
RV220W LAN-LAN firewall drops - fw 1.0.5.8

andyhillhome
Level 1

I noticed a strange "feature" after I upgraded from firmware 1.0.4.7 to 1.0.5.8 on my RV220W.

My internal network is 192.168.1.0.  I have an OpenVPN server on the internal net with a routed setup that hands out addresses to clients on 10.12.74.0, and pushes a static route to the 192.168.1.0 network.  The RV220W also has a static route back to the 10.12.74.0 subnet.  All worked perfectly fine with 1.0.4.7.

After upgrading to 1.0.5.8, I could still connect OpenVPN, and I could ping any address on the internal network.  However, the minute I tried to do something like RDP to a host on 192.168.1.0, nothing would happen.  Packet traces revealed that the packets were successfully making it through the tunnel to the target RDP host, and it did respond to the packets, but the replies were never seen at the VPN client.

I then noted that the RV220W firewall logs indicated it was dropping the return packets.  I don't have the exact message, but it stated that it was DROPing a LAN - LAN packet from 192.168.1.78:3389 to 10.12.74.6:<highport>.

I then reverted to 1.0.4.7 with a factory reset and restored my config.  All is working again.

I'm happy to go through this again and do more troubleshooting, but this seems like a major bug.  The firewall should not be dropping LAN - LAN traffic, regardless of subnet, since there is no capability to write LAN - LAN access rules.

Thanks.


Tom Watts
VIP Alumni

Hi Andrew, there are actually LAN to LAN access rules on the firewall configuration. It's a relatively new feature that's been out about a year or so.

-Tom
Please mark answered for helpful posts


Tom, thanks for the response.

I'm aware of the VLAN-VLAN rules, but there is no way I can see to write a simple layer 3 rule.  The problem is that my OpenVPN client subnet is not represented in a VLAN, since it is just a tunnel interface on one of my servers and is not a real network tied to any physical interface.  The OpenVPN server itself serves as the router between this 10.12.74.0 subnet and the real 192.168.1.0 LAN.  All I need the RV220W to do is route return traffic for the 10.12 back to the OpenVPN server's IP.  That's the piece that works in 1.0.4.7, but not in 1.0.5.8.

Thanks - let me know if I'm missing something here.

Andy

Andrew,

I understand what you are doing; I once used the exact same configuration with an RV220W at home and it worked perfectly. I would be interested in knowing if some other part of your configuration is breaking the route. If possible, back up your configuration, upgrade the firmware, reset to defaults and reconfigure only what you need for the OpenVPN server. Test and see if it works. If it does, reconfigure your other settings and test. If not, you should open a case with support and have this reported as a bug.

- Marty

I had the same problem: static routes created and firewall drops to these static routes. The router was on 1.0.5.8. I tried to find a solution, but I didn't find any way to solve it, so I reverted the firmware to 1.0.4.7, and it works now.
Everybody has to know that each firmware for this router is bugged.

SamirD
Level 5

Glad reverting firmware fixes the issue for you.  Rule of thumb on smb routers is to NOT upgrade firmwares unless you have to.  Every manufacturer has various bugs in each version, so you find the one that works for you and stick with it until you have to buy something else.

Or drop some serious money and get an enterprise grade router that doesn't have these issues.

Huntsville's Premiere Car and Bike e-magazine: www.huntsvillecarscene.com
