Devsforev
join:2001-12-22
Suffern, NY

1 edit

Devsforev

Member

FIOS Actiontec Bridge with ZyWall Router

[Attached image: ZyWall]
Just the other day, I switched to FIOS from Optimum Online. Pretty much the first thing I did is log on to this site and see what sort of networking configurations people have decided to use. The tech installed a coax line into the Actiontec router. Wanting to use my existing ZyWall 2X router instead of the one provided, I decided to follow the bridging guide: »Make your actiontec a bridge with VOD working with REV D.

After a few hours of messing with the settings, my ZyWall router was unable to acquire a WAN address. Frustrated, I temporarily disabled the firewall. Within seconds, I had an IP address and everything was working fine. Upon closer analysis of the router's logs, I was able to determine what IP ranges and ports I needed to open in order for my ZyWall 2X router to work through the bridge with the firewall enabled.

This post is aimed at anyone attempting to bridge the supplied Actiontec router connected to a ZyWall router. I decided to post my findings in order to help anyone stuck in the process.

Before proceeding, let me briefly describe my network configuration. The Actiontec router has a static address at 192.168.100.1, and my network range is 192.168.1.0 - 192.168.1.255.

When I first followed the bridging guide, I had the Actiontec router configured at the address of 192.168.1.1, and the ZyWall at 192.168.1.2. It worked alright, but the ZyWall's logs quickly filled up with "ip spoofing" attack alerts since the Actiontec was on the same subnet. Changing it to a different address solved that problem.

Please refer to the attached picture for the firewall rule created. I'll provide a brief explanation of why I selected the following ranges.

1) First, create a new "WAN to WAN" firewall rule.

2) Under "source address", add the following ranges:
192.168.100.1 (IP of Actiontec router)
173.0.0.0 - 173.255.255.255 (IP range of FIOS)
96.0.0.0 - 96.255.255.255 (IP range of FIOS)
98.0.0.0 - 98.255.255.255 (IP range of FIOS)
192.168.1.0 - 192.168.1.255 (IP range of LAN)

*Note: My IP was initially in the 173.x.x.x range. I did a quick search, and discovered that other IP ranges that some people had were in the 96.x.x.x and 98.x.x.x range. In case I was ever assigned one of those addresses, the rule needed to be flexible.

3) Under "destination address", add the following ranges:
255.255.255.255 (Broadcast)
192.168.1.0 - 192.168.1.255 (IP range of LAN)
224.0.0.0 - 239.255.255.255 (Multicast)

4) Under "selected services", add the following ports/protocols:
PING(ICMP:0)
MULTICAST(IGMP:0)
*UPNP(UDP:1900) <--- Custom Rule
*DNS(UDP:67-68) <--- Custom Rule

5) Apply the rule

After applying these settings, the ZyWall 2X was able to acquire an IP address through the bridged Actiontec with the ZyWall's firewall enabled.

If anyone has any questions, comments, or suggested revisions to my firewall rule, I would love to hear them. I hope this has been helpful for anyone trying to configure a similar setup.

Take care,
-- Devsforev
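
Added example (not part of the original post, and not ZyXEL's code): a small Python model of the rule from steps 1-5, treating it as a plain source/destination/service match, which is an assumption about how the ZyWall evaluates a WAN-to-WAN rule. It runs constructed packets through the rule to show what the listed ranges admit and reject; UDP 67-68 are the DHCP/BOOTP ports a WAN lease uses.

```python
import ipaddress

def rng(first, last=None):
    """Inclusive IPv4 range as a pair of integers."""
    lo = int(ipaddress.IPv4Address(first))
    return lo, int(ipaddress.IPv4Address(last or first))

# Ranges and services copied from steps 2-4 of the post.
SOURCES = [rng("192.168.100.1"),
           rng("173.0.0.0", "173.255.255.255"),
           rng("96.0.0.0", "96.255.255.255"),
           rng("98.0.0.0", "98.255.255.255"),
           rng("192.168.1.0", "192.168.1.255")]
DESTS = [rng("255.255.255.255"),
         rng("192.168.1.0", "192.168.1.255"),
         rng("224.0.0.0", "239.255.255.255")]
# (protocol, low port, high port); ICMP and IGMP carry no ports.
SERVICES = [("icmp", None, None), ("igmp", None, None),
            ("udp", 1900, 1900), ("udp", 67, 68)]

def in_any(addr, ranges):
    n = int(ipaddress.IPv4Address(addr))
    return any(lo <= n <= hi for lo, hi in ranges)

def rule_allows(src, dst, proto, dport=None):
    """True when the packet matches source, destination and service."""
    svc = any(p == proto and
              (lo is None or (dport is not None and lo <= dport <= hi))
              for p, lo, hi in SERVICES)
    return svc and in_any(src, SOURCES) and in_any(dst, DESTS)

def source_address_count():
    """How many distinct source addresses the rule trusts."""
    return sum(hi - lo + 1 for lo, hi in SOURCES)

# Constructed sample packets; the addresses are illustrative only.
SAMPLES = [
    ("DHCP reply to broadcast", "173.10.0.1", "255.255.255.255", "udp", 68),
    ("SSDP from a 96.x host to a LAN address", "96.1.2.3", "192.168.1.50", "udp", 1900),
    ("ping from a 98.x host to a LAN address", "98.7.6.5", "192.168.1.50", "icmp", None),
    ("DHCP reply from an unlisted block", "71.1.2.3", "255.255.255.255", "udp", 68),
    ("TCP 80 from a listed block", "173.10.0.1", "192.168.1.50", "tcp", 80),
]

if __name__ == "__main__":
    for label, src, dst, proto, dport in SAMPLES:
        verdict = "ALLOW" if rule_allows(src, dst, proto, dport) else "no match"
        print(f"{verdict:9} {label}")
    print("source addresses trusted:", source_address_count())
```

The second and third samples show that the rule matches more than the DHCP exchange: any host in the three /8 source blocks matches for ICMP, IGMP and UDP 1900 toward the listed destinations. A lease handed out from a block not in the source list matches nothing.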

birdfeedr
MVM
join:2001-08-11
Warwick, RI

birdfeedr

MVM

Re: Source addresses

Looking at some of the line monitors in the FiOS group at »/testh ··· ?view=66, there may be some blocks in use that are not in your table. Clearly some of the line monitors are not active, likely because they have not been updated after a dynamic address change. Some others in there appear to include bonded IPs from various sources. At least one of those monitors is a DSL IP.

VZ may have allocated the low 70 IP blocks for business services. You've probably got it right on residential with 96. 98. and 173.

If you had an outage caused by VZ assigning you an address in a new un-named source block, you'd be able to determine that from your status screen, right?

I'm just thinking, that's all. Not familiar with Zywall. Just thinking of first diagnostic step in troubleshooting an outage.

More Fiber
MVM
join:2005-09-26
Cape Coral, FL

More Fiber to Devsforev

MVM

to Devsforev

Re: FIOS Actiontec Bridge with ZyWall Router

It's not at all clear why you needed to do that. If you bridged the Actiontec correctly, the Zyxel should see everything on its WAN port that the Actiontec sees on its WAN port. There are lots of posts from users with a Zyxel. I don't recall anyone ever posting about having to create filters in their router in order to pull a WAN IP address. The most common problem when following any of the bridging instructions is failure to properly release the Actiontec's DHCP lease before connecting the new router.

You didn't say which version of the Actiontec you have. Based on the fact that you have a recent install, I'm assuming it is an Actiontec (GEN2) Rev. E.
If that is the case, the correct instructions are here:
»Re: MI424WR-GEN2 Rev E Configuration Thread

You should also review this FAQ:
»Verizon FiOS FAQ »What are the tradeoffs between the various router configurations
Devsforev
join:2001-12-22
Suffern, NY

Devsforev

Member

Thank you for posting the link to that thread. It seems that there are a few more instructions there than were present in the original link I posted. I will give that a shot tomorrow, and report back with my findings.

Thanks again,
-- Devsforev
Devsforev

1 edit

Devsforev to More Fiber

Member

to More Fiber
Yes, I have a Rev. E Actiontec. I followed the instructions up through the end of section 1 of the »Re: MI424WR-GEN2 Rev E Configuration Thread guide. I don't need the double-bridge, since I only have internet and phone through FIOS. In summary, I still had to punch holes in the firewall for an IP address to be snagged.

To be honest, I've spent more time screwing around with this damn Actiontec than is worth my while. I got a box of CAT-5E sitting next to my feet right now. From what I've read, all I gotta do is call Verizon and tell them to turn the RJ-45 port live. Then I can chuck this bad boy, cut out the middle-man, and have a direct pipe running into my network.

I think that's gonna be tomorrow's project. Thanks everyone.