Hello everybody!
How can I make my ISP's STB work when it is connected to an Arch router that, in turn, is behind my ISP router?
Please take a look at the image URLs:
Global overview of my home network topology (Imgur link)
I seek solution to the questions depicted here (Imgur link)
Forgive me if the way I posed this topic seems awkward.
Thank you.
Last edited by mccurly (2024-09-16 19:50:05)
Since you didn't mention it - I can only presume that the underlying motivation for this elaborate VLAN setup is treating the networks differently inside the Arch router. Since you didn't explicitly mention it (only as part of a question) - I presume your STB works as expected when connected to the ISP router.
Since IPTV and STBs use a wide range of protocols and IP stack features (multicast, unicast, QoS/QoE, RTP over UDP, HTTP/H.222/HLS/RTMP over TCP, UPnP AV...), you have to know what your STB "expects" to work - either by documentation or packet analysis (Wireshark et al.).
-thc says it better.
Does your provider give clients the option to use their own modem/router?
Last edited by Lone_Wolf (2024-08-24 10:24:20)
Disliking systemd intensely, but not satisfied with alternatives so focusing on taming systemd.
clean chroot building not flexible enough ?
Try clean chroot manager by graysky
Hello again and forgive me for not returning here sooner and answering your very pertinent questions.
Since you didn't mention it — I can only presume that the underlying motivation for this elaborate VLAN setup is treating the networks differently inside the arch router.
Indeed, the different VLAN networks are in place exactly for network segregation, and for security and privacy concerns of mine. This is a home network that I manage (or not so… “apparently”, perhaps, because there is actually a whole lot that I should know before considering myself the manager of my own network… oh well… moving on). But the present setup does work as expected, and it does work as planned. The only thing now that is missing is the chance to make that STB work behind this firewalld NAT(ted?) systemd-networkd-managed Arch router. (Also bringing Pi-hole into the equation, as the local DHCP and DNS server.) When I first set up this apparent 'mess' of a router, it indeed took me a lot to complete it.
By the way, the reason it took me so long to answer here was that I was also seeking help from the OpenWrt community and was considering (and am not yet quite convinced that it would be the best solution) migrating that router box to an OpenWrt 'distro'. What is preventing me right now from doing so are some other factors that I would rather leave out of this thread, at least for now.
Since you didn't explicitly mention it (only as part of a question) — I presume your STB works as expected when connected to the ISP router.
Correct, it works alright.
It works as well when I connect the STB to an ISP Huawei K562 wireless repeater/extender (the K562 itself being wirelessly connected to the router gateway); besides, it also worked when I had it connected to the x86 box running an OpenWrt image, almost with no modification, just being a plain (almost) out-of-the-box x86 OpenWrt router. Nevertheless, in this latter case, I had to activate both IGMP snooping and force IGMPv3 in the LuCI configuration web interface for the “device” that would be “responsible” for that connection between the ISP router gateway and the ISP STB. (I think I had to create a bridge “network” device on the network page ⇒ devices tab for this particular purpose, otherwise I wouldn't have had a way, inside the LuCI web interface, to activate IGMP snooping.)
And amazingly it went quite well. But then I couldn't take advantage of the rest of the network setup to maintain its segregation and desired security and privacy. So it made me think that I should look somewhere else to make the most out of these two aspects which were both the existing network segregation and security and to get the STB to work correctly behind my routers.
I could even make a VLAN (sort of) connection between the x86 OpenWrt box and a Cudy router that I had lying around with an mt7621 SoC(?); it also worked (although slightly worse). But I still did not have time to figure out whether the “glitches” that were present on those tested broadcasts were caused by the x86 machine, the mt7621 one, both of them, or some other overlooked circumstance, but it did strike me as a (somehow) agreeable surprise that it was indeed possible to get that signal through those two routers and still have an observable transmission on the other end… Although I was looking for this, my hopes were set low. Do you understand?
Why do I say “A VLAN (sort of) connection”? Well, because the purpose was to, exactly, make a trunk VLAN between the x86 OpenWrt and the Cudy devices. But, for instance, every time I did connect the STB to the VLAN that I wanted it to connect to, apparently, I would lose connectivity to the internet with the devices connected to the other ports/VLAN. In some cases I could ping the router gateway from those ports with the testing equipment. In other cases I could only ping the router that was directly connected to the port where the testing equipment was. Either I was already very tired of testing, or some of the equipment that I was trying/testing wasn't behaving consistently (I could vouch for the former more than the latter), the fact remained that I was observing unexpected behavior that I couldn't sort out just quite yet.
Since IPTV and STBs use a wide range of protocols and IP stack features (multicast, unicast, QoS/QoE, RTP over UDP, HTTP/H.222/HLS/RTMP over TCP, UPnP AV…), you have to know what your STB “expects” to work — either by documentation or packet analysis (Wireshark et al.).
Actually I did try to inspect packets with tshark (I think, and I apologize for not being more assertive), installed on the x86 OpenWrt machine (or a tcpdump capture) that I then exported to the testing computer and read with the aforementioned tshark software. But as you may already have guessed, my knowledge in this field is a bit limited and I would have to read up on these matters to have the needed protocol information and make the best decisions about how I should proceed.
Still, I am thinking about how it would be possible (if at all) to listen to the traffic with tcpdump (or the like) when the STB connects to get its multicast stream(s). After all, I could place an unmanaged switch that I own to allow capturing (and analyzing) the traffic generated by the multicast session with the testing equipment that I am using for this purpose. If I were to follow this route, I would still need more information on the subject, namely the intricacies of making the testing equipment listen in promiscuous mode, and the tcpdump/Wireshark commands that would be more adequate for this matter.
By the way, could anyone of you @-thc or @Lone_Wolf, give any pointers on this? They would be most welcome.
Does your provider give clients the option to use their own modem/router ?
Only a router and in bridged mode. (Although I could use one such equipment/hardware, I would: have to purchase it; set it up accordingly; and, finally hope that the ISP/or service would not significantly hinder/be hindered by this decision or procedure of mine)
Besides, I would have to purchase more than one device/gadget because my ISP also provides telephony (VoIP) service, so I would have to hunt for hardware that would fulfill that requirement as well.
I hope I have somehow answered your questions. I hope as well, that these “answers” somehow enlightened your curiosity.
Furthermore, I have some questions that I would like to “append” to the OP as well (perhaps, to explain myself better. Sorry if this seems a repetition):
Is it somehow possible to make the current x86 Arch router with dual 2.5 Gb Ethernet adapters (let's say) “transparently” connect (or, by all means, hand out the connection to) the ISP STB connected to the underlying OpenWrt wired and wireless access points, by means of a wired Ethernet cable, and yet make that ISP STB “think” it is directly attached to the ISP router gateway, and have an address in the range that this ISP router gateway hands out to its clients? (You might think that this is exactly the purpose of this thread I initiated a week or so ago, and although it is implied, I can somehow confirm that the best way that I could test the connection of the ISP STB behind my equipment happened when that ISP STB did get its IP address from the range of IPs handed out by the aforementioned ISP router gateway.) Perhaps I was able then, although I am not sure, to bridge those x86 OpenWrt box dual adapters in such a way that the bridge was handing out that range of IPs and, furthermore, didn't intervene in (hinder) the connection that the STB was establishing with the ISP router (and this is only a guess).
So (repeating and summing up): Is it possible to have a (transparent) “bridge” from one of the x86 (Arch router adapters) end and extend that bridge/connection seamlessly to the OpenWrt (router) port where the ISP STB would connect to and (make it “believe”) that it was otherwise connected to the ISP router gateway?
Does this make sense to any of you?
I hope so.
As well as hoping to get some assistance from you.
And, finally, to thank you for taking time to have read this “testament” and to have intervened before, in the first place.
Cheers. See you, hopefully, soon!
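Two things in the posts above call for the same tool: -thc's point that you must find out what the STB "expects" by packet analysis, and the question of what to capture once the STB sits on an unmanaged switch next to a capturing host. The following is an added example, not code from any post in this thread: a small IGMP decoder that reads a tcpdump/pcap file and lists the multicast groups the STB joins and leaves, which is exactly the information an IGMP-snooping or bridge configuration has to let through. It handles IGMPv2 and IGMPv3 reports and 802.1Q-tagged frames, verifies the IGMP checksum, and carries a constructed two-packet sample capture (STB at 192.168.115.42 on VLAN 115, group 239.1.2.3; all three values are invented) so it runs offline. The interface and file names in the docstring are assumptions.

```python
"""Decode IGMP membership traffic from a pcap to see which multicast groups a
set-top box joins and leaves (IGMPv2 and IGMPv3).

Added example for this thread, not code from the original posts.  Capture on
the switch/router port facing the STB (interface name is an assumption):
    tcpdump -i stb0 -s 0 -w stb-igmp.pcap igmp
then run:  python3 igmp_groups.py stb-igmp.pcap   (no argument = built-in sample)
"""
import struct
import sys
from ipaddress import IPv4Address

IGMP_V1V2_REPORT, IGMP_V2_LEAVE, IGMP_V3_REPORT = (0x12, 0x16), 0x17, 0x22
V3_RECORD = {1: "MODE_IS_INCLUDE", 2: "MODE_IS_EXCLUDE", 3: "CHANGE_TO_INCLUDE",
             4: "CHANGE_TO_EXCLUDE", 5: "ALLOW_NEW_SOURCES", 6: "BLOCK_OLD_SOURCES"}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum (IPv4 and IGMP use the same one)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_igmp(msg: bytes, src: str) -> list:
    """One IGMP message -> list of (src_ip, action, group, sources)."""
    if len(msg) < 8 or inet_checksum(msg) != 0:
        return []                      # truncated or corrupt message
    mtype = msg[0]
    if mtype in IGMP_V1V2_REPORT or mtype == IGMP_V2_LEAVE:
        action = "leave" if mtype == IGMP_V2_LEAVE else "join"
        return [(src, action, str(IPv4Address(msg[4:8])), ())]
    if mtype != IGMP_V3_REPORT:
        return []                      # queries (0x11) come from the querier, not the STB
    (nrecords,) = struct.unpack("!H", msg[6:8])
    events, off = [], 8
    for _ in range(nrecords):
        rtype, auxlen, nsrc = struct.unpack("!BBH", msg[off:off + 4])
        group = str(IPv4Address(msg[off + 4:off + 8]))
        srcs = tuple(str(IPv4Address(msg[off + 8 + 4 * i:off + 12 + 4 * i]))
                     for i in range(nsrc))
        # EXCLUDE{} / ALLOW_NEW_SOURCES ask for traffic; INCLUDE{} with no sources is a leave
        if rtype in (2, 4, 5):
            action = "join"
        elif rtype in (1, 3) and not srcs:
            action = "leave"
        else:
            action = V3_RECORD.get(rtype, f"type{rtype}")
        events.append((src, action, group, srcs))
        off += 8 + 4 * nsrc + 4 * auxlen
    return events


def igmp_from_pcap(data: bytes) -> list:
    """Walk a classic (libpcap) Ethernet capture, tagged or untagged, in order."""
    magic = data[:4]
    if magic in (b"\xd4\xc3\xb2\xa1", b"\x4d\x3c\xb2\xa1"):
        end = "<"
    elif magic in (b"\xa1\xb2\xc3\xd4", b"\xa1\xb2\x3c\x4d"):
        end = ">"
    else:
        raise ValueError("not a classic pcap file (convert pcapng with editcap -F pcap)")
    if struct.unpack(end + "I", data[20:24])[0] != 1:
        raise ValueError("capture link type is not Ethernet")
    events, off = [], 24
    while off + 16 <= len(data):
        _, _, incl, _ = struct.unpack(end + "IIII", data[off:off + 16])
        frame, off = data[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 14:
            continue
        ethertype, l3 = struct.unpack("!H", frame[12:14])[0], frame[14:]
        if ethertype == 0x8100:                     # strip one 802.1Q tag
            ethertype, l3 = struct.unpack("!H", frame[16:18])[0], frame[18:]
        if ethertype != 0x0800 or len(l3) < 20 or l3[0] >> 4 != 4 or l3[9] != 2:
            continue                                # only IPv4 carrying IGMP (proto 2)
        ihl, total = (l3[0] & 0xF) * 4, struct.unpack("!H", l3[2:4])[0]
        events += parse_igmp(l3[ihl:total], str(IPv4Address(l3[12:16])))
    return events


def active_groups(events) -> set:
    """Replay joins/leaves: the groups still subscribed at the end of the capture."""
    groups = set()
    for _, action, group, _ in events:
        if action == "join":
            groups.add(group)
        elif action == "leave":
            groups.discard(group)
    return groups


def build_sample_pcap() -> bytes:
    """Constructed sample: STB 192.168.115.42 on VLAN 115 sends an IGMPv3 join for
    239.1.2.3, then an IGMPv2 leave for it.  Addresses and VLAN are invented."""
    def frame(igmp: bytes, dst: str) -> bytes:
        igmp = igmp[:2] + struct.pack("!H", inet_checksum(igmp)) + igmp[4:]
        opts = b"\x94\x04\x00\x00"                  # Router Alert option, IHL = 6
        ip = struct.pack("!BBHHHBBH4s4s", 0x46, 0xC0, 24 + len(igmp), 0, 0x4000, 1, 2, 0,
                         IPv4Address("192.168.115.42").packed, IPv4Address(dst).packed) + opts
        ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
        d = IPv4Address(dst).packed
        dmac = b"\x01\x00\x5e" + bytes([d[1] & 0x7F, d[2], d[3]])   # RFC 1112 group MAC
        return dmac + bytes.fromhex("020000000142") + struct.pack("!HHH", 0x8100, 115, 0x0800) + ip + igmp
    v3_join = b"\x22\x00\x00\x00\x00\x00\x00\x01" + b"\x04\x00\x00\x00" + IPv4Address("239.1.2.3").packed
    v2_leave = b"\x17\x00\x00\x00" + IPv4Address("239.1.2.3").packed
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, (msg, dst) in enumerate([(v3_join, "224.0.0.22"), (v2_leave, "224.0.0.2")]):
        f = frame(msg, dst)
        pcap += struct.pack("<IIII", 1700000000 + ts, 0, len(f), len(f)) + f
    return pcap


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    for src, action, group, srcs in igmp_from_pcap(raw):
        print(f"{src:16} {action:18} {group:16} {' '.join(srcs)}")
    print("still subscribed:", sorted(active_groups(igmp_from_pcap(raw))) or "none")
```

On the capture side: an unmanaged switch will not hand a third host the STB's unicast traffic, but IGMP reports are multicast frames and a switch without IGMP snooping floods them (and the streams themselves) to every port, so tcpdump on the listening host sees the joins without any mirroring; tcpdump enables promiscuous mode on its own unless you pass -p. Wireshark saves pcapng by default, so convert with "editcap -F pcap" before feeding it to this script.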
So (repeating and summing up): Is it possible to have a (transparent) “bridge” from one of the x86 (Arch router adapters) end and extend that bridge/connection seamlessly to the OpenWrt (router) port where the ISP STB would connect to and (make it “believe”) that it was otherwise connected to the ISP router gateway?
I've realized a virtual "transparent firewall" (or "bridge firewall") that does exactly that - but only as a POC. The network devices are bound together in a bridge and the firewall will work without an IP address. Firewalling is realized via "ebtables" or with nftables via "bridge" address family. Since that firewall works on OSI level 2 a lot of level 3 stuff (VLAN, routing) will be severely impaired.
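To make the description above concrete, here is an added example of such a layer-2 "transparent firewall" written for the nftables bridge family (example configuration, not from any post in this thread and not from the Arch or OpenWrt projects). It assumes the Arch router has a dedicated bridge "br-stb" with two member ports, "wan-stb" cabled to a LAN port of the ISP router and "stb0" cabled towards the STB (or the OpenWrt AP port the STB hangs off); the STB's MAC address is a placeholder. The bridge itself carries no IP address, so from the STB's point of view it is plugged straight into the ISP router and takes its lease from there, while only the traffic an STB actually needs is allowed across.

```nft
#!/usr/bin/nft -f
# Added example: stateless layer-2 firewall for the STB path (nftables bridge family).
# Assumed topology (not from the thread): bridge br-stb with member ports
#   wan-stb  - cable to a LAN port of the ISP router (the 115 subnet)
#   stb0     - cable towards the STB / the OpenWrt AP port the STB hangs off
# br-stb has no IP address; the router's routed VLANs use other interfaces.

define STB_MAC = 02:00:00:00:01:55      # placeholder, replace with the real STB MAC

table bridge stbfw
delete table bridge stbfw               # makes re-running this file idempotent

table bridge stbfw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # STB -> ISP router: DHCP, IGMP joins/leaves, unicast (guide, VoD, updates)
        iifname "stb0" ether saddr $STB_MAC accept

        # ISP router -> STB: frames addressed to the STB itself ...
        iifname "wan-stb" ether daddr $STB_MAC accept
        # ... IPv4 multicast (the IPTV streams and the IGMP queries) ...
        iifname "wan-stb" ip daddr 224.0.0.0/4 accept
        # ... and the broadcasts it needs to come up: ARP and DHCP replies
        iifname "wan-stb" ether type arp accept
        iifname "wan-stb" ip protocol udp udp dport 68 accept

        # Everything else crossing the bridge (other 115-subnet hosts' traffic
        # flooded by the ISP router, IPv6, anything on stb0 not sent by the STB's
        # MAC) hits the drop policy; sample it in the log to see what volume it was
        limit rate 5/minute log prefix "stbfw drop: "
    }
}
```

With systemd-networkd the bridge comes from a br-stb.netdev (Kind=bridge, with MulticastSnooping=yes in its [Bridge] section so IPTV groups are only flooded to ports that sent an IGMP join) plus one .network per member port that carries Bridge=br-stb and no Address=. The bridge-family hooks see bridged frames directly, without br_netfilter and without conntrack, so the ruleset is stateless by design. The caveat in the post above stands: this needs ports the router does not also use for its routed VLANs, which on a two-NIC box is exactly the open question of this thread. A bridge port carrying the STB's untagged frames cannot at the same time be the router's tagged VLAN trunk unless bridge VLAN filtering is added, and -thc reports no working combination of tagged VLANs and bridge firewalling.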
I've realized a virtual “transparent firewall” (or “bridge firewall”) that does exactly that — but only as a POC. The network devices(…)
Hi again @-thc, and I can't thank you enough for the contributions you've kindly made so far. Well, by POC I am thinking you are referring to this objective of mine as a theoretical design. Correct? And when you say you've “realized a virtual “transparent firewall” (or “bridge firewall”)”, you are perhaps saying that you understood what I did want for this particular (picky???) network setup of mine, and not in the sense that you've already “built” one such setup. Correct as well, isn't it? (Do forgive me if I am being very cautious about the words or expressions that I use/choose): I am not a native English speaker; and, as I suspect that you may already have perceived, I always look forward to using the specific precise word or expression. Even if I fail too bluntly to achieve this goal. I believe that the 'deviations' inherent to communicating, whereupon, by communicating, I mean the process outlined by this 'sort' of flowchart, should be brought to the minimum level possible. So, please, forgive me if I am being too stressed about this… This is a very dear topic to me.
(...)Since that firewall works on OSI level 2 a lot of level 3 stuff (VLAN, routing) will be severely impaired.
About your prediction that I could only have one or the other functions (that is on one hand a “transparent firewall” or a (current) VLAN configuration) you are implying the whole network, correct? Not only the router machine, is that so? If you were implying only the router machine, perhaps with a proxmox kind of 'situation' I could (theoretically) achieve that goal of mine. But since I would have to rely on other network equipment, it would be very difficult to implement that. (I am thinking like this: How could I make the subrouters identify what was meant for them and subsequently for each of their ports, correct?)
I hope this is not a 'nuisance' of mine, and it may be readable enough. I am looking forward for your continuous insight, and I thank you very much, for your already provided assistance.
Thank you!
I actually built a virtual transparent firewall and tinkered a little with it.
AFAIK adding network adapters as slaves to a bridge "robs" them of all higher (> OSI level 2) functions (i.e. routing).
VLAN also works on OSI level 2 but I am unaware of a working combination of tagged VLANs and bridge firewalling.
Hi again!
Thank you @-thc for your interest and participation. That, for me, does mean a lot!
Well, since I am on a hybrid setup here, meaning, Arch Linux router, and OpenWrt access points, I have sought help on the OpenWrt community as well. And, behold, there is, somehow, a news update to this problem of mine. I have reached the point of “satisfaction” (albeit with some concerns).
Could you please take a look to the URL I am posting below?
Please, let me know what are your thoughts on that.
Thank you!
Cheers!
As I understand your OpenWRT configuration, you use the relayd service to "extend" the uplink (ISP router) network (115) to the STB.
Your overview PNG from your first posting suggested (at least to my eyes) that the 115 subnet is used only as the uplink to the arch router and is not available to the downstream OpenWRT router - you somehow bypassed the Arch router.
@mccurly if you wonder where your post went, you sent it as a report to the moderation staff instead of as a reply here.
Inofficial first vice president of the Rust Evangelism Strike Force
Hello @schard.
Yes indeed, I was surely wondering where did it go.
This goes to show, how distracted one can be (in this case, my own self), and how plain and in that sense difficult and user-unfriendly can a forum interface be.
I was even looking for a way to recover that stray message.
Guess what, apparently I cannot, since there is no record that I could resort to, and this seems even more awkward. Even from a lawful perspective, since this presents somewhat of a loophole or even an illegality in the way that I don't have access to a piece of information that I've produced. Do I?
Even if the forum rules do state it clear that the information posted here becomes available to the public as such and has its copyright changed accordingly. Not having access to information, or not granting access to that information to those who emitted it in the first place, does otherwise seem strange to say the least.
Having said that, I have a question for you, dear @schard: is there any way I could recover that post that I so unintentionally forwarded to you, the moderators?
It did seem pertinent to this thread here, and even more so harmless. And since I did not keep a record of it, I would be most happy if it were indeed published where it was indeed intended. (Who's telling that? Well me, the author of the message, coming clean about the purpose of that message).
Would you or anyone of the mods agree?
By the way, I could not thank you enough for having warned me about the whereabouts of that message.
Cheers!
Last edited by mccurly (2024-09-10 04:49:19)
Moderator Note :
Anything submitted using the report button is only visible to forum staff.
If the report button was used by mistake sometimes a moderator posts the content as a courtesy to the sender.
I have copied the content you submitted verbatim below.
Lone_Wolf
End of Moderator Note
Hi again @-thc.
Yes, correct. The Arch router wasn't part of this workaround. So that's precisely why I called this a workaround and not the actual solution to the posted questions.
It was my understanding and own conclusions, from your previous posts that:
EITHER it was a too advanced setup for me, and, of course, my present knowledge of networking,
OR that if I were to undergo the way of taking advantage of the current topology, most likely, I would break its present working state. Correct?
So, although not achieving what I wanted, in a "tidier"/neater way this second best of a solution does provide what I am after.
So this is truly a case of the second best being the best solution here. Do you agree?
Would such a solution be possible in the Arch router and then extend it to the openwrt devices?
Also, and forgive me to repeat this question:
Are 600 GB of traffic data, on any of the access points, for 8 h of uptime, to be considered normal?
Finally, if you, or any moderator, may think it should be wiser to move this thread onto some other forum.
Thank you!
Do you, -thc,
EITHER it was a too advanced setup for me, and, of course, my present knowledge of networking,
OR that if I were to undergo the way of taking advantage of the current topology, most likely, I would break its present working state. Correct?
Yes - I think so. There are architectural hurdles (Bridge OSI level 2/Router OSI level 3) and unknowns enough for me to agree.
So this is truly a case of the second best it's the best solution here. Do you agree?
Yes. I would have suggested a direct (cable?) connection between STB and ISP router which would serve the same purpose.
Would such a solution be possible in the Arch router and then extend it to the openwrt devices?
I doubt it. Forwarding unicast traffic is simple but the STB probably expects broadcast/multicast packets and/or packets with special IP headers which are possibly non-trivial in routers.
Are 600 GB of traffic data, on any of the access points, for 8 h of uptime, to be considered normal?
That depends on the registered devices. But intuitively I would say no. My server's nftables shows 34 GB input / 24 GB output in 6 days.
Last edited by -thc (2024-09-10 11:11:35)
Moderator Note :
Anything submitted using the report button is only visible to forum staff. If the report button was used by mistake sometimes a moderator posts the content as a courtesy to the sender.
I have copied the content you submitted verbatim below. Lone_Wolf
End of Moderator Note
Thank you very much! Yes it was by mistake (distraction, poor eyesight, cellphone usage…), all things considered ended up in a mess… Therefore, I thank you for your kindness and I hope you do forgive me for this… well, mess…
Considering the “hurdles” of an “endeavor” such as the one proposed by myself in the OP, and your last post, dear @-thc, I am inclined to settle this case. One question remains before that final procedure of editing the thread title and adding the “Solved” magical word… It's from your statement (which I quote hereafter):
(...)But intuitively I would say no. My servers nftables show 34 GB input / 24 GB output in 6 days(…)
Do you have a STB connected to any of those devices/interfaces/adapters for which you kindly reported those stats?
Could I be somewhat misconfiguring things in a way that there is data leakage in here to the outside WAN?
If this seems noobish enough, well it actually is…
Thank you already for your considerations.
Cheers to both of you @Lone_Wolf and @-thc! (And everyone else visiting and reading, and perhaps learning from some or all of this…)!
Do you have a STB connected to any of those devices/interfaces/adapters for which you kindly reported those stats?
No - it's just for comparison. Another example: I manage a virtual firewall for a network with 25 client PCs - it has forwarded 160 GB in 6 days.
Could I be somewhat misconfiguring things in a way that there is data leakage in here to the outside WAN?
A single video stream (FullHD ~ 2 GB/hr; 4K ~ 11 GB/hr) is still not enough to reach this number. I suspect that your OpenWRT router is relaying/forwarding more traffic than just the streams from the STB - possibly everything that traverses the 115 subnet.
No - it's just for comparison. Another example: I manage a virtual firewall for a network with 25 client PCs - it has forwarded 160 GB in 6 days.
A single video stream (FullHD ~ 2 GB/hr; 4K ~ 11 GB/hr) is still not enough to reach this number. I suspect that your OpenWRT router is relaying/forwarding more traffic than just the streams from the STB - possibly everything that traverses the 115 subnet.
Hi again, I am guessing the network environment could have changed a bit since I last looked at the relayd stats. Namely, I think the network traffic around here could be a little less hectic due to fewer users, well, accessing the 115 subnet. And therefore I shall wait a little “until” I render myself to the evidence.
To illustrate better, @-thc, please take a look at this image that I've just gathered a few moments ago. (Mind you that I did not use the STB that much since I last reset those stats when I last rebooted the relayd router):
Image with a more sensible network traffic toll
But admitting that relayd interface bridge is relaying/forwarding more traffic than it would be required, could you please suggest what should I consider to mitigate this unwanted behavior? I am thinking on the likes of “summoning” the relayd router firewall and therefore “forwarding” this question elsewhere as well.
Thank you once again for your time and patience @-thc!
Cheers!
Those statistics look a little weird (maybe TX and RX change direction while traversing the bridge?) but are no longer in the same range as you mentioned earlier. Just disconnect the STB physically for a few hours, reattach it (while "off" or not actively used) for a few hours and stream something for a few hours and compare the statistic values after each phase - do they make sense?
Those statistics look a little weird (maybe TX and RX change direction while traversing the bridge?) but are no longer in the same range as you mentioned earlier. Just disconnect the STB physically for a few hours, reattach it (while "off" or not actively used) for a few hours and stream something for a few hours and compare the statistic values after each phase - do they make sense?
Hi, I'll do that. Thank you again.
Hello again, after a while of testing I think this current situation is stable enough to be considered as a “solution”, don't you agree?
Waiting for your input to mark this one as solved.
Thank you @-thc
P.s.:
Proofing images:
After rebooting the router but with no connection to the ISP STB (and, of course, no streaming)
Hi again everyone.
I'm marking this thread as solved.
It's stable enough now.
Thank you to all the participants and "lurkers"
Cheers!