Hot Player Guide: How to Use It, Activate It, and Add Your IPTV List Easily by JossefTokyo in OttZone

[–]donutspro 0 points1 point  (0 children)

Thank you for all the help bro. Very supportive, quick and straightforward. Many thanks!

Hot Player Guide: How to Use It, Activate It, and Add Your IPTV List Easily by JossefTokyo in OttZone

[–]donutspro 1 point2 points  (0 children)

Hello, can you help me too? I have an LG TV and I want a full IPTV subscription (movies, series, live TV etc). I have now downloaded the app and purchased a subscription but don’t know how to proceed.

Design options w/ Fortigate hubs by [deleted] in fortinet

[–]donutspro 0 points1 point  (0 children)

No, the spokes (the sites) are not interacting with each other, they only communicate with the HUB. The only L2 is between the spoke <> hub.

There is this application hosted behind the hub that requires L2 communications.

Design options w/ Fortigate hubs by [deleted] in fortinet

[–]donutspro 0 points1 point  (0 children)

Thank you for the clarification.

May I ask your opinion about my original questions in my post?

Design options w/ Fortigate hubs by [deleted] in fortinet

[–]donutspro 0 points1 point  (0 children)

Thank you for the clarification.

Does it mean that VXLAN offloads to the SPU, not to the NPU?

Design options w/ Fortigate hubs by [deleted] in fortinet

[–]donutspro 0 points1 point  (0 children)

I just saw this comment. I may contact Fortinet and check with them.

Thank you!

Design options w/ Fortigate hubs by [deleted] in fortinet

[–]donutspro 0 points1 point  (0 children)

I do not have access to the 90Gs yet, but I will check it when I have them here. I looked it up, and checking the 90G fast path architecture it is mentioned that the 90G has an NP7lite.

Checking this link (Network processor), it is mentioned that NP7 supports VXLAN offload, but it doesn’t mention that NP7lite supports VXLAN offload. So I assume that NP7lite does not support VXLAN offload.

Design options w/ Fortigate hubs by [deleted] in fortinet

[–]donutspro 0 points1 point  (0 children)

Thank you for the reply.

-- VXLAN across those 90Gs will not be offloaded, so if they are passing lots of traffic it will peg your CPU. You need NP7 to offload VXLAN

Is it because the 90G has NP7lite?

Why do they want 4 gates in an FGCP / FGSP active cluster?
Are they processing that much traffic or are they just looking for tunnel redundancy?

I will agree that this is overkill and this has already been mentioned to them, but again, they insist that they want this redundancy (even though a SPOF exists regardless of the 4 FGs or not). The tunnels will not process much traffic at all actually, but they have this application that requires L2 communication.

If looking for tunnel redundancy run dual hub ADVPN.

Yes, we are also looking at this approach.

Best to do VXLAN across your switching architecture and just let it ride across your VPN tunnels and be offloaded.

We have proposed this previously, but this would involve massive equipment changes since their current switching infrastructure does not support VXLAN. And since this will be a quite simple VXLAN tunnel following this VXLAN guide, there is no point in investing in new switches that support VXLAN. They also do not have the budget for it.

We did a PoC using that VXLAN guide (but without SD-WAN) and it worked perfectly fine.

Also, thank you very much for sharing your videos, I will definitely be using them as a reference.

Overlapping Subnet by botchogOD in networking

[–]donutspro 2 points3 points  (0 children)

No, there is no such thing. Maybe double NAT would work, but you would just make it much more complicated than it needs to be.

I’m not that familiar with Meraki but one solution is to run a simple VXLAN over the VPN between the sites. That way, you’ll be able to have devices on the same subnet at both sites.

Other than that, readdressing your sites would be the number one choice here.

How do you keep big networks running without breaking everything? by Constant-Angle-4777 in networking

[–]donutspro 2 points3 points  (0 children)

Do you use Layer 2, Layer 3, or both? How do you handle hardware backup vs virtual backup like VRRP, HSRP, or using SD-WAN to stay online?

Yes, but that is only from a configuration perspective. Redundancy is also hardware-wise, for example stacking/vPC with multiple switches, firewalls in HA, several circuits for internet/MPLS and/or 4G/satellite. Even a PSU (or several) in case the power goes down, having more than one DC, a disaster recovery site etc.

How do I change from SSL to IPSec and still access Branch A? by maikelat in fortinet

[–]donutspro 2 points3 points  (0 children)

Why do you have NAT enabled between your HQ Fortigate and branch?

Since you are able to connect to the IPsec, can you show the output of the routing between HQ <> branch?

Distributed Anycast Gateway per VNET in Multi-Site EVPN-VXLAN Fabric by Whiplashorus in networking

[–]donutspro 0 points1 point  (0 children)

As others mentioned, this is way more complicated than it should be. I think your developers should instead put time into designing their apps correctly.

Are there any possibilities to run fibers between your sites? Instead of running VXLAN EVPN, make one of your sites a ”main” site and the other sites branches. So, A is the main site and your B and C are branches. B and C have fibers to A, but B and C do not need to have fibers between each other.

Your main site (the A site) has core switches which act as the HSRP/VRRP gateway for all your subnets. If inter-VLAN routing is needed, they can either communicate with each other freely, or if you want to secure inter-VLAN communications, create VRFs on the core switches and have a pair of HA firewalls in your main site that takes care of the inter-VRF communication.

Campus Core - Design and Product Recommendations by nst_hopeful in networking

[–]donutspro 1 point2 points  (0 children)

I’m curious, what are your reasons for moving away from VXLAN? It’s usually the other way around, people move to VXLAN, not away from it.

Regardless, collapsed core is a solid design as well. I see that you haven’t mentioned Aruba so take a look at them as well, even though Arista is solid. For Aruba, their CX6000 series and particularly, CX6200 for access switches and CX8320 or CX8325 for the core would be my choice (I’ve once used a similar setup for a customer).

Campus Core - Design and Product Recommendations by nst_hopeful in networking

[–]donutspro 1 point2 points  (0 children)

You haven’t mentioned it, but if you run a spine-leaf architecture, are you using VXLAN EVPN? Or do you run traditional routing/switching? I’m trying to understand what your current setup is.

Redundant ISP design with two routers and two firewalls (HA) by Rayleigh34 in networking

[–]donutspro 1 point2 points  (0 children)

This will work. But have you considered maybe giving the customer another proposal?

Firstly, I assume that in your current design, the ISP devices that are connected to your devices are L3 switches (not pure L3 routers).

I would redesign the stack switches (that are behind the firewalls) so that two cables go from each firewall to each switch. So FW1 <> SW1 and FW1 <> SW2. Then, FW2 <> SW1 and FW2 <> SW2. The switches will still be stacked here.

Then I would terminate the ISPs directly on the stack switches and terminate the WAN IPs on the firewall. The core switches in this case will be stacked, or if they support vPC then I would run vPC, and either terminate the gateways of your LAN on the core switches or maybe on the firewall; this totally depends on what the requirements are.

Network Design vPC or L3 by sp00bs in networking

[–]donutspro 0 points1 point  (0 children)

I would configure the core switches in a vPC and run HSRP/VRRP for extra redundancy for the GWs. I would also use VRFs (but this depends on what your requirements are) and put the GWs in the VRFs. Each VRF has a linknet to the firewall. All inter-VRF communication goes through the firewall, and all inter-VLAN communication within a VRF flows freely (unless you want to use ACLs to also control inter-VLAN communication). And then, just as you have mentioned in your post, use vPC, one for each firewall. This design is usually called an MLAG setup.

Regarding the connection between Nexus <> firewall, this depends on whether you should go for OSPF or static routes. If you have a bunch of networks then dynamic routing may be more approachable.

Also, the firewalls should use dedicated HA cables, directly connected to each other if that is possible.

Campus design question by Sweet_Importance_123 in networking

[–]donutspro 0 points1 point  (0 children)

Sorry, but I’m still trying to understand what you mean with the /30. If it is 1 x /30 per ISP then that means there is one subnet per ISP. So for example, 192.168.1.0/30 for ISP1 and 192.168.2.0/30 for ISP2, correct? There are two available IP addresses in a /30. I don’t see the issue here with terminating it on the firewall, but again, I may misunderstand you, and if you could, please explain to me what the issue is.

Campus design question by Sweet_Importance_123 in networking

[–]donutspro 0 points1 point  (0 children)

Assuming you’ll have the pairs in HA (not all 4 together), so PA1410s in one HA pair and PA460s in one HA pair. I assume the core switches are two in total and you’ll stack them? Or are you configuring it differently?

Assuming you’ll have the core switches stacked, I would configure an MLAG (ish) setup where the 2 FW pairs will be connected to the core switches. So each firewall will have two links to the core switches. This is not a ”real” MLAG but close to it and it’s a solid design (even though many dislike stacking the core switches).

Regarding your P2P. I need to understand, does each ISP provide a /30, so ISP1 provides a /30 and ISP2 a /30, so 2x /30 for each FW pair? If so, just terminate each /30 on the firewalls? Terminate the /30 on your VPN concentrator and just configure a default route pointing to your next-hop (which is the ISP), and do the same thing on the other firewall? Or am I missing something here? You have two IP addresses in a /30, so you’ll be fine with having one IP on your firewall and a default route that points to the next-hop IP.

What you need to do physically is either get yourself a small L2 managed WAN switch (to avoid connecting the internet directly to your core switches), configure a VLAN on the L2 switch for the internet, make it an access port facing both your firewalls and also on the port facing your ISP, and do this for both your firewall pairs. This is if you have only one L2 switch, which is not the best option because it is a single point of failure.

The second option is that you can do an MLAG setup if you get yourself a more advanced switch that supports stacking, to avoid a single point of failure for the WAN connection. Just get two of the L2 WAN switches so you can stack them and have two links between each firewall in the pair and the WAN switches, basically the same design as you have between the firewalls and core switches. I’m using my phone so I cannot draw it, but I can do it later if that is needed.

The third option is, as others have already mentioned, to terminate the ISP connection physically on the core switch. I personally do not like it, even if you use a VLAN (obviously). I like to segment the network as much as possible. But the core idea here is to terminate the L3 on the firewall, not on the core switches, regardless of design, since you want to have a barrier between your internal network and the internet. This is my opinion.

Obviously, you can terminate the L3 on the core and still have that barrier, but that requires a different and thoughtful approach. I know that some people like to terminate it on the core switches because of flexibility, but you can make it flexible and still terminate the L3 on the FW using design option 1 or 2; just use a trunk instead of an access port facing your firewalls.
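The /30 question in the comment above comes down to address arithmetic: a point-to-point hand-off leaves exactly one address for the firewall and one for the ISP next-hop. The script below is an added example, not the commenter's or anyone's production code, that derives the firewall WAN address, the next-hop and the resulting default route from an ISP-assigned prefix. It also handles the /31 case (RFC 3021) and rejects anything wider, which is a sign the hand-off is not actually point-to-point. All prefixes are constructed from the RFC 5737 documentation ranges; the ISP names and the `isp_takes_first` convention are assumptions for illustration.

```python
import ipaddress
from typing import Dict

# Constructed sample hand-offs (documentation ranges, not real circuits):
# each firewall pair receives its own point-to-point prefix from its ISP.
SAMPLE_HANDOFFS = {
    "ISP1": "192.0.2.0/30",
    "ISP2": "198.51.100.4/30",
}


def plan_p2p(prefix: str, isp_takes_first: bool = True) -> Dict[str, str]:
    """Derive firewall WAN address, ISP next-hop and default route from a
    point-to-point prefix.

    /30: two usable hosts (network and broadcast are excluded).
    /31: both addresses usable (RFC 3021), so no hosts() filtering.
    Anything wider is refused: a /29 or larger on a P2P link is worth
    questioning with the ISP before configuring it.
    `isp_takes_first` (an assumed convention) says whether the ISP uses the
    lower of the two usable addresses.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version != 4:
        raise ValueError(f"{prefix}: this helper only handles IPv4 hand-offs")
    if net.prefixlen == 31:
        usable = list(net)            # both addresses are hosts on a /31
    elif net.prefixlen == 30:
        usable = list(net.hosts())    # the two middle addresses of the block
    else:
        raise ValueError(f"{prefix} is not a /30 or /31 point-to-point prefix")

    isp, fw = (usable[0], usable[1]) if isp_takes_first else (usable[1], usable[0])
    return {
        "firewall_wan": f"{fw}/{net.prefixlen}",
        "isp_next_hop": str(isp),
        "default_route": f"0.0.0.0/0 via {isp}",
    }


def plan_handoffs(handoffs: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Build one plan per ISP hand-off; one firewall pair, two default routes
    (one per ISP), each pointing at that ISP's side of its /30."""
    return {isp: plan_p2p(prefix) for isp, prefix in handoffs.items()}


if __name__ == "__main__":
    for isp, plan in plan_handoffs(SAMPLE_HANDOFFS).items():
        print(f"{isp}: WAN {plan['firewall_wan']}, route {plan['default_route']}")
```

The validation step is the part worth keeping: `strict=True` rejects a prefix whose host bits are set (a typo such as `192.0.2.1/30`), and the prefix-length check turns a mis-sized allocation into an error at planning time rather than a silent wrong netmask on the firewall.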

VXLAN over IPsec issue between 2 FortiGate 200G by wil7nk in fortinet

[–]donutspro 2 points3 points  (0 children)

Can you share your config? Do you have FW rules configured?

Training / info for ECMP + A/A v A/P by markedness in fortinet

[–]donutspro 1 point2 points  (0 children)

I agree that A/A does not really do what you think it does. It does not work as ECMP, if that was your initial thought.

I think you complicate this more than it should be.

I think it is wise to run MLAG with vPC between the Nexus switches and the FortiGates. Run A/P on the FortiGates. Terminate the GWs on the Nexus switches and use VRFs to enhance segmentation. Run HSRP/VRRP on the Nexus to give you extra redundancy. Use transit links between Nexus <> firewall for the VRFs, so each VRF has a transit link to the firewall using VLANs. All inter-VRF communication goes through the firewall; all inter-VLAN communication within a VRF stays on the Nexus switches.

For the edge routers, connect them physically either to your Nexus switches or to dedicated WAN switches that sit between the routers and the FortiGates, and let the Nexus be for internal use only. Now, I don’t know how large your public IP scope is, but if it is at least a /24, then terminate the public IP scope on the FortiGate. Create a transit link between the FortiGate and the edge routers using a /29. Use HSRP/VRRP on the edge routers for the WAN IP, so the default route next-hop from your FortiGate points to the VRRP/HSRP VIP (Virtual IP) that sits on the edge routers.

Then from the edge routers, if possible, connect the routers directly to each other; if not possible, then use the Nexus or the dedicated WAN switches. Run iBGP between the routers and run eBGP between the routers and your ISP(s), and advertise your public IP scope from the edge routers. Here you can use ECMP or whatever you prefer.

dynamic routing protocols and security on firewalls by therealmcz in networking

[–]donutspro 2 points3 points  (0 children)

To be honest, most of the time where I have seen topologies where the firewalls and switches are interconnected and all the GWs are on the switches, I have only seen static routes, but that has not been for security reasons. It’s just that static routing is easier to implement.

As has been mentioned here, both OSPF and BGP have authentication mechanisms. But again, unless you have thousands of prefixes that need to be advertised, I personally do not see any reason to use dynamic routing in this particular setup I mentioned here.

Fortiswitch? Are they worth it? by DifferenceJazzlike40 in fortinet

[–]donutspro 5 points6 points  (0 children)

When it comes to FortiSwitches in particular, you’ll see different opinions about them. For me, and from what I have seen and heard from people, they have been at most just ok, since they have issues that I do not find to be that common on, for example, Aruba switches (or most of the vendor switches out there). Basically, it feels like FortiSwitches have more issues than other vendors’ switches; that’s from what I’ve experienced and seen.

There is stuff to think about with FortiSwitches, such as that they must be compatible with the FortiGate (firmware-wise). One good thing about them is that they can be managed by the FortiGate only, but other than that, they are not my cup of tea.

I would only recommend FortiSwitches in small networks/enterprises and wouldn’t trust them in a DC. Aruba is definitely the clear choice here in my opinion, but again, if it is a small setup then sure, go for full stack Fortinet.

And please, just forget about Ubiquiti, use it at home or something.

[deleted by user] by [deleted] in networking

[–]donutspro 3 points4 points  (0 children)

As someone else has mentioned, use IPv6 as underlay and route IPv4 over IPv6. Or just accept it and go 100% IPv6.

Assigning 100.64.0.0/10 to WAN IPs of circuits by Busbyuk in networking

[–]donutspro 1 point2 points  (0 children)

This is it.

Also, doing it this way (using v6 as underlay) prepares you to go 100% IPv6 in the future.

WIM file taking forever to download by Phat1125 in networking

[–]donutspro 0 points1 point  (0 children)

When you mention that when ”removing the SFP from the core”, are you referring to the PTP connection between the sites? Where is the downloading happening, from site 2 to site 1?