
pfSense and Verizon FiOS

I have a small homelab setup at home that I use to practice cyber ninja skills and test new technology. My homelab consists of a refurbished HP Z420 Workstation with 64 GB RAM and over 2 TB of SSD storage used as a server. The server is running VMware ESXi 6.7, which hosts several VMs. One of the VMs is pfSense and has a 2-port NIC adapter assigned for LAN and WAN. I also have Verizon’s FiOS G1100 router that I use for its MoCA support (Video On Demand, DVR, Caller ID, etc). However, I do not need any of its other functionality.

Network Layout


The first thing I configured was pfSense to work as a router between WAN and LAN. The connection between the ONT and my server is Ethernet, which is plugged into one port of the 2-port NIC. I had no issue receiving an IP address assigned by Verizon. However, I have read of instances where clients had to clone the Verizon router’s MAC address to retrieve an IP address. The second port goes to a TP-Link unmanaged switch that works as the main switching device for my entire house (Wireless AP, Printers, PlayStation, etc). After running the initial pfSense setup, a working network with access to the internet should be available.

The next step is to configure Verizon’s router. The router is connected to the main switch via the router’s WAN interface. The WAN interface should be configured with a Static/Manual IP address, or given a static IP/MAC assignment via pfSense’s DHCP server module. Because ports will be forwarded to Verizon’s router, it is important that its IP does not change. Additionally, Verizon’s router LAN needs to be configured to use a different private network than pfSense’s LAN. For example, pfSense LAN could have network and Verizon router LAN could have network. In the Network configuration’s Network (Home/Office) section, the privacy setting should be disabled (see image below). If the privacy setting is enabled, the Set-Top Box will be unable to access the internet and features such as On Demand and Interactive Guide will not work. Lastly, I disabled the router’s WiFi to avoid radio-wave congestion because I use another Wireless AP device.

Network configuration’s Network (Home/Office)

Now that Verizon’s router has an IP assigned, I am back to the pfSense web console. I configured port forwarding in pfSense to allow the necessary connectivity for VOD, DVR, Caller ID to work. A list of required ports can be viewed in the router’s Firewall – Port Forwarding section (see image below). pfSense’s port forwarding rules (pfSense -> Firewall -> NAT) are:

  • TCP
    • 4567 (used by Verizon to push firmware upgrades to the router and other Verizon FiOS services)
    • 35000 (used by the primary Set-Top Box)
    • 35001-35013 (Optional. +1 Used for additional Set-Top Boxes)
  • UDP
    • 63145 (used by the primary Set-Top Box)
    • 63146-63149 (Optional. +1 Used for additional Set-Top Boxes).
Verizon Router Firewall – Port Forwarding automatically created rules.
pfSense Firewall – Port Forwarding rules
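
A way to check an exported pfSense configuration against the port list above (an added example, not part of the original post): it flags WAN forwards that are not on the post's list, that use the ports the post and its comments tie to Verizon-side access to the router (TCP 4567 and 4577), or that point somewhere other than the Verizon router. The `<nat><rule>` layout is assumed to match a pfSense config.xml backup; the function name and the 192.0.2.x addresses are placeholders.

```python
import xml.etree.ElementTree as ET

# Forwards listed in the post, as (protocol, first port, last port).
PAGE_LIST = [("tcp", 4567, 4567), ("tcp", 35000, 35013), ("udp", 63145, 63149)]
# Ports the post and its comments tie to Verizon-side access to the router.
REMOTE_ACCESS = {("tcp", 4567), ("tcp", 4577)}

# Constructed sample. The element layout is assumed to match the <nat>
# section of a pfSense config.xml backup; 192.0.2.x are placeholders.
RULE = ("<rule><protocol>{}</protocol><interface>wan</interface>"
        "<source><any/></source><destination><network>wanip</network>"
        "<port>{}</port></destination><target>{}</target></rule>")
SAMPLE = "<pfsense><nat>" + "".join(RULE.format(*r) for r in [
    ("tcp", "4567", "192.0.2.10"),
    ("tcp", "35000", "192.0.2.10"),
    ("tcp", "35001-35013", "192.0.2.10"),
    ("udp", "63145", "192.0.2.10"),
    ("tcp", "4577", "192.0.2.10"),
    ("udp", "63146-63149", "192.0.2.77"),
]) + "</nat></pfsense>"


def audit_forwards(config_xml, router_ip):
    """Return (rule label, finding) pairs for WAN port forwards to review."""
    findings = []
    for rule in ET.fromstring(config_xml).iterfind("./nat/rule"):
        port = rule.findtext("destination/port", "")
        if rule.findtext("interface") != "wan" or not port:
            continue
        first, _, last = port.partition("-")
        lo, hi = int(first), int(last or first)
        # pfSense may store a combined protocol such as "tcp/udp".
        for proto in rule.findtext("protocol", "").lower().split("/"):
            label = f"{proto}/{first}" + (f"-{last}" if last else "")
            if not any(p == proto and a <= lo and hi <= b for p, a, b in PAGE_LIST):
                findings.append((label, "not in the post's port list"))
            if any((proto, n) in REMOTE_ACCESS for n in range(lo, hi + 1)):
                findings.append((label, "remote-access port, keep only if needed"))
            if rule.findtext("target") != router_ip:
                findings.append((label, "target is not the Verizon router"))
    return findings


if __name__ == "__main__":
    for label, finding in audit_forwards(SAMPLE, "192.0.2.10"):
        print(f"{label}: {finding}")
```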

The setup is now complete. After a hard reboot, the Set-Top Boxes and Verizon router should automatically configure themselves with the network changes. TV, VOD, Interactive Guide, and Caller-ID should be functioning. If not, I have run into an issue where the Verizon router retains network routes from the previous configuration. The routes can be deleted via Verizon router Web interface -> Advanced -> Routing -> Routing.


If it didn’t work for you, leave a comment.


  1. nandurx August 15, 2020

    So everything worked, and thanks for the comment. The only problem is I can’t access my Verizon admin page to make any changes.

  2. Ian Marrero August 15, 2020

    1. You need to configure Verizon router to allow remote access to your admin page. The router thinks it’s connected to the public internet but in reality it’s connected to your LAN which should receive an internal IP from your DHCP. In the case above, it would be something like You will use that IP to access your admin page.
    2. You should have a patch cable from your main switch (LAN) to the WAN port of the Verizon router (the Internet port, usually a different color from the rest).
    3. If you forgot to configure remote access, plug a computer into the Verizon router to change it.
    4. Sometimes routers fail at detecting IP changes. Do the classic power off and on.

  3. David Simon Krajewski November 12, 2020

    Does your remote DVR work? I tried your setup and did not have any luck.

    • Ian Marrero November 17, 2020

      Yes, the DVR worked at the time of the writing. I don’t have FiOS services any longer so I cannot verify if it still works or not. If you are having issues, I would recommend searching , , and

  4. Emmanuel Rosaso December 1, 2020

    An additional port so you can access Fios router status from Fios App, TCP 4577

    • Ian Marrero December 1, 2020

      Thanks for mentioning port TCP/4577. I did a bit of Googling on the port and there are comments that port TCP/4567 is another port used by Verizon FiOS routers [0].

      I omitted or didn’t research those ports further because those ports allow Verizon inside my home network, not just the FiOS App. I have no need for Verizon to monitor my internal networks or grant them remote access.


      • Emmanuel Rosado December 2, 2020

        Good call, I will disable that rule. I was trying to use the remote function from the FiosTv app, but I guess I’m taking the wrong approach.

        • Ian Marrero December 2, 2020

          If you need it, you should enable it. I don’t think Verizon has any interest in snooping inside your home network. My approach is: if I don’t need the service, lock it down. If opening port 4577 makes your life easier in a secure way, go for it!

  5. Paul December 18, 2020

    I want to go this direction but I have several APs (Actiontec) that Verizon organizes into a single SSID for both frequencies. Can pfSense do this?
