06-06-2014 06:23 AM
Hi,
I am trying to replace my ISP-provided Zyxel home router with a PA-200. I'm also subscribing to IPTV from the same ISP, with a Thomson DBI-8500E-TLN2 IPTV PVR.
The zyxel - while branded, appears to run standard zyxel firmware - the config doesn't contain anything related to IPTV, but it has an "IGMP Proxy enabled" setting. Is there a way to set up a similar setup on the PA-200?
I'm running interface1/4 as DHCP client to the internet side - "untrust" zone (public IP), and doing NAT to interface1/3 (192.168.1.1/24). I've been playing with the multicast settings on my virtual router, but have so far been unable to get anywhere - IGMP/multicasting is something I've never touched before.
Any pointers where I go from here? I'm running 6.0.2, and have played a bit with packet capture, so I can see "Membership Report group" and "Leave Group" messages coming from the Thomson, but can't see any other IGMP related traffic.
06-06-2014 08:03 AM
Hello,
You can check couple of things:
1) From Packet capture confirm the IGMP Version used by Thomson and enable same version on Palo Alto.
2) Under Virtual Router->default->Multicast check on Enable
3) Under Interface in above settings enable IGMP on interface 1/4 and select the version as you see in step1.
Regards,
Hari Yadavalli
06-06-2014 11:55 AM
Hi,
thanks, but so far, no luck.
Wireshark (and zyxel config) reports IGMP v2, so that's what I've been using.
Enabling IGMP on eth1/4 (or rather - creating an interface group on the vrouter) does not appear to give me anything more either. If I add eth1/3 (internal/trust interface), I get some output from igmp statistics and memberships:
admin@gw# run show routing multicast igmp membership
VIRTUAL ROUTER: default
interface group source up time expiry filter mode excl mode expiry v1 host timer v2 host timer last reporter
--------- ----- ------ ------- ------ ----------- ---------------- ------------- ------------- -------------
ethernet1/3 224.0.5.128 0.0.0.0 384.46 140.31 exclude 140.31 0.00 140.31 192.168.1.3
ethernet1/3 233.184.48.250 0.0.0.0 11.58 260.00 exclude 260.00 0.00 259.60 192.168.1.61
ethernet1/3 233.184.48.251 0.0.0.0 19.58 247.44 exclude 247.44 0.00 246.49 192.168.1.61
ethernet1/3 239.255.255.250 0.0.0.0 392.56 143.24 exclude 143.24 0.00 143.24 192.168.1.2
[edit]
admin@gw# run show routing multicast igmp statistics
VIRTUAL ROUTER: default
interface name: ethernet1/3
total groups: 4
total source-group pairs: 0
wrong version queries: 0
number of joins: 12
failed joins: 0
general queries sent: 5
specific queries sent: 54
total received messages: 123
received v1 messages: 0
received v2 messages: 123
received v3 messages: 0
received invalid messages: 8
peak number of groups: 6
[edit]
admin@gw# run show routing multicast igmp interface
VIRTUAL ROUTER: default
interface version querier querier up querier expiry robustness group limit source limit immediate leave
--------- ------- ------- ---------- -------------- ---------- ----------- ------------ ---------------
ethernet1/3 2 192.168.1.1 414.09 0.00 2 0 0 no
The Thomson IPTV PVR is a 192.168.1.61, and its membership changes whenever I change channels. (In the output above, it is listed twice - that is just because I changed channels rapidly, so I guess an older membership didn't time out yet).
However, I've tried doing the IGMP settings on eth1/4, eth1/3, a group with both 3 and 4, and two groups with 3 and 4 in each. I have no idea about the other multicast settings - Rendezvous Point, PIM etc - I haven't touched anything else.
admin@gw# show network virtual-router default multicast
multicast {
enable yes;
interface-group {
"IPTV IGMP" {
pim {
enable no;
dr-priority 1;
bsr-border no;
assert-interval 177;
hello-interval 30;
join-prune-interval 60;
}
interface ethernet1/3;
igmp {
max-sources unlimited;
max-groups unlimited;
query-interval 125;
last-member-query-interval 1;
max-query-response-time 10;
router-alert-policing no;
enable yes;
version 2;
immediate-leave no;
robustness 2;
}
}
}
}
- Håvard
01-26-2019 07:38 AM
sorry for digging this out- have you founda solution? I am facing the same problem
01-22-2021 09:26 AM
IGMP proxy is done by a router. Traditionally firewalls are not routers in terms of full routing functionality. So unless the Palo can do IGMP proxy, I don't see how it can work. The Cisco ASA has the ability to act as IGMP proxy agent.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
