Help getting IPTV working with the Altibox ISP

Installing and Using OpenWrt Network and Wireless Configuration
22

it wouldn't, basically what udpxy does is it lets you point a browser or something at the proxy then the proxy listens to the multicast traffic and repackages it to the TCP client.

2 Likes
23

Hi. Any chance you can summarize what was needed for other Altibox users? I need to copy you =)

24

I don't have an OpenWrt config but the requirements for forwarding Altbox IPTV and Internet between fiiber (with SFP or media converter) and a shared lanwith both STBs and Internet clients are simple:

  1. tag VLAN 101 (IPTV) and 102 (Internet) on wan
  2. (often, but not always required) clone mac address of ISP gateway on the wan.101 interface
  3. run DHCP client on both wan.101 and wan.102
  4. NAT between lan and both wan interfaces
  5. igmpproxy between wan.101 (upstream) and lan (downstream)
  6. default route out wan.102
  7. some specific routes out wan.101:
    10.133.0.0/16
    81.166.112.0/29
    81.166.113.0/24
    84.234.204.0/23
    84.234.250.128/25
    109.247.114.207/32
    109.247.114.209/32
    109.247.114.217/32
    109.247.116.128/27
    109.247.117.0/25
    109.247.118.0/24
    172.16.4.0/22
    172.21.0.0/16
    213.167.98.0/26

Standard Internet firwall rules on wan.102. Allow at least igmp and multicast to udp port 5501 on wan.101, but probably more. I recommend initial testing without firewalling on wan.101. The IPTV network is private anyway.

A note wrt the wan.101 routes: This is the current list as received from the Altibox DHCP server. It can change. The "private" RFC1918 routes are required. Most of the global addresses can probably be routed on either wan.101 or wan.102, so you can experiment without those.

The Altibox IPTVT DHCP server will send this list of routes to the DHCP client if the client requests option 121 (rfc3442-classless-static-routes) and sends vendor-class-identifier = "VMG8825-B50B". You may use this to automatically set up proper routing on wan.101.

Last note: Altibox is also using VLAN 100 for CPE management and most likely SIP (phone) traffic. If you want SIP to work, then you'll have to use the combined CPE/ATA from the ISP. But you can get way with simply switching wan.100 to a dedicated lan port for the CPE with VLAN 100 tagged. You should not trunk the other VLANs to this port. This will allow Altibox to manage the CPE and set up your SIP account without affecting Internet access or IPTV.

EDIT: Altibox have enabled native DHCPv6 in most of their network now, so you may also want to run a DHCPv6-PD client on wan.102. You will get a /56 prefix.

EDIT2: dnsmasq with rebind enabled (which I believe is default in OpenWrt) will break the IPTV setup. The STB looks up names like gmtvvscallb13.envision.services.altibox.net, which return RFC1918 addresses. This is obviously fine, even in a rebind protection context, since the returned address is routed out on the wan.101 interface.

<rant mode>The problem is the incredibly stupid and insecure "protection" offered by dnsmasq. Just disable it. A real rebind protection MUST look at the routing table. Making routing assumptions based on the IANA database is so stupid that it's hard to find words to describe it. </rant mode>

1 Like