Hi.
This is my network:
The IPTV service works perfectly if I connect the IPTV deco (10.11.12.69) directly to the ISP router. If I connect it to the FGT, live TV (multicast traffic) works perfectly, but VOD (video on demand) fails.
The IPTV works with this subnet:
I think the FortiGate is routing correctly, but something is badly configured. The INTERNET ROUTER is configured with FULL CONE NAT in the VLAN of the IPTV service.
Theoretically, the IPTV decoder requests the resource from server A, but the resource is returned by server B, with which the IPTV decoder has not previously established a connection. That's what I think is the reason why full cone NAT is required.
I tried to:
Manually create static routes.
Configure full cone NAT in the firewall policy.
Configure an IP pool in the policy.
Nothing works.
These are the logs when I try to play a VOD video.
2019.570072 lan out 10.64.0.1 -> 10.11.12.69: icmp: time exceeded in-transit
2020.252251 lan in 10.11.12.69.50865 -> 172.26.22.11.9153: syn 715401103
2020.280314 lan out 172.26.22.11.9153 -> 10.11.12.69.50865: syn 2394425056 ack 715401104
2020.282934 lan in 10.11.12.69.50865 -> 172.26.22.11.9153: ack 2394425057
2020.283786 lan in 10.11.12.69.50865 -> 172.26.22.11.9153: psh 715401104 ack 2394425057
2020.309367 lan out 172.26.22.11.9153 -> 10.11.12.69.50865: ack 715401530
2020.309458 lan out 172.26.22.11.9153 -> 10.11.12.69.50865: ack 715401530
2020.309541 lan out 172.26.22.11.9153 -> 10.11.12.69.50865: psh 2394425057 ack 715401530
2020.309623 lan out 172.26.22.11.9153 -> 10.11.12.69.50865: psh 2394425208 ack 715401530
2020.309703 lan out 172.26.22.11.9153 -> 10.11.12.69.50865: psh 2394425211 ack 715401530
2020.309783 lan out 172.26.22.11.9153 -> 10.11.12.69.50865: psh 2394425213 ack 715401530
2020.313724 lan in 10.11.12.69.50865 -> 172.26.22.11.9153: ack 2394425057
2020.313849 lan in 10.11.12.69.50865 -> 172.26.22.11.9153: ack 2394425208
2020.313937 lan in 10.11.12.69.50865 -> 172.26.22.11.9153: ack 2394425211
2020.317107 lan in 10.11.12.69.50865 -> 172.26.22.11.9153: fin 715401530 ack 2394425220
2020.339358 lan out 172.26.22.11.9153 -> 10.11.12.69.50865: fin 2394425220 ack 715401531
2025.962784 lan in 10.11.12.69.56115 -> 172.26.23.3.53: udp 52
2025.989311 lan out 172.26.23.3.53 -> 10.11.12.69.56115: udp 68
2025.990489 lan in 10.11.12.69.53139 -> 172.26.22.23.2001: syn 805039966
2026.010149 lan out 172.26.22.23.2001 -> 10.11.12.69.53139: syn 3065278316 ack 805039967
2026.010747 lan in 10.11.12.69.53139 -> 172.26.22.23.2001: ack 3065278317
2026.011445 lan in 10.11.12.69.53139 -> 172.26.22.23.2001: psh 805039967 ack 3065278317
2026.039239 lan out 172.26.22.23.2001 -> 10.11.12.69.53139: ack 805040278
2026.048763 lan in 10.11.12.69.53139 -> 172.26.22.23.2001: ack 3065279331
2028.730236 lan in 10.11.12.69.43028 -> 172.26.22.23.2001: syn 858176956
2028.748183 lan in 10.11.12.69.46830 -> 172.26.22.23.2001: syn 858690776
2028.753671 lan out 172.26.22.23.2001 -> 10.11.12.69.43028: syn 3071170399 ack 858176957
2028.755263 lan in 10.11.12.69.43028 -> 172.26.22.23.2001: ack 3071170400
2028.756185 lan in 10.11.12.69.43028 -> 172.26.22.23.2001: psh 858176957 ack 3071170400
2028.763299 lan out 172.26.22.23.2001 -> 10.11.12.69.46830: syn 3072783447 ack 858690777
2028.767782 lan in 10.11.12.69.46830 -> 172.26.22.23.2001: ack 3072783448
2028.768327 lan in 10.11.12.69.46830 -> 172.26.22.23.2001: psh 858690777 ack 3072783448
2028.773420 lan out 172.26.22.23.2001 -> 10.11.12.69.43028: ack 858177302
2028.773522 lan out 172.26.22.23.2001 -> 10.11.12.69.43028: psh 3071170400 ack 858177302
2028.777257 lan in 10.11.12.69.43028 -> 172.26.22.23.2001: ack 3071171686
2028.782719 lan out 172.26.22.23.2001 -> 10.11.12.69.46830: ack 858691118
2028.786327 lan in 10.11.12.69.46830 -> 172.26.22.23.2001: ack 3072784896
2028.786446 lan in 10.11.12.69.46830 -> 172.26.22.23.2001: ack 3072786344
2028.786695 lan in 10.11.12.69.46830 -> 172.26.22.23.2001: ack 3072787792
2028.786782 lan in 10.11.12.69.46830 -> 172.26.22.23.2001: ack 3072787829
2029.934207 lan in 10.11.12.69.50867 -> 172.26.23.3.53: udp 55
2030.058332 lan out 172.26.23.3.53 -> 10.11.12.69.50867: udp 128
2030.114251 lan in 10.11.12.69.41450 -> 172.26.84.199.554: syn 881177784
2030.118898 lan out 172.26.84.199.554 -> 10.11.12.69.41450: syn 2742258451 ack 881177785
2030.119537 lan in 10.11.12.69.41450 -> 172.26.84.199.554: ack 2742258452
2030.119904 lan in 10.11.12.69.41450 -> 172.26.84.199.554: psh 881177785 ack 2742258452
2030.128446 lan out 172.26.84.199.554 -> 10.11.12.69.41450: ack 881177841
2030.129955 lan out 172.26.84.199.554 -> 10.11.12.69.41450: psh 2742258452 ack 881177841
2030.131618 lan in 10.11.12.69.41450 -> 172.26.84.199.554: ack 2742258576
2030.131998 lan in 10.11.12.69.41450 -> 172.26.84.199.554: psh 881177841 ack 2742258576
2030.143307 lan out 172.26.84.199.554 -> 10.11.12.69.41450: psh 2742258576 ack 881178192
2030.148608 lan in 10.11.12.69.46131 -> 172.26.23.3.53: udp 55
2030.187072 lan in 10.11.12.69.41450 -> 172.26.84.199.554: ack 2742259034
2030.345787 lan out 172.26.23.3.53 -> 10.11.12.69.46131: udp 128
2030.348466 lan in 10.11.12.69.41450 -> 172.26.84.199.554: psh 881178192 ack 2742259034
2030.356213 lan out 172.26.84.199.554 -> 10.11.12.69.41450: psh 2742259034 ack 881178582
2030.359691 lan in 10.11.12.69.41450 -> 172.26.84.199.554: ack 2742259071
2030.359851 lan in 10.11.12.69.41450 -> 172.26.84.199.554: fin 881178582 ack 2742259071
2030.365052 lan out 172.26.84.199.554 -> 10.11.12.69.41450: fin 2742259071 ack 881178583
2030.367998 lan in 10.11.12.69.41450 -> 172.26.84.199.554: ack 2742259072
2030.526710 lan in 10.11.12.69.53171 -> 172.26.23.3.53: udp 57
2030.668324 lan out 172.26.23.3.53 -> 10.11.12.69.53171: udp 130
2030.751228 lan in 10.11.12.69.33828 -> 172.26.84.197.554: syn 892288408
2030.857631 lan out 172.26.84.197.554 -> 10.11.12.69.33828: syn 984321796 ack 892288409
2030.861581 lan in 10.11.12.69.33828 -> 172.26.84.197.554: ack 984321797
2030.865319 lan in 10.11.12.69.33828 -> 172.26.84.197.554: psh 892288409 ack 984321797
2030.867169 lan out 172.26.84.197.554 -> 10.11.12.69.33828: ack 892288465
2030.868500 lan out 172.26.84.197.554 -> 10.11.12.69.33828: psh 984321797 ack 892288465
2030.870125 lan in 10.11.12.69.33828 -> 172.26.84.197.554: ack 984321921
2030.870326 lan in 10.11.12.69.33828 -> 172.26.84.197.554: psh 892288465 ack 984321921
2030.892236 lan out 172.26.84.197.554 -> 10.11.12.69.33828: psh 984321921 ack 892288811
2030.895906 lan in 10.11.12.69.50099 -> 172.26.23.3.53: udp 57
2030.920904 lan out 172.26.23.3.53 -> 10.11.12.69.50099: udp 130
2030.922550 lan in 10.11.12.69.33828 -> 172.26.84.197.554: psh 892288811 ack 984322376
2030.927045 lan out 172.26.84.197.554 -> 10.11.12.69.33828: psh 984322376 ack 892289196
2030.929645 lan in 10.11.12.69.33828 -> 172.26.84.197.554: fin 892289196 ack 984322413
2030.936086 lan out 172.26.84.197.554 -> 10.11.12.69.33828: fin 984322413 ack 892289197
2030.938148 lan in 10.11.12.69.33828 -> 172.26.84.197.554: ack 984322414
2033.104736 lan in 10.11.12.69.60523 -> 172.26.23.23.4096: udp 64
2033.117570 lan out 172.26.23.23.4096 -> 10.11.12.69.60523: udp 1348
2033.118089 lan out 172.26.23.23.4096 -> 10.11.12.69.60523: udp 1344
2039.410193 lan out 10.64.0.1 -> 10.11.12.69: icmp: time exceeded in-transit
2041.169538 lan in 10.11.12.69.60523 -> 172.26.23.23.4096: udp 64
2041.173690 lan in 10.11.12.69 -> 172.26.23.23: icmp: 10.11.12.69 udp port 60523 unreachable
2041.173812 lan in 10.11.12.69 -> 172.26.23.23: icmp: 10.11.12.69 udp port 60523 unreachable
2041.173914 lan in 10.11.12.69 -> 172.26.23.23: icmp: 10.11.12.69 udp port 60523 unreachable
2041.174043 lan in 10.11.12.69 -> 172.26.23.23: icmp: 10.11.12.69 udp port 60523 unreachable
2041.178163 lan in 10.11.12.69 -> 172.26.23.23: icmp: 10.11.12.69 udp port 60523 unreachable
2041.178259 lan in 10.11.12.69 -> 172.26.23.23: icmp: 10.11.12.69 udp port 60523 unreachable
This is the config of the policy:
config firewall policy
    edit 7
        set name "MOVISTAR TV"
        set uuid e6bf73dc-9ada-51e7-3e34-796c61f8ecb3
        set srcintf "lan"
        set dstintf "wan"
        set srcaddr "MOVISTAR DECO" (10.11.12.69)
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set permit-any-host enable
I tried to create this IP pool and configured it in the previous policy, with no results:
config firewall ippool
    edit "m+nat"
        set type port-block-allocation
        set startip 192.168.1.2
        set endip 192.168.1.2
        set permit-any-host enable
        set arp-reply disable
Any idea why these UDP errors occur?
Thank you.
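
The "request to server A, stream from server B" behaviour the post hypothesises can be modelled as a difference in NAT inbound filtering. The following is an added example, not part of the original post and not FortiOS code: the `Nat` class, `replay` function, starting external port 5000 and the server B and unrelated-host addresses are constructed for illustration, while the decoder, server A and pool addresses are taken from the post.

```python
from dataclasses import dataclass, field

@dataclass
class Nat:
    """Toy UDP NAT (hypothetical model): one mapping per internal endpoint."""
    external_ip: str
    full_cone: bool                 # True = endpoint-independent filtering
    next_port: int = 5000           # constructed start of the port block
    mappings: dict = field(default_factory=dict)  # internal endpoint -> ext port
    reverse: dict = field(default_factory=dict)   # ext port -> internal endpoint
    peers: dict = field(default_factory=dict)     # ext port -> remotes contacted

    def outbound(self, src, dst):
        """Translate an outbound packet; return the (ip, port) the remote sees."""
        if src not in self.mappings:
            self.mappings[src] = self.next_port
            self.reverse[self.next_port] = src
            self.next_port += 1
        ext_port = self.mappings[src]
        self.peers.setdefault(ext_port, set()).add(dst)
        return (self.external_ip, ext_port)

    def inbound(self, src, dst_port):
        """Return the internal endpoint the packet reaches, or None if dropped."""
        internal = self.reverse.get(dst_port)
        if internal is None:
            return None             # no mapping exists for this external port
        if self.full_cone or src in self.peers[dst_port]:
            return internal         # full cone accepts any source on a mapped port
        return None                 # restricted: only previously contacted remotes

def replay(full_cone):
    """Decoder contacts server A; replies then arrive from A, B and a stranger."""
    nat = Nat("192.168.1.2", full_cone)          # pool address from the post
    deco = ("10.11.12.69", 60523)                # decoder endpoint from the capture
    server_a = ("172.26.23.23", 4096)            # server from the capture
    server_b = ("172.26.23.24", 4096)            # constructed second server
    stranger = ("198.51.100.7", 40000)           # constructed unrelated host
    _, ext_port = nat.outbound(deco, server_a)
    return {
        "reply_from_a": nat.inbound(server_a, ext_port),
        "stream_from_b": nat.inbound(server_b, ext_port),
        "unrelated_host": nat.inbound(stranger, ext_port),
    }
```

With `full_cone=False` only server A's reply reaches the decoder; with `full_cone=True` server B's stream is forwarded, and so is traffic from any other host that sends to the mapped port, which is why the setting is best limited to a policy scoped to the IPTV source and destination ranges.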