[Verizon FiOS] “Piggy Backs” Juniper’s Netscreen Router

My wife recently informed me our FiOS TV listing information was not showing up. The Set Top Box (STB) would not display any channel information and the Guide Listing was practically useless. “Call Verizon and let them know.” I said. Their solution, “your FiOS modem is bad. We cannot even ping it. We are sending a replacement unit in the mail!” After hearing this I said to myself “there is nothing wrong with the modem…” Ahhh… Just remembered we are using a Netscreen SSG-5 and all traffic is indeed blocked from the outside! But, internal traffic is allowed so I don’t see what the problem is.

To make a long story short, a FiOS representative visited our home a day or two later and said the STB will not work if we use our own firewall. Aparently the STB needs its own IP and since we are using the non-MOCCA setup (Ethernet for Internet and Coax for TV) We must use and “piggy back” of the FiOS modem in order for anything to work right and to get channel listing information. Well, there are only four ports for the local LAN on the FiOS router! “That’s the only way!” he said, “sorry, there is nothing we can do and it is not possible any other way!”

Ha! Okay, thanks for coming! Several minutes later our FiOS router was “piggy backing” on the Netscreen! The STB box with a little configuration was able to get an IP to pull down channel listing information. I will try and detail this configuration in another posting. Basically, the WAN port of the FiOS router connects to one of the six-ports on the netscreen and receives an IP that allows it to communicate with the outside. Since the FiOS router has its own internal DHCP server it can dish out a local IP to the STB, which must now be authorized by the Netscreen. The good thing about this setup is I can sniff the traffic between the FiOS router and the devices it tries to communicate with.

FiOS Router WAN port receiving a local IP

FiOS STB passing traffic through our Netscreen

This entry was posted in Security. Bookmark the permalink.

16 Responses to [Verizon FiOS] “Piggy Backs” Juniper’s Netscreen Router

  1. ACA says:

    I just got FiOS installed yesterday. Plugged my SSG5 behind the FiOS modem, changed the LAN subnet to 192.168.10.x as the 192.168.1.x conflicts with network one of my VPN connections. Noticed if I am behind the SSG5 my download speed does not pass 5mbps but if i connect straight to FiOS modem i get over 15Mbps. What steps did you take that made your solution work?

    • swinful says:

      Hi ACA,

      My SSG5 works pretty well behind VzFiOS and like you mentioned the network performance is not as good compared to using Verizon’s router. My upload/down rate is better then 5mbps, but not as high with the Verizon’s router. This part I have not been able to figure out why yet. However, I am able to get online with my SSG using Verizon. The setup is pretty minimal and I will discuss a bit in this reply on how to get started. Stay tuned for a later post which will detail more.

      1. Choose an interface to serve as your public, untrust, interface. Mine is eth0/0
      Under: Network -> Interfaces -> List
      Edit: eth0/0,
      Select: [Obtain IP using DHCP], [Automatic update DHCP server parameters]
      Interface Mode [Route]
      If you need to configure VIP, I suggest you wait until the basic is working first.

      2. Choose another interface to serve your private LAN. Mine is eth0/6 (
      Under: Network -> Interfaces -> List
      Edit: eth0/6
      Select: [Static IP] (Configure you IPs). For the interface IP I use [Managable]
      Interface Mode [NAT] /* You can select Route if you want, but you will have to set src-NAT for each policy that needs to get out your private LAN. NAT is good to start of. */

      3. Configure DHCP on your private LAN interface (eth0/6)
      Under: Network -> DHCP(List)
      Edit: the IP associated with your private lan interface (eth0/6)
      Select: [DHCP Server]
      Select: Server Mode [Enabled], [Update From Upstream DHCP Client on Interface [Any]]
      Gateway:, Mask: /24, Next Server Ip: [From Interface]
      Select [Addresses] and Enter/Create New DHCP range.

      If you use Wireless, the setup is the same.

      !!Note!! You may have to call Verizon to force a renew on your lease, so the SSG will get a new IP for Step-1. Also, I am currently running version: 6.3.0r3.0. Stay tuned for detailed steps on how to also make your STB (Set Top Box) obtain an IP via the SSG so you can receive channel listings as well. Let us know how you make out. I have also figured out how to stop Verizon from renewing my IP lease without having to pay extra for a static IP when using the SSG!


      • ACA says:

        I had to reset the SSG5 to factory default and then i was getting my full download and upload speed. Go figure. Is there a way that I can get the SSG to obtain the public IP address?

      • swinful says:

        ACA, have you tried the steps listed in the comments? Did it help?

      • simsjrg@gmail.com says:

        “I have also figured out how to stop Verizon from renewing my IP lease without having to pay extra for a static IP when using the SSG!”

        This drove me crazy when I had FiOS. How can you do this and do they allow you to use ports 25 and 80 if you are using an address in their dhcp pools? I would love to be able to go back to FiOS for the speed and not have to pay $74.90 a month for my business class cable with 5 static IP’s.


      • swinful says:


        I am certainly allowed to use both port 25 and and port 80 with my SSG5 using Verizon FiOS! And, I still confirm that while I do not have a business line the only time my ‘dynamic’ IP ever changes is if I reboot my SSG5, which is hardly ever and rare. In fact I just performed a quick test to see if I could reach port 25 on one of my internal machines by opening port 25 and viola!

        `–> telnet myhomenetwork.no-ip.com 25
        Trying x0x.x0x.200.x0x…
        Connected to myhomenetwork.no-ip.com.
        Escape character is ‘^]’.
        220 westmere.goldcoast.com ESMTP Sendmail 8.13.8+Sun/8.13.8; Tue, 23 Aug 2011 18:57:23 -0400 (EDT)

        There was no need to test with port 80 as that is used for my webserver. Essentially, Verizon just thinks my IP is dead because I disallow ping.

  2. Edo says:

    I have business class fios with 5 static ip addresses. I am using a juniper ssg140 instead of the verizon router. My computers can connect to the net just fine. ( similiar setup as yours just with a static IP address). My problem is that I can’t seem to get any of the other static ip addresses to route. I setup a VIP and routed to an internal server using standard and non-standard ports. No luck! Any advice for setting up a VIP with Fios and an SSG140

    • swinful says:

      Hi Edo,

      In addition to setting up a VIP for an incoming service have you configured a policy to allow this incoming connection? By default, just because you setup a VIP you cannot assume that service will be automatically allowed. You must create a policy to permit access. Let me know if you have created the policy and I will follow up with further details on how I configured my VIP services.

      • Anonymous says:

        Yes, I have configured a policy to allow the traffic to pass. A basic policy from the untrust to trust, using [any] as the source and the [vip] as the destination.

    • Anonymous says:

      The problem is related to ARP. This is what I just got from Verizon FIOS rep: “it is the ARP issue with the ALCTL network, a reboot will also fix the issue but it will happen every some many hours, you have to configure your router to reply to a ARP ping a ARP ping and it will stop the issues […] the best way and permanent fix is to get your router to reply to ARP pings, i understand a lot of people do not like it due to ARP poisoning attacks but you have to do that, to make it function right “

      • Edo says:

        FROM Edo :I became aware of the ARP ping problem when trying to troubleshoot with the verizon techs. I have attempted to work with the juniper tech support, they have not been much help. Do you know if the ssg140 can be configured to respond to the ARP pings?

  3. Mike says:

    Have you changed your config around at all? I am using an SSG5 as my main firewall with the Actiontec as a Ethernet to Coax bridge. I use one of the Juniper bgroup0 ports connected to one of the LAN ports on the Actiontec. I have set up the Actiontec with a Static IP so that I have connectivity to if from the network. The only issue I have is that I do not get Remote DVR and cannot access the DVR’s from the My Verizon website

  4. Mike O says:

    I have the same setup as Mike above and have had the setup for about 6-8 months or so. I would like to try and get the Remote DVR app for the iPhone to work though. Other than that the setup works great. The Verizon Remote app for iPhone works without issue

    • swinful says:

      Hi Mike & Mike O.,

      You are right. I just downloaded the iPhone FiOS Remote app and it works well. However, the iPhone FiOS DVR app will not allow me to schedule any TV shows. Are you receiving the following error when trying to schedule a show?

      “Network connection to FiOS services timeed out. View the FAQ …”

      With our setups being similar, I suspect once logged into the DVR app and selecting a show to be recorded, Verizon tries to connect back to the STB of the registered account to apply the setting and is being prevented from doing so. What do you think? I tried re-enabling port 4567 to my Verizon Router (ActionTec), but that did not work. Perhaps it’s trying to connect on another port?

  5. Mike O. says:

    Have you upgraded to the Quantum TV offering yet? Just wounding if there are any gotchas. Mike

  6. swinful says:

    Hey Mike. Not yet. Will keep you posted when I do and if there are any gotchas.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s