Using a Juniper SSG5 with ScreenOS as the main router for Verizon FiOS service provides a number of features and benefits over using Verizon’s own wireless router. Some of these are:
- Built-in antivirus, antispam and web filtering, allowing for the possibility of stopping all viruses and malware before they damage your network.
- Deep (packet) Inspection that has the potential to prevent application-level attacks from flooding the network.
- Seven fixed 10/100 interfaces that can each operate individually or as a group in layer 2 and/or layer 3 mode, providing high-speed LAN connectivity and redundant WAN connectivity if so desired.
- And much, much more. Here is the full list of features and benefits for the Secure Services Gateways by Juniper Networks (PDF).
Also worth noting is the fact that Verizon’s ActionTec routers use TR-069, a WAN management protocol that allows the device, also known as the Customer Premises Equipment (CPE), to get data from and send data to authorized parties or servers. By now having the Verizon ActionTec router behind our SSG we can effectively control this type of communication and even possibly capture the traffic it sends back and forth. There has been chatter on slashdot.org in the past, namely the article Verizon Changing Users Router Passwords, indirectly about this and the infamous open port 4567 on public-facing ActionTec routers. My personal experience with TR-069 is later in this post.
We have the Verizon wireless ActionTec, model MI424WR, at home and it sits behind our SSG5 with an additional coaxial connection at the back of it. This coaxial cable is used for connecting one or more set-top boxes (STB) to receive video, or to provide data in the case of a MoCA setup. When using the SSG5 router from Juniper, we do not completely eliminate the use of Verizon’s wireless router, as it is still needed for TV/Cable service via the coax cable, something the SSG5 cannot provide. I have found, though your mileage might vary, that when FiOS is first set up, technicians by default perform a MoCA setup (or so I am told), unless a non-MoCA setup is requested by the customer (which is what I requested).
MoCA stands for Multimedia over Coax Alliance, the protocol that allows both data and video over a single coaxial cable. Hence, with a MoCA setup, there is no need to run an Ethernet cable directly from the Optical Network Terminal (ONT), usually on the side of the home, to the FiOS router inside the home. Instead a single coaxial cable is run that carries both data and video, and sometimes voice. So, if you are going to use an SSG firewall or similar device with Verizon FiOS, you will most likely want the non-MoCA setup, which is what I have for my SSG, and it works great! Once working, the SSG needs to be configured to allow Verizon’s router to sit behind it using its WAN port. The WAN port of the ActionTec router needs access to the Internet for NAT of the LAN and wireless devices that sit behind it. This includes the STBs, as they need Internet access for retrieving channel listings. I will explain this setup via this rough diagram:
The setup is pretty straightforward. Again, this setup requires that:
- A Verizon tech provisions a non-MoCA setup.
- An Ethernet cable is run from the Optical Network Terminal (ONT), in a non-MoCA configuration, directly to a port of the SSG router (eth0/0) instead of to the WAN port of the Verizon router.
- The WAN port of the Verizon ActionTec router will connect to a physical port of the SSG to obtain an IP address via DHCP.
The initial configuration to set up the SSG5 will not be discussed in detail, but I assume the reader knows how to access the SSG device via the serial console and/or one of the network ports. In this setup of the SSG we:
- Configure eth0/0 as the WAN interface in the Untrust security zone, allowing it to act as a DHCP client.
- Configure eth0/4 through eth0/6 to bind to bgroup0 on network 192.168.2.0/24, in the Trust security zone (the WAN port of the Verizon ActionTec connects to one of these ports).
- Configure bgroup0 as a DHCP server to distribute IPs in the range 192.168.2.30 to 192.168.2.60.
Configure eth0/0 as the WAN interface in the Untrust security zone allowing it to act as a DHCP client.
set interface "ethernet0/0" zone "Untrust"
set interface ethernet0/0 route
set interface ethernet0/0 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage ssl
set interface ethernet0/0 dhcp client enable
set interface ethernet0/0 route-deny
Afterwards, verify that ethernet0/0 on the SSG has a public Verizon IP address. You may have to wait a bit, up to five minutes, for the new IP to come in. Worst case, you may have to call Verizon to break the IP lease. There really is no need to restart the SSG; it will actively request an IP until it is satisfied.
Configure eth0/4 through eth0/6 to bind to bgroup0 on network 192.168.2.0/24, in the Trust security zone. (The interface address is on the 192.168.2.0/24 network described above.)
set interface "bgroup0" zone "Trust"
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup0 port ethernet0/6
set interface bgroup0 ip 192.168.2.1/24
set interface bgroup0 ip manageable
Configure bgroup0 as a DHCP server to distribute IPs in the range 192.168.2.30 to 192.168.2.60 (the pool must lie inside the 192.168.2.0/24 network assigned to bgroup0).
set interface bgroup0 dhcp server service
set interface bgroup0 dhcp server auto
set interface bgroup0 dhcp server ip 192.168.2.30 to 192.168.2.60
Afterwards, plug the WAN port of the Verizon ActionTec router into one of these ports, e.g. ethernet0/4, and it should receive an IP in the defined range. At this point, any communication originating from the ActionTec must pass through the SSG.
All of the above command-line configuration can be done via the SSG’s web interface as well. I don’t show that here as it is pretty much self-explanatory.
Once steps 1 through 3 are complete, the WAN port of the Verizon ActionTec router may be plugged into bgroup0 to receive an IP via DHCP. Next, a policy from “Trust” to “Untrust” should be configured to allow traffic from all devices in the Trust network out to the Untrust zone. It is left up to the reader to allow or deny specific traffic.
Configure a DefaultAllow policy from Trust to Untrust for the devices that are part of bgroup0:
set policy name "DefaultAllow" from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
My personal experience with TR-069
Since the switch to have Verizon’s router “piggyback” on my SSG, I have noticed periodic communication between our Verizon ActionTec router and at least two public IP addresses. Communication is initiated from the Verizon ActionTec router (the CPE device) about every 10 to 15 minutes to the following two IP addresses: 220.127.116.11 and 18.104.22.168. Active communication takes place on TCP port 80 and UDP port 6794.
From a whois query and a reverse lookup, both IPs belong to Verizon and not some third party, at least at first glance:
OrgName: Verizon Online LLC
Address: 22001 Loudoun County Parkway
A reverse lookup shows one IP (22.214.171.124) as a DNS server and the other (126.96.36.199) as something else, probably used for channel listing updates by the looks of the hostname:
$ dig -x 188.8.131.52 | egrep "SOA|PTR"
255.76.72.in-addr.arpa. 834 IN SOA ns5.verizon.net. dns.verizon.com. 2010073001 86400 3600 604800 86400
$ dig -x 184.108.40.206 | egrep "SOA|PTR"
220.127.116.11.in-addr.arpa. 86309 IN PTR mercuryipg.frhdnjbbh09.fiostv.verizon.net.
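As an added illustration (not code from the original post), here is a small Python script that reads traffic-log lines of the kind the `permit log` policy above sends to syslog and flags flows from the ActionTec’s address that recur on a regular schedule, which is how the 10-to-15-minute check-ins described above would show up. The log lines, the CPE address and the destination IPs are constructed placeholders, and the field layout is an approximation of the ScreenOS traffic-log format rather than a captured log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines shaped like the ScreenOS syslog traffic log
# (system-notification-00257) that a policy with "log" set produces.
# Addresses are documentation-range placeholders, not the page's real hosts.
CPE_IP = "192.168.2.30"  # assumed ActionTec WAN address from the bgroup0 DHCP pool
SAMPLE_LOG = """\
[Root]system-notification-00257(traffic): start_time="2010-07-30 10:00:05" duration=1 policy_id=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=410 rcvd=1220 src=192.168.2.30 dst=203.0.113.10 src_port=40001 dst_port=80
[Root]system-notification-00257(traffic): start_time="2010-07-30 10:00:06" duration=0 policy_id=1 service=udp proto=17 src zone=Trust dst zone=Untrust action=Permit sent=96 rcvd=0 src=192.168.2.30 dst=203.0.113.20 src_port=6794 dst_port=6794
[Root]system-notification-00257(traffic): start_time="2010-07-30 10:03:41" duration=12 policy_id=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=2400 rcvd=98000 src=192.168.2.45 dst=198.51.100.7 src_port=51022 dst_port=80
[Root]system-notification-00257(traffic): start_time="2010-07-30 10:12:04" duration=1 policy_id=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=410 rcvd=1220 src=192.168.2.30 dst=203.0.113.10 src_port=40002 dst_port=80
[Root]system-notification-00257(traffic): start_time="2010-07-30 10:12:06" duration=0 policy_id=1 service=udp proto=17 src zone=Trust dst zone=Untrust action=Permit sent=96 rcvd=0 src=192.168.2.30 dst=203.0.113.20 src_port=6794 dst_port=6794
[Root]system-notification-00257(traffic): start_time="2010-07-30 10:24:03" duration=1 policy_id=1 service=http proto=6 src zone=Trust dst zone=Untrust action=Permit sent=410 rcvd=1220 src=192.168.2.30 dst=203.0.113.10 src_port=40003 dst_port=80
[Root]system-notification-00257(traffic): start_time="2010-07-30 10:24:05" duration=0 policy_id=1 service=udp proto=17 src zone=Trust dst zone=Untrust action=Permit sent=96 rcvd=0 src=192.168.2.30 dst=203.0.113.20 src_port=6794 dst_port=6794
"""
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"

def parse_traffic_log(text):
    """Return one dict of key=value fields per traffic-log line."""
    records = []
    for line in text.splitlines():
        if "(traffic)" not in line:
            continue
        rec = {k: v.strip('"') for k, v in FIELD.findall(line)}
        rec["start_time"] = datetime.strptime(rec["start_time"], "%Y-%m-%d %H:%M:%S")
        records.append(rec)
    return records

def find_beacons(records, src_ip, min_hits=3, jitter=0.25):
    """Group flows from src_ip by (dst, proto, dst_port) and keep the groups
    that recur on a regular schedule: at least min_hits flows whose gaps all
    sit within +/- jitter of the mean gap. Returns {key: mean_gap_seconds}."""
    times = defaultdict(list)
    for r in records:
        if r["src"] == src_ip:
            times[(r["dst"], r["proto"], r["dst_port"])].append(r["start_time"])
    beacons = {}
    for key, ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        avg = sum(gaps) / len(gaps)
        if all(abs(g - avg) <= jitter * avg for g in gaps):
            beacons[key] = avg
    return beacons
```

Calling `find_beacons(parse_traffic_log(SAMPLE_LOG), CPE_IP)` reports the two regularly recurring destinations (tcp/80 and udp/6794) and ignores the laptop’s one-off browsing flow; pointing it at a real syslog capture from the SSG gives the same view of whatever the CPE checks in with.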
In another post, I plan on snooping the traffic initiated by the Verizon ActionTec router to the named IPs above. Stay tuned!