Well, as you have probably read in my other posts, I am something of an enthusiast when it comes to using my KPN internet and iTV subscription with my own gear (and not with the Experiabox that KPN included with my subscription). That said, I also know that there are some difficulties I can run into. One of them was successfully routing the iTV traffic (which is multicast) through a FortiGate firewall. It works, yes, but I found that there are some “side-effects” which I didn’t like. One of the most annoying things is that internet performance drops dramatically when both TV receivers are actively requesting a multicast stream. Mwa, that’s definitely not what I want :-(.
So I decided to split the functionality over 2 devices: internet traffic is routed through my FortiGate firewall, while multicast traffic is routed through a dedicated router (in my case a Mikrotik router). Be aware that if you want to use a router for the iTV multicast traffic, it has to support some features to get this working.
Let’s begin with some graphics that show what I have built. See the basic drawings below:
I have a separate vlan where the TV receivers reside. This vlan is directly routed through my Mikrotik router, which handles the multicast traffic. The reason why the FortiGate is also present in the vlan is that the receivers need internet access for some services (such as Netflix). In my case, I made the FortiGate the DHCP server for this vlan, and it points the default gateway to the Mikrotik router.
Physically, I needed to handle the vlan IDs which are present on my NTU. These IDs are vlan 4 (for iTV) and vlan 6 (for internet). Vlan 5 is for telephony services, which I don’t use.
I configured PPPoE on my FortiGate on the wan1 interface, which is connected to a port on the Mikrotik router in vlan 6. I don’t need to configure a subinterface on the FortiGate, because the port on the Mikrotik where I connect my FortiGate wan port is a native vlan port. With this configuration, I keep the public IP address directly associated with my FortiGate’s wan port. Great!
The Mikrotik router has a subinterface in vlan 4, where it runs a DHCP client to get an IP address from the KPN network. For this to work, you have to send 2 options in the DHCP request.
| DHCP client option | Value |
|---|---|
| 55 (parameter 121) | CLASSLESS_ROUTE |
Option 60 is mandatory, otherwise you will not get an IP address at all.
Option 55 is a special one, which gets the route information for the KPN network. If you have a Mikrotik router, this step is easy because the options can simply be enabled in the configuration with the “special classless” option.
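Parameter 121 is the classless static route option defined in RFC 3442, and the router installs whatever routes the DHCP server returns in it. The following is an added example (not part of the original post or the published configuration) that decodes such a payload and flags routes outside the range you expect on the iTV vlan; the sample bytes, the expected supernet and the helper names are constructed for illustration and are not KPN's real values.

```python
import ipaddress

def parse_classless_routes(payload: bytes):
    """Decode a DHCP option 121 payload (RFC 3442) into (network, gateway) pairs."""
    routes, i = [], 0
    while i < len(payload):
        prefix_len = payload[i]
        i += 1
        if prefix_len > 32:
            raise ValueError(f"invalid prefix length {prefix_len}")
        # RFC 3442 sends only the significant octets of the destination.
        n_octets = (prefix_len + 7) // 8
        if i + n_octets + 4 > len(payload):
            raise ValueError("truncated route entry")
        dest = ipaddress.IPv4Address(payload[i:i + n_octets] + bytes(4 - n_octets))
        gateway = ipaddress.IPv4Address(payload[i + n_octets:i + n_octets + 4])
        i += n_octets + 4
        # strict=True raises ValueError if host bits are set past the prefix.
        routes.append((ipaddress.IPv4Network((dest, prefix_len), strict=True), gateway))
    return routes

def routes_outside(routes, allowed):
    """Return learned routes that do not fall inside any expected supernet."""
    return [(net, gw) for net, gw in routes
            if not any(net.subnet_of(a) for a in allowed)]

# Constructed sample payload (documentation address ranges, not KPN's real routes):
# 198.51.100.0/24 via 192.0.2.1, followed by a default route 0.0.0.0/0 via 192.0.2.1.
SAMPLE = bytes([24, 198, 51, 100, 192, 0, 2, 1,
                0, 192, 0, 2, 1])
# Assumption for this example: only this range is expected on the iTV vlan.
EXPECTED = [ipaddress.ip_network("198.51.100.0/24")]

if __name__ == "__main__":
    learned = parse_classless_routes(SAMPLE)
    for net, gw in learned:
        print(f"learned {net} via {gw}")
    for net, gw in routes_outside(learned, EXPECTED):
        print(f"unexpected route {net} via {gw}")
```
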
The learned prefix from KPN is printed below.
For the multicast to work, I had to take care of firewalling (nat-masquerade) and IGMP proxying as well.
For your convenience, I have published my Mikrotik configuration on GitHub here.