IGMP, VLANS, pfSense 2.3.2, IPTV, FTTH

kolpinkb

Just noticed under known regressions for pfSense 2.3.2 (https://blog.pfsense.org/?cat=53) that IGMP proxy might not be working correctly with VLANS.

Just wondering if this will interfere with users attempting to bypass routers typically distributed to customers with IPTV and FTTH.  A user on dslreports.com who is a customer at Bell in Canada has manged to take the Ethernet feed from the ONT (optical network terminal) and feed it directly into his pfSense router. (https://forum.pfsense.org/index.php?topic=87738.75)  The STBs are working correctly once the appropriate VLANS and IGMP proxy settings are provisioned in pfSense.

It's mentioned in the pfSense 2.3.2 that this feature is little used and might not get that much attention in the near future.  However, this is an extremely useful because most wirelessrouters/homehubs supplied by ISPs are junk.  Can anyone comment on whether or not bug 6099 wil cause problems for users subscribed to IPTV services via FTTH?

froussy

It was working fine with 2.2.6… but on 2.3.2, iptv with bell not working anymore :(

singerie

for me it's a major regression :(

shaqan

you don't REALLY need IGMP proxy for IPTV. First create separate network interface from whatever VLAN is carrying necessary IPTV signals.  (Interface assignments, VLANs). Parent interface is whatever is providing WAN.

Let's name it IPTV_IN. Then assign name IPTV_OUT on real physical until now unused network card in pfSense machine. Do not assign any IP/DHCP on them. Create bridge now using both IPTV_IN and IPTV_OUT and for bridge interface, rename it IPTV_BRIDGE then set it's IP configuration "DHCP".

Now, use interface grouping to group together IPTV_IN, IPTV_OUT, IPTV_BRIDGE and name it whatever you want. Be it simple IPTV. Then go to firewall rules and allow necessary traffic from interface group tab. Point of grouping interfaces is that it's easier to make rules that affect all component interfaces at once in one place. Firewall rules under interface group tab take precedence over the rules under the tabs of group's component interfaces. Just "allow all from any to any" and start testing. When you get TV working, you can start working on additional, stricter firewall rules.

Particular interfaces are named according to my own habit..

While configuring firewall rules, you need to keep in mind that for passing rules, you have to also go into Advanced settings and tick on "This allows packets with IP options to pass. This is usually only seen with multicast traffic" or your TV is going to remain blank.

singerie

@shaqan:

you don't REALLY need IGMP proxy for IPTV. First create separate network interface from whatever VLAN is carrying necessary IPTV signals.  (Interface assignments, VLANs). Parent interface is whatever is providing WAN.

Let's name it IPTV_IN. Then assign name IPTV_OUT on real physical until now unused network card in pfSense machine. Do not assign any IP/DHCP on them. Create bridge now using both IPTV_IN and IPTV_OUT and for bridge interface, rename it IPTV_BRIDGE then set it's IP configuration "DHCP".

Now, use interface grouping to group together IPTV_IN, IPTV_OUT, IPTV_BRIDGE and name it whatever you want. Be it simple IPTV. Then go to firewall rules and allow necessary traffic from interface group tab. Point of grouping interfaces is that it's easier to make rules that affect all component interfaces at once in one place. Firewall rules under interface group tab take precedence over the rules under the tabs of group's component interfaces. Just "allow all from any to any" and start testing. When you get TV working, you can start working on additional, stricter firewall rules.

Particular interfaces are named according to my own habit..

While configuring firewall rules, you need to keep in mind that for passing rules, you have to also go into Advanced settings and tick on "This allows packets with IP options to pass. This is usually only seen with multicast traffic" or your TV is going to remain blank.

By doing this, the apps in the pvr that use regular internet won't work

shaqan

Can't comment. My ISP provides "Internet services needed by TV or anything connected to it" through IPTV's gateway.. Browse internet through TV settop box or whatever..