Security note, Actiontec GT784WNV firewall fails after reboot. Silence from Verizon.
LilyTomlin_gif
Enthusiast - Level 2

Brand new Actiontec GT784WNV DSL modem/router with the "current firmware" (GT784WN-VZ-1.1.22). When the modem reboots, firewall settings default and firewall log is erased. When making changes to settings in the router, wifi security frequently defaults to WPA from WPA2 and I have to check it last thing before I exit. Admin access continues to pass unencrypted. Verizon won't acknowledge. I think this version of the firmware is five or six years old and I don't think it's undergone any major change in a decade. I contacted Actiontec and they told me Verizon handles their own firmware. Verizon won't even respond, much less give me a firmware update. I haven't been able to find any third party firmware (OpenWrt is working on it, but not quite there.) The frequency of reboots means anyone with this router is basically wide open. If anyone knows of a working third party firmware, or any sort of workaround, I'd be glad to hear it. Alternatively, if you know what specs a modem for their network needs so I don't have to go through them, I'd appreciate it.

Verizon's official policy of neglecting their copper network and related systems has reached "**bleep**" levels. I wish they'd spin it off to another telco. Downstream speeds rarely break 300k and are often comparable to dial-up. I know I'm beating a dead horse, but it would be nice to have some options.

Re: Security note, Actiontec GT784WNV firewall fails after reboot. Silence from Verizon.
smith6612
Community Leader

The firmware on the ActionTec modems is historically buggy. When I had one, it would regularly leak memory on the DHCP process as well as the Wireless management process.

If you bridge it to another router, or if you replace it with a Westell 6100 (if you can find one), you'll probably have no further issues. I wouldn't expect any further firmware updates to the ActionTec.

As for Tor browsing the Verizon website, Verizon might've had issues with Tor traffic in the past, and their firewalls are set to block Tor as a result.

As for everything else... Verizon stopped caring about the DSL network a long time ago. If you're having congestion issues, I wish you luck in getting it fixed. They will hopefully replace it with FiOS or, at least some 5G solution in the future. Verizon's priced their DSL services to cost more than 200Mbps Cable Internet in my area. They really don't want people on DSL anymore.


Re: Security note, Actiontec GT784WNV firewall fails after reboot. Silence from Verizon.
dexman
Community Leader

If my memory is correct, the daycare center that leases space in the church I attend has two DSL feeds from Verizon. I know that the modems that Verizon supplied are not GT784's (the church still has our old 784 modem & service despite having moved 99.99% of Internet activity to Comcast). The modems that the daycare has look similar to the FiOS G1100 router. I don't remember the specific make & model though.

See if there is any way that Verizon can supply this newer model.

Re: Security note, Actiontec GT784WNV firewall fails after reboot. Silence from Verizon.
dslr595148
Community Leader

If you wish to keep using your existing modem combo, this is what you need to do.

Step one: Get a RJ-45 WAN port NAT router.

That RJ-45 WAN port NAT router can either be hardware based (ex when I was last on Verizon DSL with that modem, I was using the Linksys E4200 Hardware Version one) or DIY.

If DIY, it could either be pure DIY or a distro designed for connection sharing.

Regarding age of DIY, it could be:

a) ..Spare

b) ..New bought (HP/Dell, ETC..)

c) ..New built/assembled - (Buying the case, Motherboard, CPU, RAM, HD, ETC..) typically by yourself

The computer acting as DIY NAT router must either have at least two NICs or if only one NIC it must have at least two ethernet ports.

REFs

https://www.dslreports.com/shownews/118897

and then these three threads, that in turn point to arstechnica.com

https://www.dslreports.com/forum/r30568002-Numbers-don-t-lie-it-s-time-to-build-your-own-router

https://www.dslreports.com/forum/r30714877-Guide-to-building-a-Linux-router-from-scratch

Note the one above not only tells how to build/assemble the computer, it also tells how to do pure DIY.

https://www.dslreports.com/forum/r30984220-The-Router-rumble-Ars-DIY-build-faces-better-tests-toughe...

Side note: with most DIY NAT routers, they do not do wireless. So you will either have to get a WAP or get a NAT router and convert it to act as if it was only a hub/switch/wap (REF for convert to hub/switch/wap = https://www.dslreports.com/faq/11233 )

Step two: Make sure that the RJ-45 ports of the separate NAT router work.

Step three: Put your modem into bridge mode.

As how to...

REF = https://forums.verizon.com/t5/High-Speed-Internet/Brand-new-GT784WNV-to-Bridge-Mode-Successfully/m-p...

Steps:

  1. Logged into modem at 192.168.1.1, prompted me to create a new password, which I did.
  2. There is a one-click Bridge Mode button - I didn't use that right off (see screenshots in References link below for an example of what this looked like).
  3. I disabled the wireless function on this screen:  http://screenshots.portforward.com/routers/Actiontec/GT784WNV/Wireless_802.1x.htm
  4. I changed the gateway for the modem to 192.168.99.1 as recommended on a few writeups
  5. I disabled DHCP in the modem.  Should not need to do this but was playing it safe.
  6. I enabled Bridge Mode in the modem (one-click button on main screen)
  7. I called VZ tech support to find out if our acct was set up DHCP or PPPoE.  It was set up DHCP so I don't need a username/password.
  8. I set up our AE with DHCP under Internet section and enabled DHCP and NAT under Network section.
  9. I set up DNS servers using OpenDNS (in the AE).  Pretty basic just plug the numbers in off this site: https://store.opendns.com/setup/#/
  10. Didn't have a connection, so I called VZ back and they ran a diagnostic.  While running, internet connection started working.  Rock 'n roll.  Not exactly clear what they did.  Not sure they knew.
  11. One error persisted on the AE - IPv6 not resolved or something.  I changed to "link-local" mode in the AE and that fixed it.  Appears VZ doesn't use IPv6 in our area yet.
  12. Everything is working fine so far.

Open problems:

1.  Last night I couldn't get into the modem at 192.168.99.1 after I put it to Bridge mode.  Have to mess around with it a little bit more I guess, maybe I'm doing something wrong.

Links / references I used:

1. Our modem screens looked like these - I believe it is a new version of the firmware, compared to other screenshots I have seen.  Forgot to write the version down:

http://screenshots.portforward.com/routers/Actiontec/GT784WNV/

2.  Handy reference on how to reset the modem - I didn't need to use this but YMMV:

http://www.verizon.com/Support/Residential/Internet/HighSpeed/Networking/GT784WNV_AT/ATLAS6610.htm#

3.  Handy writeup from another forum that I referred to but didn't follow exactly:

http://www.dslreports.com/forum/r27205081-modem-router-Putting-a-Actiontec-GT784WNV-into-Bridge-Mode

4.  Handy article on why to bridge mode:

http://taldar.wordpress.com/2009/07/14/actiontec-airport/


Step four: Then configure your RJ-45 WAN port NAT router for the connection. This can mean PPPoE, Pure Static, or DHCP. For DHCP - spoof/clone the WAN MAC Address of the Actiontec GT784WNV.

Step five: profit 🙂

Step six: Also for future REFs

a) https://forums.verizon.com/t5/High-Speed-Internet/How-to-get-into-a-modem-router-that-is-in-bridge-m...

b) https://forums.verizon.com/t5/High-Speed-Internet/Actiontec-GT784WNV-router-memory-leak/m-p/890582#M...


@Smith6612 wrote:



^^^
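
A firewall for the DIY Linux router described in the post above, written so it is reloaded at boot and can be checked after a reboot; this is an added example and not part of the original thread. It assumes nftables, the interface names eth0 (WAN, facing the bridged modem) and eth1 (LAN), and Debian's /etc/nftables.conf path, none of which come from the posts.

```sh
#!/bin/sh
# Added example (not from the thread). Interface names and paths are assumptions.

# Print a default-deny nftables ruleset for a two-NIC NAT router.
# $1 = WAN interface (to the bridged modem), $2 = LAN interface.
gen_ruleset() {
    wan="$1"; lan="$2"
    cat <<EOF
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        iifname "$lan" accept
        # DHCP replies from the ISP when the WAN address is assigned by DHCP
        iifname "$wan" udp sport 67 udp dport 68 accept
        iifname "$wan" limit rate 10/minute log prefix "wan-drop: "
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "$lan" oifname "$wan" accept
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "$wan" masquerade
    }
}
EOF
}

# Read a ruleset on stdin (a file, or the output of `nft list ruleset`) and
# succeed only if both the input and forward chains exist with policy drop.
has_default_deny() {
    awk '
        /chain (input|forward) / { want++; in_chain = 1 }
        in_chain && /hook (input|forward)/ { if ($0 ~ /policy drop;/) ok++; in_chain = 0 }
        END { exit !(want == 2 && ok == 2) }
    '
}

# Install (as root):  gen_ruleset eth0 eth1 > /etc/nftables.conf
#                     nft -c -f /etc/nftables.conf && systemctl enable --now nftables
# After each reboot:  nft list ruleset | has_default_deny || echo "firewall not loaded"
```
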

Pondering the fallout of the GT784WNV, which Verizon continues to ignore.
LilyTomlin_gif
Enthusiast - Level 2

If you Tor browse Verizon...

anything beyond the main page brings up the following

Access denied, in accordance with Verizon Information Security Policy
Please contact us with the following Case ID [redacted] if there is a legitimate business need to access this content. 10623 .

This is kind of funny; anonymous browsing of their public webpage wouldn't seem to be a big security threat. So I decided to look at their "Information Security Policy"

Their Information Security Summary details

-Verizon uses a variety of industry-recognized security practices to protect our internal networks, including appropriately configured firewalls, network segmentation and networking monitoring.

-Verizon implements security continuous monitoring which includes logging and monitoring access to Verizon’s networks and assets. Hardware and software-based tools have been deployed throughout the Verizon network to provide real-time alerting from devices such as firewalls, intrusion detection systems, routers and switches. [italics mine]

Also:

-Verizon has an established patch management process for production hardware and software installed on the Verizon network.

And the kicker:

-Verizon addresses the identification, management, and resolution of security issues requiring attention.

-Verizon communicates, consistent with contractual and legal obligations, the status of material issues affecting the Customer.

All of this seems inconsistent with the approach they've taken toward the situation with the Actiontec GT784WNV. But maybe all of the previous only applies to INTERNAL Verizon networks. A security for me but not for thee kind of attitude. Because jeez, they seem really determined to ignore the vulnerabilities in the GT784WNV, which is deployed all over their network. I mean, the tech support guy at India Offshore didn't even know when the firmware was last updated. So the firewall vulnerabilities, the firewall logging disabling, the unencrypted traffic for router administration: they've been there for years. The purposeful backdoor they have installed by enabling port-forwarding on 4567, and which can't be turned off: obviously they know that's there. I could almost see installing a backdoor if you were actually going to push a firmware update from time to time. But not so much with Verizon. Very iffy. I'd like to emphasize again their own policy: "Verizon communicates, consistent with contractual and legal obligations, the status of material issues affecting the Customer." I suspect the italicized portion may be doing the heavy lifting there, which is to say if Verizon isn't required in their own opinion, to alert its customers about a major systemic security issue, THEY WON'T. Especially when it poses an immediate threat to the Customer. Classy. But I'm supposed to take them at their word when they say they didn't intentionally throttle my speed for complaining.

Re: Pondering the fallout of the GT784WNV, which Verizon continues to ignore.
dslr595148
Community Leader

@LilyTomlin_gif wrote:

All of this seems inconsistent with the approach they've taken toward the situation with the Actiontec GT784WNV. But maybe all of the previous only applies to INTERNAL Verizon networks. A security for me but not for thee kind of attitude. Because jeez, they seem really determined to ignore the vulnerabilities in the GT784WNV, which is deployed all over their network. I mean, the tech support guy at India Offshore didn't even know when the firmware was last updated. So the firewall vulnerabilities, the firewall logging disabling, the unencrypted traffic for router administration: they've been there for years. The purposeful backdoor they have installed by enabling port-forwarding on 4567, and which can't be turned off: obviously they know that's there. I could almost see installing a backdoor if you were actually going to push a firmware update from time to time. But not so much with Verizon. Very iffy. I'd like to emphasize again their own policy: "Verizon communicates, consistent with contractual and legal obligations, the status of material issues affecting the Customer." I suspect the italicized portion may be doing the heavy lifting there, which is to say if Verizon isn't required in their own opinion, to alert its customers about a major systemic security issue, THEY WON'T. Especially when it poses an immediate threat to the Customer. Classy.


Let us face it, most modem combos are great when working only as a modem (read: setting the modem combo to bridge mode), but are a pain when they are in NAT router mode.
