My friend David asked me to help him tackle a problem with his network. He used a Unifi Security Gateway PRO 4 from Ubiquiti Networks but still wanted to run some Post IPTV STBs on his network. The solution took us some hours spread over several days, but finally the IPTV streams work fine.
Our solution
We ended up using the LAN 2 interface as the IPTV upstream port, it turns out that the Unifi Cloud configuration doesn’t allow a static IP and a PPPoE session on the same interface. Also the built-in WAN-LAN firewall blocking firewall does need adding manual rules to allow the Multicast Traffic back in via the WAN interface. Using LAN2 allowed us to handle Multicast traffic as “Corporate LAN”-to-“Corporate LAN” traffic, which Unifi allows by default, so we can add firewall rules for LAN2 as required using the Unifi Cloud Network Controller instead of using custom JSON files on the Cloud Key.
We still need a custom JSON file for the IGMP Proxy, but as this one has no configuration option inside the Unifi Cloud Network Controller and the Unifi Cloud Key, this allows us to have a clean separation between custom and Cloud configuration.
Our solution: The GUI Part
We configured a network on VLAN 35 of LAN2 according to the screenshot below.
Our solution: The JSON Part
Configuring the IGMP Proxy persistently required us to deploy a custom JSON file onto the Unifi Cloud Key. (The Cloud Controller rewrites the complete configuration on each configuration change in the network). We used the following tutorial as a starting point and inspiration. So we created a “config.gateway.json” file in /usr/lib/unifi/data/sites/$sitekey$/ with the content shown below. (This is an example. Please build your own JSON file, to make sure the JSON file is compatible with your equipment. You may do so on your own equipment and following the tutorial above.)
eth1.35 is the VLAN 35 on LAN 2 we’ve created above.
eth0 is the LAN 1 interface where we connected the Post IPTV STB. You may replace this with a VLAN interface e.g. eth0.34. Please note that the Unifi Controller doesn’t allow you to create the same numeric VLAN on 2 different interfaces (e.g. VLAN 35 on LAN1 (eth0) and LAN2 (eth1)).
{ "protocols": { "igmp-proxy": { "disable-quickleave": "''", "interface": { "eth1.35": { "alt-subnet": [ "0.0.0.0/0" ], "role": "upstream", "threshold": "1" }, "eth0": { "role": "downstream", "threshold": "1" } } } } }
Our solution: The Hardware Part
One slight problem remained. The PPPoE session to get access to the Internet is running on a WAN port, WAN1 in our case. So we had to connect the GigabitEthernet port of the POST-Fiber-ONT to the Unifi Security Gateway PRO 4’s WAN1 and LAN2 port. We did so by putting a switch between the ONT and the Unifi Security Gateway PRO 4, luckily the POST Bitstream service support several (16 AFAIR) MAC addresses per GPON line.
Thanks David for letting me publish our findings on my blog.
10 Comments
Leave a reply →