Telecom Monopoly CenturyLink’s Static IP / Modem / UPS Scam Outlined

I’m really sorry to say that I was excited when I found out CenturyLink offered gigabit 1000 up 1000 down fiber to the home in the neighborhood I just moved into. Dreams of things like having enough upload speed to leave the cloud and operate jamesachambers.com independently in my own home seemed like they could finally be a reality. Dreams were quickly shattered when I realized what kind of incompetence and dishonesty I would be dealing with.

Ordering

I checked to make sure static IPs were available through CenturyLink. Let’s check it out:

CenturyLink Static IP Order Page

Oh perfect, it looks like they definitely offer it! The one time charge is a little silly but assuming I will keep them for years it should still be worth it. Absolutely no indication here I won’t be able to get it with any CenturyLink provided service.

I ordered the service right through CenturyLink’s web site for $65 a month with no taxes or additional charges with the qualification that I must enroll in autopay. Fast internet here we come!

First Installation

The first installation was professional and extremely well done. Just kidding. Check it out:

CyberPower Outdoor UPS Installation
A “UPS” installation being used as a power strip drilled into my wall with no battery

There’s one of two things going on here. Either CenturyLink doesn’t install batteries on UPS units of customers who don’t have phones just to save a few bucks, or both of my techs took the batteries and sold them on eBay. That’s about it.

If you have a phone installed an installation like this may violate code in your area, so if you’re a CenturyLink customer (sorry) I recommend you go out to your box and see if you have one of these. Bet you there’s a good chance you don’t!

The UPS battery is there for service to keep running during power outages so it is a safety issue. This mostly impacts phone services but can definitely still help a lot with internet as well. You don’t want your equipment to go down with minor power fluctuations or if it’s only your house and the neighborhood is fine or if a breaker flips. People are relying more and more on VOIP for their phone which goes through your internet as well as other services like IP cameras that you want to keep protected and online especially if events are occurring that may cause power loss.

Either buy your own battery for it off eBay or call CenturyLink and let them know you don’t appreciate them putting your safety at risk to save themselves a few bucks.

CenturyLink PPPoE Modem

And this right here is your actual modem. It is an ONT unit that interfaces with the fiber. If you open the inner panel you can see the fiber terminations although I would highly recommend leaving the inner part of it alone (unless you’re a fiber tech you can do no good in there, the connections can be very sensitive).

You actually don’t need CenturyLink’s modem at all no matter how much their sales/tech staff tell you that you need it. All you need is a router that is capable of tagging your traffic as vlan201 (this is how CenturyLink hides their traffic from normal devices and normal gateways like your router) and establishing a PPPoE connection. More on that later.

Static IP Results – Installation #1

Here’s a link to CenturyLink’s static IP tool.

Upon logging into the tool:

CenturyLink Static IP Fail
CenturyLink Static IP Eligibility Denial Message

Oh boy, what happened? Well it turns out CenturyLink has something called “SimplePay” which is what they wanted me to sign up for. The “benefit” of it is it’s a flat rate without the usual taxes and fees all telecoms tack on there. The downside? It’s completely outsourced 100% to India and considered a prepaid plan and a lower tier of service. It’s not eligible for static IPs.

Gee, that would have been good to mention somewhere! Surely they can fix my account in the computer though right?

Nope. To fix it you will need to call them again and they will need to do ANOTHER installation. This one won’t be free, it will cost you $99. You also get taxes and fees added on to the rate every month unlike the previous plan. Great. I did it anyways because I need the static IP block to do *anything* I wanted to do with this connection.

They also left the line unburied. They said someone would come by in a couple of days to bury it. Nobody did.

Installation #2

I don’t have any pictures to share about the second installation. Why? Because they didn’t do anything. Literally they did not do anything.

We went to my basement and plugged in their new modem and he left. Then 5 minutes later I disconnected their new modem and put it back on my own. $99.

On the upside, after the SECOND installation, they actually came back and buried my line! That’s something at least!

Static IP Attempt #2

CenturyLink Static IP Fail #2
Surprised?

So after spending about 5 hours on the phone getting my new account set up and confirming it is a “postpaid plan” I still can’t access the tool. It turns out CenturyLink ordered me something called a “webshop” account. What is a webshop account? Good question, I never bought the service at a webshop, CenturyLink chose it for me when I told them I needed to get on a plan that does static IP addresses.

But they didn’t choose the right one. And guess what? They can’t fix this one in the computer either. They have to come install it again, and I will be charged $99 again. I will not be refunded for my previous installation. What did I pay for the second time they charged me and came out to install the service again? Nobody can tell me.

CenturyLink’s Unnecessary Backdoored Malware Modem

Now surely I must have lost my mind with this heading. It sounds like crazy kooky Alex Jones stuff to say that CenturyLink’s “modem” is backdoored and isn’t even necessary for the service to work.

Nope. Afraid not. CenturyLink has a long and proud tradition of backdooring their modems and those backdoors being insecure and leaked out/discovered. I’ll just share with you some of the ones in the past few years but these go way back. Here are some examples:

ExploitDB #1 – 2017 – CenturyLink built in backdoor username: admin password: CenturyL1nk – boy they’ll never figure out that one and have unfettered backdoor access to my entire home!

ExploitDB #2 – Same exploit for the common Zyxel modem

Packetstorm #1 – Once you get in with the CenturyL1nk password you can change to root by using the password “zyad5001”. Great!

Now if you think that the 2020 versions of these modems don’t just have a different more secure password and that CenturyLink doesn’t still have ROOT ACCESS to a hardware device in your dwelling and subsequently your network….

Wrong!

Bypassing Modem

To do this you will need a router capable of vlan tagging and PPPoE connections. Note that some areas might not use vlan tagging as the router has an option to turn it off although I suspect this is pretty standard. If you have any doubts log into your CenturyLink modem and in your advanced WAN settings it will tell you if vlan tagging is enabled and which one they’re using.

First you will need your PPPoE credentials. CenturyLink will give these to you (for now) if you call technical support. I had the tech give them to me in person on the second install because they type them into your modem. It’s part of the 5 minute unnecessary setup and best I can tell is the only reason they insist they have to send a tech and charge you. These credentials will not be your normal username and password. In fact, it’s likely the email address is one you will have never seen before ending in @centurylink.net. They are special creds set up for you by CenturyLink to connect through the ONT device I showed earlier.

Once you have that all you need to do is tag your WAN port as vlan201. For my home I used a Fortigate FG-30E which is my whole house firewall. These are enterprise grade devices and are quite expensive (especially with AV and IPS signature subscriptions) but newer higher end Linksys and Netgear and many other brands of routers also support basic vlan tagging now. If you have a newer router that cost more than $100 it probably has it. Just look up whether your current router supports vlan tagging and PPPoE addressing and if it does you already have everything you need.

After tagging my WAN port with vlan201 I just let it retrieve everything else with PPPoE:

Fortigate PPPoE Settings
Bypassing CenturyLink’s “Modem” w/ FortiGate FG-30E – set vlan201 on WAN
Fortigate PPPoE Configuration
Changed addressing mode to PPPoE and entered PPPoE credentials provided by CenturyLink tech support

There you go. Bye bye backdoored modem/router!
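
The same two settings written as FortiOS CLI, as an added example that is not from the original post (the post configured them in the GUI). The sub-interface name `cl-pppoe`, the physical port name `wan` and the credential placeholders are assumptions, exact syntax can vary by FortiOS version, and the `#` lines are annotations for the reader to drop before pasting.

```fortios
config system interface
    # Hypothetical name for the new VLAN sub-interface
    edit "cl-pppoe"
        set vdom "root"
        # Physical WAN port the ONT's ethernet drop plugs into (assumed port name)
        set interface "wan"
        # The VLAN tag the post says CenturyLink uses
        set vlanid 201
        # Let PPPoE negotiate the address, gateway and DNS
        set mode pppoe
        # Placeholders: the special PPPoE credentials obtained from CenturyLink support
        set username "<PPPOE_USERNAME>@centurylink.net"
        set password <PPPOE_PASSWORD>
        # This interface now faces the internet directly, so leave every
        # management service (ping, HTTPS, SSH) disabled on it
        unset allowaccess
    next
end
```

Outbound firewall policies then have to name this sub-interface, rather than the physical port, as the outgoing interface.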

A Note About CenturyLink’s “Secure WiFi”

My modem and these new modems apparently come with some built in service called “Secure WiFi”. This sounds like some really fancy technology that you wouldn’t want to give up!

Well let’s take a little bit closer of a look here.

This page gives us what little information CenturyLink will tell you about what exactly this is. Let’s take a look at an entry and see if we can figure out if this has any real value. How about the “How does Secure WiFi work?” entry:

Q: How does Secure WiFi work?

A: Secure WiFi uses a McAfee powered technology called Global Threat Intelligence (GTI) to identify dangerous websites. The protection works as follows:
GTI constantly monitors websites around the world for malicious and dangerous content.
When malicious content is found on a website, GTI 'flags' the site as risky.
When any of your devices attempt to visit a website, Secure WiFi checks that the website is not on the 'risky' list.
If the website is risky, Secure WiFi stops the device from accessing that site and displays a warning page.

Okay, so Secure WiFi is just basic web/IP filtering installed network wide and provided through McAfee’s service/list. This may actually have some value to regular Joe internet users as common botnet C&C sites and malware distribution sites will be on the list.

It also means that CenturyLink tracks every connection you make and sends it to a server to decide (and log) whether it’s going to allow you to connect.

Do you trust them to keep that information safe and not sell it to third parties? This company tells you when you call their support phone number that they will sell your information for marketing and repair purposes unless you ask the agent to flag your call/account as not consenting. So for me the answer was obviously no, and so I was perfectly willing to go without this service, and in fact wanted to actively remove it.

However, I wanted to mention that it is better protection than nothing and you should be aware that if you don’t secure your network in other ways you are giving something up even if it’s pretty basic in reality. In my case the Fortigate came with a year subscription of their professional web filtering service as well as active antivirus and IPS threat signatures, etc. so I knew I was protected in other ways.

My Personal CenturyLink Modem Collection

CenturyLink Tower of Shame

This is the CenturyLink Tower of Shame. How many modems will I end up with before CenturyLink can figure out how static IP addresses work? How tall will the tower reach? Do you think they’ll bill me for all these modems even though I haven’t been asked to return them? Have you had a personal experience with this company like I have? Let me know!

Update 7/9/20: Credit Score Change – Pulls from CenturyLink

I received an alert from my bank that CenturyLink has now done what is called a “hard pull” on my credit twice for both of these postpaid plans. This can impact your credit score and I received an option to dispute it. They may pull it again if I actually have them go ahead with another $99 install that probably won’t get me anywhere again. This is just another warning and another thing to watch out for.

Update 7/14/20: Account Migration Attempt Breaks Account (Service Disruption)

I worked with an “Account Specialist” who attempted to migrate my account. To do this I had to cancel my current account and he placed an order to start the new account without calling a dispatch. Essentially he was trying to fix it in the computer without me having to pay another $99 and have another installation/modem.

This technician finally figured out the reason I can’t access the CenturyLink static IP tool is that they are switching billing systems and their systems have not been updated to recognize the account #s from this new system. Their system is actually broken for new types of accounts and they have to attempt to migrate you. They said I need a “normal” account with a 10 digit account number to be recognized by the system. The Customer Advocacy group told me to ask for a “CRIS residential account migration”.

I was rightfully very nervous at this point because they have tried so many things unsuccessfully. I’ve heard this kind of stuff from them before and it has never panned out. My main concern was that they would make it worse (ESPECIALLY since this harebrained scheme involved cancelling my current working plan).

The first sign of trouble was that a tech tried to contact me at 9 AM to do another install and had another modem. I refused this time as I was tired of paying the $99 and knew there was not supposed to be a dispatch. Sure enough at 5 PM my working account deactivated and my new account did not come online.

I spent about 3 hours on the phone with CenturyLink and was told that my account was stuck in a “Pending” state because the tech flagged it as a cancellation. The solution? I would need to start completely over with a new order and another hard credit pull against my name.

My account was so broken at this point they could not even schedule a tech to come and look at it because their system now showed that I had service at my address that was stuck in a broken state. My current status is I have been completely disconnected and have no internet at home for several days. I gave up and reordered the original prepaid “SimplePay” service I had for $65 a month through their web site, and it will come online Thursday. That was the only way I could get an install since they couldn’t order one for me with the “Pending” stuck account.

Will update further!

Update 7/17/20 – Back Online (Where I Started)

CenturyLink came and installed the original prepaid $65 a month with no taxes or fees that I started with. I’m giving up as having no internet at home was pretty painful!

20 Comments

Tim Salo
8 months ago

Thank you for writing this up.

I wanted to upgrade my CenturyLink DSL service, which is horribly slow and currently isn’t working very well. But, it does have a static IP address, which I need for my servers.

I ordered CenturyLink small business Internet service over the web, which was advertised to operate at 940 Mbps. Fortunately, I figured out that I couldn’t get static IP addresses for my Internet service, because it was prepaid. CenturyLink wanted to sell me some service for over $150/month (plus cost of static IP address, plus probably a bunch of taxes, fees, and fines). I do give CenturyLink credit for being able to cancel this installation before it happened.

Now, I’m back shopping for business Internet that doesn’t cost an arm and a leg and that supports static IP addresses. Any suggestions?

Gary
3 months ago

You could use a Mikrotik router in bonding mode (active/active) to multiplex the two ISP connections together.

Bill
1 year ago

What a great 🙁 story. I’ve tried to ditch the CL ‘modem’ to use my Asus router but couldn’t figure out a way. I was briefly able to use transparent bridging but when I did an NTP update (the time/date was showing way off in the logs) it broke it and I’ve been totally unsuccessful since. It’s incredibly frustrating and ridiculous. Thanks for your posts!

Tony Gonzalez
1 year ago

Hi James,

Thanks for writing this blog post. I also have CL’s $65/month plan. I want to ditch the modem router that they give you and install either a virtual fw (Sophos XG, Pfsense, etc) or just purchase a Ubiquiti USG and carve out VLANs on my Cisco 3750 switch.

Now that you are back where you started, on the $65 plan, do you still have the FortiGate as your edge device? I wasn’t sure if I still needed the modem part of the CL device, but it doesn’t seem like it, and use my $100+ router as an AP to extend my network.

Thanks again.

Tony Gonzalez
1 year ago

Thanks for your reply James. I ended up using a virtual appliance and installed Sophos XG. I got it to work, but I still am a bit fuzzy with the detail on the interfaces and vlan tagging. I do have my PPPoE creds and typed them in and tagged it on VLAN 201 which you nailed (CL is using 201) but didn’t get any external IP on Port 2 where my WAN is configured.

I disabled DHCP on CL’s modem and enabled it on my firewall, all my appliances are now catching the IP from my firewall but I am still using the CL appliance. Can I ping you and maybe do a quick zoom sessh? I am on Twitter and I believe you are as well because I also used your walkthrough to build a Minecraft server. Thanks btw 🙂

Tony Gonzalez
1 year ago

Thanks James. Totally appreciate you looking up these KBs for me.

On the port 2 interface (WAN) I configured PPPoE and entered the whole username and included the @centurylink.net email domain and tagged that interface with VLAN201 but on the GUI not the console.

For the physical connections, I have an ethernet drop coming from the ONT device on the side of my house to my media closet in my basement. That drop is connected to the modem/router then from the modem/router to my trunk interface (port1) on my cisco 3750g switch. I bypassed the modem and connected the CL drop from the outside directly to my switch trunk port. I haven’t configured VLAN on the switch yet so I have everything on the default vlan.

You gave me something to go off. Let me dig a bit more and will get back to you.

Thanks again, appreciate you for blogging about this.

Separate note:
I had to revert back to CL modem/router again because apps like Disney+, Amazon prime, etc would work when I cast them using my chromecast. Anyway I have to tweak the filtering setting on the XG. Alas, I will get to it once I figure out this network thing.

Thanks

Tony Gonzalez
1 year ago

Hi James,

I did a little more research and after careful consideration, I am going to ditch the virtual firewall (Sophos XG) for a Ubiquiti UDM Pro. It’s set to arrive later today so I’m very excited. I haven’t researched if I can tag the WAN interface with VLAN 201 then enter my CL creds. But I believe upon connecting the device (UDM) during the initial setup, it asks you what type of connection you are going to use. DHCP, Static or PPPoE.

I will report back once my fw is online. Now if I can’t tag the WAN interface. Then I will settle with using the CL appliance as a modem in transparent bridge mode.

Moreover, the reason I am ditching the virtual fw is I don’t want to depend on running my DL380 due to the electrical cost. I don’t have critical workloads running on my vSphere environment yet. But want to segment all my traffic from the rest of the house, and a vFW will not allow me that w/o jeopardizing everyone’s iNET connectivity when I am tinkering.

Thank you for your support and your great blog.

Cheers,

-tony

Tony Gonzalez
1 year ago

Hi James,

I am happy to report that I have updated my network and added the UDM Pro w/o the CL router/modem appliance. I am so happy I don’t have to rely on my ISP’s device for connectivity. Can’t wait to figure the UDM out and begin segmenting the network. Thanks again for your support and links.

You are the man. I would show you pictures of my setup, but I don’t think I can upload pictures to your comment thread. I will blog about it.

cheers,

Happy resurrection weekend!

-tony

delta-siera
1 year ago

I’ve had plenty of bad experiences with CenturyLink even as a business customer! A very unreliable DSL service got swapped out for Yondoo fiber when they came into that market… it’s been roses ever since!

Trying to get a new custom fiber build at one of our new locations… took about 6 months, was a very painful process, had DSL side-ordered to provide at least some kind of internet connection earlier in the process but contractor said it would actually take longer than the fiber build. Cancelled with contractor, had a future call from the contractor that CL still had the order in. Also cancelled directly with a CL support person. Almost a year later, a full year’s bill showed up for the DSL that we cancelled before it was ever installed and brought online. Was given a phone number to someone that I called over a half dozen times and email address that I never got a response. Finally got back with another CL person and got the charges dropped. Wow. Outrageous monthly bill on this 50 Mbps up/down fiber connection at almost $1K/month. We’ll be outsourcing once this contract is up.

I might have 1 in 10 customer support engagements with them that are actually positive or “good”. Comcast is bad but IMO CenturyLink is worse. I’ve heard plenty of horror stories, and I’m just not seeing it get better at all.

Our local ISP devised a long-term, big investment plan to bring fiber-to-the-home to a huge region around us. Customer support is great, the internet service is extremely reliable and always fast as the plan calls for, the install is only $99, pricing for the dl/ul speed is extremely competitive, and their service doesn’t require PPPoE credentials — I assume the line is authenticated at the GPON and everything afterwards is fair game, e.g. user-provided router just hooks up and works. The only downfall I can mention is that their in-house Wi-Fi router is even worse than the other big telcos, namely in terms of coverage distance. It has an 802.11ac chipset but honestly feels more like 802.11n. Running my old Asus AC-66U solved that right quick.

James: could we get a status update?

Jim "JR"
2 years ago

Why does this not surprise me. . . .

I wonder where you are. My brother tried internet with CenturyLink a few years ago and it was a Fuster-Cluck from the word “Go!” If there was a way they could have screwed it up, they did it. When he did get Internet and Telephone service from them, it worked if and when it darn well felt like it. Perhaps there was a particular relationship between the phases of the moon and/or the positions of various constellations and planets that was required, but we never figured it out.

The icing on the cake was that he had the damnedest time even PAYING their bills! He’d pay and it would either be lost, refused, spontaneously cancelled, or whatever. His service spent more time being blocked for non-payment, (though he paid and had screen-shots of the payment processing through his bank), than it spent working. Then they started dinging his credit rating for non-payment.

Eventually he told ’em to bloody-well ‘naff-off, cancelled their service, blocked their attempts to auto-pay, opened disputes with everyone and their brother, and hasn’t looked back.

Jim "JR"
2 years ago

Righty-O!

Not only was my brother having billing issues, he was having service issues as well. Even when his service wasn’t blocked for “non-payment”, it worked if, and when, it decided it wanted to work. Since my brother has a few health issues and he absolutely, positively, needs his phone service to work, (can you say “life or death”? Ahh! I KNEW you could!), and nothing he, or I, did was any help whatsoever.

Quite frankly, I’m waiting for some hungry lawyer to file the class-action lawsuit.

What really infuriates me about this is that they can support a crappy service model and a SQA department run by the now famous “million monkeys using a million typewriters” because everyone else is so expensive. In essence, they “got ‘ya by the short-an’-curlies”.

I just hope their keypunch machines don’t jam before they finish the billing changeover! 😉