Hi.
This is my network:
The IPTV service works perfectly if i connect the iptv deco (10.11.12.69) directly to ISP router. If i connect to FGT, the live TV (multicast traffic) works perfect, but VOD (video on demmand) fails.
The IPTV works with this subnet:
I think the fortigate is routing correctly. But something is bad configured. The INTERNET ROUTER is configured with FULL CONE NAT is VLAN of IPTV service.
theoretically, the iptv decoder requests the resource to a server A, but the resource is returned by a server B, to which the IPTV decoder has not established a connection previously. That's what I think is the reason why it's required full cone nat
I try to:
Create manually static routes Configure Full Cone Nat in firewall policy.
Configure ip pool in policy
Nothing works.
This is the logs when i try play some VOD video.
2019.570072 lan out 10.64.0.1 -> 10.11.12.69: icmp: time exceeded in-transit
2020.252251 lan in 10.11.12.69.50865 -> 172.26.22.11.9153: syn 715401103
2020.280314 lan out 172.26.22.11.9153 -> 10.11.12.69.50865: syn 2394425056 ack 715401104
2020.282934 lan in 10.11.12.69.50865 -> 172.26.22.11.9153: ack 2394425057
2020.283786 lan in 10.11.12.69.50865 -> 172.26.22.11.9153: psh 715401104 ack 2394425057
2020.309367 lan out 172.26.22.11.9153 -> 10.11.12.69.50865: ack 715401530
2020.309458 lan out 172.26.22.11.9153 -> 10.11.12.69.50865: ack 715401530
2020.309541 lan out 172.26.22.11.9153 -> 10.11.12.69.50865: psh 2394425057 ack 715401530
2020.309623 lan out 172.26.22.11.9153 -> 10.11.12.69.50865: psh 2394425208 ack 715401530
2020.309703 lan out 172.26.22.11.9153 -> 10.11.12.69.50865: psh 2394425211 ack 715401530
2020.309783 lan out 172.26.22.11.9153 -> 10.11.12.69.50865: psh 2394425213 ack 715401530
2020.313724 lan in 10.11.12.69.50865 -> 172.26.22.11.9153: ack 2394425057
2020.313849 lan in 10.11.12.69.50865 -> 172.26.22.11.9153: ack 2394425208
2020.313937 lan in 10.11.12.69.50865 -> 172.26.22.11.9153: ack 2394425211
2020.317107 lan in 10.11.12.69.50865 -> 172.26.22.11.9153: fin 715401530 ack 2394425220
2020.339358 lan out 172.26.22.11.9153 -> 10.11.12.69.50865: fin 2394425220 ack 715401531
2025.962784 lan in 10.11.12.69.56115 -> 172.26.23.3.53: udp 52
2025.989311 lan out 172.26.23.3.53 -> 10.11.12.69.56115: udp 68
2025.990489 lan in 10.11.12.69.53139 -> 172.26.22.23.2001: syn 805039966
2026.010149 lan out 172.26.22.23.2001 -> 10.11.12.69.53139: syn 3065278316 ack 805039967
2026.010747 lan in 10.11.12.69.53139 -> 172.26.22.23.2001: ack 3065278317
2026.011445 lan in 10.11.12.69.53139 -> 172.26.22.23.2001: psh 805039967 ack 3065278317
2026.039239 lan out 172.26.22.23.2001 -> 10.11.12.69.53139: ack 805040278
2026.048763 lan in 10.11.12.69.53139 -> 172.26.22.23.2001: ack 3065279331
2028.730236 lan in 10.11.12.69.43028 -> 172.26.22.23.2001: syn 858176956
2028.748183 lan in 10.11.12.69.46830 -> 172.26.22.23.2001: syn 858690776
2028.753671 lan out 172.26.22.23.2001 -> 10.11.12.69.43028: syn 3071170399 ack 858176957
2028.755263 lan in 10.11.12.69.43028 -> 172.26.22.23.2001: ack 3071170400
2028.756185 lan in 10.11.12.69.43028 -> 172.26.22.23.2001: psh 858176957 ack 3071170400
2028.763299 lan out 172.26.22.23.2001 -> 10.11.12.69.46830: syn 3072783447 ack 858690777
2028.767782 lan in 10.11.12.69.46830 -> 172.26.22.23.2001: ack 3072783448
2028.768327 lan in 10.11.12.69.46830 -> 172.26.22.23.2001: psh 858690777 ack 3072783448
2028.773420 lan out 172.26.22.23.2001 -> 10.11.12.69.43028: ack 858177302
2028.773522 lan out 172.26.22.23.2001 -> 10.11.12.69.43028: psh 3071170400 ack 858177302
2028.777257 lan in 10.11.12.69.43028 -> 172.26.22.23.2001: ack 3071171686
2028.782719 lan out 172.26.22.23.2001 -> 10.11.12.69.46830: ack 858691118
2028.786327 lan in 10.11.12.69.46830 -> 172.26.22.23.2001: ack 3072784896
2028.786446 lan in 10.11.12.69.46830 -> 172.26.22.23.2001: ack 3072786344
2028.786695 lan in 10.11.12.69.46830 -> 172.26.22.23.2001: ack 3072787792
2028.786782 lan in 10.11.12.69.46830 -> 172.26.22.23.2001: ack 3072787829
2029.934207 lan in 10.11.12.69.50867 -> 172.26.23.3.53: udp 55
2030.058332 lan out 172.26.23.3.53 -> 10.11.12.69.50867: udp 128
2030.114251 lan in 10.11.12.69.41450 -> 172.26.84.199.554: syn 881177784
2030.118898 lan out 172.26.84.199.554 -> 10.11.12.69.41450: syn 2742258451 ack 881177785
2030.119537 lan in 10.11.12.69.41450 -> 172.26.84.199.554: ack 2742258452
2030.119904 lan in 10.11.12.69.41450 -> 172.26.84.199.554: psh 881177785 ack 2742258452
2030.128446 lan out 172.26.84.199.554 -> 10.11.12.69.41450: ack 881177841
2030.129955 lan out 172.26.84.199.554 -> 10.11.12.69.41450: psh 2742258452 ack 881177841
2030.131618 lan in 10.11.12.69.41450 -> 172.26.84.199.554: ack 2742258576
2030.131998 lan in 10.11.12.69.41450 -> 172.26.84.199.554: psh 881177841 ack 2742258576
2030.143307 lan out 172.26.84.199.554 -> 10.11.12.69.41450: psh 2742258576 ack 881178192
2030.148608 lan in 10.11.12.69.46131 -> 172.26.23.3.53: udp 55
2030.187072 lan in 10.11.12.69.41450 -> 172.26.84.199.554: ack 2742259034
2030.345787 lan out 172.26.23.3.53 -> 10.11.12.69.46131: udp 128
2030.348466 lan in 10.11.12.69.41450 -> 172.26.84.199.554: psh 881178192 ack 2742259034
2030.356213 lan out 172.26.84.199.554 -> 10.11.12.69.41450: psh 2742259034 ack 881178582
2030.359691 lan in 10.11.12.69.41450 -> 172.26.84.199.554: ack 2742259071
2030.359851 lan in 10.11.12.69.41450 -> 172.26.84.199.554: fin 881178582 ack 2742259071
2030.365052 lan out 172.26.84.199.554 -> 10.11.12.69.41450: fin 2742259071 ack 881178583
2030.367998 lan in 10.11.12.69.41450 -> 172.26.84.199.554: ack 2742259072
2030.526710 lan in 10.11.12.69.53171 -> 172.26.23.3.53: udp 57
2030.668324 lan out 172.26.23.3.53 -> 10.11.12.69.53171: udp 130
2030.751228 lan in 10.11.12.69.33828 -> 172.26.84.197.554: syn 892288408
2030.857631 lan out 172.26.84.197.554 -> 10.11.12.69.33828: syn 984321796 ack 892288409
2030.861581 lan in 10.11.12.69.33828 -> 172.26.84.197.554: ack 984321797
2030.865319 lan in 10.11.12.69.33828 -> 172.26.84.197.554: psh 892288409 ack 984321797
2030.867169 lan out 172.26.84.197.554 -> 10.11.12.69.33828: ack 892288465
2030.868500 lan out 172.26.84.197.554 -> 10.11.12.69.33828: psh 984321797 ack 892288465
2030.870125 lan in 10.11.12.69.33828 -> 172.26.84.197.554: ack 984321921
2030.870326 lan in 10.11.12.69.33828 -> 172.26.84.197.554: psh 892288465 ack 984321921
2030.892236 lan out 172.26.84.197.554 -> 10.11.12.69.33828: psh 984321921 ack 892288811
2030.895906 lan in 10.11.12.69.50099 -> 172.26.23.3.53: udp 57
2030.920904 lan out 172.26.23.3.53 -> 10.11.12.69.50099: udp 130
2030.922550 lan in 10.11.12.69.33828 -> 172.26.84.197.554: psh 892288811 ack 984322376
2030.927045 lan out 172.26.84.197.554 -> 10.11.12.69.33828: psh 984322376 ack 892289196
2030.929645 lan in 10.11.12.69.33828 -> 172.26.84.197.554: fin 892289196 ack 984322413
2030.936086 lan out 172.26.84.197.554 -> 10.11.12.69.33828: fin 984322413 ack 892289197
2030.938148 lan in 10.11.12.69.33828 -> 172.26.84.197.554: ack 984322414
2033.104736 lan in 10.11.12.69.60523 -> 172.26.23.23.4096: udp 64
2033.117570 lan out 172.26.23.23.4096 -> 10.11.12.69.60523: udp 1348
2033.118089 lan out 172.26.23.23.4096 -> 10.11.12.69.60523: udp 1344
2039.410193 lan out 10.64.0.1 -> 10.11.12.69: icmp: time exceeded in-transit
2041.169538 lan in 10.11.12.69.60523 -> 172.26.23.23.4096: udp 64
2041.173690 lan in 10.11.12.69 -> 172.26.23.23: icmp: 10.11.12.69 udp port 60523 unreachable
2041.173812 lan in 10.11.12.69 -> 172.26.23.23: icmp: 10.11.12.69 udp port 60523 unreachable
2041.173914 lan in 10.11.12.69 -> 172.26.23.23: icmp: 10.11.12.69 udp port 60523 unreachable
2041.174043 lan in 10.11.12.69 -> 172.26.23.23: icmp: 10.11.12.69 udp port 60523 unreachable
2041.178163 lan in 10.11.12.69 -> 172.26.23.23: icmp: 10.11.12.69 udp port 60523 unreachable
2041.178259 lan in 10.11.12.69 -> 172.26.23.23: icmp: 10.11.12.69 udp port 60523 unreachable
This is the config of policy:
config firewall policy edit 7 set name "MOVISTAR TV" set uuid e6bf73dc-9ada-51e7-3e34-796c61f8ecb3 set srcintf "lan" set dstintf "wan" set srcaddr "MOVISTAR DECO" (10.11.12.69) set dstaddr "all" set action accept set schedule "always" set service "ALL" set logtraffic all set nat enable set permit-any-host enable
I tried to create this ippool configured in previously policy with no results:
config firewall ippool edit "m+nat" set type port-block-allocation set startip 192.168.1.2 set endip 192.168.1.2 set permit-any-host enable set arp-reply disable
Any idea why exists this udp errors?
Thanks u
Any idea?
Hi Albert,
I have a partial working solution. Live TV is working, menus, chanel description but VoD is still missing.
The only way is to enable multicast forwarding, it is not the best way because multicast traffic is flowing to all ports. This is why I have insolated the deco network.
Looking at your config, you should apply the "m+nat" to the policy that enable traffic from lan to wan.
Regards,
Galo
Hi
Thanks for the info.
Do you have a config to share ?
Thanks
Have you achieved via PIM-SM or MC forwarding enable?
Also can you let me know if multiple IPTV behind FTG is working fine?
I am struggling with this problem as well. Can someone who has made this work please share the necessary config files?
Thank you!
Good day. I am struggling trying to setup a Fortigate 60E with Movistar FTTH. I did setup the Askey router in bridge mode and managed to get internet access working, but with my limited knowledge on FortiOS I am not able to setup voip and iptv. May anybody having this setup running please share his/her config?
Thank you very much in advance. Stay safe.
Carlos
It sounds like you're dealing with a challenging situation involving multicast traffic and NAT configurations. The issue you're facing with your IPTV setup, where multicast traffic works but VOD fails, is likely due to the Full Cone NAT requirements not being fully met on your FortiGate firewall.
Full Cone NAT Configuration: Ensure that the Full Cone NAT is correctly configured. This type of NAT allows any external host to send a packet to the internal host, even if the internal host hasn't initiated a connection with that specific external host. If your FortiGate's NAT setup isn't doing this correctly, it could explain why VOD is failing, as it may involve connections initiated by different servers.
Firewall Policy: The configuration of your firewall policy seems correct, but double-check if "permit-any-host" is working as intended. You might want to test with a different NAT mode (such as one-to-one NAT) to see if it resolves the issue.
IP Pool Configuration: The IP pool you've set up may not be correctly applied to the VOD traffic. Consider using a different range or ensuring that the pool is properly mapped to the policy.
Logs and UDP Errors: The UDP errors you're seeing indicate that the return traffic isn't being handled as expected, possibly due to the FortiGate dropping packets that don’t match expected connections. Look into the FortiGate's session table to verify that sessions are being tracked correctly.
If you're working on configuring your network and dealing with video traffic, it's a bit like editing videos—precision is key. Just as you'd use a reliable tool like CapCut to ensure everything aligns perfectly in your videos, you'll want to make sure your network configuration is equally precise.
Click here to explore CapCut, a tool that offers the kind of reliability and precision you need, whether you're editing videos or fine-tuning your network setup.
It sounds like you're dealing with a complex network issue with your IPTV setup. While I can’t dive deep into network configurations, I can say that sometimes issues like this stem from misconfigurations in NAT or IP pools. On a slightly related note, if you ever need to work on editing videos for your IPTV content or for any other media, I highly recommend CapCut. It's a powerful video editor that allows you to easily edit and customize your videos with a variety of effects, filters, and transitions. Furthermore, if you are into capcut video editing and do not know how to Convert a Normal Video Clip to High Quality in CapCut then click here and follow the guide. You can even export in different formats, making it handy for various platforms. It might be a great tool for enhancing any media you handle!
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1735 | |
1107 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.