Verizon FIOS setup - advice needed!



  • I am a complete newbie and am looking for general advice from the public.
    So far I've tried bridging the LAN/WAN and having a separate subnet (192.168.0.1) for the LAN IP.  Both setups seem to work but I'm not too sure if this is the best route.

    This is for my Verizon FIOS home network; the pfSense hardware has 3 physical NICs, of which I am using 2.

    FIBRE --> ONT --> ActionTec (DHCP Server) 192.168.1.1
                                              --> pfSense (WAN) DHCP on WAN-Side (Probably not a good idea) - gets a 192.168.1.X IP
                                              --> pfSense (LAN) Output 192.168.1.9 connects to PC1 (192.168.1.10 IP)

    What's the best setup for this complicated mess? I've attached a picture to, hopefully, help make it more clear.  My goal is to firewall PC1 from the internet, while allowing it to be accessible over the LAN.

    Thanks so much for your help



  • Is there any specific reason you still need your ActionTech router?  PfSense will do almost anything you can think of - especially in a simple setup like yours.  Do you need it for wireless?  Do you need to use it as your switch?  If either of these are true then disable DHCP on the ActionTech and do not use its WAN port.  Also, change the ActionTech IP to be something other than 192.168.1.1.  Use this IP for PfSense and make the ActionTech something like 192.168.1.2 if you still need to use it as an AP.  If you have a regular switch and don't need wireless, this all becomes a lot easier.

    Try setting up as follows:
    Fios->PfSense WAN interface
    PfSense LAN interface (DHCP enabled) to ActionTech LAN1 interface
    PC1 to ActionTech LAN2



  • He would need the Actiontec for the following reasons:

    • Newer (last 3 years) FiOS internet installs come in over coax using MoCA so the installers don't have to run coax for TV & cat5 for internet
    • Verizon STBs use IP & MoCA for VoD.

    If the feed comes in over cat5 then you can use pfSense as your WAN router, hook up a coax feed to your actiontec, hook up a LAN port on the actiontec (disable DHCP) to your LAN side of pfSense, and then leave the WAN side of the actiontec unhooked.  Alternatively, use a NIM in place of the actiontec.

    If your internet comes in over coax AND you have TV service then the install of pfSense gets a bit trickier.  There's a pretty good thread over at DSL reports on how to do it.



  • @mhab12:

    Is there any specific reason you still need your ActionTech router?  PfSense will do almost anything you can think of - especially in a simple setup like yours.  Do you need it for wireless?  Do you need to use it as your switch?  If either of these are true then disable DHCP on the ActionTech and do not use its WAN port.  Also, change the ActionTech IP to be something other than 192.168.1.1.  Use this IP for PfSense and make the ActionTech something like 192.168.1.2 if you still need to use it as an AP.  If you have a regular switch and don't need wireless, this all becomes a lot easier.

    Try setting up as follows:
    Fios->PfSense WAN interface
    PfSense LAN interface (DHCP enabled) to ActionTech LAN1 interface
    PC1 to ActionTech LAN2

    The ActionTec router is required as it is a newer install and thus over MoCA (as opposed to ethernet).
    So it has to be
    FiOS -> ONT -> ActionTec (Over MoCA) -------------------> pfSense ------------------->  PC1
                                         (LAN OUTPUT)            (WAN input)                    (LAN Output)

    I could make the ActionTec a bridge and make pFsense the DHCP Server.

    Also, I DO NOT have FiOS TV and thus DO NOT care about Widgets, VOD, etc.
    P.S. my network is a lot more complicated than this.  I've dumbed it down to make it easier to understand.



  • @jasonlitka:

    He would need the Actiontec for the following reasons:

    • Newer (last 3 years) FiOS internet installs come in over coax using MoCA so the installers don't have to run coax for TV & cat5 for internet
    • Verizon STBs use IP & MoCA for VoD.

    If the feed comes in over cat5 then you can use pfSense as your WAN router, hook up a coax feed to your actiontec, hook up a LAN port on the actiontec (disable DHCP) to your LAN side of pfSense, and then leave the WAN side of the actiontec unhooked.  Alternatively, use a NIM in place of the actiontec.

    If your internet comes in over coax AND you have TV service then the install of pfSense gets a bit trickier.  There's a pretty good thread over at DSL reports on how to do it.

    The comment you made (I've made it BOLD) is interesting.  Will this actually work? Basically you are saying…

    FiOS --> ONT --> CAT5e --> pFSense (WAN) --> pfSense (LAN OUT) --> ActionTec LAN (DHCP Disabled)



  • I have pfsense on FIOS.  If you are not using their TV, have VZ switch the ONT from COAX (MOCA) to CAT5 and just throw the AT in the rubbish.



  • @bhuwan:

    @jasonlitka:

    He would need the Actiontec for the following reasons:

    • Newer (last 3 years) FiOS internet installs come in over coax using MoCA so the installers don't have to run coax for TV & cat5 for internet
    • Verizon STBs use IP & MoCA for VoD.

    If the feed comes in over cat5 then you can use pfSense as your WAN router, hook up a coax feed to your actiontec, hook up a LAN port on the actiontec (disable DHCP) to your LAN side of pfSense, and then leave the WAN side of the actiontec unhooked.  Alternatively, use a NIM in place of the actiontec.

    If your internet comes in over coax AND you have TV service then the install of pfSense gets a bit trickier.  There's a pretty good thread over at DSL reports on how to do it.

    The comment you made (I've made it BOLD) is interesting.  Will this actually work? Basically you are saying…

    FiOS --> ONT --> CAT5e --> pFSense (WAN) --> pfSense (LAN OUT) --> ActionTec LAN (DHCP Disabled)

    Yes, it will work except that you don't need the ActionTec router at all.  You do, however, need a means to convert the Fibre optic connection to Ethernet whether via modem (if Verizon wants to lock in the connection to accept only the modem's 'MAC ID') or transceiver module.

    Next generation broadband is being deployed over here in Singapore and similar setups are being offered by the ISPs.  The network infrastructure provider will lay one fibre-optic connection with ONT free of charge (technically not free since the government paid for the project with tax monies) in every apartment/ house.
    One common method offered by ISPs is MoCA for houses that are not network ready because the ONT might not be located near the computers/ routers whereas nearly all houses are CaTV ready.

    For those of us with ready networks, we can lease a Huawei/ Ericsson modem and use them with our own routers.  The optic line is locked to the modem's ID so that optic ready houses cannot leech/ disrupt the connection without a ready plan (not unlike how cable connections are locked with modem HFC MAC ID).

    You need only request Verizon to do the same by providing/ leasing a FibreOptic modem instead of the MoCA device.  You would then hook up the pfsense box to the modem just like how a Cable Modem connection works.  You would then set the pfsense WAN to DHCP (or static if one is provided) and use the pfsense as a NAT router.
    i.e.
    FTTP -> ONT -> Modem -> pfsense router -> LAN

    As another user has stated, you can request for CAT 5e termination instead.  In this case, the modem/ transceiver and beyond would be outside of your premises.  You'll then connect the router directly into the wall socket.  The ActionTec would be hooked up to your network via its LAN port to provide CaTV services (similar to hacking a wireless router into an AP).



  • I would be very surprised if verizon would agree to any non-standard HW in place of the ONT.  Also, as the OP said, he doesn't have TV, so I can't imagine how anything other than switching to cat5 and pitching the AT makes any sense.



  • @danswartz:

    I would be very surprised if verizon would agree to any non-standard HW in place of the ONT.  Also, as the OP said, he doesn't have TV, so I can't imagine how anything other than switching to cat5 and pitching the AT makes any sense.

    Works the same then (Optic -> Eth bridge is effectively an optic modem).
    Over here, the ONT is little more than a SC junction box coupled with a Huawei modem (Huawei MoCA capable router for those that subscribe to IPTV/ VOIP services).  At stock, without any internet plans, we just get the SC junction box.
    I've hooked up with the ISP (friend's company) to throw in a Cisco 891 running a PPTP to their routing core for a static block of IPs though.  Now just waiting for the infrastructure provider to run the optic into my home.



  • First of all, it isn't just an optical modem - the ONT involves POTS telephone support as well as TV.  Unless you have specific technical knowledge you haven't cited, I wouldn't make suggestions like this which are likely to be a dead end for the OP.  I think I wasn't clear: my point was that I can almost guarantee verizon is not going to do something non-standard like this, but for policy reasons, not technical reasons.  Let some customer hook up non-verizon approved HW to their fiber-optic network?  Not likely, IMO.



    Yes, I understand it's not just a modem.  However, I fail to see why the OP cannot request that they (Verizon) provide the WAN IP off the CAT 5e link (since you stated that it is possible to request for this arrangement) instead of having an additional router tap the Coax and NAT route.

    Over here, we use a Huawei which provides POTS and CaTV when these services are subscribed to.  This is used to provide CaTV and POTS through the premises internal wiring.
    Another Huawei unit is used to tap the internal CaTV wiring in the premises to provide an Eth. connection for devices.
    The main difference is that we have the option to request for Eth to be provided instead for network ready homes.  And a Huawei device (similar to the actiontek) can tap the network to provide the POTS/ CaTV service.  The router is provided by the customer in this instance.



  • I don't know if we are having a language issue here?  What you are saying about requesting WAN via the CAT5 link is exactly what I was suggesting - my quibble was about my understanding that you are suggesting an alternative involving some non-standard fiber-optic HW to replace the ONT.  If that isn't what you meant, what did you mean? :(



  • @danswartz:

    I don't know if we are having a language issue here?  What you are saying about requesting WAN via the CAT5 link is exactly what I was suggesting - my quibble was about my understanding that you are suggesting an alternative involving some non-standard fiber-optic HW to replace the ONT.  If that isn't what you meant, what did you mean? :(

    Communication issue, yes.  I meant requesting that Verizon provides the modem if it is possible.  In this case, the modem would obviously be approved h/w.
    Evidently, we have very different definitions of an ONT.  Over here, the ONT is just a SC junction box and a separate modem (upon specific request, we can use a media converter instead) would tap this for an Eth connection.
    In the event that TV and voice services are required, this would be a Huawei device that provides CaTV and POTS in addition to a Cat 5 link.
    It seems that on your side of the pond, the ONT is an entire box which encompasses all of these.



  • The verizon ONT is not just a modem - as I said, it provides telephone service, TV service and internet access, including special support for video on demand streamed over the internet.



  • @danswartz:

    The verizon ONT is not just a modem - as I said, it provides telephone service, TV service and internet access, including special support for video on demand streamed over the internet.

    Would 'media converter' be acceptable then?  I can't think of any other terms.  What I meant was to request for a 'media converter' that specifically delivers the data communications over Cat 5 rather than Coax.



  • I am not being clear, I guess :(  Verizon is a large company.  They have certain equipment (various makes of ONT) which are what they put at customer sites.  If you ask them to put some other item in (why, what is it doing the ONT is not doing?) they are going to say no.  What is wrong with calling them and saying "please switch the internet access from COAX to CAT5".  Done.  Free.  What problem are you trying to solve here?



  • You gave me the impression that the ONT in question doesn't serve out CAT 5e.  ;D



  • I suggest you work on your reading comprehension, then.  Here was my first reply on this: "I have pfsense on FIOS.  If you are not using their TV, have VZ switch the ONT from COAX (MOCA) to CAT5 and just throw the AT in the rubbish."  How that gave you the impression the ONT wouldn't do this is beyond me.  I am done with this thread :(

