dcorder
join:2005-06-03
990004

4 recommendations

dcorder

Member

[Prism TV] HOWTO: Use pfSense with CenturyLink FTTH and Prism TV in Seattle

Hi all,

I want to share how I configured my pfSense system to work with my Prism TV service in Seattle, WA, in case anyone else was interested in doing so as well.

I had Prism TV installed yesterday in Seattle with my FTTH gig service. The tech set it up with the Technicolor C2000T router, and then I spent the rest of the day getting it working with my original pfSense setup. After paring my network down to the bare minimum, some trial and error, and a little bit of luck, I was able to get it working using bits of information gathered from a number of other sources and similar setups, and I wanted to gather it all in one place to help others.

Here's my setup:

CenturyLink FTTH 1 Gbps service
Calix 716GE-I interior ONT
pfSense Router x86-64 2.2.4 (Celeron 1037U mini-PC with dual Intel gigabit NICs (em driver in pfSense))
WAN connection is type IPoE on tagged VLAN 201
LAN is default 192.16.1.1/24
ZyXEL GS1920-24 network switch
Prism TV service with HD and DVR via Pace IPH8010 STB

I had the FTTH service installed about three weeks ago, and it was originally set up using PPPoE on VLAN 201. I followed other guides here to get that up and running with pfSense without too much difficulty.

I moved everything back to the stock CenturyLink router (the C2000A) before the installer came yesterday so he'd have a normal install to work with. The first thing the installer did yesterday was reprovision my service from PPPoE to IPoE and go through a process of reconfiguring the C2000A router with some QoS (done automatically through some interface on his laptop, it seemed). He then went through the normal set-top box setup process and got it provisioned (had to reboot it a couple extra times, and swap my C2000A for the C2000T when the C2000A started making a high-pitched whine). According to the installer (and mentioned elsewhere on this board and others) Prism TV users are all on IPoE service and still on VLAN 201.

Quick overview at a high level of how the Prism IPTV service works, based on my understanding, anyway. Please correct me if I'm wrong, but this should be good enough to understand what follows:

TV channels are broadcast on the fiber network as multicast UDP streams. Multicast groups are used to direct the traffic to all the subscribing devices (i.e., STBs tuned to that channel).
Multicast groups are managed via the IGMP protocol (not the more common TCP or UDP). This allows the stream to be sent only to the parts of the network that need it (instead of flooding the entire network with traffic). IGMP doesn't normally pass networks/NAT setups - there needs to be some kind of proxy to relay the IGMP messages between networks.
When you switch to a channel on the STB, it will first start receiving the channel as a regular UDP unicast stream, then send the necessary IGMP messages to join the multicast group and then seamlessly switch to the UDP multicast stream.

That last part is why, when your router isn't configured correctly, you'll see a channel freeze 10-15 seconds after switching to it: the STB isn't able to subscribe to the multicast stream to view the channel. Either the IGMP messages or the UDP packets aren't making it through the router properly (or both).

So, now that we know what the issue is, we can fix it, and it's actually pretty straightforward now that we know what we're trying to do: set up an IGMP proxy and configure the necessary firewall rules to allow the IGMP and UDP traffic.

One thing I got stuck on is that the IGMP proxy service in pfSense requires you to specify the upstream multicast networks. It seems that the equivalent service in WRT firmwares doesn't require that - you just enable the "IGMP proxy" option and you're good to go. So far I've found two networks that traffic comes from, but there may be others, possibly for channels I don't have or haven't tried to view yet. Hopefully other users will report back with any other networks they find and we can maintain a comprehensive list.

First, you need to upgrade the version of igmpproxy that comes with pfSense. Get to a shell on the pfSense machine (either via SSH or the console) and run:
pkg
pkg update
pkg install igmpproxy
 
This should install the package igmpproxy version 0.1_2,1.

Screenshot: »i.imgur.com/P6Jk0Bs.png

This version of igmpproxy has different command-line arguments than the default version, so we need to update the way it is launched:

1. Go into the pfSense Web UI and navigate to "Diagnostics" -> "Edit File".
2. Browse to the file "/etc/inc/services.inc"
3. Find the line which reads: "/* NOTE: -d4 means everything LOG_WARNING and smaller */"
4. Edit the line underneath to change -d4 to -v -v:
mwexec("/usr/local/sbin/igmpproxy -v -v {$g['tmp_path']}/igmpproxy.conf");
Screenshot: »i.imgur.com/yrrQL1s.png

5. Save the file

(sources: »forum.pfsense.org/index. ··· .0;nowap and »redmine.pfsense.org/issues/4672)

Now to configure the IGMP proxy
1. Go into the pfSense Web UI and navigate to "Services" -> "IGMP proxy"
2. Click the "+" button to add a new upstream proxy as follows:
Interface: WAN
Description: Prism Upstream
Type: Upstream Interface
Threshold: Leave empty
Networks: 67.12.0.0/15, 151.118.0.0/15
Screenshot: »i.imgur.com/QKPRRAY.png

Save the changes

3: Back at the IGMP proxy screen, click the "+" button to add a new downstream proxy as follows:
Interface: LAN
Description: Prism Downstream
Type: Downstream Interface
Threshold: Leave empty
Networks: Leave empty
Save the changes

Screenshot: »i.imgur.com/XutmhHx.png

4. Your IGMP proxy settings should look like this: »i.imgur.com/wgDyjxO.png
5. Click the "Apply Changes" button in the red banner to restart the IGMP proxy with the new configuration. (Note: in my experience, the page will hang on reloading and if you reload it the "apply changes" message is still there, even though the changes have actually been applied and the service restarted. Not sure why that is.)

I found these networks by looking at the debug messages from the igmpproxy service and from what the firewall was blocking. I only saw one or two IPs in each network in the logs, but I did a whois on the address to find the entire network block and added that, just in case CenturyLink changes things in the future.

Also, some threads on igmpproxy on pfSense said you may have to create an interface using the underlying network adapter for your WAN and give it a fake static IP, just so igmpproxy doesn't complain about it and refuse to work. I didn't have to do that here (it may only apply to the outdated version included by default), but YMMV.

Now that the igmpproxy is configured, on to the firewall rules...

1. In the web UI, navigate to "Firewall" -> "Rules"
2. In the WAN tab, add the following rules:
Action: Pass
Interface: WAN
TCP/IP Version: IPv4
Protocol: IGMP
Source: any
Destination: any
Log: unchecked
Description: CenturyLink Prism IGMP Messages
Advanced features -> Advanced options -> Check the box next to "This allows packets with IP options to pass. Otherwise they are blocked by default. This is usually only seen with multicast traffic."

Action: Pass
Interface: WAN
TCP/IP Version: IPv4
Protocol: UDP
Source: Network, 224.0.0.0/4
Destination: any
Log: unchecked
Description: CenturyLink Prism Multicast UDP
Advanced features -> Advanced options -> Check the box next to "This allows packets with IP options to pass. Otherwise they are blocked by default. This is usually only seen with multicast traffic."

Action: Pass
Interface: WAN
TCP/IP Version: IPv4
Protocol: UDP
Source: Network, 67.12.0.0/15
Destination: any
Log: unchecked
Description: CenturyLink Prism Multicast UDP
Advanced features -> Advanced options -> Check the box next to "This allows packets with IP options to pass. Otherwise they are blocked by default. This is usually only seen with multicast traffic."

Action: Pass
Interface: WAN
TCP/IP Version: IPv4
Protocol: UDP
Source: Network, 151.118.0.0/16
Destination: any
Log: unchecked
Description: CenturyLink Prism Multicast UDP
Advanced features -> Advanced options -> Check the box next to "This allows packets with IP options to pass. Otherwise they are blocked by default. This is usually only seen with multicast traffic."

NB: 224.0.0.0/4 is the block of reserved multicast addresses. The other two networks are the same as those added to the IGMP proxy configuration.
3. In the LAN tab, edit the "Default allow LAN to any rule" rule and under "Advanced features" -> "Advanced options" -> Check the box next to "This allows packets with IP options to pass. Otherwise they are blocked by default. This is usually only seen with multicast traffic."

WAN rules screenshot: »i.imgur.com/QO8njQW.png
LAN rules screenshot: »i.imgur.com/OzpoQ9g.png

4. Reload the filter rules

These are the rules that are working for me. It's more than likely that finer-grained networks or network addresses could be used than what I've got, but I haven't looked into that yet.

Once pfSense is configured, you need to enable IGMP snooping on your switch(es). Well, this is not strictly necessary, but since the UDP multicast stream is sent as (I think) broadcast traffic at the layer 2 level, it'll be sent out to every port on your switch unless the switch is able to inspect (snoop) the IGMP messages and send the traffic only out to the port(s) with clients of the multicast group. If everything's hard-wired, this isn't so bad since the stream doesn't seem to use a whole lot of bandwidth, but if you've got a wireless access point you definitely don't want the broadcast traffic going over the air (the AP will spend all its time sending traffic to nowhere and clients won't be able to send or receive much real data). Any halfway decent smart or managed switch should have an IGMP snooping option somewhere in its settings...you should just need to find it and enable it.

On my GS1920-24 (running FW version "V4.10(AAOB.5) | 05/05/2015"), which has a very non-intuitive menu system, it's in "Advanced Application" -> "Multicast" on the left menu, then click on the "Click Here" link next to "IPv4 Multicast" in the right pane, then "IGMP Snooping" on the next screen. I just needed to enable the checkbox next to "Active", then click the "Apply" button at the bottom to save and activate the new setting, then "Save" up in the top banner to save the running config to flash so it persists across switch reboots. I didn't have to change any other settings or port configuration.

My GS1920-24 config screenshot: »i.imgur.com/mo89tZc.png

Your switch will likely differ (and I hope it's easier than mine). All switches that are between your router and your STB (including any built into, e.g., consumer routers you're running in AP mode) will need to have IGMP snooping enabled.

The next step is to add the appropriate QoS service to prioritize the IPTV traffic across your network (this is done by default in the C2000A and C2000T routers). I haven't done that yet, but as soon as I get it set up I will add it to this document.

I've successfully recorded programs, paused live TV, and viewed free on-demand content with this configuration.

I hope this information has been helpful to others. If you see anything that needs clarification or more information, or have any questions/need help, please let me know and I will do my best to assist.
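An added example, not part of the original post or of pfSense: a small Python audit that reads blocked-packet log lines and sorts the upstream sources of blocked multicast UDP by whether the igmpproxy network list and the WAN rule sources, both copied exactly as written in the post, cover them. The interface name `em0_vlan201`, the filterlog field order and every log line are assumptions constructed for illustration.

```python
import ipaddress

# Network lists exactly as written in the post (IGMP proxy "Networks", WAN rule sources).
ALTNETS = [ipaddress.ip_network(n) for n in ("67.12.0.0/15", "151.118.0.0/15")]
FW_SOURCES = [ipaddress.ip_network(n) for n in ("67.12.0.0/15", "151.118.0.0/16")]
MULTICAST = ipaddress.ip_network("224.0.0.0/4")
WAN_IF = "em0_vlan201"  # assumed name: em NIC carrying tagged VLAN 201

# Constructed sample lines. Field order is an assumption (pfSense raw filterlog,
# IPv4): 4=interface 6=action 7=direction 8=ipver 16=proto 18=src 19=dst.
SAMPLE_LOG = """\
Sep  1 20:01:02 fw filterlog: 5,16777216,,1000000103,em0_vlan201,match,block,in,4,0x0,,59,0,0,DF,17,udp,1356,151.119.3.20,239.10.1.5,4000,4000,1336
Sep  1 20:01:03 fw filterlog: 5,16777216,,1000000103,em0_vlan201,match,block,in,4,0x0,,59,0,0,DF,17,udp,1356,67.12.40.9,239.10.1.6,4000,4000,1336
Sep  1 20:01:04 fw filterlog: 5,16777216,,1000000103,em0_vlan201,match,block,in,4,0x0,,52,0,0,DF,17,udp,1356,198.51.100.7,239.10.1.7,4000,4000,1336
Sep  1 20:01:05 fw filterlog: 5,16777216,,1000000103,em0_vlan201,match,block,in,4,0x0,,52,0,0,DF,6,tcp,60,198.51.100.9,192.0.2.10,51000,22,0,S,1,,1024,,
Sep  1 20:01:06 fw filterlog: 60,16777216,,1441000001,em0_vlan201,match,pass,in,4,0x0,,59,0,0,DF,17,udp,1356,67.12.40.9,239.10.1.6,4000,4000,1336
Sep  1 20:01:07 fw filterlog: 5,16777216,,1000000103,em1,match,block,in,4,0x0,,1,0,0,DF,17,udp,60,192.168.1.50,239.255.255.250,1900,1900,40
"""

def blocked_multicast_sources(log_text, wan_if=WAN_IF):
    """Yield source IPs of blocked inbound IPv4 UDP packets to multicast groups on WAN."""
    for line in log_text.splitlines():
        f = line.partition("filterlog: ")[2].split(",")
        if len(f) < 20 or (f[4], f[6], f[7], f[8], f[16]) != (wan_if, "block", "in", "4", "udp"):
            continue
        try:
            src, dst = ipaddress.ip_address(f[18]), ipaddress.ip_address(f[19])
        except ValueError:
            continue  # malformed address field: skip rather than guess
        if dst in MULTICAST:
            yield src

def classify(src):
    """Label a source by which of the two configured lists contains it."""
    in_alt = any(src in n for n in ALTNETS)
    in_fw = any(src in n for n in FW_SOURCES)
    if in_alt and in_fw:
        return "blocked-despite-rule"  # both lists match: another rule or option blocks it
    if in_alt:
        return "firewall-gap"          # igmpproxy accepts the source, no WAN pass rule does
    if in_fw:
        return "altnet-gap"            # a WAN rule passes it, igmpproxy would not accept it
    return "unknown-source"            # in neither list: whois it before adding anything

def audit(log_text):
    """Group blocked multicast sources by classification label."""
    findings = {}
    for src in blocked_multicast_sources(log_text):
        findings.setdefault(classify(src), set()).add(str(src))
    return {label: sorted(srcs) for label, srcs in findings.items()}

if __name__ == "__main__":
    for label, sources in audit(SAMPLE_LOG).items():
        print(label, sources)
```

Sources reported as `unknown-source` are candidates for a whois lookup, not for an automatic allow rule.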
dsheli
Premium Member
join:2002-02-05
Atlanta, GA

1 recommendation

dsheli

Premium Member

Dcorder,
Thank you so much for your post, I will be attempting the same configuration with CL Prism and GPON service in Denver. I will let you know what happens in regards to the Prism servers in CO.
David

Brett C
join:2004-08-03
Olathe, KS

2 recommendations

Brett C to dcorder

Member

to dcorder
Very nice write up. This is one of the few times that I think a post like this would be a good fit for the FAQ: »Embarq/CenturyLink DSL !

Have bookmarked this - as it may be of use in the near future for me.

SeattleMatt
Streaming Tech Director
Premium Member
join:2001-12-28
Seattle, WA

SeattleMatt to dcorder

Premium Member

to dcorder
D-
What neighborhood in Seattle are you in? Patiently waiting for them to launch it here in Fremont. Fiber was strung on all the poles around here about a month ago.
zhando
join:2015-09-11
USA

zhando to dcorder

Member

to dcorder
Any insights into how to substitute the Prism TV set top box with another platform e.g. Kodi w/ a special addon?

Any insights into any iptv standards used by Prism?
zhando

zhando

Member

Ok after some googling I find CL is using Ericsson's Mediaroom (first developed by Microsoft). Proprietary, strongly encrypted..

No way around leasing CL's set top box. This sours me a bit on CL fiber. They should have some kind of solution like a cablecard that allows you to use your own equipment like a silicon dust hdhomerun prime that just serves up channels over two or more tuners.

I suppose I could tolerate Prism's stb if there's a way to use my own (preferably open source) DVR solution.

SeattleGuy
@qwest.net

SeattleGuy to SeattleMatt

Anon

to SeattleMatt
I'm in Fremont and haven't noticed the same overhead boxes that you see in Greenwood. Are you in upper or lower Fremont? (I'm on 42nd and Fremont Ave)

SeattleMatt
Streaming Tech Director
Premium Member
join:2001-12-28
Seattle, WA

SeattleMatt

Premium Member

Seattle Guy-
Near 39th and Fremont Ave.

wesm
Premium Member
join:1999-07-29
Seattle, WA

wesm to dcorder

Premium Member

to dcorder
Thanks for this, saved it for future reference. Namely, the future when CenturyLink allows customers with static IP service to subscribe to Prism.

Theta
join:2003-07-24
Wentzville, MO

Theta to dcorder

Member

to dcorder
Thank you for this - it should prove quite helpful when adding our new CTL fiber into the load balancer stack with pFSense. Now if only it didn't take an act of God to get them to switch it over to Static like it should have been the first time around...

Kudos!
Barleyman
join:2015-09-20
United State

Barleyman to dcorder

Member

to dcorder
@dcorder Thanks for post. Did you ever address adding QOS? Does this setup require a "smart" switch?

dburkland
Student
join:2004-03-05
Minneapolis, MN

dburkland to dcorder

Member

to dcorder
Just wanted to say thanks for this excellent guide, I will be performing this setup shortly now that I removed the C2000T out of the way.

Thanks again,

Dan
dburkland

1 edit

dburkland

Member

After following the guide I had to add the following rules to both the firewall ruleset and igmpproxy config file:

69.179.0.0/16
184.156.0.0/14
130.13.0.0/16

Everything seems to work fine however I noticed that there is a 10-15 second delay after switching channels. I am no longer seeing any CL-related IP address in my firewall logs so I'm almost positive this issue isn't a result of that. Any help with resolving this minor issue would be greatly appreciated, thanks!

Dan
dcorder
join:2005-06-03
990004

dcorder to SeattleMatt

Member

to SeattleMatt
said by SeattleMatt:

D-
What neighborhood in Seattle are you in? Patiently waiting for them to launch it here in Fremont. Fiber was strung on all the poles around here about a month ago.

I'm in South Seattle, near Kubota Gardens. I didn't notice when the fiber went up on the poles, so I can't tell you how long it'll be before it's orderable, though I hear it's usually only a matter of weeks.
dcorder

dcorder to Barleyman

Member

to Barleyman

HOWTO: Use pfSense with CenturyLink FTTH and Prism TV in Seattle

You do need to have a switch with some amount of intelligence to do the IGMP snooping on your local network. The IPTV is sent as broadcast traffic, so with a dumb switch it'll be sent out all the ports on the switch. With IGMP snooping, the switch can figure out which ports should actually be receiving the traffic and only send it down those wires.

Strictly speaking, I guess you don't need IGMP snooping if you don't mind flooding your network with broadcast traffic (this is a bad idea if you have a separate wifi access point connected to your switch, but if you had all hard-wired devices maybe you could get away with it).
I haven't gotten around to the QOS piece yet. I've been too busy setting up the rest of my home theater. That said, it's been just fine for me even when downloading at 150+ Mbps (knock on wood).
Barleyman
join:2015-09-20
United State

Barleyman

Member

Perfect, thanks for the response. That clarifies it for me. I did try it on a dumb switch and my wifi network slowed way down and I had trouble connecting at times, so I went back to CL router for now. Good to know what was happening and I think about adding a switch with IGMP snooping.

Did you add QOS rules for IPTV traffic?
dcorder
join:2005-06-03
990004

dcorder

Member

Re: [Prism TV] HOWTO: Use pfSense with CenturyLink FTTH and Prism TV in Seattle

I can't seem to edit the original post, so here are a couple of minor updates.

First, in the section where you install a newer version of igmpproxy and update the services.inc file, mwexec should really be mwexec_bg

mwexec_bg("/usr/local/sbin/igmpproxy -v -v {$g['tmp_path']}/igmpproxy.conf");

This fixes the apparent hang on boot up and hang on reloading the igmpproxy configuration page.

Also, it looks like you need to have "Block private networks" and "Block bogon networks" disabled (unchecked) on the WAN interface.
dcorder

dcorder to Barleyman

Member

to Barleyman

Re: HOWTO: Use pfSense with CenturyLink FTTH and Prism TV in Seattle

Haven't tried QoS rules yet. Haven't seemed to need them, but I do want to work that part out to make the guide complete.

Man, I didn't realize how cheap smart switches are getting these days. The TP-LINK TL-SG108E, for example, is only $24 after rebate on Amazon right now (8-port gigabit switch with VLANs and IGMP snooping).
Barleyman
join:2015-09-20
United State

Barleyman

Member

Yeah, prices are nice. I didn't read entire thread to see your issue with "guide". I got the internet piece working right away using ubiquiti edge router lite. But stumbled on the Prism side of the setup. I followed this post originally => »community.ubnt.com/t5/Ed ··· e#M77969

I am kicking myself because I bought a "dumb" TP-link 16 port switch about 3 months before CL fiber was avail at my address in Greenwood. I had planned to just get internet and keep Comcast for use with my Tivo's because internet was $105/mo at the time. But since then they added Prism to this market they price it so it is $150/mo with just internet and ~$160 for Prism/Internet with promos.

dburkland
Student
join:2004-03-05
Minneapolis, MN

dburkland

Member

Re: [Prism TV] HOWTO: Use pfSense with CenturyLink FTTH and Prism TV in Seattle

After creating a post on the pfsense forums I attempted to put the stb on its own VLAN and what do you know, no more channel freezing! I am guessing one of my devices on the old VLAN must have been conflicting with the multicast traffic somehow. Anyways happy to finally have a fully functional IPTV stb and now I can finally ditch the technicolor modem for good!

Dan
tired_runner
Premium Member
join:2000-08-25
CT

tired_runner to zhando

Premium Member

to zhando
I was searching and came across this document discussing CenturyLink, CableCARD, and communicating data via network interface.

Perhaps they're looking into it?