
Bell PPPoE and IPTV with FTTH, Guide, configuration and tidbits.


Hi all.
 
After gathering information here and there, some Wireshark analysis (including digging out that old 10/100 *hub* you forgot you had, which is so useful for this purpose) and a few missed recordings that made my wife mad (in the name of testing), Bell IPTV is working on my ERLite-3. And I feel like sharing the whole story for those who wonder how the hell we do that.
 
This is a setup for Bell Canada Fibe service (FTTH), for people who use PPPoE logins. I think this service is specific to Quebec and Ontario, Canada. (FibreOP uses slightly different shenanigans, including DHCP instead of PPPoE, and carries IPTV on VLAN 34 instead of 36.)
 
Before we start: my setup is a little weird. My LAN subnet is a little larger (a /22), and I have a DHCP server elsewhere for the primary LAN, plus some internal routes. I have OpenVPN, L2TP and dynamic DNS updates working. This is beyond the scope of this post, but feel free to check the config if you wonder how. The DNS forwarders are a bunch of fast DNS servers lying around, gathered with NameBench.
 
The route for the IPTV network (10.x.x.x) depends on the DHCP lease on your VLAN 36 interface. Run these commands in the CLI to find out which route you need to enter.
 
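sudo su
# The 10/8 IPTV route must point at the gateway that Bell's DHCP hands out on the
# VLAN 36 interface, and that gateway can change with the lease. Only eth0.36 uses
# DHCP in this setup, so a single "router" line is expected in the lease listing.
r_ip=$(show dhcp client leases | grep router | awk '{ print $3 }')
if [ -z "$r_ip" ]; then
    # No lease yet: say so instead of printing a 'set' command with no next-hop.
    printf '%s\n' "no DHCP router found on the IPTV interface; check that VLAN 36 has a lease" >&2
else
    # Paste this line in configure mode (it becomes protocols > static > route 10.0.0.0/8).
    printf 'set protocols static route 10.0.0.0/8 next-hop %s\n' "$r_ip"
fi
exit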
 
Here is the complete picture with my slightly edited configuration, along with some schematics, and a big thanks to the forum member who provided some tidbits regarding firewall rules.
 
 
First: network topology. The first one is the "normal" topology that Bell usually installs. The other is my current topology. Yours will be a tad different, I'm sure, but you get the point.
 
Second: here is my configuration, with some added bonuses (L2TP, OpenVPN, inbound port mapping), minus usernames, passwords and personal info. As previously stated, I'm using an internal L3 switch for my internal network routing and DHCP server, so your configuration may vary.
 
Third, here is a cheat sheet for fast configuration. I think everything is there for basic operation, but double-check before copy/pasting.
 
#### Pictures ####
 
My TopologyMy TopologyBell Usual Network TopologyBell Usual Network Topology

Normal Bell Topology


My Topology, without HH2000. Internet and IPTV working
 
#### My Configuration ####
/* Per-interface rule sets, attached under interfaces > ethernet eth0: WAN_IN/WAN_LOCAL on pppoe 0, IPTV_IN/IPTV_LOCAL on vif 36. Every set ends in default-action drop. */
firewall {
all-ping enable
broadcast-ping disable
ipv6-receive-redirects disable
ipv6-src-route disable
ip-src-route disable
log-martians enable
/* Traffic entering on eth0.36 (Bell IPTV VLAN) and forwarded to the LAN: return traffic, IGMP, and UDP multicast sourced from Bell's 10/8 space to 239/8 only. */
name IPTV_IN {
default-action drop
description "IPTV to LAN"
rule 5 {
action accept
description "Accept Established"
log disable
protocol all
state {
established enable
related enable
}
}
rule 10 {
action accept
description "Allow IGMP"
log disable
protocol igmp
}
/* Multicast video streams; 10.0.0.0/8 is the same network the static route and NAT rule 5011 handle. */
rule 20 {
action accept
description "Allow IPTV-Bell"
destination {
address 239.0.0.0/8
}
log disable
protocol udp
source {
address 10.0.0.0/8
}
}
rule 40 {
action drop
description "Drop Invalid IPTV"
log disable
protocol all
state {
invalid enable
}
}
}
/* Traffic entering on eth0.36 addressed to the router itself (the IGMP proxy lives here); same shape as IPTV_IN plus ICMP. */
name IPTV_LOCAL {
default-action drop
description "IPTV to router"
rule 10 {
action accept
description "Accept Established"
log disable
protocol all
state {
established enable
related enable
}
}
rule 20 {
action accept
description "Allow IPTV UDP"
destination {
address 239.0.0.0/8
}
log disable
protocol udp
source {
address 10.0.0.0/8
}
}
rule 30 {
action accept
description "Allow IGMP"
log disable
protocol igmp
}
rule 40 {
action accept
description "allow ICMP"
log disable
protocol icmp
}
rule 60 {
action drop
description "Drop Invalid"
log disable
protocol all
state {
invalid enable
}
}
}
/* PPPoE-side traffic forwarded to the LANs: only return traffic. Inbound services are opened by port-forward (auto-firewall enable), not by rules here. */
name WAN_IN {
default-action drop
description "WAN to internal"
rule 10 {
action accept
description "Allow established/related"
log disable
protocol all
state {
established enable
related enable
}
}
rule 20 {
action drop
description "Drop invalid state"
log disable
protocol all
state {
invalid enable
}
}
}
/* PPPoE-side traffic addressed to the router: return traffic, L2TP/IPsec (UDP 500/1701/4500 and ESP) and OpenVPN on UDP 993. No rule opens SSH (22) or the GUI (80/443), so those stay LAN-only. */
name WAN_LOCAL {
default-action drop
description "WAN to router"
rule 10 {
action accept
description "Allow established/related"
log disable
protocol all
state {
established enable
related enable
}
}
/* IKE, L2TP and NAT-T for the remote-access L2TP/IPsec service under vpn. */
rule 11 {
action accept
description "Allow L2TP"
destination {
port 500,1701,4500
}
log disable
protocol udp
}
rule 12 {
action accept
description ESP
log disable
protocol esp
}
/* Matches "--port 993" on openvpn vtun0. */
rule 13 {
action accept
description OpenVPN
destination {
port 993
}
log disable
protocol udp
}
rule 20 {
action drop
description "Drop invalid state"
log disable
protocol all
state {
invalid enable
}
}
}
options {
/* TCP MSS clamped on every interface type; 1412 is below the 1452 a 1492-byte PPPoE MTU would allow, presumably to leave headroom for the tunnels - TODO confirm. */
mss-clamp {
interface-type all
mss 1412
}
}
receive-redirects disable
/* NOTE(review): the router will emit ICMP redirects; consider disabling unless LAN hosts rely on them. */
send-redirects enable
/* NOTE(review): reverse-path validation is off. 10/8 traffic arrives on eth0.36 while the default route is pppoe0, so check the IPTV path before enabling strict mode. */
source-validation disable
syn-cookies enable
}
/* Physical eth0 goes to the Bell ONT and carries two tagged VLANs: 35 for the PPPoE Internet session and 36 for IPTV. eth1/eth2 are the LANs, vtun0 the OpenVPN server. */
interfaces {
ethernet eth0 {
description "Bell ONT"
duplex auto
speed auto
/* Internet: PPPoE inside VLAN 35. */
vif 35 {
description "Bell PPPoE"
mtu 1492
pppoe 0 {
/* Always install the default route from this session; the IPTV DHCP lease is told not to compete (see vif 36). */
default-route force
description "Bell PPPoE"
/* WAN_IN filters forwarded traffic, WAN_LOCAL traffic to the router itself. */
firewall {
in {
name WAN_IN
}
local {
name WAN_LOCAL
}
}
mtu 1492
/* Ignore the DNS servers Bell pushes; resolution goes through the local forwarder. */
name-server none
/* Placeholders - replace with your Bell credentials. */
password Your-Password-Goes-Here
user-id b1xxxx00
}
}
/* IPTV: plain DHCP inside VLAN 36. */
vif 36 {
address dhcp
description "Bell IPTV"
/* Keep the PPPoE default route and the local DNS; the lease's router is only used for the explicit 10/8 static route. */
dhcp-options {
default-route no-update
default-route-distance 210
name-server no-update
}
/* Every outgoing frame is tagged with 802.1p priority 4 - presumably what Bell's IPTV side expects; TODO confirm. */
egress-qos "0:4 1:4 2:4 3:4 4:4 5:4 6:4 7:4"
/* IPTV_IN filters forwarded traffic, IPTV_LOCAL traffic to the router (IGMP proxy). */
firewall {
in {
name IPTV_IN
}
local {
name IPTV_LOCAL
}
}
mtu 1500
}
}
/* Main LAN towards the L3 switch; 172.22.43.0 is a host address inside 172.22.40.0/22, not the network address. */
ethernet eth1 {
address 172.22.43.0/22
description "GigE LAN Switch"
duplex auto
speed auto
}
/* Second LAN; served by the router's own DHCP server and the IGMP proxy downstream. */
ethernet eth2 {
address 172.22.100.1/24
description "GigE LAN Two"
duplex auto
speed auto
}
loopback lo {
}
/* OpenVPN server on UDP 993 (admitted by WAN_LOCAL rule 13), AES-256 / SHA-512, subnet topology, dropping to nobody/nogroup after start. */
openvpn vtun0 {
description "OpenVPN Interface"
encryption aes256
hash sha512
mode server
openvpn-option --tls-server
openvpn-option "--proto udp"
openvpn-option "--port 993"
openvpn-option "--tun-mtu 1400"
openvpn-option --persist-key
openvpn-option --persist-tun
openvpn-option "--keepalive 10 120"
/* NOTE(review): compression inside the tunnel is deprecated upstream and a known compression-oracle risk; drop it unless it is really needed. */
openvpn-option --comp-lzo
openvpn-option "--user nobody"
openvpn-option "--group nogroup"
/* Clients get 172.22.50.0/24, a route to the LAN /22 and the internal DNS server. */
server {
name-server 172.22.43.5
push-route 172.22.40.0/22
subnet 172.22.50.0/24
topology subnet
}
/* NOTE(review): no tls-auth/tls-crypt key is configured, so the listener answers TLS handshakes from any source; adding one is the usual hardening. key-file is the unencrypted private key - keep it root-only. */
tls {
ca-cert-file /config/auth/cacert.pem
cert-file /config/auth/host.pem
dh-file /config/auth/dhp.pem
key-file /config/auth/host-decrypted.key
}
}
}
/* Inbound services from pppoe0 to the internal server 172.22.43.5; auto-firewall adds the matching WAN_IN accepts, hairpin-nat lets LAN hosts use the public address too. */
port-forward {
auto-firewall enable
hairpin-nat enable
lan-interface eth1
/* NOTE(review): tcp_udp opens UDP as well for all three rules; narrow to tcp if the server only serves TCP. */
rule 1 {
description HTTPS
forward-to {
address 172.22.43.5
port 443
}
original-port 443
protocol tcp_udp
}
rule 2 {
description HTTP
forward-to {
address 172.22.43.5
port 80
}
original-port 80
protocol tcp_udp
}
/* Certificate enrolment endpoint on the same server, as labelled. */
rule 3 {
description SCEP
forward-to {
address 172.22.43.5
port 1640
}
original-port 1640
protocol tcp_udp
}
wan-interface pppoe0
}
/* IGMP proxying for IPTV plus static routes: one for Bell's IPTV network and three towards the internal L3 switch. */
protocols {
igmp-proxy {
/* Upstream is the IPTV VLAN; alt-subnet 0.0.0.0/0 accepts multicast from any source and could be narrowed to 10.0.0.0/8, which is what IPTV_IN already requires. */
interface eth0.36 {
alt-subnet 0.0.0.0/0
role upstream
threshold 1
}
/* Only eth2 is downstream, so set-top boxes need to sit on the 172.22.100.0/24 LAN (eth1 is not proxied). */
interface eth2 {
alt-subnet 0.0.0.0/0
role downstream
threshold 1
}
}
static {
/* Next-hop is the router handed out by the DHCP lease on eth0.36 (see the snippet at the top of the post); it can change with the lease. */
route 10.0.0.0/8 {
next-hop 10.241.80.1 {
description "IPTV Route"
distance 1
}
}
/* Internal networks behind the Cisco 3560G at 172.22.43.1 on eth1; this /24 is more specific than the 10/8 IPTV route and so wins by longest prefix. */
route 10.0.180.0/24 {
next-hop 172.22.43.1 {
description "Route to Cisco 1811 Via 3560G"
distance 1
}
}
route 172.24.96.0/22 {
next-hop 172.22.43.1 {
description "Route to Cisco 3560G 172.24.96.x"
distance 1
}
}
route 192.168.43.0/24 {
next-hop 172.22.43.1 {
description "Route to Cisco 3560G 192.168.43.x"
distance 1
}
}
}
}
/* DHCP for LAN2, dynamic DNS, DNS forwarding, web UI, LLDP, NAT, SSH and UPnP. */
service {
/* Only LAN2 (eth2) is served here; the main LAN gets DHCP from the L3 switch. */
dhcp-server {
disabled false
hostfile-update disable
shared-network-name LAN2 {
authoritative disable
description "LAN2 DHCP Server"
subnet 172.22.100.0/24 {
default-router 172.22.100.1
/* Bell's resolvers (in 10/8, reached over the IPTV route) first, the router's forwarder last. */
dns-server 10.2.127.228
dns-server 10.2.127.196
dns-server 172.22.100.1
domain-name home
lease 7200
start 172.22.100.50 {
stop 172.22.100.230
}
}
}
use-dnsmasq disable
}
dns {
/* Publishes the pppoe0 address to no-ip; credentials are placeholders. */
dynamic {
interface pppoe0 {
service dyndns {
host-name hostname.no-ip.com
login username
password input-dynamic-dns-password
server dynupdate.no-ip.com
}
}
}
/* Listens on the two LANs only, so it is not reachable from pppoe0 or eth0.36. bell.ca/bell.com go to Bell's resolvers, everything else to the public forwarders. */
forwarding {
cache-size 300
listen-on eth2
listen-on eth1
name-server 205.236.148.130
name-server 205.236.148.131
name-server 205.151.222.251
name-server 74.82.42.42
name-server 156.154.70.1
name-server 8.8.4.4
name-server 4.2.2.4
options server=/bell.ca/10.2.127.196
options server=/bell.com/10.2.127.196
options server=/bell.com/10.2.127.22
options server=/bell.ca/10.2.127.228
/* NOTE(review): 'system' also forwards to the system name-server, which is 127.0.0.1 - this forwarder itself; verify this does not loop. */
system
}
}
/* LAN-only: WAN_LOCAL has no rule for 80/443, and port-forward rules 1/2 send pppoe0 traffic on those ports to 172.22.43.5 instead. */
gui {
http-port 80
https-port 443
older-ciphers disable
}
lldp {
interface eth1 {
}
interface eth2 {
}
}
nat {
/* Default masquerade for Internet traffic. */
rule 5010 {
description "Network NAT on PPPoE0 WAN"
log disable
outbound-interface pppoe0
type masquerade
}
/* LAN traffic to Bell's IPTV network is sourced from the DHCP address on eth0.36. */
rule 5011 {
description "Bell IPTV"
destination {
address 10.0.0.0/8
}
log disable
outbound-interface eth0.36
protocol all
type masquerade
}
}
/* Reachable from the LANs only (no WAN_LOCAL rule for 22). */
ssh {
port 22
protocol-version v2
}
ubnt-discover {
disable
}
/* NOTE(review): the legacy upnp service is enabled on both LANs alongside upnp2 below; either lets LAN hosts open inbound ports on pppoe0 by themselves, so keep only what is needed. */
upnp {
listen-on eth1 {
outbound-interface pppoe0
}
listen-on eth2 {
outbound-interface pppoe0
}
}
upnp2 {
/* Stops clients from claiming external port 4500 - the IPsec NAT-T port WAN_LOCAL rule 11 opens for L2TP. */
acl {
rule 10 {
action deny
description "Block Port 4500"
external-port 4500
local-port 0-65535
subnet 172.22.40.0/22
}
}
listen-on eth1
nat-pmp enable
secure-mode enable
wan pppoe0
}
}
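/* Host identity, local admin account, NTP, offload, package source, logging and scheduled tasks. */
system {
config-management {
commit-revisions 10
}
domain-name domain.com
host-name edge
login {
/* Shown before/after login on SSH and console; the \n sequences are part of the stored value. */
banner {
post-login "********************* Welcome Home ********************\n\n"
pre-login "************************************************************\n\n* * * * * * WARNING NOTICE. * * * * * *\n \n* This system is restricted solely to myself. *\n* The actual or attempted unauthorized access, use, *\n* or modification of this system is strictly prohibited. *\n* The use of this system may be monitored and recorded for *\n* administrative and security purpose. *\n \n************************************************************\n\n\n"
}
/* Single admin-level account. The password hash and public keys below appear to be sanitised placeholders, like the other secrets in this post - replace them. */
user sadmin {
authentication {
encrypted-password $6wEj14faDFvKDSL1uLzSqRa42.wYSs3Jl.3gqyDecR1
public-keys user@myfirstMacBook.local {
key PublicKey#1
type ssh-rsa
}
public-keys user@mysecondMacBook.local {
/* Fixed: the node is 'key' (lower case), as in the first entry; config nodes are case-sensitive and a capital 'Key' will not load. */
key PublicKey#2
type ssh-rsa
}
}
level admin
}
}
/* The router resolves through its own forwarder (service > dns > forwarding). */
name-server 127.0.0.1
ntp {
server 0.ubnt.pool.ntp.org {
}
server 1.ubnt.pool.ntp.org {
}
server 2.ubnt.pool.ntp.org {
}
server 3.ubnt.pool.ntp.org {
}
server time.apple.com {
prefer
}
}
/* Hardware NAT off (IPTV multicast/IGMP path), the rest of the IPv4 offloads on. */
offload {
hwnat disable
ipsec enable
ipv4 {
forwarding enable
gre enable
pppoe enable
vlan enable
}
}
/* NOTE(review): extra Debian repository over plain http with empty credentials; apt's release signatures are what protects packages installed from it. */
package {
repository jessie {
components "main contrib non-free"
distribution jessie
password ""
url http://debian.mirror.gtcomm.net/debian
username ""
}
}
syslog {
global {
archive {
files 5
size 1024
}
facility all {
level notice
}
/* Routing/VPN protocols logged at debug - verbose; lower once the IPTV setup is stable. */
facility protocols {
level debug
}
}
}
task-scheduler {
/* Daily rotation of the log written by l2tp_IP_update. */
task l2tp_IP_logrotate {
executable {
arguments /config/scripts/l2tp_iplogrotate.conf
path /usr/sbin/logrotate
}
interval 1d
}
/* Hourly script, presumably keeping vpn > l2tp > outside-address in step with the PPPoE address - TODO confirm. */
task l2tp_IP_update {
executable {
/* Fixed redirection order: with "2>&1 >> file" only stdout reached the log; now both streams do. Assumes the scheduler runs the command through a shell - TODO confirm. */
arguments ">> /var/log/l2tp_ipupdate.log 2>&1"
path /config/scripts/l2tp_update_ip
}
interval 60m
}
}
time-zone America/Montreal
/* Deep packet inspection and export on all forwarded traffic. */
traffic-analysis {
dpi enable
export enable
}
}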
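/* Two things live here: an IPsec esp/ike group pair named IKE, and the L2TP/IPsec remote-access service. */
vpn {
ipsec {
auto-firewall-nat-exclude disable
/* NOTE(review): esp-group/ike-group IKE are not referenced by any peer in this config (no site-to-site block); the L2TP service below uses its own ipsec-settings. */
esp-group IKE {
compression disable
lifetime 7200
mode tunnel
pfs enable
proposal 1 {
encryption aes256
hash sha256
}
}
ike-group IKE {
dead-peer-detection {
action clear
interval 15
timeout 45
}
ikev2-reauth no
key-exchange ikev2
lifetime 14400
proposal 1 {
dh-group 14
encryption aes256
hash sha512
}
/* Fallback with DH group 5 (1536-bit MODP), weaker than group 14 in proposal 1; drop it if no peer needs it. */
proposal 2 {
dh-group 5
encryption aes256
hash sha256
}
}
/* IPsec (and so L2TP/IPsec) terminates on the PPPoE session; WAN_LOCAL rules 11/12 admit it. */
ipsec-interfaces {
interface pppoe0
}
nat-networks {
allowed-network 0.0.0.0/0 {
}
}
nat-traversal enable
}
l2tp {
remote-access {
authentication {
local-users {
username username {
/* Fixed: a value containing spaces must be quoted or the config will not load. Placeholder - replace. */
password "An othe Super Secret password"
}
}
mode local
}
/* Client addresses come out of the eth1 /22 (172.22.40.0/22). */
client-ip-pool {
start 172.22.43.100
stop 172.22.43.110
}
description "L2TP Interface"
dns-servers {
server-1 172.22.43.5
}
ipsec-settings {
authentication {
mode pre-shared-secret
/* Placeholder; this PSK is shared by every L2TP client - use a long random value. */
pre-shared-secret SupeSecret
}
ike-lifetime 3600
}
mtu 1024
/* Must match the current PPPoE public address; the dynamic DNS entry suggests it changes - TODO confirm how it is kept in sync (task l2tp_IP_update?). */
outside-address 65.66.171.213
}
}
}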

