Bypassing the Bell Gigahub using a WAS-110 ONT and VyOS 1.5

Overview

Context

The Bell-provided Gigahub lets power users run their own router behind it via PPPoE passthrough, but doing so can cost throughput and add latency. Some users may prefer to bypass the Gigahub entirely with a third-party device. One compatible device is the WAS-110, which has well-supported community firmware.

You can find details about the WAS-110 and where to buy one here:
https://pon.wiki/xgs-pon/ont/bfw-solutions/was-110/

Prerequisites

To follow this guide you should have already procured a WAS-110 and installed the 8311 community firmware.

Details on how to configure the WAS-110 are available here:
https://pon.wiki/guides/masquerade-as-the-bce-inc-giga-hub-on-xgs-pon-with-the-bfw-solutions-was-110/

You should also have a basic understanding of how to use and configure VyOS.

Tested VyOS Version

At the time of writing, I was using VyOS 1.5-rolling-202408210022. If you are using rolling releases, things can and do break, so your mileage may vary...

VyOS Configuration

Firewall

The configuration below is a basic firewall that drops unsolicited inbound traffic from the WAN and allows all outbound traffic from LAN devices. It also keeps the TV STB VLAN isolated from the LAN while letting it reach everything else (including the multicast range it needs).

# Groups
set firewall group network-group BellTV_Subnet network '192.168.36.0/24'
set firewall group network-group LAN_Subnet network '192.168.0.0/24'
# The input filter below references this interface group, so it must be defined
set firewall group interface-group WAN_Interfaces interface 'pppoe0'

# Forward
set firewall ipv4 forward filter default-action 'drop'
set firewall ipv4 forward filter default-log
set firewall ipv4 forward filter rule 10 action 'drop'
set firewall ipv4 forward filter rule 10 description 'Drop invalid'
set firewall ipv4 forward filter rule 10 state 'invalid'
set firewall ipv4 forward filter rule 20 action 'accept'
set firewall ipv4 forward filter rule 20 description 'Allow established and related'
set firewall ipv4 forward filter rule 20 state 'established'
set firewall ipv4 forward filter rule 20 state 'related'
set firewall ipv4 forward filter rule 30 action 'jump'
set firewall ipv4 forward filter rule 30 inbound-interface name 'pppoe0'
set firewall ipv4 forward filter rule 30 jump-target 'WAN-FORWARD-IPV4'
set firewall ipv4 forward filter rule 40 action 'jump'
set firewall ipv4 forward filter rule 40 inbound-interface name 'eth1'
set firewall ipv4 forward filter rule 40 jump-target 'LAN-FORWARD-IPV4'
set firewall ipv4 forward filter rule 50 action 'jump'
set firewall ipv4 forward filter rule 50 inbound-interface name 'eth1.36'
set firewall ipv4 forward filter rule 50 jump-target 'BELLTV-FORWARD-IPV4'
set firewall ipv4 forward filter rule 60 action 'jump'
set firewall ipv4 forward filter rule 60 inbound-interface name 'eth0.36'
set firewall ipv4 forward filter rule 60 jump-target 'BELLTV-FORWARD-IPV4'
set firewall ipv4 name BELLTV-FORWARD-IPV4 default-action 'drop'
set firewall ipv4 name BELLTV-FORWARD-IPV4 rule 10 action 'accept'
set firewall ipv4 name BELLTV-FORWARD-IPV4 rule 10 description 'Allow access to all except LAN'
set firewall ipv4 name BELLTV-FORWARD-IPV4 rule 10 destination group network-group '!LAN_Subnet'
set firewall ipv4 name BELLTV-FORWARD-IPV4 rule 10 inbound-interface name 'eth1.36'
set firewall ipv4 name BELLTV-FORWARD-IPV4 rule 20 action 'accept'
set firewall ipv4 name BELLTV-FORWARD-IPV4 rule 20 description 'Allow multicast'
set firewall ipv4 name BELLTV-FORWARD-IPV4 rule 20 destination address '224.0.0.0/4'
set firewall ipv4 name LAN-FORWARD-IPV4 default-action 'accept'
set firewall ipv4 name WAN-FORWARD-IPV4 default-action 'drop'
set firewall ipv4 name WAN-FORWARD-IPV4 default-log
set firewall ipv6 forward filter default-action 'drop'
set firewall ipv6 forward filter default-log

# Input
set firewall ipv4 input filter default-action 'drop'
set firewall ipv4 input filter default-log
set firewall ipv4 input filter rule 10 action 'accept'
set firewall ipv4 input filter rule 10 description 'Allow established and related'
set firewall ipv4 input filter rule 10 state 'established'
set firewall ipv4 input filter rule 10 state 'related'
set firewall ipv4 input filter rule 20 action 'jump'
set firewall ipv4 input filter rule 20 inbound-interface group 'WAN_Interfaces'
set firewall ipv4 input filter rule 20 jump-target 'WAN-INPUT-IPV4'
set firewall ipv4 input filter rule 30 action 'jump'
set firewall ipv4 input filter rule 30 inbound-interface name 'eth1'
set firewall ipv4 input filter rule 30 jump-target 'LAN-INPUT-IPV4'
set firewall ipv4 input filter rule 40 action 'jump'
set firewall ipv4 input filter rule 40 inbound-interface name 'eth1.36'
set firewall ipv4 input filter rule 40 jump-target 'BELLTV-INPUT-IPV4'
set firewall ipv4 input filter rule 50 action 'jump'
set firewall ipv4 input filter rule 50 inbound-interface name 'eth0.36'
set firewall ipv4 input filter rule 50 jump-target 'BELLTV-INPUT-IPV4'
set firewall ipv4 name BELLTV-INPUT-IPV4 default-action 'drop'
set firewall ipv4 name BELLTV-INPUT-IPV4 rule 10 action 'accept'
set firewall ipv4 name BELLTV-INPUT-IPV4 rule 10 description 'Allow multicast'
set firewall ipv4 name BELLTV-INPUT-IPV4 rule 10 destination address '224.0.0.0/4'
set firewall ipv4 name LAN-INPUT-IPV4 default-action 'accept'
set firewall ipv4 name WAN-INPUT-IPV4 default-action 'drop'
set firewall ipv4 name WAN-INPUT-IPV4 rule 10 action 'accept'
set firewall ipv4 name WAN-INPUT-IPV4 rule 10 description 'ICMP'
set firewall ipv4 name WAN-INPUT-IPV4 rule 10 protocol 'icmp'
set firewall ipv6 input filter default-action 'drop'
set firewall ipv6 input filter default-log

# Output
set firewall ipv4 output filter default-action 'accept'
set firewall ipv6 output filter default-action 'drop'
set firewall ipv6 output filter default-log

Interfaces

Five interfaces are created:

  • The physical WAN interface. This is the port the WAS-110 is plugged into. Bell supports baby jumbo frames, so the MTU is set to 1508. An IP in the 192.168.11.0/24 range is also assigned for management of the WAS-110.
  • The WAN IPTV VLAN interface (VLAN 36 on the WAN port). Its DHCP-learned default route is given distance 255 so it never competes with the PPPoE default route; Internet traffic sent that way would go nowhere.
  • The LAN interface.
  • The TV STB VLAN interface (VLAN 36 on the LAN port) for the Bell TV set top boxes.
  • The PPPoE WAN interface (1500 MTU).

# Physical WAN interface / ONT management
set interfaces ethernet eth0 address '192.168.11.10/24'
set interfaces ethernet eth0 description 'WAN - Bell Physical Interface / ONT Management'
set interfaces ethernet eth0 disable-flow-control
set interfaces ethernet eth0 hw-id 'xx:xx:xx:xx:xx:xx'
set interfaces ethernet eth0 mtu '1508'

# WAN IPTV VLAN
set interfaces ethernet eth0 vif 36 address 'dhcp'
set interfaces ethernet eth0 vif 36 description 'WAN - Bell IPTV'
set interfaces ethernet eth0 vif 36 dhcp-options default-route-distance '255'

# LAN
set interfaces ethernet eth1 address '192.168.0.1/24'
set interfaces ethernet eth1 description 'LAN'
set interfaces ethernet eth1 hw-id 'xx:xx:xx:xx:xx:xx'

# TV STB VLAN
set interfaces ethernet eth1 vif 36 address '192.168.36.1/24'
set interfaces ethernet eth1 vif 36 description 'WAN - Bell TV STB VLAN'

# PPPoE interface
set interfaces pppoe pppoe0 authentication password 'xyz'
set interfaces pppoe pppoe0 authentication username 'xyz'
set interfaces pppoe pppoe0 description 'Bell'
set interfaces pppoe pppoe0 mtu '1500'
set interfaces pppoe pppoe0 source-interface 'eth0'
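A config of this size is easy to get subtly wrong: a jump-target or group name that nothing defines, or an unclosed quote. The small linter below is an added example (not part of this guide or of VyOS) that checks pasted "set" commands for exactly those problems; the embedded excerpt is constructed from the firewall and interface blocks above and deliberately contains an undefined interface group and an unclosed hw-id quote.

```python
import re

# Constructed excerpt of VyOS "set" commands in the style of the blocks above,
# seeded with two defects: an undefined interface-group and an unclosed quote.
SAMPLE_CONFIG = """
set firewall group network-group BellTV_Subnet network '192.168.36.0/24'
set firewall group network-group LAN_Subnet network '192.168.0.0/24'
set firewall ipv4 forward filter rule 30 inbound-interface name 'pppoe0'
set firewall ipv4 forward filter rule 30 jump-target 'WAN-FORWARD-IPV4'
set firewall ipv4 forward filter rule 60 jump-target 'BELLTV-FORWARD-IPV4'
set firewall ipv4 name WAN-FORWARD-IPV4 default-action 'drop'
set firewall ipv4 name BELLTV-FORWARD-IPV4 rule 10 destination group network-group '!LAN_Subnet'
set firewall ipv4 input filter rule 20 inbound-interface group 'WAN_Interfaces'
set firewall ipv4 input filter rule 20 jump-target 'WAN-INPUT-IPV4'
set firewall ipv4 name WAN-INPUT-IPV4 default-action 'drop'
set nat source rule 20 source group network-group 'LAN_Subnet'
set interfaces ethernet eth0 hw-id 'xx:xx:xx:xx:xx:xx
"""

GROUP_DEF = re.compile(r"^set firewall group (\S+-group) (\S+)")   # defines (kind, name)
CHAIN_DEF = re.compile(r"^set firewall ipv[46] name (\S+)")        # defines a named chain
GROUP_REF = re.compile(r"(\S+-group) '!?([^']+)'")                 # e.g. network-group '!LAN_Subnet'
IFACE_GROUP_REF = re.compile(r"(?:in|out)bound-interface group '([^']+)'")
JUMP_REF = re.compile(r"jump-target '([^']+)'")

def lint_vyos_set_commands(config: str) -> list[str]:
    """Return problems found (unbalanced quotes, undefined groups/chains); [] means clean."""
    lines = [l for l in config.splitlines() if l.startswith("set ")]
    groups = {m.groups() for l in lines if (m := GROUP_DEF.match(l))}
    chains = {m.group(1) for l in lines if (m := CHAIN_DEF.match(l))}
    problems = []
    for line in lines:
        if line.count("'") % 2:
            problems.append(f"unbalanced quote: {line}")
            continue  # the rest of a half-quoted line cannot be trusted
        if GROUP_DEF.match(line):
            continue  # definitions reference nothing
        refs = list(GROUP_REF.findall(line))
        refs += [("interface-group", n) for n in IFACE_GROUP_REF.findall(line)]
        for kind, name in refs:
            if (kind, name) not in groups:
                problems.append(f"undefined {kind} '{name}': {line}")
        for target in JUMP_REF.findall(line):
            if target not in chains:
                problems.append(f"undefined chain '{target}': {line}")
    return problems

if __name__ == "__main__":
    print("\n".join(lint_vyos_set_commands(SAMPLE_CONFIG)) or "clean")
```

Run it over your full "show configuration commands" output before committing; the references it resolves are the same ones VyOS validates, so a clean run saves a failed commit.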

Source NAT

There are four source NAT rules:

  • One to allow management of the WAS-110 from the LAN
  • One to allow LAN devices access to the Internet via the PPPoE interface
  • One to allow TV STB VLAN devices access to the Internet via the PPPoE interface
  • One to allow TV STB VLAN devices access to 10.0.0.0/8 via the WAN IPTV VLAN

set nat source rule 10 description 'Bell ONT Management'
set nat source rule 10 destination address '192.168.11.1'
set nat source rule 10 translation address 'masquerade'

set nat source rule 20 description 'SNAT - LAN'
set nat source rule 20 outbound-interface name 'pppoe0'
set nat source rule 20 source group network-group 'LAN_Subnet'
set nat source rule 20 translation address 'masquerade'

set nat source rule 30 description 'SNAT - Bell TV - Internet'
set nat source rule 30 destination address '!10.0.0.0/8'
set nat source rule 30 outbound-interface name 'pppoe0'
set nat source rule 30 source group network-group 'BellTV_Subnet'
set nat source rule 30 translation address 'masquerade'

set nat source rule 40 description 'SNAT - Bell TV - IPTV'
set nat source rule 40 destination address '10.0.0.0/8'
set nat source rule 40 outbound-interface name 'eth0.36'
set nat source rule 40 source group network-group 'BellTV_Subnet'
set nat source rule 40 translation address 'masquerade'

Policy Routing

The Bell TV set top boxes need to reach servers on various 10.0.0.0/8 networks that are only reachable through the WAN IPTV VLAN, not the PPPoE session. Policy routing matches that destination on the STB VLAN and sends it through a dedicated routing table whose only route points out eth0.36.

set policy route BELLTV interface 'eth1.36'
set policy route BELLTV rule 1 destination address '10.0.0.0/8'
set policy route BELLTV rule 1 set table '36'
set protocols static table 36 description 'BELLTV'
set protocols static table 36 route 10.0.0.0/8 interface eth0.36

IGMP Proxy

The IGMP proxy relays the multicast streams the Bell TV boxes need from the WAN IPTV VLAN (upstream) to the TV STB VLAN (downstream); the alt-subnet entry tells it to accept multicast sourced from 10.0.0.0/8, which is outside the upstream interface's own subnet.

Sometimes this proxy can get stuck and you need to issue the "restart igmp-proxy" operational mode command in the VyOS CLI.

set protocols igmp-proxy interface eth0.36 alt-subnet '10.0.0.0/8'
set protocols igmp-proxy interface eth0.36 role 'upstream'
set protocols igmp-proxy interface eth1.36 role 'downstream'

DHCP Servers

Nothing special here, just two DHCP servers, one for the LAN and one for the TV STB VLAN.

set service dhcp-server shared-network-name LAN authoritative
set service dhcp-server shared-network-name LAN option domain-name 'LAN.local'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 option default-router '192.168.0.1'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 option domain-name 'LAN.local'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 option name-server '1.1.1.1'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 option name-server '1.0.0.1'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range 0 start '192.168.0.100'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 range 0 stop '192.168.0.199'
set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 subnet-id '1'

set service dhcp-server shared-network-name BellTV authoritative
set service dhcp-server shared-network-name BellTV option domain-name 'TV.local'
set service dhcp-server shared-network-name BellTV subnet 192.168.36.0/24 option default-router '192.168.36.1'
set service dhcp-server shared-network-name BellTV subnet 192.168.36.0/24 option domain-name 'TV.local'
set service dhcp-server shared-network-name BellTV subnet 192.168.36.0/24 option name-server '67.69.235.1'
set service dhcp-server shared-network-name BellTV subnet 192.168.36.0/24 option name-server '207.164.234.193'
set service dhcp-server shared-network-name BellTV subnet 192.168.36.0/24 range 0 start '192.168.36.100'
set service dhcp-server shared-network-name BellTV subnet 192.168.36.0/24 range 0 stop '192.168.36.199'
set service dhcp-server shared-network-name BellTV subnet 192.168.36.0/24 subnet-id '36'

Excluding WAN load balancing (if applicable)

This does not apply to the example config above, but if you are using WAN load balancing you must exclude the STB VLAN from it, otherwise its traffic may be sent out the wrong WAN. Most people won't need this, but if you do, a rule like the following does it:

set load-balancing wan rule 10 description 'Exclude Bell TV'
set load-balancing wan rule 10 exclude
set load-balancing wan rule 10 inbound-interface 'eth1.36'

Acknowledgements

Thanks to the 8311 Discord community user ibutsu for pointing me in the right direction and providing tips on how to get this to work! Their input definitely sped things up for me.

References

https://pon.wiki/guides/masquerade-as-the-bce-inc-giga-hub-on-xgs-pon-with-the-bfw-solutions-was-110/
https://pon.wiki/xgs-pon/ont/bfw-solutions/was-110/
https://docs.vyos.io/en/sagitta/
https://discord.com/servers/8311-886329492438671420
https://github.com/djGrrr/8311-was-110-firmware-builder