First of all, Fios does not use modems.  The devices are just routers with some features that enable Verizon to support them and hardware to create MoCA networks for set-top-boxes or other coax network devices.

If you do not have Verizon set-top-boxes, you can use any router you want.  Note that if you do this, Verizon support will end at the ONT.  You'll also need Ethernet WAN from the ONT.  If you're currently on MoCA WAN, you'll need to install an Ethernet cable and contact Verizon to switch the ONT to Ethernet WAN (this is free.)

If you have Verizon set-top-boxes, a Verizon router is required.  It takes a very network savvy person to use a non-Verizon router with their boxes, and even then not all set-top-box features may work.  In this situation, you can disable the WiFi on the Verizon router and then plug in your own firewall/router device to the Verizon's LAN ports.  All of your home devices would then be attached to your firewall/router by it's wired or WiFi network.

You cannot loop traffic in and out of a Verizon router to go through an external firewall.

Ok, so maybe things were thrown off a bit because of terminology.  Ok the scenario is that a Verizon wireless router is in place.  From what I understand Verizon wireless routers have some firewall capabilities but it may not be that robust.  Is it possible to insert a separate physical firewall, that is not Wi-Fi capable, after the Verizon wireless router and have this physical firewall handle only firewall responsibilities and allow the Verizon router to handle the rest of the responsibilities as usual(i.e. wireless, routing. etc)?

Additionally, with regards to the robustness of Verizon wireless router firewall capabilities, do Verizon wireless routers provide the following capabilities?

• IDS/IPS
• Anti-malware
• Anti-virus
• VPN

IDS/IPS, yes.

Anti-malware/Anti-virus, yes through free Home Protection.

VPN, no, VPN is not a defining component of a firewall. VPN is available through Home Device Protect for $25 per month.

Hosting a personal VPN server behind a G3100 is problematic. G3100's capability to passthrough AH and ESP packets was explicitly removed in the newer firmware.

Sure, you can plug whatever you want behind a Verizon router.  Note only the devices attached to it will benefit from it's firewall.  Anything connected to the Verizon router via WiFi or wired will not have it's traffic pass through the other device.

I understood the scenario you described as having an external firewall process traffic that goes to devices connected to the Verizon router's WiFi or Ethernet.  This is not possible.  Traffic cannot be looped out and in from a Verizon router.

Verizon routers do have a decent firewall.  They have a reasonable amount of controls available to the user.  Network engineers or hard-core networking geeks may want more granularity on the controls; but the firewall is a solid product for most consumers.

Again, if you don't have TV service it is very easy to use whatever router you want.  Do you have TV service?

@gs0b Thanks for the clear response.  Let's say yes I have TV service.  When you mentioned router in you last post, did you mean firewall?

@ Cang_Household, Thanks for your reply.  What is free Home Protection and how does one obtain the service?

Most, if not all, consumer routers include a firewall.  A firewall only box is typically a commercial class device.  Since you did not specify if your use of the term firewall refers to an integrated device or a standalone one, I've used the term to refer to a device with firewall capability that may or may not be integrated with other functions.

You cannot attach an external firewall or router with firewall to a Verizon router and loop traffic through the Verizon router.  Any devices you protected by  your router/firewall or firewall need to connect directly to that device.

If you have TV service, you need to keep a Verizon router as primary.  This means any additional firewall capabilities you want will need to be done through an external device (integrated router/firewall or standalone, your choice.)

@gs0b

Ok makes perfect sense. One more question for the sake of clarity. Let's say I have a standalone physical SonicWall firewall device that has wireless capability.  Can I plug my SonicWall WAN port into the LAN port of my wireless Verizon router.  The LAN side of my  SonicWall will be a completely separate network from the wireless side of my Verizon router. Due to TV service I have no problem with the Verizon router being the primary. In fact I want the Verizon router to remain the primary.  Basically creating the scenario below. Is this feasible?

SONICWALL WIRELESS USERS ---> SONICWALL FIREWALL WITH WIRELESS CAPABILITY ---> VERIZON WIRELESS  ROUTER ---> INTERNET

AND

VERIZON WIRELESS USERS --->VERIZON WIRELESS ROUTER ---> INTERNET