Verizon has a bug in their business offering for multiple static IP addresses.
When using a professional firewall such as a Cisco ASA, I could only get 1 address to respond from offsite.
The first problem was solved by going to DSLReports.com: you have to call Verizon and convince them to instant message the group that runs the ONTs (the termination that is onsite) to set the MAC filter to 5.
After that only 1 IP address worked per device. I could ping each other but Verizon-served traffic could not see me. A quick tcpdump of the external segment showed the problem:
arp who-has 22.214.171.124 (00:1e:4a:87:32:59) tell 0.0.0.0
arp who-has 126.96.36.199 (00:1d:70:26:3c:53) tell 0.0.0.0
The address 0.0.0.0 is slightly illegal; the ASA ignores the ARP request and the Verizon gateway never binds the MAC to the translated IP addresses. This means that inbound static addresses didn’t work and only the physical interface address could be used for the outbound global pool.
I managed to get Verizon to admit the bug; the Alcatel equipment was partially to blame and I would imagine that the (non-professional) “firewall” that comes with the account had been modified to respond to an ARP request from 0.0.0.0. They projected it would be fixed Q1 of the next year… that was 15 months ago.
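The capture check described above can be automated. The following is an added example, not part of the original post: it decodes raw 28-byte ARP payloads (Ethernet header already stripped), lists requests whose sender IP is 0.0.0.0, and reports any MAC that claims more than one IP in replies. All addresses and MACs in it are constructed sample values (192.0.2.0/24 documentation range).

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa

def parse_arp(payload):
    """Decode a 28-byte Ethernet/IPv4 ARP payload into a dict."""
    if len(payload) < 28:
        raise ValueError("truncated ARP payload")
    h, p, hl, pl, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (h, p, hl, pl) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"op": {1: "request", 2: "reply"}.get(oper, str(oper)),
            "sha": sha.hex(":"), "spa": socket.inet_ntoa(spa),
            "tha": tha.hex(":"), "tpa": socket.inet_ntoa(tpa)}

def triage(payloads):
    """Return (targets of requests sent from 0.0.0.0, MACs claiming >1 IP)."""
    zero_sender, claims = [], {}
    for raw in payloads:
        try:
            pkt = parse_arp(raw)
        except ValueError:
            continue  # skip malformed or non-IPv4 ARP
        if pkt["op"] == "request" and pkt["spa"] == "0.0.0.0":
            zero_sender.append(pkt["tpa"])
        elif pkt["op"] == "reply":
            claims.setdefault(pkt["sha"], set()).add(pkt["spa"])
    multi = {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > 1}
    return zero_sender, multi

def build(oper, sha, spa, tha, tpa):
    """Build a constructed sample payload (never sent on the wire)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper, mac(sha),
                       socket.inet_aton(spa), mac(tha), socket.inet_aton(tpa))

GW, FW, NONE = "02:00:00:00:00:01", "02:00:00:00:00:35", "00:00:00:00:00:00"
SAMPLE = [  # constructed capture: two zero-sender requests, two replies, one runt
    build(1, GW, "0.0.0.0", NONE, "192.0.2.35"),
    build(1, GW, "0.0.0.0", NONE, "192.0.2.36"),
    build(2, FW, "192.0.2.35", GW, "192.0.2.1"),
    build(2, FW, "192.0.2.36", GW, "192.0.2.1"),
    b"\x00\x01\x08\x00",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```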
I found that the service (that I am paying for) could be made to work. I adapted a short Perl script to send ARP replies to the Verizon gateway router every 30 seconds or so, as if it was responding to an ARP request.
arp reply 188.8.131.52 is-at 00:1d:70:26:2c:53
Here I am telling the gateway that .36 is bound to the same address as .35. I was immediately able to ping the address .36 remotely; all it took was a Linux system and the Perl script below. I don’t believe that the ARP replies can be generated inside the ASA and be made to traverse the firewall; several types of lower traffic can, using the ethertype command, but ARPs get absorbed. I haven’t tried proxy-arp to see if it relays the bogus advertisement, as it breaks so many rules of paranoia that I doubt that the ASA would propagate it.
At the moment I have plugged in a dedicated Ethernet interface from my VMware stack and am running a virtual Linux machine for the sole purpose of “poisoning” the ARP table. The FIOS service itself screams, though we wouldn’t ever consider using their DNS, but leave it to Verizon to pull up short on static IP address support.
#!/usr/bin/perl
use Net::ARP;    # provides send_packet()
# Sends one ARP reply; schedule it to run every 30 seconds or so.
Net::ARP::send_packet(
    'eth0',               # Device
    '184.108.40.206',     # Verizon gateway, not really 0.0.0.0 of course
    '220.127.116.11',     # address that we want Verizon to respond
    '00:1E:EC:9F:DB:67',  # Source MAC of our address
    '00:1d:70:26:cc:53',  # Destination MAC address for ARP
    'reply'               # ARP operation
);
print "packet sent\n";
To install the Net::ARP module using CPAN:
perl -MCPAN -e 'install Net::ARP'