Hey all, I posted in the forums, but I've had several queries from folks
on the list following my last post on the subject:
I finally took the time to dig, and got it to work. See my post:
http://forum.pfsense.org/index.php/topic,7791.0.html
My network looks like a loop of sorts, but the basic idea is in the
details of creating two logical bridges inside the Actiontec router box
that Verizon delivers with FIOS, thus giving you the security of
pfSense and still the ability to get guide data and video on demand.
Note that I have the "bridge to the set top boxes" on an OPT interface
that's well firewalled from my internal LAN, where my own PCs are connected.
Happy new year, and best regards,
andy
P.S. Contents of the post:
Hi all,
Sorry for the length of the post, but some good info inside in any case.
Those of you lucky enough to be in a Verizon FIOS area: "cool, welcome",
and you've likely noticed that the Actiontec router has some bad
limitations (intentional) which prevent you from using P2P programs and
the like. The "state table" (in pfSense lingo) or NAT table in the
Actiontec is limited to 1024 connections, and they take 4 minutes to
time out. Royal PITA. Start up BitTorrent, or anything else, and you'll
soon find you can't even get a DNS query through.
Following these directions, you can turn your Actiontec into a "bridge"
device. I have MoCA (coax) broadband to my Actiontec, and Ethernet out
the other end of the Actiontec. Directions for doing that are found here:
http://www.dslreports.com/forum/r17679150-Howto-make-ActionTec-MI424WR-a-network-bridge
Please, please, please pay attention to first doing a DHCP release on the
Actiontec router, or you'll not get any response from Verizon's DHCP
server when pfSense makes its own request later. Also, a hint in case
things go badly: you can power up the box holding the reset button
down, and start over. Second hint: if you see an error message that
indicates your pfSense box is NOT getting assigned a DHCP address, power
off the Actiontec for two hours or so. It seems that the 'loss' of MoCA
connectivity to the Actiontec AND two hours' time will unlock your DHCP
lease (typically just under two hours by default). (Otherwise, you have
to call tech support and ask them to "break your DHCP lease" for you,
and it's a long shot getting a tech that will 'just do that' upon asking.
They'll go through the whole 'reset, etc., etc.' setup on your router and
you'll be back at the beginning.) Note that if you have them unlock a
bad DHCP lease, they'll ask you to power down the Actiontec router,
which is fairly normal, and power back up after they break the DHCP
lease in their network management system.
The ports on the Actiontec are as follows in the default config:
COAX WAN (one coax connector): connected to the FIOS ONT. Splitters on the same
coax go to TVs and set top boxes.
(Coax WAN operates on channel 0 (1000 MHz); coax LAN, a second logical
interface on the same coax, operates on channel 1, at 1150 MHz.)
Ethernet WAN: unused
Ethernet LAN: 4 switch ports for LAN connections
Wireless: (useless after you do the setup detailed below)
Now, I have TiVos in front of the two main TVs I watch, so I get my
guide data from them, and didn't notice. HOWEVER, creating a bridge and
using pfSense (or any other FW) as your firewall will break the set top
box (STB) connection to Verizon, thus you get no guide data, no
video on demand, etc. Normally, the STBs operate on a COAX LAN (same
physical coax that is the WAN port, different channel), and the
Actiontec does NAT for them. In bridge mode, this is, of course, broken.
I've figured out how to get past this.
My own pfSense setup has a WAN port, a LAN port, and an OPT1 port which
serves my wireless network only. It's firewalled carefully away from my
LAN, and I leave it open just for convenience when friends or colleagues
come over to my house and want wireless access.
In following the above referenced directions, here are the additional
steps you need to take:
Log in to your Actiontec router. admin/password is the default
user/password combo. MOST Verizon installers change that password to
"password1" (worked every time in my neighborhood at friends' homes who
wanted help).
Click on "My Network" at the top of the page.
Click on "Network Connections".
You'll see a "home network" which has several sub-interfaces in it
(i.e. LAN switch ports, COAX LAN, and Wireless). Click on the home
network, click on settings, and uncheck the boxes by COAX LAN and
Wireless. You'll need to disable the wireless anyway.
Back to My Network, and Network Connections. "home network" should no
longer contain COAX LAN or Wireless. If not, go back and repeat and
click apply as many times as it takes ;-) Now, click on COAX LAN.
Disable the DHCP server and IP address on that COAX LAN (typically it
is 192.168.3.1) and click apply.
Back to My Network, and Network Connections. Click "Add" (the very bottom
choice), select "Bridge" (the middle choice, IIRC), and choose "setup
NEW BRIDGE". You'll want to add COAX LAN and Ethernet WAN to the new
bridge. Confusing, but you now have three physical interfaces: COAX (which has
two logical channel networks, COAX WAN and COAX LAN), Ethernet LAN, and
Ethernet WAN (unused until now).
Simply plug a Cat5 (or similar) cable into the Ethernet WAN port, and
connect this to your chosen "firewalled" interface. I put mine on OPT1
with the wireless, just to keep them off my LAN. I used one of the extra
ports on the back of a Netgear wireless box (set up as an access point
only; pfSense does all the DHCP and so on). Once this connection is
physically made, you've now done the following:
Removed COAX LAN from the 'home network' bridge setup (which includes
Ethernet LAN, Wireless, and, in the default config, COAX LAN).
Disabled DHCP and the IP address on the COAX LAN port.
Created a new, second bridge to include the COAX LAN and Ethernet WAN ports
(neither should have an IP address or anything).
Your STBs will now (you can unplug them/restart/etc. to get things
moving faster) get their IP addresses from your LAN side of the pfSense
box, and will pick up guide data, Video on Demand, and so on.
So now your ports are connected something like:
COAX WAN: still the same coax to the ONT, televisions, and set top boxes.
COAX LAN: (logical interface on the same COAX cable)
Ethernet LAN: one connection to the WAN port of your pfSense box.
Ethernet WAN: connection to another pfSense "firewalled" port of your
choice. Weird, but you're simply letting the STBs use your internet
connection to get their info and video through your new setup.
Video on demand for standard def seems to raise the pfSense box to about
4 Mbps throughput by itself, and HD VoD will be more. No big deal;
it doesn't seem to take away from your normal IP connection. I haven't
stress tested this setup yet, but don't see any issues.
My pfSense box is an old nForce2 motherboard and an Athlon 2800, 256 MB
of RAM, with 3 Intel 10/100 NICs. It doesn't seem bothered by VoD
traffic at all. I've heard (and believe it to be accurate in my own
testing) that processors with larger L1 caches will move traffic faster
through pfSense, so a cheap old AMD processor seems to be a good choice.
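The isolation andy describes (STB bridge and guest wireless on OPT1, allowed out to the Internet but kept away from the LAN) can be written as a short pf ruleset. The block below is an added illustration, not andy's configuration and not rules generated by pfSense; it is in raw pf(4) syntax of the kind pfSense writes to /tmp/rules.debug, and in the pfSense GUI the same policy is a handful of rules on the OPT1 tab. Interface names (fxp0/1/2 for three Intel 10/100 NICs), the LAN and OPT1 address ranges, and the rfc1918 table are assumptions chosen for the example.

```pf
# Assumed interface names for three Intel 10/100 NICs under FreeBSD (fxp driver).
wan_if  = "fxp0"
lan_if  = "fxp1"
opt1_if = "fxp2"          # STB bridge (Actiontec "Ethernet WAN" port) + guest wireless AP

# Constructed example address ranges; substitute your own.
lan_net  = "192.168.1.0/24"
opt1_net = "192.168.10.0/24"

# Everything private-addressed: covers the LAN, the firewall's own LAN address,
# and OPT1's own range, so a compromised STB or guest cannot even reach its neighbours.
table <rfc1918> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
scrub in all

# Translation rules must precede filter rules. Both LAN and OPT1 share the one
# Verizon DHCP-assigned WAN address, which is what lets the STBs "use your
# internet connection" for guide data and VoD.
nat on $wan_if inet from { $lan_net, $opt1_net } to any -> ($wan_if)

# Default deny, logged, so anything not explicitly allowed shows up in the firewall log.
block in log all

# OPT1 rules, first match wins ("quick"):
# 1. DHCP: STBs and guests boot with no address, so the client side is 0.0.0.0:68.
pass in quick on $opt1_if inet proto udp from any port 68 to any port 67 keep state
# 2. DNS to the firewall's own OPT1 address only (pfSense's resolver/forwarder).
pass in quick on $opt1_if inet proto { tcp udp } from $opt1_net to ($opt1_if) port 53 keep state
# 3. Everything else aimed at a private address is dropped, which blocks the LAN
#    and the firewall's LAN-side address before the general pass rule below.
block in log quick on $opt1_if inet from $opt1_net to <rfc1918>
# 4. Whatever remains is headed for the Internet (Verizon's guide/VoD servers included).
pass in quick on $opt1_if inet from $opt1_net to any keep state

# LAN is trusted outbound; it can reach OPT1 devices if it ever needs to, but not the reverse.
pass in quick on $lan_if inet from $lan_net to any keep state

# Forwarded traffic was already policed on the inbound interface.
pass out quick all keep state
```

Two things to check after applying a policy like this: the pfSense DHCP server must be enabled on OPT1 (the post relies on the STBs taking addresses from pfSense once the Actiontec's COAX LAN DHCP is disabled), and a quick test from an OPT1 client against a LAN address should produce a logged block rather than a connection. Rule 3 also keeps OPT1 hosts from reaching each other's private addresses through the firewall, which is the right default for a guest network; it does nothing about hosts on the same switch talking directly, so it is not a substitute for AP client isolation.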