How to get Bell Fibe in Quebec/Ontario (Internet and IPTV) working with pfSense



  • Hi all,

    I thought I'd post this for all to see as others may be interested in how I finally got this working.

    My mission was to replace the Bell Home Hub 2000 router, which is a rather inflexible device considering that I have 175 Mbps/175 Mbps service.  I wanted to replace it with a pfSense box I built on an APU.

    After doing some reading, I realized that Bell passes both internet and IPTV on one network wire using VLANs coming off the ONT (Optical Network Terminator) box.

    They use VLAN 35 for internet and PPPoE authentication on this VLAN and VLAN 36 for IPTV with DHCP.

    The steps to get internet working are quite simple.  You create a VLAN at 35 on the external interface that connects to the one active port on the ONT:

    While you're in there, create a VLAN at 36 on the same interface for the IPTV connection.

    Then assign that VLAN to an interface and enable it and set it to use PPPoE authentication:

    That's pretty much all you need to do for internet.  pfSense does the NATing and routing setup for you automatically.

    Getting IPTV to work is a little more involved.

    First assign the VLAN 36 to an interface, and set it to DHCP:

    Your automatic gateways will look like this:

    Then set up a static route for 10.0.0.0/8 to go to the gateway discovered by DHCP on the IPTV WAN interface:

    Then set an advanced option on the LAN interface and the WAN-IPTV interface in the pass all firewall rules:


    Finally, set up IGMP proxying as such:

    If you've done everything correctly, you likely don't even need to restart pfSense, it'll just start working!

    If anyone has any questions about this, let me know.

    Robert


  • Netgate

    Does that Pass Any Any rule into WAN_IPTV give anyone else the willies?



  • Yeah, why not choose IGMP protocol only on WAN-IPTV…?



  • Hi guys,

    Sorry, I should have mentioned that the any/any/any rules can definitely be tweaked.

    First of all, yes, you can restrict the WAN_IPTV rule to UDP only.

    Keep in mind that WAN_IPTV is from the VLAN which is linked directly to a private network at Bell's data center and doesn't hit the public internet.

    I started with everything wide open, and I plan on closing things up a bit while the system is running.  I just didn't want a too-restrictive firewall rule to slow me down, it was hard enough as it was. :)

    ----

    I should also mention that one is supposed to set the QoS priority on the IPTV VLAN to 4.  I haven't done it because I have 175/175, but at 50/50 you might need to.  I might do it in future if I see my signal suffering.


  • Netgate

    I'd put in a syslog server and enable logging on that rule.  Or I'd put in a deny rule and log that for a while.  I don't give my ISP the ability to pass any traffic into my WAN.

    And your WAN doesn't get a public IP?  How do you port forward?

    What did all the interface IPs and netmasks end up being?

    Just curious.



  • And call it overkill, but since all you want is IGMP to pass through, I would also add a Snort/Suricata rule on that interface to monitor/log/block.

    alert ip any any <> any any (msg:"IGMP PROTOCOL ONLY"; ip_proto:!2; classtype:policy-violation; sid:167115792; rev:1;)

    F.
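    To make the rule discussion above concrete (the any/any/any pass rule, a tightened IGMP-plus-UDP-from-10/8 rule set with a logged catch-all, and the posted `ip_proto:!2` Snort rule), here is an added worked example that evaluates each policy over a handful of constructed packets. It is illustration code written for this thread, not pfSense or Snort code: the packets are made up, 203.0.113.9 is a documentation address standing in for an arbitrary Internet host, and 10.50.0.0/16 is the LAN prefix mentioned later in the thread.

```python
"""Evaluate candidate WAN_IPTV firewall policies against constructed packets.

Added illustration for this thread, not pfSense or Snort code.  Packets are
constructed; 203.0.113.9 is a documentation address, 10.50.0.0/16 is the LAN
prefix mentioned later in the thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

IGMP, TCP, UDP = 2, 6, 17          # IP protocol numbers
PROTO_NAME = {IGMP: "igmp", TCP: "tcp", UDP: "udp"}


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "block"
    proto: Optional[int] = None       # None matches any protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    log: bool = False
    name: str = ""

    def matches(self, pkt: Packet) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst))


def describe(pkt: Packet) -> str:
    port = f":{pkt.dport}" if pkt.dport is not None else ""
    return f"{PROTO_NAME.get(pkt.proto, pkt.proto)} {pkt.src} -> {pkt.dst}{port}"


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """First-match evaluation (pfSense GUI rules are 'quick'); anything that
    matches no rule hits the implicit default deny.  Returns (verdict, log)."""
    for rule in rules:
        if rule.matches(pkt):
            line = f"{rule.action} [{rule.name}] {describe(pkt)}" if rule.log else None
            return rule.action, line
    return "block", f"block [default deny] {describe(pkt)}"


def snort_ip_proto_not_igmp(pkt: Packet) -> bool:
    """True when the posted rule's 'ip_proto:!2' test would raise its alert."""
    return pkt.proto != IGMP


# Constructed traffic as it would arrive on WAN_IPTV
SAMPLE = [
    Packet(IGMP, "192.168.1.1", "224.0.0.1"),        # IGMP general query from the Bell side
    Packet(UDP, "10.2.120.10", "239.1.1.5", 5000),    # multicast video stream
    Packet(UDP, "10.2.127.228", "10.50.0.20", 53),    # DNS reply from the Bell resolver
    Packet(TCP, "203.0.113.9", "10.50.0.20", 22),     # unexpected inbound TCP
]

WIDE_OPEN = [Rule("pass", name="any/any/any")]       # the rule set from the screenshots

TIGHTENED = [                                         # IGMP, plus UDP from Bell's 10/8 only
    Rule("pass", IGMP, name="igmp"),
    Rule("pass", UDP, src="10.0.0.0/8", name="udp-from-bell"),
    Rule("block", log=True, name="log-catch-all"),
]


def run_policy(rules: List[Rule]) -> Tuple[List[str], List[str]]:
    """Apply a rule set to SAMPLE; returns (verdicts, logged lines)."""
    verdicts, logged = [], []
    for pkt in SAMPLE:
        verdict, line = evaluate(rules, pkt)
        verdicts.append(verdict)
        if line:
            logged.append(line)
    return verdicts, logged


if __name__ == "__main__":
    for label, rules in (("wide open", WIDE_OPEN), ("tightened", TIGHTENED)):
        print(label, *run_policy(rules))
    print("snort alerts on:", [describe(p) for p in SAMPLE if snort_ip_proto_not_igmp(p)])
```

    Two things the run makes visible: the logged catch-all gives the syslog trail asked for above without needing the rule wide open, and `ip_proto:!2` fires on every non-IGMP packet, which includes the UDP multicast stream itself (protocol 17), so that Snort rule is only usable in alert mode, or needs a source/destination constraint before anyone lets it block.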



  • @zax123:

    Hi all,

    I thought I'd post this for all to see as others may be interested in how I finally got this working.

    My mission was to replace the Bell Home Hub 2000 router, which is a rather inflexible device considering that I have 175 Mbps/175 Mbps service.  I wanted to replace it with a pfSense box I built on an APU.

    After doing some reading, I realized that Bell passes both internet and IPTV on one network wire using VLANs coming off the ONT (Optical Network Terminator) box.

    They use VLAN 35 for internet and PPPoE authentication on this VLAN and VLAN 36 for IPTV with DHCP.

    The steps to get internet working are quite simple.  You create a VLAN at 35 on the external interface that connects to the one active port on the ONT:

    While you're in there, create a VLAN at 36 on the same interface for the IPTV connection.

    Then assign that VLAN to an interface and enable it and set it to use PPPoE authentication:

    That's pretty much all you need to do for internet.  pfSense does the NATing and routing setup for you automatically.

    Getting IPTV to work is a little more involved.

    First assign the VLAN 36 to an interface, and set it to DHCP:

    Your automatic gateways will look like this:

    Then set up a static route for 10.0.0.0/8 to go to the gateway discovered by DHCP on the IPTV WAN interface:

    Then set an advanced option on the LAN interface and the WAN-IPTV interface in the pass all firewall rules:


    Finally, set up IGMP proxying as such:

    If you've done everything correctly, you likely don't even need to restart pfSense, it'll just start working!

    If anyone has any questions about this, let me know.

    Robert

    A how-to and step-by-step YouTube video would be appreciated… :^)



  • I'm going to guess that was a joke. :)

    If you need some clarification, though, don't hesitate to ask. :)



  • I have followed this guide to the letter and I mostly understand all of it. But I am having some issues.

    Internet works perfectly, 0 issues.

    IPTV works, but

    • apps and on demand content do not load
    • when the STB needs to update, it won't work. I need to revert back to the old setup
    • the switching to multicast causes a slight freeze on screen (does not freeze on old setup)
    • when navigating channels that I do not have, no message appears (there is usually a text indicating you don't have this channel and to call if you want to add it)
    • my wireless AP does not work when the PVR is connected to the network (the wireless clients don't receive an IP, but when I remove the PVR, everything works. If I connect a device via the AP LAN ports, everything works.)

    What I noticed so far:
    -  I get the following error message in the gateway section:
        apinger: Could not bind socket on address(10.247.211.144) for monitoring address 10.247.208.1(WAN_IPTV_DHCP) with error Can't assign requested address
    -  I get the following error in the resolver section:
        dnsmasq[33733]: possible DNS-rebind attack detected: beapp001.iptv.bell.ca

    • there might be a DNS issue. I get assigned 4 DNS servers, 2 in the 10.0.0.0 range and 2 others in the 207.164.234.* range. From the error I get on screen when loading apps and on demand content, the STBs can't resolve certain host names.

    Is there a setting you have forgotten to give in your guide? Have you experienced any of the issues?



  • Hi there,

    I can't think of anything I left out… does your DNS resolution in the status page look something like this?

    127.0.0.1
    207.164.234.129
    207.164.234.193
    10.2.127.228
    10.2.127.196

    Do you have "Allow DNS server list to be overridden by DHCP/PPP on WAN" checked in the System | General Setup page?  I do.

    If you want to send me screenshots of your settings, I could compare to mine to see if there are any differences...

    My apinger log entries are virtually nil besides the typical starting service, etc...  that sounds like the main problem.  The fact that your AP goes down has something to do with IGMP packets flooding your LAN.  I don't know why that doesn't happen to me.  I remember reading about that.  You may want to put in some rules which restrict IGMP access to only a range of addresses your set-top boxes could be at.

    I'm sorry I couldn't be more help than that. :(

    Rob



  • Hey, thanks for the reply.

    My DNS had the 10.* before the 207.* servers. Apart from that, yes, that's what I have.

    At this time, I reverted back to using the HUB2000 for TV. I'll retry to add IPTV back on pfSense tomorrow with your recommendations.

    If it still doesn't work, I'll send you my screenshots.



  • I retried everything last night.

    I'm getting the same issues. The STBs are having DNS issues. I also do believe my network is getting bombarded by IGMP and multicast. I need to figure out how to isolate the IPTV signal or create another subnet.

    Worst case scenario, I keep IPTV using the Bell HUB2000 router. The important thing is that my internet is isolated.



  • I have the same problem with the app on demand not working, but the TV was working fine.



  • @zax123, thanks a lot for this post. I recently switched from Videotron to Bell FTTH and after reading what you've done, I was sure I could also replicate such a setup. I didn't have a pfSense box at home (only at the office), so I was wondering if I could get this working on cheaper hardware (Linksys E4200 with custom firmware). In the process, I went through several issues that I had to debug, but actually got it fully working. I've written about it on a different forum and you can find my post if you search for 'Tossing the Home Hub 2000 while keeping TV', but I wanted to highlight a few things in your setup.

    Bell also uses VLAN 37 for what seemed to be some IPv6 traffic. Anyone thinking about simply bridging their WAN port to connect the HH2000 on it should also bring that VLAN on it. However, if you aren't using that HH2000 device, you don't have to worry about it at all.

    When my setup was completed, I could watch TV, but once in a while, it would simply cut off for a very short period of time, then resume. I tracked this down to a timeout mechanism used by Bell (upstream), or it could even be coming from the ONT. The interface on VLAN36 will receive an IGMP request to report the current subscription from 192.168.1.1. If the IGMP proxy doesn't answer that request, the multicast membership will be evicted. So you should add "192.168.1.0/24" to your upstream configuration to handle this.

    As for the 'Apps' and 'On Demand' features, you need to hijack the DNS queries that are going to "*.iptv.bell.ca". I didn't take any chance, and did hijack the entire "bell.ca" and "bell.com" domains redirecting these queries to one of the DNS servers I was getting back from the DHCP Ack. I'm not sure if you are using dnsmasq on your setup, but if you do, the configuration change is simple:
    rebind-domain-ok=bell.ca
    rebind-domain-ok=bell.com
    server=/bell.ca/10.2.127.228
    server=/bell.com/10.2.127.228

    The 'rebind-domain-ok' is only needed if you have 'stop-dns-rebind' in your configuration, which prohibits upstream servers from returning private addresses. For instance, "mdsfe001.iptv.bell.ca" has to resolve to "10.2.121.4".

    With all of this, an STB user wouldn't even notice that the HH 2000 device isn't used anymore.

    Thanks again for your great post!



  • Thanks for the info. Everything is working fine for the IPTV, but now I have IGMP flooding and crashing my WLAN. Does anyone have a tip for controlling those IGMP broadcasts?

    ![Screenshot 2015-07-02 00.45.57.png](/public/imported_attachments/1/Screenshot 2015-07-02 00.45.57.png)



  • I want to thank everybody here, I was finally able to get everything working today. IPTV, Relaunch and OnDemand all working perfectly.

    • DNS resolving: forcing all *.bell.ca addresses to 10.2.127.228 fixed all DNS issues for me.

    • Adding the "192.168.1.0/24" to the upstream configuration resolved the freeze when the signal switched over to multicast.

    • As for the IGMP flooding on my WLAN, I run DD-WRT on my AP and blocked all multicast packets on all interfaces. Therefore, no more wireless interruptions.

    Something I did notice: making any modification on pfSense requires a full reset of all devices for my configuration to stick.
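    The "192.168.1.0/24 in the upstream networks" fix confirmed above, and first explained a few posts earlier, is easy to misread as a routing detail. As an added illustration (not igmpproxy's code, and not from anyone in this thread) the following Python simulates the mechanism: the upstream querier at 192.168.1.1 sends IGMP general queries, the proxy only honours upstream IGMP whose source lies in one of its configured altnets, and the Bell-side router drops the group once membership reports stop arriving. The querier address is the one reported in the thread; the query interval, group timeout and group address are constructed round numbers.

```python
"""Simulate why the IGMP querier's network must be in the igmpproxy upstream
'altnet' list (pfSense: the upstream interface's Networks field).

Added illustration for this thread, not igmpproxy's code.  192.168.1.1 is the
querier reported in the thread; intervals and the group address are made up.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional, Set


class UpstreamRouter:
    """Constructed model of the Bell-side multicast router: sends IGMP general
    queries and keeps forwarding a group only while membership reports keep
    arriving before the group timer runs out."""

    def __init__(self, querier: str = "192.168.1.1", query_interval: int = 10,
                 group_timeout: int = 25):
        self.querier = querier
        self.query_interval = query_interval
        self.group_timeout = group_timeout
        self.last_report: Dict[str, int] = {}

    def queries_due(self, t: int) -> List[str]:
        return [self.querier] if t % self.query_interval == 0 else []

    def receive_report(self, group: str, t: int) -> None:
        self.last_report[group] = t

    def expire(self, t: int) -> None:
        for group, seen in list(self.last_report.items()):
            if t - seen > self.group_timeout:
                del self.last_report[group]          # membership evicted, stream stops

    def is_forwarding(self, group: str) -> bool:
        return group in self.last_report


class IgmpProxy:
    """Minimal proxy: downstream joins are reported upstream, and upstream IGMP
    is honoured only when its source address lies inside a configured altnet."""

    def __init__(self, altnets: Iterable[str]):
        self.altnets = [ip_network(n) for n in altnets]
        self.joined: Set[str] = set()

    def downstream_join(self, group: str, upstream: UpstreamRouter, t: int) -> None:
        self.joined.add(group)
        upstream.receive_report(group, t)

    def handle_upstream_query(self, src: str, upstream: UpstreamRouter, t: int) -> bool:
        if not any(ip_address(src) in net for net in self.altnets):
            return False                              # query from a non-altnet source: ignored
        for group in self.joined:
            upstream.receive_report(group, t)         # answer with the current memberships
        return True


def simulate(altnets: Iterable[str], duration: int = 60,
             group: str = "239.1.1.5") -> Optional[int]:
    """Return the second at which the stream stops, or None if it keeps going."""
    upstream, proxy = UpstreamRouter(), IgmpProxy(altnets)
    proxy.downstream_join(group, upstream, t=0)      # STB tunes in, proxy joins upstream
    for t in range(1, duration + 1):
        for src in upstream.queries_due(t):
            proxy.handle_upstream_query(src, upstream, t)
        upstream.expire(t)
        if not upstream.is_forwarding(group):
            return t
    return None


if __name__ == "__main__":
    print("10.0.0.0/8 only            ->", simulate(["10.0.0.0/8"]))
    print("10.0.0.0/8 + 192.168.1.0/24 ->", simulate(["10.0.0.0/8", "192.168.1.0/24"]))
```

    With only 10.0.0.0/8 configured the group is evicted shortly after the first unanswered query, which is the "cuts off for a short period, then resumes" symptom; adding 192.168.1.0/24 lets the proxy answer every query and the stream never drops. It also explains why the full-reset observation above matters: a membership that was evicted upstream is only re-established when the STB joins again.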



  • @zax123:

    Hi guys,

    Sorry I should have mentioned that the any/any/any rules can definitely be tweaked.

    First of all, yes, you can restrict the WAN_IPTV rule to UDP only.

    Keep in mind that WAN_IPTV is from the VLAN which is linked directly to a private network at Bell's data center and doesn't hit the public internet.

    I started with everything wide open, and I plan on closing things up a bit while the system is running.  I just didn't want a too-restrictive firewall rule to slow me down, it was hard enough as it was. :)

    ----

    I should also mention that one is supposed to set the QoS priority on the IPTV VLAN to 4.  I haven't done it because I have 175/175, but at 50/50 you might need to.  I might do it in future if I see my signal suffering.

    Hi, thank you for your great tutorial. Could you give me the specifics on how to set QoD on the IPTV VLAN to 4 please? I have been searching for days on traffic shaping and haven't found the right way yet.



  • @Icey898:

    @zax123:

    Hi guys,

    Sorry I should have mentioned that the any/any/any rules can definitely be tweaked.

    First of all, yes, you can restrict the WAN_IPTV rule to UDP only.

    Keep in mind that WAN_IPTV is from the VLAN which is linked directly to a private network at Bell's data center and doesn't hit the public internet.

    I started with everything wide open, and I plan on closing things up a bit while the system is running.  I just didn't want a too-restrictive firewall rule to slow me down, it was hard enough as it was. :)

    ----

    I should also mention that one is supposed to set the QoS priority on the IPTV VLAN to 4.  I haven't done it because I have 175/175, but at 50/50 you might need to.  I might do it in future if I see my signal suffering.

    Hi, thank you for your great tutorial. Could you give me the specifics on how to set QoD on the IPTV VLAN to 4 please? I have been searching for days on traffic shaping and haven't found the right way yet.

    I meant QoS not QoD, sorry



  • @JetSter735180:

    I want to thank everybody here, I was finally able to get everything working today. IPTV, Relaunch and OnDemand all working perfectly.

    • DNS resolving, forcing all *.bell.ca addresses to 10.2.127.228 fixed all DNS issue for me.

    • Adding the "192.168.1.0/24" to the upstream configuration resolved the freeze when the signal switched over too multicast.

    • As for the IGMP flooding on my wlan, I run DD WRT on my AP and blocked all multicast packets on all interfaces. Therefor no more wireless interruptions.

    Something I did noticed, making any modification on pfsense, requires a full reset of all devices for my configuration to stick.

    Hi, can I ask you how you managed to force all bell.ca to 10.2.127.228 please? I am using Unbound as my DNS resolver. Thanks



  • @Icey898:

    @JetSter735180:

    I want to thank everybody here, I was finally able to get everything working today. IPTV, Relaunch and OnDemand all working perfectly.

    • DNS resolving, forcing all *.bell.ca addresses to 10.2.127.228 fixed all DNS issue for me.

    • Adding the "192.168.1.0/24" to the upstream configuration resolved the freeze when the signal switched over too multicast.

    • As for the IGMP flooding on my wlan, I run DD WRT on my AP and blocked all multicast packets on all interfaces. Therefor no more wireless interruptions.

    Something I did noticed, making any modification on pfsense, requires a full reset of all devices for my configuration to stick.

    Hi, can I ask you how you managed to force all bell.ca to 10.2.127.228 please? I am using Unbound as my DNS resolver. Thanks

    From here : https://forum.pfsense.org/index.php?topic=87738.msg534214#msg534214



  • Thank you !



  • I found a fairly easy solution with no additional trouble with the routing/NAT and no need for IGMP proxy.

    Ok, I am not Canadian but my provider is also offering IPTV on VLAN 4.

    what I did:

    Had to create 3 additional interfaces under Interface Assignments.

    IPTV_IN would be VLAN4 taken from the network card handling the WAN connection.
    IPTV_OUT would be a physical NIC in the pfSense box which you would connect to the IPTV STB.
    IPTV_BRIDGE would be a bridge between those two. Only this one gets an IP from DHCP; the previous 2 assignments are left without anything assigned to them.

    What's left to do after creating those interfaces is to add passing rules for them in the Firewall settings. And you are good to go.

    I also changed the Outbound NAT rules to manual and removed a bunch of rules from there to tighten down subnet isolation, but it's not really needed for watching TV.

    I'm away from home working for about a week, but if anyone is interested, I can provide screenshots from the WebUI afterwards.



  • Hello,

    New user here.  I'm trying to achieve the same objective as the OP (Bell Fibe Internet + IPTV without the Bell-provided Home Hub).  Can someone who has done this please confirm whether the IPTV receiver can still obtain software updates with this setup?  My concern is that Bell might have some port forwarding for remote management hidden away in the configuration of the Home Hub (not visible to the end user), and without this the receiver can't update itself.

    Also, my setup is complicated by the fact that my LAN is on 10.10.1.0/24 which of course overlaps with Bell's IPTV range 10.0.0.0/8; I expect this will cause some routing issues.

    Thanks
    cinergi



  • Hi @cinergi,

    I've received updates with my configuration no problem.  I went through the whole setup with a senior bell engineer and he likely would have mentioned this shortcoming if it existed.

    I'm using 10.50.0.0/16 for my LAN and I have no problems whatsoever with the 10.0.0.0/8 probably because of the "downstream" setting on IGMPProxy.

    Incidentally, you aren't the same @cinergi from the TMC forums are you? :)

    Rob



  • Hello

    My objective was;

    Keep VLAN35 for Internet on HOMELAN on 192.168.2.0/24 (through pfSense) and keep VLAN36 for IPTV through the HH2000 on 192.168.10.0/24 + internet, to achieve wireless through the hub (simply because I like the app BELL FIBE TV and it has to be on the same subnet as IPTV to work…). It was important for me to keep two separate subnets because I like to manage my things, and the HUB, well, I don't like it.

    Ethernet cable from ONT through switch (cheap 8 ports switch from tplink)

    Something like this http://blog.ngpixel.com/post/104449747538/how-to-bypass-bell-fibe-hub-and-use-your-own-router

    SWITCH;
    port1 = Ont
    port2 = Hub2000
    port3 = Wan(pfsense)

    PFSENSE
    Setup VLAN35 + PPPOE WAN side
    LAN on 192.168.2.0/24, HOMELAN + dhcp server

    HUB2000
    I inserted my B1xxxxxx + password for Internet/fibe + setup wireless

    So i have 2 x PPPOE, one on pfsense for VLAN35 and one on the hub for IPTV.
    What's weird is that it worked, so I kind of have two public IPs…?

    The HUB2000 crap helped me to learn a lot in the past few weeks. I tried all kinds of setups, including the one described by shaqan, which is a nice approach, but I didn't achieve the goal; I don't have enough knowledge. Help for this also: http://www.dslreports.com/forum/r30116518-Tossing-the-Home-Hub-2000-while-keeping-TV. I understand my problem only partially so far, a lot of reading to do…

    I keep reading



  • Out of curiosity, why didn't you do the full switchover to pfSense?  You wouldn't have the strange issues you're reporting had you done that.  The Bell Fibe app works and you have full functionality with the Bell TV system.



  • Hello

    I was not able to make it right, it wasn't fluid enough, I was losing the gateway with apinger and didn't have enough time to figure it out, so I reverted back to my old setup: VLAN35 on pfSense and VLAN36 through the HUB2000. As I said, I have much more reading to do. I take it one step at a time.

    thx again



  • Oh no worries, just curious.

    I assume you are getting two PPPoE addresses because you are passing the ONT signal through a switch which doesn't filter VLAN 35, so both the Home Hub 2000 and the pfSense box have access to VLAN 35.

    You could check that by using a service like whatismyip.com.  I'm betting your WiFi network (from the Home Hub) is on a different subnet than your wired pfSense network.  Might not be great for, for example, controlling wired devices from your Wi-Fi smartphone.



  • @zax123:

    Hi @cinergi,

    I've received updates with my configuration no problem.  I went through the whole setup with a senior bell engineer and he likely would have mentioned this shortcoming if it existed.

    I'm using 10.50.0.0/16 for my LAN and I have no problems whatsoever with the 10.0.0.0/8 probably because of the "downstream" setting on IGMPProxy.

    Incidentally, you aren't the same @cinergi from the TMC forums are you? :)

    Rob

    Hello @Zax123,

    Sorry for the delayed reply.  I thought the forum would notify me of new posts in this thread but it didn't, so I only saw your post now.

    It's good to know that the software updates still work with this setup!  I'm still working on my own setup.  I should have mentioned that I'm not actually using pfSense, but an Edgerouter from Ubiquiti Networks.  It runs a version of Vyatta.  I'm currently having problems with my multicast streams - the IPTV stream works for about 10 seconds on every new channel, then freezes.  I've read that Bell starts each stream as unicast and switches to multicast after approximately 10 seconds, so it seems that my receiver can't make the transition to multicast.  I'm working to troubleshoot this issue, but I can't find anything wrong with my IGMP proxy settings.

    My IPTV receiver is connected via coax cable (HPNA).  I've ordered an HPNA media converter, but in the meantime I've been using the Home Hub 2000 as a media converter by plugging my router into one of the LAN ports (not WAN) and letting the Home Hub bridge this to the HPNA port.  It only occurred to me afterwards that the Home Hub might be doing some IGMP and/or multicast filtering on its LAN ports, and since in a standard Fibe configuration this traffic comes from the WAN port, this could explain the issue I'm seeing.  I'll be able to confirm once I receive my HPNA converter to replace the Home Hub.

    As for the TMC Forums, I'm not sure what "TMC" stands for but I don't recall being a member of any forum with that acronym!  :)

    Thanks!

    -cinergi



  • Hello

    For now I have no Fibe TV, but Internet is OK. Yesterday I began troubleshooting with Bell and it's a pain.

    I have lost connection with the IPTV gateway, it is offline and no TV, no hockey, no baseball…

    I have reconnected all the cable as standard, just pfsense in a lan port of the Hub2000.

    I have seen a couple of this 16.10.2015 17:00:48 WRN DHCPC The WAN DHCP client process has successfully been terminated on Vlan 36

    Any idea?

    Thx



  • Hello

    Finally solved my problem, had to replace the HH2000…

    Thx



  • @cinergi,

    The 10 second thing is definitely a problem with IGMP proxy.  The settings I show at the beginning of this thread should help you to troubleshoot.  Not sure if another router (not pfSense) would have the same settings, but I know that once I implement IGMP proxy in pfSense, that problem went away instantly.

    Does your IPTV receiver not have the option of being connected by RJ45 port?  That would eliminate the need for the Home Hub 2000 to convert…



  • @esnesfp:

    Hello

    Finally solved my problem, had to replace the HH2000…

    Thx

    You also could bypass the HH2000 altogether.  When you plug pfSense into a HH2000 LAN port, the HH2000 goes into some kind of bridge mode, but it definitely slows down the connection and adds another layer that your packets have to travel through.

    My intention with this thread was to eliminate the need for the HH2000 which is definitely possible.  I've lived without it for more than a year now.

    Now I need to upgrade my hardware because I got gigabit fiber from Bell and my little APU can't handle the speed. :(



  • Hello

    Yes you're right.

    But after testing my speed I didn't see a big difference between bridge mode and direct input from the ONT.

    I'm on 50/50; I get 67 Mb/s in and 6 ms ping.

    I have also tried the gigabit plan; I was getting 980 Mb/s, which is insanely fast, but the plan only gives me 150 GB of bandwidth, which is ridiculous, so I reverted back to 50/50 unlimited.

    My pfSense is in an old computer that I have; I put in some good RAM, an HD and 3 Ethernet cards, with access by SSH or WebUI, but I suspect that some of my Ethernet cards don't manage VLAN tagging very well.

    Good luck



  • @esnesfp:

    Hello

    Yes you're right.

    But after testing my speed I didn't see a big difference between bridge mode and direct input from the ONT.

    I'm on 50/50; I get 67 Mb/s in and 6 ms ping.

    I have also tried the gigabit plan; I was getting 980 Mb/s, which is insanely fast, but the plan only gives me 150 GB of bandwidth, which is ridiculous, so I reverted back to 50/50 unlimited.

    My pfSense is in an old computer that I have; I put in some good RAM, an HD and 3 Ethernet cards, with access by SSH or WebUI, but I suspect that some of my Ethernet cards don't manage VLAN tagging very well.

    Good luck

    @esnesfp,

    Do you mind sharing what the specs of the old computer are?  I was looking into a SuperMicro motherboard and case, etc… and the price was coming close to $1000 which is ridiculous.

    Thanks!

    Robert



  • Hello

    Motherboard = an old Gigabyte
    CPU Type: AMD Athlon™ 64 Processor 3500+
    2 GB RAM
    80 GB HD

    2.2.4-RELEASE (amd64)
    built on Sat Jul 25 19:57:37 CDT 2015
    FreeBSD 10.1-RELEASE-p15

    Package installed and online = Squid3, File Manager , OpenVPN Client Export Utility

    thx




  • Hello

    The Ethernet cards have to be Gigabit; I bought 2 TP-Link at $10 each.

    Also, things to take into consideration for the motherboard: take one that has onboard video, because you don't want to pay for a video card and for the energy that it consumes, since you don't need any; it's headless.

    The motherboard should have at least two empty mini PCI Express slots for the gigabit Ethernet cards.

    thx



  • @esnesfp:

    Hello

    The Ethernet cards have to be Gigabit; I bought 2 TP-Link at $10 each.

    Also, things to take into consideration for the motherboard: take one that has onboard video, because you don't want to pay for a video card and for the energy that it consumes, since you don't need any; it's headless.

    The motherboard should have at least two empty mini PCI Express slots for the gigabit Ethernet cards.

    thx

    Cool thanks.  Nothing too fancy then.  Nice :)

    I'll hunt around for a machine with similar specs.  Appreciate you taking the time to write back!

    Rob



  • My specs are pretty simple:

    E8500 with 2 GB of RAM.

    An SSD for the OS, the cheapest one.

    When running a speedtest, I have ±38% CPU usage with Bell gigabit. My usual speed is 932 or 933 Mbit.

    Also, I was wondering if I can share this how-to on DSLReports under the Bell forum… I'm sure people would love this how-to!



  • Absolutely share! :)