Swisscom TV an Mikrotik / Multicast Problem?

  • Hi everyone

    I have (for a long time) a Mikrotik CCR1009 with the latest RouterOS V6.42.1 (stable).

    This has recently been running on a Swisscom fibre connection (1GB/s inOne L, if that is relevant). Setting it up on the Mikrotik was a bit special. Thanks to the forum here I have:
    - VLAN ID 10 configured
    - DHCP option 60 set
    - swisscom.ch/access found.

    …I found out myself that the SFP module supplied with the Internet-Box 2 (or whatever) does not support auto-negotiation. Fixed at 1GB full duplex, the internet works…

    With the Swisscom TV Box (also version 2, I *believe*) it said “Welcome to the next level!”. The box itself works: replay works, recordings run, even Netflix works. I just can’t watch (live) TV. The message “Unfortunately there is currently no TV signal available from this channel” appears (…from all channels). Sometimes it would run for a few seconds, but then stop (without a message).

    With the connection via the Swisscom Internet-Box, live TV also works perfectly, which is why I’m choosing the Mikrotik…

    The Swisscom TV is connected (now with a long cable) directly to the Mikrotik in order to be able to exclude any (non-IGMP-capable) switches or similar as sources of error.

    I have IGMP Snooping enabled on the Mikrotik. There are many references to “IGMP Proxy” and “PIM” on the Internet as well as here in the forum - but both no longer seem to exist since RouterOS V6.41. The new documentation from Mikrotik is probably this one: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#IGMP_Snooping. There is nothing more to set here than switching it “active”. I can no longer specify a helper IP or something similar. But I don’t think IGMP is the problem, as it should just be an additional feature to protect my network.

    I suspect that there is something more fundamentally wrong here. Do I have to create a special firewall rule or something similar for multicast? Actually, masquerade is active without protocol restrictions:

    (10.41.42.0 is my local network and 10.41.42.1 is the Mikrotik itself)

    [admin@MikroTik] /ip firewall nat> print
    Flags: X - disabled, I - invalid, D - dynamic
    0 chain=srcnat action=masquerade out-interface-list=external log=no log-prefix=""

    1 chain=dstnat action=dst-nat to-addresses=10.41.42.20 protocol=tcp in-interface-list=external dst-port=80 log=no log-prefix=""

    2 chain=dstnat action=dst-nat to-addresses=10.41.42.20 protocol=tcp in-interface-list=external dst-port=443 log=no log-prefix=""

    3 chain=dstnat action=dst-nat to-addresses=10.41.42.11 protocol=tcp in-interface-list=external dst-port=21 log=no log-prefix=""

    4 chain=dstnat action=dst-nat to-addresses=10.41.42.11 protocol=tcp in-interface-list=external dst-port=55536-55567 log=no log-prefix=""

    5   ;;; NTP
        chain=srcnat action=src-nat to-addresses=10.41.42.1 protocol=udp src-port=123

    A separate VLAN for the TV-Box should also be optional, right?

    …or is there even some secret cheat à la swisscom.ch/access-tv?

    Thank you very much and best regards
    Jochen


    @Losty you have to install an extra package on the CCR1009: https://mikrotik.com/download.

    To be able to use PIM & co.

    Your error messages definitely come from multicast. I have RB2011UiAS-RM and hAP ac at home.

    I haven’t gotten further than you yet.

    Maybe this will help you: https://www.init7.net/de/support/routerinfos/microtik_tv7_d.pdf

    You then have to adapt that to the SC-TV.

    Settings:

    https://community.swisscom.ch/t5/Swisscom-TV/pfsense-gt-zyxel-gt-linksys-gt-TV/m-p/534164#M36045

    7 days later

    Hey @user109 - thanks for the tip!

    In fact, as soon as I install the package, the menu items are there… unfortunately no live TV yet…

    The Init 7 guide is pretty good. However, the question remains what needs to be adapted in terms of Swisscom. Just so we’re talking about the same thing here:
    - Upstream-IF for the IGMP proxy is not SFP1 in this case, but the Swisscom VLAN (10)
    - DNS server you should also be able to use the Mikrotik itself, I assume, which then uses the Swisscom DNS server set via DHCP and that should be OK, right?
    - IGMP snooping is not activated according to these instructions - I assume this is rather optional and probably simply not available in the RouterOS version of Init-7.
    - Alternative subnets - are these the details that are still floating around here in the forum: 224.0.0.0/4, 213.3.72.0/24 and 195.186.0.0/16? How important is this? 0.0.0.0/0 from Init-7 sounds like EVERYTHING to me - but I have no idea how to understand that…

    …that’s probably what’s different at Swisscom.

    The Init 7 instructions say nothing about PIM. But for me I think
    if=register pim IGMPv2
    …and…
    if=vlan-swisscom pim IGMPv2
    …were dynamically activated - possibly because of the IGMP proxy configuration.

    …shouldn’t this also be on Protocol IGMP and IGMPv3? Creating new PIMs with IGMPv3 for the IFs is possible, but unfortunately it doesn’t help.

    Otherwise I still find Rendezvous Point 1.1.1.1. I also entered this under PIM -> RP (Group “0.0.0.0/0”, correct?). Unfortunately, there is still no live TV…

    More ideas?

    Can you find anything helpful in the other tabs for IGMP Proxy and PIM?

    I’m still somehow afraid that the firewall is blocking these multicast packets. I did the firewall part from the Init 7 instructions, but the documentation isn’t particularly detailed. Is there any way to check whether the packets are getting through?


    @Losty wrote:

    Hey @user109 - thanks for the tip!

    Actually, as soon as I install the package, the menu items are there… unfortunately no live TV yet…

    The Init-7 instructions are pretty good. However, the question remains what needs to be adapted in terms of Swisscom. Just so we’re talking about the same thing here:
    - Upstream-IF for the IGMP proxy is not SFP1 in this case, but the Swisscom VLAN (10)

    Answer: Okay, that’s right.

    - DNS server you should also be able to use the Mikrotik itself, I assume, which then uses the Swisscom DNS server set via DHCP and that should be OK, right?

    Answer:

    I have set up a bridge to have 2 network areas TV / Internet.

    - IGMP snooping is not activated according to these instructions - I assume this is rather optional and probably simply not available in the RouterOS version of Init-7.

    Answer:

    I tried IGMP snooping using the pure switch function (no live TV there either)

    - Perhaps the problem is a firewall setting with the Live TV.

    - Alternative subnets - are these the details that are still floating around here in the forum: 224.0.0.0/4, 213.3.72.0/24 and 195.186.0.0/16? How important is this? 0.0.0.0/0 from Init-7 sounds like EVERYTHING to me - but I have no idea how to understand that…

    Answer:

    The addresses are important for the multi/unicast and TV servers.

    - Watch the firewall when you watch replay and call up TV functions, then these addresses appear in the firewall.

    …that’s probably what’s different at Swisscom.

    The Init 7 instructions say nothing about PIM. But for me I think
    if=register pim IGMPv2
    …and…
    if=vlan-swisscom pim IGMPv2
    …were dynamically activated - possibly because of the IGMP proxy configuration.

    …shouldn’t this also be on Protocol IGMP and IGMPv3? Creating new PIMs with IGMPv3 for the IFs is possible, but unfortunately it doesn’t help.

    Otherwise I can still find the Rendezvous Point 1.1.1.1. I also entered this under PIM -> RP (Group “0.0.0.0/0”, correct?). Unfortunately, there is still no live TV…

    Answer: Yes, that is correct: Rendezvous Point 1.1.1.1, Group “0.0.0.0/0” (or Multicast?), IGMPv3 is correct. But recently a DNS service in the public network can be reached at this address, and I don’t know how SC solved this (address conflict).

    https://community.swisscom.ch/t5/Archiv-Internet/Swisscom-TV-Mikrotik-VLAN/m-p/429550#M52119

    More ideas?

    Answer: Everything about MT here:

    https://www.youtube.com/watch?v=UHyTbfC6Pys&list=PLnzEbgyK52GvvgQ4L2s_kskQcFmTPVCX3

    https://mikrotik-forum.de/index.php

    Can you find anything helpful in the other tabs for IGMP proxy and PIM?

    I’m somehow still afraid that the firewall is blocking these multicast packets. I did the firewall part from the Init 7 instructions, but the documentation isn’t particularly detailed. Is there any way to check whether the packets are getting through?

    Answer: Yes, you can definitely do that with the MT tools, Fastpath is also an option.

    The firewall is based on iptables; more information:

    https://www.youtube.com/watch?v=3NBtrZxctbA&index=4&list=PLnzEbgyK52GvvgQ4L2s_kskQcFmTPVCX3

    MUM videos:

    https://www.youtube.com/watch?v=V9OIHKhosds

    Here is another link to multicast:

    https://de.slideshare.net/faisalr3za/mikrotik-multicast-routing-wwwimxpertco


    **>>>>>> IMPORTANT <<<<<<<<**

    For info:

    Please be sure to update the firmware on the CCR 1009 because of this matter:

    https://www.heise.de/security/melde/Cisco-Talos-deckt-riesiges-Router-und-NAS-Botnetz-auf-4056997.html

    https://www.heise.de/security/melde/Router-und-NAS-Botnetz-VPNFilter-FBI-kapert-Controlserver-4057613.html

    https://forum.mikrotik.com/viewtopic.php?f=21&t=134776

    Greetings User109


    Thanks for the tips.

    I’m up to date with RouterOS - hopefully safe…

    I just looked at the logs. The following message worries me a little:

    May 25 10:22:01 mikrotik: starting IGMP proxy forwarding
    May 25 10:22:01 mikrotik: failed to start IGMP proxy, you probably some PIM interfaces configured

    I wonder whether it means “you probably HAVE some” or “probably NEED some PIM interfaces configured”. I deleted everything in the PIM part - it doesn’t help. I configured PIM as I thought it should be - same message. Unfortunately, Google doesn’t help here either…

    …plus I find stuff like…

    May 25 10:28:11 mikrotik: RX IGMP_MEMBERSHIP_QUERY from 1.1.1.1 to 224.0.0.1 on vif vlan-swisscom: source must be directly connected
    May 25 10:31:43 mikrotik: JoinDesired(*,G) = true: upstream neighbor for RP 1.1.1.1 for group 239.255.255.250: not found
    May 25 10:31:46 mikrotik: JoinDesired(*,G) = true: upstream neighbor for RP 1.1.1.1 for group 239.192.1.1: not found

    …which probably appears with and without (manual) RP=1.1.1.1 config.

    I’ve now also had the IGMP packets from Swisscom TV and Swisscom Upstream written to the log - something is arriving (firewall = OK?) but I can’t make up my mind at the moment whether it’s supposed to be that way or not…


    Now it gets interesting 🍿 Because that’s pretty much the first thing I asked myself about the Cloudflare DNS servers. The RP can no longer be 1.1.1.1 and will no longer be hijacked into the Swisscom network…


    OK - SOLVED!

    @user109 In the end it wasn’t that dramatically research-heavy.

    The message…

    mikrotik: failed to start IGMP proxy, you probably some PIM interfaces configured

    …probably actually means that the IGMP proxy is bothered by the fact that PIM is already active on one of the interfaces (-> either PIM OR proxy!).

      I actually had two (supposedly “dynamically”) configured interfaces active in the PIM. However, these were probably NOT artifacts of an IGMP proxy (as I had originally suspected) but rather relics of my configuration attempts. Maybe at some point some bug in RouterOS prevented the interfaces from actually being deleted - since then they have remained configured as “dynamic”. The solution to the riddle: “a reboot does you good” unfortunately now also applies to Mikrotik! It’s annoying how much time this cost me, but after the reboot the interfaces disappeared from the PIM and the IGMP proxy could then be started…


    BTW: I would recommend NOT following the Init-7 guide. A lot of effort is put into separating the interface with the Swisscom TV from the others. You can certainly do that, and the instructions may also be a good help if you want to banish the Swisscom TV to its own VLAN, but it’s not necessary just to get the Swisscom TV running, so: Keep it simple, stupid!

    The essentially required config is actually very simple:

    - assuming the Swisscom Internet works and the Mikrotik Multicast/PIM package is installed!

    - a firewall rule to allow IGMP packets from Swisscom and the internal network to pass through to the router. Everything else (UDP traffic,…) is obviously handled correctly by the usual NAT masquerading.

    [admin@MikroTik] /ip firewall> filter print
    Flags: X - disabled, I - invalid, D - dynamic
    […]
    4 chain=input action=accept protocol=igmp in-interface=bridg1 log=no
    5 chain=input action=accept protocol=igmp in-interface=vlan-swisscom log=no
    […]

    - a (started ;-) ) IGMP proxy. I configured the downstream interfaces as “all” - “bridge1” was thus configured automatically (Mikrotik says “dynamic”). This is simply my normal bridge to which more or less all devices are attached…

    [admin@MikroTik] /ip firewall> /routing igmp-proxy interface print detail
    Flags: X - disabled, I - inactive, D - dynamic, U - upstream
    0 U interface=vlan-swisscom threshold=1 alternative-subnets=224.0.0.0/4,213.3.72.0/24,195.186.0.0/16 upstream=yes

    1 interface=all threshold=1 alternative-subnets="" upstream=no

    2 D interface=bridge1 threshold=1 alternative-subnets="" upstream=no

    For me, that’s enough for the Swisscom TV including live TV (multicast) to work on any port on the bridge.

    Now you can/should activate IGMP snooping on the bridge so that the traffic is not distributed to all ports on the bridge. This obviously disables the bridge’s hardware offloading (…which should have little to no impact on at least a CCR 1009…).

    I can’t claim that I understand exactly what’s happening down to the last detail, but that’s what multicast does for me.

    => Hints / comments welcome!

    Thank you for your tips!
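    As an added example (not from the thread and not RouterOS code), here is a small Python model of the igmp-proxy upstream source check that the configuration above relies on, and that the earlier question about the alternative subnets and Init7’s 0.0.0.0/0 was about. It assumes the documented RouterOS behaviour that multicast data and IGMP from the upstream side are accepted only when the source lies in the upstream interface’s own subnet or in an `alternative-subnets` entry; the WAN address 198.51.100.17/22 and the sample streams are constructed.

```python
"""Model of the RouterOS igmp-proxy upstream source check.

Added example, not RouterOS code. Assumed semantics (from the RouterOS
manual): multicast data and IGMP packets arriving on the upstream interface
are accepted only if their source is in the upstream interface's directly
connected subnet or in one of the `alternative-subnets` entries. Hence
Init7's 0.0.0.0/0 accepts any source, while the Swisscom list confines it
to the three networks quoted in the thread.
"""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Tuple

# Constructed placeholder for the DHCP-assigned Swisscom WAN address on vlan-swisscom.
UPSTREAM_SUBNET = ip_network("198.51.100.17/22", strict=False)

# The two upstream settings compared in the thread.
SWISSCOM_ALT = "224.0.0.0/4,213.3.72.0/24,195.186.0.0/16"
INIT7_ALT = "0.0.0.0/0"


def parse_alternative_subnets(value: str) -> List[IPv4Network]:
    """Parse the comma-separated `alternative-subnets=` value; "" means none."""
    return [ip_network(part.strip()) for part in value.split(",") if part.strip()]


def source_allowed(src: str, alt_subnets: List[IPv4Network],
                   upstream: IPv4Network = UPSTREAM_SUBNET) -> Tuple[bool, str]:
    """Decide whether a packet from `src` on the upstream side is forwarded."""
    addr = ip_address(src)
    if addr in upstream:
        return True, "directly connected subnet"
    for net in alt_subnets:
        if addr in net:
            return True, f"alternative-subnet {net}"
    return False, "source not in any accepted subnet (dropped)"


def audit(streams: List[Tuple[str, str]], alt_value: str) -> List[Tuple[str, str, bool, str]]:
    """Return (source, group, allowed, reason) for each (source, group) stream."""
    nets = parse_alternative_subnets(alt_value)
    return [(src, grp, *source_allowed(src, nets)) for src, grp in streams]


# Constructed sample streams: the Swisscom TV source quoted later in the thread,
# an IGMP query from the upstream gateway itself, and an unrelated source.
SAMPLE_STREAMS = [
    ("213.3.72.4", "239.186.10.10"),
    ("198.51.100.1", "224.0.0.1"),
    ("203.0.113.9", "239.186.10.11"),
]

if __name__ == "__main__":
    for label, alt in (("Swisscom list", SWISSCOM_ALT), ("Init7 0.0.0.0/0", INIT7_ALT)):
        print(f"-- alternative-subnets={alt} ({label})")
        for src, grp, ok, why in audit(SAMPLE_STREAMS, alt):
            print(f"{src:>14} -> {grp:<16} {'accept' if ok else 'drop  '}  {why}")
```

    Running it shows the unrelated source being dropped under the Swisscom list but accepted under 0.0.0.0/0, which is the practical difference between the two guides.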

    7 months later

    user109

    I’m trying to get IPTV from Wingo (actually Swisscom) to run via my Sophos UTM 10. But I have no idea what I have to enter where in the PIM-SM. I’ve tried various combinations that would make sense to me, but it doesn’t work. The target computer is connected directly to the LAN interface of the Sophos so as not to introduce any additional switch problems.

    All IP information in the internal network has been changed so that everything is not immediately revealed on the Internet:

    Wingo Router: NAT -> 192.168.0.0/24 (IP: 192.168.0.254)

    Sophos: NAT -> 172.16.1.0/24 (WAN: 192.168.0.253, LAN: 172.16.1.254)

    Computer with VLC: 172.16.1.1

    I would have to configure the following on the Sophos, maybe someone can give me a tip as to where it should go:

    Does the external connected interface have to have a special VLAN?



    Sophos would need an igmpproxy. Something that is always requested but doesn’t seem to be implemented. You can’t really get anywhere with PIM sparse or dense mode.

    https://ideas.sophos.com/forums/17359-sg-utm/suggestions/185033-networking-add-igmp-proxy

    Years ago I saw a thread where someone built an igmpproxy for Astaro.

    5 days later

    @Tux0ne

    If the RP router was known for PIM-SM (it was once 1.1.1.1), would it then be possible to use PIM-SM immediately? I don’t really understand this protocol. Otherwise I would request Wingo, they explicitly allow 3rd party routers 😉

    What works on my Sophos XG is to activate multicast forwarding and then define static forwards:

    Src: 213.3.72.4

    Dst: 239.186.x.x

    But to do this I have to set up a static forward for each transmitter. This could be done quickly with a program via API, but should that be the solution?


    Yes, please ask for Wingo. Once they really warm up, they can answer my inquiry about MTU at 6rd.

    The answer was, they can’t provide any more support for third-party routers than what’s on their help page.

    Although, not even Swisscom has answered the request regarding MTU so far 😁

    It’s always helpful to look for Entertain TV. And if there isn’t even a working setup described anywhere regarding Sophos and Multicast, then things look a bit bleak.

    Although it would basically be so easy with a Linux system. All you need is the existing igmpproxy package.


    @Tux0ne wrote:

    Yes, please request Wingo. Once they really warm up, they can answer my inquiry about MTU at 6rd.

    The answer was, they can’t provide any more support for third-party routers than what’s on their help page.

    Although, not even Swisscom has answered the request regarding MTU so far 😁


    Isn’t the MTU 1480?

    https://www.wingo.ch/de/help/article/view/30051

    I’ll get back to you as soon as I have an answer 😁

    Yes, I questioned whether that was really the case. Theoretically there shouldn’t be a problem with PMTU. Apparently there are Fritzbox users who have an MTU of 1480; www.sbb.ch, for example, cannot be accessed, but with 1472 it can. So that’s how it is at Swisscom. And Martin Gysi also has slides where he set the MTU to 1472, or a recommendation on swinog.

    But now everyone would rather bury their heads in the sand than simply give a reason.


    The problems I had have now been resolved.

    Now I use the Zisa G100 as a bridge modem and run pfSense on my Sophos hardware appliance. This also solved the problem with PIM-SM because I can use the igmp proxy.

    @Tux0ne

    I tested with different MTUs today. Unfortunately, like you, I have significant problems with certain websites at 1480, but also at lower values.

    I have now set the MSS to 1460 and have not touched the MTU. So everything is going very well. But honestly, I’m not sure what the consequences are of changing the MSS versus the MTU.


    I have no problem; I have a native IPv6 connection.

    The fact that you had to reduce the MSS indicates an ICMP problem.

    What kind of client has a problem on which pages? Does this affect legacy IP as well as IP?

    Do you also block ICMP incoming or outgoing?
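    As an added example, not from the thread: a small Python simulation of why blocking ICMP “Packet Too Big” shows up as timeouts on a 6rd path, and what clamping the MSS changes compared with lowering the MTU. Header sizes are the standard ones without options, and the retransmission loop is a constructed stand-in for a real TCP stack.

```python
"""Path-MTU black hole vs. MSS clamping on a 6rd path.

Added example, not from the thread. A 6rd tunnel carries IPv6 inside IPv4, so
on a 1500-byte link the tunnel MTU is 1480. A host that derives its MSS from
its own 1500-byte interface sends 1500-byte IPv6 packets; the tunnel must
reply with ICMPv6 "Packet Too Big" for PMTUD to shrink them. If that ICMP
is blocked, the packets vanish and the connection times out. Clamping the
MSS removes the dependency on ICMP, but only for TCP; lowering the interface
MTU instead applies to every protocol. Header sizes assume no options.
"""
from dataclasses import dataclass, field
from typing import List

IPV4_HDR, IPV6_HDR, TCP_HDR = 20, 40, 20
LINK_MTU = 1500
TUNNEL_MTU_6RD = LINK_MTU - IPV4_HDR  # 1480, the value debated in the thread


def mss_for_path(path_mtu: int, ipv6: bool = True) -> int:
    """Largest TCP payload that fits in one packet on a path of `path_mtu`."""
    return path_mtu - (IPV6_HDR if ipv6 else IPV4_HDR) - TCP_HDR


@dataclass
class Outcome:
    delivered: bool
    packets_sent: List[int] = field(default_factory=list)  # wire sizes tried


def send_full_segment(mss: int, path_mtu: int, icmp_allowed: bool,
                      ipv6: bool = True, retries: int = 3) -> Outcome:
    """Constructed stand-in for a TCP sender doing PMTUD (no fragmentation).

    It sends a full-size segment of `mss` bytes and, if the path reports
    'Packet Too Big', shrinks to the reported MTU. With ICMP blocked it
    retransmits the same size until the retries are exhausted (a timeout).
    """
    hdr = (IPV6_HDR if ipv6 else IPV4_HDR) + TCP_HDR
    out = Outcome(delivered=False)
    for _ in range(retries):
        wire = mss + hdr
        out.packets_sent.append(wire)
        if wire <= path_mtu:
            out.delivered = True
            break
        if icmp_allowed:
            mss = mss_for_path(path_mtu, ipv6)  # PMTUD adapts to the tunnel
        # else: black hole, the sender never learns why
    return out


if __name__ == "__main__":
    default_mss = mss_for_path(LINK_MTU)  # 1440: host assumes a 1500-byte path
    print("default MSS, ICMP blocked :", send_full_segment(default_mss, TUNNEL_MTU_6RD, False))
    print("default MSS, ICMP allowed :", send_full_segment(default_mss, TUNNEL_MTU_6RD, True))
    clamped = mss_for_path(TUNNEL_MTU_6RD)  # 1420 for IPv6 over a 1480 tunnel
    print("clamped MSS, ICMP blocked :", send_full_segment(clamped, TUNNEL_MTU_6RD, False))
    print("IPv4 MSS for the tunnel   :", mss_for_path(TUNNEL_MTU_6RD, ipv6=False))  # 1440
```

    The first case reproduces the symptom in the thread (large pages time out, small ones load); the clamped case shows why an MSS change masks the missing ICMP, while UDP and any other non-TCP traffic would still be affected by the real path MTU.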


    I mostly only tested with MacOS and there with Chrome, Safari and curl. I would have to test whether the Windows network stack would behave differently.

    With standard MTU, 1480 or 1460, many pages (ipv6-test.com, sbb.ch, microsoft.com, post.ch, …) cannot be accessed and end in a timeout. Others like google.com, microsoft.com, … do work.

    I even thought that IPv4 pages were not loading correctly (completely). If I remember clearly, it is often images, advertisements, … Without having examined it closely, it could be that exactly these things resolve to v6 and therefore did not work.

    ICMP is only allowed LAN -> WAN (default rule). ICMPv6 is completely open in both directions (all types).

    I’ll test again today and watch the logs to see if anything is blocked.
