IPTV Configuration with VLAN ID

Hello everyone. I'm new to OpenWrt. I have been trying to set up an IPTV configuration for 3 days but could not get it to work, which is why I decided to ask the community for help.

My router: Xiaomi Mi WiFi AC1200 Router 4A.
OpenWrt Version: openwrt-21.02 branch (git-21.081.28565-73b420b) / OpenWrt 21.02-SNAPSHOT r15926-fdc0342704

Here is my network topology. My router takes the Internet connection via WAN and shares it through its 2 LAN ports LAN1 and LAN2.

LAN2 works fine; an Apple AirPort Time Capsule is connected there and shares its Ethernet connection via its WiFi network.

What I'm trying to do is to get my IPTV STB to work. Since my STB does not have a wireless connection and is far away from the router, I had to connect it to the network via a Power Line Adapter (PLA), which works fine. If I plug some other device into the Ethernet port on the PLA, it gets an internet connection, but when it comes to IPTV, my ISP requires some configuration in order to make it work.

My previous router had the correct IPTV configuration, which you can see below. I'm trying to replicate the same configuration on my new router running OpenWrt.

I'm not sure but looking at my previous router's configuration I believe I need to create an Interface using LAN1 with VLAN ID 103 and IGMP v2 enabled in order to make my IPTV work again.

Below is my OpenWrt config;
/etc/config/network

# Loopback interface: static 127.0.0.1/8 on 'lo'.
config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

# Global settings: packet steering enabled and the IPv6 ULA prefix for this router.
config globals 'globals'
        option packet_steering '1'
        option ula_prefix 'fd81:a08f:b812::/48'

# LAN: a bridge over both Ethernet ports (lan1 and lan2) with the static
# address 192.168.1.1/24. Every device on either port is in the same
# broadcast domain and in the firewall's 'lan' zone.
config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option ifname 'lan1 lan2'

# WAN: PPPoE directly on the 'wan' port, i.e. untagged (no VLAN suffix on ifname).
# username, password and macaddr were masked by the poster before sharing.
# mtu 1492 leaves room for the 8-byte PPPoE header inside a 1500-byte frame.
config interface 'wan'
        option ifname 'wan'
        option proto 'pppoe'
        option username '*************'
        option password '*************'
        option ipv6 'auto'
        option macaddr '*************'
        option mtu '1492'

/etc/config/igmpproxy

# igmpproxy relays IGMP membership between a downstream (client) interface and
# an upstream (source) interface so multicast can cross the router.
config igmpproxy
        option quickleave 1
#       option verbose [0-3](none, minimal[default], more, maximum)

# Upstream side: the 'wan' network in firewall zone 'wan'.
# NOTE(review): altnet names additional source networks accepted on this
# interface; 192.168.1.0/24 is the LAN subnet in the network config on this
# page, not an ISP multicast source range — confirm this is what is intended.
config phyint
        option network wan
        option zone wan
        option direction upstream
        list altnet 192.168.1.0/24

# Downstream side: the 'lan' network in firewall zone 'lan', where the clients are.
config phyint
        option network lan
        option zone lan
        option direction downstream

/etc/config/firewall

# Chain defaults: SYN-flood protection on; router input and output accepted,
# forwarding rejected unless a zone or rule allows it.
# NOTE(review): 'input ACCEPT' here is presumably the policy that applies to an
# interface belonging to no zone. If an interface is ever added without a zone,
# confirm it cannot reach router services, or set this to 'REJECT'.
config defaults
	option syn_flood '1'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# 'lan' zone: everything is accepted for the 'lan' network (to the router, from
# the router, and between lan members).
config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

# 'wan' zone: unsolicited input and forwarding are rejected; outbound traffic is
# masqueraded (NAT) and TCP MSS is clamped (mtu_fix) for the 'wan' network.
config zone
	option name 'wan'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

# Allow forwarding from lan to wan only; there is no wan -> lan forwarding entry.
config forwarding
	option src 'lan'
	option dest 'wan'

# Rules with 'src' but no 'dest' match traffic addressed to the router itself;
# rules with both 'src' and 'dest' match forwarded traffic.

# Accept IPv4 UDP to port 68 from wan so the router can receive DHCP replies.
config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

# Accept IPv4 ICMP echo-request from wan: the router answers pings from outside.
config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

# Accept IPv4 IGMP from wan to the router (the protocol igmpproxy speaks upstream).
config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

# Accept IPv6 UDP to port 546 from wan when source and destination are both
# inside fc00::/6.
config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option src_ip 'fc00::/6'
	option dest_ip 'fc00::/6'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

# Accept the listed ICMPv6 types (130, 131, 132, 143) from link-local sources
# (fe80::/10) on wan.
config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

# Accept the listed ICMPv6 types addressed to the router, rate-limited to
# 1000 packets per second.
config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Forward the listed ICMPv6 types from wan to any zone (dest '*'), with the same
# 1000/sec limit.
config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

# Forward ESP from wan to any host in lan.
# NOTE(review): no 'family' is set, so this presumably covers IPv6 as well, where
# lan hosts are not hidden behind NAT. If nothing on the lan terminates IPsec,
# this rule and 'Allow-ISAKMP' below can be disabled.
config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

# Forward UDP port 500 (IKE/ISAKMP) from wan to any host in lan; same caveat as
# the ESP rule above.
config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

# Inactive (enabled 'false'): would reject IPv4 UDP 33434-33689 from wan.
config rule
	option name 'Support-UDP-Traceroute'
	option src 'wan'
	option dest_port '33434:33689'
	option proto 'udp'
	option family 'ipv4'
	option target 'REJECT'
	option enabled 'false'

# Loads custom rules from /etc/firewall.user. Its contents are not shown on this
# page; they are part of the effective ruleset and need reviewing with it.
config include
	option path '/etc/firewall.user'

# Port forward: TCP and UDP arriving on wan port 3074 are DNATed to
# 192.168.1.250:3074 in lan, so that host is reachable from the Internet on
# this port.
# NOTE(review): 192.168.1.250 lies just outside the DHCP pool in the dhcp config
# on this page (start 100, limit 150), so it is presumably assigned statically —
# confirm, so the forward cannot land on a different device.
config redirect
	option target 'DNAT'
	option name 'XBOX Live'
	option src 'wan'
	option src_dport '3074'
	option dest 'lan'
	option dest_ip '192.168.1.250'
	option dest_port '3074'
	list proto 'tcp'
	list proto 'udp'

/etc/config/dhcp

	# NOTE(review): the section header for these options (normally
	# `config dnsmasq`) is missing from the paste; the options below are
	# dnsmasq settings.
	# domainneeded / boguspriv: do not forward plain names or reverse lookups
	# for private ranges upstream.
	option domainneeded '1'
	option boguspriv '1'
	option filterwin2k '0'
	option localise_queries '1'
	# rebind_protection discards upstream answers that point into private
	# address ranges (DNS rebinding defence); rebind_localhost permits
	# 127.0.0.0/8 answers despite that protection.
	option rebind_protection '1'
	option rebind_localhost '1'
	option local '/lan/'
	option domain 'lan'
	option expandhosts '1'
	option nonegcache '0'
	option authoritative '1'
	option readethers '1'
	option leasefile '/tmp/dhcp.leases'
	option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
	option nonwildcard '1'
	# localservice: answer DNS queries only from hosts on locally attached subnets.
	option localservice '1'
	option ednspacket_max '1232'

# DHCP pool for 'lan': 150 addresses starting at host offset 100, 12-hour leases;
# DHCPv6 and router advertisements are served as well.
config dhcp 'lan'
	option interface 'lan'
	option start '100'
	option limit '150'
	option leasetime '12h'
	option dhcpv4 'server'
	option dhcpv6 'server'
	option ra 'server'
	option ra_slaac '1'
	list ra_flags 'managed-config'
	list ra_flags 'other-config'
	option ra_management '1'

# No DHCP service is offered on the wan interface (ignore '1').
config dhcp 'wan'
	option interface 'wan'
	option ignore '1'

# odhcpd is not the main DHCPv4 server (maindhcp '0'); dnsmasq handles that.
config odhcpd 'odhcpd'
	option maindhcp '0'
	option leasefile '/tmp/hosts/odhcpd'
	option leasetrigger '/usr/sbin/odhcpd-update'
	option loglevel '4'

Any help would be appreciated. Thank you in advance.

Please, post the complete network configuration.

I have updated the original post. You can see complete versions of network, igmpproxy, dhcp and firewall configs.

Is the "network" file complete? It does not contain the info I would expect, there is something I do not understand...

Yes it is complete, I copied all of it. What does it lack ?

I am connected to the Internet with this configuration right now. I just need to add the IPTV configuration.

In /etc/config/network, the wan ifname should be wan.100 to match the other router which was configured to use a VLAN for Internet. Something about the modem or ONT is different if it is letting you reach the Internet with untagged packets. This may also mean that IPTV packets will not get through on that interface.

Remove lan1 from the lan, so it can be the connection to the IPTV box. lan2 remains in lan.

Then create a bridge from wan.103 to lan1.103:

# Unaddressed (proto none) bridge joining the VLAN-103 sub-interfaces of the wan
# and lan1 ports; frames tagged 103 are switched between the two at layer 2.
# NOTE(review): no firewall zone covers this bridge, so whatever is plugged into
# lan1 sits on the ISP's VLAN 103 without the router's firewall or NAT in
# between. Connect only the STB there.
config interface 'iptv'
   option proto none
   option type bridge
   option ifname 'wan.103 lan1.103'

Since it is proto none, the IPTV packets will not interact with the OpenWrt routing, so you don't need a firewall zone etc, just define this bridge. If the DSA system is working properly, it won't even be a kernel bridge, it will be configured as hardware switching.

Make sure your powerline adapters can pass VLANs by connecting directly to the modem or ONT. Without the router involved, IPTV has to work. In other words modem-->powerline adapter<.....>powerline adapter-->IPTV box.

OK, my ISP does not require a VLAN ID for internet access so both 100 and none or 0 work fine. With this exact setup I used to have IPTV working. The only thing changed is the main router.

I removed lan1 from lan and added this new bridge interface. Now IPTV complains about DHCP timeout. I think when we removed lan1 from lan it has lost its internet connection. I can't even browse to the PLA's web UI which is on 192.168.1.2.

There are 6 steps displayed on the screen when my IPTV tries to connect to the internet and start streaming. Before this new bridge it would stop at step 4 which is due to the VLAN ID misconfiguration. I don't know which step does what exactly behind the scenes but now with this bridge config it stops at step 1 which is clearly DHCP as you can tell from the error message. Any other suggestions ?

Change the wan to wan.100 as it can be problematic to mix tagged and untagged on the same cable.

Of course when you removed the lan1 Ethernet port from the lan it is no longer useful for lan devices. You will need to connect all your lan devices through lan2 or to wifi. The new setup passes VLAN 103 from lan1 to wan. Thus the packets tagged 103 from the TV box go to the modem with a tag of 103, and enter the ISPs private TV network. Packets sent to lan1 with other tags or no tag will not pass at all.

OK done. I'm on wan.100 still have internet connection but IPTV is still saying DHCP timeout.

I understand that when I remove lan1 from lan I can't reach it via my laptop which is connected to the lan via lan2 over the air.

I think if I can resolve the DHCP problem I'm having atm it could work but right now I have that issue with proto none bridge config.

The proto none bridge should simply forward every packet tagged 103 over to the modem as a layer 2 switch. That would include DHCP requests. I suggest you try TV box connected directly to the modem.

The STB expects untagged frames, so tagged interface lan1.103 will not work.
To configure tagged and untagged VLANs properly on DSA, you should use bridge-vlan configuration in LuCI, which was merged to master branch less than a week ago.

But the LuCI support is not backported to 21.02 yet, so you have to configure it manually in /etc/config/network, or switch to a snapshot version.

For manual configuration, remove both the interface 'lan' and interface 'wan' sections from /etc/config/network, and add the following:

# One VLAN-aware bridge device named 'switch'; the bridge-vlan sections below
# assign ports to VLANs on it. Port suffixes: 't' = tagged on the wire,
# 'u*' = untagged on the wire and the port's PVID.
config device
    option type 'bridge'
    option name 'switch'

# VLAN 1: the LAN. lan2 is an untagged member.
config bridge-vlan
    option device 'switch'
    option vlan '1'
    option ports 'lan2:u*'

# VLAN 100: Internet. Frames leave and enter the wan port tagged 100.
config bridge-vlan
    option device 'switch'
    option vlan '100'
    option ports 'wan:t'

# VLAN 103: IPTV. Tagged on wan, untagged on lan1, so the STB sees plain frames.
# local '0' presumably keeps the router itself out of this VLAN (no switch.103
# device), which means it has no address there and frames are only switched
# between the two ports.
# NOTE(review): lan1 is therefore on the ISP's IPTV network without the
# router's firewall in between; use it for the STB only.
config bridge-vlan
    option device 'switch'
    option vlan '103'
	option local '0'
    option ports 'wan:t lan1:u*'

# LAN interface on VLAN 1 of the bridge, with the same addressing as before.
config interface 'lan'
    option ifname 'switch.1'
    option type 'bridge'
    option proto 'static'
    option ipaddr '192.168.1.1'
    option netmask '255.255.255.0'
    option ip6assign '60'

# WAN interface: PPPoE on VLAN 100 of the bridge. Credentials and MAC address
# were masked by the poster.
config interface 'wan'
    option ifname 'switch.100'
    option proto 'pppoe'
    option username '*************'
    option password '*************'
    option ipv6 'auto'
    option macaddr '*************'

Unfortunately, this config causes loss of Internet connection. I'm going to lose it over this problem :slight_smile:

Does the STB work, at least?
And is the VLAN bridge set up properly? Install ip-bridge and run bridge vlan to list all VLANs.

No, it did not work. The Internet connection might be lost due to the VLAN ID 100. Could you share the same config without any VLAN ID config for PPPoE? I tried to do it myself but I failed :confused:

In VLAN 100 section

# VLAN 100 as posted earlier: 'wan:t' makes the wan port carry this VLAN tagged.
config bridge-vlan
    option device 'switch'
    option vlan '100'
    option ports 'wan:t'

Replace wan:t with wan:u*


OK great, thanks for that but we still have option vlan '100' there. Isn't it going to affect the configuration ? I need to remove it completely so there is no VLAN config for PPPoE. I'm trying to understand at the same time, instead of just copying and pasting so please bear with me :slight_smile:

Btw, my router doesn't have a switch menu under Network tab. Maybe that's why this didn't work ? I guess my router doesn't have the switch capabilities.

u* means "PVID and untagged" port, so it is only tagged internally, and referenced by switch.100.

You can take a look at this pull request


That's it. Now I have both internet connection and STB feed.

Thank you so much for your help. I appreciate it! I wouldn't have known that switch feature existed and we can't even configure it from the UI but only from config files.

Edit: I think I'm having speed problems now. My connection is 200Mbps but now I only get 90Mbps.
This is what I see in the system logs after rebooting the router:

Fri Mar 26 13:59:44 2021 daemon.info dnsmasq-dhcp[3175]: DHCPDISCOVER(br-lan) 192.168.1.195 *************
Fri Mar 26 13:59:44 2021 daemon.info dnsmasq-dhcp[3175]: DHCPOFFER(br-lan) 192.168.1.196 *************
Fri Mar 26 13:59:44 2021 daemon.debug dnsmasq[3175]: listening on wlan0(#13): *************%wlan0 port 53
Fri Mar 26 13:59:44 2021 daemon.info dnsmasq-dhcp[3175]: DHCPREQUEST(br-lan) 192.168.1.171 *************
Fri Mar 26 13:59:44 2021 daemon.info dnsmasq-dhcp[3175]: DHCPACK(br-lan) 192.168.1.171 *************
Fri Mar 26 13:59:45 2021 kern.info kernel: [   31.450890] mt7530 mdio-bus:1f lan2: Link is Up - 1Gbps/Full - flow control rx/tx
Fri Mar 26 13:59:45 2021 kern.info kernel: [   31.458473] switch: port 1(lan2) entered blocking state
Fri Mar 26 13:59:45 2021 kern.info kernel: [   31.463704] switch: port 1(lan2) entered forwarding state
Fri Mar 26 13:59:45 2021 daemon.notice netifd: Network device 'lan2' link is up
Fri Mar 26 13:59:47 2021 daemon.notice netifd: Network device 'lan2' link is down
Fri Mar 26 13:59:47 2021 kern.info kernel: [   33.498908] mt7530 mdio-bus:1f lan2: Link is Down
Fri Mar 26 13:59:47 2021 kern.info kernel: [   33.503767] switch: port 1(lan2) entered disabled state
Fri Mar 26 13:59:50 2021 kern.info kernel: [   36.570893] mt7530 mdio-bus:1f lan2: Link is Up - 1Gbps/Full - flow control rx/tx
Fri Mar 26 13:59:50 2021 kern.info kernel: [   36.578476] switch: port 1(lan2) entered blocking state
Fri Mar 26 13:59:50 2021 kern.info kernel: [   36.583705] switch: port 1(lan2) entered forwarding state
Fri Mar 26 13:59:50 2021 daemon.notice netifd: Network device 'lan2' link is up
Fri Mar 26 13:59:51 2021 kern.info kernel: [   37.594736] mt7530 mdio-bus:1f lan2: Link is Down
Fri Mar 26 13:59:51 2021 kern.info kernel: [   37.599582] switch: port 1(lan2) entered disabled state
Fri Mar 26 13:59:51 2021 daemon.notice netifd: Network device 'lan2' link is down
Fri Mar 26 13:59:57 2021 kern.info kernel: [   43.738891] mt7530 mdio-bus:1f lan2: Link is Up - 1Gbps/Full - flow control rx/tx
Fri Mar 26 13:59:57 2021 kern.info kernel: [   43.746462] switch: port 1(lan2) entered blocking state
Fri Mar 26 13:59:57 2021 kern.info kernel: [   43.751685] switch: port 1(lan2) entered forwarding state
Fri Mar 26 13:59:57 2021 daemon.notice netifd: Network device 'lan2' link is up
Fri Mar 26 13:59:58 2021 kern.info kernel: [   44.762734] mt7530 mdio-bus:1f lan2: Link is Down
Fri Mar 26 13:59:58 2021 kern.info kernel: [   44.767581] switch: port 1(lan2) entered disabled state
Fri Mar 26 13:59:58 2021 daemon.notice netifd: Network device 'lan2' link is down
Fri Mar 26 14:00:01 2021 kern.info kernel: [   47.834890] mt7530 mdio-bus:1f lan2: Link is Up - 1Gbps/Full - flow control rx/tx
Fri Mar 26 14:00:01 2021 kern.info kernel: [   47.842460] switch: port 1(lan2) entered blocking state
Fri Mar 26 14:00:01 2021 kern.info kernel: [   47.847685] switch: port 1(lan2) entered forwarding state
Fri Mar 26 14:00:01 2021 daemon.notice netifd: Network device 'lan2' link is up
Fri Mar 26 14:00:02 2021 kern.info kernel: [   48.858745] mt7530 mdio-bus:1f lan2: Link is Down
Fri Mar 26 14:00:02 2021 kern.info kernel: [   48.863592] switch: port 1(lan2) entered disabled state
Fri Mar 26 14:00:02 2021 daemon.notice netifd: Network device 'lan2' link is down
Fri Mar 26 14:00:05 2021 kern.info kernel: [   51.930977] mt7530 mdio-bus:1f lan2: Link is Up - 100Mbps/Full - flow control rx/tx
Fri Mar 26 14:00:05 2021 kern.info kernel: [   51.938693] switch: port 1(lan2) entered blocking state
Fri Mar 26 14:00:05 2021 kern.info kernel: [   51.943935] switch: port 1(lan2) entered forwarding state
Fri Mar 26 14:00:05 2021 daemon.notice netifd: Network device 'lan2' link is up

lan2 enters blocking state and it decreases the link speed from 1Gbps/Full to 100Mbps/Full. That's probably why but I don't know why it enters blocking state.

That may indicate a faulty or loose cable.
