Help getting hEX S router working with KPN(Dutch ISP) IPTV

Hi all,

N00b here, trying in vain to get this Mikrotik RB760iGS (hEX S router) up, so I can switch from my ISP’s all-in-one router. Got the Internet established at long last, now onto the TV Set Top Box from the ISP. KPN is the ISP. I’m running RouterOS 7.21.3 and using the Terminal from within WinBox 4.

I’m on a fiber-to-the-home (glasvezel) connection. I have an ONT that converts fiber to ethernet.

I followed this guide to get Internet established on the Mikrotik. Internet is up and well.
Following this guide for getting TV set up, I rang KPN to confirm VLAN4 needs to be set with IGMP Snooping enabled. The TV Set Top Box isn’t able to get online. The “vlan1.4” interface is showing no traffic. “vlan1.6” is fine.

Here’s my current configuration: https://termbin.com/h8fj

Thanks in advance!
Greetings from The Netherlands,
pwny_pwns

I only took a glance at your posted configuration, but at first sight, it appears that currently you still have all of your ports in the bridge bridge (under /interface bridge port). You need to take the port that the Set Top Box is currently connected to out of the bridge bridge and put it in the local bridge.

It's easiest to use WinBox and go to Bridge -> Ports, open the entry corresponding to the port, for example the entry for ether5, and change the Bridge drop-down value from bridge to local. If using the Terminal, you can run something like:

/interface bridge port
set [find bridge=bridge interface=ether5] bridge=local

(change ether5 if that's not the port the TV Box is connected to).

Also, the order of the rules in the firewall filter table is important. Currently, this rule that you've added:

/ip firewall filter
# ...
add action=accept chain=input comment="IPTV IGMP" dst-address=224.0.0.0/4 \
    in-interface=vlan1.4 protocol=igmp

is not effective because it's at the bottom of the input chain. You need to move it (again, it's much easier using WinBox and drag & drop) above this rule:

/ip firewall filter
# ...
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# ...

If the TV works, I would proceed next to improve your firewall configuration by using interface lists and the existing defconf rules, instead of adding new rules like you did:

The pppoe-client, vlan1.4, and vlan1.6 interfaces should be members of the WAN interface list:

/interface list member
add interface=vlan1.4 list=WAN
add interface=vlan1.6 list=WAN
add interface=pppoe-client list=WAN

and the local bridge should be a member of the LAN list (like the bridge interface):

/interface list member
add interface=local list=LAN

If you make those changes, then the following firewall rules that you previously added can be removed because they are no longer needed:

/ip firewall filter
# ...
add action=accept chain=input in-interface=pppoe-client protocol=icmp
add action=accept chain=input connection-state=established,related
add action=drop chain=input in-interface=pppoe-client
# ...

and in the NAT table, remove:

/ip firewall nat
# ...
add action=masquerade chain=srcnat out-interface=pppoe-client
add action=masquerade chain=srcnat comment=IPTV dst-address=213.75.0.0/16 \
    out-interface=vlan1.4
add action=masquerade chain=srcnat comment=IPTV dst-address=217.166.0.0/16 \
    out-interface=vlan1.4
add action=masquerade chain=srcnat comment=IPTV dst-address=10.207.0.0/20 \
    out-interface=vlan1.4

Please make sure you only remove the right rules (the ones you added); do not remove the rules that have defconf: in the comments!

BUT then for IPTV to work, you'll now have to add a few rules (because the firewall is now tighter with regards to the vlan1.4 interface). Add this rule:

/ip firewall filter
add action=accept chain=forward comment="IPTV" dst-address=224.0.0.0/4 \
    in-interface=vlan1.4 out-interface=local protocol=udp

and move it (with drag & drop) above the rule with the comment "defconf: drop invalid" of the forward chain (not the rule of the input chain!).

Optionally, you can also add this rule to the input chain:

/ip firewall filter
add action=drop chain=input comment="IPTV" dst-address=224.0.0.0/4 \
    in-interface=vlan1.4 protocol=udp

and move that rule before the rule

/ip firewall filter
# ...
add action=accept chain=input comment="IPTV IGMP" dst-address=224.0.0.0/4 \
    in-interface=vlan1.4 protocol=igmp
# ...

mentioned above. Doing so allows you to remove the count of the IPTV packets from the counter of the "defconf: drop all not coming from LAN" rule.
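The steps of the reply above (bridge port, interface lists, rule ordering, clean-up) as one Terminal session, added here as an example and not code from the thread or from MikroTik; it assumes ether5 is the Set Top Box port and that the local bridge, the WAN/LAN interface lists and the defconf rules already exist, and it uses move/place-before instead of the WinBox drag & drop.

```routeros
# Added example, not from the thread: the first reply's steps as one Terminal
# session, with move/place-before in place of WinBox drag & drop.
# Assumed: ether5 is the Set Top Box port; the "local" bridge, the WAN/LAN
# interface lists and the defconf rules already exist.

# 1. Move the Set Top Box port out of bridge "bridge" into bridge "local".
/interface bridge port
set [find bridge=bridge interface=ether5] bridge=local

# 2. WAN-side interfaces into the WAN list, the local bridge into LAN, so the
#    defconf masquerade and forward rules cover them.
/interface list member
add interface=vlan1.4 list=WAN
add interface=vlan1.6 list=WAN
add interface=pppoe-client list=WAN
add interface=local list=LAN

# 3. Order matters: put the existing IGMP accept rule above the defconf
#    "drop all not coming from LAN" rule of the input chain.
/ip firewall filter
move [find chain=input comment="IPTV IGMP"] \
    [find chain=input comment="defconf: drop all not coming from LAN"]

# 4. Optional: drop the vlan1.4 multicast UDP that reaches the input chain
#    before the IGMP rule, so it stops inflating the defconf drop counter.
add action=drop chain=input comment="IPTV" dst-address=224.0.0.0/4 \
    in-interface=vlan1.4 protocol=udp \
    place-before=[find chain=input comment="IPTV IGMP"]

# 5. Allow only the multicast stream to be forwarded from vlan1.4 to local,
#    placed before "defconf: drop invalid" of the forward chain.
add action=accept chain=forward comment="IPTV" dst-address=224.0.0.0/4 \
    in-interface=vlan1.4 out-interface=local protocol=udp \
    place-before=[find chain=forward comment="defconf: drop invalid"]

# 6. Remove the hand-added rules the lists make redundant. defconf rules use
#    in-interface-list/out-interface-list, so finds on in-interface or
#    out-interface do not select them; the established,related rule is
#    filtered on its comment so the defconf one is kept.
remove [find chain=input in-interface=pppoe-client]
:foreach r in=[find chain=input connection-state=established,related] do={
    :if (!([get $r comment] ~ "defconf")) do={ remove $r }
}
/ip firewall nat
remove [find chain=srcnat out-interface=pppoe-client]
remove [find chain=srcnat comment=IPTV out-interface=vlan1.4]

# 7. Check: with the box switched on, these counters should start moving.
/ip firewall filter print stats where comment~"IPTV"
```

Run /export after the session and compare the rule order against the listing in the reply before trusting the box to it.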

These rules must not be removed and are needed for KPN ITV/KPN TV+ decoders to work.

/ip firewall nat
# ...
add action=masquerade chain=srcnat out-interface=pppoe-client
add action=masquerade chain=srcnat comment=IPTV dst-address=213.75.0.0/16 \
    out-interface=vlan1.4
add action=masquerade chain=srcnat comment=IPTV dst-address=217.166.0.0/16 \
    out-interface=vlan1.4
add action=masquerade chain=srcnat comment=IPTV dst-address=10.207.0.0/20 \
    out-interface=vlan1.4

I have the same setup. This setup worked with the old KPN ITV decoders and with the new KPN TV+ decoders. With the old KPN ITV decoders, the non-IGMP TV stream traffic (playback from the TV guide or self-recorded) needs to masquerade to vlan1.4 with destination networks 213.75.0.0/16, 217.166.0.0/16 and 10.207.0.0/20. With the KPN TV+ decoders, the non-IGMP TV stream traffic (playback from the TV guide or self-recorded) is streamed from the internet via PPPoE over vlan1.6.

If you read the rest of my posts, you'll see that those rules are no longer necessary, because both pppoe-client and vlan1.4 have been added to the WAN interface list, and masquerading is then covered by the defconf rule:

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

Adding the interfaces to the WAN list is the correct thing to do (because those interfaces are actually on the WAN side of your network) and that provides you with free masquerade and firewall forward protection courtesy of the defconf firewall that OP already uses.

The only forwarding (from vlan1.4 towards local) that then needs to be allowed is the multicast UDP stream, which is what this rule is needed for: