Issues with IPTV and IGMP proxy.
Hi all,
Sorry in advance for the long post.
I am having some issues with routed IPTV on pfSense.
I am running pfSense on ESXi 7.0 with a single NIC; I have set up a promiscuous trunk between a Cisco 3560CX and the ESXi host.
My ISP is routing TV over VLAN 101 (WANIPTV), and I want to separate IPTV from the rest of my network, thus I have created IPTV_INSIDE (VLAN 90).
I have created the WANIPTV interface with DHCP, dhcp-class-identifier, subnet-mask, routers, broadcast-address and classless-routes. This gives me an IP and routes, so clearly that is working:

    [2.4.5-RELEASE][admin@pfSense.localdomain]/var/etc: netstat -nr | grep 10.194.
    10.133.0.0/16        10.194.4.1    UGS    vmx0.101
    10.194.4.0/23        link#8        U      vmx0.101
    10.194.4.126         link#8        UHS    lo0
    81.166.112.0/29      10.194.4.1    UGS    vmx0.101
    81.166.113.0/24      10.194.4.1    UGS    vmx0.101
    84.234.204.0/23      10.194.4.1    UGS    vmx0.101
    84.234.250.128/25    10.194.4.1    UGS    vmx0.101
    109.247.114.207/32   10.194.4.1    UGS    vmx0.101
    109.247.114.209/32   10.194.4.1    UGS    vmx0.101
    109.247.114.217/32   10.194.4.1    UGS    vmx0.101
    109.247.116.128/27   10.194.4.1    UGS    vmx0.101
    109.247.117.0/25     10.194.4.1    UGS    vmx0.101
    109.247.118.0/24     10.194.4.1    UGS    vmx0.101
    172.16.4.0/22        10.194.4.1    UGS    vmx0.101
    172.21.0.0/16        10.194.4.1    UGS    vmx0.101
    213.167.98.0/26      10.194.4.1    UGS    vmx0.101

IPTV_INSIDE is created as a simple VLAN with a DHCP server running on pfSense (192.168.90.0/24). I can see the STB getting an IP from pfSense.
IGMP Proxy config:

    [2.4.5-RELEASE][admin@pfSense.localdomain]/var/etc: cat igmpproxy.conf
    ##------------------------------------------------------
    ## Enable Quickleave mode (Sends Leave instantly)
    ##------------------------------------------------------
    quickleave
    phyint vmx0.101 upstream ratelimit 0 threshold 1
    altnet 10.133.0.0/16
    altnet 172.21.0.0/16
    phyint vmx0.90 downstream ratelimit 0 threshold 1
    phyint vmx0.102 disabled
    phyint vmx0 disabled
    phyint vmx0.99 disabled
    phyint vmx0.98 disabled

In the pftop view I see a lot of NO_TRAFFIC:SINGLE. Shouldn't I see ESTABLISHED or something in that manner? I am unsure what this means, or why I am seeing NO_TRAFFIC:SINGLE.

    pfTop: Up State 1-44/49 (199), View: default, Order: none, Cache: 10000        02:06:12

    PR    DIR  SRC                  DEST               STATE              AGE       EXP       PKTS  BYTES
    igmp  In   192.168.90.2:0       239.193.4.179:0    NO_TRAFFIC:SINGLE  00:33:57  00:00:11   175   5600
    udp   In   192.168.90.2:26791   109.247.114.4:53   NO_TRAFFIC:SINGLE  00:00:45  00:00:00     2    156
    udp   Out  192.168.90.2:26791   109.247.114.4:53   SINGLE:NO_TRAFFIC  00:00:45  00:00:00     2    156
    udp   In   192.168.90.2:53731   92.220.228.70:53   NO_TRAFFIC:SINGLE  00:00:44  00:00:00     2    194
    udp   Out  192.168.90.2:53731   92.220.228.70:53   SINGLE:NO_TRAFFIC  00:00:44  00:00:00     2    194
    udp   In   192.168.90.2:46936   92.220.228.70:53   NO_TRAFFIC:SINGLE  00:00:44  00:00:00     2    140
    udp   Out  192.168.90.2:46936   92.220.228.70:53   SINGLE:NO_TRAFFIC  00:00:44  00:00:00     2    140
    udp   In   192.168.90.2:51046   92.220.228.70:53   NO_TRAFFIC:SINGLE  00:00:44  00:00:00     2    170
    udp   Out  192.168.90.2:51046   92.220.228.70:53   SINGLE:NO_TRAFFIC  00:00:44  00:00:00     2    170
    udp   In   192.168.90.2:38139   109.247.114.4:53   NO_TRAFFIC:SINGLE  00:00:39  00:00:01     2    194
    udp   Out  192.168.90.2:38139   109.247.114.4:53   SINGLE:NO_TRAFFIC  00:00:39  00:00:01     2    194
    udp   In   192.168.90.2:46704   109.247.114.4:53   NO_TRAFFIC:SINGLE  00:00:39  00:00:01     2    170
    udp   Out  192.168.90.2:46704   109.247.114.4:53   SINGLE:NO_TRAFFIC  00:00:39  00:00:01     2    170
    udp   In   192.168.90.2:64859   109.247.114.4:53   NO_TRAFFIC:SINGLE  00:00:39  00:00:01     2    140
    udp   Out  192.168.90.2:64859   109.247.114.4:53   SINGLE:NO_TRAFFIC  00:00:39  00:00:01     2    140
    udp   In   192.168.90.2:65162   92.220.228.70:53   NO_TRAFFIC:SINGLE  00:00:34  00:00:06     2    180
    udp   Out  192.168.90.2:65162   92.220.228.70:53   SINGLE:NO_TRAFFIC  00:00:34  00:00:06     2    180
    udp   In   192.168.90.2:53459   92.220.228.70:53   NO_TRAFFIC:SINGLE  00:00:34  00:00:06     2    204
    udp   Out  192.168.90.2:53459   92.220.228.70:53   SINGLE:NO_TRAFFIC  00:00:34  00:00:06     2    204
    udp   In   192.168.90.2:51847   92.220.228.70:53   NO_TRAFFIC:SINGLE  00:00:30  00:00:10     2    180
    udp   Out  192.168.90.2:51847   92.220.228.70:53   SINGLE:NO_TRAFFIC  00:00:30  00:00:10     2    180
    udp   In   192.168.90.2:56768   109.247.114.4:53   NO_TRAFFIC:SINGLE  00:00:29  00:00:11     2    204
    udp   Out  192.168.90.2:56768   109.247.114.4:53   SINGLE:NO_TRAFFIC  00:00:29  00:00:11     2    204
    udp   In   192.168.90.2:51516   109.247.114.4:53   NO_TRAFFIC:SINGLE  00:00:29  00:00:11     2    180
    udp   Out  192.168.90.2:51516   109.247.114.4:53   SINGLE:NO_TRAFFIC  00:00:29  00:00:11     2    180
    udp   In   192.168.90.2:51351   109.247.114.4:53   NO_TRAFFIC:SINGLE  00:00:25  00:00:15     2    180
    udp   Out  192.168.90.2:51351   109.247.114.4:53   SINGLE:NO_TRAFFIC  00:00:25  00:00:15     2    180
    udp   In   192.168.90.2:37955   92.220.228.70:53   NO_TRAFFIC:SINGLE  00:00:24  00:00:16     2    194
    udp   Out  192.168.90.2:37955   92.220.228.70:53   SINGLE:NO_TRAFFIC  00:00:24  00:00:16     2    194
    udp   In   192.168.90.2:64370   92.220.228.70:53   NO_TRAFFIC:SINGLE  00:00:24  00:00:16     2    164
    udp   Out  192.168.90.2:64370   92.220.228.70:53   SINGLE:NO_TRAFFIC  00:00:24  00:00:16     2    164
    udp   In   192.168.90.2:47269   92.220.228.70:53   NO_TRAFFIC:SINGLE  00:00:24  00:00:16     2    140
    udp   Out  192.168.90.2:47269   92.220.228.70:53   SINGLE:NO_TRAFFIC  00:00:24  00:00:16     2    140
    udp   In   192.168.90.2:36085   109.247.114.4:53   NO_TRAFFIC:SINGLE  00:00:19  00:00:21     2    194
    udp   Out  192.168.90.2:36085   109.247.114.4:53   SINGLE:NO_TRAFFIC  00:00:19  00:00:21     2    194
    udp   In   192.168.90.2:59754   109.247.114.4:53   NO_TRAFFIC:SINGLE  00:00:19  00:00:21     2    164
    udp   Out  192.168.90.2:59754   109.247.114.4:53   SINGLE:NO_TRAFFIC  00:00:19  00:00:21     2    164
    udp   In   192.168.90.2:56731   109.247.114.4:53   NO_TRAFFIC:SINGLE  00:00:19  00:00:21     2    140
    udp   Out  192.168.90.2:56731   109.247.114.4:53   SINGLE:NO_TRAFFIC  00:00:19  00:00:21     2    140
    udp   In   192.168.90.2:43134   92.220.228.70:53   NO_TRAFFIC:SINGLE  00:00:14  00:00:26     2    204
    udp   Out  192.168.90.2:43134   92.220.228.70:53   SINGLE:NO_TRAFFIC  00:00:14  00:00:26     2    204
    udp   In   192.168.90.2:58156   129.6.15.28:123    NO_TRAFFIC:SINGLE  00:00:10  00:00:50     1     76
    udp   Out  192.168.90.2:58156   129.6.15.28:123    SINGLE:NO_TRAFFIC  00:00:10  00:00:50     1     76
    udp   In   192.168.90.2:63449   109.247.114.4:53   NO_TRAFFIC:SINGLE  00:00:09  00:00:51     1    102

FW and NAT:
Basically I have created 1 rule for each interface (WANIPTV and IPTV_INSIDE): allow IPv4 any any with "Allow packets with IP options to pass". Otherwise they are blocked by default. This is usually only seen with multicast traffic.

    [2.4.5-RELEASE][admin@pfSense.localdomain]/var/etc: pfctl -sa | grep vmx0.101
    nat on vmx0.101 inet from 192.168.90.0/24 to any -> 10.194.4.126 port 1024:65535
    scrub on vmx0.101 all fragment reassemble
    pass in quick on vmx0.101 proto udp from any port = bootps to any port = bootpc keep state label "allow dhcp client out WANIPTV"
    pass out quick on vmx0.101 proto udp from any port = bootpc to any port = bootps keep state label "allow dhcp client out WANIPTV"
    block drop in log on ! vmx0.101 inet from 10.194.4.0/23 to any
    pass in quick on vmx0.101 inet proto udp all keep state allow-opts label "USER_RULE"
    pass in quick on vmx0.101 inet all flags S/SA keep state allow-opts label "USER_RULE"
    vmx0.101 pim 224.0.0.13 <- 10.194.0.1       NO_TRAFFIC:SINGLE
    vmx0.101 igmp 239.193.4.179 <- 10.194.4.126       NO_TRAFFIC:SINGLE
    vmx0.101 igmp 224.0.0.2 <- 10.194.0.1       NO_TRAFFIC:SINGLE
    vmx0.101 icmp 10.194.4.126:2685 -> 10.194.4.1:2685       0:0

    [2.4.5-RELEASE][admin@pfSense.localdomain]/var/etc: pfctl -sa | grep vmx0.90
    nat on vmx0.90 inet from 192.168.90.0/24 to any -> 192.168.90.1 port 1024:65535
    scrub on vmx0.90 all fragment reassemble
    block drop in log on ! vmx0.90 inet from 192.168.90.0/24 to any
    pass in quick on vmx0.90 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
    pass in quick on vmx0.90 inet proto udp from any port = bootpc to 192.168.90.1 port = bootps keep state label "allow access to DHCP server"
    pass out quick on vmx0.90 inet proto udp from 192.168.90.1 port = bootps to any port = bootpc keep state label "allow access to DHCP server"
    pass in quick on vmx0.90 inet all flags S/SA keep state allow-opts label "USER_RULE"
    vmx0.90 igmp 224.0.0.1 <- 192.168.90.1       NO_TRAFFIC:SINGLE
    vmx0.90 igmp 192.168.90.1 -> 224.0.0.1       SINGLE:NO_TRAFFIC
    vmx0.90 igmp 239.193.4.179 <- 192.168.90.2       NO_TRAFFIC:SINGLE
    vmx0.90 igmp 224.0.0.22 <- 192.168.90.1       NO_TRAFFIC:SINGLE
    vmx0.90 igmp 224.0.0.2 <- 192.168.90.1       NO_TRAFFIC:SINGLE
    vmx0.90 udp 129.6.15.28:123 <- 192.168.90.2:55989       NO_TRAFFIC:SINGLE
    vmx0.90 udp 84.234.205.75:8050 <- 192.168.90.2:44543       NO_TRAFFIC:SINGLE
    vmx0.90 udp 129.6.15.28:123 <- 192.168.90.2:58630       NO_TRAFFIC:SINGLE
    vmx0.90 udp 109.247.114.4:53 <- 192.168.90.2:17492       NO_TRAFFIC:SINGLE
    vmx0.90 udp 92.220.228.70:53 <- 192.168.90.2:3730       NO_TRAFFIC:SINGLE
    vmx0.90 udp 109.247.114.4:53 <- 192.168.90.2:8914       NO_TRAFFIC:SINGLE
    vmx0.90 udp 92.220.228.70:53 <- 192.168.90.2:2298       NO_TRAFFIC:SINGLE
    vmx0.90 udp 109.247.114.4:53 <- 192.168.90.2:28166       NO_TRAFFIC:SINGLE
    vmx0.90 udp 92.220.228.70:53 <- 192.168.90.2:16474       NO_TRAFFIC:SINGLE
    vmx0.90 udp 92.220.228.70:53 <- 192.168.90.2:7637       NO_TRAFFIC:SINGLE
    vmx0.90 udp 109.247.114.4:53 <- 192.168.90.2:31915       NO_TRAFFIC:SINGLE
    vmx0.90 udp 109.247.114.4:53 <- 192.168.90.2:27219       NO_TRAFFIC:SINGLE
    vmx0.90 udp 92.220.228.70:53 <- 192.168.90.2:22086       NO_TRAFFIC:SINGLE
    vmx0.90 udp 92.220.228.70:53 <- 192.168.90.2:2800       NO_TRAFFIC:SINGLE
    vmx0.90 udp 92.220.228.70:53 <- 192.168.90.2:12605       NO_TRAFFIC:SINGLE
    vmx0.90 igmp 192.168.90.1 -> 224.0.0.22       SINGLE:NO_TRAFFIC
    vmx0.90 igmp 192.168.90.1 -> 224.0.0.2       SINGLE:NO_TRAFFIC