Taking back the consumer LAN one step at a time…
As many have been, I’ve been tearing my hair out trying to get around using TELUS’ blasted Actiontec router. Sure, I could have just bridged it but that’s just one more hop before it hits my network. I recently had PureFibre Gigabit installed (albeit the installer left a little too much of the fibre exposed, which I’m nervous around) which runs from the pole in the back alley, over my back yard, and down into my basement. Note, this house was built in 1921 and has quite the history (being one of the first houses in my city to have a POTS line, since the fire chief at the time built the home) and I’m quite sure no one was thinking about CAT6 let alone fibre back then!
TELUS installed a Nokia branded ONT (of which I’m unsure the model as it’s screwed to the wall and I’m lazy) and left me with an Actiontec T3200M router. As soon as the installer left I threw a TP-Link PoE Gigabit switch I had laying around between the ONT and the Actiontec and ran CAT6 through the floor up into my den to my Unifi Security Gateway (USG). TELUS has no problem leasing a second IPv4 address. I could have left it this way, however I prefer, if I can, to have things done in a centralized way (as far away from the ISP’s bloatware as possible).
Until today. After some research I’d left myself running in circles as to the right way to go about this (knowing that multicast is fidgety), so I repurposed that same switch and plugged it into the WAN 2/LAN 2 port on the USG. From there I plugged both the 4K PVR receiver and 4K WiFi receiver into the switch and started cracking this nut.
Note: since writing this article, I’ve since moved the STBs to the USG port LAN 1. This is due to problems with Optik on the Go. I’ve connected the STBs to a port on one of my Unifi Switch 8 60W switches and set the port accordingly in the Unifi SDN. Please watch for more writer’s notes as we go along. There’s also two Addendums located at the bottom of the article.
Starting with IPv6
First, because I’d prefer to be future forward, configure your WAN interface for IPv6. TELUS uses DHCPv6 with a Prefix Delegation Size of 56. Configure this in Settings > Networks.
IPTV Configuration
Network
Once you’ve got that physical connection out of the way and part of the IPv6 configuration taken care of (more on that later), head on into the Unifi SDN UI into Settings > Network and create a new network. I named mine “IPTV” and configured it as below:
It’s a good idea to segregate this traffic from the rest of your network by using the WAN 2/LAN 2 port, for a number of reasons. Firstly, it’s not your own equipment – if it were somehow compromised I’d rather it be at arm’s length. Most importantly, the IGMP proxy we’ll be configuring has a tendency to flood your network if it’s not just right. Having it on a separate interface prevents this.
DHCPv6 & IGMP Proxy
From here, you’ll see some activity light up that port and you’ll notice your TV start playing and then freeze about 15 seconds later. This is because of the way TELUS Optik IPTV works. TELUS licenses the use of Ericsson Mediaroom (formerly Microsoft Mediaroom prior to 2013) to deliver their service. You may remember the product as WebTV or MSN TV way back in the early 2000’s. When you initially tune to a channel the provider pushes a unicast connection to your receiver while your receiver joins the multicast stream (via IGMP) and starts listening. This takes less than 15 seconds and the transition is seamless. This means your provider can stream one connection to the multicast address and from there the network takes over. It’s impressive tech really.
You’re going to want to connect to your Unifi Controller, in this case my Unifi Cloud Key G2+. If you haven’t done this before I’d suggest having a look at this article in Ubiquiti’s Knowledge Base.
Once logged into your controller, go ahead and enter the following commands:
cd /srv/unifi/data/sites/default
apt update
apt install nano -y
This will change your directory to the default site configuration override directory and install nano because I hate vi. If your site name is different you’ll get an error. Change directory to /srv/unifi/data/sites/ and ls to find out which directory is right for you.
We need to create a new file named config.gateway.json. Go ahead and run nano config.gateway.json.
There’s two things we need to accomplish here. First, finish up our IPv6 configuration.
{
  "interfaces": {
    "ethernet": {
      "eth0": {
        "dhcpv6-pd": {
          "prefix-only": "''"
        }
      }
    }
  },
TELUS provides only endpoint addresses (DHCPv6-IA) and does not delegate prefixes (DHCPv6-PD). There’s no configuration in the web GUI to indicate this so we’re needing to add this here. Without it your USG will not get an IPv6 address from TELUS and your CPU will be pinned at 40-50%.
Next, we need to activate the IGMP proxy on the USG. This also is not configurable via the web GUI, hence why we need to get down and dirty.
Append this to the previous chunk of JSON:
  "protocols": {
    "igmp-proxy": {
      "disable-quicksave": "''",
      "interface": {
        "eth0": {
          "alt-subnet": "0.0.0.0/0",
          "role": "upstream",
          "threshold": "1"
        },
        "eth2": {
          "alt-subnet": "0.0.0.0/0",
          "role": "downstream",
          "threshold": "1"
        }
      }
    }
  }
}
We’re playing with some fire here, so it’s a good idea to run your JSON through a validator first before saving the file to your controller. What this JSON is doing is letting the USG know to start the IGMP proxy and configure eth0 (WAN) as the upstream IGMP interface and eth2 (WAN 2/LAN 2) as the downstream.
Note: if you use Optik on the Go or would otherwise prefer to have the Optik STBs on LAN 1, your downstream interface should be eth1.
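A local check to run before saving the file, as an added example that is not part of the original post. It goes beyond plain JSON validation: it also catches the curly quotes that appear when the JSON is copied from a rendered web page, confirms there is exactly one upstream and at least one downstream IGMP interface, and checks that the value-less options use the `"''"` form shown above. The function name and the sample inputs are assumptions made for this example.

```python
import json

CURLY = "\u201c\u201d\u2018\u2019"  # quote characters a blog or word processor substitutes

def check_gateway_config(text):
    """Return a list of problems in a candidate config.gateway.json (empty list = OK)."""
    found = sorted({c for c in text if c in CURLY})
    if found:
        return ["curly quotes in file: " + ", ".join(f"U+{ord(c):04X}" for c in found)]
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON at line {exc.lineno} col {exc.colno}: {exc.msg}"]
    if not isinstance(cfg, dict):
        return ["top level must be a JSON object"]
    problems = []
    proxy = cfg.get("protocols", {}).get("igmp-proxy", {})
    roles = {n: o.get("role") for n, o in proxy.get("interface", {}).items()}
    upstream = sorted(n for n, r in roles.items() if r == "upstream")
    downstream = sorted(n for n, r in roles.items() if r == "downstream")
    if len(upstream) != 1:
        problems.append(f"need exactly one upstream interface, found {upstream}")
    if not downstream:
        problems.append("no downstream interface")
    # The guide writes value-less options as a string holding two single quotes.
    flags = {"disable-quicksave": proxy.get("disable-quicksave")}
    for name, eth in cfg.get("interfaces", {}).get("ethernet", {}).items():
        flags[f"{name} prefix-only"] = eth.get("dhcpv6-pd", {}).get("prefix-only")
    for label, value in flags.items():
        if value != "''":
            problems.append(f"{label}: expected two single quotes as the value, got {value!r}")
    return problems

# Constructed sample: the two chunks from this guide joined into one file.
GOOD = """{
  "interfaces": {"ethernet": {"eth0": {"dhcpv6-pd": {"prefix-only": "''"}}}},
  "protocols": {"igmp-proxy": {
    "disable-quicksave": "''",
    "interface": {
      "eth0": {"alt-subnet": "0.0.0.0/0", "role": "upstream", "threshold": "1"},
      "eth2": {"alt-subnet": "0.0.0.0/0", "role": "downstream", "threshold": "1"}
    }}}
}"""
# Constructed bad input: the same file after a web page curled its double quotes.
PASTED = GOOD.replace('"', "\u201d")

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("pasted", PASTED)):
        print(label, check_gateway_config(text) or "OK")
```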
From here, save your file by pressing CTRL+X, Y, and ENTER.
We need to do one more configuration change and that will go into another new file, config.properties.
Run nano config.properties and put the following line into the file:
config.system_cfg.1=switch.igmp.header_checking=false
Normally if we were only making changes to these two files we would need to force provision the USG. As we’re going to continue on in the Unifi SDN UI we can skip that step. If you’re still following along, awesome work. You’re killing it. I’m proud of you. Really, I am. This, for me, is the culmination of about 7 hours of experimentation, WireShark-ing, and a bottle of Wine O’Clock Shiraz.
Static Routes
We can head back into the Unifi SDN and head to Settings > Routing & Firewall. We need to create three routes:
These routes will be consistent across the country, however the “Next Hop” will be different. This is the USG’s gateway, something you can find by running a traceroute from your computer to somewhere on the internet, or by logging into the USG via SSH and executing: ip route show
Look for a line indicating your WAN IP address routed to a subnet such as below:
I blocked out my full IP address however you’ll see that eth0 is pointed to 209.89.184.0/22. For the purposes of creating the routes in Unifi, the address will instead be 209.89.184.1, in my example. This will ensure that the traffic to the Optik servers is routed as efficiently as possible.
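The next-hop rule above, written out as an added example that is not part of the original post: it takes the first host of the connected subnet on the WAN interface and cross-checks it against the gateway of the default route, which is not guaranteed to be the first host on every network. The function name and the sample output (using a documentation address range) are constructed for this example.

```python
import ipaddress

def wan_next_hop(route_output, wan_if="eth0"):
    """Derive the static-route next hop from `ip route show` output.

    Returns (candidate, confirmed). candidate is the first host of the
    connected subnet on wan_if (the rule used in this guide); confirmed is
    True only when it equals the default route's gateway on that interface.
    """
    default_gw = connected = None
    for line in route_output.splitlines():
        f = line.split()
        # Skip lines without a "dev <name>" pair or for another interface.
        if "dev" not in f[:-1] or f[f.index("dev") + 1] != wan_if:
            continue
        if f[0] == "default" and "via" in f[:-1]:
            default_gw = ipaddress.ip_address(f[f.index("via") + 1])
        elif "/" in f[0] and "via" not in f:
            # A directly connected subnet has no "via" hop.
            connected = ipaddress.ip_network(f[0])
    if connected is None:
        raise ValueError(f"no connected route on {wan_if}")
    candidate = connected.network_address + 1
    return str(candidate), candidate == default_gw

# Constructed sample output (203.0.113.0/24 is a documentation range).
SAMPLE = """default via 203.0.113.1 dev eth0
203.0.113.0/24 dev eth0 proto kernel scope link src 203.0.113.57
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.1
"""

if __name__ == "__main__":
    hop, confirmed = wan_next_hop(SAMPLE)
    print(hop, "matches default gateway" if confirmed else "DIFFERS from default gateway")
```

If the second value is False, use the address from the default route line as the next hop rather than the derived one.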
Creating the routes in Unifi is pretty quick and painless, as depicted below:
These instruct the USG to route all traffic to any of the three subnets through the “Next Hop” and only the next hop. The Destination Networks we need to configure are:
- 207.0.0.0/8
- 209.0.0.0/8
- 216.0.0.0/8
Firewall Configuration
Next, we’ll jump over to the “Firewall” tab and configure a couple of firewall rules. Before we do that, click the “Groups” subtab and we’ll define a couple of firewall groups. Choose “Create new group” and configure your first group as follows:
This defines the groups of machines that will be permitted through the firewall into your IPTV network over UDP that we will create next. Before we can do that we need to define one more group as follows:
This group defines the subnet of IPv4 space reserved for multicasting. Move back to the “Rules IPv4” subtab, make sure you’re looking at the “WAN IN” rules and choose “Create new rule”. Configure your rule as follows:
This will allow all UDP traffic from the IPv4 Address Group we created just a moment ago through into the IGMP proxy we set up earlier. The IGMP proxy will do exactly as it’s named: proxy the IGMP packets into your network as we defined earlier, specifically to the eth2 interface. (Note: if you have the STBs connected via the USG’s LAN 1 port, this is the eth1 interface instead.)
We need to create one more firewall rule under “WAN LOCAL”:
This rule will allow IGMP packets to flow freely from the IGMP proxy into your IPTV network – your eth2 (WAN 2/LAN 2) interface. This also allows IGMP traffic to flow between receivers (for watching PVR recorded video). (Again, note: if you have the STBs connected via the USG’s LAN 1 port, this is the eth1 interface instead.)
Wrapping it up…
And with that, you should be able to tune your Optik TV receiver to a channel and have uninterrupted TV. So what we’ve accomplished is the following:
Thanks for reading along. If you have any questions or comments please reach out in the comments below. I hope that this helps you liberate yourself of that damn Actiontec router, too!
Addendum 1: Using the USG’s LAN 1 & VLAN
As with any project I learned a good amount and after writing this article decided to open TELUS’ Optik on the Go to find that I ran into the multicast issue. I quickly realized that this was due to all multicast traffic being routed to the USG’s WAN 2/LAN 2 (eth2) interface.
I’ve made some writer’s notes to the guide above, however the physical connection bears clarifying. The STBs instead were connected to the Unifi Switch 8 60W and within the Unifi SDN I’ve manually assigned the IPTV VLAN we created to those ports.
Navigate to the Devices screen and click on the switch you wish to configure. From there, click on the Ports icon and choose the ports you wish to edit. For me, this was ports 2 and 3.
Choose your IPTV VLAN from the Switch Port Profile dropdown selector and choose Apply. If you have already connected your STBs to those ports you’ll need to reboot them for the changes to take effect.
Addendum 2: VDSL applications
A huge thanks to u/JACK_DAGNIELS on the r/telus subreddit for asking this rather important question for those that do not have the ability to remove the Actiontec router from their deployment due to it being the hardware that has the DSL modem in it.
Unfortunately in this type of installation we’ll have to consider the Actiontec router. To use the USG as your LAN’s gateway (and to prevent a painful double-NAT situation), log into the Actiontec’s configuration and enable Bridge Mode. Then connect the LAN 1 port on the Actiontec to the WAN 1 port on the USG. That’s it!
If you have any questions or comments about getting this sort of project done, please don’t hesitate to leave a comment!
24 replies on “TELUS Optik IPTV on Ubiquiti UniFi”
The Addendum 2 did not work for me, sort of. When I log into the USG via 192.168.1.1 it says it’s connected to the internet and to use the Controller to adopt it, but when I use the Controller it does not see the USG and my AP and switch are blackened out, and my computer does not have Internet.
This is my setup; Nokia fiber optik > Telus T3200 (WAN) > Port1 (Bridged) from Telus T3200 to Wan1 on USG > Port1 from USG to Unifi switch > computer.
I have the most basic understanding of networking, so I don’t know much about the IPs, DHCPs and all that. Any help would be appreciated to get this working, or my USG becomes an expensive coaster and I’ll have the constant nag of “no UniFi Gateway detected…” in my dashboard.
Hey Lyle, sorry to hear you’re facing some trouble getting the USG to the UniFi Controller.
Where do you have the UniFi Controller installed? On your PC? Raspberry Pi? CloudKey? If it’s on your PC, I’m wondering if there’s a Windows Firewall rule missing?
My Unifi Controller is installed on my PC, Windows 10. I never thought of checking the firewall, this is something that has not come up in all the forums I’ve read about my issue. I will have a look at that and report back.
I have this working and can confirm lots of steps on this guide are far from right.
Hi Shaun, I’m sorry that the guide didn’t help as I’d have intended. I have my USG set up as I describe above and have had no problems. Let me know what you’d suggest I adjust. Thanks.
Any idea how this can be accomplished with the new UDM Pro given that it does not allow editing of the JSON file like the old USG does?
Hi Brendan! I’m sorry for the late reply – your comment fell into the depths of the spam filter. As far as I know, the UDM Pro does not have IGMP Proxy and because it’s not running the EdgeRouter software like the USG, currently multicast traffic won’t make it into a network with a UDM Pro.
I know there’s lots of folks begging for Ubiquiti to bring this feature to the UDM Pro on their forums but I haven’t seen any confirmation they’re working on it.
If you do need features like the SFP ports or IDS/IPS… I’ve been considering replacing the USG with a PFSense box.
Hey Chad,
Came across this today after upgrading to a UDM-PRO, having the same freezing issues you had and going on a maddening internet search. I searched around and seems the recommendation is to just stick a USG in between the ActionTec and the UDM-PRO and using it for its IGMP function. Do you know if I could achieve the same results with a cheaper piece of hardware running the same software such as an ER-X? I just need something in the middle for IGMP so if I can get away with using something cheaper I will.
Hey Gary,
I believe that an ER-X would still do the job that the USG is doing here in my write-up, being that the USG and ER-X both are running EdgeOS.
Do the directories differ between what you listed and what would be used in the first generation cloud key? When ssh into mine, the sites directory doesn’t seem to exist.
Hey Adam, not that I’m aware of. They should be the same even across the new UnifiOS upgrade.
I got this working on a MikroTik router with SPFFiber,
I beat the freezing issues with queues and priority
Hey Chad, I’m about to hop on Telus PureFiber and I run a Unifi setup.
I’m trying to understand your addendums: if you plug the STB’s into your Unifi switch, does that mean you don’t need your TP link switch?
and such that you still configure everything, but on eth1, and then set the vlan tag appropriately for the ports with the STB’s?
Hey Hason, sorry for the late reply.
No need for the TP-Link switch, that was just part of my network topography at the time. Everything matters with how the USG is configured.
Sorry for my late reply too 🙂
I tried copying your JSON previously, but not sure if the formatting is correct. I ended up with the dreaded 50% CPU cycles issue.
I recently want to try this setup again, so does this look right for the config.gateway.json file?
{
  "interfaces": {
    "ethernet": {
      "eth0": {
        "dhcpv6-pd": {
          "prefix-only": "''"
        }
      }
    }
  },
  "protocols": {
    "igmp-proxy": {
      "disable-quicksave": "''",
      "interface": {
        "eth0": {
          "alt-subnet": "0.0.0.0/0",
          "role": "upstream",
          "threshold": "1"
        },
        "eth1": {
          "alt-subnet": "0.0.0.0/0",
          "role": "downstream",
          "threshold": "1"
        }
      }
    }
  }
}
The validation website passes it.
Apologies for the spam Chad, what settings did you do for setting the TV vlan? Namely, do you need any IPV6 settings? Or is that only from Telus -> USG?
Have you been able to get the Activation to work for a 4K PVR? I have a 1080 PVR, but when I plug on the 4K PVR it doesn’t want to activate. Any ideas?
Hey Colin, in terms of activation I’ve *always* had to bypass my Unifi network. Once the STP is activated though it’s clear sailing. Thanks for the comment – sorry for the late reply.
Hi Chad,
Thank you very much for this detailed tutorial. I have adapted this tutorial for the UDM/P, found here: https://github.com/peacey/udm-telus
Your tutorial was so detailed and easy to follow, and you didn’t miss a single step, that I was easily able to adapt it. So thank you very much for all your effort and attention to detail!
Amazing! Thank you for the credit, that’s very kind.
Getting this error when trying to test that everything is working
# ./igmpproxy -nd ./igmpproxy.conf
MRT_INIT failed; Errno(92): Protocol not available
Hi Magna,
Are you attempting this on a USG? I’m finding a host of results on Google about this with UDMs.
If you have a UDM, I’d highly recommend this solution: https://github.com/fabianishere/udm-kernel-tools
I hope this helps.
How would I go about uninstalling this modification?
Thanks
Hi, just reverse the directions.