At home my FTTH Internet connection is provided by XS4ALL. They provide a FRITZ!Box router to connect to the Internet. Instead of using the FRITZ!Box I’ve always used my own Debian GNU/Linux machine to route traffic to the internet.
The XS4ALL uplink has 2 VLANs:
- VLAN4: TV (bridged, RFC1483)
- VLAN6: PPPoE IPv4 + IPv6 internet connection
My XS4ALL uplink is connected to a managed switch. My Motorola 1963 TV Receiver is directly connected to an untagged VLAN4 port on my switch. This way the TV Receiver is directly connected to the TV platform on OSI Layer 2.
Recently I got a letter from XS4ALL saying that this setup is going to change. The TV Receiver can not be connected to the TV platform directly anymore, but needs to be part of the internal network. This adds the ability to support Internet services (like Youtube, Netflix, etc.) on the TV Receiver.
Current setup
In my current setup the upstream connection is connected to a managed switch. VLAN4 and VLAN6 are tagged on this switchport. The TV Receiver is connected to an untagged VLAN4 switchport. It can directly communicate with the TV platform. The Debian Router is connected to a tagged VLAN6 switchport for internet access and a tagged VLAN1 switchport for the local network. Devices on the local network connect to the Internet via the Debian Router on VLAN1.
New setup
In the new setup the TV Receiver is not in untagged VLAN4 anymore. Instead VLAN4 is now tagged on the switchport of the Debian Router as it will function as a gateway to the TV Platform. I created VLAN104 in which the TV Receiver will be. It’s also possible to create a setup where the TV Receiver is in VLAN1, but my Managed Switch currently doesn’t support IGMP Snooping. The result of that would be that if you are watching TV, all other devices in VLAN1 also receive the IPTV multicast traffic.
Layer 2 / Layer 3 view
In a more detailed view, leaving out the physical hardware, it looks like the diagram below. Local devices on VLAN1 access the Internet through the Debian Router, which routes the traffic to VLAN6. The TV Receiver on VLAN104 accesses the TV Platfrom through the Debian router, which routes it to VLAN4. The Debian Router runs an igmpproxy to route Multicast Traffic (IPTV) from VLAN4 to VLAN104. The red arrow shows that the TV Receiver is now also able to access the Internet for for services like Youtube or Netflix.
How is the Debian Router configured?
First of all the Debian Router has 1 physical interface, 4 VLAN interfaces and 1 PPPoE interface. They are configured in /etc/network/interfaces:
auto eth0
iface eth0 inet manual
up ip link set up dev eth0
down ip link set down dev eth0
# LAN
auto vlan1
iface vlan1 inet manual
pre-up ip link add link eth0 name vlan1 type vlan id 1
up ip link set up dev vlan1
up ip addr add 10.0.1.1/24 brd + dev vlan1
down ip addr del 10.0.1.1/24 dev vlan1
down ip link set down dev vlan1
post-down ip link delete vlan1
# IPTV
auto vlan4
iface vlan4 inet manual
pre-up ip link add link eth0 name vlan4 type vlan id 4
up ip link set up dev vlan4
post-up dhclient vlan4
pre-down dhclient -x
down ip link set down dev vlan4
post-down ip link delete vlan4
# Internet (PPPoE)
auto vlan6
iface vlan6 inet manual
pre-up ip link add link eth0 name vlan6 type vlan id 6
up ip link set up dev vlan6
down ip link set down dev vlan6
post-down ip link delete vlan6
# IPTV (Internal)
auto vlan104
iface vlan104 inet manual
pre-up ip link add link eth0 name vlan104 type vlan id 104
up ip link set up dev vlan104
up ip addr add 10.0.104.1/24 brd + dev vlan104
down ip addr del 10.0.104.1/24 dev vlan104
down ip link set down dev vlan104
post-down ip link delete vlan104
# PPPoE
auto xs4all
iface xs4all inet ppp
provider xs4all
The DHCP client configuration in /etc/dhcp/dhclient.conf will request a subnet-mask (option 1), broadcast-address (option 28), routers (option 3) and Classless Static Routes (option 121) on VLAN4:
option rfc3442-classless-static-routes code 121 = array of unsigned integer 8;
interface "vlan4" {
request subnet-mask, broadcast-address, routers, rfc3442-classless-static-routes;
send vendor-class-identifier "IPTV_RG";
}
This will result in the fact that the vlan4 interface will get an IP address and additional routes will be added to the route table of the Debian Router to be able to access the TV Platform:
# ip addr show dev vlan4
5: vlan4@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 00:1b:21:c3:f8:90 brd ff:ff:ff:ff:ff:ff
inet 10.86.117.65/21 brd 10.86.119.255 scope global vlan4
valid_lft forever preferred_lft forever
# ip route | grep vlan4
10.86.112.0/21 dev vlan4 proto kernel scope link src 10.86.117.65
213.75.112.0/21 via 10.86.112.1 dev vlan4
Configure /etc/igmpproxy.conf to forward multicast traffic from VLAN4 to VLAN104:
phyint vlan4 upstream ratelimit 0 threshold 1
altnet 213.75.0.0/16
altnet 217.166.0.0/16
phyint vlan104 downstream ratelimit 0 threshold 1
altnet 10.0.104.0/24
Make sure IPv4 forwarding is enabled:
# cat /proc/sys/net/ipv4/ip_forward
1
And configure IPTables to allow the traffic we want to allow:
# allow igmpproxy traffic to the TV Receiver
iptables -A INPUT -i vlan104 -j ACCEPT
iptables -A OUTPUT -o vlan104 -j ACCEPT
# allow dhclient + igmpproxy traffic to the TV Platform
iptables -A INPUT -i vlan4 -d 224.0.0.0/4 -j ACCEPT
iptables -A OUTPUT -o vlan4 -p udp --dport 68 -j ACCEPT
iptables -A OUTPUT -o vlan4 -p igmp -d 224.0.0.22 -j ACCEPT
# allow TV Receiver traffic to the TV Platform and apply Source NAT
iptables -A FORWARD -i vlan104 -o vlan4 -j ACCEPT
iptables -A FORWARD -i vlan4 -o vlan104 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i vlan4 -o vlan104 -p udp -d 224.0.0.0/4 -j ACCEPT
iptables -t nat -A POSTROUTING -o vlan4 -j MASQUERADE
# allow TV Receiver traffic to the internet
iptables -A FORWARD -i vlan104 -o ppp0 -j ACCEPT
iptables -A FORWARD -i ppp0 -o vlan104 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE