Vlan setup

Hi, I have a Flint GL-AX1800 connected to a Nokia G-010G-p (ont). I set up a pppoe connection with my isp, vlan id 6 (couldn't find a way to set the priority to 1). My situation is as follows: my isp, Movistar in Spain, has 3 vlans:

internet vlan id 6 priority 1
iptv vlan id 2 priority 4
ip phone vlan id 3 priority 4

Can I create a vlan for the iptv on port 4, for example?

Probably the AX1800 can be responsible only for Internet service

IPTV and IP Phone services should be handled on the ONT?

Depending on what protocol your isp uses, it could be possible, and likely you don't need vlans for this on the port itself.

However, this cannot be done in the gl ui, only via luci.

A short brief of what we are going to do:

First we remove one port from the lan bridge, so we can later use this port to host a secondary network for the iptv devices.

Then we create an iptv dhcp client on vlan 2, which supplies us all the routing from the isp.

Then we install a proxy called igmpproxy to forward the igmp/multicast stream for iptv only to this newly created interface on the port.

The Steps:

So first log in to luci by navigating to system -> advanced settings.

username: root
password: same as gl ui

  1. Then navigate to network -> interfaces and click there on the tab devices.

  2. Edit br-lan; on its front page you see devices, these are the physical ports on the bridge. Please uncheck one, and make sure it is not the one your pc is connected to! For ease I assume it is eth3 / lan3. Click save, then click save & apply.

  3. Click on the tab interfaces again, scroll down and click on the button add interface.

  4. Set protocol to static and fill in the following settings:

name: tvnet
device: eth3 / or lan3
ip: 192.168.x.1 (for x you can use anything as long as it's not above 254 and isn't used by other subnets).
subnet: 255.255.255.0 (makes 192.168.x.1-192.168.x.254)
gateway: leave empty

Click on the tab advanced settings, and uncheck ipv6 delegation and default gateway.

Click on firewall zone and create a new one or keep it on lan. If you prefer isolation towards lan, you may want to call it iptv.

Click on dhcp server and create one; you don't have to edit anything more in here.

Great! You have now created your own isolated network on port lan3/eth3. You only need to adjust the firewall zone of iptv: navigate to luci -> network -> firewall, scroll down to zones, and on the zone iptv click edit; set input to accept, and set forwarding to zone wan. When done it will look similar to the lan zone. Now you can test with a cable whether you get a dhcp ip.

Let's create the iptv client now.

  1. Navigate to luci network -> interfaces click add interface.

  2. Use the following settings:

name:iptv
Protocol: dhcp
device: eth0.2 (eth0 is your wan port, 2 is tagged on wan).

Click on advanced, and uncheck ipv6 delegation and default gateway. Click on firewall zone and select wan, and don't set up any dhcp.

You will now see that the iptv interface gets an ip from the isp. If not, then the isp might have supplied you with older information. In my experience with isps, it often takes a long time for them to publish newer, actual settings: with kpn but also odido/t-mobile, all these tv boxes use http/https streaming and no longer igmp/multicast, yet I sometimes still find this dated information. It never hurts to contact them about this.

Let's install igmpproxy:

  1. First navigate to luci -> system -> software and click update to refresh the list; this fetches all the download locations in a list. Now type igmpproxy and install it.

^ Warning: this shares the same system as the gl ui plugins feature, but this system is not meant for the ease of upgrading all packages. Doing so can softbrick the router because it can cause mismatches with the kernel build, so only use it when you know how to use it. igmpproxy is fine, as are most user packages; the other upgrades are supplied in the image upgrades :+1:

  2. Here it becomes a little more difficult, because now you need access to the raw configuration of igmpproxy, since it doesn't use a ui.

You can use a CLI and ssh via putty:
ip: from router
User: root
Pass: pass from ui

Use cd /etc/config to locate all config files and then use vi igmpproxy. Use the INSERT key to allow writing and ESC to stop writing, and use vim's options such as :wq, which means write and quit, :q for quit, and :q! to quit without saving.

As an alternative to the cli, you can also download winscp:

Like ftp clients such as filezilla, you add a server; make sure the protocol is set to scp, user: root, pass: from gl ui. Then on the right, use the folder to navigate back to the root of the system and go to /etc/config/igmpproxy

You want a config like this:

config igmpproxy
        option quickleave 1
#       option verbose [0-3](none, minimal[default], more, maximum)

config phyint
        option network iptv
        option zone wan
        option direction upstream
        list altnet 0.0.0.0/0

config phyint
        option network tvnet
        option zone tvnet
#       or: option zone lan
        option direction downstream

You might also need a multicast rule, accepted either from zone iptv or zone wan (depends on which firewall zone is set for interface iptv).

Navigate to luci -> firewall -> traffic rules and add one.

src: tvnet
dest: wan/iptv
Dest ip: 224.0.0.251
action/target: accept.

^ It's been a while since I used this type of setup; it might be reversed, but I think this is fine :+1:

Restart the router to have igmpproxy work.

Feel free to ask me for any questions :grinning:
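
The LuCI steps in the post above (the tvnet interface with its DHCP server and firewall zone, and the iptv DHCP client on the tagged wan device) can also be written as a `uci batch` script. This is an added example, not the poster's or GL.iNet's own code; the zone name `tvnet`, the DHCP pool, and the sample arguments (eth3, eth0, x=50, lan on 192.168.8.x) are assumptions.

```shell
#!/bin/sh
# Added example: prints a `uci batch` script for the tvnet + iptv steps.
# Assumed (not from the thread): zone name "tvnet", DHCP pool .100-.249,
# sample arguments in the call on the last line.
# Still done in LuCI: removing PORT from br-lan and adding "iptv" to the
# existing wan zone, because those section indexes differ per firmware.

# gen_iptv_uci PORT WAN_DEV VLAN X LAN_X
#   X = third octet for tvnet (192.168.X.1/24), LAN_X = octet lan already uses
gen_iptv_uci() {
    port=$1 wan=$2 vlan=$3 x=$4 lan_x=$5
    for n in "$vlan" "$x" "$lan_x"; do
        case $n in ''|*[!0-9]*) echo "not a number: '$n'" >&2; return 1 ;; esac
    done
    [ "$vlan" -ge 1 ] && [ "$vlan" -le 4094 ] ||
        { echo "vlan id must be 1-4094" >&2; return 1; }
    [ "$x" -le 254 ] && [ "$x" -ne "$lan_x" ] ||
        { echo "x must be <= 254 and differ from the lan subnet" >&2; return 1; }
    cat <<EOF
set network.tvnet=interface
set network.tvnet.proto=static
set network.tvnet.device=$port
set network.tvnet.ipaddr=192.168.$x.1
set network.tvnet.netmask=255.255.255.0
set network.tvnet.delegate=0
set network.iptv=interface
set network.iptv.proto=dhcp
set network.iptv.device=$wan.$vlan
set network.iptv.defaultroute=0
set network.iptv.delegate=0
set dhcp.tvnet=dhcp
set dhcp.tvnet.interface=tvnet
set dhcp.tvnet.start=100
set dhcp.tvnet.limit=150
set firewall.tvnet=zone
set firewall.tvnet.name=tvnet
add_list firewall.tvnet.network=tvnet
set firewall.tvnet.input=ACCEPT
set firewall.tvnet.output=ACCEPT
set firewall.tvnet.forward=REJECT
set firewall.tvnet_wan=forwarding
set firewall.tvnet_wan.src=tvnet
set firewall.tvnet_wan.dest=wan
commit
EOF
}

gen_iptv_uci eth3 eth0 2 50 8
```

Review the printed commands, then pipe them into `uci batch` on the router over ssh. No tvnet to lan forwarding is created, which is what keeps the port isolated from lan; input ACCEPT follows the post and leaves the router's own services reachable from tvnet.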

Hi, Thanks I will try.

One more question if I may. How difficult is it to have one port on its own subnet and wireguard vpn?

This is not easy from out gl software :slight_smile:

You have to modify the function for the vpn policies where the logic gets routed to and also add your own interface for that port.

The script is here:

/usr/bin/route_policy

Or... if you don't use guests network, edit this network in luci and change device from br-lan to eth1-eth4 and then use it with vlan policy, make sure that you have this eth device removed from br-lan.

Unfortunately i cannot share modifications to the script, this is part by gl-inet and copyrighted.