Tutoriel réalisé avec une VM OpenWRT 22.03.
0. Prérequis.
Avoir au moins 2 ports réseaux physiques (voire 3 si on branche la Bbox en tant qu'adaptateur SIP et qu'on ne veut pas se compliquer la vie avec les VLAN).
Comprendre les problèmes liés à la diffusion de trames multicast sur son réseau (et la solution de l'IGMP snooping)
Avec une architecture x86, le switch est logiciel, les problématiques de switch hardware ou d'offload ne seront pas détaillées.
Paquets à installer:
- igmpproxy
- ip-full (au cas où)
1. Accès internet et firewall.
Si vous utilisez les règles fw par défaut d'OpenWRT, vous aurez accès à Internet (au moins IPv4) avec cette configuration (le spoof de l'@ MAC n'est obligatoire si et seulement si le bail DHCP est libéré proprement).
Pour IPv6 il faut calculer votre clientid en fonction de l'adresse MAC de votre bbox, il s'agit d'avoir '00030001 + @MAC bbox'.
Dans mon cas, j'ai une configuration avec le téléphone fixe dont on peut se passer d'autant plus que ByTel ne fournit qu'un /60 malheureusement.
J'ai également fait le choix de pouvoir au moins faire des requêtes ICMP sur l'ONT Huawei HG8010H (IP 192.168.100.1).
Je force l'IGMP en version 2, obligatoire pour la TV.
/etc/config/network
config interface 'loopback'
option proto 'static'
option ipaddr '127.0.0.1'
option netmask '255.0.0.0'
option device 'lo'
config globals 'globals'
option packet_steering '1'
config interface 'lan'
option proto 'static'
option ipaddr '192.168.1.1'
option netmask '255.255.255.0'
list dns '80.67.169.12'
list dns '80.67.169.40'
option ip6ifaceid '::e1'
option ip6assign '64'
option device 'br-lan'
config interface 'wan'
option proto 'dhcp'
option vendorid 'BYGTELIAD'
option device 'eth1.100'
option delegate '0'
config interface 'wan6'
option proto 'dhcpv6'
option device 'eth1.100'
option ip6assign '64'
option ip6ifaceid '::1'
option reqprefix '60'
option clientid '00030001506f0c1a2b34'
option reqaddress 'none'
config interface 'telephone'
option proto 'static'
option ipaddr '192.168.9.1'
option netmask '255.255.255.0'
option device 'br-telephone'
option ip6ifaceid '::f1'
option ip6assign '63'
config interface 'ONT'
option proto 'static'
option ipaddr '192.168.100.99'
option netmask '255.255.255.0'
option device 'eth1'
option delegate '0'
config device
option name 'br-lan'
option type 'bridge'
list ports 'eth0'
list ports 'eth2'
option igmpversion '2'
option acceptlocal '1'
option sendredirects '0'
config device
option name 'br-telephone'
option type 'bridge'
list ports 'br-lan.100'
option acceptlocal '1'
option ip6segmentrouting '0'
option sendredirects '0'
config device
option name 'eth1.100'
option type '8021q'
option ifname 'eth1'
option vid '100'
option igmpversion '2'
option macaddr '50:6F:0C:1A:2B:34'
config device
option name 'br-lan.100'
option type '8021q'
option ifname 'br-lan'
option vid '100'
option ipv6 '1'
Veuillez noter la zone dédiée pour la bbox et la marquage prévu pour avoir la TV.
En outre, j'ai préféré séparer les règles pour wan et wan6 (question de goût).
/etc/config/firewall
config defaults
option output 'ACCEPT'
option synflood_protect '1'
option forward 'DROP'
option drop_invalid '1'
option input 'ACCEPT'
config zone
option name 'lan'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq_allow_invalid '1'
list network 'lan'
list network 'ONT'
config zone
option input 'ACCEPT'
option name 'telephone'
option output 'ACCEPT'
option forward 'ACCEPT'
option masq_allow_invalid '1'
list network 'telephone'
config zone
option name 'wan'
option output 'ACCEPT'
option masq '1'
option mtu_fix '1'
option input 'DROP'
option forward 'DROP'
option family 'ipv4'
list network 'wan'
config forwarding
option src 'lan'
option dest 'wan'
config rule
option name 'Allow-DHCP-Renew'
option src 'wan'
option proto 'udp'
option dest_port '68'
option target 'ACCEPT'
option family 'ipv4'
config rule
option name 'Allow-Ping'
option src 'wan'
option proto 'icmp'
option icmp_type 'echo-request'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-IGMP'
option src 'wan'
option proto 'igmp'
option family 'ipv4'
option target 'ACCEPT'
config rule
option name 'Allow-DHCPv6'
option proto 'udp'
option dest_port '546'
option family 'ipv6'
option target 'ACCEPT'
option src 'wan6'
config rule
option name 'Allow-MLD'
option proto 'icmp'
option family 'ipv6'
option target 'ACCEPT'
list src_ip 'fe80::/10'
option src 'wan6'
config rule
option name 'Allow-ICMPv6-Input'
option proto 'icmp'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
list icmp_type 'destination-unreachable'
list icmp_type 'echo-reply'
list icmp_type 'echo-request'
list icmp_type 'neighbour-advertisement'
list icmp_type 'neighbour-solicitation'
list icmp_type 'packet-too-big'
list icmp_type 'router-advertisement'
list icmp_type 'router-solicitation'
list icmp_type 'time-exceeded'
option src 'wan6'
config rule
option name 'Allow-ICMPv6-Forward'
option dest '*'
option proto 'icmp'
option limit '1000/sec'
option family 'ipv6'
option target 'ACCEPT'
list icmp_type 'destination-unreachable'
list icmp_type 'echo-reply'
list icmp_type 'echo-request'
list icmp_type 'neighbour-advertisement'
list icmp_type 'neighbour-solicitation'
list icmp_type 'packet-too-big'
list icmp_type 'redirect'
list icmp_type 'router-advertisement'
list icmp_type 'router-solicitation'
list icmp_type 'time-exceeded'
option src 'wan6'
config rule
option name 'Allow-IPSec-ESP'
option src 'wan'
option dest 'lan'
option proto 'esp'
option target 'ACCEPT'
option family 'ipv4'
config rule
option family 'ipv6'
list proto 'esp'
option src 'wan6'
option dest 'lan'
option target 'ACCEPT'
option name 'Allow-IPSec-ESP-v6'
config rule
option name 'Allow-ISAKMP'
option src 'wan'
option dest 'lan'
option dest_port '500'
option proto 'udp'
option target 'ACCEPT'
option family 'ipv4'
config include 'bytel_rules'
option enabled '1'
option type 'nftables'
option path '/etc/nftables.d/nft-prio6-rules.include'
option position 'chain-append'
option chain 'mangle_postrouting'
config rule
option name 'Allow-ISAKMP-v6'
option family 'ipv6'
list proto 'udp'
option src 'wan6'
option dest 'lan'
option dest_port '500'
option target 'ACCEPT'
config redirect
option dest_port '20000-30000'
option src 'wan'
option name 'Miami replay 1'
option src_ip '212.195.48.0/24'
option target 'DNAT'
option dest 'lan'
option src_dport '20000-30000'
list proto 'udp'
option dest_ip '192.168.1.2'
option enabled '0'
config redirect
option dest_port '20000-30000'
option src 'wan'
option name 'Miami replay 2'
option src_ip '212.195.244.0/24'
option target 'DNAT'
option dest 'lan'
option src_dport '20000-30000'
list proto 'udp'
option dest_ip '192.168.1.2'
option enabled '0'
config redirect
option dest_port '20000-30000'
option src 'wan'
option name 'Miami replay 3'
option src_ip '62.34.201.0/24'
option target 'DNAT'
option dest 'lan'
option src_dport '20000-30000'
list proto 'udp'
option dest_ip '192.168.1.2'
option enabled '0'
config redirect
option dest_port '20000-30000'
option src 'wan'
option name 'Miami replay 4'
option src_ip '194.158.119.0/24'
option target 'DNAT'
option dest 'lan'
option src_dport '20000-30000'
list proto 'udp'
option dest_ip '192.168.1.2'
option enabled '0'
config redirect
option dest_port '20000-30000'
option src 'wan'
option name 'Miami replay 5'
option target 'DNAT'
option dest 'lan'
option src_dport '20000-30000'
list proto 'udp'
option src_ip '195.36.152.0/24'
option dest_ip '192.168.1.2'
option enabled '0'
config redirect
option src 'wan'
option name 'CMS1'
option src_dport '8443'
option target 'DNAT'
option dest_ip '192.168.1.2'
option dest 'lan'
list proto 'tcp'
option dest_port '8443'
config redirect
option dest_port '51005'
option name 'TR-069'
option src_dport '51005'
option target 'DNAT'
option dest_ip '192.168.9.2'
list proto 'tcp'
option dest 'telephone'
option src 'dmz'
config rule
option dest_port '8443'
option src 'wan'
option name 'CMS1'
option dest 'lan'
list dest_ip '192.168.1.2'
option target 'ACCEPT'
list proto 'tcp'
option family 'ipv4'
config zone
option name 'wan6'
option input 'DROP'
option output 'ACCEPT'
option forward 'DROP'
option mtu_fix '1'
option family 'ipv6'
list network 'wan6'
list device 'br-lan'
config forwarding
option src 'lan'
option dest 'wan6'
config rule
option dest_port '20000-30000'
option src 'wan'
option name 'Miami replays'
list src_ip '212.195.48.0/24'
list src_ip '212.195.244.0/24'
list src_ip '62.34.201.0/24'
list src_ip '194.158.119.0/24'
list src_ip '195.36.152.0/24'
option family 'ipv4'
option target 'ACCEPT'
option dest 'lan'
list proto 'udp'
list dest_ip '192.168.1.2'
option enabled '0'
config rule
option dest_port '51005'
option name 'TR-069'
option target 'ACCEPT'
list proto 'tcp'
option dest 'telephone'
list dest_ip '192.168.9.2'
option family 'ipv4'
option src 'dmz'
config include 'miniupnpd'
option type 'script'
option path '/usr/share/miniupnpd/firewall.include'
config zone
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'ACCEPT'
list device 'br-telephone'
list network 'wan6'
option masq_allow_invalid '1'
option name 'dmz'
option masq '1'
config forwarding
option src 'telephone'
option dest 'dmz'
2. TV & replays
Il faut installer igmpproxy (mcproxy ou omcproxy ne sont pas suffisamment développés).
Les paquets installés ajoutent des règles pour le multicast à la règle déjà existante pour l'IGMP.
Il faut aussi installer miniupnpd pour que la Miami (ici 192.168.1.2) puisse ouvrir un port pour le service TR-069
/etc/sysctl.conf devrait contenir ceci (à vérifier toutefois).
# Defaults are configured in /etc/sysctl.d/* and can be customized in this file
net.ipv4.conf.all.force_igmp_version=2
net.ipv4.conf.all.mc_forwarding = 1
/etc/config/igmpproxy
config igmpproxy
option quickleave 1
# option verbose [0-3](none, minimal[default], more, maximum)
config phyint
option network wan
option zone wan
option direction upstream
list altnet 193.251.97.0/24
list altnet 89.86.97.0/24
list altnet 89.86.96.0/24
config phyint
option network lan
option zone lan
option direction downstream
list altnet 192.168.1.0/24
Vous noterez que, j'ai aussi inclus d'autres modifications de DSCP pour copier au mieux la Bbox (on ne sait jamais).
/etc/nftables.d/nft-prio6-rules.include
oifname "eth1.100" counter meta priority set 0:1
oifname "eth1.100" ip protocol icmp counter meta priority set 0:5
oifname "eth1.100" ip protocol igmp counter meta priority set 0:5
oifname "eth1.100" udp dport 67 counter meta priority set 0:6
oifname "eth1.100" udp dport 547 counter meta priority set 0:6
oifname "eth1.100" udp dport 5060 counter meta priority set 0:5
oifname "eth1.100" ip protocol icmpv6 counter meta priority set 0:5
SI vous n'avez pas le télé de façon optimale (coupure 5 min après avoir lancé le flux), vous pouvez faire tourner ce script (paquet ip-full requis) :
#!/bin/sh
set -x
## on définit pour chaque file une priorité
for i in 0 1 2 3 4 5 6 7; do
ip link set eth1.100 type vlan egress $i:$i >/dev/null
done
## On modifie la priorité de la file 1 à 0 c'est là qu'on renverra tout nos paquets, la file 0 qui est celle par défaut passe à 6
ip link set eth1.100 type vlan egress 1:0 >/dev/null
ip link set eth1.100 type vlan egress 0:6 >/dev/null
SI la TV mais surtout les replays ne fonctionnent pas malgré un marquage correctement appliqué, il faudrait peut-être avoir une VM (par exemple) qui a pour hostname gestionbbox et qui contient un serveur web pour servir:
ls -lR /var/www/api/
/var/www/api/:
total 4
drwxr-xr-x 3 root root 4096 Oct 16 2021 v1
/var/www/api/v1:
total 4
drwxr-xr-x 3 root root 4096 Oct 24 2021 wan
/var/www/api/v1/wan:
total 20
-rw-r--r-- 1 root root 7729 Oct 24 2021 diags.json
drwxr-xr-x 2 root root 4096 Oct 24 2021 ftth
-rw-r--r-- 1 root root 363 Jan 21 13:35 ip.json
-rw-r--r-- 1 root root 331 Oct 16 2021 xdsl.json
/var/www/api/v1/wan/ftth:
total 4
-rw-r--r-- 1 root root 56 Oct 24 2021 stats.json
ip.json (les informations se trouvent dans les menus OpenWRT):
[{"wan":{"internet":{"state":2},"interface":{"id":8,"default":0,"state":1},"ip":{"address":"IP4_publique","cgnatenable":0,"maptenable":0,"state":"Up","gateway":"GW_IP4","dnsservers":"194.158.122.10,194.158.122.15","subnet":"255.255.255.255","dnsserversv6":"2001:860:b0ff:1::1,2001:860:b0ff:1::2","ip6state":"Up","ip6address":[{"ipaddress":"IP6","status":"Preferred","valid":"9999-12-31T23:59:59Z","preferred":"9999-12-31T23:59:59Z"}],"ip6prefix":[{"prefix":"IP6_prefixe/64","status":"Preferred","valid":"2023-04-14T19:34:00+0200","preferred":"2023-04-14T19:04:00+0200"}],"mac":"50:6f:0c:1a:2b:34","mtu":1500},"link":{"state":"Up","type":"ftth"}}}]
xdsl.json:
[{"wan":{"xdsl":{"state":"Idle","modulation":"","showtime":0,"atur_provider":"","atuc_provider":"","sync_count":0,"up":{"bitrates":0,"noise":0,"attenuation":0,"power":0,"phyr":0,"ginp":0,"nitro":"","interleave_delay":0},"down":{"bitrates":0,"noise":0,"attenuation":0,"power":0,"phyr":0,"ginp":0,"nitro":0,"interleave_delay":0}}}}]
stats.json:
[{"wan":{"ftth":{"mode":"1000baseT-FD","state":"Up"}}}]
et pour nginx:
server {
listen 80 default_server;
listen [::]:80 default_server;
server_name gestionbbox.lan;
# Everything is a 404
# location / {
# return 404;
# }
# You may need this to prevent return 404 recursion.
# location = /404.html {
# internal;
# }
root /var/www;
if ($request_uri ~ ^/([^?]*)\.json(\?.*)?$) {
return 302 /$1$2;
}
try_files $uri $uri.json =404;
}
3. Téléphone
En branchant la bbox, cela devrait fonctionner si celle-ci reçoit un /64 depuis OpenWRT.
4. Bugs connus
igmpproxy renvoie ce genre de messages chez moi:
Fri Apr 14 16:57:31 2023 user.warn igmpproxy[7256]: MRT_DEL_MFC; Errno(2): No such file or directory
sans impact notable mais cela pourrait ne pas être le cas chez vous.
Remplacer la Bbox par un routeur