VLAN your Verizon FiOS Actiontec Router with OpenWRT

I was content simply using the Verizon provided Actiontec Router at the head of my home network until I logged into my Verizon account and saw this:

verizon-wtf2

This is wrong on a number of levels. First, the Verizon e-mail account I’m forced to create when I got Verizon FiOS is an annoyance. I don’t check it. Since Verizon thinks this is my “real” e-mail, its only purpose is to act as a receptacle for Verizon’s spam. I also use it for HBO Go and Max Go log-ins, but that’s it. I was never really concerned about the password being strong until I saw this. Second, the Actiontec is NOT my device even if I change either the router log-in password or the security type and wireless key. Verizon will suck this information out via their own backdoor and display it on this page. Sure, this helps them handle support calls when people forget their wireless password, but this is NOT secure and I consider it a slap in the face. If someone compromises my Verizon e-mail account, they now have access to my wireless network. Additionally, Verizon has shown me that they have my wireless password even if I change it. They have the keys to my front door: I’m owned.

DSL Reports has an excellent FAQ showing all the different methods and trade-offs between various configurations of using your own router with Verizon Fios. I went with #6 Replacing the Actiontec (part 3): WAN-to-LAN keeps Guide and VOD

I purchased a Buffalo AirStation WZR-600DHP. This device comes with DD-WRT pre-installed. DD-WRT supports 802.11q VLAN tagging of Wireless on this device but not via the switch ports. Not to worry, I flashed it with OpenWRT using this Guide. With OpenWRT, I now have access to the switch ports for creating VLANs.

The Actiontec is now on a separate VLAN with internet access only and the wireless is turned off. Funny how it still reports the default SSID and password on “My Verizon”. Even if it does get compromised, it can’t access any devices on my home network. I also have an guest/untrusted wireless network via the Buffalo on a separate VLAN. I put my Nest thermostat and Nest smoke/CO detectors on the untrusted wireless network. The FiOS channel guide and video on demand (VOD) still works. The only thing that doesn’t work is changing channels via the Verizon Mobile App on my iPad. Oh nooooo! If I turned the Actiontec wireless on and connected to it, I could, but I’m not going to do that! Maybe sometime when I have nothing to do I’ll determine exactly what traffic needs to traverse the VLAN for the Verizon Mobile App and allow it. For now, it’s not a high priority.

Sure, if I call Verizon for support, they’ll make me put the Actiontec at the front of the network again. Not a big deal. I can reset it all day long without affecting anything. I gave it a DHCP reservation on the Buffalo so it always gets the same WAN IP. The only thing I have to remember after resetting the Actiontec is to turn off the wireless. But even if I forget, or if the wireless magically turns itself on, the Actiontec wireless is isolated on the same untrusted VLAN with no access to my home network.

Take control of your home network and put the Verizon Actiontec Router where it belongs!