TELUS Optik IPTV on Ubiquiti Unifi

Taking back the consumer LAN one step at a time…

As many have been, I’ve been tearing my hair out trying to get around using TELUS’ blasted Actiontec router. Sure, I could have just bridged it, but that’s just one more hop before it hits my network. I recently had PureFibre Gigabit installed (albeit the installer left a little too much of the fibre exposed, which I’m nervous about), which runs from the pole in the back alley, over my back yard, and down into my basement. Note, this house was built in 1921 and has quite the history (being one of the first houses in my city to have a POTS line, since the fire chief at the time built the home) and I’m quite sure no one was thinking about CAT6, let alone fibre, back then!

TELUS installed a Nokia branded ONT (of which I’m unsure the model as it’s screwed to the wall and I’m lazy) and left me with an Actiontec T3200M router. As soon as the installer left I threw a TP-Link PoE Gigabit switch I had lying around between the ONT and the Actiontec and ran CAT6 through the floor up into my den to my Unifi Security Gateway (USG). TELUS has no problem leasing a second IPv4 address. I could have left it this way; however, I prefer, if I can, to have things done in a centralized way (as far away from the ISP’s bloatware as possible).

Until today. After some research I’d left myself running in circles as to the right way to go about this (knowing that multicast is fidgety) and repurposed that same switch and plugged it into the WAN 2/LAN 2 port on the USG. From there I plugged both the 4K PVR receiver and 4K WiFi receiver into the switch and started cracking this nut.

Starting with IPv6

First, because I’d prefer to be future forward, configure your WAN interface for IPv6. TELUS uses DHCPv6 with a Prefix Delegation Size of 56. Configure this in Settings > Networks.

IPTV Configuration

Network

Once you’ve got that physical connection out of the way and part of the IPv6 configuration taken care of (more on that later), head on into the Unifi SDR UI into Settings > Network and create a new network. I named mine “IPTV” and configured it as below:

It’s a good idea to segregate this traffic from the rest of your network by using the WAN 2/LAN 2 port, for a number of reasons. Firstly, it’s not your own equipment; if it were somehow compromised, I’d rather it be at arm’s length. Most importantly, the IGMP proxy we’ll be configuring has a tendency to flood your network if it’s not just right. Having it on a separate interface prevents this.

DHCPv6 & IGMP Proxy

From here, you’ll see some activity light up that port and you’ll notice your TV start playing and then freeze about 15 seconds later. This is because of the way TELUS Optik IPTV works. TELUS licenses the use of Ericsson Mediaroom (formerly Microsoft Mediaroom prior to 2013) to deliver their service. You may remember the product as WebTV or MSN TV way back in the early 2000s. When you initially tune to a channel, the provider pushes a unicast connection to your receiver while your receiver joins the multicast stream (via IGMP) and starts listening. This takes less than 15 seconds and the transition is seamless. This means your provider can stream one connection to the multicast address and from there the network takes over. It’s impressive tech really.

You’re going to want to connect to your Unifi Controller, in this case my Unifi Cloud Key G2+. If you haven’t done this before I’d suggest having a look at this article in Ubiquiti’s Knowledge Base.

Once logged into your controller, go ahead and enter the following commands:

cd /srv/unifi/data/sites/default
apt update
apt install nano -y

This will change your directory to the default site configuration override directory and install nano because I hate vi. If your site name is different you’ll get an error. Change directory to /srv/unifi/data/sites/ and ls to find out which directory is right for you.

We need to create a new file named config.gateway.json. Go ahead and run nano config.gateway.json.

There are two things we need to accomplish here. First, finish up our IPv6 configuration.

{
         "interfaces": {
                 "ethernet": {
                         "eth0": {
                                 "dhcpv6-pd": {
                                         "prefix-only": "''"
                                 }
                         }
                 }
         },

TELUS provides only endpoint addresses (DHCPv6-IA) and does not delegate prefixes (DHCPv6-PD). There’s no setting in the web GUI to indicate this, so we need to add it here. Without it your USG will not get an IPv6 address from TELUS and your CPU will be pinned at 40-50%.

Next, we need to activate the IGMP proxy on the USG. This also is not configurable via the web GUI, which is why we need to get down and dirty.

Append this to the previous chunk of JSON:

    "protocols": {
            "igmp-proxy": {
                    "disable-quicksave": "''",
                    "interface": {
                            "eth0": {
                                    "alt-subnet": "0.0.0.0/0",
                                    "role": "upstream",
                                    "threshold": "1"
                            },
                            "eth2": {
                                    "alt-subnet": "0.0.0.0/0",
                                    "role": "downstream",
                                    "threshold": "1"
                            }
                    }
            }
    }
}

We’re playing with some fire here, so it’s a good idea to run your JSON through a validator first before saving the file to your controller. What this JSON is doing is letting the USG know to start the IGMP proxy and configure eth0 (WAN) as the upstream IGMP interface and eth2 (WAN 2/LAN 2) as the downstream.
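
One way to do the validation recommended above, as an added example that is not part of the original post: a Python check that parses the assembled config.gateway.json and then confirms the IGMP proxy section is coherent. The function name, the sample text (the two fragments from this post joined together) and the rule of exactly one upstream interface with at least one downstream are assumptions of this example.

```python
import ipaddress
import json

# Constructed sample: the two fragments from this post joined into one file.
SAMPLE = """{
  "interfaces": {"ethernet": {"eth0": {"dhcpv6-pd": {"prefix-only": "''"}}}},
  "protocols": {"igmp-proxy": {
    "disable-quicksave": "''",
    "interface": {
      "eth0": {"alt-subnet": "0.0.0.0/0", "role": "upstream", "threshold": "1"},
      "eth2": {"alt-subnet": "0.0.0.0/0", "role": "downstream", "threshold": "1"}
    }
  }}
}"""


def check_gateway_config(text):
    """Return a list of problems; an empty list means the file passed."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        # Stray braces and trailing commas land here, with their position.
        return [f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"]
    try:
        ifaces = cfg["protocols"]["igmp-proxy"]["interface"]
    except (KeyError, TypeError):
        ifaces = None
    if not isinstance(ifaces, dict):
        return ["protocols > igmp-proxy > interface is missing or not an object"]
    problems = []
    roles = {"upstream": [], "downstream": [], "disabled": []}
    for name, opts in ifaces.items():
        opts = opts if isinstance(opts, dict) else {}
        role = opts.get("role")
        if role in roles:
            roles[role].append(name)
        else:
            problems.append(f"{name}: unexpected role {role!r}")
        if "alt-subnet" in opts:
            try:
                ipaddress.IPv4Network(opts["alt-subnet"])
            except ValueError:
                problems.append(f"{name}: alt-subnet is not a valid IPv4 network")
    # Assumption: the proxy wants one upstream and one or more downstream ports.
    if len(roles["upstream"]) != 1:
        problems.append(f"expected exactly one upstream interface, found {roles['upstream']}")
    if not roles["downstream"]:
        problems.append("no downstream interface defined")
    return problems
```

Pass it the contents of your own file on any machine with Python 3 before copying the file to the controller; an empty list means both the syntax and the upstream/downstream layout check out.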

From here, save your file by pressing CTRL+X, Y, and ENTER.

We need to do one more configuration change and that will go into another new file, config.properties.

Run nano config.properties and put the following line into the file:

config.system_cfg.1=switch.igmp.header_checking=false

Normally if we were only making changes to these two files we would need to force provision the USG. As we’re going to continue on in the Unifi SDR UI we can skip that step. If you’re still following along, awesome work. You’re killing it. I’m proud of you. Really, I am. This, for me, is the culmination of about 7 hours of experimentation, WireShark-ing, and a bottle of Wine O’Clock Shiraz.

Static Routes

We can head back into the Unifi SDR and head to Settings > Routing & Firewall. We need to create three routes:

These routes will be consistent across the country; however, the “Next Hop” will be different. This is the USG’s gateway, something you can find by running a traceroute from your computer to somewhere on the internet.

These instruct the USG to route all traffic to any of the three subnets through the “Next Hop” and only the next hop. The Destination Networks we need to configure are:

  • 207.0.0.0/8
  • 209.0.0.0/8
  • 216.0.0.0/8

Firewall Configuration

Next, we’ll jump over to the “Firewall” tab and configure a couple of firewall rules. Before we do that, click the “Groups” subtab and we’ll define a couple of firewall groups. Choose “Create new group” and configure your first group as follows:

This defines the groups of machines that will be permitted through the firewall into your IPTV network over UDP that we will create next. Before we can do that we need to define one more group as follows:

This group defines the subnet of IPv4 space reserved for multicasting. Move back to the “Rules IPv4” subtab, make sure you’re looking at the “WAN IN” rules and choose “Create new rule”. Configure your rule as follows:

This will allow all UDP traffic from the IPv4 Address Group we created just a moment ago through into the IGMP proxy we set up earlier. The IGMP proxy will do exactly as it’s named: proxy the IGMP packets into your network as we defined earlier, specifically to the eth2 interface.

We need to create one more firewall rule under “WAN LOCAL”:

This rule will allow IGMP packets to flow freely from the IGMP proxy into your IPTV network – your eth2 (WAN 2/LAN 2) interface. This also allows IGMP traffic to flow between receivers (for watching PVR recorded video).

Wrapping it up…

And with that, you should be able to tune your Optik TV receiver to a channel and have uninterrupted TV. So what we’ve accomplished is the following:

Thanks for reading along. If you have any questions or comments please reach out in the comments below. I hope that this helps you liberate yourself from that damn Actiontec router, too!
