FiOS and the Westell 9100

Update: Looking for the Westell 9100 default password? It’s admin / password1.

Verizon finally came and hooked us up today. Here are a few things I’ve noticed so far:

  • The tech thought it strange that we have a huge LCD TV but no TV service at all. He also thought it strange that we had no phone line.
  • The technician came with a USB drive and a SecurID-type dongle. He requested to use a Windows machine so he could run it. Since my computer took a while (it hasn’t been used in a while, and I also have it locked down a bit so that it won’t, for example, autorun USB drives), he was talking a bit. Apparently the USB drive contains a set of applications that log into the router to perform initial configuration. (He connected via WEP key first, so it’s possible it works over wireless, too.) He also mentioned that it fixes WinSock, which made me a bit nervous since I’m pretty sure WinSock doesn’t need any fixing. It sounds more like it fixes common network issues. He also mentioned that one day the server it connects to went down, and that the techs were told to “do it by hand,” but no one even knew what steps were involved anymore.
  • He had a Toughbook with a cellular modem. He mentioned that if the laptop didn’t work, he could use that to configure the router, but that they weren’t supposed to, and had to write up a report explaining why they didn’t use the customer’s computer.
  • The router connects to the ONT (Optical Network Terminal) over coax, using MoCA. The fiber ends at the coax; there’s no fiber run inside your home. It’s also possible to plug into the Ethernet port on the ONT, though what I’ve read suggests that you can only use MoCA or Ethernet, but both cannot be enabled simultaneously.
  • My router is a Westell 9100. The default password is admin / password1 — this isn’t provided, and it took a little bit of Googling to find.
  • The Westell appears to run embedded Linux, based on the fact that the system log feature is obvious dmesg/syslog stuff, including “ NET4: Linux TCP/IP for NET4.0” A few other notable lines:
    • IP: routing cache hash table of 512 buckets, 4Kbytes
    • TCP: Hash tables configured (established 4096 bind 8192)
    • kern.alert 802.1Q VLAN Support 1.8 Ben Greear [email]
    • kern.alert All bugs added by David S. Miller [email at]
    • kern.warn Watchdog started Kick jiffies = 10
    • kern.warn Danube Port Initializaion
    • Various references to IPSec and ipsec_null_init, an Infineon DEU for MD5/SHA1/AES/DES
    • Several entries about MAC addresses being changed, and to atypical formats at that
  • The Westell uses to synchronize its clock. This is improper and expressly prohibited for a preset value: end users are invited to use (a ‘cluster’ of thousands of NTP servers), but you’re supposed to get a vendor CNAME before shipping devices using the pool.
  • The Westell has a webserver running on port 4567. I can see a handful of connections from, which resolves to They’re hitting a URL that are long strings of numbers. The majority of the requests came back with a 401 Unauthorized, but a few were authenticated. If I open a remote connection on this port, I can speak to the webserver, though it rejects all my connections. (Incidentally, if you nmap it from outside to make sure it’s locked down, and pass the right flags, nmap generates a lot of strange HTTP requests, including 401, 501 Not Implemented, and a lot of 400 Bad Requests. With a URL containing a space (%20) and some weird characters, a 404 came back, which seems improper: a 401 should really take precedence, no? Googling seems to suggest that this port is open so Verizon can remotely upgrade it, but it seems troubling that it’s not locked down other than with BasicAuth. If a vulnerability were found in this webserver implementation — which is apparently meant to allow low-level management — it could allow someone to mess with a lot of peoples’ routers. At least one forum suggests it’s a TR-069 implementation, using SOAP to manage CPE.
  • It’s fast, though I’m yet to hit the promised speed. We pay for 25/15 Mbps; tests get me about 19 Mbps down, and very close to 15 Mbps up. Part of it may be that 25 Mbps is a ridiculous amount of bandwidth for a server to be pushing; I’ve worked with plenty of servers on 100 Mbps drops (into much bigger backbones), and 25 Mbps would be a big spike in any of them, albeit doable. So a busy server might struggle.
  • Even though the Westell is improperly using the NTP pool, it doesn’t seem to have an option to run an NTP server on the LAN. As best as I can tell, it’s strictly used to keep the logfile timestamps accurate. Perhaps it’s necessary as part of a security mechanism (e.g., a time-based key system) for remote access over 4567. I kind of hope it is.
  • The Westell keeps lots of counters on packets and bytes, but doesn’t seem to want to speak SNMP.
  • Despite being a Linux device that doesn’t let me ssh to it, use NTP, or query it over SNMP, it has a good feature set for home users. A dumb-user-friendly interface allows me to see/manage all devices on the network, and you can set up rules: like “Johnny’s computer can’t go online after 10pm” or “Johnny’s computer can’t access” There’s also QoS support and Dynamic DNS support for several major clients.
  • It’s possible to download a configuration file. It includes references to passwords, though I’m not sure how they’re used.
  • It comes with an out-of-the-box WEP key, which is good. It’s possible to use WPA, though I haven’t set it up. You can disable SSID broadcast (default is to broadcast), and do MAC restrictions.

7 thoughts on “FiOS and the Westell 9100

  1. I haven’t run into trouble yet. How the heck does an ARP cache fill up? I can’t fathom why it would need more than maybe 16 bytes per connected device? And frankly, that’s generous: a MAC address is 48 bits = 6 bytes. If you asked me to design the LEDs on your toaster I’d probably end up throwing in something like 16MB of memory?

  2. I just got FiOS service and I’m looking for how to enable the USB port on the router. A lot of similar posts (even on a Verizon forum) say it has been disabled.
    Personally, why the hell is it not enabled!? I may be the one to post something up once I blow the router up jacking with the configuration file.
    Anybody have any luck figuring this out let me know… Regards, Joe

  3. You can enable telnet access. Export the config file, search for ‘telnets’ and set disabled to 0. Once telnet’ed into the device, you can open a shell with the command system / shell.

    The device is built on OpenRG. I’d like to get SNMP or similar monitoring data but have not yet found a way.

  4. Awesome tip on the telnet, worked like a charm! Any ideas on a configuration line to enable the usb? Or how to enable it from the telnet shell? I saw two options in the config that looked interesting. The first was lock (1) (which I think allows me to turn off remote administration) and hiddenpage (0) which I can’t really see what that does. Any ideas?

  5. WAKE ON LAN (WOL) on Westell 9100

    Sorry for a similiar post on an old thread, but this has info on the Westell 9100 I haven’t seen anyplace. I’m using WOL very successfully from my local LAN – the target PC always wakes up. However, from the Internet i can only wake the target PC for few minutes and then it will not wake. My research appears to indicate the ARP table is timing out. I have a static entry for this PC, but the packet does not make it to the target PC after it has been asleep for a few minutes. Some suggestions for other routers included configuring the router with an unused IP address and a MAC address of FF:FF:FF:FF:FF:FF:FF:FF but the router rejects it as being reserved for network broadcast.

    Has anyone gotten WOL to reliably work from the Internet on the Westell 9100 ? ?

Leave a Reply

Your email address will not be published. Required fields are marked *