Discussion in 'Cisco Small Business Routers and VPN Solutions' started by eric_stewart, Jun 1, 2006.

  1. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    I am now officially impressed. I successfully configured a site-to-site VPN between a Cisco PIX 501 firewall on a public IP address and the WRV200, where the WRV200 is behind 2 NAT'ing routers. Looking at the syslog output on the WRV200 (and examining the rich logging on the PIX) I can confirm:

    - The VPN successfully established an IPSEC SA at 256-bit AES encryption with HMAC-SHA and a pre-shared key;
    - NAT-T was successfully negotiated as both firewalls detected that the WRV200 was behind NAT router(s) and tunneled IPSec inside UDP port 4500.

    I have also tested (as mentioned in a previous post) the ability to separate both wireless SSIDs and wired ports into separate, private VLANs. Also, WPA2-AES seems to work fine as does the DHCP/static IP address assignment feature.

    PPTP (GRE) pass-through works, as does IPSec pass-through

    I'm a bit troubled by one thing. I will test it further, but I found that every time I changed the LAN IP from the default, address, it broke routing. I wasn't able to connect to the Internet until I changed it back to the default. I did the standard stuff...resetting the box to default settings and installing the latest 1.0.12 firmware, with the same results. Strange.

    I found a couple of other peculiarities and thought they might be because I was using IE 7 Beta 2, so I reverted to IE 6 and also tried Netscape 8.1 with the same result:
    - The administration page lets you change the administrator's password. When this page displays, it displays with the username/password field showing as blank. If you put username/password = admin/admin (for example) into it and save the settings you lock yourself out of the blasted device.
    - I have also noted the need for a reboot after making the most inconsequential changes...this makes making a number of different, consecutive settings somewhat frustrating. I also noted the same issue that someone else did, namely that some of the pages don't load properly the 1st time, and have to be reloaded.
    - As noted previously, I reverted to IE6 and also Netscape 8.1 and noted the same behaviour in both. In fact, some of the '.asp' extension pages would load first as a page full of (normally hidden) code and would require a refresh to load/format properly.

    I love the things that work on this box and are fixed relative to the WRV54G. I haven't tried QuickVPN with it, but am confident of success, especially because of the NAT-T feature. The syslog output indicates that the IPSec VPN server is Free S/WAN or Open S/WAN. There is a lot of syslog activity as changes are made. I haven't seen anywhere the number of "error" messages that come up when configuring/rebooting the WRV54G.

    I'm going to test the LAN IP address "issue" a bit more tomorrow. Setting the IP address is a bit of a no-brainer and I can't see the cause-and-effect of changing the LAN IP subsequently breaking routing. I will try other private IPs...maybe on the 10.x.x.x network or 172.16.x.x to see if I get similar issues. As it turns out, (the default LAN) is a good fit for my site-to-site VPN "test bed" since I have two private class C's on my home network that are different from the remote site and therefore don't have to worry about overlapping subnets and subsequent routing issues.
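    The NAT-T negotiation eric_stewart observes in the first post (both firewalls detecting that the WRV200 sits behind NAT and moving IPSec to UDP 4500) works by comparing RFC 3947 NAT-D payloads. The following is an added example, not code from the thread, the WRV200 firmware or the PIX: it computes NAT-D hashes the way the RFC defines them (HASH(CKY-I | CKY-R | IP | Port), SHA-1 here because HMAC-SHA was negotiated) and shows how each side decides whether its peer is NATed. All cookies, addresses and ports are constructed sample values, and the topology mirrors the thread's test bed.

```python
"""
Added example (not from the original thread or any vendor code): how the
NAT-Traversal detection described in the first post works.  RFC 3947 NAT-D
payloads carry HASH(CKY-I | CKY-R | IP | Port); each peer compares the hash
it received against the source address it actually observed on the wire.
A mismatch means a NAT rewrote the sender's address and/or port, and IKE/ESP
move to UDP 4500.  All cookies, addresses and ports are constructed values.
"""
import hashlib
import ipaddress
import struct

IKE_PORT = 500          # ISAKMP
NAT_T_PORT = 4500       # UDP-encapsulated IKE/ESP once NAT has been detected


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 section 3.2: HASH(CKY-I | CKY-R | IP | Port).
    The hash is the one negotiated for IKE (SHA-1 for HMAC-SHA, as in the
    thread); IP is in network byte order, Port a 2-byte network-order int."""
    return hashlib.sha1(
        cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    ).digest()


def peer_behind_nat(cky_i: bytes, cky_r: bytes, received_nat_d: bytes,
                    observed_ip: str, observed_port: int) -> bool:
    """Receiver recomputes the hash over the source it saw; a mismatch means
    the sender's address or port was rewritten by a NAT on the path."""
    return received_nat_d != nat_d_hash(cky_i, cky_r, observed_ip, observed_port)


def negotiate(initiator_local, initiator_seen_by_responder,
              responder_local, responder_seen_by_initiator,
              cky_i=bytes.fromhex("0102030405060708"),     # constructed cookies
              cky_r=bytes.fromhex("a1a2a3a4a5a6a7a8")):
    """Simulate the NAT-D exchange.  Each side hashes its own (ip, port) and
    sends it; the other side checks it against the post-NAT view it received."""
    # Initiator (the WRV200 in the thread) advertises its private address.
    init_nat_d = nat_d_hash(cky_i, cky_r, *initiator_local)
    # Responder (the PIX) compares against the source it actually received from.
    init_is_natted = peer_behind_nat(cky_i, cky_r, init_nat_d, *initiator_seen_by_responder)

    resp_nat_d = nat_d_hash(cky_i, cky_r, *responder_local)
    resp_is_natted = peer_behind_nat(cky_i, cky_r, resp_nat_d, *responder_seen_by_initiator)

    return {
        "initiator_behind_nat": init_is_natted,
        "responder_behind_nat": resp_is_natted,
        # Either side being NATed is enough to switch to UDP encapsulation.
        "port": NAT_T_PORT if (init_is_natted or resp_is_natted) else IKE_PORT,
    }


def thread_scenario():
    """The thread's topology: WRV200 behind two NAT routers, PIX 501 on a
    public address.  Addresses are constructed (RFC 5737 documentation ranges)."""
    return negotiate(
        initiator_local=("192.168.2.1", IKE_PORT),              # WRV200 WAN side, private
        initiator_seen_by_responder=("198.51.100.23", 41010),   # after two NAT hops
        responder_local=("203.0.113.5", IKE_PORT),              # PIX outside interface
        responder_seen_by_initiator=("203.0.113.5", IKE_PORT),  # unchanged: no NAT
    )


def no_nat_scenario():
    """Both peers on public addresses: hashes match, IKE stays on UDP 500."""
    return negotiate(
        initiator_local=("198.51.100.23", IKE_PORT),
        initiator_seen_by_responder=("198.51.100.23", IKE_PORT),
        responder_local=("203.0.113.5", IKE_PORT),
        responder_seen_by_initiator=("203.0.113.5", IKE_PORT),
    )


if __name__ == "__main__":
    print(thread_scenario())   # initiator_behind_nat True, port 4500
    print(no_nat_scenario())   # both False, port 500
```

    In a real exchange each peer sends two NAT-D payloads (one for the remote address it is sending to, then one for its own local address), and the port check matters as much as the IP check: a NAT that keeps the address but rewrites the source port is still detected. From the defender's side this is why a working NAT-T tunnel needs UDP 4500 permitted end to end and why the syslog lines on both firewalls should show the switch away from UDP 500.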

  2. DocLarge

    DocLarge Super Moderator Staff Member Member

    Sweet, Eric. I'm ordering a Cisco PIX 501 later on today myself (mostly for CCNA testing and to put my Cisco 1720 and Cisco 2610 online). I have a 1900 that hasn't really been used yet, but I need to get IOS for it...

    Do you run any other routers behind your Pix? I'm planning on running my Pix in front of my 1720 because my image is 12.3 (on the 1720) and it doesn't have a firewall. My thoughts are I can place the 1720 behind the Pix and all will be good. Any thoughts?

    As for my WRV200, provided it works as well as you're saying (which I also expect), I'm going to upgrade a few locations with this device.

  3. ccbadd

    ccbadd Network Guru Member

    Eric, I have been using with no real problems. I have noticed, and reproduced several times, that when the router reboots and you try to renew your ip lease, it still gives a ip. If you wait a minute or two before renewing, you will get the correct ip.

  4. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    I have two WRT54GSs behind my PIX 501, the 1st one establishes a DMZ between it and the PIX, and the 2nd is used purely as a wireless access point and PPTP server. They are running DD-WRT v23_SP1 firmware. I use the PIX to establish the perimeter and also as an IPSec VPN gateway for remote access clients.

    As described in the posting, I am experimenting with the PIX <--> WRV200 site-to-site VPN, but this is not something I usually need for a home network! That would definitely peg the geek-o-meter.

  5. kspare

    kspare Computer Guy Staff Member Member

    Doc, before you buy a new PIX, fire me an email @ kevin@pare.ca. I have a 10-user and a 50-user PIX that I want to sell.

  6. DocLarge

    DocLarge Super Moderator Staff Member Member

    Sure, Kspare.

    The price I'm getting it for is about $275 plus shipping (it's refurbished). 10 user license is all I'm after at the moment...

  7. randydodd

    randydodd LI Guru Member

    I had some minor difficulty with getting my WRV200 LAN set to, but after 2 attempts, got it to take.

    I noticed that several times, the thing flakes and does not take settings. So I always double check my settings.

  8. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    Just to follow up. I have been successful in changing the IP address to something other than for the WRV200 while maintaining routing. Whoo hoo!

    I've noticed some other anomalies in addition to the ones I mentioned before. When I make certain changes on the router, like setting a static DHCP assignment, when I return to the "Administration" page:

    - my passwords don't display (mentioned that before)
    - UPnP is set to "off".

    Of course, when I put UPnP back "on", and save settings, I'm nagged to put in an admin password. If I do (mentioned this before!) I lock myself out of the box.

  9. PTzero

    PTzero LI Guru Member

    I just got this router last night. After a little bit of experimentation, I got it to work as a WDS server to an Airport Express AP. The Airport Express now works as a nice little ethernet/wifi bridge for my (wifi-challenged) DirecTiVo. :clap:

  10. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    I found some other interesting features:
    - the WRV200 completely loses its configuration and goes back to factory defaults (SSID: linksys-g, LAN IP:, WAN: DHCP ...etc.) when heavily loaded. I haven't done any empirical testing of this, but it seems that when the teenage daughter unit is Bittorrenting/BitLording the device just "loses it"...literally.
    - When I restore the configuration that I very cleverly backed up, the device becomes unresponsive and reboots with ...you guessed it.... the default configuration
    - Periodically the box has a hissy fit when I make a change, the web GUI becomes unresponsive only to come back at some random interval (though it remains pingable and passes traffic)
    - My trusty WRT54GS w/ DD-WRT v23SP1 works flawlessly, though I note that whatever my daughter's doing is occupying over 300 of the 512 connections that the box can statefully inspect with the SPI firewall. (I might be missing something...only 512 connections?!)

    - Now for the good stuff. When it works, it is roughly 10% faster than the WRT54GS.
    - The syslog output seems to have a lot of goodies in it
    - DoS attacks are accurately reported in syslog;
    - The email alert feature works

    ...add to this the other (very!) useful features (previously tested and reported in a previous post) that this box has like multiple SSIDs, VLAN support, site-to-site VPN w/ AES, GRE pass-through which works, NAT-T patch, etc. and I can say that the good stuff is really good!

    I'm a bit frustrated but hopeful that, as DocLarge has posted, this is the Wireless/SPI Firewall/VPN Router that we've been waiting for.

    Anyone know anything about the hardware specs? RAM / Flash / Processor?

    Thanks for the bandwidth,

  11. TazUk

    TazUk Network Guru Member

    It should be listed on the FCC website but I'm buggered if I can find it :?

  12. DocLarge

    DocLarge Super Moderator Staff Member Member

  13. YeOldeStonecat

    YeOldeStonecat Network Guru Member

    Those dumps when under load are disappointing. Seems to make the unit out to be a little underhorsepowered.

    When this unit was announced...with its nice small office features...I was pretty excited..expecting something of a wireless version of the RV0 routers. And in the RV0 price range..upper 2 to mid 3 hundge range.

    Upon placing the order a few weeks ago and seeing the actual price of the unit..being sooooo inexpensive...I thought to myself "Uh oh...all these features..at such a cheap price"...it made me worry.

    Reading some of the performance quirks of this....starts to confirm my worry.

  14. SoonerAl

    SoonerAl LI Guru Member

    Does anyone know...

    ...if you can configure different encryption methods to each VLAN? Meaning can you use WPA-PSK (AES) on one VLAN and WPA-PSK (TKIP) on another VLAN and leave one VLAN totally unencrypted?

  15. TazUk

    TazUk Network Guru Member

  16. TazUk

    TazUk Network Guru Member

    Not much inside, most of the work is done by the Realtek RTL8651B gateway controller which is a combined 200MHz RISC CPU, network switch, hardware firewall, etc.

    There are two other main chips, one's a Ralink 802.11g WLAN controller and the other I can't read the number from.

  17. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    Re: Does anyone know...

    Yes. I'm on my "Hotspot" VLAN right now and it's unencrypted. My other SSID/VLAN uses WPA2/PSK/AES and is used for my home network. I can also confirm that you cannot ping from one to another.

  18. eric_stewart

    eric_stewart Super Moderator Staff Member Member

    One other thing. I've noticed that when I set up the WRV200 for https vs. http for management that:

    a) the pages load much quicker;
    b) I don't get errors on the pages (and have to reload the pages);

  19. tolsti

    tolsti Network Guru Member

    pptp server on wrv200?

    My RV042 supports PPTP connections from win2000/xp clients. Does WRV have a PPTP server too?

  20. YeOldeStonecat

    YeOldeStonecat Network Guru Member

    Re: pptp server on wrv200?

    I couldn't find it on current firmware...... :thumbdown: in my book.

  21. SoonerAl

    SoonerAl LI Guru Member

    Re: Does anyone know...


  22. tolsti

    tolsti Network Guru Member

    Would you agree that WRV200 is cost-effective, but still buggy and not feature-rich?
    Also one thing I like about RV042 is not having to reboot it every time you make a change to the settings. Compared to the WRV54G it's a breath of fresh air.

  23. YeOldeStonecat

    YeOldeStonecat Network Guru Member

    I'd say it's cost effective...under a hundred bucks and a somewhat decent set of features.....hopefully firmware will mature more. But being under a hundred bucks...not gonna get my hopes up all too much.

    For now...I have my eyes set on the upcoming WAP4400N, RVL200, and RVS4000....as far as the next products to drool over.

  24. randydodd

    randydodd LI Guru Member


    Hey Stonecat.
    I have to deploy a new wireless network next month, using 4 APs in infrastructure mode.
    Do you recommend I wait until the WAP4400N comes out? Or shall I use this WRV200?

    When is the WAP4400N coming?

    or alternative suggestions?

  25. kspare

    kspare Computer Guy Staff Member Member

    Well so far this is working ok, better wireless range and faster speeds.

    What I have noticed is that VPNs configured to use FQDN say they are connected but won't pass traffic.

    It also doesn't show the up time anymore??

    The multiple ssids and auto channel selection are VERY nice!
