FIOS Router

I'm doing some research for a group that has a 100Mb FIOS Internet
connection at their site. I was surprised to learn that Verizon
supplied them with the same Actiontec router that they provided me
with on my 10Mb connection at home. Needless to say the Actiontec
router is not up to the task of moving all of that traffic (they are
using about 80Mb now and sometimes max out their connection). Verizon
has been good about replacing the router multiple times when they
finally fail, however having to power-cycle the router multiple times
per day is not acceptable.

What I would like to do is set them up with a router/firewall that is
capable of handling their current bandwidth needs as well as their
anticipated future growth. My concern is terminating the FIOS
connection from the ONT directly to something like a Cisco 3900
(Output from the ONT is CAT5 terminating to RJ-45). I have been
searching around the Internet and found one discussion where someone
claims to have been able to accomplish just this using a Cisco 871
router. Based on the loose discussions that I have read it seems that
the FIOS connection configuration can vary from area to area.

I am also aware that we can configure the Actiontec router as a
bridge, but I would much rather remove it altogether particularly with
the amount of traffic this group is moving.

Has anyone been able to accomplish this or something similar with any
hardware other than the router Verizon provides? Any insight on
Verizon's official stance on this would be helpful. If there is
someone from Verizon out there that can contact me about the technical
aspects of doing this, that would be much appreciated as well.

- Chris

I worked for a small business that purchased 20Mbps FiOS. I threw the
Actiontec out the day it showed up in the mail. Plugged the copper hand off
from the ONT into my 2851 and never looked back.
I can't recall what was involved back then in doing so. Verizon clearly
stated that they won't support that. In other words, I'd have to hook up the
Actiontec every time I would need to call them, but that never happened.
The link was solid day in and day out. So the only time I ever used it was when
VZN tech showed up to "make sure everything works" on the first day of
service.
iirc, I was researching that before I did that and stumbled upon some forums
that claimed that if I hook up the Actiontec first and then take it out and
plug in something else, I'll have issues with VZN caching my MAC address or
some bullsh*t like that. But that only seemed to apply if the
customer is using a DHCP address. At the time we paid for a block of 5 IPs,
so we had static.
In short, I never saw a single issue, but just to be fair, I only did NAT
out for user access. Never hosted a server on it or anything like that.
The only thing I recall bugging VZN about is for them to hand me off RJ45
copper, rather than coax, but sounds like you've got RJ45 hand off already,
so you should be set.

Hope this helps.

Andrey

Would a hardware firewall appliance do the trick? Limited routing features
should be sufficient for an access application typical of FIOS. A Cisco ASA
5510 or Juniper SSG5 wouldn't be bad choices.

I've deployed SonicWALL NSA appliances for use on FiOS with good results. With any firewall, size it to be able to handle the bandwidth and applications involved.

I've been using linux/iptables since day 1. 100Mbps is a walk in the park.

> I'm doing some research for a group that has a 100Mb FIOS Internet
> connection at their site. I was surprised to learn that Verizon
> supplied them with the same Actiontec router that they provided me
> with on my 10Mb connection at home. Needless to say the Actiontec
> router is not up to the task of moving all of that traffic (they are
> using about 80Mb now and sometimes max out their connection). Verizon
> has been good about replacing the router multiple times when they
> finally fail, however having to power-cycle the router multiple times
> per day is not acceptable.

Which Actiontec did they give your client? There's like 3 different revisions of the Actiontec MoCA/Ethernet routers, and I know some of the earliest ones have some odd issues. The Actiontec MI424WR is actually a fairly beefy and nice router - but it's hampered by two major things in terms of performance:

1) The ethernet hand-off from the ONT to the Actiontec is only 100BT. As we all know, 100mbit != actual 100mbit transfer. I believe MoCA can do better than 100mbit, so you'd have to use the MoCA port to get closer.

2) Jungo OpenRG is a pile, and buggy. My parents have FiOS and their MI424WR won't hand out any IP addresses for DNS other than itself no matter how I configure it. There's a bizarre slowdown when DNS is handled by the MI424WR, that I have yet to figure out.

Yay for closed source crap bolted on top of open source stuff to 'replace' non-broken functionality with something that a company can restrict.

> What I would like to do is set them up with a router/firewall that is
> capable of handling their current bandwidth needs as well as their
> anticipated future growth. My concern is terminating the FIOS
> connection from the ONT directly to something like a Cisco 3900
> (Output from the ONT is CAT5 terminating to RJ-45). I have been
> searching around the Internet and found one discussion where someone
> claims to have been able to accomplish just this using a Cisco 871
> router. Based on the loose discussions that I have read it seems that
> the FIOS connection configuration can vary from area to area.
>
> I am also aware that we can configure the Actiontec router as a
> bridge, but I would much rather remove it altogether particularly with
> the amount of traffic this group is moving.
>
> Has anyone been able to accomplish this or something similar with any
> hardware other than the router Verizon provides? Any insight on
> Verizon's official stance on this would be helpful. If there is
> someone from Verizon out there that can contact me about the technical
> aspects of doing this, that would be much appreciated as well.

Like I said, you're going to be hampered by the fact that the ethernet handoff from the ONT is 100BT. Don't forget, there's all this overhead between ethernet, TCP/IP, the ATM network, etc that will even further limit your performance.

If you call up and badger Verizon, you should be able to get them to switch between MoCA and ethernet handoffs if needed - I've only personally managed to get them to switch to ethernet once without faking a problem on our end to get a tech to come out and do it.

See the response I just posted, but in all likelihood, he's being hampered by the fact the handoff from the ONT is 100BT ethernet and OpenRG (which bolts on top of a Linux OS and 'replaces' the functionality of iptables and such).

Thanks for the information everyone!

Most I will spec out several solutions for them, but the preferred
solution will probably be a firewall just because most appliances will
do more routing than they would need. I was looking at the Sonicwall
NS series because it looks like they provide good throughput for the
price.

Brielle: Thank you for the info about the Ethernet port on the ONT. I
will make sure to relay that information. At this point I believe they
would want to make their service stable and worry about maximum
bandwidth once that is done.

The router they have is the MI424WR, which is what I have for my home
service. I don't have many complaints about it at home, however it's
clear that it's not up to the task in the case of my client. They have
had the router replaced by Verizon 4 times in about as many months.

- Chris

> Brielle: Thank you for the info about the Ethernet port on the ONT. I
> will make sure to relay that information. At this point I believe they
> would want to make their service stable and worry about maximum
> bandwidth once that is done.

I was actually corrected off list that it's possible to get 100mbit over 100Base-TX, but it's entirely possible that cheapie cards and such may not be able to hit that high of performance.

> The router they have is the MI424WR, which is what I have for my home
> service. I don't have many complaints about it at home, however it's
> clear that it's not up to the task in the case of my client. They have
> had the router replaced by Verizon 4 times in about as many months.

I believe it's possible to install DD-WRT on the MI424WR.

http://dd-wrt.com/wiki/index.php/MI424WR

You might have luck with running pure Linux on that rather than Jungo's commercial linux abomination that Verizon uses.

While I replied off list, RouterOS (Mikrotik) can do 100meg in many of
their inexpensive devices. We have a fiber loop here running our office
that we can pull 70+ meg and it's a 200 buck unit! We actually make a
device called a PowerRouter, these are x86 versions, vs 680mhz mips
processors. These can route at GigE speeds. Not to mention you get all
of the firewalling, traffic management, QoS, etc with it as well.
Just another option.

Sadly, I have only the 50/20 FiOS service. I would love to get 100/100. Where do I sign up.

My initial installation used MoCA. It would not reliably deliver 50Mbps on tcp-based download tests. (coax network brand new, very small). Test results were erratic, typically between 30 and 40Mbps. Technician told me to put up with it (not making this up).

I fought with VZ and had them re-provision me to 100BaseT connection on the ONT. I immediately observed reliable, consistent download speeds at 51.8Mbps. (Since dropped to 49.2 after their speed re-provisioning a few months ago.)

MoCA is a half-duplex channel with sophisticated MAC (e.g. BW reservations and so forth). The MoCA diag displays show that the STBs see each other and the Actiontec at speeds over 220Mbps. I doubt the issue is inadequate phy connection. I assume the interplay between the MoCA MAC and TCP yields poor performance. But, I did not research this. I had them take my Internet off the MoCA path and it has worked fine since.

So, how do I go about getting 100/100?

To be honest, I'm not sure how they got the 100Mb service. The fastest
service I have seen on the FiOS website is the 50/20. I can only
assume that it varies by region.

- Chris

> To be honest, I'm not sure how they got the 100Mb service. The fastest
> service I have seen on the FiOS website is the 50/20. I can only
> assume that it varies by region.

It does, or it used to... rumors were DFW was a good place to get the
100/100 service.

As to the actiontec, just ditch it, if you have cat-5 from the ONT
you've been presented with an ethernet LAN, plug that into any old
switch and feed your end systems off that (presuming you have more
than 1 ip address and static addressing).

If you NEED a router/firewall, then get an ssg5 or use a little linux-alike box.

-Chris

I really meant a real Linux server (or desktop box loaded with CentOS, Deb,
etc.) with some basic IPtables rules and dual NIC. I never intended to use any
kind of appliance or router device loaded with 'brand x' Linux.

A 100bT hand-off should have NO issues reaching ~98Mbps without packet loss;
just a little extra latency as you start filling buffers.

Since the first day our FiOS was installed, we switched out the cruddy Dlink
router (later swapped with Actiontec) with a Linux box running CentOS and a
simple iptables script. I later added an Atheros-based wifi card with HostAP
and madwifi to create an AP from the same box.

Linux/Wifi is not for all of course, but the dual-nic and IPtables part pretty
much anyone can do...you could just as easily hang a small wifi router off the
box.

-R
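
The dual-NIC Linux box with a basic iptables ruleset that the message above describes, sketched as an added example; it is not part of the original thread and not any poster's actual script. The interface names (`eth0` toward the ONT, `eth1` toward the LAN), the LAN prefix and the LAN-only SSH rule are assumptions.

```shell
#!/bin/sh
# Added example: default-deny NAT gateway ruleset for a dual-NIC Linux box.
# Interface names and LAN prefix are assumptions; adjust to the actual host.
WAN_IF="${WAN_IF:-eth0}"               # assumed: NIC cabled to the ONT Ethernet port
LAN_IF="${LAN_IF:-eth1}"               # assumed: NIC facing the office switch
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumed LAN prefix

# Emit the ruleset in iptables-restore format so it loads atomically.
gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Source-NAT LAN clients behind the WAN address (static or DHCP WAN).
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Replies to connections the gateway itself opened.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Management only from the LAN side; nothing is opened on the WAN side.
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# Forward return traffic, then new flows only in the LAN -> WAN direction.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
COMMIT
EOF
}

# Parse-check the ruleset first, then load it and enable routing (needs root).
apply_rules() {
    gen_rules | iptables-restore --test || return 1
    gen_rules | iptables-restore || return 1
    sysctl -w net.ipv4.ip_forward=1
}

# Nothing runs unless asked: "print" shows the rules, "apply" installs them.
case "${1:-}" in
    print) gen_rules ;;
    apply) apply_rules ;;
esac
```

With a static block, as in the first reply, replacing `MASQUERADE` with `SNAT --to-source` and the assigned address avoids a per-packet interface address lookup.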