Anime4000 / RTL960x

Hacking RTL960x based xPON ONU Stick to suite your Universal OLT
The Unlicense

IPTV with RB4011iGS+ (RouterOS 7.11.2) and DFP-34X-2C2 (V1.0-220923). Is it possible? > Yes. It works. #214

Closed. rndm2 closed this 11 months ago.

rndm2 commented 11 months ago

Hi

I spent three days triple-checking all config settings and still can't get Movistar's Spain IPTV working. Internet is fine. I need the community's help.

Provider: Movistar Spain
Hardware: RB4011iGS+ (RouterOS 7.11.2) + DFP-34X-2C2 (V1.0-220923)
VLANs: 1370 for internet (mapped to 6 on original router), 6 for IPTV (mapped to 2 on original router)
Movistar's TV decoder is connected to eth4.

I am doing everything that is needed:
IGMP proxy from VLAN2 to Deco eth4
DHCP Server + Option 60, 240
Firewall allow + NAT/Masquerade
RIP (I can receive routes)

I can see 10.128.0.1 and query DNS from 172.26.23.3 but no IGMP traffic, even though Mikrotik stats show me 11 Mbps of traffic on SFP. But this traffic disappears after some time (maybe the OLT stops sending it?).

[Screenshot: 2023-12-04 10:56:00]

I tried direct access to rtp://@239.0.0.77:8208 (which was taken from here) with VLC on a local computer and it is not working as well.

Mikrotik config and some dump from SFP are at the very bottom.

As for the stick: VLAN_CFG_TYPE=1, DIRECT_BRIDGE_MODE=1, DUAL_MGMT_MODE=1 and I tried with VLAN_MANU_MODE. IGMP snooping on the stick itself is disabled. All other settings are defaults. No luck so far :( Is it even supposed to work?

What am I missing? Appreciate any clues. Thanks.


Updated config that works:

# 2023-12-08 14:26:48 by RouterOS 7.12.1
# software id = 509T-I03N
#
# model = RB4011iGS+
# serial number = 000000000000
/interface bridge
add comment=defconf igmp-snooping=yes name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment="Living Room Ethernet" name=eth1
set [ find default-name=ether2 ] comment="Living Room Cat's" name=eth2
set [ find default-name=ether3 ] comment=Kitchen name=eth3
set [ find default-name=ether4 ] comment="Kostiantyn's Office" name=eth4
set [ find default-name=ether5 ] comment="Massage BlackIron" name=eth5
set [ find default-name=ether6 ] comment="Karina's Office WiFi Repeater" \
    name=eth6
set [ find default-name=ether7 ] comment=Unknown name=eth7
set [ find default-name=ether8 ] comment="Living Room WiFi" name=eth8
set [ find default-name=ether9 ] comment=Bedroom name=eth9
set [ find default-name=ether10 ] comment=Unused name=eth10
set [ find default-name=sfp-sfpplus1 ] l2mtu=1592 name=sfp rx-flow-control=\
    auto tx-flow-control=auto
/interface vlan
add interface=sfp name=vlan-internet vlan-id=1370
add interface=sfp name=vlan-iptv vlan-id=6
add interface=sfp name=vlan-iptv-multicast1 vlan-id=180
add interface=sfp name=vlan-iptv-multicast2 vlan-id=182
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan-internet name=\
    pppoe-internet user=adslppp@telefonicanetpa
/interface ovpn-client
add auth=null certificate=vpn.obfuscated.domain.tld cipher=aes128-cbc connect-to=\
    obfuscated.domain.tld mac-address=02:27:DD:DC:A8:6A name=vpn.obfuscated.domain.tld \
    use-peer-dns=no user=none
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=WAN-IPTV
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=240 name=iptv-240 value=\
    "':::::239.0.2.10:22222:v6.0:239.0.2.29:22222'"
add code=60 name=iptv-60 value="'[IAL]'"
/ip pool
add name=lan ranges=10.10.10.230-10.10.10.250
add name=iptv ranges=10.10.20.230-10.10.20.250
/ip dhcp-server
add address-pool=lan interface=bridge lease-time=12h name=defconf
/port
set 0 name=serial0
set 1 name=serial1
/routing rip instance
add disabled=no name=iptv
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=eth2
add bridge=bridge comment=defconf ingress-filtering=no interface=eth3
add bridge=bridge comment=defconf ingress-filtering=no interface=eth4
add bridge=bridge comment=defconf ingress-filtering=no interface=eth5
add bridge=bridge comment=defconf ingress-filtering=no interface=eth6
add bridge=bridge comment=defconf ingress-filtering=no interface=eth7
add bridge=bridge comment=defconf ingress-filtering=no interface=eth8
add bridge=bridge comment=defconf ingress-filtering=no interface=eth9
add bridge=bridge comment=defconf ingress-filtering=no interface=eth10
add bridge=bridge comment=defconf ingress-filtering=no interface=eth1
add bridge=bridge interface=vlan-iptv-multicast1
add bridge=bridge interface=vlan-iptv-multicast2
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=pppoe-internet list=WAN
add interface=sfp list=WAN
add interface=vlan-iptv list=WAN-IPTV
/interface ovpn-server server
set auth=sha1,md5 certificate=bcn.obfuscated.domain.tld
/ip address
add address=10.10.10.1/24 comment=defconf interface=bridge network=10.10.10.0
add address=192.168.1.250/24 comment=sfp interface=sfp network=192.168.1.0
add address=10.10.20.1/24 comment=iptv interface=bridge network=10.10.20.0
add address=10.150.xxx.xxx/9 comment=iptv interface=vlan-iptv network=\
    10.128.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server lease
...
add address=10.10.20.250 comment="IPTV Deco" mac-address=\
    A0:E7:AE:E7:C3:0A server=defconf
/ip dhcp-server network
add address=10.10.10.0/24 comment=defconf domain=Irons gateway=10.10.10.1 \
    netmask=24
add address=10.10.20.0/24 comment=iptv dhcp-option=iptv-60,iptv-240 \
    dns-server=172.26.23.3 gateway=10.10.20.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip dns static
...
/ip firewall address-list
...
/ip firewall filter
add action=drop chain=input comment="drop ssh brute forcers" dst-port=222 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=4w2d chain=input connection-state=new dst-port=222 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=222 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=222 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=222 \
    protocol=tcp
add action=drop chain=forward comment="drop rdp brute forcers" dst-port=3389 \
    in-interface=!bridge protocol=tcp src-address-list=rdp_blacklist
add action=add-src-to-address-list address-list=rdp_blacklist \
    address-list-timeout=4w2d chain=forward connection-state=new dst-port=\
    3389 protocol=tcp src-address-list=rdp_stage3
add action=add-src-to-address-list address-list=rdp_stage3 \
    address-list-timeout=1m chain=forward dst-port=3389 protocol=tcp \
    src-address-list=rdp_stage2
add action=add-src-to-address-list address-list=rdp_stage2 \
    address-list-timeout=1m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage1
add action=add-src-to-address-list address-list=rdp_stage1 \
    address-list-timeout=1m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=\
    222 protocol=tcp src-address-list=ssh_blacklist
add action=accept chain=input comment=SNMP dst-port=161,162 protocol=udp \
    src-address=xxx.xxx.xxx.xxx
add action=accept chain=input comment="wan access to port 222,443" dst-port=\
    222,443 protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=iptv protocol=udp src-address=\
    10.10.20.0/24
add action=accept chain=input comment=iptv protocol=igmp src-address=\
    10.10.20.0/24
add action=accept chain=input comment=iptv in-interface-list=WAN-IPTV
add action=accept chain=input comment=iptv in-interface-list=WAN-IPTV \
    protocol=udp
add action=accept chain=input comment=iptv in-interface-list=WAN-IPTV \
    protocol=igmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment=iptv in-interface-list=WAN-IPTV \
    protocol=udp
add action=accept chain=forward comment=iptv in-interface-list=WAN-IPTV \
    protocol=igmp
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Falcon Blocked" dst-address-list=\
    falcon protocol=tcp
add action=drop chain=forward comment="LSAgent Blocked" dst-address-list=\
    lsagent protocol=tcp
add action=drop chain=forward comment="Mosyle Blocked" dst-address-list=\
    mosyle protocol=tcp
/ip firewall mangle
add action=set-priority chain=postrouting comment=internet new-priority=1 \
    out-interface-list=WAN passthrough=no
add action=set-priority chain=postrouting comment=iptv new-priority=4 \
    out-interface-list=WAN-IPTV passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=iptv out-interface-list=WAN-IPTV
add action=masquerade chain=srcnat out-interface=vpn.obfuscated.domain.tld
add action=masquerade chain=srcnat out-interface=bridge
add action=dst-nat chain=dstnat comment=iptv dst-address=10.150.xxx.xxx \
    in-interface=vlan-iptv protocol=udp to-addresses=10.10.20.250
add action=dst-nat chain=dstnat comment="BlackIron RDP" dst-port=3389 \
    in-interface=pppoe-internet protocol=tcp to-addresses=10.10.10.10
add action=dst-nat chain=dstnat dst-port=3389 in-interface=bridge protocol=\
    tcp to-addresses=10.10.10.10
add action=dst-nat chain=dstnat comment="PS4 ports" dst-port=1935 \
    in-interface=pppoe-internet protocol=tcp to-addresses=10.10.10.120
add action=dst-nat chain=dstnat dst-port=1935 in-interface=pppoe-internet \
    protocol=udp to-addresses=10.10.10.120
add action=dst-nat chain=dstnat dst-port=3074 in-interface=pppoe-internet \
    protocol=tcp to-addresses=10.10.10.120
add action=dst-nat chain=dstnat dst-port=3074 in-interface=pppoe-internet \
    protocol=udp to-addresses=10.10.10.120
add action=dst-nat chain=dstnat dst-port=3478-3480 in-interface=\
    pppoe-internet protocol=tcp to-addresses=10.10.10.120
add action=dst-nat chain=dstnat dst-port=3478-3480 in-interface=\
    pppoe-internet protocol=udp to-addresses=10.10.10.120
add action=dst-nat chain=dstnat dst-port=9295-9305 in-interface=\
    pppoe-internet protocol=tcp to-addresses=10.10.10.120
add action=dst-nat chain=dstnat dst-port=9295-9305 in-interface=\
    pppoe-internet protocol=udp to-addresses=10.10.10.120
add action=dst-nat chain=dstnat comment=certbot disabled=yes dst-port=80 \
    in-interface=pppoe-internet protocol=tcp to-addresses=10.10.10.20
add action=dst-nat chain=dstnat comment=sfp-stats dst-port=8555 protocol=tcp \
    src-address=xxx.xxx.xxx.xxx to-addresses=192.168.1.1 to-ports=80
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=222
set www-ssl certificate=bcn.obfuscated.domain.tld disabled=no
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip smb
set comment=MikroIron domain=Irons
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=pppoe-internet type=external
/routing bfd configuration
add disabled=no
/routing igmp-proxy
set query-interval=10s quick-leave=yes
/routing igmp-proxy interface
add comment=iptv interface=vlan-iptv upstream=yes
add comment=iptv interface=bridge
/routing rip interface-template
add disabled=no instance=iptv interfaces=vlan-iptv
/snmp
set enabled=yes trap-version=2
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=MikroIron
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=es.pool.ntp.org
add address=europe.pool.ntp.org
/system resource irq rps
set sfp disabled=no
/system routerboard settings
set auto-upgrade=yes
/tool graphing interface
add allow-address=10.10.10.0/24
/tool graphing queue
add allow-address=10.10.10.0/24
/tool graphing resource
add allow-address=10.10.10.0/24
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-interface=vlan-iptv streaming-enabled=yes streaming-server=\
    10.10.10.20
# omcicli mib get 84
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
VlanTagFilterData
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
=================================
EntityID: 0x1102
FilterTbl[0]: PRI 0,CFI 0, VID 1370
FwdOp:  0x10
NumOfEntries: 1
=================================
=================================
EntityID: 0x1103
FilterTbl[0]: PRI 0,CFI 0, VID 6
FwdOp:  0x10
NumOfEntries: 1
=================================
=================================
EntityID: 0x1104
FilterTbl[0]: PRI 0,CFI 0, VID 3
FwdOp:  0x10
NumOfEntries: 1
=================================
=================================
EntityID: 0x110b
FilterTbl[0]: PRI 0,CFI 0, VID 3
FilterTbl[2]: PRI 0,CFI 0, VID 6
FwdOp:  0x10
NumOfEntries: 2
=================================
> vlantable

Upstream:
TCONT_number   GEMport   VLAN_id   UNI_interface   Service Name
312            312       1370      ppp0.1          6           
315            315       6         veip0.3         2           
341            341       3         veip0.2         3           

Downstream:
GEMport   VLAN_id   UNI_interface   Service Name
312       1370      ppp0.1          6           
315       6         veip0.3         2           
2046      3,6    
341       3         veip0.2         3           
2047             
stormwin commented 11 months ago

try this:

https://danteng.org/ros-routing-igmp-proxy-to-watch-iptv/

rndm2 commented 11 months ago

try this:

https://danteng.org/ros-routing-igmp-proxy-to-watch-iptv/

It is already done. Unfortunately no result :(

rndm2 commented 11 months ago

I was able to watch IPTV with VLC, and Deco now can start playing, but freezes after 5-10 seconds. My provider sends multicast traffic to a different VLAN (180). So I need to untag it and send it to Deco.

I don't understand so far why it freezes, but I can confirm that the ODI stick handles multicast well, and probably the topic here could be closed at this point. I'll post an update once I solve the freezing problem.

rndm2 commented 11 months ago

Solution found. It works. Movistar streams IPTV multicast in two VLANs, 180 and 182 in my case. In order to find the correct VLAN IDs, you need to add SFP to the temporary bridge together with the ethernet port, connect a computer with Wireshark to this port, and see what traffic comes and what tags it has.

I don't really understand how Movistar's original router does this mapping. The stick doesn't show these VLANs with omcicli, and the router doesn't have anything about multicast VLANs. Maybe it is OLT that tells Movistar's original ONU how to read those VLANs.
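
The VLAN-hunting step described above (put the SFP and an Ethernet port on a temporary bridge, capture on that port, look at the tags) can also be done offline on the captured frames. The script below is an added example, not code from this issue or from the RTL960x project: it reads raw Ethernet frames, extracts the 802.1Q VLAN ID and the IPv4 destination, and reports which multicast groups arrive on which VLAN. The frames it runs on are constructed inline (VLAN and group numbers borrowed from this thread); on a real capture you would feed it the frame bytes from the pcap instead.

```python
import ipaddress
import struct
from collections import defaultdict

ETH_P_8021Q = 0x8100  # 802.1Q tag ethertype
ETH_P_IP = 0x0800     # IPv4 ethertype


def build_frame(vid, dst_ip, src_ip="10.128.0.1"):
    """Build a minimal 802.1Q-tagged IPv4/UDP frame (constructed test data)."""
    dst = ipaddress.IPv4Address(dst_ip)
    if dst.is_multicast:
        # RFC 1112 mapping: 01:00:5e + low 23 bits of the group address
        dst_mac = bytes([0x01, 0x00, 0x5E]) + (int(dst) & 0x7FFFFF).to_bytes(3, "big")
    else:
        dst_mac = bytes.fromhex("a0e7aee7c30a")   # a unicast MAC, constructed
    src_mac = bytes.fromhex("0227dddca86a")       # constructed
    udp = struct.pack("!HHHH", 8208, 8208, 8, 0)  # ports, length, checksum
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src_ip).packed, dst.packed)
    eth = dst_mac + src_mac
    if vid is None:                                # untagged frame
        return eth + struct.pack("!H", ETH_P_IP) + ip + udp
    return eth + struct.pack("!HHH", ETH_P_8021Q, vid & 0x0FFF, ETH_P_IP) + ip + udp


def parse_frame(frame):
    """Return (vlan_id or None if untagged, IPv4 dst or None if not IPv4)."""
    if len(frame) < 14:
        return None, None
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid, offset = None, 14
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            return None, None
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, offset = tci & 0x0FFF, 18            # VID is the low 12 bits of the TCI
    if ethertype != ETH_P_IP or len(frame) < offset + 20:
        return vid, None
    return vid, ipaddress.IPv4Address(frame[offset + 16:offset + 20])


def multicast_groups_by_vlan(frames):
    """Map each VLAN ID to the sorted list of multicast groups seen on it."""
    groups = defaultdict(set)
    for frame in frames:
        vid, dst_ip = parse_frame(frame)
        if dst_ip is not None and dst_ip.is_multicast:
            groups[vid].add(str(dst_ip))
    return {vid: sorted(g) for vid, g in groups.items()}


# Constructed sample: two multicast VLANs, plus unicast on VLAN 6 and untagged.
SAMPLE_FRAMES = [build_frame(180, "239.0.2.10"), build_frame(182, "239.0.2.29"),
                 build_frame(180, "239.0.0.77"), build_frame(6, "10.150.1.1"),
                 build_frame(None, "10.10.20.250")]

if __name__ == "__main__":
    for vid, g in sorted(multicast_groups_by_vlan(SAMPLE_FRAMES).items()):
        print(f"VLAN {vid}: {', '.join(g)}")
```

The VLAN IDs it prints are the ones to create on the SFP interface and add to the bridge, as the working config in this thread does for 180 and 182.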

rndm2 commented 11 months ago

Solution for VOD found: Movistar sends it as a UDP push. Just need to forward it to Deco.

Problem solved. Internet and IPTV work perfectly.