RV220W - ipv6 Firewall and Ping Questions

doug_counsil
Level 1
Level 1

I have just recently been messing around with ipv6 on our RV220W.  The only reason for turning ipv6 on was to get upnp to work after a reboot.

I have set up ipv6 using a 6to4 tunnel (using the automatic tunnelling feature, awesome feature by the way), as well as through a tunnel broker (tunnelbroker.net).  Both methods were super simple to configure.

I have run into a couple of road blocks though.

1.  I can't find any firewall features for ipv6.  We have a Cisco E4200 that has ipv6 and ipv6 firewall support so I am sure the RV220W either has ipv6 firewall options or will have it very soon in a firmware upgrade.  Am I correct on either account?  Without a built-in firewall, ipv6 has really exposed our PCs, Macs, etc. to attack.  I ran some ipv6 firewall port scanners and found that we have several ports open (4800, 4900, 5263, etc).

2.  I found that ipv6 is a bit flaky.  For example, I experience a 15-50% packet loss when pinging an ipv6 website (i.e. ipv6.google.com).  It occurs on all of our PCs (Windows XP and Windows 7), as well as our Mac OSX Lion MacBook Pros.  All of the more popular ipv6 test websites out there show that we go back and forth between ipv6 being turned on and off.  I am sure it has something to do with latency and/or failed pings.  Are there known issues with ipv6 on the RV220W?

I have opened a case (620246731) with Tori regarding the upnp issues that we encounter with ipv6 turned off.  Basically upnp works flawlessly when you turn it off and then back on after a reboot.  Unfortunately we have to reboot our RV220W due to slowdowns, etc. about once a week (of course it doesn't help that I have been updating the configuration off and on here lately) and upnp not working correctly after a reboot is quite frustrating.  I have even reflashed the latest firmware, reset to defaults, and made minimal configuration changes (going through the setup wizard, reserved some IPs by MAC address, etc) and upnp still doesn't work after a reboot.  Therefore I don't think it has anything to do with my configuration.

I have a few take-aways from my conversation with Tori.  I need to provide her with our configuration backup, some Wireshark traces with upnp working and not working, as well as some screenshots of the upnp port map table showing that upnp is actually populating the table.  I should have the time to perform this maintenance/testing soon.

I will keep you guys posted, but please post here if there are known issues with upnp and/or ipv6 so I don't keep jacking with these things trying to get them to work needlessly. 

21 Replies

adam.baldwin
Level 1

There is no IPv6 firewalling on the RV220w as of this writing (Firmware 1.0.3.5) and the general state of the RV220W firewall logging is pretty poor. I'd instead rely on a host inside your network to be your IPv6 gateway and firewall (running RADVD to advertise this fact to those hosts not using static routes) and instead only rely on the RV220w to forward Protocol 41 packets from your tunnel server to that IPv6 gateway *only*. That allows you to control Protocol 41 usage at your perimeter (don't want just anyone to set up encapsulated IPv6 tunnels, right?) on a point-to-point basis and then do the IPv6 firewalling on the secondary host.

Using this approach, you get *far* more granular control and vastly improved logging for the IPv6 traffic and the (relative) predictability of a 6in4 tunnel (in general, 6to4's predictability/performance gets a big thumbs down from most networking folks). The downside, of course, is a second piece of equipment (I use a VMware host to do it, so it's more configuration work for me, but not additional hardware) to watch over and keep up to date.

I don't do much with UPNP, but the RV220w had a similar issue with IPv6 tunneling (the 6to4 approach you described early on in your post) and it not working after a reboot (until toggled off and then back on again), so it's not out of the realm of possibility.

In terms of RV220w IPv6 performance...it's pretty poor (in my experience), but there have been improvements in the latest firmware releases (I don't want to throw Cisco under the bus completely here). There are still massive gaps in the feature set though (another topic for another time) and thus I've set up my home network as described above to account for those issues. Your sporadic performance might be due to 6to4 issues (I've read about some horror stories) as well, so these might be issues that Cisco can't help you with.

Regardless, hopefully I've been a bit of help and I wish you the best of luck!

Thanks for the reply Adam.  I was coming to the conclusion that there was no ipv6 firewall after taking a longer look at the RV220W GUI and open source documentation (didn't see ip6tables anywhere).

I don't see where I can forward protocol 41 ("-p 41", "-p ipv6", or "ipv6" in general) in the RV220W.  Would you mind helping me with that?  I'm not against offloading the ipv6 gateway and firewall to another host.  There will definitely be a learning curve involved, but I'm game.

I did take another stab at getting upnp to work without enabling dual stack (ipv6) and found that upnp stopped working after reboots after I created a second VLAN (guest VLAN with no inter-VLAN routing).  I got the idea to do more in-depth testing when I heard Tori talking with another guy on the phone and he asked if I had multiple VLANs.

adam.baldwin
Level 1

Sure - you forward Protocol 41 packets by creating a custom service (under the advanced section of the Firewall tab). Just specify the type as "other" and then type in "41" in the protocol field at the bottom and save it.

Then you apply a firewall rule for the service (custom services will show up at the bottom of the dropdown list) you just defined and allow that service coming in from the tunnel server you're using (I'm assuming HE.net) and then DNAT'ing it to the IPv6 gateway/firewall that you've set up inside your network.
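An added example, not from Adam's post or from Cisco: what the inside host that the RV220W DNATs Protocol 41 to might run to become the IPv6 gateway and stateful firewall Adam describes. All addresses, interface names and the tunnel name are constructed placeholders; it only emits the commands unless run with --apply.

```shell
#!/bin/sh
# Added example: inside host acting as 6in4 endpoint + IPv6 firewall behind an
# RV220W that forwards only Protocol 41 from the tunnel broker to this host.
# Every value below is a constructed placeholder; substitute your broker's values.
TUNNEL_SERVER_V4="192.0.2.1"          # broker's IPv4 endpoint (placeholder)
GATEWAY_LAN_V4="192.168.1.2"          # this host's LAN IP, the RV220W DNAT target
TUNNEL_CLIENT_V6="2001:db8:1::2/64"   # broker-assigned client side of the tunnel
LAN_PREFIX="2001:db8:2::/64"          # routed /64 that radvd advertises on the LAN
LAN_IF="eth0"
TUN_IF="he6in4"

# Emit the plan rather than running it, so it can be reviewed before applying.
ipv6_gateway_rules() {
    cat <<EOF
# Only the broker may deliver encapsulated IPv6 (Protocol 41) to this host.
iptables -A INPUT -p 41 -s $TUNNEL_SERVER_V4 -d $GATEWAY_LAN_V4 -j ACCEPT
iptables -A INPUT -p 41 -j DROP
# 6in4 tunnel; the private local address works because the RV220W NATs the outer header.
ip tunnel add $TUN_IF mode sit remote $TUNNEL_SERVER_V4 local $GATEWAY_LAN_V4 ttl 255
ip link set $TUN_IF up
ip -6 addr add $TUNNEL_CLIENT_V6 dev $TUN_IF
ip -6 route add ::/0 dev $TUN_IF
sysctl -w net.ipv6.conf.all.forwarding=1
# Stateful IPv6 firewall: nothing unsolicited from the tunnel reaches the LAN.
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A INPUT -p ipv6-icmp -j ACCEPT
ip6tables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
ip6tables -A FORWARD -i $LAN_IF -o $TUN_IF -s $LAN_PREFIX -j ACCEPT
ip6tables -A FORWARD -i $TUN_IF -o $LAN_IF -p ipv6-icmp --icmpv6-type echo-request -j ACCEPT
ip6tables -A FORWARD -i $TUN_IF -o $LAN_IF -p ipv6-icmp --icmpv6-type packet-too-big -j ACCEPT
ip6tables -A FORWARD -i $TUN_IF -o $LAN_IF -j LOG --log-prefix "v6-drop: "
EOF
}

# Number of rules that let tunnel-side traffic into the LAN (the exposure surface).
tunnel_to_lan_accepts() {
    ipv6_gateway_rules | grep -c -- "-i $TUN_IF -o $LAN_IF .*-j ACCEPT"
}

if [ "$1" = "--apply" ]; then
    ipv6_gateway_rules | sh -e
else
    ipv6_gateway_rules
fi
```

Dropped inbound forwards are logged with the "v6-drop:" prefix, which is the logging the thread says the RV220W itself lacks.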

Joergen Thomsen
Level 1

The RV220W definitely has (much too many) issues, but we are connecting a branch office using IPv6 in a 6in4 tunnel from tunnelbroker.net and it is working quite well. We are continuously pinging the connection once every minute. It appears fairly stable, so I don't think there are any IPv6 problems in the router. Doing a continuous ping6 does not reveal any lost pings.

The most annoying issue is the one of having to manually disable/enable the 6in4 tunnel after each reboot. That should not be the case, and we cannot do it automatically due to the missing CLI interface in the RV220W (a feature found in many less expensive routers!)

Although I read the release notes for the latest 1.0.3.5 firmware, it was long before I tried implementing ipv6.

In the release notes...

A 6to4 tunnel may encounter packet loss depending on the type of NIC used. (CSCtr08162)

...therefore I don't believe my case is unique.  I should have taken the time to re-read the release notes another time before posting about my packet loss (up to 70%!!!) issues.  I thought something was wrong (with my setup) because all of our devices experience packet loss... all PCs and MacBook Pros.

doug_counsil
Level 1

On a somewhat positive note, I had a long conversation with a buddy of mine that is a senior network engineer for a large corporation (10,000+ employees worldwide) here in Kansas City, Missouri.  He is the one that recommended that I start replacing our WRVS4400N v2 routers with RV220W's based on his experience with the one he uses at home.

In a nutshell, he told me that he doesn't like to mess around with network *stuff* at home because that's all he does during the day at work.  Therefore he uses an RV220W at home.  He confirmed for me that upnp does not work for him as well, but he doesn't use it (or ipv6).  He manually opens ports for all of his needs (game consoles, software needs, etc).  He did tell me that he thinks the RV220W is a great wireless router (he actually has a few Linksys E4200 routers configured as APs around his house) for its price/feature combo.

He, and a few other of his family members, use the VPN functionality all the time.  PPTP, IPSec, SSL...  all of it.  Who do you think helped me configure my VPN setup?

If he is comfortable with an RV220W, then that is quite comforting to me.

He did tell me that he has a friend that has a 6 month old ASA 5505 (still under warranty and contract) for sale for $200.  He is more than willing to show me the ropes so I could tinker with it in our lab.  I just don't think I'm ready to start deploying those.

Well, here are the bugs I detected and in the release notes of 1.0.2.4 (nearly identical to 1.0.3.5):

http://bugzilla.jth.net/buglist.cgi?product=Cisco%20RV220W&component=Firmware%201.0.2.4&resolution=---

If this makes you comfortable, then it's OK for me, but it sure does not for me, especially because CISCO has shown absolutely no interest in working with me to document and track down these issues. Apparently if it is not an issue reported in the hopelessly slow CISCO case system then it is a non-existent issue!

Reporting issues to CISCO is also hopeless. I have tried to do so, but just been ignored.

I'm with you now, and I have looked at your bug report thread by the way.  I actually have it bookmarked!  I was talking more about the lack of ipv6 features (no firewall!!!) because that is what I am currently battling.

Speaking of which, I really wish Cisco would work on the Windows 7 64-bit and Mac OSX Lion SSL VPN issues. 

I wonder how the Small Business team works anyway.  The Linksys home router and Enterprise teams must not work with them at all.  The E4200 (Linksys home router) has an ipv6 firewall, crude, but existent.  If I'm not mistaken they run on Linux as well...

Have you thought about starting an RV220W Bug and Enhancement Request thread?  If I'm not mistaken, the first post can always be updated by the original poster so the most up-to-date enhancement list (and link to your bug thread) could always be at the top of the thread.

You game?

Firewalling in the router has never been an important issue for us, as we are having much better firewalling (IPv4 and IPv6) on our Linux servers than I have ever seen in a router. On the workstations we are depending on the MS Windows firewall and virus protection software. We probably should look more into IPv6 firewalls on the workstations.

The bugzilla was made partly to get experience with that software, partly out of frustration of the non-responsiveness of CISCO, who could benefit from the no-cost work of an experienced IT-professional, but chose not to do so without any feedback whatsoever. I even wrote a letter to the CISCO CEO about the CISCO reputation issue without any response. So much for the politeness of CISCO management living in their ivory tower.

I don't have the time and energy to continue maintaining it, but anybody can add comments to it and create new reports.

I'd be game to participate in such a thread. I think my frustration comes from the fact that I see such potential in the RV220W, but that product that is in front of us right now has such obvious issues. In the interests of full disclosure, I am a former Cisco employee (not on the product development side) and the RV220W firmware *has* been getting better since the initial firmware I used, but it's still a long way from what I'd consider a fully baked product and if some of the open source alternative firmwares were able to run on that platform, I'd probably flash the hardware with them and call it a day.

Joergen, I had previously seen your Bugzilla and it was great to see that others were noticing (and suffering from) the same issues that I was noticing, so thanks for that. I definitely get your frustration regarding the slow speed of issue resolution, but keep in mind that constantly expressing that frustration will eventually turn even the best-intentioned Cisco employee off. In short: pick your spots and hopefully we can save you some of the frustration =)

I know that for myself, it'd be great to have a Cisco product manager participate here and say "hey guys, we hear you - here's what we see as the biggest issues for the product and where we're focusing our development efforts - any". I appreciate Cisco folks posting in specific support cases and their urging users to open TAC requests, but I think there's a missing overall sense of sustained engagement from the Cisco side in soliciting input and working together towards making a better product.

It is my impression that CISCO, like many other old corporations, has not been able to adjust to changing times.

It is not as in the old days, when the customers were just using the products, had no IT-knowledge and the company possessed all the information and maybe was in a certain level of monopoly.

Today there are many competitors in the market. The customers are shopping around and do not buy CISCO products, because they once did it.

Many customers are well-educated IT professionals whose knowledge equals or surpasses that of the CISCO supporters. There is also a community spirit among customers with the purpose of improving things.

I consider it foolish for a company not to tap into this source, but to continue its old-fashioned ways of handling customers.

These days we have Kodak in Chapter 11. A once very large and well-respected company and brand, which was not able to handle changing times and markets. This ought to be the writing on the wall for any old corporation.

JT,

the Cisco products that you're probably referring to are not really Cisco. They are post-acquisition Linksys. I don't know for sure, but it's even possible that they had a better quality before the Cisco acquisition.

The enterprise-class Cisco products have a much better software quality, and still enjoy a great reputation among IT professionals. The sales results show that clearly, and have for 25 years.

Yes, Kodak also has a great past!

I also know that this product is not a core CISCO product, but it does display CISCO on the front.

CISCO management has made a fundamental error in not ensuring that this product lives up to the standard expected by the market.

Quality control and testing is apparently absent. There are issues in the software, which can be found by anybody simply by testing it for 5 minutes.

My advice to CISCO management is that saving a few bucks on the quality control and testing department is not worth it. It is really going to hurt.

I'm not sure which company started the RV220W, probably Linksys, but they were on the right track.  It is an improvement over the WRVS4400N.  That said, I'm unsure where Cisco sees the RV SMB line of routers going.  They obviously are great supporters of the consumer line.  That line is rather strong, stable, and competitively priced and one of the main reasons they purchased Linksys in the first place.  The SMB line (Linux-based anyway) seems to be caught in the middle of the consumer line and IOS line.  I sometimes wonder if they intentionally hinder their capabilities.  They could easily utilize third party (DD-WRT, Tomato, etc) firmware sourcecode/functionality to make the RV220W a top-notch Linux-based router.
