IPTV VLAN doesn't work on my new router

Hi!
I've been using a TP-Link WDR4300 as my router for many years and IPTV with VLAN has been working fine.

Now I've upgraded to an APU2 board and can't figure out what the configuration should look like to make the IPTV traffic go further downstream in my LAN.
IPTV VLAN interface gets an IP from provider like before but that's it.

Because the TV itself is in another building, there are a couple of switches in between. This is what it physically looks like:
WDR4300 Wan-in with IPTV on VLAN845
Then a switch to split up a few cables for the first building.
Then one cable over to the other building connecting VLAN1 for LAN and VLAN845 to an Archer C7.
VLAN845 untagged and connected with cable to the STB/TV.

This has been working very well, but now that I'm replacing the WDR4300 with something without a built-in switch I get very lost. Should there be an eth0.845 for WAN as well as an eth1.845 for LAN to be able to forward IPTV traffic? Should those be bridged together? Should WAN eth0.845 be bridged together with main WAN eth0? I've been reading and thinking so much about this that it now feels like I'm lost in a maze.

Would really appreciate some guidance!

-F

Your previous device (the WNDR4300) had a hardware switch built-in to the unit, which made passing VLANs easy. Your APU2 board has individually routed ports, though, and no hardware switch. While it is still possible to do what you want via bridging, it is not an optimal solution.

You may find that you'd be better off with an outboard switch that can handle passing the VLANs as required for your network. Often this needs to be done ahead of the router (i.e. between the ISP and your router), which means you need to properly configure the switch or you could encounter issues including security problems. And if this is the case, do not use a TP-Link TL-SG1xxE series switch -- these have a flawed design that can compromise the switch if it is on the WAN side of your router.

Ok, sounds like what I bought was a downgrade rather than an upgrade?

Still can't understand why having the switch built in can have such an impact compared to external.

From a routing perspective, it is almost certainly an upgrade. But for VLAN switching, it is a downgrade. Adding a managed switch to your setup will help you overcome the limitation.

Having a switch external to your router vs one built-in does not necessarily have a big "impact" provided that the switch is properly configured and designed properly.

  • A switch that is placed between your internet connection and your router means that the switch, technically speaking, is directly exposed to the internet.
  • As long as the VLANs are configured properly, it is possible to ensure that your internal/trusted networks are not exposed directly to the internet.
  • In addition, the switch has a management interface -- this must be set on the correct VLAN such that it is only accessible on the trusted internal network and so that it has an address on that trusted network.
  • Most managed switches can be configured such that all of the above considerations are handled properly.
  • The TL-SG1xxE series switches are fine for use behind your router, but should never be connected directly to the internet for two reasons: 1) security (the management VLAN cannot be set) 2) connectivity (the switch could actually grab an IP from your ISP and break connectivity on your router -- this can be mitigated by setting a static IP on the switch). This is a problem because of the way TP-Link has implemented the firmware on these devices; higher-end switches from TP-Link and most managed switches from all other companies do not have this issue.

A couple of years ago I bought an Edgerouter without an internal switch; the plan was for it to be an upgrade from my WDR. Even then I didn't get IPTV to work.
I thought it was me having too little knowledge about their OS, returned it and kept on with OpenWRT. Now it turns out it wasn't my lack of knowledge for configuring Edgerouter but rather my knowledge of how networking, routing, switching and VLANs work?

There must be something that I have totally misunderstood or am not able to figure out. Because I can't understand why I can't have WAN VLAN845 coming in from my ISP on ETH0 and then forward it out on my ETH1 to wherever I need it on LAN.

I'm feeling very confused at the moment and don't really know where to go from here. My plan on replacing my WDR with something newer and better and then letting the WDR work only as an AP somewhere else has failed.
I have a Netgear GS108Ev3 switch on my LAN but I guess that one isn't managed enough for the solution you are suggesting. Also, putting internet directly into a switch doesn't feel like best practice? Or am I wrong, is that a common solution?

Wish I understood VLAN a little bit better so I could understand why it doesn't work.


You can make a software bridge through the APU2. This does require its CPU to handle TV packets (since the Ethernet ports are connected only to the CPU with no direct path to each other like the 4300 switch chip), but with an X86 it's a negligible amount.

Create a bridge device named br-tv with ports eth0.845 and eth1.845. Then create a dummy network named tv with br-tv as its device. The protocol would be Unmanaged in the GUI, also known as proto none in the CLI. This network doesn't do anything in practice, but unless you declare it the system won't create the bridge.


With the Edgerouter series devices, there are switches built-in to the ones that have X in the model name (ER-X, ER-X-SFP, ER-10X, etc.). However, the ones that don't have switches built-in use individually routed ports. This means that the VLAN situation you want would require bridging (as @mk24 suggested for your current router). The problem trying to do this on the ERs is that the bridging operation is not compatible with the hardware offload functionality, which means that your maximum throughput gets destroyed. In the case of the ER-X running EdgeOS, you can route up to 1Gbps with HW offload enabled. If you disable HW offload (directly or due to using a bridge or other incompatible feature), the throughput will be limited to approximately 250Mbps.

@mk24 has given a completely reasonable answer, and the APU2 being an x86 platform should mean that you won't take too much of a hit on performance.

Sorry that you feel this way, but I think the good news is that you'll probably be in good shape with the bridge option.

The Netgear GS1xxE series is fine to use in this type of situation, but you must use caution in terms of the configuration of the VLANs and the management network. It is not necessarily 'best practice' but it is totally reasonable to use a managed switch when you need to handle VLANs in your type of situation. That said, you should try the bridge option first, and use the switch as a fallback option.

VLANs exist in the L2 -- switching -- domain. Once you move to routing (L3), you lose the concept of VLANs and instead are working with the idea of inter-VLAN routing (when you want to have traffic flow across those VLANs). Interfaces that are routed (and not switched) can accommodate VLANs in terms of working with tagged frames but because they are routed, they cannot have the same network on both sides of the routing engine (the router function itself always needs to have unique networks -- it is not possible to operate a router with networks that have the same/overlapping subnet on both sides of the routing engine).

Enter bridging. Bridges are essentially software switches. They allow individually routed interfaces to be combined together as if they are switched, bypassing the routing functions. The penalty and downside here is that bridging happens in software and thus requires (sometimes significant) CPU resources; that is in contrast to switches which have specialized hardware for the task. On x86, this is probably not an issue. On many embedded devices (including the ER series devices), the CPU and system architecture just doesn't have the power and/or bandwidth to handle bridging at line speeds.


Hi @mk24 !
Yes, something like what you are suggesting is what I was expecting to work, but when it didn't I came here to ask. Now I have tried again following your exact setup, like this:

config interface 'IPTV'
        option macaddr ''
        option device 'br-iptv'
        option proto 'none'
        option delegate '0'
config device
        option type '8021q'
        option ifname 'eth0'
        option vid '845'
        option name 'eth0.845'
        option ipv6 '0'
config device
        option type '8021q'
        option ifname 'eth1'
        option vid '845'
        option name 'eth1.845'
        option ipv6 '0'
config device
        option type 'bridge'
        option name 'br-tv'
        list ports 'eth0.845'
        list ports 'eth1.845'

And at first glance it doesn't look promising:

Protocol: Unmanaged
Uptime: 0h 18m 1s
RX: 3.38 KB (81 Pkts.)
TX: 1.52 KB (33 Pkts.)

Could it be that I need to do any other changes in the config? Now with this software bridge and unmanaged device maybe I would need to change something on the Archer C7 the TV is connected to?


Yes, the one I tested was an ER-4, so not an X model.
I have (until now) :grin: liked the idea of separating stuff, one box for routing and one for switching.
But, are you saying that in my situation even an Edgerouter X model isn't ideal?

Also, thank you guys for helping me out a bit. Felt like I had some understanding of VLAN when working with my 4300 but now it feels like I fumble a lot in the dark. Maybe doing best in putting away that new APU stuff and going back to the old gear.

You have br-iptv in one place and br-tv in the other place. There's a null MAC address and IP6 delegation-- the first is an error and the second is irrelevant on an interface of proto none. I don't think you need 8021q definitions at all, the VLAN numbers can be used directly in the bridge ports.

So all you really need is this:

config interface 'tv'
    option device 'br-tv'
    option proto 'none'

config device
    option name 'br-tv'
    option type 'bridge'
    list ports 'eth0.845'
    list ports 'eth1.845'

Running brctl show should show the bridge created.
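
An added example (not part of the original posts, and not OpenWrt's own tooling): a small Python linter for /etc/config/network text that catches the mistakes discussed above, namely an interface pointing at a bridge name that is never defined, an empty macaddr, and a bridge that no interface declares. The `br-` prefix test and the mixed-VLAN warning are assumptions of this sketch, and both sample configs are constructed from the ones posted in the thread.

```python
import re

# Constructed from the thread: the first bridge attempt (interface points at
# 'br-iptv', bridge is named 'br-tv', macaddr is empty) and the corrected form.
BROKEN = """
config interface 'IPTV'
        option macaddr ''
        option device 'br-iptv'
        option proto 'none'
config device
        option type 'bridge'
        option name 'br-tv'
        list ports 'eth0.845'
        list ports 'eth1.845'
"""
FIXED = """
config interface 'tv'
    option device 'br-tv'
    option proto 'none'

config device
    option name 'br-tv'
    option type 'bridge'
    list ports 'eth0.845'
    list ports 'eth1.845'
"""

LINE = re.compile(r"^\s*(config|option|list)\s+(\S+)(?:\s+(.*?))?\s*$")


def unquote(value):
    value = (value or "").strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def parse_uci(text):
    """Return UCI sections as dicts with type, name, options and lists."""
    sections = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # blank lines, comments, anything unrecognised
        kind, key, val = m.group(1), unquote(m.group(2)), unquote(m.group(3))
        if kind == "config":
            sections.append({"type": key, "name": val, "options": {}, "lists": {}})
        elif sections and kind == "option":
            sections[-1]["options"][key] = val
        elif sections:
            sections[-1]["lists"].setdefault(key, []).append(val)
    return sections


def lint(text):
    """Return a list of findings for bridge-related mistakes."""
    sections = parse_uci(text)
    bridges = {s["options"].get("name"): s for s in sections
               if s["type"] == "device" and s["options"].get("type") == "bridge"}
    ifaces = [s for s in sections if s["type"] == "interface"]
    findings = []
    for s in sections:
        label = s["name"] or s["options"].get("name") or s["type"]
        if s["options"].get("macaddr") == "":
            findings.append(f"{label}: empty macaddr")
    for s in ifaces:
        dev = s["options"].get("device", "")
        # Assumption: names starting with 'br-' are meant to be bridges.
        if dev.startswith("br-") and dev not in bridges:
            findings.append(f"{s['name']}: device '{dev}' is not a defined bridge")
    used = {s["options"].get("device") for s in ifaces}
    for name, bridge in bridges.items():
        if name not in used:
            findings.append(f"{name}: no interface declares this bridge")
        # Ports such as eth0.845 carry a VLAN id; a bare port is untagged.
        vids = {p.partition(".")[2] or "untagged"
                for p in bridge["lists"].get("ports", [])}
        if len(vids) > 1:  # not always wrong, but joins segments: review it
            findings.append(f"{name}: ports mix VLANs {sorted(vids)}")
    return findings


if __name__ == "__main__":
    for finding in lint(BROKEN):
        print("WARN", finding)
```

The mixed-VLAN warning matters most on a bridge that includes a WAN-side port: it shows when the ISP's VLAN would be joined to an untagged or differently tagged segment.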

Sorry if it was confusing. An x model would actually work very well in this context because of the built in switch - you don’t need to do any bridging. The er-4 would require bridging and is not a good option for your current setup.

But try the bridging on your apu2 device.


Yes sorry, I messed up when I pasted it into here. Now I have set it up exactly as in your post but still no success.
If I add a specific MAC and change to DHCP I at least get an IP from the correct network. (The exact same as I used to get on the 4300 as I'm using the same.)
With my old setup I also got the same IP on both the WDR4300 and the Archer C7 on the other end. Looked a bit funny to me? But has always worked...

No problem, it is probably just me who is a bit confused overall after all these problems I have had now. Just wanted to ensure I understood you correctly.

To clarify a bit I'll post a topology and the config files from my old working setup.

WDR4300 ifconfig

root@wdr4300:# ifconfig eth0.845
eth0.845  Link encap:Ethernet  HWaddr **:**:**:**:**:**
          inet addr:10.164.160.31  Bcast:10.164.160.255  Mask:255.255.255.0
          inet6 addr: fe80::a491:b1ff:fe36:147b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:24010690 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9948 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:30459136819 (28.3 GiB)  TX bytes:3401256 (3.2 MiB)

root@wdr4300:# ifconfig br-lan
br-lan    Link encap:Ethernet  HWaddr **:**:**:**:**:**
          inet addr:192.168.1.2  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fd5d:52c5:cae2::1/60 Scope:Global
          inet6 addr: fe80::92f6:52ff:feff:d7a6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1274238 errors:0 dropped:24 overruns:0 frame:0
          TX packets:3967460 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:149372287 (142.4 MiB)  TX bytes:5237108225 (4.8 GiB)

WDR4300 /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd5d:52c5:cae2::/48'

config interface 'lan'
        option type 'bridge'
        option ifname 'eth0.1'
        option proto 'static'
        option ip6assign '60'
        option netmask '255.255.255.0'
        option delegate '0'
        option ipaddr '192.168.1.2'
        option dns '1.1.1.1 1.0.0.1'

config interface 'wan'
        option ifname 'eth0.2'
        option proto 'dhcp'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 2 3 4t 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '0t 1'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '845'
        option ports '0t 1t 5t'

config interface 'IPTV'
        option proto 'dhcp'
        option ifname 'eth0.845'
        option vendorid 'IPTV_RGW_PRIV'
        option macaddr '**:**:**:**:**:**'
        option delegate '0'
        option defaultroute '0'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option vid '107'
        option ports '0t 2t 3t 4t 5t'

config interface 'IoT'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '192.168.107.2'
        option ifname 'eth0.107'

config route
        option interface 'lan'
        option target '10.13.13.0'
        option netmask '255.255.255.0'
        option gateway '192.168.1.64'

config interface 'Guest'
        option proto 'static'
        option netmask '255.255.255.0'
        option ipaddr '10.20.30.40'
        option dns '1.1.1.1'
        option type 'bridge'
        option ifname 'eth0.10'

config switch_vlan
        option device 'switch0'
        option vlan '5'
        option ports '0t'
        option vid '10'

Archer C7 ifconfig

root@archerc7:# ifconfig eth1.845
eth1.845  Link encap:Ethernet  HWaddr **:**:**:**:**:**
          inet addr:10.164.160.31  Bcast:10.164.160.255  Mask:255.255.255.0
          inet6 addr: fe80::a491:b1ff:fe36:147b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2005923 errors:0 dropped:0 overruns:0 frame:0
          TX packets:222 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:2549527398 (2.3 GiB)  TX bytes:22507 (21.9 KiB)

root@archerc7:# ifconfig br-lan
br-lan    Link encap:Ethernet  HWaddr **:**:**:**:**:**
          inet addr:192.168.1.10  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::62e3:27ff:fe88:d4ad/64 Scope:Link
          inet6 addr: fd42:ac77:5c55::1/60 Scope:Global
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:4600 errors:0 dropped:0 overruns:0 frame:0
          TX packets:3564 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:655787 (640.4 KiB)  TX bytes:1138388 (1.0 MiB)

Archer C7 /etc/config/network

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd42:ac77:5c55::/48'

config interface 'lan'
        option force_link '1'
        option type 'bridge'
        option proto 'static'
        option netmask '255.255.255.0'
        option ip6assign '60'
        option _orig_ifname 'eth1 radio0.network1 wlan1'
        option _orig_bridge 'true'
        option ipaddr '192.168.1.10'
        option ifname 'eth1.1'
        option gateway '192.168.1.2'

config interface 'wan'
        option ifname 'eth0'
        option proto 'dhcp'

config interface 'wan6'
        option ifname 'eth0'
        option proto 'dhcpv6'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'

config switch
        option name 'switch0'
        option reset '1'
        option enable_vlan '1'
        option mirror_source_port '0'
        option mirror_monitor_port '0'

config switch_vlan
        option device 'switch0'
        option vlan '1'
        option vid '1'
        option ports '0t 3 4 5t'

config switch_vlan
        option device 'switch0'
        option vlan '2'
        option ports '1 6'
        option vid '2'

config switch_vlan
        option device 'switch0'
        option vlan '3'
        option vid '845'
        option ports '0t 2 5t'

config switch_vlan
        option device 'switch0'
        option vlan '4'
        option ports '0t 5t'
        option vid '107'

config interface 'IoT'
        option _orig_ifname 'wlan1-1'
        option _orig_bridge 'false'
        option type 'bridge'
        option ifname 'eth1.107'
        option proto 'static'
        option ipaddr '192.168.107.10'
        option netmask '255.255.255.0'
        option gateway '192.168.107.2'

config interface 'IPTV'
        option ifname 'eth1.845'
        option _orig_ifname 'eth1.845'
        option _orig_bridge 'false'
        option proto 'dhcp'
        option macaddr '**:**:**:**:**:**'
        option vendorid 'IPTV_RGW_PRIV'

APU /etc/config/network


config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd53:ed4e:d99f::/48'

config interface 'lan'
        option proto 'static'
        option ip6assign '60'
        option device 'eth1'
        list ipaddr '192.168.1.9/24'

config interface 'wan'
        option proto 'dhcp'
        option macaddr '**:**:**:**:**:**'
        option device 'eth0'
        option peerdns '0'

config interface 'wan6'
        option device 'eth0'
        option proto 'dhcpv6'
        option auto '0'
        option reqaddress 'try'
        option reqprefix 'auto'

config interface 'docker'
        option device 'docker0'
        option proto 'none'
        option auto '0'

config device
        option type 'bridge'
        option name 'docker0'

config device
        option type '8021q'
        option ifname 'eth1'
        option vid '107'
        option name 'eth1.107'

config interface 'IoT'
        option proto 'static'
        option device 'eth1.107'
        option ipaddr '192.168.107.2'
        option netmask '255.255.255.0'

config device
        option name 'eth1'
        option ipv6 '0'

config device
        option name 'eth0'
        option ipv6 '0'
        option macaddr '**:**:**:**:**:**'

config interface 'tv'
        option device 'br-tv'
        option proto 'none'

config device
        option type 'bridge'
        option name 'br-tv'
        list ports 'eth0.845'
        list ports 'eth1.845'
        option macaddr '**:**:**:**:**:**'

I am spoofing macaddr to get the same IP as I have had from the beginning; those have been changed to * in the post.

On another note, now when looking at the configs I have had option vendorid 'IPTV_RGW_PRIV' set on both routers. Which one does actually count?

Also, looking at the ifconfig output for the VLAN845 interface on the WDR4300 and Archer C7 looks odd.. they have the same IP??

In a layer 2 bridge the bridge / switch device doesn't need, and should not have, an IP address. It may or may not have a MAC address, but without the layer 3 function of ARP there's no way for other devices to use it.

I guess your other network is unchanged but it is a bit odd that the TV VLAN is tagged from the modem but the TV box gets it untagged. Usually it is set up so the TV box can be plugged directly into the modem as that would be the most common installation.

I'm not sure what you refer to as modem? The router my ISP sent me?

Because the TV box and TV are like 100m of TP cable away from the router, I replaced it with something that wasn't locked down for configuration.
So the ISP router has never been used for its original purpose. But since the software on it is built on OpenWRT I have the /etc/config/network file:

config interface 'loopback'
        option ifname 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fd35:d4fe:6793::/48'
        option default_ps '0'

config interface 'lan'
        option type 'bridge'
        option proto 'static'
        option ipaddr '192.168.1.1'
        option netmask '255.255.255.0'
        option gateway '192.168.1.2'
        option dns '8.8.8.8'
        option force_link '0'
        option ip6hint '0'
        option igmp_snooping '0'
        option ipv6 '0'
        option ip6assign '64'
        option ifname 'vlan_eth0 vlan_eth1 vlan_eth2 vlan_eth3 vlan_eth5'
        list pppoerelay ''

config interface 'Guest1'
        option proto 'static'
        option ip6assign '64'
        option ipv6 '0'
        option ip6hint '1'
        option netmask '255.255.255.128'
        option ipaddr '192.168.168.126'
        option ifname 'wl0_1'
        option force_link '0'

config interface 'Guest1_5GHz'
        option proto 'static'
        option ip6assign '64'
        option ipv6 '0'
        option ip6hint '2'
        option netmask '255.255.255.128'
        option ipaddr '192.168.168.254'
        option ifname 'wl1_1'
        option force_link '0'

config device 'vlan_eth0'
        option type '8021q'
        option ifname 'eth0'
        option name 'vlan_eth0'
        option vid '1'

config device 'vlan_eth1'
        option type '8021q'
        option ifname 'eth1'
        option name 'vlan_eth1'
        option vid '1'

config device 'vlan_eth2'
        option type '8021q'
        option ifname 'eth2'
        option name 'vlan_eth2'
        option vid '1'

config device 'vlan_eth3'
        option type '8021q'
        option ifname 'eth3'
        option name 'vlan_eth3'
        option vid '1'

config device 'phy_eth3'
        option name 'eth3'
        option mtu '1500'

config switch 'bcmsw_int'
        option reset '1'
        option type 'bcmsw'
        option qosimppauseenable '0'
        option unit '0'
        option enable_vlan '0'

config switch 'bcmsw_ext'
        option reset '1'
        option type 'bcmsw'
        option qosimppauseenable '0'
        option unit '1'
        option enable_vlan '1'

config switch_vlan
        option device 'bcmsw_ext'
        option vlan '1'
        option ports '0* 1* 2* 3* 8t 5*'

config smartcontrol 'smartcontrol'
        option switch_port '0*'

config interface 'hotspot'
        option type 'bridge'
        option ifname 'gre-hotspot'

config device 'vlan_eth5'
        option type '8021q'
        option ifname 'eth5'
        option name 'vlan_eth5'
        option vid '1'
        option multicast_router '2'

config interface 'wan'
        option auto '0'
        option proto 'dhcp'
        option reqopts '1 3 6 15 33 42 51 121 125 249'
        option release '1'
        option iface6rd '6rd'
        option mtu6rd '1480'
        option vendorid 'LongLeaseTime'
        option ip4table 'main'
        option hostname 'Telia WiFi-router Plus v3-CP1752TASDZ-17.2.0339-1441018'
        option dns_metric '0'

config interface 'wan6'
        option ifname '@wan'
        option proto 'dhcpv6'
        option reqopts '23 25'
        option noslaaconly '1'
        option dns_metric '1'
        option auto '0'

config interface 'wwan'
        option auto '1'
        option metric '10'
        option proto 'mobiled'
        option session_id '0'
        option profile '1'

config interface 'iptv'
        option auto '0'
        option proto 'dhcp'
        option reqopts '1 3 6 15 33 42 51 121 249'
        option release '1'
        option iface6rd '0'
        option vendorid 'IPTV_RGW_PRIV'
        option ip4table 'iptv'
        option dnsset 'iptv'

config interface 'voip'
        option auto '0'
        option proto 'dhcp'
        option ip4table 'voip'
        option reqopts '1 3 6 15 33 42 51 121 249'
        option release '1'
        option iface6rd '0'
        option vendorid 'tel-002-'
        option dnsset 'voip'

config interface 'mgmt'
        option auto '0'
        option proto 'dhcp'
        option initboot '1'
        option ip4table 'mgmt'
        option reqopts '1 3 6 15 33 42 43 51 121 249'
        option release '1'
        option iface6rd '0'
        option dnsset 'mgmt'

config interface 'gre'
        option peeraddr '213.64.234.83'
        option mtu '1578'
        option df '1'
        option zone 'wan'
        option tunlink 'wan'
        option ttl '100'
        option proto 'gretap'
        option network 'hotspot'

config device 'phy_eth4'
        option name 'eth4'
        option mtu '1500'

config device 'phy_ptm0'
        option name 'ptm0'
        option mtu '1500'

config device 'vlan_data'
        option ifname 'eth4'
        option name 'phy_eth4'

config device 'phy_atm'
        option name 'atm_wan'
        option mtu '1500'

config device 'vlan_iptv'
        option type '8021q'
        option ifname 'eth4'
        option name 'vlan_iptv'
        option vid '845'
        option macaddr '**:**:**:**:**:**'
        option mtu '1500'

config device 'vlan_voip'
        option type '8021q'
        option ifname 'eth4'
        option name 'vlan_voip'
        option vid '855'
        option macaddr '**:**:**:**:**:**'
        option mtu '1500'

config device 'vlan_mgmt'
        option type '8021q'
        option ifname 'eth4'
        option name 'vlan_mgmt'
        option vid '294'
        option macaddr '**:**:**:**:**:**'
        option mtu '1500'

config config 'config'

It's way too complicated for me to understand their VLAN setup though... All I want is to be able to watch TV without the need of a second TP cable those 100 meters to the other building.