UDM Pro | IPTV Germany | Firewall rules #79
Replies: 5 comments 5 replies
-
|
Hello, i need help for firewall rules. Now, i've find via SAP multicast streams (udp), but i didn't get a stream. It can't start. My groups are IPTV_Source (91.137.0.0/16, 172.16.0.0/16) and IPTV_Dest (224.0.0.0/4). | | RULE INDEX | ACTION | COUNT | TYPE | DESCRIPTION | | 2001 | Accept | All | Internet In | Allow IGMP to LAN | Any -> IPTV_Source | | 2003 | Accept | UDP | Internet Local | IPTV | IPTV_Source -> IPTV_Dest Has anyone an idea???
|
Beta Was this translation helpful? Give feedback.
-
|
Hi, How did you find the needed IP addresses? I'm currently lost in my research to get my IPTV working with UI. By the way I also thought that I need FW rules but somehow this does not make sense as the Ubuiquiti FW works different as the standard which means that by default it lets everything pass (accepting all trafic - if there are no custom blocking rules it shall not block any trafic, at least that's my understanding. |
Beta Was this translation helpful? Give feedback.
-
|
Hello, I was able to find the IP address of the IPTV streams. I now only have the problem that the streams are displayed but not loaded, at least I think so. Apparently the FW blocks the connection to the registration at the multicast host. Rule without any FW, nothing arrives. |
Beta Was this translation helpful? Give feedback.
-
|
Maybe I have the same problem here.... but I have doubts as the Ubuiquiti FW works inverted to standard FWs which means by default all traffic is allowed. I'm just not sure if this is true for UDP trafic too etc. Another problem might be that multicast traffic is not routed between LAN and WAN ? If someone could explain how to verify this (maybe with wireshark? but how). As said, the FW should allow all trafic by default (which is not the case with all other enterprise level firewalls, but Ubuiquiti has implemented it that way...), so my point is that there might be another problem as multicast trafic not being routed. |
Beta Was this translation helpful? Give feedback.
-
|
I see it similar. The multicast traffic is probably blocked in principle in the FW. This is relatively easy to release. In the second step, I also think that the communication in the LAN must be configured. That's why I see the IPTV channels with me, but the stream doesn't come about. But I don't know how I have to set the FW for this. |
Beta Was this translation helpful? Give feedback.
-
|
are you able to trace traffic? I don't know how your provider has done the IPTV infrastructure / network setup. It might be that there are multicast inbound streams to specific ports that are "initiated" from outside based on your request, which would mean that for the firewall it's not related/established traffic. If that is the case you'll probably need to add FW rules to accept this (UDP-Unicast and/or UDP-Multicast) traffic on the specific ports. So the best would be to trace traffic with Wirkeshark and analyse what's going on starting at the moment where you request a channel and then look at the conversations between SRC and DST IPs as well as DST Ports etc |
Beta Was this translation helpful? Give feedback.
-
|
Current progress: I've been experimenting with the FW rules. Now the stream runs on the PC via SAP without any problems. I only had to allow the UDP stream from the known IPTV address. What is currently not working is that the UDPXY on my NAS recognizes the UDP streams in the LAN or there is no throughput. The rules also seem to be decisive here, which is more of a Unifi problem... |
Beta Was this translation helpful? Give feedback.
-
|
I thought the problems are solved... since the last update from Fabian there are no streams detected, no iptv in house, i've no idea whats the problem |
Beta Was this translation helpful? Give feedback.
-
|
I recommend looking at the suggestions from @horolux. We can't help you without more information. |
Beta Was this translation helpful? Give feedback.
-
|
2 months later: The problems were the firewall rules. These 2 rules make me happy to see UDP-Streams: Now, i can access to multicastgroups and it doesn't drop after 260 seconds ... Just now, does anyone know about an UPDXY on the UDM/P? I've installed one on my NAS, but here are also problems, because there is not throughput... |
Beta Was this translation helpful? Give feedback.
-
Hello, i've an UDM Pro. I need your help. The following conditions are anticipated:
My ISP told my, that VLC-Player could find the Streeams via SAP. This actually works if I use a different router (e.g. ASUS). So, I know the streams IP are 239.190.x.x.
Now, i've installed Fabian's Code. on my UDM Pro. I've configured it multiple times with different options. I get no stream. Also i think, the IP Link and Route never show iptv@eth8.
Have anyone any ideas?
=== Configuration 1 ===
WAN Interface: eth8
WAN Ranges: 224.0.0.0/4 91.137.0.0/16 239.190.0.0/16
WAN VLAN: 500 (dev iptv)
WAN DHCP options: -O staticroutes -V IPTV_RG
LAN Interfaces: br0 br10 br5
IGMP Proxy quickleave disabled: false
IGMP Proxy debug: true
=== IP Link and Route ===
=== Service Logs ===
Feb 23 16:57:10 ubnt systemd[1]: udm-iptv.service: Service RestartSec=5s expired, scheduling restart.
Feb 23 16:57:10 ubnt systemd[1]: udm-iptv.service: Scheduled restart job, restart counter is at 1.
Feb 23 16:57:10 ubnt systemd[1]: Stopped IPTV support for the UniFi Dream Machine.
Feb 23 16:57:10 ubnt systemd[1]: udm-iptv.service: Consumed 173ms CPU time.
Feb 23 16:57:10 ubnt systemd[1]: Started IPTV support for the UniFi Dream Machine.
Feb 23 16:57:10 ubnt udm-iptv[13662]: Device iptv already exists.. Deleting device
Feb 23 16:57:10 ubnt udm-iptv[13662]: Obtaining IP address for VLAN interface
Feb 23 16:57:10 ubnt udm-iptv[13662]: udhcpc (v1.22.1) started
Feb 23 16:57:10 ubnt udm-iptv[13662]: Sending discover...
Feb 23 16:57:13 ubnt udm-iptv[13662]: Sending discover...
=== Configuration 2 ===
WAN Interface: eth8
WAN Ranges: 224.0.0.0/4 91.137.0.0/16 239.190.0.0/16
WAN VLAN: 0 (dev iptv)
WAN DHCP options: -O staticroutes -V IPTV_RG
LAN Interfaces: br0 br10 br5
IGMP Proxy quickleave disabled: false
IGMP Proxy debug: true
=== IP Link and Route ===
4: eth8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc htb qlen 1000
inet 91.137.XXX.XXX/23 scope global dynamic eth8
valid_lft 68891sec preferred_lft 68891sec
91.137.XXX.XXX/23 dev eth8 src 91.137.XXX.XXX
=== Service Logs ===
Feb 23 17:09:41 ubnt udm-iptv[5709]: RECV V2 member report from 192.168.10.1 to 233.89.188.1
Feb 23 17:09:41 ubnt udm-iptv[5709]: The IGMP message was from myself. Ignoring.
Feb 23 17:09:41 ubnt udm-iptv[5709]: The source address 192.168.10.1 for group 233.89.188.1 is from downstream VIF[0]. Ignoring.
Feb 23 17:09:41 ubnt udm-iptv[5709]: Route activation request from 91.137.124.109 for 233.89.188.1 is from myself. Ignoring.
Feb 23 17:09:42 ubnt udm-iptv[5709]: RECV V2 member report from 192.168.1.21 to 239.254.127.63
Feb 23 17:09:42 ubnt udm-iptv[5709]: Inserted route table entry for 239.254.127.63 on VIF #1
Feb 23 17:09:42 ubnt udm-iptv[5709]: Joining group 239.254.127.63 on interface eth8
Feb 23 17:09:42 ubnt udm-iptv[5709]: RECV V2 member report from 192.168.1.10 to 239.192.152.143
Feb 23 17:09:42 ubnt udm-iptv[5709]: Inserted route table entry for 239.192.152.143 on VIF #1
Feb 23 17:09:42 ubnt udm-iptv[5709]: Joining group 239.192.152.143 on interface eth8
Beta Was this translation helpful? Give feedback.
All reactions