abirkill
join:2016-08-11
Squamish, BC

3 recommendations

abirkill to revenue


Re: [ALL] Telus IGMP settings 2016 pfsense

I recently switched from the Telus router to pfSense on my GPON connection, so this was something I needed to figure out too. I've spent a couple of hours on it today and have come up with some settings that are working well for me.

The settings mentioned at the beginning of the thread are still basically correct, but there are a number of other things I had to do to get things to work properly. I'm using a clean install of the latest stable version of pfSense, 2.3.2 -- these settings may not work on earlier versions. More specifically, from reading the pfSense issue tracker, I understand that igmpproxy was updated from a 2005 version to a much more recent version in the 2.3 stream, so I imagine there are a lot of bugfixes that aren't in the 2.2 releases of pfSense.

I have also not yet enabled IPv6 on my pfSense router. I doubt this will cause any problems, as my understanding is that the IPTV services are entirely IPv4 based even if IPv6 is available, but for completeness this needs to be mentioned. Once I'm happy this is stable for a couple of weeks I'll probably tackle IPv6.

Here is what I believe are the required settings, although I haven't done a factory reset and tried applying these alone, so I may have missed something. There's also a good chance that some settings may not be required -- it's quite tedious to try and ensure you have the minimum settings. Where possible I've added a brief description as to why I think the setting may be necessary, and I've included screenshots in case there are settings that I forgot I've changed, or settings that have new defaults which may not have been updated if you've upgraded pfSense from an earlier version.

Interfaces/LAN
The setting I've changed here is to uncheck 'Block bogon networks'. Bogon networks are IP addresses which are reserved but not allocated to anyone. However, the bogon list includes the 224.0.0.0/4 range, which is used for multicast.

Note that it's almost certainly possible to leave this setting enabled, and use a more restrictive firewall policy to just allow the multicast range. However, when I briefly tried this, I was unable to get my custom rule to appear above the bogon rule in the pfSense firewall, so it would not be reached. For the moment, I've gone with the easy approach.




Interfaces/WAN
Here I've again unchecked the 'Block bogon networks' setting, but also unchecked the 'Block private networks and loopback addresses' setting. Some communications with Telus appear to occur in the 10.10.x.x IP range, which is considered a private network, so if this setting is checked these communications will be blocked. Again, it's almost certainly possible to use a firewall rule to allow the specific ranges without needing to fully disable this setting, but I couldn't get the rule to go high enough.




Firewall/Rules/WAN

These are the two WAN firewall rules I needed to create. (The blurred rule is irrelevant to the operation of IPTV). We need a UDP rule, which allows the traffic that arrives in the first ten seconds of the stream, before the multicast handover takes place, and then we need a rule to allow the multicast traffic in from the Telus internal IP range.




Here are the two rules in more detail:

WAN Rule 1
Here's the UDP rule. We only need to pass traffic on port 6288 for this to work. Also note that you do not need to go into the Advanced Options section and enable the 'Allow IP options' setting on this rule (although I doubt doing so would cause problems).




WAN Rule 2
Here's the IGMP rule. For this rule we do need to expand the 'Advanced Options' section and enable the 'Allow IP options' setting.




Firewall/Rules/LAN
In the LAN section of the firewall rules, I didn't have to create any rules, but I did have to edit the default IPv4 rule to again enable the 'Allow IP options' setting in the 'Advanced Options' section. Without this, it appears that the multicast requests coming from the Telus IPTV box were not being passed out to the WAN connection.




Services/IGMP Proxy
Finally, here I had to create the usual two rules. For the LAN rule, I left the networks section blank. This seems to be commonly used by other routers which run IGMPProxy, and presumably allows any local network address to be accepted. Note that if you add a network in this rule in pfSense, it will not let you remove it -- it insists on one network remaining. However, if you delete the rule and re-create it, you can leave the network section blank and it works fine.

Again, I suspect it would probably work fine if you explicitly enter your local network CIDR range, but why bother if you don't need to?

For the WAN rule, I added the 10.0.0.0/8 and 207.0.0.0/8 ranges as documented earlier in this thread, which worked great for some channels, but failed for some others. Doing some packet captures revealed that the other channels used the 209.0.0.0/8 range, so I added that as well. I only have a small number of channels; if you have lots of channels you may need additional ranges too.




Conclusion
And that (I think!) is everything!

One thing I did discover was that not all of these settings are needed for multicast to start to work -- for quite a while I had a situation where the first 10 seconds would come over UDP, it would switch to multicast, run for 2-3 minutes, and then drop out for about a minute before automatically re-establishing. I believe this is because the STB sends some kind of acknowledgement to the Telus end every couple of minutes to confirm it's still listening, to prevent Telus from constantly bombarding your network with a multicast stream in the situation where the box has crashed. If the Telus end doesn't get this, it stops the multicast stream, and it takes a minute or so for the box to re-request it. So if you get these settings working but want to tweak them, make sure you watch for at least 3-4 minutes before deciding if a change has worked, as otherwise you may get constant drop-outs every few minutes.

Just to confirm everything's working for me, here's a traffic graph while watching CNN HD, showing a nice solid ~5.4mbps stream. Note that the traffic breakdown by IP doesn't show any traffic related to the stream, as it's multicast -- but it will show the first ten seconds or so as they are sent over UDP.




And here's a table from darkstat showing the traffic is indeed coming in as multicast data:



Let me know if you have any questions and I'll try my best to help!
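
An added example, not part of abirkill's post: a check that replays the altnet troubleshooting described above, listing the multicast sources in a capture that the configured igmpproxy upstream ranges do not cover, and the narrowest prefix that would cover them. The sample flows are constructed and the function names are this example's own.

```python
import ipaddress

MULTICAST = ipaddress.ip_network("224.0.0.0/4")
# Upstream ranges first tried in the post, before 209.0.0.0/8 was added.
ALTNETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "207.0.0.0/8")]

# Constructed (source, destination) pairs standing in for a WAN capture.
SAMPLE_FLOWS = [
    ("10.10.4.21", "239.1.1.5"),
    ("207.0.12.9", "239.1.1.6"),
    ("209.0.7.33", "239.1.2.10"),
    ("209.0.7.40", "239.1.2.11"),
    ("209.0.7.40", "239.1.2.11"),    # duplicate packet
    ("192.0.2.15", "198.51.100.2"),  # unicast, not relevant to igmpproxy
]

def multicast_sources(flows):
    """Unique source addresses that sent to a multicast group."""
    return sorted({ipaddress.ip_address(s) for s, d in flows
                   if ipaddress.ip_address(d) in MULTICAST})

def uncovered_sources(flows, altnets):
    """Multicast sources that no configured upstream range matches."""
    return [s for s in multicast_sources(flows)
            if not any(s in net for net in altnets)]

def tightest_prefix(addrs):
    """Smallest single IPv4 network containing every address in addrs."""
    ints = [int(a) for a in addrs]
    host_bits = (min(ints) ^ max(ints)).bit_length()
    base = (min(ints) >> host_bits) << host_bits
    return ipaddress.ip_network((base, 32 - host_bits))

def suggest_ranges(flows):
    """Per first octet, the narrowest prefix covering the observed sources."""
    groups = {}
    for s in multicast_sources(flows):
        groups.setdefault(int(s) >> 24, []).append(s)
    return {octet: tightest_prefix(g) for octet, g in sorted(groups.items())}

if __name__ == "__main__":
    print("not covered:", [str(s) for s in uncovered_sources(SAMPLE_FLOWS, ALTNETS)])
    for octet, net in suggest_ranges(SAMPLE_FLOWS).items():
        print(f"{octet}.x sources fit in {net}")
```

A prefix derived this way only covers the channels watched during the capture, so it trades the broad /8 entries for a re-check whenever a new channel fails to start.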
58391701 (banned)
join:2014-06-30
New Westminster, BC
Actiontec T1200H
Ubiquiti EdgeRouter X
Netgear R7000

1 edit

1 recommendation


cool, thanks!

i now got this working on edgemax, i have working IPv6 and there is no conflict

ETH1 is my WAN

SWITCH0 is my LAN

admin@ERX:~$ configure
[edit]
admin@ERX# edit protocols igmp-proxy
[edit protocols igmp-proxy]
admin@ERX# set interface eth1 role upstream
[edit protocols igmp-proxy]
admin@ERX# set interface eth1 alt-subnet 207.0.0.0/8
[edit protocols igmp-proxy]
admin@ERX# set interface eth1 alt-subnet 209.0.0.0/8
[edit protocols igmp-proxy]
admin@ERX# set interface eth1 alt-subnet 10.0.0.0/8
[edit protocols igmp-proxy]
admin@ERX# commit
[ protocols igmp-proxy ]
Error: must define an upstream and at least 1 downstream

Commit failed
[edit protocols igmp-proxy]
admin@ERX# set interface switch0 role downstream
[edit protocols igmp-proxy]
admin@ERX# commit
[ protocols igmp-proxy ]
Starting IGMP proxy

[edit protocols igmp-proxy]
admin@ERX#




those are the firewall rules applied to my wan in and wan local



and traffic monitoring works for me

now to figure out how to connect boxes over VPN