Fioptics TV service with Ubiquiti Setup

At this point, these are more notes for fixing it between upgrades. I use this so that I can hook my UniFi Security Gateway 3P directly up to the ONT and allow all video services to work correctly on my network, with VLANs.

There are too many references to remember on how I built this over the years, but a lot comes from multiple articles on DSL reports, along with things friends have done over time.

My Home Setup

I have multiple networks set up at my house, but in this scenario I will be using my “Home” network, which has the following details:

  • Network Name: Home
  • VLAN: 2
  • Subnet: 192.168.1.1/24

I have the following equipment in my home also that will be used for video:

  • UniFi Security Gateway 3P
  • UniFi Switch 24
  • Actiontec 5240 MoCA Adapters
    • One of my STBs has access to coax but no Ethernet, so I use a MoCA adapter behind my switch and another in front of the Cable Box.
  • Amino Cable Box
    • Entone and ZTE Cable Boxes could be used also. Those have MoCA built in, which reduces the need for a MoCA adapter connected to the Cable Box.
    • An additional note: the Amino Cable Box is wireless, but requires WPS to sync up. Ubiquiti does not support WPS, so it will need to be connected with Ethernet (or a MoCA adapter).

Network Setup

Still a TODO. This is just a helper.

Firewall

You need to add firewall rules to allow UDP and IGMP.

  • Routing & Firewall -> Firewall -> Groups
    • group IPTVMulticastSource with address spaces 10.0.0.0/8, 172.16.0.0/12
    • group IPTVMulticastDest with address space 239.0.0.0/8
  • Routing & Firewall -> Firewall -> Rules IPv4 -> WAN IN
    • Accept UDP from group IPTVMulticastSource to group IPTVMulticastDest
    • Accept IGMP
  • Routing & Firewall -> Firewall -> Rules IPv4 -> WAN LOCAL
    • Accept UDP from group IPTVMulticastSource to group IPTVMulticastDest
    • Accept IGMP

IGMP Proxy

IGMP Proxy is used so that multicast flowing through the switch does not flood all the ports. It keeps track of which hosts behind which ports need the traffic and keeps the packets flowing as long as at least one host needs the multicast video traffic.

SSH to the USG and add the igmp-proxy settings via the CLI to test. You can run show interfaces to get a listing of all of your interfaces. eth0 will be your upstream and whatever network you set up in step 1 will be your downstream.

After testing, and to make sure the settings survive reboots and firmware updates, the settings need to be added to a .json file on the controller. My USG is named gateway. I only have one site, which is the default site. So in my case, I created config.gateway.json and put it in /srv/unifi/data/sites/default on the controller. Below is what my config.gateway.json looks like.

{
    "protocols": {
            "igmp-proxy": {
                    "interface": {
                            "eth0": {
                                    "alt-subnet": [
                                            "0.0.0.0/0"
                                    ],
                                    "role": "upstream",
                                    "threshold": "1"
                            },
                            "eth1": {
                                    "role": "disabled",
                                    "threshold": "1"
                            },
                            "eth2": {
                                    "alt-subnet": [
                                            "0.0.0.0/0"
                                    ],
                                    "role": "downstream",
                                    "threshold": "1"
                            }
                    }
            }
    }
}

In my config, eth0 is coming from the ONT. I have a TiVo MoCA bridge on eth2. Older USGs may call this interface “VOIP”. I disabled igmp-proxy on eth1, which is my data network. If you don’t set this up like mine, you may have a VLAN on eth1 that will be your downstream, especially if you don’t use a MoCA adapter like I did. Regardless, you get the gist.

ADDITIONAL REFERENCE: https://help.ubnt.com/hc/en-us/articles/215458888-UniFi-How-to-further-customize-USG-configuration-with-config-gateway-json
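
A pre-deployment check for the igmp-proxy section above, as an added example (not part of the original notes and not Ubiquiti tooling). It confirms the file parses as JSON, that there is exactly one upstream and at least one downstream, and flags an upstream alt-subnet that is broader than the IPTVMulticastSource firewall group. The function name and the assumption that the provider's multicast sources sit inside those two ranges are mine.

```python
import ipaddress
import json

# Constructed sample: the igmp-proxy section from these notes, compacted.
SAMPLE = """
{"protocols": {"igmp-proxy": {"interface": {
  "eth0": {"alt-subnet": ["0.0.0.0/0"], "role": "upstream", "threshold": "1"},
  "eth1": {"role": "disabled", "threshold": "1"},
  "eth2": {"alt-subnet": ["0.0.0.0/0"], "role": "downstream", "threshold": "1"}
}}}}
"""

# Source ranges taken from the IPTVMulticastSource firewall group (assumption:
# the provider's multicast senders all live inside these ranges).
ALLOWED_SOURCES = ["10.0.0.0/8", "172.16.0.0/12"]


def lint_igmp_proxy(text, allowed_sources=ALLOWED_SOURCES):
    """Return a list of findings for a config.gateway.json string."""
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON (line {exc.lineno}): {exc.msg}"]
    try:
        ifaces = cfg["protocols"]["igmp-proxy"]["interface"]
    except (KeyError, TypeError):
        return ["no protocols/igmp-proxy/interface section"]

    findings = []
    allowed = [ipaddress.ip_network(n) for n in allowed_sources]
    roles = [v.get("role") for v in ifaces.values()]
    if roles.count("upstream") != 1:
        findings.append(f"expected exactly one upstream, found {roles.count('upstream')}")
    if "downstream" not in roles:
        findings.append("no downstream interface")
    for name, iface in sorted(ifaces.items()):
        if iface.get("role") != "upstream":
            continue  # only the WAN-facing side is compared with the firewall group
        for subnet in iface.get("alt-subnet", []):
            net = ipaddress.ip_network(subnet, strict=False)
            if not any(net.subnet_of(a) for a in allowed):
                findings.append(f"{name}: alt-subnet {subnet} is not inside the firewall source group")
    return findings


if __name__ == "__main__":
    for line in lint_igmp_proxy(SAMPLE) or ["ok"]:
        print(line)
```

Run it against the real file before copying it to the controller; an empty result means the structure is sound and the upstream alt-subnet matches what the WAN firewall rules already allow.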

NAT-RTSP

NAT RTSP needs to be enabled directly on the USG, which is as simple as running sudo modprobe nf_nat_rtsp. To survive a reboot:

# sudo mkdir /config/scripts/pre-config.d
# sudo vi /config/scripts/pre-config.d/load_nat_rtsp_module

Add the following code snippet:

#!/bin/sh
modprobe nf_nat_rtsp

And then enable it to run:

# sudo chmod ug+x /config/scripts/pre-config.d/load_nat_rtsp_module

NOTE: This survives a reboot but it may not survive a firmware update.

Additional References:
https://community.ubnt.com/t5/UniFi-Routing-Switching/Enabling-RTSP-conntrack-module-on-USG/m-p/1947251/highlight/true#M46532

UPnP

There are a few functions used by the Cable Box for UPnP, so it’s best to enable it. The STB will still work fine if you do not enable it, but there might be some upgrade issues that require a reboot.

If you do have a fundamental issue with UPnP, you could either:

  • Disable it. For the most part, this will not cause issues with the current features. It could break features in the future if anything like remote DVR management starts becoming a thing.
  • Create another VLAN just for the STB, treat it like a DMZ, and enable UPnP just for that VLAN. I would recommend this approach.
