How to get Bell Fibe in Quebec/Ontario (Internet and IPTV) working with pfSense
-
Hi guys,
Sorry I should have mentioned that the any/any/any rules can definitely be tweaked.
First of all, yes, you can restrict the WAN_IPTV rule to UDP only.
Keep in mind that WAN_IPTV is from the VLAN which is linked directly to a private network at Bell's data center and doesn't hit the public internet.
I started with everything wide open, and I plan on closing things up a bit while the system is running. I just didn't want a too-restrictive firewall rule to slow me down, it was hard enough as it was. :)
–---
I should also mention that one is supposed to set the QoS priority on the IPTV VLAN to 4. I haven't done it because I have 175/175, but at 50/50 you might need to. I might do it in future if I see my signal suffering.
-
I'd put in a syslog server and enable logging on that rule. Or I'd put in a deny rule and log that for a while. I don't give my ISP the ability to pass any traffic into my WAN.
And your WAN doesn't get a public IP? How do you port forward?
What did all the interface IPs and netmasks end up being?
Just curious.
-
And call it overkill, but since all you want is IGMP to pass thru, I would also add a Snort/Suricata rule on that interface to monitor/log/block.
alert ip any any <> any any (msg:"IGMP PROTOCOL ONLY"; ip_proto:!2; classtype:policy-violation; sid:167115792; rev:1;)
F.
-
Hi all,
I thought I'd post this for all to see as others may be interested in how I finally got this working.
My mission was to replace the Bell Home Hub 2000 router which is a rather in-flexible device considering that I have 175mbps/175mbps service. I wanted to replace it with a pfSense box I built on an APU.
After doing some reading, I realized that Bell passes both internet and IPTV on one network wire using VLANs coming off the ONT (Optical Network Terminator) box.
They use VLAN 35 for internet and PPPoE authentication on this VLAN and VLAN 36 for IPTV with DHCP.
The steps to get internet working are quite simple. You create a VLAN at 35 on the external interface that connects to the one active port on the ONT:
.While you're in there, create a VLAN at 36 on the same interface for the IPTV connection.
Then assign that VLAN to an interface and enable it and set it to use PPPoE authentication:
That's pretty much all you need to do for internet. pfSense does the NATing and routing setup for you automatically.
Getting IPTV to work is a little more involved.
First assign the VLAN 36 to an interface, and set it to DHCP:
Your automatic gateways will look like this:
Then set up a static route for 10.0.0.0/8 to go to the gateway discovered by DHCP on the IPTV WAN interface:
Then set an advanced option on the LAN interface and the WAN-IPTV interface in the pass all firewall rules:
Finally, set up IGMP proxying as such:
If you've done everything correctly, you likely don't even need to restart pfSense, it'll just start working!
If anyone has any questions about this, let me know.
Robert
a how-to and step by step youtube video would be appreciated… :^)
-
I'm going to guess that was a joke. :)
If you need some clarification, though, don't hesitate to ask. :)
-
I have followed this guide to the letter and I mostly understand all of it. But I am having some issues.
Internet works perfectly, 0 issues.
IPTV works, but
- apps and on demand content do not load
- when the STB needs a to update, it wont work. I need to revert back to old setup
- the switching to multicast causes a slight freeze on screen (does not freeze on old setup)
- when navigating channels that I do not have, no message appears (there is usually a text indicating you don't have this channel and to call if you want to add it)
- my wireless AP does not work when the PVR is connected to the network (the wireless clients dont't receives a ip, but when I remove the PVR, everything works. If I connect a device via the AP lan ports, everything works.)
What I noticed so far:
- I get the following error message in the gateway section:
apinger: Could not bind socket on address(10.247.211.144) for monitoring address 10.247.208.1(WAN_IPTV_DHCP) with error Can't assign requested address
- I get the following error in the resolver section:
dnsmasq[33733]: possible DNS-rebind attack detected: beapp001.iptv.bell.ca- there might be DNS issue. I get assigned 4 DNS servers, 2 in the 10.0.0.0 range and 2 others in the 207.164.234.* range. From the error I get on screen when loading apps and on demand content, the STBs cant resolve certain host names.
Is there a setting you have forgotten to give in your guide ? Have you experienced any of the issues ?
-
Hi there,
I can't think of anything I left out… does your DNS resolution in the status page look something like this?
127.0.0.1
207.164.234.129
207.164.234.193
10.2.127.228
10.2.127.196Do you have " Allow DNS server list to be overridden by DHCP/PPP on WAN " checked in the System | General Setup page? I do.
If you want to send me screenshots of your settings, I could compare to mine to see if there are any differences...
My apinger log entries are virtually nil besides the typical starting service, etc... that sounds like the main problem. The fact that your AP goes down has something to do with IGMP packets flooding your LAN. I don't know why that doesn't happen to me. I remember reading about that. You may want to put in some rules which restrict IGMP access to only a range of addresses your set-top boxes could be at.
I'm sorry I couldn't be more help than that. :(
Rob
-
Hey, thanks for the reply.
My DNS had the 10.* before the 207.* servers. A part from that, yes thats what I have.
At this time, I reverted back to using the HUB200 for TV. I'll retry to add IPTV back on pfSense tomorrow with your recommendations.
If it still doesn't work, I'll send you my screenshots.
-
I retried everything last night.
I'm getting the same issues. The STB are having DNS issues. I also do believe my network is getting bombarded by IGMP and multicast. I need to figure how to isolate the IPTV signal or create another subnet.
Worst case scenario, I keep IPTV using the bell HUB2000 router. The important thing is that my internet isolated.
-
I have the same problem with the app on demand not working but the TV was working fine
-
@zax103, thanks a lot for this post. I recently switched from Videotron to Bell FTTH recently and after reading what you've done, I was sure I could also replicate such a setup. I didn't have a pfSense box at home (only at the office), so I was wondering if I could get this working on cheaper hardware (Linksys E4200 with custom firmware). In the process, I went through several issues that I had to debug, but actually got it fully working. I've wrote about it on a different forum and you can find my post if you search for 'Tossing the Home Hub 2000 while keeping TV', but I wanted to highlight a few things in your setup.
Bell also uses VLAN 37 for what it seemed, some IPv6 traffic. Anyone thinking about simply bridging their WAN port to connect the HH2000 on it should also bring that VLAN on it. However, if you aren't using that HH2000 device, you don't have to worry about it at all.
When my setup was completed, I could watch TV, but once in a while, it would simply cut off for a very short period of time, then resume. I tracked this down to a timeout mechanism used by Bell (upstream), or it could even be coming from the ONT. The interface on VLAN36 will receive an IGMP request to report the current subscription from 192.168.1.1. If the IGMP proxy doesn't answer that request, the multicast membership will be evicted. So you should add "192.168.1.0/24" to your upstream configuration to handle this.
As for the 'Apps' and 'On Demand' features, you need to hijack the DNS queries that are going to "*.iptv.bell.ca". I didn't take any chance, and did hijack the entire "bell.ca" and "bell.com" domains redirecting these queries to one of the DNS servers I was getting back from the DHCP Ack. I'm not sure if you are using dnsmasq on your setup, but if you do, the configuration change is simple:
rebind-domain-ok=bell.ca
rebind-domain-ok=bell.com
server=/bell.ca/10.2.127.228
server=/bell.com/10.2.127.228The 'rebind-domain-ok' is only needed if you have 'stop-dns-rebind' in your configuration, which prohibits upstream servers from returning private addresses. For instance, "mdsfe001.iptv.bell.ca" has to resolve to "10.2.121.4".
With all of this, an STB user wouldn't even noticed that the HH 2000 device isn't used anymore.
Thanks again for your great post!
-
thanks for the info everything is working fine for the iptv but now i have igmp flooding and crashing my wlan.does anyone have a tip for controling those igmp broadcast
![Screenshot 2015-07-02 00.45.57.png](/public/imported_attachments/1/Screenshot 2015-07-02 00.45.57.png)
![Screenshot 2015-07-02 00.45.57.png_thumb](/public/imported_attachments/1/Screenshot 2015-07-02 00.45.57.png_thumb) -
I want to thank everybody here, I was finally able to get everything working today. IPTV, Relaunch and OnDemand all working perfectly.
-
DNS resolving, forcing all *.bell.ca addresses to 10.2.127.228 fixed all DNS issue for me.
-
Adding the "192.168.1.0/24" to the upstream configuration resolved the freeze when the signal switched over too multicast.
-
As for the IGMP flooding on my wlan, I run DD WRT on my AP and blocked all multicast packets on all interfaces. Therefor no more wireless interruptions.
Something I did noticed, making any modification on pfsense, requires a full reset of all devices for my configuration to stick.
-
-
Hi guys,
Sorry I should have mentioned that the any/any/any rules can definitely be tweaked.
First of all, yes, you can restrict the WAN_IPTV rule to UDP only.
Keep in mind that WAN_IPTV is from the VLAN which is linked directly to a private network at Bell's data center and doesn't hit the public internet.
I started with everything wide open, and I plan on closing things up a bit while the system is running. I just didn't want a too-restrictive firewall rule to slow me down, it was hard enough as it was. :)
–---
I should also mention that one is supposed to set the QoS priority on the IPTV VLAN to 4. I haven't done it because I have 175/175, but at 50/50 you might need to. I might do it in future if I see my signal suffering.
Hi, thank you for your great tutorial. Could you give me the specific on how to set QoD on the IPTV VLAN to 4 please. I have been searching for days on traffic shaping and havn't find the right way yet.
-
Hi guys,
Sorry I should have mentioned that the any/any/any rules can definitely be tweaked.
First of all, yes, you can restrict the WAN_IPTV rule to UDP only.
Keep in mind that WAN_IPTV is from the VLAN which is linked directly to a private network at Bell's data center and doesn't hit the public internet.
I started with everything wide open, and I plan on closing things up a bit while the system is running. I just didn't want a too-restrictive firewall rule to slow me down, it was hard enough as it was. :)
–---
I should also mention that one is supposed to set the QoS priority on the IPTV VLAN to 4. I haven't done it because I have 175/175, but at 50/50 you might need to. I might do it in future if I see my signal suffering.
Hi, thank you for your great tutorial. Could you give me the specific on how to set QoD on the IPTV VLAN to 4 please. I have been searching for days on traffic shaping and havn't find the right way yet.
I meant QoS not QoD, sorry
-
I want to thank everybody here, I was finally able to get everything working today. IPTV, Relaunch and OnDemand all working perfectly.
-
DNS resolving, forcing all *.bell.ca addresses to 10.2.127.228 fixed all DNS issue for me.
-
Adding the "192.168.1.0/24" to the upstream configuration resolved the freeze when the signal switched over too multicast.
-
As for the IGMP flooding on my wlan, I run DD WRT on my AP and blocked all multicast packets on all interfaces. Therefor no more wireless interruptions.
Something I did noticed, making any modification on pfsense, requires a full reset of all devices for my configuration to stick.
Hi, can I ask you how you managed to force all bell.ca to 10.2.127.228 please ? I am using Outbound as my DNS resolver. Thanks
-
-
I want to thank everybody here, I was finally able to get everything working today. IPTV, Relaunch and OnDemand all working perfectly.
-
DNS resolving, forcing all *.bell.ca addresses to 10.2.127.228 fixed all DNS issue for me.
-
Adding the "192.168.1.0/24" to the upstream configuration resolved the freeze when the signal switched over too multicast.
-
As for the IGMP flooding on my wlan, I run DD WRT on my AP and blocked all multicast packets on all interfaces. Therefor no more wireless interruptions.
Something I did noticed, making any modification on pfsense, requires a full reset of all devices for my configuration to stick.
Hi, can I ask you how you managed to force all bell.ca to 10.2.127.228 please ? I am using Outbound as my DNS resolver. Thanks
From here : https://forum.pfsense.org/index.php?topic=87738.msg534214#msg534214
-
-
Thank you !
-
I found fairly easy solution and no additional trouble with the routing/NAT and no need for IGMP proxy.
Ok, I am not Canadian but my provider is also offering IPTV on VLAN 4.
what I did:
Had to create 3 additional interfaces under Interface Assignments.
IPTV_IN would be VLAN4 taken from network card handling the WAN connection.
IPTV_OUT would be physical NIC in pfSense box which you would connect to the IPTV STB
IPTV_BRIDGE would be bridge between those two. And only this would have IP from DHCP. The previous 2 assignments are left without anything assigned to them.What's left to do after creating those intefaces is to add passing rules for them in Firewall settings. And you are good to go.
I also changed Outbound NAT rules to manual and removed bunch of rules from there to tighten down subnet isolation but it's not really needed for watching TV.
Im away from home working about week but if anyone is interested, I can provide screenshots from WebUI afterwards.
-
Hello,
New user here. I'm trying to achieve the same objective as the OP (Bell Fibe Internet + IPTV without the Bell-provided Home Hub). Can someone who has done this please confirm whether the IPTV receiver can still obtain software updates with this setup? My concern is that Bell might have some port forwarding for remote management hidden away in the configuration of the Home Hub (not visible to the end user), and without this the receiver can't update itself.
Also, my setup is complicated by the fact that my LAN is on 10.10.1.0/24 which of course overlaps with Bell's IPTV range 10.0.0.0/8; I expect this will cause some routing issues.
Thanks
cinergi