There are two approaches to blocking IGMP multicast flooding on a WLAN while watching IPTV:
- Put your WLAN on a separate subnet from the wired LAN and block the multicast packets on network layer 3, or
- Put your WLAN on the same subnet as the wired LAN and block the multicast packets on network layer 2.
In the first approach, your wired LAN would be on the subnet 192.168.1.0/24 and your WLAN would be on a separate subnet such as 192.168.2.0/24. I won’t go into the details of how to configure your router to do this other than to say you can do it with DD-WRT (and probably also with similar third party firmware such as OpenWrt and TomatoUSB). After configuring these separate subnets, you would block the packets with a layer 3 packet filter (i.e. layer 3 firewall) such as netfilter/iptables.
In my case, I didn’t want to use separate subnets because I wanted all of my clients, both wired and wireless, to be on the same broadcast domain. Having all clients on the same broadcast domain facilitates easier discovery of network services such as DLNA media server streaming. In my case, I wanted all of my clients on the subnet 192.168.1.0/24, the default subnet used by Telus’ V1000H firmware. Incidentally, as far as I know, this particular subnet cannot be changed in Telus’ firmware (at least not without some unsupported hacking).
Putting my second WLAN on the same subnet as the V1000H was the easy part. The hard part was figuring out how to block the IGMP multicast traffic on layer 2. Thankfully, after some googling, I discovered ebtables, which is essentially a layer 2 packet filter (i.e. layer 2 firewall). Some builds of DD-WRT include the ebtables kernel modules and as luck would have it, the build I was using on my Netgear WNR3500L has those modules!
The question is, how do you configure ebtables in DD-WRT so that it blocks IGMP multicast packets? I found most of what I needed on the DD-WRT website. In particular, I will point you to these helpful pages:
- IPTV – blocking multicast on WIFI
- Network Share not working via Wireless while blocking IPTV
- WNR3500L – Wireless Physical Interface wl0 Not Accessible
The first two pages had most of the ebtables-related commands I needed but I had to combine and adapt those solutions because I was getting error messages such as “The kernel doesn’t support a certain ebtables extension, consider recompiling your kernel or insmod the extension.” The third page helped me get the name of the physical wireless interface on my WNR3500L, namely eth1.
Without further ado, here is my script for blocking IGMP multicast packets with ebtables while watching IPTV on the Telus Optik TV network:
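# Load the ebtables core, the filter table and the packet-type match extension
insmod ebtables
insmod ebtable_filter
insmod ebt_pkttype
# Drop multicast frames bridged to, or sent by the router out of, the wireless interface (eth1)
ebtables -A FORWARD -o "eth1" --pkttype-type multicast -j DROP
ebtables -A OUTPUT -o "eth1" --pkttype-type multicast -j DROP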
After applying that script to my WNR3500L WLAN, ping times while watching IPTV returned to 1 ms with no packet loss and wireless performance was excellent. To make the script run automatically every time I reboot my WNR3500L, I did the following:
- Log into the DD-WRT web interface.
- Click the Administration tab.
- Click the Commands tab inside the Administration tab.
- Paste my code into the Commands text box.
- Click the Save Startup button.
If this how-to article helped you, please leave a comment! Cheers!
Epilog (Bonus Points for the Astute Reader)
I’m sure that the more astute readers out there are wondering whether Telus’s V1000H firmware uses ebtables. The answer is indeed, “yes”, as I discovered by using a back door “trick” to get command line shell access to the Actiontec V1000H (I won’t describe that trick here…). After getting a command line prompt on the V1000H, I ran ebtables -L, which returned this output:
# ebtables -L
Bridge table: filter

Bridge chain: INPUT, entries: 3, policy: ACCEPT
-p IPv4 --ip-dst 192.168.1.254 --ip-proto 6 --ip-dport 21 -j DROP
-p IPv4 --ip-dst 192.168.1.254 --ip-proto 6 --ip-dport 22 -j DROP
-p IPv4 --ip-dst 192.168.1.254 --ip-proto 6 --ip-dport 53 -j DROP

Bridge chain: FORWARD, entries: 0, policy: ACCEPT

Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
To my utter surprise, the above output apparently contains no rules to block IGMP multicast packets on the V1000H’s WLAN. In fact, the above rules only block layer-2 LAN-side access to FTP (port 21), SSH (port 22) and DNS (port 53) services running on the V1000H. So, if the V1000H does indeed prevent IGMP multicast packets from reaching its WLAN, it doesn’t use ebtables to do it. Rather, I suspect perhaps it uses IGMP snooping to figure out which links need multicast streams. If someone out there knows for sure, please enlighten me by leaving a comment!
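The check done by eye on the V1000H listing above is also worth repeating on the WNR3500L after a reboot, to confirm the startup script actually installed its rules. As an added example (not part of the original article), this parses `ebtables -L` text and reports whether the FORWARD and OUTPUT chains each carry a multicast DROP rule for a given interface; the function names and the WNR3500L listing are constructed for illustration.

```shell
# Added example (not from the original article): audit `ebtables -L` text for
# the multicast DROP rules. On a router: ebtables -L | audit_wlan eth1
# has_mcast_drop CHAIN IFACE: succeeds only if CHAIN drops multicast out of IFACE.
has_mcast_drop() {
    awk -v chain="$1" -v ifc="$2" '
        /^Bridge chain:/ {
            name = $3; sub(/,$/, "", name)      # "FORWARD," -> "FORWARD"
            in_chain = (name == chain); next
        }
        in_chain && /--pkttype-type multicast/ && /-j DROP/ {
            for (i = 1; i < NF; i++) if ($i == "-o" && $(i + 1) == ifc) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# audit_wlan IFACE: reads a listing on stdin, prints the status of both chains.
audit_wlan() {
    listing=$(cat); result=""
    for chain in FORWARD OUTPUT; do
        if printf '%s\n' "$listing" | has_mcast_drop "$chain" "$1"; then result="$result $chain=ok"
        else result="$result $chain=missing"; fi
    done
    echo "${result# }"
}

# V1000H listing as shown in the article.
v1000h_listing() { cat <<'EOF'
Bridge table: filter
Bridge chain: INPUT, entries: 3, policy: ACCEPT
-p IPv4 --ip-dst 192.168.1.254 --ip-proto 6 --ip-dport 21 -j DROP
-p IPv4 --ip-dst 192.168.1.254 --ip-proto 6 --ip-dport 22 -j DROP
-p IPv4 --ip-dst 192.168.1.254 --ip-proto 6 --ip-dport 53 -j DROP
Bridge chain: FORWARD, entries: 0, policy: ACCEPT
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
EOF
}

# Constructed sample: what the WNR3500L should list after the startup script.
wnr3500l_listing() { cat <<'EOF'
Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: FORWARD, entries: 1, policy: ACCEPT
-o eth1 --pkttype-type multicast -j DROP
Bridge chain: OUTPUT, entries: 1, policy: ACCEPT
-o eth1 --pkttype-type multicast -j DROP
EOF
}
v1000h_listing | audit_wlan eth1      # FORWARD=missing OUTPUT=missing
wnr3500l_listing | audit_wlan eth1    # FORWARD=ok OUTPUT=ok
```

A `missing` result after a reboot usually means one of the `insmod` lines failed, which is the same condition that produces the "kernel doesn’t support a certain ebtables extension" error mentioned earlier.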
Astute readers may also be wondering whether it is possible to put your Telus Optik TV PVRs and STBs behind your own router. The answer is a qualified “yes”. Although I don’t currently have my network set up like that, I did try it for a day a few weeks ago and had some success after much trial and error. I may even write a how-to story about it in the near future. For now, all I will say is that I used pfSense with IGMP Proxy. The details, unfortunately, are a proverbial “exercise for the reader”.








Thanks for taking some of the mystery out of Telus Optik TV.