@biertjuh That does indeed sound like a problem with your IGMP proxy. I had a quick look at your config, and a few small things stand out:
code:
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
ether1-gateway
add add-default-route=special-classless default-route-distance=254 \
dhcp-options=option60-vendorclass,hostname,clientid disabled=no \
interface=vlan1.4 use-peer-dns=no use-peer-ntp=no
Why are you still running a DHCP client on ether1? You get your external IP via your PPPoE connection.
code:
/ip firewall filter
add action=accept chain=input dst-address=224.0.0.0/8 protocol=igmp
add chain=input in-interface=vlan1.4 protocol=igmp
add chain=input in-interface=vlan1.4 protocol=udp
add chain=forward in-interface=vlan1.4 protocol=udp
add action=accept chain=forward dst-address=224.0.0.0/4 protocol=udp
As far as I know you don't need to allow these explicitly in your firewall. It can potentially let unwanted traffic onto your network.
code:
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat dst-address=10.142.64.0/18 out-interface=\
vlan1.4
add action=masquerade chain=srcnat dst-address=213.75.112.0/21 out-interface=\
vlan1.4
add action=masquerade chain=srcnat dst-address=217.166.0.0/16 out-interface=\
vlan1.4
It's tidy to masquerade all 3 subnets. In my own experience I only ever see packets going over the second one, so I removed the first and third.
code:
/routing igmp-proxy interface
add alternative-subnets=10.142.64.0/18,213.75.0.0/16,217.166.0.0/16 \
interface=vlan1.4 upstream=yes
add interface=bridge
I notice that the upstream subnets aren't the same for everyone. What you could do is allow all upstream multicast by creating 0.0.0.0/0 as the upstream. Your IPTV should work then. After that I would look in the MFC to see which sources are actually being used for the IPTV streams.
Do you also have switches behind your Mikrotik that might be doing IGMP snooping? TP-Link switches in particular supposedly don't implement IGMP snooping cleanly, which could cause problems.
Finally, as requested, my config (minus some personal settings such as VPN/IPSec tunnels).
My config is slightly different in a few places:
- I have my fibre plugged directly into my Mikrotik via SFP
- I have routed IPTV on a separate subnet (192.168.30.0/24), which goes back onto my network via VLAN 10. I have switches that strip that VLAN off again before presenting it to the STBs.
- I only hand out the extra IPTV DHCP options to the STBs, instead of to all devices
- I have separated IPTV and LAN from each other using firewall rules
- I also have IPv6 running in my LAN, but not on the IPTV network.
code:
# jan/21/2019 08:20:09 by RouterOS 6.43.8
# software id = LVUE-83ZI
#
# model = 2011UiAS
# serial number = 6088058AXXXX
/interface bridge
add igmp-snooping=yes name=bridge-IPTV
add admin-mac=E4:8D:8C:29:XX:XX arp=proxy-arp auto-mac=no name=\
bridge-LAN-WLAN
/interface ethernet
set [ find default-name=ether1 ] name=ether1-downstream-core speed=100Mbps
set [ find default-name=ether2 ] name=ether2-zolder speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether7 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=sfp1 ] auto-negotiation=no name=sfp1-gateway
/interface vlan
add interface=sfp1-gateway name=vlan4-xs4all-iptv vlan-id=4
add arp=disabled interface=sfp1-gateway mtu=1594 name=vlan6-xs4all-internet \
vlan-id=6
add interface=ether1-downstream-core name=vlan10-IPTV-intern vlan-id=10
/interface pppoe-client
add add-default-route=yes allow=pap,mschap2 disabled=no interface=\
vlan6-xs4all-internet keepalive-timeout=disabled max-mru=1500 max-mtu=\
1500 name=pppoe-xs4all-inet password=mikrotik user=mikrotik
/interface list
add name=mactel
add name=mac-winbox
add exclude=dynamic name=discover
/ip dhcp-client option
add code=60 name=option60-vendorclass value="'IPTV_RG'"
/ip dhcp-server option
add code=60 name=option60-vendorclass value="'IPTV_RG'"
add code=28 name=option28-broadcast value="'192.168.30.255'"
/ip dhcp-server option sets
add name=IPTV options=option60-vendorclass,option28-broadcast
/ip pool
add name=DHCP-LAN ranges=192.168.25.100-192.168.25.200
add name=DHCP-VPN ranges=192.168.25.210-192.168.25.220
add name=DHCP-IPTV ranges=192.168.30.50-192.168.30.100
/ip dhcp-server
add address-pool=DHCP-LAN authoritative=after-2sec-delay disabled=no \
interface=bridge-LAN-WLAN lease-time=1h name=DHCP-LAN
add address-pool=DHCP-IPTV disabled=no interface=bridge-IPTV lease-time=1h \
name=DHCP-IPTV
/ppp profile
set *FFFFFFFE change-tcp-mss=default local-address=DHCP-VPN remote-address=\
DHCP-VPN use-ipv6=no
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge-IPTV interface=ether6
add bridge=bridge-LAN-WLAN interface=ether2-zolder
add bridge=bridge-LAN-WLAN interface=ether3
add bridge=bridge-IPTV interface=ether7
add bridge=bridge-IPTV interface=ether8
add bridge=bridge-IPTV interface=ether9
add bridge=bridge-IPTV interface=ether10
add bridge=bridge-LAN-WLAN interface=ether1-downstream-core
add bridge=bridge-LAN-WLAN interface=ether4
add bridge=bridge-LAN-WLAN interface=ether5
add bridge=bridge-IPTV interface=vlan10-IPTV-intern
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=ether1-downstream-core list=mactel
add interface=ether2-zolder list=mactel
add interface=ether1-downstream-core list=mac-winbox
add interface=ether2-zolder list=mac-winbox
add interface=ether1-downstream-core list=discover
add interface=ether2-zolder list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6 list=discover
add interface=ether7 list=discover
add interface=ether8 list=discover
add interface=ether9 list=discover
add interface=ether10 list=discover
add interface=bridge-LAN-WLAN list=discover
add list=discover
add list=discover
add list=discover
/ip address
add address=192.168.25.1/24 comment=defconf interface=ether2-zolder network=\
192.168.25.0
add address=192.168.30.1/24 interface=ether6 network=192.168.30.0
/ip dhcp-client
add add-default-route=special-classless default-route-distance=254 \
dhcp-options=option60-vendorclass,hostname,clientid disabled=no \
interface=vlan4-xs4all-iptv use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
# I removed a whole bunch of static leases on my internal network
add address=192.168.30.10 comment="IPTV beneden" dhcp-option-set=IPTV \
mac-address=50:7E:5D:C6:XX:XX server=DHCP-IPTV
add address=192.168.30.11 comment="IPTV boven" dhcp-option-set=IPTV \
mac-address=50:7E:5D:C6:XX:XX server=DHCP-IPTV
/ip dhcp-server network
add address=192.168.25.0/24 comment=defconf dns-server=192.168.25.20 gateway=\
192.168.25.1 netmask=24
add address=192.168.30.0/24 dns-server=194.109.6.66,194.109.9.99 gateway=\
192.168.30.1
/ip dns
set allow-remote-requests=yes servers=\
192.168.25.20,208.67.220.200,208.67.222.222
/ip dns static
add address=192.168.25.1 name=router
/ip firewall filter
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment="Allow established/related connections" \
connection-state=established,related
add action=accept chain=input comment="IPSec tunnel" dst-port=\
1701,500,4500 protocol=udp
add action=accept chain=input comment="IPSec tunnel" protocol=\
ipsec-esp
add action=accept chain=input comment="Winbox over ipsec tunnel" dst-port=\
8291 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=input comment="SSH over ipsec tunnel" dst-port=22 \
protocol=tcp src-address=192.168.1.0/24
add action=drop chain=input comment="Drop invalid packets" connection-state=\
invalid
add action=drop chain=input in-interface=pppoe-xs4all-inet
add action=drop chain=input in-interface=vlan6-xs4all-internet
add action=drop chain=input disabled=yes in-interface=ether1-downstream-core
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="Blokkeer verkeer van LAN --> IPTV" \
dst-address=192.168.30.0/24 src-address=192.168.25.0/24
add action=drop chain=forward comment="Blokkeer IPTV --> LAN" dst-address=\
192.168.25.0/24 src-address=192.168.30.0/24
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=pppoe-xs4all-inet
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=\
192.168.25.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=pppoe-xs4all-inet
add action=masquerade chain=srcnat dst-address=213.75.112.0/21 log=yes \
out-interface=vlan4-xs4all-iptv
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.1.0/24 src-address=\
192.168.25.0/24
add action=notrack chain=prerouting dst-address=192.168.25.0/24 src-address=\
192.168.1.0/24
/ip upnp interfaces
add interface=bridge-LAN-WLAN type=internal
add interface=pppoe-xs4all-inet type=external
/ipv6 address
add address=::e68d:8cff:fe29:XXXX eui-64=yes from-pool=xs4all-v6prefix \
interface=bridge-LAN-WLAN
/ipv6 dhcp-client
add interface=pppoe-xs4all-inet pool-name=xs4all-v6prefix request=prefix \
use-peer-dns=no
/ipv6 firewall filter
add action=accept chain=input comment="Allow ICMP" protocol=icmpv6
add action=accept chain=input comment="Allow established/related connections" \
connection-state=established,related
add action=accept chain=input comment="Allow NTP XS4ALL ntp-service" \
dst-port=123 limit=10,5:packet protocol=udp
add chain=input comment="DHCPv6-prefix ontvangen van XS4ALL" dst-port=546 \
protocol=udp src-address=fe80::/10
add action=drop chain=input comment="Drop invalid packets" connection-state=\
invalid
add action=accept chain=input comment="Allow local network" in-interface=\
bridge-LAN-WLAN
add action=accept chain=input comment="Allow SSH to router" disabled=yes \
dst-port=22 protocol=tcp
add action=drop chain=input comment="Reject TCP connections by default" \
protocol=tcp
add action=drop chain=input comment="Reject other protocols by default"
add action=drop chain=input in-interface=pppoe-xs4all-inet
add action=drop chain=input in-interface=vlan6-xs4all-internet
add action=drop chain=input disabled=yes in-interface=ether1-downstream-core
add action=accept chain=forward comment="Allow ICMP" protocol=icmpv6
add action=accept chain=forward comment=\
"Allow established/related connections" connection-state=\
established,related
add action=drop chain=forward comment="Drop invalid packets" \
connection-state=invalid
add action=accept chain=forward comment="Allow any to internet" \
out-interface=pppoe-xs4all-inet
add action=accept chain=forward comment="Allow SSH to any machine" disabled=\
yes dst-port=22 protocol=tcp
add action=drop chain=forward comment="Reject TCP connections by default" \
protocol=tcp
add action=drop chain=forward comment="Reject other protocols by default"
add action=drop chain=forward connection-state=invalid
/lcd
set backlight-timeout=never default-screen=stats
/routing igmp-proxy
set quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets=217.166.0.0/16,213.75.160.0/19 interface=\
vlan4-xs4all-iptv upstream=yes
add interface=bridge-IPTV
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Amsterdam
/system logging
add action=email prefix=MikroTik topics=critical
add disabled=yes topics=ipsec,!debug
add disabled=yes topics=debug
add disabled=yes topics=igmp-proxy
/system ntp client
set enabled=yes primary-ntp=194.109.6.2 secondary-ntp=194.109.6.22
/tool graphing interface
add
add interface=vlan6-xs4all-internet
add interface=ether1-downstream-core
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
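To go with the "allow 0.0.0.0/0 upstream first, then check the MFC" advice above: an added Python example (not part of this post or either config) that compares the configured alternative-subnets with the multicast sources actually seen in the MFC, and reports which subnets are in use, which are dead weight, and which sources are not covered at all. The MFC sample lines are constructed, and their key=value layout is an assumption made for parsing.

```python
import ipaddress
import re

# Constructed samples (not captured router output). The key=value layout of
# the MFC lines is an assumption made for parsing; real output may differ.
OP_UPSTREAM = ("add alternative-subnets=10.142.64.0/18,213.75.0.0/16,217.166.0.0/16 "
               "interface=vlan1.4 upstream=yes")
MY_UPSTREAM = ("add alternative-subnets=217.166.0.0/16,213.75.160.0/19 "
               "interface=vlan4-xs4all-iptv upstream=yes")
MFC_SAMPLE = """\
group=239.0.0.1 source=213.75.167.10 upstream-interface=vlan1.4
group=239.0.0.2 source=213.75.167.11 upstream-interface=vlan1.4
group=239.0.1.5 source=213.75.112.5 upstream-interface=vlan1.4
"""

def parse_kv(line):
    """Turn 'a=b c=d' into a dict; RouterOS export lines use this shape."""
    return dict(re.findall(r"([\w-]+)=(\S+)", line))

def alternative_subnets(entry):
    return [ipaddress.ip_network(s)
            for s in parse_kv(entry)["alternative-subnets"].split(",")]

def mfc_sources(mfc_text):
    """Distinct multicast source addresses seen in the forwarding cache."""
    return sorted({ipaddress.ip_address(parse_kv(l)["source"])
                   for l in mfc_text.splitlines() if l.strip()})

def audit(entry, mfc_text):
    """Compare configured alternative-subnets with the sources actually in use."""
    subnets = alternative_subnets(entry)
    sources = mfc_sources(mfc_text)
    used = [str(n) for n in subnets if any(s in n for s in sources)]
    unused = [str(n) for n in subnets if not any(s in n for s in sources)]
    uncovered = [str(s) for s in sources if not any(s in n for n in subnets)]
    # Heuristic (an assumption, not a rule): cover a stray source with its /24
    # as a starting point and widen only if the MFC later shows neighbours.
    proposed = sorted({str(ipaddress.ip_network(f"{s}/24", strict=False))
                       for s in uncovered})
    return {"used": used, "unused": unused, "uncovered": uncovered, "proposed": proposed}

def narrowed_command(entry, mfc_text):
    """RouterOS line that keeps only the subnets the MFC shows are needed."""
    r = audit(entry, mfc_text)
    keep = ",".join(r["used"] + r["proposed"])
    return f"/routing igmp-proxy interface set [find upstream=yes] alternative-subnets={keep}"

if __name__ == "__main__":
    for name, entry in (("OP", OP_UPSTREAM), ("mine", MY_UPSTREAM)):
        print(name, audit(entry, MFC_SAMPLE))
        print(narrowed_command(entry, MFC_SAMPLE))
```

Run against the OP's entry it confirms the "only the second subnet sees traffic" observation; run against my own it flags 213.75.112.5 as a source my narrower /19 would not have covered.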