USG 3P - Multicast setup Telenor fibre

Perhaps, like me,  you’d also like to replace the Telenor Zyxcel router with the Unifi Security Gateway (USG)? Here’s how I set it up successfully after perhaps 20 hours of trial and error. It goes without saying, I’m not a pro at this, just an enthusiastic amateur. So after pouring over most of the relevant threads from 2016 – 2019 in the forum at , I eventually managed to get the IPTV from Telenor working.


Firstly, connect Telenor’s Fibre box to the USG’s WAN1, and connect the Telenor T-WE-box to the WAN2/LAN2 of the USG. The LAN 1 port should be connected to, in my case, the UniFi Switch 8 POE-60W.

In the Controller Settings, click on Networks, click + to add a new network; a local network assigned to the LAN2-port on the USG. Below is a screenshot of my setup.

IMPORTANT!  Enable IGMP snooping (read what it does here) AND UPnP LAN!

The Networks page will look something like this:


Next, in the Controller Settings, click on Routing & Firewall in the left column. Then at the top, click on Firewall -> Groups. Then click the + CREATE NEW GROUP button. Configure your new group in this way. You may name it whatever you’d like:

This group is the list of network addresses that we expect to receive IPTV- broadcasts from. I identified a block of addresses that work with the CL of  Telenor T-WE in Norway. If this does not work for you, look up on dsl-reports or other places to find what addresses CL is using in your area. Another slightly risky option, is leaving your firewall completely open to all incoming UDP traffic until you find the proper source address, but I obviously wouldn’t leave it that way for very long!

Once you are finished, your Groups page will look approximately like this:


The next step to take, is adding the two firewall rules needed. The first rule allows IGMP packets to hit the WAN port. Navigate at the top to Firewall -> Rules -> WAN LOCAL and click the + CREATE NEW RULE button. Configure the rule the following way (again, name it what you’d like):

Once finished, your WAN_LOCAL rules should look like this on a default setup:

The second rule will allow UDP packets originating from the source group that we configured in the beginning to pass through to the LAN. Navigate to Firewall -> Rules -> WAN IN and click the + CREATE NEW RULE button again. Configure the rule the following way (follow whatever naming conventions you’ve been using so as to recognize their functions, might be a worthwhile):

When you’ve completed setting that up, your WAN_IN rules will look like this on a default install:


This step could just as well have been done at the very beginning, but now will work just as well.

Click Services -> UPNP-> WAN IN and and switch on as shown below. Under Networks, LAN 2 should be ON since our local network assigns our multicast flow to that port.


That’s all there is to it for the GUI part of the configuration. Now you need to enable the IGMP proxy on the gateway. This cannot be done through the GUI at this time. In order to enable this, you need to place a custom config.gateway.json file in the appropriate site directory on your controller (where you have installed the Controller, in my case on a PC. Using your text editor of choice, for example Notepad++, create a file named config.gateway.json with the following contents:

        "protocols": {
                "igmp-proxy": {
                        "interface": {
                                "eth0": {
                                        "alt-subnet": [ "" ],
                                        "role": "upstream",
                                        "threshold": "1"
                                "eth1": {
                                        "alt-subnet": [ "" ],
                                        "role": "downstream",
                                        "threshold": "1"

You need to copy this file into the appropriate directory on the controller. You can refer to the instructions here for where to place the file.

Now all you need to do is reprovision your gateway. It will automatically start igmp-proxy on every reprovision. Below is where mine is located:

I hope this works out for you! All the best of luck!