Could it be that your IPTV is using a non-IP protocol, e.g. an ethertype which
is neither IPv4 nor IPv6, but something different? Like Powerline, G.hn or so?
-- And which is blocked by pf?

There are several protocol and type fields on the different layers (MAC, IP,
TCP/UDP), and I recently noticed that tools and man pages do not always
identify them very clearly or are somewhat misnamed (for historical reasons
I'd say).

Btw., I'm looking for a pointer to packet formats of ethertypes 0x88e1 and
0x8912, which my current filter bubble or info availability didn't allow me to
find until now. They show up in tcpdump although they are not TCP nor even IP,
and Wireshark doesn't decrypt the payload, which I'm interested in.

-------- Original message --------
From: Родин Максим <[email protected]>
Date: 16.06.19 22:16 (GMT+01:00)
To: OpenBSD general usage list <[email protected]>
Subject: [misc] IPTV handling on OpenBSD soft router

Hello,

I am trying to set up an IPTV box behind a soft router.
When my internet (IPTV) provider installed the IPTV box he said that
I need a switch before my soft router to let the IPTV stream successfully pass
to the IPTV box.
I thought that a virtual bridge interface would be enough for this purpose.
I created a bridge0 interface and added three interfaces to it:

em0 - a physical one which delivers internet and IPTV from my provider.
em2 - a physical one to which the IPTV box is connected and which receives a
MAC-bound IP address from the local network of my provider (100.65.129.0/24).
vether0 - a virtual one which receives an external IP address from the DHCP
server of my provider (it therefore belongs to the egress group) and through
which my home computers access the internet using NAT
({ vether1 em1 em3 athn0 }).

When PF is disabled the IPTV box is working.
When PF is enabled the IPTV box works for several seconds and then the picture
freezes. When I change to another TV channel it works again for several
seconds and then it freezes again.

My pf settings are listed below (I used some of the config in the PF user's
guide).
I do no filtering on the ports needed (em0, em2).
When I do:

tcpdump -n -e -i pflog0 not ifname vether0

it shows no blocked packets.
What am I missing?

""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
router root ~ # cat /etc/pf.conf
# $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf

int_if = "{ vether1 em1 em3 athn0 }"
table <martians> { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
                   172.16.0.0/12 192.0.2.0/24 224.0.0.0/3 \
                   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
                   203.0.113.0/24 }
table <bad_ips> persist file "/etc/pf/bad_ip"
block log all
set block-policy drop
set loginterface egress
set skip on lo
match out on egress inet from (vether1:network) to any nat-to (egress:0)
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
pass out quick inet
pass in on $int_if inet
# IPTV
pass on em2
pass on em0
#pass in on egress inet proto tcp from !<bad_ips> to (egress) port 22
pass in on egress inet proto tcp from !<bad_ips> to (egress) port 80
pass in on egress inet proto { tcp udp } from any to (egress) port { 51413 22034 6890:6999 6881 } rdr-to 192.168.1.4
pass in on egress inet proto { tcp udp } from any to (egress) port { 50000 } rdr-to 192.168.1.65
#block return    # block stateless traffic
#pass            # establish keep-state
# By default, do not permit remote connections to X11
#block return in on ! lo0 proto tcp to port 6000:6010
"""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

--
Best regards
Maksim Rodin
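
Added example, not part of either mail: a small Python parser that reports the type/protocol field at each layer (EtherType, IP protocol, TCP/UDP ports) for one Ethernet frame, to illustrate the reply's point that a frame with a non-IP ethertype such as 0x88e1 carries no IP-level fields at all. The function name and the sample frames are constructed for illustration.

```python
import struct

ETH_P_IP, ETH_P_IPV6, ETH_P_8021Q = 0x0800, 0x86DD, 0x8100

def layer_fields(frame: bytes) -> dict:
    """Return the type/protocol field carried at each layer of one Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)   # layer 2: EtherType
    off = 14
    if ethertype == ETH_P_8021Q:                          # one VLAN tag: real type follows the TCI
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        (ethertype,) = struct.unpack_from("!H", frame, 16)
        off = 18
    out = {"ethertype": ethertype, "ip_proto": None, "sport": None, "dport": None}
    if ethertype == ETH_P_IP and len(frame) >= off + 20:
        ihl = (frame[off] & 0x0F) * 4                     # IPv4 header length in bytes
        if ihl < 20:
            return out
        out["ip_proto"] = frame[off + 9]                  # layer 3: IPv4 "protocol"
        frag_off = struct.unpack_from("!H", frame, off + 6)[0] & 0x1FFF
        l4 = off + ihl if frag_off == 0 else None         # ports exist only in the first fragment
    elif ethertype == ETH_P_IPV6 and len(frame) >= off + 40:
        out["ip_proto"] = frame[off + 6]                  # IPv6 "next header"; extension headers not followed
        l4 = off + 40
    else:
        return out                                        # not IP: no layer-3/4 fields to report
    if l4 is not None and out["ip_proto"] in (6, 17) and len(frame) >= l4 + 4:
        out["sport"], out["dport"] = struct.unpack_from("!HH", frame, l4)  # layer 4: TCP/UDP ports
    return out

# Constructed sample frames (zeroed MAC addresses, documentation/multicast IPs, dummy payloads).
_MACS = bytes(12)
_IPV4_UDP = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 17, 0,
                        bytes([192, 0, 2, 1]), bytes([239, 1, 1, 1]))
_UDP = struct.pack("!HHHH", 5000, 5004, 8, 0)
UDP_FRAME = _MACS + struct.pack("!H", ETH_P_IP) + _IPV4_UDP + _UDP
VLAN_UDP_FRAME = _MACS + struct.pack("!HH", ETH_P_8021Q, 100) + UDP_FRAME[12:]
NON_IP_FRAME = _MACS + struct.pack("!H", 0x88E1) + bytes(46)  # ethertype from the mail, opaque payload

if __name__ == "__main__":
    for name, f in (("udp", UDP_FRAME), ("vlan+udp", VLAN_UDP_FRAME), ("0x88e1", NON_IP_FRAME)):
        r = layer_fields(f)
        print(name, hex(r["ethertype"]), r["ip_proto"], r["sport"], r["dport"])
```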