3.1 Actiontec

The following is extracted from the paper
Security Vulnerabilities in SOHO Routers by Craig Heffner and Derek Yap of »www.sourcesec.com
It's an interesting read, especially for users of the Actiontec MI424-WR router.

To summarize, of the 9 types of attacks discussed, the paper reports the Actiontec as vulnerable to the following attacks:

•DNS Hijacking
quote:
Another host-name related attack vector, again involving DHCP, is domain name hijacking [5]. This attack occurs when a router resolves internal host names to their respective IP addresses; as in the DHCP XSS attack, the internal client's host name is specified inside a DHCPREQUEST packet. This in itself is not a particular concern, but if an attacker can register themselves on the network with a host name of WPAD then they can carry out any number of man-in-the-middle attacks against other clients on the network [6]. WPAD attacks primarily affect Windows users, and Internet Explorer users in particular, as various Windows applications (including IE) will look for a WPAD server by default.

This problem is further complicated on home networks where no domain name is configured. Normally, host names will be registered as sub-domains of the network domain; i.e., if the domain name is "home", then a host named "laptop" will be registered as "laptop.home". However, small networks rarely have a domain name configured, so the host would simply be registered on the LAN as "laptop". Thus, performing a DNS lookup for "laptop" would return the IP address of the internal client who registered the host name of "laptop". But what if a host claims that its host name is "www.google.com"? Logic would suggest that a router would know better than to resolve requests for www.google.com to an internal IP address, but unfortunately that is exactly what some routers do; this allows an internal attacker to perform a single-packet DNS poison that will persist until the attacker either un-registers his host name, or leaves the network.



•Default WEP
quote:
Default configurations are normally not considered "vulnerabilities" in and of themselves, however, any type of default setting becomes an issue when applied to cryptography. WEP and WPA keys are of particular interest with home routers, since few routers come without wireless capabilities these days. You will notice that all of the described attacks have so far required access to the LAN; wireless provides an attacker with access to the LAN, but still affords him the ability to remain reasonably removed from the LAN's physical location. In an effort to help protect users from wireless attacks, some vendors have begun shipping their products with wireless encryption enabled by default; unfortunately, the encryption method normally chosen is WEP (well known to be broken [15]), and as in the case of the BT Home Hub router, the proprietary algorithm used for generating the default WEP key can be reverse engineered and used by an attacker to gain access to such encrypted networks [8].


Many newer home routers still come with no encryption enabled, however, one notable exception is the ActionTec MI424-WR. This particular router is commonly distributed by Verizon, and invariably a plethora of them can be found in areas where Verizon FiOS is available. Unlike the BT Home Hub, the ActionTec routers do not attempt to obscure the method used to generate their default 40 bit WEP key: [image not reproduced]
Because WEP does not encrypt source/destination MAC addresses, any data packets to or from the ActionTec router will instantly reveal the WEP key. Also note that no active clients need be on the network in order for data packets to be generated, as the ActionTec routers are prone to periodically broadcasting un-solicited Spanning-Tree packets.


Regarding the statement "and as in the case of the BT Home Hub router, the proprietary algorithm used for generating the default WEP key can be reverse engineered and used by an attacker to gain access to such encrypted networks", it should be noted that the ActionTec MI424-WR also has this same vulnerability. ActionTec's algorithm has been reverse engineered. See »[ fiber tech] Verizon FiOS default WEP key HIGHLY insecure!. No packet sniffers or crack tools are needed... just a calculator.


•Local UPNP
quote:
UPNP attacks are nothing new [10], but started receiving more attention after GNUCitizen demonstrated that UPNP attacks could be carried out remotely when coupled with flash-based CSRF attacks [11]. Because UPNP is an unauthenticated protocol that, by definition, provides control over a router's configuration, insecure UPNP stacks can result in a plethora of exploitation possibilities, including command execution and re-configuration of DNS settings. While most new routers protect against these attacks, there is another UPNP action that we can use to our advantage.

The previously mentioned session hijacking attacks (and some of the CSRF attacks) require an administrator to already be authenticated with the target router. But waiting around for the average user to log into their router makes these attacks unlikely to succeed. Instead, an attacker can use UPNP to terminate a router's WAN connection, interrupting the user's Internet connection.
Eventually, they are likely to:
1. Reset their router
2. Log into the router to diagnose the problem
3. Call their ISP, who will ask them to log into their router to diagnose the problem.
The WAN connection can be terminated using the UPNP ForceTermination action, which was available in all of the routers that we examined. Using Miranda [14], a UPNP administration utility, we can easily send UPNP commands to a router, forcing it to terminate its WAN connection.



•CSRF UPNP
quote:
One of the most common uses for UPNP is port forwarding. UPNP allows client applications, such as P2P programs and games, to open ports on the router in order to facilitate necessary communications with other peers or services. While these port forwarding rules are meant to forward traffic from external clients to internal clients, an attacker can make use of these rules to expose the router's administrative interface to the WAN by forwarding traffic to port 80 of the router's IP address. Configuring the router as the attacker's personal proxy is also possible, by telling the router to forward traffic not to an internal IP, but an external IP [12]. While most new routers prevent these types of attacks by checking the specified IP addresses, some, like the ActionTec MI424-WR, still allow users to forward incoming connections on external ports to port 80 of the router itself, effectively enabling remote administration on the device.



It should be noted that the Actiontec was not the only router subject to these vulnerabilities. The paper also looked at the Linksys WRT160N, D-Link DIR-615 and Belkin F5D8233-4v3 routers, which had some of the same vulnerabilities along with other vulnerabilities to which the Actiontec was not susceptible.

by More Fiber, edited by birdfeedr
last modified: 2009-03-07 06:24:04
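
The DNS hijacking and CSRF UPNP excerpts above both describe a router trusting a value that a LAN client supplies: the host name in a DHCP request and the target address of a UPNP port mapping. The following is an added example, not code from the paper or from this FAQ, that audits a lease table and a port-mapping table for those cases; the function names, the sample tables and the 192.168.1.0/24 LAN with the router at 192.168.1.1 are assumptions constructed for illustration.

```python
import ipaddress
import re

# Host names that clients look up automatically; the paper's example is WPAD.
RESERVED_NAMES = {"wpad"}
# One DNS label: letters, digits, inner hyphens, at most 63 characters.
LABEL_RE = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")


def hostname_findings(hostname, local_domain=""):
    """Reasons a DHCP-supplied host name should not be registered in local DNS."""
    name = hostname.strip().rstrip(".").lower()
    labels = name.split(".")
    if not all(LABEL_RE.fullmatch(label) for label in labels):
        # Also rejects markup in the name (the DHCP XSS case the paper mentions).
        return ["not a valid DNS host name"]
    # A client may legitimately send its full name inside the configured LAN domain.
    domain = local_domain.lower().split(".") if local_domain else []
    if domain and len(labels) > len(domain) and labels[-len(domain):] == domain:
        labels = labels[:-len(domain)]
    findings = []
    if labels[0] in RESERVED_NAMES:
        findings.append("reserved auto-discovery name")
    if len(labels) > 1:
        findings.append("multi-label name would shadow a domain outside the LAN")
    return findings


def mapping_findings(internal_client, router_ip, lan_cidr):
    """Reasons the internal client of a UPNP port mapping should be refused."""
    try:
        target = ipaddress.ip_address(internal_client)
    except ValueError:
        return ["internal client is not an IP address"]
    if target == ipaddress.ip_address(router_ip):
        return ["forwards WAN traffic to the router itself"]
    if target not in ipaddress.ip_network(lan_cidr):
        return ["forwards WAN traffic to an address outside the LAN"]
    return []


def audit(leases, mappings, router_ip, lan_cidr, local_domain=""):
    """Return one report line per risky lease or port mapping."""
    report = []
    for ip, hostname in leases:
        for reason in hostname_findings(hostname, local_domain):
            report.append(f"lease {ip} host name {hostname!r}: {reason}")
    for ext_port, client, int_port in mappings:
        for reason in mapping_findings(client, router_ip, lan_cidr):
            report.append(f"mapping WAN:{ext_port} -> {client}:{int_port}: {reason}")
    return report


# Constructed sample data: (lease IP, host name the client sent in its DHCP request).
SAMPLE_LEASES = [
    ("192.168.1.10", "laptop"),
    ("192.168.1.11", "WPAD"),
    ("192.168.1.12", "www.google.com"),
    ("192.168.1.13", "printer<b>"),
]
# Constructed sample data: (external port, internal client, internal port).
SAMPLE_MAPPINGS = [
    (6881, "192.168.1.10", 6881),   # ordinary P2P forward to a LAN host
    (8080, "192.168.1.1", 80),      # exposes the router's own admin interface
    (8081, "203.0.113.7", 80),      # turns the router into a relay to an outside host
]

if __name__ == "__main__":
    for line in audit(SAMPLE_LEASES, SAMPLE_MAPPINGS, "192.168.1.1", "192.168.1.0/24"):
        print(line)
```
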


The following instructions allow you to send a Wake-On-Lan (WOL) "Magic Packet" from the internet to a PC on your LAN behind the Actiontec NAT firewall.

On the PC you want to wake:
  • Make sure that the NIC supports WOL.
  • Make sure WOL is enabled in the machine BIOS.
  • Make a note of the IP address or machine name.
  • Make a note of the MAC address of the NIC you want to receive the magic packet, e.g. aa:bb:cc:dd:ee:ff

Unfortunately, the Actiontec firmware (as of version 4.0.16.1.56.0.10.7) ages out its ARP cache. This means that when it receives a WOL packet from the WAN, it may have "forgotten" the IP address associated with the MAC address in the WOL packet. The Actiontec also does not allow creating a port forwarding rule to the LAN broadcast address (192.168.1.255). To get around both of these restrictions, we need to create a static ARP entry in the router that associates an unused IP address (192.168.1.254) with the broadcast MAC address (FF:FF:FF:FF:FF:FF).

Telnet to router:
	telnet 192.168.1.1
username: admin
password: ******

If you are unable to connect to the router, do the following:
  • Go to Advanced
  • Click on Local Administration
  • Check Using Primary Telnet Port (23)
  • Apply


At the prompt, enter either (depends on model of router):
        Wireless Broadband Router> shell
or:
        Wireless Broadband Router> system shell


BusyBox v0.50 (2007.11.14-21:26+0000) Built-in shell (lash)
Enter 'help' for a list of built-in commands.

/ # arp -s 192.168.1.254 FF:FF:FF:FF:FF:FF
/ #

Note: This static ARP entry will not survive a reboot of the router.

Now log in to the Actiontec and add Wake-On-LAN as a port forward protocol:
  • Click on ADVANCED icon at top
  • Select Protocols
  • ADD (at bottom of list)
  • Service name: Wake-On-LAN
  • Add server port
  • Protocol: UDP
  • Source port: ANY
  • Dest port: SINGLE 9
  • APPLY
  • APPLY. Wake-On-LAN should now appear in the list of protocols.
  • CLOSE

Add the Port Forward Rule
  • Click on FIREWALL icon at top
  • Select Port Forwarding on left menu.
  • ADD
  • Device: 192.168.1.254
  • Protocol: Select Wake-On-LAN
  • Forward to port: 9
  • APPLY
  • APPLY. You should now see Wake-On-LAN for UDP in the list of forwarded ports.

SECURITY RISK: This port forward rule should only be enabled when necessary since it will turn any packet received on port 9 into a broadcast packet on your LAN. Recommendation: If the software you are using supports it, I would suggest using an obscure port number, such as 10009, rather than the well known port 9 (security by obscurity).

You can send a WOL packet from here: »/wakeup
The DSLReports WOL tool only supports port 9.

If you have trouble, a WOL sniffer can be downloaded here: »www.depicus.com/download.aspx?product=wolm
The above site also has a variety of other WOL tools.


Thanks to zerog for his original post on the subject here: »MI424WR Wake On Lan (WOL) - working hack, needs testing

Revised 12/31/08 to replace DHCP reservation with static ARP.

Please use the feedback link below only to suggest improvements to this FAQ. If you have questions about this FAQ, please post them in the »Verizon FiOS forum.


by More Fiber, edited by birdfeedr
last modified: 2010-12-19 19:10:45
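
Because the port forward rule above broadcasts whatever arrives on the forwarded UDP port, it is useful to know what a genuine magic packet looks like and to check what actually reaches the LAN. The following is an added example, not part of the original FAQ or of the tools it links to, that builds a magic packet (six 0xFF bytes followed by the target MAC repeated 16 times), sends it, and classifies received datagrams; the function names and the sample payloads are assumptions constructed for illustration.

```python
import re
import socket

SYNC = b"\xff" * 6  # every magic packet starts with six 0xFF bytes


def mac_to_bytes(mac):
    """Parse aa:bb:cc:dd:ee:ff (':' or '-' separated, or bare hex) into 6 bytes."""
    digits = re.sub(r"[:\-]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(digits)


def build_magic_packet(mac):
    """Sync stream followed by the target MAC repeated 16 times (102 bytes)."""
    return SYNC + mac_to_bytes(mac) * 16


def find_magic_target(payload):
    """Return the first MAC for which payload holds a well-formed magic packet, else None."""
    start = payload.find(SYNC)
    while start != -1:
        body = payload[start + 6:start + 102]
        if len(body) == 96 and body == body[:6] * 16:
            return ":".join(f"{b:02x}" for b in body[:6])
        start = payload.find(SYNC, start + 1)
    return None


def classify(payload, expected_mac):
    """Describe a datagram the way a WOL sniffer would, relative to one NIC."""
    # A NIC wakes if its own pattern appears anywhere in the payload.
    if build_magic_packet(expected_mac) in payload:
        return "magic packet for this NIC"
    other = find_magic_target(payload)
    if other is not None:
        return f"magic packet for another NIC ({other})"
    return "not a magic packet"


def send_wol(mac, host, port=9):
    """Send one magic packet over UDP; from outside, host is the router's WAN address."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(build_magic_packet(mac), (host, port))


def listen(expected_mac, port=9, count=5):
    """Run on a LAN host: classify the next `count` datagrams seen on the WOL port."""
    results = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("", port))  # ports below 1024 need elevated privileges on Unix
        for _ in range(count):
            payload, (sender, _sender_port) = sock.recvfrom(2048)
            results.append((sender, classify(payload, expected_mac)))
    return results


if __name__ == "__main__":
    mine = "aa:bb:cc:dd:ee:ff"  # example MAC used in the FAQ text
    # Constructed payloads: a valid packet, one for a different NIC, and unrelated traffic.
    samples = [
        build_magic_packet(mine),
        build_magic_packet("00-11-22-33-44-55"),
        b"GET / HTTP/1.0\r\n\r\n",
    ]
    for payload in samples:
        print(len(payload), classify(payload, mine))
```

Anything `listen()` reports as "not a magic packet" is traffic that the forward rule has nevertheless broadcast to every host on the LAN.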

Q. Help! The Actiontec router is no good at (fill in the blank) because its (fill in the blank) just doesn't (fill in the blank).

A. First, determine how you are getting data to the Actiontec. Look at the indicator lights on the front panel. Coax WAN or Ethernet WAN will be lit. That's your data source.

Or you can log in to the Actiontec, click on My Network icon, click on Network Connections menu item. Then see which Broadband Connection is connected. If it says Broadband Connection (Ethernet), you already have an ethernet connection to the ONT. If it shows Broadband Connection (coax), then proceed. If your connection is PPPoE, then "WAN PPPOE" is through ethernet, and "WAN PPPOE2" is through coax.

Q. My data source is Broadband Connection (Coax). What do I need to do?

A. Run cat5 wire, or cat5e or cat6 (all will work) properly terminated between the router and the ONT.

Release the DHCP lease, then power off the Actiontec. Plug one end of the cat5 cable into the RJ45 jack on the ONT, and the other end into the WAN ethernet port on the Actiontec.

Call the FSC at 888-553-1555, navigate through the menus to get to tech support. Tell the rep "I want to have the internet connection from my ONT to the Actiontec router changed from the coax connection to the ethernet connection. I understand that is something you can do without additional charge to me because the wire is already in place. Can you do that for me now, please?"

When FSC does that, and says it is done, power up the Actiontec and let it complete the bootup sequence. You should see lights on the router indicating the Ethernet WAN is selected. If the Coax WAN light is lit, ask if the changeover is complete. Otherwise, you should have an internet connection.

Alternatively, you can post your request in the Verizon Direct forum. If you connect the cat5 cable from the ONT to the Actiontec ahead of requesting the change, there will be only a momentary interruption in service when the change is made. The Actiontec will auto-detect the change and come up on the Broadband ethernet interface.

In either case, verify by logging in to the Actiontec and viewing the Connections page as detailed above.

Q. My data source is Broadband Connection (Ethernet). Now what?

A. You should take the time now to verify proper operation of the internet, including speed tests. Don't proceed unless you are satisfied with your wired connection. If you have FiOS TV, verify that the STBs are receiving Program Guide data and VOD.

When the Actiontec is working as you expect, you are ready to proceed with putting your own router into service. Depending on your circumstances, you would choose from:

Replacing the Actiontec (part 2): Internet only, no TV

Replacing the Actiontec (part 3): WAN-to-LAN keeps Guide and VOD (easier)

Replacing the Actiontec (part 4): LAN-to-LAN keeps MediaShare DVR

With thanks to More Fiber.




by birdfeedr, edited by More Fiber
last modified: 2013-07-14 10:23:13

Q. I have internet service only, no TV. Can I replace the Actiontec completely?

A. Yes. It's a straightforward process. Until more MoCA-connected devices are available on the market, you will need an Ethernet connection for your replacement router. See Replacing the Actiontec (part 1): Coax to Ethernet for details.

Your choice of what router to buy will be based on what you need to do with it. Browse the forums here and elsewhere to narrow your search, but keep in mind that it must be powerful enough to support the throughput of your service, and have a large enough connection table for your applications. Here's a link to Router Charts at smallnetbuilder that compares LAN to WAN Throughput, with ability to select comparisons in other tests. I picked a D-Link DIR-655 because it appeared to be top-of-the-line when I purchased it. But in electronics, there's always something better tomorrow. Other hardware may be more suitable for gaming and other interests.

Once you've verified your broadband data connection on the Actiontec is Ethernet, you're ready to replace the Actiontec.

Short version: Release the WAN IP, power off Actiontec, connect your replacement router, turn it on and configure.

Longer version: follow these steps.

1. Important: Release the WAN IP on the Actiontec before turning it off. Log on to Actiontec, click on My Network icon, then select Network Connections item. Click on Broadband Connection (Ethernet) in the table to see the properties for your WAN port. Write down the MAC address for the ethernet WAN port, you may need it later. Scroll down and click Settings. Click the Release button and your internet light on the Actiontec will go orange.

2. Power off the Actiontec.

3. Unplug the ethernet from the Actiontec WAN port and plug it in to the WAN port on your new router. Connect your PC to a LAN port on your new router, turn it on and reboot your PC. When the router settles down, verify its status lights, including internet connectivity.

In the rare circumstance you do not get internet, you may have a MAC bound IP. You can call FSC and ask them to break the lease, or you can leave the router powered off for 2 hours then try again, or you can clone the Actiontec router MAC address into your new one.

4. Log in to your new router to verify and change any settings. Make sure you change your router password off the default value.

5. Your new router should indicate internet connectivity. Start your browser, verify internet connectivity by browsing to your default page: www.dslreports.com of course.

Run a speed test. If you have already tweaked your PC, you should be getting everything you asked for. That's why I had you connect wired. Keep it simple before you go more complicated.

Tada! Done.

With thanks to More Fiber for assistance.

Feedback received on this FAQ entry:
  • There should probably be a note in here that this setup is also valid for people who have FiOS TV service, but are using an STB other than Verizon's; eg, a TiVo or an HTPC using a tuner card.

    2014-03-06 10:33:46



by birdfeedr
last modified: 2008-12-02 18:06:46

Q. I have TV service. Can I replace the Actiontec completely?

A. No. The STBs and DVRs need internet connectivity to display the Program Guide and Video On Demand. Imagine at every half hour seeing the little popup on the TV screen. Instead of showing details for the show you are watching, it says Data Not Available. Video On Demand doesn't interest you? Think: not interested yet. As Verizon gets better in their marketing, they will improve their choices of little goodies to keep you a satisfied viewer. And they are adding more freebies all the time. At some point, you will change your mind, so keep the Actiontec in place for the TV data.

This is the Primary LAN-to-WAN (option 6) configuration listed in the following FAQ:
»Verizon Online FiOS FAQ »What are the tradeoffs between the various router configurations
See that FAQ for advantages and disadvantages of this and other configurations for using your own router.

Your setup will be like this:

[Diagram: image not available]

Video from the ONT to the STBs does not change.

This connection method does not allow the MediaShare DVR to function as well as you might want. That system needs to have the PC and the DVR on the same segment of network. In other words, the MediaShare traffic cannot cross the WAN boundary. So if you have a MediaShare DVR, you need to use the LAN-to-LAN method in Replacing the Actiontec (part 4): LAN-to-LAN keeps MediaShare DVR.

You will place the Actiontec behind your primary router to complete the path for TV data. Using this connection method, the only purpose for the Actiontec is to connect the Actiontec's coax LAN to the ethernet WAN port. All other wireless and wired internet connections will be made to your primary router. Double-NAT does not seem to affect STB data including Program Guide, Widgets and VOD. Nor does it seem to affect standard traffic to other Actiontec coax LAN devices that may be connected through a MoCA bridge such as a NIM-100.

Ok, so you've verified your broadband data connection on the Actiontec is Ethernet in Replace the Actiontec (part 1): Coax to Ethernet, and you've chosen your new primary router based on performance specifications that match your service and what you want to do with it.

A. Short version: Turn off wireless (maybe), release the WAN IP, power off. Connect ethernet to WAN port on replacement router, turn it on, verify internet connectivity. Remove power to STBs and DVRs. Connect Actiontec WAN port to LAN port on replacement router, turn Actiontec on, make sure the Actiontec LAN subnet is different from your router's LAN subnet, and verify internet connectivity. Verify STBs and DVRs have data path to the internet. Tada! All done!

B. For the longer version follow these steps:

At various points in this procedure, you will need to verify certain router settings and connections. It is suggested you do this from a computer wired to the router. There are a number of problems that are related to wireless use, and you want to tackle those problems after you know you're running properly wired.

After your primary router is in place you may need to be able to check settings on the Actiontec. You can set it to allow remote administration on http port 80. Since it is behind your primary router, your exposure to vulnerabilities from the internet is reduced. Exposure to current LAN-side malware can be minimized by changing your router password to something you've chosen. You did do that already, didn't you? Don't use easy to guess passwords.

These instructions have been tested on a Rev. A Actiontec with firmware version 4.0.16.1.56.0.10.7. They are also known to work on the Actiontec up through Rev. E and the Westell 9100.

1. Turn off Wireless on the Actiontec if you intend to access only through your replacement router. Otherwise, set the same SSID, security and password on both routers, but set both routers on different wireless channels. Your wireless device will use the stronger signal of the two. (If you have questions about other wireless configurations, post them in the »Verizon FiOS forum). To turn off the Actiontec wireless, click on Wireless Settings icon, then click Basic Wireless Settings menu item. Click the button in item 1 to turn off radio, then scroll down and click Apply.

2. If you choose to do so for convenience, allow Remote Administration on the Actiontec. Click on Advanced icon, click Yes to allow changes, click on Remote Administration item, check Using Primary Http Port 80 under Allow Incoming Access to Wireless Broadband Router.

3. Release the IP on the Actiontec before turning it off. Click on My Network icon, then select Network Connections item. Click on Broadband Connection (Ethernet) in the table to see the properties for your WAN port. Write down the MAC address for the ethernet WAN port, you may need it later. Scroll down and click Settings. Click the Release button and your internet light on the Actiontec will go orange. If you are on PPPoE, this step does not apply to you.

4. Power off the Actiontec.

5. Next, unplug the ethernet from the Actiontec WAN port and plug it in to the WAN port on your new router. Connect your PC to a LAN port, turn on your new router and reboot your PC. When the router settles down, verify its status lights, including internet connectivity.

In the rare circumstance you do not get internet, you may have a MAC bound IP. Follow the procedures in this FAQ to release your DHCP lease.

Log in to your new router to verify and change any settings.

    •Make sure you change your router password off the default value.
    •Make sure your router is set to obtain its WAN side address automatically (DHCP).
    •Your router should use a different LAN subnet than the Actiontec. For example, if you left the Actiontec LAN subnet as 192.168.1.x, then change your router's LAN subnet to 192.168.0.x.
    •Make sure DHCP Server is enabled on the LAN side of your router.
Reboot your router and PC to verify any changes.

Start your browser, verify internet connectivity by browsing to your default page: why, it's www.dslreports.com, of course.

Run a speed test. If you have already tweaked your PC, you should be getting everything you asked for. That's why I had you connect wired. Keep it simple before you go more complicated.

Tada!! You have your replacement router connected to the ONT's ethernet WAN port.

6. Turn off all your STBs and DVRs by removing power to them. Hitting the Power switch isn't enough. Unplug the power cord from the outlet.

7. Connect the WAN port of the Actiontec to a LAN port of your new router. Connect your PC to a LAN port on the Actiontec. Reboot the PC. Power on the Actiontec. When all the router lights settle down, you should see internet connectivity. Verify by browsing to dslreports. You should be able to run a speed test, and get the same results you had with your primary router.

8. So far, so good? Turn on one STB. Let it boot up and settle down. Remember the video from the ONT will not be affected by the router changes. Verify the data gets there by changing a channel to see the program data, or press Guide to show the program guide, or press Widgets or On Demand. Any of these actions with normal results will verify your system works.

Repeat step 8 until all TV devices are on and working. You will be able to see the device names in My Network on the Actiontec.

Hurray!!! Mission accomplished.

At any point that you need to reset devices, power up from the WAN inward. Example: if the STBs do not connect, power them off, then power off the router, then power up the router and when it has settled down, power up the STB. Likewise, if the router cannot get an internet connection, turn it off, reboot the ONT, then when it's settled down, power on the router. I have not had any problems with this setup. The only thing that the Actiontec is doing is feeding data to the STBs. Double-NAT will not affect them, at least not in any way I have been able to determine.

Do these steps, then connect your PC to your router, and leave the Actiontec alone. There isn't anything else you really need to do with it. If you had allowed Remote Administration, you can get to the Actiontec by going to whatever address your primary router assigned to the Actiontec. You would login and password the same as you have done previously. The Actiontec at this point is now doing the same thing a NIM-100 would do. It's on the LAN side of your primary router acting as a bridge from your router's ethernet to the coax.

You have now entered the world of non-standard installation. VZ tech support may say it's not supported. That's fine, now you know where to get assistance. This forum has been my first stop for a long time. If, at any time, you want to go back to a standard installation, release the IP from your new router, power it off, connect the Actiontec WAN to the ONT cat5, power it on and you're back to a standard installation. VZ will support that.

With thanks to More Fiber for assistance.

Please note: Use the feedback link below only to suggest improvements to this FAQ. If you have questions about this FAQ, please post them in our »Verizon FiOS Forum.


Feedback received on this FAQ entry:
  • Note: This will also work for Frontier FiOS setups (unsurprisingly), especially since the Media Share features of the Home Media DVR don't work on Frontier anyway. The phone number to contact Frontier to make the Coax-to-Ethernet switch is 1-877-462-8188 (and then navigate lots of menus)

    2011-01-13 17:13:53



by birdfeedr, edited by More Fiber
last modified: 2011-05-17 15:47:07

Q. I have TV service with Verizon MediaManager software on my PC. Can I replace the Actiontec completely?

A. No. The STBs and DVRs need internet connectivity to display the Program Guide and Video On Demand. Also, the Actiontec or a MOCA Bridge is needed for the MediaManager software to function. That system needs to have the PC and the DVR on the same segment of network. In other words, the MediaManager traffic cannot cross the WAN boundary. So if you have MediaManager, use this LAN-to-LAN connection method.

With LAN-to-LAN, the only purpose for the Actiontec is to connect the Actiontec's coax LAN (which provides data to the STB/DVR) to your primary router's ethernet LAN port. The coax cable remains connected to the Actiontec for the STB LAN data; the Actiontec WAN port will not be used. For a simpler implementation, wireless connections will be made to your primary router. The Actiontec's wireless will be disabled.

Ok, so you've verified your broadband data connection on the Actiontec is Ethernet in Replacing the Actiontec (part 1): Coax to Ethernet, and you've chosen your new primary router based on performance specifications that match your service and what you want to do with it.

Q. Ok, I'm ready. What do I do?

A. Short version: Change PC connection to static, remove power to all devices connected to coax LAN, delete Actiontec's DHCP assignments, change DHCP range to start at 192.168.1.3, disable DHCP, change Actiontec IP to static 192.168.1.2, turn off wireless (maybe), enable Remote Administration, release the WAN IP, power off Actiontec. Connect ethernet from ONT to WAN port on replacement router, turn it on, verify internet connectivity. Connect Actiontec LAN port to LAN port on replacement router, turn Actiontec on, and verify internet connectivity. Verify STBs and DVRs have data path to the internet. Tada! All done!

Longer version: Follow these steps.

At various points in this procedure, you will need to verify certain router settings and connections. It is suggested you do this from a computer wired to the router. There are a number of problems that are related to wireless use, and you want to tackle those problems after you know you're running properly wired.

Exposure to current LAN-side malware can be minimized by changing your router password to something you've chosen. You did do that already, didn't you? Don't use easy to guess passwords.

These instructions work on a Rev. A Actiontec with firmware version 4.0.16.1.56.0.10.7, and are likely identical for later models.

1. Change the IP address of the PC connected to the Actiontec to a static IP address.
For Windows, go to network settings and change the TCP/IP settings of the network interface card from Get Address Automatically to Use This Address. For other operating systems, refer to your operating system documentation.
Make a note of your DNS server addresses. You will need these when you change your PC settings to use a static IP address. Devices on the coax LAN may pick up the Actiontec-served address even if the new router handles DHCP. The extra step here will make it easier to clean up the old addresses. I chose 192.168.1.48, subnet 255.255.255.0, gateway 192.168.1.1.

2. Remove power to all the devices on the coax LAN. Shut down all the ethernet LAN devices except the PC you are configuring with.

3. Delete all the Actiontec's DHCP assignments. While logged in to the Actiontec, click on Advanced icon, click on IP Address Distribution link, click on Connection List, then delete each item in the list until there are none remaining. It will take a few seconds on each one then the list will refresh.

4. Change the Actiontec's DHCP range to start at 192.168.1.3 even though it seems counterintuitive. Click on My Network icon, click Network Connections menu item, click on Network (Home/Office) link, click on settings button. Scroll down to IP Address Distribution, and set Start IP Address to 192.168.1.3, then click Apply. Status message appears, then click Apply again.

5. Disable DHCP. While in Network (Home/Office) status, click Settings button, select IP Address Distribution to Disabled, then click Apply. Status message appears, then click Apply again.

6. Change Actiontec IP to static 192.168.1.2. While in Network (Home/Office) status, click Settings button, change Internet Protocol drop-down to "Use the Following IP Address". Enter IP Address as 192.168.1.2, and Subnet Mask as 255.255.255.0 then click Apply. Status message appears, then click Apply again. You will need to log in again to the Actiontec router at the new IP 192.168.1.2.

7. Turn off Wireless on the Actiontec if you intend to access only through your replacement router. Otherwise, set the same SSID, security and password on both routers, but set both routers on different wireless channels. Your wireless device will use the stronger signal of the two. (If you have questions about other wireless configurations, post them in the »Verizon FiOS forum). To turn off the Actiontec wireless, click on Wireless Settings icon, then click Basic Wireless Settings menu item. Click the button in item 1 to turn off radio, then scroll down and click Apply.

8. If you choose to do so for convenience, allow Remote Administration on the Actiontec. Click on Advanced icon, click Yes to allow changes, click on Remote Administration item, check Using Primary Http Port 80 under Allow Incoming Access to Wireless Broadband Router.

Afterward, you will be able to login to the Actiontec while connected on the LAN side of your primary router. If you do not allow Remote Administration, you would need to connect to a LAN port on the Actiontec before logging in to it.

9. Important: Release the WAN IP on the Actiontec before turning it off. Click on My Network icon, then select Network Connections item. Click on Broadband Connection (Ethernet) in the table to see the properties for your WAN port. Write down the MAC address for the ethernet WAN port; you may need it later. Scroll down and click Settings. Click the Release button and your internet light on the Actiontec will go orange.

10. Power off the Actiontec.

11. Unplug the ethernet from the Actiontec WAN port and plug it in to the WAN port on your new router. Connect your PC to a LAN port on your new router, turn it on and reboot your PC. When the router settles down, verify its status lights, including internet connectivity.

In the rare circumstance you do not get internet, you may have a MAC bound IP. You can call FSC and ask them to break the lease, or you can leave the router powered off for 2 hours then try again, or you can clone the Actiontec router MAC address into your new one.

12. Log in to your new router to verify and change any settings. Make sure you change your router password from the default value. While terminology for your new router may vary, you want to ensure its LAN network IP is 192.168.1.1 and the DHCP Server settings have the gateway address set to 192.168.1.1, subnet 255.255.255.0. Also set it to distribute DHCP addresses in the range from 192.168.1.100 to 192.168.1.199. You can use the lower addresses for static IPs. Reboot router and PC if you made any changes.

13. Your new router should indicate internet connectivity. Start your browser, verify internet connectivity by browsing to your default page: www.dslreports.com of course.

Run a speed test. If you have already tweaked your PC, you should be getting everything you asked for. That's why I had you connect wired. Keep it simple before you go more complicated.

14. Connect a LAN port of the Actiontec to a LAN port of your new router. Connect your PC to a LAN port on the Actiontec. Power on the Actiontec. When all the router lights settle down, you should see Power and the ethernet LAN lights for your PC and the primary router. Internet, coax WAN, Ethernet WAN, Coax LAN and Wireless lights are off. The main configuration page will display a warning: "STOP: Check Broadband Connection". This is okay, since the WAN connection is not being used. Any previously set values associated with Broadband Connection will not apply since your new primary router is controlling DHCP and DNS. Verify internet connectivity by browsing to dslreports. You should be able to run a speed test, and get the same results you had with your primary router.

15. So far, so good? Turn on one STB. Let it boot up and settle down. Coax LAN light on the Actiontec should light up to indicate a Coax LAN connection. Give enough time for the STB to connect to data. Remember that video from the ONT will not be affected by the router changes. Verify the data gets there by changing a channel to see the program data, or press Guide to show the program guide, or press Widgets or On Demand. Any of these actions with normal results will verify your system is getting data to the STB. You can also verify the IP address on the STB. On a QIP-2500, select Menu on the Remote Control, scroll down to Settings, click OK, then scroll down to System Info.

Repeat step 15 until all TV devices are on and working. You may be able to see some, but it is not certain you will see all the device names in My Network on the Actiontec. Since the Actiontec is not administering the DHCP, you may only see the IP addresses, and it may take a little while before they become visible. The way to tell the connection is working is to see the results of the data request.

You will be set up like this: ONT -(cat5)-> your router -(cat5)-> Actiontec -(coax)-> STB

Hurray!!! Mission accomplished.

At any point that you need to reset devices, power up from the WAN inward. Example: if the STBs do not connect, power them off, then power off the router, then power up the router and when it has settled down, power up the STB. Likewise, if the router cannot get an internet connection, turn it off, reboot the ONT, then when it's settled down, power on the router. I have not had any problems with this setup. The only thing that the Actiontec is doing is feeding data to the STBs and DVRs. If you have a device on the coax LAN that needs a port-forwarding rule, follow instructions for your new router to reserve the IP address. After a power failure, the power-up sequence of devices may result in the device getting a different address than previous. By reserving an IP address for a particular device identified by MAC address, the port forward rule you set up will not be affected.

Do these steps, then connect your PC to your router. You can change the PC back to using a DHCP dynamic address if you wish. You can leave the Actiontec alone, or connect devices to the remaining LAN ports. If you allowed Remote Administration, you can monitor and administer it by logging in to 192.168.1.2. Remember the WAN port is not used. We did not disable it but it is not connected. Traffic Monitoring and Bandwidth Monitoring results will be affected because they monitor WAN data.

The Actiontec at this point is now on the LAN side of your primary router acting as a bridge from your router's ethernet to the coax. You have now entered the world of non-standard installation. VZ tech support may say it's not a supported installation. That's fine, now you know where to get assistance. This forum has been my first stop for a long time.

If, at any time, you want to go back to a standard installation, log in to the Actiontec and reset it back to its factory default then power it off. Release the IP address from your primary router then power it off. Connect the Actiontec WAN to the ONT cat5, power it on and you're back to a standard installation. VZ will support that.

With thanks to More Fiber for assistance.

Note:

There is currently an issue with the configuration in this FAQ. When the user's router is configured as the primary router, remote access to the DVR from the Verizon TV Central web site does not work. So far, it appears the Actiontec router must be primary for the remote access feature. The latest status on this problem is posted in this thread: »FIOS TV Central website access with Non AT Router?


Please use the feedback link below only to suggest improvements to this FAQ. If you have questions about this FAQ, please post them in the »Verizon FiOS forum.



Feedback received on this FAQ entry:
  • Thanks man. I love you. I've been having problems with router resets for two years and now it's fixed.

    2014-02-27 01:13:11

  • AMAZING instructions! Thanks for the thorough writeup, I can't tell you how excited I am to have my Sabai Dark Knight as my primary Internet router.

    2013-11-14 20:13:48



by birdfeedr, edited by More Fiber
last modified: 2011-05-17 15:42:33

Wireless Distribution System (WDS) enables the interconnection of access points in a wireless network. It allows a wireless network to be expanded using multiple access points without the need for a wired backbone to link them.


A user writes that Actiontec supports WDS in their Q1000 VDSL modem hardware, so it may be a harbinger of things to come. However, WDS is not supported by the Actiontec or Westell routers in use by Verizon at this time.



Feedback received on this FAQ entry:
  • Even though Verizon does not support it, you can add access points wirelessly to the Verizon Actiontec router without making any changes to it. The magic is in the firmware of the second router that you want to use. You can get the firmware for your switch that will use wireless to bridge to the Actiontec. See http://www.dd-wrt.com/site/

    2013-01-20 17:44:56



by More Fiber, edited by birdfeedr
last modified: 2011-11-03 05:40:57

A new FiOS installation is built with equipment fresh out of the box. Some installers unpack the boxes before they arrive, so you may not see the packing material. Generally speaking, your installation uses the latest equipment.

However, any supply system has a certain amount of granularity, so your area may still be installing with older equipment while another area has already depleted older stock. Also, some areas may be allocated different models. Westell routers were deployed in some areas, while Actiontecs were exclusively used in others.

If you have an outage that's caused by a router failure, FSC tech support says they will send you a new router, and require you to return the old one. When returned, the router is tested and functional items are returned to inventory. The Actiontec Rev.A had significant limitations and it's safe to say that model has been pulled from inventory. The Rev.C may be issued as a replacement, and the Rev.D models are still in plentiful supply. So no matter what router you were initially provided, you may receive an older model replacement.

There is no known method of requesting a specific model as a replacement. In spite of what you may hear from a CSR on the phone, yours is the next one out the door from the central facility. You get what they ship. It's just another box to them. Don't fall for the line "you can buy one for $139." There still is no guarantee what you will receive. It gets shipped from that same central facility.

You may improve your chances of getting a newer model replacement during an on-site repair visit if the technician replaces from stock on his truck. However, in conversation with one technician locally, it was clear that his inventory was controlled, and he had two types of router models on his truck: new and refurb.

A local FiOS store may have replacement equipment, but it is not certain what items they have in stock. They seem to be TV-centric, allowing users to trade up or down on STBs and DVRs.

Another avenue is to search eBay for a specific router, with all the attendant risk and uncertainty involved in that marketplace.

If the reason you want a new router model is for a specific feature, you should consider the wider variety of equipment that's available to you on the consumer market, and use Verizon-supplied equipment as a bridge to it. See the tradeoffs FAQ here for more options. »Verizon Online FiOS FAQ »What are the tradeoffs between the various router configurations

As of 1/11/11, the Westell 9100EM Rev.B is in use in some areas (TX,CA).

The Actiontec Rev. I with 802.11n and Gig-E ports is currently used for new installs. It can also be ordered from Verizon's web site.
»teleproducts.verizon.com/fios/in···Products





by birdfeedr, edited by More Fiber
last modified: 2012-04-13 18:08:39

No, it is not functional at this time.

However, the USB port is powered. Some readers use it to charge USB-connected devices such as MP3 players or cell phone headsets.


by More Fiber


If you have a network device that you would always like to have the same LAN IP address, there is a way to do this in the Actiontec router. Although IP addresses are assigned dynamically through DHCP, you can change the IP lease from dynamic to what the Actiontec calls a static lease. This is also commonly known as a "DHCP Reservation".

With a static lease, the Actiontec DHCP server allocates a pre-determined IP address based on a table of MAC address/IP address pairs. In this process, a "paired" IP and MAC address is assigned a static lease instead of the default dynamic one. DHCP is still in effect, but under more defined parameters.

The process to change the type of lease from Dynamic to Static for an individual MAC address is as follows:
1) Log in to your Actiontec router at 192.168.1.1
2) Top menu bar, click on Advanced. Do you want to proceed - Click Yes.
3) Click IP Address Distribution
4) Click Connection List
5) You'll see a table "DHCP Connections". Locate the device you want to change, and click either its name in the left column or the Edit icon at its far right.
6) Your device will appear with a check box "Static Lease Type". Add a checkmark in that box.
7) Click Apply
8) Click Close
9) Logout
If you wish to revert from Static to Dynamic, just clear the checkbox in Step 6.


by bt06437, edited by More Fiber
last modified: 2011-06-08 21:01:52

Before attempting to configure port forwarding on the FiOS router, there is some information that you need to have in hand.

1. Computer/Device HOST name or IP Address if it is a static IP address
2. A list of the Port numbers and Protocols needed for the game, service or application

The Actiontec FiOS routers have built-in, pre-configured rules for many of the common games, applications and services. It is a good practice to check the list before you begin to configure a new port forwarding rule. If the Protocol you need is not listed, you can create a custom rule using these directions. Any rule that you create will become part of the list and remain there until the router is Reset. (Resetting the router will restore all settings to default values and remove any custom rules that have been added. However, if you save a router Configuration file, it will create a backup of the router settings and any custom rules that have been added. That way, if the router needs to be Reset or has already been Reset, it can quickly be reconfigured and lost port forwarding rules restored by loading the saved Configuration file.)

Instructional videos and step-by-step instructions

How to Create Custom Port Forwarding Rules for model RI408 firmware versions (4.0.16.1.44.11 to 4.0.16.1.45.27)

How to Create Custom Port Forwarding Rules for model MI424WR Rev. A,C & D firmware versions (4.0.16.1.44.28 to 4.0.16.1.56.0.10.11.3)

How to Create Custom Port Forwarding Rules for model MI424WR Rev. A,C & D firmware versions (4.0.16.1.56.0.10.12.3)

How to Create Port Forwarding Rules for model MI424WR Rev. A,C & D firmware versions (4.0.16.1.56.0.10.14.4)

How to Create Custom Port Forwarding Rules for model MI424WR Rev. E & F firmware versions (20.8.0 to 20.9.0)

How to Create Custom Port Forwarding Rules for model MI424WR Rev. E & F firmware versions (20.10.7)

How to Create Port Forwarding Rules for model MI424WR Rev. E & F firmware versions (20.19.8)

How to Create Port Forwarding Rules for model MI424WR Rev. G firmware versions (30.18.5)

How to Create Port Forwarding Rules for model MI424WR Rev. I firmware versions (40.19.22)

There is also an automated port forwarding tool that will set up forwarding on FiOS routers, found at www.simpleportforwarding.com
Step-by-step instructions for alternate router models can be found at Pc Wintech's website, as well as Portforward.com

Related:
Common Problems & Fixes For Port Forwarding



by hubrisnxs, edited by More Fiber
last modified: 2012-07-18 19:35:23

The following table shows the differences between various Actiontec and Westell routers.


by More Fiber
last modified: 2013-01-10 11:40:17

What: Install your own cert into the Actiontec MI424-WR router.

Why: So you don't get a cert warning when accessing from WAN / Internet.

1) Telnet to the router and log in as administrator

2) Be sure to save the current cert and private key
a) conf print cert/0/cert
b) conf print cert/0/private

3) Install your own cert and private key
a) conf set cert/0/cert
b) conf set cert/0/private

Type "help conf" for a list of configuration commands.
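
A pre-flight check to run on your own PC before step 3, as an added example that is not part of the original FAQ: it confirms that the certificate and private key carry the same public key, that the certificate has not expired, and that the key file is not readable by other users. It assumes the OpenSSL command-line tool and PEM-format files; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the FAQ. Runs on your own PC; never contacts the router.

# Public key (PEM SubjectPublicKeyInfo) embedded in a certificate.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# Public half of a private key. "-passin pass:" keeps openssl from prompting,
# so a passphrase-protected key is reported as unreadable instead of hanging.
key_pubkey() {
    openssl pkey -in "$1" -passin pass: -pubout 2>/dev/null
}

# check_pair CERT KEY
# Prints "ok" and returns 0 when all three checks pass; otherwise prints the
# first problem found and returns 1.
check_pair() {
    cert=$1
    key=$2
    cpub=$(cert_pubkey "$cert") || cpub=
    kpub=$(key_pubkey "$key") || kpub=
    if [ -z "$cpub" ]; then
        echo "unreadable certificate"; return 1
    fi
    if [ -z "$kpub" ]; then
        echo "unreadable private key"; return 1
    fi
    # A certificate only works with the key whose public half it contains.
    if [ "$cpub" != "$kpub" ]; then
        echo "certificate and private key do not match"; return 1
    fi
    # -checkend 0 exits non-zero when the certificate has already expired.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "certificate has expired"; return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ldL "$key" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "private key file is readable by group or others"; return 1
    fi
    echo "ok"
}
```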

Feedback received on this FAQ entry:
  • Step 3 a and b should be [code] a) conf set cert/0/cert b) conf set cert/0/private [/code]

    2013-04-16 21:10:26 (NOYB)



by NOYB, edited by More Fiber
last modified: 2013-04-16 20:03:32