Network details
eth0 = internet
eth1 = LAN
eth0.252 = IPTV VLAN
LAN subnet = 192.168.1.0/24
Steps
1. Add a new VLAN interface
2. For the interface MAC, set the MAC address of your Inteno router (not sure if this is needed)
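3. For the interface DHCP / route settings, set the values shown under dhcp-options for vif 252 in the full config below (default-route no-update, default-route-distance 210, name-server no-update)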
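4. For the firewall, create an address group IPTV for the multicast traffic, then the IPTV_IN and IPTV_LOCAL rulesets below. The rulesets only take effect once they are attached to the VLAN interface as `in` and `local` (see vif 252 in the full config).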
/* Multicast destination ranges the author's provider streams channels to (one address per channel, per the author); other providers use different ranges. */
address-group IPTV { address 239.16.116.0/24 address 239.16.117.0/24 description "" }
/* IPTV_IN: bound as `in` on vif 252 in the full config, i.e. it filters packets that arrive on the IPTV VLAN and are forwarded through the router. Anything not matched below is dropped. */
name IPTV_IN
{
default-action drop
description ""
/* Return traffic for flows the router already tracks. */
rule 10
{
action accept
description "Allow established/related"
log disable
protocol all
state
{
established enable
invalid disable
new disable
related enable
}
}
/* NOTE(review): matches on protocol and destination group only, so any source address and any UDP port is accepted for these groups. The author reports the streams on UDP port 5555; adding a destination port would narrow the rule. */
rule 20
{
action accept
description "Allow multicast"
destination {
group {
address-group IPTV
}
}
log disable
protocol udp
}
/* NOTE(review): this rule comes after the accept rules and the default-action is already drop, so as written it changes nothing; to filter invalid-state packets before rule 20 it needs a lower rule number. Logging is disabled here and no enable-default-log is set, so drops on this VLAN are not recorded. */
rule 30
{
action drop
description "Drop invalid state"
log disable
protocol all
state {
established disable
invalid enable
new disable
related disable
}
}
}
/* IPTV_LOCAL: bound as `local` on vif 252 in the full config, i.e. it filters packets from the IPTV VLAN that are addressed to the router itself. The description below is the same text as WAN_LOCAL's; this ruleset covers the IPTV VLAN, not eth0. Anything not matched is dropped, which keeps the router's own services off the provider's IPTV network. */
name IPTV_LOCAL {
default-action drop
description "WAN to router"
/* Return traffic for flows the router already tracks. */
rule 10
{
action accept
description "Allow established/related"
log disable
protocol all
state {
established enable
related enable
}
}
/* NOTE(review): the source block is empty, so this accepts UDP from any source and to any port as long as the destination is in the IPTV group. */
rule 20
{
action accept
description "Allow multicast"
destination {
group {
address-group IPTV
}
}
log disable
protocol udp
source {
}
}
/* IGMP from the provider side must reach the router itself because igmp-proxy runs there (eth0.252 is its upstream interface in the full config). No source restriction is applied. */
rule 30
{
action accept
description "Allow IGMP"
log disable
protocol igmp
}
/* NOTE(review): placed after the accept rules with default-action drop, so it has no effect of its own; drops are not logged (log disable, no enable-default-log). */
rule 40
{
action drop
description "Drop invalid state"
log disable
protocol all
state {
invalid enable
}
}
}
7. Done!
Full(ish) config.boot
/* Firewall section of the author's config.boot. Four rulesets: IPTV_IN / IPTV_LOCAL for the IPTV VLAN (eth0.252) and WAN_IN / WAN_LOCAL for the internet interface (eth0); the bindings are in the interfaces section. */
firewall {
all-ping enable
broadcast-ping disable
group {
/* Multicast destination ranges of the author's provider; provider-specific values. */
address-group IPTV {
address 239.16.116.0/24
address 239.16.117.0/24
description ""
}
}
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
/* Forwarded traffic arriving on the IPTV VLAN. Default drop. */
name IPTV_IN {
default-action drop
description ""
rule 10 {
action accept
description "Allow established/related"
log disable
protocol all
state {
established enable
invalid disable
new disable
related enable
}
}
/* NOTE(review): destination group and protocol only; any source address and any UDP port is accepted for these groups. */
rule 20 {
action accept
description "Allow multicast"
destination {
group {
address-group IPTV
}
}
log disable
protocol udp
}
/* NOTE(review): evaluated after the accept rules and the default-action is already drop, so it has no effect as written; it would need a lower rule number to act before rule 20. */
rule 30 {
action drop
description "Drop invalid state"
log disable
protocol all
state {
established disable
invalid enable
new disable
related disable
}
}
}
/* Traffic from the IPTV VLAN addressed to the router itself. Default drop. The description repeats WAN_LOCAL's text but the ruleset is bound to vif 252. */
name IPTV_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action accept
description "Allow established/related"
log disable
protocol all
state {
established enable
related enable
}
}
/* NOTE(review): empty source block, so no source restriction; any UDP port. */
rule 20 {
action accept
description "Allow multicast"
destination {
group {
address-group IPTV
}
}
log disable
protocol udp
source {
}
}
/* IGMP must reach the router because igmp-proxy uses eth0.252 as its upstream interface. */
rule 30 {
action accept
description "Allow IGMP"
log disable
protocol igmp
}
rule 40 {
action drop
description "Drop invalid state"
log disable
protocol all
state {
invalid enable
}
}
}
/* Forwarded traffic arriving from the internet on eth0: only return traffic is accepted. This is the one drop rule in the file with logging enabled. */
name WAN_IN {
default-action drop
description "WAN to internal"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
rule 70 {
action drop
description "Drop invalid state"
log enable
state {
invalid enable
}
}
}
/* Traffic from the internet addressed to the router itself. */
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action accept
description "Allow established/related"
state {
established enable
related enable
}
}
/* NOTE(review): accepts IGMP from any source on the internet-facing interface, while igmp-proxy lists eth0 with role disabled; this rule looks unnecessary for the IPTV setup - confirm and remove if so. */
rule 60 {
action accept
description IGMP
log disable
protocol igmp
}
rule 70 {
action drop
description "Drop invalid state"
state {
invalid enable
}
}
}
receive-redirects disable
send-redirects enable
/* NOTE(review): reverse-path source validation is off on all interfaces. Presumably needed because the multicast sources are not routed via eth0.252 (default-route no-update on that VLAN) - confirm; `loose` is the stricter alternative to try first. */
source-validation disable
syn-cookies enable
}
/* Interface section. eth0 = internet, eth0.252 = IPTV VLAN, eth1 = LAN, eth4 = management, eth5 = SFP. Only eth0 and its vif 252 have firewall rulesets bound in this excerpt. */
interfaces {
ethernet eth0 {
address dhcp
description WAN
duplex auto
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
poe {
output off
}
speed auto
/* IPTV VLAN 252 on the WAN port, addressed by the provider's DHCP. */
vif 252 {
address dhcp
description IPTV
/* Keeps the IPTV lease from replacing the router's internet default route and DNS servers; the author says this was needed to change the default route that came in from DHCP. */
dhcp-options {
default-route no-update
default-route-distance 210
name-server no-update
}
/* Both directions are bound: `in` for forwarded traffic, `local` for traffic to the router itself. Without the `local` binding the router's own services would be reachable from the provider's IPTV network. */
firewall {
in {
name IPTV_IN
}
local {
name IPTV_LOCAL
}
}
/* Placeholder: replace with the MAC address of the provider's Inteno router (the author is not sure this is required). */
mac IN:TE:NO:MA:CC:CC
}
}
ethernet eth1 {
address 192.168.1.1/24
description LAN
duplex auto
poe {
output off
}
speed auto
}
ethernet eth2 {
disable
duplex auto
poe {
output off
}
speed auto
}
ethernet eth3 {
disable
duplex auto
poe {
output off
}
speed auto
}
/* Separate management subnet; no firewall ruleset is bound to it in this excerpt. */
ethernet eth4 {
address 192.168.10.1/24
description Management
duplex auto
poe {
output off
}
speed auto
}
/* NOTE(review): eth5 takes an address by DHCP and has no `in` or `local` ruleset in this excerpt. If the SFP port is ever connected to a network that is not trusted, the router's GUI and SSH are reachable from it; bind WAN_IN / WAN_LOCAL here or disable the port like eth2 and eth3. */
ethernet eth5 {
address dhcp
description SFP
duplex auto
speed auto
}
loopback lo {
}
switch switch0 {
description Switch0
mtu 1500
}
}
/* Port-forward settings for the internet interface. No forward rules are listed in this excerpt (the author removed some details); with auto-firewall enabled, matching accept rules are presumably generated for any rule added later - review WAN_IN after adding one. */
port-forward {
auto-firewall enable
hairpin-nat disable
wan-interface eth0
}
/* IGMP proxy: relays group membership from the LAN (downstream) to the IPTV VLAN (upstream). */
protocols {
igmp-proxy {
/* The internet interface takes no part in the proxy. */
interface eth0 {
role disabled
threshold 1
}
/* NOTE(review): alt-subnet 0.0.0.0/0 accepts multicast sources from any subnet on the upstream side. If the provider's source ranges are known, listing them here is tighter. */
interface eth0.252 {
alt-subnet 0.0.0.0/0
role upstream
threshold 1
}
/* Membership reports are accepted from the LAN subnet only. */
interface eth1 {
alt-subnet 192.168.1.0/24
role downstream
threshold 1
}
}
static {
}
}
/* Router services: DHCP server for the LAN, DNS forwarder, web GUI, NAT, SSH. */
service {
dhcp-server {
disabled false
hostfile-update disable
shared-network-name LAN {
authoritative enable
subnet 192.168.1.0/24 {
default-router 192.168.1.1
/* LAN clients are handed the OpenDNS resolvers directly, not the router's forwarder. */
dns-server 208.67.222.222
dns-server 208.67.220.220
lease 86400
start 192.168.1.50 {
stop 192.168.1.199
}
}
}
use-dnsmasq disable
}
dns {
/* The forwarder listens on the LAN interface only. */
forwarding {
cache-size 150
listen-on eth1
}
}
/* NOTE(review): older-ciphers enable lets the web UI negotiate legacy TLS cipher suites; set it to disable unless an old client must connect. No listen-address is set in this excerpt, so the GUI presumably answers on every interface address and relies on the `local` rulesets, which are bound only to eth0 and eth0.252 here. */
gui {
http-port 80
https-port 443
older-ciphers enable
}
/* Source NAT for traffic leaving by the internet interface only. */
nat {
rule 5010 {
description "masquerade for WAN"
outbound-interface eth0
type masquerade
}
}
/* NOTE(review): no listen-address in this excerpt, so SSH presumably listens on every interface address; exposure is limited by WAN_LOCAL and IPTV_LOCAL only where those are bound. */
ssh {
port 22
protocol-version v2
}
ubnt-discover {
disable
}
}
Keywords: Sonera Viihde, Fibre, Fiber, sonera telia viihde iptv omalla reitittimellä


Hello
I'm trying to follow your guide, but I can't seem to find where to make the changes in steps 2 and 3. I don't know if it's because I'm on a newer FW or if I'm just stupid or blind (maybe both). Can you please point me in the right direction?
Behind Config Tree button second right of main tabs.
Thanks for the quick reply. You don't have to publish this comment, I just have to ask you if I maybe just can buy your config.boot file to upload to my router. Because I have taken water WAY over my head here. I have tried to follow so many guides on how to fix this, but I always get stuck on a step and I can't get past it; obviously I just don't have the skills required.
So as I said, I will be more than happy to pay you for your config file.
Added full (removed some non-public details, though) config file, if you compare it side by side with yours you should be able to make relevant changes. I don't have this up and running anymore as gave up with Telia TV, but in case it helps you get it working, you can find me at paypal.me/jussipalo.
Great! Thanks a lot!
Hi,
Thanks for a great write-up. May I ask what is the purpose of the firewall rules in this case? I'm guessing that IPTV should work without any firewall rules, right?
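I doubt it will work without any firewall rules. You need to allow IGMP and multicast, and I don't think you want to completely turn off the firewall for that interface, even though it would only be the IPTV VLAN: with no local ruleset on it, the router's own services (web GUI, SSH) would be reachable from the provider's IPTV network.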
Thanks, yes, that makes sense. For testing purposes, I've started with no firewall on eth0.6 (IPTV comes on VLAN 6 in my case), but unfortunately the STB says that the service is not available in this network. Not sure what the problem is, but someone suggested that I may need to use policy-based routing or load balancing to force all STB traffic through eth0.6, although I don't really know how to do that. Also, there seem to be some issues with ER-X and igmp-proxy needing a restart. It's not as simple as I thought it would be. I'm now using a VLAN-aware solution, but I don't really like it.
Could you please explain why you used 'no-update' for both 'default route' and 'name server'?
I needed to modify the default route that came in from DHCP; I believe I found it here: https://community.ubnt.com/t5/EdgeRouter/Some-traffic-taking-wrong-route-on-WAN/m-p/1009661/highlight/true#M42029
Hi! I was just wondering how to do this with the Ubiquiti USG; my menus look totally different from yours.
Thank you!
I'm glad you were able to find this document through Google search. I configured the IPTV provided by China Telecom on my er-x-sfp using the following configuration method:
#Set up the bridge
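# Commenter's EdgeOS commands: bridge the provider's IPTV VLAN (eth5.43) to the
# set-top-box port (eth4). The two members form one layer-2 segment, so the box
# sits directly on the provider's IPTV VLAN and none of the article's firewall
# rulesets are involved in this variant.
set interfaces bridge br0 aging 300
set interfaces bridge br0 bridged-conntrack disable
set interfaces bridge br0 hello-time 2
set interfaces bridge br0 max-age 20
set interfaces bridge br0 priority 32768
set interfaces bridge br0 promiscuous disable
set interfaces bridge br0 stp false
#Create a VLAN on eth5 and add it to the bridge (China Telecom IPTV VLanID 43)
set interfaces ethernet eth5 vif 43 bridge-group bridge br0
set interfaces ethernet eth5 vif 43 description IPTV
# Add eth4 to the bridge (this line was missing its comment marker and would
# otherwise be read as a command when the listing is pasted)
set interfaces ethernet eth4 bridge-group bridge br0
set interfaces ethernet eth4 description 'IPTV'
set interfaces ethernet eth4 duplex auto
set interfaces ethernet eth4 speed auto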
At this point, the IPTV box can successfully log in, and I can watch on-demand content (movies/TV shows). However, when watching live TV, it freezes after playing for about 10 seconds. I believe this is caused by incorrect configuration of IGMP snooping.
Could you please explain what the following code in this article means? I have a feeling that the multicast addresses 239.16.116.0/24 and 239.16.117.0/24 in this code are multicast addresses. How can I obtain the multicast addresses from the service provider?
/* Quoted from the article: the destination ranges matched by the "Allow multicast" rules. */
address-group IPTV
{
address 239.16.116.0/24
address 239.16.117.0/24
description ""
}
Yes, those are the multicast address spaces, so basically the channel-per-IP-address IP addresses from which channel is streamed. In my case they were udp://@239.16.116.1:5555, udp://@239.16.116.2:5555, etc.
I used a multicast scanner such as https://uross-digital-tools.appspot.com/iptvtools/?subpage=mctv_scanner to find the channels (not sure if it was exactly this app, but something similar).