[Solved] Firewall rule applied inconsistently
-
Yep, so I have this one on the external interface as well, that should have me covered in both directions shouldn't it?
Ta.
-
… that should have me covered in both directions shouldn't it?
Why do you think so?
It only covers traffic coming in on the IP-TV interface with destination to 224.0.0.0/4
-
Why do you think so?
It only covers traffic coming in on the IP-TV interface with destination to 224.0.0.0/4
Hi! :)
But coupled with the other rule on the LAN with the same parameters they do cover both directions is what I was trying to say. Is that right?
Thanks in advance.
-
Are you generating multicast traffic to 224./4 or do you want to receive and watch it (AKA consume)?
-
Afraid we won't ever learn what's 10.10.10.10, nor what are the IPs on other interfaces. But good that we now have a video and a drawing with ~27 colors, showing inexplicable things like the pinky PPPoE gateway connected to both WAN and some unknown re0 thing which in turn is connected to modem, but that WAN is somewhere behind pfSense or god knows
-
I saw this too late, I'm afraid.
27 colors is next to monochrome. I usually run my shows in 16,7m colors. SCNR
-
Are you generating multicast traffic to 224./4 or do you want to receive and watch it (AKA consume)?
I want to receive it. Well I am receiving it, but only on my external interface, it's not making it to the LAN, which is what I am trying to solve.
Afraid we won't ever learn what's 10.10.10.10, nor what are the IPs on other interfaces. But good that we now have a video and a drawing with ~27 colors, showing inexplicable things like the pinky PPPoE gateway connected to both WAN and some unknown re0 thing which in turn is connected to modem, but that WAN is somewhere behind pfSense or god knows
If you want to know what something is, just ask! 10.10.10.10 is a randomly selected 1918 IP I gave to the IPTV interface, interpreting these instructions. If you read that technical document I linked earlier you'll know that the IPTV streams come to the local cabinet over a dedicated 500mbps link and then the multicast is done from the local cabinet to the CPE.
What the diagram is trying to show is that there are 2 internal "logical" interfaces connected to one physical interface. One of them goes through a PPPoE gateway and serves my broadband connection, the other is just regular IPoE and that is the interface with the random 10.10.10.10. It could be any IP, it doesn't matter, as long as it is private.
I'm sorry the drawing is confusing to you, I made it quick and dirty. I can spend ages drawing a pretty one if you want but I'd hoped it would be useful to get the gist.
EDIT: Do I need udpxy? No, I don't. Thanks! ;)
-
Okedoke, done some more analysis, here's a multicast breakdown per channel:
BT Sport 1          109.59.247.1    > 234.81.131.1
BT Sport Europe     109.155.49.25   > 234.81.131.3
BT Sport 2          109.159.247.1   > 234.81.131.2
BT Sport ESPN       109.159.247.1   > 234.81.130.25
BT Sport 1 HD       109.159.247.1   > 234.81.130.35
BT Sport Europe HD  109.159.247.17  > 234.81.130.40
BT Sport 2 HD       109.159.247.1   > 234.81.130.36
BT Sport ESPN HD    109.159.247.10  > 234.81.130.44
BT Sport X1         109.159.247.26  > 234.81.131.92
BT Sport X2         109.159.247.26  > 234.81.131.93
BT Sport X3         109.159.247.26  > 234.81.131.94
BT Sport X4         109.159.247.26  > 234.81.131.95
BT Sport X5         109.159.247.10  > 234.81.131.96
BT Sport X6         109.159.247.10  > 234.81.131.97
BT Sport X7         109.159.247.10  > 234.81.131.98
BT Sport X1 HD      109.159.247.17  > 234.81.130.85
BT Sport X2 HD      109.159.247.17  > 234.81.130.86
BT Sport X3 HD      109.159.247.17  > 234.81.130.87
BT Sport X4 HD      109.159.247.17  > 234.81.130.88
BT Sport X5 HD      109.159.247.17  > 234.81.130.89
BT Sport X6 HD      109.159.247.17  > 234.81.130.90
BT Sport X7 HD      109.159.247.17  > 234.81.130.84
The spec says that there is failover source for each multicast stream, so it's safe to assume that these source IP addresses are subject to change, but we can glean that 109.159.247.0/24 is probably all channels. Do I need to add these as upstream networks in the IGMP proxy?
Cheers.
-
YES! That did it. ;D The source of the multicast stream also needs to be added as a network along with 224.0.0.0/4 on the upstream in IGMP Proxy.
Thank you for trying to help everybody anyway. ;) The sarcasm kept me motivated. ;D
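
The check below is an added example, not part of any post in this thread: it parses rows in the format of the channel list above, tests a guessed source network against every observed source, and returns the networks to list on the IGMP Proxy upstream interface. The function names and the choice to add uncovered sources as /32 entries are assumptions of the example.

```python
import ipaddress
import re

# Four rows taken from the channel list in this thread, padding spaces included.
SAMPLE = """\
BT Sport Europe 109.155. 49.25 > 234.81.131. 3
BT Sport 2 109.159.247. 1 > 234.81.131. 2
BT Sport ESPN HD 109.159.247.10 > 234.81.130.44
BT Sport X1 109.159.247.26 > 234.81.131.92
"""

MULTICAST = ipaddress.ip_network("224.0.0.0/4")
ADDR = r"\d{1,3}(?:\.\s*\d{1,3}){3}"  # dotted quad, tolerating "247. 1"
ROW = re.compile(rf"^(.*?)\s+({ADDR})\s*>\s*({ADDR})\s*$")


def parse_rows(text):
    """Return a list of (channel, source, group) from 'name src > group' lines."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # not a channel row
        name, src, grp = m.groups()
        rows.append((name.strip(),
                     ipaddress.ip_address("".join(src.split())),
                     ipaddress.ip_address("".join(grp.split()))))
    return rows


def plan_upstream(rows, guessed_sources):
    """Return (networks for the upstream interface, sources the guess missed)."""
    guessed = [ipaddress.ip_network(n) for n in guessed_sources]
    uncovered = {}
    for name, src, grp in rows:
        if grp not in MULTICAST:
            raise ValueError(f"{name}: {grp} is not a multicast group")
        if not any(src in net for net in guessed):
            uncovered.setdefault(src, []).append(name)
    # Assumption: admit each missed source as a single host, not a wider range.
    extra = [ipaddress.ip_network(f"{s}/32") for s in uncovered]
    return [MULTICAST] + list(ipaddress.collapse_addresses(guessed + extra)), uncovered


if __name__ == "__main__":
    nets, missed = plan_upstream(parse_rows(SAMPLE), ["109.159.247.0/24"])
    print("upstream networks:", ", ".join(map(str, nets)))
    for src, names in missed.items():
        print(f"not covered by the guess: {src} ({', '.join(names)})")
```

Run over a full capture, this shows which channels would still be dropped if only the guessed /24 were added next to 224.0.0.0/4.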
-
Good work.
-
@KOM:
Good work.
Our great firewalls, fill the hallowed closets! \m/
I haven't had this good of a fixit high in ages. Better than drugs! Haven't sat down yet. ;D
-
I've been trying to follow these instructions, but when I do a packet capture I don't even see the IGMP traffic being generated.
My pfSense is on a VM (esxi 6) and I have no idea if that could be impacting things?