PfSense + Verion FiOS (How To)
YES it can be done. YES it can be done without using the Actiontec router to control access to the internet.
I recently purchased Verizon FiOS, I did as much research as possible to ensure that I should be able to still use my pfSense box and my current network setup with FiOS as I was with Comcast Cable. Unfortunately there is not a lot of posts or documentation out there that really spell out whether you can or cannot do it and the specifics. There are a few that say it is possible, then there are a few that say it is possible but only if you are using Internet services only. This guide or how to details it all out for you to.
Inform the technician you want to run data over ethernet, my tech was very aimably to this so it wasn't a problem, some techs might not agree so quickly. (Be prepared to run the ethernet cable yourself.)
If your setup is like mine, you will get an internal backup battery unit and an external ONT unit, a hole will have to be drilled through your house for the battery backup power cable. Since you are wanting ethernet hookup a second hole will need to be drilled to pass the ethernet cable through to the external ONT box. During the setup of the ONT, the tech can enable the ethernet port for data. He will still need to connect the coax because the TV signal still travels over coax, only data connection goes over ethernet.
We strung the ethernet cable through the wall, and I terminated it into a wall mounted cat5e jack and plugged the cable into the ONT (rather the tech did). I then ran a cat5e cable from the jack to the actiontec router. (yes that is correct)
Unfortunately the way their software works to activate the line and to get the STBs setup they have to run a script from their laptop againts the actiontec that verifies connection, sets the password, uploads latest software to the STBs. Once the tech has done this you can proceed with the following steps.
1. After the tech has run his software against the actiontec router, login to the router.
2. Disable services you don't need, mainly for me this was the wireless.
3. If you have TV service DO NOT DISABLE DHCP (the STBs need DHCP over Coax to work)
4. Go to My Network > Network Connections -> Broadband Ethernet
5. Release the DHCP Lease
6. Disconnect the cable from the WAN port
7. Clone the Mac address of the Actiontec on your WAN of your pfSense box (this might not be necessary, but I find that in the past its best to mimic their technology)
8. Restart pfSense and during the restart connect the cable to the WAN port. (when it comes back up it should grab the IP from ONT)
9. Connect the WAN port of the Actiontec to the LAN port of your pfSense box (actually this can be any network inside your pfSense box, just make sure to give it 100% access outbound)
10. Log back into the actiontec (most likely you will need to connect a laptop or something to the lan port of the actiontec to do this)
11. Test internet connection using DHCP from the actiontec, if DNS is working OK (which it wasn't for me from behind the actiontec) then you are ok, if not then you might need to manually set your DNS servers (I found out what the verizon DNS servers where from my pfSense box and added them to the actiontec) You need DNS for the STBs to get guide data.
DO NOT connect a cable from your lan port of the actiontec into the lan side of your network, you will have conflicting DHCP services and it is not necessary to make it work. (some howtos and guides say it is necessary to create this loop, BS)
At this point it should all be working. Your STB's should be pulling IP Address from the DHCP server running on the Actiontec over the COAX connection. The Actiontec is supplying guide data to the STB's via the WAN port connection to the internet (even though it is behind the pfSense box). The video signal is coming into the STBs from the ONT over Coax.
I have the same configuration and everything works with the exception of the Remote DVR. Verizon states that Remote DVR will not work unless you use the Actiontec however other FIOS users at the dslreports.com forum report getting it to work with other routers. Does anyone have a working configuration that they can post using pfsense as the primary router.
Sorry to dig up this old topic but, I ran across it and thought I might be able to shed some light on a few other of the gaps. I used to work as a Verizon tech support agent for fios. They have been rolling out a few new features that include caller id to the stbs and remote dvr. Most of these new features are using a push notification to the stbs using an inbound port opened on the actiontec (or westell) router. I do not remember the port numbers that were used. If you want to use these features I would enable them before you switch to pfsense. Once you have them up and running, login to the Verizon router and take a look at the port forwarding. There should be rules created by Verizon's system in the router forwarding to the stbs.
Also if you are going to switch from coax to Ethernet after the install here is what you need to do to make it happen. 1st, make sure you have run an Ethernet cable from ONT inside the house. 2nd, call Verizon tech support (hint: option 2 should be for tech support, then say "agent" to skip to a rep). 3rd, when you get to the csa tell them you want to switch from coax to ethernet. If you get a csa that has a clue they will know what to do. If you get one that doesn't understand or says they can't, tell them they need to contact an nt and have them switch the wan ports to Ethernet. For testing purposes, after they have switched you to Ethernet hook up the actiontec router (doing so will allow the nt and csa to verify the Ethernet port is up and generally get them off the phone without anymore hassle). 4th, follow the rest of the guide above.
The Mac address is not "locked" at the ONT. The way it works is similar to most of the other residential ISP's I've dealt with. If you have a current valid dhcp lease the new Mac address will not be able to get a new lease until the old lease has expired or is broken. You need to either break your DHCP lease prior to changing devices or call support and have them do it.
Unfortunately, the new services (caller id on-screen and remote dvr) require more than port forwarding…the router reports its status (including WAN address) to VZ and if it's IP is not on the edge WAN (VZ provided routable IP) it won't provide those services. There is a very good FAQ on dslreports about using another router with the Actiontec/Westell provided by Verizon:
And a thread on the dslreports Verizon FIOS TV forum about putting your own router in front of the VZ router and retaining full functionality. Bit of a kludge but reading through the thread, there are a couple of ways to do it:
None of this is limited to pfSense, of course. And it only applies if you subscribe to VZ TV as well as internet. If you only subscribe to VZ FiOS Internet, you can use any router you choose.
Any router other than the VZ-supplied one connected to the ONT will require an ethernet connection, as omegadraconis points out. On the initial install, most techs will willingly activate the Ethernet port on the ONT if there's cat 5 available at the ONT location. If not, calling the FSC as he details works.
I'm using pfSense behind the FiOS-supplied Actiontec (Actiontec LAN ---> pfSense WAN) with no problem, even though it's double NATted. That said, I don't routinely do torrents or game, both of which can be adversely affected by this setup. I do have ethernet to the ONT and plan to try putting the pfSense box in front when I can get everything in place and plan for some down time.