Configuring Verizon FiOS Behind a SonicWall (or other firewall)

This article discusses the setup requirements and instructions for using a SonicWall (or other third party router) as the primary router on a Verizon FiOS connection. This becomes important when the client is using their FiOS connection for TV/DVR as well as Internet.

Preparation

You must locate the Verizon ONT (the box that has the fiber cable going into it). This must have both coax and cat5 coming out. By default Verizon only provides coax out, so it may be necessary to crimp your own cat5. The ONT has two panels, the left one will open simply by pulling, the right will need a special tool. You will only need to access the left panel.
Connect a cat5 to the Ethernet port in the left side of the ONT, and then connect the other end to a router. If you get link lights to appear on the ONT you can move on to the actual setup. If you do not, you must call Verizon FiOS Support and get them to enable the Ethernet port remotely.

Installation

Before doing anything, you must call Verizon and have them release the DHCP lease from the Verizon router. This can be done manually by disconnecting the router for several hours if Verizon is unavailable, but it is usually faster to just call them.
Now you can remove the FiOS router from the network (temporarily) and connect the SonicWall to the cat5 mentioned above. The SonicWall should pull a DHCP lease from Verizon and you should be able to ping out at this point. Once you have verified this, you will connect the Verizon router to the SonicWall LAN port. At this point, the Verizon router should be connected to the ONT via coax and to the SonicWall via cat5.

Setup

Below are the default IP/Port settings for the various devices that you may see on the network (as set up by Verizon):

+---------------------+----------------------+------------------+
|localhost            | Verizon FiOS Service | AT Management    |
|127.0.0.1            | TCP Any -> 4567      |                  |
+---------------------+----------------------+------------------+
|192.168.1.100:63145  | Application          | First DVR        |
|                     | UDP Any -> 63145     |                  |
+---------------------+----------------------+------------------+
|192.168.1.103:8082   | Application          | First STB        |
|                     | UDP Any -> 35000     |                  |
+---------------------+----------------------+------------------+
|192.168.1.101:8082   | Application          | Second STB       |
|                     | UDP Any -> 35001     |                  |
+---------------------+----------------------+------------------+
|192.168.1.105:8082   | Application          | Third STB        |
|                     | UDP Any -> 35002     |                  |
+---------------------+----------------------+------------------+
|192.168.1.102:8082   | Application          | Fourth STB       |
|                     | UDP Any -> 35003     |                  |
+---------------------+----------------------+------------------+
|192.168.1.104:8082   | Application          | Fifth STB        |
|                     | UDP Any -> 35004     |                  |
+---------------------+----------------------+------------------+
|192.168.1.100:8082   | Application          | DVR Again        |
|                     | UDP Any -> 3500      |                  |
+---------------------+----------------------+------------------+

These services must pass through the Verizon router, so it will be necessary to set up NAT and firewall rules in the SonicWall. To do this, you must create an Address Object for the Verizon router in Network > Address Objects:

Name: FiOS Router
Zone Assignment: LAN
Type: Host
IP: <IP you will assign to this router>

You will then need to create a number of firewall services in Firewall > Services:

Name: FiOS Guide
Protocol: TCP
Port Range: 4567-4567

Name: FiOS Media Manager
Protocol: UDP
Port Range: 5050-5050

Name: FiOS DVR1
Protocol: UDP
Port Range: 3500-3500

Name: FiOS DVR2
Protocol: UDP
Port Range: 63145-63145

Name: FiOS STB1
Protocol: UDP
Port Range: 35000-35000

…And so on for as many STBs as are present up to the limit of 5. Once that is complete you will likely want to add all of these new services to a Service Group. This is done in the same Firewall > Services location. Simply click on the “Add Group” button, give it a name such as “FiOS Services” and add all of the custom services you just created. Once that is complete you will need to allow these services through the firewall. Navigate to Firewall > Access Rules and add a rule matching the following:

Action: Allow
From Zone: WAN
To Zone: LAN
Service: FiOS Services
Source: Any
Destination: FiOS Router
Users: All
Schedule: Always on

Once you have set those fields as indicated, you can leave the rest of the settings as they are set by default. Finally you will need to create a NAT Policy to direct traffic over these ports to the FiOS Router. To do this, navigate to Network > NAT Policies and click Add. Fill out the fields as indicated below:

Original Source: Any
Translated Source: Original
Original Destination: WAN Primary IP
Translated Destination: FiOS Router
Original Service: FiOS Services
Translated Service: Original
Inbound Interface: Any
Outbound Interface: Any

You do not need to set any of the Advanced Options here.

Once you have completed all of the steps listed above, everything should be working. You may have to reboot the Verizon Router and wait 10-15 minutes for it to reconnect to Verizon and pull the required information. You can test the functionality of this by pressing the “On Demand” button on the TV Remote and seeing if the STB is able to connect to the Verizon service.
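
The access rule above accepts traffic from any WAN source, so it is worth confirming that the forwarded ports match the service list in this article and nothing more. The following is an added example, not part of the original article and not SonicWall tooling: the rule record format, the router IP and the sample rules are constructed for illustration, and the audit assumes the list it is given contains only the FiOS forwards.

```python
# Added example: audit WAN allow rules against the article's FiOS service list.
BASE = {
    ("tcp", 4567): "FiOS Guide",
    ("udp", 5050): "FiOS Media Manager",
    ("udp", 3500): "FiOS DVR1",
    ("udp", 63145): "FiOS DVR2",
}
ROUTER = "192.168.1.2"  # constructed: the IP assigned to the "FiOS Router" object

def expected_services(stb_count=5):
    """Ports the article forwards: the base services plus one UDP port per STB."""
    if not 0 <= stb_count <= 5:
        raise ValueError("the article gives a limit of 5 STBs")
    svc = dict(BASE)
    svc.update({("udp", 35000 + i): f"FiOS STB{i + 1}" for i in range(stb_count)})
    return svc

def rule(name, proto, lo, hi, dst=ROUTER, action="allow", zone="WAN"):
    """Hypothetical rule record; this is not a SonicWall export format."""
    return {"name": name, "proto": proto, "ports": (lo, hi),
            "dst": dst, "action": action, "from_zone": zone}

def audit(rules, router_ip, stb_count=5):
    """Return (findings, missing): risky rules and services with no forward."""
    expected = expected_services(stb_count)
    findings, seen = [], set()
    for r in rules:
        if r["action"] != "allow" or r["from_zone"] != "WAN":
            continue  # only inbound allow rules widen exposure
        if r["dst"] != router_ip:
            findings.append((r["name"], "destination is not the FiOS Router"))
            continue
        lo, hi = r["ports"]
        wanted = {p for (proto, p) in expected if proto == r["proto"] and lo <= p <= hi}
        extra = (hi - lo + 1) - len(wanted)  # ports in range that the article never lists
        if extra:
            findings.append((r["name"], f"{extra} undocumented {r['proto']} port(s) exposed"))
        seen |= {(r["proto"], p) for p in wanted}
    missing = sorted(name for key, name in expected.items() if key not in seen)
    return findings, missing

SAMPLE_RULES = [  # constructed sample rules
    rule("FiOS Guide", "tcp", 4567, 4567),
    rule("FiOS Media Manager", "udp", 5050, 5050),
    rule("FiOS DVR2", "udp", 63145, 63145),
    rule("FiOS STBs", "udp", 35000, 35004),  # full range although only 2 STBs exist
    rule("Old forward", "udp", 3500, 3500, dst="192.168.1.50"),
]

if __name__ == "__main__":
    print(audit(SAMPLE_RULES, ROUTER, stb_count=2))
```

With two STBs present, the sample flags the five-port STB range as exposing three unused ports, flags the forward that points at a host other than the FiOS Router, and reports FiOS DVR1 as having no working forward.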

12 thoughts on “Configuring Verizon FiOS Behind a SonicWall (or other firewall)”

  1. Thank you very much for a great article! I was wondering about the protocols used by your STBs — my Verizon FiOS router shows me using TCP for my STBs (i.e., “TCP Any -> 35000”), while your port forwarding list shows you using UDP for your STBs (i.e. “UDP Any -> 35000”). Do I have my STBs misconfigured, or can you use either protocol for the STBs?

    Thanks again for posting your article — it greatly assisted me putting my Actiontec MI424WR router onto one of the LAN segments on my SonicWall firewall.

    • Interesting. Mine are definitely using UDP, but I have a very basic package. Perhaps if you have additional features some of them require TCP. Beyond the very slight security concern, I do not see any reason to not just enable both TCP and UDP if you are seeing results that differ from what I posted.

      I’m glad this article could help you out. Trying to get this information from Verizon is like trying to wring blood from a stone.

  2. Thank you for the guide.. really helped me.

    Question, on your Verizon router did you connect the Cat5 from the Sonicwall to the WAN Ethernet PORT on the Verizon Router? Also, did you do DHCP or static IP for the Verizon router from the Sonicwall?

    Thanks!

    • I am glad the guide could help. To answer your questions:

      1. On my SonicWall I have X0 going to my primary switch, X1 is of course WAN, and X2 is going to the Verizon Router (connecting to one of the LAN ports, not the WAN port).
      2. I have the Verizon Router pulling from DHCP, but it has a static map in my DHCP server (mostly because I give everything a static address so I can monitor for any unwanted devices suddenly joining my network)

      I hope that helps! Let me know if you have any further questions.

      EDIT: I should add that X2 is simply set as PortShield to X0. I could have connected the Verizon Router to my main switch, but the physical cabling in my setup made it easier to do it this way.

  3. Will this setting allow me to order contents from on-demand as well as schedule DVR recording from outside of the network? The way I have it set up currently does not allow me to manage the DVR from outside of the network, like when I am away from home. Also I am unable to order content from on demand even when I am inside of the network.

    • To the best of my knowledge, this will allow you to do anything you would ordinarily do using just the default FiOS router. This is the reason we leave the coax connection to the FiOS router in place, while also connecting to the SonicWall (or other router) over ethernet. I have never tried managing my DVR from outside my network, but because we take the time to set up port forwarding for the appropriate management ports, it should be no different than the default setup. I’d be interested if you wanted to give it a shot and let us know.

  4. Hi Josh,

    Thanks for the guide. I was able to give internet to the DVR following the guide, but now I lost the capabilities to manage my DVR from outside, as well as Caller ID on the TV screen. I have been struggling to find out what ports need to be open and forwarded in order for me to access the DVR from an app on the phone or myverizon.com.

    My setup is slightly different than yours:

    X1: Sonicwall is on top of the network, pulling DHCP from the ONT via Ethernet

    X0: Main LAN network on a 192.168.66.x/24 subnet – for all home PCs and WiFi devices

    X2: FIOS network on a 192.168.1.x/24 subnet – I wanted segregation of the Verizon TV devices with the main LAN, by blocking traffic from FIOS->LAN

    – Sonicwall is on 192.168.1.1 for X2 and the DHCP server.
    – FIOS router (Actiontec MI424WR REV.I) is on 192.168.1.2, connected from X2 to a LAN port. Coax is also connected to the ONT box
    – The set-top box and the DVR are pulling DHCP from the Sonicwall, but every time I try to give them reservations, they ignore it and take another IP

    – I created services 4567, 5050, 3500, 35000, 35001, 63145, 35002, 35003, etc. and put them in a FIOS group
    – NAT Policy for Any Source | Original | Wan Primary IP | FIOS Router | FIOS Services | Original, just as in the guide
    – Firewall Rule: WAN->FIOS Network: Any | FIOS Router | FIOS Services | Allow

    After this, the DVR is not accessible from outside. Even tried forwarding the FIOS services to the broadcast address 192.168.1.255, but nothing.

    What am I doing wrong?

    Appreciate the help,

    Izzy

    • Izzy – I’m afraid your setup is much more involved than mine. From what you describe it sounds like you have everything in place that I would imagine you need. My best guess is that there is a range of ports for those services that I did not mention in my article because those features didn’t exist when I wrote it. You could set up a packet capture on the SonicWALL and watch what traffic is doing from those devices – this might tell you what ports you should be looking for. Otherwise do the same but for your X1 interface to see what is trying to reach in. Sorry I can’t be more help with this.

    • Your firewall rule is this: Firewall Rule: WAN->FIOS Network: Any | FIOS Router | FIOS Services | Allow
      It should be this: Firewall Rule: WAN->FIOS Network: Any | X1 IP | FIOS Services | Allow

      Please let me know if this is still an issue and if this helps!
