

3.2 Actiontec & FiOS Quantum Gateway

The following is extracted from this paper:


Security Vulnerabilities in SOHO Routers by Craig Heffner and Derek Yap of www.sourcesec.com


It's an interesting read, especially for users of the Actiontec MI424-WR router. To summarize, of the 9 types of attacks discussed, it reports the Actiontec as vulnerable to the following:

• DNS Hijacking
quote:
Another host-name related attack vector, again involving DHCP, is domain name hijacking [5]. This attack occurs when a router resolves internal host names to their respective IP addresses; as in the DHCP XSS attack, the internal client's host name is specified inside a DHCPREQUEST packet. This in itself is not a particular concern, but if an attacker can register themselves on the network with a host name of WPAD then they can carry out any number of man-in-the-middle attacks against other clients on the network [6]. WPAD attacks primarily affect Windows users, and Internet Explorer users in particular, as various Windows applications (including IE) will look for a WPAD server by default.

This problem is further complicated on home networks where no domain name is configured. Normally, host names will be registered as sub-domains of the network domain; i.e., if the domain name is "home", then a host named "laptop" will be registered as "laptop.home". However, small networks rarely have a domain name configured, so the host would simply be registered on the LAN as "laptop". Thus, performing a DNS lookup for "laptop" would return the IP address of the internal client who registered the host name of "laptop". But what if a host claims that its host name is "www.google.com"? Logic would suggest that a router would know better than to resolve requests for www.google.com to an internal IP address, but unfortunately that is exactly what some routers do; this allows an internal attacker to perform a single-packet DNS poison that will persist until the attacker either un-registers his host name, or leaves the network.


• Local UPNP
quote:
UPNP attacks are nothing new [10], but started receiving more attention after GNUCitizen demonstrated that UPNP attacks could be carried out remotely when coupled with flash-based CSRF attacks [11]. Because UPNP is an unauthenticated protocol that, by definition, provides control over a router's configuration, insecure UPNP stacks can result in a plethora of exploitation possibilities, including command execution and re-configuration of DNS settings. While most new routers protect against these attacks, there is another UPNP action that we can use to our advantage.

The previously mentioned session hijacking attacks (and some of the CSRF attacks) require an administrator to already be authenticated with the target router. But waiting around for the average user to log into their router makes these attacks unlikely to succeed. Instead, an attacker can use UPNP to terminate a router's WAN connection, interrupting the user's Internet connection.
Eventually, they are likely to:
1. Reset their router
2. Log into the router to diagnose the problem
3. Call their ISP, who will ask them to log into their router to diagnose the problem.
The WAN connection can be terminated using the UPNP ForceTermination action, which was available in all of the routers that we examined. Using Miranda [14], a UPNP administration utility, we can easily send UPNP commands to a router, forcing it to terminate its WAN connection.



• CSRF UPNP
quote:
One of the most common uses for UPNP is port forwarding. UPNP allows client applications, such as P2P programs and games, to open ports on the router in order to facilitate necessary communications with other peers or services. While these port forwarding rules are meant to forward traffic from external clients to internal clients, an attacker can make use of these rules to expose the router's administrative interface to the WAN by forwarding traffic to port 80 of the router's IP address. Configuring the router as the attacker's personal proxy is also possible, by telling the router to forward traffic not to an internal IP, but an external IP [12]. While most new routers prevent these types of attacks by checking the specified IP addresses, some, like the ActionTec MI424-WR, still allow users to forward incoming connections on external ports to port 80 of the router itself, effectively enabling remote administration on the device.


It should be noted that the Actiontec was not the only router subject to these vulnerabilities. The paper also looked at the Linksys WRT160N, D-Link DIR-615 and Belkin F5D8233-4v3 routers, which had some of the same vulnerabilities along with other vulnerabilities to which the Actiontec was not susceptible.
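Two of the conditions quoted above leave traces in tables the router exposes: the DHCP client list (host names such as WPAD or www.google.com) and the port forwarding list (rules pointing at the router itself or at an external IP). The following audit is an added example, not code from the paper or from this FAQ; the record field names, the router address and the sample entries are constructed assumptions.

```python
import ipaddress

# Constructed sample data. Field names are hypothetical, not a router API;
# fill these lists from the router's DHCP client list and port forwarding page.
ROUTER_IP = "192.168.1.1"
LAN = ipaddress.ip_network("192.168.1.0/24")

LEASES = [
    {"ip": "192.168.1.10", "hostname": "laptop"},
    {"ip": "192.168.1.11", "hostname": "WPAD"},
    {"ip": "192.168.1.12", "hostname": "www.google.com"},
    {"ip": "192.168.1.13", "hostname": "printer"},
]

PORT_MAPPINGS = [
    {"ext_port": 6881, "proto": "TCP", "int_ip": "192.168.1.10", "int_port": 6881},
    {"ext_port": 8080, "proto": "TCP", "int_ip": "192.168.1.1", "int_port": 80},
    {"ext_port": 3128, "proto": "TCP", "int_ip": "203.0.113.7", "int_port": 80},
]


def audit_leases(leases, local_domain=""):
    """Flag client-supplied host names the router should not resolve for the LAN."""
    findings = []
    for lease in leases:
        name = lease["hostname"].strip().rstrip(".").lower()
        if name == "wpad" or name.startswith("wpad."):
            # Proxy auto-discovery name claimed by a DHCP client.
            findings.append((lease["ip"], name, "WPAD name registered by a client"))
        elif "." in name and not (local_domain and name.endswith("." + local_domain)):
            # Looks like a fully qualified name that could shadow a public host.
            findings.append((lease["ip"], name, "dotted name outside the local domain"))
    return findings


def audit_port_mappings(mappings, router_ip, lan):
    """Flag forwards that target the router itself or an address outside the LAN."""
    router = ipaddress.ip_address(router_ip)
    findings = []
    for m in mappings:
        target = ipaddress.ip_address(m["int_ip"])
        if target == router:
            findings.append((m["ext_port"], m["proto"], "forwards to the router itself"))
        elif target not in lan:
            findings.append((m["ext_port"], m["proto"], "forwards to an address outside the LAN"))
    return findings


if __name__ == "__main__":
    for finding in audit_leases(LEASES):
        print("lease:", finding)
    for finding in audit_port_mappings(PORT_MAPPINGS, ROUTER_IP, LAN):
        print("forward:", finding)
```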

by More Fiber, edited by Branch
last modified: 2016-10-02 15:34:59



The following instructions allow you to send a Wake-On-Lan (WOL) "Magic Packet" from the internet to a PC on your LAN behind the Actiontec NAT firewall.

From the PC you want to wake:

  • Make sure that the NIC supports WOL.
  • Make sure WOL is enabled in the machine BIOS
  • Make a note of the IP address or machine name.
  • Make a note of the MAC address of the NIC you want to receive the magic packet. e.g. aa:bb:cc:dd:ee:ff

Unfortunately, the Actiontec firmware (as of version 4.0.16.1.56.0.10.7) ages out its ARP cache. This means that when it receives a WOL packet from the WAN, it may have "forgotten" the IP address associated with the MAC address in the WOL packet. The Actiontec also does not allow creating a port forwarding rule to the LAN broadcast address (192.168.1.255). To get around both of these restrictions, we need to create a static ARP entry in the router that associates an unused IP address (192.168.1.254) with the broadcast MAC address (FF:FF:FF:FF:FF:FF).

Telnet to router:


If you are unable to connect to the router, do the following:
  • Go to Advanced
  • Click on Local Administration
  • Check Using Primary Telnet Port (23)
  • Apply

At the prompt, enter either (depends on model of router):

or:

Note: This static ARP entry will not survive a reboot of the router.

Now login to the Actiontec and Add WAKE-ON-LAN as a port forward protocol in the Actiontec:

  • Click on ADVANCED icon at top
  • Select Protocols
  • ADD (at bottom of list)
  • Service name: Wake-On-LAN
  • Add server port
  • Protocol: UDP
  • Source port: ANY
  • Dest port: SINGLE 9
  • APPLY
  • APPLY. Wake-On-LAN should now appear in the list of protocols.
  • CLOSE

Add the Port Forward Rule
  • Click on FIREWALL icon at top
  • Select Port Forwarding on left menu.
  • ADD
  • Device: 192.168.1.254
  • Protocol: Select Wake-On-LAN
  • Forward to port: 9
  • APPLY
  • APPLY. You should now see Wake-On-LAN for UDP in the list of forwarded ports.

SECURITY RISK: This port forward rule should only be enabled when necessary since it will turn any packet received on port 9 into a broadcast packet on your LAN. Recommendation: If the software you are using supports it, I would suggest using an obscure port number, such as 10009, rather than the well known port 9 (security by obscurity).

You can send a WOL packet from here: »/wakeup. The DSLReports WOL tool only supports port 9.

If you have trouble, a WOL sniffer can be downloaded here: »www.depicus.com/wake-on- ··· tor.aspx

The above site also has a variety of other WOL tools. 
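Because the forward rule broadcasts every datagram that arrives on the chosen port, it helps to see what actually reaches the LAN. The following is an added example, not part of the original FAQ or of the tools linked above: it builds the standard magic packet (six 0xFF bytes followed by the target MAC repeated 16 times) and classifies received payloads as a wake request for a known MAC, a wake request for an unknown MAC, or not a magic packet at all. The sample datagrams and source addresses are constructed.

```python
import re
import socket

SYNC = b"\xff" * 6  # synchronization stream that starts every magic packet


def mac_to_bytes(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabbccddeeff."""
    digits = re.sub(r"[:\-.]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError("not a MAC address: %r" % mac)
    return bytes.fromhex(digits)


def build_magic_packet(mac):
    """102-byte payload: 6 x 0xFF, then the MAC 16 times."""
    return SYNC + mac_to_bytes(mac) * 16


def parse_magic_packet(payload):
    """Return the target MAC if the payload holds a well-formed magic packet, else None."""
    start = payload.find(SYNC)
    while start != -1:
        body = payload[start + 6:start + 102]
        if len(body) == 96 and body == body[:6] * 16:
            return ":".join("%02x" % b for b in body[:6])
        start = payload.find(SYNC, start + 1)
    return None


def classify(datagrams, known_macs):
    """Label each (source_ip, payload) pair seen on the WOL port."""
    known = {mac_to_bytes(m) for m in known_macs}
    verdicts = []
    for src, payload in datagrams:
        mac = parse_magic_packet(payload)
        if mac is None:
            verdicts.append((src, "not-wol", None))
        elif mac_to_bytes(mac) in known:
            verdicts.append((src, "wake-known", mac))
        else:
            verdicts.append((src, "wake-unknown", mac))
    return verdicts


def listen(port=9, known_macs=()):
    """Blocking sniffer for a LAN host; ports below 1024 need elevated rights on Unix."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind(("", port))
        while True:
            payload, (src, _) = sock.recvfrom(2048)
            print(classify([(src, payload)], known_macs)[0])


# Constructed sample traffic (documentation-range source addresses).
KNOWN = ["aa:bb:cc:dd:ee:ff"]
SAMPLES = [
    ("198.51.100.20", build_magic_packet("aa:bb:cc:dd:ee:ff")),
    ("198.51.100.21", b"\x00" * 4 + build_magic_packet("11-22-33-44-55-66")),
    ("198.51.100.22", SYNC + mac_to_bytes("aa:bb:cc:dd:ee:ff") * 15),  # truncated
    ("198.51.100.23", b"GET / HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for verdict in classify(SAMPLES, KNOWN):
        print(verdict)
```

Call `listen(10009, KNOWN)` on a LAN host to watch a non-default port if you followed the recommendation above.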


Thanks to zerog for his original post on the subject here: »MI424WR Wake On Lan (WOL) - working hack, needs testing and aefstoggaflm for the updated WOL Sniffer link.

Revised 12/31/08 to replace DHCP reservation with static ARP.



by More Fiber, edited by Branch
last modified: 2016-10-02 13:45:28

Q. Help! The Actiontec router is no good at (fill in the blank) because its (fill in the blank) just doesn't (fill in the blank). I want to replace it!

A. First, determine how you are getting data to the Actiontec. Look at the indicator lights on the front panel. Coax WAN or Ethernet WAN will be lit. That's your data source.

Or you can log in to the Actiontec, click on My Network icon, click on Network Connections menu item. Then see which Broadband Connection is connected. If it says Broadband Connection (Ethernet), you already have an Ethernet connection to the ONT. If that is the case, go to the bottom of the "My data source is Broadband Connection (Ethernet). Now what?" section. If it shows Broadband Connection (coax), then proceed with the section below.

Q. My data source is Broadband Connection (Coax). What do I need to do?

A. Run cat5 wire, or cat5e or cat6 (all will work) properly terminated between the router and the ONT.

Release the DHCP lease, then power off the Actiontec. Plug one end of the cat5 cable into the RJ45 jack on the ONT, and the other end into the WAN ethernet port on the Actiontec.

Call FiOS Tech Support at 800-Verizon, and navigate through the menus to get to tech support. Tell the rep "I want to have the internet connection from my ONT to the Router changed from a coax connection to an ethernet connection. I already have the wire in place. Can you do that for me now, please?"

When Tech Support does that, and says it is done, power up the Actiontec and let it complete the bootup sequence. You should see lights on the router indicating the Ethernet WAN is selected. If the Coax WAN light is lit, ask if the changeover is complete. Otherwise, you should have an internet connection.

Alternatively, you can post your request in the Verizon Direct forum. If you connect the cat5 cable from the ONT to the Actiontec ahead of requesting the change, there will be only a momentary interruption in service when the change is made. The Actiontec will auto-detect the change and come up on the Broadband ethernet interface.

In either case, verify by logging in to the Actiontec and viewing the Connections page as detailed above.

Q. My data source is Broadband Connection (Ethernet). Now what?

A. You should take the time now to verify proper operation of the internet, including speed tests. Don't proceed unless you are satisfied with your wired connection. If you have FiOS TV, verify that the STBs are receiving Program Guide data and VOD.

When the Actiontec is working as you expect, you are ready to proceed with putting your own router into service. Depending on your circumstances, you would choose from:

Replacing the Actiontec (part 2): Internet only, no TV

Replacing the Actiontec (part 3): WAN-to-LAN keeps Guide and VOD (easier)

Replacing the Actiontec (part 4): LAN-to-LAN keeps MediaShare DVR

With thanks to More Fiber.




Feedback received on this FAQ entry:
  • These instructions are timeless and perfect. I got switched over the phone in roughly 10 minutes, the slow restart of MI424wr being the bottleneck. Frontier answers at 1-800-921-8101

    2020-05-01 18:08:01 (vdfoorm)

  • Great info! This procedure for switching the ONT over from coax to cat5 works for Frontier FIOS as well as Verizon - the support rep initially didn't know what I was talking about, but he got a "provisioning" technician on the line who was able to get the ONT switched over.

    2020-02-07 10:44:50 (taddison)

by birdfeedr, edited by Branch
last modified: 2016-10-04 20:49:06

Q. I have internet service only, no TV. Can I replace the Actiontec completely?

A. Yes. It's a straightforward process. Until more MoCA-connected devices are available on the market, you will need an Ethernet connection for your replacement router. See Replacing the Actiontec (part 1): Coax to Ethernet for details.

Your choice of what router to buy will be based on what you need to do with it. Browse the forums here and elsewhere to narrow your search, but keep in mind that it must be powerful enough to support the throughput of your service, and have a large enough connection table for your applications. Here's a link to Router Charts at smallnetbuilder that compares LAN to WAN Throughput, with ability to select comparisons in other tests. I picked a D-Link DIR-655 because it appeared to be top-of-the-line when I purchased it. But in electronics, there's always something better tomorrow. Other hardware may be more suitable for gaming and other interests.

Once you've verified your broadband data connection on the Actiontec is Ethernet, you're ready to replace the Actiontec.

Short version: Release the WAN IP, power off Actiontec, connect your replacement router, turn it on and configure.

Longer version: follow these steps.

1. Important: Release the WAN IP on the Actiontec before turning it off. Log on to Actiontec, click on My Network icon, then select Network Connections item. Click on Broadband Connection (Ethernet) in the table to see the properties for your WAN port. Write down the MAC address for the ethernet WAN port; you may need it later. Scroll down and click Settings. Click the Release button and your internet light on the Actiontec will go orange.

2. Power off the Actiontec.

3. Unplug the ethernet from the Actiontec WAN port and plug it in to the WAN port on your new router. Connect your PC to a LAN port on your new router, turn it on and reboot your PC. When the router settles down, verify its status lights, including internet connectivity.

In the rare circumstance you do not get internet, you may have a MAC bound IP. You can call FSC and ask them to break the lease, or you can leave the router powered off for 2 hours then try again, or you can clone the Actiontec router MAC address into your new one.

4. Log in to your new router to verify and change any settings. Make sure you change your router password off the default value.

5. Your new router should indicate internet connectivity. Start your browser, verify internet connectivity by browsing to your default page: www.dslreports.com of course.

Run a speed test. If you have already tweaked your PC, you should be getting everything you asked for. That's why I had you connect wired. Keep it simple before you go more complicated.

Tada! Done.

With thanks to More Fiber for assistance.


Feedback received on this FAQ entry:
  • Thanks for this guide, I am planning on moving ahead with the switch however I am a bit confused by how my ONT seems to be set up. When logged into the router it does say my connection is ethernet/coax. When I look inside the box there is an ethernet cable plugged in that runs to the right side of the box where it is then split apart and the individual wires are sitting with some plastic contraption. I'm not sure what that does or if I need to even concern myself with it, or if I can just plug my ethernet cable in its place, run into the house, and call Verizon like the last standard steps. I included 2 annotated pics of the box. https://satori-design.d.pr/1O1iaP https://satori-design.d.pr/TB7KyF

    2018-02-19 00:02:13 (satori83)

  • Worked great for me.... Thanks for the Info!

    2018-02-13 13:45:40

by birdfeedr
last modified: 2008-12-02 18:06:46

This is the Primary LAN-to-WAN (option 6) configuration listed in the following FAQ:
»Verizon FiOS FAQ »What are the tradeoffs between the various router configurations
See that FAQ for advantages and disadvantages of this and other configurations for using your own router.

Your setup will be like this:



Video from the ONT to the STBs does not change.

This connection method does not allow the MediaShare DVR to function as well as you might want. That system needs to have the PC and the DVR on the same segment of network. In other words, the MediaShare traffic cannot cross the WAN boundary. So if you have a MediaShare DVR, you need to use the LAN-to-LAN method in Replacing the Actiontec (part 4): LAN-to-LAN keeps MediaShare DVR.

You will place the Actiontec behind your primary router to complete the path for TV data. Using this connection method, the only purpose for the Actiontec is to connect the Actiontec's coax LAN to the ethernet WAN port. All other wireless and wired internet connections will be made to your primary router. Double-NAT does not seem to affect STB data including Program Guide, Widgets and VOD. Nor does it seem to affect standard traffic to other Actiontec coax LAN devices that may be connected through a MoCA bridge such as a NIM-100.

Ok, so you've verified your broadband data connection on the Actiontec is Ethernet in Replace the Actiontec (part 1): Coax to Ethernet, and you've chosen your new primary router based on performance specifications that match your service and what you want to do with it.

A. Short version: Turn off wireless (maybe), release the WAN IP, power off. Connect ethernet to WAN port on replacement router, turn it on, verify internet connectivity. Remove power to STBs and DVRs. Connect Actiontec WAN port to LAN port on replacement router, turn Actiontec on, make sure the Actiontec LAN subnet is different from your router's LAN subnet, and verify internet connectivity. Verify STBs and DVRs have data path to the internet. Tada! All done!

B. For the longer version follow these steps:

At various points in this procedure, you will need to verify certain router settings and connections. It is suggested you do this from a computer wired to the router. There are a number of problems that are related to wireless use, and you want to tackle those problems after you know you're running properly wired.

After your primary router is in place you may need to be able to check settings on the Actiontec. You can set it to allow remote administration on http port 80. Since it is behind your primary router, your exposure to vulnerabilities from the internet is reduced. Exposure to current LAN-side malware can be minimized by changing your router password to something you've chosen. You did do that already, didn't you? Don't use easy to guess passwords.

These instructions have been tested on a Rev. A Actiontec with firmware version 4.0.16.1.56.0.10.7. They are also known to work on the Actiontec up through Rev. E and on the Westell 9100.

1. Turn off Wireless on the Actiontec if you intend to access only through your replacement router. Otherwise, set the same SSID, security and password on both routers, but set both routers on different wireless channels. Your wireless device will use the stronger signal of the two. (If you have questions about other wireless configurations, post them in the »Verizon FiOS forum). To turn off the Actiontec wireless, click on Wireless Settings icon, then click Basic Wireless Settings menu item. Click the button in item 1 to turn off radio, then scroll down and click Apply.

2. If you choose to do so for convenience, allow Remote Administration on the Actiontec. Click on Advanced icon, click Yes to allow changes, click on Remote Administration item, check Using Primary Http Port 80 under Allow Incoming Access to Wireless Broadband Router.

3. Release the IP on the Actiontec before turning it off. Click on My Network icon, then select Network Connections item. Click on Broadband Connection (Ethernet) in the table to see the properties for your WAN port. Write down the MAC address for the ethernet WAN port; you may need it later. Scroll down and click Settings. Click the Release button and your internet light on the Actiontec will go orange. If you are on PPPoE, this step does not apply to you.

4. Power off the Actiontec.

5. Next, unplug the ethernet from the Actiontec WAN port and plug it in to the WAN port on your new router. Connect your PC to a LAN port, turn on your new router and reboot your PC. When the router settles down, verify its status lights, including internet connectivity.

In the rare circumstance you do not get internet, you may have a MAC bound IP. Follow the procedures in this FAQ to release your DHCP lease.

Log in to your new router to verify and change any settings.

  • Make sure you change your router password off the default value.
  • Make sure your router is set to obtain its WAN side address automatically (DHCP)
  • Your router should use a different LAN subnet than the Actiontec. For example, if you left the Actiontec LAN subnet as 192.168.1.x, then change your router's LAN subnet to 192.168.0.x.
  • Make sure DHCP Server is enabled on the LAN side of your router.
Reboot your router and PC to verify any changes.

Start your browser, verify internet connectivity by browsing to your default page: why, it's www.dslreports.com, of course.

Run a speed test. If you have already tweaked your PC, you should be getting everything you asked for. That's why I had you connect wired. Keep it simple before you go more complicated.

Tada!! You have your replacement router connected to the ONT's ethernet WAN port.

6. Turn off all your STBs and DVRs by removing power to them. Hitting the Power switch isn't enough. Unplug the power cord from the outlet.

7. Connect the WAN port of the Actiontec to a LAN port of your new router. Connect your PC to a LAN port on the Actiontec. Reboot the PC. Power on the Actiontec. When all the router lights settle down, you should see internet connectivity. Verify by browsing to dslreports. You should be able to run a speed test, and get the same results you had with your primary router.

8. So far, so good? Turn on one STB. Let it boot up and settle down. Remember the video from the ONT will not be affected by the router changes. Verify the data gets there by changing a channel to see the program data, or press Guide to show the program guide, or press Widgets or On Demand. Any of these actions with normal results will verify your system works.

Repeat step 8 until all TV devices are on and working. You will be able to see the device names in My Network on the Actiontec.

Hurray!!! Mission accomplished.

At any point that you need to reset devices, power up from the WAN inward. Example: if the STBs do not connect, power them off, then power off the router, then power up the router and when it has settled down, power up the STB. Likewise, if the router cannot get an internet connection, turn it off, reboot the ONT, then when it's settled down, power on the router. I have not had any problems with this setup. The only thing that the Actiontec is doing is feeding data to the STBs. Double-NAT will not affect them, at least not in any way I have been able to determine.

Do these steps, then connect your PC to your router, and leave the Actiontec alone. There isn't anything else you really need to do with it. If you had allowed Remote Administration, you can get to the Actiontec by going to whatever address your primary router assigned to the Actiontec. You would log in with the same login and password you have used previously. The Actiontec at this point is now doing the same thing a NIM-100 would do. It's on the LAN side of your primary router acting as a bridge from your router's ethernet to the coax.

You have now entered the world of non-standard installation. VZ tech support may say it's not supported. That's fine, now you know where to get assistance. This forum has been my first stop for a long time. If, at any time, you want to go back to a standard installation, release the IP from your new router, power it off, connect the Actiontec WAN to the ONT cat5, power it on and you're back to a standard installation. VZ will support that.

With thanks to More Fiber for assistance.





Feedback received on this FAQ entry:
  • Thank you so much for this! I was able to get it to work using a Fios G3100. I had already previously setup the new router (Asus ZenWifi X8, where I had already released the DHCP on the G3100 beforehand), and I still had DVR Guides for about a week, until they disappeared. So here's the sequence I followed: 1) Change the IP address of my PC to a static IP address. 2) Turned off wifi on my laptop and then powered up the G3100 (which is not connected to the internet) and connected the G3100 LAN into my laptop via ethernet. 3) Typed in myfiosgateway.com to login to the G3100. Went to Advanced => Wifi => Radio Management and turned off all radios 4) Disconnected the G3100 and turned wifi back on my laptop and confirmed an internet connection. Then continued with the instructions above starting with Step 6. Next I will try 3-router Option 8 to see if I can get it to work. Will add feedback there on how it goes.

    2023-12-13 17:25:26 (goch)

  • Not sure if anyone has tried this again in recent times but I am unable to get this working. I'm using a Unifi router (UDM Pro) and the G1100 FIOS router. I have everything network wise setup properly. I have also set the port forwarding rules as Zman44 described above and also no luck getting the TV Guide or VOD working. I'm really stumped why this is not working... Perhaps it's the STBs boxes I have? I have 3 x Motorola QIP7232 2 Any suggestions?

    2021-01-04 17:37:04 (pish180)

  • I went thru this setup (Option #6) using a Nighthawk AC3200 as primary router and switching the FIOS G1100 for MOCA pass thru. I have the house wired for CAT 6 to several locations/devices and use a switch (Netgear GS316) along with a patch panel. Getting thru the details provided for Option 6 everything seems to be working fine. Until I try to tie in the switch by feeding a CAT 6 cable from Nighthawk LAN port to Switch. PC is now connected to switch. I lose internet to PC. Any ideas?

    2020-10-30 12:19:05 (Zman44)

  • A couple configuration tips I recommend: If you have a bunch of hosts with names that you'd like to keep at their existing IP addresses, change the IP address on the FiOS router to be something other than what the new "first position" router will use for its LAN. In my case, I kept 192.168.1.x for my various home devices, and changed the FiOS router to use 192.168.16.x for its LAN. Pick a static IP for the FiOS router WAN port, i.e. 192.168.16.2. The Video-on-demand (VOD) service needs some TCP and UDP port forwards. Here's how mine look in OpenWRT: (network / firewall / port forwards) Allow TCP traffic from the WAN (any host) on ports in the range 35000-35009 and forward to the IP assigned for the WAN port of the FiOS router. Allow UDP traffic from the WAN (any host) on ports in the range 63145-63154 and forward to the IP assigned for the WAN port of the FiOS router.

    2019-08-28 15:26:38 (gwr)

  • Just got FIOS installed and am going to try this configuration so that I can continue to use my Netgear router as primary. Just wondering if my wireless devices connect to the Netgear, will I still be able to use the FIOS app to watch live TV? I'm concerned because the STBs will be on a different subnet from the Netgear if I understand this correctly.

    2019-04-10 18:58:19 (CJC)

  • As a novice, I was a bit nervous taking on such an adventure but it paid off. I followed the instructions word to word and had a successful installation. Google wifi works great serving as a primary router. Now it seems the Quantum router g1100 is serving as a switch and all the LANS on it work great. No problem with STBs and video on demand works fine. Thanks again!

    2017-09-25 10:07:56 (Augeman)

  • Thank you so much for this guide! I was able to turn my Actiontec into a Moca bridge and use Google WiFi as my replacement router. One difference in my set-up from your illustration is that I have internet going to the new router first, then to the old Actiontec's WAN port (as you describe) and then my computer is connected to a LAN port of the Actiontec. Your illustration shows the computer hooked up to a LAN port of the new router which was one of my testing steps, but not the final set-up. I actually also have a Sonos Bridge (earlier version of the Boost) in between the Google and Actiontec, but that's not overly material. Took a while to figure out that it couldn't be behind the Actiontec but I eventually got there. My biggest issue setting this up was that Frontier forgot to enable Moca on the ONT when I had them switch internet to the CAT5 from the coax (was originally pushing both video and internet on the same coax line). Took three calls to have them figure out they just needed to change a setting on their end. Anyway, thanks again!

    2017-07-31 02:00:16 (blinkyfish)

by birdfeedr, edited by Branch
last modified: 2016-10-15 16:50:52

Q. I want to make my router primary, but software on my PC or other devices needs to see what's on the secondary router.

A. As an example, you have a Plex server connected to the primary router and the TV is connected to the Actiontec router. These devices have to be on the same segment of network. In other words, the network traffic cannot cross a WAN boundary. So, to permit this traffic, use this LAN-to-LAN connection method.

With LAN-to-LAN, the primary purpose for the Actiontec is to connect the Actiontec's coax LAN (which provides data to the STB/DVR) to your primary router's ethernet LAN port. The coax cable remains connected to the Actiontec for the STB LAN data, the Actiontec WAN port will not be used. For a simpler implementation, wireless connections will be made to your primary router. The Actiontec's wireless will be disabled.

Ok, so you've verified your broadband data connection on the Actiontec is Ethernet in Replacing the Actiontec (part 1): Coax to Ethernet, and you've chosen your new primary router based on performance specifications that match your service and what you want to do with it.

Q. Ok, I'm ready. What do I do?

A. Short version: Change PC connection to static, remove power to all devices connected to coax LAN, delete Actiontec's DHCP assignments, change DHCP range to start at 192.168.1.3, disable DHCP, change Actiontec IP to static 192.168.1.2, turn off wireless (maybe), enable Remote Administration, release the WAN IP, power off Actiontec. Connect ethernet from ONT to WAN port on replacement router, turn it on, verify internet connectivity. Connect Actiontec LAN port to LAN port on replacement router, turn Actiontec on, and verify internet connectivity. Verify STBs and DVRs have data path to the internet. Tada! All done!

Longer version: Follow these steps.

At various points in this procedure, you will need to verify certain router settings and connections. It is suggested you do this from a computer wired to the router. There are a number of problems that are related to wireless use, and you want to tackle those problems after you know you're running properly wired.

Exposure to current LAN-side malware can be minimized by changing your router password to something you've chosen. You did do that already, didn't you? Don't use easy to guess passwords.

These instructions work on a Rev. A Actiontec with firmware version 4.0.16.1.56.0.10.7, and are likely identical for later models.

1. Change the IP address of the PC connected to the Actiontec to a static IP address.
For Windows, go to network settings and change the TCP/IP settings of the network interface card from Get Address Automatically to Use This Address. For other operating systems, refer to your operating system documentation.
Make a note of your DNS server addresses. You will need these when you change your PC settings to use a static IP address. Devices on the coax LAN may pick up the Actiontec-served address even if the new router handles DHCP. The extra step here will make it easier to clean up the old addresses. I chose 192.168.1.48, subnet 255.255.255.0, gateway 192.168.1.1.

2. Remove power to all the devices on the coax LAN. Shut down all the ethernet LAN devices except the PC you are configuring with.

3. Delete all the Actiontec's DHCP assignments. While logged in to the Actiontec, click on Advanced icon, click on IP Address Distribution link, click on Connection List, then delete each item in the list until there are none remaining. It will take a few seconds on each one then the list will refresh.

4. Change the Actiontec's DHCP range to start at 192.168.1.3 even though it seems counterintuitive. Click on My Network icon, click Network Connections menu item, click on Network (Home/Office) link, click on settings button. Scroll down to IP Address Distribution, and set Start IP Address to 192.168.1.3, then click Apply. Status message appears, then click Apply again.

5. Disable DHCP. While in Network (Home/Office) status, click Settings button, select IP Address Distribution to Disabled, then click Apply. Status message appears, then click Apply again.

6. Change Actiontec IP to static 192.168.1.2. While in Network (Home/Office) status, click Settings button, change Internet Protocol drop-down to "Use the Following IP Address". Enter IP Address as 192.168.1.2, and Subnet Mask as 255.255.255.0 then click Apply. Status message appears, then click Apply again. You will need to log in again to the Actiontec router at the new IP 192.168.1.2.

7. Turn off Wireless on the Actiontec if you intend to access only through your replacement router. Otherwise, set the same SSID, security and password on both routers, but set both routers on different wireless channels. Your wireless device will use the stronger signal of the two. (If you have questions about other wireless configurations, post them in the »Verizon FiOS forum). To turn off the Actiontec wireless, click on Wireless Settings icon, then click Basic Wireless Settings menu item. Click the button in item 1 to turn off radio, then scroll down and click Apply.

8. If you choose to do so for convenience, allow Remote Administration on the Actiontec. Click on Advanced icon, click Yes to allow changes, click on Remote Administration item, check Using Primary Http Port 80 under Allow Incoming Access to Wireless Broadband Router.

Afterward, you will be able to login to the Actiontec while connected on the LAN side of your primary router. If you do not allow Remote Administration, you would need to connect to a LAN port on the Actiontec before logging in to it.

9. Important: Release the WAN IP on the Actiontec before turning it off. Click on My Network icon, then select Network Connections item. Click on Broadband Connection (Ethernet) in the table to see the properties for your WAN port. Write down the MAC address for the ethernet WAN port, you may need it later. Scroll down and click Settings. Click the Release button and your internet light on the Actiontec will go orange.

10. Power off the Actiontec.

11. Unplug the ethernet from the Actiontec WAN port and plug it in to the WAN port on your new router. Connect your PC to a LAN port on your new router, turn it on and reboot your PC. When the router settles down, verify its status lights, including internet connectivity.

In the rare circumstance you do not get internet, you may have a MAC-bound IP. You can call FSC and ask them to break the lease, or you can leave the router powered off for 2 hours then try again, or you can clone the Actiontec router MAC address into your new one.

12. Log in to your new router to verify and change any settings. Make sure you change your router password from the default value. While terminology for your new router may vary, you want to ensure its LAN network IP is 192.168.1.1 and the DHCP Server settings have the gateway address set to 192.168.1.1, subnet 255.255.255.0. Also set it to distribute DHCP addresses in the range from 192.168.1.100 to 192.168.1.199. You can use the lower addresses for static IPs. Reboot router and PC if you made any changes.

13. Your new router should indicate internet connectivity. Start your browser, verify internet connectivity by browsing to your default page: www.dslreports.com of course.

Run a speed test. If you have already tweaked your PC, you should be getting everything you asked for. That's why I had you connect wired. Keep it simple before you go more complicated.

14. Connect a LAN port of the Actiontec to a LAN port of your new router. Connect your PC to a LAN port on the Actiontec. Power on the Actiontec. When all the router lights settle down, you should see Power and the ethernet LAN lights for your PC and the primary router. Internet, coax WAN, Ethernet WAN, Coax LAN and Wireless lights are off. The main configuration page will display a warning: "STOP: Check Broadband Connection". This is okay, since the WAN connection is not being used. Any previously set values associated with Broadband Connection will not apply since your new primary router is controlling DHCP and DNS. Verify internet connectivity by browsing to dslreports. You should be able to run a speed test, and get the same results you had with your primary router.

15. So far, so good? Turn on one STB. Let it boot up and settle down. Coax LAN light on the Actiontec should light up to indicate a Coax LAN connection. Give enough time for the STB to connect to data. Remember that video from the ONT will not be affected by the router changes. Verify the data gets there by changing a channel to see the program data, or press Guide to show the program guide, or press Widgets or On Demand. Any of these actions with normal results will verify your system is getting data to the STB. You can also verify the IP address on the STB. On a QIP-2500, select Menu on the Remote Control, scroll down to Settings, click OK, then scroll down to System Info.

Repeat step 15 until all TV devices are on and working. You may be able to see some, but it is not certain you will see all the device names in My Network on the Actiontec. Since the Actiontec is not administering the DHCP, you may only see the IP addresses, and it may take a little while before they become visible. The way to tell the connection is working is to see the results of the data request.

You will be set up like this: ONT -(cat5)-> your router -(cat5)-> Actiontec -(coax)-> STB

Hurray!!! Mission accomplished.

At any point that you need to reset devices, power up from the WAN inward. Example: if the STBs do not connect, power them off, then power off the router, then power up the router and when it has settled down, power up the STB. Likewise, if the router cannot get an internet connection, turn it off, reboot the ONT, then when it's settled down, power on the router. I have not had any problems with this setup. The only thing that the Actiontec is doing is feeding data to the STBs and DVRs. If you have a device on the coax LAN that needs a port-forwarding rule, follow instructions for your new router to reserve the IP address. After a power failure, the power-up sequence of devices may result in the device getting a different address than it had before. By reserving an IP address for a particular device identified by MAC address, the port forward rule you set up will not be affected.

Do these steps, then connect your PC to your router. You can change the PC back to using a DHCP dynamic address if you wish. You can leave the Actiontec alone, or connect devices to the remaining LAN ports. If you allowed Remote Administration, you can monitor and administer it by logging in to 192.168.1.2. Remember the WAN port is not used. We did not disable it but it is not connected. Traffic Monitoring and Bandwidth Monitoring results will be affected because they monitor WAN data.

The Actiontec at this point is now on the LAN side of your primary router acting as a bridge from your router's ethernet to the coax. You have now entered the world of non-standard installation. VZ tech support may say it's not a supported installation. That's fine, now you know where to get assistance. This forum has been my first stop for a long time.

If, at any time, you want to go back to a standard installation, log in to the Actiontec and reset it back to its factory default then power it off. Release the IP address from your primary router then power it off. Connect the Actiontec WAN to the ONT cat5, power it on and you're back to a standard installation. VZ will support that.
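The address plan this procedure ends with (new router at 192.168.1.1 serving DHCP from .100 to .199, Actiontec at static 192.168.1.2, configuration PC at static 192.168.1.48) can be checked for overlaps and duplicates before the devices are powered back up. The script below is an added example, not part of the original FAQ; the function name, device labels and the second, deliberately broken plan are constructed for illustration.

```python
import ipaddress


def check_address_plan(subnet, gateway, pool_start, pool_end, static_hosts):
    """Return a list of problems found in a LAN address plan.

    static_hosts maps a device label to the address configured on it by hand.
    """
    net = ipaddress.ip_network(subnet)
    gw = ipaddress.ip_address(gateway)
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    problems = []

    for label, addr in (("gateway", gw), ("DHCP pool start", start),
                        ("DHCP pool end", end)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside {net}")
    if start > end:
        problems.append(f"DHCP pool start {start} is after pool end {end}")
    if start <= gw <= end:
        problems.append(f"gateway {gw} is inside the DHCP pool")

    seen = {gw: "gateway"}  # address -> first device that claimed it
    for label, text in static_hosts.items():
        addr = ipaddress.ip_address(text)
        if addr not in net:
            problems.append(f"{label} {addr} is outside {net}")
        if addr in (net.network_address, net.broadcast_address):
            problems.append(f"{label} {addr} is the network or broadcast address")
        if start <= addr <= end:
            problems.append(f"{label} {addr} is inside the DHCP pool "
                            "and may be leased to another device")
        if addr in seen:
            problems.append(f"{label} {addr} duplicates {seen[addr]}")
        else:
            seen[addr] = label
    return problems


# Values from the procedure: Actiontec at static .2, configuration PC at .48.
FAQ_PLAN = {"Actiontec": "192.168.1.2", "config PC": "192.168.1.48"}

# Constructed counter-example: a second device already holding 192.168.1.2
# and a hand-set address that falls inside the DHCP pool.
BAD_PLAN = {"Actiontec": "192.168.1.2", "wireless adapter": "192.168.1.2",
            "printer": "192.168.1.150"}

if __name__ == "__main__":
    for name, plan in (("FAQ plan", FAQ_PLAN), ("constructed bad plan", BAD_PLAN)):
        issues = check_address_plan("192.168.1.0/24", "192.168.1.1",
                                    "192.168.1.100", "192.168.1.199", plan)
        print(name, "->", issues or "no conflicts")
```

Add any reserved or hand-configured addresses (STBs, port-forwarded devices) to the dictionary before running it against your own plan.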

With thanks to More Fiber and birdfeedr for assistance.






Feedback received on this FAQ entry:
  • I closely followed these steps last night and everything works - thank you to the author & editors for this great write-up. Clearly a lot of work went into putting this together. I previously had the G3100 as primary and it is now secondary, running my 2 STBs. But a couple of steps were slightly different in my case. 1st, in Step 3 I deleted all the DHCP assignments except I could not delete my 2 STBs, the option didn't exist. 2nd, In Step 8, I did not enable Remote Administration from WAN on the G3100 (port 443 not 80 in my case), but I can still log into the G3100 at 192.168.1.2 without plugging my PC into a LAN port on the G3100. I'm wondering if that Step 8 is 100% correct, (since it is all LAN-side, and the Remote Admin setting is for Incoming from WAN). TV and Internet work great. A follow-up to one of the 2019 feedbacks: my STBs aren't at the standard default .100, .101, but I can still connect to them with the iOS app.

    2023-07-22 16:06:42 (countryjudge)

  • I am unable to log in to the Fios forum. Step 4, you have me setting my Actiontec router DHCP range to begin at 3, then in Step 5, disable DHCP. Did I read this wrong?

    2020-07-06 15:32:20 (sjsteve)

  • In order for you to reach the STB from the iOS App, you need to make sure your STBs have the standard default IP address of .100, .101, etc.

    2019-10-14 10:52:46 (itcsburnett)

  • Can this be upgraded to account for the new G1100 and fios one equipment?

    2019-02-26 22:42:13 (LSP414)

  • Thank you for these instructions. They worked like a charm. I replaced my Verizon G1100 as my primary router with Netgear Orbi (RBR50). I also performed your suggestion of copying over the port forwarding rules and so far all my Verizon services, including TV, DVR and VOD continue to work as before.

    2017-11-08 05:57:23 (lnxraider)

  • I need to say thank you for this Site and instructions.. Replaced the Actiontec with a linksys wrt1900acs. These made this a very easy upgrade... I did run into one problem on my side.. I forgot to drop the wireless antenna. It just so happened that the Wireless IP was 192.168.1.2. Just like the new setting for the Actiontec. Once I killed my antenna I was able to get into the new IP. Thanks Again for great instructions. BVT

    2015-12-23 14:06:51

by birdfeedr edited by Branch
last modified: 2016-10-15 16:49:39

Wireless Distribution System (WDS) enables the interconnection of access points in a wireless network. It allows a wireless network to be expanded using multiple access points without the need for a wired backbone to link them.


A user writes that Actiontec supports WDS in their Q1000 VDSL modem hardware, so it may be a harbinger of things to come. However, WDS is not supported by the Actiontec or Westell routers in use by Verizon at this time.



Feedback received on this FAQ entry:
  • Even though Verizon does not support it, you can add access points wirelessly to the Verizon Actiontec router without making any changes to it. The magic is in the firmware of the second router that you want to use. You can get the firmware for your switch that will use wireless to bridge to the Actiontec. See http://www.dd-wrt.com/site/

    2013-01-20 17:44:56

by More Fiber edited by birdfeedr
last modified: 2011-11-03 05:40:57

No, it is not functional at this time.

However, the USB port is powered. Some readers use it to charge USB-connected devices such as MP3 players or cell phone headsets.

by More Fiber
last modified: 2011-05-18 06:43:56


If you have a network device that should always be assigned the same LAN IP address, there is a way to do this in the Actiontec router. Although IP addresses are assigned dynamically by DHCP, you can change a device's lease from dynamic to what the Actiontec calls a static lease. This is also commonly known as a "DHCP Reservation".

With a static lease, the Actiontec DHCP server allocates a pre-determined IP address based on a table of MAC address/IP address pairs. In this process, a "paired" IP and MAC address is set to be assigned a static lease instead of the default dynamic one. DHCP is still in effect, but under more defined parameters.

The process to change the type of lease from Dynamic to Static for an individual MAC address is as follows:
1) Log in to your Actiontec router at 192.168.1.1.
2) On the top menu bar, click Advanced. At "Do you want to proceed", click Yes.
3) Click IP Address Distribution.
4) Click Connection List.
5) You'll see a table "DHCP Connections". Locate the device you want to change, and click either its name in the left column or the Edit icon to its far right.
6) Your device will appear with a check box "Static Lease Type". Add a checkmark in that box.
7) Click Apply.
8) Click Close.
9) Log out.
If you wish to revert from Static to Dynamic, just clear the checkbox in Step 6.

by bt06437 edited by More Fiber
last modified: 2011-06-08 21:01:52

Before attempting to configure port forwarding on the FiOS router, there is some information that you need to have in hand.

1. Computer/Device HOST name or IP Address if it is a static IP address
2. A list of the Port numbers and Protocols needed for the game, service or application

The Actiontec FiOS Routers have built in pre-configured rules for many of the common games, applications and services. It is a good practice to check the list before you begin to configure a new port forwarding rule. If the Protocol you need is not listed, you can create a custom rule using these directions. Any rule that you create will become part of the list and remain there until the router is Reset. (Resetting the router will restore all settings to default values and remove any custom rules that have been added. However, if you save a router Configuration file, it will create a backup of the router settings and any custom rules that have been added. That way if the router needs to be Reset or has already been Reset, it can quickly be reconfigured and lost port forwarding rules restored, by loading the saved Configuration file).

Instructional videos and step-by-step instructions

How to Create Custom Port Forwarding Rules for model RI408 firmware versions (4.0.16.1.44.11 to 4.0.16.1.45.27)

How to Create Custom Port Forwarding Rules for model MI424WR Rev. A,C & D firmware versions (4.0.16.1.44.28 to 4.0.16.1.56.0.10.11.3)

How to Create Custom Port Forwarding Rules for model MI424WR Rev. A,C & D firmware versions (4.0.16.1.56.0.10.12.3)

How to Create Port Forwarding Rules for model MI424WR Rev. A,C & D firmware versions (4.0.16.1.56.0.10.14.4)

How to Create Custom Port Forwarding Rules for model MI424WR Rev. E & F firmware versions (20.8.0 to 20.9.0)

How to Create Custom Port Forwarding Rules for model MI424WR Rev. E & F firmware versions (20.10.7)

How to Create Port Forwarding Rules for model MI424WR Rev. E & F firmware versions (20.19.8)

How to Create Port Forwarding Rules for model MI424WR Rev. G firmware versions (30.18.5)

How to Create Port Forwarding Rules for model MI424WR Rev. I firmware versions (40.19.22)

There is also an automated Port Forwarding tool that will forward ports on FiOS routers, found at www.simpleportforwarding.com
Step-by-step instructions for alternate router models can be found at Pc Wintech's website, as well as Portforward.com

Related:
Common Problems & Fixes For Port Forwarding

by hubrisnxs edited by More Fiber
last modified: 2012-07-18 19:35:23

The following table shows the differences between various Actiontec and Westell routers.


by More Fiber
last modified: 2013-01-10 11:40:17

What: Install your own cert into the Actiontec MI424-WR router.


Why: So you don't get a cert warning when accessing the router from the WAN / Internet.


1) Telnet to the router and login as administrator

2) Be sure to save the current cert and private key
a) conf print cert/0/cert 

b) conf print cert/0/private

3) Install your own cert and private key 

a) conf set cert/0/cert 

b) conf set cert/0/private  


Enter help conf for a list of configuration commands.

by NOYB edited by Branch
last modified: 2016-10-02 08:27:21

Due to FiOS's extremely high soft data cap, most people don't have a need to check how much data they use. However, if you're curious, here's how to check with the Actiontec and FiOS Quantum Gateway Routers:

1. Log in to the router at 192.168.1.1
2. Click System Monitoring at the top
3. On the left, click Advanced Status, then click Yes
4. Click Traffic Monitoring
5. Look at the Broadband Connection column, and scroll down until you see Received Bytes, which is your downloaded data, and Sent Bytes, which is your upload. Be sure not to look at the Packets.
6. Take those values and convert them to either gigabytes or terabytes, whichever is more appropriate.
7. Finally, go back to the router GUI and look at Time Span. This is the span of time that the data was downloaded/uploaded. It's in the format of HH:MM:SS, and it resets every time the router is rebooted.

by Branch
last modified: 2017-01-24 22:17:12