
281 - 299 of 299 Posts

·
Registered
Joined
·
6 Posts
You need to be able to do IGMP proxying to resolve the 5 second cutout, as the first 5 seconds is unicast, after that it switches over to a multicast stream, and if you do not route VLAN 35 to the TV side, NOTHING like VOD, guide, search etc. will work properly.
Thanks AtlanticRebel, do you mean I need to configure "IGMP snooping" on the switch?
 

·
Registered
Joined
·
448 Posts
No, IGMP Snooping is just a mechanism for optimizing multicast traffic. You actually need to proxy the multicast traffic from VLAN 35 to your STBs, where they lie in separate broadcast domains.
 

·
Registered
Joined
·
6 Posts
Do I have to use an unmanaged switch between the ONT / Actiontec / pfsense? Or can I use a managed switch utilizing VLANs to segment things off, or will this cause issues with the data coming from the Bell side?

 

·
Registered
Joined
·
6 Posts
Did you get this working? I have an SG200-18 I would like to utilize if I can find out what the right configuration needs to be.
 

·
Registered
Joined
·
41 Posts
You can use VLANs but it's quite a bit of work to keep all the functionality if you want your IP TV to continue to work. If you don't want TV then you can just connect pfSense (VLAN 35) directly to the ONT (I have a Cisco ASA connected directly to the ONT at my office and it works great but no TV needed). If you want TV, an easier approach for someone that isn't a long time network veteran like me is to not put anything between the ONT and the Actiontec R3000 (other than a network cable) and to provide pfSense with Internet via the Advanced DMZ feature of the Actiontec R3000. You will need to determine the MAC address of the pfSense WAN interface and program it into the ActionTec R3000 in accordance with the instructions for using the Advanced DMZ feature. I use that technique for my Cisco ASA at home and it works OK.

I've read a lot of reports that the ActionTec R3000 Advanced DMZ feature doesn't work so well and I can confirm that at the office I had no end of problems with it in an effort to keep the setup in a supported fashion but ultimately for the Cisco ASA's ISP fail-over setup there was no choice but to eliminate the R3000 bugs (wasted half a day and eventually determined it was very much brain damaged) so I connected the firewall (Cisco ASA-5545X) directly and put the R3000 aside. At home, I'm not using fail-over to an alternate circuit so it seems to work pretty well for me with the firewall (Cisco ASA-5520 at home) connected via Advanced DMZ.
 

·
Registered
Joined
·
19 Posts
So I was poking around at an R3000, notes are below. My main goal is to gain access to a Linux shell and figure out how VLAN 34 TV service is routed to allow multicast (10.xx net) as well as Internet access to the STB. Finding out how the R3000 works internally would simplify configuration of 3rd party routers (like pfSense) without having to use the Advanced DMZ feature (works for "most").



  • VLAN 33 on WAN is tagged with priority 2 and is bridged to the internal LAN. I was able to get a 192.168.2.0/24 address from the router and access the web interface, I added a VLAN 33 virtual interface on OS X and connected to the WAN port. HP switch had VLAN 33 tagged on the computer and router WAN port.
  • I may put a managed gigabit switch between my existing EdgeRouter and ONT to explore VLAN 33 more.
  • The R3000 attempts to get a DHCP address on VLAN 34 (priority 4). I used a HPE switch tagged 34 on computer and WAN port. I can see DHCP Request from the Actiontec. I do not have TV service so I can't explore this further right now.
  • R3000 has a serial header inside. Schematics are available online (https://fccid.io/LNQR3000/Schematics/Schema-2541435.iframe, page 5 "CONSOLE PORT"). Pinout: 1=GND, 2=Tx, 3=Rx, 5=VCC; 3.3 V logic level, 115200 8n1.
  • R3000 Broadcom CFE is password protected with login/password. Broadcom CFE password generator available online doesn't work.
  • Serial console will echo characters but nothing other than ^\ does anything, ^\ crashes consoled and immediately respawns.
  • JTAG port has the requisite resistors on the board, I do not currently have a JTAG device to explore this. I would like to get a clean copy of the firmware and config partitions to see exactly how the TV VLAN routing is done.
  • R3000 runs a relatively modern Linux kernel, 128MB flash, 256MB DDR3 RAM. It's not a bad device if you can unlock more config options or run OpenWRT on it.
  • TR-069 server is acsbsa.bellaliant.net, which it will attempt to check in with after booting and successfully connecting to the internet via DHCP on VLAN 35. I believe firmware updates come from the ACS server.
  • R3000 doesn't do anything special for VLAN 35 DHCP, any DHCP server on that VLAN will work. I used Internet connection sharing on OS X with a switch tagging the packets as VLAN 35 before hitting the R3000 WAN.
  • One specific model ONT has a serial header inside, it boots a relatively old Linux kernel (2.6.x) and drops you to busybox after boot.
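The VLAN and priority observations in the post above can be checked against a capture from the WAN side by decoding the 802.1Q tag of each frame. This is an added example, not part of the original post; the role table only restates what the post reports, and the sample frames (MAC addresses, zero payload) are constructed.

```python
import struct

# VLAN roles as reported in the post above; the priority of VLAN 35 is not
# stated there, so it is left as None (not checked).
REPORTED = {
    33: ("bridged to R3000 LAN", 2),
    34: ("TV service (DHCP client)", 4),
    35: ("Internet (DHCP)", None),
}
TPID_8021Q = 0x8100


def parse_vlan(frame: bytes):
    """Return (vid, pcp, inner_ethertype) for an 802.1Q frame, None if untagged."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return tci & 0x0FFF, tci >> 13, inner  # low 12 bits = VID, top 3 = PCP


def classify(frame: bytes) -> str:
    """Describe a frame's tag and flag a priority that differs from the post."""
    tag = parse_vlan(frame)
    if tag is None:
        return "untagged"
    vid, pcp, _ = tag
    if vid not in REPORTED:
        return f"VLAN {vid} pcp {pcp}: not described in the post"
    role, expected = REPORTED[vid]
    note = "" if expected in (None, pcp) else f" (post reports priority {expected})"
    return f"VLAN {vid} pcp {pcp}: {role}{note}"


def build_frame(vid, pcp, ethertype=0x0800):
    """Constructed sample: zero-payload frame with made-up MAC addresses."""
    dst, src = b"\xff" * 6, bytes.fromhex("020000000001")
    tci = (pcp << 13) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + b"\x00" * 46


if __name__ == "__main__":
    for f in (build_frame(33, 2), build_frame(34, 4), build_frame(35, 0), build_frame(34, 0)):
        print(classify(f))
```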
 

·
Registered
Joined
·
19 Posts
Tonight's session reveals that there is a firmware recovery mechanism built into the R3000 CFE. Unplug power, hold down reset, plug in power, wait 10-15 seconds. Assign your PC 192.168.1.100/24 and go to http://192.168.1.1/ (use a LAN port). I still haven't figured out a way to dump the flash, there is no SPI chip for CFE. The unit boots directly from NAND. It's looking more and more like a JTAG job, anyone have a USBJTAG NT I could borrow?

Sorry for the multiple small posts, I realized afterwards that posts into this thread need to be approved by a moderator and I can't see them after submitting (only after approval).

Edit: So a revelation. When downloading a config backup it encrypts the file using the device serial or MAC address. The config backup may be a compressed copy of the NVRAM partition, if not it is an XML config file. This may be the code that does the encryption magic. https://github.com/vicgarin/Actiontec-V1000H/blob/master/bcm963xx_V1000H-31-121L-11/userspace/public/libs/cms_util/image.c
 

·
Registered
Joined
·
6 Posts
SteveMoores ... thanks for the reply.

If I simplify things a little by keeping the Actiontec router in place for the TV side of things, can I use a VLAN between the Actiontec and the set-top box as indicated in the image I have linked to? I have tried this setup but the set-top box is not able to reconnect and I am thinking it has to do with a multicast scenario I have not accounted for. Am I on the right track?

https://1drv.ms/u/s!AnElkFanLZ6biPhbQHz5yykJvqiJ1w
 

·
Registered
Joined
·
448 Posts
The biggest issue is that the STBs also need access to the internet VLAN for provisioning and updating. This is the same setup they use for their UC VoIP solution, all IP phones need to be ported to their service data center, AND have internet access for provisioning and updates.
 

·
Registered
Joined
·
6 Posts
With regards to the STB, based on the diagram (I apologize for the first link being broken), I was keeping the Actiontec in the loop. So wouldn't it be just like plugging the STB directly into the Actiontec router?
 

·
Registered
Joined
·
448 Posts
Yes, you need to plug the STB directly into the Actiontec, without any trunking or anything in between. The Actiontec does all of the required L3 work. Extra trunking etc in between can cause issues, especially with the multicast streams.
 

·
Registered
Joined
·
6 Posts
AtlanticRebel … I believe I have figured out my switching issues and have now made the step to try and get my PFsense setup an IP from Bell. I have done the following: ONT connected to a simple GB Trendnet switch, both the Actiontec and Pfsense are plugged into the TrendNet. But the pfsense interface setup on VLAN35 is not getting an IP address. The Actiontec seems to be working fine.

If I plug the same pfsense interface on VLAN35 directly into the ONT and cycle the interface it gets an IP.

Do you know if Bell has made any changes, that I need to account for since you first posted your setup?

So close .. any assistance is greatly appreciated.
 

·
Registered
Joined
·
448 Posts
That is your problem right there, if the Actiontec is connected, and getting an internet IP on VLAN 35, the pfSense WILL NOT work. You need to disable all internet capabilities on the Actiontec for the pfSense to get an internet IP. This will also break most of your TV service. If you have an Actiontec, and internet, your best bet now is to use the Advanced DMZ.
 

·
Registered
Joined
·
448 Posts
Yes, I also had it switched to PPPoE mode which disabled internet connectivity through the R1000h, and eventually caused most of the TV service to become degraded.
 