-= IDS Communications Blog =-
Bell Fibe Internet & IPTV with pfsense
If you go through my Blog, you will notice that I wrote an article in January 2018 in regards to using your own router with Bell Fibe. In the previous Blog I was giving people the option to either activate the advanced DMZ option on their Home Hub 3000 (HH3000) or simply remove the HH3000. I was suggesting devices to handle the Fiber Optic conversion and referred to Forums where you were able to find posts on how to accomplish this and configure your systems.
At the time I was using the advanced DMZ option from my HH3000, which worked fine for me. One year later I started experiencing issues with my Network, including the VPN connections. My Firewall would get the WAN address of the HH3000 but for some obscure reason I was unable to reach the Internet. I called Bell hoping to get some help but I was told that if the advanced option was not working, it was not their problem. The first technician who answered the phone even told me that nobody was using this function (I bet he didn't even know this function existed!). Well, as mentioned in my previous Blog Post, Bell Aliant came up with a PDF documenting this function, which led me to believe that it should have been supported!
Well guess what? I got tired of Bell's BS and I decided to look online hoping to find out how I could get rid of my HH3000. I found a few Forums with valuable information but the gold mine was the Netgate Forum. On this post from zax123 I found enough information to get me started. The issue I ran into was that I was using a Check Point Firewall and most users were running pfsense. Since I was due to renew my licence and support ($300+/year in my case), I was easy to convince and decided to give pfsense a try.
After a few weeks and many hours searching, googling, posting ... I managed to get my Bell Fibe Internet and IPTV to fully work without the HH3000! Finally, I was able to ditch the HH3000! In an attempt to help others, I decided to come up with my own updated post on how to accomplish this.
Now, like me if you live on the East Coast (I live in Nova Scotia) and you would like to ditch your Bell Aliant HH3000, this "How To" guide is for you!
First of all you have to install pfsense. This guide will not give you direction on how to install and configure pfsense. In my scenario, my pfsense box has multiple network cards to suit my needs but to follow this guide you will only need 3 i.e.: WAN, LAN and IPTV.
Let's get started, for this tutorial I was using pfsense v2.4.4-release-p3. Please also note that I will not discuss the Bell Phone service.
First you need to remove the Fiber Optic cable from your HH3000 Modem. It comes out with the GBIC which can then be used in many ways (Directly in a switch, EdgeRouter X, Converter etc). In my case I chose to buy a TP-Link MC220L Media Converter like this one which was reasonably priced and easy to use.
*** BE CAREFUL as routes and gateways may vary depending on your region. I recently moved and my IPTV was not working. After conducting a packet capture I found out that I needed to adjust my configuration (Gateway, Routes, IGMP Proxy) to reflect the new IP addresses.
First of all, on your WAN interface, under MAC Address - You have to spoof the MAC address of your HH3000 for the IPTV to obtain an IP address from the Network.
Under System / General Setup, set the DNS Servers to Bell Aliant and check the option DNS Server Override as shown below
Under Interfaces / VLANs, create 2 VLANs. The first one will be VLAN35 for your Fibe Internet and the second one will be VLAN34 for IPTV. Assign both VLANs to your WAN Interface.
Under Interfaces / Interface Assignments, we will create and enable all our Interfaces:
- Add the VLAN35 Interface, I named it "Internet". This Interface is DHCP;
- Add the VLAN34 Interface, I named it "IPTV". This Interface is also DHCP;
- Add and configure an Interface for your LAN (I suggest NOT using 192.168.2.0/24 since this is the range we are going to use for the IPTV_LAN Interface);
- Add the last Interface, I named it IPTV_LAN. This Interface is configured with a Static IP; I used 192.168.2.1/24. This is the Interface where I connected my VAP device (Bell Fibe Access Point).
Now, if you connect your TP-Link Converter, insert your Fiber Optic on one end and your CAT5 (or CAT6) cable on the other end and link this cable to your WAN card you should have Internet. That's pretty much all you have to do if you only have Internet Service with Bell Fibe. If you also have IPTV, you should have received an IP address for your TV Service but your pfsense is not configured to route IPTV yet. Let's continue...
Enable and configure the DHCP Server for the IPTV_LAN Interface to assign IP addresses to your other Wireless Bell Boxes. Make sure that the DNS Servers are the Bell Aliant ones.
Configuring the IPTV Gateway is a little bit more tricky. You will have to use a packet sniffer to find out what your Gateway is, since it is assigned statically and not through DHCP. I used the pfsense Packet Capture function under Diagnostics and chose the IPTV Interface. My configuration looked like this one...
To capture my Gateway, I opened another pfsense instance and selected Status / Interfaces. In the other window I started monitoring the IPTV Interface. I returned to my Status / Interfaces window and released / renewed my IP for the IPTV Interface. I waited a minute then stopped the capture. You should see communication where an IP, in my case 10.195.128.3 on port 67, is talking to your IPTV local IP (ex: 10.195.XXX.XXX) on port 68. The first address is your Gateway.
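The capture step above boils down to reading the DHCP reply on the IPTV interface and taking the server that answered as the gateway, because Bell's IPTV DHCP hands out no router option. The following is an added example (not from the original post) that decodes a BOOTP/DHCP reply with the standard library and applies that rule: it uses option 3 (router) when the server sends one, and otherwise falls back to option 54 (server identifier) or the siaddr field. The packet bytes are constructed by the `build_offer` helper for the example; 10.195.128.3 is the gateway quoted in the post, while 10.195.200.20 and the MAC in chaddr are made-up sample values.

```python
"""Decode a captured DHCP reply and derive the IPTV gateway from it.

Added example, not part of the original post. Layout follows the
BOOTP/DHCP message format (RFC 2131 header, RFC 2132 options).
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options
OPT_SUBNET, OPT_ROUTER, OPT_MSGTYPE, OPT_SERVER_ID, OPT_END, OPT_PAD = 1, 3, 53, 54, 255, 0
MSG_OFFER, MSG_ACK = 2, 5


def parse_dhcp(payload: bytes) -> dict:
    """Return the header fields and options of one DHCP message (UDP payload only)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops = struct.unpack("!BBBB", payload[:4])
    xid = struct.unpack("!I", payload[4:8])[0]
    yiaddr = str(ipaddress.IPv4Address(payload[16:20]))   # address offered to us
    siaddr = str(ipaddress.IPv4Address(payload[20:24]))   # next-server field
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2 : i + 2 + length]
        if len(value) != length:              # reject a cut-off option instead of misreading it
            raise ValueError("truncated option %d" % code)
        options[code] = value
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "siaddr": siaddr, "options": options}


def find_gateway(payload: bytes) -> str:
    """Gateway to configure for the IPTV interface, derived as the post does."""
    msg = parse_dhcp(payload)
    msg_type = msg["options"].get(OPT_MSGTYPE, b"\x00")[0]
    if msg["op"] != 2 or msg_type not in (MSG_OFFER, MSG_ACK):
        raise ValueError("not a server reply (OFFER/ACK)")
    router = msg["options"].get(OPT_ROUTER)
    if router and len(router) >= 4:           # a router option, if the server ever sends one
        return str(ipaddress.IPv4Address(router[:4]))
    # No router option: the responding DHCP server (port 67 side) is the gateway.
    server_id = msg["options"].get(OPT_SERVER_ID)
    if server_id and len(server_id) == 4:
        return str(ipaddress.IPv4Address(server_id))
    return msg["siaddr"]


def build_offer(yiaddr: str, server_id: str, router: str = None, xid: int = 0x3903F326) -> bytes:
    """Construct a minimal DHCPOFFER for the example (sample data, not a real capture)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, xid, 0, 0)      # op=BOOTREPLY, htype, hlen, hops, xid, secs, flags
    hdr += b"\x00" * 4                                         # ciaddr
    hdr += ipaddress.IPv4Address(yiaddr).packed                # yiaddr
    hdr += ipaddress.IPv4Address(server_id).packed             # siaddr
    hdr += b"\x00" * 4                                         # giaddr
    hdr += b"\x00\x11\x22\x33\x44\x55" + b"\x00" * 10          # chaddr (16 bytes, made-up MAC)
    hdr += b"\x00" * 64 + b"\x00" * 128                        # sname, file
    opts = MAGIC_COOKIE + bytes([OPT_MSGTYPE, 1, MSG_OFFER])
    opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    opts += bytes([OPT_SUBNET, 4]) + ipaddress.IPv4Address("255.255.128.0").packed
    if router:
        opts += bytes([OPT_ROUTER, 4]) + ipaddress.IPv4Address(router).packed
    opts += bytes([OPT_END])
    return hdr + opts


if __name__ == "__main__":
    offer = build_offer("10.195.200.20", "10.195.128.3")   # what the IPTV interface sees, per the post
    print("assigned:", parse_dhcp(offer)["yiaddr"], "gateway:", find_gateway(offer))
```

To use it on a real capture, export the pfsense capture as a pcap, extract the UDP payload of the port 67 to port 68 packet, and feed those bytes to `find_gateway`; the result is the address to enter under System / Routing / Gateways.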
Now, under System / Routing / Gateways, add your newly discovered Gateway and make sure that your Default Gateway IPv4 is set to your Internet Connection Gateway. I ran into issues where I was unable to reach the Internet and found out that this was my issue. You can also deactivate the dynamic Gateway created by default after you created the IPTV Interface.
Under System / Routing / Static Routes, add the following Routes
All the Routes have to be linked to the IPTV Gateway you just created.
Be aware that it is possible to have different routes depending on your IP address. If your IPTV IP address is in a different IP range than mentioned above, you will have to modify some entries.
Under Services / IGMP Proxy, add the same routes for the upstream. Leave the downstream blank.
Now we need to create rules under the Firewall. For this part, I will let you tweak the rules if you want to but for this tutorial I kept things easy by allowing ALL traffic IPv4 and IPv6 for the IPTV and IPTV_LAN Interfaces. I do not think that Bell is using IPv6 yet but I might be wrong. Like I said, I am keeping things easy here for the tutorial.
One important thing you have to do while creating these 2 rules is to check the box under Advanced Option / Allow IP options.
One last thing, to be on the safe side, configure Domain Overrides under Services / DNS Resolver / General Settings to redirect the following requests:
- tv.fibreop.ca / 188.8.131.52
- tv.fibreop.ca / 184.108.40.206
- iptv.microsoft.com / 220.127.116.11
- iptv.microsoft.com / 18.104.22.168
If you followed this guide and did everything right you should now have Internet and IPTV working without the use of the Bell HH3000!!!
This is the basic setup to have both services working without the HH3000, I am sure you can tweak some of the settings as you please. Like I said earlier this is the basic configuration.
It took me quite a bit of time and I did a lot of research as well to accomplish this and I cannot take the credit for this configuration. All I can say is that I promised myself to put an updated "Configuration Guide" together once I got things working and this is what I did!
I hope you enjoy, let me know what you think!
PS: If you notice mistake(s) or configuration error(s), please let me know. Remember, the ultimate goal is to help each other out!
I want to thank the following people for sharing their knowledge, you guys helped me a lot!
And the udmp is here. Took a while as purolator was very busy with the Valentine’s Day.
Still playing around but what I see is not a very impressive. Always having an all in one will be less than having specific devices.
Took the GPON and put it on the spf+, very plug and play after fired up.
However the first problem, only one vlan can be tagged from the wan2.
The only workaround will be to put a switch in between and then tag the ports. Bye bye Fibe TV (not a big deal, we don’t watch tv). The for the purpose of having the bell internet coming in, we are all good.
Speed was not affected, still is not synchronizing at 2.5 (shows only 1000). Then I’m getting 750/700 wired.
Has a lot of features. Networks, protection, firewall, but all very simple. Still I don’t adventure the ssh side, but my first feeling is that will work, but not sure how deep could be done the setup.
My two Asus AP are working, however if I want to adventure on IoT isolation and more vlan, etc. Looks like the only way will be to “upgrade” to the access point (thinking on a couple UAP-AC-Pro). However here are not that many options locally (Munro in SJ seems to have unifi devices).
For now I will just setup one of the asus AP to a specific wired port and vlan from there, just to at least have the playing time and all the possible setups investigated.
How about the access points? I have a large sub-urban house to cover (2 floors + basement), 3 very demanding end users and around 70 devices (mainly IoT). Will 2-3 UAP-AC-PRO be enough?
That's what I got from people's feedback. The device is great in general but lacks features and flexibility on the Firewall side. I agree with you, having an all-in-one device could be nice but with some drawbacks. I can see that you are already running into some configuration issues...
In regards to access points, I bought the NanoHD here and my coverage is sufficient (I have a bungalow with a walkout basement so fairly good size). I can't go too far in the driveway before I lose signal. I had an older AP-AC Lite which I added to my setup in the garage to cover some dead spots. So far so good.
Some people are being cautious now with Ubiquiti since they dropped the Unifi Video and "forced" people to sign in through their cloud to access their CloudKey Gen 2 (and UDMP)... some people are not happy, I personally would love to be able to keep everything local (no cloud sync or login).
You have a lot of devices for sure. Here I have 25 on WIFI and 24 Wired. No issues on my side. IoT devices don't usually take a lot of bandwidth unless you're including Streaming stick in IoT devices... As per Ubiquiti, "The UniFi nanoHD is a compact 4x4 MU-MIMO 802.11ac Wave 2 dual-band access point with an aggregate radio rate of over 2 Gbps and supports over 200 concurrent users."
Hope this helps. Keep me posted.
I saw the nano, interesting info, I will take a look maybe this week.
I just finished setting up my new office on the basement, as my wife is working from home, she got my office on the second floor as I really wanted to move closer to the fiber :-).
I get very decent speeds out of the udmp (~800 down / 950 up) very similar to the media converter, but with all the extras. I don’t see big changes with idp and threat management enabled (750/800).
For the cloud stuff, I can see how some people could be unhappy. But the udmp only ask you for the cloud to start, after the setup is completed you can ditch the cloud user and manage all with a local one.
Before unifi I’ve contemplated the enGenius solution, but seems that there are some of the switches and ap that get locked to the user and can’t be associated with a new one.
Still I see the udmp as a very nice acquisition, next will be the AP (maybe 2-3). When I tried to use the two asus as AP, even on different channels they kept crashing into each other. Thank you again.
I'm super happy to see someone has got a UDM-P and connected their Bell Fibe directly to it. I'm working on that also, but seem to be having issues.
On WAN2, I'm setting the DNS servers and tagging the interface with VLAN ID 35. I only have Fibe Internet, no TV or phone.
Per this article, I'm cloning the MAC address of the HH3000 onto eth9.35 via SSH with this command: ip link set dev eth9.35 address xx:xx:xx:xx:xx:xx (There doesn't appear to be a way to clone MAC addresses from within the Unifi Network web console for the UDM/P)
After connecting the SFP module and cable, that interface is not coming up and getting an IP address, am I missing anything? I think you rebooted your UDMP, will the MAC address clone command persist after reboot? Do I still need a switch in front of my UDMP for VLAN tagging?
Hey, I’m in New Brunswick, then could be different depending where you are.
In my case I just plug it in the port 10 and setup the vlan 35 for the SFP+, and got the IP address. No setup, no MAC cloning, nothing.
However, I’ve read on people with the huawei ONT having issues. I have the Alcatel one, and was literally plug and play.
What I will try, connect the udmp to your existing modem and update the udmp, check if they support the model of gpon you have.
For fun I’ve tried just connecting the wan to the media converter I used before and all was the same, just vlan 35.
I know in other places in Canada you have to put the PPPoE credentials, but on the phone I don’t see a way to do it, then you may need to plug your udmp to the hh3k and then do that after setup.
Let me know how that goes.
Welcome to the blog! Someone mentioned to me that it wasn’t necessary to clone the MAC anymore, I haven’t tested this but that explains why it worked for @ironman.
Do I still need to provide Fibe in username and password to make this work? In your old post (https://www.idscomm.ca/blog/bell-fibe-with-your-own-router), you put in the username and password.
The reason I would like to ditch HH3K is because I have 1.5gbps speed (I get 1.2gbps when I speed test within HH3K) but I am only getting 900mbps.
Any suggestion on the hardware to get 1.5gbps speed or at least around 1.2gbps?
You only need a username and password if your connection uses PPPoE. In regards to the equipment to get the full speed, you’ll need something that supports 10Gb but keep in mind that if your local network uses 1Gb switch or 1Gb Network Cards, you will encounter a bottleneck...
The hh3k, I believe, can synchronize at 2.5gbps, but the Ethernet can’t give more than 1g. Then having the hh3k you can’t get more than 1g. The bottleneck is the hh3k Ethernet, and because bell use qos, you never will get more than what you have in the contract.
To improve that you will need some time equipment, then you have to define if that will be worth the 200-500mbps extra.
Unifi (Ubiquiti), mikrotik, Meraki, others come to my head.
Currently I’m waiting for some unifi equipment, but I will have the same restriction as the synchronization on the one that I bought is only 1 or 10 at the spf+ and not 2.5.
What I’m trying to say, is that there are a lot of hardware that you can get, but will require some work and tuning to get the extra speed. If you are also looking for extra functionality, and obviously you have money to burn, you can design a nice unifi or mikrotik network and test what is the best for your own scenario.
To me the ideal world will be at least a switch that sync to 2.5g to the Bell gpon, and that will be anything between $500-$1000, and then you can put a router, firewall, etc. Then you may be looking for an over $1500 project...
Ironman & idscomm,
Seems I can't reply to your replies directly.
I'm in rural NS and just got Fibe last year with their big roll out. I've called their support a couple times and at least one tech said I needed to clone MAC address but that I should talk to Ubiquiti about the details, can't always trust those guys so it might be that I don't need to clone the MAC.
I've got the following SFP module: Nokia GPON ONT SFP G-010S-A
If it's not compatible with my UDMP, can I get a different one that is and have it still work with Bells service?
Are you using the GPON that came with the Bell Modem? Like I mentioned in this blog, Bell DHCP used the GPON serial number to give addresses to their clients. I was unable to obtain an IP address using a different GPON, I tried but it didn’t work (even when cloning the MAC). Unless it changed, you have to use their GPON.
Yup, that was the module in my Bell modem. I looked on Ubiquiti's compatibility chart and can't find it: https://help.ui.com/hc/en-us/articles/212561258-UniFi-USW-Which-SFP-Modules-Can-be-Used
However, it seems like someone else got that GPON working with their UDM-P: https://www.reddit.com/r/Ubiquiti/comments/gh338z/dream_machine_pro_slow_wan_sfp_speeds/
Hope i'm not stuck...
If you are in rural NS, you should only need the vlan tag 35.
If you are using the bell’s gpon, then should be all good. No need to clone the MAC address as the validation goes against the gpon, not your modem.
Some people needed to release the public IP address from their hh3k before.
I will suggest to test your network with the hh3k (assuming that you got one) and then when you have all working connect the gpon on the udmp.
Also, the udmp could take up to 10 min getting the connection.
Ensure that you are plugging the gpon correctly on the udmp (a light should be coming on in port 10)
I’ve added some pics here
Per your suggestions, I got it running! You were indeed correct, I didn't need to clone the MAC, just needed to set VLAN to 35 and rebooted my UDM-P. After it started, the connection lights started blinking for the SFP port and I got one of Bell's IP addresses on WAN2.
I did use your recommendation and released the IP from my HH3000 before powering it off and yanking the cable/GPON out. That might have also made a difference.
On WAN2, I also specified Bell's DNS servers, wasn't sure if those are required either?
I don’t have the dns there, and they came automatically.
Now waiting for the udmp to synchronize to 2.5 and eventually put the APs
Got my hands full lately and no progress at all on anything else than work. I should have time on the next week or two to see if I can get an ap to test . Still not very impressed with the udmp, I think will make a lot more sense with more equipment around.
Speed wise the udmp doesn’t compare to the hh3k, what at the end makes sense as bell customized to their needs.
Asked about Rogers business on my area and that also doesn’t work...1g / 80mbps
Will keep playing around and see if I can make it work. For now I’m with the Asus and the guest network for IoT.
I'm not getting matched speeds either, but I don't really blame that on the UDMP. I did some parallel downloading from an Amazon S3 bucket to a Linux server I'm running, about 10 files around 10GB each and it only took a couple minutes for all 10.
With Bell, you'll only get the full speed of the fiber connecting to their head-end office, mine appears to be Sydney NS. Even doing a speed test to Halifax, which is closer to me, I only see about 70% of my total bandwidth speed, but it's making a couple hops there. The UDMP's speed test server barely breaks 200 Mbps, but it appears to be a server in Quebec?
I have noticed way better latency consistency in online gaming, playing Rocket League, I'm right around 50-60 ping. Before, on Eastlink, my ping would be anywhere between 60 and 150 ping, giving me lots of in-game lag.
Hi, This article has helped me so much. Thanks a lot for posting this.
In your set up you are using a TP-Link Converter Fiber to RJ45. I reckon this is Bell’s fiber that comes directly from the street.
I would like to achieve the same but I’m on a Bell Business Plan and there is Bell-installed Huawei GPON Router I am not sure I can replace. This is what I would like to ask about.
By default in a Bell Business Plan they install a GPON Router with an external battery and a Home Hub 2000. In my case I got the Huawei router that connects directly to Fiber coming from the street. I’ve already replaced the HH2K first with a Linksys WRT3200ACM and now with a Turris Omnia. The final step is connecting without the Huawei Device.
Would you happen to know if this device can be removed from the equation if I find my own Fiber SFP+ connector?