IPTV IGMP multicast problems with BT YouView on pfSense
-
My ISP (BT) provides additional TV channels via IPTV multicast as part of the YouView service. I'm trying to configure pfSense to provide IGMP proxying and to forward the UDP streams to my LAN. My configuration is as follows:
DEMARC -> VDSL Modem -> pfSense -> Switch (w/ IGMP Snooping enabled) -> IPTV STB/Receiver
I have replaced the pfSense router in this case with the original ISP supplied equipment and everything functions correctly. This eliminates all other equipment and configuration from the equation and puts the problem squarely in my configuration of pfSense.
It proves that there isn't a separate IPTV VLAN coming from the modem, and that IGMP Snooping is configured correctly.
I took the liberty of doing some packet captures while the ISP equipment was in place and here are the findings:
All IPTV channels are part of the 234.81.130.0/24 and the 234.81.131.0/24 IGMP groups. To be on the safe side I have configured the upstream network of my IGMP Proxy as 224.0.0.0/4. The downstream is the 192.168.0.0/24 subnet of my LAN.
I can't see an issue with this configuration, where I think the problem lies is with my NAT/Firewall Rules. If I'm understanding this correctly, for connections to be made from WAN to LAN they have to be initiated by something on the LAN side. Otherwise it is just dropped. As far as the firewall is concerned the UDP streams appear from nowhere as it doesn't understand that they were managed by IGMP. So I think I need to allow UDP past the firewall. This is where my lack of understanding of multicast is letting me down.
From my packet analysis they don't hit the firewall addressed to me, but rather they come addressed to the group that the IPTV STB just subscribed to. With that in mind I created this firewall rule:
Allow IPv4 UDP w/ IP Options Dest: 224.0.0.0/4:5802
But no dice. I'm more confused now. Have I got the rule wrong? Is it possible the default "Block Bogon Networks" is also blocking the multicast packets because they have reserved address space? Is my IGMP configuration wrong? I know the problem is in pfSense but I don't have enough experience to fix it, at least not without the forums and they are down :( .
TIA!
After doing more testing I can provide the following additional information:
EDIT: Now the forums are back up I can check CYMRU's bogon list https://www.team-cymru.org/Services/Bogons/fullbogons-ipv4.txt and it DOES! include 224.0.0.0/4.
Anyone know a way to change the list without disabling the whole rule?
EDIT2: Still no worky. I think I'll need to fix this AND something else.
EDIT3: I've found /etc/bogons now after reading rc.update_bogons.sh so I can remove 224.0.0.0/4 I just need the rest of the solution. Also I could do with knowing if this is even necessary as it won't be permanent if bogons changes in the future.
EDIT4: Just run a pcap on the WAN interface, IGMP seems to be going out:
~SNIP~
15:18:27.594045 IP XXX.XXX.XXX.XXX > 224.0.0.22: igmp
15:18:27.932593 IP XXX.XXX.XXX.XXX > 234.81.130.84: igmp
~SNIP~
Don't know why it reaches out to 224.0.0.22 multiple times but 234.81.130.84 is the group I am requesting to join.
No replies however. No UDP or IGMP. I would still see the traffic on the interface even if it was being blocked by firewall rules right?
Any help would be appreciated.
-
This thread useful maybe? https://community.bt.com/t5/YouView-Boxes/Extra-IPTV-channels-working-on-Mikrotik-750G-router-a-short/td-p/1137730 It describes the setup for a Mikrotik router, instead of all the other threads which talk about consumer rubbish.
It describes my setup pretty much exactly, apart from the main difference that it is actually working for him ;) This paragraph is of particular interest though:
The IGMP traffic won't appear to come through the PPPoE interface instead it will be on the ethernet interface that is physically connected to the Openreach modem, in my case eth1. You'll need to assign an IP address to this interface if you haven't already, making it anything in a private range but outside your LAN ranges, e.g. 10.20.30.1/24, only because RouterOS won't make use of the interface without an address assigned.
Not sure what he means here, I am using the ethernet interface - presumably WAN. I know you can see pppoe_WAN in other parts of the config but only WAN or LAN is selectable at the IGMP Proxy stage.
Also he sticks the STB on a separate subnet, which I don't mind doing, but shouldn't be necessary.
-
Here's some pictures of firewall rules for your viewing pleasure: https://imgur.com/a/VBgwr (Embedded below)
To simplify, I'm pretty sure IGMP Proxying is working as intended, so just receiving multicast traffic I am having issues with. Does the bogon networks rule apply only to packets with an unassigned source address or one with an unassigned destination too (or both?).
Thanks again.
-
Now I'm really close. I was right on the money suspecting that paragraph of that Mikrotik post was highly relevant. I've finally deciphered what that means in this context, and it very nearly works! I needed to assign a new interface to the actual NIC. Whereas the WAN is assigned to the PPPoE which is in turn assigned to the NIC, by assigning to the actual NIC the packets are sent bare and unencapsulated and I get UDP replies, from 109.159.247.0/24 which corresponds with my earlier packet captures as to the multicast broadcast router/server. Now I just need to see why the default "Block all IPv4" rule is dropping them when I have a rule specifically set up to allow them. Not long now I think!
-
Hi,
This thread was the closest to a solution (at least that I can understand) to fix the issue with BT TV.
2 days ago I installed PFSense and the BT TV stopped working (before that it was working fine with my EdgeRouter X –> so all the IGMP proxy and rest of network settings are set correctly).
Did you manage to get it fixed? What about the last portion of your investigation? What solved the issue in your case?
thanks!
Luis
-
I just stumbled across this older thread. Don't know if the OP still requires assistance. Still my 5ct: I suggest you put your Multicast PASS rules as floating rules (instead of the WAN interface). Make this two rules: one rule for UDP and one for IGMP (They cannot go into one rule. It just cannot be selected this way in the GUI.) If I understand that correctly the floating rules are used before the block bogon networks rule is checked. Btw. I also suggest in the beginning you don't limit the ports.
-
Hi, i think it is a bit old indeed, but was the closest i ever found to provide a solution.
I will try to adopt the floating rule.
But at the moment I am still not sure if I need to create another interface for the WAN (as the last post from Mech advise).
It seems rather strange to have the WAN interface assigned to nowhere just to make the IGMP work.
Anyway, if anyone has a good idea on how to make BT TV work with PFsense, I would very much appreciate it!
Luis
-
Hi Luis, sorry the solution wasn't in this thread, I meant to do a bit of a write-up and then got distracted.
Here's the new thread I made that has the solution. https://forum.pfsense.org/index.php?topic=100464.msg560476#msg560476
Essentially this is the necessary configuration for the IGMP Proxy:
Create a brand new interface and assign it to the same physical interface as the PPPoE. In my case WAN is assigned to PPPoE which is assigned to re0, so I make a new interface called IPTV and assign it to re0 like so:
This is the configuration of that interface. The MAC doesn't matter, the static IP doesn't matter. Use whatever you like, although I used RFC1918 address space anyway for safety.
Then configure the IGMP Proxy with your local subnet as the downstream interface and 224.0.0.0/4 (Multicast subnet) and 109.159.247.0/24 (BT YouView source IPs) as the upstream subnets. VERY IMPORTANT. This is where I got stuck.
Finally you might need a firewall rule to make sure the incoming UDP isn't dropped. Make sure you allow "IP Options" as this will let it come from a multicast source. Here's mine, applied to the IPTV interface:
That should do it. It's working fine for me and my pfSense install is still pretty vanilla, so I don't see any unexpected problems. Hope it works ok for you.
Mech
-
:(
Did not work for me….
I have every configuration identical to yours, but it doesn't show any image.
I am using a ubiquiti router (which was previously linked directly to the openreach modem) as 1 additional element in my network (between the pfSense and the TV box).
I even tried playing with the cables and linked the TVBOX DIRECTLY into the PFsense (and killed all the rest of my home internet) to test it, but nothing!
I notice that you only have a FW rule on IPTV interface, there is no need to have any other rule anywhere else?
I just installed PFSense (2 days ago), so it is all pretty standard too (well, except I also added snort, but there is nothing in the logs there).
Any hints of where to look?
tks!
Luis
-
Hmm, double natting, that adds a layer of complexity, I'd recommend you continue to try this with just one router for now until you find the problem - just to simplify the configuration. If you have VLC installed you can open the test channel on a computer to make it easier to generate the IGMP packets and test for the UDP packets. To do that open VLC and go to MEDIA > OPEN NETWORK STREAM… > and paste this into the box "rtp://234.81.130.4:5802" (no quotes). That's the BT YouView Test Channel. That way you can connect your computer directly to the router and still have internet access while debugging.
Then what I did was run a packet capture in pfSense on the IPTV interface by going to DIAGNOSTICS > PACKET CAPTURE set the interface to IPTV and the count to 0. Start a packet capture, then open the test stream for a couple of seconds, close the stream again and then stop the capture. You should have something that looks like this:
That's the IPTV traffic being "requested" via IGMP and arriving, you'll see it intermingled with the PPPoE packets. Only do a short capture because these packets mount up quickly! If you don't see that traffic, then the IGMP traffic isn't making it out to BT, so the problem lies there, if you do, then check the IGMP proxy configuration and the firewall rules. The source IP of the packet (here it is 109.159.247.1) is the subnet you should use in the upstream category (109.159.247.0/24) it will be different for different ISPs. (We are talking about the same BT right? - British Telecom?)
See what you get in your capture and have a fiddle. Post here if no luck. ;)
I notice that you only have a FW rule on IPTV interface, there is no need to have any other rule anywhere else?
No that's the only rule I have, and I'm not sure you even need that.
Mech
EDIT: Oh, and I use 192.168.0.1 for my local network, but if you use something else, make sure you change that in the proxy settings!
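The capture check described in the post above, as an added example that is not part of the original thread: a Python sketch that reads tcpdump-style text lines from the IPTV interface, reports for each multicast group whether a join went out and whether UDP came back, and lists the source subnets to consider as IGMP proxy upstream networks. The sample lines are constructed, the function names are hypothetical, and the /24 grouping is an assumption taken from the 109.159.247.0/24 value used in the thread.

```python
import ipaddress
import re

# Constructed sample in tcpdump text form (not a real capture). The format
# follows the IGMP lines quoted earlier in the thread; addresses are examples.
SAMPLE_CAPTURE = """\
15:18:27.594045 IP 10.20.30.1 > 224.0.0.22: igmp
15:18:27.932593 IP 10.20.30.1 > 234.81.130.4: igmp
15:18:28.101201 IP 109.159.247.1.40000 > 234.81.130.4.5802: UDP, length 1328
15:18:28.102377 IP 109.159.247.1.40000 > 234.81.130.4.5802: UDP, length 1328
15:18:29.000412 IP 10.20.30.1 > 234.81.131.9: igmp
15:18:29.500000 IP 192.168.0.10.51514 > 192.0.2.7.443: UDP, length 1200
"""

IP = r"(\d+(?:\.\d+){3})(?:\.\d+)?"          # IPv4 address, optional .port
LINE = re.compile(rf"^\S+ IP {IP} > {IP}: (\w+)")
MULTICAST = ipaddress.ip_network("224.0.0.0/4")
LINK_LOCAL = ipaddress.ip_network("224.0.0.0/24")  # control groups, e.g. 224.0.0.22

def analyse(capture_text):
    """Return {group: {"joined": bool, "packets": int, "sources": set}}."""
    groups = {}
    for line in capture_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # PPPoE frames and anything else we do not parse
        src, dst, proto = m.group(1), ipaddress.ip_address(m.group(2)), m.group(3)
        if dst not in MULTICAST or dst in LINK_LOCAL:
            continue  # unicast traffic or IGMP control addresses
        entry = groups.setdefault(str(dst), {"joined": False, "packets": 0, "sources": set()})
        if proto.lower() == "igmp":
            entry["joined"] = True
        elif proto.upper() == "UDP":
            entry["packets"] += 1
            entry["sources"].add(src)
    return groups

def diagnose(groups):
    """Map each group to a short verdict matching the checks in the post."""
    verdicts = {}
    for group, e in groups.items():
        if e["packets"] and e["joined"]:
            verdicts[group] = "stream arriving"
        elif e["joined"]:
            verdicts[group] = "join sent, no stream"
        else:
            verdicts[group] = "stream without join in capture"
    return verdicts

def upstream_subnets(groups):
    """Source /24s of received streams (assumed prefix length, as in the thread)."""
    nets = {ipaddress.ip_network(f"{s}/24", strict=False) for e in groups.values() for s in e["sources"]}
    return sorted(str(n) for n in nets)
```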
-
Hi,
Still no luck!
I tried to get the PFsense linked direct to the BT TV (and kill the internet in my entire place) but no success.
My network is 192.168.10.X, and I have adjusted accordingly.
Before Pfsense (which is 4 days old here) I had a Ubiquiti router as a main gateway connected to openreach modem.
The BTTV device was behind a second router (Netgear), so it was working as a "NAT behind NAT" scenario.
I will try to capture a log from the Pfsense linked direct to the BTTV and will post here.
thanks for the help!
Luis
-
So, quite useless tentative.
i started the package collection, zap down to the cables, linked ONLY the BTTV equipment on PFsense, which was configured as described by Mech (only change was my LAN address, it was 192.168.10.11). So I had it configured as 192.168.10.11/24.
The BTTV failed to work (again it was openreach modem <-> Pfsense <-> BT TV, nothing else connected).
The log was pretty useless to me, the only thing that drew my attention was a few ICMP packages lost to amazonWBS and AKATAI (or ATAMAKI, or something similar) technologies.
a bunch of TCP messages
a good number of UDP (nearly all of them to DNS servers –> port 53).
I can see the "frame" working on the TV, with the channels, time, program grade, etc, but there is no content and a few seconds later the message that some problem happened pops up....
At the moment i dont think the ubiquiti router is the issue, as i took it away to test.
the PFsense, is the latest version, the only additions i've made were OPENDNS and Snort.
any ideas of where to look next?
tks
luis
-
Hi,
Just a feedback.
I made it work.
your configuration is exactly right.
I added another NIC on the PFSense box and got rid of the router/double NAT.
Everything is fine now!
thanks!
Luis
-
Hello,
I have configured my pfsense 2.2.6 as per yours above but with 192.168.1.0/24 as the LAN, but no joy with BT TV for the IP channels.
https://www.dropbox.com/s/xt1r1ccq0lq7gco/IGMP%20Proxy%20Settings.jpg?dl=0
I have the firewall rule set up as above and have changed the DNS to BT's as I was using Google DNS.
https://www.dropbox.com/s/wljwikj5or2nw3l/IPTV%20Firewall%20Rules.jpg?dl=0
https://www.dropbox.com/s/8iqobb752ccxhq5/WAN%20Firewall%20Rules.jpg?dl=0
Any other suggestions as to troubleshooting? I'm trying to get hold of a HH to bypass the pfsense box and confirm all is ok if using a standard BT setup.
Only difference is I do not have a switch which has IGMP Snooping on it.
-
Hello,
Managed to get it working. One thing to add to the above instruction from Mech:-
- Your DNS must be set to BT's DNS, I was using google DNS
The problem I have now is that I can not use the internet when watching a IPTV channel. BT Sport HD Europe is taking up about 8 - 10 Mb of bandwidth when watching it. I am on a 45 Mb connection. When watching the IPTV channel I can not do anything else on the internet, timeouts, errors, pages just not loading.
Any ideas as to what the cause could be?
============================================= UPDATES ======================================================
I have had to rebuild my pfSense router following an upgrade to 3.x.x which has broken the IGMP Proxy. The above config will not currently (24/09/2016) work with any 3.x.x build.
One other small thing to add…
- You must modify the "Default allow LAN to any rule" and enable the option "This allows packets with IP options to pass. Otherwise they are blocked by default. This is usually only seen with multicast traffic.". It is found under "Advanced Options" near the bottom of the page, when editing this rule.
-
Hello,
Managed to get it working. One thing to add to the above instruction from Mech:-
- Your DNS must be set to BT's DNS, I was using google DNS
The problem I have now is that I can not use the internet when watching a IPTV channel. BT Sport HD Europe is taking up about 8 - 10 Mb of bandwidth when watching it. I am on a 45 Mb connection. When watching the IPTV channel I can not do anything else on the internet, timeouts, errors, pages just not loading.
Any ideas as to what the cause could be?
Good find on the DNS. I didn't even think to check that.
My only guess could be that your switch doesn't do IGMP snooping and so that traffic is being broadcast to all ports and swamping your switch. Doesn't seem very likely though. If that doesn't work you might be better off starting a new thread and asking there.
Cheers.
-
Looking for some ideas. Having read about Mech's success in getting this working I thought I'd try.
I have my BT Openreach HG612 VDSL modem connected to my pfSense box.
I started with a vanilla install of pfSense.
I started by configuring a PPPoE connection and the default/quick setup.
I now have a working LAN that I can access the internet from. All good.
I am using BT's DNS on pfSense as configured by their DHCP servers - again everything default.
So next I setup the secondary connection to the HG612 as described by Mech in an earlier post.
The configuration BT uses call for two logical connections on one physical interface:
1. PPPoE for Internet
2. Multicast
Then I set up IGMP proxy, again following the recipe described by Mech - with one small exception: the default LAN IP is 192.168.1.x which is what I am using, so I use 192.168.1.1/24 in the IGMP Downstream.
Now I add a rule to the firewall, again as Mech describes to pass UDP on port 5802.
So this all ought to work… but I still get the dreaded IPC6023 error on the set-top box.
Looking at the firewall log, it was blocking some IGMP traffic from 0.0.0.0 to 224.0.0.1 so I added a rule to pass this on the IPTV interface. This removed the blocked packets from the log, but does not allow the Set Top box to work.
What have I missed? What else can I check or try?
Any ideas greatly appreciated.
Andrew
-
Hello,
I've followed the instructions above but I couldn't get it working.
I have a BT Youview ultraHD box and an PC Engines Apu2c4 device with pfSense 2.3.2-RELEASE (amd64) on it.
I have 3 network interfaces;
igb0 : WAN (pppoe)
igb1 : LAN
igb2 : IPTV
Here's the configuration I've set :
https://gyazo.com/ab1d7e5472e2d93c5386625f640c8d96
https://gyazo.com/08c10df137b7ee5bb149450f2306f701
https://gyazo.com/466688bfc4ed35065513900974ac2195
On my TV I'm getting "Can't Connect to the Internet" error message at the moment. YouView box is connected to igb2 interface.
Can you please help?
Thanks
Omur
Edit: Do I need to do anything on youview box? I still don't understand how it would get internet from igb2 interface.
-
Hello,
I've followed the instructions above but I couldn't get it working.
Hey, before I take a look at your exact configuration, it's worth pointing out that in the latest versions of pfSense they've broken IGMP proxy when using vlans, take a look at this issue on the bug tracker: https://redmine.pfsense.org/issues/6099
So I'm still on version 2.2.6 until this regression is fixed.
Are you using vlans at all?
Cheers
-
Updates added to earlier post with extra step and warning around latest versions of pfSense.