Routing my Belgacom IPTV over the internet

The MikroTik hEX router and Belgacom set top box

I do not like to pay twice for things that I do not use that often, so paying two subscriptions for cable TV is something I will avoid. But during the weekend and mainly during the holidays we like to spend time at the coast, and it would be nice to have cable TV there sometimes.

So, since it is IPTV it should not be so difficult to forward that traffic over a VPN, I thought. But when checking the traffic with Wireshark it was clear that it would not be that straightforward. When the modem gets a DHCP request from the set top box it will not only provide an IP, but also some specific DHCP options for the streaming TV services. Additionally, the channels are sent over the network using multicast.

Since broadcast and multicast cannot be routed, a simple WireGuard or other VPN would not work. I needed to find a solution to tunnel Ethernet traffic over a VPN. The first idea I had was using my little HP EliteDesk as a Linux box at the coast that would make a WireGuard connection to my home network and use VXLAN to forward all packets in a specific VLAN over the tunnel.

At the same time we could use that Linux box also as a media player to stream movies from the NAS, emulate some older games and act as an off-site backup destination. In the future it could even run Home Assistant to automate some things.

But then I bought my new network switch from MikroTik. I knew it could run RouterOS, but initially I had planned to run SwitchOS on it so it would be more familiar for me to use. After looking at the features of RouterOS I decided to keep running it, and that was a good choice.

It can do all the things I need to make my set top box work remotely. It can run WireGuard as a server and client, has a good DHCP server and it can do VXLAN. But instead of VXLAN I decided to try MikroTik's own EoIP (Ethernet over IP) protocol.

To connect to my switch I bought a small hEX router that runs the same software. I did not change the client side IP range on the hEX but decided to reconfigure one port for the TV, so only devices connected to that port would be part of the home network. The other ports are just NATed to the WAN port.

To configure the switch and the router I had them both connected to the same PC. The config tool Winbox can make a direct connection using the MAC address of the device. That way it is easy to set up the tunnels and copy the keys over.

First I added WireGuard on the switch. Just select WireGuard in the sidebar and click on the plus button. I gave it the name wireguardTV and clicked on ok to generate the keys. Do the same on the router.

The WireGuard Peer configuration on the switch

Now you have to configure the peer network. On the switch go to the tab Peers and click on the plus button. Copy the public key from the WireGuard config on the router and paste it in Public key on the switch. Leave the endpoint empty; we only want the router connecting to the fixed IP of the switch. The default endpoint port 13231 is fine. Allow all IPs by entering 0.0.0.0/0; we can limit this after testing if necessary.

Do the same on the router. Add a peer and give it the public key of the switch. Endpoint port and Allowed IP addresses should be the same, but now you have to fill in the public IP of your home network in Endpoint. That way the router will try to connect to your switch.

Since your switch is (hopefully) not directly connected to your internet connection, you will have to forward all UDP traffic arriving on port 13231 to the IP of your switch. After that your WireGuard connection should be online: the last handshake time should be lower than a minute.

The EoIP config on the switch

The next part is even easier, setting up the EoIP connection. On the switch go to Interfaces / EoIP Tunnel and click on the plus-button. Give it a name like eoip-tunnelTV and make sure it has a random MAC address filled in. Give this tunnel a local and remote IP address. I have used 172.16.255.1 as local and 172.16.255.2 as remote on the switch. The tunnel ID was set to 10. Do the same on the router, but swap the local and remote IP address. That's all you have to do!

The configured tunnel

At this point we are nearly there. The Ethernet tunnel is up and packets are getting forwarded. The final config I will do is adding a bridge on the router and moving the last Ethernet port and the EoIP tunnel to it; that way the traffic will be completely separate from the other ports. For now I will not change any of the other config and leave the NAT in place on the other ports, they will not get used at this time.

The bridge setup window

To add a bridge go to the router and select Bridge. On the tab Bridge click the plus-button and give it a name. I have named it TV-bridge. Now we only have to add port 5 and the EoIP tunnel to this bridge.

On the same window go to the next tab Ports and click the plus-button to add eoip-tunnelTV if it is not in the list, select the TV-bridge and click on OK. Now double-click on ether5 and change it from the default bridge to the TV-bridge.
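For readers who prefer the terminal over Winbox, here is the same setup as RouterOS v7 CLI commands. This is an added example, not configuration taken from the post; it uses the names and values the post gives (wireguardTV, eoip-tunnelTV, port 13231, tunnel ID 10, 172.16.255.1/2, TV-bridge, ether5). Anything in angle brackets is a placeholder, the /30 prefix on the WireGuard interfaces and the bridge the EoIP tunnel joins on the switch side are my assumptions, and the keepalive on the router peer is my addition so the tunnel stays reachable through NAT.

```routeros
# Added example, not the post's own config. RouterOS v7 assumed (WireGuard needs v7).
# <...> values are placeholders to fill in.

# ---- on the switch (home side, the end the router connects to) ----
/interface/wireguard/add name=wireguardTV listen-port=13231
# show the generated public key; it goes into the peer entry on the router below
/interface/wireguard/print detail where name=wireguardTV
# no endpoint here: the switch only waits for the router to connect
/interface/wireguard/peers/add interface=wireguardTV public-key="<ROUTER-PUBLIC-KEY>" allowed-address=0.0.0.0/0
# assumption: the EoIP endpoints 172.16.255.1/.2 live on the WireGuard link itself
/ip/address/add address=172.16.255.1/30 interface=wireguardTV
/interface/eoip/add name=eoip-tunnelTV tunnel-id=10 local-address=172.16.255.1 remote-address=172.16.255.2
# assumption: the tunnel must be bridged with the home LAN (or the TV VLAN) to carry its frames
/interface/bridge/port/add bridge=<HOME-BRIDGE> interface=eoip-tunnelTV

# ---- on the hEX (coast side, the end that dials in) ----
/interface/wireguard/add name=wireguardTV listen-port=13231
/interface/wireguard/peers/add interface=wireguardTV public-key="<SWITCH-PUBLIC-KEY>" endpoint-address=<HOME-PUBLIC-IP> endpoint-port=13231 allowed-address=0.0.0.0/0 persistent-keepalive=25s
/ip/address/add address=172.16.255.2/30 interface=wireguardTV
# same tunnel ID, local and remote swapped
/interface/eoip/add name=eoip-tunnelTV tunnel-id=10 local-address=172.16.255.2 remote-address=172.16.255.1
/interface/bridge/add name=TV-bridge
/interface/bridge/port/add bridge=TV-bridge interface=eoip-tunnelTV
# ether5 is already in the default bridge, so move it instead of adding it
/interface/bridge/port/set [find interface=ether5] bridge=TV-bridge

# ---- checks ----
# last-handshake should be under a minute once UDP 13231 is forwarded to the switch
/interface/wireguard/peers/print
# the tunnel is flagged R (running) once both ends reach each other
/interface/eoip/print
```

The order matters on the hEX: create the WireGuard interface and its address first, because the EoIP tunnel can only come up once 172.16.255.1 is reachable through it. Keeping allowed-address at 0.0.0.0/0 is what the post does; RouterOS does not add routes from that field, so it only controls which source addresses the peer may use inside the tunnel.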

The ports added to the TV-bridge

All the basic config is now done to forward the network traffic to port 5 of the router. If you consider doing something similar there are some things you have to keep in mind. You need to have enough upstream bandwidth to forward the traffic. All traffic is forwarded at this point, so on a busy network the broadcast traffic can cause issues.

Another limitation of the double encapsulation is that some traffic might get fragmented. That will be the case with large ethernet frames like jumbo frames since the MTU of the tunnel will be lower than 1500. To have a clear idea of the fragmentation you will need to monitor the tunnel in the beginning.
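A quick way to see where the fragmentation starts is to ping across the WireGuard link with the don't-fragment bit set and shrink the packet until it gets through. This is an added example, not from the post; the sizes are starting points I chose (RouterOS gives WireGuard interfaces an MTU of 1420 by default, and EoIP adds its own headers on top), and the 172.16.255.2 address is the post's own remote tunnel endpoint as seen from the switch.

```routeros
# Added example: measure the usable packet size inside the tunnel from the switch.
# The largest size that answers without "fragmentation needed" is what fits without
# being split; anything the set top box sends above that will be fragmented.
/ping 172.16.255.2 count=3 size=1420 do-not-fragment
/ping 172.16.255.2 count=3 size=1380 do-not-fragment
/ping 172.16.255.2 count=3 size=1340 do-not-fragment

# watch the tunnel while a channel is playing; rising error/drop counters point at fragment loss
/interface/monitor-traffic interface=eoip-tunnelTV once
/interface/eoip/print stats
```

If the measured size is well below 1500, lowering the MTU of the EoIP tunnel on both ends to that value (the `mtu=` parameter of `/interface/eoip/set`) lets the set top box see the smaller MTU instead of having each frame split inside the WireGuard link; whether that helps depends on how the box handles path MTU, so check the counters again afterwards.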

At this time the DHCP server on the home network is used and that is working without issues, but I will change that in the future. It is better to run a DHCP server on the router in the same subnet, but with a different range of IPs. Then I will block DHCP traffic on the router's firewall from going through the tunnel. That will make sure the devices connected to the router will at least get an IP and be able to communicate locally when the tunnel is down.
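The planned change above translates into two pieces on the hEX: a DHCP server bound to TV-bridge that hands out a range the home server never uses, and a bridge filter that stops DHCP from crossing the EoIP tunnel in either direction. This is an added example, not the post's config (the post describes this as future work). The 192.168.1.0/24 subnet, the .200-.220 pool and the .254 bridge address are placeholders for your home subnet. One caveat the post itself raises: the home modem hands the set top box extra DHCP options for the TV service, so a local server would have to reproduce those options for the box to work, which is outside what this example shows.

```routeros
# Added example, not the post's own config. Replace 192.168.1.x with your home subnet;
# pick a pool the home DHCP server does not hand out so addresses never collide.

# the bridge needs an address in the home subnet before it can serve DHCP on it
/ip/address/add address=192.168.1.254/24 interface=TV-bridge
/ip/pool/add name=tv-pool ranges=192.168.1.200-192.168.1.220
# gateway and DNS stay the home modem, reached through the tunnel when it is up
/ip/dhcp-server/network/add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1
/ip/dhcp-server/add name=dhcpTV interface=TV-bridge address-pool=tv-pool lease-time=1h
# the TV-specific DHCP options the modem provides (see above) would be added with
# /ip/dhcp-server/option and attached to this server; their values are not shown in the post

# bridge filter: DHCP (UDP 67/68) may not leave or enter the tunnel port, so the box
# only talks to the local server and the home server never answers requests from the coast
/interface/bridge/filter/add chain=forward out-interface=eoip-tunnelTV mac-protocol=ip ip-protocol=udp dst-port=67-68 action=drop comment="no DHCP into tunnel"
/interface/bridge/filter/add chain=forward in-interface=eoip-tunnelTV mac-protocol=ip ip-protocol=udp dst-port=67-68 action=drop comment="no DHCP from tunnel"

# verify: with the WireGuard peer disabled the box should still get a lease from tv-pool
/ip/dhcp-server/lease/print
```

Because all other traffic still passes the bridge untouched, the set top box keeps reaching the modem and the multicast streams exactly as before; only the address assignment becomes local, which is what keeps the coast-side devices usable when the uplink drops.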

My Proximus TV working over Telenet :)

A short update: when testing it on location for the first time it was very successful. I was afraid that the double encapsulation of RTSP multicast traffic and sending it over the internet using my basic home internet connection would result in more packet loss, but the quality is surprisingly good! Hardly any packet loss is visible on the TV.

At one time there was a lot of packet loss but I think that it was caused by turning on the set top box on my home network. That would have started a second multicast stream that was also going over the tunnel saturating the slow uplink. So if that keeps happening I will consider setting up IGMP on my home network, but that will be a fun next project. 😄