23.01.b.20230106.0600 IGMP proxy stops TV stream
-
@stephenw10 OK, thank you!
-
@haraldinho Pausing live TV started working after several reboots. That was all :). I followed the instruction of Github "Eigen router":
https://github.com/Eigenrouter/eigenrouter/blob/main/guides/pfsense/KPN/pfSense-with-vlan.md
I recently learned that 0.0.0.0/0 for upstream IGMP suffices; I changed that after live pausing was working. Pausing recorded programs still not working. The player counts the time backwards, picture freezes, and that's it!
I guess I have to live with it?
-
@michiel But please see comment of Haraldinho... seems that there is still a bug with pfsenseplus on Netgate and pausing recorded programs. I just got confirmation of other KPN customers - with self build routers with pfsense - they do not have that problem. So, can you please look into this and come up with a solution?
-
@michiel there is no bug in the IGMP proxy. That proces is just stupid forwarding MC traffic.
Do you provide KPN DNS servers to your STB?
It could be the cause we are missing some configuration parts? The TV config is somehow reversed engineered over the years.
I’m also a KPN customer could you explain me in Dutch what you experience? I don’t have the recording subscription. Is the behavior different when you use the provider modem? Could you test that for us and report back?
If I know what you see I can try to rebuild it over here an capture the network traffic.
VIP5202 or KPN+ STB?
-
@thebear Hi, dank voor je hulp alvast. Ik heb de VIP5202 en heb IPTV opgezet via VLAN. Bij de DHCP settings van de de VLAN heb ik DNS 195.121.1.34 en 195.121.1.66 opgenomen.
De Fritzbox heb ik losgekoppeld, het probleem had ik daarmee niet.
-
@michiel and only with recorded programs? Not the paused programs?
-
@thebear Ja, dat klopt. In eerste instantie ook met live TV, maar nu alleen met opgenomen programma's... Kan ik een log raadplegen en hier posten?
-
@michiel nee dat is te complex als je niet zelf de TV beidend. Ik wil wel 1 poging doen, dan moet je een packetcapture maken op de VLAN interface waar je TV op kijkt. Full aanvinken en Count op 0 en dan de juiste TV interface selecteren.
Daarna kan je die file delen met mij, niet te lang wachten met zappen want het wordt dan een (te) groot bestand.
Net getest en als ik live tv pauzeer dan druk ik op play, en dan start hij na een seconden of 6 foutloos.
Je kan ook nog in je firewall logs kijken of daar iets wordt geblokkeerd vanuit de source interface van je TV interface.
-
@michiel I dove into the issue and I think I might have found a solution.
These are my adjusted mappings under NAT --> Outbound based on the blogpost I found from the travelling tech guy, where his NAT rules were different than mine.
https://travellingtechguy.blog/using-your-own-pfsense-router-with-kpn-fiber-and-kpn-itv/
Initially I had only the bottom mapping. I disabled it, and replaced them with the three topmost rules based on the blog post. Until now this seems to have fixed the issue for me, but I need some more testing. Can't do too much testing now as the Misses is also watching tv with me
.Obviously you should replace 192.168.70.0/24 with your specific subnet.
-
@haraldinho indeed the NAT is wrong in the first guide, that's what I mentioned with reversed engineered...everyone is making a guide for the clickbait with good intentions.
Still the second guide is not 100% correct, in that guide are the commonly used proxy upstream address used in the NAT config. The correct configuration for the proxy is the one from the first guide (in fact 0.0.0.0/0 splitter over two subnets).
The correct NAT rule is the one below, you only need to NAT the traffic to the route you receive from the DHCP advertisement from KPN. And that's a single subnet.
With these both configuration parts you are more persistent to future changes from the ISP side.
-
@haraldinho Thank you for diving into this. I added these rules to NAT --> Outbound, but still have the same issue. So I tried the option of @thebear but also that is not working. Live TV pauses and restarts. Recorded programs don't.
I do see these entries in my logging....
-
-
Now what I did not do yesterday evening because the family was watching tv, I did do this morning: reboot the firewall. But first I changed my settings to those of @thebear from his previous post. And guess what: it appears to work now. I did three tests: pause 5 seconds, pause 5 minutes and pause for 10 minutes. All successfully restarted the recorded stream. @michiel did you do a reboot after changing your settings and if not, can you try that?
-
Found some more evidence of what went wrong in the firewall logs:
I rebooted my device around 11:21. Before the reboot, you see that some address in the 213.75.112.x range is getting blocked. After the reboot, this block does not appear anymore. I was doing my testing after this period.
Unfortunately and in all honesty, I don't fully grasp all the settings that are required for IPTV, but it appears that the changes I made based on @thebear's settings made a change after the reboot.
I wonder though what the https request are that the box is trying to do and that get blocked... What functionality does this block? Anybody any clue?
-
Ok, pasting 45.57.40.1:443 into a browser leads to a site with a blocked Netflix certificate. So that gives some idea into what the box tries to do. The other IP, 52.19.109.21:443 does not reveal any information as far as I can see.
-
@haraldinho I did several reboots. I noticed earlier that reboots help in applying the firewall rules. I think (not sure) that is has to do with the stating tables?
However, reboot did not solve it. I just applied the exact same settings as @thebear and will reboot later this day. Kids are online now :).You did change the IP addresses to your own VLAN? So where the bear says 127*, you are using 192* in outbound rules and downstream proxy?
-
Can you guys build the firewall rules like this:
IPTV_WAN
IPTV_LAN
The screenshot showing that regular internet traffic is blocked, so also your DNS and TCP traffic which is needed to communicate with the streaming platform.
-
@michiel said in 23.01.b.20230106.0600 IGMP proxy stops TV stream:
@haraldinho I did several reboots. I noticed earlier that reboots help in applying the firewall rules. I think (not sure) that is has to do with the stating tables?
You can press the X next to a FW rule, to release the current state and rebuild the traffic without a reboot.
-
@haraldinho said in 23.01.b.20230106.0600 IGMP proxy stops TV stream:
Ok, pasting 45.57.40.1:443 into a browser leads to a site with a blocked Netflix certificate. So that gives some idea into what the box tries to do. The other IP, 52.19.109.21:443 does not reveal any information as far as I can see.
Indeed see my post above where I ask you to use my FW rules and delete all other rules for these two interfaces. You are blocking too much traffic which causes different issues. NTP, DNS issues but also proven by the logs that Netflix traffic is denied.
-
@thebear @haraldinho
It seems I got it to work; both live TV and recordings can be paused now! See the screenshots of my settings. I will keep these settings, and see if they remain working :).I disabled the rule in IPTV VLAN to LAN net. Can I put that back, and only grant access to "This firewall" and ports 53 (DNS) and 123 (NTP)?
