config proxy
option scope global
option uplink wan
list downlink lan
config proxy
option scope global
option uplink wan6
list downlink lan
config rule
option src 'wan'
option name 'Multicast'
list dest_ip '224.0.0.0/4'
option target 'ACCEPT'
list proto 'udp'
list src_ip '89.86.96.0/24'
list src_ip '89.86.97.0/24'
list src_ip '193.251.97.0/24'
net.ipv4.conf.all.force_igmp_version=2
Can the p3 marking for IGMP be set up under OpenWrt (if so, how), or is an external switch needed?
With p3 marking on IGMP, otherwise the stream cuts out after 5 minutes.
It should be possible, but with a risk of losing offload; I use a switch to do it.
You'll do the test. ;)
You'll also be able to check that replays no longer work after this update:
https://www.bbox-mag.fr/forum/viewtopic.php?f=149&t=2859
A reboot and it's back up.
for i in 0 1 2 3 4 5 6 7; do
## set a priority for each queue (skb priority i -> 802.1p priority i)
ip link set eth0.100 type vlan egress $i:$i > /dev/null
done
## Change the priority of queue 1 to 0: that's where we'll send all our packets; queue 0, the default one, goes to 6
ip link set eth0.100 type vlan egress 1:0 > /dev/null
ip link set eth0.100 type vlan egress 0:6 > /dev/null
##IPV4
## All protocols move to skb 01, whose priority we set to 0
iptables -t mangle -A POSTROUTING -o eth0.100 -j CLASSIFY --set-class 0000:0001
## Keep network control packets in a queue with priority 3 (IGMP) or 5 (ICMP)
iptables -t mangle -A POSTROUTING -o eth0.100 -p igmp -j CLASSIFY --set-class 0000:0003
iptables -t mangle -A POSTROUTING -o eth0.100 -p icmp -j CLASSIFY --set-class 0000:0005
## VoIP (SIP) packets are tagged EF; we put them in priority 5 (I use a dedicated VLAN for the Bbox)
#iptables -t mangle -A POSTROUTING -o eth0.100 -m dscp --dscp 0x2e -j CLASSIFY --set-class 0000:0005
## If your DHCP client does not use raw sockets, DHCP packets must be sent to queue 6 (priority 6)
iptables -t mangle -A POSTROUTING -o eth0.100 -p udp --dport 67 -j CLASSIFY --set-class 0000:0006
##IPV6
## All protocols move to skb 01, whose priority we set to 0
ip6tables -t mangle -A POSTROUTING -o eth0.100 -j CLASSIFY --set-class 0000:0001
## Keep network control packets (ICMPv6) in the queue with priority 5
ip6tables -t mangle -A POSTROUTING -o eth0.100 -p ipv6-icmp -j CLASSIFY --set-class 0000:0005
## If your DHCPv6 client does not use raw sockets, DHCPv6 packets must be sent to queue 6 (priority 6) (this is the case for dibbler)
ip6tables -t mangle -A POSTROUTING -o eth0.100 -p udp --dport 547 -j CLASSIFY --set-class 0000:0006
For some people (including me), without p3 marking of outgoing IGMP packets, the TV streams cut out.
Unfortunately I can't do CoS marking on this type of switch (the SG108E supports Port-based/802.1p/DSCP priority, but not 802.1p CoS/DSCP priority... :o). I don't think that prevents me from having IPTV? CoS marking is used for priority management (Class of Service in 802.1Q)?
The 3 IP prefixes 89.86.96.0/24, 89.86.97.0/24, 193.251.97.0/24 contain the IPs that send the multicast streams (the last one, 176.165.8.0/24, is not used where I am).
Does it come from here? https://lafibre.info/remplacer-bbox/informations-de-connexion-ftth/120/
protocols {
igmp-proxy {
interface eth0.100 {
alt-subnet 193.251.97.0/24
alt-subnet 89.86.97.0/24
alt-subnet 176.165.8.0/24
alt-subnet 89.86.96.0/24
role upstream
threshold 1
}
interface eth1 {
alt-subnet 0.0.0.0/0
role downstream
threshold 1
}
interface eth2 {
role disabled
threshold 1
}
}
}
For replays, you have to port-forward UDP packets to the Miami.
Is it this rule:
config rule
option src 'wan'
option name 'Multicast'
list dest_ip '224.0.0.0/4'
option target 'ACCEPT'
list proto 'udp'
list src_ip '89.86.96.0/24'
list src_ip '89.86.97.0/24'
list src_ip '193.251.97.0/24'
To adapt for my EdgeRouter?
config-file-header
Cisco
v2.5.5.47 / RTESLA2.5.5_930_364_286
CLI v1.0
file SSD indicator excluded
@
!
unit-type-control-start
unit-type unit 1 network gi uplink none
unit-type-control-end
!
bridge multicast filtering
vlan database
vlan 100
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone
voice vlan oui-table add 00036b Cisco_phone
voice vlan oui-table add 00096e Avaya
voice vlan oui-table add 000fe2 H3C_Aolynk
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone
voice vlan oui-table add 00e075 Polycom/Veritel_phone
voice vlan oui-table add 00e0bb 3Com_phone
errdisable recovery cause loopback-detection
errdisable recovery cause dot1x-src-address
errdisable recovery cause stp-loopback-guard
green-ethernet energy-detect
bonjour interface range vlan 1
qos advanced
qos advanced-mode trust cos
mac access-list extended "VLAN100"
permit any any vlan 100 ace-priority 1
exit
ip access-list extended TV
permit igmp any any ace-priority 1
exit
class-map TVIP
match access-group TV
match access-group "VLAN100"
exit
policy-map VLANTV
class TVIP
set cos 3
exit
exit
hostname Cisco
line ssh
exec-timeout 30
exit
passwords complexity min-length 8
passwords complexity min-classes 3
username blablabla password encrypted blablabla privilege 15
ip ssh server
ip ssh password-auth
ip http timeout-policy 1800 http-only
clock timezone J +1
clock summer-time web recurring eu
clock source browser
clock dhcp timezone
!
interface vlan 100
name internet-iptv
!
interface GigabitEthernet1
description ONT
service-policy output VLANTV default-action permit-any
switchport mode trunk
switchport access vlan none
switchport general pvid 100
switchport trunk native vlan none
switchport trunk allowed vlan 100
!
interface GigabitEthernet2
description "WAN marque vers routeur"
switchport mode trunk
switchport access vlan none
switchport trunk native vlan none
switchport trunk allowed vlan 100
switchport customer vlan 100
!
interface GigabitEthernet3
description "LAN Vlan1 venant du routeur"
!
interface GigabitEthernet8
description "LAN Vlan1 vers Switchs TL-SG108E"
!
exit
macro auto enabled
ip igmp snooping
ip igmp snooping vlan 1
ip igmp snooping vlan 1 immediate-leave
ip igmp snooping vlan 1 querier
For replays, you have to port-forward UDP packets to the Miami.
What address range for the UDP packets? Mine is a Bbox TV 4K, same as the Miami? :(
set firewall name WAN_LOCAL rule 5 action accept
set firewall name WAN_LOCAL rule 5 description "Allow Multicast"
set firewall name WAN_LOCAL rule 5 destination address 224.0.0.0/4
set firewall name WAN_IN rule 5 action accept
set firewall name WAN_IN rule 5 description "Allow Multicast"
set firewall name WAN_IN rule 5 destination address 224.0.0.0/4
set firewall name WAN_IN rule 15 action accept
set firewall name WAN_IN rule 15 description "Allow UDP to Multicast"
set firewall name WAN_IN rule 15 destination address 224.0.0.0/4
set firewall name WAN_IN rule 15 protocol udp
set firewall name WAN_IN rule 15 state new enable
I still have to get REPLAY working :(. I can't be missing much.
4. TV :D :D :D thanks mirtouf :) :) :) That's it, internet + TV & REPLAY work (at 85%: some replays don't work (La 5 and A2 for example) and I get an "ethernet not connected!" popup from time to time),
The incoming ports are 1234, 8200 or 8202 in UDP.
5. Replays
For replays, these are UDP streams sent (provider http://bytel.prod.spideo.com/) by the prefixes:
on the port range 20000-30000, which will have to be NATed to the Miami
port-forward {
auto-firewall enable
hairpin-nat enable
lan-interface eth1
rule 10 {
description Bbox4K
forward-to {
address <IPBBOX4K>
port 20000-30000
}
original-port 20000-30000
protocol udp
}
rule 11 {
description Bbox4k_2
forward-to {
address <IPBBOX4K>
port 1234
}
original-port 1234
protocol udp
}
rule 12 {
description Bbox4k_3
forward-to {
address <IPBBOX4K>
port 8002
}
original-port 8002
protocol udp
}
rule 13 {
description Bbox4k_4
forward-to {
address <IPBBOX4K>
port 8000
}
original-port 8000
protocol udp
}
wan-interface eth0.100
}
firewall {
all-ping enable
broadcast-ping disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name WAN_IN {
default-action drop
description "WAN to internal"
rule 5 {
action accept
description "Allow Multicast"
destination {
address 224.0.0.0/4
}
}
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 15 {
action accept
description "Allow UDP to Multicast"
destination {
address 224.0.0.0/4
}
protocol udp
state {
new enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
rule 25 {
action accept
description "Allow ICMP"
protocol icmp
state {
established enable
related enable
}
}
rule 35 {
action accept
description "Allow IGMP"
protocol igmp
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 5 {
action accept
description "Allow Multicast"
destination {
address 224.0.0.0/4
}
}
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
duplex auto
mac blablablabla...
speed auto
vif 100 {
address dhcp
description Internet
dhcp-options {
client-option "send vendor-class-identifier "BYGTELIAD";"
default-route update
default-route-distance 210
name-server update
}
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
}
}
ethernet eth1 {
address 192.168.1.1/24
description Local
duplex auto
speed auto
}
ethernet eth2 {
address 192.168.2.1/24
description "Local 2"
duplex auto
speed auto
}
loopback lo {
}
}
port-forward {
auto-firewall enable
hairpin-nat enable
lan-interface eth1
rule 10 {
description Bbox4k_2
forward-to {
address <IPBBOX4K>
port 1234
}
original-port 1234
protocol udp
}
rule 11 {
description Bbox4k_3
forward-to {
address <IPBBOX4K>
port 8002
}
original-port 8002
protocol udp
}
rule 12 {
description Bbox4k_4
forward-to {
address <IPBBOX4K>
port 8000
}
original-port 8000
protocol udp
}
rule 13 {
description Bbox4K
forward-to {
address <IPBBOX4K>
port 20000-30000
}
original-port 20000-30000
protocol udp
}
wan-interface eth0.100
}
protocols {
igmp-proxy {
interface eth0.100 {
alt-subnet 193.251.97.0/24
alt-subnet 89.86.97.0/24
alt-subnet 176.165.8.0/24
alt-subnet 89.86.96.0/24
role upstream
threshold 1
}
interface eth1 {
alt-subnet 0.0.0.0/0
role downstream
threshold 1
}
interface eth2 {
role disabled
threshold 1
}
}
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name LAN1 {
authoritative enable
subnet 192.168.1.0/24 {
default-router 192.168.1.1
dns-server 194.158.122.10
dns-server 194.158.122.15
lease 86400
start 192.168.1.200 {
stop 192.168.1.240
}
}
}
shared-network-name LAN2 {
authoritative disable
subnet 192.168.2.0/24 {
default-router 192.168.2.1
dns-server 192.168.2.1
lease 86400
start 192.168.2.200 {
stop 192.168.2.240
}
}
}
static-arp disable
use-dnsmasq disable
}
dns {
forwarding {
cache-size 4096
listen-on lo
listen-on eth1
listen-on eth2
name-server 1.1.1.1
name-server 1.0.0.1
name-server 8.8.8.8
name-server 8.8.4.4
}
}
gui {
http-port 80
https-port 443
older-ciphers enable
}
nat {
rule 5010 {
description "masquerade for WAN"
outbound-interface eth0.100
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
unms {
disable
}
upnp2 {
listen-on eth1
listen-on eth2
nat-pmp enable
secure-mode enable
wan eth0.100
}
}
system {
host-name Ubnt
login {
user ubnt {
authentication {
encrypted-password blablablablabla
plaintext-password ""
}
level admin
}
}
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
offload {
hwnat disable
ipsec enable
ipv4 {
forwarding enable
vlan enable
}
ipv6 {
forwarding enable
vlan enable
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone Europe/Paris
traffic-analysis {
dpi enable
export enable
}
}
/* Warning: Do not remove the following line. */
/* === vyatta-config-version: "config-management@1:conntrack@1:cron@1:dhcp-relay@1:dhcp-server@4:firewall@5:ipsec@5:nat@3:qos@1:quagga@2:suspend@1:system@4:ubnt-pptp@1:ubnt-udapi-server@1:ubnt-unms@1:ubnt-util@1:vrrp@1:vyatta-netflow@1:webgui@1:webproxy@1:zone-policy@1" === */
/* Release version: v2.0.8-hotfix.1.5278088.200305.1640 */
firewall {
all-ping enable
broadcast-ping disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name WAN_IN {
default-action drop
description "WAN to internal"
rule 5 {
action accept
description "Allow Multicast"
destination {
address 224.0.0.0/4
}
}
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 5 {
action accept
description "Allow Multicast"
destination {
address 224.0.0.0/4
}
}
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
duplex auto
mac blablablablabla
speed auto
vif 100 {
address dhcp
description Internet
dhcp-options {
client-option "send vendor-class-identifier "BYGTELIAD";"
default-route update
default-route-distance 210
name-server update
}
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
}
}
ethernet eth1 {
address 192.168.1.1/24
description Local
duplex auto
speed auto
vif 52 {
address 10.0.10.1/24
description vlanTV
mtu 1500
}
}
ethernet eth2 {
address 192.168.2.1/24
description "Local 2"
duplex auto
speed auto
}
loopback lo {
}
}
port-forward {
auto-firewall enable
hairpin-nat enable
lan-interface eth1.52
rule 10 {
description Bbox4k_2
forward-to {
address 10.0.10.52
port 1234
}
original-port 1234
protocol udp
}
rule 11 {
description Bbox4k_3
forward-to {
address 10.0.10.52
port 8002
}
original-port 8002
protocol udp
}
rule 12 {
description Bbox4k_4
forward-to {
address 10.0.10.52
port 8000
}
original-port 8000
protocol udp
}
rule 13 {
description Bbox4K
forward-to {
address 10.0.10.52
port 20000-30000
}
original-port 20000-30000
protocol udp
}
wan-interface eth0.100
}
protocols {
igmp-proxy {
interface eth0.100 {
alt-subnet 193.251.97.0/24
alt-subnet 89.86.97.0/24
alt-subnet 176.165.8.0/24
alt-subnet 89.86.96.0/24
role upstream
threshold 1
}
interface eth1 {
alt-subnet 0.0.0.0/0
role downstream
threshold 1
}
interface eth2 {
role disabled
threshold 1
}
}
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name LAN1 {
authoritative enable
subnet 192.168.1.0/24 {
default-router 192.168.1.1
dns-server 194.158.122.10
dns-server 194.158.122.15
lease 86400
start 192.168.1.200 {
stop 192.168.1.240
}
}
}
shared-network-name LAN2 {
authoritative disable
subnet 192.168.2.0/24 {
default-router 192.168.2.1
dns-server 192.168.2.1
lease 86400
start 192.168.2.200 {
stop 192.168.2.240
}
}
}
shared-network-name dhcp52 {
authoritative disable
subnet 10.0.10.0/24 {
default-router 10.0.10.1
dns-server 194.158.122.10
dns-server 194.158.122.15
lease 86400
start 10.0.10.60 {
stop 10.0.10.99
}
static-mapping Bbox4K {
ip-address 10.0.10.52
mac-address blablablablabla
}
}
}
static-arp disable
use-dnsmasq disable
}
dns {
forwarding {
cache-size 4096
listen-on lo
listen-on eth1
listen-on eth2
name-server 1.1.1.1
name-server 1.0.0.1
name-server 8.8.8.8
name-server 8.8.4.4
}
}
gui {
http-port 80
https-port 443
older-ciphers enable
}
nat {
rule 5010 {
description "masquerade for WAN"
outbound-interface eth0.100
type masquerade
}
}
ssh {
port 2022
protocol-version v2
}
unms {
disable
}
upnp2 {
listen-on eth1
listen-on eth2
nat-pmp enable
secure-mode enable
wan eth0.100
}
}
system {
host-name Ubnt
login {
user ubnt {
authentication {
encrypted-password blablablablabla
plaintext-password ""
}
level admin
}
}
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
offload {
hwnat disable
ipsec enable
ipv4 {
forwarding enable
vlan enable
}
ipv6 {
forwarding enable
vlan enable
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
}
time-zone Europe/Paris
traffic-analysis {
dpi enable
export enable
}
}
Attached: the settings on 2 switches (TL-SG108E and Cisco SG250) for the dedicated IPTV VLAN per port. :o
firewall {
all-ping enable
broadcast-ping disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name WAN_IN {
default-action drop
description "WAN to internal"
rule 5 {
action accept
description "Allow Multicast"
destination {
address 224.0.0.0/4
}
}
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 5 {
action accept
description "Allow Multicast"
destination {
address 224.0.0.0/4
}
}
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
firewall {
all-ping enable
broadcast-ping disable
group {
address-group IPTV-multicast {
address 224.0.0.0/4
description ""
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name WAN_IN2 {
default-action drop
description "WAN to internal"
rule 10 {
action accept
description "Allow IPTV multicast UDP"
destination {
group {
address-group IPTV-multicast
}
}
log disable
protocol udp
}
rule 20 {
action accept
description "Allow IGMP"
log disable
protocol igmp
}
rule 30 {
action accept
description "Allow established/related"
log disable
protocol all
state {
established enable
invalid disable
new disable
related enable
}
}
rule 40 {
action drop
description "Drop invalid state"
log disable
protocol all
state {
established disable
invalid enable
new disable
related disable
}
}
}
name WAN_LOCAL2 {
default-action drop
description "WAN to router"
rule 10 {
action accept
description "Allow IPTV multicast UDP"
destination {
group {
address-group IPTV-multicast
}
}
log disable
protocol udp
}
rule 20 {
action accept
description "Allow IGMP"
log disable
protocol igmp
}
rule 30 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 40 {
action drop
description "Drop invalid state"
log disable
state {
invalid enable
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
name WAN_IN {
default-action drop
description "WAN to internal"
rule 15 {
action accept
description "Allow UDP to Multicast"
destination {
address 224.0.0.0/4
}
protocol udp
state {
new enable
}
}
rule 25 {
action accept
description "Allow ICMP"
protocol icmp
state {
established enable
related enable
}
}
rule 35 {
action accept
description "Allow IGMP"
protocol igmp
}
}
tcpdump: listening on eth0.100, link-type EN10MB (Ethernet), capture size 262144 bytes
16:44:39.000602 IP (tos 0x0, ttl 1, id 63114, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
0.0.0.0 > all-systems.mcast.net: igmp query v2
16:44:39.742779 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
176-133-x-y.abo.bbox.fr > all-routers.mcast.net: igmp v2 report all-routers.mcast.net
16:44:40.302753 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
176-133-x-y.abo.bbox.fr > igmp.mcast.net: igmp v2 report igmp.mcast.net
16:44:41.262736 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
176-133-x-y.abo.bbox.fr > 232.0.64.238: igmp v2 report 232.0.64.238
16:46:44.081735 IP (tos 0x0, ttl 1, id 63248, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
0.0.0.0 > all-systems.mcast.net: igmp query v2
16:46:51.262881 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
176-133-x-y.abo.bbox.fr > 232.0.64.238: igmp v2 report 232.0.64.238
16:46:53.182789 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
176-133-x-y.abo.bbox.fr > igmp.mcast.net: igmp v2 report igmp.mcast.net
16:46:53.182914 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
176-133-x-y.abo.bbox.fr > all-routers.mcast.net: igmp v2 report all-routers.mcast.net
16:48:49.180922 IP (tos 0x0, ttl 1, id 63385, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
0.0.0.0 > all-systems.mcast.net: igmp query v2
16:48:50.862810 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
176-133-x-y.abo.bbox.fr > igmp.mcast.net: igmp v2 report igmp.mcast.net
16:48:54.782747 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
176-133-x-y.abo.bbox.fr > 232.0.64.238: igmp v2 report 232.0.64.238
16:48:56.702776 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
176-133-x-y.abo.bbox.fr > all-routers.mcast.net: igmp v2 report all-routers.mcast.net
^C
12 packets captured
59 packets received by filter
0 packets dropped by kernel
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1.52, link-type EN10MB (Ethernet), capture size 262144 bytes
17:41:27.797728 IP 10.0.10.1 > 224.0.0.1: igmp query v2
17:41:29.500008 IP 10.0.10.52 > 239.255.3.22: igmp v2 report 239.255.3.22
17:41:29.899691 IP 10.0.10.52 > 239.255.255.250: igmp v2 report 239.255.255.250
17:41:33.537161 IP 10.0.10.1 > 233.89.188.1: igmp v2 report 233.89.188.1
17:41:35.457147 IP 10.0.10.1 > 224.0.0.2: igmp v2 report 224.0.0.2
17:41:38.017139 IP 10.0.10.1 > 224.0.0.22: igmp v2 report 224.0.0.22
^C
6 packets captured
6 packets received by filter
0 packets dropped by kernel
18:05:24.301520 IP (tos 0xe0, ttl 63, id 18215, offset 0, flags [none], proto UDP (17), length 73)
176-144-x-y.abo.bbox.fr.49153 > nsabo1.bouyguesbox.fr.domain: [udp sum ok] 22826+ AAAA? time-a.timefreq.bld
18:05:24.301804 IP (tos 0xe0, ttl 63, id 58154, offset 0, flags [none], proto UDP (17), length 73)
176-144-x-y.abo.bbox.fr.49153 > nsabo2.bouyguesbox.fr.domain: [udp sum ok] 22826+ AAAA? time-a.timefreq.bld
18:05:24.304727 IP (tos 0x80, ttl 250, id 18215, offset 0, flags [none], proto UDP (17), length 147)
nsabo1.bouyguesbox.fr.domain > 176-144-x-y.abo.bbox.fr.49153: [udp sum ok] 22826 q: AAAA? time-a.timefreq.b
18:05:24.741020 IP (tos 0x0, ttl 64, id 10175, offset 0, flags [DF], proto UDP (17), length 73)
176-144-x-y.abo.bbox.fr.57386 > nsabo1.bouyguesbox.fr.domain: [udp sum ok] 44375+ PTR? 22.124.144.176.in-ad
18:05:24.745689 IP (tos 0x80, ttl 59, id 11531, offset 0, flags [none], proto UDP (17), length 113)
nsabo1.bouyguesbox.fr.domain > 176-144-x-y.abo.bbox.fr.57386: [udp sum ok] 44375 q: PTR? 22.124.144.176.in-
18:05:24.747107 IP (tos 0x0, ttl 64, id 10176, offset 0, flags [DF], proto UDP (17), length 73)
176-144-x-y.abo.bbox.fr.55454 > nsabo1.bouyguesbox.fr.domain: [udp sum ok] 19980+ PTR? 10.122.158.194.in-ad
18:05:24.750805 IP (tos 0x80, ttl 250, id 10176, offset 0, flags [none], proto UDP (17), length 108)
nsabo1.bouyguesbox.fr.domain > 176-144-x-y.abo.bbox.fr.55454: [udp sum ok] 19980 q: PTR? 10.122.158.194.in-
18:05:24.752067 IP (tos 0x0, ttl 64, id 10177, offset 0, flags [DF], proto UDP (17), length 73)
176-144-x-y.abo.bbox.fr.41881 > nsabo1.bouyguesbox.fr.domain: [udp sum ok] 2766+ PTR? 15.122.158.194.in-add
18:05:24.755300 IP (tos 0x80, ttl 59, id 16779, offset 0, flags [none], proto UDP (17), length 108)
nsabo1.bouyguesbox.fr.domain > 176-144-x-y.abo.bbox.fr.41881: [udp sum ok] 2766 q: PTR? 15.122.158.194.in-a
18:05:25.714798 IP (tos 0x0, ttl 63, id 0, offset 0, flags [DF], proto TCP (6), length 107)
176-144-x-y.abo.bbox.fr.51231 > 216.218.230.212.8002: Flags [P.], cksum 0xde4e (correct), seq 3379178099:33
18:05:25.779126 IP (tos 0x0, ttl 64, id 10217, offset 0, flags [DF], proto UDP (17), length 74)
176-144-x-y.abo.bbox.fr.34928 > nsabo1.bouyguesbox.fr.domain: [udp sum ok] 12867+ PTR? 212.230.218.216.in-a
18:05:25.811980 IP (tos 0x80, ttl 59, id 11597, offset 0, flags [none], proto UDP (17), length 131)
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0.100, link-type EN10MB (Ethernet), capture size 262144 bytes
18:35:47.998797 IP 176.144.x-y > 224.0.0.2: igmp leave 232.0.64.206
18:35:48.027114 IP 176.144.x-y > 232.0.64.206: igmp v2 report 232.0.64.206
18:35:55.617146 IP 176.144.x-y > 232.0.64.206: igmp v2 report 232.0.64.206
18:36:05.217166 IP 176.144.x-y > 232.0.64.206: igmp v2 report 232.0.64.206
18:36:15.723767 IP 0.0.0.0 > 224.0.0.1: igmp query v2
18:36:16.357129 IP 176.144.x-y > 239.255.250.250: igmp v2 report 239.255.250.250
18:36:18.817128 IP 176.144.x-y > 233.89.188.1: igmp v2 report 233.89.188.1
18:36:20.177140 IP 176.144.x-y > 239.255.255.250: igmp v2 report 239.255.255.250
18:36:21.857131 IP 176.144.x-y > 239.255.3.22: igmp v2 report 239.255.3.22
18:36:24.417127 IP 176.144.x-y > 239.255.255.246: igmp v2 report 239.255.255.246
18:36:24.417271 IP 176.144.x-y > 232.0.64.206: igmp v2 report 232.0.64.206
^C
11 packets captured
11 packets received by filter
0 packets dropped by kernel
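As an added diagnostic example (not code from this thread or from any of the tools it uses), the Python script below parses tcpdump IGMPv2 output in the two formats of the captures above and flags, per multicast group, any gap between successive membership reports longer than the IGMPv2 Group Membership Interval (robustness 2 x query interval 125 s + query response interval 10 s = 260 s with RFC 2236 defaults): that is the point at which the upstream querier ages the group out and stops forwarding the stream, which is the stream-cuts-after-a-few-minutes symptom discussed when outgoing IGMP reports are not prioritised. Its two sample captures are constructed from the lines above, with one report deliberately delayed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# IGMPv2 defaults (RFC 2236, section 8): the querier forgets a group when no
# report for it arrives within the Group Membership Interval.
ROBUSTNESS = 2
QUERY_INTERVAL = 125.0
QUERY_RESPONSE_INTERVAL = 10.0
GROUP_MEMBERSHIP_INTERVAL = ROBUSTNESS * QUERY_INTERVAL + QUERY_RESPONSE_INTERVAL  # 260 s

_TS = re.compile(r"^(\d{2}):(\d{2}):(\d{2})\.(\d{1,6})\b")
_IGMP = re.compile(r"igmp (?:(query) v2|v2 (report) (\S+)|(leave) (\S+))")

@dataclass
class Event:
    t: float              # seconds since midnight, from the tcpdump timestamp
    kind: str             # "query", "report" or "leave"
    group: Optional[str]  # multicast group (address or resolved name)

def _records(text: str):
    """One string per packet: tcpdump -v puts the IGMP part on the line after
    the timestamped IP header line, so untimestamped lines are glued on."""
    rec = None
    for line in text.splitlines():
        if _TS.match(line):
            if rec is not None:
                yield rec
            rec = line
        elif rec is not None:
            rec += " " + line.strip()
    if rec is not None:
        yield rec

def parse_igmp(text: str) -> List[Event]:
    """Extract IGMPv2 queries, reports and leaves; anything else is skipped."""
    events = []
    for rec in _records(text):
        m = _IGMP.search(rec)
        if not m:
            continue
        h, mi, s, frac = _TS.match(rec).groups()
        t = int(h) * 3600 + int(mi) * 60 + int(s) + int(frac.ljust(6, "0")) / 1e6
        if m.group(1):
            events.append(Event(t, "query", None))
        elif m.group(2):
            events.append(Event(t, "report", m.group(3)))
        else:
            events.append(Event(t, "leave", m.group(5)))
    return events

def query_intervals(events: List[Event]) -> List[float]:
    """Seconds between successive General Queries (expect about 125 s)."""
    ts = [e.t for e in events if e.kind == "query"]
    return [b - a for a, b in zip(ts, ts[1:])]

def expired_groups(events: List[Event], interval: float = GROUP_MEMBERSHIP_INTERVAL
                   ) -> Dict[str, List[Tuple[float, float, float]]]:
    """Per group, (previous_report, report, gap) triples where two successive
    reports were more than `interval` s apart: an IGMPv2 querier has already
    aged the group out by then. An explicit Leave ends membership cleanly."""
    last: Dict[str, Optional[float]] = {}
    expired: Dict[str, List[Tuple[float, float, float]]] = {}
    for e in sorted(events, key=lambda ev: ev.t):
        if e.kind == "leave":
            last[e.group] = None
        elif e.kind == "report":
            prev = last.get(e.group)
            if prev is not None and e.t - prev > interval:
                expired.setdefault(e.group, []).append((prev, e.t, e.t - prev))
            last[e.group] = e.t
    return expired

# Constructed sample (plain tcpdump format, as in the eth0.100 capture above),
# with the last report for 232.0.64.206 deliberately delayed beyond 260 s.
SAMPLE = """\
18:35:47.998797 IP 176.144.x-y > 224.0.0.2: igmp leave 232.0.64.206
18:35:48.027114 IP 176.144.x-y > 232.0.64.206: igmp v2 report 232.0.64.206
18:36:15.723767 IP 0.0.0.0 > 224.0.0.1: igmp query v2
18:36:20.177140 IP 176.144.x-y > 239.255.255.250: igmp v2 report 239.255.255.250
18:38:20.723767 IP 0.0.0.0 > 224.0.0.1: igmp query v2
18:38:24.417271 IP 176.144.x-y > 232.0.64.206: igmp v2 report 232.0.64.206
18:40:30.500000 IP 176.144.x-y > 239.255.255.250: igmp v2 report 239.255.255.250
18:45:10.000000 IP 176.144.x-y > 232.0.64.206: igmp v2 report 232.0.64.206
"""

# Constructed sample in the two-line tcpdump -v format of the first capture.
VERBOSE = """\
16:44:39.000602 IP (tos 0x0, ttl 1, id 63114, offset 0, flags [none], proto IGMP (2), length 32, options (RA))
0.0.0.0 > all-systems.mcast.net: igmp query v2
16:44:41.262736 IP (tos 0xc0, ttl 1, id 0, offset 0, flags [DF], proto IGMP (2), length 32, options (RA))
176-133-x-y.abo.bbox.fr > 232.0.64.238: igmp v2 report 232.0.64.238
"""

if __name__ == "__main__":
    ev = parse_igmp(SAMPLE)
    print("query intervals (s):", [round(x, 1) for x in query_intervals(ev)])
    for group, gaps in expired_groups(ev).items():
        for prev, now, gap in gaps:
            print(f"{group}: {gap:.1f} s without a report, querier timed it out")
```

Replace SAMPLE with output saved from `tcpdump -i eth0.100 igmp` (with or without -v) to check a real session.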
config-file-header
cisco
v2.5.5.47 / RTESLA2.5.5_930_364_286
CLI v1.0
file SSD indicator encrypted
@
ssd-control-start
ssd config
ssd file passphrase control unrestricted
no ssd file integrity control
ssd-control-end cb0.............
!
!
unit-type-control-start
unit-type unit 1 network gi uplink none
unit-type-control-end
!
bridge multicast filtering
vlan database
vlan 100
exit
voice vlan oui-table add 0001e3 Siemens_AG_phone________
voice vlan oui-table add 00036b Cisco_phone_____________
voice vlan oui-table add 00096e Avaya___________________
voice vlan oui-table add 000fe2 H3C_Aolynk______________
voice vlan oui-table add 0060b9 Philips_and_NEC_AG_phone
voice vlan oui-table add 00d01e Pingtel_phone___________
voice vlan oui-table add 00e075 Polycom/Veritel_phone___
voice vlan oui-table add 00e0bb 3Com_phone______________
bonjour interface range vlan 1
qos advanced
qos advanced-mode trust cos
mac access-list extended "vlan100"
permit any any vlan 100 ace-priority 1
exit
ip access-list extended IGMP
permit igmp any any ace-priority 1
exit
class-map TV
match access-group IGMP
match access-group "vlan100"
exit
policy-map bbox
class TV
set cos 3
exit
exit
hostname cisco
username blabla password encrypted blabla privilege 15
ip ssh server
ip ssh password-auth
ip ssh-client username admin
encrypted ip ssh-client password blabla
ip ssh-client server authentication
clock timezone J 1
clock source browser
!
interface vlan 1
ip address 192.168.1.8 255.255.255.0
no ip address dhcp
!
interface vlan 100
name Internet
!
interface GigabitEthernet1
description interco
!
interface GigabitEthernet2
description router-eth1
!
interface GigabitEthernet3
description router-eth5
switchport mode trunk
switchport access vlan none
switchport trunk native vlan none
switchport trunk allowed vlan 100
switchport customer vlan 100
!
interface GigabitEthernet4
description ONT
service-policy output bbox default-action permit-any
switchport mode trunk
switchport access vlan none
switchport general pvid 100
switchport trunk native vlan none
switchport trunk allowed vlan 100
!
interface GigabitEthernet5
switchport mode trunk
switchport access vlan none
switchport general pvid 100
switchport trunk native vlan none
switchport trunk allowed vlan 100
!
interface GigabitEthernet8
description Borne-wifi-room
!
exit
ip igmp snooping
ip igmp snooping vlan 1
ip igmp snooping vlan 1 immediate-leave
ip igmp snooping vlan 1 querier
firewall {
all-ping enable
broadcast-ping disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
name WAN_IN {
default-action drop
description "WAN to internal"
enable-default-log
rule 20 {
action accept
description IPTV
destination {
address 224.0.0.0/4
group {
}
}
log disable
protocol all
}
rule 30 {
action accept
description "Allow Multicast UDP"
destination {
address 224.0.0.0/4
}
log disable
protocol udp
state {
established disable
invalid disable
new enable
related disable
}
}
rule 40 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 50 {
action drop
description "Drop invalid state"
log enable
state {
invalid enable
}
}
}
name WAN_LOCAL {
default-action drop
description "WAN to router"
enable-default-log
rule 20 {
action accept
description IPTV
destination {
address 224.0.0.0/4
group {
}
}
log disable
protocol all
}
rule 30 {
action accept
description BBOX
log disable
protocol all
source {
address 192.168.2.123
}
}
rule 40 {
action accept
description BBOX2
destination {
address 192.168.2.123
}
log disable
protocol all
}
rule 50 {
action accept
description VPN-XYZ
log disable
protocol all
source {
address 192.168.42.0/24
}
}
rule 60 {
action accept
description OPENVPN
destination {
port 1194
}
log disable
protocol udp
source {
}
}
rule 70 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 80 {
action drop
description "Drop invalid state"
log enable
state {
invalid enable
}
}
}
receive-redirects disable
send-redirects enable
source-validation disable
syn-cookies enable
}
interfaces {
ethernet eth0 {
duplex auto
speed auto
}
ethernet eth1 {
address 192.168.1.1/24
description Local
duplex auto
speed auto
}
ethernet eth2 {
address 192.168.2.1/24
description IPTV
duplex auto
poe {
output off
}
speed auto
}
ethernet eth3 {
duplex auto
speed auto
}
ethernet eth4 {
duplex auto
speed auto
}
ethernet eth5 {
address dhcp
description Internet
duplex full
speed 1000
vif 100 {
address dhcp
description INTERNET
dhcp-options {
client-option "send vendor-class-identifier "BYGTELIAD";"
default-route update
default-route-distance 210
name-server update
}
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
mtu 1500
}
}
loopback lo {
}
openvpn vtun0 {
mode server
server {
name-server 192.168.1.1
push-route 192.168.1.0/24
push-route 192.168.42.0/24
subnet 10.255.2.0/24
}
tls {
ca-cert-file /config/auth/cacert.pem
cert-file /config/auth/server2.pem
dh-file /config/auth/dh.pem
key-file /config/auth/server2.key
}
}
}
port-forward {
auto-firewall enable
hairpin-nat enable
lan-interface eth1
lan-interface eth2
rule 1 {
description "xxx http"
forward-to {
address 192.168.1.254
port 9988
}
original-port 9988
protocol tcp_udp
}
rule 2 {
description "xxx https"
forward-to {
address 192.168.1.254
port 9989
}
original-port 9989
protocol tcp_udp
}
rule 3 {
description Bbox4k_1
forward-to {
address 192.168.2.123
port 1234
}
original-port 1234
protocol udp
}
rule 4 {
description Bbox4k_2
forward-to {
address 192.168.2.123
port 8002
}
original-port 8002
protocol udp
}
rule 5 {
description Bbox4k_3
forward-to {
address 192.168.2.123
port 8000
}
original-port 8000
protocol udp
}
rule 6 {
description Bbox4K_4
forward-to {
address 192.168.2.123
port 20000-30000
}
original-port 20000-30000
protocol udp
}
wan-interface eth5.100
}
protocols {
igmp-proxy {
interface eth1 {
role disabled
threshold 1
}
interface eth2 {
alt-subnet 0.0.0.0/0
role downstream
threshold 1
}
interface eth5.100 {
alt-subnet 0.0.0.0/0
role upstream
threshold 1
}
}
static {
route 192.168.11.0/24 {
next-hop 192.168.42.1 {
description OPENVPN
distance 1
}
}
}
}
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name LAN1 {
authoritative enable
subnet 192.168.1.0/24 {
default-router 192.168.1.1
dns-server 194.158.122.10
dns-server 194.158.122.15
domain-name xyz.lan
lease 86400
start 192.168.1.90 {
stop 192.168.1.150
}
}
}
shared-network-name LAN2 {
authoritative disable
description TV
subnet 192.168.2.0/24 {
default-router 192.168.2.1
dns-server 194.158.122.10
dns-server 194.158.122.15
lease 86400
start 192.168.2.100 {
stop 192.168.2.149
}
static-mapping Bouygtel4K-1234567890 {
ip-address 192.168.2.123
mac-address blabla
}
}
}
static-arp disable
use-dnsmasq enable
}
dns {
forwarding {
cache-size 4000
listen-on eth1
listen-on eth2
name-server 208.67.222.222
name-server 208.67.220.220
name-server 208.67.222.220
options dhcp-vendorclass=set:bbox,stb_bytel
options dhcp-option=tag:bbox,42,194.158.119.97
options dhcp-option=tag:bbox,15,lan
options dhcp-option=tag:bbox,58,150
options dhcp-option=tag:bbox,59,262
options dhcp-option=tag:bbox,125,00:00:00....
}
}
gui {
http-port 80
https-port 443
older-ciphers enable
}
nat {
rule 5010 {
description "masquerade for WAN"
log disable
outbound-interface eth5.100
protocol all
type masquerade
}
}
ssh {
port 22
protocol-version v2
}
unms {
connection wss://192.168.1.11:443+.....
}
}
system {
analytics-handler {
send-analytics-report false
}
crash-handler {
send-crash-report false
}
domain-name xyz.lan
flow-accounting {
disable-memory-table
ingress-capture post-dnat
interface eth1
netflow {
enable-egress {
engine-id 1
}
engine-id 0
mode daemon
server 192.168.1.11 {
port 2055
}
timeout {
expiry-interval 60
flow-generic 60
icmp 60
max-active-life 60
tcp-fin 10
tcp-generic 60
tcp-rst 10
udp 60
}
version 9
}
syslog-facility daemon
}
host-name Router
login {
banner {
post-login "Now You are logged on Edge-MAX router !\n"
pre-login "*************************************************************\n*
.........................
*\n*************************************************************\n"
}
user admin {
authentication {
encrypted-password ****************
}
level admin
}
}
name-server 127.0.0.1
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
}
offload {
hwnat disable
ipsec enable
ipv4 {
forwarding enable
vlan enable
}
ipv6 {
forwarding enable
vlan enable
}
}
syslog {
global {
facility all {
level notice
}
facility protocols {
level debug
}
}
host 192.168.1.11:5514 {
facility all {
level info
}
}
}
time-zone Europe/Paris
traffic-analysis {
dpi enable
export enable
}
}
vpn {
ipsec {
allow-access-to-local-interface disable
auto-firewall-nat-exclude enable
esp-group FOO0 {
compression disable
lifetime 3600
mode tunnel
pfs enable
proposal 1 {
encryption aes128
hash sha1
}
}
ike-group FOO0 {
ikev2-reauth no
key-exchange ikev1
lifetime 28800
proposal 1 {
dh-group 14
encryption aes128
hash sha1
}
}
site-to-site {
peer abcd.com {
authentication {
mode pre-shared-secret
pre-shared-secret ****************
}
connection-type initiate
description VPN
ike-group FOO0
ikev2-reauth inherit
local-address any
tunnel 1 {
allow-nat-networks disable
allow-public-networks disable
esp-group FOO0
local {
prefix 192.168.1.0/24
}
remote {
prefix 192.168.42.0/24
}
}
tunnel 2 {
allow-nat-networks disable
allow-public-networks disable
esp-group FOO0
local {
prefix 192.168.1.0/24
}
remote {
prefix 192.168.11.0/24
}
}
}
}
}
}