Community discussions

MikroTik App
  4. RouterOS
  5. Forwarding Protocols

MAC based VLAN (IPTV on VLAN from ISP) and IGMP proxy

Post Reply
 
jkaberg
just joined
Topic Author
Posts: 24
Joined: Sun Jul 17, 2016 5:00 am

MAC based VLAN (IPTV on VLAN from ISP) and IGMP proxy

Mon Jul 18, 2016 3:44 pm

Hi all,

My network is as follow:
CRS 125-24G-1S-IN ----> ether6 ----> dumb switch (no VLAN capabilities) ----> IPTV decoder (and many other devices on the switch)

The dumb switch has 8xGbit ports and 6 of them in use.

Now I know my ISP sends IPTV over VLAN 303 (DHCP), and it seem's my router should be able to only allow the IPTV decoder into the VLAN.

The problem is I don't know how-to set this up. I'd also like to setup an IGMP proxy to proxy all multicast IPTV streams to the local lan (so that I can use Tvheadend on my server aswell).

My current config is as follows:
Code: Select all
[joel@MikroTik] > export compact
# jul/18/2016 14:43:35 by RouterOS 6.35.4
# software id = 4ZWJ-QVRS
#
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether3 ] comment=Kontoret
set [ find default-name=ether4 ] comment=Dunder
set [ find default-name=sfp1 ] comment=WAN mac-address=E4:8D:8C:A6:C0:67
/ip neighbor discovery
set ether3 comment=Kontoret
set ether4 comment=Dunder
set sfp1 comment=WAN
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 lease-time=3d name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
add bridge=bridge1 interface=ether14
add bridge=bridge1 interface=ether15
add bridge=bridge1 interface=ether16
add bridge=bridge1 interface=ether17
add bridge=bridge1 interface=ether18
add bridge=bridge1 interface=ether19
add bridge=bridge1 interface=ether20
add bridge=bridge1 interface=ether21
add bridge=bridge1 interface=ether22
add bridge=bridge1 interface=ether23
add bridge=bridge1 interface=ether24
/interface ethernet switch mac-based-vlan
add new-customer-vid=303 new-service-vid=303 src-mac-address=44:AA:F5:5F:89:5A
/interface ethernet switch port
set 0 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 1 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 2 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 3 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 4 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 5 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 6 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 7 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 8 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 9 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 10 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 11 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 12 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 13 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 14 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 15 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 16 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 17 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 18 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 19 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 20 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 21 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 22 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 23 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 24 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 25 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
/interface ethernet switch vlan
add ingress-mirror=yes ports=ether24,sfp1 vlan-id=303
/ip address
add address=192.168.1.1/24 interface=ether1 network=192.168.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=sfp1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/ip firewall filter
add chain=forward dst-port=80 in-interface=sfp1 protocol=tcp
add chain=forward dst-port=443 in-interface=sfp1 protocol=tcp
add chain=forward dst-port=22 in-interface=sfp1 protocol=tcp
add chain=forward dst-port=32400 in-interface=sfp1 protocol=tcp
add action=drop chain=forward disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat comment=MASQ out-interface=sfp1
add action=dst-nat chain=dstnat dst-port=443 in-interface=sfp1 log=yes protocol=tcp to-addresses=192.168.1.10 to-ports=443
add action=dst-nat chain=dstnat dst-port=80 in-interface=sfp1 protocol=tcp to-addresses=192.168.1.10 to-ports=80
add action=dst-nat chain=dstnat dst-port=22 in-interface=sfp1 protocol=tcp to-addresses=192.168.1.10 to-ports=22
add action=dst-nat chain=dstnat dst-port=32400 in-interface=sfp1 protocol=tcp to-addresses=192.168.1.10 to-ports=32400
add action=masquerade chain=srcnat dst-port=22,80,443,32400 protocol=tcp src-address=192.168.1.0/24
add action=dst-nat chain=dstnat dst-address=!192.168.1.0/24 dst-address-type=local dst-port=22,80,443,32400 protocol=tcp to-addresses=192.168.1.10
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.1.0/24
set ssh disabled=yes
set www-ssl address=192.168.1.0/24
set api disabled=yes
set winbox address=192.168.1.0/24
set api-ssl address=192.168.1.0/24 disabled=yes
/ip upnp
set enabled=yes
/system clock
set time-zone-name=Europe/Oslo
/system routerboard settings
set protected-routerboot=disabled
[joel@MikroTik] > 
Top
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: MAC based VLAN (IPTV on VLAN from ISP) and IGMP proxy

Mon Jul 18, 2016 5:14 pm

Look in the routing menu for IGMP proxy settings.
If you don't have that menu, then you need to install the multicast package to your system.
Setting up multicast proxy is pretty simple - just set ether1 as the "upstream" interface, and the "any" interface as a downstream interface.
I didn't spend much time looking at your firewall rules, but you may need to allow multicast packets in the forward table.
e.g.:
/ip firewall filter
add chain=forward dst-address-type=multicast in-interface=ether1 action=accept
(and move this rule into a position of the forward chain so that it comes before any rule which would otherwise block your streams)

If you know what group addresses your IPTV streams tend to use, or what the source IP addresses tend to be, you can narrow down this rule with additional criteria:
src-address=x.x.x.x  (the IPTV server address)
or
src-address-list=IPTV_Servers
/ip firewall address-list
add list=IPTV_Servers address=x.x.x.x
add list=IPTV_Servers address=y.y.y.y
etc...
Top
 
jkaberg
just joined
Topic Author
Posts: 24
Joined: Sun Jul 17, 2016 5:00 am

Re: MAC based VLAN (IPTV on VLAN from ISP) and IGMP proxy

Mon Jul 18, 2016 7:08 pm

Thank you for replying ZeroByte,

My current config is as follow (the bits needed for IGMP and VLAN?... not complete, its not working!)
Code: Select all
/interface vlan
add interface=sfp1 mtu=1584 name=sfp1.4 vlan-id=303

/interface ethernet switch mac-based-vlan
add new-customer-vid=303 new-service-vid=303 src-mac-address=44:AA:F5:5F:89:5A


/interface ethernet switch multicast-fdb
add address=44:AA:F5:5F:89:5A bypass-vlan-filter=yes ports=ether2 vlan-id=303

/ip dhcp-client

add add-default-route=special-classless dhcp-options=clientid,hostname \
    disabled=no interface=sfp1.4

/ip firewall filter
add chain=forward comment=iptv dst-address-type=multicast in-interface=sfp1.4

/ip firewall nat
add action=masquerade chain=srcnat comment=iptv out-interface=sfp1.4

/routing igmp-proxy
set query-interval=1m5s
/routing igmp-proxy interface
add alternative-subnets=224.0.0.0/24,10.22.0.0/23 interface=sfp1.4 upstream=yes
Is that in line with what you suggested? (atleast the firewall rule is there)

The line
Code: Select all
add new-customer-vid=303 new-service-vid=303 src-mac-address=44:AA:F5:5F:89:5A
This is my poor attempt at locking in the MAC adress into the VLAN where it supposedly should get an IP from ISP DHCP, also not working.

In the IGMP Proxy->MFC table is see a few IP's, and I'm getting IP from my ISP (on the VLAN). See screenshot:

Image

While it seems like it's working I can't view any IPTV streams from VLAN via IGMP proxy? 

Entire router config here incase I forgot something:
Code: Select all
[joel@MikroTik] > export compact
# jul/18/2016 18:08:05 by RouterOS 6.35.4
# software id = 4ZWJ-QVRS
#
/interface bridge
add comment=LAN name=bridge1
/interface ethernet
set [ find default-name=ether3 ] comment="Kontoret - Dumb Switch"
set [ find default-name=ether4 ] comment="Server - Dunder"
set [ find default-name=ether5 ] comment="Stua - UniFi AP-AC-Pro"
set [ find default-name=ether6 ] comment="Stua - Dumb Switch"
set [ find default-name=sfp1 ] comment=WAN mac-address=E4:8D:8C:A6:C0:67
/ip neighbor discovery
set ether3 comment="Kontoret - Dumb Switch"
set ether4 comment="Server - Dunder"
set ether5 comment="Stua - UniFi AP-AC-Pro"
set ether6 comment="Stua - Dumb Switch"
set sfp1 comment=WAN
set bridge1 comment=LAN
/interface vlan
add interface=sfp1 mtu=1584 name=sfp1.4 vlan-id=303
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 lease-time=3d name=dhcp1
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
add bridge=bridge1 interface=ether11
add bridge=bridge1 interface=ether12
add bridge=bridge1 interface=ether13
add bridge=bridge1 interface=ether14
add bridge=bridge1 interface=ether15
add bridge=bridge1 interface=ether16
add bridge=bridge1 interface=ether17
add bridge=bridge1 interface=ether18
add bridge=bridge1 interface=ether19
add bridge=bridge1 interface=ether20
add bridge=bridge1 interface=ether21
add bridge=bridge1 interface=ether22
add bridge=bridge1 interface=ether23
add bridge=bridge1 interface=ether24
/interface ethernet switch mac-based-vlan
add new-customer-vid=303 new-service-vid=303 src-mac-address=44:AA:F5:5F:89:5A
/interface ethernet switch multicast-fdb
add address=44:AA:F5:5F:89:5A ports=ether2 vlan-id=303
/interface ethernet switch port
set 0 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 1 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 2 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 3 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 4 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 5 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 6 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 7 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 8 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 9 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 10 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 11 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 12 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 13 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 14 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 15 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 16 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 17 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 18 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 19 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 20 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 21 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 22 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 23 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 24 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 25 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
/ip address
add address=192.168.1.1/24 interface=ether1 network=192.168.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=sfp1
add add-default-route=special-classless dhcp-options=clientid,hostname disabled=no interface=sfp1.4
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/ip firewall filter
add chain=forward comment=iptv dst-address-type=multicast in-interface=sfp1.4
add chain=forward dst-port=80 in-interface=sfp1 protocol=tcp
add chain=forward dst-port=443 in-interface=sfp1 protocol=tcp
add chain=forward dst-port=22 in-interface=sfp1 protocol=tcp
add chain=forward dst-port=32400 in-interface=sfp1 protocol=tcp
add action=drop chain=forward disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat comment=MASQ out-interface=sfp1
add action=dst-nat chain=dstnat dst-port=443 in-interface=sfp1 log=yes protocol=tcp to-addresses=192.168.1.10 to-ports=443
add action=dst-nat chain=dstnat dst-port=80 in-interface=sfp1 protocol=tcp to-addresses=192.168.1.10 to-ports=80
add action=dst-nat chain=dstnat dst-port=22 in-interface=sfp1 protocol=tcp to-addresses=192.168.1.10 to-ports=22
add action=dst-nat chain=dstnat dst-port=32400 in-interface=sfp1 protocol=tcp to-addresses=192.168.1.10 to-ports=32400
add action=masquerade chain=srcnat dst-port=22,80,443,32400 protocol=tcp src-address=192.168.1.0/24
add action=dst-nat chain=dstnat dst-address=!192.168.1.0/24 dst-address-type=local dst-port=22,80,443,32400 protocol=tcp to-addresses=192.168.1.10
add action=masquerade chain=srcnat comment=iptv out-interface=sfp1.4
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.1.0/24
set ssh disabled=yes
set www-ssl address=192.168.1.0/24
set api disabled=yes
set winbox address=192.168.1.0/24
set api-ssl address=192.168.1.0/24 disabled=yes
/ip upnp
set enabled=yes
/routing igmp-proxy
set query-interval=1m5s
/routing igmp-proxy interface
add alternative-subnets=224.0.0.0/24,10.22.0.0/23 interface=sfp1.4 upstream=yes
add
/system clock
set time-zone-name=Europe/Oslo
/system routerboard settings
set protected-routerboot=disabled
[joel@MikroTik] > 
Top
 
jkaberg
just joined
Topic Author
Posts: 24
Joined: Sun Jul 17, 2016 5:00 am

Re: MAC based VLAN (IPTV on VLAN from ISP) and IGMP proxy

Tue Jul 19, 2016 7:36 am

Basically what I want to do is this http://wiki.mikrotik.com/wiki/Manual:CR ... #MAC_Based VLAN

But in addition I want devices (which MAC is not "tagged"/listed) on ether6 to receive IP from local DHCP

"Tagged" MAC: Receives IP via VLAN 303 from ISP DHCP
None tagged MAC: Receives IP from local DHCP

This due to on ether6 port I'm running an unmanaged switch with an IPTV decoder and a few other devices.

So how can I accomplish this?
Top
 
jkaberg
just joined
Topic Author
Posts: 24
Joined: Sun Jul 17, 2016 5:00 am

Re: MAC based VLAN (IPTV on VLAN from ISP) and IGMP proxy

Tue Jul 19, 2016 4:24 pm

So in an attempt to see if my IPTV dekoder actully is getting any traffic I did this
Code: Select all
/interface bridge
add name=bridge-iptv
/interface vlan
add interface=sfp1 name=sfp1-vlan303 vlan-id=303
/interface bridge port
add bridge=bridge-iptv interface=ether24
add bridge=bridge-iptv interface=sfp1-vlan303
/ip dhcp-client
add add-default-route=special-classless default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether24
But I'm not getting any DHCP on ether24, but sfp-vlan303 and bridge-iptv both gets DHCP if I choose thoes interfaces? The bridge doesn't seem to work? Am I missing something? Looking over guides on the internet it seems I covered everything (http://wiki.mikrotik.com/wiki/Manual:Interface/VLAN )

EDIT: My bad, forgot so spoof the MAC. When I did that, I got IP from DHCP :-)
Last edited by jkaberg on Tue Jul 19, 2016 6:59 pm, edited 1 time in total.
Top
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: MAC based VLAN (IPTV on VLAN from ISP) and IGMP proxy

Tue Jul 19, 2016 5:57 pm

I think mac-based-vlan is part of the issue.
Multicast streams send traffic to a destination MAC address that is different than the MAC of any host receiving the traffic.
The dst MAC address is a mapping based on the target group IP address of the stream.

Is this for a home network? MAC based vlan is generally a host isolation scheme, so I'm a bit confused as to why you would be doing this.
Top
 
jkaberg
just joined
Topic Author
Posts: 24
Joined: Sun Jul 17, 2016 5:00 am

Re: MAC based VLAN (IPTV on VLAN from ISP) and IGMP proxy

Tue Jul 19, 2016 6:58 pm

I think mac-based-vlan is part of the issue.
Multicast streams send traffic to a destination MAC address that is different than the MAC of any host receiving the traffic.
The dst MAC address is a mapping based on the target group IP address of the stream.

Is this for a home network? MAC based vlan is generally a host isolation scheme, so I'm a bit confused as to why you would be doing this.
Yes this is a home network. And yes, I want to isolate the IPTV decoders inside the VLAN (since thats where they get thire DHCP IP from ISP + streams)
My problem is I have a shared ethernet cable going from ether6 to a unmanaged switch (on this switch amongst other things is an IPTV decoder), it's a huge task to get a seperate cable in so doing this over the same ethernet cable would be for the best. 
You think its possible? 
Top
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: MAC based VLAN (IPTV on VLAN from ISP) and IGMP proxy

Tue Jul 19, 2016 7:40 pm

A managed, vlan-capable switch would be much better. The unmanaged switch causes some strangeness in that the hosts attached to it are actually in the same broadcast domain - and multicast domain for that matter. You can get a vlan-capable switch for less than $100, or even get an older model Cisco switch for dirt cheap on E-Bay. You could even use something like a 2011 or another CRS as a vlan-capable switch.

Split your devices into real vlans so that their layer 2 traffic doesn't interfere with each other.
Top
 
jkaberg
just joined
Topic Author
Posts: 24
Joined: Sun Jul 17, 2016 5:00 am

Re: MAC based VLAN (IPTV on VLAN from ISP) and IGMP proxy

Tue Jul 19, 2016 8:08 pm

A managed, vlan-capable switch would be much better. The unmanaged switch causes some strangeness in that the hosts attached to it are actually in the same broadcast domain - and multicast domain for that matter. You can get a vlan-capable switch for less than $100, or even get an older model Cisco switch for dirt cheap on E-Bay. You could even use something like a 2011 or another CRS as a vlan-capable switch.

Split your devices into real vlans so that their layer 2 traffic doesn't interfere with each other.
While I see your point, it is still possible? 
In the long run I plan on getting a pair of small managed switches, but for now a "hack" will have to do.
Top
 
User avatar
ZeroByte
Forum Guru
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: MAC based VLAN (IPTV on VLAN from ISP) and IGMP proxy

Wed Jul 20, 2016 12:40 am

Honestly, I'm not sure - the mac-based vlan topology is akin to having a bunch of drinking straws all going into one big tank. In the tank is every beverage you may want - soda, water, orange juice, beer, coffee, tea, milk, fruit punch, etc. In the tank, they're all mixed together. In the case of mac-based vlans, the straws have the amazing ability to drink only the specified beverage.
However, if you're dipping straight out of the tank, there's no way to separate them. This is the case for devices connected to an unmanaged switch - the switch cannot separate the various nodes, so the nodes are in actuality all in a single network.

For devices on the other end of the magic drinking straws (the per-mac vlan interfaces), it's possible to talk to only certain devices.

I'm really not sure how this will translate to a MAC-based vlan when multicast is intended to send a single MAC address out which is delivered only to the devices that want it..... especially when this MAC is not present on any of the devices themselves.
Top
 
jkaberg
just joined
Topic Author
Posts: 24
Joined: Sun Jul 17, 2016 5:00 am

Re: MAC based VLAN (IPTV on VLAN from ISP) and IGMP proxy

Wed Jul 20, 2016 5:24 am

Honestly, I'm not sure - the mac-based vlan topology is akin to having a bunch of drinking straws all going into one big tank. In the tank is every beverage you may want - soda, water, orange juice, beer, coffee, tea, milk, fruit punch, etc. In the tank, they're all mixed together. In the case of mac-based vlans, the straws have the amazing ability to drink only the specified beverage.
However, if you're dipping straight out of the tank, there's no way to separate them. This is the case for devices connected to an unmanaged switch - the switch cannot separate the various nodes, so the nodes are in actuality all in a single network.

For devices on the other end of the magic drinking straws (the per-mac vlan interfaces), it's possible to talk to only certain devices.

I'm really not sure how this will translate to a MAC-based vlan when multicast is intended to send a single MAC address out which is delivered only to the devices that want it..... especially when this MAC is not present on any of the devices themselves.
Alright I get what you're comeing at :-)

I decided to try IGMP proxy instead, in hopes that it might save the day but I'm getting the following error:
04:04:50 igmp-proxy,debug sending IGMP query to 224.0.0.1 on bridge-lan 
04:04:50 igmp-proxy,debug RECV IGMPv2 membership report from 192.168.1.251 to 239.255.255.250 on bridge-lan 
04:04:50 igmp-proxy,debug RECV IGMPv2 membership report from 192.168.1.155 to 239.192.152.143 on bridge-lan 
04:04:56 igmp-proxy,debug RECV IGMPv2 membership report from 192.168.1.10 to 233.89.188.1 on bridge-lan 
04:04:57 igmp-proxy,debug RECV IGMPv2 membership report from 192.168.1.155 to 224.0.54.34 on bridge-lan 
04:05:17 igmp-proxy,debug RECV IGMP membership query from 46.249.234.1 to 224.0.0.1 on sfp1 
04:05:17 igmp-proxy,debug ignoring IGMP message: received on the upstream interface 
04:05:18 igmp-proxy,debug ignoring IGMP message: source address is local: 
04:05:18 igmp-proxy,debug   source=46.249.***.*** 
04:05:18 igmp-proxy,debug   interface=sfp1 
04:05:18 igmp-proxy,debug ignoring request from myself: 
04:05:18 igmp-proxy,debug   source=46.249.***.*** 
04:05:18 igmp-proxy,debug   destination=239.192.***.*** 
04:05:21 igmp-proxy,debug ignoring IGMP message: source address is local: 
04:05:21 igmp-proxy,debug   source=46.249.***.*** 
04:05:21 igmp-proxy,debug   interface=sfp1 
04:05:21 igmp-proxy,debug ignoring request from myself: 
04:05:21 igmp-proxy,debug   source=46.249.***.*** 
04:05:21 igmp-proxy,debug   destination=224.0.54.34 
04:05:22 igmp-proxy,debug ignoring IGMP message: source address is local: 
04:05:22 igmp-proxy,debug   source=46.249.***.*** 
04:05:22 igmp-proxy,debug   interface=sfp1 
04:05:22 igmp-proxy,debug ignoring request from myself: 
04:05:22 igmp-proxy,debug   source=46.249.***.*** 
04:05:22 igmp-proxy,debug   destination=233.89.188.1 
04:05:25 igmp-proxy,debug ignoring IGMP message: source address is local: 
04:05:25 igmp-proxy,debug   source=46.249.***.*** 
04:05:25 igmp-proxy,debug   interface=sfp1 
04:05:25 igmp-proxy,debug ignoring request from myself: 
04:05:25 igmp-proxy,debug   source=46.249.***.*** 
04:05:25 igmp-proxy,debug   destination=239.255.255.250
Now I googled this and ended up at this post which suggests my config is faulty. But I can't see how it is?

My config as of now
Code: Select all
[joel@MikroTik] > export
# jul/20/2016 04:14:12 by RouterOS 6.35.4
# software id = 4ZWJ-QVRS
#
/interface bridge
add name=bridge-iptv
add name=bridge-lan
/interface ethernet
set [ find default-name=ether3 ] comment="Kontoret - Dumb Switch"
set [ find default-name=ether4 ] comment="Server - Dunder"
set [ find default-name=ether5 ] comment="Stua - UniFi AP-AC-Pro"
set [ find default-name=ether6 ] comment="Stua - Dumb Switch"
set [ find default-name=ether24 ] comment="Stua - Dekoder"
set [ find default-name=sfp1 ] comment=WAN mac-address=00:22:07:53:63:72
/ip neighbor discovery
set ether3 comment="Kontoret - Dumb Switch"
set ether4 comment="Server - Dunder"
set ether5 comment="Stua - UniFi AP-AC-Pro"
set ether6 comment="Stua - Dumb Switch"
set ether24 comment="Stua - Dekoder"
set sfp1 comment=WAN
/interface vlan
add interface=sfp1 name=sfp1-vlan303 vlan-id=303
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-lan lease-time=3d name=dhcp1
/interface bridge port
add bridge=bridge-lan interface=ether1
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=ether5
add bridge=bridge-lan interface=ether6
add bridge=bridge-lan interface=ether7
add bridge=bridge-lan interface=ether8
add bridge=bridge-lan interface=ether9
add bridge=bridge-lan interface=ether10
add bridge=bridge-lan interface=ether11
add bridge=bridge-lan interface=ether12
add bridge=bridge-lan interface=ether13
add bridge=bridge-lan interface=ether14
add bridge=bridge-lan interface=ether15
add bridge=bridge-lan interface=ether16
add bridge=bridge-lan interface=ether17
add bridge=bridge-lan interface=ether18
add bridge=bridge-lan interface=ether19
add bridge=bridge-lan interface=ether20
add bridge=bridge-lan interface=ether21
add bridge=bridge-lan interface=ether22
add bridge=bridge-iptv interface=ether23
add bridge=bridge-iptv interface=ether24
add bridge=bridge-iptv interface=sfp1-vlan303
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether24 vlan-id=303
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=303 ports=ether24
/interface ethernet switch port
set 0 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 1 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 2 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 3 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 4 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 5 allow-fdb-based-vlan-translate=yes per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 6 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 7 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 8 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 9 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 10 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 11 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 12 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 13 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 14 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 15 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 16 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 17 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 18 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 19 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 20 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 21 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 22 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 23 allow-fdb-based-vlan-translate=yes per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 24 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 25 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
/ip address
add address=192.168.1.1/24 interface=ether1 network=192.168.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=sfp1
/ip dhcp-server lease
add address=192.168.1.149 client-id=1:28:f3:66:4d:b7:f9 comment="IP Camera Jonas" mac-address=28:F3:66:4D:B7:F9 server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/ip firewall filter
add chain=forward dst-port=80 in-interface=sfp1 protocol=tcp
add chain=forward dst-port=443 in-interface=sfp1 protocol=tcp
add chain=forward dst-port=22 in-interface=sfp1 protocol=tcp
add chain=forward dst-port=32400 in-interface=sfp1 protocol=tcp
add chain=forward protocol=udp
add chain=input protocol=udp
add chain=forward protocol=igmp
add chain=input protocol=igmp
add action=drop chain=forward disabled=yes
add action=drop chain=forward dst-address=!192.168.1.0/24 src-mac-address=28:F3:66:4D:B7:F9
/ip firewall nat
add action=masquerade chain=srcnat comment=MASQ out-interface=sfp1
add action=masquerade chain=srcnat dst-port=22,80,443,32400 protocol=tcp src-address=192.168.1.0/24
add action=dst-nat chain=dstnat dst-address=!192.168.1.0/24 dst-address-type=local dst-port=22,80,443,32400 protocol=tcp to-addresses=192.168.1.10
add action=dst-nat chain=dstnat dst-port=443 in-interface=sfp1 log=yes protocol=tcp to-addresses=192.168.1.10 to-ports=443
add action=dst-nat chain=dstnat dst-port=80 in-interface=sfp1 protocol=tcp to-addresses=192.168.1.10 to-ports=80
add action=dst-nat chain=dstnat dst-port=22 in-interface=sfp1 protocol=tcp to-addresses=192.168.1.10 to-ports=22
add action=dst-nat chain=dstnat dst-port=32400 in-interface=sfp1 protocol=tcp to-addresses=192.168.1.10 to-ports=32400
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.1.0/24
set ssh disabled=yes
set www-ssl address=192.168.1.0/24
set api disabled=yes
set winbox address=192.168.1.0/24
set api-ssl address=192.168.1.0/24 disabled=yes
/ip upnp
set enabled=yes
/routing igmp-proxy
set query-interval=1m5s quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface=sfp1 upstream=yes
add interface=bridge-lan
/system clock
set time-zone-name=Europe/Oslo
/system logging
add disabled=yes topics=igmp-proxy
/system routerboard settings
set protected-routerboot=disabled
[joel@MikroTik] >
Top
 
jkaberg
just joined
Topic Author
Posts: 24
Joined: Sun Jul 17, 2016 5:00 am

Re: MAC based VLAN (IPTV on VLAN from ISP) and IGMP proxy

Fri Jul 22, 2016 6:56 am

Honestly, I'm not sure - the mac-based vlan topology is akin to having a bunch of drinking straws all going into one big tank. In the tank is every beverage you may want - soda, water, orange juice, beer, coffee, tea, milk, fruit punch, etc. In the tank, they're all mixed together. In the case of mac-based vlans, the straws have the amazing ability to drink only the specified beverage.
However, if you're dipping straight out of the tank, there's no way to separate them. This is the case for devices connected to an unmanaged switch - the switch cannot separate the various nodes, so the nodes are in actuality all in a single network.

For devices on the other end of the magic drinking straws (the per-mac vlan interfaces), it's possible to talk to only certain devices.

I'm really not sure how this will translate to a MAC-based vlan when multicast is intended to send a single MAC address out which is delivered only to the devices that want it..... especially when this MAC is not present on any of the devices themselves.
Alright I get what you're comeing at :-)

I decided to try IGMP proxy instead, in hopes that it might save the day but I'm getting the following error:
04:04:50 igmp-proxy,debug sending IGMP query to 224.0.0.1 on bridge-lan 
04:04:50 igmp-proxy,debug RECV IGMPv2 membership report from 192.168.1.251 to 239.255.255.250 on bridge-lan 
04:04:50 igmp-proxy,debug RECV IGMPv2 membership report from 192.168.1.155 to 239.192.152.143 on bridge-lan 
04:04:56 igmp-proxy,debug RECV IGMPv2 membership report from 192.168.1.10 to 233.89.188.1 on bridge-lan 
04:04:57 igmp-proxy,debug RECV IGMPv2 membership report from 192.168.1.155 to 224.0.54.34 on bridge-lan 
04:05:17 igmp-proxy,debug RECV IGMP membership query from 46.249.234.1 to 224.0.0.1 on sfp1 
04:05:17 igmp-proxy,debug ignoring IGMP message: received on the upstream interface 
04:05:18 igmp-proxy,debug ignoring IGMP message: source address is local: 
04:05:18 igmp-proxy,debug   source=46.249.***.*** 
04:05:18 igmp-proxy,debug   interface=sfp1 
04:05:18 igmp-proxy,debug ignoring request from myself: 
04:05:18 igmp-proxy,debug   source=46.249.***.*** 
04:05:18 igmp-proxy,debug   destination=239.192.***.*** 
04:05:21 igmp-proxy,debug ignoring IGMP message: source address is local: 
04:05:21 igmp-proxy,debug   source=46.249.***.*** 
04:05:21 igmp-proxy,debug   interface=sfp1 
04:05:21 igmp-proxy,debug ignoring request from myself: 
04:05:21 igmp-proxy,debug   source=46.249.***.*** 
04:05:21 igmp-proxy,debug   destination=224.0.54.34 
04:05:22 igmp-proxy,debug ignoring IGMP message: source address is local: 
04:05:22 igmp-proxy,debug   source=46.249.***.*** 
04:05:22 igmp-proxy,debug   interface=sfp1 
04:05:22 igmp-proxy,debug ignoring request from myself: 
04:05:22 igmp-proxy,debug   source=46.249.***.*** 
04:05:22 igmp-proxy,debug   destination=233.89.188.1 
04:05:25 igmp-proxy,debug ignoring IGMP message: source address is local: 
04:05:25 igmp-proxy,debug   source=46.249.***.*** 
04:05:25 igmp-proxy,debug   interface=sfp1 
04:05:25 igmp-proxy,debug ignoring request from myself: 
04:05:25 igmp-proxy,debug   source=46.249.***.*** 
04:05:25 igmp-proxy,debug   destination=239.255.255.250
Now I googled this and ended up at this post which suggests my config is faulty. But I can't see how it is?

My config as of now
Code: Select all
[joel@MikroTik] > export
# jul/20/2016 04:14:12 by RouterOS 6.35.4
# software id = 4ZWJ-QVRS
#
/interface bridge
add name=bridge-iptv
add name=bridge-lan
/interface ethernet
set [ find default-name=ether3 ] comment="Kontoret - Dumb Switch"
set [ find default-name=ether4 ] comment="Server - Dunder"
set [ find default-name=ether5 ] comment="Stua - UniFi AP-AC-Pro"
set [ find default-name=ether6 ] comment="Stua - Dumb Switch"
set [ find default-name=ether24 ] comment="Stua - Dekoder"
set [ find default-name=sfp1 ] comment=WAN mac-address=00:22:07:53:63:72
/ip neighbor discovery
set ether3 comment="Kontoret - Dumb Switch"
set ether4 comment="Server - Dunder"
set ether5 comment="Stua - UniFi AP-AC-Pro"
set ether6 comment="Stua - Dumb Switch"
set ether24 comment="Stua - Dekoder"
set sfp1 comment=WAN
/interface vlan
add interface=sfp1 name=sfp1-vlan303 vlan-id=303
/ip pool
add name=dhcp ranges=192.168.1.100-192.168.1.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-lan lease-time=3d name=dhcp1
/interface bridge port
add bridge=bridge-lan interface=ether1
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=ether5
add bridge=bridge-lan interface=ether6
add bridge=bridge-lan interface=ether7
add bridge=bridge-lan interface=ether8
add bridge=bridge-lan interface=ether9
add bridge=bridge-lan interface=ether10
add bridge=bridge-lan interface=ether11
add bridge=bridge-lan interface=ether12
add bridge=bridge-lan interface=ether13
add bridge=bridge-lan interface=ether14
add bridge=bridge-lan interface=ether15
add bridge=bridge-lan interface=ether16
add bridge=bridge-lan interface=ether17
add bridge=bridge-lan interface=ether18
add bridge=bridge-lan interface=ether19
add bridge=bridge-lan interface=ether20
add bridge=bridge-lan interface=ether21
add bridge=bridge-lan interface=ether22
add bridge=bridge-iptv interface=ether23
add bridge=bridge-iptv interface=ether24
add bridge=bridge-iptv interface=sfp1-vlan303
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether24 vlan-id=303
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=303 ports=ether24
/interface ethernet switch port
set 0 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 1 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 2 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 3 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 4 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 5 allow-fdb-based-vlan-translate=yes per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 6 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 7 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 8 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 9 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 10 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 11 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 12 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 13 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 14 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 15 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 16 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 17 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 18 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 19 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 20 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 21 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 22 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 23 allow-fdb-based-vlan-translate=yes per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 24 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
set 25 per-queue-scheduling=wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128
/ip address
add address=192.168.1.1/24 interface=ether1 network=192.168.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=sfp1
/ip dhcp-server lease
add address=192.168.1.149 client-id=1:28:f3:66:4d:b7:f9 comment="IP Camera Jonas" mac-address=28:F3:66:4D:B7:F9 server=dhcp1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
/ip firewall filter
add chain=forward dst-port=80 in-interface=sfp1 protocol=tcp
add chain=forward dst-port=443 in-interface=sfp1 protocol=tcp
add chain=forward dst-port=22 in-interface=sfp1 protocol=tcp
add chain=forward dst-port=32400 in-interface=sfp1 protocol=tcp
add chain=forward protocol=udp
add chain=input protocol=udp
add chain=forward protocol=igmp
add chain=input protocol=igmp
add action=drop chain=forward disabled=yes
add action=drop chain=forward dst-address=!192.168.1.0/24 src-mac-address=28:F3:66:4D:B7:F9
/ip firewall nat
add action=masquerade chain=srcnat comment=MASQ out-interface=sfp1
add action=masquerade chain=srcnat dst-port=22,80,443,32400 protocol=tcp src-address=192.168.1.0/24
add action=dst-nat chain=dstnat dst-address=!192.168.1.0/24 dst-address-type=local dst-port=22,80,443,32400 protocol=tcp to-addresses=192.168.1.10
add action=dst-nat chain=dstnat dst-port=443 in-interface=sfp1 log=yes protocol=tcp to-addresses=192.168.1.10 to-ports=443
add action=dst-nat chain=dstnat dst-port=80 in-interface=sfp1 protocol=tcp to-addresses=192.168.1.10 to-ports=80
add action=dst-nat chain=dstnat dst-port=22 in-interface=sfp1 protocol=tcp to-addresses=192.168.1.10 to-ports=22
add action=dst-nat chain=dstnat dst-port=32400 in-interface=sfp1 protocol=tcp to-addresses=192.168.1.10 to-ports=32400
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.1.0/24
set ssh disabled=yes
set www-ssl address=192.168.1.0/24
set api disabled=yes
set winbox address=192.168.1.0/24
set api-ssl address=192.168.1.0/24 disabled=yes
/ip upnp
set enabled=yes
/routing igmp-proxy
set query-interval=1m5s quick-leave=yes
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface=sfp1 upstream=yes
add interface=bridge-lan
/system clock
set time-zone-name=Europe/Oslo
/system logging
add disabled=yes topics=igmp-proxy
/system routerboard settings
set protected-routerboot=disabled
[joel@MikroTik] >
Nobody? :-(
Top
 
jkaberg
just joined
Topic Author
Posts: 24
Joined: Sun Jul 17, 2016 5:00 am

Re: MAC based VLAN (IPTV on VLAN from ISP) and IGMP proxy

Wed Jul 27, 2016 8:58 am

This issue got resolved in another thread: http://forum.mikrotik.com/viewtopic.php ... 87#p549269
Top
Post Reply
  4. RouterOS
  5. Forwarding Protocols