HomePostsGetting Proximus IPTV to Behave on a Multi-Vendor Network (OPNsense + Cisco + UniFi)

Getting Proximus IPTV to Behave on a Multi-Vendor Network (OPNsense + Cisco + UniFi)

By tuabuh6 min read1 view
networkinghardware
Share:
Getting Proximus IPTV to Behave on a Multi-Vendor Network (OPNsense + Cisco + UniFi)
Swapping your ISP's router for your own hardware is one of those homelab milestones everyone eventually hits. For most setups, the pain ends once the WAN link comes up and you can ping the outside world. If you're on Proximus here in Belgium, that's roughly where it starts.

This is a follow-up of the my previous blog post: https://blog.nullbyte.be/en/posts/proximus-on-your-terms-running-internet-and-tv-with-your-own-gear

Getting a plain internet connection working on OPNsense is the easy half. The part that quietly eats a weekend is Proximus TV — and specifically, keeping IPTV alive as it crosses a switch network stitched together from three different vendors.

You'll know exactly when you've hit the wall: the stream plays beautifully for about three minutes, then freezes into a single static frame. That oddly specific failure mode is the calling card of multicast routing and IGMP timeouts, and it's what most of this post is about.

So here's how I got Proximus IPTV stable across a mixed network — an OPNsense firewall, a Cisco-like core switch, and a UniFi switch out at the TV. Architecture, VLAN layout, switch config, the whole thing.

1. The Layout

With the ISP's box, you never think about any of this — it handles everything internally. Once you segment the network yourself, the TV traffic has to physically travel through every layer you've built. Here's how mine is wired, both physically and logically:

  • The edge — OPNsense. Terminates the raw Proximus line and runs igmpproxy to shuttle the multicast streams between the provider and the rest of the house.
  • The core — Cisco-like switch. Plugged straight into the firewall, it fans connections out to the other rooms. Everything passes through here.
  • The TV-room switch — UniFi. Sits in the media center and is the last hop before the IPTV set-top box (STB).
 [Proximus ISP]        │
       ▼ (VLAN 20)
 [OPNsense Firewall (192.168.2.1)]

       ▼ (VLAN 1)
 [Cisco-like Core Switch] 

       ▼ (Trunk)
 [UniFi TV Room Switch] ───► [IPTV Set-Top Box]

2. The VLAN Layout

Three VLANs, each with a clear job. The goal is to keep multicast traffic where it belongs and out of everywhere it doesn't:

  • VLAN 1 (LAN) — the main home network. Regular devices live here, and so does the IPTV STB. That last detail matters more than it sounds.
  • VLAN 20 (WAN / provider upstream) — the dedicated link between OPNsense and the Proximus infrastructure, carrying both internet and the raw TV streams.
  • VLAN 99 (IoT) — a walled-off network for smart-home junk. I deliberately turn IGMP Snooping off here so all the device discovery chatter can't bleed into the real-time video plane.

3. The Core Switch

The core does most of the heavy lifting, and its main job for IPTV is figuring out where the multicast routers actually are using IGMP Snooping.

If you peek at its multicast tables, you can watch it learn the active queriers:

Switch#show ip igmp snooping mrouter           
Bridge 1: 
 VLAN: 1  Igmp Snooping Enabled 
    Mrouter -> ge1/1 (Learn't) 192.168.2.1
 VLAN: 20  Igmp Snooping Enabled 
    Mrouter -> ge1/2 (Learn't) 195.13.31.34

Here's the thing — I never manually switched on the core's own IGMP Querier. It works it out on its own:

  • On VLAN 20, it picks up 195.13.31.34, the upstream multicast router living inside Proximus's network.
  • On VLAN 1, it picks up 192.168.2.1, my local OPNsense box running igmpproxy.

This leads to the one rule I'd tattoo on anyone attempting this: if something upstream — OPNsense, the ISP, whatever — is already querying a VLAN, do not also enable the switch's built-in querier on that same VLAN. Two queriers on one segment means a querier election, and those election fights drop the stream every time they flare up. Pick one source of truth per VLAN and leave it alone.

4. The UniFi Switch

This is where most Proximus TV setups fall apart, and it took me a while to admit the problem was here and not in OPNsense.

UniFi gear really, really likes to run its own show. Drop a UniFi switch into a network already governed by a Cisco core and an OPNsense firewall, and it'll happily try to seize control of the IGMP plane out from under both of them. That's the root of the three-minute freeze.

The fix is to tell the UniFi switch, in no uncertain terms, that it's a guest here. In the IGMP Snooping profile for the LAN network:

  • Querier Selection → Off (3rd Party Switches). This stops UniFi from acting like a querier and forces it to just listen to the queries cascading down from the OPNsense/Cisco layer above. Passive is exactly what you want.
  • Fast Leave → Enabled. The moment you change a channel, this prunes the old stream off the STB's port instantly instead of letting it linger. Without it, the link can choke on several overlapping HD streams that should've already been dropped.

5. Why It Freezes After Three Minutes

If your stream comes up clean and then dies a few minutes later, you're almost certainly looking at an IGMP membership timeout. The mechanics are worth understanding, because once they click, the fix is obvious.

When the STB tunes a channel, it shouts an IGMP "Join" packet. The switches hear it, open the relevant port, and the picture appears. But that port doesn't stay open out of politeness — the network has to keep taking roll call with a periodic IGMP General Query to confirm someone's still watching.

Break that roll call and everything unravels. If UniFi is left in "Advanced Querier" mode, or if OPNsense's software igmpproxy misses its regular queries, the switches conclude the STB has wandered off. The snooping entry times out, the port gets pruned, and your picture locks up. Right around the three-minute mark, give or take.

The fallback that always works (Optional if none above worked)

If igmpproxy keeps hiccuping — and being software, it sometimes does — even after you've sorted the UniFi toggles, stop fighting it and hand query duty to real hardware instead:

  1. Keep igmpproxy running on OPNsense; you still need it to route the data between interfaces.
  2. Explicitly enable the IGMP Querier on VLAN 1 in the Cisco core, and give it a dedicated IP on that subnet.

A switch ASIC will hit a 60-second query interval like a metronome, every single time. That steadiness is what keeps the UniFi edge and the STB locked in step — and it's what finally killed the freeze for good on my setup.