Tuesday, August 10, 2010

Verizon FIOS Faux Pas

Exemplifying the problem many folks have been having with Verizon FIOS, our router is version C of the Actiontec line. For the first two years of use, the bulk of our bandwidth was light web surfing and providing data to the VOD/Guide service for the DVR. Not very taxing on a 12Mb/s line. However, two things happened this year that started to tax the FIOS service, as provided by Verizon. First, we got an internet-ready DVD player. For this, we also signed up for NetFlix, an online movie service whose monthly subscription for online access to streaming content is less than a couple of video store rentals. We also discovered that our Wii had onboard wireless and had recently had software written for it to make it NetFlix compatible. This increased our bandwidth usage when streaming a movie by about tenfold. Unfortunately, the little NAT table in the Actiontec router just couldn't handle it and ended up crashing about every other day, requiring a manual power cycle. This just wouldn't fly, so, having spare hardware lying around and a desire to amp up the firewall capabilities of the home connection anyway, I decided to attempt to replace the Actiontec.


I followed the advice provided at DSLReports and set up a double-bridge bypass to my own firewall. This worked well for bypassing the NAT table issue... for about 20 days. After that, the Internet continued to work flawlessly, providing plenty of connections for the demands of streaming media, but the VOD/Guide services consistently failed due to the DVR's inability to pull an IP address. After a couple of hours of poking at my firewall and the Actiontec, I found that the COAX (Ethernet) connection was not pulling an IP for the Actiontec, nor was it passing the bridge from the MOCA adapter for the STB. When I realized this, I looked at the configuration of the Actiontec router and saw that the COAX (Ethernet) interface was completely disabled. Now how could this be? It worked before. After re-enabling it and some power cycles, I determined that the Actiontec will only keep the device enabled for as long as it stays powered on. For some reason, every so often it will self-reboot, which resets the device state to DISABLED, killing the VOD/Guide. ARGH!! So, to keep the STB working as it should, I have to attach to the Ethernet switch, manually set my IP address on the 192.168.1.0/24 net, browse to the 192.168.1.1 default address, log in, and re-enable the COAX (Ethernet) device. What a pain, Verizon!


This also brings to light a security vulnerability in this method of double-bridging. The router automagically assigns itself the 192.168.1.1 address, reachable from its Ethernet ports. Since the Ethernet switch is bridged to the COAX (Broadband) device, the router may be remotely reachable should an aggressor push spoofed RFC 1918 packets at your public IP address. Such packets will be dropped by the WAN firewall, but will the local Ethernet interface bound to 192.168.1.1 answer them? Since the Ethernet ports make up the outer bridge to the WAN, this seems plausible, leaving a potential hole in this setup. So much for adding security with a better firewall!
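The question raised above is answerable with evidence rather than guesswork: capture what actually arrives on the bridged segment and flag anything carrying a private address, since no RFC 1918 address should ever show up on an ISP-facing link. The script below is an added example, not code from the original post or from Verizon/Actiontec. It classifies packets captured on the WAN-side interface of the home firewall, counts the martians by category, and emits the equivalent iptables anti-spoofing rules for that interface. The interface name `eth0`, the public addresses (taken from the RFC 5737 documentation ranges) and the sample packets are all constructed; only the 192.168.1.1 address comes from the post. Note the limit of what such rules buy you: they protect hosts behind the firewall, but the Actiontec's own 192.168.1.1 bind sits on the outer bridge, so only its reply (or silence) to the flagged `martian-dst` packets settles whether the hole is real.

```python
"""Martian-packet review for a bridged WAN segment.

Added example (not from the original post).  Flags RFC 1918 addresses seen
on the ISP-facing side of a double-bridged Actiontec setup and renders the
matching iptables drop rules for the home firewall's WAN interface.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Private address space (RFC 1918) that has no business on an ISP-facing link.
RFC1918 = (
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
)

WAN_IF = "eth0"                          # assumption: firewall port on the bridged Ethernet switch
ROUTER_MGMT = ip_address("192.168.1.1")  # the Actiontec's self-assigned address (from the post)


@dataclass(frozen=True)
class Packet:
    """Minimal view of one captured packet: addresses plus destination port."""
    src: str
    dst: str
    dport: Optional[int] = None


def is_private(addr) -> bool:
    return any(addr in net for net in RFC1918)


def classify(pkt: Packet) -> str:
    """Categorise a packet seen on the WAN-side interface.

    ok           both addresses public; normal Internet traffic
    local        both private; e.g. an admin plugged into the switch talking to 192.168.1.1
    martian-src  private source, public destination; the spoofing the post worries about
    martian-dst  public source, private destination; something outside aiming at 192.168.1.x
    """
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if is_private(src) and is_private(dst):
        return "local"
    if is_private(src):
        return "martian-src"
    if is_private(dst):
        return "martian-dst"
    return "ok"


def review(packets: List[Packet]) -> Dict[str, int]:
    """Count packets per category, the way a log review would summarise them."""
    counts: Dict[str, int] = {}
    for pkt in packets:
        cat = classify(pkt)
        counts[cat] = counts.get(cat, 0) + 1
    return counts


def router_probes(packets: List[Packet]) -> List[Packet]:
    """Packets from public sources addressed to the router's 192.168.1.1 bind."""
    return [p for p in packets
            if classify(p) == "martian-dst" and ip_address(p.dst) == ROUTER_MGMT]


def iptables_rules() -> List[str]:
    """Anti-spoofing drops for the WAN interface: one INPUT and one FORWARD rule per RFC 1918 net."""
    rules = []
    for net in RFC1918:
        rules.append(f"iptables -A INPUT -i {WAN_IF} -s {net} -j DROP")
        rules.append(f"iptables -A FORWARD -i {WAN_IF} -s {net} -j DROP")
    return rules


# Constructed sample capture; 203.0.113.10 stands in for the home's public IP.
SAMPLE_PACKETS = [
    Packet("10.1.2.3", "203.0.113.10", 80),       # spoofed private source at the public IP
    Packet("198.51.100.7", "192.168.1.1", 80),    # outside host aiming at the router UI
    Packet("198.51.100.7", "203.0.113.10", 443),  # ordinary inbound traffic
    Packet("192.168.1.50", "192.168.1.1", 80),    # admin re-enabling the COAX device
    Packet("172.16.5.5", "203.0.113.10", 53),     # another spoofed private source
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(f"{pkt.src:>14} -> {pkt.dst:<14} {classify(pkt)}")
    print(review(SAMPLE_PACKETS))
    print(len(router_probes(SAMPLE_PACKETS)), "packet(s) addressed to the router bind from outside")
    print("\n".join(iptables_rules()))
```

Running it against a real capture (feeding `Packet` objects parsed from tcpdump output on the firewall's WAN port) turns the "seems plausible" into a count; a non-zero `router_probes` result alongside any observed reply from 192.168.1.1 is the confirmation the post is missing.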