Pfsense and verizon's actiontec MoCa router, how to get it working well
-
the current and future verizon connections will look like this:
fiber–ONT--coax--actiontec router-- wireless/wired LAN.
the coax is using 'moca' and allows any tv set top boxes to work over the coax in the home (including whole house dvr, etc) and get their updates via IP. MoCa runs up to 270Mbps currently.
the actiontec is a fast hardware appliance. one issue though. has small (non adjustable) NAT table of approx 1k connections. bittorrent, etc, easily trash this, even with pfsense box as DMZ host. consider my house with a few machines and no p2p can often exceed 400 connections as reported by the pfsense state number. with p2p, that easily goes 3k or higher. (I've had to powercycle the actiontec more than once just so http would work....)
using the following directions, I was able to put actiontec in bridge mode, let pfsense do the heavy lifting, and everyone is happier for it. actiontec crumbles at gy=undreds of connections, pfsense doesn't break a sweat even at 5k connections(as much as I've tossed at it)
my connection looks like this now, and the network seems far more responsive.
hope this is useful to others. works like a charm here.
http://www.dslreports.com/forum/remark,17679150?hilite=bridge+actiontec
/begin copy
How-to: make ActionTec MI424-WR a network bridge
After searching all over the web for definitive information about making the actiontec MI424-WR as a network bridge, I was unable to find any. I've experienced hell trying to make the actiontec a bridge and after finding some loose information on making a router of your choice (a thread here and a thread at the techimo forums stated that you needed to release your router IP first before doing anything else), I was able to get everything to work.
Why make the MI424-WR a bridge?
New FiOS installations now connect you using the MoCA system from the ONT, not ethernet, thus preventing you from directly connecting a router of your choice to the ONT (some of you may say that the ethernet jack at the ONT is still there and you could run an ethernet cable to it, but it will NOT work because the ONT was not configured for ethernet connectivity during initial install by verizon).
As part of the new FiOS installations, you are given an actiontec MI424-WR router
The MI424-WR is a pretty decent router (is powerful, has lots of features, and is quite flexible), however the major issue with it at the moment is the puny NAT table (only 1kb in size). The NAT table is easily overflowed just by running a single bittorrent or in some cases, playing games. When the NAT table is overflowed, you will get the "No IP for NAT - connections may fail" error logged in your MI424-WR's security log. During this time, you will unable to browse, ping, or connect to anything until you wait about 3 minutes. This problem seems to be widespread with this router, regardless of which firmware release is used. No one has been able to produce a workaround for this issue and neither actiontec or Verizon has acknowledged this issue officially. This problem makes your FiOS connection next to useless. While your overall throughput may drop when using a store bought consumer grade router, your actual usability may increase. I personally would take this trade off over NAT errors any day.
Instead of paying at least $100 to fix something that's not your fault (buying a MoCA to ethernet bridge), make the MI424-WR as a bridge and use a router of your choice!
This is what you will need to do:
- Connect your computer to the MI424-WR using an ethernet connection if you have not done so
- Open your web browser and type in 192.168.1.1 in the URL and press "enter"
- The default username and password for the MI424-WR is "admin" and "password, however verizon techs tend to change the password to "password1". If neither works, you will need to do a hard reset on the router (hold down the reset pinhole with a paperclip for about 10 seconds). If you did a hard reset, you may not be able to reconnect to the ONT due to a configuration issue with the default router settings (I will explain how to get it working as you keep reading).
- Once you are logged in, go ahead and reset the router to the default settings if you have done numerous customizations in the past, otherwise don't worry about it. To reset the config to defaults, click on "Advanced" at the top, then click yes in the confirmation box. You will then see "Restore Defaults" at the lower left side of the screen (under the red toolbox icon). The router will now reboot itself. Remember that the username and password resets itself to the actiontec default of "admin" and "password". It's a good idea to change the password after this is all done of course.
- Go ahead and log back into the router if you have "Restore Defaults", otherwise just click on "My Network" at the top of the screen. Once you are there, click on "Network Connections" at the menu on the left.
- You should now see a list of interfaces that exist in the router. To see them all, click on the "Advanced" button below that list.
- Now you will need to do this very important step. you will need to release your MI424-WR's IP from the ONT or you will NOT be able to have your new router DHCP an IP for itself!. To do this, click on the "Broadband Connection (Coax)" from the connection list. Then click on the "Settings" button at the bottom. You will now see a bunch of settings for this interface. Make sure the "Privacy" option is enabled (if you have reset your MI424-WR to defaults earlier, it maybe disabled. Not having this setting enabled will cause the connection to the ONT to fail!). You can click on the "Release" button if an IP address is currently assigned to the MI424-WR. Click the "Release" button and immediately change the "Internet Protocol" option to "No IP Address" (default setting is "Obtain an IP Address Automatically"). Click on "Apply" afterwards, then "Yes" (if there's a confirmation message), then "Apply" again.
- Now you will need to turn the MI424-WR into a bridge. In the connection list, click on "Network (Home/Office)", then click on the "Settings" button. You will see a list of interfaces under "bridge". Check the box next to the "Broadband Connection (Coax)", then check the box under the STP column. Click on "Apply" afterwards, then "Yew" (if there's a confirmation message), then "Apply" again.
- Since the MI424-WR will no longer be used for routing, go ahead and disable its wireless interface also. Click on "Wireless Access Point" in the interface list and then click on "Disable". You can also disable this in the "Wireless Settings" section.
- Just in case the MI424-WR will do something wacky, I disabled the built-in firewall also. Click on "Firewall Settings" and then select "Minimum", then click on "Apply".
- Verify that the MI424-WR no longer has a connection to the internet by looking at the status information in "Main". It should have a red light and say it's on PPPOE right now. The MI424-WR should still have a connection to the ONT. You can check this by going back into "My Network", then "Network Connections", then clicking on the "Full Status" button at the bottom of the list. "Broadband Connection (Coax)". Should say it's connected still.
- Next, disconnect all computers from the MI424-WR. Setup the router of your choice (for me, I'm using a Linksys WRT54G v4 running dd-wrt). Make sure your new router's IP address is something different from 192.168.1.1 or it will conflict! Your new router should now DHCP an IP from verizon without any problems.
The only way to access the MI424-WR after this setup is to directly connect a computer to it (via ethernet) and using a static 192.168.1.* IP address. It will no longer DHCP an IP to you. You will also notice that the "Internet" light (may look like a map globe) on the router will now be lit orange and blink red. This is normal. The MI424-WR control panel will also perpetually say you're not connected to the internet. That too is normal.
You will know everything is working when you see your new router getting an IP from verizon.
/end copy
-
Wow! This is VERY insightful. I would like to thank you for taking the time to note all of this. This behavior (not targeting Ethernet by default) is in quite contrast to the pfSense model so listen up! This model is actually endangering our existence! Yes, I am not being alarmist here. If you have to pay 100$ extra to get a bridge to Ethernet this is basically trying to eliminate solutions such as ours!
Please contact your Verizon FIOS rep and tell him/her how much this is really hurting the open source industry! Thanks!
-
hmm…I only wish I had your problem ;) Thanks for the writeup.
--Bill
-
ok, I admit I didn't read the entire thing, but…
The thing I am wondering about now is can you still get fios TV with this setup?
Or does this procedure mess with that?
One wouldn't think so, but who knows.I hear the ATT Uverse router can be set to not do NAT a little easier than this.
Good to know that you can bridge it out though. -
Just FYI, I just built a house in a newer community that is ALL FiOS but still has timewarner cable access. The houses come prewired with cat 5e to every room etc.. (nice home builder) and they run 2 cat 5e to the outside of the house. Basically the coax installs are for people who don't have extra cat 5 laying around. Almost everyone has extra coax going into their house from previous cable tv installs, so basically this is just installers being lazy.
For less than $100 you can have a private installer run cat 5e into your house to a central junction point, or the room in which you want to use your pfsense router. Me, personally, I'm using the huge junction box for nothing but telephone and networking that they built into the laundry room (central point in the house), and it's big enough for my mini-itx pfsense box too!
If you want to minimize cost, get your lazy butt into the attic and run cat 5e or cat 6 to the outside of the house where the ONT terminal will go. When the installer arrives just inform him that he will be using that connection, not the coax. Personally, I have 4 coax running into the house from a directv 5 lnb satellite for HD DVR etc in every room. FiOS still doesn't have an HDDVR so until they do, I'm sticking with directv and their superior mpeg 4 HDTV (yes I know off topic).
Anyways, point is, the installers use WHATEVER is easiest. They are just as lazy as the next guy and will do the absolute minimum work necessary to make it work. That includes using existing wiring if at all physically possible. They will NOT volunteer for anything.
Heck, you have to write checks under the table to get satellite installers to do things PROPERLY (ie not tack up coax outside a beautifully bricked house etc..). Doing it properly, requires running 4 coax into the attic and strapping a 6x8 multiswitch to a rafter and wiring internally to your already run quad shield coax or running more down the walls by pulling it through yanked onto the end of existing ratty RG59.
The point is, they're not going to put forth an ounce of effort more than necessary, so do your self a favor and prewire anything you want done before they get there, so it gets done right.
Just my 2 cents and a kitchen sink.
-
Can anyone explain how to do this with the Broadband Ethernet connection? I connected another router to the ethernet jack they installed and it gets an IP address fine. The problem is is that we have the FiOS TV so we need the MoCA interface on the LAN. I was able to bridge the Broadband Ethernet to the Network/Office connection (along with Ethernet, Coax, and Wireless). I then gave it a manually assigned IP address and turned off DHCP. All was almost good- devices attached to the LAN section of the Actiontec got an IP address from the Linksys router and I could access the Actiontec control panel from the Linksys LAN. But the devices on the Actiontec LAN (ethernet and coax) can't access the Internet. I turned off the firewall (or set it to low) on the Actiontec, but I don't know what else to try.
I'm doing this because the Actiontec router sucks but I need to get the Coax devices on the LAN. I got so close by making it a bridge and getting them IPs but they can't hit the WAN. Can anyone help?
Edit: I'm not currently trying to connect a pfsense box here but once I get it working with DD-WRT it should be cake to get it connected to my bsd boxen. Thanks!
-
I don't think that this will work at all. From what the tech's have told me, and what I've read about the MoCA technology is that it uses unprovisioned bandwidth from the ONT using the MoCA protocol in order to provide video services to your motorola boxes. Otherwise, you'd be sharing your 5 mbit or 15 mbit or 30 mbit connection with 2-10 mbit of video, and that wouldn't work very well at ALL.
As far as I know the only way to get verizon FiOS TV is through the MoCA trash Actiontec. There's a reason I had them install via ethernet, and why I still have DirecTV HD. I pole-mounted a DirecTV slimline 5 LNB dish outside my house so if at some point in the future verizon decides to get rid of the crappy MoCA actiontec non-sense I can switch over. But until they do, the actiontec router is a deal breaker. I refuse to use it, it's just plain crappy in 500 different ways. It locks up, has a small state table, is slow, and unreliable.
Besides, DirecTV has more HD's anyways, and is about to pwn't the HD cable/sat industry once their next 2 birds go live. (excuse the shameless plug)
I'm currently running with a cisco router for my house internet, but trying to get pfSense to work. Apparently the DHCP client portion of pfSense is either currently broken, or the mac address cloning in combination with DHCP doesn't work.