Setting up OPNsense for KPN FttH (KPN Glasvezel)

In my last post, I explained how I built my OPNsense on a Wyse 5070 setup. Migrating from my USG to an OPNsense box, I found out that it was a lot more straightforward than meddling around with a JSON file and hacking into controllers and USG scripts. In this post I’ll go through the settings I used to set up OPNsense for KPN’s FttH connection.

Please note that I am using the Wyse 5070 setup I referred to earlier. This is a box that has two physical network interfaces that I use for the inside and outside interfaces. Although it is possible to set up OPNsense as a one-armed instance, this is not the case here. Lastly, this post uses a setup that has the IPTV set-top boxes in the same LAN/VLAN as other local devices.

I found more than one guide for setting up OPNsense for KPN and everyone does it slightly differently. The settings in this post are exactly what I used to set up my home firewall that I have been using for a while now.

The first part of installing OPNsense has to be done through the console with an actual keyboard and monitor (lame), but after that, all of the actual config can be done headless through the web GUI.

If you are using a switch to connect devices to the LAN-side interface of the OPNsense box, make sure you have a switch that supports IGMP snooping and make sure it’s enabled. KPN recommends using the Netgear GS105E.

This post only deals with getting internet and IPTV working on OPNsense. This is not a full OPNsense config guide and you may want to configure additional security settings on OPNsense afterwards.

Installing OPNsense

Some of the configuration I describe in this post may be different from yours. My physical adapters are named vmx0 (LAN) and vmx1 (WAN) as I am installing on VMware ESXi for this post. These may be called differently in your setup, depending on your (virtualized) hardware.

Starting the installer

Once you have booted from the install medium as described in my previous post, OPNsense will welcome you with a little splash screen and some boot options you can select. For our purpose, we don’t need any specific boot settings, so just let the timeout counter at the bottom run out and wait for OPNsense to boot into the live environment.

OPNsense boot screen

Once OPNsense has booted into the live environment, a login prompt is shown at the bottom of the screen. Your system is now running a complete copy of OPNsense on a RAM disk. So anything you configure right now will be lost once you reboot. To install OPNsense to the local drive, log in using the credentials installer/opnsense to start the installer wizard.

Logging in using the installer account

Keymap selection

Select the appropriate keymap for your keyboard. Mine is a US International keyboard so I left it on the default keymap.

Keymap selection

Select filesystem

For OPNsense you can choose to install using either the UFS or ZFS filesystem. I’m a big fan of ZFS as it is reliable, resilient, and has pretty good performance. One downside is that ZFS has a slightly larger RAM footprint. If your OPNsense has plenty of RAM (I’m using 8GB, which is plenty), go for ZFS. If you have to use it more sparingly, go for UFS. In this post I’ll be using ZFS from this point forward.

Filesystem selection

ZFS configuration

ZFS can do a RAID configuration that spreads data and parity information over several disks for increased performance and data resiliency. However, since our box only has one drive installed, I’m choosing the stripe option.

ZFS will ask you to select a disk to install OPNsense to. In my case, both disks are labeled VMware Virtual disk. However, in most cases, the label will show you the drive’s manufacturer and model data. Select the drive you want to install by using the arrow keys to highlight it and then press space to select it.

If you are using the Wyse 5070 with an extra M.2 SATA drive on top of the built-in eMMC storage like I did in my previous post or if you are using a box with more than one disk, make sure to select the correct disk.

Confirm the installation to the selected disk to start the installation process.

Danger, Will Robinson!

My installation progress screen got stuck a couple of times. Pressing enter will refresh the screen to the correct percentage.

Finalizing installation

When the installer finishes, you’re given the option to either Exit or to Change the root password. As a matter of principle, I would recommend changing the root password now. If you don’t, you will be able to change it through the web GUI later. Afterwards, choose Exit.

Make sure you remove the install medium after the box has shut down, so that you don’t boot right back into the live environment.

Final screen after installation

Configuring OPNsense

Logging into the web GUI

All of the necessary configuration after the initial installation can be done through OPNsense’s built-in web GUI. Make sure you have connected your computer on which you are going to do the configuration to the LAN interface. You should then get an IP address assigned in the same range as the configured LAN subnet. By default this is 192.168.1.0/24. The web GUI is available by default on its gateway address through https://192.168.1.1/.

Log on using the username root. The (default) password is opnsense unless you decided to change this during the initial installation process.

Login screen

After logging into a fresh OPNsense installation, you will be asked to go through the set-up wizard. We won’t be using the wizard in this configuration.

Setting up VLANs

KPN uses two VLANs on the WAN side that split regular internet and IPTV traffic. We need to create two VLANs in our configuration to be able to assign these to the interfaces.

In the menu on the left, go to Interfaces, Other types and then select VLAN. At the top right, click the [+] button to create the VLANs below:

Internet

Parent interface: Select the WAN side interface
VLAN tag: 6
VLAN priority: Best Effort (0, default)
Description: VLAN_INTERNET

IPTV

Parent interface: Select the WAN side interface
VLAN tag: 4
VLAN priority: Best Effort (0, default)
Description: VLAN_IPTV

This should look as pictured below.

Setting up the WAN-side interfaces

Before we can configure the WAN settings for both IPTV and internet, we have to create the appropriate interfaces first. In the menu on the left, go to Interfaces and then Assignments.

At the bottom next to New interface, from the dropdown menu, select VLAN 4 and enter WAN_IPTV for the description. Then click the [+] button to the right.

Add WAN_IPTV interface

On the right side of the interface WAN, from the dropdown menu, select VLAN 6. Then click Save to save the configuration so it looks as pictured below:

Configuring WAN interfaces

We now have all the interfaces we need set up, ready to configure PPPoE and to assign the appropriate VLANs to the WAN interfaces to make sure everything connects correctly. Let’s start with the WAN interface for internet first so that we have an active internet connection.

In the menu on the left, go to Interfaces and then select [WAN] from the list. Enter the settings from the table below.

Basic configuration
  Enable: Enable Interface checked
  Description: WAN
Generic configuration
  Block private networks: Checked
  Block bogon networks: Checked
  IPv4 Configuration Type: PPPoE
  IPv6 Configuration Type: DHCPv6 (Set this to None if you don’t want to enable IPv6 on the WAN side.)
  MTU: 1492
PPPoE configuration
  Username: internet (any string will do)
  Password: kpn (any string will do)

The settings below only apply if you have enabled IPv6 in the settings above.

DHCPv6 client configuration
  Configuration Mode: Basic
  Request only an IPv6 prefix: Checked
  Prefix delegation size: 48
  Use IPv4 connectivity: Checked

The settings page for the WAN interface should now look like this:

Hit Save at the bottom of the page and then apply the settings by clicking Apply changes in the banner that appears at the top.

Next we set up the WAN interface for IPTV. In the menu on the left, go to Interfaces and then select [WAN_IPTV] from the list. Enter the settings from the table below.

Update 08-11-2021: I have now put the DHCP options “subnet-mask, routers, classless-routes” under Request options instead of under Require options. This prevents failure to get a DHCP lease on the IPTV WAN interface in some cases.

Basic configuration
  Enable: Enable Interface checked
  Description: WAN_IPTV
Generic configuration
  IPv4 Configuration Type: DHCP
  IPv6 Configuration Type: None
DHCP client configuration
  Configuration Mode: Advanced
  Override MTU: Checked
  Lease Requirements, Send Options: dhcp-class-identifier "IPTV_RG"
  Request Options: subnet-mask, routers, classless-routes

The settings page for the WAN_IPTV interface should now look like this:

Hit Save at the bottom of the page and then apply the settings by clicking Apply changes in the banner that appears at the top.

The WAN and WAN_IPTV interfaces have now been set up properly. The Assignments page (in the menu on the left, go to Interfaces and then Assignments) should now look like this:
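A quick way to confirm from the OPNsense shell (SSH or console option 8) that both VLAN devices exist with the right tags on the right parent device, as an added example that is not part of this post or of OPNsense itself. It parses `ifconfig` output and assumes FreeBSD’s `vlan: <tag> ... parent interface: <device>` line format and the vmx1 WAN device used in this post; the sample output in the test is constructed.

```shell
#!/bin/sh
# Check that the two KPN VLAN devices (tag 6 = internet, tag 4 = IPTV) exist
# on the WAN parent device. Added example, not from the post or OPNsense.
# Assumption: FreeBSD ifconfig prints a line such as
#   vlan: 6 vlanproto: 802.1q vlanpcp: 0 parent interface: vmx1
# for every vlan device.

# vlan_ok IFCONFIG_TEXT TAG PARENT: true when IFCONFIG_TEXT contains a vlan
# device carrying TAG whose parent is PARENT.
vlan_ok() {
    printf '%s\n' "$1" | grep -Eq "vlan: $2 .*parent interface: $3\$"
}

# check_kpn_vlans IFCONFIG_TEXT PARENT: report both VLANs; returns 0 only when
# both are present on PARENT.
check_kpn_vlans() {
    text="$1"; parent="$2"; rc=0
    vlan_ok "$text" 6 "$parent" \
        && echo "OK: VLAN 6 (internet) on $parent" \
        || { echo "MISSING: VLAN 6 (internet) on $parent"; rc=1; }
    vlan_ok "$text" 4 "$parent" \
        && echo "OK: VLAN 4 (IPTV) on $parent" \
        || { echo "MISSING: VLAN 4 (IPTV) on $parent"; rc=1; }
    return $rc
}

# Live run against the box: sh check_vlans.sh --live vmx1
if [ "${1:-}" = "--live" ]; then
    check_kpn_vlans "$(ifconfig)" "${2:-vmx1}"
fi
```

Pass the actual WAN parent device name as the second argument if yours is not vmx1 (e.g. re0 or igb1 on a Wyse 5070 with a physical NIC).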

Set up firewall rules

To allow all appropriate traffic for IPTV to pass through the interfaces/gateway, we’ll need to add a couple of firewall rules. Note that there are already some built-in rules that come with OPNsense. There may be some overlap in these rules and the rules we are creating. Should you decide to change the built-in rules, you’ll then already have the IPTV-related rules in place. We need to set up four rules in total.

In the menu on the left, go to Firewall, Rules and select LAN to set the rules for our LAN.

We will be adding one rule to this zone. To create a new rule, click the [+] button at the top on the right-hand side of the table. Enter the settings from the table below.

Action: Pass
Interface: LAN
Direction: in
TCP/IP Version: IPv4
Protocol: IGMP
Source: Any
Destination: Any
Advanced features, allow options: Checked

The settings for the rule should now look like this:

Hit Save at the bottom of the page and then apply the settings by clicking Apply changes in the banner that appears at the top.

Afterwards, the rule list for LAN should look like this:

In the menu on the left, go to Firewall, Rules and select WAN_IPTV to set the rules for our IPTV WAN interface.

We will be adding three rules to this zone. To create a new rule, click the [+] button at the top on the right-hand side of the table. Enter the settings from the tables below.

Rule 1

Action: Pass
Interface: WAN_IPTV
Direction: in
TCP/IP Version: IPv4
Protocol: IGMP
Source: Any
Destination: Single host or Network: 224.0.0.0/4
Advanced features, allow options: Checked

Rule 2

Action: Pass
Interface: WAN_IPTV
Direction: out
TCP/IP Version: IPv4
Protocol: IGMP
Source: Any
Destination: Single host or Network: 224.0.0.0/4
Advanced features, allow options: Checked

Rule 3

Action: Pass
Interface: WAN_IPTV
Direction: in
TCP/IP Version: IPv4
Protocol: UDP
Source: Any
Destination: Single host or Network: 224.0.0.0/4

Hit Save at the bottom of the page for each rule and then after creating the last rule, apply the settings by clicking Apply changes in the banner that appears at the top.

Afterwards, the rule list for WAN_IPTV should look like this:

Set up NAT rules

Network Address Translation or NAT for short, is a technology we use (primarily for IPv4 or IPv4-IPv6 translation) to map an address space into another address space (for example, mapping a public IP address to a private IP address).

NAT is one of the main mechanisms by which we conserve the ever-shrinking pool of available IPv4 addresses. If we were to give every device in the world a public IP address so it could talk to any other device, we would (very, very) soon run out! Hopefully, if we ever manage to make IPv4 obsolete and switch completely to IPv6, we can get rid of NAT altogether.

Because we are working with two WAN interfaces (one for internet, one for IPTV) and thus have two interfaces through which traffic can enter and leave our private network, we need to map the correct address space to the correct interface.

In the menu on the left, go to Firewall, NAT and select Outbound to set the rules for our network.

First of all, set the NAT mode for our box to Hybrid outbound NAT rule generation and click Save.

Next, under the table Manual rules we need to set up a single rule. To add the rule, click the [+] button at the top on the right-hand side of the table. Enter the settings from the table below.

Interface: WAN_IPTV
TCP/IP Version: IPv4
Protocol: Any
Source address: LAN net
Destination: Single host or Network: 213.75.112.0/21

The settings for the rule should now look like this:

Hit Save at the bottom of the page and then apply the settings by clicking Apply changes in the banner that appears at the top.

Afterwards, the NAT rule list should look like this:
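Once the four filter rules and the outbound NAT rule are applied, you can audit what pf actually loaded rather than trusting the GUI screenshot. The script below is an added example (not from this post, not OPNsense code) that greps the output of `pfctl -sr` and `pfctl -sn` for the rules described in the firewall and NAT sections above. It assumes the WAN_IPTV interface is the vlan04 device and the LAN is igb0 (override with the IPTV_IF and LAN_IF environment variables), and that pf prints rules in its usual `pass in quick on <if> inet proto igmp from any to 224.0.0.0/4 allow-opts ...` form; the rule lines used in the test are constructed.

```shell
#!/bin/sh
# Audit the loaded pf ruleset for the IPTV filter and outbound NAT rules.
# Added example, not part of the original post or of OPNsense itself.
# Assumptions (adjust to Interfaces > Assignments on your box):
#   IPTV_IF = vlan device assigned to WAN_IPTV, LAN_IF = LAN device.
IPTV_IF="${IPTV_IF:-vlan04}"
LAN_IF="${LAN_IF:-igb0}"
IPTV_NET='213\.75\.112\.0/21'   # KPN IPTV subnet from the NAT rule above
MCAST='224\.0\.0\.0/4'          # IPv4 multicast range from the filter rules

# rule_present RULESET PATTERN: true when one line of RULESET matches PATTERN
# (grep extended regex).
rule_present() {
    printf '%s\n' "$1" | grep -Eq -- "$2"
}

# missing_filter_rules RULESET: print each expected filter rule that is absent
# from RULESET (the text of `pfctl -sr`); returns the number missing (0 = OK).
missing_filter_rules() {
    rules="$1"; missing=0
    rule_present "$rules" "^pass in .*on $LAN_IF .*proto igmp .*allow-opts" \
        || { echo "MISSING: LAN IGMP pass-in with allow options"; missing=$((missing + 1)); }
    rule_present "$rules" "^pass in .*on $IPTV_IF .*proto igmp .*to $MCAST .*allow-opts" \
        || { echo "MISSING: WAN_IPTV rule 1 (IGMP in to 224.0.0.0/4)"; missing=$((missing + 1)); }
    rule_present "$rules" "^pass out .*on $IPTV_IF .*proto igmp .*to $MCAST .*allow-opts" \
        || { echo "MISSING: WAN_IPTV rule 2 (IGMP out to 224.0.0.0/4)"; missing=$((missing + 1)); }
    rule_present "$rules" "^pass in .*on $IPTV_IF .*proto udp .*to $MCAST" \
        || { echo "MISSING: WAN_IPTV rule 3 (UDP in to 224.0.0.0/4)"; missing=$((missing + 1)); }
    return "$missing"
}

# nat_rule_present NATRULES: true when the text of `pfctl -sn` contains the
# outbound NAT rule that maps LAN traffic for the IPTV subnet onto WAN_IPTV.
nat_rule_present() {
    rule_present "$1" "^nat on $IPTV_IF .*to $IPTV_NET -> "
}

# audit_live: run both checks against the ruleset currently loaded in pf.
audit_live() {
    missing_filter_rules "$(pfctl -sr 2>/dev/null)" || echo "$? filter rule(s) missing"
    nat_rule_present "$(pfctl -sn 2>/dev/null)" \
        && echo "OK: outbound NAT rule for the IPTV subnet on $IPTV_IF" \
        || echo "MISSING: outbound NAT rule for the IPTV subnet on $IPTV_IF"
}

# Usage on the box: IPTV_IF=vlan04 LAN_IF=igb0 sh audit_pf.sh --live
if [ "${1:-}" = "--live" ]; then audit_live; fi
```

The check is deliberately loose about rule order and labels, since OPNsense appends its own label and state options; what it insists on is the interface, direction, protocol, the 224.0.0.0/4 destination and the allow-opts flag that IGMP needs (IGMP packets carry the router-alert IP option and are dropped by pf without it).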

Set up gateway metrics

Each WAN interface gets its own gateway in OPNsense. Because the one for IPTV is of no use to us for general traffic and KPN tells us not to use a default gateway for IPTV, we need to make sure OPNsense doesn’t select the automatically created gateway on the IPTV WAN interface. I chose to do this by giving the WAN_IPTV_DHCP gateway a slightly higher priority number than the others (in OPNsense a lower number means a more preferred gateway, so a higher number makes it less preferred).

Make sure your firewall is now physically connected to the NT/KPN network so OPNsense gets the routes and gateway information from the KPN network. If a connection is not made, you will not see the necessary gateways in this step. See section Testing to see if OPNsense successfully connected to the KPN network and if it has retrieved routes and gateway information.

In the menu on the left, go to System, Gateways and select Single to see a list of the configured gateways. The ones that are active are listed as such.

As you can see, all gateways have the same priority. We need to give the WAN_IPTV gateway that sits in the 10.x.x.x range a higher priority number so it is less preferred. Click the pencil icon to the right of the gateway to open its settings.

Next, change the Priority to 255 and hit the Save button. Make sure the other gateways stay on 254 and then apply the settings by clicking Apply changes in the banner that appears at the top.

Update system

You should now have a functioning internet and IPTV connection on your OPNsense box and any device connected to the LAN-side interface. If you want to check if this is the case, head on over to the Testing section.

To be able to install the IGMP proxy later, we need to make sure we’re fully patched and up to date; otherwise the plugin will fail to install. Of course, it’s always a good idea to keep up with updates security-wise.

In the menu on the left, go to System, Firmware and click Status. This should land you on the firmware overview and should have a button to check for updates. Click Check for updates and read through and close the release notes when they pop up.

You will be redirected to the Updates tab, which lists all updates available to you. Scroll all the way to the bottom and hit the Update button to start the update process. OPNsense will prompt you for approval before starting, and may reboot if necessary; wait for it to finish installing.

Once OPNsense finishes installing, proceed to the next section to install the IGMP proxy.

Install IGMP Proxy

To keep IPTV multicast streams from being flooded to every device on the LAN, we use the Internet Group Management Protocol, or IGMP for short, which lets devices join and leave specific multicast groups. This is the reason that we need to install the IGMP proxy on OPNsense and it’s also the reason that any switch you connect to the LAN-side has to support IGMP snooping.

In the menu on the left, go to System, Firmware and click Plugins. This should land you on the available plugin overview.

Type IGMP in the search box at the top so that the os-igmp-proxy plugin pops up. Next, click the [+] button to the right to install it.

Configuring IGMP Proxy

The IGMP proxy plugin we just installed needs to know what the upstream and downstream interfaces are to act as a proxy.

In the menu on the left, go to Services and click IGMP Proxy. This should land you on the settings page that is empty by default. To add the appropriate settings, click the [+] button at the top right and make these two entries:

Interface: WAN_IPTV
Type: Upstream Interface
Networks: 0.0.0.0/1 and 128.0.0.0/1

Interface: LAN
Type: Downstream Interface
Networks: 192.168.1.0/24 (Or your LAN subnet if configured otherwise.)

Hit Save at the bottom of the page for each setting. Your IGMP proxy page should now look like this:
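Behind the GUI, the plugin writes a plain igmpproxy.conf with one upstream and one downstream `phyint`. The script below is an added example (not from this post, not the plugin’s own code) that generates the file matching the two entries above, validates it, and in live mode validates the file OPNsense actually wrote and checks that the daemon is running. It assumes vlan04 for WAN_IPTV and igb0 for LAN, and that the plugin stores its configuration at /usr/local/etc/igmpproxy.conf.

```shell
#!/bin/sh
# Generate and validate the igmpproxy.conf equivalent of the two IGMP Proxy
# entries in the post. Added example, not part of the post or the os-igmp-proxy
# plugin. Assumed device names: vlan04 (WAN_IPTV), igb0 (LAN); assumed path of
# the plugin's generated file: /usr/local/etc/igmpproxy.conf.
IGMPPROXY_CONF="${IGMPPROXY_CONF:-/usr/local/etc/igmpproxy.conf}"

# build_igmpproxy_conf UPSTREAM_IF DOWNSTREAM_IF LAN_NET: print the configuration.
# The two upstream altnets 0.0.0.0/1 and 128.0.0.0/1 together cover all of IPv4,
# so the proxy accepts multicast sources from anywhere in KPN's network.
build_igmpproxy_conf() {
    cat <<EOF
## igmpproxy configuration (written by this example script)
quickleave

phyint $1 upstream ratelimit 0 threshold 1
    altnet 0.0.0.0/1
    altnet 128.0.0.0/1

phyint $2 downstream ratelimit 0 threshold 1
    altnet $3
EOF
}

# validate_conf CONF: returns 0 when CONF defines exactly one upstream phyint,
# at least one downstream phyint, and the downstream carries an altnet (without
# it the proxy will not forward streams to the LAN subnet).
validate_conf() {
    printf '%s\n' "$1" | awk '
        /^phyint / { kind = $3; if (kind == "upstream") up++; if (kind == "downstream") down++ }
        /^[ \t]*altnet / { if (kind == "downstream") dalt++ }
        END { exit !(up == 1 && down >= 1 && dalt >= 1) }'
}

# check_live: validate the file the plugin wrote and confirm the daemon is up.
check_live() {
    validate_conf "$(cat "$IGMPPROXY_CONF")" \
        && echo "OK: $IGMPPROXY_CONF has one upstream and a downstream with an altnet" \
        || echo "FAIL: $IGMPPROXY_CONF is incomplete or missing"
    pgrep -x igmpproxy >/dev/null \
        && echo "OK: igmpproxy is running" \
        || echo "FAIL: igmpproxy is not running"
}

# Usage: sh igmpproxy_check.sh --live      (on the box)
#        sh igmpproxy_check.sh vlan04 igb0 192.168.1.0/24   (print the config)
if [ "${1:-}" = "--live" ]; then
    check_live
elif [ $# -eq 3 ]; then
    build_igmpproxy_conf "$1" "$2" "$3"
fi
```

Comparing the generated text with the file on the box (`diff`) is a quick way to spot a wrong upstream/downstream assignment, which is one of the usual causes of the stb-nmc-400 error discussed in the comments.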

Testing

Interface status

You can check if all the interfaces are up in the Interface Overview. In the menu on the left, go to Interfaces and then Overview. For the WAN and WAN_IPTV interfaces, expand their sections and make sure that the interface (and PPPoE) is up and that they have an IP address, DNS servers and gateway assigned. For example, WAN should look a little like this:

Routes

You can then check to see if the default route was created to allow outbound internet traffic by going to System, Routes and then Status. The top entry should say default for a destination, pppoe0 under Netif and an IP address under Gateway as below.

For the purposes of IPTV routing, OPNsense requests classless routes. You can check to see if these got installed properly by going to System, Routes and then Status. At the top right, enter the name of the IPTV WAN interface WAN_IPTV to filter for routes on this interface. It should look similar to the list below without a default route (0.0.0.0).

Pingle bells, Pingle bells

You can try pinging a couple of targets to see if you have everything working correctly.

  • IPTV subnet routing: 213.75.112.1
  • Internet routing: 8.8.8.8 or 1.1.1.1 (These are Google DNS and CloudFlare DNS respectively.)
  • Check DNS: Ping a host you know will resolve like google.com
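The gateway-priority, route and ping checks above can be scripted so they are repeatable after every change. The script below is an added example (not from this post, not OPNsense code): it parses the routing table to confirm that the default route leaves via pppoe0 (so the IPTV gateway did not win the default-gateway selection) and that the IPTV interface carries classless routes but no default route, then pings the targets listed above. It assumes FreeBSD `netstat -rn` column order (Destination, Gateway, Flags, Netif) and FreeBSD `ping` flags, and that WAN_IPTV is the vlan04 device; the routing-table text in the test is constructed.

```shell
#!/bin/sh
# Verify routing state and reachability after the KPN setup. Added example, not
# part of the original post. Assumes FreeBSD netstat/ping as found on OPNsense
# and that WAN_IPTV is the vlan04 device (override with IPTV_IF).
IPTV_IF="${IPTV_IF:-vlan04}"

# default_via_pppoe ROUTES: true when the IPv4 default route in ROUTES (text of
# `netstat -rn -f inet`, column 4 = Netif) leaves through pppoe0.
default_via_pppoe() {
    printf '%s\n' "$1" | awk '
        $1 == "default" { found = 1; ok = ($4 == "pppoe0") }
        END { exit !(found && ok) }'
}

# iptv_routes ROUTES: print the routes learned on the IPTV interface; returns 0
# only when at least one exists and none of them is a default route, which is
# what the classless-routes DHCP option should give us.
iptv_routes() {
    printf '%s\n' "$1" | awk -v ifc="$IPTV_IF" '
        $4 == ifc && $1 != "default" && $1 !~ /^0\.0\.0\.0/ { print; n++ }
        $4 == ifc && ($1 == "default" || $1 ~ /^0\.0\.0\.0/) { bad = 1 }
        END { exit !(n > 0 && !bad) }'
}

# reachable HOST: one ICMP echo, giving up after 2 seconds.
# FreeBSD ping: -t is the overall timeout in seconds (on Linux -t is the TTL).
reachable() {
    ping -c 1 -t 2 "$1" >/dev/null 2>&1
}

# check_live: run everything against the box's own routing table and network.
check_live() {
    routes=$(netstat -rn -f inet)
    default_via_pppoe "$routes" \
        && echo "OK: default route via pppoe0" \
        || echo "FAIL: default route is not via pppoe0 (check gateway priorities)"
    iptv_routes "$routes" >/dev/null \
        && echo "OK: classless routes present on $IPTV_IF, no default route" \
        || echo "FAIL: no usable IPTV routes on $IPTV_IF (check DHCP request options)"
    # Targets from the post: IPTV subnet, public DNS resolvers, a DNS name.
    for target in 213.75.112.1 8.8.8.8 1.1.1.1 google.com; do
        reachable "$target" && echo "OK: $target" || echo "FAIL: $target"
    done
}

if [ "${1:-}" = "--live" ]; then check_live; fi
```

Run it with `--live` on the OPNsense box; a failing `google.com` with a passing `8.8.8.8` points at DNS rather than routing.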

9 Replies to “Setting up OPNsense for KPN FttH (KPN Glasvezel)”

  1. Hey Tom,

    at the update line; you put date: Update 08-11-2012 i think this should be 08-11-2021, considering you wrote the blog in 2021?

    Also, I am having some issues with a stb-nmc-400 error… I tried to create a separate subnet for the IPTV_STB’s… but I am going to try it your way, see if that works better…

    1. Good catch on the date, thanks!

      stb-nmc-400 is a very generic error that can mean all sorts of things. Usually this is one of these things:

      • IGMP Proxy not running or not configured correctly (wrong interfaces).
      • Firewall rules not adequate or missing.
      • VLAN configuration/assignment incorrect.

      You can help troubleshoot by checking these things:

      • Does the programme guide load?
      • Do you get no stream at all or just a few seconds and then it cuts out or shows artifacts?
      • Does the stb-nmc-400 error show on boot of the STB or only when trying to watch any channels?
    1. Hi qbeez! Glad it works for you.

      We indeed want to give the IPTV gateway a higher priority number to make sure OPNsense doesn’t put it at the top of the list when selecting a default gateway.

      It’s counterintuitive but a lower number will increase its real priority and vice versa.

      1. Correct!

        Anyway … In my setup I did not get that extra gateway for IPTV and think it has to do with the fact that I configured IPTV on a different VLAN.

        An extra tweak to consider:
        Create an interface that maps to the physical WAN-interface and give it an MTU of 1512 (I named it WANRAW). After that, assign an MTU of 1508 to the pppoe-interface. That leaves you with an effective MTU of 1500.

        1. Good suggestion! I really intended this post to be a base for people to experiment and tweak on. Great that it’s doing exactly that!

  2. Is there a specific reason why you only request 3 options using IPTV dhcp client (subnet-mask, routers, classless-routes)? The documentation states you need at least 4 options (subnet-mask, routers, broadcast-address, classless-routes).

    1. Hi qbeez, nothing deliberate. I copied over the settings from my old USG (based on https://github.com/coolhva/usg-kpn-ftth/blob/master/config.gateway.json) that only had these options. This has always worked well for me.
      After reading your comment, I looked into other people using OPNsense and PFsense and these setups also seem to use just the three options without the broadcast address option. I don’t see how a broadcast address would be required for IPTV but I guess adding the option won’t harm.
