WRV200 - from Internet gateway to just VPN gateway

Discussion in 'Cisco Small Business Routers and VPN Solutions' started by Sfor, Oct 16, 2007.

  1. Sfor

    Sfor Network Guru Member

    The WRV200 seems to be a bad platform for broadband Internet access. Its main advantage over other devices is low price and VPN capabilities.

    What I'm thinking of is to use a cheap and reliable SMC based broadband router (SMC7004br or Digitus DN-11005) as an Internet gateway and WRV200 to add just the IPSec VPN gateway to gateway ability.

    But, the question is how to combine two routers to work as one.

    All the traffic with exception of the VPN should go just through the SMC router, as WRV200 is not reliable enough. The WRV200 should process just the VPN traffic.

    The SMC router can route all the traffic to the networks connected through VPN tunnels to the WRV200 through the LAN. A static route entry can solve this easily. But, there will be a problem with creating a VPN connection over the NAT. And the same devices accessing the Internet should have access to the VPN. So, the LAN interfaces of both routers should be connected to the same LAN segment, I think.
  2. ghost_zero5

    ghost_zero5 LI Guru Member

    Normally it should be possible by forwarding the correct port(s) to the WRV200 (though I never tried it - and first I would need to find out which port(s) get used anyway)...
  3. Sfor

    Sfor Network Guru Member

    It is not so simple. The WRV200 is connected with both WAN and LAN ports to the same network segment. I found it to be possible by using different net masks. The SMC gateway uses mask, while the WRV200 WAN is using net mask. The gateway is in the WRV200 WAN IP range, while all LAN devices are using the WRV200 LAN IP range. I set the WRV200 WAN interface to be the DMZ host.

    Still, I can not make a VPN tunnel work.
  4. ifican

    ifican Network Guru Member

    The easiest will be for the wrv200 to initiate the vpn connection; if you set the tunnel to nat-t enabled it will connect from behind another device if it is initiating the tunnel. You will also need to make sure that the receiving device is nat-t capable. Also you should be able to forward ports udp 500 and 4500 to the wrv and it should respond if it's not the initiator, but nat-t still needs to be enabled.
  5. Sfor

    Sfor Network Guru Member

    A NAT-T enabled device will not be able to initiate connection.

    Also, I'm not sure which device should have the NAT-T enabled. Should it be the one behind NAT, or the other.

    The second gateway is a WRV200 with 1.0.33 firmware. So, it is NAT-T capable, as far as I know.

    Here is the current log:
    And the negotiation stops at this point.
  6. ifican

    ifican Network Guru Member

    A device that is nat-t enabled most certainly can initiate; now if the wrv can, I don't know, I would have to pull mine out and look, but I believe it can. All nat-t does is wrap the ipsec (protocol 50) in a udp port 4500 wrapper so it can be pat'ed and return correctly, and it needs to be enabled on the vpn router. You will also need to make sure that ipsec passthru is enabled on the router in front of your vpn router.
  7. ghost_zero5

    ghost_zero5 LI Guru Member

    So you mean the WRV200 is already set to DMZ on the second router - meaning everything will get sent there..?
    In that case the WRV200 would more or less again do all the NAT himself because you forward all the traffic to it...
  8. ifican

    ifican Network Guru Member

    Not necessarily, it will depend on the front router; some pass traffic to an internet facing ip in the dmz, others do not (dmz still nat'd). Also, especially with vpn traffic, I do not know any devices that pass ipsec traffic unless it knows where to send it (dmz or otherwise). But this is a good observation and worth looking into.
  9. Sfor

    Sfor Network Guru Member

    In my WRV200, if I enable "Nat-Traversal" function the router forces me to change "Remote secure group" and "Remote secure gateway" to "Any". The "Restart" button is disabled, then. So, I can not reconnect the tunnel, if NAT-T is enabled.

    My gateway router does not have an IPSec passthrough function, as far as I know.
  10. ifican

    ifican Network Guru Member

    Then try forwarding udp port 500 and 4500 to the wrv and initiate it from the other side
  11. Sfor

    Sfor Network Guru Member

    I added the forwarding, and I got the tunnel connected without NAT-T enabled. But, something is wrong with the transfers. I can not ping through the tunnel.

    WRV200 acts strange. Something is wrong with the LAN switch in it. It is related to the WAN-LAN connection, probably.
  12. Sfor

    Sfor Network Guru Member

    The VPN tunnels were working correctly, when the WRV200 was the internet gateway. Now, the WRV200 is behind SMC router and the VPN does not work as it was before.

    I forwarded the ports 500 and 4500 to the WRV200 WAN IP. The tunnel with the other WRV200 connects, but it does not work. Here is the log:
    At the same time I can not get the second tunnel to an RV042 device connected.
    I also tried switching the WRV200 to the router mode. It made no change on the VPN, but I'm able to access the WEB GUI from the WAN IP without remote management enabled. A bit strange, but it has nothing to do with the VPN.
  13. DocLarge

    DocLarge Super Moderator Staff Member Member


    SFOR, what SMC router are you using? I was able to do vpn in the exact same configuration you're running but with an SMCBR18VPN Barricade Firewall router. I was actually connecting to Eric Stewart's pix and there was no problem pinging or transferring files...

    Which SMC router are you using?

  14. ifican

    ifican Network Guru Member


    The symptoms he is currently experiencing are the exact symptoms you will see if nat-t is not being used. I can recreate this at home (mind you without the same routers), but if a nat-t enabled client connects to a concentrator that is not nat-t enabled the vpn will connect but not work (the border router drops the ipsec (protocol 50) traffic because it does not know what to do with it), but the tunnel stays up and appears to be working. However, once nat-t is enabled on the concentrator the client connects and works flawlessly. This can also be verified by sniffing traffic on the border / nat router.
  15. Sfor

    Sfor Network Guru Member

    I'm using an SMC barricade clone DN-11005 made by Digitus. The firmware is almost the same. Digitus changed some screen colors, but the rest is SMC design.

    I'll try to check the NAT-T with remote router, again.

    I wish I knew what ports the IPSec is using for the tunnel traffic.
  16. ifican

    ifican Network Guru Member

    That's the tricky part: ipsec is a protocol and does not use a port number. So there is no way to forward ipsec unless you do a one to one nat. That is where nat-t comes in; nat-t wraps ipsec in a udp port 4500 wrapper so you have the ability to forward it wherever you like.
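    The point ifican makes in posts 14 and 16 (ESP is IP protocol 50 with no port, so a port-forwarding NAT can only pass it with IPsec passthrough or a one-to-one mapping, while NAT-T wraps it in UDP/4500) can be shown with a small classifier. The following is an added example, not code from the thread or from any of the routers discussed; the packets are constructed inline, the NAT decision logic is a simplified model of a consumer router, and the RFC 3948 details (UDP/4500, the four-zero-byte non-ESP marker before IKE, the single 0xff keepalive byte) are the only parts taken from the standard.

```python
"""Added example: how a port-forwarding NAT sees IKE, raw ESP and NAT-T traffic.

Constructed packets only; nat_verdict() is a simplified model of a consumer
router, not the behaviour of any specific device in the thread.
"""
from __future__ import annotations
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_UDP, IPPROTO_ESP = 17, 50
IKE_PORT, NATT_PORT = 500, 4500


@dataclass
class Packet:
    proto: int
    sport: Optional[int]
    dport: Optional[int]
    payload: bytes


def build_ipv4(proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header, no options, checksum left zero, constructed addresses."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      64, proto, 0, bytes([192, 168, 1, 2]), bytes([203, 0, 113, 1]))
    return hdr + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def parse_ipv4(raw: bytes) -> Packet:
    ihl = (raw[0] & 0x0F) * 4
    proto = raw[9]
    body = raw[ihl:]
    if proto == IPPROTO_UDP:
        sport, dport, length, _csum = struct.unpack("!HHHH", body[:8])
        return Packet(proto, sport, dport, body[8:length])
    return Packet(proto, None, None, body)  # ESP, AH, ...: there are no ports to read


def classify(pkt: Packet) -> str:
    """Name the IPsec flavour of a packet the way a NAT or firewall must."""
    if pkt.proto == IPPROTO_ESP:
        return "esp-raw"                      # SPI + sequence number, no UDP/TCP port
    if pkt.proto != IPPROTO_UDP:
        return "other"
    if IKE_PORT in (pkt.sport, pkt.dport):
        return "ike"                          # ISAKMP on UDP/500
    if NATT_PORT in (pkt.sport, pkt.dport):
        p = pkt.payload
        if p == b"\xff":
            return "natt-keepalive"           # RFC 3948 section 4
        if p[:4] == b"\x00\x00\x00\x00":
            return "ike-natt"                 # non-ESP marker, then ISAKMP header
        if len(p) >= 8:
            return "esp-udp"                  # UDP-encapsulated ESP (SPI is non-zero)
    return "other"


def nat_verdict(kind: str, forwarded_udp: set[int], ipsec_passthrough: bool) -> str:
    """Inbound decision of a simple NAT: pass to the inside VPN host or drop."""
    if kind == "esp-raw":
        return "forward" if ipsec_passthrough else "drop"   # nothing to port-forward on
    if kind == "ike":
        return "forward" if IKE_PORT in forwarded_udp else "drop"
    if kind in ("ike-natt", "esp-udp", "natt-keepalive"):
        return "forward" if NATT_PORT in forwarded_udp else "drop"
    return "drop"


# Constructed sample packets: an IKEv1 main-mode header and an ESP header plus ciphertext.
ISAKMP_HDR = struct.pack("!8s8sBBBBII", b"\x11" * 8, b"\x00" * 8, 1, 0x10, 2, 0, 0, 28)
ESP_HDR = struct.pack("!II", 0x0A0B0C0D, 1) + b"\xaa" * 32

SAMPLES = {
    "ike_udp500": build_ipv4(IPPROTO_UDP, build_udp(IKE_PORT, IKE_PORT, ISAKMP_HDR)),
    "ike_udp4500": build_ipv4(IPPROTO_UDP, build_udp(NATT_PORT, NATT_PORT, b"\x00" * 4 + ISAKMP_HDR)),
    "esp_raw": build_ipv4(IPPROTO_ESP, ESP_HDR),
    "esp_udp4500": build_ipv4(IPPROTO_UDP, build_udp(NATT_PORT, NATT_PORT, ESP_HDR)),
    "keepalive": build_ipv4(IPPROTO_UDP, build_udp(NATT_PORT, NATT_PORT, b"\xff")),
}


def simulate(forwarded_udp: set[int], ipsec_passthrough: bool) -> dict[str, str]:
    """Verdict for every sample under one NAT configuration."""
    return {name: nat_verdict(classify(parse_ipv4(raw)), forwarded_udp, ipsec_passthrough)
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    # The thread's setup: UDP 500/4500 forwarded, no IPsec passthrough on the gateway.
    for name, verdict in simulate({500, 4500}, False).items():
        print(f"{name:12s} {verdict}")
```

    Run with UDP 500 and 4500 forwarded and no passthrough, IKE on either port goes through and the tunnel negotiates, but raw ESP is dropped, which is the "tunnel up, no traffic" symptom; only the UDP-encapsulated ESP produced when NAT-T is active on both ends reaches the inside host.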
  17. Sfor

    Sfor Network Guru Member

    With Nat-T enabled on the remote router:
    With NAT-T enabled on the local router:
    In either case it does not work.
  18. ifican

    ifican Network Guru Member

    While i look over this, you currently have nat-t enabled for the tunnel in question on both sides, yes?

    edit: from looking over the logs it appears that you shut off nat-t on the remote and turned it on on the local. It needs to be on on both sides so each knows what do to.
  19. Sfor

    Sfor Network Guru Member

    If I enable NAT-T on both sides I will not be able to connect.

    With NAT-T enabled the WRV200 will not let me save the tunnel settings until I change the remote security group and remote gateway to "any". After that it is not possible to connect from this device. Only a remote device can do it.
  20. ifican

    ifican Network Guru Member

    When you enable nat-t, that's what tells it to wrap it in the udp port 4500, as witnessed in your logs. Well, come to think of it, you can enable nat-t on the 200, keep the ports on the smc forwarded to the 200 and it should still work; just make sure your remote end settings are correct and you have strong passwords. You will also have to initiate it from the remote end, but it should work.
  21. Sfor

    Sfor Network Guru Member

    It does not work, still.

    Also, I see no reason for the restrictions to the remote gateway settings with NAT-T enabled in WRV200. RV042 gives a possibility to enable NAT-T without forcing remote gateway type.

    I do believe it is another bug in the WRV200 firmware.
  22. ifican

    ifican Network Guru Member

    I agree with the nat-t restrictions issue; any other device I have that is nat-t capable lets me set it up however I want. If you want, repost the new logs so we can see what it's doing.
  23. Sfor

    Sfor Network Guru Member

    I got tired, and I decided to report the bug to the Linksys, directly.

    Interesting thing is, there is a Polish language Live Chat linksys support option available. Looks like Linksys improves the customer support.
  24. Sfor

    Sfor Network Guru Member

    Well, I made yet another experiment. I tried to connect to a RV042, this time.

    If I enable the NAT-T in RV042 the tunnel connects, but there is no transfer, as well. There is no difference with NAT-T enabled in WRV200. I'm starting to believe the WRV200 does have the NAT-T enabled, always. The switch in the WEB GUI does absolutely nothing about the NAT-T.

    Another thing is the DN-11005 router DMZ feature does not work correctly, as well. It does forward low ports to the DMZ host, but higher ports are blocked. It appears port 500 is forwarded by the DMZ feature, but 4500 is not.

    I'm curious, if it would be possible to set a port forwarding rule to the whole port range. It would be a sort of DMZ problem workaround. What I'm afraid of is a conflict with NAT. Depending on the routing rule execution order it could block other traffic. But, if the NAT has a higher priority than port forwarding, it could work.
  25. Sfor

    Sfor Network Guru Member

    I failed to create usable tunnels and I found another bug in the firmware.

    It is time to conclude.

    WRV200... What it is good for?... Absolutely nothing.

    I bought two of them more than a year ago. Many issues were fixed by self reset, but the reboot fix is yet another problem.

    Router reboots itself to keep GUI access and proper services available. This is causing about a minute long drops in services with every reset (it is very frustrating during IP phone calls). Also the router switch stops responding during a reboot making drops in LAN communication.

    I tried to use a more reliable router to provide routing services to my network. WRV200 was to provide just the VPN services. Since this is not working, and the Linksys had more than enough time to make the device working correctly, it is a proper time to simply look for a better router.

    I made a quick search with local offers of the VPN capable routers and I found a few interesting devices:

    1) D-Link Dl-804HV - no wireless, but I do not need it. It has a bonus - RS232 port. It is just a tiny bit more expensive than WRV200.
    2) Zioncom/ipTime IP1601 - no wireless, as well. But, it has a built in 16 port switch. 19" case. (big one) the same price as WRV200.
    3) Linksys AG241 - no wireless, ADSL router. If someone has an ADSL line it looks like a very good choice (not in my case, as I do need an ethernet WAN port). It is significantly cheaper than WRV200.
    4) Linksys WRV200 - its only advantage could be the wireless ability.
  26. kspare

    kspare Computer Guy Staff Member Member

    can you post your settings for your tunnels on each side? I'm running 3 wrv200's that connect back to a pix 506e firewall without problem.

    In fact at each site we're running it as a router, site to site vpn, wifi, qos. And it's working nearly flawlessly with beta 1.0.35.

    Also what firmware are you running?
  27. Sfor

    Sfor Network Guru Member

    I'm running just two WRV200, one with 1.0.33 and one with 1.0.34. Everything works quite well, if the router is set as the internet gateway. But, it does self resets too often to consider it a reliable device. I had to plug all LAN devices into an ethernet switch, because the resets are breaking LAN communication.

    The VPN works good enough for me. There are two WRV200 and a RV042 in a triangle shaped network.

    When I needed a VPN capable router (a year ago), the WRV200 was the only low price device on the market. Now it does have competition. I waited long enough. I declared my will to change the device many months ago on this forum. The reason why I did not do it then was the fact there was no other device on the market at the same price. Now, my network is about to grow again. I know the WRV200 too well to trust it. There are a lot of problems the firmware maintainer is not able to reproduce; the conclusion is the device is unstable and a hardware issue is one of the possible causes.

    I do not need wireless. This feature was disabled since I bought my WRV200. D-Link Dl-804HV costs almost the same money as WRV200, so I'm going to buy and try one. I've heard some opinions the D-Link device is much more stable. If this is the truth I will get rid of all WRV200 devices, probably.

    WRV200 can be used as a SOHO device. But, it does not appear to be reliable enough for a business class router.
  28. Sfor

    Sfor Network Guru Member

    I did some research, and I found the D-Link DI-804HV does not have a 3DES encryption acceleration unit. Since I do not know what this device can do, maybe I should give yet another chance to the WRV200, as it can go up to 30Mbits with the VPN traffic.
  29. Sfor

    Sfor Network Guru Member

    I was able to get the IP1601 user manual. And, this device looks very interesting. The good side is it has WOL (I wish WRV200 would have this option) and PPTP VPN server. But, it does not have IPSec VPN except for the passthrough support.

    Darn. WRV200 looks better with every new bit of information I'm collecting.
  30. DocLarge

    DocLarge Super Moderator Staff Member Member

    The DI-804HV and the DI-808HV both can run up to 40 IPSEC vpn tunnels (I have the DI-808HV which is the 8-port version). This router is essentially the same coding as the now defunct SMC SMCBR18VPN Firewall Vpn router (I have this one also). Both have a failover port for dial-up connection, something I wish the developers would consider.

    The main reason I stopped using the Dlink was that it didn't have good ftp support; Hell, it basically wouldn't work. I bought this when I got fed up with the WRV54G not being supported (this was when they took almost two years before developing any new firmware a while back). I slung one of my other routers onto it for wireless functionality and it worked fine for other things. Still, I prefer Linksys, but the unit you're looking at is "decent." It's still no wrv200 though :)

    Try 1.0.35; that's what I'm using now and it's still passing my little tests...

  31. Sfor

    Sfor Network Guru Member

    My WRV200 routers are connected through a 100MBit/s WAN. So, the speed of the VPN encoding/decoding is an important matter, for me.

    WRV200 works quite well, except for the self resets I'm experiencing. The last one happened less than an hour ago.

    The SysLog showed:
    It looks like the WRV200 ethernet switch related reboot, I think. The PAP2 rebooted, as well.

    The 1.0.35 firmware does change nothing important from the 1.0.34 I'm using now. I do not believe it will do anything good. The hourly DHCP renew can be another cause of the Internet connection drops.
  32. DocLarge

    DocLarge Super Moderator Staff Member Member

    From what you're displaying, it seems as if port 1 might have rebooted, because if any traffic did change, it normally takes between 15 - 30 seconds for a port to go from blocking to listening, learning, and then into forwarding mode.

    Again, a change in firmware may do you... :)

  33. kspare

    kspare Computer Guy Staff Member Member

    You need to post more of that syslog; it kinda looks like the voip device rebooted and not the router... but I could be wrong. The port forwarding states would have been reset when the voip device rebooted.
  34. kspare

    kspare Computer Guy Staff Member Member

    Is there any chance I could come in and look at your routers via the gui? Also can you try running the .35 firmware? I'm running a wrv200 in a production environment, running 2 vpn tunnels, wifi, qos, port forwarding, basically everything, and it's been incredibly stable. I've had no reboots and no problems with ftp either.

    Let me know.
  35. Sfor

    Sfor Network Guru Member

    The entire WAN I have Internet access through is behind NAT. So, access to my routers through the Internet is not possible.

    The router rebooted, for sure, as the "System Up Time" counter was cleared then.

    I did another reset a few minutes later, just to see what log entries are generated during a reset event. Here is the result:
    So, there is not much in the SysLog telling about a reset routine event.

    I switched off DHCP and the SIP application layer and I'm waiting for another reset event.

    If it will not help then I'll try the 1.0.35 firmware.

    The interesting thing is the other WRV200 resets itself just about once a week, only. It is connected to the same WAN, but there is not as much traffic there. So, the problem is related to my LAN, traffic, or simply my WRV200 device is faulty.
  36. Sfor

    Sfor Network Guru Member

    It did it again:
    But this time it did it multiple times in round.

    When I saw the internet connection not working I entered the router WEB UI, but it did not respond. Then I went to see the SysLog entries. So, I saw it keeps resetting itself. Then I went to see the router lights and I managed to see at least 3 reset events in round.
  37. Sfor

    Sfor Network Guru Member

    Exactly as I was expecting. The 1.0.35 firmware reconnects VPN tunnels every hour. This breaks network connections made over VPN tunnels. So, this firmware together with the DHCP WAN setting is worse than the older one, when it comes to VPN networking.

    My router acts very strange. One of the LAN ports hanged. A reset cleared the problem. But, I'm starting to believe my router is damaged.
  38. DocLarge

    DocLarge Super Moderator Staff Member Member

    I was getting ready to make that comment about your router also (being damaged) because it doesn't appear that your router is resetting (checking the "system uptime" will tell you if the router reboots or not); the port information seems to be fluctuating back and forth. Having said that, the log information is saying to me that either something connected to your router is causing the port to go from blocking and listening, or one of the ports is bad, thus the fluctuation between the blocking, forwarding, and listening states.

    Again, this is just my guess...

  39. Sfor

    Sfor Network Guru Member

    Well. There is another router connected to the LAN1 serving as a LAN switch and WOL web interface. There are 2 computers connected to it and another LAN ethernet switch with just two computers. The WRV200 LAN4 is connected directly to a Linksys PAP2 device.

    Today I received a phone call that my PAP2 is not responding, and VoIP is not working. The LAN4 light was off. When I moved the plug to LAN3 the PAP2 started to work again. The LAN4 appeared to be dead until I did a software reset from the WEB GUI.
  40. DocLarge

    DocLarge Super Moderator Staff Member Member

    Hmmm, could this be....?!?!?! :)

    Again, I don't think your router is resetting. As I said in the PM, your router is going from blocking thru forwarding. It's quite possible LAN4 port is causing this when it fails, "if" what you say about the port is true. I'm going on what your logs are saying regarding the "Forwarding" entries... For some of you who are not aware, if a router has chosen a "designated port" to connect to the root bridge (switch) it's other interfaces go into "blocking" mode. If the designated port on that particular switch fails, then the switch that was in blocking mode goes to listening (15 seconds) learning (15 seconds) and then finally into "forwarding" mode.

    SFOR, if you are allowed, respond to Kspare and see if you two can allow time for him to take a look for you (again, "if" allowed). I'm putting my money on a bad port (Port 4).

    We'll take a look at the "vpn dropping every hour" with 1.0.35 firmware to confirm.

  41. HughR

    HughR LI Guru Member

    Disclaimer: I have never used my WRV200 seriously. It doesn't sound good enough to bother with.

    I don't know what "reconnects VPN tunnels every hour" actually means.

    It is normal for IPSec connections to be rekeyed regularly. This is just proper crypto hygiene. Rekeying means, essentially, replacing an old tunnel with a new one. The protocol is designed for this to happen without interrupting tunnel traffic. (It isn't quite that clean. You can see some of the details in an RFC Henry and I wrote: http://tools.ietf.org/html/draft-spencer-ipsec-ike-implementation-02. This reflects some of our experience writing the IPSec code subsequently used in the WRV200.)

    So: if "reconnects VPN tunnels every hour" means rekeying, then this should not cause breaks in network connections made over VPN tunnels.
  42. HughR

    HughR LI Guru Member

    The more I read of these problems, the more I wonder if the right approach is to use OpenWRT + Openswan on some suitable cheap or spacious router.

    Personally, I use cheap old Small Form Factor PCs as gateway machines. They are a lot easier to bend to ones will, but they are noisy and take more power.

    I just started playing with OpenWRT on a refurb Motorola WR850G (cheap!!). I've hit a couple of snags and the OpenWRT community is not quite as responsive as I'd hoped (my first patches were actually accepted today, so things are looking up).

    Mandatory rant: the GPL is being broken by Linksysinfo (presumably Linksys itself) distributing beta copies of the WRV200 firmware (including some of my code) without distributing the source code. A reasonable open source firmware community could presumably fix these long-standing bugs.
  43. Sfor

    Sfor Network Guru Member

    Well. The IPSec is being stopped every hour, so it is not a key renegotiation case. Here is the log:
    Gemtek maintains the WRV200 code and Linksys puts the logo, as far as I know.

    As for the GPL development. There is no known broken firmware recovery routine for the WRV200. It makes firmware tweak testing quite dangerous. I would have started tweaking the code a long time ago, if it were less dangerous.
  44. HughR

    HughR LI Guru Member

    You are right. Taking down IPSec every hour seems like a very bad idea.

    If that is what Toxic refers to as "resetting the firewall ALG module hourly" in the first message of http://www.linksysinfo.org/forums/showthread.php?t=54972 then that is truly a desperation move.

    The "firewall ALG module" isn't normal iptables terminology. I would guess that this would involve resetting conntracking or perhaps unloading and reloading ip_conntrack_ftp and ip_nat_ftp.

    If you say so. But Gemtek (and Linksys) are not making the beta firmware binary available to everyone on the internet. Linksysinfo is, so they are the ones that are clearly violating the license.
    Can you build from source a firmware image that clearly matches one of the corresponding binary firmware distributed by Linksys? If so, certain small changes might be safe enough (like: adding dropbear ssh server).
  45. kspare

    kspare Computer Guy Staff Member Member

    Before you start talking out your ass about something you obviously know nothing about..maybe ask some questions. Linksys supplies a select few the beta firmware binary, linksysinfo then helps distribute the binary on linksys' behalf. So before you come off acting like you are the GPL police make sure you know the facts.
  46. Sfor

    Sfor Network Guru Member

    No, this is not the case. ALG module hourly reset is done in the 1.0.36 firmware. The hourly VPN disconnection is happening with the 1.0.35 firmware and is related to DHCP hourly renewal, somehow.

    The thread you mentioned started with the 1.0.36, only. The 1.0.35 was added later. That's why the first post does not give the details about 1.0.35.
  47. HughR

    HughR LI Guru Member

    The GPL creates obligations on distributors. Simplified: because Linksysinfo offers me the binary, and I have accepted, Linksysinfo is obligated to offer me the source.

    Linksys has not offered me the beta binary. I have asked. So they are not obliged to offer me the source.

    Gemtek has not offered me any binary (beta or otherwise). I have not asked but I did have a quick look at their web site. So they are not obliged to offer me the source.

    As far as being the GPL police, in some sense I can be. When the GPL is violated, it is the copyright holders who are the ones who can bring legal proceedings. I am one of the copyright holders of the code in question.

    I pressed Linksys to release the source for the WRV200 in the first place. It took some time, but they did. I have no way of knowing if there is a causal link.

    Please explain what leads you to conclude that I know nothing? What questions should I be asking?

    Here's one to ask Linksysinfo: may I please have the source code corresponding to the beta firmware that you are distributing? This should prompt Linksysinfo to ask the same from Linksys.
  48. HughR

    HughR LI Guru Member

    OK. Good to know.

    I wonder why the DHCP hourly renewal is done in this way. It is normal for a DHCP client to try to renew a lease without releasing the old one. The behaviour you describe suggests that a release is being done.

    If an interface goes down (i.e. loses its IP address), Openswan would normally delete any tunnels associated with that interface. Perhaps the DHCP hourly renewal is taking down the interface.

    I don't understand what the DHCP renewal is trying to accomplish but it sounds as if it is a bit heavy handed and will cause more disruption than is necessary.
  49. Sfor

    Sfor Network Guru Member

    I saw such a result on a Linksys RV042. When the DHCP lease timed out the router was losing the VPN connection during the DHCP renew procedure. This issue was solved with a new firmware. But, knowing the speed of the WRV200 firmware development, I had a pretty good chance of winning a bet that the WRV200 has the same issue.
  50. DocLarge

    DocLarge Super Moderator Staff Member Member

    ???????? *scratch* *scratch*

    Hugh, you're normally a well mannered soul in our forum, but I must ask, what's got you going as of late?

  51. Sfor

    Sfor Network Guru Member

    I made another experiment today.

    I set the WAN to:
    The gateway: (gateway NAT router)

    the LAN to:

    Then I've connected LAN2 to another gateway router, and WAN to LAN1.

    In theory WAN outbound packets to should reach the LAN switch through LAN1, then to go out through LAN2. But, they were dropped, instead.

    I had to connect WAN to the gateway router directly, in order for WAN outbound packets to reach the target.
  52. Sfor

    Sfor Network Guru Member

    At last... The WRV200 works as just a VPN gateway now. The solution was to change the gateway router to IPSec Passthrough capable one.

    I've bought an OvisLink AirLive IP-1000R router, recently. So, I could continue experiments with some new hardware.

    I've set the WRV200 as follows.
    - DHCP switched off.
    - changed from gateway to router mode.
    - WAN and LAN port subnet mask is Both are covering the whole gateway router subnet which is
    - The VPN tunnel local secure group network mask is
    - both LAN and WAN ports are connected to the Internet gateway router.

    Internet gateway IP-1000R router.
    - Routing rules directing the traffic to the remote networks through the WRV200 LAN port as a gateway
    - Virtual server port 500 and 4500 mapped to the WRV200 WAN IP port.