FIOS VoD/Video success, and some helpful hints for getting pfSense in the middle



  • Hi all,

    Sorry for the length of the post, but some good info inside in any case.

    Those of you lucky enough to be in a Verizon FIOS area, "cool, welcome," and you've likely noticed that the Actiontec router has some bad limitations (intentional) which prevent you from using p2p programs and the like. The "state table" (in pfSense lingo) or NAT table in the Actiontec is limited to 1024 connections, and they take 4 minutes to time out. Royal PITA. Start up BitTorrent, or anything else, and you'll soon find you can't even get a DNS query through.

    Following these directions, you can turn your Actiontec into a "bridge" device. I have MoCA (coax) broadband to my Actiontec, and Ethernet out the other end of the Actiontec. Directions for doing that are found here:
    http://www.dslreports.com/forum/r17679150-Howto-make-ActionTec-MI424WR-a-network-bridge

    Please please please pay attention to first doing a DHCP release on the Actiontec router, or you'll not get any response from Verizon's DHCP server when pfSense makes its own request later. Also, a hint in case things go badly: you can power up the box, holding the reset button down, and start over. Second hint: if you see an error message that indicates your pfSense box is NOT getting assigned a DHCP address, power off the Actiontec for two hours or so. It seems that the 'loss' of MoCA connectivity to the Actiontec AND two hours' time will unlock your DHCP lease (typically just under two hours by default). (Otherwise, you have to call tech support and ask them to "break your DHCP lease" for you, and it's a longshot getting a tech that will 'just do that' upon asking. They'll go through the whole 'reset, etc, etc' setup on your router and you'll be back at the beginning.) Note that if you have them unlock a bad DHCP lease, they'll ask you to power down the Actiontec router, which is fairly normal, and power back up after they break the DHCP lease in their network management system.

    The ports on the Actiontec are as follows in the default config:
    COAX WAN (one coax connector): connected to the FIOS ONT. Splitters on the same coax go to TVs and set top boxes.
    (Coax WAN operates on channel 0 (1000 MHz); coax LAN, a second logical interface on the same coax, operates on channel 1, at 1150 MHz.)
    Ethernet WAN: unused
    Ethernet LAN: 4 switch ports for LAN connections
    Wireless: (useless after you do the setup detailed below)

    Now, I have TiVos in front of the two main TVs I watch, so I get my guide data from them, and didn't notice; HOWEVER, creating a bridge and using pfSense (or any other FW) as your firewall will break the set top box (STB) connection to Verizon, thus you get no guide data, no video on demand, etc. Normally, the STBs operate on a COAX LAN (same physical coax that is the WAN port, different channel), and the Actiontec does NAT for them. When in bridge mode, this of course is broken.

    I've figured out how to get past this.

    My own pfSense setup has a WAN port, a LAN port, and an OPT1 port which serves my wireless network only. It's firewalled carefully away from my LAN, and I leave it open just for convenience when friends or colleagues come over to my house and want wireless access.

    In following the above referenced directions, here are the additional steps you need to take:

    Log in to your Actiontec router. admin/password is the default user/password combo. MOST Verizon installers change that password to "password1" (worked every time in my neighborhood at friends' homes who wanted help).
    Click on "My Network" at the top of the page.
    Click on Network Connections.

    You'll see a "Home Network" which has several sub-interfaces in it (i.e. LAN switch ports, COAX LAN, and Wireless). Click on the Home Network, click on Settings, and uncheck the boxes by COAX LAN and Wireless. You'll need to disable the wireless anyway.

    Back to My Network, and Network Connections. "Home Network" should no longer contain COAX LAN or Wireless. If not, go back and repeat and click Apply as many times as it takes ;-) Now, click on COAX LAN.
    Disable the DHCP server and IP address on that COAX LAN (typically, it is 192.168.3.1) and click Apply.

    Back to My Network, and Network Connections. Click "Add" (very bottom choice) and select "Bridge" (the middle choice IIRC) and choose Setup NEW BRIDGE. You'll want to add COAX LAN and Ethernet WAN to the new bridge. Confusing, but you now have three physical interfaces: COAX (which has two logical channel networks, COAX WAN and COAX LAN), Ethernet LAN, and Ethernet WAN (unused until now).

    Simply plug a Cat5 (et al) cable into the Ethernet WAN port, and connect this to your chosen "firewalled" interface. I put mine on OPT1 with the wireless, just to keep them off my LAN. I used one of the extra ports on the back of a Netgear wireless box (set up as an access point only; pfSense does all the DHCP and so on). Once this connection is physically made, you've now done the following:

    Removed COAX LAN from the 'Home Network' bridge setup (which includes Ethernet LAN, Wireless, and in default config, COAX LAN).
    Disabled DHCP and IP address on the COAX LAN port.
    Created a new second bridge to include the COAX LAN and Ethernet WAN ports (neither should have an IP address or anything).

    Your STBs will now (you can unplug them/restart/etc to get things moving faster) get their IP addresses from your LAN side of the pfSense box, and will pick up guide data, Video on Demand, and so on.

    So now your ports are connected something like:
    COAX WAN: still the same coax to the ONT and televisions and set top boxes.
    COAX LAN: (logical interface on the same COAX cable)
    Ethernet LAN: one connection to the WAN port of your pfSense box.
    Ethernet WAN: connection to another pfSense "firewalled" port of your choice. Weird, but you're simply letting the STBs use your internet connection to get their info and video through your new setup.

    Video on demand for standard def seems to raise the pfSense box to about 4 Mbps throughput by itself, and HD VoD will be more. No big deal, doesn't seem to take away from your normal IP connection. I haven't stress tested this setup yet, but don't see any issues.

    My pfSense box is an old nForce2 motherboard and an Athlon 2800, 256 MB of RAM, with 3 Intel 10/100 NIC cards. Doesn't seem bothered by VoD traffic at all. I've heard (and believe it to be accurate in my own testing) that processors with larger L1 caches will move traffic faster through pfSense, so a cheapy old AMD processor seems to be a good choice.

    Best regards,
    andy
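The "firewalled carefully away from my LAN" policy that andy describes for the OPT1 port (wireless guests plus the Actiontec's Ethernet WAN, i.e. the STBs) is written out below as a hand-rolled pf ruleset. This is an added example, not andy's configuration and not the rules pfSense generates; the interface names em0/em1/em2, the 192.168.x subnets and the state limit are assumptions. pfSense builds its own ruleset from the GUI (the result is pf syntax in /tmp/rules.debug), so on a pfSense box the same policy is entered as per-interface rules on OPT1 rather than typed into pf.conf; the point here is what the policy has to say.

```pf
# Added example: pf policy for a three-port box (WAN, LAN, OPT1).
# Interface names and subnets are assumptions, not values from the post.
wan_if   = "em0"             # to the Actiontec's Ethernet LAN port
lan_if   = "em1"             # trusted LAN
opt1_if  = "em2"             # wireless AP + the Actiontec's Ethernet WAN port (STBs)
lan_net  = "192.168.1.0/24"
opt1_net = "192.168.2.0/24"

# Far above the Actiontec's 1024-entry NAT table; assumed value, size it to your RAM.
set limit states 50000
set skip on lo0
scrub in all

# Both segments share the single Verizon-assigned address on WAN.
nat on $wan_if inet from { $lan_net, $opt1_net } to any -> ($wan_if)

# Default deny inbound on every interface; the box's own outbound traffic is allowed.
block in log all
pass out keep state

# LAN is trusted: anything out, replies tracked by state.
pass in on $lan_if inet from $lan_net to any keep state

# OPT1 hosts (STBs, guests) may get DHCP and DNS from the firewall itself ...
pass in quick on $opt1_if inet proto udp from any port 68 to any port 67 keep state
pass in quick on $opt1_if inet proto { tcp, udp } from $opt1_net to ($opt1_if) port 53 keep state

# ... but never reach the LAN or the firewall's own addresses (quick: wins over the pass below).
block in log quick on $opt1_if inet from any to { $lan_net, ($opt1_if), ($wan_if) }

# Everything else from OPT1 goes out to the Internet via WAN.
pass in on $opt1_if inet from $opt1_net to any keep state
```

Ordering matters in pf: without `quick`, the last matching rule wins, so the block to the LAN is marked `quick` and placed after the two narrow DHCP/DNS passes, ensuring an STB can fetch guide data and VoD over WAN while still having no path to LAN hosts or to the firewall's web GUI on its other addresses.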



  • Hey folks,

    See lots of reads on the topic. Glad it's gotten some interest.

    Also, I've been able to determine the following while getting all this to work:

    1- Verizon has complete access to their provided Actiontec router even when there is NO WAN IP ADDRESS on the box. I had VZ support log in and verify my box firmware and config status even though my IP address lease was locked out. Unlike my GUI view of the logs, which show logins and failed attempts, NO logging of their activity is shown.

    2- Number one simply indicates they have full access to your "firewall" unless you put your own behind it. As they say, that's zero security in my book.

    What was it President Reagan said? "Trust but verify."

    To that, I say "to heck with trust..."

    Best regards,
    andy

    p.s. Several [of the most popular] commercial 'Windows client' type software firewalls also have not-so-known backdoors built into them as well.



  • btw, followed the document, but I don't use MoCA for my WAN, just for the LAN. Got it to work with Ethernet to the WAN, and it is working great. Now to replace my Linksys with the pf and off to the races we go!

    kosta



  • Followed your link to dslreports and from there got linked to this post, which has a very clear set of instructions similar to yours. Much thanks for this; saved the day getting pfSense back up where my children live.

    http://www.dslreports.com/forum/r20006536-Make-your-actiontec-a-bridge-with-VOD-working-with-REV-D
