Verizon FIOS and PFSense



  • Thought I'd make a post and help anyone out who's having the same issues as me.

    Currently I use Verizon FIOS for TV, Internet and Phone. Initially the tech installed the Verizon Actiontec router and bridged my PFsense box through it. It worked, kind of. So after trying various online tutorials and messing with it, I called Verizon back and said this isn't working and fortunately got a tech who knew what he was doing.

    The solution, have the Actiontec replaced with a NIM. The NIM basically converts your Ethernet to Coax so your TV boxes (Set-top Boxes - STB) can get internet for the guides, DVR, On Demand, works. Obviously this isn't required if you are not using TV, but if you are, this is the way to do it.

    If you don't already have Ethernet from the ONT, you'll need a tech to come out and run an Ethernet connection from the ONT to your router, this is in addition to the Coax that's coming in for your TV. From what I've read, your STBs need to have an address near 192.168.1.10X. I'm sure like many of you all, I don't want my home network on 192.168.1.0. So to get around that, I installed a third NIC into my PFSense box and assigned it to the 192.168.1.0. You'll want to capture the MACs of your STBs so you can assign them reserved IPs - this is really only needed on your main DVR box.

    To get the remote access working to manage your DVR, you'll need to forward a few ports (there may be more, but this is working for me):
    WAN -> STB DVR (TCP 35000)
    WAN -> STB DVR (UDP 63145)

    So my physical connections are as follows:
    ONT Ethernet -> PFSense WAN
    PFSense LAN -> Home switch
    PFSense LAN2 -> Verizon NIM -> Coax splitter – same splitter the STBs are connected to (I have 2 STBs and the NIM so a 3 way splitter was used here, the IN was coming from the ONT Coax).
    ONT Coax -> 3 way splitter mentioned above

    The Actiontec is boxed back up and in my closet never to be used again.

    Hopefully this helps others like me.

    Good luck.
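
An added example, not part of the thread: a check that every WAN port forward in a pfSense configuration backup lands on the separate set-top-box segment from the post above (192.168.1.0/24 on the third NIC) rather than on the home LAN. The XML element names, the DVR address 192.168.1.100, and the 10.10.0.5 rule are assumptions constructed for the sample; compare them with your own export.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample shaped like the <nat> section of a pfSense config.xml
# backup (element names are an assumption; verify against your own export).
# 192.168.1.100 is a made-up reserved address for the DVR on the STB segment;
# the third rule is a deliberately misplaced forward into a home LAN.
SAMPLE_CONFIG = """
<pfsense><nat>
  <rule><interface>wan</interface><protocol>tcp</protocol>
    <destination><network>wanip</network><port>35000</port></destination>
    <target>192.168.1.100</target><local-port>35000</local-port></rule>
  <rule><interface>wan</interface><protocol>udp</protocol>
    <destination><network>wanip</network><port>63145</port></destination>
    <target>192.168.1.100</target><local-port>63145</local-port></rule>
  <rule><interface>wan</interface><protocol>tcp</protocol>
    <destination><network>wanip</network><port>8080</port></destination>
    <target>10.10.0.5</target><local-port>80</local-port></rule>
</nat></pfsense>
"""

def wan_forwards(config_xml):
    """Return (protocol, external port, target) for every WAN port forward."""
    root = ET.fromstring(config_xml)
    out = []
    for rule in root.findall("./nat/rule"):
        if rule.findtext("interface", "").strip() != "wan":
            continue
        out.append((rule.findtext("protocol", "").strip().lower(),
                    rule.findtext("destination/port", "").strip(),
                    rule.findtext("target", "").strip()))
    return out

def forwards_outside_segment(config_xml, stb_segment="192.168.1.0/24"):
    """List WAN forwards whose target is not on the isolated STB segment."""
    net = ipaddress.ip_network(stb_segment)
    bad = []
    for proto, port, target in wan_forwards(config_xml):
        try:
            inside = ipaddress.ip_address(target) in net
        except ValueError:  # alias or hostname target: cannot verify, so flag it
            inside = False
        if not inside:
            bad.append((proto, port, target))
    return bad

if __name__ == "__main__":
    for proto, port, target in forwards_outside_segment(SAMPLE_CONFIG):
        print(f"WAN {proto}/{port} -> {target} is outside the STB segment")
```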



  • I do like the part where you boxed up the actioncrap router.  Perhaps a mini-bonfire would have also been nice.

    I knew mine had to go when I called Verizon one day long ago to get some trouble taken care of and the lady on the phone started remarking on all the computers (and their names) that were connected.  So, I thought…  This firewall is crap.

    If their management interface gives them that much access, that router definitely has to go.



  • I just installed my pfsense firewall behind my Actiontec router.  I will get in touch with Verizon to see about the steps you recommend.  In the interim - I am trying to figure out how to forward ports through the Actiontec to the pfsense firewall and beyond.

    I have an Asterisk PBX and I was forwarding a couple of ports to allow it to receive incoming calls.  I tried changing these rules in the Actiontec to point to the WAN IP address of pfsense and then setting up NAT rules within pfsense to forward to the PBX (now behind pfsense).  Should this work?  (It didn't for me but I may not have configured it correctly).



  • You should have set up your actiontec in "bridged mode" so that your pfsense is getting the public IP on its WAN.  There should be no need to forward any ports to pfsense.  If you didn't set your actiontec router up this way, you should.  If you go layering NAT, especially with SIP, you are screwing yourself.



  • I had issues with my Actiontec router several years ago and Verizon came out and connected it via ethernet from the ONT, so that was already taken care of.  When I set up pfSense on an old PC I put together out of spare parts, I still had one set top box that required the Actiontec for guide data.  I configured the pfSense setup so that the WAN from the ONT connected directly to the pfSense WAN NIC.  The LAN side connected to a 24-port Dell gigabit switch in unmanaged mode.  I just hung the Actiontec off one of the LAN ports with the wireless enabled.  I have a laptop with wireless that we keep in the family room upstairs, but everything else in the house is hardwired.  This setup appears to be working well and it keeps anyone with a wireless connection from getting into my server since the Actiontec is basically isolated from the rest of the network.  I'm about to set up pfSense on a Watchguard Firebox so I'll probably connect the Actiontec on its own network port on the Firebox and assign it a different IP address to keep it totally separate from everything else.