Hi Community,
Similar to this guy (Firewall rules for IPTV) I have got VyOS up and running but I think I am struggling with setting the correct firewall rules.
For background I live in the UK and subscribe to BT’s IPTV service. I had it working using EdgeOS on an ER-X but I can see now that the default firewall rules are more basic.
I have followed the VyOS from scratch guide and set up the zone based firewall. (This is all quite new to me and I am slowly getting to grips with VyOS) I think the reason I cannot get it to work is likely due to my firewalls.
My internet is authenticated via pppoe with source interface of eth0.
However my understanding is that the IPTV data arrives on eth0.
I am trying to make the IPTV data available on VLAN40
I have tried to make a configuration which I thought would work but no joy! I am not sure if I have tried to over-complicate things! I would be grateful for any feedback.
Version: VyOS 1.4-rolling-202209200218
firewall {
group {
network-group IPTV-Multicast {
network 224.0.0.0/4
network 109.159.247.0/24
}
}
name LAN-LOCAL {
default-action accept
}
name LAN-WAN {
default-action accept
}
name LOCAL-LAN {
default-action accept
}
name LOCAL-VLAN40 {
default-action accept
}
name LOCAL-WAN {
default-action accept
}
name VLAN40-LOCAL {
default-action accept
}
name VLAN40-WAN {
default-action accept
}
name WAN-LAN {
default-action drop
rule 5 {
action accept
description "Allow EST/Related Traffic"
state {
established enable
related enable
}
}
rule 50 {
action accept
destination {
address 192.168.20.15
port 80,443
}
protocol tcp
state {
new enable
}
}
rule 70 {
action accept
destination {
address 192.168.20.3
port 32400,32555
}
protocol tcp
state {
new enable
}
}
}
name WAN-LOCAL {
default-action drop
rule 5 {
action accept
description "Allow EST/Related Traffic"
state {
established enable
related enable
}
}
rule 10 {
action accept
description "Allow IPTV Mulicast UDP"
destination {
group {
network-group IPTV-Multicast
}
}
protocol udp
}
rule 15 {
action accept
description "Allow IGMP"
protocol igmp
}
}
name WAN-VLAN40 {
default-action drop
rule 5 {
action accept
description "Allow EST/Related Traffic"
state {
established enable
related enable
}
}
rule 10 {
action accept
description "Allow IPTV Multicast UDP"
destination {
group {
network-group IPTV-Multicast
}
}
protocol udp
}
rule 15 {
action accept
description "Allow IGMP"
protocol igmp
}
}
zone LAN {
default-action drop
from LOCAL {
firewall {
name LOCAL-LAN
}
}
from WAN {
firewall {
name WAN-LAN
}
}
interface eth1
interface eth2
}
zone LOCAL {
default-action drop
from LAN {
firewall {
name LAN-LOCAL
}
}
from VLAN40 {
firewall {
name VLAN40-LOCAL
}
}
from WAN {
firewall {
name WAN-LOCAL
}
}
local-zone
}
zone VLAN40 {
default-action drop
from LOCAL {
firewall {
name LOCAL-VLAN40
}
}
from WAN {
firewall {
name WAN-VLAN40
}
}
interface eth1.40
}
zone WAN {
default-action drop
from LAN {
firewall {
name LAN-WAN
}
}
from LOCAL {
firewall {
name LOCAL-WAN
}
}
from VLAN40 {
firewall {
name VLAN40-WAN
}
}
interface pppoe0
interface eth0
}
}
interfaces {
ethernet eth0 {
address 10.225.225.225/32
hw-id
}
ethernet eth1 {
address 192.168.20.1/24
hw-id
vif 40 {
address 192.168.40.1/24
description "VLAN 40 IPTV"
}
}
ethernet eth2 {
address dhcp
hw-id
}
loopback lo {
}
pppoe pppoe0 {
authentication {
password ****************
user bthomehub@btbroadband.com
}
description WAN
ip {
adjust-mss clamp-mss-to-pmtu
}
mtu 1492
source-interface eth0
}
}
nat {
destination {
rule 100 {
description "HTTP Caddy"
destination {
port 80
}
inbound-interface pppoe0
protocol tcp_udp
translation {
address 192.168.20.15
}
}
rule 105 {
description "HTTPS Caddy"
destination {
port 443
}
inbound-interface pppoe0
protocol tcp_udp
translation {
address 192.168.20.15
}
}
rule 300 {
description PLEX
destination {
port 32555
}
inbound-interface pppoe0
protocol tcp
translation {
address 192.168.20.3
port 32400
}
}
}
source {
rule 100 {
outbound-interface pppoe0
source {
address 192.168.0.0/16
}
translation {
address masquerade
}
}
}
}
protocols {
igmp-proxy {
interface eth0 {
alt-subnet 0.0.0.0/0
role upstream
threshold 1
}
interface eth1.40 {
alt-subnet 0.0.0.0/0
role downstream
threshold 1
}
}
}