I have read half of the internet for this, but for the love of God I can't figure out the following problem:
The situation:
I have a utility closet where the ISP optical terminal (GPON ONT) is. The ISP ONT is in bridge mode; LAN4 is used for IPTV (VLAN 2513) and LAN1 is Internet (the ISP is using two separate ports, and apparently VLANs, to route IPTV/Internet traffic). I have two separate ethernet sockets between the utility closet and the living room: one is currently plugged directly into the IPTV STB (ONT LAN4 > STB), and the other is plugged into the WAN port on the Unifi router (LAN1 > WAN port).
I would like to connect an additional AP in the utility closet for better coverage, and for this I need to route my internal LAN back from the Unifi router to the utility closet while also being able to route IPTV traffic from the ISP ONT to the router, where the STB will be connected.
For this, I have purchased a managed switch with VLANs, IGMP snooping, etc., which I have put in the utility closet before the Unifi router.
I connected them as follows, and configured the following:
Created a new IPTV VLAN-only network, VLAN 2513, IGMP snooping enabled
Created a new trunk port profile LAN + IPTV (Native untagged LAN + tagged IPTV)
The connections:
Managed switch (USW) port assignment:
LAN1 - Port connection: Unifi router uplink, Port profile: Native LAN + tagged IPTV (VLAN 2513) trunk
LAN2 - Port connection: ISP Fiber ONT terminal, Port profile: IPTV network (VLAN 2513)
LAN3 - empty, port profile LAN, will host UAP
Unifi router port assignment (living room):
LAN3 - Port connection: IPTV STB, Port profile: IPTV network (VLAN 2513)
LAN4 - Port connection: USW uplink, Port profile: Native LAN + tagged IPTV (VLAN 2513) trunk
The issue:
While the solution works, and TV and Internet are working, I can see about 4 unknown MACs, most likely the STB and GPON ONT MACs, in my client list on the Unifi router, all belonging to the IPTV network with no IP visible (which apparently points to a multicast issue with the IPTV STB or something similar), so I have a bad feeling that I am exposing my network to the outside world (or at least the ISP's). I don't want my network to be exposed to the ISP's networks or to see anyone else's devices.
Is the above behavior expected and can it be safely ignored, or am I on my way to the gates of internet hell?
Thank you so much for any input.
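As an added illustration (not part of the original post, and not Ubiquiti code): a toy 802.1Q bridge model that reproduces the port layout described above, so the question of what the ONT and STB can and cannot reach at layer 2 can be walked through on paper. It assumes the native LAN is VLAN 1 (the post does not give its id), treats the router's LAN1 as an ordinary LAN access port, and uses constructed locally-administered MAC addresses. It shows three things: an untagged frame from the ONT port is classified into VLAN 2513, crosses the trunk tagged, and only egresses the STB access port; the ONT's MAC is learned in the forwarding table under VLAN 2513 (a client list is built from exactly this kind of entry, so a MAC showing up in the IPTV network is consistent with plain layer-2 learning); and a frame from the ONT port carrying a tag for a VLAN the port is not a member of is dropped by ingress filtering. The model covers layer 2 only; whether the router routes or firewalls between the IPTV and LAN networks is a separate layer-3 question that this example does not answer.

```python
from dataclasses import dataclass
from typing import Optional

LAN = 1        # assumed id for the native/untagged LAN VLAN; the post does not name it
IPTV = 2513    # IPTV VLAN id from the post
BROADCAST = "ff:ff:ff:ff:ff:ff"

ONT_MAC = "02:00:00:00:00:01"   # constructed sample MAC addresses
STB_MAC = "02:00:00:00:00:02"
PC_MAC = "02:00:00:00:00:03"


@dataclass(frozen=True)
class Port:
    name: str
    pvid: Optional[int]                 # VLAN assigned to untagged ingress/egress traffic
    tagged: frozenset = frozenset()     # VLANs carried with an 802.1Q tag on this port

    def member_of(self, vid: int) -> bool:
        return vid == self.pvid or vid in self.tagged


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    vid: Optional[int] = None           # None = no 802.1Q tag on the wire


class Switch:
    """Minimal 802.1Q bridge: ingress filtering, per-VLAN MAC learning, flood/forward, egress (un)tagging."""

    def __init__(self, name: str, ports):
        self.name = name
        self.ports = {p.name: p for p in ports}
        self.fdb = {}   # (vid, mac) -> port name; a controller's client list is derived from entries like these

    def receive(self, in_port: str, frame: Frame) -> dict:
        port = self.ports[in_port]
        vid = port.pvid if frame.vid is None else frame.vid
        if vid is None or not port.member_of(vid):
            return {}                                  # ingress filtering: VLAN not allowed on this port
        self.fdb[(vid, frame.src)] = in_port           # learn the source MAC in its VLAN only
        learned = self.fdb.get((vid, frame.dst))
        if learned == in_port:
            return {}                                  # destination sits behind the ingress port
        if learned is not None:
            targets = [learned]                        # known unicast
        else:                                          # unknown unicast / broadcast: flood within the VLAN
            targets = [n for n, p in self.ports.items() if n != in_port and p.member_of(vid)]
        # egress: strip the tag on the port whose native VLAN matches, keep it on trunk members
        return {n: Frame(frame.src, frame.dst, None if self.ports[n].pvid == vid else vid) for n in targets}


def build_topology():
    """Port profiles as listed in the post (USW in the closet, router in the living room)."""
    usw = Switch("USW", [
        Port("LAN1", pvid=LAN, tagged=frozenset({IPTV})),   # trunk to the router
        Port("LAN2", pvid=IPTV),                             # ISP ONT: IPTV access port
        Port("LAN3", pvid=LAN),                              # future AP: LAN access port
    ])
    router = Switch("Router", [
        Port("LAN3", pvid=IPTV),                             # IPTV STB
        Port("LAN4", pvid=LAN, tagged=frozenset({IPTV})),   # trunk to the USW
        Port("LAN1", pvid=LAN),                              # assumed ordinary LAN port (e.g. a PC)
    ])
    return usw, router


def walk(first, first_port, frame, second, trunk_out, trunk_in):
    """Inject a frame into `first` and follow it across the trunk into `second`.
    Returns the set of (switch, egress port, tag) points it reaches."""
    reached = set()
    for port, f in first.receive(first_port, frame).items():
        reached.add((first.name, port, f.vid))
        if port == trunk_out:
            for rport, rf in second.receive(trunk_in, f).items():
                reached.add((second.name, rport, rf.vid))
    return reached


def ont_broadcast_path():
    """Untagged broadcast from the ONT (e.g. an IGMP general query) entering USW LAN2."""
    usw, router = build_topology()
    reached = walk(usw, "LAN2", Frame(ONT_MAC, BROADCAST), router, "LAN1", "LAN4")
    return reached, dict(usw.fdb), dict(router.fdb)


def foreign_tag_filtered():
    """ONT port receives a frame tagged with the LAN VLAN; the access port is not a member, so it is dropped."""
    usw, _ = build_topology()
    return usw.receive("LAN2", Frame(ONT_MAC, BROADCAST, vid=LAN))


def lan_broadcast_path():
    """Broadcast from a PC on the router's LAN port never egresses towards the ONT or the STB."""
    usw, router = build_topology()
    return walk(router, "LAN1", Frame(PC_MAC, BROADCAST), usw, "LAN4", "LAN1")
```

Reading the results: the ONT broadcast shows up only on the USW trunk (tagged 2513) and on the router's STB port (untagged), while the AP port and the router's LAN port see nothing; the forwarding tables on both switches contain the ONT MAC only under VLAN 2513. That is the layer-2 picture behind "unknown MACs in the IPTV network". The check a practitioner would want beyond this model is on the router itself: confirm that no interface or firewall rule permits traffic between the IPTV network and the LAN, since separation at layer 2 says nothing about routing at layer 3.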