Using Fios/Verizon Routers with LAN Segmentation without Double NAT

Hello all,

Some customers would like to use their own routers without ending up in a double-NAT situation, while keeping the Fios TV One DVR working. The solution is to put a Layer 3 device behind the Fios/Verizon router that routes between segments without performing NAT of its own, and to tell the Fios/Verizon router about those segments with static routes.

As usual, the advice offered here is largely my personal opinion. Because the concepts covered in this article constitute "advanced knowledge," official Verizon Support cannot handle any issues that may arise from the following setups (or any derivative setups). Not all features of a Fios or Verizon router are covered by official Verizon Support, but you can always ask about them in the Community.

Lawyers may also add: I do not endorse or condone any third-party products that may be referenced or implied in this article. I offer no warranty or guarantee of any kind. By following the setups in this article, you agree to hold both me and Verizon harmless. You are solely responsible for any changes you make to your device configuration.

Please see the following expanded network diagram.

[Diagram: G3100 Static Routing No Double NAT]

The Internet is made up of many Autonomous Systems (ASes). An AS is a set of routers under the control of one administrative entity. Two ASes are of particular concern to Verizon customers: AS 701 (UUNET), the backbone of the wireline connections, and AS 6167 (CELLCO-PART), the backbone of the wireless connections. For Fios customers the majority, if not all, connections are made through AS 701. In fact, your Broadband Home Router (BHR), the Customer Premises Equipment (CPE), also belongs to AS 701 at least in part, in terms of administrative domain, because the WAN IP address of the BHR is assigned by Verizon's Gateway Router (GWR), and that WAN address is part of AS 701's address space.

In this example the GWR has the address 198.51.100.1/24 and assigns 198.51.100.2/24 to the BHR. 198.51.100.0/24 is TEST-NET-2, one of the documentation prefixes reserved by RFC 5737; it is not routed on the public Internet, so in real life no one should ever receive an address from it. The BHR is a Linux router, which could be a G1100, G3100, CR1000A, or CR1000B. I will focus the configuration on the CR1000A, as that is what I have on my desk.

The CR1000A has two interfaces, eth0 and eth1. eth0 is technically br-lan, a bridge over the wired and wireless LAN ports, but that complication is beyond the scope of this article. eth1 is the WAN interface and runs a DHCP client to obtain a WAN IP address from the GWR. eth0 is the LAN interface and is assigned 192.168.1.1/24 by default. The light gray vertical line to the right of the CR1000A (BHR) is a network segment, specifically the prefix 192.168.1.0/24. The usual Fios TV One device, the VMS4100, is connected to this 192.168.1.0/24 network. For the Fios TV One DVR and its other features to work properly, it must be on the same network as the CR1000A's LAN interface, because Fios STBs exchange SSDP and IGMP messages with the Fios/Verizon router, and those multicast protocols do not cross a Layer 3 boundary unless a router is explicitly configured to relay them.

Having only a single 192.168.1.0/24 network for every device at home is a security concern to some, because there is no network segmentation. Some use the Guest Network SSID and VLAN 10 of the Fios/Verizon router to get a little segmentation, but that is clumsy at best. My solution adds a Layer 3 switch on the LAN segment to provide connectivity to additional segments, 192.168.2.0/24 and 192.168.3.0/24. For the sake of example, I put IoT devices on 192.168.2.0/24 and personal computers on 192.168.3.0/24. The IoT devices and PCs can send traffic to each other, to any device upstream on the 192.168.1.0/24 network, and to the Internet, because a Layer 3 switch routes between its VLAN interfaces.

The key issue is that return traffic may never get back to the 192.168.2.0/24 and 192.168.3.0/24 networks: the default gateway on the 192.168.1.0/24 network is 192.168.1.1 (the BHR), and the BHR only has a default route to the GWR. By default the BHR does not know that 192.168.2.0/24 and 192.168.3.0/24 exist, so it would send replies destined for them out the WAN side. Although the hardware is capable of running RIP and OSPF, that is overkill for a residential router. Instead, I configure static routes on the BHR that explicitly name 192.168.1.2, the Layer 3 switch, as the next hop for 192.168.2.0/24 and 192.168.3.0/24. Two checks are worth doing afterwards: the Layer 3 switch must not perform NAT of its own (otherwise you are back to double NAT), and a traceroute from a PC on 192.168.3.0/24 to an Internet address should show 192.168.1.2, then 192.168.1.1, then the GWR. For security, if you are using a Cisco switch you can define an ip access-list extended on the Layer 3 switch to restrict what the IoT network can reach. Or, if you know iptables or nftables, you can get a cheap MikroTik hEX RB750Gr3 (RouterOS has its own firewall syntax, but the same chains and stateful-matching concepts) and build a full stateful firewall between 192.168.2.0/24 and the rest of the network: allow connections initiated from your other segments into 192.168.2.0/24, but allow connections initiated from 192.168.2.0/24 to go only to the Internet.

So why can you avoid the double NAT? Because of the iptables setup in the Fios/Verizon router. If you are familiar with how NAT is done with iptables, you know the MASQUERADE target. The MASQUERADE rule in the nat POSTROUTING chain source-NATs any packet that exits on the eth1/WAN interface to the WAN address, irrespective of the packet's source address, so any subnet behind the router, not just 192.168.1.0/24, gets translated exactly once at the BHR. The Layer 3 switch therefore only needs to route, never to translate.
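To make the two points above concrete (the missing return route in the previous paragraph, and the MASQUERADE rule in this one), here is an added example, not code from this post or from Verizon's firmware: a small Python model of the CR1000A's forwarding table and its eth1 masquerade rule. The prefixes, interface names and the 198.51.100.0/24 test net are the ones used in this article; the Route/Router classes, the function names and the sample flows (203.0.113.7 is TEST-NET-3, another RFC 5737 documentation address) are constructed for the illustration.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

# Addresses from the article: 198.51.100.0/24 is RFC 5737 TEST-NET-2.
WAN_IP = ip_address("198.51.100.2")    # handed to eth1 by the GWR over DHCP
GWR = ip_address("198.51.100.1")
L3_SWITCH = ip_address("192.168.1.2")  # next hop for the extra segments


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    iface: str
    via: Optional[IPv4Address] = None  # None means directly connected


@dataclass
class Router:
    routes: List[Route] = field(default_factory=list)

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match, the same rule the kernel FIB applies."""
        d = ip_address(dst)
        candidates = [r for r in self.routes if d in r.prefix]
        if not candidates:
            return None
        return max(candidates, key=lambda r: r.prefix.prefixlen)

    def forward(self, src: str, dst: str) -> Tuple[str, str, str]:
        """Return (egress interface, next hop, source address after NAT).

        Models `iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE`:
        whatever leaves eth1 has its source rewritten to the WAN address,
        whichever RFC 1918 subnet it came from. Nothing leaving eth0 is
        translated.
        """
        r = self.lookup(dst)
        if r is None:
            raise LookupError("no route to " + dst)
        next_hop = r.via if r.via is not None else ip_address(dst)
        new_src = WAN_IP if r.iface == "eth1" else ip_address(src)
        return r.iface, str(next_hop), str(new_src)


def bhr_default() -> Router:
    """Factory-state CR1000A: connected LAN, connected WAN, default via GWR."""
    return Router([
        Route(ip_network("192.168.1.0/24"), "eth0"),
        Route(ip_network("198.51.100.0/24"), "eth1"),
        Route(ip_network("0.0.0.0/0"), "eth1", GWR),
    ])


def bhr_with_static_routes() -> Router:
    """Same box after adding the two static routes toward the L3 switch."""
    r = bhr_default()
    for prefix in ("192.168.2.0/24", "192.168.3.0/24"):
        r.routes.append(Route(ip_network(prefix), "eth0", L3_SWITCH))
    return r


if __name__ == "__main__":
    # Constructed sample flows for the two states of the BHR.
    for label, bhr in (("default routes only", bhr_default()),
                       ("static routes added", bhr_with_static_routes())):
        print("-- BHR with", label, "--")
        # A reply from the Internet, already de-NATed by conntrack, for a PC
        # on 192.168.3.0/24. Without the static route it is sent back out eth1
        # toward the GWR and never reaches the PC.
        print("reply to PC   :", bhr.forward("203.0.113.7", "192.168.3.5"))
        # An IoT device opening a connection to the Internet: masqueraded
        # once at the BHR, so the L3 switch never has to NAT.
        print("IoT outbound  :", bhr.forward("192.168.2.10", "203.0.113.7"))
        # Traffic to the VMS4100 on the directly connected LAN: no NAT.
        print("to STB on LAN :", bhr.forward("192.168.3.5", "192.168.1.50"))
```

Run it and compare the "reply to PC" line in the two sections: only with the static routes does the reply leave eth0 toward 192.168.1.2 with its source untouched. On a real Linux box the equivalent static route is `ip route add 192.168.3.0/24 via 192.168.1.2 dev eth0`, and `iptables -t nat -L POSTROUTING -v` shows whether the masquerade rule is keyed on the outgoing interface rather than on a specific source subnet.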

The other thing hinted at in the diagram is that you can put an IPsec concentrator behind the router. To my knowledge the Verizon/Fios routers do not have good hardware crypto acceleration, so an external Arm or Intel box is needed anyway. The IPsec concentrator can provide secure remote access to any of the networks behind the Fios/Verizon router. This avoids port-forwarding individual devices through a wide-open hole in the firewall: only the IPsec ports (UDP 500 for IKE and UDP 4500 for NAT traversal) need to be forwarded, and only to the concentrator.