albertcd
New Contributor

Problem with routing IPTV

Hi.

This is my network:

 

The IPTV service works perfectly if I connect the IPTV deco (10.11.12.69) directly to the ISP router. If I connect it to the FGT, the live TV (multicast traffic) works perfectly, but VOD (video on demand) fails.

 

The IPTV works with this subnet:

 

I think the FortiGate is routing correctly, but something is badly configured. The INTERNET ROUTER is configured with FULL CONE NAT in the VLAN of the IPTV service.

Theoretically, the IPTV decoder requests the resource from a server A, but the resource is returned by a server B, to which the IPTV decoder has not previously established a connection. That's what I think is the reason why full cone NAT is required.

I tried to:

Create static routes manually
Configure Full Cone NAT in the firewall policy
Configure an IP pool in the policy

Nothing works.

 

These are the logs when I try to play some VOD video.

2019.570072 lan out 10.64.0.1 -> 10.11.12.69: icmp: time exceeded in-transit
2020.252251 lan in 10.11.12.69.50865 -> 172.26.22.11.9153: syn 715401103
2020.280314 lan out 172.26.22.11.9153 -> 10.11.12.69.50865: syn 2394425056 ack 715401104
2020.282934 lan in 10.11.12.69.50865 -> 172.26.22.11.9153: ack 2394425057
2020.283786 lan in 10.11.12.69.50865 -> 172.26.22.11.9153: psh 715401104 ack 2394425057
2020.309367 lan out 172.26.22.11.9153 -> 10.11.12.69.50865: ack 715401530
2020.309458 lan out 172.26.22.11.9153 -> 10.11.12.69.50865: ack 715401530
2020.309541 lan out 172.26.22.11.9153 -> 10.11.12.69.50865: psh 2394425057 ack 715401530
2020.309623 lan out 172.26.22.11.9153 -> 10.11.12.69.50865: psh 2394425208 ack 715401530
2020.309703 lan out 172.26.22.11.9153 -> 10.11.12.69.50865: psh 2394425211 ack 715401530
2020.309783 lan out 172.26.22.11.9153 -> 10.11.12.69.50865: psh 2394425213 ack 715401530
2020.313724 lan in 10.11.12.69.50865 -> 172.26.22.11.9153: ack 2394425057
2020.313849 lan in 10.11.12.69.50865 -> 172.26.22.11.9153: ack 2394425208
2020.313937 lan in 10.11.12.69.50865 -> 172.26.22.11.9153: ack 2394425211
2020.317107 lan in 10.11.12.69.50865 -> 172.26.22.11.9153: fin 715401530 ack 2394425220
2020.339358 lan out 172.26.22.11.9153 -> 10.11.12.69.50865: fin 2394425220 ack 715401531
2025.962784 lan in 10.11.12.69.56115 -> 172.26.23.3.53: udp 52
2025.989311 lan out 172.26.23.3.53 -> 10.11.12.69.56115: udp 68
2025.990489 lan in 10.11.12.69.53139 -> 172.26.22.23.2001: syn 805039966
2026.010149 lan out 172.26.22.23.2001 -> 10.11.12.69.53139: syn 3065278316 ack 805039967
2026.010747 lan in 10.11.12.69.53139 -> 172.26.22.23.2001: ack 3065278317
2026.011445 lan in 10.11.12.69.53139 -> 172.26.22.23.2001: psh 805039967 ack 3065278317
2026.039239 lan out 172.26.22.23.2001 -> 10.11.12.69.53139: ack 805040278
2026.048763 lan in 10.11.12.69.53139 -> 172.26.22.23.2001: ack 3065279331
2028.730236 lan in 10.11.12.69.43028 -> 172.26.22.23.2001: syn 858176956
2028.748183 lan in 10.11.12.69.46830 -> 172.26.22.23.2001: syn 858690776
2028.753671 lan out 172.26.22.23.2001 -> 10.11.12.69.43028: syn 3071170399 ack 858176957
2028.755263 lan in 10.11.12.69.43028 -> 172.26.22.23.2001: ack 3071170400
2028.756185 lan in 10.11.12.69.43028 -> 172.26.22.23.2001: psh 858176957 ack 3071170400
2028.763299 lan out 172.26.22.23.2001 -> 10.11.12.69.46830: syn 3072783447 ack 858690777
2028.767782 lan in 10.11.12.69.46830 -> 172.26.22.23.2001: ack 3072783448
2028.768327 lan in 10.11.12.69.46830 -> 172.26.22.23.2001: psh 858690777 ack 3072783448
2028.773420 lan out 172.26.22.23.2001 -> 10.11.12.69.43028: ack 858177302
2028.773522 lan out 172.26.22.23.2001 -> 10.11.12.69.43028: psh 3071170400 ack 858177302
2028.777257 lan in 10.11.12.69.43028 -> 172.26.22.23.2001: ack 3071171686
2028.782719 lan out 172.26.22.23.2001 -> 10.11.12.69.46830: ack 858691118
2028.786327 lan in 10.11.12.69.46830 -> 172.26.22.23.2001: ack 3072784896
2028.786446 lan in 10.11.12.69.46830 -> 172.26.22.23.2001: ack 3072786344
2028.786695 lan in 10.11.12.69.46830 -> 172.26.22.23.2001: ack 3072787792
2028.786782 lan in 10.11.12.69.46830 -> 172.26.22.23.2001: ack 3072787829
2029.934207 lan in 10.11.12.69.50867 -> 172.26.23.3.53: udp 55
2030.058332 lan out 172.26.23.3.53 -> 10.11.12.69.50867: udp 128
2030.114251 lan in 10.11.12.69.41450 -> 172.26.84.199.554: syn 881177784
2030.118898 lan out 172.26.84.199.554 -> 10.11.12.69.41450: syn 2742258451 ack 881177785
2030.119537 lan in 10.11.12.69.41450 -> 172.26.84.199.554: ack 2742258452
2030.119904 lan in 10.11.12.69.41450 -> 172.26.84.199.554: psh 881177785 ack 2742258452
2030.128446 lan out 172.26.84.199.554 -> 10.11.12.69.41450: ack 881177841
2030.129955 lan out 172.26.84.199.554 -> 10.11.12.69.41450: psh 2742258452 ack 881177841
2030.131618 lan in 10.11.12.69.41450 -> 172.26.84.199.554: ack 2742258576
2030.131998 lan in 10.11.12.69.41450 -> 172.26.84.199.554: psh 881177841 ack 2742258576
2030.143307 lan out 172.26.84.199.554 -> 10.11.12.69.41450: psh 2742258576 ack 881178192
2030.148608 lan in 10.11.12.69.46131 -> 172.26.23.3.53: udp 55
2030.187072 lan in 10.11.12.69.41450 -> 172.26.84.199.554: ack 2742259034
2030.345787 lan out 172.26.23.3.53 -> 10.11.12.69.46131: udp 128
2030.348466 lan in 10.11.12.69.41450 -> 172.26.84.199.554: psh 881178192 ack 2742259034
2030.356213 lan out 172.26.84.199.554 -> 10.11.12.69.41450: psh 2742259034 ack 881178582
2030.359691 lan in 10.11.12.69.41450 -> 172.26.84.199.554: ack 2742259071
2030.359851 lan in 10.11.12.69.41450 -> 172.26.84.199.554: fin 881178582 ack 2742259071
2030.365052 lan out 172.26.84.199.554 -> 10.11.12.69.41450: fin 2742259071 ack 881178583
2030.367998 lan in 10.11.12.69.41450 -> 172.26.84.199.554: ack 2742259072
2030.526710 lan in 10.11.12.69.53171 -> 172.26.23.3.53: udp 57
2030.668324 lan out 172.26.23.3.53 -> 10.11.12.69.53171: udp 130
2030.751228 lan in 10.11.12.69.33828 -> 172.26.84.197.554: syn 892288408
2030.857631 lan out 172.26.84.197.554 -> 10.11.12.69.33828: syn 984321796 ack 892288409
2030.861581 lan in 10.11.12.69.33828 -> 172.26.84.197.554: ack 984321797
2030.865319 lan in 10.11.12.69.33828 -> 172.26.84.197.554: psh 892288409 ack 984321797
2030.867169 lan out 172.26.84.197.554 -> 10.11.12.69.33828: ack 892288465
2030.868500 lan out 172.26.84.197.554 -> 10.11.12.69.33828: psh 984321797 ack 892288465
2030.870125 lan in 10.11.12.69.33828 -> 172.26.84.197.554: ack 984321921
2030.870326 lan in 10.11.12.69.33828 -> 172.26.84.197.554: psh 892288465 ack 984321921
2030.892236 lan out 172.26.84.197.554 -> 10.11.12.69.33828: psh 984321921 ack 892288811
2030.895906 lan in 10.11.12.69.50099 -> 172.26.23.3.53: udp 57
2030.920904 lan out 172.26.23.3.53 -> 10.11.12.69.50099: udp 130
2030.922550 lan in 10.11.12.69.33828 -> 172.26.84.197.554: psh 892288811 ack 984322376
2030.927045 lan out 172.26.84.197.554 -> 10.11.12.69.33828: psh 984322376 ack 892289196
2030.929645 lan in 10.11.12.69.33828 -> 172.26.84.197.554: fin 892289196 ack 984322413
2030.936086 lan out 172.26.84.197.554 -> 10.11.12.69.33828: fin 984322413 ack 892289197
2030.938148 lan in 10.11.12.69.33828 -> 172.26.84.197.554: ack 984322414
2033.104736 lan in 10.11.12.69.60523 -> 172.26.23.23.4096: udp 64
2033.117570 lan out 172.26.23.23.4096 -> 10.11.12.69.60523: udp 1348
2033.118089 lan out 172.26.23.23.4096 -> 10.11.12.69.60523: udp 1344
2039.410193 lan out 10.64.0.1 -> 10.11.12.69: icmp: time exceeded in-transit
2041.169538 lan in 10.11.12.69.60523 -> 172.26.23.23.4096: udp 64
2041.173690 lan in 10.11.12.69 -> 172.26.23.23: icmp: 10.11.12.69 udp port 60523 unreachable
2041.173812 lan in 10.11.12.69 -> 172.26.23.23: icmp: 10.11.12.69 udp port 60523 unreachable
2041.173914 lan in 10.11.12.69 -> 172.26.23.23: icmp: 10.11.12.69 udp port 60523 unreachable
2041.174043 lan in 10.11.12.69 -> 172.26.23.23: icmp: 10.11.12.69 udp port 60523 unreachable
2041.178163 lan in 10.11.12.69 -> 172.26.23.23: icmp: 10.11.12.69 udp port 60523 unreachable
2041.178259 lan in 10.11.12.69 -> 172.26.23.23: icmp: 10.11.12.69 udp port 60523 unreachable

 

This is the config of policy:

 

config firewall policy
    edit 7
        set name "MOVISTAR TV"
        set uuid e6bf73dc-9ada-51e7-3e34-796c61f8ecb3
        set srcintf "lan"
        set dstintf "wan"
        set srcaddr "MOVISTAR DECO" (10.11.12.69)
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set permit-any-host enable

 

I tried to create this IP pool, configured in the previous policy, with no results:

 

config firewall ippool
    edit "m+nat"
        set type port-block-allocation
        set startip 192.168.1.2
        set endip 192.168.1.2
        set permit-any-host enable
        set arp-reply disable

 

Any idea why these UDP errors exist?

Thank you
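One way to summarise the UDP errors in the trace above (an added example, not part of the original post; the function name `closed_port_report` is hypothetical): it pairs each ICMP port-unreachable with the UDP datagrams seen earlier to and from the same host and port. On the quoted lines it shows the rejection is sent by the decoder itself, for a port that had received replies about 8 seconds earlier.

```python
import re
from collections import defaultdict

# Lines copied from the sniffer trace in the post above
# (timestamp, interface, direction, src -> dst, summary).
SAMPLE = """\
2030.526710 lan in 10.11.12.69.53171 -> 172.26.23.3.53: udp 57
2030.668324 lan out 172.26.23.3.53 -> 10.11.12.69.53171: udp 130
2033.104736 lan in 10.11.12.69.60523 -> 172.26.23.23.4096: udp 64
2033.117570 lan out 172.26.23.23.4096 -> 10.11.12.69.60523: udp 1348
2033.118089 lan out 172.26.23.23.4096 -> 10.11.12.69.60523: udp 1344
2041.169538 lan in 10.11.12.69.60523 -> 172.26.23.23.4096: udp 64
2041.173690 lan in 10.11.12.69 -> 172.26.23.23: icmp: 10.11.12.69 udp port 60523 unreachable
2041.173812 lan in 10.11.12.69 -> 172.26.23.23: icmp: 10.11.12.69 udp port 60523 unreachable
"""

# UDP lines carry the port as a fifth dotted field; ICMP lines carry bare addresses.
UDP = re.compile(r"^(\d+\.\d+) \S+ (?:in|out) ([\d.]+)\.(\d+) -> ([\d.]+)\.(\d+): udp \d+$")
UNREACH = re.compile(r"^(\d+\.\d+) \S+ (?:in|out) [\d.]+ -> ([\d.]+): "
                     r"icmp: ([\d.]+) udp port (\d+) unreachable$")


def closed_port_report(trace):
    """Map (host, port) -> stats for every port that was reported unreachable."""
    sent, rcvd, last_rx, report = defaultdict(int), defaultdict(int), {}, {}
    for line in trace.splitlines():
        line = line.strip()
        if m := UDP.match(line):
            ts, sip, sport, dip, dport = m.groups()
            sent[(sip, int(sport))] += 1
            rcvd[(dip, int(dport))] += 1
            last_rx[(dip, int(dport))] = float(ts)
        elif m := UNREACH.match(line):
            ts, peer, host, port = m.groups()
            entry = report.setdefault(
                (host, int(port)), {"peer": peer, "first": float(ts), "count": 0})
            entry["count"] += 1
    for key, entry in report.items():
        entry["sent"], entry["received"] = sent[key], rcvd[key]
        rx = last_rx.get(key)
        # Seconds between the last datagram delivered to the port and the first rejection.
        entry["idle"] = None if rx is None else round(entry["first"] - rx, 3)
    return report


if __name__ == "__main__":
    for (host, port), e in closed_port_report(SAMPLE).items():
        print(f"{host}:{port} rejected {e['count']} datagram(s) from {e['peer']}; "
              f"sent={e['sent']} received={e['received']} idle={e['idle']}s")
```
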

albertcd
New Contributor

Any idea?

Galo
New Contributor

Hi Albert,

I have a partial working solution. Live TV is working, menus, channel description but VoD is still missing.

The only way is to enable multicast forwarding; it is not the best way because multicast traffic is flowing to all ports. This is why I have isolated the deco network.

 

Looking at your config, you should apply the "m+nat" to the policy that enables traffic from lan to wan.

 

Regards,

Galo

avecestampoco

Hi guys, I've been dealing with this same architecture for the last 2 couple of days and I could finally make it work with VoD.

The issue was not only the IGMP snooping (that has to be solved as you guys are explaining), but you also have to take into account the inbound rule (to allow RTSP traffic from wan and forwarding through a VIP to the tvbox in lab), and you also need to disable the RTSP session helper... otherwise the helper would be trying to forward packets to the RTSP signaling destination (the IPTV VLAN address in the ONT) instead of the tvbox.

If any of you guys is still interested in this issue I can share configs. Cheers

knuten

Hi

Thanks for the info.

Do you have a config to share ?

 

Thanks

 

ARP

Have you achieved via PIM-SM or MC forwarding enable? 

 

Also can you let me know if multiple IPTV behind FTG is working fine?

AB1OC
New Contributor

I am struggling with this problem as well. Can someone who has made this work please share the necessary config files?

 

Thank you!

ccordero
New Contributor

Good day. I am struggling trying to setup a Fortigate 60E with Movistar FTTH. I did setup the Askey router in bridge mode and managed to get internet access working, but with my limited knowledge on FortiOS I am not able to setup voip and iptv. May anybody having this setup running please share his/her config?

Thank you very much in advance. Stay safe.

Carlos