For some reason lately I can no longer log into a Verizon/Frontier router with my l2tp vpn. I'm using a mikrotik router. I have the mikrotik in the dmz of the Verizon unit, and it's worked for years. I googled it and it seems you have to forward certain ports to the mikrotik to get it to work, but why if it's in the dmz, and why has it worked for years? This has me stumped.

It's been like this for a while now, at least with Verizon. You're double nat'd and the negotiations required for l2tp don't jive in that setup without a lot of trial and error. Which would probably break again at some point.

PPTP is the only vpn I've got working when my tik is in the DMZ.

If you have the opportunity to put your tik directly at the ONT, then place their shit modem behind yours, that's the way I'd go.

At least with Verizon around here, cable guide, callerid, etc. still work fine with this setup. However, one call to verizon support from your customer will get that setup all screwed up again because they will make the customer put their POS back in front of the line.

Hmm...

Perhaps Verizon has changed things and the DMZ is no longer a "true" DMZ.

It used to be that there was nothing "in the way" of a device in the DMZ and the outside world.

Frederick

Ya, with Verizon, that was never the case. Their DMZ is a joke. I've just gotten in the habit of opening ports on both units and then rebooting both.

Why not connect your router directly to the ONT? Their router is required only if you need its MOCA for cable TV. Their router can hang off of a switch. At home I don't have their cable or their router.

That was suggested already up above in my post.

Also...

[Link: amp.thehackernews.com]

all of our tiks are patched.


Thanks for the feedback.

Something has changed on Verizon end for sure.

Pain in the ass!

by the way can't connect to ANY PPTP with my new MacBook Pro running windows 7. I use Virtualbox and have to use NAT otherwise the network won't connect on the windows side, but the issue is NAT give me a 10. address, not a real IP. I think somehow that is affecting the PPTP connection. I used to be able to use bridged adapter on my old Mac, but it won't work on the new one.

I'm not a Mac user so not totally sure, but I do use IOS and they dropped PPTP a while back. L2TP is basically the only vpn you can use on those now. Is it the same with Macs??

Now, if you move your tik to be front-in-line on the ONT, you should be able to get any/all vpns working again without issue.

Can you do that if they have tv service?

Yes.

Their router/modem just needs an internet connection to pull the guide info.

Have a read at this link. This is all the possibilities that can be done. You would be performing #6.

[Link: dslreports.com]

I have about 10 clients setup this way with no issue (I live in comcast land). If the client relies on the verizon app for TV, then you have no choice but to be in the DMZ of their router (only way it works).

Also, make sure you have client sign a waiver to call you first for any verizon issues. If verizon sends a tech to the site, they will switch theirs back to the ONT.

There are setups that are supposed to work but I never found one that provided all the normal features the FIOS TV provides.

And I spent hours and hours trying the various configs.

I gave up and put my routers on the DMZ but it appears as if something has changed in that regard.

Frederick

I've tried every possibility in that link that I posted, and spent countless un-billable hours as well to test them.

If your clients need/want verizon app services, then DMZ is your only bet.

If they don't rely on that crap, then setup #6 will do the trick and everything will still work.

We do Pakedge behind Verizon DMZ all the time. Aside from having to forward ports on the VZ thru to the Pakedge once in a while for some devices that need it (IC Realtime), we have no issues using VPN to the Pakedge- with either PPTP or OpenVPN.

The DMZ method is the best way to let client keep their Fios App controls and guide data/on demand. I did have someone once tell me you can ditch the VZ router if each STB can be fed with ethernet and that will supposedly allow all Fios stuff to continue working. Since the boxes are almost always in a rack it may be worth a test.