Actualización:
Me las arreglé para hacerlo funcionar.
Movistar transmite el tráfico multicast de IPTV en una VLAN separada (diferente de la VLAN de control de IPTV). En mi caso era 180 para canales SD y 182 para canales HD.
El tráfico VOD entra por la VLAN de control de IPTV, la 6 (la 2 en el enrutador original), como tráfico UDP. Solo necesito reenviarlo al decodificador (Deco).
Pregunta original: pasé dos días revisando tres veces toda la configuración y todavía no consigo que funcione la IPTV de Movistar. Internet funciona bien. Necesito la ayuda de la comunidad.
- Proveedor: Movistar
- Hardware: Mikrotik RB4011iGS+ (RouterOS 7.11.2) + módulo SFP GPON Odi DFP-34X-2C2 (V1.0-220923).
- VLAN: 1370 para Internet (asignadas a 6 en el enrutador original), 6 para IPTV (asignadas a 2 en el enrutador original). Vea abajo.
- El decodificador de TV de Movistar está conectado a eth4.
Puedo comunicarme con la puerta de enlace 10.128.0.1 y el servidor DNS 172.26.23.3.
¿Es incorrecta la configuración de IGMP o la de las VLAN? ¿Qué se me está escapando? Agradezco cualquier pista.
Configuración
Data from SFP:
# omcicli mib get 84
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
VlanTagFilterData
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
=================================
EntityID: 0x1102
FilterTbl[0]: PRI 0,CFI 0, VID 1370
FwdOp: 0x10
NumOfEntries: 1
=================================
=================================
EntityID: 0x1103
FilterTbl[0]: PRI 0,CFI 0, VID 6
FwdOp: 0x10
NumOfEntries: 1
=================================
=================================
EntityID: 0x1104
FilterTbl[0]: PRI 0,CFI 0, VID 3
FwdOp: 0x10
NumOfEntries: 1
=================================
=================================
EntityID: 0x110b
FilterTbl[0]: PRI 0,CFI 0, VID 3
FilterTbl[2]: PRI 0,CFI 0, VID 6
FwdOp: 0x10
NumOfEntries: 2
=================================
Data from original router:
> vlantable
Upstream:
TCONT_number GEMport VLAN_id UNI_interface Service Name
312 312 1370 ppp0.1 6
315 315 6 veip0.3 2
341 341 3 veip0.2 3
Downstream:
GEMport VLAN_id UNI_interface Service Name
312 1370 ppp0.1 6
315 6 veip0.3 2
2046 3,6
341 3 veip0.2 3
2047
Mikrotik config:
# 2023-12-08 14:26:48 by RouterOS 7.12.1
# software id = 509T-I03N
#
# model = RB4011iGS+
# serial number = 000000000000
# Interface layer: the LAN bridge, the renamed Ethernet ports, the GPON SFP
# uplink and the sub-interfaces (VLANs, PPPoE, OpenVPN) stacked on top of it.
/interface bridge
# IGMP snooping is switched on for the LAN bridge.
add comment=defconf igmp-snooping=yes name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment="Living Room Ethernet" name=eth1
set [ find default-name=ether2 ] comment="Living Room Cat's" name=eth2
set [ find default-name=ether3 ] comment=Kitchen name=eth3
set [ find default-name=ether4 ] comment="Kostiantyn's Office" name=eth4
set [ find default-name=ether5 ] comment="Massage BlackIron" name=eth5
set [ find default-name=ether6 ] comment="Karina's Office WiFi Repeater" \
name=eth6
set [ find default-name=ether7 ] comment=Unknown name=eth7
set [ find default-name=ether8 ] comment="Living Room WiFi" name=eth8
set [ find default-name=ether9 ] comment=Bedroom name=eth9
set [ find default-name=ether10 ] comment=Unused name=eth10
# The GPON SFP module is the only uplink; every provider VLAN below rides on it.
set [ find default-name=sfp-sfpplus1 ] l2mtu=1592 name=sfp rx-flow-control=\
auto tx-flow-control=auto
/interface vlan
# 1370 carries the PPPoE internet session, 6 is the IPTV control VLAN and
# 180/182 are the IPTV multicast VLANs (SD and HD channels per the post).
add interface=sfp name=vlan-internet vlan-id=1370
add interface=sfp name=vlan-iptv vlan-id=6
add interface=sfp name=vlan-iptv-multicast1 vlan-id=180
add interface=sfp name=vlan-iptv-multicast2 vlan-id=182
/interface pppoe-client
# Internet access: PPPoE over VLAN 1370, installing the default route.
add add-default-route=yes disabled=no interface=vlan-internet name=\
pppoe-internet user=adslppp@telefonicanetpa
/interface ovpn-client
# NOTE(review): auth=null disables the HMAC on tunnel packets while the cipher
# is aes128-cbc, so tunnel data is encrypted but not integrity-protected.
# Prefer a SHA-2 digest or an AEAD (GCM) cipher if the server side supports
# it - confirm against the server configuration before changing.
add auth=null certificate=vpn.obfuscated.domain.tld cipher=aes128-cbc connect-to=\
obfuscated.domain.tld mac-address=02:27:DD:DC:A8:6A name=vpn.obfuscated.domain.tld \
use-peer-dns=no user=none
/interface list
# WAN-IPTV is kept separate from WAN, so firewall rules that match
# in-interface-list=WAN do not apply to the IPTV control VLAN.
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=WAN-IPTV
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# DHCP building blocks for the LAN and for the IPTV decoder.
/ip dhcp-server option
# Option 60 is the DHCP vendor class identifier; option 240 is a private-use
# code whose value lists multicast group:port pairs - presumably the service
# discovery endpoints the decoder expects (verify against provider docs).
add code=240 name=iptv-240 value=\
"':::::239.0.2.10:22222:v6.0:239.0.2.29:22222'"
add code=60 name=iptv-60 value="'[IAL]'"
/ip pool
add name=lan ranges=10.10.10.230-10.10.10.250
# NOTE(review): no DHCP server in this export references the iptv pool; the
# only server below hands out addresses from the lan pool.
add name=iptv ranges=10.10.20.230-10.10.20.250
/ip dhcp-server
# Single DHCP server on the bridge; it serves both 10.10.10.0/24 and the
# decoder's static lease in 10.10.20.0/24.
add address-pool=lan interface=bridge lease-time=12h name=defconf
/port
set 0 name=serial0
set 1 name=serial1
/routing rip instance
# RIP instance bound to the IPTV control VLAN further down
# (/routing rip interface-template).
add disabled=no name=iptv
# Bridge membership, interface lists, addressing, DHCP networks and DNS.
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=eth2
add bridge=bridge comment=defconf ingress-filtering=no interface=eth3
add bridge=bridge comment=defconf ingress-filtering=no interface=eth4
add bridge=bridge comment=defconf ingress-filtering=no interface=eth5
add bridge=bridge comment=defconf ingress-filtering=no interface=eth6
add bridge=bridge comment=defconf ingress-filtering=no interface=eth7
add bridge=bridge comment=defconf ingress-filtering=no interface=eth8
add bridge=bridge comment=defconf ingress-filtering=no interface=eth9
add bridge=bridge comment=defconf ingress-filtering=no interface=eth10
add bridge=bridge comment=defconf ingress-filtering=no interface=eth1
# NOTE(review): the two provider multicast VLANs are bridged straight into the
# LAN bridge. That puts the provider segment and the home LAN in one layer-2
# domain: LAN broadcasts (ARP, DHCP) can leave towards the provider, and
# anything arriving on these VLANs is seen by the IP firewall as coming from
# "bridge", which is a member of the LAN list. Consider bridge filter rules
# that let only IGMP and multicast cross these two ports - confirm what the
# decoder actually needs first.
add bridge=bridge interface=vlan-iptv-multicast1
add bridge=bridge interface=vlan-iptv-multicast2
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=pppoe-internet list=WAN
add interface=sfp list=WAN
# Only the control VLAN is in WAN-IPTV; the multicast VLANs are in no list
# because they are bridge ports.
add interface=vlan-iptv list=WAN-IPTV
/interface ovpn-server server
# NOTE(review): md5 is accepted as a tunnel digest here. No enabled= setting is
# visible in this export, so the server may be off; if it is in use, remove
# md5 from the list.
set auth=sha1,md5 certificate=bcn.obfuscated.domain.tld
/ip address
add address=10.10.10.1/24 comment=defconf interface=bridge network=10.10.10.0
# Address on the raw SFP interface, in the same subnet as the 192.168.1.1
# target of the sfp-stats dst-nat rule.
add address=192.168.1.250/24 comment=sfp interface=sfp network=192.168.1.0
# Second subnet on the same bridge, used only for the IPTV decoder.
add address=10.10.20.1/24 comment=iptv interface=bridge network=10.10.20.0
# Address on the IPTV control VLAN (redacted by the author).
add address=10.150.xxx.xxx/9 comment=iptv interface=vlan-iptv network=\
10.128.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server lease
...
# Static lease that pins the decoder into the 10.10.20.0/24 IPTV subnet.
add address=10.10.20.250 comment="IPTV Deco" mac-address=\
A0:E7:AE:E7:C3:0A server=defconf
/ip dhcp-server network
add address=10.10.10.0/24 comment=defconf domain=Irons gateway=10.10.10.1 \
netmask=24
# The decoder gets the provider DNS server and the two IPTV DHCP options.
add address=10.10.20.0/24 comment=iptv dhcp-option=iptv-60,iptv-240 \
dns-server=172.26.23.3 gateway=10.10.20.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip dns static
...
/ip firewall address-list
...
# Packet filter. Rules in a chain are evaluated top to bottom;
# add-src-to-address-list does not stop evaluation, drop and accept do.
# No final catch-all drop exists in the forward chain, so anything not
# matched there is forwarded.
/ip firewall filter
# SSH brute-force ladder on port 222 (the port set in /ip service): each new
# connection within a minute moves the source one stage up, and a new
# connection from a stage3 source blacklists it for 4w2d. The blacklist drop
# comes first so listed sources never reach the accept rule below.
# The ladder has no in-interface match, so LAN clients are counted as well.
add action=drop chain=input comment="drop ssh brute forcers" dst-port=222 \
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=4w2d chain=input connection-state=new dst-port=222 \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=222 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=222 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=222 \
protocol=tcp
# Same ladder for RDP connections forwarded to the LAN (port 3389).
add action=drop chain=forward comment="drop rdp brute forcers" dst-port=3389 \
in-interface=!bridge protocol=tcp src-address-list=rdp_blacklist
add action=add-src-to-address-list address-list=rdp_blacklist \
address-list-timeout=4w2d chain=forward connection-state=new dst-port=\
3389 protocol=tcp src-address-list=rdp_stage3
# NOTE(review): unlike every other ladder rule this one has no
# connection-state=new, so any later packet of an existing session from a
# stage2 source promotes it to stage3. The ladder is one connection shorter
# than the SSH one - add connection-state=new if that is not intended.
add action=add-src-to-address-list address-list=rdp_stage3 \
address-list-timeout=1m chain=forward dst-port=3389 protocol=tcp \
src-address-list=rdp_stage2
add action=add-src-to-address-list address-list=rdp_stage2 \
address-list-timeout=1m chain=forward connection-state=new dst-port=3389 \
protocol=tcp src-address-list=rdp_stage1
add action=add-src-to-address-list address-list=rdp_stage1 \
address-list-timeout=1m chain=forward connection-state=new dst-port=3389 \
protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=\
222 protocol=tcp src-address-list=ssh_blacklist
# SNMP is limited to a single source address (redacted by the author).
add action=accept chain=input comment=SNMP dst-port=161,162 protocol=udp \
src-address=xxx.xxx.xxx.xxx
# NOTE(review): no in-interface or src-address match, so SSH (222) and the
# www-ssl web interface (443) are reachable from every interface, including
# the internet and the provider IPTV VLAN. The ladder above only rate-limits
# SSH; 443 has no such protection. Restricting this rule to a source
# address list or to the VPN would reduce the exposed management surface.
add action=accept chain=input comment="wan access to port 222,443" dst-port=\
222,443 protocol=tcp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# IPTV: UDP and IGMP from the decoder subnet to the router itself.
add action=accept chain=input comment=iptv protocol=udp src-address=\
10.10.20.0/24
add action=accept chain=input comment=iptv protocol=igmp src-address=\
10.10.20.0/24
# NOTE(review): this rule accepts every protocol and port from the provider
# IPTV VLAN to the router, which exposes all router services to that network
# and makes the two narrower rules after it unreachable. Removing it and
# keeping only the UDP/IGMP rules would match the stated intent.
add action=accept chain=input comment=iptv in-interface-list=WAN-IPTV
add action=accept chain=input comment=iptv in-interface-list=WAN-IPTV \
protocol=udp
add action=accept chain=input comment=iptv in-interface-list=WAN-IPTV \
protocol=igmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
# IPTV: UDP and IGMP arriving on the control VLAN may be forwarded to the LAN.
add action=accept chain=forward comment=iptv in-interface-list=WAN-IPTV \
protocol=udp
add action=accept chain=forward comment=iptv in-interface-list=WAN-IPTV \
protocol=igmp
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# NOTE(review): this drop matches in-interface-list=WAN only. vlan-iptv is in
# WAN-IPTV, not WAN, so new non-UDP connections arriving from the provider
# IPTV network are not dropped here and fall through to the chain's default
# accept. Adding a matching drop for in-interface-list=WAN-IPTV would close
# that path - check that it does not break the decoder.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# Outbound TCP blocks towards three destination address lists (their contents
# are elided from the export).
add action=drop chain=forward comment="Falcon Blocked" dst-address-list=\
falcon protocol=tcp
add action=drop chain=forward comment="LSAgent Blocked" dst-address-list=\
lsagent protocol=tcp
add action=drop chain=forward comment="Mosyle Blocked" dst-address-list=\
mosyle protocol=tcp
# Priority marking and address translation.
/ip firewall mangle
# Sets the packet priority per uplink: 1 for internet, 4 for IPTV control.
add action=set-priority chain=postrouting comment=internet new-priority=1 \
out-interface-list=WAN passthrough=no
add action=set-priority chain=postrouting comment=iptv new-priority=4 \
out-interface-list=WAN-IPTV passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=iptv out-interface-list=WAN-IPTV
add action=masquerade chain=srcnat out-interface=vpn.obfuscated.domain.tld
# NOTE(review): this masquerades everything leaving through the LAN bridge,
# not only hairpin traffic. Port-forwarded connections from the internet
# therefore reach LAN hosts with the router's address as source, so the RDP
# host's own logs and lockout policies cannot tell remote clients apart.
# Limiting the rule to LAN source addresses would keep hairpin NAT working
# while preserving real source addresses - verify against the intended use.
add action=masquerade chain=srcnat out-interface=bridge
# VOD: all UDP sent to the router's IPTV address is handed to the decoder.
add action=dst-nat chain=dstnat comment=iptv dst-address=10.150.xxx.xxx \
in-interface=vlan-iptv protocol=udp to-addresses=10.10.20.250
# NOTE(review): RDP is published to the whole internet; the only protection is
# the connection-rate ladder in the forward chain. Reaching this host through
# the VPN or a source address list would remove the exposure.
add action=dst-nat chain=dstnat comment="BlackIron RDP" dst-port=3389 \
in-interface=pppoe-internet protocol=tcp to-addresses=10.10.10.10
# NOTE(review): no dst-address match, so any TCP/3389 connection routed in
# from the bridge is redirected to 10.10.10.10 whatever its destination.
# Presumably meant for hairpin access - confirm and add a dst-address match.
add action=dst-nat chain=dstnat dst-port=3389 in-interface=bridge protocol=\
tcp to-addresses=10.10.10.10
# Console port forwards to 10.10.10.120.
add action=dst-nat chain=dstnat comment="PS4 ports" dst-port=1935 \
in-interface=pppoe-internet protocol=tcp to-addresses=10.10.10.120
add action=dst-nat chain=dstnat dst-port=1935 in-interface=pppoe-internet \
protocol=udp to-addresses=10.10.10.120
add action=dst-nat chain=dstnat dst-port=3074 in-interface=pppoe-internet \
protocol=tcp to-addresses=10.10.10.120
add action=dst-nat chain=dstnat dst-port=3074 in-interface=pppoe-internet \
protocol=udp to-addresses=10.10.10.120
add action=dst-nat chain=dstnat dst-port=3478-3480 in-interface=\
pppoe-internet protocol=tcp to-addresses=10.10.10.120
add action=dst-nat chain=dstnat dst-port=3478-3480 in-interface=\
pppoe-internet protocol=udp to-addresses=10.10.10.120
add action=dst-nat chain=dstnat dst-port=9295-9305 in-interface=\
pppoe-internet protocol=tcp to-addresses=10.10.10.120
add action=dst-nat chain=dstnat dst-port=9295-9305 in-interface=\
pppoe-internet protocol=udp to-addresses=10.10.10.120
# Port 80 forward for certificate renewal, currently disabled.
add action=dst-nat chain=dstnat comment=certbot disabled=yes dst-port=80 \
in-interface=pppoe-internet protocol=tcp to-addresses=10.10.10.20
# Publishes the SFP module's plain-HTTP interface (192.168.1.1:80) on port 8555
# for one source address (redacted). The session is unencrypted on the way in;
# a tunnel would be safer for a management interface.
add action=dst-nat chain=dstnat comment=sfp-stats dst-port=8555 protocol=tcp \
src-address=xxx.xxx.xxx.xxx to-addresses=192.168.1.1 to-ports=80
# Router services, multicast/routing daemons and system settings.
/ip service
# Only SSH (moved to port 222) and the TLS web interface stay enabled.
# NOTE(review): no address= restriction is visible on either service, so access
# control rests entirely on the firewall input chain, which accepts 222 and
# 443 from any source.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=222
set www-ssl certificate=bcn.obfuscated.domain.tld disabled=no
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip smb
set comment=MikroIron domain=Irons
/ip upnp
# NOTE(review): UPnP lets any LAN host open inbound port mappings on the PPPoE
# interface without authentication. The console ports are already forwarded
# statically in /ip firewall nat, so check whether UPnP is still needed.
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=pppoe-internet type=external
/routing bfd configuration
add disabled=no
/routing igmp-proxy
set query-interval=10s quick-leave=yes
/routing igmp-proxy interface
# IGMP proxy between the IPTV control VLAN (upstream) and the LAN bridge.
add comment=iptv interface=vlan-iptv upstream=yes
add comment=iptv interface=bridge
/routing rip interface-template
# RIP runs on the IPTV control VLAN.
# NOTE(review): no authentication setting is visible on this template, so
# routes announced on that VLAN are accepted as-is - confirm that this is
# what the provider setup requires.
add disabled=no instance=iptv interfaces=vlan-iptv
/snmp
# NOTE(review): the export does not show the community configuration. SNMP v2
# sends the community string in clear text, so make sure it is not a default
# value; the firewall limits SNMP to a single source address.
set enabled=yes trap-version=2
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=MikroIron
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=es.pool.ntp.org
add address=europe.pool.ntp.org
/system resource irq rps
set sfp disabled=no
/system routerboard settings
set auto-upgrade=yes
/tool graphing interface
# Graphs are viewable from the LAN subnet only.
add allow-address=10.10.10.0/24
/tool graphing queue
add allow-address=10.10.10.0/24
/tool graphing resource
add allow-address=10.10.10.0/24
/tool mac-server
# Layer-2 management (MAC telnet / MAC WinBox) is limited to LAN interfaces.
# Bridge ports inherit this, including the two provider multicast VLANs that
# were added to the LAN bridge.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
# Debug leftover: when the sniffer runs, packets captured on the IPTV control
# VLAN are streamed to 10.10.10.20. Disable streaming once troubleshooting
# is finished.
set filter-interface=vlan-iptv streaming-enabled=yes streaming-server=\
10.10.10.20