When I disable PF and use tcpdump to monitor network activity on em2 (where the IPTV box is connected) I see a stream of UDP packets (something like this: 233.33.210.7:5050). This stream is interrupted within several seconds when I enable PF again.
--
Best regards
Maksim Rodin

17.06.2019, 10:20, "Peer" <p...@pjk.de>:
> Could it be that your IPTV is using a non-IP protocol, e.g. an ethertype
> which is not IPv4 nor IPv6, but something different? Like Powerline, G.hn or
> so? -- And which is blocked by pf?
>
> There are several protocol and type fields on the different layers (MAC, IP,
> TCP/UDP), and I recently noticed that tools and man pages do not always
> identify them very clearly or are somewhat misnamed (for historical reasons
> I'd say).
>
> Btw., I'm looking for a pointer to packet formats of ethertypes 0x88e1 and
> 0x8912, which my current filter bubble or info availability didn't allow me
> to find until now. They show up in tcpdump although they are not TCP nor
> even IP, and wireshark doesn't decrypt the payload, which I'm interested in.
>
> -------- Original message --------
> From: Родин Максим <a23s4a2...@yandex.ru>
> Date: 16.06.19 22:16 (GMT+01:00)
> To: OpenBSD general usage list <misc@openbsd.org>
> Subject: [misc] IPTV handling on OpenBSD soft router
>
> Hello,
> I am trying to set up an IPTV-box behind a soft router.
> When my internet (iptv) provider installed the IPTV box he said that I need
> a switch before my soft router to let the IPTV stream successfully pass to
> the IPTV box.
> I thought that a virtual bridge interface would be enough for this purpose.
> I created a bridge0 interface and added three interfaces to it:
> em0 - a physical one which delivers internet and iptv from my provider.
> em2 - a physical one to which the IPTV-box is connected and which receives
> a MAC-bound ip address from the local network of my provider
> (100.65.129.0/24).
> vether0 - a virtual one which receives an external ip address from the
> dhcp server of my provider (it therefore belongs to the egress group) and
> through which my home computers access the internet using NAT
> ({ vether1 em1 em3 athn0 }).
> When PF is disabled the IPTV-box is working.
> When PF is enabled the IPTV box works for several seconds and then the
> picture freezes. When I change to another TV channel it works again for
> several seconds and then it freezes again.
> My pf settings are listed below (I used some of the config in the PF
> user's guide).
> I do no filtering on the ports needed (em0, em2).
> When I do:
> tcpdump -n -e -i pflog0 not ifname vether0
> it shows no blocked packets.
> What am I missing?
>
> """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
> router root ~ # cat /etc/pf.conf
> # $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
> #
> # See pf.conf(5) and /etc/examples/pf.conf
>
> int_if = "{ vether1 em1 em3 athn0 }"
>
> table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
>     172.16.0.0/12 192.0.2.0/24 224.0.0.0/3 \
>     192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
>     203.0.113.0/24 }
> table <bad_ips> persist file "/etc/pf/bad_ip"
>
> block log all
> set block-policy drop
> set loginterface egress
> set skip on lo
>
> match out on egress inet from (vether1:network) to any nat-to (egress:0)
>
> block in quick on egress from <martians> to any
> block return out quick on egress from any to <martians>
>
> pass out quick inet
> pass in on $int_if inet
>
> # IPTV
> pass on em2
> pass on em0
>
> #pass in on egress inet proto tcp from !<bad_ips> to (egress) port 22
> pass in on egress inet proto tcp from !<bad_ips> to (egress) port 80
> pass in on egress inet proto { tcp udp } from any to (egress) port { 51413 22034 6890:6999 6881 } rdr-to 192.168.1.4
> pass in on egress inet proto { tcp udp } from any to (egress) port { 50000 } rdr-to 192.168.1.65
>
> #block return # block stateless traffic
> #pass # establish keep-state
>
> # By default, do not permit remote connections to X11
> #block return in on ! lo0 proto tcp to port 6000:6010
> """"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
>
> --
> Best regards
> Maksim Rodin
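As an added check that is not part of the thread: the stream address reported above, 233.33.210.7, and the IGMP group traffic that accompanies an IPTV stream can be matched against the <martians> table copied from the quoted pf.conf. The script below is example code (not from the list or the OpenBSD tree) that runs that lookup over a constructed tcpdump -n sample; the capture lines and the 100.65.129.x host addresses in it are invented. Note that 224.0.0.0/3 in the table covers every multicast address, so the stream destination hits it. Whether a hit turns into a dropped packet depends on where the rule sits: in the posted ruleset the two <martians> rules match only on egress, which in this setup is vether0.

```python
"""Match addresses from a tcpdump capture against the posted <martians> table.

Added example, not code from the thread. The table is copied from the quoted
pf.conf; the capture lines are constructed, not a real trace.
"""
import ipaddress
import re

# <martians> exactly as it appears in the quoted pf.conf.
MARTIANS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.2.0/24", "224.0.0.0/3",
    "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24",
    "203.0.113.0/24",
)]

# Constructed sample in the shape of `tcpdump -n` output. The provider LAN
# and the stream address mimic the thread; the hosts are hypothetical.
SAMPLE_TCPDUMP = """\
12:00:01.000001 IP 100.65.129.1.5050 > 233.33.210.7.5050: UDP, length 1316
12:00:01.000500 IP 100.65.129.1.5050 > 233.33.210.7.5050: UDP, length 1316
12:00:01.100000 IP 100.65.129.37.68 > 100.65.129.1.67: UDP, length 300
12:00:01.200000 IP 100.65.129.1 > 224.0.0.1: igmp query v2
12:00:01.300000 IP 100.65.129.37 > 233.33.210.7: igmp v2 report 233.33.210.7
"""

# "<timestamp> IP <src[.port]> > <dst[.port]>: ..." is the form tcpdump -n uses.
TCPDUMP_RE = re.compile(r"^\S+ IP (\S+) > (\S+?):")


def split_host_port(token):
    """tcpdump -n appends the port as a fifth dotted field; split it off."""
    parts = token.split(".")
    if len(parts) == 5:
        return ".".join(parts[:4]), int(parts[4])
    return token, None


def matching_martian(addr):
    """Return the <martians> entry that contains addr, or None.

    pf only needs to know whether the address is in the table, so the first
    containing entry is enough.
    """
    ip = ipaddress.ip_address(addr)
    for net in MARTIANS:
        if ip in net:
            return str(net)
    return None


def classify(capture_text):
    """Parse tcpdump lines and tag each packet with its table hits."""
    rows = []
    for line in capture_text.splitlines():
        m = TCPDUMP_RE.match(line)
        if not m:
            continue  # not a "IP a > b:" line (e.g. ARP, non-IP ethertypes)
        src, _ = split_host_port(m.group(1))
        dst, dport = split_host_port(m.group(2))
        rows.append({
            "src": src,
            "dst": dst,
            "dport": dport,
            "src_martian": matching_martian(src),
            "dst_martian": matching_martian(dst),
            "dst_multicast": ipaddress.ip_address(dst).is_multicast,
        })
    return rows


if __name__ == "__main__":
    for r in classify(SAMPLE_TCPDUMP):
        hit = r["src_martian"] or r["dst_martian"]
        print(f'{r["src"]:>15} -> {r["dst"]:<15} port={r["dport"]} '
              f'multicast={r["dst_multicast"]} martians={hit}')
```

To run it against a real trace, feed the output of `tcpdump -n -i em2` (or `-i pflog0`, which prints the same address form after the rule and interface prefix) into classify(); only the "IP a > b:" lines are considered, so non-IP ethertypes such as the ones Peer mentions are skipped, not misreported.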