rndm
just joined
Topic Author
Posts: 13
Joined: Wed Nov 09, 2022 11:09 pm

Can't get Movistar (Spain) IPTV working (wrong IGMP || VLAN settings?)

Sun Nov 12, 2023 6:55 pm

Hi

I spent two days triple-checking all config settings and still can't get Movistar's IPTV working. Internet is fine.
I need the community's help.

Provider: Movistar Spain
Hardware: RB4011iGS+ (RouterOS 7.11.2) + DFP-34X-2C2 (V1.0-220923).
VLANs: 1370 for internet (mapped to 6 on original router), 6 for IPTV (mapped to 2 on original router). See below.
Movistar's TV decoder is connected to eth4.
I can reach gateway 10.128.0.1 and DNS server 172.26.23.3.

What am I missing?
Appreciate any clues.
Thanks.

---


Data from SFP:
# omcicli mib get 84
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
VlanTagFilterData
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
=================================
EntityID: 0x1102
FilterTbl[0]: PRI 0,CFI 0, VID 1370
FwdOp:  0x10
NumOfEntries: 1
=================================
=================================
EntityID: 0x1103
FilterTbl[0]: PRI 0,CFI 0, VID 6
FwdOp:  0x10
NumOfEntries: 1
=================================
=================================
EntityID: 0x1104
FilterTbl[0]: PRI 0,CFI 0, VID 3
FwdOp:  0x10
NumOfEntries: 1
=================================
=================================
EntityID: 0x110b
FilterTbl[0]: PRI 0,CFI 0, VID 3
FilterTbl[2]: PRI 0,CFI 0, VID 6
FwdOp:  0x10
NumOfEntries: 2
=================================

Data from original router:

> vlantable

Upstream:
TCONT_number   GEMport   VLAN_id   UNI_interface   Service Name
312            312       1370      ppp0.1          6           
315            315       6         veip0.3         2           
341            341       3         veip0.2         3           

Downstream:
GEMport   VLAN_id   UNI_interface   Service Name
312       1370      ppp0.1          6           
315       6         veip0.3         2           
2046      3,6    
341       3         veip0.2         3           
2047             

Mikrotik config:

# 2023-11-12 17:24:15 by RouterOS 7.11.2
# software id = 509T-I03N
#
# model = RB4011iGS+
# serial number = 000000000000
#
# Two bridges: "bridge" carries the main LAN, "bridge-iptv" is a separate
# segment for the IPTV decoder.
/interface bridge
add admin-mac=00:00:00:00:00:00 auto-mac=no comment=defconf name=bridge
add name=bridge-iptv
# Rename the copper ports to eth1..eth10 and the SFP+ cage to "sfp"; the
# comments record where each port is patched.
/interface ethernet
set [ find default-name=ether1 ] comment="Living Room Ethernet" name=eth1
set [ find default-name=ether2 ] comment="Living Room Cat's" name=eth2
set [ find default-name=ether3 ] comment=Kitchen name=eth3
set [ find default-name=ether4 ] comment=Office name=eth4
set [ find default-name=ether5 ] comment="Massage BlackIron" name=eth5
set [ find default-name=ether6 ] comment="Office WiFi Repeater" \
    name=eth6
set [ find default-name=ether7 ] comment=Unknown name=eth7
set [ find default-name=ether8 ] comment="Living Room WiFi" name=eth8
set [ find default-name=ether9 ] comment=Bedroom name=eth9
set [ find default-name=ether10 ] comment=Unused name=eth10
set [ find default-name=sfp-sfpplus1 ] l2mtu=1592 name=sfp rx-flow-control=\
    auto tx-flow-control=auto
# Tagged sub-interfaces on the SFP: VLAN 6 (IPTV) and VLAN 1370 (internet),
# matching the VIDs listed in the post.
/interface vlan
add interface=sfp name=sfp-vlan6 vlan-id=6
add interface=sfp name=sfp-vlan1370 vlan-id=1370
# Internet session: PPPoE over VLAN 1370, installing the default route.
/interface pppoe-client
add add-default-route=yes disabled=no interface=sfp-vlan1370 name=\
    pppoe-vlan1370 user=adslppp@telefonicanetpa
# NOTE(review): auth=null turns off the HMAC digest and the cipher is CBC, so
# tunnel packets are encrypted but not integrity-protected. Prefer a real
# digest (e.g. sha256) or an AEAD cipher if the server side supports it.
/interface ovpn-client
add auth=null certificate=vpn.obfuscated.domain.lol cipher=aes128-cbc connect-to=\
    obfuscated.domain.lol mac-address=00:00:00:00:00:00 name=vpn.obfuscated.domain.lol \
    use-peer-dns=no user=none
# WAN-IPTV is referenced by the iptv firewall, mangle and NAT rules. LAN-IPTV
# gets a member (bridge-iptv) but no rule visible in this export matches on it.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=LAN-IPTV
add name=WAN-IPTV
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# DHCP options for the decoder: option 60 carries the vendor class "[IAL]",
# option 240 a string containing two multicast endpoints on port 22222.
/ip dhcp-server option
add code=240 force=yes name=iptv-240 value=\
    "':::::239.0.2.10:22222:v6.0:239.0.2.30:22222'"
add code=60 force=yes name=iptv-60 value="'[IAL]'"
# Address pools: "lan" for the main bridge, "iptv" for the decoder segment.
/ip pool
add name=lan ranges=10.10.10.230-10.10.10.250
add name=iptv ranges=192.168.1.100-192.168.1.200
# DHCP server for the main LAN bridge.
/ip dhcp-server
add address-pool=lan interface=bridge lease-time=12h name=defconf
/port
set 0 name=serial0
set 1 name=serial1
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
# eth4 (the decoder port named in the post) is the only member of bridge-iptv;
# every other copper port sits on the main bridge.
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=eth2
add bridge=bridge comment=defconf ingress-filtering=no interface=eth3
add bridge=bridge comment=defconf ingress-filtering=no interface=eth5
add bridge=bridge comment=defconf ingress-filtering=no interface=eth6
add bridge=bridge comment=defconf ingress-filtering=no interface=eth7
add bridge=bridge comment=defconf ingress-filtering=no interface=eth8
add bridge=bridge comment=defconf ingress-filtering=no interface=eth9
add bridge=bridge comment=defconf ingress-filtering=no interface=eth10
add bridge=bridge comment=defconf ingress-filtering=no interface=eth1
add bridge=bridge-iptv comment=defconf ingress-filtering=no interface=eth4
# Neighbor discovery is limited to interfaces in the LAN list.
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=LAN internet-interface-list=LAN lan-interface-list=\
    LAN wan-interface-list=LAN
# NOTE(review): bridge-iptv is a member of LAN-IPTV only and sfp-vlan6 of
# WAN-IPTV only. Neither is in LAN, so the input-chain rule
# "defconf: drop all not coming from LAN" applies to traffic arriving on both.
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=pppoe-vlan1370 list=WAN
add interface=sfp-vlan1370 list=WAN
add interface=sfp list=WAN
add interface=bridge-iptv list=LAN-IPTV
add interface=sfp-vlan6 list=WAN-IPTV
# Only the allowed digests are set here; whether the OpenVPN server is enabled
# is not shown in this export.
/interface ovpn-server server
set auth=sha1,md5
# 10.10.100.1/24 on the raw sfp interface is the subnet of the address
# (10.10.100.100) that the "sfp-stats" dst-nat rule forwards to.
# The sfp-vlan6 address was redacted by the author (xxx.yyy).
/ip address
add address=10.10.10.1/24 comment=defconf interface=bridge network=10.10.10.0
add address=10.10.100.1/24 interface=sfp network=10.10.100.0
add address=192.168.1.1/24 interface=bridge-iptv network=192.168.1.0
add address=10.150.xxx.yyy/9 comment=iptv interface=sfp-vlan6 network=\
    10.128.0.0
/ip cloud
set ddns-enabled=yes
# DHCP server for the decoder segment, handing out the "iptv" option set.
/ip dhcp-server
add address-pool=iptv dhcp-option-set=iptv interface=bridge-iptv name=iptv
/ip dhcp-server lease
...whatever
/ip dhcp-server network
add address=10.10.10.0/24 comment=defconf domain=Irons gateway=10.10.10.1 \
    netmask=24
add address=192.168.1.0/24 dhcp-option-set=iptv dns-server=172.26.23.3 \
    gateway=192.168.1.1
# NOTE(review): *5 and *6 look like references to options that no longer exist
# (RouterOS prints an internal id as *N when the named item is missing).
# Confirm and remove them so the set holds only iptv-60 and iptv-240.
/ip dhcp-server option sets
add name=iptv options=*5,iptv-60,*6,iptv-240
# NOTE(review): allow-remote-requests=yes makes the router answer DNS queries
# on every interface the input chain lets through; keep port 53 closed toward
# WAN and WAN-IPTV.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
...whatever
/ip firewall address-list
...whatever
# Rules are evaluated top to bottom within each chain; the first matching
# accept or drop ends processing, so the order below is significant.
/ip firewall filter
add action=drop chain=forward comment="PS4 Block Internet" disabled=yes \
    src-address=10.10.10.120
# Staged limiter for SSH on port 222 (input chain). Each new connection moves
# the source up one stage (1m timeout per stage); the fourth new connection
# inside the window puts it in ssh_blacklist for 4w2d, and blacklisted sources
# are dropped by the first rule.
add action=drop chain=input comment="drop ssh brute forcers" dst-port=222 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=4w2d chain=input connection-state=new dst-port=222 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=222 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=222 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=222 \
    protocol=tcp
# Same staged limiter for RDP (3389) in the forward chain, i.e. for the
# dst-natted service behind the router.
# NOTE(review): the rdp_stage3 rule is the only stage without
# connection-state=new, so any packet to 3389 from a stage-2 source advances
# it, not just a new connection. This is probably unintended; add
# connection-state=new to match its siblings.
add action=drop chain=forward comment="drop rdp brute forcers" dst-port=3389 \
    in-interface=!bridge protocol=tcp src-address-list=rdp_blacklist
add action=add-src-to-address-list address-list=rdp_blacklist \
    address-list-timeout=4w2d chain=forward connection-state=new dst-port=\
    3389 protocol=tcp src-address-list=rdp_stage3
add action=add-src-to-address-list address-list=rdp_stage3 \
    address-list-timeout=1m chain=forward dst-port=3389 protocol=tcp \
    src-address-list=rdp_stage2
add action=add-src-to-address-list address-list=rdp_stage2 \
    address-list-timeout=1m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp src-address-list=rdp_stage1
add action=add-src-to-address-list address-list=rdp_stage1 \
    address-list-timeout=1m chain=forward connection-state=new dst-port=3389 \
    protocol=tcp
# Sources on ssh_blacklist are also blocked from forwarded port 222.
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=\
    222 protocol=tcp src-address-list=ssh_blacklist
# src-address=0.0.0.0 looks like a value redacted for the post; as written the
# rule matches only that literal source address.
add action=accept chain=input comment=SNMP dst-port=161,162 protocol=udp \
    src-address=0.0.0.0
# NOTE(review): no in-interface or src-address match, so the router's SSH (222)
# and www-ssl (443) management are reachable from every interface, WAN
# included. The staged limiter above covers 222 only. Consider restricting
# this rule with a src-address-list or reaching management over the VPN.
add action=accept chain=input comment="wan access to port 222,443" dst-port=\
    222,443 protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# From here on, the input chain is only reached by packets that arrived on an
# interface in the LAN list.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Drop forwarded TCP toward the falcon, lsagent and mosyle address lists (list
# contents are elided in this export).
add action=drop chain=forward comment="Falcon Blocked" dst-address-list=\
    falcon protocol=tcp
add action=drop chain=forward comment="LSAgent Blocked" dst-address-list=\
    lsagent protocol=tcp
add action=drop chain=forward comment="Mosyle Blocked" dst-address-list=\
    mosyle protocol=tcp
# NOTE(review): the four input rules below sit after
# "defconf: drop all not coming from LAN". sfp-vlan6 (WAN-IPTV) and bridge-iptv
# (192.168.1.0/24) are not in the LAN list, so as exported their IGMP and UDP
# to the router is likely dropped before these accepts are evaluated. That
# would keep the IGMP proxy from seeing membership reports.
# When moving them above the drop, keep them narrow: IGMP is what the proxy
# needs on input. Accepting all UDP from WAN-IPTV would also expose the
# router's DNS resolver (allow-remote-requests=yes) and SNMP to the provider
# network.
add action=accept chain=input comment=iptv in-interface-list=WAN-IPTV \
    protocol=udp
add action=accept chain=input comment=iptv in-interface-list=WAN-IPTV \
    protocol=igmp
add action=accept chain=input comment=iptv protocol=udp src-address=\
    192.168.1.0/24
add action=accept chain=input comment=iptv protocol=igmp src-address=\
    192.168.1.0/24
# The forward chain has no final drop and sfp-vlan6 is not in the WAN list, so
# these two accepts do not change the outcome as exported.
add action=accept chain=forward comment=iptv in-interface-list=WAN-IPTV \
    protocol=udp
add action=accept chain=forward comment=iptv in-interface-list=WAN-IPTV \
    protocol=igmp
# Egress priority marking: 4 for traffic leaving via WAN-IPTV, 1 for traffic
# leaving via WAN.
/ip firewall mangle
add action=set-priority chain=postrouting comment=iptv new-priority=4 \
    out-interface-list=WAN-IPTV passthrough=yes
add action=set-priority chain=postrouting comment=internet new-priority=1 \
    out-interface-list=WAN passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=vpn.obfuscated.domain.lol
# NOTE(review): this masquerades everything leaving via the LAN bridge,
# including internet connections dst-natted to 10.10.10.10 and 10.10.10.120.
# Those hosts then see the router as the peer, which hides the real source
# address from host-side logs and per-source lockout. Limiting the rule to
# src-address=10.10.10.0/24 keeps hairpin NAT for LAN clients without that
# side effect.
add action=masquerade chain=srcnat out-interface=bridge
# NOTE(review): RDP (3389) is published to the internet on the PPPoE interface.
# The only control visible in this export is the rdp_* staged limiter in the
# filter table. Prefer reaching this host over a VPN or restricting the rule
# with a src-address-list.
add action=dst-nat chain=dstnat comment="BlackIron RDP" dst-port=3389 \
    in-interface=pppoe-vlan1370 protocol=tcp to-addresses=10.10.10.10
# Hairpin entry: LAN clients hitting port 3389 on the router reach the same host.
add action=dst-nat chain=dstnat dst-port=3389 in-interface=bridge protocol=\
    tcp to-addresses=10.10.10.10
# Console port forwards to 10.10.10.120, TCP and UDP for each port or range.
add action=dst-nat chain=dstnat comment="PS4 ports" dst-port=1935 \
    in-interface=pppoe-vlan1370 protocol=tcp to-addresses=10.10.10.120
add action=dst-nat chain=dstnat dst-port=1935 in-interface=pppoe-vlan1370 \
    protocol=udp to-addresses=10.10.10.120
add action=dst-nat chain=dstnat dst-port=3074 in-interface=pppoe-vlan1370 \
    protocol=tcp to-addresses=10.10.10.120
add action=dst-nat chain=dstnat dst-port=3074 in-interface=pppoe-vlan1370 \
    protocol=udp to-addresses=10.10.10.120
add action=dst-nat chain=dstnat dst-port=3478-3480 in-interface=\
    pppoe-vlan1370 protocol=tcp to-addresses=10.10.10.120
add action=dst-nat chain=dstnat dst-port=3478-3480 in-interface=\
    pppoe-vlan1370 protocol=udp to-addresses=10.10.10.120
add action=dst-nat chain=dstnat dst-port=9295-9305 in-interface=\
    pppoe-vlan1370 protocol=tcp to-addresses=10.10.10.120
add action=dst-nat chain=dstnat dst-port=9295-9305 in-interface=\
    pppoe-vlan1370 protocol=udp to-addresses=10.10.10.120
# Port 80 forward for certificate issuance, currently disabled.
add action=dst-nat chain=dstnat comment=certbot disabled=yes dst-port=80 \
    in-interface=pppoe-vlan1370 protocol=tcp to-addresses=10.10.10.20
# Forwards port 8555 to port 80 on 10.10.100.100 (the subnet on the raw sfp
# interface). src-address=0.0.0.0 looks redacted; the rule has no in-interface
# match, so the source restriction is its only limit. Verify the real value.
add action=dst-nat chain=dstnat comment=sfp-stats dst-port=8555 protocol=tcp \
    src-address=0.0.0.0 to-addresses=10.10.100.100 to-ports=80
# IPTV source NAT: toward the provider on WAN-IPTV, and toward the decoder
# segment on bridge-iptv.
add action=masquerade chain=srcnat comment=iptv out-interface-list=WAN-IPTV
add action=masquerade chain=srcnat comment=iptv out-interface=bridge-iptv
# NOTE(review): group=*3 and proposal=*1 look like references to items that no
# longer exist (RouterOS prints an internal id as *N in that case) — confirm.
/ip ipsec policy
add dst-address=0.0.0.0/0 group=*3 proposal=*1 src-address=0.0.0.0/0 \
    template=yes
# Static routes for the provider's IPTV networks, all via 10.128.0.1 (the
# gateway the post reports as reachable).
/ip route
add comment=iptv disabled=no distance=1 dst-address=10.128.0.0/9 gateway=\
    10.128.0.1 pref-src="" routing-table=main suppress-hw-offload=no
add comment=iptv disabled=no dst-address=172.23.96.0/21 gateway=10.128.0.1 \
    routing-table=main suppress-hw-offload=no
add comment=iptv disabled=no dst-address=172.26.22.0/26 gateway=10.128.0.1 \
    routing-table=main suppress-hw-offload=no
add comment=iptv disabled=no dst-address=172.26.23.0/27 gateway=10.128.0.1 \
    routing-table=main suppress-hw-offload=no
add comment=iptv disabled=no dst-address=172.26.80.0/21 gateway=10.128.0.1 \
    routing-table=main suppress-hw-offload=no
# Only ssh (moved to port 222) and www-ssl remain enabled. No address=
# restriction appears on either service in this export, so who can reach them
# is decided by the input chain alone.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=222
set www-ssl certificate=bcn.obfuscated.domain.lol disabled=no
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip smb
set comment=MikroIron domain=Irons
# NOTE(review): with UPnP enabled, any host on "bridge" can request inbound
# port mappings on pppoe-vlan1370 without authentication. Disable it if no
# device needs it, or keep untrusted devices off this bridge.
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=pppoe-vlan1370 type=external
/routing bfd configuration
add disabled=no
# IGMP proxy: sfp-vlan6 is the upstream side and accepts multicast sources from
# any subnet (alternative-subnets=0.0.0.0/0); bridge-iptv is the downstream
# side. The proxy depends on IGMP from both sides passing the input chain.
/routing igmp-proxy
set query-interval=10s quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface=sfp-vlan6 upstream=yes
add interface=bridge-iptv
# NOTE(review): SNMP is enabled, but community settings are not part of this
# export. Check that the default community has been replaced and is limited
# to the monitoring host's address.
/snmp
set enabled=yes trap-version=2
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=MikroIron
/system note
set show-at-login=no
/system resource irq rps
set sfp disabled=no
/system routerboard settings
set auto-upgrade=yes
# Outgoing mail account used by the netwatch alert (STARTTLS on port 587).
/tool e-mail
set address=smtp.gmail.com from=mikroiron@obfuscated.domain.lol port=587 tls=\
    starttls user=mikroiron@obfuscated.domain.lol
# Graphs are viewable from the main LAN subnet only.
/tool graphing interface
add allow-address=10.10.10.0/24
/tool graphing queue
add allow-address=10.10.10.0/24
/tool graphing resource
add allow-address=10.10.10.0/24
# MAC-layer management (MAC telnet and MAC WinBox) is limited to the LAN list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# Sends an e-mail when the watched host stops answering; host=0.0.0.0 looks
# like a value redacted for the post.
/tool netwatch
add disabled=no down-script="/tool e-mail send to=random@obfuscated.domain.lol subject\
    =\"random@obfuscated.domain.lol is down :(\" body=\"Hey, human! I can't reach obfu\
    cated.domain.lol :(\"" host=0.0.0.0 interval=1m timeout=1s type=simple
# Saved packet-sniffer filter: TCP for 10.10.10.110 on eth1.
/tool sniffer
set filter-interface=eth1 filter-ip-address=10.10.10.110/32 \
    filter-ip-protocol=tcp
