Fixing Static Addresses on Verizon FIOS

Verizon has a bug in their business offering for multiple static IP addresses.

When using a professional firewall such as a Cisco ASA, I could only get 1 address to respond from offsite.

The first problem was solved by calling Verizon: you have to convince them to instant message the group that runs the ONTs (the termination that is onsite) to set the MAC filter to 5.

After that only 1 IP address worked per device. The devices could ping each other, but Verizon-served traffic could not see me. A quick tcpdump of the external segment showed the problem:

arp who-has (00:1e:4a:87:32:59) tell
arp who-has (00:1d:70:26:3c:53) tell

The address is slightly illegal; the ASA ignores the ARP request and the Verizon gateway never binds the MAC to the translated IP addresses. This means that inbound static addresses didn't work and only the physical interface address could be used for the outbound global pool.

I managed to get Verizon to admit the bug, the Alcatel equipment was partially to blame and I would imagine that the (non-professional) “firewall” that comes with the account had been modified to respond to an ARP request from They projected it would be fixed Q1 of the next year… that was 15 months ago.

I found that the service (that I am paying for) could be made to work. I adapted a short Perl script to send ARP replies to the Verizon gateway router every 30 seconds or so, as if it was responding to an ARP request.

arp reply is-at 00:1d:70:26:2c:53

Here I am telling the gateway that .36 is bound to the same address as .35. I was immediately able to ping the address .36 remotely; all it took was a Linux system and the Perl script below. I don't believe that the ARP replies can be generated inside the ASA and be made to traverse the firewall; several types of lower traffic can, using the ethertype command, but ARPs get absorbed. I haven't tried proxy-arp to see if it relays the bogus advertisement, as it breaks so many rules of paranoia that I doubt that the ASA would propagate it.

At the moment I have plugged in a dedicated Ethernet interface from my VMware stack and am running a virtual Linux machine for the sole purpose of "poisoning" the ARP table. The FIOS service itself screams, though we wouldn't ever consider using their DNS, but leave it to Verizon to pull up short on static IP address support.

Bil Herd

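use Net::ARP;
use strict;
use warnings;

# Loop forever, re-sending the ARP reply to the gateway every 30 seconds
for (;;) {
    Net::ARP::send_packet(
        'eth0',               # Device
        '',                   # Verizon gateway, not really of course (IP address goes here)
        '',                   # address that we want Verizon to respond (IP address goes here)
        '00:1E:EC:9F:DB:67',  # Source MAC: MAC of our address
        '00:1d:70:26:cc:53',  # Destination MAC address for ARP
        'reply'               # ARP operation
    );
    print "packet sent\n";
    sleep 30;                 # wait before refreshing the gateway's ARP entry
}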

To install the Net::ARP module using CPAN:

perl -MCPAN -e 'install Net::ARP'
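How this traffic looks from the monitoring side, as an added example that is not part of the original post: the Python sketch below decodes Ethernet/ARP frames and flags replies that answer no earlier who-has, which is the pattern the script above puts on the wire. The function names, the 192.0.2.x addresses and the MAC addresses are constructed for illustration.

```python
import socket
import struct

# Ethernet header (dst, src, ethertype) + ARP body for IPv4 over Ethernet: 42 bytes
ARP_FMT = "!6s6sHHHBBH6s4s6s4s"

def mac(text):
    """'02:00:00:00:00:35' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))

def build_arp(op, sha, spa, tha, tpa):
    """Pack a frame for the sample capture; op 1 = request (broadcast), 2 = reply."""
    dst = mac("ff:ff:ff:ff:ff:ff") if op == 1 else mac(tha)
    return struct.pack(ARP_FMT, dst, mac(sha), 0x0806, 1, 0x0800, 6, 4, op,
                       mac(sha), socket.inet_aton(spa), mac(tha), socket.inet_aton(tpa))

def parse_arp(frame):
    """Decode a frame; return None unless it is IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    fields = struct.unpack(ARP_FMT, frame[:42])
    etype, htype, ptype, hlen, plen, op, sha, spa, tha, tpa = fields[2:]
    if (etype, htype, ptype, hlen, plen) != (0x0806, 1, 0x0800, 6, 4):
        return None
    return {"op": op, "sha": sha.hex(":"), "spa": socket.inet_ntoa(spa),
            "tha": tha.hex(":"), "tpa": socket.inet_ntoa(tpa)}

def unsolicited_replies(frames):
    """Return (ip, mac) for each reply that answers no earlier who-has for that ip."""
    asked, flagged = set(), []
    for frame in frames:
        pkt = parse_arp(frame)
        if pkt is None:
            continue
        if pkt["op"] == 1:
            asked.add((pkt["spa"], pkt["tpa"]))      # (who asked, address asked about)
        elif pkt["op"] == 2 and (pkt["tpa"], pkt["spa"]) not in asked:
            flagged.append((pkt["spa"], pkt["sha"]))
    return flagged

# Constructed sample capture (all addresses are placeholders, not values from the post)
GW_IP, GW_MAC = "192.0.2.1", "02:00:00:00:00:01"
FW_MAC = "02:00:00:00:00:35"
CAPTURE = [
    build_arp(1, GW_MAC, GW_IP, "00:00:00:00:00:00", "192.0.2.35"),  # gateway asks for .35
    build_arp(2, FW_MAC, "192.0.2.35", GW_MAC, GW_IP),               # solicited answer
    build_arp(2, FW_MAC, "192.0.2.36", GW_MAC, GW_IP),               # .36 claimed unasked
]
```

A host that deliberately answers for several static addresses, as in the post, is flagged the same way as a hostile one, so a detector like this needs an allowlist of expected IP-to-MAC bindings.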



  1. #1 by Cowmix on August 25th, 2011

    Do you still have to run this ‘service’ to make your FiOS work with static IPs?

  2. #2 by Rgrealgevag on September 5th, 2011
    the software you are installing for this hardware ACPI uniprocessor PC has not passed the window logo testing to verify its compatibility windows XP continuing your installation of this software may impair or destabilize the correct operation of your system either immediately or in the future. Microsoft strongly recommends that you stop this installation now and contact the hardware vendor for software that has passed the windows logo testing that's what it tells me I started to do system restore when my P.C started crashing like a week ago and this is the 2nd time I do system restore today cause my P.C crashes .. can anyone help me out what do I have to do or download anything ? I have norton 05' scanned my system for virus and nothing pops up I really need help can someone help me out please ????????????

  3. #3 by Bil on September 22nd, 2011

    When upgrading to ASA 8.3 the ASA started to respond to Something has since changed and the ASA has either stopped responding or Verizon has changed something, I suspect a tighter integration to their DHCP mechanism that is meant to work with their cheap Actiontec router.

  4. #4 by Mark Johnson on October 10th, 2011

    I am still waiting for this to get cleared up. Bil, any ideas as to where and when this will be fixed?

    I have fought with VZ well over 100 times on this. I need to get VPNs to work as well as remote access and did not want to remove our ASA.

    Do you think 8.3 fixes the ARP issue?

  5. #5 by Bil on October 11th, 2011

    Actually the problem is still here and if anything may be worse.

    First is the un-predictableness of who will be affected, this is due to the code and software at the CO, but seems to be earmarked by the presence of an Alcatel ONT on premises.

    Software version 8.3 DID appear to fix the problem, and then it stopped. Just for grins I upgraded to 8.4 and broke my Java, more on that in a future post.

    I am going to sniff it again but a Wireshark interpretation on the capture packets from the ASA itself didn't see ANY ARP packets. I will verify that this might have changed.

    If you are going to update to 8.3 be aware that this usually requires a change in your configuration!! ACLs no longer reference the outside address on a static NAT but instead the INSIDE address. My "import" where it tries the upgrade itself on your existing configuration in flash did not work, be prepared to rewrite them, meanwhile your site will probably be down. Also the NATs have changed; you are better off deleting the statics and implementing them as Net Objects rather than inlines. I should do a post on the conversion process.

    Finally I have snagged an Arduino board and might look at writing an applet that sits on the Ethernet doing gratuitous ARP spoofs, let me know if you’d be interested in one providing it works. Basically a brick with Ethernet plug and power supply.

  6. #6 by Steele Burgess on November 10th, 2011

    I have multiple statics with Verizon FIOS. See that the gateway drops out on a lot of the statics. Very frustrating.

  7. #7 by Bil on November 13th, 2011

    In mid-Jersey the FIOS works flawlessly with statics, here in south Jersey they appear to have changed the operation again. I know that they are very into a DHCP process to obtain your assigned statics as the other day we troubleshot someone who burned through their 32 assigned statics by turning on the wireless access point wide open and we had to wait 8 hours for the leases to expire and free up the addresses for the "static" pool. The newest ASA code has some more extensive ARP spoof control on NAT and I was still not able to get it through the Alcatel, it almost seemed like the ONT was filtering. I will have to drop a sniffer on it again.

  8. #8 by Eric on December 28th, 2011

    I am currently running into this issue running a Juniper SRX210. Have you found any other solutions besides poisoning the ARP table?

    Also, would it be possible to clarify the comments in your Perl script?

    Bil Herd

    use Net::ARP;
    use strict;
    use warnings;
    for (;;) {
        Net::ARP::send_packet(
            'eth0',               # Device
            '',                   # Verizon gateway, not really of course (IP address goes here)
            '',                   # address that we want Verizon to respond (IP address goes here)
            '00:1E:EC:9F:DB:67',  # Source MAC Mac of our address
            '00:1d:70:26:cc:53',  # Destination MAC address for ARP
            'reply'               # ARP operation
        );
        print "packet sent\n";
        sleep 30;                 # re-send every 30 seconds
    }

    The source MAC of our address, this is the MAC address of the ONT?

  9. #9 by Bil on December 30th, 2011

    @Eric Let me know if something works on the Juniper side of things. I was going to take another run at this as Verizon changed something and a gratuitous ARP looks like it no longer works, at least without changing the format. One theory is that they wrapped more into the DHCP mechanism for routing, not sure on this as I can grab any device including a naked Linux box and assign it one of the unused IPs and it works…. for exactly one IP.

  10. #10 by Cow mix on August 23rd, 2012

    Does anyone know if newer versions of IOS resolve this issue?
