
Cisco RV220W Wireless Network Security Firewall Reviewed

When I updated to 1.0.2.4, I found my RV220W has 64 MB RAM only.
Is it a different version, or wrong information in the review?
Thanks
 
Also 64 MB here

MY RV220W also displays 64 MB as RAM

In spite of the numerous smaller and bigger issues in the router (http://bugzilla.jth.net/buglist.cgi?product=Cisco+RV220W), it has been running for 2 months now with firmware 1.0.2.4 without any big problems. It has a permanent IPSEC VPN connection to a remote Fedora 15 Linux server working well, but if the router is rebooted, the VPN must manually be reconnected.
 
Four Quick Questions:

1. It seems this unit does not accept VPN connections from wireless clients on the LAN side -- like WatchGuard does.

Is that true?


2. Tim's Performance Review mentions:

"I didn't find any controls, however, to keep wireless traffic from connecting to wired LAN clients, for setting up "guest" Internet-only access, for example".

Is this true? If so, it's an unbelievable oversight for a SMB product.


3. Can I assume that wireless clients cannot see other wireless clients?


4. Do RADIUS server implementations include the ability to authenticate wireless clients on the LAN side -- or only WAN side connections?


Lastly, given the nature of my questions, if this device falls short of my "wish list" -- would anyone be kind enough to recommend an alternate product that I should be looking at.

Thanks very much.
 
Better than assumed

1) Not true. I can connect to the router as a PPTP Server from my Android smartphone

2) Not true. I have defined 2 VLANS. One as the LAN 192.168.1.1, one as 192.168.20.0 as "guest only" preventing access to the internal LAN IP-range (Inter VLAN Routing disabled), but the router will allow access when the public IP-address is used using its own internal address as source IP-address (sic!).
I assume that this form of access is regulated by the router firewall rules.

3) When they are in the same VLAN they can ping each other. Access within a VLAN must be regulated by firewalls on the clients
 
@joergent

Thanks for the prompt and informative reply.

If I'm understanding you correctly -- you achieved WLAN/Wired LAN segregation through the use of two VLANs.

I'm just a bit thrown by the second half of that sentence:

"but the router will allow access when the public IP-address is used using its own internal address as source IP-address (sic!)".

Are you saying that if you DON'T use VLANs -- the WLAN/LAN devices will see each other?

Or are you saying that they will ONLY see each other when their respective IP Ranges overlap?

Ultimately, I need for a device on the wired LAN side to be COMPLETELY inaccessible by wireless devices on the WLAN side. And that's the reason I'm asking.


Thanks very much.
 
Hairpinning

No, I am referring to the well-known hairpinning problem in the RV220W.
When a LAN device is using the public IP address and accessing the public services accessible via this address, the RV220W will now forward the request through its logic as if the request were coming from the WAN. However, the source address is not the LAN address of the device similar to the public WAN address of some external client, but it is always the router address itself (e.g. 192.168.1.1). This will cause problems for firewalls and server services depending on the source address.

So the devices on other VLANS are only accessible when they are accessible from the WAN.

As we do not have strict requirements in this area I have not done extensive testing on this.

A new release of the firmware is in the works, but as it took Cisco from March to August to release the latest upgrade, it may not be available for some time to come.
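The hairpinning behaviour described in the post above, modelled as an added example (not part of the original thread and not measured on a real RV220W). The public IP, the server address, the port forward and the server-side rule trusting the LAN subnet are assumptions for illustration; the subnets and router address are the ones quoted in the thread.

```python
import ipaddress

# Addressing from the thread where given; everything marked "assumed" is constructed.
LAN = ipaddress.ip_network("192.168.1.0/24")
GUEST = ipaddress.ip_network("192.168.20.0/24")
ROUTER_LAN_IP = ipaddress.ip_address("192.168.1.1")
PUBLIC_IP = ipaddress.ip_address("203.0.113.10")             # assumed (documentation range)
PORT_FORWARDS = {443: ipaddress.ip_address("192.168.1.50")}  # assumed WAN port -> LAN server


def route(src, dst, dport):
    """Return (source address the server sees, server) or None if dropped."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst == PUBLIC_IP:
        server = PORT_FORWARDS.get(dport)
        if server is None:
            return None  # no forward for this port, same as from the WAN
        if src in LAN or src in GUEST:
            # Hairpin: handled like WAN traffic, but the source is rewritten
            # to the router's own address, as the post describes.
            return ROUTER_LAN_IP, server
        return src, server  # a real WAN client keeps its own address
    # Direct addressing across VLANs: inter-VLAN routing is disabled.
    if (src in GUEST and dst in LAN) or (src in LAN and dst in GUEST):
        return None
    return src, dst


def server_acl_allows(seen_src):
    """Assumed server-side rule: trust anything that appears to come from the LAN."""
    return seen_src in LAN


def reaches_server(src, dst, dport):
    """True if the packet is delivered and passes the server's source-address rule."""
    result = route(src, dst, dport)
    return result is not None and server_acl_allows(result[0])
```

In this model a guest client is blocked when it addresses the server directly, but a request to the forwarded public port arrives with source 192.168.1.1 and passes a rule that trusts the LAN subnet, so isolation has to be enforced in the router's firewall rules or by authentication on the server rather than by source address.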
 
I'm interested in purchasing this router but with all the negative feedback I'm a little hesitant. However most people who are complaining say they are on FW 10.2.4 and now Cisco has a new 10.3.5 FW out. So far there are no release notes for it so I was hoping that maybe someone who does own it could comment on this new FW and see if maybe things are more stable now?
 
FW 1.0.3.5 is a disappointment

This release is now GA, but fixes only 4 issues of which at least 3 are non-important.
It is probably made by a single programmer one Friday afternoon!
In the release notes, there is a long list of unsolved issues, but there are numerous additional issues reported by users, but not listed.
Cisco is simply not listening to the users.
 
Sorry to drag up this thread on my first post but I feel this is worth mentioning. I spent months researching routers to fit my needs and this router did just that. But since the release of firmware 1.0.2.4 it would appear they have changed the goal posts. The only reason I noticed was because devices connected to the non-default VLANs were no longer receiving IP addresses from the DHCP.

Port based VLANs have now been removed, meaning the unit now only supports 802.1q.
The number of allowed vlans has been reduced from 16 to 4. You can check this when you go to the config page for vlans, and it states, you may configure up to 4 new vlans.

I have been onto their support team today who were unable to give any answers, but who are going to look into these.
 
DHCP / IP-reservations?

Is it just me, or does the Cisco RV220W indeed miss the option for DHCP reservation / IP-reservation in the firmware?

With the latest 1.0.3.5 firmware I can't seem to figure out any way to set IP-reservations for the DHCP in the router firmware. I could always just configure static IP-addresses on my computers but I have always found it better to simply add some simple IP-reservations on the router instead and it seems rather awkward that a small business router from Cisco isn't up for the task when even the cheapest Netgear, Linksys and D-Link routers are?

I heard a rumour about a bug in earlier firmwares for the RV220W where IP-reservations broke port forwarding / access rules so Cisco might have removed the feature altogether I guess, but I would expect this to be fixed and added back in by now if that was indeed the case?


There also seems to be a cosmetic bug (at least I hope it's only cosmetic) with the latest 1.0.3.5 firmware making the router report only a total of 64 MB RAM instead of 128 MB as with earlier firmwares. I refuse to believe Cisco have all of a sudden decided to hard disable half of the RAM within the latest firmware.

Last, but not least I have gotten it confirmed by Cisco that the DMZ-feature is indeed pointless at this point as it doesn't really do anything. DMZ hosting your IP / computer doesn't make any difference, you still have to manually port forward / create access rules for every single application / port to actually make things work behind / through the firewall / NAT.

Sadly this seems to be the case with most routers these days, if I remember correctly I was faced with the same issues with my older D-Link DIR-655 rev2, D-Link DVG-5802S and Linksys WRT600N. What's the point and idea behind the DMZ feature if you still have to do the port forwarding? Have I misinterpreted the whole idea when I thought the whole point with adding a computer / IP into the demilitarized zone was to get it fully exposed? Shouldn't all non-forwarded ports that are being accessed from the WAN side automatically be forwarded to the DMZ-hosted IP-address thus rendering port forwarding unnecessary?


I find these awkward bugs and lack of basic features somewhat disappointing considering it's a Cisco product, catering towards small business / office and enterprise home users with a rather steep price tag considering the hardware of the product. How much must one pay to actually get a rock solid, bugfree, yet high performing router with decently customizable firmware and support suitable for heavy duty home / home enterprise usage?
 
Wow...

OK Updating / replacing my former comments.

Port forwarding / redirecting IS available.

Go to Firewall/Access Control/Custom Services. Create a custom service for whatever your incoming port numbers need to be.
Then go to Firewall/Access Control/IPv4 Firewall Rules and use the services you created (or a predefined one) to map to whatever internal IP address/port you like.

Cumbersome, but works.

Still haven't quite figured out how to do remote admin.

Is someone going to port DD-WRT to this platform?

Thanks

OK Updating... I have just now had this router DIE!.. It's been pretty good for a while EXCEPT... My wireless printers need a router reboot every new day I try to print to them. They show up linked, but the router doesn't provide connectivity (Samsung CLP-315W's). Same for a wireless Epson printer. Reboot the router then power-cycle the printer and all is well.

Other than this it has the essential features I need. (I share my WAN connection with a couple neighbors and I isolate their traffic on VLANS and BW limit them.) BW limiting doesn't work real well, but the isolation through VLANs works well. There appears to be no port or IP-address traffic statistics tracking mechanism which I want, but I'm not sure any of them do.

When it died yesterday, I tried to do a factory default restore and the router starts with all ports "led ON", proper speed, but about 1 minute later all LEDs except power go off. I also did a hold-in reset, power on, wait 20+ secs and now there are a couple back & forth flashing LEDs. I'm wondering if it is trying to TFTP boot a new image, but of course there is no info on how to do that. So, I think I will just have to replace it entirely.

If anyone knows any models which will give me GigE ports, VLANs, good throughput and VERY reliable, I would appreciate the advice. I'm not super concerned about having the latest WiFi standard. Maybe to support 1 WiFi user at a time streaming a Netflix video without messing with the other traffic.

Thanks for feedback!

-Andrew
 
