At this point, these are more notes for fixing it between upgrades. I use this so that I can hook my UniFi Security Gateway 3P directly up to the ONT and allow all video services to work correctly on my network, with VLANs.
There are too many references to remember for how I built this over the years, but a lot comes from multiple articles on DSLReports, along with things friends have done over time.
My Home Setup
I have multiple networks setup at my house, but in this scenario I will be using my “Home” network, which has the following details:
- Network Name: Home
- VLAN: 2
- Subnet: 192.168.1.1/24
I have the following equipment in my home also that will be used for video:
- UniFi Security Gateway 3P
- UniFi Switch 24
- Actiontec 5240 MoCA Adapters
- One of my STBs has access to coax but no Ethernet, so I use a MoCA adapter behind my switch and another in front of the Cable Box.
- Amino Cable Box
- Entone and ZTE Cable Boxes could be used also. Those have MoCA built in, which removes the need for a separate MoCA adapter at the Cable Box.
- An additional note: the Amino Cable Box is wireless, but it requires WPS to pair. Ubiquiti does not support WPS, so it will need to be connected over Ethernet (or a MoCA adapter).
Network Setup
Still a TODO. This is just a helper.
Firewall
You need to add firewall rules to allow UDP and IGMP.
- Routing & Firewall -> Firewall -> Groups
  - Group IPTVMulticastSource with address spaces 10.0.0.0/8, 172.16.0.0/12
  - Group IPTVMulticastDest with address space 239.0.0.0/8
- Routing & Firewall -> Firewall -> Rules IPv4 -> WAN IN
  - Accept UDP from group IPTVMulticastSource to group IPTVMulticastDest
  - Accept IGMP
- Routing & Firewall -> Firewall -> Rules IPv4 -> WAN LOCAL
  - Accept UDP from group IPTVMulticastSource to group IPTVMulticastDest
  - Accept IGMP
IGMP Proxy
IGMP Proxy is used so that, when multicast flows through the switch, it does not flood all the ports. It keeps track of which hosts behind which ports have asked for the traffic and keeps the packets flowing only while at least one host still needs the multicast video traffic.
SSH to the USG and add the igmp-proxy settings via the CLI to test. Run show interfaces to get a listing of all of your interfaces. eth0 will be your upstream, and whatever network you set up in step 1 will be your downstream.
After testing, to make sure the settings survive reboots and firmware updates, they need to be added to a .json file on the controller. My USG is named gateway, and I only have one site, the default site. So in my case I created config.gateway.json and put it in /srv/unifi/data/sites/default on the controller. Below is what my config.gateway.json looks like.
{
  "protocols": {
    "igmp-proxy": {
      "interface": {
        "eth0": {
          "alt-subnet": [ "0.0.0.0/0" ],
          "role": "upstream",
          "threshold": "1"
        },
        "eth1": {
          "role": "disabled",
          "threshold": "1"
        },
        "eth2": {
          "alt-subnet": [ "0.0.0.0/0" ],
          "role": "downstream",
          "threshold": "1"
        }
      }
    }
  }
}
In my config, eth0 comes from the ONT. I have a TiVo MoCA bridge on eth2; older USGs may call this interface “VOIP”. I disabled igmp-proxy on eth1, which is my data network. If you don’t set this up like mine, you may have a VLAN on eth1 that will be your downstream, especially if you don’t use a MoCA adapter like I did. Regardless, you get the gist.
ADDITIONAL REFERENCE: https://help.ubnt.com/hc/en-us/articles/215458888-UniFi-How-to-further-customize-USG-configuration-with-config-gateway-json
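Because the controller merges config.gateway.json with what it provisions, the file usually ends up carrying more than the igmp-proxy stanza, and a stray edit there can silently take the USG off the network. The helper below is an added example (not from this post or from Ubiquiti) that merges the stanza shown above into an existing config.gateway.json without clobbering other keys and sanity-checks the interface roles before writing; the file path and any other keys already present are assumptions for the demonstration.

```python
import json
from pathlib import Path

# The igmp-proxy stanza from the post: eth0 upstream (ONT), eth2 downstream (MoCA), eth1 disabled.
IGMP_PROXY = {"protocols": {"igmp-proxy": {"interface": {
    "eth0": {"alt-subnet": ["0.0.0.0/0"], "role": "upstream", "threshold": "1"},
    "eth1": {"role": "disabled", "threshold": "1"},
    "eth2": {"alt-subnet": ["0.0.0.0/0"], "role": "downstream", "threshold": "1"},
}}}}


def deep_merge(base, extra):
    """Recursively merge `extra` into `base`, keeping unrelated keys already in base."""
    for key, value in extra.items():
        if isinstance(value, dict) and isinstance(base.get(key), dict):
            deep_merge(base[key], value)
        else:
            base[key] = value
    return base


def validate_igmp_proxy(config):
    """Return a list of problems with the igmp-proxy stanza (empty means it looks sane)."""
    problems = []
    ifaces = config.get("protocols", {}).get("igmp-proxy", {}).get("interface", {})
    roles = [v.get("role") for v in ifaces.values()]
    if roles.count("upstream") != 1:
        problems.append("exactly one upstream interface is required")
    if "downstream" not in roles:
        problems.append("at least one downstream interface is required")
    for name, v in ifaces.items():
        if v.get("role") not in ("upstream", "downstream", "disabled"):
            problems.append(f"{name}: unknown role {v.get('role')!r}")
        if not str(v.get("threshold", "")).isdigit():
            problems.append(f"{name}: threshold must be a numeric string")
    return problems


def write_gateway_json(path, stanza=IGMP_PROXY):
    """Merge `stanza` into config.gateway.json at `path` (created if missing), validate, save."""
    path = Path(path)  # assumed path, e.g. /srv/unifi/data/sites/default/config.gateway.json
    config = json.loads(path.read_text()) if path.exists() else {}
    deep_merge(config, json.loads(json.dumps(stanza)))  # copy, so the constant is never mutated
    problems = validate_igmp_proxy(config)
    if problems:
        raise ValueError("; ".join(problems))
    path.write_text(json.dumps(config, indent=2) + "\n")
    return config
```

Run it against the site's config.gateway.json and then force a provision from the controller; the validation refuses to write a stanza with no upstream or no downstream, which is the mistake that leaves the STB with no video after an upgrade.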
NAT-RTSP
You need to enable NAT-RTSP directly on the USG, which is as simple as sudo modprobe nf_nat_rtsp. To survive a reboot:
# sudo mkdir /config/scripts/pre-config.d
# sudo vi /config/scripts/pre-config.d/load_nat_rtsp_module
Add the following code snippet:
#!/bin/sh
modprobe nf_nat_rtsp
And then enable it to run:
# sudo chmod ug+x /config/scripts/pre-config.d/load_nat_rtsp_module
NOTE: This survives a reboot but it may not survive a firmware update.
Additional References:
https://community.ubnt.com/t5/UniFi-Routing-Switching/Enabling-RTSP-conntrack-module-on-USG/m-p/1947251/highlight/true#M46532
UPnP
The Cable Box uses a few UPnP functions, so it’s best to enable it. The STB will still work fine if you do not enable it, but there might be some upgrade issues that require a reboot.
If you do have a fundamental issue with UPnP, you could either:
- Disable it. For the most part this will not cause issues with the current features, but it could break features in the future if anything like remote DVR management becomes a thing.
- Create another VLAN just for the STB, treat it like a DMZ, and enable UPnP just for that VLAN. I would recommend this approach.
If I understand correctly, CB won’t let you not pay the rental fee for their box, and they hand out multiple IP addresses from the ONT. Would it work to just throw a small switch behind the ONT and let their box feed the MOCA and the USG feed all the user devices? Seems simpler.
You can bring your own modem / gateway / router. The policy was put into place about two years ago. If you google “Cincinnati Bell Bring Your Own Modem”, it will show up in the listing. With that said, if you have video, I’ve had it where Ubiquiti has changed something in an upgrade that took a while to figure out. If you have family that cannot stand the TV to be around, I would hang onto it.
Check their terms and conditions though if you do, as any issues could be billed to your house if a tech comes out and determines your gear was responsible.
To your question on throwing a small switch behind the ONT, you can do that. I would warn though that the small switch has to be able to handle IGMP / multicast correctly. In my previous job, we found a few non-smart or non-managed switches that would do it 100% correctly without any bugs or issues.