IPTV, multicast, IGMPv2
Hello everybody.
I'm trying to get my setup done for viewing IPTV on my Entone IPTV box.
I dedicated to that box the DMZ port of my FWF60C, and the only policy rule in place is "dmz --> wan1" without restrictions (any/any).
I need to have IGMPv2 support, and according to the FortiOS manual (I'm on MR3 Patch 5) all three versions are supported.
What I achieved as a first step is to enable "multicast-forwarding" via CLI:
config system settings
    set multicast-forward enable
end
I also enabled multicast to pass either way with policies (dunno if it's needed both ways):
config firewall multicast-policy
    edit 1
        set dstintf "wan1"
        set srcintf "dmz"
    next
    edit 2
        set dstintf "dmz"
        set srcintf "wan1"
    next
end
Now I connected the box to the dmz port and powered it on, and it got to a good point: it came up, took its IP from DHCP (had to mess around with a DHCP option too!), downloaded an INI file from an HTTP server, then contacted some other server, and then it stays there forever. On the TV I simply see that it's not going past step 11/20. The IPTV provider told me that this means that multicast is not yet being passed through the firewall.
With Wireshark I could see that my box sends out a couple of IGMP "V2 Membership Report / Join group 233.60.157.112" messages (from my box IP 10.10.10.50 to 233.60.157.112) and immediately after this it sends "V2 Leave Group 233.60.157.112" (from my box IP 10.10.10.50 to 224.0.0.2).
I do not know where to look; I've got no experience with multicast scenarios.
Thus I'm asking here: does anybody know what's missing in my setup? Is there a part about "multicast routing" which I should add?
Any help will be very much appreciated!
Thanks and regards,
F.
14 REPLIES
Do you have an IGMP querier on that interface? If you don't, that might be a problem unless the Fortinet gateway does IGMP proxying.
Do a dump for IGMP on your host, plus/minus your host address, and see if you have any other IGMP traffic from anybody.
PCNSE
NSE
StrongSwan
Hello emnoc,
glad to see that at least somebody has dropped their "2 cents" on my thread :-)
As I am a perfect newbie in this multicast/IGMP thing, could you please explain in more depth what I should have/do?
BTW: on my host (my TV box) I can't do any dump/sniffing; the only place I am able to do it is on the FortiGate itself.
Thanks and kind regards,
F.
You need to ensure you have an IGMP subscription and that an IGMP querier is enabled for that subnet.
> if the IPTV host is a Unix box, the netstat -g command will show your subscriptions
[emnoc@venusfly ~]$ netstat -ng
IPv6/IPv4 Group Memberships
Interface RefCnt Group
--------------- ------ ---------------------
lo 1 224.0.0.1
eth0 1 224.0.0.251
eth0 1 224.0.0.1
lo 1 ff02::1
eth0 1 ff02::fb
eth0 1 ff02::1:ffc4:be1a
eth0 1 ff02::1
eth5 1 ff02::fb
eth5 2 ff02::1:ff40:8112
eth5 1 ff02::1
eth6 1 ff02::fb
eth6 1 ff02::1:ff40:80a5
eth6 1 ff02::1
eth7 1 ff02::fb
eth7 1 ff02::1:ff40:80a4
eth7 1 ff02::1
eth8 1 ff02::fb
eth8 1 ff02::1:ff40:80a7
eth8 1 ff02::1
> for Windows, I don't know of any reasonable way to find your subscriptions
Next,
To look for an IGMP querier, execute the following:
tcpdump igmp
or for Wireshark you can use a display filter of igmp as well. I guess you could do the same with the diagnostic packet sniffer on the FGT and specify the LAN interface where the IPTV host(s) sit.
BTW: if you have no querier, then this is going to break your multicast forwarder. Also, if you have an L2 switch that supports IGMP snooping, this would break it as well.
PCNSE
NSE
StrongSwan
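To make the "tcpdump igmp" / Wireshark output easier to read, here is an added Python example (written for this page, not emnoc's or Fortinet's code) that builds and decodes the 8-byte IGMPv2 messages from RFC 2236, verifies the RFC 1071 checksum, names the message type and states which IP destination a well-formed message of that type should carry. The group 233.60.157.112 is the one from the thread; the message bytes themselves are constructed here, not captured.

```python
"""Build and decode IGMPv2 messages (RFC 2236) and verify their checksum.

Added example for this thread; the packets below are constructed, not captured.
"""
import socket
import struct

# IGMP message types (first byte of the message).
MEMBERSHIP_QUERY = 0x11
V1_MEMBERSHIP_REPORT = 0x12
V2_MEMBERSHIP_REPORT = 0x16
LEAVE_GROUP = 0x17

ALL_HOSTS = "224.0.0.1"    # general queries are sent here
ALL_ROUTERS = "224.0.0.2"  # leave-group messages are sent here

IGMP_FORMAT = "!BBH4s"  # type, max response time (1/10 s), checksum, group address


def rfc1071_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_igmpv2(msg_type: int, group: str, max_resp_time: int = 0) -> bytes:
    """Return the 8-byte IGMPv2 message with a correct checksum."""
    grp = socket.inet_aton(group)
    unchecked = struct.pack(IGMP_FORMAT, msg_type, max_resp_time, 0, grp)
    return struct.pack(IGMP_FORMAT, msg_type, max_resp_time,
                       rfc1071_checksum(unchecked), grp)


def decode_igmpv2(payload: bytes) -> dict:
    """Decode the first 8 bytes of an IGMP payload (IP header not included)."""
    if len(payload) < 8:
        raise ValueError("IGMPv2 messages are 8 bytes long")
    msg_type, max_resp, _checksum, grp = struct.unpack(IGMP_FORMAT, payload[:8])
    group = socket.inet_ntoa(grp)
    if msg_type == MEMBERSHIP_QUERY:
        # A query for group 0.0.0.0 is the querier's general query; otherwise it is
        # a group-specific query, typically sent right after a Leave Group.
        name = "General Query" if group == "0.0.0.0" else "Group-Specific Query"
    else:
        name = {V1_MEMBERSHIP_REPORT: "IGMPv1 Membership Report",
                V2_MEMBERSHIP_REPORT: "IGMPv2 Membership Report",
                LEAVE_GROUP: "Leave Group"}.get(msg_type, "Unknown (0x%02x)" % msg_type)
    return {
        "type": msg_type,
        "name": name,
        "group": group,
        "max_resp_time_s": max_resp / 10,
        # Summing a message together with its own checksum field must give zero.
        "checksum_ok": rfc1071_checksum(payload[:8]) == 0,
    }


def expected_destination(decoded: dict) -> str:
    """IP destination a well-formed message of this type should carry."""
    if decoded["type"] == LEAVE_GROUP:
        return ALL_ROUTERS
    if decoded["name"] == "General Query":
        return ALL_HOSTS
    return decoded["group"]  # reports and group-specific queries go to the group itself


if __name__ == "__main__":
    for raw in (build_igmpv2(V2_MEMBERSHIP_REPORT, "233.60.157.112"),
                build_igmpv2(LEAVE_GROUP, "233.60.157.112"),
                build_igmpv2(MEMBERSHIP_QUERY, "0.0.0.0", max_resp_time=100)):
        d = decode_igmpv2(raw)
        print("%-26s group=%-15s -> %-15s checksum_ok=%s"
              % (d["name"], d["group"], expected_destination(d), d["checksum_ok"]))
```

The destination mapping is the point to keep in mind when reading a capture: a report goes to the group itself, a leave goes to 224.0.0.2, and a general query from the querier goes to 224.0.0.1, so a sniffer that only prints source and destination still tells you which of these is happening.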
OK, here I go...
2012-03-12 19:34:02.397547 10.10.10.50 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:04.723291 10.10.10.50 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:08.485210 10.10.10.50 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:11.957075 10.10.10.1 -> 224.0.0.1: ip-proto-2 8
2012-03-12 19:34:12.190978 10.10.10.50 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:14.816865 10.10.10.1 -> 224.0.0.13: ip-proto-2 8
2012-03-12 19:34:15.676842 10.10.10.1 -> 224.0.1.140: ip-proto-2 8
2012-03-12 19:34:17.424124 10.10.10.50 -> 224.0.0.2: ip-proto-2 8
2012-03-12 19:34:17.424385 10.10.10.50 -> 224.0.0.2: ip-proto-2 8
2012-03-12 19:34:17.424473 10.10.10.50 -> 224.0.0.2: ip-proto-2 8
2012-03-12 19:34:17.425463 10.10.10.1 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:17.425882 10.10.10.1 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:17.426228 10.10.10.1 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:18.417055 10.10.10.1 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:18.433812 10.10.10.50 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:21.226998 10.10.10.1 -> 224.0.0.2: ip-proto-2 8
2012-03-12 19:34:28.113179 10.10.10.50 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:30.906262 10.10.10.50 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:33.459674 10.10.10.50 -> 224.0.0.2: ip-proto-2 8
2012-03-12 19:34:33.459806 10.10.10.50 -> 224.0.0.2: ip-proto-2 8
2012-03-12 19:34:33.459878 10.10.10.50 -> 224.0.0.2: ip-proto-2 8
2012-03-12 19:34:33.460767 10.10.10.1 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:33.461156 10.10.10.1 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:33.461500 10.10.10.1 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:34.457045 10.10.10.1 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:34.475040 10.10.10.50 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:42.599168 10.10.10.50 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:49.499908 10.10.10.50 -> 224.0.0.2: ip-proto-2 8
2012-03-12 19:34:49.500033 10.10.10.50 -> 224.0.0.2: ip-proto-2 8
2012-03-12 19:34:49.500102 10.10.10.50 -> 224.0.0.2: ip-proto-2 8
2012-03-12 19:34:49.500999 10.10.10.1 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:49.501388 10.10.10.1 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:49.501734 10.10.10.1 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:50.497045 10.10.10.1 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:50.507177 10.10.10.50 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:50.552195 10.10.10.50 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:54.822448 10.10.10.50 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:35:05.532266 10.10.10.50 -> 224.0.0.2: ip-proto-2 8
2012-03-12 19:35:05.532402 10.10.10.50 -> 224.0.0.2: ip-proto-2 8
2012-03-12 19:35:05.532474 10.10.10.50 -> 224.0.0.2: ip-proto-2 8
2012-03-12 19:35:05.533358 10.10.10.1 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:35:05.533750 10.10.10.1 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:35:05.534092 10.10.10.1 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:35:06.527046 10.10.10.1 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:35:06.539416 10.10.10.50 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:35:16.358880 10.10.10.50 -> 233.60.157.112: ip-proto-2 8
What you see:
10.0.0.50 is my TV box
10.0.0.1 is the IP of my FortiGate's DMZ port, to which I connected the TV box.
Can you now help me debug further?
Many thanks!
F.
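The FortiGate sniffer summary above only prints "ip-proto-2" (IGMP) with source and destination, but IGMPv2 uses fixed destinations per message type, so the exchange can still be classified. The following is an added Python example (not from the thread or from Fortinet) that parses an excerpt of the output posted above, counts general queries from the gateway (a querier is present if there are any), leaves and reports from the set-top box, and measures how quickly the box leaves a group after reporting for it. The gateway 10.10.10.1, the box 10.10.10.50 and the group 233.60.157.112 are taken from the post; the class names are this example's own.

```python
"""Classify IGMP lines from FortiGate 'diagnose sniffer packet' summary output.

Added example for this thread, not part of the posts. The summary line shows only
'ip-proto-2' (IGMP) with source and destination, so the message type is inferred
from the destination address, which is how IGMPv2 uses them (RFC 2236):
  general query         -> 224.0.0.1 (all hosts), sent by the querier
  leave group           -> 224.0.0.2 (all routers), sent by the receiver
  membership report     -> the group address itself, sent by the receiver
  group-specific query  -> the group address itself, sent by the querier after a leave
"""
import re
from collections import Counter
from datetime import datetime

ALL_HOSTS = "224.0.0.1"
ALL_ROUTERS = "224.0.0.2"
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) -> (\S+): ip-proto-2 (\d+)$")

# Excerpt of the sniffer output posted above: gateway (FortiGate dmz) 10.10.10.1,
# set-top box 10.10.10.50, group 233.60.157.112.
SAMPLE = """\
2012-03-12 19:34:02.397547 10.10.10.50 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:11.957075 10.10.10.1 -> 224.0.0.1: ip-proto-2 8
2012-03-12 19:34:12.190978 10.10.10.50 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:17.424124 10.10.10.50 -> 224.0.0.2: ip-proto-2 8
2012-03-12 19:34:17.424385 10.10.10.50 -> 224.0.0.2: ip-proto-2 8
2012-03-12 19:34:17.425463 10.10.10.1 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:18.417055 10.10.10.1 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:18.433812 10.10.10.50 -> 233.60.157.112: ip-proto-2 8
2012-03-12 19:34:21.226998 10.10.10.1 -> 224.0.0.2: ip-proto-2 8
"""


def parse_sniffer(text):
    """Return (timestamp, src, dst) tuples for IGMP summary lines; other lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, _length = m.groups()
            pkts.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"), src, dst))
    return pkts


def is_group_address(addr):
    """True for a multicast group address outside the 224.0.0.0/24 control range."""
    first = int(addr.split(".")[0])
    return 224 <= first <= 239 and not addr.startswith("224.0.0.")


def classify(src, dst, gateway, host):
    if src == gateway and dst == ALL_HOSTS:
        return "general query"
    if src == host and dst == ALL_ROUTERS:
        return "leave group"
    if src == host and is_group_address(dst):
        return "membership report"
    if src == gateway and is_group_address(dst):
        # Without the payload this could also be the gateway's own report, but
        # right after a leave it is the group-specific query a querier must send.
        return "gateway to group"
    return "other"


def summarise(text, gateway, host):
    """Count message classes; a non-zero 'general query' count means a querier is active."""
    return Counter(classify(src, dst, gateway, host) for _, src, dst in parse_sniffer(text))


def querier_present(text, gateway, host):
    return summarise(text, gateway, host)["general query"] > 0


def report_to_leave_seconds(text, host, group):
    """Seconds between each report for `group` and the next leave from the host.

    Short gaps show the receiver giving up on the stream soon after joining it.
    """
    pkts = parse_sniffer(text)
    leaves = [ts for ts, src, dst in pkts if src == host and dst == ALL_ROUTERS]
    gaps = []
    for ts, src, dst in pkts:
        if src == host and dst == group:
            later = [lv for lv in leaves if lv > ts]
            if later:
                gaps.append(round((later[0] - ts).total_seconds(), 2))
    return gaps


if __name__ == "__main__":
    print(summarise(SAMPLE, "10.10.10.1", "10.10.10.50"))
    print("querier present:", querier_present(SAMPLE, "10.10.10.1", "10.10.10.50"))
    print("report -> leave gaps (s):",
          report_to_leave_seconds(SAMPLE, "10.10.10.50", "233.60.157.112"))
```

On the excerpt this reports one general query from 10.10.10.1 (so the FortiGate is acting as querier on dmz), reports from the box followed within seconds by leaves, and gateway-to-group traffic right after each leave, which is the group-specific query pattern. The sniffer's higher verbosity levels print the payload, which would let the IGMP type be read directly instead of inferred from the destination.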
Can you get a debug off the firewall or host for IGMP on the external side?
(protocol #2)
You want to see an IGMP query every 60 or 120 secs for group membership. Also, where does the IPTV sender sit in relation to the firewall (DMZ or WAN)? I'm not 100% clear on this, but guess it's on DMZ?
If yes, then the receivers are on WAN1? Wherever these 2 parties sit, you need to check for the groups and IGMP being enabled. If you have an IGMP-snooping switch, it will need a querier on all subnets or VLANs.
To break it all down:
1: do a sniffer on the subnet/VLAN that holds the IPTV sender
2: do a sniffer on the subnet/VLAN that holds the IPTV receiver
3: ensure IGMP snooping is off (for test purposes) and if you need it, then ensure an IGMP querier is enabled in that subnet
4: for the IPTV sender, make sure:
a: the firewall policy allows it to send (I'm confident you have that done)
b: that the IPTV sender's TTL is not expiring before it is forwarded through
5: run a diag debug flow to triple check
6: run a netstat -ng to ensure you're actively subscribing to a mcast group (Linux) or use netsh.exe (Windows)
7: lastly, ensure the client is looking at the right port# of that group.
PCNSE
NSE
StrongSwan
Hello emnoc.
Sorry for getting back late... I made some progress in my setup, yeah!
I've added to the external (wan1) interface individual IPs in the multicast router config. It now looks like this:
config router multicast
    config interface
        edit "dmz"
            set pim-mode sparse-mode
            config igmp
                set version 2
            end
        next
        edit "wan1"
            set pim-mode sparse-mode
            config join-group
                edit 233.60.157.112
                next
                edit 233.60.157.102
                next
                edit 233.60.157.101
                next
                edit 239.129.10.2
                next
                edit 239.129.10.1
                next
                edit 224.0.1.140
                next
            end
            config igmp
                set version 2
            end
        next
    end
    set multicast-routing enable
end
The multicast IPs 239.129.10.1 and .2 are channels 1 and 2 of my set-top box, nice! If I add .3 and .4 (just 2 more), the stream is cut off, with sliced audio and video.
I guess this is because I'm enabling *at the same time* more than 1 stream down to my IPTV box, what do you think?
Thus, I'm still looking to get this thing working correctly.
First of all, I guess there should be some sort of "dynamic" in the system which allows the IPTV box to switch from one stream to another without leaving the first stream "open", do you get what I mean? How do you think this could be achieved?
I don't want to add each and every single channel I'd like to have on my IPTV box to the config, you agree?
Thanks and regards,
F.
Can you draw a sketch of the network layout?
What you did in the above cfg was to set the firewall as an IGMP subscriber. This might not be good.
e.g.
config join-group
    edit 233.60.157.112
    next
    edit 233.60.157.102
    next
    edit 233.60.157.101
    next
    edit 239.129.10.2
    next
    edit 239.129.10.1
    next
    edit 224.0.1.140
    next
end
If you have no active subscriber, then the firewall is still subscribing to data that has no active subscriptions, eating up your bandwidth and CPU/memory.
PCNSE
NSE
StrongSwan
Hello emnoc,
your words have shed some light :-)
In fact it is as you described: the IPTV box asks on the "dmz" interface to join that IGMP group (239.129.10.1 is channel 1, 239.129.10.2 is channel 2, and so on).
If I open *more* than 2 of these (configure join-group on the wan1 interface), then my TV experience deteriorates in a few seconds (as you said, the firewall is getting data which is *not* needed).
My goal would be to have some sort of "dynamic" subscription on my firewall, do you understand?
The sketch will be posted soon, sorry...
Many thanks!
F.
Awaiting a sketch. FWIW I've never been very impressed with mcast routing and firewalls. Typically I've set up a Cisco router as a mcast termination device and pretty much locked it down.
What you really need is for the FGT to proxy the IGMP requests and handle the IGMP subscriptions.
PCNSE
NSE
StrongSwan
