        0      0 LEDE.lan:51439          0.0.0.0:*                           
udp        0      0 :::dhcpv6-client        :::*                                
udp        0      0 :::dhcpv6-server        :::*                                
udp        0      0 :::domain               :::*                                
udp        0      0 :::1900                 :::*                                
udp        0      0 :::51820                :::*                                
udp        0      0 :::36734                :::*                                
udp        0      0 :::5351                 :::*

lleachii · March 23, 2018, 5:51pm

Correction:

netstat -l -u -p

Mushoz · March 23, 2018, 5:58pm

Also doesn't show the required information unfortunately:

root@LEDE:~# netstat -l -u -p
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
udp        0      0 0.0.0.0:domain          0.0.0.0:*                           1715/dnsmasq
udp        0      0 0.0.0.0:bootps          0.0.0.0:*                           1715/dnsmasq
udp        0      0 0.0.0.0:1900            0.0.0.0:*                           1308/miniupnpd
udp        0      0 0.0.0.0:51820           0.0.0.0:*                           -
udp        0      0 LEDE.lan:5351           0.0.0.0:*                           1308/miniupnpd
udp        0      0 LEDE.lan:51439          0.0.0.0:*                           1308/miniupnpd
udp        0      0 :::dhcpv6-client        :::*                                1251/odhcp6c
udp        0      0 :::dhcpv6-server        :::*                                837/odhcpd
udp        0      0 :::domain               :::*                                1715/dnsmasq
udp        0      0 :::1900                 :::*                                1308/miniupnpd
udp        0      0 :::51820                :::*                                -
udp        0      0 :::36734                :::*                                1308/miniupnpd
udp        0      0 :::5351                 :::*                                1308/miniupnpd

lleachii · March 23, 2018, 6:02pm

Let's look for the IGMP subscription instead...omit the -u:

netstat -l -p

Mushoz · March 23, 2018, 6:31pm

Weird that is shows twice. Also it is listening on all IPs in this case and not restricted to a specific interface as far as I can tell. I will have a look on Monday in the non-working setup.

 root@LEDE:~# netstat -l -p
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
    tcp        0      0 0.0.0.0:www             0.0.0.0:*               LISTEN      894/uhttpd
    tcp        0      0 0.0.0.0:domain          0.0.0.0:*               LISTEN      1715/dnsmasq
    tcp        0      0 0.0.0.0:ssh             0.0.0.0:*               LISTEN      871/dropbear
    tcp        0      0 0.0.0.0:https           0.0.0.0:*               LISTEN      894/uhttpd
    tcp        0      0 :::5000                 :::*                    LISTEN      1308/miniupnpd
    tcp        0      0 :::www                  :::*                    LISTEN      894/uhttpd
    tcp        0      0 :::domain               :::*                    LISTEN      1715/dnsmasq
    tcp        0      0 :::ssh                  :::*                    LISTEN      871/dropbear
    tcp        0      0 :::https                :::*                    LISTEN      894/uhttpd
    udp        0      0 0.0.0.0:domain          0.0.0.0:*                           1715/dnsmasq
    udp        0      0 0.0.0.0:bootps          0.0.0.0:*                           1715/dnsmasq
    udp        0      0 0.0.0.0:1900            0.0.0.0:*                           1308/miniupnpd
    udp        0      0 0.0.0.0:51820           0.0.0.0:*                           -
    udp        0      0 LEDE.lan:5351           0.0.0.0:*                           1308/miniupnpd
    udp        0      0 LEDE.lan:51439          0.0.0.0:*                           1308/miniupnpd
    udp        0      0 :::dhcpv6-client        :::*                                1251/odhcp6c
    udp        0      0 :::dhcpv6-server        :::*                                837/odhcpd
    udp        0      0 :::domain               :::*                                1715/dnsmasq
    udp        0      0 :::1900                 :::*                                1308/miniupnpd
    udp        0      0 :::51820                :::*                                -
    udp        0      0 :::36734                :::*                                1308/miniupnpd
    udp        0      0 :::5351                 :::*                                1308/miniupnpd
    raw   164896      0 0.0.0.0:2               0.0.0.0:*               2           10167/igmpproxy
    raw        0      0 0.0.0.0:2               0.0.0.0:*               2           10167/igmpproxy
    raw        0      0 ::%1:58                 ::%4443948:*            58          1251/odhcp6c
    raw        0      0 ::%1:58                 ::%4443948:*            58          837/odhcpd
    raw        0      0 ::%1:58                 ::%4443948:*            58          837/odhcpd
    Active UNIX domain sockets (only servers)
    Proto RefCnt Flags       Type       State         I-Node PID/Program name    Path
    unix  2      [ ACC ]     STREAM     LISTENING         75 501/ubusd           /var/run/ubus.sock

lleachii · March 23, 2018, 6:47pm

That looks right, this is my configs:

raw 164224 0 0.0.0.0:2 0.0.0.0:* 2 3905/igmpproxy
raw 0 0 0.0.0.0:2 0.0.0.0:* 2 3905/igmpproxy

config igmpproxy
option quickleave 1

config phyint
option network wan
option direction upstream
list altnet 0.0.0.0/0

config phyint network2
option network network2
option direction downstream

I use the RAW iptable (so that I can also specify the Time-to-Live value); but as you see, it is an INPUT rule:

iptables -t raw -A PREROUTING -i eth0.2 -d 224.0.0.0/4 -m ttl --ttl-lt 7 -j ACCEPT

IGMP (IP Protocol No. 2) is only received on the LAN, no rule needed under normal configs. Just the inbound multicast traffic needs a rule.

Mushoz · March 23, 2018, 8:46pm

What happens if you rename your wan firewall zone to test or something random? Does iptv continue to function as it should?

shm0 · March 23, 2018, 9:13pm

iptables -t raw -A PREROUTING -i eth0.2 -d 224.0.0.0/4 -m ttl --ttl-lt 7 -j ACCEPT

I havent posted his in my thread about vlans and multicast routing.
I asked a question about that weird firewall log.

The problem was i didn't have specified the protocol (udp) in my ttl increase rule.
If you dont specify protocol udp here, also the ttl of the igmp packets gets increased.
I guess that is not wanted x)

lleachii · March 23, 2018, 9:47pm

What you describe would be a bug, have you reported this?
This rule states that any packet with a multicast DST - possessing a ttl of 6 or less should be ACCEPTED.
I noticed that I omitted UDP; but I haven't experienced any issues. Especially since only multicast traffic would reach me anyway.
It may be that igmpproxy adds TTL; I haven't looked at the code. This is done after the packet is received on the router, though.

lleachii · March 24, 2018, 1:52am

OK...I asked:

I asked this because you have multiple processes involved. Simply rebooting after making such changes would be better. I'll be honest, I'm not willing to change working configs to find Easter-Egg-like bugs. I would reboot after making such change to avoid quirks.

A fiancé that can watch her TV is a happy Wife...so...what about the "stutter?"

(If it ain't broke...don't fix it.)

Also, I cannot change my IPTV zone as you describe, I stated:

I should note, I use their device to bridge to IP, but my OpenWRT is the border device for Internet, hence why I need igmpproxy.

johnnysl · March 24, 2018, 11:53am

Based on your description it seems you are running KPN FTTH.
i'll give you a quick config dump of my setup so you can compare:

relevant interface in /etc/config/network:

<snip>
config interface 'IPTV_WAN'
        option proto 'dhcp'
        option ifname 'eth0.4'
        option delegate '0'
        option defaultroute '0'
        option peerdns '0'
        option vendorid 'IPTV_RG'
</snip>

relevant route added to the config (again in /etc/config/network):

config route
        option interface 'IPTV_WAN'
        option target '213.75.112.0/21'
        option gateway '10.202.96.1'  <- this changes per geo location you are situated, just check what gateway you get on your iptv vlan, and adjust accordingly. apparently the IPTV dhcp server can dynamically push this route to you as well, but i never bothered to figure out how to set that up.

/etc/config/igmpproxy setup

config igmpproxy
        option quickleave 1
#       option verbose [0-2]

config phyint IPTV_WAN
        option network IPTV_WAN
        option direction upstream
        list altnet 192.168.1.0/24   <- your internal network
        list altnet 213.75.0.0/16    <- this network needs to be routed over vlan 4

config phyint lan
        option network lan
        option direction downstream

Mushoz · March 24, 2018, 11:55am

I am indeed Good spot! Mind sharing your firewall config as well? Are you getting any weird igmpproxy messages in your logs?

Edit: The ip mroute command on your router while iptv is running would be amazing as well. Curious how your multicast routes look according to that.

johnnysl · March 24, 2018, 12:04pm

firewall config:

config zone
        option name 'IPTV_WAN'
        option input 'ACCEPT'
        option forward 'REJECT'
        option output 'ACCEPT'
        option network 'IPTV_WAN'
        option masq '1'

config forwarding
    option dest 'IPTV_WAN'
    option src 'lan'

config rule
    option name 'Allow-IGMP-Proxy'
    option proto 'udp'
    option family 'ipv4'
    option target 'ACCEPT'
    option dest_ip '224.0.0.0/4'
    option dest 'lan'
    option src 'IPTV_WAN'

errors in the log:
just the occasional error, but no flooding. TV is used daily

logread | grep igmp
Mon Mar 19 06:47:52 2018 user.warn igmpproxy[17518]: No interfaces found for source 169.254.92.109
Mon Mar 19 06:47:52 2018 user.warn igmpproxy[17518]: No interfaces found for source 169.254.92.109
Mon Mar 19 11:57:18 2018 user.warn igmpproxy[17518]: MRT_DEL_MFC; Errno(2): No such file or directory
Mon Mar 19 18:24:48 2018 user.warn igmpproxy[17518]: MRT_DEL_MFC; Errno(2): No such file or directory
Tue Mar 20 17:28:08 2018 user.warn igmpproxy[17518]: MRT_DEL_MFC; Errno(2): No such file or directory
Thu Mar 22 13:06:17 2018 user.warn igmpproxy[17518]: No interfaces found for source 169.254.48.125
Thu Mar 22 13:07:41 2018 user.warn igmpproxy[17518]: No interfaces found for source 169.254.48.125
Thu Mar 22 21:26:53 2018 user.warn igmpproxy[17518]: MRT_DEL_MFC; Errno(2): No such file or directory
Fri Mar 23 08:54:13 2018 user.warn igmpproxy[17518]: No interfaces found for source 169.254.138.97
Fri Mar 23 08:54:13 2018 user.warn igmpproxy[17518]: No interfaces found for source 169.254.138.97
Fri Mar 23 08:54:13 2018 user.warn igmpproxy[17518]: No interfaces found for source 169.254.138.97

ip mroute:
doesn't seem to be a valid command?

# ip mroute
(192.168.1.181, 239.255.255.250) Iif: eth0.4     Oifs: br-lan  State: resolved
(192.168.1.169, 239.255.255.250) Iif: eth0.4     Oifs: br-lan  State: resolved
(192.168.1.152, 239.255.255.250) Iif: eth0.4     Oifs: br-lan  State: resolved
(192.168.1.101, 239.255.255.250) Iif: eth0.4     Oifs: br-lan  State: resolved
(192.168.1.135, 239.255.255.250) Iif: eth0.4     Oifs: br-lan  State: resolved
(213.75.167.58, 224.3.2.6)       Iif: eth0.4     Oifs: br-lan  State: resolved
(213.75.167.22, 224.0.251.106)   Iif: eth0.4     Oifs: br-lan  State: resolved

Mushoz · March 24, 2018, 12:13pm

Now I am confused. I've read multiple guides, including the OpenWRT wiki and they all use a FORWARD rule, the same thing as you are using and the previous version I was using. However, @lleachii explicitly states this should be an INPUT rule since the igmpproxy daemon is running on the router itself, which makes sense. Did you follow one of those guides that I read as well and hence you are using a FORWARD rule? Or do you have a particular reason for using this?

Any particular reason for defining this static route? With the way your firewall is configured this shouldn't be required, correct?

Getting those as well. Really annoying for my OCD, but they seem harmless.

Adding the following line to your upstream igmpproxy configuration should fix these errors:
list altnet 169.254.0.0/16
Make sure you run /etc/init.d/igmpproxy restart to apply the changes

Weird, mine works fine:

root@LEDE:~# ip mroute
(213.75.167.14, 224.0.251.15)    Iif: eth0.4     Oifs: br-lan 
(213.75.167.58, 224.3.2.6)       Iif: eth0.4     Oifs: br-lan 
(192.168.1.153, 239.255.255.250) Iif: eth0.4     Oifs: br-lan 
(192.168.1.210, 239.255.255.250) Iif: eth0.4     Oifs: br-lan 
(192.168.1.144, 239.255.255.250) Iif: eth0.4     Oifs: br-lan 
(192.168.1.232, 239.255.255.250) Iif: eth0.4     Oifs: br-lan 
(192.168.1.203, 239.255.255.250) Iif: eth0.4     Oifs: br-lan 
(192.168.1.187, 239.255.255.250) Iif: eth0.4     Oifs: br-lan

johnnysl · March 24, 2018, 12:16pm

mroute: I had to install the full IP package to get it working. have it working now. updated my previous post.
169.x.x.x: i can't be bothered with this they are seldom and it's cosmetic
firewall: simply using this because it works. has worked fine for the last 3 years, so why change?

what exactly is your issue

Mushoz · March 24, 2018, 12:17pm

Consider changing the input rule to REJECT by the way. With your current configuration, you are ACCEPTing any packets coming from the IPTV_WAN interface to your router. While probably fine, you are relying on your ISP having everything in order. I prefer to only let packets reach my router that I want it to receive via INPUT rules.