|
天津联通家庭宽带,光猫配置如下:
| 协议 |
模式 |
光猫接口 |
路由器接口 |
| INTERNET |
桥接 WAN |
eth1 |
eth1 |
| IPTV |
路由 WAN |
eth4 |
eth2 |
路由器配置:
bridge设置为eth3, eth4, eth5,去掉了eth1, eth2eth1设置 PPPoE ,此时路由器下接设备可以访问互联网- IP/DHCP Client ,在
eth2上添加 1 个 Client 。此时 IP/Addresses 出现一个动态地址
- Routing/IGMP Proxy 添加 2 个
interface
0 U ;;; iptv_upstream
interface=ether2 threshold=1 alternative-subnets=0.0.0.0/0 upstream=yes
1 ;;; iptv_downstream
interface=bridge threshold=1 alternative-subnets="" upstream=no
此时路由器下接设备可以收看组播 IPTV 。但是约 4 分钟后中断,切换频道后正常,4 分钟后再中断。
在 IP/Firewall 观察到这一项拦截了很多流量。禁用这一项之后,观看 4 分钟不再中断。
5 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN log=no log-prefix=""
在这项上面添加一条规则如下,观看 IPTV 不再中断。drop all not coming from LAN 一项也不再出现大流量。流量都出现在了 accept IPTV 。
4 ;;; accept IPTV
chain=input action=accept dst-address=224.0.0.0/4 log=no log-prefix=""
全部防火墙规则如下:
Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
2 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
3 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
4 ;;; accept IPTV
chain=input action=accept dst-address=224.0.0.0/4 log=no log-prefix=""
5 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN log=no log-prefix=""
6 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
7 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
8 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related
9 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
10 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
11 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
请教几个问题:
- 设置 IGMP Proxy 时,为什么
upstream要设置alternative-subnets=0.0.0.0/0?没有这个属性可以吗?
- 为什么
drop all not coming from LAN规则拦截了大量数据,但是 IPTV 仍能正常播放?
- 第 3 条规则已经 accept ICMP ,我理解是放行了 IPTV 相关数据,为什么每隔 4 分钟仍然会中断?
- 为什么添加了 accept IPTV 规则之后就不再中断?我理解这条规则和上一条 accept ICMP 实际是重复的,因为组播地址发来的都是 ICMP 协议的数据。
- accept IPTV 这条规则有没有安全风险?
| 
