New Member
Posts: 12
Registered: ‎08-27-2016
Kudos: 12

Bell PPPoE and IPTV with FTTH, Guide, configuration and tidbits.

[ Edited ]

Hi all.
 
After gathering information here and there (mostly here...), some Wireshark analysis (including getting your old 10/100 *hub* that you forgot you had and that is so useful for that purpose) and a few missed recordings that made my wife mad (in the name of testing), Bell IPTV is working on my ERLite-3. And I feel like sharing the whole story for those who wonder how the hell we do that.
 
This is a setup for Bell Canada Fibe Service (FTTH), for people who are using PPPoE logins. I think that this service is specific to Quebec and Ontario, Canada. (FibreOP is using slightly different shenanigans, including DHCP instead of PPPoE, and carries IPTV on VLAN34 instead of 36.)
 
Before we start: My setup is a little weird. My LAN subnet is a little larger (/22 subnet), and I got a DHCP server elsewhere for the primary LAN, and some internal routes. I got OpenVPN, L2TP and Dynamic DNS update working. This is beyond the interest of this post, but feel free to check the config if you wonder how. DNS Forwarders are a bunch of fast DNS lying around, gathered with NameBench.
 
The route for the IPTV network (10.x.x.x) is dependent on your DHCP lease on your VLAN 36 interface. Use this bunch of commands in the CLI to know what route you need to input.
 
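# Become root on the router CLI
sudo su
# Gateway ("router") from the DHCP lease on the VLAN 36 interface
r_ip=$(show dhcp client leases | grep router | awk '{ print $3 }')
# Build and print the static route command to enter in configure mode
iptv_static="set protocols static route 10.0.0.0/8 next-hop $r_ip"
echo "$iptv_static"
exit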
 
Here is the complete picture with my slightly edited configuration, also with some schematics, and a good thanks to @DaveC for some tidbits regarding firewall rules.
 
 
First: Network topology. The first one is the "normal" topology that Bell usually installs. The other is my current topology. Yours will be a tad different I'm sure, but you get the point.
 
Second: Here is my configuration, with some added bonuses (L2TP, OpenVPN, inbound port mapping), minus usernames, passwords and personal info. As previously stated, I'm using an internal L3 switch for my internal network routing and DHCP server, so your configuration may vary.
 
Third, here is a cheat sheet for fast configuration. I think everything is there for some basic operation, but better check before doing copy/paste.
 
#### Pictures ####
 
[Image: Normal Bell Topology]

[Image: My Topology, without HH2000. Internet and IPTV working]
 
#### My Configuration ####

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name IPTV_IN {
        default-action drop
        description "IPTV to LAN"
        rule 5 {
            action accept
            description "Accept Established"
            log disable
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 10 {
            action accept
            description "Allow IGMP"
            log disable
            protocol igmp
        }
        rule 20 {
            action accept
            description "Allow IPTV-Bell"
            destination {
                address 239.0.0.0/8
            }
            log disable
            protocol udp
            source {
                address 10.0.0.0/8
            }
        }
        rule 40 {
            action drop
            description "Drop Invalid IPTV"
            log disable
            protocol all
            state {
                invalid enable
            }
        }
    }
    name IPTV_LOCAL {
        default-action drop
        description "IPTV to router"
        rule 10 {
            action accept
            description "Accept Established"
            log disable
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Allow IPTV UDP"
            destination {
                address 239.0.0.0/8
            }
            log disable
            protocol udp
            source {
                address 10.0.0.0/8
            }
        }
        rule 30 {
            action accept
            description "Allow IGMP"
            log disable
            protocol igmp
        }
        rule 40 {
            action accept
            description "allow ICMP"
            log disable
            protocol icmp
        }
        rule 60 {
            action drop
            description "Drop Invalid"
            log disable
            protocol all
            state {
                invalid enable
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            log disable
            protocol all
            state {
                established enable
                related enable
            }
        }
        rule 11 {
            action accept
            description "Allow L2TP"
            destination {
                port 500,1701,4500
            }
            log disable
            protocol udp
        }
        rule 12 {
            action accept
            description ESP
            log disable
            protocol esp
        }
        rule 13 {
            action accept
            description OpenVPN
            destination {
                port 993
            }
            log disable
            protocol udp
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            interface-type all
            mss 1412
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        description "Bell ONT"
        duplex auto
        speed auto
        vif 35 {
            description "Bell PPPoE"
            mtu 1492
            pppoe 0 {
                default-route force
                description "Bell PPPoE"
                firewall {
                    in {
                        name WAN_IN
                    }
                    local {
                        name WAN_LOCAL
                    }
                }
                mtu 1492
                name-server none
                password Your-Password-Goes-Here
                user-id b1xxxx00 
            }
        }
        vif 36 {
            address dhcp
            description "Bell IPTV"
            dhcp-options {
                default-route no-update
                default-route-distance 210
                name-server no-update
            }
            egress-qos "0:4 1:4 2:4 3:4 4:4 5:4 6:4 7:4"
            firewall {
                in {
                    name IPTV_IN
                }
                local {
                    name IPTV_LOCAL
                }
            }
            mtu 1500
        }
    }
    ethernet eth1 {
        address 172.22.43.0/22
        description "GigE LAN Switch"
        duplex auto
        speed auto
    }
    ethernet eth2 {
        address 172.22.100.1/24
        description "GigE LAN Two"
        duplex auto
        speed auto
    }
    loopback lo {
    }
    openvpn vtun0 {
        description "OpenVPN Interface"
        encryption aes256
        hash sha512
        mode server
        openvpn-option --tls-server
        openvpn-option "--proto udp"
        openvpn-option "--port 993"
        openvpn-option "--tun-mtu 1400"
        openvpn-option --persist-key
        openvpn-option --persist-tun
        openvpn-option "--keepalive 10 120"
        openvpn-option --comp-lzo
        openvpn-option "--user nobody"
        openvpn-option "--group nogroup"
        server {
            name-server 172.22.43.5
            push-route 172.22.40.0/22
            subnet 172.22.50.0/24
            topology subnet
        }
        tls {
            ca-cert-file /config/auth/cacert.pem
            cert-file /config/auth/host.pem
            dh-file /config/auth/dhp.pem
            key-file /config/auth/host-decrypted.key
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface eth1
    rule 1 {
        description HTTPS
        forward-to {
            address 172.22.43.5
            port 443
        }
        original-port 443
        protocol tcp_udp
    }
    rule 2 {
        description HTTP
        forward-to {
            address 172.22.43.5
            port 80
        }
        original-port 80
        protocol tcp_udp
    }
    rule 3 {
        description SCEP
        forward-to {
            address 172.22.43.5
            port 1640
        }
        original-port 1640
        protocol tcp_udp
    }
    wan-interface pppoe0
}
protocols {
    igmp-proxy {
        interface eth0.36 {
            alt-subnet 0.0.0.0/0
            role upstream
            threshold 1
        }
        interface eth2 {
            alt-subnet 0.0.0.0/0
            role downstream
            threshold 1
        }
    }
    static {
        route 10.0.0.0/8 {
            next-hop 10.241.80.1 {
                description "IPTV Route"
                distance 1
            }
        }
        route 10.0.180.0/24 {
            next-hop 172.22.43.1 {
                description "Route to Cisco 1811 Via 3560G"
                distance 1
            }
        }
        route 172.24.96.0/22 {
            next-hop 172.22.43.1 {
                description "Route to Cisco 3560G 172.24.96.x"
                distance 1
            }
        }
        route 192.168.43.0/24 {
            next-hop 172.22.43.1 {
                description "Route to Cisco 3560G 192.168.43.x"
                distance 1
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name LAN2 {
            authoritative disable
            description "LAN2 DHCP Server"
            subnet 172.22.100.0/24 {
                default-router 172.22.100.1
                dns-server 10.2.127.228
                dns-server 10.2.127.196
                dns-server 172.22.100.1
                domain-name home
                lease 7200
                start 172.22.100.50 {
                    stop 172.22.100.230
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        dynamic {
            interface pppoe0 {
                service dyndns {
                    host-name hostname.no-ip.com
                    login username
                    password input-dynamic-dns-password
                    server dynupdate.no-ip.com
                }
            }
        }
        forwarding {
            cache-size 300
            listen-on eth2
            listen-on eth1
            name-server 205.236.148.130
            name-server 205.236.148.131
            name-server 205.151.222.251
            name-server 74.82.42.42
            name-server 156.154.70.1
            name-server 8.8.4.4
            name-server 4.2.2.4
            options server=/bell.ca/10.2.127.196
            options server=/bell.com/10.2.127.196
            options server=/bell.com/10.2.127.22
            options server=/bell.ca/10.2.127.228
            system
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers disable
    }
    lldp {
        interface eth1 {
        }
        interface eth2 {
        }
    }
    nat {
        rule 5010 {
            description "Network NAT on PPPoE0 WAN"
            log disable
            outbound-interface pppoe0
            type masquerade
        }
        rule 5011 {
            description "Bell IPTV"
            destination {
                address 10.0.0.0/8
            }
            log disable
            outbound-interface eth0.36
            protocol all
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    ubnt-discover {
        disable
    }
    upnp {
        listen-on eth1 {
            outbound-interface pppoe0
        }
        listen-on eth2 {
            outbound-interface pppoe0
        }
    }
    upnp2 {
        acl {
            rule 10 {
                action deny
                description "Block Port 4500"
                external-port 4500
                local-port 0-65535
                subnet 172.22.40.0/22
            }
        }
        listen-on eth1
        nat-pmp enable
        secure-mode enable
        wan pppoe0
    }
}
system {
    config-management {
        commit-revisions 10
    }
    domain-name domain.com
    host-name edge
    login {
        banner {
            post-login "*********************   Welcome Home   ********************\n\n"
            pre-login "************************************************************\n\n* * * * * *            WARNING NOTICE.           * * * * * *\n \n* This system is restricted solely to myself.              *\n* The actual or attempted unauthorized access, use,        *\n* or modification of this system is strictly prohibited.   *\n* The use of this system may be monitored and recorded for *\n* administrative and security purpose.                     *\n \n************************************************************\n\n\n"
        }
        user superadmin {
            authentication {
                encrypted-password $6wEj14faDFvKDSL1uLzSqRa42.wYSs3Jl.3gqyDecR1
                public-keys user@myfirstMacBook.local {
                    key PublicKey#1
                    type ssh-rsa
                }
                public-keys user@mysecondMacBook.local {
                    key PublicKey#2
                    type ssh-rsa
                }
            }
            level admin
        }
    }
    name-server 127.0.0.1
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
        server time.apple.com {
            prefer
        }
    }
    offload {
        hwnat disable
        ipsec enable
        ipv4 {
            forwarding enable
            gre enable
            pppoe enable
            vlan enable
        }
    }
    package {
        repository jessie {
            components "main contrib non-free"
            distribution jessie
            password ""
            url http://debian.mirror.gtcomm.net/debian
            username ""
        }
    }
    syslog {
        global {
            archive {
                files 5
                size 1024
            }
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    task-scheduler {
        task l2tp_IP_logrotate {
            executable {
                arguments /config/scripts/l2tp_iplogrotate.conf
                path /usr/sbin/logrotate
            }
            interval 1d
        }
        task l2tp_IP_update {
            executable {
                arguments "2>&1 >> /var/log/l2tp_ipupdate.log"
                path /config/scripts/l2tp_update_ip
            }
            interval 60m
        }
    }
    time-zone America/Montreal
    traffic-analysis {
        dpi enable
        export enable
    }
}
vpn {
    ipsec {
        auto-firewall-nat-exclude disable
        esp-group IKE {
            compression disable
            lifetime 7200
            mode tunnel
            pfs enable
            proposal 1 {
                encryption aes256
                hash sha256
            }
        }
        ike-group IKE {
            dead-peer-detection {
                action clear
                interval 15
                timeout 45
            }
            ikev2-reauth no
            key-exchange ikev2
            lifetime 14400
            proposal 1 {
                dh-group 14
                encryption aes256
                hash sha512
            }
            proposal 2 {
                dh-group 5
                encryption aes256
                hash sha256
            }
        }
        ipsec-interfaces {
            interface pppoe0
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username username {
                        password An othe Super Secret password
                    }
                }
                mode local
            }
            client-ip-pool {
                start 172.22.43.100
                stop 172.22.43.110
            }
            description "L2TP Interface"
            dns-servers {
                server-1 172.22.43.5
            }
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret SupeSecret
                }
                ike-lifetime 3600
            }
            mtu 1024
            outside-address 65.66.171.213
        }
    }
}
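
An added example, not part of the original post: the route lookup near the top of this post takes every "router" line from the lease listing, so a second DHCP client interface would put two addresses into the generated command. The sketch below reads only the eth0.36 lease, accepts the gateway only if it is a valid address inside 10.0.0.0/8, and can tell when the next-hop saved in the config no longer matches the lease. The lease text, the eth1 entry and the function names are constructed for illustration; the "label : value" layout is assumed from the post's awk '{ print $3 }'.

```shell
#!/bin/sh
# Added example (not from the original post): derive the IPTV next-hop from the
# DHCP lease of one named interface instead of from every "router" line.

# Constructed sample in the "label : value" layout that the post's
# awk '{ print $3 }' relies on. The eth1 lease is hypothetical and is
# included only to show why the lookup should be scoped to eth0.36.
SAMPLE_LEASES='interface  : eth1
ip address : 192.0.2.10 [Active]
subnet mask: 255.255.255.0
router     : 192.0.2.1
reason     : BOUND

interface  : eth0.36
ip address : 10.241.80.25 [Active]
subnet mask: 255.255.252.0
router     : 10.241.80.1
reason     : BOUND'

# lease_router IFACE: read lease text on stdin, print the router of IFACE only.
lease_router() {
    awk -v want="$1" '
        $1 == "interface" { cur = $3 }
        $1 == "router" && cur == want { print $3; exit }
    '
}

# is_iptv_gateway ADDR: succeed only for a well-formed IPv4 address in 10.0.0.0/8.
is_iptv_gateway() {
    echo "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }
        $1 != 10 { exit 1 }
    '
}

# iptv_route_cmd IFACE: print the static-route command for the lease on stdin,
# or fail without output when the gateway is missing or outside 10.0.0.0/8.
iptv_route_cmd() {
    gw=$(lease_router "$1")
    is_iptv_gateway "$gw" || return 1
    echo "set protocols static route 10.0.0.0/8 next-hop $gw"
}

# route_is_stale IFACE CONFIGURED_NEXT_HOP: succeed when the lease gateway
# differs from the configured next-hop (a missing lease also counts as stale).
route_is_stale() {
    gw=$(lease_router "$1")
    [ "$gw" != "$2" ]
}

# Demo on the constructed sample; on the router, pipe in the real lease output.
printf '%s\n' "$SAMPLE_LEASES" | iptv_route_cmd eth0.36
if printf '%s\n' "$SAMPLE_LEASES" | route_is_stale eth0.36 10.241.84.1; then
    echo "configured next-hop no longer matches the eth0.36 lease"
fi
```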

 

New Member
Posts: 12
Registered: ‎08-27-2016
Kudos: 12

Re: Bell PPPoE and IPTV with FTTH, Guide, configuration and tidbits.

[ Edited ]

Aaaaaaaand, the cheat sheet:

 

#### Cheat Sheet ####
### Basic Stuff for firewall
set firewall all-ping enable
set firewall broadcast-ping disable
set firewall ipv6-receive-redirects disable
set firewall ipv6-src-route disable
set firewall ip-src-route disable
set firewall log-martians enable
set firewall receive-redirects disable
set firewall send-redirects enable
set firewall source-validation disable
set firewall syn-cookies enable

### Rules for IPTV IN - VLAN36 To LAN
set firewall name IPTV_IN default-action drop
set firewall name IPTV_IN description "IPTV to LAN"
set firewall name IPTV_IN rule 5 action accept
set firewall name IPTV_IN rule 5 description "Accept Established"
set firewall name IPTV_IN rule 5 log disable
set firewall name IPTV_IN rule 5 protocol all
set firewall name IPTV_IN rule 5 state established enable
set firewall name IPTV_IN rule 5 state related enable
set firewall name IPTV_IN rule 10 action accept
set firewall name IPTV_IN rule 10 description "Allow IGMP"
set firewall name IPTV_IN rule 10 log disable
set firewall name IPTV_IN rule 10 protocol igmp
set firewall name IPTV_IN rule 20 action accept
set firewall name IPTV_IN rule 20 description "Allow IPTV-Bell"
set firewall name IPTV_IN rule 20 log disable
set firewall name IPTV_IN rule 20 protocol udp
set firewall name IPTV_IN rule 20 destination address 239.0.0.0/8
set firewall name IPTV_IN rule 20 source address 10.0.0.0/8
set firewall name IPTV_IN rule 30 action drop
set firewall name IPTV_IN rule 30 description "Drop Invalid"
set firewall name IPTV_IN rule 30 log disable
set firewall name IPTV_IN rule 30 protocol all
set firewall name IPTV_IN rule 30 state invalid enable

### Rules for IPTV LOCAL - VLAN36 To Router
set firewall name IPTV_LOCAL default-action drop
set firewall name IPTV_LOCAL description "IPTV to Router"
set firewall name IPTV_LOCAL rule 5 action accept
set firewall name IPTV_LOCAL rule 5 description "Accept Established"
set firewall name IPTV_LOCAL rule 5 log disable
set firewall name IPTV_LOCAL rule 5 protocol all
set firewall name IPTV_LOCAL rule 5 state established enable
set firewall name IPTV_LOCAL rule 5 state related enable
set firewall name IPTV_LOCAL rule 10 action accept
set firewall name IPTV_LOCAL rule 10 description "Allow IPTV-UDP"
set firewall name IPTV_LOCAL rule 10 log disable
set firewall name IPTV_LOCAL rule 10 protocol udp
set firewall name IPTV_LOCAL rule 10 destination address 239.0.0.0/8
set firewall name IPTV_LOCAL rule 10 source address 10.0.0.0/8
set firewall name IPTV_LOCAL rule 20 action accept
set firewall name IPTV_LOCAL rule 20 description "Allow IGMP"
set firewall name IPTV_LOCAL rule 20 log disable
set firewall name IPTV_LOCAL rule 20 protocol igmp
set firewall name IPTV_LOCAL rule 30 action accept
set firewall name IPTV_LOCAL rule 30 description "Allow ICMP"
set firewall name IPTV_LOCAL rule 30 log disable
set firewall name IPTV_LOCAL rule 30 protocol icmp
set firewall name IPTV_LOCAL rule 60 action drop
set firewall name IPTV_LOCAL rule 60 description "Drop Invalid"
set firewall name IPTV_LOCAL rule 60 log disable
set firewall name IPTV_LOCAL rule 60 protocol all
set firewall name IPTV_LOCAL rule 60 state invalid enable

### Rules for WAN-IN WAN to LAN
set firewall name WAN_IN default-action drop
set firewall name WAN_IN description "WAN to Internal"
set firewall name WAN_IN rule 5 action accept
set firewall name WAN_IN rule 5 description "Accept Established"
set firewall name WAN_IN rule 5 log disable
set firewall name WAN_IN rule 5 protocol all
set firewall name WAN_IN rule 5 state established enable
set firewall name WAN_IN rule 5 state related enable
set firewall name WAN_IN rule 60 action drop
set firewall name WAN_IN rule 60 description "Drop Invalid"
set firewall name WAN_IN rule 60 log disable
set firewall name WAN_IN rule 60 protocol all
set firewall name WAN_IN rule 60 state invalid enable

### Rules for WAN-Local - WAN To Router
set firewall name WAN_LOCAL default-action drop
set firewall name WAN_LOCAL description "WAN to Router"
set firewall name WAN_LOCAL rule 5 action accept
set firewall name WAN_LOCAL rule 5 description "Accept Established"
set firewall name WAN_LOCAL rule 5 log disable
set firewall name WAN_LOCAL rule 5 protocol all
set firewall name WAN_LOCAL rule 5 state established enable
set firewall name WAN_LOCAL rule 5 state related enable
set firewall name WAN_LOCAL rule 60 action drop
set firewall name WAN_LOCAL rule 60 description "Drop Invalid"
set firewall name WAN_LOCAL rule 60 log disable
set firewall name WAN_LOCAL rule 60 protocol all
set firewall name WAN_LOCAL rule 60 state invalid enable
### MSS Clamping (Well because of PPPoE)
set firewall options mss-clamp interface-type all
set firewall options mss-clamp mss 1412
### Ethernet0 - Bell ONT Interface
set interfaces ethernet eth0 description "Bell ONT"
set interfaces ethernet eth0 duplex auto
set interfaces ethernet eth0 speed auto
set interfaces ethernet eth0 vif 35 description "Bell VLAN35 Internet"
set interfaces ethernet eth0 vif 35 mtu 1492
set interfaces ethernet eth0 vif 35 pppoe 0 default-route force
set interfaces ethernet eth0 vif 35 pppoe 0 description "Bell PPPoE"
set interfaces ethernet eth0 vif 35 pppoe 0 firewall in name WAN_IN
set interfaces ethernet eth0 vif 35 pppoe 0 firewall local name WAN_LOCAL
set interfaces ethernet eth0 vif 35 pppoe 0 mtu 1492
set interfaces ethernet eth0 vif 35 pppoe 0 name-server none
set interfaces ethernet eth0 vif 35 pppoe 0 password your-bell-password
set interfaces ethernet eth0 vif 35 pppoe 0 user-id b1xxxxxx
set interfaces ethernet eth0 vif 36 address dhcp
set interfaces ethernet eth0 vif 36 description "Bell VLAN36 IPTV"
set interfaces ethernet eth0 vif 36 dhcp-options default-route no-update
set interfaces ethernet eth0 vif 36 dhcp-options default-route-distance 210
set interfaces ethernet eth0 vif 36 dhcp-options name-server no-update
set interfaces ethernet eth0 vif 36 egress-qos "0:4 1:4 2:4 3:4 4:4 5:4 6:4 7:4"
set interfaces ethernet eth0 vif 36 firewall in name IPTV_IN
set interfaces ethernet eth0 vif 36 firewall local name IPTV_LOCAL
set interfaces ethernet eth0 vif 36 mtu 1500
### Ethernet1 - Primary LAN Interface
set interfaces ethernet eth1 address 172.22.40.1/22
set interfaces ethernet eth1 description "Primary LAN"
set interfaces ethernet eth1 duplex auto
set interfaces ethernet eth1 speed auto
### Ethernet2 - Secondary LAN Interface - Where i put my IPTV Terminals
set interfaces ethernet eth2 address 172.22.100.1/24
set interfaces ethernet eth2 description "Secondary LAN"
set interfaces ethernet eth2 duplex auto
set interfaces ethernet eth2 speed auto
### Set IGMP Proxy
set protocols igmp-proxy interface eth0.36 alt-subnet 0.0.0.0/0
set protocols igmp-proxy interface eth0.36 role upstream
set protocols igmp-proxy interface eth0.36 threshold 1
set protocols igmp-proxy interface eth2 alt-subnet 0.0.0.0/0
set protocols igmp-proxy interface eth2 role downstream
set protocols igmp-proxy interface eth2 threshold 1
### Static Routes
set protocols static route 10.0.0.0/8 next-hop 10.241.80.1 description "IPTV Route"
set protocols static route 10.0.0.0/8 next-hop 10.241.80.1 distance 1
### DHCP Server
set service dhcp-server disabled false
set service dhcp-server hostfile-update disable
set service dhcp-server use-dnsmasq disable
set service dhcp-server shared-network-name LAN1
set service dhcp-server shared-network-name LAN1 authoritative disable
set service dhcp-server shared-network-name LAN1 description "LAN1 DHCP Server"
set service dhcp-server shared-network-name LAN1 subnet 172.22.40.0/22
set service dhcp-server shared-network-name LAN1 subnet 172.22.40.0/22 default-router 172.22.40.1
set service dhcp-server shared-network-name LAN1 subnet 172.22.40.0/22 dns-server 172.22.40.1
set service dhcp-server shared-network-name LAN1 subnet 172.22.40.0/22 domain-name domain.com
set service dhcp-server shared-network-name LAN1 subnet 172.22.40.0/22 lease 3600
set service dhcp-server shared-network-name LAN1 subnet 172.22.40.0/22 start 172.22.40.100 stop 172.22.43.254
set service dhcp-server shared-network-name LAN2
set service dhcp-server shared-network-name LAN2 authoritative disable
set service dhcp-server shared-network-name LAN2 description "LAN2 DHCP Server"
set service dhcp-server shared-network-name LAN2 subnet 172.22.100.0/24
set service dhcp-server shared-network-name LAN2 subnet 172.22.100.0/24 default-router 172.22.100.1
set service dhcp-server shared-network-name LAN2 subnet 172.22.100.0/24 dns-server 172.22.100.1
set service dhcp-server shared-network-name LAN2 subnet 172.22.100.0/24 dns-server 10.2.127.228
set service dhcp-server shared-network-name LAN2 subnet 172.22.100.0/24 dns-server 10.2.127.196
set service dhcp-server shared-network-name LAN2 subnet 172.22.100.0/24 domain-name domain.com
set service dhcp-server shared-network-name LAN2 subnet 172.22.100.0/24 lease 7200
set service dhcp-server shared-network-name LAN2 subnet 172.22.100.0/24 start 172.22.100.50 stop 172.22.100.200

### DNS Service (Forwarder) - The forwarding DNS Servers are from various sources gathered using namebench
### Just adjust the set service dns forwarding name-server <dns server IP> for what you like
set service dns forwarding cache-size 300
set service dns forwarding listen-on eth2
set service dns forwarding listen-on eth1
set service dns forwarding name-server 205.236.148.130
set service dns forwarding name-server 205.236.148.131
set service dns forwarding name-server 205.151.222.251
set service dns forwarding name-server 74.82.42.42
set service dns forwarding name-server 156.154.70.1
set service dns forwarding name-server 8.8.4.4
set service dns forwarding name-server 4.2.2.4
set service dns forwarding options server=/bell.ca/10.2.127.196
set service dns forwarding options server=/bell.com/10.2.127.196
set service dns forwarding options server=/bell.com/10.2.127.22
set service dns forwarding options server=/bell.ca/10.2.127.228
set service dns forwarding system

### Other Misc Stuff (Not that much relevant but still)
set service gui http-port 80
set service gui https-port 443
set service gui older-ciphers disable

### NAT Rules for PPPoE and IPTV
set service nat rule 5010 description "Network NAT on PPPoE WAN"
set service nat rule 5010 outbound-interface pppoe0
set service nat rule 5010 type masquerade
set service nat rule 5010 log disable
set service nat rule 5011 description "Bell IPTV NAT"
set service nat rule 5011 destination address 10.0.0.0/8
set service nat rule 5011 log disable
set service nat rule 5011 outbound-interface eth0.36
set service nat rule 5011 protocol all
set service nat rule 5011 type masquerade

### System Settings
set system domain-name domain.com
set system host-name edgerouter
set system name-server 127.0.0.1
set system offload ipsec enable
set system offload ipv4 forwarding enable
set system offload ipv4 gre enable
set system offload ipv4 pppoe enable
set system offload ipv4 vlan enable
set system time-zone America/Montreal
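
An added example, not part of the original post: a check to run over a command list like the cheat sheet above before pasting it. It reports rulesets that an interface references but the list never defines, rulesets whose policy is not an explicit default-action drop (including the keyword written as two words, which does not match the default-action node in the full config), and rulesets that are defined but attached to no interface. The sample commands, the function name and the ruleset name GUEST_IN are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a pasted list of
# EdgeOS "set" commands before committing them.

# Constructed sample. GUEST_IN is a hypothetical ruleset name; the others
# reuse names from the post with deliberately introduced problems.
SAMPLE_CMDS='set firewall name WAN_IN default-action drop
set firewall name WAN_IN rule 5 action accept
set firewall name WAN_IN rule 5 state established enable
set firewall name WAN_LOCAL default action drop
set firewall name WAN_LOCAL rule 5 action accept
set firewall name IPTV_IN default-action accept
set firewall name GUEST_IN default-action drop
set interfaces ethernet eth0 vif 35 pppoe 0 firewall in name WAN_IN
set interfaces ethernet eth0 vif 35 pppoe 0 firewall local name WAN_LOCAL
set interfaces ethernet eth0 vif 36 firewall in name IPTV_IN
set interfaces ethernet eth0 vif 36 firewall local name IPTV_LOCAL'

# audit_rulesets: read "set" commands on stdin and print one
# "<ruleset> <finding>" line per problem, sorted by ruleset name.
audit_rulesets() {
    awk '
        # Ruleset definitions: remember the name and its stated policy.
        $1 == "set" && $2 == "firewall" && $3 == "name" && NF >= 4 {
            defined[$4] = 1
            if ($5 == "default-action") policy[$4] = $6
            if ($5 == "default" && $6 == "action") split_kw[$4] = 1
            next
        }
        # Attachments: "... firewall <in|local|out> name <ruleset>" at any depth.
        $1 == "set" && $2 == "interfaces" {
            for (i = 3; i + 3 <= NF; i++)
                if ($i == "firewall" && $(i + 2) == "name")
                    attached[$(i + 3)] = 1
        }
        END {
            for (n in attached) {
                if (!(n in defined))          print n, "undefined"
                else if (n in split_kw)       print n, "malformed-default-action"
                else if (!(n in policy))      print n, "no-explicit-default-action"
                else if (policy[n] != "drop") print n, "default-action-" policy[n]
            }
            for (n in defined)
                if (!(n in attached)) print n, "not-attached"
        }
    ' | LC_ALL=C sort
}

# Demo on the constructed sample; on a real list use: audit_rulesets < file
printf '%s\n' "$SAMPLE_CMDS" | audit_rulesets
```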
 

Ubiquiti Employee
Posts: 2,082
Registered: ‎10-05-2015
Kudos: 631
Solutions: 186

Re: Bell PPPoE and IPTV with FTTH, Guide, configuration and tidbits.

Nice write-up! Thanks for posting @powermarc.

Senior Member
Posts: 3,101
Registered: ‎05-15-2014
Kudos: 1077
Solutions: 216

Re: Bell PPPoE and IPTV with FTTH, Guide, configuration and tidbits.

Just FYI, similar topic here Edgerouter Lite - Getting rid of Bell Canada's Homehub2000 ( Internet AND IPTV ) FTTH

TEKUX - IT Consulting and Services
New Member
Posts: 12
Registered: ‎08-27-2016
Kudos: 12

Re: Bell PPPoE and IPTV with FTTH, Guide, configuration and tidbits.

This is where I picked up my initial information. However, it was a little confused with multiple modifications. So I thought writing up from scratch would serve everyone's interest.

Senior Member
Posts: 3,101
Registered: ‎05-15-2014
Kudos: 1077
Solutions: 216

Re: Bell PPPoE and IPTV with FTTH, Guide, configuration and tidbits.

Can you re-paste your config using the code formatting from toolbar? the </> 6th from left.

TEKUX - IT Consulting and Services
New Member
Posts: 12
Registered: ‎08-27-2016
Kudos: 12

Re: Bell PPPoE and IPTV with FTTH, Guide, configuration and tidbits.

Edited and done!

New Member
Posts: 7
Registered: ‎11-15-2016
Kudos: 1

Re: Bell PPPoE and IPTV with FTTH, Guide, configuration and tidbits.

Thanks for your great job powermarc!

 

TV and internet is working without the bell router here: this is GREAT!

 

However, I noticed I was not able to get the dyndns service working. With this configuration I can't curl an https address (error 35). So when the ddclient launches itself, it can't connect to the URL and update the IP...

 

Can you please confirm if you are able to use the dyndns service? If not can you check if you can curl a https address?

New Member
Posts: 12
Registered: ‎08-27-2016
Kudos: 12

Re: Bell PPPoE and IPTV with FTTH, Guide, configuration and tidbits.

I'm using the no-ip.com service, and it does work with them (using the dyndns method). Just make sure that you apply the dynamic DNS setup to the pppoe interface (common mistake).

 

Some useful info links here:

 

https://help.ubnt.com/hc/en-us/articles/204952234-EdgeMAX-Dynamic-DNS-commands

https://community.ubnt.com/t5/EdgeMAX/DDNS-for-NO-IP/td-p/492809

https://community.ubnt.com/t5/EdgeMAX/Dynamic-DNS-problem-edge-router-lite/m-p/782656

 

 

 

 

 

 

New Member
Posts: 7
Registered: ‎11-15-2016
Kudos: 1

Re: Bell PPPoE and IPTV with FTTH, Guide, configuration and tidbits.

Thank you!

 

New Member
Posts: 1
Registered: ‎03-09-2017

Re: Bell PPPoE and IPTV with FTTH, Guide, configuration and tidbits.

Thanks for the great guide!

New Member
Posts: 5
Registered: ‎03-20-2017

Re: Bell PPPoE and IPTV with FTTH, Guide, configuration and tidbits.

re: powermarc

Excellent thread, and special thanks to powermarc for sharing. I am considering purchasing the ERLite-3 and find one portion of the configuration a little puzzling; alas, I cannot test my assumptions yet.

The MTU configuration for the eth0 configuration seems a little odd to me, since the PPP session will take up 8 bytes? Should it not be the following:

set interfaces ethernet eth0 vif 35 description "Bell VLAN35 Internet"

set interfaces ethernet eth0 vif 35 mtu 1500
set interfaces ethernet eth0 vif 35 pppoe 0 mtu 1492


Also, if the ERLite-3 and the dumb switch between the ONT and the ERLite-3 support jumbo frames, I believe the Bell PPPoE supports RFC 4638 baby jumbo frames and the following configuration should also work:

set interfaces ethernet eth0 vif 35 description "Bell VLAN35 Internet"
set interfaces ethernet eth0 vif 35 mtu 1508
set interfaces ethernet eth0 vif 35 pppoe 0 mtu 1500
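
The arithmetic behind the question in the post above, as an added example that is not part of the original post or of EdgeOS: a small Python check that reads `set interfaces ... mtu` lines and compares each PPPoE MTU with its VLAN interface MTU, given the 8 bytes of PPPoE/PPP framing. The function name, the verdict labels, the default of 1500 for a vif without an explicit MTU, and the third sample are assumptions constructed for illustration.

```python
import re

PPPOE_OVERHEAD = 8      # 6-byte PPPoE header + 2-byte PPP protocol ID
CLASSIC_PPP_MTU = 1492  # 1500 - 8; anything larger relies on RFC 4638

# "set interfaces ethernet ethX vif N [pppoe M] mtu VALUE"
MTU_LINE = re.compile(
    r"^set interfaces ethernet (\S+) vif (\d+)(?: pppoe (\d+))? mtu (\d+)$")

# The two variants from the post, plus one constructed mismatch.
STANDARD = """set interfaces ethernet eth0 vif 35 description "Bell VLAN35 Internet"
set interfaces ethernet eth0 vif 35 mtu 1500
set interfaces ethernet eth0 vif 35 pppoe 0 mtu 1492"""
BABY_JUMBO = """set interfaces ethernet eth0 vif 35 mtu 1508
set interfaces ethernet eth0 vif 35 pppoe 0 mtu 1500"""
CONSTRUCTED_BAD = """set interfaces ethernet eth0 vif 35 mtu 1492
set interfaces ethernet eth0 vif 35 pppoe 0 mtu 1492"""

def check_pppoe_mtu(config_text, default_vif_mtu=1500):
    """Return [(vif, pppoe_id, pppoe_mtu, vif_mtu, verdict), ...]."""
    vif_mtu, pppoe_mtu = {}, {}
    for line in config_text.splitlines():
        m = MTU_LINE.match(line.strip())
        if not m:
            continue  # descriptions and unrelated lines
        iface, vlan, ppp, mtu = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if ppp is None:
            vif_mtu[(iface, vlan)] = mtu
        else:
            pppoe_mtu[(iface, vlan, ppp)] = mtu
    results = []
    for (iface, vlan, ppp), p_mtu in sorted(pppoe_mtu.items()):
        # Assumption: a vif with no explicit mtu uses default_vif_mtu.
        e_mtu = vif_mtu.get((iface, vlan), default_vif_mtu)
        if p_mtu + PPPOE_OVERHEAD > e_mtu:
            verdict = "too-large"      # PPP frame will not fit the VLAN MTU
        elif p_mtu > CLASSIC_PPP_MTU:
            verdict = "needs-rfc4638"  # fits, but the peer must negotiate it
        else:
            verdict = "ok"
        results.append((f"{iface}.{vlan}", ppp, p_mtu, e_mtu, verdict))
    return results

if __name__ == "__main__":
    for name, cfg in [("standard", STANDARD), ("baby jumbo", BABY_JUMBO),
                      ("constructed mismatch", CONSTRUCTED_BAD)]:
        print(name, check_pppoe_mtu(cfg))
```
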

New Member
Posts: 6
Registered: ‎03-30-2017

Re: Bell PPPoE and IPTV with FTTH, Guide, configuration and tidbits.

Hi, has anyone used this and just gotten the Bell Fibe logo forever on their PVR?

New Member
Posts: 1
Registered: ‎01-23-2016

Re: Bell PPPoE and IPTV with FTTH, Guide, configuration and tidbits.

Nice, thank you for your info. Can you tell us what speed you have after your mod?

Can we get to 800 to 940 Mbps?

New Member
Posts: 6
Registered: ‎03-30-2017

Re: Bell PPPoE and IPTV with FTTH, Guide, configuration and tidbits.

I've given up on the x-sfp; the highest I ever got was about 500-600 with hw nat offload, and I always maxed out at 940 with the homehub 2000,

so mine is sitting back in its box, can't even get a refund

Member
Posts: 249
Registered: ‎06-17-2015
Kudos: 67
Solutions: 12

Re: Bell PPPoE and IPTV with FTTH, Guide, configuration and tidbits.

I'm on Rogers, and I am looking for another ERX SFP. PM me if you want to get rid of it.

New Member
Posts: 2
Registered: ‎05-27-2017

Re: Bell PPPoE and IPTV with FTTH, Guide, configuration and tidbits.

pjanerio, do you still have your config? I can't get my x-sfp to connect at all.

New Member
Posts: 1
Registered: ‎07-01-2016

Re: Bell PPPoE and IPTV with FTTH, Guide, configuration and tidbits.

Thank you very much for this configuration! It works practically like a charm with my EdgeRouter X SFP.

But there's a problem that I can't resolve by myself: everything works but the live TV stops every 10 seconds. I mean, the PVR and my other receiver are working and booting fine, and I change the channel and after exactly 10 seconds, it says: "Signal lost. Restart your decoder... blablabla...". I just change the channel and it works again... for 10 seconds exactly. The VoD and PVR and play/pause and replay are working correctly. The only way I can listen to a program is by pressing "Replay" before the 10 seconds end.

Can someone help me there?

This is my configuration:
eth5/SFP is used with the Bell SFP
eth0 to eth3 is for LAN
eth4 is for IPTVs

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name IPTV_IN {
        default-action drop
        description "IPTV to LAN"
        rule 5 {
            action accept
            description "Accept Established"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 6 {
            action accept
            description "Allow IGMP"
            log disable
            protocol igmp
        }
        rule 7 {
            action accept
            description "Allow IPTV-Bell"
            destination {
                address 239.0.0.0/8
            }
            log disable
            protocol udp
            source {
                address 10.0.0.0/8
            }
        }
        rule 8 {
            action drop
            description "Drop Invalid"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name IPTV_LOCAL {
        default-action drop
        description "IPTV to LAN"
        rule 10 {
            action accept
            description "Accept Established"
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new disable
                related enable
            }
        }
        rule 20 {
            action accept
            description "Allow IPTV-Bell"
            destination {
                address 239.0.0.0/8
            }
            log disable
            protocol udp
            source {
                address 10.0.0.0/8
            }
        }
        rule 30 {
            action accept
            description "Allow IGMP"
            log disable
            protocol igmp
        }
        rule 40 {
            action accept
            description "Allow ICMP"
            log disable
            protocol icmp
        }
        rule 50 {
            action drop
            description "Drop Invalid"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    options {
        mss-clamp {
            interface-type all
            mss 1412
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        description "Wireless AP"
        duplex auto
        poe {
            output 24v
        }
        speed auto
    }
    ethernet eth1 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description Local
        duplex auto
        speed auto
    }
    ethernet eth4 {
        address 192.168.20.1/24
        description IPTV
        duplex auto
        speed auto
    }
    ethernet eth5 {
        description eth5/SFP
        duplex auto
        speed auto
        vif 35 {
            description "Bell VLAN35 Internet"
            pppoe 1 {
                default-route auto
                firewall {
                    in {
                        name WAN_IN
                    }
                    local {
                        name WAN_LOCAL
                    }
                }
                mtu 1492
                name-server auto
                password ****************
                user-id b1XXXXXX
            }
        }
        vif 36 {
            address dhcp
            description "Bell VLAN36 IPTV"
            dhcp-options {
                default-route no-update
                default-route-distance 120
                name-server no-update
            }
            egress-qos "0:4 1:4 2:4 3:4 4:4 5:4 6:4 7:4"
            mtu 1500
        }
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.11.1/24
        description Local
        mtu 1500
        switch-port {
            interface eth0 {
            }
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            vlan-aware disable
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface switch0

protocols {
    igmp-proxy {
        interface eth3 {
            alt-subnet 0.0.0.0/0
            role downstream
            threshold 1
        }
        interface eth4 {
            alt-subnet 0.0.0.0/0
            role downstream
            threshold 1
        }
        interface eth5.36 {
            alt-subnet 0.0.0.0/0
            role upstream
            threshold 1
        }
    }
    static {
        route 10.0.0.0/8 {
            next-hop 10.180.128.1 {
            }
        }
    }
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name IPTV_DHCP_Server {
            authoritative disable
            subnet 192.168.20.0/24 {
                default-router 192.168.20.1
                dns-server 192.168.20.1
                dns-server 10.2.127.228
                dns-server 10.2.127.196
                lease 86400
                start 192.168.20.10 {
                    stop 192.168.20.30
                }
            }
        }
        shared-network-name LAN {
            authoritative disable
            subnet 192.168.11.0/24 {
                default-router 192.168.11.1
                dns-server 192.168.11.1
                lease 86400
                start 192.168.11.30 {
                    stop 192.168.11.90
                }
            }
        }
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 300
            listen-on switch0
            name-server 205.236.148.130
            name-server 205.236.148.131
            name-server 205.151.222.251
            name-server 78.82.42.42
            name-server 156.154.70.1
            name-server 8.8.4.4
            name-server 4.2.2.4
            options server=/bell.ca/10.2.127.196
            options server=/bell.com/10.2.127.196
            options server=/bell.com/10.2.127.228
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "Network NAT on PPPoE WAN"
            log disable
            outbound-interface pppoe1
            type masquerade
        }
        rule 5011 {
            description "Bell IPTV NAT"
            destination {
                address 10.0.0.0/8
            }
            outbound-interface eth5.36
            protocol all
            type masquerade
        }
    }
}

    offload {
        hwnat enable
        ipsec enable
        ipv4 {
        }
    }

    time-zone America/Montreal
}

So, please!
