2 gescheiden LAN netwerken opzetten met FritzBox 7581 - Netwerken

Vraag

zaterdag 12 oktober 2019 23:03

Acties:

0 Henk 'm!

hans_1990

Topicstarter

Mijn netwerk bestaat momenteel uit een EdgeRouter die achter een FritzBox modem staat. De FritzBox deelt IP adresses uit in de 192.168.178.X range. De EdgeRouter deelt adressen uit op een ander subnet, zodat de apparaten achter de FritzBox niet bij de apparaten achter de EdgeRouter kunnen komen

FritzBox 7581 (modem & router: 192.168.178.1)
D-Link DIR-860L (router incl. WIFi: 192.168.178.2)
> iptv box xs4all
> pc
> printer
EdgerouterX (router: 192.168.178.3, deelt adressen uit met 192.168.1.38-243)
> pc
> UniFi AC LR (standelone mode for WiFi, 192.168.1.2)
> Netgear ProSafe plus switch (GS105Ev2, 192.168.1.3)
>> iptv box xs4all
>> playstation 3
>> IKEA tradfry hub

Kan iemand mij helpen met de firewall regel om de router IPTV van XS4ALL door de firewall te krijgen naar TV achter de EdgeRouter?
Ik heb onderstaande bronnen gebruikt:
https://community.ui.com/...ed-45c6-99d8-d820f01b7f08.
Onderstaand de output van $show ip multicast mfc:

code:

Group           Origin           In          Out                Pkts         Bytes  Wrong                                            
224.3.2.6       213.75.167.58    eth0        switch0            4216        1.46MB      0                                            
239.255.255.250 192.168.1.39     eth0        switch0             599      264.72KB    599         TV1                             
239.255.255.250 192.168.178.1    eth0        switch0              69       14.79KB      0          FritzBox                           
239.255.255.250 192.168.178.25   eth0        switch0             135       58.86KB      0         TV2                            
239.255.255.250 192.168.1.46     eth0        switch0              36       16.78KB     36          Laptop

- Waar ik niet uit kom is welke source en destination adressen/ranges ik moet gebruiken in de "Allow IPTV Multicast UDP" regel.
- Ook twijfel ik aan de alt-subnet van de IGMP snooping, klopt dit?

Zonder adressen in de firewall regel "Allow IPTV Multicast UDP" werkt de TV naar behoren, maar zo geef ik wel heel veel vrij in de firewall.

code:

----------------
Configuration File
----------------
firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow IPTV Multicast UDP"
            destination {
                address ???????????????
            }
            log disable
            protocol udp
            source {
                address ???????????????
            }
        }
        rule 20 {
            action accept
            description "Allow IGMP"
            log disable
            protocol igmp
        }
        rule 30 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 40 {
            action accept
            description "Allow ICMP"
            log disable
            protocol icmp
        }
        rule 50 {
            action drop
            description "Drop invalid state"
            log disable
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow IPTV Multicast UDP"
            destination {
                address ???????????????
            }
            log disable
            protocol udp
            source {
                address ???????????????
            }
        }
        rule 20 {
            action accept
            description "Allow IGMP"
            log disable
            protocol igmp
        }
        rule 30 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 40 {
            action accept
            description "Allow ICMP"
            log disable
            protocol icmp
        }
        rule 50 {
            action drop
            description "Drop invalid state"
            log disable
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address 192.168.178.10/24 ???????????????
        description Internet
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description Local
        duplex auto
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.1.1/24
        description Local
        mtu 1500
        switch-port {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
protocols {
    igmp-proxy {
        interface eth0 {
            alt-subnet 0.0.0.0/0
            role upstream
            threshold 1
        }
        interface eth2 {
            alt-subnet 0.0.0.0/0
            role downstream
            threshold 1
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN {
            authoritative enable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.38 {
                    stop 192.168.1.243
                }
                static-mapping GS105Ev2 {
                    ip-address 192.168.1.3
                    mac-address [REDACTED]
                }
                static-mapping UAP-AC-LR {
                    ip-address 192.168.1.2
                    mac-address [REDACTED]
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            log disable
            outbound-interface eth0
            protocol all
            type masquerade
        }
    }
    unms {
        disable
    }
}
system {
    gateway-address 192.168.178.1 ???????????????
    [REDACTED]
}

[ Voor 104% gewijzigd door hans_1990 op 13-10-2019 20:40 ]

Reageer