RV340W: I can PING all my VLANs' default gateways - how to avoid?

Torsjan22
Level 1

Device: Small Business RV340W Dual WAN Gigabit Wireless-AC VPN Router
Firmware: 1.0.02.16
Management: Only using browser

I'm a Cisco novice. This is my first Cisco router, placed on my small network setup to give Internet access.

This is also my first posting here. Sorry if I failed to find any solutions that might already be in the community. I have tried to search for the same issue, but couldn't find any solution for me.


Network description/examples:

The RV340W has 4 VLANs defined, each with its own IPv4 network:
VLAN1 = 10.1.1.1/24
VLAN2 = 10.1.2.1/24
VLAN3 = 10.1.3.1/24
VLAN4 = 192.168.1.1/24

All VLANs have access to the Internet from the WAN1 port, by setting the respective first IP address as default gateway.

The VLANs should not be able to communicate with each other; they should just share the Internet access.

I found that I could PING everything from the other VLAN networks, but managed to set a few access rules in the firewall section to restrict any traffic to and from all VLANs. Pinging anything on the other VLAN networks is now blocked.


Problem:

The default gateway (the RV340W) of each individual VLAN can naturally be pinged. But every one of the other default gateways can be pinged too! I can PING 10.1.3.1 from the VLAN1 network 10.1.1.1/24 and get steady replies. That goes for all of them, from any VLAN. Even 192.168.1.1 replies happily.

Since any user on these networks can find and PING the other networks' gateways, I wonder if they can hack my router in any way. Because I can access the router's management web page by using any of the gateway IP addresses in my browser. I have of course unchecked the Device management ability for most of them, but still... It feels a bit worrying.

Does this sound like correct or wrong behaviour to anyone in the community here?
Can this access to each other's default gateway IPs be avoided? How?
What am I doing wrong? What am I missing?

Any hints and comments would be appreciated.


Regards:
Torsjan22

2 Replies

luis_cordova
VIP Alumni

Hi @Torsjan22 ,

https://www.cisco.com/c/en/us/support/docs/smb/routers/cisco-rv-series-small-business-routers/smb5491-configure-access-rules-on-an-rv34x-series-router.html

You could try this:
Assuming you want only the gateway of VLAN1 to be the administration IP (VLAN1 = 10.1.1.1), you could create a rule that restricts the access of each LAN to that specific IP.

Maybe something like this:

(attached screenshot: Comu2.jpg)

Regards

Thank You so much for Your reply, luis_cordova. I much appreciate it. Your idea is good. I didn't think of that myself. However, I'm afraid I can't make this work.


Here is a simplified example from my present access rules table:

Priority  Action   Services           Source Interface  Source  Destination Interface  Destination  Schedule
1         Allowed  IPv4: All Traffic  VLAN4             Any     WAN1                   Any          ANYTIME
2         Denied   IPv4: All Traffic  VLAN4             Any     Any                    Any          ANYTIME
3         Denied   IPv4: All Traffic  VLAN2             Any     VLAN1                  10.1.1.1     ANYTIME
4         Denied   IPv4: All Traffic  VLAN3             Any     VLAN1                  10.1.1.1     ANYTIME
5         Denied   IPv4: All Traffic  VLAN4             Any     VLAN1                  10.1.1.1     ANYTIME

Rules 1 and 2 stop VLAN4 from doing anything but Internet (WAN1). This seems to work fine.

The rest of the rules follow Your good idea, trying to block the default gateway of VLAN1 from all the other VLANs. Sadly I can still PING any default gateway from any VLAN, despite these rules being active on my router. Explicitly: from network 192.168.1.1/24 I get strong replies when I PING 10.1.1.1. Sorry about that.

I will have to investigate this issue further. It might not even be possible, as all these gateway addresses are physically the same box. I believe I have seen that written here somewhere.

No matter what: You did help me understand and think further, so I thank You still. Please advise more if You want and have the time. :)


Regards
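As an added illustration (not part of the thread, and not Cisco's or the RV340W's own rule logic): the access-rule table posted above, written out as data and run through a plain first-match model, so that every VLAN-to-gateway ping in the thread can be checked against the table at once. The assumptions are labelled in the code: rules are evaluated in priority order and the first match wins, traffic matching no rule is allowed (the thread reports inter-VLAN pings worked before any rules existed), an address inside a posted subnet belongs to that VLAN and anything else counts as WAN1, and the sample host addresses (`.10` in each subnet, 203.0.113.5 as an Internet host) are constructed. The model is a forwarding-ACL model only; it says nothing about what the router does with packets addressed to its own interfaces, which is exactly the case the thread is stuck on.

```python
"""First-match model of the RV340W access-rule table posted in the thread.

Added example; assumptions: priority-ordered first match, default allow,
subnet-to-VLAN interface mapping, constructed sample hosts.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# VLAN subnets exactly as posted (10.1.1.1/24 etc. are the gateway addresses).
VLANS = {
    "VLAN1": ip_network("10.1.1.0/24"),
    "VLAN2": ip_network("10.1.2.0/24"),
    "VLAN3": ip_network("10.1.3.0/24"),
    "VLAN4": ip_network("192.168.1.0/24"),
}
# Addresses the router itself answers on: the first host of each subnet.
GATEWAYS = {name: net.network_address + 1 for name, net in VLANS.items()}


@dataclass(frozen=True)
class Rule:
    priority: int
    action: str   # "Allowed" or "Denied"
    src_if: str   # "VLAN1".."VLAN4", "WAN1" or "Any"
    src: str      # "Any" or a single host address
    dst_if: str
    dst: str


# The five rules from the posted table (Services = IPv4 All Traffic, Schedule = ANYTIME).
RULES = [
    Rule(1, "Allowed", "VLAN4", "Any", "WAN1", "Any"),
    Rule(2, "Denied", "VLAN4", "Any", "Any", "Any"),
    Rule(3, "Denied", "VLAN2", "Any", "VLAN1", "10.1.1.1"),
    Rule(4, "Denied", "VLAN3", "Any", "VLAN1", "10.1.1.1"),
    Rule(5, "Denied", "VLAN4", "Any", "VLAN1", "10.1.1.1"),
]


def interface_for(addr) -> str:
    """Assumption: an address inside a posted subnet belongs to that VLAN, else WAN1."""
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "WAN1"


def _field_matches(pattern: str, value: str) -> bool:
    return pattern.lower() == "any" or pattern == value


def evaluate(src_ip: str, dst_ip: str, rules=RULES, default="Allowed"):
    """Return (action, matching Rule or None) under first-match semantics."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    s_if, d_if = interface_for(s), interface_for(d)
    for r in sorted(rules, key=lambda r: r.priority):
        if (_field_matches(r.src_if, s_if) and _field_matches(r.src, str(s))
                and _field_matches(r.dst_if, d_if) and _field_matches(r.dst, str(d))):
            return r.action, r
    return default, None   # assumption: no matching rule means the traffic is allowed


def is_router_address(dst_ip: str) -> bool:
    """True when the destination is one of the router's own interface addresses.

    Such packets terminate on the router rather than being forwarded, so a
    forwarding-ACL model like evaluate() may not describe how the box treats them.
    """
    return ip_address(dst_ip) in GATEWAYS.values()


def audit(rules=RULES):
    """For each VLAN, what the table says about pinging every gateway address."""
    report = []
    for src_name, net in VLANS.items():
        src_host = str(net.network_address + 10)      # constructed sample host
        for gw_name, gw in GATEWAYS.items():
            action, rule = evaluate(src_host, str(gw), rules)
            report.append((src_name, gw_name, action, rule.priority if rule else None))
    return report


if __name__ == "__main__":
    for src_name, gw_name, action, prio in audit():
        via = f"rule {prio}" if prio else "no rule (default)"
        print(f"{src_name:5} -> {gw_name} gateway: {action:7} via {via}")
```

Two things the audit makes visible. Under the model, rule 2 already denies every packet from VLAN4 to 10.1.1.1, yet the thread reports steady replies for that very ping, so whatever the RV340W does with traffic addressed to its own interface addresses is not described by a forwarding-ACL model; `is_router_address` is there to flag those destinations as a separate case to check. Second, rules 3 to 5 only cover the VLAN1 gateway, so pings from VLAN1, VLAN2 or VLAN3 to the other gateways fall through to the default with no rule matching at all; if the approach does work on the box, each gateway address needs its own set of deny rules.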