I’m generally happy with Verizon’s FiOS internet service, seeing the full bandwidth from my subscription at low latencies. However, being forced into using the Verizon router because my new home’s original coaxial cable supply came from Verizon’s ONT wasn’t particularly rewarding after being spoilt by a custom built pfSense firewall. The original MoCA coaxial network is perfectly fine for distributing video for the TV service around the home, however it’s limited in comparison to good old Cat5 when it comes to distributing TCP/IP around the home, something I knew I’d be needing as wifi coverage across the larger property I’m now living in was spotty, and a camera security system install was approaching. To further complicate matters, Verizon rely on their modem to provide functionality such as Video on Demand (VOD), program guide information and premium pay per view purchasing, all of which my family make use of.
Here’s a diagram of what I wanted to accomplish
The first thing is to get the ONT switched from providing a coaxial based network feed to a UTP Cat5 one. Call Verizon and see what options are open to you to accomplish this; in my case an upgrade to a service of > 75 Mbps required the conversion to be done, and Verizon covered the call out costs of the conversion in order to collect the additional revenue. If you already have a newish ONT installed and can run your own Cat5 cable, you may just require Verizon to remotely reconfigure your ONT, which can be done quickly and free of charge with a simple phone call.
I had a few issues actually getting pfSense to acquire a WAN address from Verizon; even after releasing the address from within the Verizon modem it still wouldn’t acquire a new address. I spent a while working through some issues with Verizon’s technician on the phone and in the end decided it was easier to just clone the MAC address from my modem into pfSense’s WAN network interface.
To discover the MAC address your Verizon modem is using, log in to your existing Verizon modem. This works with both the newer G1100 and the older Actiontec MI424WR Rev I models.
Navigate to Advanced (in the top menu bar) > Mac Cloning (in the side bar) where you will see the MAC address displayed.
Make a note of this address.
Log into pfSense and Navigate to Interfaces > WAN.
Enter the MAC address from your Verizon modem into the MAC controls field like this
Save and Apply.
Disconnect your WAN connection from your Verizon modem and connect it to your pfSense WAN interface. Reboot pfSense and when it reloads you should have acquired a WAN address.
Navigate to Firewall > Aliases > IP
Navigate to Firewall > Aliases > Ports
NOTE: As this guide is building upon my previous guides, I’m going to use a VLAN connection to segregate the traffic. It’s possible to simply use an available NIC from the Available network ports list instead; you’ll just need to substitute my VLAN interface name for yours.
Navigate to Interfaces > (assign) > VLANs
Navigate to Interfaces > (assign) > Interface assignments
Configure the interface as follows
General Configuration
Static IPv4 configuration
Private networks
The Verizon modem won’t be able to allocate any DHCP addresses once we shift it into bridged mode, so we need to handle this from pfSense. I like to set each interface to use x.x.x.100-199 for dynamic addresses and reserve x.x.x.10-99 for static allocations. I also set the NTP server to look to my pfSense for time synchronisation rather than rely on external servers.
Navigate to Services > DHCP Server
Select VL60_FiOS_DMZ tab and set the DHCP server as follows:-
I run all DNS queries via my local DNS Resolver to reduce the amount of info I leak to Verizon.
Navigate to Services > DNS Resolver > General Settings
As our firewall rules will block the modem from reaching external NTP servers on port 123, the NTP port, we have to handle NTP locally. Anything which reduces our public footprint is beneficial so long as functionality doesn’t suffer. No need for this ‘ping’ beacon to be noticeable.
Navigate to Services > NTP
Create a rule to allow the Verizon modem, which will be on the 192.168.60.x subnet, to access the public internet address range. I exit this traffic through the default gateway rather than the VPN gateway. I don’t think Verizon monitor it, but they might be surprised if they saw my IP changing from state to state or country to country!
Navigate to Firewall > NAT
Translation
Misc
- No XMLRPC Sync = [ ]
- Description = VL60_FiOS_DMZ to WAN
The order of the NAT rules is important too, so drag the VL60_FiOS_DMZ rule up above the VPN gateway rules.
Your NAT rule should look like this when you’re done.
Allow DNS lookups to our pfSense router and the DNS Resolver only.
Allow NTP lookups to our pfSense router only.
Verizon’s modem only needs access to a few limited ports, which we defined in the Allowed_OUT_ports_FIOS_DMZ alias.
As this is a critical rule, validate your settings against the image below
To put our modem in a DMZ where it’s unable to snoop on any other network devices or services, we need to block any and all access to other subnets and network devices.
As this is another critical rule, validate your settings against the image below
Verify your VL60_FIOS_DMZ firewall rules look like this when complete - the separators are to aid readability; they don’t affect functionality, so feel free to omit them.
Either the Actiontec MI424WR Rev I or the newer G1100 will work fine.
I’m going to use the MI424WR Rev I as it’s possible to buy one off eBay for less than $30 delivered, whereas the G1100 is closer to $130. There are no functional differences when used in this way.
First, let’s reset the device to its default configuration: press and hold the small red reset button on the back of the router for 10 seconds. Eventually the green power LED will start to flash whilst it reconfigures itself and boots up.
Connect a network cable to one of the LAN ports and log in at 192.168.1.1
The default username is admin and the password is printed on a label on the side of the router itself.
We’ll use the modem’s LAN ports as a management interface for the remainder of this configuration guide. We will set the interface to a fixed address, move it off the commonly used 192.168.1.x segment and disable DHCP, to ensure we can always get back in to the user configuration screens.
Navigate to My Network > Network Connections
Configure the interface as follows:
You will need to adjust your PC’s interface settings to be in the same subnet as the address we just programmed into our modem, e.g. 192.168.2.2.
Once this has been done, we can log back in at the new address.
Once you are logged back in, disable some unneeded services.
We won’t be using the wireless features, so let’s disable them completely.
Navigate to Wireless Settings > Basic Security Settings
As pfSense is now shielding us from WAN attacks, we can disable the firewall feature set too.
Navigate to Firewall Settings
Configure the broadband connection interface to operate in bridge mode.
Navigate to My Network > Network Connections
Configure the interface as follows:
Navigate to My Network > Network Connections
Update the interface as follows:-
Connect the coaxial line from the ONT to the coaxial input of your modem, connect your pfSense configured interface to the LAN port of your modem.
Navigate to My Network > Network Connections > Full Status
If you log into pfSense and Navigate to Status > DHCP leases you should observe a DHCP allocation for the Verizon box.
Let’s assign a fixed IP address to make it easier to handle the port forwards later on, which are a requirement for remote DVR and caller ID functionality. Click the ‘+’ sign to the right of the device to assign a static IP address. You can mouse-over to ensure you get the right one.
Provide an IP address for this device which will be reserved and allocated every time it performs a DHCP request. The IP address assigned needs to be outside of the DHCP scope for the interface.
Assign parameters as follows:
It’s worth restarting your Verizon box at this stage to ensure it picks up the reserved IP address, initialises correctly and permits you to meaningfully validate your work so far.
If you go to one of your TVs and access the Verizon Menu:
Navigate to Settings > System Information and press ‘Info’ to get more details so you can verify connectivity.
Navigate back to the main menu and try and access On Demand services, verify they still work correctly.
Navigate back to the main menu and try and access ‘Widgets & Apps’, verify they still work correctly.
I added this additional functionality to my system about 6 months ago, shortly after I published the original article. It’s been reliable for me since, so I figured I’d add the additional steps for others too.
To enable remote recording and on screen caller displays, we need to add a couple of port forwards to enable the traffic from Verizon which arrives at our pfSense WAN interface to make its way via our internal network to our STB.
There’s a need for two ports to be forwarded to enable Caller-ID and remote DVR functionality.
Note: If you have more than one STB/DVR, you will need to increase the port range by 1 for every box in the creation steps, for example, if you had four boxes you would use 35000>35003 and 63145>63148.
TCP port 4567 is used by Verizon support technicians to gain access to your modem, but given this setup is unsupported there isn’t much point, so I’ve omitted it.
Navigate to Firewall > NAT
Navigate to Firewall > NAT
When this is complete, your Port Forwards should look like this (I’ve highlighted the Verizon port forwards for clarity)
When we created the two port forwards, associated firewall rules were created on the WAN interface to allow the inbound traffic to reach the DVR. They are, however, created at the bottom of the list, and because rules are processed top to bottom they need to be reordered manually.
Navigate to Firewall > Rules > WAN
Drag the Verizon port rules up so they are above the default block rules if you have them. When you are done your interface should look something like this
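Both the VL60_FiOS_DMZ rule set above and the WAN reordering step hinge on the same thing: pfSense evaluates an interface’s rules top to bottom and the first match wins. The following Python model, added here as an example and not part of the original guide or of pfSense, encodes the DMZ policy as described and shows why an auto-created port-forward rule sitting below a block rule never fires. The pfSense address 192.168.60.1, the DVR reservation 192.168.60.20, and the contents of the Allowed_OUT_ports_FIOS_DMZ alias (80/443) are assumptions; the guide does not list them.

```python
import ipaddress
from dataclasses import dataclass

PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Rule:
    action: str        # "pass" or "block"
    proto: str         # "tcp", "udp" or "any"
    dst: str           # CIDR, "any", or "!private" (stand-in for a non-RFC1918 alias)
    ports: frozenset   # destination ports; empty means any port
    label: str

def matches(rule, proto, dst_ip, dport):
    ip = ipaddress.ip_address(dst_ip)
    if rule.proto not in ("any", proto):
        return False
    if rule.dst == "!private":
        if any(ip in net for net in PRIVATE):
            return False
    elif rule.dst != "any" and ip not in ipaddress.ip_network(rule.dst):
        return False
    return not rule.ports or dport in rule.ports

def evaluate(rules, proto, dst_ip, dport):
    """First match wins, top to bottom; no match falls to the implicit default deny."""
    for rule in rules:
        if matches(rule, proto, dst_ip, dport):
            return rule.action, rule.label
    return "block", "implicit default deny"

def stb_ports(base, boxes):
    """One port per STB/DVR, e.g. 35000-35003 for four boxes, as the guide's note says."""
    return frozenset(range(base, base + boxes))

# VL60_FiOS_DMZ tab in the order the guide builds it (pfSense address and alias contents assumed).
PFSENSE = "192.168.60.1/32"
VL60_RULES = [
    Rule("pass", "udp", PFSENSE, frozenset({53}), "DNS to pfSense resolver only"),
    Rule("pass", "udp", PFSENSE, frozenset({123}), "NTP to pfSense only"),
    Rule("pass", "tcp", "!private", frozenset({80, 443}), "Allowed_OUT_ports_FIOS_DMZ to WAN"),
    Rule("block", "any", "any", frozenset(), "block all other subnets and devices"),
]

# WAN tab: the auto-created port-forward rules land below an existing block rule until dragged up.
DVR = "192.168.60.20/32"  # constructed reserved address for the STB/DVR
def wan_rules(reordered):
    forwards = [Rule("pass", "any", DVR, stb_ports(35000, 1), "NAT remote DVR"),
                Rule("pass", "any", DVR, stb_ports(63145, 1), "NAT Caller-ID")]
    default_block = [Rule("block", "any", "any", frozenset(), "default block")]
    return forwards + default_block if reordered else default_block + forwards
```

Run `evaluate(VL60_RULES, "tcp", "192.168.10.5", 443)` to confirm the modem is cut off from another internal subnet even on an otherwise allowed port, and compare `wan_rules(False)` with `wan_rules(True)` to see the reordering take effect.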
I logged into Verizon’s user portal and accessed the ‘TV Listings & DVR’ section, where it’s possible to view and manage my authorised devices, view scheduled programming…
…and selected ones for recording.
All the functionality I tested worked as expected, please let me know if you find something that isn’t working and I’ll see if I can improve this guide and help.
To verify this works, ensure the option is enabled on your STB first, then call your Verizon number. You should see a blue box appear on screen notifying you of the call and name/number calling.
November 3 2016
Updated modem/pfSense connection info
August 7 2016
Added fixed IP assignment to DVR
Added remote DVR and Caller-ID port forwards