I recently stumbled over an interesting problem with Verizon’s FiOS Internet service while doing some consulting. In an effort to protect the innocent and prevent any ass hattery, I’ve changed the IP addressing to use the documentation ranges from RFC 5737.
A client had two physical sites about 1 mile apart which were connected to the Internet by separate Verizon FiOS broadband connections and which were assigned the following static IP addresses:
Site A:
IP Network: 198.51.100.226/28
Subnet Mask: 255.255.255.0
Default Gateway: 198.51.100.1
Usable IP Addresses: 198.51.100.226 – 198.51.100.238
Site B:
IP Network: 198.51.100.50/28
Subnet Mask: 255.255.255.0
Default Gateway: 198.51.100.1
Usable IP Addresses: 198.51.100.50 – 198.51.100.63
Let me be the first to admit that the information above isn’t quite right… there is no IP address block 198.51.100.226/28; it should be 198.51.100.224/28. I believe that’s Verizon trying to avoid having customers accidentally use the network address or the first address in the block, which is likely reserved for the actual Verizon Actiontec router.
The client was trying to establish a VPN tunnel between the two sites and was running into difficulties. The issue was with the IP addressing provided by Verizon and its likely implementation of private VLANs on the Juniper hardware. I’m assuming that Verizon is using PVLANs to isolate traffic between individual customers so as to minimize the number of IP subnets they need to create: instead of creating 16 /28 IP networks they use a single /24 network and isolate the traffic between customers with PVLANs. The issue in the example above is pretty obvious. Because the /24 netmask says the remote site is in the same IP network, each client device assumes there is no need to forward the traffic to the upstream router and instead tries to reach the other site directly on the local subnet. The remote site really is in the same /24, but the PVLAN blocks communication between the two customer ports, so the client devices never reach each other and the tunnel never comes up.
Anyone have any experience with Verizon FiOS using PVLANs?
I believe I heard years ago that Verizon chose Juniper for their FiOS implementation.
Cheers!
Reference: Juniper – Understanding Private VLANs on EX Series Switches
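The forwarding decision described above, as an added example that is not part of the original post: a small Python model of a host’s routing table with longest-prefix match, using the post’s RFC 5737 placeholder addresses. It shows why Site B looks on-link to Site A with the /24 mask, and how the workarounds raised in the comments (a /32 host route for the peer, or a route for the peer’s real /28, both via the Verizon gateway) change that decision. The table layout and function names are this example’s own, and the routing behaviour is the standard IPv4 host model rather than anything Verizon- or Juniper-specific.

```python
"""Why a /24 mask on a /28 FiOS assignment sends site-to-site traffic
on-link instead of to the gateway.

Added example (not from the original post). Addresses are the RFC 5737
placeholders used in the post; the lookup is a plain longest-prefix
match, the same rule any IPv4 host applies.
"""
import ipaddress

# Placeholder addresses from the post (RFC 5737 TEST-NET-2).
GATEWAY = ipaddress.ip_address("198.51.100.1")
SITE_A = ipaddress.ip_address("198.51.100.226")
SITE_B = ipaddress.ip_address("198.51.100.50")


def build_table(local_ip, prefix_len, gateway, extra_routes=()):
    """Build a host routing table as a list of (network, next_hop).

    next_hop None means the destination is treated as on-link: the host
    ARPs for it directly instead of forwarding to the gateway. The table
    is sorted longest prefix first so the first match wins, as in a FIB.
    """
    connected = ipaddress.ip_network(f"{local_ip}/{prefix_len}", strict=False)
    table = [(connected, None), (ipaddress.ip_network("0.0.0.0/0"), gateway)]
    for dst, nh in extra_routes:
        table.append((ipaddress.ip_network(dst, strict=False), nh))
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def next_hop(table, dst):
    """Longest-prefix-match lookup; None means on-link."""
    dst = ipaddress.ip_address(str(dst))
    for net, nh in table:
        if dst in net:
            return nh
    raise LookupError(f"no route to {dst}")


def gateway_on_link(table, gateway):
    """A default gateway is only usable if the host can ARP for it."""
    return next_hop(table, gateway) is None


def explain(table, dst):
    nh = next_hop(table, dst)
    return f"{dst}: on-link, ARP directly" if nh is None else f"{dst}: via {nh}"


# 1. As provisioned: /24 mask. Site B falls inside the connected /24, so
#    Site A ARPs for it on the local segment, which the PVLAN isolates.
as_provisioned = build_table(SITE_A, 24, GATEWAY)

# 2. Workaround from the comments: a /32 host route for the peer via the
#    Verizon gateway. The /32 wins longest-prefix match over the /24.
with_host_route = build_table(SITE_A, 24, GATEWAY,
                              extra_routes=[(f"{SITE_B}/32", GATEWAY)])

# 3. The other workaround: route the peer's real /28 via the gateway.
#    198.51.100.50/28 normalises to 198.51.100.48/28, the same way the
#    post's 198.51.100.226/28 is really 198.51.100.224/28.
with_peer_block = build_table(SITE_A, 24, GATEWAY,
                              extra_routes=[(f"{SITE_B}/28", GATEWAY)])

# 4. Using the true /28 mask on the interface instead. Site B is now
#    off-subnet, but so is the gateway at .1, so the default route is
#    unusable without a separate on-link route for the gateway.
true_mask = build_table(SITE_A, 28, GATEWAY)

if __name__ == "__main__":
    for name, table in [("as provisioned /24", as_provisioned),
                        ("with /32 host route", with_host_route),
                        ("with peer /28 route", with_peer_block),
                        ("true /28 mask", true_mask)]:
        print(f"{name}: {explain(table, SITE_B)}; "
              f"gateway on-link: {gateway_on_link(table, GATEWAY)}")
```

On a Linux host the /32 workaround corresponds to `ip route add 198.51.100.50/32 via 198.51.100.1` at Site A, and the mirror image (`ip route add 198.51.100.226/32 via 198.51.100.1`) at Site B. The last scenario is the caveat a practitioner should check before "fixing" the mask: with the true /28 configured on the interface, 198.51.100.1 falls outside 198.51.100.224/28, so the host cannot ARP for its own default gateway until an on-link route for it is added as well (`ip route add 198.51.100.1/32 dev eth0` on Linux, interface name assumed).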
John says
I have no experience with this, but based on what you shared, this is the first thing that came to mind.
Did you try creating a static route on each side for the tunnel endpoint IP on the other side with a next hop of Verizon’s default gateway?
Michael McNamara says
That’s a good idea, John… use host routes or try a route for the real /28 network.
Unfortunately the client requested that Verizon issue a different IP address block.
Thanks for the suggestion!
Cheers!