Configuring IPTV Beeline via WiFi using Mikrotik routers

As a subscriber to Beeline’s Home Internet + TV, you naturally read the relevant forums, see other subscribers' problems, and so on. And among these “Yaroslavna’s cries” there is always one task that either nobody has managed to solve, or that has been solved only with workarounds that cut functionality: delivering IPTV to the set-top box over Wi-Fi. Recently, I was asked for help with exactly this question. Since our people act first and think later, the renovation of the new apartment was already finished: there are no cable ducts, there are no RJ-45 sockets, nobody is going to spoil the beauty and aesthetics, but the owner wants to watch Beeline TV in the kitchen.

What to do?
The following tasks emerge:
1) Give all client devices (laptops, computers, tablets, etc.) Internet access over Wi-Fi
2) Put a set-top box rented from Beeline IPTV on the kitchen TV and make it work while keeping all of its functionality.
The first point causes no difficulties, but the second makes you think.
Since I am a supporter and a long-time user of Mikrotik products, it was decided to solve the problem on this vendor's equipment. In addition, my MTCNA certificate gave me strength and convinced me that "the devil is not as terrible as he is painted."
So, let me remind you how Beeline subscribers are connected to the Internet.
The client equipment receives a “gray” address from the subnet from the DHCP server, which gives access to local resources and the L2TP BRAS, and the multicast of our IPTV travels over that same network. To get access to the Internet itself, you need to log in using the L2TP connection at This scheme in the terminology of some manufacturers of home routers is called Russian Dual Access.
The choice fell on the RB751G-2HnD routers.

Their characteristics:

- Processor: Atheros AR7241 400MHz CPU
- Storage: 64MB onboard NAND storage chip
- Frequency: 2.4 GHz
- Ethernet: 5 independent 10/100/1000 ports
- USB: 1 port 2.0
- Power: via ethernet port 1 8-30V DC, via jack 8-30V DC (PSU included)
- Sensitivity: 802.11g: -96dBm @ 6Mbit/s to -81dBm @ 54Mbit/s, 802.11n: -96dBm @ MCS0 to -78dBm @ MCS7
- Transmit power: 802.11g: 30dBm @ 6Mbit/s to 27dBm @ 54Mbit/s, 802.11n: 30dBm @ MCS0 to 26dBm @ MCS7
- Built-in radio module power: 1W
- Gain of built-in antennas: 2.5dBi
- Power consumption: up to 7W
- OS: RouterOS, level 4

I will not describe in detail where to find winbox, what it is and how to use it. There is plenty of that information on the net. Therefore, I will describe the steps briefly, but with explanations.
At the time of writing, the current software version is 5.24. Download it, drop it into Files and reboot the router. Do the same on the second router.
So, let R1 be the router that the provider's cable plugs into, and R2 a kind of Wi-Fi receiver for the IPTV set-top box. The default configuration of the devices gives us a DHCP client on the eth-1 port, the eth2-eth5 ports combined into a switch, plus a bridge to eth2 for wi-fi (wlan2) with a dhcp server in the range

Setting up the R1 router

We connect the Beeline cable to eth1 on the R1 router and the computer to eth2, and start winbox. We connect to with the username admin and an empty password. In the RouterOS Default Configuration window, click OK.

Since RouterOS cannot use DNS names in the Connect-to field, we first plug the Beeline cable into the computer and determine the address In my case, it turned out to be
/interface l2tp-client
add add-default-route=yes allow=pap,chap,mschap1,mschap2 connect-to=\ dial-on-demand=no disabled=no max-mru=1460 max-mtu=1460 \
    mrru=disabled name=l2tp-out1 password=password profile=\
    default-encryption user=login

(On the net you can find scripts that determine the current address of the BRAS themselves and substitute it into the Connect-to field, because the provider uses round-robin DNS to pick a less loaded BRAS.)

Next, we set up two NAT rules: one for the local network, the other for the Internet.
We go into IP-Firewall-NAT, delete the default configuration rule, and create our own.
/ip firewall nat
add action=masquerade chain=srcnat disabled=no dst-address= \
add action=masquerade chain=srcnat disabled=no dst-address=! \

We verify both rules:

The next step is to remove wlan1 from the bridge with ether2 and put it into a bridge with ether1. To do this, open Bridge, create a new bridge named, for example, tv-wifi-bridge, and on the Ports tab add the wlan1 and ether1-gateway interfaces to it.

/interface bridge
add admin-mac=D4:CA:6D:20:E2:49 ageing-time=5m arp=enabled auto-mac=no \
    disabled=no forward-delay=15s l2mtu=1598 max-message-age=20s mtu=1500 name=\
    bridge-local priority=0x8000 protocol-mode=rstp transmit-hold-count=6
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
    disabled=no forward-delay=15s l2mtu=1598 max-message-age=20s mtu=1500 name=\
    tv-wifi-bridge priority=0x8000 protocol-mode=none transmit-hold-count=6
/interface bridge port
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none \
    interface=ether2-master-local path-cost=10 point-to-point=auto priority=\
add bridge=tv-wifi-bridge disabled=no edge=auto external-fdb=auto horizon=none \
    interface=wlan1 path-cost=10 point-to-point=auto priority=0x80
add bridge=tv-wifi-bridge disabled=no edge=auto external-fdb=auto horizon=none \
    interface=ether1-gateway path-cost=10 point-to-point=auto priority=0x80

Because the IPTV set-top box also receives its address from the provider's DHCP server, we need to change the interface of the DHCP client. As you may remember, it is assigned only to ether1. We reassign it to the bridge tv-wifi-bridge.

/ip dhcp-client
add add-default-route=yes comment="default configuration" \
    default-route-distance=1 disabled=no interface=tv-wifi-bridge \
    use-peer-dns=yes use-peer-ntp=yes

Now it's time to set up the wireless part of our venture. First of all, we prepare the access point dedicated to the IPTV set-top box. There is nothing unusual here, it is a typical setup, with the exception of the most important point: Multicast Helper. It must be set to full.

/interface wireless
set 0 adaptive-noise-immunity=none allow-sharedkey=no antenna-gain=0 antenna-mode=\
    ant-a area="" arp=enabled band=2ghz-b/g/n basic-rates-a/g=6Mbps basic-rates-b=\
    1Mbps bridge-mode=enabled channel-width=20/40mhz-ht-above compression=no \
    country=no_country_set default-ap-tx-limit=0 default-authentication=yes \
    default-client-tx-limit=0 default-forwarding=yes dfs-mode=none \
    disable-running-check=no disabled=no disconnect-timeout=3s distance=indoors \
    frame-lifetime=0 frequency=2412 frequency-mode=manual-txpower frequency-offset=0 \
    hide-ssid=no ht-ampdu-priorities=0 ht-amsdu-limit=8192 ht-amsdu-threshold=8192 \
    ht-basic-mcs=mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7 ht-guard-interval=\
    any ht-rxchains=0,1 ht-supported-mcs="mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,m\
    cs-19,mcs-20,mcs-21,mcs-22,mcs-23" ht-txchains=0,1 hw-fragmentation-threshold=\
    disabled hw-protection-mode=none hw-protection-threshold=0 hw-retries=7 l2mtu=\
    2290 mac-address=D4:CA:6D:20:E2:4D max-station-count=2007 mode=ap-bridge mtu=\
    1500 multicast-helper=full name=wlan1 noise-floor-threshold=default \
    nv2-cell-radius=30 nv2-noise-floor-offset=default nv2-preshared-key="" nv2-qos=\
    default nv2-queue-count=2 nv2-security=disabled on-fail-retry-time=100ms \
    periodic-calibration=default periodic-calibration-interval=60 preamble-mode=both \
    proprietary-extensions=post-2.9.25 radio-name=D4CA6D20E24D rate-selection=\
    advanced rate-set=default scan-list=default security-profile=default ssid=tv \
    station-bridge-clone-mac=00:00:00:00:00:00 supported-rates-a/g=\
    6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps supported-rates-b=\
    1Mbps,2Mbps,5.5Mbps,11Mbps tdma-period-size=2 tx-power-mode=default \
    update-stats-interval=disabled wds-cost-range=50-150 wds-default-bridge=none \
    wds-default-cost=100 wds-ignore-ssid=no wds-mode=disabled wireless-protocol=any \

Configure encryption to your liking through Security Profiles; I will not dwell on this.

Now we create a virtual access point through which all our other devices (phones, tablets, laptops, etc.) will reach the Internet. But first add another security profile so you don't get confused.

/interface wireless security-profiles
add authentication-types=wpa2-psk eap-methods="" group-ciphers=aes-ccm \
    group-key-update=5m interim-update=0s management-protection=allowed \
    management-protection-key="" mode=dynamic-keys name=inet-sec \
    radius-eap-accounting=no radius-mac-accounting=no \
    radius-mac-authentication=no radius-mac-caching=disabled \
    radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
    static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
    none static-key-0="" static-key-1="" static-key-2="" static-key-3="" \
    static-sta-private-algo=none static-sta-private-key="" \
    static-transmit-key=key-0 supplicant-identity="" tls-certificate=none \
    tls-mode=no-certificates unicast-ciphers=aes-ccm wpa-pre-shared-key="" \

And the VirtualAP itself:

/interface wireless
add area="" arp=enabled bridge-mode=enabled default-ap-tx-limit=0 \
    default-authentication=yes default-client-tx-limit=0 default-forwarding=yes \
    disable-running-check=no disabled=no hide-ssid=no l2mtu=2290 mac-address=\
    D6:CA:6D:20:E2:4D master-interface=wlan1 max-station-count=2007 mtu=1500 \
    multicast-helper=default name=wlan2 proprietary-extensions=post-2.9.25 \
    security-profile=inet-sec ssid=Inet update-stats-interval=disabled \
    wds-cost-range=0 wds-default-bridge=none wds-default-cost=0 wds-ignore-ssid=no \
    wds-mode=disabled wmm-support=disabled

And add the resulting wlan2 to the bridge with ether2:

/interface bridge port
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none \
    interface=wlan2 path-cost=10 point-to-point=auto priority=0x80

This completes the setup of the R1 router. Wired devices connect to the Internet through ports 2-5, wireless devices via the wlan2 access point with SSID “Inet”.
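
A configuration check for the R1 setup above, added here as an example and not part of the original article: it parses a RouterOS export (joining the backslash-continued lines seen in the listings) and reports which wireless interfaces share a bridge with the provider-facing port, and which SSIDs still use the security profile named default, which the article leaves for the reader to configure. The sample export is constructed from the interface names in this article; the function names are assumptions.

```python
import re

# Constructed sample export, built from the names used in this article.
SAMPLE_EXPORT = r'''
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=tv-wifi-bridge disabled=no horizon=none \
    interface=wlan1 path-cost=10
add bridge=tv-wifi-bridge interface=ether1-gateway
add bridge=bridge-local interface=wlan2
/interface wireless
set 0 mode=ap-bridge multicast-helper=full name=wlan1 security-profile=\
    default ssid=tv
add master-interface=wlan1 name=wlan2 security-profile=inet-sec ssid=Inet
'''

def parse_export(text):
    """Return a list of (menu, {key: value}) for every add/set line."""
    # A trailing backslash continues the line, possibly in the middle of a token.
    joined = re.sub(r'\\\n[ \t]*', '', text)
    menu, items = None, []
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith('/'):
            menu = line
        elif line.startswith(('add ', 'set ')):
            pairs = re.findall(r'([\w./-]+)=("[^"]*"|\S*)', line)
            items.append((menu, {k: v.strip('"') for k, v in pairs}))
    return items

def wan_bridged_wlans(items, wan='ether1-gateway'):
    """Wireless ports that sit in the same bridge as the provider-facing port."""
    ports = {}
    for menu, kv in items:
        if menu == '/interface bridge port' and 'bridge' in kv:
            ports.setdefault(kv['bridge'], set()).add(kv.get('interface', ''))
    return sorted(i for members in ports.values() if wan in members
                  for i in members if i.startswith('wlan'))

def default_profile_ssids(items):
    """SSIDs whose interface uses the security profile named 'default'."""
    # An interface with no security-profile key falls back to 'default'.
    return sorted(kv.get('ssid', '?') for menu, kv in items
                  if menu == '/interface wireless'
                  and kv.get('security-profile', 'default') == 'default')

if __name__ == '__main__':
    cfg = parse_export(SAMPLE_EXPORT)
    print(wan_bridged_wlans(cfg), default_profile_ssids(cfg))
```

On a real router, feed it the text produced by /export; only the set-top box network (wlan1 here) is expected in the first list.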

Setting up the R2 router

Setting up this router is quite simple. Starting from the default configuration, we just need to run a wireless scan, find the access point with SSID “tv” and click the Connect button. If you use encryption, adjust the Security Profiles accordingly. After that, you need to remove ether2 from the bridge and add ether1 instead. Caution! After that, you will lose the connection to the router and winbox will close.

We plug the set-top box into the eth1 port and everything is ready.

Here we see channel 1HD being recorded while a file downloads at the same time. However, with this scheme, I could not get more than 7-8 megabits from the VirtualAP.
The CPU load of the router used as the access point did not exceed 34-37% in this scenario. By eye, the channel switching speed does not differ from a cable connection.
During the experiments I tried to run it through IGMP proxy. It seems to work, but HD channels freeze, PIN code entry does not work, and recording does not work.
I also tried a setup where the physical AP was used for the Internet and the VirtualAP for television. In this case, the transmission speed was no more than 1 Mbps, which is naturally unacceptably low for watching TV. Instead of video, there were still frames replacing each other once every 30 seconds.
With this, I consider the experiment successful and complete. There is wide scope for further tuning. I am ready to answer all questions. Thanks for your attention.