Support Forum
FlavioB
New Contributor III

IPTV, multicast, IGMPv2

Hello everybody. I'm trying to get my setup done for viewing IPTV on my Entone-IPTV-Box. I dedicated to that box the dmz port of my FWF60C and the only policy ruling is "dmz-->wan1" without restrictions (any/any). I need to have IGMPv2 support and as from the FortiOS Manual (I'm on MR3-Patch5) all three versions are supported. What I achieved as a first step, is to enable "multicast-forwarding" via CLI:

config system settings
    set multicast-forward enable
end

I also enabled multicast to pass either way with policies (dunno if it's needed both ways):

config firewall multicast-policy
    edit 1
        set dstintf "wan1"
        set srcintf "dmz"
    next
    edit 2
        set dstintf "dmz"
        set srcintf "wan1"
    next
end

Now I connected the box on the dmz port, powered it on and it got to a good point: it came up, took its IP from the DHCP (had to mess around with a DHCP option too!), downloaded an INI-File from an http-server, then contacted some other server and then it stays there forever. On the TV I simply see that it's not going past step 11/20. IPTV-Provider told me that this means that multicast is not yet being passed through the firewall. With WireShark I could see that my box sends out a couple of IGMP "V2 Membership Report / Join group 233.60.157.112" (from my box IP 10.10.10.50 to 233.60.157.112) messages and immediately after this, it sends "V2 Leave Group 233.60.157.112" (from my box IP 10.10.10.50 to 224.0.0.2). I do not know where to look, I've got no experience in multicast scenarios. Thus I'm asking here: anybody knows what's missing in my setup? Is there a part about "multicast routing" which I should add? Any help will be very appreciated! Thanks and regards, F.
emnoc
Esteemed Contributor III

Do you have an IGMP querier on that interface? If you don't, that might be a problem unless the Fortinet gate does IGMP proxy. Do a dump for IGMP on your host, plus/minus your host address, and see if you have any other IGMP traffic from anybody.

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
FlavioB
New Contributor III

Hello emnoc, glad to see that at least somebody has dropped its "2 cents" on my thread :-) As I am a perfect newbie in this multicast/IGMP thing, could you please explain any deeper what I should have/do? BTW: on my host (my TV Box) I can't do any dump/sniffing, the only place I am able to do it, is on the Fortigate itself. Thanks and kind regards, F.
emnoc
Esteemed Contributor III

You need to ensure you have an IGMP subscription and that an IGMP query is enabled for that subnet.

> if the iptv host is a unix box, the netstat -g cmd will show your subscriptions

[emnoc@venusfly ~]$ netstat -ng
IPv6/IPv4 Group Memberships
Interface       RefCnt Group
--------------- ------ ---------------------
lo              1      224.0.0.1
eth0            1      224.0.0.251
eth0            1      224.0.0.1
lo              1      ff02::1
eth0            1      ff02::fb
eth0            1      ff02::1:ffc4:be1a
eth0            1      ff02::1
eth5            1      ff02::fb
eth5            2      ff02::1:ff40:8112
eth5            1      ff02::1
eth6            1      ff02::fb
eth6            1      ff02::1:ff40:80a5
eth6            1      ff02::1
eth7            1      ff02::fb
eth7            1      ff02::1:ff40:80a4
eth7            1      ff02::1
eth8            1      ff02::fb
eth8            1      ff02::1:ff40:80a7
eth8            1      ff02::1

> for windows, I don't know of any reasonable way to find your subscriptions

Next, to look for an igmp querier, execute the following:

tcpdump igmp

or for wireshark you can use a display filter of igmp also. I guess you could do the same on the diagnostic packet sniffer on the FGT and specify the lan interface where the IPTV host(s) sits. btw: If you have no querier, then this is going to break your multicast_forwarder. Also, if you have a l2 switch that supports igmp-snooping, this would break also.

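To turn a raw capture like the one emnoc asks for into the facts that matter (is there a querier, which groups are joined, does a join get followed straight away by a leave), here is an added example of mine, not code from the thread or from Fortinet: it encodes and parses 8-byte IGMPv2 messages with their RFC 1071 checksum and summarises a packet list; the sample packets are constructed, using the box and FortiGate addresses from the thread.

```python
import struct
from ipaddress import IPv4Address
# IGMPv2 message types (RFC 2236) and the well-known destinations seen above
MEMBERSHIP_QUERY, V1_REPORT, V2_REPORT, LEAVE_GROUP = 0x11, 0x12, 0x16, 0x17
ALL_HOSTS, ALL_ROUTERS = "224.0.0.1", "224.0.0.2"

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (0 = valid message)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_igmpv2(msg_type: int, group: str, max_resp: int = 0) -> bytes:
    """8-byte IGMPv2 message; max_resp is in tenths of a second (queries only)."""
    body = struct.pack("!BBH4s", msg_type, max_resp, 0, IPv4Address(group).packed)
    return body[:2] + struct.pack("!H", inet_checksum(body)) + body[4:]

def parse_igmpv2(payload: bytes) -> dict:
    if len(payload) < 8 or inet_checksum(payload[:8]) != 0:
        raise ValueError("truncated IGMPv2 message or bad checksum")
    msg_type, max_resp, _, group = struct.unpack("!BBH4s", payload[:8])
    return {"type": msg_type, "max_resp": max_resp, "group": str(IPv4Address(group))}

def analyse(packets, quick_leave=1.0):
    """packets: (seconds, src_ip, dst_ip, igmp_bytes) in capture order. Returns the
    queriers seen, groups still joined, and groups left within quick_leave s of joining."""
    queriers, joined, quick = set(), {}, []
    for ts, src, dst, raw in packets:
        m = parse_igmpv2(raw)
        if m["type"] == MEMBERSHIP_QUERY:
            queriers.add(src)                       # only the querier sends these
        elif m["type"] in (V1_REPORT, V2_REPORT):
            joined.setdefault(m["group"], ts)       # report is sent to the group itself
        elif m["type"] == LEAVE_GROUP and dst == ALL_ROUTERS and m["group"] in joined:
            if ts - joined.pop(m["group"]) < quick_leave:
                quick.append(m["group"])            # the join/leave pattern from the thread
    return {"queriers": sorted(queriers), "joined": sorted(joined), "quick_leaves": quick}

# Constructed sample: box joins 233.60.157.112, leaves 0.2 s later, FortiGate queries, box joins channel 1
SAMPLE = [
    (0.0, "10.10.10.50", "233.60.157.112", build_igmpv2(V2_REPORT, "233.60.157.112")),
    (0.2, "10.10.10.50", ALL_ROUTERS, build_igmpv2(LEAVE_GROUP, "233.60.157.112")),
    (9.5, "10.10.10.1", ALL_HOSTS, build_igmpv2(MEMBERSHIP_QUERY, "0.0.0.0", 100)),
    (12.0, "10.10.10.50", "239.129.10.1", build_igmpv2(V2_REPORT, "239.129.10.1")),
]
if __name__ == "__main__":
    print(analyse(SAMPLE))
```

Feeding real packets means stripping the IPv4 header (and any router-alert option) first; the parser only wants the 8 IGMP bytes.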
FlavioB
New Contributor III

OK, here I try to go...

2012-03-12 19:34:02.397547 10.10.10.50 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:04.723291 10.10.10.50 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:08.485210 10.10.10.50 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:11.957075 10.10.10.1 -> 224.0.0.1: ip-proto-2 8
2012-03-12 19:34:12.190978 10.10.10.50 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:14.816865 10.10.10.1 -> 224.0.0.13: ip-proto-2 8
2012-03-12 19:34:15.676842 10.10.10.1 -> 224.0.1.140: ip-proto-2 8
2012-03-12 19:34:17.424124 10.10.10.50 -> 224.0.0.2: ip-proto-2 8
2012-03-12 19:34:17.424385 10.10.10.50 -> 224.0.0.2: ip-proto-2 8
2012-03-12 19:34:17.424473 10.10.10.50 -> 224.0.0.2: ip-proto-2 8
2012-03-12 19:34:17.425463 10.10.10.1 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:17.425882 10.10.10.1 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:17.426228 10.10.10.1 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:18.417055 10.10.10.1 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:18.433812 10.10.10.50 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:21.226998 10.10.10.1 -> 224.0.0.2: ip-proto-2 8
2012-03-12 19:34:28.113179 10.10.10.50 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:30.906262 10.10.10.50 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:33.459674 10.10.10.50 -> 224.0.0.2: ip-proto-2 8
2012-03-12 19:34:33.459806 10.10.10.50 -> 224.0.0.2: ip-proto-2 8
2012-03-12 19:34:33.459878 10.10.10.50 -> 224.0.0.2: ip-proto-2 8
2012-03-12 19:34:33.460767 10.10.10.1 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:33.461156 10.10.10.1 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:33.461500 10.10.10.1 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:34.457045 10.10.10.1 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:34.475040 10.10.10.50 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:42.599168 10.10.10.50 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:49.499908 10.10.10.50 -> 224.0.0.2: ip-proto-2 8
2012-03-12 19:34:49.500033 10.10.10.50 -> 224.0.0.2: ip-proto-2 8
2012-03-12 19:34:49.500102 10.10.10.50 -> 224.0.0.2: ip-proto-2 8
2012-03-12 19:34:49.500999 10.10.10.1 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:49.501388 10.10.10.1 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:49.501734 10.10.10.1 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:50.497045 10.10.10.1 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:50.507177 10.10.10.50 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:50.552195 10.10.10.50 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:54.822448 10.10.10.50 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:35:05.532266 10.10.10.50 -> 224.0.0.2: ip-proto-2 8
2012-03-12 19:35:05.532402 10.10.10.50 -> 224.0.0.2: ip-proto-2 8
2012-03-12 19:35:05.532474 10.10.10.50 -> 224.0.0.2: ip-proto-2 8
2012-03-12 19:35:05.533358 10.10.10.1 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:35:05.533750 10.10.10.1 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:35:05.534092 10.10.10.1 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:35:06.527046 10.10.10.1 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:35:06.539416 10.10.10.50 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:35:16.358880 10.10.10.50 -> 233.60.157.112: ip-proto-2 8

What you see: 10.0.0.50 is my TV-Box, 10.0.0.1 is the IP of my Fortigate's DMZ-Port, on which I connected the TV-Box. Can you now help me debugging further? Many thanks! F.
emnoc
Esteemed Contributor III

Can you get a debug off the firewall or host for IGMP on the external side? (protocol #2) You want to see an IGMP query every 60 or 120 secs for group membership. Also, where does the IPTV sender sit in relation to the firewall (DMZ or WAN)? I'm not 100% clear on this, but guess it's on DMZ? If yes, then the receivers are on WAN1? Wherever these 2 parties sit, you need to check for the groups and igmp being enabled. If you have an igmp-snooping switch, it will need a querier on all subnets or vlans. To break it all down:
1: do a sniffer on the subnet/vlan that holds the IPTV sender
2: do a sniffer on the subnet/vlan that holds the IPTV receiver
3: ensure igmp-snooping is off (for test purposes) and if you need it, then ensure an igmp querier is enabled in that subnet
4: for the IPTV sender, make sure;
   a: the fwpolicy allows it to send (I'm confident you have that done)
   b: that the IPTV sender TTL is not expiring before it forwards thru
5: run a diag debug flow to triple check
6: run a netstat -ng to ensure you're actively subscribing to a mcast group (linux) or get the netsh.exe (windows)
7: lastly, ensure the client is looking at the right port# of that group.

FlavioB
New Contributor III

Hello emnoc. Sorry for getting back late... I made some progress in my setup, yeah! I've added to the external (wan1) interface individual IPs on the multicast router config. It now looks like this:

config router multicast
    config interface
        edit "dmz"
            set pim-mode sparse-mode
            config igmp
                set version 2
            end
        next
        edit "wan1"
            set pim-mode sparse-mode
            config join-group
                edit 233.60.157.112
                next
                edit 233.60.157.102
                next
                edit 233.60.157.101
                next
                edit 239.129.10.2
                next
                edit 239.129.10.1
                next
                edit 224.0.1.140
                next
            end
            config igmp
                set version 2
            end
        next
    end
    set multicast-routing enable
end

The multicast IPs 239.129.10.1 and .2 are channels 1 and 2 of my set top box, nice! If I add .3 and .4 (just 2 more) the stream is cut off, sliced audio and video happening. I guess this is because I'm enabling *at the same time* more than 1 stream down to my IPTV box, what do you think? Thus, I'm still looking to get this thing correctly working. First of all, I guess there should be some sort of "dynamic" in the system, which allows the IPTV box to switch from one stream to another without leaving the first stream "open", do you get what I mean? How do you think this could be achieved? I don't want to add every and each single channel I'd like to have on my IPTV box in the config, you agree? Thanks and regards, F.
emnoc
Esteemed Contributor III

Can you draw a sketch of the network layout? What you did in the above cfg was to set the firewall as an igmp subscriber. This might not be good. e.g.

config join-group
    edit 233.60.157.112
    next
    edit 233.60.157.102
    next
    edit 233.60.157.101
    next
    edit 239.129.10.2
    next
    edit 239.129.10.1
    next
    edit 224.0.1.140
    next
end

If you have no active subscriber, then the firewall is still subscribing for data that has no active subscriptions. Eating up your bandwidth and cpu/memory.

FlavioB
New Contributor III

Hello emnoc, your words have shed some light :-) In fact it is as you described: the IPTV box asks on the "dmz" interface to join that IGMP group (239.129.10.1 is channel 1, 239.129.10.2 is channel 2, and so on). If I open *more* than 2 of these (configure join-group on the wan1 interface), then my TV experience is deteriorating in a few seconds (as you said, the firewall is getting data which is *not* needed). My goal would be to have some sort of "dynamic" subscription of my firewall, do you understand? The sketch will be posted soon, sorry... Many thanks! F.
emnoc
Esteemed Contributor III

Awaiting a sketch. FWIW I've never been very impressed with mcast routing and firewalls. Typically I've set a cisco router as a mcast termination device and pretty much lock it down. What you really need is for the fgt to proxy the IGMP request and handle the igmp subscriptions.

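The difference between the static join-group list on wan1 and the IGMP proxying emnoc recommends, as an added model of mine (not FortiOS code and not part of the thread): upstream join state driven by dmz-side reports and leaves with the RFC 2236 default timers. The static group list is the one from the thread's config; the zapping timeline is constructed.

```python
# IGMPv2 timers (RFC 2236 defaults), in seconds
QUERY_INTERVAL, QUERY_RESPONSE_INTERVAL, ROBUSTNESS = 125, 10, 2
GROUP_MEMBERSHIP_INTERVAL = ROBUSTNESS * QUERY_INTERVAL + QUERY_RESPONSE_INTERVAL  # 260 s
LAST_MEMBER_QUERY_INTERVAL, LAST_MEMBER_QUERY_COUNT = 1, 2

class UpstreamJoinState:
    """Decides which groups the router pulls from wan1.
    static_groups mimics 'config join-group' on wan1: always joined upstream.
    Any other group is joined upstream only while a dmz host holds a live membership
    (a report refreshes it; a leave shortens it to the last-member query window)."""

    def __init__(self, static_groups=()):
        self.static = set(static_groups)
        self.expires = {}                # group -> time the dmz membership expires
        self.upstream = set(self.static)

    def report(self, now, group):
        self.expires[group] = now + GROUP_MEMBERSHIP_INTERVAL
        self.upstream.add(group)         # first member: join upstream at once

    def leave(self, now, group):
        if group in self.expires:        # don't drop yet: another host may still answer
            self.expires[group] = now + LAST_MEMBER_QUERY_INTERVAL * LAST_MEMBER_QUERY_COUNT

    def tick(self, now):
        """Expire silent groups; static ones stay joined no matter what."""
        for group, deadline in list(self.expires.items()):
            if now >= deadline:
                del self.expires[group]
                if group not in self.static:
                    self.upstream.discard(group)
        return sorted(self.upstream)

# Constructed scenario: the box watches channel 1, zaps to channel 2 at t=30 s,
# then keeps answering queries for channel 2 only.
THREAD_STATIC = ["233.60.157.112", "233.60.157.102", "233.60.157.101",
                 "239.129.10.2", "239.129.10.1", "224.0.1.140"]
EVENTS = [("report", 0, "239.129.10.1"), ("leave", 30, "239.129.10.1"),
          ("report", 30.1, "239.129.10.2"), ("tick", 33, None),
          ("report", 150, "239.129.10.2"), ("tick", 300, None)]

def run(state, events):
    """Replay events; returns the upstream join set after each tick."""
    snapshots = []
    for kind, now, group in events:
        if kind == "tick":
            snapshots.append(state.tick(now))
        else:
            getattr(state, kind)(now, group)
    return snapshots
```

With the static list the router keeps pulling all six groups after the zap, which is the "data that has no active subscriptions" emnoc describes; with the proxy model only channel 2 is joined upstream.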