IPTV handling on OpenBSD soft router


IPTV handling on OpenBSD soft router

Максим
Hello,
I am trying to set up an IPTV-box behind a soft router.

When my internet (iptv) provider installed the IPTV box he said that
I need a switch before my soft router to let IPTV stream successfully
pass to the IPTV box.
I thought that a virtual bridge interface would be enough for this purpose.
I created a bridge0 interface and added three interfaces to it:
em0 - a physical one which delivers internet and iptv from my provider.
em2 - a physical one to which the IPTV-box is connected and which
receives a MAC-bound IP address from the local network of my provider
(100.65.129.0/24).
vether0 - a virtual one which receives an external IP address from the DHCP
server of my provider (it therefore belongs to the egress group) and through
which my home computers access the internet using NAT ({ vether1 em1 em3
athn0 }).

When PF is disabled the IPTV-box is working.
When PF is enabled the IPTV box works for several seconds and then the
picture freezes. When I change to another TV channel it works again for
several seconds and then it freezes again.
My pf settings are listed below (I used some of the config in PF user's
guide)
I do no filtering on the ports needed (em0, em2)

When I do:
tcpdump -n -e -i pflog0 not ifname vether0
It shows no blocked packets

What am I missing?


""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
router root ~ # cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

int_if = "{ vether1 em1 em3 athn0 }"
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16     \
            172.16.0.0/12 192.0.2.0/24 224.0.0.0/3 \
            192.168.0.0/16 198.18.0.0/15 198.51.100.0/24        \
            203.0.113.0/24 }
table <bad_ips> persist file "/etc/pf/bad_ip"

block log all

set block-policy drop
set loginterface egress
set skip on lo

match out on egress inet from (vether1:network) to any nat-to (egress:0)

block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
pass out quick inet
pass in on $int_if inet

#  IPTV
pass on em2
pass on em0

#
pass in on egress inet proto tcp from !<bad_ips> to (egress) port 22
pass in on egress inet proto tcp from !<bad_ips> to (egress) port 80
pass in on egress inet proto { tcp udp } from any to (egress) port {
51413 22034 6890:6999 6881 }  rdr-to 192.168.1.4
pass in on egress inet proto { tcp udp } from any to (egress) port {
50000 }  rdr-to 192.168.1.65

#block return # block stateless traffic
#pass # establish keep-state

# By default, do not permit remote connections to X11
#block return in on ! lo0 proto tcp to port 6000:6010
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

       
--
Best regards
Maksim Rodin


Re: IPTV handling on OpenBSD soft router

Peer Janssen-2
Could it be that your IPTV is using a non-IP protocol, e.g. an ethertype which is not IPv4 nor IPv6, but something different? Like Powerline, G.hn or so? -- And which is blocked by pf?

There are several protocol and type fields on the different layers (MAC, IP, TCP/UDP), and I recently noticed that tools and man pages do not always identify them very clearly or are somewhat misnamed (for historical reasons I'd say).

Btw., I'm looking for a pointer to packet formats of ethertypes 0x88e1 and 0x8912, which my current filter bubble or info availability didn't allow me to find until now. They show up in tcpdump although they are not TCP nor even IP, and wireshark doesn't decrypt the payload, which I'm interested in.

> -------- Original message --------
> From: Родин Максим <[hidden email]>
> Date: 16.06.19 22:16 (GMT+01:00)
> To: OpenBSD general usage list <[hidden email]>
> Subject: [misc] IPTV handling on OpenBSD soft router

Re: IPTV handling on OpenBSD soft router

Максим
When I disable PF and use tcpdump to monitor network activity on em2
(where the IPTV box is connected) I see a stream of udp packets (something like this:
233.33.210.7:5050)
This stream is interrupted in several seconds when I enable PF again.

-- 
Best regards
Maksim Rodin


17.06.2019, 10:20, "Peer" <[hidden email]>:
> Could it be that your IPTV is using a non-IP protocol, e.g. an ethertype which is not IPv4 nor IPv6, but something different? Like Powerline, G.hn or so? -- And which is blocked by pf?

Re: IPTV handling on OpenBSD soft router

Stuart Henderson
On 2019-06-18, Максим <[hidden email]> wrote:
> When I disable PF and use tcpdump to monitor network activity on em2
> (where the IPTV box is connected) I see a stream of udp packets (something like this:
> 233.33.210.7:5050)
> This stream is interrupted in several seconds when I enable PF again.

It probably doesn't help that you have the multicast address range
in your <martians> table ..
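To check Stuart's observation against the addresses that appear in this thread, here is an added Python example (it is not from the thread, nor OpenBSD's own code): it looks up addresses in the posted <martians> table the way a pf table lookup would, and shows what 224.0.0.0/3 actually covers. The stream destination 233.33.210.7 and the table entries come from the thread; the IGMP group addresses and the two unicast addresses are constructed for illustration, and the `without_multicast` variant is one illustrative adjustment of the table, not a fix proposed by anyone in the thread.

```python
import ipaddress

# The <martians> table exactly as posted in the thread's pf.conf.
MARTIANS = [
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "224.0.0.0/3",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24",
]

# Constructed sample: the stream destination quoted in the thread, the
# well-known IGMP groups a set-top box uses for joins (assumed here; the
# thread only shows the stream address), and two ordinary unicast addresses.
SAMPLE_ADDRESSES = {
    "233.33.210.7": "IPTV stream destination seen on em2",
    "224.0.0.1": "all-hosts group (IGMP general queries)",
    "224.0.0.22": "IGMPv3 membership reports",
    "100.65.129.10": "constructed: provider-side unicast like the box's address",
    "8.8.8.8": "constructed: ordinary internet unicast",
}


def matching_entries(addr, table=MARTIANS):
    """Return every table entry whose prefix contains addr.

    A non-empty result means a 'from <martians>' or 'to <martians>'
    rule would match this address wherever that rule is evaluated.
    """
    ip = ipaddress.ip_address(addr)
    return [e for e in table if ip in ipaddress.ip_network(e, strict=False)]


def is_martian(addr, table=MARTIANS):
    return bool(matching_entries(addr, table))


def address_span(entry):
    """First and last address covered by a CIDR entry, as strings."""
    net = ipaddress.ip_network(entry, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def without_multicast(table=MARTIANS):
    """Variant of the table that keeps the reserved Class E block
    (240.0.0.0/4) but no longer lists multicast (224.0.0.0/4).

    Illustration of how narrowing the entry changes the lookup; the
    thread itself does not propose this change.
    """
    return [e for e in table if e != "224.0.0.0/3"] + ["240.0.0.0/4"]


def report(table=MARTIANS):
    """One line per sample address, saying which entries (if any) catch it."""
    lines = []
    for addr, what in SAMPLE_ADDRESSES.items():
        hits = matching_entries(addr, table)
        verdict = "matches " + ",".join(hits) if hits else "no match"
        lines.append(f"{addr:15} {verdict:24} {what}")
    return lines


if __name__ == "__main__":
    lo, hi = address_span("224.0.0.0/3")
    print(f"224.0.0.0/3 covers {lo} .. {hi} (multicast 224/4 plus Class E 240/4)")
    print("\nAs posted:")
    print("\n".join(report()))
    print("\nWith 224.0.0.0/3 replaced by 240.0.0.0/4:")
    print("\n".join(report(without_multicast())))
```

On the router itself the equivalent live check is `pfctl -t martians -T test 233.33.210.7`, which reports whether the address matches the loaded table. Matching the table only matters on interfaces where a rule references it; the posted block rules that use <martians> are written `on egress`.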



Re: IPTV handling on OpenBSD soft router

Максим
Yes, I too thought that the <martians> table could be the reason and even
tried to completely comment out the rules with this table. That did not
help and I later understood why. The rules with the <martians> table
affect the network stream on the egress port, which is vether0 in my case. But
these rules apply neither to em0 nor to em2. These are part of the
same virtual bridge0 as vether0 but they are not filtered.
As I understand it, if the IPTV stream is blocked by PF it should be logged
by the rule "block log all". But there are no packets when I do "tcpdump
-n -e -i pflog0 not ifname vether0 and action block"

--
Best regards
Maksim Rodin

18:41, 18 June 2019, Stuart Henderson <[hidden email]>:

> On 2019-06-18, Максим <[hidden email]> wrote:
>
>> When I disable PF and use tcpdump to monitor network activity on em2
>> (where the IPTV box is connected) I see a stream of udp packets (something like this:
>> 233.33.210.7:5050)
>> This stream is interrupted in several seconds when I enable PF again.
>
> It probably doesn't help that you have the multicast address range
> in your <martians> table ..