-= IDS Communications Blog =-
Bell Fibe Internet & IPTV with pfsense
If you go through my Blog, you will notice that I wrote an article in January 2018 in regards to using your own router with Bell Fibe. In the previous Blog I was giving people the option to either activate the advanced DMZ option on their Home Hub 3000 (HH3000) or simply remove the HH3000. I was suggesting devices to handle the Fiber Optic conversion and referred to Forums where you were able to find posts on how to accomplish this and configure your systems.
At the time I was using the advanced DMZ option from my HH3000 which worked fine for me. One year later I started experiencing issues with my Network, including the VPN connections. My Firewall would get the WAN address of the HH3000 but for some obscure reason I was unable to reach the Internet. I called Bell hoping to get some help but I was told that if the advanced option was not working, it was not their problem. The first technician who answered the phone even told me that nobody was using this function (I bet he didn't even know this function existed!) Well, as mentioned in my previous Blog Post, Bell Aliant came up with a PDF documenting this function which led me to believe that it should have been supported!
Well guess what? I got tired of Bell's BS and I decided to look online hoping to find out how I could get rid of my HH3000. I found a few Forums with valuable information but the gold mine was the Netgate Forum. On this post from zax123 I found enough information to get me started. The issue I ran into was that I was using a Check Point Firewall and most users were running pfsense. Since I was due to renew my licence and support ($300+/year in my case), I was easy to convince and decided to give pfsense a try.
After a few weeks and many hours searching, googling, posting ... I managed to get my Bell Fibe Internet and IPTV to fully work without the HH3000! Finally, I was able to ditch the HH3000! In an attempt to help others, I decided to come up with my own updated post on how to accomplish this.
Now, like me if you live on the East Coast (I live in Nova Scotia) and you would like to ditch your Bell Aliant HH3000, this "How To" guide is for you!
First of all you have to install pfsense. This guide will not give you direction on how to install and configure pfsense. In my scenario, my pfsense box has multiple network cards to suit my needs but to follow this guide you will only need 3 i.e.: WAN, LAN and IPTV.
Let's get started, for this tutorial I was using pfsense v2.4.4-release-p3. Please also note that I will not discuss the Bell Phone service.
First you need to remove the Fiber Optic cable from your HH3000 Modem. It comes out with the GBIC which can then be used in many ways (Directly in a switch, EdgeRouter X, Converter etc). In my case I chose to buy a TP-Link MC220L Media Converter like this one which was reasonably priced and easy to use.
*** BE CAREFUL as routes and gateway may vary depending on your region. I recently moved and my IPTV was not working. After conducting a packet capture I found out that I needed to adjust my configuration (Gateway, Routes, IGMP) to reflect the new IP addresses.
First of all, on your WAN interface, under MAC Address, you have to spoof the MAC address of your HH3000 for the IPTV to obtain an IP address from the Network.
Under System / General Setup, set the DNS Servers to Bell Aliant and check the option DNS Server Override as shown below
Under Interfaces / VLANs, create 2 VLANS. The first one will be VLAN35 for your Fibe Internet and the second one will be VLAN34 for IPTV. Assign both VLANS to your WAN Interface.
Under Interfaces / Interface Assignments, we will create and enable all our Interfaces:
- Add the VLAN35 Interface, I named it "Internet". This Interface is DHCP;
- Add the VLAN 34 Interface, I named it "IPTV". This Interface is also DHCP;
- Add and configure an Interface for your LAN (I suggest NOT using 192.168.2.0/24 since this is the range we are going to use for the IPTV_LAN Interface)
- Add the last Interface, I named it IPTV_LAN. This Interface is configured with a Static IP which I used 192.168.2.1/24. This is the Interface where I connected my VAP device (Bell Fibe Access Point).
Now, if you connect your TP-Link Converter, insert your Fiber Optic on one end and your CAT5 (or CAT6) cable on the other end and link this cable to your WAN card you should have Internet. That's pretty much all you have to do if you only have Internet Service with Bell Fibe. If you also have IPTV, you should have received an IP address for your TV Service but your pfsense is not configured to route IPTV yet. Let's continue...
Enable and configure the DHCP Server for the IPTV_LAN Interface to assign IP addresses to your other Wireless Bell Boxes. Make sure that the DNS Servers are the Bell Aliant ones.
Configuring the IPTV Gateway is a little bit more tricky. You will have to use a packet sniffer to find out what is your Gateway since it is assigned statically and not through the DHCP. I used the pfsense Packet Capture function under Diagnostic and chose the IPTV Interface. My configuration looked like this one...
To capture my Gateway, I opened another pfsense instance and selected Status / Interfaces. In the other window I started monitoring the IPTV Interface. I returned to my Status / Interfaces window and released and renewed my IP for the IPTV Interface. I waited a minute then stopped the capture. You should see communication where an IP (in my case 10.195.128.3) using port 67 is talking to your IPTV local IP (ex: 10.195.XXX.XXX) on port 68. The first address is your Gateway.
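The same lookup can be done offline on the capture file downloaded from the Packet Capture page. The Python script below is an added example, not part of the original post: it finds DHCP server replies (UDP port 67 to 68), reports the router option if the server offers one, and otherwise falls back to the reply's source address, which is the value this guide uses as the Gateway. The capture it runs on is constructed inline, and 10.195.140.20 is a made-up client address.

```python
import ipaddress
import struct

def iter_pcap(data):
    """Yield raw Ethernet frames from a classic (non-pcapng) capture file."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if len(data) < 24 or order is None or data[20:24] != struct.pack(order + "I", 1):
        raise ValueError("expected a classic pcap file with Ethernet frames")
    off = 24
    while off + 16 <= len(data):
        incl = struct.unpack(order + "I", data[off + 8:off + 12])[0]
        yield data[off + 16:off + 16 + incl]
        off += 16 + incl

def dhcp_reply(frame):
    """Summarise a DHCP server reply (UDP 67 -> 68), or return None."""
    if len(frame) < 14:
        return None
    ethertype, off = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == 0x8100 and len(frame) >= 18:   # 802.1Q tag still present
        ethertype, off = struct.unpack("!H", frame[16:18])[0], 18
    ip = frame[off:]
    if ethertype != 0x0800 or len(ip) < 20 or ip[0] >> 4 != 4 or ip[9] != 17:
        return None                                # not IPv4/UDP
    udp = ip[(ip[0] & 0x0F) * 4:]
    if len(udp) < 8 or struct.unpack("!HH", udp[:4]) != (67, 68):
        return None                                # not server -> client
    bootp = udp[8:]
    if len(bootp) < 240 or bootp[236:240] != b"\x63\x82\x53\x63":
        return None                                # DHCP magic cookie missing
    opts, i = {}, 240
    while i + 1 < len(bootp) and bootp[i] != 255:  # 255 = end option
        if bootp[i] == 0:                          # pad option, no length byte
            i += 1
            continue
        opts[bootp[i]] = bootp[i + 2:i + 2 + bootp[i + 1]]
        i += 2 + bootp[i + 1]
    addr = lambda b: str(ipaddress.IPv4Address(b))
    router = opts.get(3, b"")                      # option 3 = router(s)
    routers = [addr(router[j:j + 4]) for j in range(0, len(router) - 3, 4)]
    src = addr(ip[12:16])
    return {
        "src": src,
        "server_id": addr(opts[54]) if len(opts.get(54, b"")) == 4 else None,
        "yiaddr": addr(bootp[16:20]),              # address handed to the client
        "routers": routers,
        # The guide's method: with no router option, use the reply's source.
        "gateway_candidate": routers[0] if routers else src,
    }

def find_dhcp_replies(pcap_bytes):
    return [r for r in map(dhcp_reply, iter_pcap(pcap_bytes)) if r]

def _frame(sport, dport, src, dst, yiaddr, opts):
    """Build one constructed Ethernet/IPv4/UDP/BOOTP frame (checksums left 0)."""
    bootp = (bytes([2, 1, 6, 0]) + bytes(12) + yiaddr + bytes(216)
             + b"\x63\x82\x53\x63" + opts)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(bootp), 0) + bootp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, src, dst)
    return bytes(12) + b"\x08\x00" + ip + udp

def sample_capture():
    """Constructed capture: client DISCOVER, then an ACK with no router option."""
    srv, cli = bytes([10, 195, 128, 3]), bytes([10, 195, 140, 20])
    ack = bytes([53, 1, 5, 54, 4]) + srv + bytes([1, 4, 255, 255, 192, 0, 255])
    frames = [_frame(68, 67, bytes(4), b"\xff" * 4, bytes(4), bytes([53, 1, 1, 255])),
              _frame(67, 68, srv, cli, cli, ack)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(find_dhcp_replies(sample_capture()))
```

To run it on a real capture, pass the bytes of the downloaded file to `find_dhcp_replies()` instead of `sample_capture()`.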
Now, under System / Routing / Gateways, add your newly discovered Gateway and make sure that your Default Gateway IPv4 is set to your Internet Connection Gateway. I ran into issues where I was unable to reach the Internet and found out that this was my issue. You can also deactivate the dynamic Gateway created by default after you created the IPTV Interface.
Under System / Routing / Static Routes, add the following Routes
All the Routes have to be linked to the IPTV Gateway you just created.
Be aware that it is possible to have different routes depending on your IP address. If your IPTV IP address is in a different IP range than mentioned above, you will have to modify some entries.
Under Services / IGMP Proxy, add the same routes for the upstream. Leave the downstream blank.
Now we need to create rules under the Firewall. For this part, I will let you tweak the rules if you want to but for this tutorial I kept things easy by allowing ALL traffic IPv4 and IPv6 for the IPTV and IPTV_LAN Interfaces. I do not think that Bell is using IPv6 yet but I might be wrong. Like I said, I am keeping things easy here for the tutorial.
One important thing you have to do while creating these 2 rules is to check the box under Advanced Option / Allow IP options.
One last thing, to be on the safe side, configure Domain Overrides under Services / DNS Resolver / General Settings to redirect the following requests:
- tv.fibreop.ca / 126.96.36.199
- tv.fibreop.ca / 188.8.131.52
- iptv.microsoft.com / 184.108.40.206
- iptv.microsoft.com / 220.127.116.11
If you followed this guide and did everything right you should now have Internet and IPTV working without the use of the Bell HH3000!!!
This is the basic setup to have both services working without the HH3000, I am sure you can tweak some of the settings as you please. Like I said earlier this is the basic configuration.
It took me quite a bit of time and I did a lot of research as well to accomplish this and I cannot take the credit for this configuration. All I can say is that I promised myself to put an updated "Configuration Guide" together once I got things working and this is what I did!
I hope you enjoy, let me know what you think!
PS: If you notice mistake(s) or configuration error(s), please let me know. Remember, the ultimate goal is to help each other out!
I want to Thank the following people for sharing their knowledge, you guys helped me a lot!
Thanks for the "kudo" for the article, it took a while to put this together but if I am helping people, I'm happy.
To answer your question properly I am trying to understand what you are trying to do. If I got this right you want to use a switch to manage VLAN 34 and your IPTV? If that is correct, do you also have Internet Services with Fibe? Question is that Bell "link" the client side with the GPON serial number (like a reserved DHCP with a MAC) therefore you will need to use the GPON provided by Bell. I don't know if you also have Internet with Fibe (which I'd say most likely yes) then how do you plan to get your Internet? Not sure if you see where I'm going with this?
I tried different GPON and I was never able to get an IP address from Bell if not using their device.
So what I have done is plugged the fiber cable into a media converter and then there is an Ethernet cable on that which goes into my existing Asus router. That router has an IPTV setting so I pop in the TV and Internet VLANs and specify which port on the Asus Router is for IPTV. Currently this works. The setup I am working towards is moving the NIC from the Asus Router WAN port to a port on a Dell r720 I have. From there I have a vSwitch created and I will set it up with two port groups, one on VLAN 35, one on VLAN 34. Those will be set up in the pfSense VM. Then after that I will be following your instructions for the IPTV and internet setup.
Once that is all done, I am thinking I can most likely create VLAN 34 (tagged) on my switch and assign that VLAN to the port(s) I would plug the set top box into and then have some firewall rules just dropping VLAN34 traffic to any of my other internal VLANS.
And yes, I have Internet & TV! Thanks!
ok, so yes our setup is similar as I am using the Media Converter to convert the Fiber to RJ45 which connects to my pfsense. From there I have all my Interfaces and LAN/VLAN configured. Your setup sounds similar other than the fact that you'll run everything through VMs.
I haven't tried setting up VMs and virtual switch (other than in pfsense, which was running on a physical machine with multiple NICs) but if you follow the guide and configure all the Networks and Route properly it should work. IPTV can sometimes be tricky tho so hope it'll work.
Keep me posted.
I'm receiving the "10Gtek Gigabit Ethernet Media Converter, Multimode Dual LC Fiber, 1.25Gb/s SFP Module to 10/100/1000Base-Tx Fiber Media Converter with a SFP 1000Base-SX Module" tomorrow and will be attempting to replace the HH3000 with my Synology RT1900ac router.
All I have from bell is the fiber 1gbps internet (no phone or tv). I've been preparing the RT1900 as best I can, so far I spoofed the HH's MAC and setup all the LAN ports with VID: 35.
I'm leaving the WAN "connection type" on "Auto" assuming the router will get some DHCP info from Bell? The only other option I have in the router is ISP Settings: Hostname (option 12) / DHCP client ID (option 61) / DHCP class ID (option60) / DHCP client option
Will I need any of those settings filled in? Also, in my bell HH there is a user: b1**** Pass:*** setup for internet access. Won't I need that setup in my synology somewhere?
Any help is much appreciated!
The Internet is pretty straight forward to configure. Depending where you are located, the VLAN can change. For the Atlantic Region in Canada, Internet is usually on VLAN 35. In my case, yes I left it to DHCP (or auto in your case) and I received my IP address since I am still using Bell's GPON (the serial number is recognized).
If you have a B1 username and password, your configuration will be different. Usually B1 username and password are PPPoE type connection. I did not configure any of the options you mentioned (12, 60 or 61). My best advice would be for you to look at the current config on your HH3000 and replicate the config on your Synology.
This should point you in the right direction to start.
Hey it worked first shot!
I tested without the VLAN 35 setup and that broke it so definitely need that. I'm curious if I really need the MAC spoofed since I have the PPPoE setup (I found where to set that up in my router) but I'll leave it like so for now.
Thanks for the write-up, you inspired me to finally attempt this, very happy I don't have bell's stupid router broadcasting that ultra high power 5ghz signal in my basement anymore (you can turn off the wifi signals but not the built in TV one). I confirmed this with a RF Acoustimeter.
Good to hear Matt!
For the Mac Spoofing, you can try without and see how it acts. Here we don't use PPPoE so I had to use the MAC of my router if not I was not getting an IP address from Bell. In your case, maybe the PPPoE authentication is all you need to get that IP.
Thanks for the feedback on my post, I'm happy if this write-up helped you! That's my goal when I write those posts, sharing the knowledge and helping others (it takes time and a little bit of work but it's worth it)!
I totally agree with you, if you can make things work without the HH3000, go for it!
Good day! Working on my setup. I have it working, partially. TV plays for about 10 seconds and stops so I know that this is IGMP issue. I am a little fuzzy on where you got those other two gateways from?
10.2.0.0/16 - Where did this come from and what does it refer to?
10.237.0.0/16 - Where did this come from and what does it refer to?
10.195.0.0/16 - From packet capture
I am not sure if using the one gateway is all I need and then to put that into the igmp proxy? Also, just an FYI, for me in NB, I have never had to spoof the MAC address of the HH3000. From day one I was using a Asus router and it just worked.
These routes you are talking about are IPTV Routes. When you look at my packet capture, my Gateway was in the 10.195.0.0 Network (Gateway being 10.195.128.3). The other 2 were discussed on other posts (references are at the bottom of my post). I am not sure if these routes can change depending on your location or maybe they have been updated, hard to tell. The best way to find out is probably to run a packet sniffer again.
I know the Gateway changes depending on your location therefore you have to find yours if you want this to work properly.
Routes are going under IGMP Proxy but not your gateway. You have to manually enter your gateway under gateways as shown in this post.
Thanks for the update on the spoofing of the Mac, I was unaware that some users did not have to spoof. Good news, make things a bit easier.
I forgot to mention, yes you are correct. If your TV works for about 10 seconds, this is most likely an IGMP issue. Make sure that you have the right gateway configured (under gateway), the routes under static routes and IGMP Proxy and make sure the option ALLOW IP OPTIONS is checked, this one can cause this kind of behavior if not checked.
Just so happens, I’m trying to do the same thing! I’ve been a loyal Bell customer for almost a decade (just moved to Nova Scotia from Quebec) and now I am trying to take advantage of new wifi technologies and want to get rid of the HH3000. In my case, I bought a LinksysMX5 because I want to use a mesh system, and have tons of wifi peripherals using both 2.4hz and 5hz channels.
Questions. Is this legal? I mean can Bell Aliant complain or charge me fees for manipulating their hardware setup?
If so, and I have the right to change modem/routers without breaking any legal issues with Bell, what easy steps do I need to do? I got the new modem, the spf media converter, cables... I have isp address...simply put, without getting that pfsense software...just using the linksys app...what info do I need to update my network settings so I can get internet thru my linksys? I have bell aliant, nova scotia.
Let me know, thank you!
First of all, Welcome to Nova Scotia! This write-up was done for Atlantic Provinces using Bell Aliant therefore you are at the right place.
To answer your question if this is legal, I will say that yes it is (in my opinion). You are not doing anything illegal, you are simply using your own device to access a service you are paying for. You can't really "break" anything, worse case scenario is you won't be able to make things work with your own equipment and you can always revert back using their router.
If you were playing in the Bell Router config to a point where you "broke" something causing your service to stop then yes, they would most likely charge you fees to fix the issue. Other fees will depend on your contract with them (i.e.: unlimited Internet or not, etc). This has nothing to do with using your equipment or not. The decision is yours, I am not here to suggest people to use their own equipment but rather help them if this is what they want.
The only thing is that if you are using your own equipment and encounter issues, well, you're on your own!!! Bell will obviously not support clients using devices other than the modem they provided them. My advice is that if you have issues, plug back their modem and see if things are working, if it does not, then you can call support. Since you are using their equipment they'll have to fix your problem.
To answer your question on how to do it with your LinksysMX5, I can't answer that since I am not using this type of router. You will have to look into the Router configuration to find similar options than the one discussed in this post for pfsense.
Thanks a lot for the quick reply! I don't think either I'm doing anything bad by grabbing the fibre optic cable and plug it on a SPF converter, and then to a new router. I already tried. When I couldn't get the Linksys to work, I put it back as it was back to the HH3000, and nothing changed.
But I'll try again. I'll go over the specs you wrote in this article in more detail...and see if I can get the Linksys to work! The worst of this whole thing is that it's NOT made to be easy. I mean, transitioning between routers. It's not simply a "plug & play". I mean, we have all these new routers with better technology...and we are supposed to continue using the HH3000 just because Bell says so? My house is getting more and more smart products,...the bandwidth is getting narrower, the speed slower and the signal strength weaker. Now, I try to help improve my home internet by switching routers..and Bell doesn't seem to care. I talked to Tech Support department at Bell...and no one knows there what I'm asking, or worse, doesn't want to help! It's frustrating! I must've talked to 4-5 different people...one didn't even know what an ISP is!! No joke!
If I can't make work the switch, I'll see if I can disable the wifi on the HH3000 and use it just as a modem, then bridge the new Linksys router via LAN/WAN connection. It's not what I want, because I'd be limited by the 1gig LAN port...I think. But at least I'd be able to use a better WiFi technology. I think you mentioned an article about that DNZ thing...sounds like the "De nerd zone" ;-) Or...just change providers. Maybe Eastlink allow to have your own router?
Thanks again for your help! I might consult you again.
I hear you when you say you called Bell and nobody knew what you were talking about... been there done that my friend! Usually when I call I know the Level 1 can't assist me... I need to speak to someone higher than the first line Tech Support who answer the phone.
When you switch equipment, yes you have to configure and optimize things and make sure everything works like it should... not really plug and play like you said. Obviously your speed will be limited to your "weakest" link on your network... if you have a switch which supports 1gb per port then yes, this will be your limit.
If nothing works for you, yes you can "bridge" the HH3000 and use it with your own router. It's not the same as the HH3000 will still be present but it is what it is. If you look at my other post you can find the documentation from Bell in regards to the DMZ activation which will forward all the traffic to the device you select (in most cases the router). Nothing will be filtered or blocked by the router... everything will pass therefore you need to make sure your router/firewall is properly configured. The other option on the Bell HH3000 is to let your router have the Public IP instead of the private address usually issued by the router through DHCP... It worked for me then stopped. I called Bell and like you said nobody had a clue what I was talking about, I ended up being told that if it was not working it was not their problem! Quite the customer service here... it is an option on your router, if it does not work, it is YOUR problem (not mine)! That is another reason why I was trying to ditch the HH3000!
I am not sure about Eastlink to be honest... not sure about the Router and bundle available...
I wouldn't worry about Bell, I've had a tech here when I switched out TV receivers, and they saw my setup, watched me pull the gpon from my card to re-insert into the HH3000 so they could do their "setup". They don't care what you do after they leave, just don't expect support to be any assistance.
Here from NB. Cool stuff. I did remove my hh3k with a media convertor. Not a big deal, apart that I have to tag my vlan to port 35 and 34 for TV. The phone I don’t use it, but anyway I forwarded to my cell.
Now I want to replace the media convertor (on a 1.5/940 get 600/940), for something that I can manage and eventually get rid also of my consumer router (Asus GT-AX-11000).
Then my plan is like this :
Unifi UDMP to receive the gpon from bell on the wan2 spf+ -> Asus router -> wifi clients
Eventually that Asus router to be changed with some unifi router (udm) and access points from the same brand.
Is not about performance or issues, just why not.
Now, could be a pfsense thing, but I did not have to mirror any routing or hh3k stuff. Practically plug and play after the vlan tag).
I’m not a network expert, just an enthusiast, but the process could not be simple.
Thank you for sharing, I may give a try to pfsense on the future, but also I want to try the udm pro thing, just to take it out of my system.
@Ironman, since this post I changed my configuration a bit. I now have the Bell GPON coming straight to my Unifi 24-Ports Switch (SFP port) where I created a VLAN 35, then added a standard port in the VLAN which goes back to my Firewall Internet connection port. It works like a charm.
Let me know if you manage to test the UDMP, I would be interested to know how it goes. I know that the Firewall features of the UDMP are lacking in some areas compared to other firewalls. On my side I am a big fan of Check Point, I've been working with Check Point firewall for over 20 years where I tried different line of products. Great firewall overall. I do have many Unifi products here (Cameras, Access Point, Switches, Cloud Keys, etc). I thought about the UDMP but kept my Check Point for now as I believe the features are far more superior in my opinion (and based on the reviews I read).
Keep me posted and thanks for your comment.
Finally I cleaned my media shelf and now that I have the space for the udmp, I’ve triggered the order.
Will definitely let you know how that goes.
Still I’m not sure if I will do the unifi ap part, but I think could be an interesting learning time. I may not be able to appreciate or test the firewall piece, as at this point I use only the asuswrt firewall , but I’m sure the checkpoint is better, as it’s a niche product.
I may at least be able to compare speeds, etc.
As today with the 10gtek media convertor I get pretty close to what I pay, I’m looking to learn and understand better what the udmp can give me.
Thank you for sharing your knowledge.
I like sharing knowledge, this is the main purpose of my Website. I really appreciate when I can find information on something I’m working on (and obviously not working like it should LOL). This site is my way to give back to people, tech or simply IT enthusiasts! Thanks for the comment.
Keep me posted for sure and if you decide to go forward with AP and need a hand, let me know, like I said I have a bunch of Unifi products here and I have been using them for the last 6-7 years.