CenturyLink Fiber with PRISM in Seattle on OpenBSD

Overview

Most, if not all, of this information about CenturyLink and connecting your own modem is already on the internet, but I’d like to document my own steps, as I needed to gather data from a few sources. Almost everyone doing this online uses pfSense examples and not OpenBSD, so this information may be useful to others.

If you have CenturyLink and Prism, it is actually easier to connect your own router/firewall to the modem than without Prism! The TV part is just a minor fix (and optional, really).

Why is that? When you get Prism, CenturyLink disables PPPoE authentication and uses IPoE, which is just IP over Ethernet, another term for what most of us use for our home networks.

People have complained that pfSense and other products cannot push 1 Gbps through their PPP daemon, so IPoE eliminates that bottleneck. I don’t have 1 Gbps service, so I wouldn’t hit this bottleneck in any case.

Overview of steps to connect your own firewall to CenturyLink

  • Write down the MAC address of your CenturyLink-provided router’s WAN port (likely the CT2000T). You can find this under the Status page on the router.
    • The CL modem would not give a DHCP address to my firewall until I cloned the MAC address of the router. Usually, power cycling the modem should remove the learned MAC address of the router from the modem, but this isn’t the case for my CL modem.
  • Change the MAC address of your firewall’s WAN interface to match the one found in step 1.

In OpenBSD you can set this to change on boot via:

# cat /etc/hostname.em0
lladdr c4:ea:1d:01:02:03
up

  • Create a vlan with the tag 201 and put it on your firewall’s WAN interface.
    • By default the CL modem communicates over VLAN 201 with the router. You can get this feature disabled if you talk to a knowledgeable CL technician but why bother.

In OpenBSD this is configured via:

# cat /etc/hostname.vlan201
dhcp vlan 201 vlandev em0 description "Modem Connection"

  • Now you should be able to bring up the interface and receive an external address from the modem. If you can’t receive an address at this point, then something is wrong.
  • Your external interface in pf.conf is vlan201 and not em0 (remember tagging), since everything that flows over the physical external interface (em0) needs the VLAN tag.

Steps to configure PRISM (IPTV)

You will need to install and configure the igmpproxy daemon and allow IGMP and UDP multicast streams to your CenturyLink STBs.

  • Install the igmpproxy daemon on OpenBSD ( # pkg_add igmpproxy )
  • Make sure igmpproxy is added to your pkg_scripts so it starts on reboot.
  • Configure igmpproxy via /etc/igmpproxy.conf.

Here is a trimmed down example of mine:

# cat /etc/igmpproxy.conf

quickleave
phyint vlan201 upstream  ratelimit 0  threshold 1
altnet 67.12.0.0/15
altnet 151.118.0.0/15
phyint em1 downstream  ratelimit 0  threshold 1
phyint lo0 disabled
phyint re0 disabled

Since I don’t have a managed switch at home that has the IGMP snooping option, I didn’t want the igmp packets broadcasting over my WiFi APs (connected to re0), so I added a 3rd NIC and the IPTV STB is plugged directly into it. This way the IPTV is confined to just that NIC and not sent to other hosts in my network. Your desired configuration may be different.

  • Allow the multicast UDP packets and IGMP packets on your ext interface (vlan201, remember) so that igmpproxy can do its thing. Then, since they will be leaving on another interface that points to the STB, you need to allow them out that one as well.

pf.conf:

table <iptv> const {151.118.0.0/16, 67.12.0.0/15, 224.0.0.0/4 }

pass quick on $ext_if inet proto udp from <iptv> to any allow-opts
pass quick on $ext_if inet proto igmp allow-opts

pass quick on $iptv_if inet proto igmp allow-opts
pass quick on $iptv_if inet proto udp from any to any allow-opts

I found the list of source networks for the table in the 2nd link in my sources below.

  • Don’t forget to enable multicast forwarding!

# echo "net.inet.ip.mforwarding=1" >> /etc/sysctl.conf

# echo "multicast=YES" >> /etc/rc.conf.local

# reboot (not sure if it’s necessary but the above changes will certainly take effect on reboot)

This isn’t a whole tutorial on setting up a firewall so I’m assuming you have a working pf.conf. Reboot for the multicast forwarding to take effect.

That’s it. Turn on your CenturyLink STB and make sure the TV works!
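
The igmpproxy altnet lines and the pf <iptv> table above both list the provider's stream source networks, and a range that igmpproxy accepts but pf does not pass never reaches the STB when pf otherwise blocks by default. The check below is an added example, not part of the original post; it embeds the two snippets from this page as sample input, and its function names are made up for illustration.

```python
import ipaddress
import re
# Constructed sample input: the two snippets shown on this page.
IGMPPROXY_CONF = """\
phyint vlan201 upstream  ratelimit 0  threshold 1
altnet 67.12.0.0/15
altnet 151.118.0.0/15
phyint em1 downstream  ratelimit 0  threshold 1
"""
PF_CONF = """\
table <iptv> const {151.118.0.0/16, 67.12.0.0/15, 224.0.0.0/4 }
"""

def altnets(conf):
    """Networks igmpproxy accepts as multicast sources (altnet lines)."""
    nets = []
    for line in conf.splitlines():
        words = line.split("#", 1)[0].split()
        # altnet may sit on its own line or trail a phyint line
        for i, w in enumerate(words[:-1]):
            if w == "altnet":
                nets.append(ipaddress.ip_network(words[i + 1]))
    return nets

def pf_table(conf, name):
    """Static entries of a pf table written inline as { a, b, ... }."""
    m = re.search(r"table\s+<%s>[^{\n]*\{([^}]*)\}" % re.escape(name), conf)
    if not m:
        raise ValueError("table <%s> not found" % name)
    return [ipaddress.ip_network(e) for e in re.split(r"[,\s]+", m.group(1)) if e]

def uncovered(sources, table):
    """Parts of each source network that no table entry covers (IPv4 only here)."""
    gaps = []
    for src in sources:
        rest = [src]
        for entry in table:
            nxt = []
            for r in rest:
                if entry.subnet_of(r) and entry != r:
                    nxt.extend(r.address_exclude(entry))  # partly covered
                elif not r.subnet_of(entry):
                    nxt.append(r)                         # untouched by this entry
            rest = nxt
        gaps.extend(rest)
    return sorted(gaps)

if __name__ == "__main__":
    print(uncovered(altnets(IGMPPROXY_CONF), pf_table(PF_CONF, "iptv")))
```

Run against the snippets above, it reports 151.119.0.0/16: the altnet is a /15 while the table entry for the same network is a /16.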

Great links from which I learned most about this process.

http://kmwoley.com/blog/bypassing-needless-centurylink-wireless-router-on-gigabit-fiber/

http://www.dslreports.com/forum/r30270839-Prism-TV-HOWTO-Use-pfSense-with-CenturyLink-FTTH-and-Prism-TV-in-Seattle

3 thoughts on “CenturyLink Fiber with PRISM in Seattle on OpenBSD”

  1. I recently signed up for CenturyLink with Prism in the Minneapolis area and found that to get all channels working I also needed to include the following 3 subnets: 130.13.16.0/24, 130.13.18.0/24, and 69.179.237.0/24.

    I suspect that there is a larger supernet for the 130.13.16 and 130.13.18 networks. I didn’t map out each channel’s IP, but it did seem like the addresses that start with 130 were used more for local channels than pay channels (i.e. HBO, Cinemax, etc.).

    Hope that helps others get it to work in Minnesota.

  2. Wondering if you’ve had any luck getting IPv6 to work on your OpenBSD router. I’ve been trying for a while and no joy so far.

    1. I tried setting up 6rd quickly but I couldn’t get it to work. The script to manually configure 6rd for OpenBSD mentioned on undeadly (after fixing some run-time problems) didn’t create a working config for me so I gave up. More research to do!
