Firewall rules for IPTV

Firebat · May 22, 2020, 4:30pm

Hello community,
I’ve got VyOS up adn running, configured igmp-proxy fitting my needs but now I’m stuck at creating the correct firewall rules. I’m coming from pfSense and want to achieve the following ruleset:

But I’m a bit lost how these rules have to look and if anything additional/else is needed. I would really appreciate some help with this.

Source (netgate forums)

Dmitry · May 22, 2020, 6:55pm

Hi, do you have any firewall rules?
In this case, you need set firewall as local for new firewall rules

set interfaces ethernet eth0 firewall local name <NAME>

Firebat · May 25, 2020, 12:29pm

firewall {
all-ping enable
broadcast-ping disable
config-trap disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name WAN-IN {
    default-action drop
    rule 1000 {
        action accept
        destination {
            address 224.0.0.0/4
      }
        protocol igmp
    }
    rule 1001 {
        action accept
        destination {
            address 224.0.0.0/4
        }
        protocol udp
    }
    rule 1010 {
        action accept
        state {
            established enable
            related enable
        }
    }
}
name WAN-LOCAL {
    default-action drop
    rule 1000 {
        action accept
        destination {
            address 224.0.0.0/4
        }
        protocol all
    }
    rule 1010 {
        action accept
        state {
            established enable
            related enable
        }
    }
    rule 1020 {
        action accept
        icmp {
            type-name echo-request
        }
        protocol icmp
        state {
            new enable
        }
    }
}
receive-redirects disable
send-redirects disable
source-validation disable
syn-cookies enable
twa-hazards-protection disable

}

These are my current firewall rules. If needed, I can post the full config.boot file. With the current ruleset it’s not working as expected but I’m a bit further now. With MagentaTV from Deutsche Telekom the stream starts as unicast and after 10-20 seconds it switches to multicast. Unicast works fine, I can see a stream as expected. But after the switch to multicast traffic, the stuttering starts.

I’m not sure if this is still a firewall issue (because I can see a stream for a few seconds) or more an issue with igmp-proxy. All I can tell right now is, that it is working nicely with pfsense. But maybe we can get it to work with VyOS, too.

Dmitry · May 25, 2020, 5:18pm

Can I propose to disable the firewall for testing?

Dmitry · June 17, 2020, 12:11pm

Hello, @Firebat do you have success result with IGMP-proxy or firewall?

Firebat · September 3, 2020, 1:15pm

Haven’t had the time to look into this further, but I bought a second PCEngines APU so it’ll be easier to switch between the two devices for testing. I hope I’ll have some free time the next days. I’ll keep you updated.

Firebat · September 28, 2020, 1:24pm

I’m digging into this a bit deeper. Recent question is, if VyOS 1.3 supports source-specific multicast for IGMPv3?

I’ve already taken a look at Firewall — VyOS 1.4.x (sagitta) documentation
And I’m not a 100% sure if set firewall ip-src-route [enable | disable] is the correct setting but I THINK I’m on the right track now.

Or is there a possibilty to enable the netfilter IP options parameter manually?