
RV320 v1.1.1.19 Bugs + Feature Requests

matthew1471
Beginner

Firstly thank you for posting the new firmware and fixing some of the annoying bugs in the last version, the update to newer OpenSSL versions was particularly appreciated :-).

There are a few bugs and feature requests I still have that I'd like to share with you. From discussion with Cisco before, it sounds like some of these were planned, so perhaps these just didn't make it into the final release?

Recently Discovered:

Bugs:

1. Typos and software age : "Resource Management" under "SSL VPN" when you select "Add" under the "Application Icon" drop-down offers "Microsoft Interment Explorer" (sic). Also Microsoft FrontPage has been discontinued for 10 years and since superseded by 2 products (Microsoft Visual Studio is now the best replacement). The Cisco copyright is also (c) 2013 which all in all in 2015 makes the product feel quite old despite the firmware being released a few days ago.

2. The proposed Cisco "Easy VPN" on the VPN screens is actually End-of-Life (EoL) http://www.cisco.com/c/en/us/products/collateral/security/vpn-client/end_of_life_c51-680819.html so I'm not sure what the suggested option is on Windows 8.1

3. Client-To-Gateway settings IKE-with-Certificate expects the client to have a static IP or a DNS record... for a mobile device I'm not sure if it's possible to specify an IP range and the in-built help doesn't suggest anything.. this may however be a lack of VPN knowledge on my part. Group VPN while allowing you to specify other means of authentication also forces pre-shared key (so you cannot use certificates) and has an option referring to Microsoft XP/2000 clients which implies it won't work on newer versions of Windows. Windows XP and 2000 are both End of Life.

4. On the System Statistics page WAN2 is showing as Enabled, despite it being disabled and the system summary stating so. Also nothing is plugged into it and it reports on System Statistics that there have been 4 transmitted packets, 4 total packets and 424 transmitted packet bytes. The interface has been completely disabled from boot-up.

Feature Requests:

1. OpenVPN support.

2. A guide / assistance in the built-in help on how to make this VPN Router work with Android V4 and above clients using the default stock VPN options. The options on Android are "PPTP" (which nobody touches any more for new deployments, Microsoft themselves even recommend you avoid using this), "L2TP/IPSec" (Pre-Shared Key and RSA variants), IPSec Xauth (Pre-Shared Key and RSA variants) and one that allows a mix "IPSec Hybrid RSA".

Carried Over From "RV320 v1.1.1.06 Bugs + Feature Requests":

Bugs:

1. Mirror Port feature allows the device plugged into the port to still interact with the network and mirrored traffic (which is not the behaviour of your small business switches) allowing it to respond to and interact with received traffic. At a minimum the documentation does not warn of this difference in behaviour.

4. Still impossible to set a Daylight Saving rule for the UK. http://en.wikipedia.org/wiki/British_Summer_Time

5. DHCP Status table periodically loses all entries. Particularly after anything that causes the router to reboot. The documentation should explain this is since the router was started and this list is lost when the router is restarted.

8. Help for "System Statistics" and "Processes" is very limited (and not helpful).

9. Clicking "Enabled" or "Disabled" against USB1 or USB2 does not contain a hyperlink to the "USB Failover Settings" tab of the selected interface under Setup->Network where the operation mode can be set to "Disabled" which all the other options do have.

10. Processes like "webBoot" appearing and using port 22088 in the Processes table and "HTTP Server with SSL support" on ports like 5443 and the documentation lists nothing about them.

Feature Request:

1. Ability to choose which port is mirrored (LAN2, LAN3, LAN4, WAN1, WAN2, VLAN1.. etc) and potentially the destination (i.e if we are not using WAN2 why not make it an option to be a mirror port destination?).

2. Tables to be sortable ASCending/DESCending by clicking on the column.

3. "Enable Mirror Port (Port 1)" rename to "Mirror All Traffic (To Port 1)" and/or update documentation to explain a device on Port 1 with this enabled should NOT attempt to reply to the traffic.

4. Web API or Proprietary Telnet API (or even just experimental SSH access) option so we can programmatically add items to the firewall rules table (fail2ban etc) so we can write scripts in Python etc to ban IP addresses on the Firewall.

5. The option to choose what gets syslog'd and what gets written to the non-volatile memory log (worried about device longevity with all the logging turned on). The WAP371 now has this feature.

6. Bandwidth Management cannot set an IP to have a particular priority. The priority only lists services (with no IP address control) and the Rate Control only lists particular rates (but for specific IPs).. would like to say something like 192.168.1.5 has "High" priority.

7. Some of the columns to be sensibly sorted by default instead of the order they were entered.. for example IP & MAC Binding should be sorted by IP address.

8. A wider range of Dynamic DNS providers supported (1 for Europe/America and 1 for China is not really enough!). Perhaps an API/standard for this too so we can make our own.

9. Ability to route all web traffic via a HTTP proxy (like Squid). Sometimes called a transparent web proxy.

10. Ability to ban an IP after they fail to correctly login x number of times to either the VPN/Web Interface/SSL VPN etc.. to prevent bruteforce attacks succeeding.

11. DNS Local Database - Would be nice if there was an option (i.e. could be disabled) for the DNS server to append the domain name to any queries without a "." so Windows users could enter in "NAS" for example in the DNS Local Database and it behave as expected.

Also as an aside, I've noticed on this site when you type in too many tags into the add discussion page it errors and then trashes the form (including whatever you wrote in this box), which is quite frustrating.

Thank you again for fixing a lot of the bugs in the last release. I look forward to seeing the next one which should make the product even better. If there's a better way to be more involved in testing/reviewing Cisco products please let me know as I would love to help out.

Regards,
Matthew

Accepted Solutions

Rasmus Rask
Beginner

Oh for ..... sake!

Since upgrading to 1.1.1.19, I can no longer add or edit port forwarding entries - adding a new, or editing an existing, replaces the chosen service with "[TCP&UDP/~]" (aka. "all traffic") and also leaves the entry disabled.

Not only is this extremely buggy router, once again, an obstruction to my work, but I also now mangled an existing rule and can't revert it due to this bug.

I have effectively DoS'ed myself thanks to this lovely router. Is there no QA on your firmware releases?

When is the next FW release expected?

15 REPLIES

dancrichton
Beginner

Here are a few things that are on my list of annoyances so far. Still haven't put my RV320 into production due to show stopping issues.

1. Would like to see RADIUS support for PPTP (I know PPTP isn't recommended for VPN connections, but with no L2TP and the SSL VPN being unusable for IE10+ or Windows 7 64-bit it's the only choice when installing client software isn't an option).

2. It would also be handy if usernames weren't limited to 11 characters, in the absence of RADIUS support I'm unable to set my VPN users with the usernames they'd use normally as the 11 character limit is too short.

3. SSL VPN support for IE10+ and Windows 7 64-bit - apparently (I was told this by a Cisco support engineer) this is due in the next MR firmware release hopefully in April. Still outstanding in the current release which is why I've included it here. IE10+ support is a simple tweak to not rely on looking for "MSIE" in the user agent string, and instead to look for "Trident" (the IE rendering engine, and likely will be in the "Spartan" user agent string too). Also the ActiveX components have expired digital certificates so cannot be installed even on Windows 32-bit without registry changes to allow unsigned drivers to be installed.

4. Support for SSL VPN with non-IE browsers. Other vendors support non-IE browsers using Java based plugins, this would be useful too but I guess is dependent upon Cavium making these plugins available to Cisco.

5. Easy VPN summary page - using RADIUS for user authentication the Group VPN Status table shows the Remote Client as the tunnel name, rather than showing the username supplied in the connection. Would be much more useful to show the actual username as otherwise there is no way to determine which connection relates to which user.

6. Access rules limit - when defaulting to deny all outgoing connections and only allow specific ones, the limit of 50 access rules is hit pretty easily. Would be a little easier to manage if there was an option to specify both TCP and UDP in a single service entry - for instance, rather than having to set up DNS as TCP port 53 and UDP port 53, a single service entry as TCP/UDP port 53 would reduce the number of services and the number of access rules. Or a way to specify multiple ports for a single service rather than a range, such as when allowing external email access - a single rule allowing ports 25, 465, 110, 995, 143, 993 would cover unencrypted and SSL/TLS SMTP, POP3, and IMAP in one go.

Dan
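
The user-agent check described in item 3 above, as an added example that is not part of the original posts or of Cisco's firmware: it keys on the "Trident" engine token and falls back to "MSIE" only for releases that predate that token. The function name `detectIE` is hypothetical and the sample strings are constructed for illustration.

```javascript
// Added example: classify Internet Explorer from a User-Agent string.
// The UA header is client-supplied, so this is for compatibility routing
// (e.g. which VPN client page to serve), never an access-control decision.

// Trident engine major version -> IE release that shipped it.
const TRIDENT_TO_IE = { 4: 8, 5: 9, 6: 10, 7: 11 };

function detectIE(ua) {
  const trident = /\bTrident\/(\d+)\.\d+/.exec(ua);
  const msie = /\bMSIE (\d+)\.\d+/.exec(ua);
  if (!trident && !msie) {
    return { isIE: false, version: null, compatMode: false };
  }
  // Version the browser claims via the legacy token (absent in IE11).
  const claimed = msie ? Number(msie[1]) : null;
  // Version implied by the rendering engine; null if the engine is unknown.
  const mapped = trident ? TRIDENT_TO_IE[Number(trident[1])] : undefined;
  const engine = mapped === undefined ? null : mapped;
  // The engine token wins: in Compatibility View the MSIE token reports
  // an older release than the browser that is actually running.
  const version = engine !== null ? engine : claimed;
  const compatMode = engine !== null && claimed !== null && claimed < engine;
  return { isIE: true, version, compatMode };
}

// Constructed sample User-Agent strings (Windows 7 64-bit unless noted).
const SAMPLES = {
  ie11: "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
  ie10: "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)",
  ie11Compat: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0)",
  ie7Xp: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
  firefox: "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0",
};

// Returns { sampleName: detectionResult } for every constructed sample.
function classifySamples() {
  const out = {};
  for (const [name, ua] of Object.entries(SAMPLES)) out[name] = detectIE(ua);
  return out;
}
```

A check that only searches for "MSIE" misses the `ie11` sample entirely and reports the `ie11Compat` sample as IE7.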

I appreciate your knowledge, patience and persistence, Dan.

Looking forward to news about SSL VPN on any modern Windows OS. 

As a side-note, the support forums here themselves often seem extremely sluggish and buggy.

I've found copying and pasting my response periodically is a necessity on this site. There are just too many ways to lose your post while you're composing it!