RV220W - in routing mode changes external IP with router IP

Unanswered Question
Apr 10th, 2011

Good day.

I just installed one RV220W in my network, in routing mode (not NAT), using on the WAN port public IP 193.111.184.xxx and on the LAN side an IP from my company public C class (212.100.143.0). It's working, but the main and huge problem is that the router is replacing any IP coming from the internet with its own 212.100.143.xxx IP, which messes up everything (logs, counters, etc).

It was using 1.0.1.0 firmware, I switched to 1.0.0.26 but nothing changed.

Also I have a VPN - gate to gate with another location (RV042), and all computers from the other side of the tunnel report the same router IP 212.100.143.xxx when accessing servers on my side, which is also bad.

Previously I used an RV082 for this job and everything was great, except the 100 Mb WAN/LAN ports of the RV082, which I will use until I get the RV220W working right.

Any idea is appreciated.

Thank you,

Catalin Burla

gctwnl001 Sun, 04/10/2011 - 12:59

I have changed this weekend from a DSL using a Linksys by Cisco WAG54G2 to a Cisco RV220W Small Business Router and just found out the same problem. This is serious for me, for one, it completely destroys SPAM blocking with DNS blacklists.

This is how it looked when using the linksys:

Apr  9 03:18:17 vanroodewierda postfix/smtpd[49507]: connect from 189-041-10-204.xd-dynamic.ctbcnetsuper.com.br[189.41.10.204]

Apr  9 03:18:18 vanroodewierda postfix/smtpd[49507]: NOQUEUE: reject: RCPT from 189-041-10-204.xd-dynamic.ctbcnetsuper.com.br[189.41.10.204]: 554 5.7.1 Service unavailable; Client host [189.41.10.204] blocked using zen.spamhaus.org; http://www.spamhaus.org/query/bl?ip=189.41.10.204; from=<no-reply005@job.com> to=<d091c4bd-0476-11d7-aba4-0003930ad8a4@rna.nl> proto=ESMTP helo=<189-041-10-204.xd-dynamic.ctbcnetsuper.com.br>

This is how it looks when using the RV220W:

Apr 10 18:34:29 vanroodewierda postfix/smtpd[31608]: connect from ciscorouter.rna.nl[192.168.2.254]

And thus DNSBL is not possible. My RV220W uses One-to-One NAT to route one of the 5 outside WAN IP addresses to the mail server on the LAN. Because I do not get the external IP address passed on to the inside, postfix has nothing to go on. I tried instead to use the normal port forwarding in the IPv4 rules on my main WAN IP address, but that doesn't help.

How and where can I report this and how long will it take Cisco to fix something like this? Because this is very important for me (and my users) and I'll have to return the router and buy another brand if it takes too long.

gctwnl001 Sun, 04/10/2011 - 14:50

There is a second nasty effect of this. My machines on the LAN are protected by a firewall. This firewall has different rule sets for the LAN (192.168.x.x) and for the rest.

With the translation by the RV220W of all external IPs to an internal one, all external traffic has now become elevated to 'internal' status.

One other possible effect (apart from what a firewall thinks) is that if for instance your mail server only relays for the internal LAN, any host on the internet has now become 'the internal LAN' and in effect your RV220W has turned your mail server into an open relay on the internet. This is not what Cisco wants to promote, I think.
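
A check a mail administrator could run to notice the condition described in the posts above, as an added example that is not from any poster or from Cisco: it counts the client addresses in Postfix `connect from` lines and flags a log in which the router's LAN address dominates. The gateway address, the thresholds, the function names and the sample log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines modelled on the Postfix log format quoted in the thread.
SAMPLE_LOG = """\
Apr 10 18:34:29 mail postfix/smtpd[31608]: connect from ciscorouter.example[192.168.2.254]
Apr 10 18:34:41 mail postfix/smtpd[31609]: connect from ciscorouter.example[192.168.2.254]
Apr 10 18:35:02 mail postfix/smtpd[31611]: connect from ciscorouter.example[192.168.2.254]
Apr 10 18:35:30 mail postfix/smtpd[31612]: connect from unknown[192.168.2.17]
Apr 10 18:36:10 mail postfix/smtpd[31613]: connect from ciscorouter.example[192.168.2.254]
"""

# Matches "connect from host[ip]" and captures the bracketed address (IPv4 or IPv6).
CONNECT_RE = re.compile(r"postfix/smtpd\[\d+\]: connect from \S+\[([0-9a-fA-F.:]+)\]")

def client_ips(log_text):
    """Yield the client IP of every smtpd 'connect from' line."""
    for line in log_text.splitlines():
        m = CONNECT_RE.search(line)
        if not m:
            continue
        try:
            yield ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # malformed address in the log; skip it

def masking_report(log_text, gateway, min_share=0.5, min_connects=4):
    """Report how many SMTP clients appear to be the gateway itself.

    gateway: LAN address of the router (assumed known to the operator).
    masked is True when enough connections were seen and at least
    min_share of them carry the gateway address as their source.
    """
    gw = ipaddress.ip_address(gateway)
    counts = Counter(client_ips(log_text))
    total = sum(counts.values())
    from_gw = counts[gw]
    # Connections whose source is a routable Internet address.
    public = sum(n for ip, n in counts.items() if ip.is_global)
    share = from_gw / total if total else 0.0
    masked = total >= min_connects and share >= min_share
    return {"total": total, "from_gateway": from_gw, "public": public,
            "gateway_share": round(share, 2), "masked": masked}

if __name__ == "__main__":
    print(masking_report(SAMPLE_LOG, "192.168.2.254"))
```

On an Internet-facing mail server the `public` count should dominate; a log where it is zero and `masked` is true means DNSBL lookups and LAN-only relay rules are being evaluated against the router's address instead of the real client.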

gctwnl001 Sun, 04/10/2011 - 17:58

I had a look at a lot of info, and it starts to look to me that the RV220W not only hides the LAN from the WAN, but also the other way around. So, an SMTP client from the outside will be translated to the inside IP address of the router (e.g. 192.168.1.1) and a free port will be found for the mapping.

If you cannot turn this off, it seems to me a terrible error.

catafildas Sun, 04/10/2011 - 23:52

Good day,

Yes, blacklists, spam, etc. are off using the RV220W. You should see my mail server with more than 250.000 spam mails in queue :(

Another strange behaviour is if you have a static route added to the RV220W on the LAN side and you are using Microsoft ISA Server, as changing the IP will cause ISA to block traffic.

Sad but true, the Cisco RV220W is on a shelf waiting for better days and, hopefully, an answer and solution from Cisco.

Cheers

gctwnl001 Mon, 04/11/2011 - 00:39

It seems to me that the RV220W is doing NAT both ways. It does not only hide the internal net from the outside, but it also hides the external net from the inside.

For me, I cannot put it on a shelf. This is my only router which I bought for my migration to another IP. So, either this gets fixed real soon, or I have to return the item and buy an alternative.

gctwnl001 Thu, 04/14/2011 - 10:50

I have returned the router and decided not to bother with Cisco Small Business Routers for the foreseeable future. Too bad. Hardware wise, this is a neat package. Software wise it is so immature that it is in need of some serious Cisco corporate attention, lest it (and others of this software base) significantly start to hurt Cisco's brand image.

Te-Kai Liu Wed, 04/27/2011 - 13:28

If the issue persists, would you consider giving a call to the Support Center?

jda@cyteen.com Wed, 05/04/2011 - 09:45

Same situation here: my mail server sees all the email as if it were coming from the RV220W. I had to disable most of the anti-spam because Exchange was rejecting email (Sender ID, for example). The strange thing is that I have an RV120W deployed at another site and the problem is not present.

Is the problem known by Cisco? We have to upgrade most of our site VPN routers and I would love to deploy the RV220W, but with this bug it's impossible!

This is what the headers look like:

Received: from ABTS-North-Dynamic-168.4.68.182.airtelbroadband.in
(10.88.88.254) by dh-ms5.xxxx.com (10.88.88.25) with Microsoft SMTP Server
id 14.1.289.1; Wed, 4 May 2011 13:53:49 +0200
Received: from [168.181.51.213] (account snailingy9424@gmail.com HELO
xdxxctygzfghp.rbmlyilqymd.su) by
ABTS-North-Dynamic-168.4.68.182.airtelbroadband.in (CommuniGate Pro SMTP
5.2.3) with ESMTPA id 304829780 for ....

catafildas Wed, 05/04/2011 - 09:49

Hi

Got in touch with Cisco, gave them remote access to the router, also the config file and network topology (yesterday, 03.05).

Now waiting for something good to come out. Will inform you.

Best regards,

Catalin Burla

jda@cyteen.com Wed, 05/04/2011 - 10:12

Great, the bug is so obvious I just can't imagine that they could miss it. Let's just hope they don't take too long to release a fix.

It might come from the ProtectLink Web or the VPN SSL (where the port forwarding is mentioned), because it's the only difference with the RV120W.

jda@cyteen.com Tue, 06/14/2011 - 15:17

Can't they fix this? It's a very stupid bug; I can't understand how such a bug could make it onto a Cisco product. I'm having other kinds of problems related to WSUS and Active Directory/DNS because of that.

How can I report this further? I'm not familiar with the process.

catafildas Fri, 06/17/2011 - 06:51

Bad news is that "support" cannot reproduce the error in their lab, and their conclusion was that something is wrong with my network. Funny, no?

Yes, I am disappointed too. I am back on the old RV082.

To report you have 2 options: call support on the phone numbers listed for your country, or the web.

Good luck,

Catalin

jda@cyteen.com Fri, 06/17/2011 - 08:43

OK, I have reached the support; they will try to reproduce the problem.

Meanwhile on my side I'll try to set up an easily reproducible scenario for them.

But I can confirm that the bug is general. I mean it also happens in a site-to-site IPsec tunnel: all the computers that go through the VPN and end up in the LAN part after the RV220 seem to be coming from the RV220 IP itself.

It renders RPC connections completely unstable and broke the Active Directory replication and the DFS-R on my remote site.

I'm back on the RV082 too; I'll keep you informed.

jda@cyteen.com Wed, 06/22/2011 - 11:02

Ok I eventually have good news.

The Switzerland support was able to reproduce the problem, and they found the problem didn't appear on a fresh configuration (after a factory reset). They asked me to reset the configuration and re-implement it, checking at each step whether the problem appears.

One hour later I found the single checkbox that messes up the whole internal NAT configuration: PPTP Server.

I reloaded my production configuration, disabled the PPTP server, and guess what? No more problem; external IPs come in as external, as they should.

Do you have the PPTP server enabled by any chance? And if yes, does disabling it solve the problem for you too? Tell me so the support here can escalate the bug.

catafildas Thu, 06/23/2011 - 01:14

Hi.

I enabled the PPTP server for a test only when first configuring the router, and disabled it afterwards. Until I noticed the problem and after, no change to PPTP.

Another behavior is that (with a "faulty" config) if you switch to gateway mode and back to router mode, it works correctly. After a power off - power on cycle, it goes crazy again.

After a factory reset I configured the router again, without enabling PPTP even once, and the router was running OK.

So it seems that what you discovered makes sense.

My problem is that after a few days of running, performance got terribly slow, so I reverted to the RV082, as I am off for a few days and can't afford "tests" now.

Next week I will be back at the office and will give it another try.

Best regards,

Catalin Burla

jda@cyteen.com Thu, 06/23/2011 - 03:39

Even if disabling the PPTP server fixes the "internal NAT" problem, I have another issue persisting on the IPsec tunnel: RPC communication doesn't pass the tunnel; everything else is fine. I'm back to the RV082 till the next firmware anyway; this looks like beta software...

I'll keep you informed, and thanks for yours.

jda@cyteen.com Wed, 06/29/2011 - 15:37

OK, the good news is that the issue has been reproduced by Cisco; they are working on fixing the bug. No ETA is the bad news.

Posted April 10, 2011 at 4:13 AM