Hello,
I am trying to set up an IPTV-box behind a soft router.
When my internet (IPTV) provider installed the IPTV box, he said that
I need a switch before my soft router to let the IPTV stream pass
successfully to the IPTV box.
I thought that a virtual bridge interface would be enough for this purpose.
I created a bridge0 interface and added three interfaces to it:
em0 - a physical one which delivers internet and iptv from my provider.
em2 - a physical one to which the IPTV box is connected and which
receives a MAC-bound IP address from the local network of my provider
(100.65.129.0/24).
vether0 - a virtual one which receives an external IP address from the
DHCP server of my provider (it therefore belongs to the egress group) and
through which my home computers access the internet using NAT ({ vether1
em1 em3 athn0 }).
When PF is disabled, the IPTV box works.
When PF is enabled, the IPTV box works for several seconds and then the
picture freezes. When I change to another TV channel it works again for
several seconds and then freezes again.
My PF settings are listed below (I used some of the config from the PF
user's guide).
I do no filtering on the ports needed (em0, em2).
When I run:
tcpdump -n -e -i pflog0 not ifname vether0
it shows no blocked packets.
What am I missing?
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
router root ~ # cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
int_if = "{ vether1 em1 em3 athn0 }"
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
172.16.0.0/12 192.0.2.0/24 224.0.0.0/3 \
192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
203.0.113.0/24 }
table <bad_ips> persist file "/etc/pf/bad_ip"
block log all
set block-policy drop
set loginterface egress
set skip on lo
match out on egress inet from (vether1:network) to any nat-to (egress:0)
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
pass out quick inet
pass in on $int_if inet
# IPTV
pass on em2
pass on em0
#
pass in on egress inet proto tcp from !<bad_ips> to (egress) port 22
pass in on egress inet proto tcp from !<bad_ips> to (egress) port 80
pass in on egress inet proto { tcp udp } from any to (egress) port {
51413 22034 6890:6999 6881 } rdr-to 192.168.1.4
pass in on egress inet proto { tcp udp } from any to (egress) port {
50000 } rdr-to 192.168.1.65
#block return # block stateless traffic
#pass # establish keep-state
# By default, do not permit remote connections to X11
#block return in on ! lo0 proto tcp to port 6000:6010
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
--
Best regards
Maksim Rodin
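A small model of how PF picks the deciding rule for the ruleset posted above (last matching rule wins unless it is marked quick), as an added example that is not part of the original message. It is a stateless simplification covering only the block/pass rules on interfaces and tables, ignoring the match/rdr and TCP port rules; interface roles (vether0 in egress, em0/em2 bridge members) are taken from the post, and the sample packets are constructed.

```python
import ipaddress

# Interface roles as described in the post
EGRESS = {"vether0"}
INT_IF = {"vether1", "em1", "em3", "athn0"}
MARTIANS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "224.0.0.0/3", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24")]

def in_martians(addr):
    return any(ipaddress.ip_address(addr) in n for n in MARTIANS)

# (rule text, action, quick, logged, predicate) in the order of the posted file.
# Only "block log all" carries the log keyword; the quick block rules do not.
RULES = [
    ("block log all", "block", False, True, lambda p: True),
    ("block in quick on egress from <martians>", "block", True, False,
     lambda p: p["dir"] == "in" and p["if"] in EGRESS and in_martians(p["src"])),
    ("block return out quick on egress to <martians>", "block", True, False,
     lambda p: p["dir"] == "out" and p["if"] in EGRESS and in_martians(p["dst"])),
    ("pass out quick inet", "pass", True, False, lambda p: p["dir"] == "out"),
    ("pass in on $int_if inet", "pass", False, False,
     lambda p: p["dir"] == "in" and p["if"] in INT_IF),
    ("pass on em2", "pass", False, False, lambda p: p["if"] == "em2"),
    ("pass on em0", "pass", False, False, lambda p: p["if"] == "em0"),
]

def evaluate(pkt):
    """Return (action, deciding rule, would be logged) for a packet dict."""
    decision = None
    for text, action, quick, logged, match in RULES:
        if match(pkt):
            decision = (action, text, logged)
            if quick:          # quick stops evaluation at this rule
                break
    return decision

# Constructed packets: a multicast stream arriving on em0, the same stream
# leaving on em2, and a multicast packet leaving on the egress interface.
SAMPLES = [
    {"dir": "in", "if": "em0", "src": "100.65.129.1", "dst": "239.1.1.1"},
    {"dir": "out", "if": "em2", "src": "100.65.129.1", "dst": "239.1.1.1"},
    {"dir": "out", "if": "vether0", "src": "100.65.129.10", "dst": "224.0.0.22"},
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s["dir"], s["if"], s["dst"], "->", evaluate(s))
```

The third sample shows a block decided by a quick rule without `log`, which never reaches pflog0 regardless of the tcpdump filter.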