OpenBSD Journal

Forwarding IPTV Traffic with PF

Contributed by mitja on from the iptv-is-for-porn dept.

Since the day I got my shiny new FTTH internet connection complete with IPTV, I was curious about making the TV show on my desktop. Eventually, purchasing a network-based video player that was capable of playing IPTV too was the final straw - the device only has one Ethernet port and I needed that for accessing the LAN.

My ISP (Siol) delivers its services through a VLAN-capable CPE device (commonly called a "modem") with separate ethernet ports for data and video - essentially they de-tag the two backbone VLANs into two native ethernet ports, one for each service. A quick look at the support forums showed that the majority of users don't bother at all and simply plug the video network into their LAN switch - completely bypassing the firewall. I didn't want to potentially compromise my LAN or alternatively send unwanted traffic into my ISP's video distribution network, so the obvious choice was to dedicate an unused ethernet port on my Soekris 5501 for the incoming video network and route that into my LAN - through pf!

My first attempt at implementing multicast forwarding did not go well - it seemed pretty simple in theory, but it just wouldn't work, and I kept adding complexity in an attempt to solve it. Eventually it turned out that the problem lay elsewhere - I run -current on my firewall and coincidentally my first steps in the multicasting world happened just as multicast routing was briefly broken as collateral damage from some network stack changes. Luckily, Henning quickly rolled back the change to the known working state, so it was time to try it again - with much better results this time. :)

So without further ado, here is my 4 step recipe:

1. Enable multicast forwarding on your OpenBSD gateway:

# echo "multicast_router=YES" >> /etc/rc.conf.local

(this step will require rebooting)

# sysctl net.inet.ip.mforwarding=1
(edit /etc/sysctl.conf to make the change permanent)

2. Install net/igmpproxy package:

# pkg_add igmpproxy
igmpproxy-0.1b2: ok

and edit its config file /etc/igmpproxy.conf to suit your networking environment

altnet    # accept all igmp traffic even if from outside our upstream subnet
phyint vr2 upstream  ratelimit 0  threshold 1
phyint vr0 downstream ratelimit 0  threshold 1
phyint pppoe0 disabled

Also don't forget to add igmpproxy to /etc/rc.local so it starts after the next reboot!

3. Configure your video upstream interface. igmpproxy requires an IP address on its upstream interface to serve as a source address. How to acquire this address is very provider specific - some nicely allow DHCP, others lock DHCP to MAC addresses of the set-top-box hardware or to a special option in the DHCP request. In my case, I just manually assigned the IP address that my STB used to have - it was dynamically assigned, but hasn't changed in over a year.

4. Adjust your pf.conf rules to pass through the igmp traffic and the incoming multicast stream, which in my case is UDP with destination port 5002. A common pitfall here is that igmp makes use of the IP option Router Alert, and pf by default blocks packets with IP options. The solution is the allow-opts keyword:

LAN  = "vr0"
IPTV = "vr2"

block on $IPTV
pass in on $IPTV inet proto udp from any to any port 5002
pass on {$LAN, $IPTV} proto igmp allow-opts

And this is it! Any machine in my LAN is now capable of watching IP TV with VLC and a correct playlist - if your pipe is fat enough, even all at the same time!

To be fair, some of the details such as the topology, the addressing scheme and the playlists are very provider-specific. Your local tech enthusiasts' or ISP support forums can be a valuable resource for this kind of information, and tcpdump can be of assistance. Some of the things that tcpdump can help you with are checking that the igmp traffic really flows in and out (and that you haven't forgotten about the allow-opts part), finding out the UDP port the video stream comes in on, figuring out (by comparison with the other traffic you might see) the IP address to use on your upstream and, in general, analyzing what is going on.
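Why the allow-opts keyword from step 4 is needed, shown as an added example (not part of the original article): the script builds a constructed IGMPv2 membership report carrying the Router Alert option and a constructed UDP video packet, then checks each IPv4 header for options. The addresses, the group 239.1.1.1 and the helper names are assumptions made for illustration.

```python
import socket
import struct

ROUTER_ALERT = 0x94                 # IP option type 148, Router Alert (RFC 2113)
IPPROTO_IGMP, IPPROTO_UDP = 2, 17

def build_ipv4(proto, src, dst, payload, options=b"", ttl=1):
    """Build a sample IPv4 packet (header checksum left at 0; illustration only)."""
    if len(options) % 4:
        raise ValueError("IP options must be padded to 32-bit words")
    ihl = 5 + len(options) // 4     # header length in 32-bit words
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0,
                         ihl * 4 + len(payload), 0, 0, ttl, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + options + payload

def ip_options(pkt):
    """Return the option types found in the IPv4 header of pkt."""
    ihl = pkt[0] & 0x0F
    if pkt[0] >> 4 != 4 or ihl < 5 or len(pkt) < ihl * 4:
        raise ValueError("not a well-formed IPv4 header")
    opts, i, raw = [], 0, pkt[20:ihl * 4]
    while i < len(raw):
        kind = raw[i]
        if kind == 0:               # End of Option List
            break
        if kind == 1:               # No-Operation is a single byte
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed IP option")
        opts.append(kind)
        i += raw[i + 1]
    return opts

def needs_allow_opts(pkt):
    """True if the header carries options, which pf drops unless the rule has allow-opts."""
    return (pkt[0] & 0x0F) > 5

# Constructed samples: an IGMPv2 report (type 0x16) and a UDP datagram to port 5002.
GROUP = "239.1.1.1"
IGMP_PKT = build_ipv4(IPPROTO_IGMP, "192.0.2.10", GROUP,
                      struct.pack("!BBH4s", 0x16, 0, 0, socket.inet_aton(GROUP)),
                      options=bytes([ROUTER_ALERT, 4, 0, 0]))
VIDEO_PKT = build_ipv4(IPPROTO_UDP, "198.51.100.1", GROUP,
                       struct.pack("!HHHH", 40000, 5002, 8, 0), ttl=16)

if __name__ == "__main__":
    for name, pkt in (("igmp", IGMP_PKT), ("video", VIDEO_PKT)):
        print(name, [hex(o) for o in ip_options(pkt)], needs_allow_opts(pkt))
```

The same header-length test works on live traffic as a tcpdump capture filter: 'ip[0] & 0xf > 5' matches only packets whose IPv4 header carries options.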

Also, according to my ISP's terms of service, as long as I am subscribed to the IPTV service I can watch multiple concurrent streams on multiple devices, so this makes my adventures in IPTV world legal. This might not be the case with your ISP, so do your homework first.

(Comments are closed)

  1. By phessler (phessler) on

    how do you build your playlist? How do you switch channels with vlc? Can you go more into detail?

    1. By Mitja Muzenic (mitja) on .

      I'll admit that I've cheated by finding the playlist online on one of the forums :)

      There is also an excellent IPTV application for Windows that my wife runs on her desktop (MulticastTV) that was probably used in the first place by those forum posters - besides watching TV it can also scan the whole multicast address range (or a predefined subset) for valid streams and generate a playlist.

      I too would be interested in finding a way to do it with VLC though.

