Complete Network Setup Ubiquiti + KPN Experia & IPTV

This blog post describes a dual-router setup: a router behind a router, i.e. the Experia Box in "Routed Mode" instead of "Bridged". It is meant for those who want to segregate their network behind the Experia Box and still use their IPTV. This is often referred to as a Dual-NAT setup, and it works fine for most office and personal use. For Bridged mode or FTTH without the Experia Box, scroll all the way down.

In this example we have a lower and an upper floor with two IPTVs upstairs and one downstairs, one access point upstairs and one downstairs (each very near the IPTVs), and very little cabling. There are 5 devices downstairs, 5 devices upstairs and some random IoT devices in a DMZ, which will be our native VLAN 1 (the default LAN). The routers are in the maintenance room or "cabinet", where gas, telephone and electricity enter the house.

The goal of this setup is to create 3 virtual network segments: a WAN with DMZ, a private network, and a segregated segment for IPTV that is routed separately by the original router. In other words, we introduce a wall between IPTV and the regular network and by default do not mix the two. The Experia Box will handle the IPTV traffic. You can also let the Ubiquiti USG take care of this, but if you have bonded ADSL or are not so technical, it is just not worth the hassle.

The major advantage of this kind of setup is that it is enterprise grade: while I am not going into full detail on additional firewalling, it allows you to implement that on top of it.

This guide sets up trusted zones only. No firewall rules from WAN to LAN or between VLANs are created; there is only virtual (layer 2) separation. Be aware of what that means: the USG routes between all of its Corporate networks and its default LAN IN rule set allows that traffic, so a device on the IoT/DMZ VLAN 1 can still reach hosts on the private VLAN 10 and on the management VLAN 100 until you add rules. In an enterprise network you should add routing and stricter firewall rules between these segments; at the very least keep VLAN 1 and the wireless networks away from VLAN 100. This setup has ALLOW:ALL between the local area network and wireless as its standard rule set.

Preview

The UniFi Management Dashboard

One of the major product highlights is the UniFi dashboard. It is feature rich and enterprise grade, free of charge. It is highly configurable and there is an expert option that lets you change settings from the command-line interface. You either install this software on one of your computers or you use a small appliance like the Ubiquiti Cloud Key, which is extremely convenient and easy to use.

 

Your new Network Topology

This layout will allow you to have a private network for your home or office (port 5 on the main switch), a default network which is "less secure and default", and a network segment for your IPTV. The wireless access points can (if you so choose) give entry to those networks based on the settings you give each wireless network. You can add up to 4 wireless networks to an access point.

Approximation of Ubiquiti UniFi Hardware Needed

  • A Ubiquiti router per site (1 UniFi Security Gateway per house address)
  • A Ubiquiti managed switch per 7 or 15 wired devices (an 8- or 16-port model, one port being the uplink)
  • A Ubiquiti access point per 40 m2 / 120 m3 on a single floor

In this example we have:

  • 1 Ubiquiti UniFi Security Gateway (UBI-USG)
  • 2 Ubiquiti UniFi Switch, 8-Port, 60W PoE (US-8-60W)
  • 2 Ubiquiti UniFi AP-AC Pro (UAP-AC-PRO; it has a second Ethernet port, used here to daisy-chain a wired IPTV box behind the access point)
  • 1 Ubiquiti UniFi Cloud Key

Setup Time!

Depending on whether you have a Cloud Key, internet access etc., your initial time is mostly spent getting the management tools working. This tutorial is written to be relatively easy to follow and requires no specific additional knowledge such as a terminal console. You can even start with a local PC installation instead of a Cloud Key and import the configuration later.

Priority & Expectation list

  1. Get Management Facilities Running (UniFi management dashboard)
  2. Create Basic VLAN structure
  3. Onboard Router (enabling Internet behind Secure Router)
  4. Onboard Switches and Accesspoints in Management Network
  5. Move Management Facilities behind Router (On PoE Switch)
  6. Onboard All Computers (Basic Wireless, Basic Network)
  7. Onboard Secure Network (Network Segregation)
  8. Onboard IP TV

Activities in Order:

  1. Unpack all new hardware
  2. Install or Connect the UniFi Management Software/Tool (follow product manual)
  3. Create & configure your site settings (follow product manual)
  4. Create & configure your networks (vlans)
  5. Create & configure your wireless networks
  6. Create your Switch Port Profiles
  7. Physical Configuration: Connecting all equipment except for the Red Cable
  8. Adopt each Switch and Accesspoint into the Management Dashboard
  9. Configure all Management Service vlans on each Switch and Accesspoint
  10. Configure your network ports by selecting the correct switch port profile
  11. Configure the network ports to the ExperiaBox and those with IPTV behind them.
  12. Connect Red Cable
  13. Restart All IPTV
  14. Done

Configuration Screenshots

Below you will find instructions, screenshots and diagrams on how to configure and achieve the activities mentioned above. There is no strict order except for the moment you connect the network cable marked "RED" in text and diagrams: without the necessary configuration in place, it can kill or fully interrupt your network.

Physical Configuration

  1. Green: Management tooling (UniFi management software)
  2. Set up your site and basic configuration first
  3. Blue: Connect the switches and the USG, then adopt them
  4. Gray: Adopt the access points and configure them
  5. Continue with network & profile configuration first!
  6. Yellow: Connect the IPTV boxes
  7. Continue with port configuration first!
  8. After port configuration: connect the Red cable from Switch 1 to the Experia Box
  9. Power-cycle / restart the IPTV boxes

You do not need the Power-over-Ethernet injectors or USB adapters that ship with the access points or Cloud Key if you connect them directly to the PoE ports of the PoE switches as shown in the diagram. Regular UTP/RJ45 patch cable works as long as it is straight-through (un)shielded Cat5e or Cat6 (not a crossover cable). Power is then provided over the network cable to the access point if it is connected "directly" (wall plates or a short patch-panel run in between are fine). The Ethernet standard allows up to 100 metres per run, but it is generally recommended to stay under 50 metres for PoE runs or you might run into unexpected issues.

Network Configuration

The first thing we do after the initial physical installation is install the Management Dashboard. As soon as the UniFi management software is running, we create a few virtual networks besides the default local network, and after that one or more wireless networks.

Default Networks

  • VLAN 1: LAN - Default Network

Custom Networks

  • VLAN 4: KPN IPTV
  • VLAN 6: KPN Internet
  • VLAN 10: Custom Private Network
  • VLAN 100: Custom Management Network

Wireless Networks

  • Create any Wireless network. Make sure to add VLAN 10 to it.

All computers will connect to VLAN 10, the custom private network. All IPTV boxes connect to VLAN 4 and VLAN 6. All UniFi equipment will communicate on management VLAN 100 instead of VLAN 1; we change this default on each device except the router and the Cloud Key.

Before you connect the "RED" cable you must complete a configuration step that comes later in this document: assigning the port profile "VLAN4+6 Uplink (RED)" to the red-arrow-marked port on the switch. Only after that is done may you connect the red cable, and only then! Otherwise the Experia Box's LAN side (which is also the USG's WAN side) gets bridged straight into your default VLAN 1: two DHCP servers on one segment, a possible switching loop, and traffic showing up everywhere you did not want it (and your IPTVs will stutter or not work).

Detailed Configuration

Network - Default VLAN (LAN)

  • Navigate to Settings > Networks > Create New Network in the UniFi Network Controller (If this one doesn't exist).

  • Verify the necessary fields as shown in the image below:

    • Name: Local Network (LAN)
    • Purpose: Corporate
    • Network Group: LAN1
    • Gateway: 192.168.1.1/24 (or 10.0.0.1/24 or 172.19.1.1/24). Pick a subnet that does not overlap with the Experia Box's own LAN subnet (that is the USG's WAN side), or adoption and routing will break; see Troubleshooting.
    • IGMP Snooping: Enable IGMP Snooping (needed so IPTV multicast is only forwarded to ports that asked for it).
    • DHCP Mode: DHCP Server. -> Click Update Ranges
  • Click create/save

 

Network - VLAN 4 KPN IPTV

  • Navigate to Settings > Networks > Create New Network in the UniFi Network Controller

  • Fill in the necessary fields as shown in the image below:

    • Name: KPN IPTV
    • Purpose: VLAN Only
    • VLAN: 4
    • IGMP Snooping: Enable IGMP Snooping
  • Click create/save

 

Network - VLAN 6 KPN Internet

  • Navigate to Settings > Networks > Create New Network in the UniFi Network Controller

  • Fill in the necessary fields as shown in the image below:

    • Name: KPN Internet
    • Purpose: VLAN Only
    • VLAN: 6
    • IGMP Snooping: Enable IGMP Snooping
  • Click create/save

 

Network - VLAN 10 Your Private Network

  • Navigate to Settings > Networks > Create New Network in the UniFi Network Controller

  • Fill in the necessary fields as shown in the image below:

    • Name: Private Network or Internet
    • Purpose: Corporate
    • Network Group: LAN1
    • VLAN: 10
    • Gateway: 192.168.5.1/24
    • IGMP Snooping: Enable IGMP Snooping
    • DHCP Mode: DHCP Server. -> Click Update Ranges
  • Click create/save

 

Network - VLAN 100 Management Network

  • Navigate to Settings > Networks > Create New Network in the UniFi Network Controller

  • Fill in the necessary fields as shown in the image below:

    • Name: Management
    • Purpose: Corporate
    • Network Group: LAN1
    • VLAN: 100
    • Gateway: 192.168.200.1/24
    • IGMP Snooping: Enable IGMP Snooping
    • DHCP Mode: DHCP Server. -> Click Update Ranges
  • Click create/save

 

Wireless Network - VLAN 10 (any name you choose)

You will need a name for your wireless network; you can pick anything using A-Z and 0-9. For the security key (the wireless password), keep in mind that a WPA2 Personal key can be attacked offline once somebody has captured a single client's handshake, so length matters far more than character substitutions: use a passphrase of at least 16 characters (a few random words is easy to type and hard to guess) rather than a short word with digits swapped in. A key like W3L0v3Y4m is too short and too predictable. (Example wireless name: HomeSweetHome.)

  • Navigate to Settings > Wireless Networks > Create New Wireless Network in the UniFi Network Controller (or Edit an existing one).
  • Fill out the (mostly) necessary fields as shown in the image below:

    • Name/SSID: Some Name
    • Enabled: Check Enable this Wireless Network
    • Security: Select WPA Personal. In the advanced settings set WPA Mode to WPA2 Only and Encryption to AES/CCMP Only (no TKIP); use WPA3 if your controller and clients support it.
    • Security Key: Known as the Wireless Password, will be entered when connecting.
    • Click Advanced Settings to open up additional required configuration
      • Use VLAN: Check Enable VLAN and enter 10 in the input field.
      • Multicast Enhancement: Enable Multicast Enhancement (IGMPv3)
  • You can leave the rest of the settings as default.
  • Click save

 

Management Configuration

For all switches and access points, go into the device settings and set the service setting Management VLAN to 100.

This can lead to catch-22 situations if you already have existing network settings or have already changed the port profiles from the next section: if the port towards a switch or access point no longer carries the management network (because it uses something other than the All profile), the device becomes unreachable as soon as it moves to VLAN 100. If that happens, temporarily set those port profiles to All, try again, and revert to the correct profile afterwards.

 

Port Profiles

You can find these by navigating to Settings > Profiles > Switch Ports in the UniFi Network Controller

Profile - Default VLAN (LAN)

There is also an ALL profile. It allows far too much, hence we create a new "Default" which you should use for ordinary ports.

  • Navigate to Settings > Profiles > Switch Ports > Add New Port Profile in the UniFi Network Controller

  • Fill in the necessary fields as shown in the image below:

    • Profile Name: Local Network (Default LAN)
    • Native Network: Select Local Network (Default LAN)
    • Tagged Networks: uncheck all boxes
  • Click create/save

 

Profile - All

The built-in All profile carries every network. Use it only for ports that chain switches together (uplink ports). Normally you would make a custom profile so that each virtual network only reaches the places you want it to. For ease and simplicity we leave this profile active for now.

  • Navigate to Settings > Profiles > Switch Ports > Edit Port Profile in the UniFi Network Controller

  • Click and select the necessary fields as shown in the image below:

    • Profile Name: All
    • Native Network: Select Local Network (Default LAN)
    • Tagged Networks: check all boxes
  • Click create/save

 

Profile - VLAN 4 KPN IPTV

  • Navigate to Settings > Profiles > Switch Ports > Add New Port Profile in the UniFi Network Controller

  • Fill in the necessary fields as shown in the image below:

    • Profile Name: KPN IPTV
    • Native Network: Select KPN IPTV (4)
    • Tagged Networks: uncheck all boxes
  • Click create/save

 

Profile - VLAN 6 KPN Internet

  • Navigate to Settings > Profiles > Switch Ports > Add New Port Profile in the UniFi Network Controller

  • Fill in the necessary fields as shown in the image below:

    • Profile Name: KPN Internet
    • Native Network: Select KPN Internet (6)
    • Tagged Networks: uncheck all boxes
  • Click create/save

 

Profile - VLAN 10 Your Private Network

  • Navigate to Settings > Profiles > Switch Ports > Add New Port Profile in the UniFi Network Controller

  • Fill in the necessary fields as shown in the image below:

    • Profile Name: Private Network
    • Native Network: Select Private Network (10)
    • Tagged Networks: uncheck all boxes
  • Click create/save

 

Profile - VLAN 100 Management Network

  • Navigate to Settings > Profiles > Switch Ports > Add New Port Profile in the UniFi Network Controller

  • Fill in the necessary fields as shown in the image below:

    • Profile Name: Management
    • Native Network: Select Management(100)
    • Tagged Networks: uncheck all boxes
  • Click create/save

 

(REQUIRED) VLAN4+6 Uplink (RED)

  • Navigate to Settings > Profiles > Switch Ports > Add New Port Profile in the UniFi Network Controller

  • Fill in the necessary fields as shown in the image below:

    • Profile Name: VLAN4+6 Uplink (RED)
    • Native Network: Select KPN IPTV (4)
    • Tagged Networks: first clear the "All" box so it shows "-" instead of "+", then check only:
      • KPN Internet (6)
  • Click create/save

 

(Optional) Daisy-chain AP to IPTV instead of a switch port

Don't forget to tick the management network. Otherwise you will not be able to reach your access points later on.

  • Navigate to Settings > Profiles > Switch Ports > Add New Port Profile in the UniFi Network Controller

  • Fill in the necessary fields as shown in the image below:

    • Profile Name: Accesspoints-chain-IPTV
    • Native Network: Select KPN IPTV (4)
    • Tagged Networks: first clear the "All" box so it shows "-" instead of "+", then check:
      • KPN Internet (6)
      • Private Network (10)
      • Management (100)
  • Click create/save

I usually add Enable Topology Change Notification to this one, as I would like to be informed in the management dashboard, as an event, when someone has fiddled with the access points with an IPTV device behind them, for example someone hooking up a device that shouldn't be there... It is simply good practice to do it for any port, but still...

Actual Per Port Switch Profile Configuration

I have a network cable to the main port of each access point and use Power-over-Ethernet to power them. The secondary network port on the access points allows me to daisy-chain the network to the other IPTV boxes. This is why I have a custom profile for the access points. In any other setting, you would just use the default setting.

Any cabled network connection directly to an IPTV should use the "VLAN4+6 Uplink (RED)" port profile. Port 2 from the switch to the Experia Box uses this profile as well! Any indirect uplink (an IPTV behind an access point) should use the daisy-chain profile.

 

Any switch-behind-switch situation should get the "All" port profile on the uplink ports when anything behind the second switch needs access to anything but the private network. If you daisy-chain two switches and then an IPTV, configure the All profile on both uplink ports and the VLAN4+6 profile on the port of the second switch that connects to the IPTV.

In my example, switch 1 ports 1 and 8 plus switch 2 port 1 receive the "All" profile. Switch 1 ports 2 and 3 receive the VLAN4+6 profile. Switch 1 port 7 and switch 2 port 7 receive the AP daisy-chain profile.

Switch-Port  Profile                    Reason
1-1          All                        Uplink between Switch 1 and USG
1-2          VLAN4+6 Uplink (RED)       Uplink between Switch 1 and Experia Box for TV connectivity
1-3          VLAN4+6 Uplink (RED)       Directly connected IPTV box
1-4          Private Network (10)       Private computer
1-5          Private Network (10)       Private computer
1-6          All                        Cloud Key; needs access to all networks and must talk to all devices
1-7          Accesspoints-chain-IPTV    Access point with an IPTV box daisy-chained behind it
1-8          All                        Switch-to-switch uplink
2-1          All                        Switch-to-switch uplink
2-2          Disabled                   Nothing connected
2-3          Private Network (10)       Private computer
2-4          Private Network (10)       Private computer
2-5          Private Network (10)       Private computer
2-6          Disabled                   Nothing connected
2-7          Accesspoints-chain-IPTV    Access point with an IPTV box daisy-chained behind it
2-8          Disabled                   Nothing connected
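The port table above encodes the rule that the Management Configuration section and the troubleshooting entries further down keep coming back to: every switch port on the path from the router to a device must carry the VLAN that device needs, and an untagged endpoint (an IPTV box, a PC) needs that VLAN as the native network on its own port. The script below is an added example, not part of this post or of the UniFi software. It copies the per-port table into a small model and reports the first port that drops a required VLAN, which is exactly the "heartbeat missed" / "adoption failed" situation. The hop lists, the switch numbering and the handling of disabled ports are my assumptions about the topology described in the text.

```python
"""Validate that every switch port on the path to an endpoint carries the VLAN
the endpoint needs. Added example; models the port table from this post.
Hop lists and switch numbering are assumptions about the described topology."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Profile:
    native: Optional[int]            # untagged VLAN on the port; None = port disabled
    tagged: frozenset = frozenset()  # 802.1Q tagged VLANs the port also carries

    def carries(self, vlan: int) -> bool:
        return vlan == self.native or vlan in self.tagged


# Port profiles exactly as defined in the Port Profiles section.
PROFILES = {
    "All": Profile(1, frozenset({4, 6, 10, 100})),
    "Local Network (Default LAN)": Profile(1),
    "KPN IPTV": Profile(4),
    "KPN Internet": Profile(6),
    "Private Network": Profile(10),
    "Management": Profile(100),
    "VLAN4+6 Uplink (RED)": Profile(4, frozenset({6})),
    "Accesspoints-chain-IPTV": Profile(4, frozenset({6, 10, 100})),
    "Disabled": Profile(None),
}

# (switch, port) -> profile, copied from the per-port table above.
PORTS = {
    (1, 1): "All", (1, 2): "VLAN4+6 Uplink (RED)", (1, 3): "VLAN4+6 Uplink (RED)",
    (1, 4): "Private Network", (1, 5): "Private Network", (1, 6): "All",
    (1, 7): "Accesspoints-chain-IPTV", (1, 8): "All",
    (2, 1): "All", (2, 2): "Disabled", (2, 3): "Private Network",
    (2, 4): "Private Network", (2, 5): "Private Network", (2, 6): "Disabled",
    (2, 7): "Accesspoints-chain-IPTV", (2, 8): "Disabled",
}

# Each endpoint: the VLAN it needs, the switch ports a frame crosses from the
# router of that VLAN (USG on switch 1 port 1, Experia Box on switch 1 port 2)
# to the endpoint, and whether the endpoint speaks untagged frames.
# The hop lists are assumed from the diagram described in the text.
REQUIREMENTS = [
    ("Cloud Key on VLAN 1",           1,   [(1, 1), (1, 6)], True),
    ("PC on switch 1 port 4",         10,  [(1, 1), (1, 4)], True),
    ("PC on switch 2 port 3",         10,  [(1, 1), (1, 8), (2, 1), (2, 3)], True),
    ("AP downstairs mgmt (VLAN 100)", 100, [(1, 1), (1, 7)], False),
    ("AP downstairs SSID (VLAN 10)",  10,  [(1, 1), (1, 7)], False),
    ("AP upstairs mgmt (VLAN 100)",   100, [(1, 1), (1, 8), (2, 1), (2, 7)], False),
    ("AP upstairs SSID (VLAN 10)",    10,  [(1, 1), (1, 8), (2, 1), (2, 7)], False),
    ("IPTV on switch 1 port 3",       4,   [(1, 2), (1, 3)], True),
    ("IPTV behind AP downstairs",     4,   [(1, 2), (1, 7)], True),
    ("IPTV behind AP upstairs",       4,   [(1, 2), (1, 8), (2, 1), (2, 7)], True),
]


def check_path(vlan, hops, untagged_end, ports):
    """Return None when every hop carries `vlan`, otherwise a message naming the
    first hop that drops it. An untagged endpoint additionally needs `vlan` as
    the native network on the last hop (its own port)."""
    for i, hop in enumerate(hops):
        name = ports[hop]
        prof = PROFILES[name]
        if not prof.carries(vlan):
            return f"switch {hop[0]} port {hop[1]} ({name}) does not carry VLAN {vlan}"
        if i == len(hops) - 1 and untagged_end and prof.native != vlan:
            return (f"switch {hop[0]} port {hop[1]} ({name}) must have VLAN {vlan} "
                    f"as native for an untagged device")
    return None


def validate(ports=PORTS):
    """Return 'endpoint: problem' strings; an empty list means the plan is consistent."""
    problems = []
    for name, vlan, hops, untagged in REQUIREMENTS:
        err = check_path(vlan, hops, untagged, ports)
        if err:
            problems.append(f"{name}: {err}")
    return problems


if __name__ == "__main__":
    print("table from this post:", validate() or "OK")
    # The catch-22 from the text: the AP port set to the plain IPTV profile
    # silently loses VLAN 100 (management) and VLAN 10 (the SSID).
    broken = {**PORTS, (1, 7): "KPN IPTV"}
    for problem in validate(broken):
        print("broken:", problem)
```

Run it as-is and the table from this post comes back clean; the `broken` variant shows why an access point goes into "heartbeat missed" the moment its port gets a profile without the management VLAN. Extend `REQUIREMENTS` with your own endpoints before you touch the red cable.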

Party Time!

Done!?!? Let me know if you didn't succeed, or have feedback, by mailing me.

Troubleshooting, Debugging & Comments

In general, if it used to work and isn't now: check whether the dashboard still works. Check whether you have internet. If you do, check for any warnings or errors that could indicate what it is about. In all other cases, simply turning it off and on again (power-cycle) usually does the trick if it was just a hiccup. (Yes, you can debug it, but usually people reading this don't know how, and the point of this blog post was to keep it "relatively" simple.)

For your convenience, I have added some lessons-learned and often occurring issues here.

Names, ranges, VLAN IDs and schematics etc.

All names, ranges, VLAN IDs etc. mentioned can simply be changed or replaced. Just make sure that nothing overlaps and that no range is too small for its purpose when you create them. There are a few vendor-specific settings, in this case for the operator KPN, which uses VLAN 4 for IPTV and VLAN 6 for Internet.
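"Nothing overlaps and nothing is too small" is easy to get wrong by hand, and an overlap between the USG's LAN and the Experia Box's LAN is the router adoption failure described in the next section. The script below is an added example, not part of this post or of UniFi; it runs the VLAN subnets from this post through the two checks with the standard library `ipaddress` module. The Experia Box subnet and the L2TP pool are assumed values chosen for illustration (check your own Experia Box's LAN address), as are the device counts.

```python
"""Check a UniFi network plan for overlapping subnets, ranges that are too
small, and non-private ranges. Added example; the VLAN subnets are the ones
used in this post, the Experia Box subnet, L2TP pool and device counts are
assumptions for illustration."""
import ipaddress

PLAN = {
    "Experia Box LAN (USG WAN)": "192.168.2.0/24",    # assumption
    "VLAN 1 LAN":                "192.168.1.0/24",
    "VLAN 10 Private":           "192.168.5.0/24",
    "VLAN 100 Management":       "192.168.200.0/24",
    "L2TP remote users":         "192.168.50.0/24",   # assumption
}

# Expected number of client devices per network, gateway excluded (assumed).
EXPECTED_DEVICES = {
    "VLAN 1 LAN": 10,
    "VLAN 10 Private": 12,
    "VLAN 100 Management": 6,
}


def check_plan(plan, expected_devices):
    """Return human-readable problems; an empty list means the plan is sound."""
    problems = []
    nets = {name: ipaddress.ip_network(cidr, strict=False)
            for name, cidr in plan.items()}
    names = list(nets)
    # Two networks on one router must not overlap: the USG cannot route between
    # identical ranges, and adoption/DHCP misbehave (see Adoption Failed below).
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    # Usable hosts = all addresses minus network, broadcast and the gateway.
    for name, count in expected_devices.items():
        usable = nets[name].num_addresses - 3
        if usable < count:
            problems.append(f"{name} ({nets[name]}) has {usable} usable "
                            f"addresses for {count} devices")
    # Everything behind the USG should live in RFC 1918 space.
    for name, net in nets.items():
        if not net.is_private:
            problems.append(f"{name} ({net}) is not a private range")
    return problems


def gateway(cidr):
    """First usable address of the range, the convention this post uses for gateways."""
    return str(next(ipaddress.ip_network(cidr, strict=False).hosts()))


if __name__ == "__main__":
    print("plan from this post:", check_plan(PLAN, EXPECTED_DEVICES) or "OK")
    # The adoption failure from the text: USG LAN on the same range as the Experia Box.
    clash = {**PLAN, "VLAN 1 LAN": "192.168.2.0/24"}
    for problem in check_plan(clash, EXPECTED_DEVICES):
        print("clash:", problem)
```

Put your real Experia Box subnet into `PLAN` before trusting the result; the defaults in the block are placeholders.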

Other Providers

This tutorial will work for most internet providers using routed IPTV instead of bridged. The settings you need to change are the ones for VLAN 4 and VLAN 6. Find out which VLANs your operator uses and change the IDs accordingly.

Lessons Learned etc

Management of the Router, Switches, Camera's and Access-points

Most issues here have to do with correctly setting up the "Management VLAN". After you have created it, you need to configure each device to use that network segment for its management traffic. You do this in the dashboard by going into the settings of that particular device > Services > Management VLAN > dropdown > Management, then scroll down (it is sometimes hard to see, but there is an OK / Apply button all the way at the bottom).

  • Adoption Failed

    This can have a couple of root causes. In case of the router: the USG's LAN subnet overlaps with the Experia Box's LAN subnet (which is the USG's WAN side). Check the Experia Box's LAN address and give the USG a different network, e.g. 10.0.0.1/24 or 192.168.10.1/24.

    In the case of an access point or switch: most likely you forgot to include the management VLAN in the switch port profile of the port it hangs off, or you forgot to change the device's Management VLAN and it is still running in VLAN 1, which is not reachable on that segment. The latter leads to a catch-22 and you might need to temporarily set the port to the ALL profile to rescue the device. All devices behind that port are affected as well, so be cautious.

  • Heartbeat missed

    This can have many reasons. Start by power-cycling the affected device and check whether its lights come on. It often happens right after you selected a new management network for the device: usually a switch port profile somewhere in the chain leading up to the device is misconfigured and does not carry the management VLAN. Ensure that management VLAN 100 is tagged in every custom profile on that path (the daisy-chain profile in particular); only the default "ALL" profile carries it automatically. Do not add the management VLAN to the VLAN4+6 profile, since nothing on those ports should be able to talk to the management network. If the problem sits in a daisy chain you created, either re-arrange it, or double-check that the devices behind it can work on VLAN 10 with KPN IPTV (4) as the native VLAN of that profile.

  • Final attempt

    If all else fails, use the factory reset button on the device and try to adopt it again. Note that it will be wiped of all settings and will end up in the default VLAN 1; you will need to adopt and reconfigure it to be on the management VLAN. It is recommended to write down the settings you intended and to "forget" the device in the controller prior to factory resetting it. This ensures that the device does not return to the faulty state should the configuration being pushed to it be the thing causing the issue (a configuration loop after factory reset).

PCs, Tablets, Phones...

  • Wireless PCs can't reach the internet

    Check whether the switch port towards the access point has the ALL profile, the daisy-chain profile, or a custom profile that carries both the intended private network (VLAN 10) and the management VLAN (VLAN 100). If the management VLAN is missing from that profile, you will most likely also see heartbeat missed or adoption failed on the access point.

  • Wireless PCs cannot see the Private Network

    Check your wireless network settings and double-check that the correct VLAN is set. By default no VLAN is selected, which puts all wireless traffic on VLAN 1 instead of VLAN 10. In tighter setups this makes resources on VLAN 10 unreachable. Simply edit the configuration to VLAN 10 and restart your devices (or renew their DHCP leases) and you should be fine.

IPTV

  • A single IPTV box is stuttering or pauses indefinitely after 4 seconds of play

    Most likely you misconfigured KPN IPTV or a port's switch profile. If the others are working, start by removing power from the IPTV device and putting it back on. If it still isn't working, go into the dashboard and verify that the port it is connected to has the intended switch port profile. For example:

    • IPTV connected behind the secondary port of the access point: this port should have the daisy-chain profile.
    • IPTV connected solely behind a switch port: that switch port should have the VLAN4+6 profile.

    If it is still not working, yet the others are, you might want to restart the switches and the USG. Still not working? Check whether it is connected to Switch 2. If it is and the working ones are too, I have no real clue how to continue. If they are separate (two on Switch 1 and the issue occurs on Switch 2), the uplink port on Switch 1 is most likely configured to only transmit a specific VLAN and 4 and 6 aren't selected.

  • All IPTV boxes are stuttering or say: No Connection

    Do you have internet at all? If so, you most likely configured the KPN IPTV VLAN wrongly or have not yet connected the "RED" cable the way you should. If it went from a working to a non-working situation, check the cable and the configuration described in the "Uplink cable Switch port 2 to Experia Box" part of this post. Most likely something shifted or came loose; check whether the port lights are on and blinking (ensure the cable is seated correctly). If you are 100% sure nothing has changed, a good starting point is to restart the Experia Box first and then continue debugging. Note: you will lose internet during this time (and thus your VoIP, Skype or whatever IP voice you are using).

Remote VPN / Corona Virus

This just builds a "secure" network behind the router usable for working from home. Below is the L2TP configuration; a Dynamic DNS how-to will follow.

You need to forward ports from your Experia Box to the USG's WAN address. For L2TP over IPsec that is UDP 500 (IKE) and UDP 4500 (IPsec NAT-T); because the USG sits behind the Experia Box's NAT, the ESP traffic travels inside UDP 4500. RADIUS does not need to be forwarded: the USG's built-in RADIUS server is only consulted by the USG itself and should never be reachable from the internet. This port forwarding is not needed for FTTH and bridged mode, only for routed mode.

A "silent" YouTube video without narration shows the principles of creating this:

 

Configure the L2TP Network

  • Navigate to Settings > Networks > Create New Network in the UniFi Network Controller (or edit an existing one).
  • Fill out the necessary fields as shown in the video above / image below:

    • Purpose: Remote User VPN
    • VPN Type: L2TP Server
    • Pre-Shared Key: the IPsec pre-shared secret, entered on every L2TP client along with the username and password (created under RADIUS users). Use a long random value: it is shared by all VPN users and is the only thing authenticating the IPsec tunnel before the user logs in.
    • Gateway/Subnet: must not conflict with any other network present on the controller (nor with the Experia Box's LAN).
    • (Optional) Name Server: leave on Auto unless you have specific requirements.
    • (Optional) WINS Servers: can be left unchecked unless you need this for legacy Windows server access.
    • (Optional) Site-to-Site VPN (if visible in your configuration): if you use the "Auto" VPN type to connect sites, the L2TP VPN subnet is included in those automatic routes when this option is selected.
  • Choose the Default RADIUS profile from the drop-down.
  • Click save

(Screenshots for this part are missing; check the video instead.)

Older Windows 10 versions need a registry tweak to connect to an L2TP/IPsec server that sits behind NAT (which the USG does in routed mode). The latest and fully updated versions 1909/2004 didn't need this. The value 2 tells Windows to accept UDP-encapsulated IPsec whether the server, the client or both are behind NAT; reboot after adding it.

REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f

 

Scribbling for FTTH / Vrije Modem Keuze (free choice of modem) etc.

IGMP v2/v3 snooping, fast leave... DHCP options 50, 60 etc.

Well, you are most likely still reading this, but erm, yeah: you need these settings to facilitate IPTV and to ensure that not all IPTV multicast traffic floods your entire network. Furthermore, you are most likely looking at a situation where you are fully replacing your Fiber to the Home router. Basically you can perform all the steps mentioned above, but you won't be done yet. You will need to set a static route, which the web console currently doesn't allow you to do. You will also need to set up a PPPoE connection for your internet connection in the WAN segment; you can do this under Network Settings (WAN). Ubiquiti is going to add a console option to create and manage an IGMP proxy and an easier way of configuring it manually.

If... IF... you know how SSH and SCP work, you could factory reset your USG and use the information from https://github.com/coolhva/usg-kpn-ftth. This will set you up with the basics to get it working. You will then have basic internet just like in this example, and from that point on everything else in this tutorial will WORK!

Author: Angelique Dawnbringer Published: 2019-05-30 15:40:52 Keywords:
  • Ubiquiti
  • Unifi
  • IPTV
  • KPN
  • Routed Mode
Modified: 2020-09-05 01:11:47