HELP! Multicast Filtering? How?

helheimr
DD-WRT Novice


Joined: 29 Apr 2010
Posts: 2

Posted: Tue May 04, 2010 21:38    Post subject: further optimizing the firewall
Thanks for your tip on saving the iptables rule in the firewall - but it seems the insmod commands are causing the trouble.

Another tip for those interested:

I wanted to use the excellent DVBLogic IPTV server to stream the XMS IPTV via UPNP on my LAN so I can view IPTV via UPNP using any UPNP client (including WMP12). However, using the firewall rules I posted earlier, the UPNP discovery multicast (UDP port 1900 multicast) was also blocked. The easy solution: add another rule to let the UPNP discovery SSDP through:

insmod ebtables
insmod ebtable_filter
iptables -I FORWARD -m pkttype --pkt-type multicast -i br0 -j DROP
iptables -I FORWARD -p udp --dport 1900 -i br0 -j ACCEPT

hope it helps someone....
ner0
DD-WRT Novice


Joined: 02 May 2010
Posts: 4

Posted: Thu May 06, 2010 21:29    Post subject: Re: Linksys 610N with mini build
helheimr wrote:

Solution:
the easy way: just unbridge the WLAN and enable filtering of multicast. however the problem with this is that your WLAN clients will no longer be part of the same network (to browse files easily etc.)


I'm trying to do that to no avail.
I want to watch IPTV with a STbox connected to eth0 port of a WRT54GS (f/w. dd-wrt micro, build 13064) which is bridged over WLAN with a Thomson TG784 ADSL gateway. How should the WRT54GS router be connected over WLAN, client/repeater/bridge? In dd-wrt WebGUI, where exactly do I unbridge and set multicast filtering? I'm noob at this, someone help me out please.

Thanks.
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Thu May 06, 2010 21:38    Post subject: Re: Linksys 610N with mini build
ner0 wrote:
I'm trying to do that to no avail.
I want to watch IPTV with a STbox connected to eth0 port of a WRT54GS (f/w. dd-wrt micro, build 13064) which is bridged over WLAN with a Thomson TG784 ADSL gateway. How should the WRT54GS router be connected over WLAN, client/repeater/bridge? In dd-wrt WebGUI, where exactly do I unbridge and set multicast filtering? I'm noob at this, someone help me out please.

Thanks.

What you want is NOT multicast filtering, you want the multicast to go over the WLAN to your router. See the wiki guide for Client Bridge mode.

_________________
Read the forum announcements thoroughly! Be cautious if you're inexperienced.
Available for paid consulting. (Don't PM about complicated setups otherwise)
Looking for bricks and spare routers to expand my collection. (not interested in G spec models)
ner0
DD-WRT Novice


Joined: 02 May 2010
Posts: 4

Posted: Thu May 06, 2010 23:24    Post subject: Re: Linksys 610N with mini build
phuzi0n wrote:

What you want is NOT multicast filtering, you want the multicast to go over the WLAN to your router. See the wiki guide for Client Bridge mode.


Thanks, but that won't help. I tried several configurations but it all comes down to the multicast rate, which brings down the WLAN's bandwidth very fast. I tried all wireless modes and firewall settings.
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Fri May 07, 2010 1:11    Post subject: Re: Linksys 610N with mini build
ner0 wrote:
Thanks, but that won't help. I tried several configurations but it all comes down to the multicast rate, which brings down the WLAN's bandwidth very fast. I tried all wireless modes and firewall settings.

The difference is that the OP's IPTV box wasn't using the WLAN but the IPTV multicast packets were still flooding their WLAN. You are using the WLAN to send the traffic to your IPTV box so you MUST allow the IPTV multicast packets to be transmitted. Also, your Thomson TG784 ADSL gateway is what is sending the IPTV multicast packets, your dd-wrt router just receives them.

If you don't want your WLAN flooded with multicast then you need to either wire the STbox or add a WAP on another channel for your other devices to use.

ozeraser
DD-WRT Novice


Joined: 18 Sep 2010
Posts: 3

Posted: Sat Sep 18, 2010 12:26
Sorry to bring this back up.
Right now I have the same issue as the OP. Running a server that is sending multicast packets from one ethernet to another ethernet (or several others), but the router keeps sending the multicast packets over the wlan (ath0). I have tried:

iptables -I FORWARD -m pkttype --pkt-type multicast -o ath0 -j DROP

AND

iptables -I FORWARD -m pkttype --pkt-type multicast -o eth1 -j DROP


Which, if my limited knowledge is correct, is saying that any packets going out ath0 or eth1 should be dropped.

At the moment ath0, vlan1 and vlan2 are all bridged together, which I think is correct.

Any help greatly appreciated.
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Sat Sep 18, 2010 16:09
Iptables only acts upon routed traffic by default. You need to load ebtables for your bridged traffic to be seen by iptables. I already explained this earlier.
ozeraser
DD-WRT Novice


Joined: 18 Sep 2010
Posts: 3

Posted: Mon Sep 20, 2010 13:04
Yes, sorry about that phuzi0n, I left that part out as I thought it was a given.

I have

insmod ebtables
insmod ebtable_filter

before the lines I stated before. No go.
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Mon Sep 20, 2010 17:03
Telnet/ssh to the router and run these commands to check that ebtables is loaded and that the iptables rule is being added correctly.

lsmod
iptables -vnL FORWARD

ozeraser
DD-WRT Novice


Joined: 18 Sep 2010
Posts: 3

Posted: Wed Sep 22, 2010 9:11
So I have run that and I get:

Code:

Chain FORWARD (policy ACCEPT 6737K packets, 5274M bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       0    --  *      ath0    0.0.0.0/0            0.0.0.0/0           PKTTYPE = multicast


Which I think means it's working, but now all packets die at the router.

BTW thanks a lot for your input on this.
Hilbe
DD-WRT Novice


Joined: 18 Feb 2007
Posts: 13

Posted: Fri Dec 31, 2010 3:35
I have been battling with this tonight. My Uverse is sending about 5 to 6 Mbps to my ath0 and ath1 wireless interfaces. I ran the commands provided earlier, and am still seeing 5 to 6 Mbps going to my wireless interfaces while I have live TV on.

root@DD-WRT:~# lsmod
Module Size Used by
ebtable_filter 944 0
ebtables 15013 1 ebtable_filter

root@DD-WRT:~# iptables -vnL FORWARD
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
102 70584 DROP 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast

Any suggestions on how to kill off that traffic without unbridging?
phuzi0n
DD-WRT Guru


Joined: 10 Oct 2006
Posts: 10141

Posted: Fri Dec 31, 2010 4:39
Do like ozeraser did.

insmod ebtables
insmod ebtable_filter
iptables -I FORWARD -o ath0 -m pkttype --pkt-type multicast -j DROP
iptables -I FORWARD -o ath1 -m pkttype --pkt-type multicast -j DROP

2q2
DD-WRT User


Joined: 09 Jul 2006
Posts: 148

Posted: Sun Apr 03, 2011 13:16
Hello,

I tried the same for my WNDR3700 router, but didn't manage to suppress the multicast flooding at the wireless interface. What am I doing wrong?
Any help is very much appreciated!

Router: WNDR3700
Firmware: build 16454


Code:
insmod ebtables
insmod ebtable_filter
iptables -I FORWARD -o ath0 -m pkttype --pkt-type multicast -j DROP
iptables -I FORWARD -o ath1 -m pkttype --pkt-type multicast -j DROP



Output from the router:

lsmod:

Module Size Used by
ebtable_filter 944 0
ebtables 22375 1 ebtable_filter
nf_nat_pptp 1376 0
nf_conntrack_pptp 3344 1 nf_nat_pptp
nf_nat_proto_gre 944 1 nf_nat_pptp
nf_conntrack_proto_gre 2501 1 nf_conntrack_pptp
etherip 4240 0
bonding 75296 0
ath_mimo_pci 442702 0
ath_mimo_hal 215720 3 ath_mimo_pci
ag7100_mod 82220 0

iptables -vnL FORWARD

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP 0 -- * ath1 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
0 0 DROP 0 -- * ath0 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
0 0 ACCEPT 47 -- * ppp0 192.168.1.0/24 0.0.0.0/0
0 0 ACCEPT tcp -- * ppp0 192.168.1.0/24 0.0.0.0/0 tcp dpt:1723
191K 258M ACCEPT 0 -- eth1.0008 * 0.0.0.0/0 0.0.0.0/0
66 10356 ACCEPT 0 -- * eth1.0008 0.0.0.0/0 0.0.0.0/0
377 241K ACCEPT 0 -- br0 br0 0.0.0.0/0 0.0.0.0/0
1308 68612 TCPMSS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU
10817 2487K lan2wan 0 -- * * 0.0.0.0/0 0.0.0.0/0
9845 2427K ACCEPT 0 -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT udp -- eth1.0008 * 0.0.0.0/0 224.0.0.0/4 udp
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.100 tcp dpt:3
184 10080 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.100 tcp dpt:2
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.100 tcp dpt:5
0 0 ACCEPT tcp -- * * 0.0.0.0/0 192.168.1.100 tcp dpt:4
0 0 TRIGGER 0 -- ppp0 br0 0.0.0.0/0 0.0.0.0/0 TRIGGER type:in match:0 relate:0
788 50403 trigger_out 0 -- br0 * 0.0.0.0/0 0.0.0.0/0
750 47321 ACCEPT 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 state NEW
38 3082 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0
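
Added example, not part of any post in this thread: a small shell helper for reading `iptables -vnL FORWARD` listings like the ones posted above, flagging multicast DROP rules whose packet counter is still zero, meaning no packet has matched them. The sample listing is constructed from output shown in the thread, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit an `iptables -vnL FORWARD` listing for multicast DROP
# rules and report whether each one has matched any packets yet.

# Constructed sample, modelled on the listings posted in this thread.
SAMPLE='Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 DROP 0 -- * ath1 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
    0     0 DROP 0 -- * ath0 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
  102 70584 DROP 0 -- br0 * 0.0.0.0/0 0.0.0.0/0 PKTTYPE = multicast
 191K  258M ACCEPT 0 -- eth1.0008 * 0.0.0.0/0 0.0.0.0/0
   38  3082 DROP 0 -- * * 0.0.0.0/0 0.0.0.0/0'

# audit_multicast_drops (hypothetical name): reads a FORWARD listing on stdin
# and prints one line per multicast DROP rule:
#   <rule number> <in iface> <out iface> <pkts> <NO-HITS|MATCHING>
audit_multicast_drops() {
    awk '
        /^Chain / || $1 == "pkts" { next }   # skip the two header lines
        NF == 0 { next }                     # skip blank lines
        { rule++ }                           # position within the chain
        $3 == "DROP" && /PKTTYPE = multicast/ {
            verdict = ($1 == "0") ? "NO-HITS" : "MATCHING"
            print rule, $6, $7, $1, verdict
        }
    '
}

# idle_multicast_drops (hypothetical name): prints how many multicast DROP
# rules in the listing on stdin have a zero packet counter.
idle_multicast_drops() {
    audit_multicast_drops | awk '$5 == "NO-HITS" { n++ } END { print n + 0 }'
}

# On the router: iptables -vnL FORWARD | audit_multicast_drops
printf '%s\n' "$SAMPLE" | audit_multicast_drops
```

A rule that stays at NO-HITS while the multicast stream is playing is not seeing that traffic at all, so changing its match options will not help until the traffic actually traverses the FORWARD chain.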
jonsiii
DD-WRT Novice


Joined: 27 Apr 2011
Posts: 1

Posted: Wed Apr 27, 2011 10:00
2q2 wrote:
Hello,

I tried the same for my WNDR3700 router, but didn't manage to suppress the multicast flooding at the wireless interface. What am I doing wrong?
Any help is very much appreciated!


I also have a WNDR3700 router and experienced the same problem. I can't get it to drop the multicast packets.

But then I tried the first part in

http://www.dd-wrt.com/wiki/index.php/IPTV_-_blocking_multicast_on_WIFI

and this worked like a charm. Basically I did all the things under heading 2, except for 2.4 and 2.5 (# 2.4 Setup an additional VLAN and # 2.5 Disable multicast traffic to reach the LAN Ports 1,2,3).
crash9877
DD-WRT Novice


Joined: 23 May 2010
Posts: 12
Location: Germany

Posted: Tue May 03, 2011 21:55
jonsiii wrote:
2q2 wrote:
Hello,

I tried the same for my WNDR3700 router, but didn't manage to suppress the multicast flooding at the wireless interface. What am I doing wrong?
Any help is very much appreciated!


I also have a WNDR3700 router and experienced the same problem. I can't get it to drop the multicast packets.

But then I tried the first part in

http://www.dd-wrt.com/wiki/index.php/IPTV_-_blocking_multicast_on_WIFI

and this worked like a charm. Basically I did all the things under heading 2, except for 2.4 and 2.5 (# 2.4 Setup an additional VLAN and # 2.5 Disable multicast traffic to reach the LAN Ports 1,2,3).


Yes, I can confirm that. Doing that already since I have my 3700, but now I have a Linksys E3000 and when I do the same my Android mobile won't even get an IP. Only if I disable wireless encryption completely, but I don't want that. Tried even "Unbridged" and iptables -I FORWARD -i br0 -o "interface to block" -m pkttype --pkt-type multicast -j DROP.

Can anybody confirm this with a Linksys E3000 (latest ddwrt r16785)?