I had an idea that I could connect the STB to 1 of the 2 ports on the Lyra node in the living room and the node in the basement and presto, IPTV over wifi. That worked with the other hosts (connected to a Netgear switch that is connected to a port on the Lyra node) so why wouldn't it work with the STB? Well it didn't.
I'm not sure why the stream breaks. I suspected that by inserting a router (NAT) between CPE and STB breaks the IPTV stream as the IP address on the STB must be 10.xxx.xx.xxx. Searching the internet on similar cases with the IPTV provider I have I suspected tagged VLANS were in play. But all those cases were on different fiber network operated by an other company so It's not a perfect analogy (they use dedicated ports on their CPE for the different services). The installation guide the IPTV provider have regarding multiple STB looks like this:
Allente IPTV.png
It's in Swedish but basically says what it shows: Add a switch (not provided by the IPTV provider) between STB's and CPE (not provided by the IPTV provider). It does not mention anything about VLAN, tagged frames or IEEE 802.1Q in the instructions. What do I make of that? I'm guessing here but since there are no dedicated service ports on the CPE there must be VLAN involved that the STB is pre-configured to. My following question to is it possible to detect that VLAN tag with the Hex router?
Sorry for the novel length response, but details matter.
There are multiple possible reasons why the router could be causing problems. It may be NAT, it may be just the fact that it is going through a router (not on the same L2 network), it may be that there is a vlan tag, and the Lyra just ignored tagged traffic (and besides, it may need to be on the same L2 network too).
While the sniffer that @tangent recommended is a powerful debugging tool, I am not convinced it will help here, because my reading of the
documentation is that it can only sniff what is going through the routing engine, and the IPTV traffic won't be. So I am not convinced it is the correct tool for this specific troubleshooting job. And if it doesn't work, then the assumption that it is working can lead to a big time sink trying to troubleshoot the wrong problem. I've been there, done that.
And we need to know for sure whether the STB is expecting tags or not. Because that will affect how the RB750Gr3 needs to be configured.
BTW, you do have the RB750Gr3, correct? What version of firmware are you using? If you haven't upgraded to v7 (probably best to use v7.4 stable at this time) I recommend doing so. v6 doesn't support hardware assisted vlan-filtering on the bridge with the MT7621A Soc that the RB750Gr3 uses, but v7.2 and above do, and doing bridging and vlans in software will adversely affect your router's performance.
I assume from the attachment name the provider is Allente. What type of STB do you have? What is the link to the support page you found the instructions on?
What seems odd to me is that in the diagram you provided:
- They connect to a different port than you did (the yellow one) port 2 instead of what you said you are using (port 3 for IPTV and port 4 for your Lyra Router/mesh wifi
- If all ports in the Inteno XG6846 are configured in the same LAN/broadcast domain, then why would there be any need for an external switch? I suppose one reason would be that you had two STBs at the end of a long single cable, and you wanted to avoid pulling another cable.
- What is the * after the switch representing? Is that leading to a footnote stating that the switch is not provided, or does it list some requirements for the switch e.g. vlan-transparency
- The only thing they show being connected to the switch is STBs. Which could imply that only IPTV was available on that connection, or it could just be a "simplified diagram" to reduce confusion for non-technical folks, and increase the confusion for the technical audience.
Does the "WAN" ip address on your "internet router" agree with what you get when you browse to ipchicken.com? If they agree, then your router is getting a globally valid ip address, and there is no other layer of NAT between your router and the "internet". If you get a different address, then your ISP is adding another layer of NAT between you and the internet. (Another indication would be if your "WAN" interface has an ip address between 100.64.0.0 and 100.127.255.255, as this is the 100.64.0.0/10 CGNAT private block).
I don't have IPTV, and have never worked on a network with it, so I am not really qualified to be giving advice. However looking at this from a "black box" point of view, we don't know if tagged vlans are being used of not, given the information we have. Most "consumer" "dumb" plug and play switches made in the last ten years (e.g. NetGear GS105 (not E), TP-Link TL-SG105 (not E), Trendnet, Dlink, Tenda) are all vlan-transparent, meaning they ignore the ethertype field immediately following the SRC MAC address in the
Ethernet frame, and treat it only as data and it is excluded from any forwarding decision made by the switch. When there is an
IEEE 802.1Q tag in the frame, the ethertype immediately following the SRC MAC address will have the value 0x8100, which is an indication this is a tagged frame.
If you already own the Netgear GS105E switch, and if it is similar to the GS908E switch I have, then you can use it to easily determine if tagged vlans are being used. In the Switching Menu, there should be a VLAN submenu, and under that 3 modes, (1) no vlans, (2) port based vlans (basic), and (3) 802.1Q vlans (advanced) The "factory default out of the box configuration", the GS908E is in "No VLANs" mode, so it behaves like a vlan-transparent ethernet switch, i.e. it just passes ethernet frames as is and chooses which ports to forward to based only on mac addresses it has seen and the destination mac address in the frame it receives (as described in
Everything Switches do - Part 1 - Networking Fundamentals - Lesson 4). But to drop all ethernet frames with IEEE 802.1Q tags, you can use 802.1Q VLANs, which will configure all ports to be access ports in VLAN 1. It this mode, untagged traffic will pass as is, but tagged traffic will be dropped. (I didn't test the special case of vlan id 0 (priority only tags), so I am not sure what it would do in that case). My GS908E has a "Port based VLAN mode" that can partition the switch into multiple broadcast domains and affects what ports it will forward frames to based on port numbers, not tags. This mode is also IEEE 802.1Q tag transparent, i.e. it will forward tagged frames as well as untagged frames to other ports, as long as the ports are members of a common "vlan". I had never used this until today when I was responding to this post, and I had wrongly assumed that it was just using IEEE 802.1Q "under the covers", but that turned out to be a false assumption.
So the test you could do to determine if your STB is using tagged frames or not, would be to
configure a laptop with the "public" windows firewall (where it blocks inbound communication it did not initiate, RDP and other "dangerous" protocols should be blocked), connect to the GS105E with the browser (you will need to determine what IP address it has; if it is connected to your MikroTik, you can look as the leases it has given out
/ip dhcp-server/lease/print, and if you have made any configuration changes to the GS105E, make a backup of the configuration, because the next steps will be making changes and you could lose work. After you are satisfied with your GS105E backup, put a secure password on the GS105E if it doesn't have one, configure the GS105E with a static ip address in a private network you are not using and isn't in the 10 network used by your ISP (e.g. 172.23.253.100/24). When you change the switches IP address, you will loose access to the switch until you manually change the ip address of your laptop to an address in the same subnet, e.g. 172.23.253.101/24 (and leave Default gateway blank, so the laptop can only communicate with ip addresses in 172.23.253.0/24) then plug it into one of the Inteno XG6846 ports you were using, and then plug both of the wires you removed from the Inteno XG6846 into other ports of the GS105E (e.g. the connection to the huvudbox (main STB) and to your current internet router. Both should work if the GS105E is in the default "No VLANs" mode. But if you then use the laptop to change the GS105E into IEEE 802.1Q VLAN mode, then until more configuration is done, only untagged traffic will pass. If the IPTV STB still works, then the STB is not using tagged ethernet frames.
This is the testing layout I am trying to describe, except that you should use one of the ports you know works with the STB and Router, so either port 3 or port 4.
Note well: Make sure you have your windows firewall enabled, because the laptop will be directly connected to your internet feed, which may be a on the internet. Although if you have manually set your ip address to 172.23.253.101/24 with no default gateway set, it will limit what the PC can talk to.
172.23.253.101 internet protocol version 4 no gateway.png
from output of ipconfig /all
Ethernet adapter Ethernet 4:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : ASIX AX88772 USB2.0 to Fast Ethernet Adapter
Physical Address. . . . . . . . . : 8C-AE-4C-F5-19-E8
DHCP Enabled. . . . . . . . . . . : No
Autoconfiguration Enabled . . . . : Yes
Link-local IPv6 Address . . . . . : fe80::d475:2f63:851f:cbd4%18(Preferred)
IPv4 Address. . . . . . . . . . . : 172.23.253.101(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
DHCPv6 IAID . . . . . . . . . . . : 546090572
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1B-EB-E8-D9-BC-30-5B-A4-E5-01
DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
fec0:0:0:ffff::2%1
fec0:0:0:ffff::3%1
NetBIOS over Tcpip. . . . . . . . : Enabled
C:\WINDOWS\system32>
vlan_testing.png
If the IPTV works with both "No VLANs" mode and the default "IEEE 802.1Q VLAN (advanced)" mode, then everything is in the same broadcast domain and using untagged ethernet frames. Which makes we wonder how the ISP hands out ip addresses, but it is possible they only give out ip addresses in the IPTV range to "registered" mac addresses for the STBs they provide (but that seems like weak authentication).
But if the IPTV does not work when the GS105E is in "default config" of IEEE 802.1Q mode where everything is an access port in the same broadcast domain, then that would be an indication that the STB is using tagged vlans, and you would need to take further action to determine which tagged vlan is being used. The method I would recommend would be to use the port mirroring capability in the GS105E (on my GS908E this is under "Monitoring"), and loading wireshark on your PC to capture the data. But this can be a relatively steep learning curve too, if you have never used wireshark.
Here was my test setup with my GS908E to test the different vlan modes on my switch (to verify that the "no VLANs mode" was vlan-transparent and did pass ethernet frames with vlan tags). Note that being able to relay tagged frames is different than being vlan-aware with the ability to tag and untag ethernet frames, that capability will be required whether or not the STB needs IEEE 802.1Q tags, or does not use tags, because we want to use the same wire to pass two separate LANS, and be able to extract the correct LAN at the other end of the cable. So you will need to configure the GS105E switches to be in the 802.1Q vlan mode, and you will need to add at least one additional vlan to the switch (for the "IPTV" lan).
I have a Raspberry Pi 4 with the vlan package loaded; eth0 is untagged, eth0.241 is tagged for vlan 241. I have a single cable connected to an ER-X with 192.168.101.0/24 and 192.168.241 on tagged vlan 241. I inserted the GS908E in "No VLANs" mode between the Raspberry Pi 4 and the ER-X, and connected to the Raspberry Pi 4 with the untagged interface 192.168.101.78/24 with ssh, then from Raspberry Pi pinged ER-X on tagged vlan 241 (192.168.241.1/24). This shows that the GS908E is vlan-transparent in "No VLANS" mode, since the tagged traffic passed through. I then selected the IEEE 802.1Q VLAN mode and pings stopped working. This shows that when in default IEEE 802.1Q mode, all ports are configured as access ports for the default vlan 1 (and since untagged it is the switch that is determining what vlan it is in). Tagged packets are blocked. Selecting the Port based VLAN mode also allowed the tagged frames to pass through.
If you made it this far... Here's a great short Swedish documentary about how things can turn out to be more difficult than you first thought it would be. Not network related but very interesting.
HOPPTORNET (TEN METER TOWER) by Axel Danielson & Maximilien Van Aertryck
You do not have the required permissions to view the files attached to this post.