Using your own router with FIOS


  • Tue 18 February 2014
  • misc

I've been a pretty happy FIOS (Verizon PON) user since moving to Leesburg two and a half years ago. We have both TV and Internet. I'm also a geek - I run our own router rather than using Verizon's Actiontec, have commercial-grade PoE switches in the basement, and generally have a home network that looks more like a small company than SOHO. TACACS/RADIUS server in the basement? Yeah, we got that. In this overview I explain the setup we have here, which keeps the settop boxes happy while using our own router.

First, a little background. Verizon PON uses three colors of light in the fiber plant - 1490nm for downstream Internet, 1310nm for upstream Internet, and 1550nm for QAM (digital) television. As with most modern settop boxes (STBs), provisioning of these boxes is considerably more complex than simply passively listening to a low data rate carousel. A fairly common method these days is to use TR-69 SOAP over HTTPS to carry configuration information. This means not only bidirectional communication (for an established session) but the ability to establish a session from either the server or the client, since a message may be sent out from the ACS to ask the box to initialize itself or load configuration information.

That's all a hairy long-winded way of saying "you need holes poked in the firewall, with appropriate NAT to get them to the right STB", in our case Cisco CHS435s (Verizon also uses Motorola STBs). So far so good, but there's a difficulty - despite having ethernet, these devices really really want to speak to the Internet (and each other) over MOCA, an ethernet-ish standard for a few hundred megabits of networking over cable TV coax. Yes, the same piece of coax that the cable TV signal comes in over. Sure, there are RJ45 connectors on the back of the boxes, but you really don't want to go down that path, trust me.

The ONT (fiber box on the wall, ours was made by Telco Systems but Motorola also makes 'em for Verizon) can deliver the Internet connectivity over either ethernet or MOCA coax. From there into the router, then from the router to the STBs. The Actiontec router that Verizon provides has all the port forwards already configured into it.

It turns out that these STBs are happy running double-NATted, if you get the ONT configured to use an ethernet handoff and insert your own router between the Actiontec and the ONT. You won't want to use 192.168.0.0/24 on your "real" network of course since that's the STB network and will leave the Actiontec fairly confused, but any other RFC1918 space will work fine.

There are a few benefits to doing things this way. First, the Actiontec is free and you don't have to go out and find a MOCA bridge on Amazon or something. Second, you don't have to worry about which box gets which address; there's no selective rewriting of ports, just forwarding particular ports that the Actiontec is known to listen on, in to the Actiontec inside. Third, it leaves the test server on the Actiontec itself open so that Verizon can run diags on your box. Downside? Well, since the STBs aren't in the same broadcast domain as your laptop etc. anymore, you lose the ability to automatically discover Windows shares and run slide shows of your photos from them. You were gonna miss that, right?

So, here's the port list:

4567/tcp = web management to the actiontec (complete with auth basic!)
35000/tcp = management of first STB
35001/tcp = management of second STB
35002/tcp = management of third STB
35003/tcp = management of fourth STB
63145/udp = DVR remote management doesn't work if you miss this one

I'll confess I'm not exactly sure what the protocol is on the 35000 series ports or 63145, but the 35000 ports appear to be a poke-me port that results in https to Verizon's TR69 server. Anyway, if you pass all these in the firewall and NAT them to the external Ethernet interface on the Actiontec, all works fine. We've been running with this config for over a year and a half with no trouble including using my.verizon.com to program the DVR while away from home. Don't forget to turn on external management on the Actiontec since your home address is "on the outside", and turn off the 802.11 radio - no doubt you have better APs for your household anyway.
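The forwards described above, written out for a Linux router as an added example (not configuration from the original post). The interface name `eth0` and the address `10.0.1.2` for the Actiontec's external Ethernet port are assumptions; the function only prints `iptables-restore` input and refuses an Actiontec address inside 192.168.0.0/24, since that range is the STB network.

```shell
#!/bin/sh
# Port list from the post, as proto/port pairs.
FIOS_FORWARDS="tcp/4567 tcp/35000 tcp/35001 tcp/35002 tcp/35003 udp/63145"

# fios_rules WAN_IF ACTIONTEC_IP
# Prints iptables-restore input; changes nothing on the system by itself.
fios_rules() {
    wan_if=$1
    actiontec_ip=$2
    if [ -z "$wan_if" ] || [ -z "$actiontec_ip" ]; then
        echo "usage: fios_rules WAN_IF ACTIONTEC_IP" >&2
        return 2
    fi
    case $actiontec_ip in
        *[!0-9.]*)
            echo "not an IPv4 address: $actiontec_ip" >&2
            return 1 ;;
        192.168.0.*)
            # The STB network lives behind the Actiontec, so its external
            # port has to sit in a different RFC1918 range.
            echo "192.168.0.0/24 is the STB network, pick another range" >&2
            return 1 ;;
    esac

    # NAT: rewrite traffic arriving on the WAN side to the Actiontec.
    echo "*nat"
    for fwd in $FIOS_FORWARDS; do
        proto=${fwd%/*}
        port=${fwd#*/}
        echo "-A PREROUTING -i $wan_if -p $proto --dport $port -j DNAT --to-destination $actiontec_ip"
    done
    echo "COMMIT"

    # Filter: after DNAT the packets traverse FORWARD addressed to the Actiontec.
    echo "*filter"
    for fwd in $FIOS_FORWARDS; do
        proto=${fwd%/*}
        port=${fwd#*/}
        echo "-A FORWARD -i $wan_if -d $actiontec_ip -p $proto --dport $port -j ACCEPT"
    done
    echo "COMMIT"
}

# Demo with constructed values (eth0 and 10.0.1.2 are assumptions).
fios_rules eth0 10.0.1.2
```

Review the output, then feed it to `iptables-restore --noflush` as root so existing rules are kept. Every rule here opens a management port to any source address; if you know which addresses the management traffic comes from, add a `-s` match to each line.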

So why would you want to use your own router anyway? Well, the Actiontec is nice hardware (it includes a multicore mips64 cpu), but the software is pretty crummy. Maybe you want Cisco or Juniper for your router instead. Maybe you're parsimonious and want a Mikrotik or a Ubiquiti ER-Lite. Perhaps you're tunneling in some IPv4 or IPv6 space over GRE or 6in4. Maybe you want to be able to VPN in to home. All of these are great reasons to run your own router instead of the consumer grade stuff that Verizon hands you for free.