
TELUS Optik IPTV on Ubiquiti Unifi

Taking back the consumer LAN one step at a time…

As many have been, I’ve been tearing my hair out trying to get around using TELUS’ blasted Actiontec router. Sure, I could have just bridged it but that’s just one more hop before it hits my network. I recently had PureFibre Gigabit installed (albeit the installer left a little too much of the fibre exposed, which I’m nervous about) which runs from the pole in the back alley, over my back yard, and down into my basement. Note, this house was built in 1921 and has quite the history (being one of the first houses in my city to have a POTS line, as the fire chief at the time built the home) and I’m quite sure no one was thinking about CAT6, let alone fibre, back then!

TELUS installed a Nokia branded ONT (of which I’m unsure the model as it’s screwed to the wall and I’m lazy) and left me with an Actiontec T3200M router. As soon as the installer left I threw a TP-Link PoE Gigabit switch I had lying around between the ONT and the Actiontec and ran CAT6 through the floor up into my den to my Unifi Security Gateway (USG). TELUS has no problem leasing a second IPv4 address. I could have left it this way; however, I prefer, if I can, to have things done in a centralized way (as far away from the ISP’s bloatware as possible).

Until today. After some research I’d left myself running in circles as to the right way to go about this (knowing that multicast is fidgety) and repurposed that same switch, plugging it into the WAN 2/LAN 2 port on the USG. From there I plugged both the 4K PVR receiver and 4K WiFi receiver into the switch and started cracking this nut.

Note: since writing this article, I’ve moved the STBs to the USG port LAN 1. This is due to problems with Optik on the Go. I’ve connected the STBs to a port on one of my Unifi Switch 8 60W switches and set the port accordingly in the Unifi SDN. Please watch for more writer’s notes as we go along. There are also two Addendums located at the bottom of the article.

Starting with IPv6

First, because I’d prefer to be future forward, configure your WAN interface for IPv6. TELUS uses DHCPv6 with a Prefix Delegation Size of 56. Configure this in Settings > Networks.

IPTV Configuration

Network

Once you’ve got that physical connection out of the way and part of the IPv6 configuration taken care of (more on that later), head on into the Unifi SDN UI into Settings > Network and create a new network. I named mine “IPTV” and configured it as below:

It’s a good idea to segregate this traffic from the rest of your network by using the WAN 2/LAN 2 port, for a number of reasons. First, it’s not your own equipment: if it were somehow compromised I’d rather it be at arm’s length. Most importantly, the IGMP proxy we’ll be configuring has a tendency to flood your network if it’s not just right. Having it on a separate interface prevents this.

DHCPv6 & IGMP Proxy

From here, you’ll see some activity light up that port and you’ll notice your TV start playing and then freeze about 15 seconds later. This is because of the way TELUS Optik IPTV works. TELUS licenses the use of Ericsson Mediaroom (formerly Microsoft Mediaroom prior to 2013) to deliver their service. You may remember the product as WebTV or MSN TV way back in the early 2000’s. When you initially tune to a channel the provider pushes a unicast connection to your receiver while your receiver joins the multicast stream (via IGMP) and starts listening. This takes less than 15 seconds and the transition is seamless. This means your provider can stream one connection to the multicast address and from there the network takes over. It’s impressive tech really.

You’re going to want to connect to your Unifi Controller, in this case my Unifi Cloud Key G2+. If you haven’t done this before I’d suggest having a look at this article in Ubiquiti’s Knowledge Base.

Once logged into your controller, go ahead and enter the following commands:

cd /srv/unifi/data/sites/default
apt update
apt install nano -y

This will change your directory to the default site configuration override directory and install nano because I hate vi. If your site name is different you’ll get an error. Change directory to /srv/unifi/data/sites/ and ls to find out which directory is right for you.

We need to create a new file named config.gateway.json. Go ahead and run nano config.gateway.json.

There are two things we need to accomplish here. First, finish up our IPv6 configuration.

{
    "interfaces": {
            "ethernet": {
                    "eth0": {
                            "dhcpv6-pd": {
                                    "prefix-only": "''"
                            }
                    }
            }
    },

TELUS provides only endpoint addresses (DHCPv6-IA) and does not delegate prefixes (DHCPv6-PD). There’s no setting in the web GUI for this, so we need to add it here. Without it your USG will not get an IPv6 address from TELUS and your CPU will be pinned at 40-50%.

Next, we need to activate the IGMP proxy on the USG. This is also not configurable via the web GUI, which is why we need to get down and dirty.

Append this to the previous chunk of JSON:

    "protocols": {
            "igmp-proxy": {
                    "disable-quicksave": "''",
                    "interface": {
                            "eth0": {
                                    "alt-subnet": "0.0.0.0/0",
                                    "role": "upstream",
                                    "threshold": "1"
                            },
                            "eth2": {
                                    "alt-subnet": "0.0.0.0/0",
                                    "role": "downstream",
                                    "threshold": "1"
                            }
                    }
            }
    }
}

We’re playing with some fire here, so it’s a good idea to run your JSON through a validator first before saving the file to your controller. What this JSON is doing is letting the USG know to start the IGMP proxy and configure eth0 (WAN) as the upstream IGMP interface and eth2 (WAN 2/LAN 2) as the downstream.

Note: if you use Optik on the Go or would otherwise prefer to have the Optik STBs on LAN 1, your downstream interface should be eth1.
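One way to take the validation step further than syntax, as an added example that is not part of the original article: it parses the merged file and checks that the IGMP proxy has exactly one upstream interface (the WAN), that downstream stays confined to the IPTV port so multicast cannot flood another segment, and that the DHCPv6 fragment survived the merge. The names `dig` and `check_gateway_config` are hypothetical, and the sample is constructed by joining the two fragments above.

```python
import json

# Constructed sample: the article's two fragments joined into one document.
SAMPLE = """
{
  "interfaces": {"ethernet": {"eth0": {"dhcpv6-pd": {"prefix-only": "''"}}}},
  "protocols": {"igmp-proxy": {
    "disable-quicksave": "''",
    "interface": {
      "eth0": {"alt-subnet": "0.0.0.0/0", "role": "upstream", "threshold": "1"},
      "eth2": {"alt-subnet": "0.0.0.0/0", "role": "downstream", "threshold": "1"}
    }}}
}
"""

def dig(node, *keys):
    """Walk nested objects; return {} when a key is absent or not an object."""
    for key in keys:
        node = node.get(key, {}) if isinstance(node, dict) else {}
    return node if isinstance(node, dict) else {}

def check_gateway_config(text, wan="eth0", iptv=("eth2",)):
    """Return a list of problems; an empty list means every check passed."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"]
    problems = []
    by_role = {}
    for name, opts in dig(cfg, "protocols", "igmp-proxy", "interface").items():
        role = opts.get("role") if isinstance(opts, dict) else None
        by_role.setdefault(role, []).append(name)
    # The proxy needs exactly one upstream interface, and it must be the WAN.
    if by_role.get("upstream", []) != [wan]:
        problems.append(f"upstream must be only {wan!r}, found {by_role.get('upstream', [])}")
    # Multicast is only meant to reach the IPTV segment; any other downstream
    # interface would let the streams flood that network as well.
    downstream = by_role.get("downstream", [])
    if not downstream:
        problems.append("no downstream interface defined")
    for name in downstream:
        if name not in iptv:
            problems.append(f"unexpected downstream interface {name!r}")
    # The DHCPv6 fragment must still be present after merging both chunks.
    pd = dig(cfg, "interfaces", "ethernet", wan, "dhcpv6-pd")
    if "prefix-only" not in pd:
        problems.append(f"interfaces.ethernet.{wan}.dhcpv6-pd.prefix-only is missing")
    return problems
```

For the LAN 1 layout described in the note above, call it with `iptv=("eth1",)`.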

From here, save your file by pressing CTRL+X, Y, and ENTER.

We need to make one more configuration change, and that will go into another new file, config.properties.

Run nano config.properties and put the following line into the file:

config.system_cfg.1=switch.igmp.header_checking=false

Normally if we were only making changes to these two files we would need to force provision the USG. As we’re going to continue on in the Unifi SDN UI we can skip that step. If you’re still following along, awesome work. You’re killing it. I’m proud of you. Really, I am. This, for me, is the culmination of about 7 hours of experimentation, WireShark-ing, and a bottle of Wine O’Clock Shiraz.

Static Routes

We can head back into the Unifi SDN and head to Settings > Routing & Firewall. We need to create three routes:

These routes will be consistent across the country; however, the “Next Hop” will be different. This is the USG’s gateway, something you can find by running a traceroute from your computer to somewhere on the internet, or by logging into the USG via SSH and executing: ip route show

Look for a line indicating your WAN IP address routed to a subnet such as below:

I blocked out my full IP address however you’ll see that eth0 is pointed to 209.89.184.0/22. For the purposes of creating the routes in Unifi, the address will instead be 209.89.184.1, in my example. This will ensure that the traffic to the Optik servers is routed as efficiently as possible.

Creating the routes in Unifi is pretty quick and painless, as depicted below:

These instruct the USG to route all traffic to any of the three subnets through the “Next Hop” and only the next hop. The Destination Networks we need to configure are:

  • 207.0.0.0/8
  • 209.0.0.0/8
  • 216.0.0.0/8

Firewall Configuration

Next, we’ll jump over to the “Firewall” tab and configure a couple of firewall rules. Before we do that, click the “Groups” subtab and we’ll define a couple of firewall groups. Choose “Create new group” and configure your first group as follows:

This defines the groups of machines that will be permitted through the firewall into your IPTV network over UDP that we will create next. Before we can do that we need to define one more group as follows:

This group defines the subnet of IPv4 space reserved for multicasting. Move back to the “Rules IPv4” subtab, make sure you’re looking at the “WAN IN” rules and choose “Create new rule“. Configure your rule as follows:

This will allow all UDP traffic from the IPv4 Address Group we created just a moment ago through into the IGMP proxy we set up earlier. The IGMP proxy will do exactly as it’s named: proxy the IGMP packets into your network as we defined earlier, specifically to the eth2 interface. (Note: if you have the STBs connected via the USG’s LAN 1 port, this is the eth1 interface instead.)

We need to create one more firewall rule under “WAN LOCAL”:

This rule will allow IGMP packets to flow freely from the IGMP proxy into your IPTV network – your eth2 (WAN 2/LAN 2) interface. This also allows IGMP traffic to flow between receivers (for watching PVR recorded video). (Again, note: if you have the STBs connected via the USG’s LAN 1 port, this is the eth1 interface instead.)

Wrapping it up…

And with that, you should be able to tune your Optik TV receiver to a channel and have uninterrupted TV. So what we’ve accomplished is the following:

Thanks for reading along. If you have any questions or comments please reach out in the comments below. I hope that this helps you liberate yourself of that damn Actiontec router, too!

Addendum 1: Using the USG’s LAN 1 & VLAN

As with any project I learned a good amount and after writing this article decided to open TELUS’ Optik on the Go to find that I ran into the multicast issue. I quickly realized that this was due to all multicast traffic being routed to the USG’s WAN 2/LAN 2 (eth2) interface.

I’ve made some writer’s notes to the guide above; however, the physical connection bears clarifying. The STBs instead were connected to the Unifi Switch 8 60W and within the Unifi SDN I’ve manually assigned the IPTV VLAN we created to those ports.

Navigate to the Devices screen and click on the switch you wish to configure. From there, click on the Ports icon and choose the ports you wish to edit. For me, this was ports 2 and 3.

Choose your IPTV VLAN from the Switch Port Profile dropdown selector and choose Apply. If you have already connected your STBs to those ports you’ll need to reboot them for the changes to take effect.

Addendum 2: VDSL applications

A huge thanks to u/JACK_DAGNIELS on the r/telus subreddit for asking this rather important question for those that do not have the ability to remove the Actiontec router from their deployment due to it being the hardware that has the DSL modem in it.

Unfortunately in this type of installation we’ll have to consider the Actiontec router. To use the USG as your LAN’s gateway (and to prevent a painful double-NAT situation), log into the Actiontec’s configuration and enable Bridge Mode. Then connect the LAN 1 port on the Actiontec to the WAN 1 port on the USG. That’s it!

If you have any questions or comments about getting this sort of project done, please don’t hesitate to leave a comment!