FiOS “Three-Router” with VyOS and ESXi, Part 10: Port Forwarding


At this point the network should be mostly functional. Hosts on the internal home network (10.0.0.0/24) should have Internet access, and the Verizon router should also be reaching the FiOS ISP network via the secondary-router impersonation scheme.

Some FiOS features still won’t be working, though. These include remote web access to your DVR, on-screen caller ID, and possibly others. The reason these features still don’t work is that they depend on Verizon’s ability to initiate connections to the Verizon hardware router from the WAN. As it stands right now, all traffic that is not initiated from behind the primary router is dropped by the FROM-EXTERNAL firewall rule set.

The solution to this is to create rules allowing the correct ports to pass through the FROM-EXTERNAL firewall, and also to create NAT rules that will correctly map traffic arriving on those ports to the Verizon router.

The required ports are:

  • TCP 4567
  • UDP 63145 (incrementing 1 for each STB you have)
  • TCP 35000 (incrementing 1 for each STB you have)
  • UDP 3500

Thus, if you have 3 set-top boxes in your home, you need to forward UDP 63145, UDP 63146, UDP 63147, TCP 35000, TCP 35001 and TCP 35002. (These ports and protocols are correct according to dslreports.com, but to avoid issues I just forwarded all of these ports for both TCP and UDP to the VZ router. This is arguably a weak security decision, but the VZ router would normally be facing the Internet anyway, so it’s not something that causes me to lose sleep.)

The destination of these forwards should be the proxy address that we set up for the Verizon router on the internal network (10.0.0.3). Recall that, via 1:1 NAT, traffic arriving on all ports on that proxy address on the secondary router is forwarded to the same port on the VZ router.

To implement these rules, run the following commands on the primary router (this assumes 5 STBs, which is probably sufficient for most households):

# 35000-35004 are TCP while 3500 and 63145-63149 are UDP, so match both protocols
set nat destination rule 10 destination port 3500,35000-35004,63145-63149
set nat destination rule 10 inbound-interface eth0
set nat destination rule 10 protocol tcp_udp
set nat destination rule 10 translation 10.0.0.3

set nat destination rule 12 destination port 4567
set nat destination rule 12 inbound-interface eth0
set nat destination rule 12 protocol tcp
set nat destination rule 12 translation 10.0.0.3

compare
commit
save

Traffic arriving on these ports on primary-eth0 should now be forwarded to 10.0.0.3. Since 10.0.0.3 is a proxy address, the secondary router will forward all traffic received there to the Verizon hardware router. You can now test that all FiOS features are working (they should be).
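The commands above only add the NAT side. As noted earlier, the FROM-EXTERNAL rule set still drops anything that is not a reply to an outbound connection, so the forwarded ports also need accept rules there. The following is an added example, not from the original post, showing one way to do that in VyOS syntax, followed by the show commands used to check the result. It assumes the FROM-EXTERNAL rule set is applied in the `in` direction on eth0 of the primary router (as set up earlier in the series), that rule numbers 100 and 110 are free, and VyOS 1.2/1.3-style firewall syntax; adjust to the installed version. Because destination NAT is applied before the forward firewall, the rules match on the translated address 10.0.0.3, not on the public address, which also keeps the opened ports reachable only at the VZ router proxy and not at other internal hosts.

```text
# Added example (not from the original post): accept the forwarded FiOS
# ports in FROM-EXTERNAL. Rule numbers 100 and 110 are assumed to be free.
configure

# STB ports (5 STBs, matching NAT rule 10 above)
set firewall name FROM-EXTERNAL rule 100 action accept
set firewall name FROM-EXTERNAL rule 100 description 'FiOS STB ports to VZ router proxy'
set firewall name FROM-EXTERNAL rule 100 protocol tcp_udp
set firewall name FROM-EXTERNAL rule 100 destination address 10.0.0.3
set firewall name FROM-EXTERNAL rule 100 destination port 3500,35000-35004,63145-63149
set firewall name FROM-EXTERNAL rule 100 state new enable

# TCP 4567 (matching NAT rule 12 above)
set firewall name FROM-EXTERNAL rule 110 action accept
set firewall name FROM-EXTERNAL rule 110 description 'FiOS TCP 4567 to VZ router proxy'
set firewall name FROM-EXTERNAL rule 110 protocol tcp
set firewall name FROM-EXTERNAL rule 110 destination address 10.0.0.3
set firewall name FROM-EXTERNAL rule 110 destination port 4567
set firewall name FROM-EXTERNAL rule 110 state new enable

compare
commit
save
exit

# Verify from operational mode: the packet counters on NAT rules 10/12 and
# on firewall rules 100/110 should increase when Verizon reaches the STBs
# from the WAN (for example when you open remote DVR access).
show nat destination statistics
show firewall name FROM-EXTERNAL
```

Restricting the accept rules to `destination address 10.0.0.3` matters: without it, an accept on these port numbers would also let WAN traffic reach any other internal host that happened to listen on them, which is the part of the "forward everything both ways" shortcut that is actually worth tightening.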