
Proximus on your terms: running Internet and TV with your own gear

By tuabuh · 7 min read · 101 views
Tags: networking, homelab
Ever looked at your provider’s router, sighed, and thought “what if I drove this thing myself?” Same. This post is my battle-tested guide to using OPNsense with Proximus in Belgium for both Internet and TV. Expect VLANs, DHCP sorcery, and a little multicast magic. We’ll keep it practical, a bit playful, and 100% focused on helping you get to a working setup without rage-rebooting at 2 a.m. again.

What you'll get at the end

  • Internet via OPNsense using Proximus’ WAN requirements
  • Proximus TV working over multicast, with clean firewall rules
  • A sane DHCP setup that treats your decoder like a VIP in its own lounge

What this guide is not for.

Unfortunately, this will only work if you are a fiber client, since you need to be migrated to the TITAN infrastructure of Proximus.

If you are a regular VDSL user, this will not work as written. It could work, but you would need to ask Proximus for an a-mod instead of a regular BBOX, and some adaptation would be needed, since Internet and TV are two separate VLANs there instead of a single setup like in this guide.

Why? Because you cannot just plug in a regular VDSL router you bought on Amazon. The modem needs to support some specific VDSL2 profiles and vectoring:

  • VDSL2 profile 17a or 35b (depending on area)
  • Vectoring (G.993.5) to cancel crosstalk between copper pairs
  • Dynamic Line Management (DLM) to automatically adjust the line speed for stability

Proximus locks its DSLAMs to work only with approved modems that have been tested for:

  • Vectoring compatibility (the modem must support Proximus’ vectoring whitelist)
  • DLM interoperability (it must properly respond to Proximus’ management system)
  • TR-069 remote management (for firmware updates and diagnostics)

If the modem’s chipset or firmware isn’t on the Proximus vectoring whitelist, the DSLAM won’t enable vectoring for that line.

➡️ Result: your line operates without vectoring, meaning much higher crosstalk and a huge drop in attainable bitrate, sometimes from 70–100 Mbps down to 10–15 Mbps or less.

If you still want to go with a custom modem, you will need to use the Belgian variant of the Fritz!Box 7530/7590, which is compatible with and approved by Proximus. But the rest of this guide does not apply to the Fritz!Box.

Quick map of the terrain

  • WAN runs on VLAN 20
  • DHCP on the WAN must request specific options to make TV work
  • You’ll allow multicast and IGMP on both WAN and LAN
  • The STB gets its own DHCP pool and some special options, including Proximus DNS, NTP, and a bootfile value you’ll fetch from your WAN lease

Yes, it’s a lot. No, it’s not impossible. Let’s go.

WAN setup: tagging the traffic

Proximus expects all WAN traffic to be tagged on VLAN 20.

  • Create a VLAN interface tagged 20 on your physical WAN port (e.g., igb0)
  • Assign that VLAN interface as your WAN in OPNsense

Navigation:

  • Interfaces ⇒ Other Types ⇒ VLAN to create VLAN 20
  • Interfaces ⇒ Assignments to set the new VLAN as WAN
  • Give it a helpful description like “WAN” so Future You smiles

DHCP on WAN: ask for the right things

Your OPNsense WAN client needs to request a set of DHCP options so Proximus gives you everything needed for Internet and TV.

Include these in Interface ⇒ [WAN] ⇒ DHCP client configuration ⇒ Lease Requirements (request options):

  • subnet-mask
  • routers
  • domain-name-servers
  • host-name
  • domain-name
  • ntp-servers
  • vendor-encapsulated-options
  • dhcp-lease-time
  • dhcp-server-identifier
  • bootfile-name
  • classless-routes

Why it matters: some of these values will be passed to your STB later. Without them, interactive TV acts like a moody cat. Looks alive. Doesn’t cooperate.

Firewall rules: be nice to multicast and IGMP

Multicast and IGMP are the lifeblood of IPTV. Drop them and your TV experience becomes… radio.

On WAN

Do two things:

  1. Allow UDP multicast streams from Proximus ranges
  2. Allow IGMP to 224.0.0.0/4

Helpful prep:

  • Create an alias for multicast ranges:

    • 239.192.0.0/16
    • 239.255.0.0/16

Rules to add in Firewall ⇒ Rules ⇒ WAN:

  • Pass UDP to the multicast alias
  • Pass IGMP to 224.0.0.0/4
  • Source for IGMP should be “WAN address”
  • Important: in Advanced features, enable “allow options” for both rules, otherwise OPNsense may silently drop packets with IP options. Multicast uses those.

You should see two clean pass rules on WAN, both with “allow options” enabled.

On LAN

Mirror the spirit:

  • Pass IGMP to 224.0.0.0/4
  • Pass UDP to the Proximus multicast ranges
  • Also enable “allow options” on both

At this point, your firewall is no longer the fun police for multicast.

IGMP Proxy: configure upstream and downstream

An IGMP proxy bridges multicast between your WAN and LAN so IPTV works end‑to‑end. We’ll install the plugin, then declare where multicast comes from (upstream) and where clients live (downstream).

  • System ⇒ Firmware ⇒ Plugins: ensure the IGMP proxy package is installed
  • Services ⇒ IGMP Proxy: open the configuration page

Upstream (WAN)

Proximus delivers VOD, live TV, and interactive streams from these networks:

  • 172.28.40.0/21
  • 172.28.48.0/21
  • 195.238.8.0/24

Add an interface with:

  • Interface: WAN
  • Type: Upstream interface
  • Networks: add the three ranges above

Downstream (LAN)

Downstream is where your multicast receivers sit. This is your LAN or the dedicated subnet/VLAN where the STB lives.

Add an interface with:

  • Interface: LAN (or your STB VLAN)
  • Type: Downstream interface
  • Networks: your client subnet(s). Example in this guide: 192.168.2.168/29

Start and verify

  • Start the service in Services ⇒ IGMP Proxy
  • Check status and logs in Firewall ⇒ Log Files ⇒ General and confirm there are no errors
  • You will only see multicast flows once the set‑top box is powered and joins a group

DHCP for the STB: roll out the red carpet

I like isolating the decoder in its own pool. It’s tidy and it mirrors how Proximus treats it. We’ll match on DHCP Option 60 (vendor-class-identifier), which starts with “IPTV” on Proximus decoders.

Note: I’m delegating DHCP to a Raspberry Pi here. Why you might do the same:

  • LAN stays up when the firewall restarts
  • Fewer services directly on the firewall
  • Maximum flexibility for DHCP config

If you do this, ensure the DHCP server is disabled in OPNsense, or you might have surprises 😄

Define a class and split your subnet into two pools: one for regular clients, one for the STB.

Example dhcpd.conf:

class "iptv" {
  match if substring (option vendor-class-identifier, 0, 4) = "IPTV";
}

subnet 192.168.2.0 netmask 255.255.254.0 {
  pool {
    option domain-name-servers 192.168.2.123;
    range 192.168.2.10 192.168.2.150;
    deny members of "iptv";
  }

  # 192.168.2.168/29 for PXS STB device
  pool {
    option domain-name-servers 195.238.2.21,195.238.2.22;
    option ntp-servers 81.240.251.105,81.244.255.77,81.240.251.109,81.244.255.82;
    option bootfile-name "CVT/2/239.255.1.218:64010+SA=239.255.1.218:64010+SAP/3/239.192.4.47:9875";
    option vendor-encapsulated-options 4:2:52:53;
    range 192.168.2.169 192.168.2.174;
    allow members of "iptv";
  }

  option routers 192.168.2.1;
}

Key details:

  • The STB pool must use Proximus DNS and NTP
  • The bootfile-name is required
  • vendor-encapsulated-options must be passed through

Where do you get bootfile-name? From your OPNsense WAN lease file for the VLAN interface, e.g.:

/var/db/dhclient.leases.igb0_vlan20

You’ll see a block like:

lease {
  interface "igb0_vlan20";
  fixed-address 81.X.X.X;
  option subnet-mask 255.255.240.0;
  option routers 81.X.X.X;
  option domain-name-servers 195.238.2.21,195.238.2.22;
  option ntp-servers 81.240.251.105,81.244.255.77,81.240.251.109,81.244.255.82;
  option vendor-encapsulated-options 4:2:52:53;
  option dhcp-server-identifier 10.24.145.49;
  option bootfile-name "CVT/2/239.255.1.218:64010+SA=239.255.1.218:64010+SAP/3/239.192.4.47:9875";
  ...
}

Copy the bootfile-name value as-is into your STB pool.
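
One way to pull those values out of the lease file, as an added example that is not part of the original post. The function names and the sample leases are constructed for illustration (the older lease's values are made up); the script prints the four STB pool options from the newest lease block and fails if any of them is missing.

```shell
#!/bin/sh
# Added example (not from the original post): print the four STB pool options
# from the newest lease in a dhclient lease file. dhclient appends a block per
# lease, so only the last "lease { ... }" block reflects the current values.
stb_pool_options() {
  awk '
    BEGIN {
      n = split("domain-name-servers ntp-servers bootfile-name vendor-encapsulated-options", order, " ")
      for (i = 1; i <= n; i++) want[order[i]] = 1
    }
    /^[ \t]*lease[ \t]*\{/ { split("", opt); next }   # new block: drop older values
    $1 == "option" && ($2 in want) {
      line = $0
      sub(/^[ \t]+/, "", line)                        # strip indentation only, keep the value as-is
      opt[$2] = line
    }
    END {
      for (i = 1; i <= n; i++)
        if (!(order[i] in opt)) { print "missing in lease: " order[i] > "/dev/stderr"; bad = 1 }
      if (bad) exit 1                                 # refuse to emit a partial pool
      for (i = 1; i <= n; i++) print "    " opt[order[i]]
    }
  ' "$1"
}

# Constructed sample: an older lease followed by the current one.
sample_leases() {
cat <<'EOF'
lease {
  interface "igb0_vlan20";
  option domain-name-servers 195.238.2.21,195.238.2.22;
  option ntp-servers 81.240.251.105,81.244.255.77;
  option vendor-encapsulated-options 4:2:52:53;
  option bootfile-name "CVT/2/239.255.0.1:64010+SAP/3/239.192.0.1:9875";
}
lease {
  interface "igb0_vlan20";
  option domain-name-servers 195.238.2.21,195.238.2.22;
  option ntp-servers 81.240.251.105,81.244.255.77,81.240.251.109,81.244.255.82;
  option vendor-encapsulated-options 4:2:52:53;
  option bootfile-name "CVT/2/239.255.1.218:64010+SA=239.255.1.218:64010+SAP/3/239.192.4.47:9875";
}
EOF
}

# With a path argument, read that lease file; without one, run on the sample.
if [ -n "${1:-}" ]; then stb_pool_options "$1"; else sample_leases | stb_pool_options -; fi
```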

Pro tip: if interactive services are flaky, double-check the DNS and NTP options for the STB pool first. 80% of issues hide there.

Sanity checklist

  • WAN tagged on VLAN 20
  • DHCP client on WAN requests all required options
  • WAN and LAN both allow IGMP and UDP multicast, with “allow options” enabled
  • STB gets special pool with Proximus DNS, NTP, vendor-encapsulated-options, and the exact bootfile-name from your lease
  • Multicast aliases are set to Proximus ranges

If all went well, your TV should light up, your Internet should fly, and your rack should look smug.

That feeling when everything works!

Final thoughts

Not going to lie: getting multicast flowing can feel like deciphering ancient runes. But once it clicks, you’ve got a clean, controllable setup that makes your home network yours again. If you ran into any weird edge cases, I’m curious — and happy to help you dig.

Resources

These official guides from Proximus were the base reference for this setup: