
Ubiquiti - Security Gateway - Configure a Ubiquiti Unifi Security Gateway with external BT Openreach ADSL modem to work with IP TV Services (BT TV / Youview)

BT TV and other IPTV services rely on a feature called “Multicast” to be able to stream live television over your broadband connection.

If you have the BT Smarthub, this works out of the box with no configuration required.

If you have upgraded to a Unifi Security Gateway, about 15 minutes of work is needed to configure it to correctly pass the “Multicast/IGMP” traffic from the Internet to your local network.

NOTE: BT Sport traffic uses IGMPv3, which is not supported on the USG, so be aware that some features may not work even with this config.

See: https://community.ui.com/questions/IGMPv3-and-IP-TV-does-not-work/6104f145-8314-47f2-94f3-68bee8c436bc


Make a Note of IP Addresses

  • Unifi CloudKey IP address: 192.168.1.10/24.
  • Unifi Security Gateway (USG) IP address: 192.168.1.1/24.
  • CIDR network address: 192.168.1.0/24.

Overview of process

These are the steps to get these services working through the USG:

  • Create a configuration file on the Cloud Key Controller that tells the USG to run an “IGMP Proxy” service
  • Instruct the Cloud Key Controller to “push” that configuration to the USG
  • Create some firewall rules to allow the multicast / IGMP traffic through

Create a Configuration File

Use notepad to create a file called config.gateway.json. Enter the following text EXACTLY into that file. Take extreme care not to miss anything out or add anything:

config.gateway.json
{
 
"protocols": {
  "igmp-proxy": {
    "interface": {
      "eth0": {
        "alt-subnet": [
          "0.0.0.0/0"
        ],
        "role": "upstream",
        "threshold": "1"
      },
      "eth1": {
        "alt-subnet": [
          "192.168.1.0/24"
        ],
        "role": "downstream",
        "threshold": "1"
      }
    }
  }
},
 
"firewall": {"source-validation":"disable"},
 
"interfaces": {
  "ethernet": {
    "eth0": {
      "address": [
        "10.255.255.255/32"
      ],
      "mtu": "1508",
      "duplex": "auto",
      "firewall": {
        "in": {
          "name": "WAN_IN"
        },
        "local": {
          "name": "WAN_LOCAL"
        }
      },
      "pppoe": {
        "0": {
          "default-route": "auto",
          "firewall": {
            "in": {
              "name": "WAN_IN"
            },
            "local": {
              "name": "WAN_LOCAL"
            }
          },
          "mtu": "1492",
          "name-server": "auto",
          "password": "bt",
          "user-id": "bthomehub@btbroadband.com"
        }
      },
      "speed": "auto"
    },
    "eth1": {
      "address": [
        "192.168.1.1/24"
      ],
      "duplex": "auto",
      "firewall": {
        "in": {
          "name": "LAN_IN"
        },
        "local": {
          "name": "LAN_LOCAL"
        },
        "out": {
          "name": "LAN_OUT"
        }
      },
      "speed": "auto"
    },
    "eth2": {
      "disable": "''",
      "duplex": "auto",
      "speed": "auto"
    }
  },
  "loopback": {
    "lo": "''"
  }
}
 
}

NOTE: Replace the IP address and subnet mask after the eth1 “Alt-Subnet” line with your NETWORK address.

  • In this example this is 192.168.1.0/24.
  • This is NOT the same as your gateway or router address and, for a /24 network like this one, will end in .0.

Replace the IP address and subnet mask after the “ETH1” and “Address” lines with your USG LAN IP Address.

  • In this example, 192.168.1.1/24.

Leave everything else EXACTLY as it’s presented above.

  • 0.0.0.0/0 is the default entry matching other addresses.
  • 10.255.255.255/32 is a placeholder address.
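As an added check (example code, not from the original guide), the following Python script validates a config.gateway.json before it is pushed to the USG: it confirms the file parses as JSON, that the eth1 alt-subnet is a network address rather than the gateway address, that the LAN address on eth1 sits inside that subnet, and it reports the weakened setting the file carries (source-validation disabled) so that it is a conscious choice. SAMPLE_CONFIG is a constructed, trimmed copy of the file above containing only the keys the checks read.

```python
import ipaddress
import json

# Constructed, trimmed copy of the guide's file: only the keys the checks read.
SAMPLE_CONFIG = """{
  "protocols": {"igmp-proxy": {"interface": {
    "eth0": {"alt-subnet": ["0.0.0.0/0"], "role": "upstream", "threshold": "1"},
    "eth1": {"alt-subnet": ["192.168.1.0/24"], "role": "downstream", "threshold": "1"}}}},
  "firewall": {"source-validation": "disable"},
  "interfaces": {"ethernet": {"eth1": {"address": ["192.168.1.1/24"]}}}
}"""

def check_gateway_config(text):
    """Return (errors, warnings) for the text of a config.gateway.json file."""
    errors, warnings = [], []
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        # A single stray comma or quote is enough to make the file unusable.
        return [f"invalid JSON: {exc}"], warnings
    proxy = cfg.get("protocols", {}).get("igmp-proxy", {}).get("interface", {})
    roles = [conf.get("role") for conf in proxy.values()]
    if roles.count("upstream") != 1 or "downstream" not in roles:
        errors.append("igmp-proxy needs one upstream and at least one downstream interface")
    ethernet = cfg.get("interfaces", {}).get("ethernet", {})
    for name, conf in proxy.items():
        for subnet in conf.get("alt-subnet", []):
            try:
                net = ipaddress.ip_network(subnet)  # strict: rejects 192.168.1.1/24
            except ValueError:
                errors.append(f"{name}: alt-subnet {subnet} is not a network address (host bits set)")
                continue
            if conf.get("role") == "upstream" and str(net) != "0.0.0.0/0":
                warnings.append(f"{name}: upstream alt-subnet {subnet} is not 0.0.0.0/0")
            if conf.get("role") == "downstream":
                # The LAN address configured on the same port must sit inside that subnet.
                for addr in ethernet.get(name, {}).get("address", []):
                    if ipaddress.ip_interface(addr).ip not in net:
                        errors.append(f"{name}: LAN address {addr} is outside alt-subnet {subnet}")
    if cfg.get("firewall", {}).get("source-validation") == "disable":
        warnings.append("source-validation is disabled: reverse-path (anti-spoofing) checks are off")
    return errors, warnings

if __name__ == "__main__":
    errs, warns = check_gateway_config(SAMPLE_CONFIG)
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARNING:", line)
```

Run it against your own file with `check_gateway_config(open("config.gateway.json").read())`; an empty error list means the file is safe to copy onto the controller.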

SSH into the Cloudkey

SSH to the CLOUDKEY CONTROLLER IP address. In this example it is 192.168.1.10.

ssh ubnt@192.168.1.10

NOTE: Accept the prompt about the SSH host key fingerprint.

Use the same credentials used to log in to the web interface.


Place the Config File onto the Controller

Place the configuration file created above onto the controller.

cd /srv/unifi/data/sites/default
 
vi config.gateway.json
...paste the contents of the file created above, then save.

NOTE: There are many ways to get this file onto the controller.

Here a copy-and-paste is used as an example, but SCP would also work. Use whatever is easiest to get the configuration file onto the controller.


Have the Controller push the Configuration to the Security Gateway

Open a web browser and open the CloudKey Controller page. In this example it is http://192.168.1.10.

  • Click on “Unifi Controller – Manage your Device” by UniFi Controller.
  • Log in if required.
  • Click on the Devices icon. This is the fourth icon down on the left.
  • Click on your Unifi Security Gateway 3P device.
  • In the Properties panel that opens, click the Config tab.
  • Click Manage Device.
  • Click Provision.

NOTE: This forces the CloudKey Controller to push the new configuration that has been created to the Unifi Security Gateway.

Optional Step:

  • Verify that the USG has received the new config and started the IGMP Proxy by doing the following:
    • SSH into the USG directly, here 192.168.1.1.
    • Type:
      ps ax | grep igmp
    • This should show a line that reads /sbin/igmpproxy /etc/igmpproxy.conf, which indicates that the IGMP proxy process is successfully running!

Configure Firewall Rules

Open a web browser and open the CloudKey Controller page. In this example it is http://192.168.1.10.

  • Click on “Unifi Controller – Manage your Device” by UniFi Controller.
  • Log in if required.
  • Click on the Settings icon. This is the second icon up from the bottom on the left.
  • Click on the Routing & Firewall tab.
  • Click on Firewall at the top of the screen.
  • Click on Groups at the top of the screen.
  • In Name, call the group igmp-group.
  • In Address, add the following two address ranges. Use +Add to add each one separately.
    224.0.0.0/4
    109.159.247.0/24
  • Click Save.

  • Click on Rules, next to the Groups tab at the top of the screen.
  • Click on WAN IN.
  • Click Create New Rule. Leave EVERYTHING as default except the following:
    • Name: Allow IGMP Group to LAN.
    • Enabled: On
    • Rule Applied: Before predefined rules.
    • Action: Accept.
    • Protocol: All.
    • Advanced: VERY IMPORTANT!
      • Check the boxes next to New, Established, Invalid and Related.
    • IPsec: Don’t match on IPsec packets.
    • Source: Leave as defaults.
    • Destination: Check “Address/Port Group”.
    • Address Group: Select the igmp-group address group.
  • Click Save.
  • Click on Rules, next to the Groups tab at the top of the screen.
  • Click on WAN LOCAL.
  • Click Create New Rule. Leave EVERYTHING as default except the following:
    • Name: Allow IGMP Group to LAN.
    • Enabled: On.
    • Rule Applied: Before predefined rules.
    • Action: Accept.
    • Protocol: All.
    • Advanced: VERY IMPORTANT!
      • Check the boxes next to New, Established, Invalid and Related.
    • IPsec: Don’t match on IPsec packets.
    • Source: Leave as defaults.
    • Destination: Check “Address/Port Group”.
    • Address Group: Select the igmp-group address group.
  • Click Save.

NOTE: Wait for the firewall rules to update, then test BT TV.

It should be working fine.

The above firewall rules can probably be tightened down a bit more if needed.


CLI commands

show ip multicast interfaces
 
show ip multicast mfc
 
show protocols igmp-proxy
 
ps ax | grep igmp
 
ps -ef | grep igmp
Last modified: 2021/02/10 11:04 by peter