IGMP snooping on D-Link 504T

i3laze
Newbie
Posts: 9
Joined: Mon Jan 05, 2009 10:30 pm

Post by i3laze » Wed Jan 07, 2009 10:54 pm

Hello,
1) How is IGMP Snooping (& Proxy) implemented on RouterTech 2.8 in my DSL-504T?

Current situation:
Got RT2.8 on my D-Link with two DSL-connections:
VPI/VCI: 1/50 PPPoE (Internet)
VPI/VCI: 1/91 Bridge (IP_TV)
My router has 4 LAN ports, which stand for 1 interface - eth0; multicast traffic is spamming every port.

When I watch IPTV via VLCplayer on my PC (IP: 192.168.1.2), I receive tons of UDP traffic:

Code:

Source:                  Destination:
IP: 172.16.248.146:5500  239.255.0.97:5500 (so unicast IPTV_source is in 172.16.x.x/16)
MAC: 00:E0:FC:58:CB:4E   01:00:5E:7F:00:61
(unicast)                (multicast group)
The problem:
My WiFi access point (connected to one of router's ports) simply stops responding under such multicast flood :?
2) The question is how RT firmware can help me solve this trouble (4-port flood)?
3) Can LAN Groups help? Bridge MAC/IP filtering? IGMP Proxy?

Possible solution: (advice needed)
Got an idea to overcome multicast:
- "Static IP" (or DHCP-gained) on 1/91 and
- forwarding (unicast!:D) through NAT everything (UDP with destination 224.0.0.0/4 port 5500) incoming from 1/91
4) How can RT be configured for this?

Below are counters after 2 min watching IPTV (so u can figure out what interfaces are used for streaming):

Code:

var # ifconfig
br0       Link encap:Ethernet  HWaddr 00:0F:3D:E0:88:91
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:200822 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3198 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:266348767 (254.0 MiB)  TX bytes:485099 (473.7 KiB)

br1       Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

br2       Link encap:Ethernet  HWaddr 00:00:00:00:00:00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

eth0      Link encap:Ethernet  HWaddr 00:0F:3D:E0:88:91
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2865 errors:0 dropped:0 overruns:0 frame:0
          TX packets:129579 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:316624 (309.2 KiB)  TX bytes:172332864 (164.3 MiB)
          Base address:0x2800

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

nas0      Link encap:Ethernet  HWaddr 00:00:00:00:00:92
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2218 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2221 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:203466 (198.6 KiB)  TX bytes:312565 (305.2 KiB)

nas1      Link encap:Ethernet  HWaddr 22:00:00:00:00:92
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:197990 errors:0 dropped:0 overruns:0 frame:0
          TX packets:462 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:266074082 (253.7 MiB)  TX bytes:33954 (33.1 KiB)

ppp0      Link encap:Point-to-Point Protocol
          inet addr:85.141.250.249  P-t-P:85.141.248.1  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:2183 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2186 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:184348 (180.0 KiB)  TX bytes:241162 (235.5 KiB)
legume
Experienced
Posts: 101
Joined: Fri Apr 13, 2007 11:57 pm

Post by legume » Thu Jan 08, 2009 1:46 pm

Your NAT idea should work, you could use the GUI to make a port forwarding/firewall rule.

The problem then is how to keep the stream alive - normally multicast streams timeout unless the player responds to igmp queries. I guess you would have to run two instances of vlc (if you can) one just sitting there trying to play a stream that it never gets and one playing the dnated stream.

If you run linux there are things like smcroute you can use to start and stop streams, maybe you could find a workaround with something like that.

Post by i3laze » Thu Jan 08, 2009 3:10 pm

TV streaming begins, when I make a request in VLC:
udp://@239.255.0.97:5500 (one of IPTV-channels, others are udp://@239.255.0.x:5500)

Next happens:
Image
Where 172.16.248.146->239.255.0.97 is a TV-stream I receive (and my WiFi too!).

and on Layer 2+3:
Image
By TamoSoft CommView sniffer

Right now IGMP-request 192.168.1.2->239.255.0.97 is directly transmitted over Bridge.
In case of using NAT I don't think there'll be trouble passing the request through NAT (2 violet packets on screen #2).

What exactly should I "click on RT web-interface" so my idea works, huh?

Post by legume » Thu Jan 08, 2009 4:08 pm

On the routertech GUI you need to setup a port forwarding rule in advanced -> port forwarding.

I can't see what the options in there are as my routertech won't let me in as I do not do nat.

I assume you will need to make a rule for nas1 so udp dst 239.255.0.0/24 gets forwarded to 192.168.1.2

You can then test to see if starting udp://@239.255.0.97:5500 results in a stream with dst 192.168.1.2:5500

If you can see that, you will then need to start another vlc and try to get it to play udp://@172.16.248.146:5500 maybe you will need to specify dst ip:port as well, I am not sure.

Post by i3laze » Thu Jan 08, 2009 5:40 pm

When I switch second interface(1/91) from Bridge to Static or DHCP, whole routing hangs.. :( Even if I click off "Default Gateway" at 1/91.
I don't wanna mess with it & figure out why :?

btw, here are my normal iptables (1/50 PPPoE, 1/91 Bridge, Tools - Gateway System Information):

Code:

Kernel IP routing table 
Destination Gateway Genmask Flags Metric Ref Use Iface 
91.76.60.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0 
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 br0 
239.0.0.0 0.0.0.0 255.0.0.0 U 1 0 0 br0 
0.0.0.0 91.76.60.1 0.0.0.0 UG 0 0 0 ppp0 
? (192.168.1.2) at 00:16:E6:5F:05:52 [ether] on br0 

Chain PREROUTING (policy ACCEPT 1568 packets, 112K bytes) 
pkts bytes target prot opt in out source destination 
7 656 DNAT udp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 udp dpt:6879 to:192.168.1.2:6879 
23 1144 DNAT tcp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:6879 to:192.168.1.2:6879 
43 4648 MINIUPNPD all -- ppp0 * 0.0.0.0/0 91.76.62.240 
31 2175 DNAT all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 to:192.168.1.2 

Chain POSTROUTING (policy ACCEPT 208 packets, 18174 bytes) 
pkts bytes target prot opt in out source destination 
1368 99427 MASQUERADE all -- * ppp0 0.0.0.0/0 0.0.0.0/0 

Chain OUTPUT (policy ACCEPT 22 packets, 4606 bytes) 
pkts bytes target prot opt in out source destination 

Chain MINIUPNPD (1 references) 
pkts bytes target prot opt in out source destination 
Chain INPUT (policy ACCEPT 1612 packets, 138K bytes) 
pkts bytes target prot opt in out source destination 
34 5466 ACCEPT all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 
0 0 ACCEPT icmp -- ppp0 * 0.0.0.0/0 0.0.0.0/0 icmp type 8 state NEW 
27 22152 DROP all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 

Chain FORWARD (policy ACCEPT 21509 packets, 3405K bytes) 
pkts bytes target prot opt in out source destination 
7880 9867K ACCEPT all -- ppp0 * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 
11 1036 ACCEPT udp -- ppp0 * 0.0.0.0/0 192.168.1.2 udp dpt:6879 
28 1883 ACCEPT tcp -- ppp0 * 0.0.0.0/0 192.168.1.2 tcp dpt:6879 
1047 50288 TCPMSS tcp -- * ppp0 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x02 TCPMSS clamp to PMTU 
43 4648 MINIUPNPD all -- ppp0 !ppp0 0.0.0.0/0 0.0.0.0/0 
31 2175 ACCEPT all -- ppp0 * 0.0.0.0/0 192.168.1.2 

Chain OUTPUT (policy ACCEPT 2686 packets, 1984K bytes) 
pkts bytes target prot opt in out source destination 
0 0 DROP icmp -- * ppp0 0.0.0.0/0 0.0.0.0/0 icmp type 3 
0 0 DROP icmp -- * ppp0 0.0.0.0/0 0.0.0.0/0 state INVALID 

Chain MINIUPNPD (1 references) 
pkts bytes target prot opt in out source destination 
Any ideas in terms of IPTABLES? Maybe, you can advise some filtering commands (via telnet)?

Post by legume » Thu Jan 08, 2009 7:17 pm

I would try

Code:

iptables -t nat -I PREROUTING -i nas1 -p udp -d 239.255.0.0/24 -j DNAT --to 192.168.1.2
iptables -I FORWARD -i nas1 -p udp -d 192.168.1.2 -j ACCEPT 

Post by i3laze » Thu Jan 08, 2009 8:03 pm

Unfortunately, couldn't make Static+NAT mode working.
By the way, I found on my Vista machine:

Code:

C:\Users\>route print -4
      224.0.0.0        240.0.0.0         On-link       192.168.1.2    276
e.g. Multicast goes locally with TTL=1, so I deleted it on my PC. Still my IGMP-requests don't pass through the router.. :x

Let's come back to Bridge mode..

Code:

/var # route
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
91.76.60.1      *               255.255.255.255 UH    0      0        0 ppp0
192.168.1.0     *               255.255.255.0   U     0      0        0 br0
239.0.0.0       *               255.0.0.0       U     1      0        0 br0
default         ppp91-76-60-1.p 0.0.0.0         UG    0      0        0 ppp0
What's the connection between nas1 & br0? (they both increase RX counters, when I stream TV)

I wonder, if I can filter incoming traffic and use kind of NAT?
How does the inbound traffic pass through the router, and could it be modified?

What's the function of IGMP Snooping and IGMP Proxy in my situation?))
Is it easier to change my router? or buy additional Gigabit Switch with IGMP Snooping? :)
Seems this thing is IGMP-enabled: http://www.dlink.com/products/?pid=562
http://www.support.dlink.com/emulators/ ... ncfg2.html

Post by legume » Thu Jan 08, 2009 9:00 pm

Hmm, I guess iptables isn't going to see anything from nas1 if it's bridged with eth0 under br0.

I wonder if you could make a filter with brctl that blocks the multicast traffic to the problem wireless router. I can't test this, but you could try, via telnet just type brctl to list all the options.

Post by i3laze » Thu Jan 08, 2009 9:37 pm

legume, thx for attention to my problem :)

here we go (I remind, I've got RouterTech 2.8 on my D-Link router) :

Code:

/var # brctl
commands:
        addbr           <bridge>                add bridge
        addif           <bridge> <device>       add interface to bridge
        delbr           <bridge>                delete bridge
        delif           <bridge> <device>       delete interface from bridge
        show                                    show a list of bridges
        showmacs        <bridge>                show a list of mac addrs
        showstp         <bridge>                show bridge stp info

        setageing       <bridge> <time>         set ageing time
        setbridgeprio   <bridge> <prio>         set bridge priority
        setfd           <bridge> <time>         set bridge forward delay
        setgcint        <bridge> <time>         set garbage collection interval
        sethello        <bridge> <time>         set hello time
        setmaxage       <bridge> <time>         set max message age
        setpathcost     <bridge> <port> <cost>  set path cost
        setportprio     <bridge> <port> <prio>  set port priority
        stp             <bridge> <state>        turn stp on/off
        setigmpsnoop    <bridge> <state>        turn igmp snooping on/off
        showigmpsnoop   <bridge>                show bridge igmp snooping
        setfilter       <bridge> <state>        turn bridge filter on/off
        flushfilter     <bridge>                flush bridge filtering table
        showfilter      <bridge>                display bridge filtering table
        addfilter       <bridge> <dport> <sport> <dst_mac> <src_mac> <proto> <allow|deny>
                0 - deny   1 - allow            add entry to filter table
        delfilter       <bridge> <dport> <sport> <dst_mac> <src_mac> <proto> <allow|deny>
                0 - deny   1 - allow            delete entry to filter table

/var # brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.000f3de08891       no              eth0
                                                        nas1
br1             8000.000000000000       no
br2             8000.000000000000       no

W/o TV_stream:

Code:

/var # brctl showigmpsnoop br0
ID      IP Addr         Port    ageing timer
1       239.255.255.250 1       14

With running TV_stream:

Code:

/var # brctl showigmpsnoop br0
ID      IP Addr         Port    ageing timer
1       239.255.255.250 1       4
2       239.255.000.097 1       4
Unfortunately, I see all my 4 ports as 1 interface eth0.
Mbe I should look for another router? )) 40$ to make me happy : )
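
The destination MAC in the first capture (01:00:5E:7F:00:61 for group 239.255.0.97) follows the standard IPv4 multicast mapping: 01:00:5E plus the low 23 bits of the group address. The script below is an added example, not code from any poster in this thread; it derives that MAC for each group in a `brctl showigmpsnoop` table, and its function names (`dec`, `mcast_mac`, `snoop_macs`) are made up for the illustration.

```shell
#!/bin/sh
# Added example: IPv4 multicast group -> Ethernet MAC (01:00:5E + low 23 bits).

# Strip leading zeros so "097" is not read as (invalid) octal by $(( )).
dec() {
    n=$(printf '%s' "$1" | sed 's/^0*//')
    printf '%s' "${n:-0}"
}

# mcast_mac GROUP: print the MAC for GROUP, or return 1 if GROUP is not a
# dotted quad inside 224.0.0.0/4.
mcast_mac() {
    case $1 in
        ''|*[!0-9.]*|*..*|.*|*.|*.*.*.*.*) return 1 ;;
        *.*.*.*) ;;
        *) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address into four octets
    IFS=$old_ifs
    a=$(dec "$1"); b=$(dec "$2"); c=$(dec "$3"); d=$(dec "$4")
    for o in "$a" "$b" "$c" "$d"; do
        [ "$o" -le 255 ] || return 1
    done
    [ "$a" -ge 224 ] && [ "$a" -le 239 ] || return 1
    # The top bit of the second octet is dropped; the first octet is not used.
    printf '01:00:5E:%02X:%02X:%02X\n' $((b & 127)) "$c" "$d"
}

# Read `brctl showigmpsnoop <bridge>` output on stdin and print
# "group port mac" for every entry; the header line is skipped.
snoop_macs() {
    while read -r id group port timer; do
        mac=$(mcast_mac "$group") || continue
        printf '%s %s %s\n' "$group" "$port" "$mac"
    done
}

# Table copied from the post above (with the TV stream running).
SAMPLE='ID      IP Addr         Port    ageing timer
1       239.255.255.250 1       4
2       239.255.000.097 1       4'

printf '%s\n' "$SAMPLE" | snoop_macs
```

Because only 23 bits of the group address survive the mapping, 32 different groups share each MAC (224.127.0.97 maps to the same 01:00:5E:7F:00:61), so a MAC-based bridge filter cannot tell those groups apart.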
thechief
RouterTech Team
Posts: 12067
Joined: Wed Feb 01, 2006 10:22 pm
Location: England, the Centre of Africa

Post by thechief » Thu Jan 08, 2009 9:57 pm

i3laze wrote:Unfortunately, i see all my 4 ports as 1 interface eth0.
Mbe I should look for another router? )) 40$ to make me happy : )
All this networking stuff is gobbledegook to me. However, the firmware is a full Linux distro, and, with Linux, you can do anything (including adding more network interfaces). An example from another thread

Code:

ifconfig eth1 up
brctl addif br0 eth1
PS: I don't have the foggiest about what this is supposed to be doing. I am just using it as an example of what can be done.
The Chief: Be sure to read the Firmware FAQ and do a Forum Search before posting!
No support via PM. Ask all questions on the open forum.

Post by i3laze » Thu Jan 08, 2009 10:04 pm

offtopic, ifc1-2-3 are linked to my eth0:

Code:

ifc eth3 up;
ifc eth3 down
lead to Cold Restart O_o..

So what about my DSL-504T? Is my trouble named "embedded switch not managed & not supported":?:

Post by legume » Thu Jan 08, 2009 10:23 pm

I was thinking something like -

brctl showmacs br0

work out the MACs for your wireless access point and for the iptv stream (in fact you already posted that one), then try and see if you can block traffic from iptv mac to wireless mac, hopefully without blocking any other traffic.

brctl addfilter br0 <dst_mac> <src_mac> 0
brctl setfilter br0 on

I don't know what you actually have to do ie. whether <dport> <sport> <proto> are required, but it may work for you.

I do have a linux box with a bridge and brctl but it doesn't have any filters, so maybe TI/mv enhanced the one used by routertech.

Post by thechief » Thu Jan 08, 2009 10:23 pm

i3laze wrote:So what about my DSL-504T? Is my trouble named "embedded switch not managed & not supported":?:
Maybe. Or it may just be a configuration issue. Firmwares come preconfigured for certain purposes. Anything beyond those will need to be done manually. Most of it can be done with configuration scripts, etc., - as long as the core logic supports it (including, with routers, editing the config.xml file - if you know what you're doing). Unfortunately, I'm no networking guru, so I can't help you. However, you may get expert assistance from a Linux networking forum.

Post by i3laze » Thu Jan 08, 2009 10:31 pm

I looked through the forum.. for keyword "IP175A". That's my embedded switch, so I can't see any way to separate ports.

Ok, I'll try to filter MACs.. Seems, it just delivers packet with multicast MAC to every port.
And the only way is to:
1) change dest multicast MAC to unicast (don't know how) or
2) change multicast IP to unicast, mbe via NAT (any more ideas?)
Right?

Btw, any tools in RT2.8 to monitor traffic? tcpdump, maybe?
Last edited by i3laze on Thu Jan 08, 2009 10:46 pm, edited 2 times in total.

Post by legume » Thu Jan 08, 2009 10:40 pm

Yea I guess you are right, if it's using multicast macs then filtering by mac isn't going to work.

I wonder if it's possible to remove nas1 from the bridge and then use it as a routed interface - I can't think how to do it at the moment.

Another thing to consider is whether there is a way to modify the problematic wireless access point's nic so that it doesn't do multicast.