USG 3P - Multicast setup Telenor fibre

Perhaps, like me,  you’d also like to replace the Telenor Zyxcel router with the Unifi Security Gateway (USG)? Here’s how I set it up successfully after perhaps 20 hours of trial and error. It goes without saying, I’m not a pro at this, just an enthusiastic amateur. So after pouring over most of the relevant threads from 2016 – 2019 in the forum at , I eventually managed to get the IPTV from Telenor working.


Firstly, connect Telenor’s Fibre box to the USG’s WAN1, and connect the Telenor T-WE-box to the WAN2/LAN2 of the USG. The LAN 1 port should be connected to, in my case, the UniFi Switch 8 POE-60W.

In the Controller Settings, click on Networks, click + to add a new network; a local network assigned to the LAN2-port on the USG. Below is a screenshot of my setup.

IMPORTANT!  Enable IGMP snooping (read what it does here) AND UPnP LAN!

The Networks page will look something like this:


Next, in the Controller Settings, click on Routing & Firewall in the left column. Then at the top, click on Firewall -> Groups. Then click the + CREATE NEW GROUP button. Configure your new group in this way. You may name it whatever you’d like:

This group is the list of network addresses that we expect to receive IPTV- broadcasts from. I identified a block of addresses that work with the CL of  Telenor T-WE in Norway. If this does not work for you, look up on dsl-reports or other places to find what addresses CL is using in your area. Another slightly risky option, is leaving your firewall completely open to all incoming UDP traffic until you find the proper source address, but I obviously wouldn’t leave it that way for very long!

Once you are finished, your Groups page will look approximately like this:


The next step to take, is adding the two firewall rules needed. The first rule allows IGMP packets to hit the WAN port. Navigate at the top to Firewall -> Rules -> WAN LOCAL and click the + CREATE NEW RULE button. Configure the rule the following way (again, name it what you’d like):

Once finished, your WAN_LOCAL rules should look like this on a default setup:

The second rule will allow UDP packets originating from the source group that we configured in the beginning to pass through to the LAN. Navigate to Firewall -> Rules -> WAN IN and click the + CREATE NEW RULE button again. Configure the rule the following way (follow whatever naming conventions you’ve been using so as to recognize their functions, might be a worthwhile):

When you’ve completed setting that up, your WAN_IN rules will look like this on a default install:


This step could just as well have been done at the very beginning, but now will work just as well.

Click Services -> UPNP-> WAN IN and and switch on as shown below. Under Networks, LAN 2 should be ON since our local network assigns our multicast flow to that port.


That’s all there is to it for the GUI part of the configuration. Now you need to enable the IGMP proxy on the gateway. This cannot be done through the GUI at this time. In order to enable this, you need to place a custom config.gateway.json file in the appropriate site directory on your controller (where you have installed the Controller, in my case on a PC. Using your text editor of choice, for example Notepad++, create a file named config.gateway.json with the following contents:

        "protocols": {
                "igmp-proxy": {
                        "interface": {
                                "eth0": {
                                        "alt-subnet": [ "" ],
                                        "role": "upstream",
                                        "threshold": "1"
                                "eth1": {
                                        "alt-subnet": [ "" ],
                                        "role": "downstream",
                                        "threshold": "1"

You need to copy this file into the appropriate directory on the controller. You can refer to the instructions here for where to place the file.

Now all you need to do is reprovision your gateway. It will automatically start igmp-proxy on every reprovision. Below is where mine is located:

This section was added 18.4.2020

USG CloudKey

If you have the USG CloudKey, go to this USD Advance configuration which shows how to add the config.gateway.json to the Cloudkey. 

This is really important to do: On Cloud Key, the install path for the .json file is: /srv/unifi/data/sites/[site name/default]/. In my case, the folder “sites” and “site name” “default” did not exist, and I had to manually create them.

Below is a screen grab showing where you find the site name in the Controller panel.

Unifi Cloud Key - Unifi Controller - sites - site name

I hope this works out for you! All the best of luck!

18 replies
  1. Rune Stavdal
    Rune Stavdal says:

    I’ve gotten a few responses to this guide saying it does not work. Well, I also encountered problems when using the controller software from a PC/laptop. However, when setting up the unifi cloud key, it works smoothly.

    This USG Advanced configuration shows how to add the config.gateway.json to the Cloud key.

    This is really important to do: On Cloud Key the install path for the .json file is: /srv/unifi/data/sites/[site name/default]/. In my case, the folder “sites” and “site name” “default” did not exist, and I had to manually create them.

  2. Andreas Holm
    Andreas Holm says:


    Takk for fin guide. Jeg fikk dette til å fungere med min USG og T-We boks II fra Telenor 🙂


  3. Rune Stake Stavdal
    Rune Stake Stavdal says:

    The reason why this set up only works with the cloud key, and not the Controller is that there is a bug in the Windows Java run Controller whereas the cloud key runs on a Linux based os.

    So buying one of Unifi’s cloud key is what will resolve the issue.

    • That guy
      That guy says:

      The controller runs very well under Docker (linux based container) or on a Linux VM. You don’t need dedicated hardware to make it work as intended, even if you’re stuck on windows.

  4. Svein
    Svein says:


    Vil dette være mulig med unifi dream machine? Får t-we boks ii og fiber installert etter påske.

    Jeg hadde tenkt å koble t-we boksen trådløst. Har det noe å si? Det er grunnet plasseringen til fiberen.

    • Tom Reiertsen
      Tom Reiertsen says:

      Hei Svein,

      Jeg har nylig bestilt meg en Dream Machine også for å erstatte en gammel Asus RT-AC5300 og jeg har også T-We Box II. Fikk du dette til å fungere sammen?
      Jeg er veldig interessert i å høre om det fungerte sammen.


  5. Christian
    Christian says:

    Hi I also got this to work on my USG-3, but was unable to find /data/sites/site_ID

    I run Controller software in a container.
    So I had to run thise commands before placing config.gateway.json

    mkdir -p /usr/lib/unifi/data/sites/
    chown unifi:unifi /usr/lib/unifi/data/sites/
    mkdir -p /usr/lib/unifi/data/sites/default
    chown unifi:unifi /usr/lib/unifi/data/sites/default

    Add json file then:

    chown unifi:unifi config.gateway.json

    Otherwise super guide! Thanks for spending the 20 hours so I only had to use 20 min.

  6. Marcin
    Marcin says:

    Can i get some private assist? My provider is FiberLink (Toya group) (Poland)
    Internet works on PPPoE vlan 626 and IPTV works on vlan 3980.

    Internet works ok but cannot get working IPTV even on any port of my UniFi switch ;(



Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.