[Verizon FiOS] Using Juniper’s SSG 5 As The Main Router

Juniper SSG 5 Wireless


Using a Juniper SSG5 with ScreenOS as the main router for the Verizon FiOS service provides a number of features and benefits over using Verizon’s own wireless router, some of which are:

  1. Built-in antivirus, antispam and web filtering, allowing for the possibility of stopping all viruses and malware before they damage your network.
  2. Deep (packet) Inspection that has the potential to prevent application-level attacks from flooding the network.
  3. Seven fixed 10/100 interfaces that can each operate individually or as a group in layer 2 and/or layer 3 mode, while providing high-speed LAN connectivity and, if so desired, redundant WAN connectivity.
  4. And much, much more. Here is the full list of features and benefits for the Secure Services Gateways by Juniper Networks (PDF).

Also worth noting is the fact that Verizon’s ActionTec routers use TR-069, a WAN management protocol that allows the device, also known as the Customer Premises Equipment (CPE), to get and send data to authorized parties or servers. With the Verizon ActionTec router behind our SSG, we can effectively control this type of communication and possibly even capture the traffic it sends back and forth. There has been chatter about this in the past on slashdot.org, indirectly in the article Verizon Changing Users Router Passwords, along with the infamous open port 4567 on public-facing ActionTec routers. My personal experience with TR-069 is described later in this post.

We have the Verizon wireless ActionTec, model MI424WR, at home, and it sits behind our SSG5 with an additional coaxial connection at the back of it. This coaxial connection is used for connecting one or more set-top boxes (STB) to receive video, or to provide data in the case of a MoCA setup. When using the SSG5 router from Juniper, we do not completely eliminate the use of Verizon’s wireless router, as it is needed for TV/cable service via the coax cable, something the SSG5 cannot provide. I have found, though your mileage might vary, that when FiOS is first set up, technicians by default (I am told) perform a MoCA setup unless a non-MoCA setup is requested by the customer (which is what I requested).

MoCA refers to the Multimedia over Coax Alliance (MoCA) protocol, which allows for both data and video over a single coaxial cable. Hence, with a MoCA setup, there is no need to run an Ethernet cable directly from the Optical Network Terminal (ONT), usually on the side of the home, to the FiOS router inside the home. Instead, a single coaxial cable is run that carries both data and video, and sometimes voice. So, if you are to use an SSG firewall or similar device with Verizon FiOS, you will most likely want the non-MoCA setup, which is what I have for my SSG, and it works great! Once that is working, the SSG needs to be configured to allow Verizon’s router to sit behind it using its WAN port. The WAN port of the ActionTec router needs access to the Internet so that it can NAT the LAN and wireless devices that sit behind it. This includes the STBs, as they need access to the Internet for retrieving channel listings. I will explain this setup via this rough diagram:

FiOS SSG Setup


The setup is pretty straightforward. Again, this setup requires that:

  1. A Verizon tech provisions a non-MoCA setup.
  2. An Ethernet cable is run from the Optical Network Terminal (ONT), in a non-MoCA configuration, directly to a port of the SSG router (eth0/0) instead of the WAN port of the Verizon router.
  3. The WAN port of the Verizon ActionTec router connects to a physical port of the SSG to obtain an IP address via DHCP.

The initial configuration to set up the SSG 5 will not be discussed in detail; I assume the reader knows how to access the SSG device via the serial console and/or one of the network ports. In this setup of the SSG we:

  1. Configure eth0/0 as the WAN interface in the Untrust security zone, allowing it to act as a DHCP client.
  2. Configure eth0/4 through eth0/6 to bind to bgroup0 on network 192.168.2.0/24, in the Trust security zone (the WAN port of the Verizon ActionTec connects to one of these ports).
  3. Configure bgroup0 as a DHCP server to distribute IPs in the range 192.168.2.30 to 192.168.2.60.

Configure eth0/0 as the WAN interface in the Untrust security zone allowing it to act as a DHCP client.

set interface "ethernet0/0" zone "Untrust"
set interface ethernet0/0 route
set interface ethernet0/0 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage ssl
set interface ethernet0/0 dhcp client enable
set interface ethernet0/0 route-deny

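Afterwards, verify that ethernet0/0 on the SSG has a public Verizon IP address. You may have to wait a bit, up to five minutes, for the new IP to come in. Worst case, you may have to call Verizon to break the IP lease. There really is no need to restart the SSG; it will actively request an IP until it is satisfied. Note that the two manage lines above make the SSG answer ping and serve its HTTPS management interface on the Internet-facing port; leave them out if you do not administer the SSG remotely.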

Configure eth0/4 — eth0/6 to bind to bgroup0 on network: 192.168.2.0/24, in the Trust security zone.

set interface "bgroup0" zone "Trust"
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup0 port ethernet0/6
set interface bgroup0 ip 192.168.2.1/24
set interface bgroup0 ip manageable

Configure bgroup0 as a DHCP server to distribute IPs in the range: 192.168.2.30 — 192.168.2.60.

set interface bgroup0 dhcp server service
set interface bgroup0 dhcp server auto
set interface bgroup0 dhcp server ip 192.168.2.30 to 192.168.2.60

Afterwards, plug the Verizon ActionTec router into one of these ports, ethernet0/4, and it should receive an IP in the defined range. At this point, any communication originating from the ActionTec must pass through the SSG.

All of the above command-line configuration can be done via the SSG’s web interface as well. I don’t show that here as it is pretty much self-explanatory.

Once steps 1 through 3 are complete, the WAN port of the Verizon ActionTec router may be plugged into bgroup0 to receive an IP via DHCP. Next, the policy from “Trust” to “Untrust” should be configured to allow traffic from all devices in the Trust network out to the Untrust zone. It is left up to the reader to allow or deny specific traffic.

Configure a DefaultAllow policy from Trust to Untrust for devices that are part of bgroup0

set policy name "DefaultAllow" from "Trust" to "Untrust" "Any" "Any" "ANY" permit log

My personal experience with TR-069

Since the switch to have Verizon’s router “piggy back” my SSG, I have noticed periodic communication between our Verizon ActionTec router and at least two public IP addresses. Communication is initiated from the Verizon ActionTec router, or CPE device, about every 10 to 15 minutes to the following two IP addresses: 72.76.255.44 and 72.76.255.36. Active communication takes place on TCP port 80 and UDP port 6794.

From a whois query and reverse lookup, both IPs belong to Verizon and not some third party, at least not at first glance:

OrgName: Verizon Online LLC
OrgId: VRIS
Address: 22001 Loudoun County Parkway
City: Ashburn
StateProv: VA
PostalCode: 20147
Country: US
RegDate:
Updated: 2010-08-17
Ref: http://whois.arin.net/rest/org/VRIS

A reverse lookup shows one IP (72.76.255.36) as a DNS server and the other (72.76.255.44) as something else, probably used for channel listing updates by the look of the hostname:


$ dig -x 72.76.255.36 | egrep "SOA|PTR"
255.76.72.in-addr.arpa.	834	IN	SOA	ns5.verizon.net. dns.verizon.com. 2010073001 86400 3600 604800 86400

$ dig -x 72.76.255.44 | egrep "SOA|PTR" 
44.255.76.72.in-addr.arpa. 86309 IN	PTR	mercuryipg.frhdnjbbh09.fiostv.verizon.net.
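
Because the Trust-to-Untrust policy above logs sessions, the regular check-ins described in this section can be picked out of the log automatically. The following Python sketch is an added example, not part of the original post: it groups constructed, simplified key=value session records by flow and reports those that recur at a steady interval. The field names, the 192.168.2.30 lease standing in for the ActionTec, and the pairing of each address with a port are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
# Constructed sample, not captured traffic. Field names, the 192.168.2.30 lease
# (the ActionTec) and the address/port pairing are assumptions for illustration.
SAMPLE_LOG = """\
start_time="2010-08-20 10:00:05" proto=6 src=192.168.2.30 dst=72.76.255.44 dst_port=80
start_time="2010-08-20 10:03:10" proto=17 src=192.168.2.30 dst=72.76.255.36 dst_port=6794
start_time="2010-08-20 10:04:41" proto=6 src=192.168.2.31 dst=198.51.100.7 dst_port=443
start_time="2010-08-20 10:06:02" proto=6 src=192.168.2.31 dst=198.51.100.7 dst_port=443
start_time="2010-08-20 10:12:07" proto=6 src=192.168.2.30 dst=72.76.255.44 dst_port=80
start_time="2010-08-20 10:18:12" proto=17 src=192.168.2.30 dst=72.76.255.36 dst_port=6794
start_time="2010-08-20 10:24:04" proto=6 src=192.168.2.30 dst=72.76.255.44 dst_port=80
start_time="2010-08-20 10:33:09" proto=17 src=192.168.2.30 dst=72.76.255.36 dst_port=6794
start_time="2010-08-20 10:36:06" proto=6 src=192.168.2.30 dst=72.76.255.44 dst_port=80
start_time="2010-08-20 10:47:30" proto=6 src=192.168.2.31 dst=198.51.100.7 dst_port=443
start_time="2010-08-20 10:48:11" proto=17 src=192.168.2.30 dst=72.76.255.36 dst_port=6794
start_time="2010-08-20 11:55:00" proto=6 src=192.168.2.31 dst=198.51.100.7 dst_port=443
"""
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_line(line):
    """Return (timestamp, flow_key), or None if a required field is missing or bad."""
    f = {k: q or v for k, q, v in FIELD.findall(line)}
    try:
        ts = datetime.strptime(f["start_time"], "%Y-%m-%d %H:%M:%S")
        return ts, (f["src"], f["dst"], int(f["proto"]), int(f["dst_port"]))
    except (KeyError, ValueError):
        return None

def periodic_flows(log_text, min_gaps=3, max_jitter=0.25):
    """Map flow_key -> median interval (minutes) for flows that recur steadily."""
    seen = defaultdict(list)
    for ts, key in filter(None, map(parse_line, log_text.splitlines())):
        seen[key].append(ts)
    result = {}
    for key, stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mid = median(gaps) if len(gaps) >= max(min_gaps, 1) else 0
        # Steady means every gap lies within max_jitter of the median gap.
        if mid > 0 and all(abs(g - mid) <= max_jitter * mid for g in gaps):
            result[key] = round(mid / 60, 1)
    return result

if __name__ == "__main__":
    for flow, minutes in periodic_flows(SAMPLE_LOG).items():
        print(flow, f"recurs about every {minutes} min")
```

To use it on real data, adapt the FIELD pattern and key names to whatever format your syslog or log export actually produces.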

In another post, I plan on snooping the traffic initiated by the Verizon ActionTec router to the named IPs above. Stay tuned!

Cheers,
-swinful


5 Responses to [Verizon FiOS] Using Juniper’s SSG 5 As The Main Router

  1. Tim says:

    The only thing I would add to this is that on the SSG, a VR be set up, the ActionTec gets its own VR, add a DHCP scope for just MoCA devices and set the ActionTec router to relay this to the TVs. In this way, you get complete separation of your local trust LAN and TV traffic. I have been running this setup for the last 6 months without a problem… outside of having to reboot Verizon's router from time to time (POS 🙂 )

  2. Anonymous says:

    What a great post. Thank you swinful!
    Do you have or know of a post that shows how to connect and use the SSG between the ActionTec and my personal network? When I put it there now my network works great but I can't get to the internet.

    • swinful says:

      Hi,

      I am glad to hear you found this post useful. I am curious to know why the SSG would be connected behind the ActionTec instead of in front? What would be the end goal?

      For the setup of the SSG behind the ActionTec, if you have not done so already, at least one (the main) interface of the SSG should be placed in DHCP and NAT mode. In most cases this would be the Trust zone. But what have you configured that has not worked?

      Regards,
      swinful

  3. Qanan says:

    swinful – thanks for this post. You confirmed a few things I found and more. After sniffing my router for a week, I realized that there was traffic out of the Verizon ActionTec router which was originating from the new Motorola IPs FiOS put in, i.e. 912.168.1.100, 101, etc. Here is some of what I found, which is interesting (I’m a security tester, so maybe a bit concerning from a possible exploit view), after forcing a pptp clear command:

    (X’d out some of the data)

    urlsnarf snagged this POST cmd

    192.168.1.100 – – [xx/Dec/2012:17:30:xx -0500] “POST http://mercuryipg.FALDMDFLD00.fiostv.verizon.net/MercuryServer/1-9/STBLogger/LoggerService.fasmx HTTP/1.1″ – – “-” “Mozilla/4.0 (compatible; AP:FiOS-Mercury/14.47; PL:Motorola-DCT/25.39; BX:2500; UA:0000026xxxxxxxxxx; U; en-US)”

    I was able to capture over 20 .fasmx files over the course of an hour. The fasmx is a custom protocol (handler) for asp.net over http. I decoded it on another machine, but I only have access to this comp, so a notepad trans will have to do. Here are the contents of two of them:

    H  Cæ ª- â 472160000007223209048 qÇê=1TÊê= M
    MERCURY1.9.1 FLUpÇê= MERCURY1.9.1 MTR8Êê=F  VZ_DVR< act=4.1;FID=1827621592;ch=7;recStr=1038796230;dur=1136;pos=0 MERCURY1.9.1 ERR9Êê=¦  VZ_DVRœ ecode=0x8400001a;compId=VZ_DVR;file=DvrCtrl.c;func=DVRClearTemp;line=4321;etype=ERR;exname=;sysmsg=act=6.0;err=eAdapterReturnValue=3;
    ;callstack=;btncode=0 MERCURY1.9.1 MTR@Êê=-
    VZ_FULL_GUIDE act=launch;btncode=KEY_NONE; MERCURY1.9.1 MTRAÊê=+
    VZ_FULL_GUIDE act=Quit;btncode=KEY_NONE;

    H  CF ª- B 472160000007223209048vÃê=1/Æê= M
    MERCURY1.9.1 FLUvÃê= MERCURY1.9.1 MTR~Ãê=  VZ_TV_MODES_BAR
    Modes:Started MERCURY1.9.1 MTRÇÅê=o  VZ_DVRe act=3.1;FID=1827621592;ch=7;PlRecStr=1038796xx;RecStr=10387xxx30;PlRecDur=1800;RecDur=0;pFlgs=0x80a; MERCURY1.9.1 MTR/Æê=- VZ_FULL_GUIDE act=launch;btncode=KEY_NON

    We know Motorola is using a SOAP protocol from those ports, so the interaction between the FIOS service and the Motorola Media boxes appears to be in part done via Verizon's Actiontec router to the internet. Knowing a bit about the SOAP protocol, it would be interesting to see if Verizon forced authentication both ways to avoid a potential exploit into the LAN via this service.

    Let me know if what you found jives with that as well. It would be a security nightmare if this service opened up a backdoor.
