New Member

RV220W - ipv6 Firewall and Ping Questions

I have just recently been messing around with ipv6 on our RV220W.  The only reason for turning ipv6 on was to get upnp to work after a reboot.

I have setup ipv6 using a 6to4 tunnel (using the automatic tunnelling feature, awesome feature by the way), as well as, through a tunnel broker (tunnelbroker.net).  Both methods were super simple to configure.

I have run into a couple of road blocks though.

1.  I can't find any firewall features for ipv6.  We have a Cisco E4200 that has ipv6 and ipv6 firewall support so I am sure the RV220W either has ipv6 firewall options or will have it very soon in a firmware upgrade.  Am I correct on either account?  Without a built-in firewall, ipv6 has really exposed our PCs, Macs, etc. to attack.  I ran some ipv6 firewall port scanners and found that we have several ports open (4800, 4900, 5263, etc).

2.  I found that ipv6 is a bit flaky.  For example, I experience a 15-50% packet loss when pinging an ipv6 website (ie ipv6.google.com).  It occurs on all of our PCs (Windows XP and Windows 7), as well as, our Mac OSX Lion Macbook Pros.  All of the more popular ipv6 test websites out there show that we go back and forth between ipv6 being turned on and off.  I am sure it has something to do with latency and/or failed pings.  Are there known issues with ipv6 on the RV220W?

I have opened a case (620246731) with Tori regarding the upnp issues that we encounter with ipv6 turned off.  Basically upnp works flawlessly when you turn it off and then back on after a reboot.  Unfortunately we have to reboot our RV220W due to slow downs, etc about once a week (of course it doesn't help that I have been updating the configuration off and on here lately) and upnp not working correctly after a reboot is quite frustrating.  I have even reflashed the latest firmware, reset to defaults, and made minimal configuration changes (going through the setup wizard, reserved some IPs by MAC address, etc) and upnp still doesn't work after a reboot.  Therefore I don't think it has anything to do with my configuration.

I have a few take-aways from my conversation with Tori.  I need to provide her with our configuration backup, some Wireshark traces with upnp working and not working, as well as some screenshots of the upnp port map table showing that upnp is actually populating the table.  I should have the time to perform this maintenance/testing soon.

I will keep you guys posted, but please post here if there are known issues with upnp and/or ipv6 so I don't keep jacking with these things trying to get them to work needlessly. 

21 REPLIES
New Member

RV220W - ipv6 Firewall and Ping Questions

There is no IPv6 firewalling on the RV220w as of this writing (Firmware 1.0.3.5) and the general state of the RV220W firewall logging is pretty poor. I'd instead rely on a host inside your network to be your IPv6 gateway and firewall (running RADVD to advertise this fact to those hosts not using static routes) and instead only rely on the RV220w to forward Protocol 41 packets from your tunnel server to that IPv6 gateway *only*. That allows you to control Protocol 41 usage at your perimeter (don't want just anyone to set up encapsulated IPv6 tunnels, right?) on a point to point basis and then do the IPv6 firewalling on the secondary host.

Using this approach, you get *far* more granular control and vastly improved logging for the IPv6 traffic and the (relative) predictability of a 6in4 tunnel (in general, 6to4's predictability/performance gets a big thumbs down from most networking folks). The downside, of course, is a second piece of equipment (I use a VMware host to do it, so it's more configuration work for me, but not additional hardware) to watch over and keep up to date.

I don't do much with UPNP, but the RV220w had a similar issue with IPv6 tunneling (the 6to4 approach you described early on in your post) and it not working after a reboot (until toggled off and then back on again), so it's not out of the realm of possibility.

In terms of RV220w IPv6 performance...it's pretty poor (in my experience), but there have been improvements in the latest firmware releases (I don't want to throw Cisco under the bus completely here). There are still massive gaps in the feature set though (another topic for another time) and thus I've set up my home network as described above to account for those issues. Your sporadic performance might be due to 6to4 issues (I've read about some horror stories) as well, so these might be issues that Cisco can't help you with.

Regardless, hopefully I've been a bit of help and I wish you the best of luck!

New Member

Re: RV220W - ipv6 Firewall and Ping Questions

Thanks for the reply Adam.  I was coming to the conclusion that there was no ipv6 firewall after taking a longer look at the RV220W GUI and open source documentation (didn't see ip6tables anywhere).

I don't see where I can forward protocol 41 ("-p 41", "-p ipv6", or "ipv6" in general) in the RV220W.  Would you mind helping me with that?  I'm not against offloading the ipv6 gateway and firewall to another host.  There will definitely be a learning curve involved, but I'm game.

I did take another stab at getting upnp to work without enabling dual stack (ipv6) and found that upnp stopped working after reboots after I created a second VLAN (guest VLAN with no inter-VLAN routing).  I got the idea to do more in-depth testing when I heard Tori talking with another guy on the phone and he asked if I had multiple VLANs.

New Member

Re: RV220W - ipv6 Firewall and Ping Questions

Sure - you forward Protocol 41 packets by creating a custom service (under the advanced section of the Firewall tab). Just specify the type as "other" and then type in "41" in the protocol field at the bottom and save it.

Then you apply a firewall rule for the service (custom services will show up at the bottom of the dropdown list) you just defined and allow that service coming in from the tunnel server you're using (I'm assuming HE.net) and then DNAT'ing it to the IPv6 gateway/firewall that you've set up inside your network.
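
The arrangement described in the replies above (protocol 41 accepted only from the tunnel server, IPv6 filtering and logging done on an inside Linux gateway), as an added example that is not part of any post in this thread: a script that generates `iptables-restore` / `ip6tables-restore` rules for that gateway. The addresses, prefix and interface names are constructed placeholders, and the policy shown (outbound allowed, nothing new inbound) is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Constructed placeholders: RFC 5737 /
# RFC 3849 documentation addresses and assumed interface names.
TUNNEL_SERVER_V4="192.0.2.1"     # tunnel broker's IPv4 endpoint (placeholder)
TUN_IF="he-ipv6"                 # 6in4 (sit) interface on the gateway (assumed)
LAN_IF="eth0"                    # interface facing the inside hosts (assumed)
LAN_PREFIX="2001:db8:1234::/64"  # routed /64 announced to the LAN (placeholder)

# IPv4 side of the gateway: encapsulated IPv6 (protocol 41) is accepted from
# the single tunnel server only; from any other source it is logged and dropped.
gen_v4_rules() {
cat <<EOF
*filter
-A INPUT -p 41 -s ${TUNNEL_SERVER_V4} -j ACCEPT
-A INPUT -p 41 -m limit --limit 5/min -j LOG --log-prefix "proto41-drop: "
-A INPUT -p 41 -j DROP
COMMIT
EOF
}

# IPv6 side: default-deny and stateful. Inside hosts may open connections out
# through the tunnel; nothing new is admitted from the tunnel toward the LAN.
# ICMPv6 errors such as packet-too-big come back via the RELATED state.
gen_v6_rules() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p ipv6-icmp -m icmp6 --icmpv6-type 128 -m limit --limit 10/sec -j ACCEPT
EOF
# Neighbor discovery (router solicitation 133, neighbor solicitation 135,
# neighbor advertisement 136) from the LAN only; hop limit 255 shows the
# packet was not routed.
for t in 133 135 136; do
  printf '%s\n' "-A INPUT -i ${LAN_IF} -p ipv6-icmp -m icmp6 --icmpv6-type ${t} -m hl --hl-eq 255 -j ACCEPT"
done
cat <<EOF
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${LAN_IF} -o ${TUN_IF} -s ${LAN_PREFIX} -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i ${TUN_IF} -m limit --limit 5/min -j LOG --log-prefix "v6-fwd-drop: "
COMMIT
EOF
}

# "apply" loads the rules (root required); the default only prints them so
# they can be reviewed or checked with ip6tables-restore --test first.
case "${1:-}" in
  apply)
    gen_v4_rules | iptables-restore --noflush   # append, keep existing IPv4 rules
    gen_v6_rules | ip6tables-restore            # replace the IPv6 filter table
    ;;
  *)
    gen_v4_rules
    gen_v6_rules
    ;;
esac
```

Inbound packets from the tunnel that match no established connection hit the rate-limited LOG rule and then the FORWARD chain's DROP policy, which gives the per-packet IPv6 logging the RV220W itself does not provide.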

New Member

RV220W - ipv6 Firewall and Ping Questions

The RV220W definitely has (much too many) issues, but we are connecting a branch office using IPv6 in a 6in4 tunnel from tunnelbroker.net and it is working quite well. We are continuously pinging the connection once every minute. It appears fairly stable, so I don't think there are any IPv6 problems in the router. Doing a continuous ping6 does not reveal any lost pings.

The most annoying issue is the one of having to manually disable/enable the 6in4 tunnel after each reboot. That should not be the case, and we cannot do it automatically due to the missing CLI interface in the RV220W (a feature found in many less expensive routers !)

New Member

RV220W - ipv6 Firewall and Ping Questions

Although I read the release notes for the latest 1.0.3.5 firmware, it was long before I tried implementing ipv6.

In the release notes...

A 6to4 tunnel may encounter packet loss depending on the type of NIC used. (CSCtr08162)

...therefore I don't believe my case is unique.  I should have taken the time to re-read the release another time before posting about my packet loss (up to 70%!!!) issues.  I thought something was wrong (with my setup) because all of our devices experience packet loss... all PCs and Macbook Pros.

New Member

RV220W - ipv6 Firewall and Ping Questions

On a somewhat positive note, I had a long conversation with a buddy of mine that is a senior network engineer for a large corporation (10,000+ employees worldwide) here in Kansas City, Missouri.  He is the one that recommended that I start replacing our WRVS4400N v2 routers with RV220W's based on his experience with the one he uses at home.

In a nutshell, he told me that he doesn't like to mess around with network *stuff* at home because that's all he does during the day at work.  Therefore he uses an RV220W at home.  He confirmed for me that upnp does not work for him as well, but he doesn't use it (or ipv6).  He manually opens ports for all of his needs (game consoles, software needs, etc).  He did tell me that he thinks the RV220W is a great wireless router (he actually has a few Linksys E4200 routers configured as APs around his house) for its price/feature combo.

He, and a few other of his family members, use the VPN functionality all the time.  PPTP, IPSec, SSL...  all of it.  Who do you think helped me configure my VPN setup?

If he is comfortable with an RV220W, then that is quite comforting to me.

He did tell me that he has a friend that has a 6 month old ASA 5505 (still under warranty and contract) for sale for $200.  He is more than willing to show me the ropes so I could tinker with it in our lab.  I just don't think I'm ready to start deploying those.

New Member

RV220W - ipv6 Firewall and Ping Questions

Well, here are the bugs I detected and in the release note of 1.0.2.4 (nearly identical to 1.0.3.5)

http://bugzilla.jth.net/buglist.cgi?product=Cisco%20RV220W&component=Firmware%201.0.2.4&resolution=---

If this makes you comfortable, then it's OK for me, but it sure does not for me, especially because CISCO has shown absolutely no interest in working with me to document and track down these issues. Apparently if it is not an issue reported in the hopelessly slow CISCO case system then it is a non-existent issue!

Reporting issues to CISCO is also hopeless. I have tried to do so, but just been ignored.

New Member

RV220W - ipv6 Firewall and Ping Questions

I'm with you now, and I have looked at your bug report thread by the way.  I actually have it bookmarked!  I was talking more about the lack of ipv6 features (no firewall!!!) because that is what I am currently battling.

Speaking of which, I really wish Cisco would work on the Windows 7 64-bit and Mac OSX Lion SSL VPN issues. 

I wonder how the Small Business team works anyway.  The Linksys home router and Enterprise teams must not work with them at all.  The E4200 (Linksys home router) has an ipv6 firewall, crude, but existent.  If I'm not mistaken they run on Linux as well...

Have you thought about starting an RV200W Bug and Enhancement Request thread?  If I'm not mistaken, the first post can always be updated by the original poster so the most up-to-date enhancement list (and link to your bug thread) could always be at the top of the thread.

You game?

New Member

RV220W - ipv6 Firewall and Ping Questions

Firewalling in the router has never been an important issue for us, as we are having much better firewalling (IPv4 and IPv6) on our Linux servers than I have ever seen in a router. On the workstations we are depending on the MS Windows firewall and virus protection software. We probably should look more into IPv6 firewalls on the workstations.

The bugzilla was made partly to get experience with that software, partly out of frustration of the non-responsiveness of CISCO, who could benefit from the no-cost work of an experienced IT-professional, but chose not to do so without any feedback whatsoever. I even wrote a letter to the CISCO CEO about the CISCO reputation issue without any response. So much for the politeness of CISCO management living in their ivory tower.

I don't have the time and energy to continue maintaining it, but anybody can add comments to it and create new reports.

New Member

RV220W - ipv6 Firewall and Ping Questions

I'd be game to participate in such a thread. I think my frustration comes from the fact that I see such potential in the RV220W, but that product that is in front of us right now has such obvious issues. In the interests of full disclosure, I am a former Cisco employee (not on the product development side) and the RV220W firmware *has* been getting better since the initial firmware I used, but it's still a long way from what I'd consider a fully baked product and if some of the open source alternative firmwares were able to run on that platform, I'd probably flash the hardware with them and call it a day.

Joergen, I had previously seen your Bugzilla and it was great to see that others were noticing (and suffering from) the same issues that I was noticing, so thanks for that. I definitely get your frustration regarding the slow speed of issue resolution, but keep in mind that constantly expressing that frustration will eventually turn even the best-intentioned Cisco employee off. In short: pick your spots and hopefully we can save you some of the frustration =)

I know that for myself, it'd be great to have a Cisco product manager participate here and say "hey guys, we hear you - here's what we see as the biggest issues for the product and where we're focusing our development efforts - any". I appreciate Cisco folks posting in specific support cases and their urging users to open TAC requests, but I think there's a missing overall sense of sustained engagement from the Cisco side in soliciting input and working together towards making a better product.

New Member

Re: RV220W - ipv6 Firewall and Ping Questions

It is my impression, that CISCO as many other old corporations has not been able to adjust to changing times.

It is not as in the old days, when the customers were just using the products, had no IT-knowledge and the company possessed all the information and maybe was in a certain level of monopoly.

Today there are many competitors in the market. The customers are shopping around and do not buy CISCO products, because they once did it.

Many customers are well-educated IT professionals who in knowledge equal or surpass the CISCO supporters. There is also a community spirit among customers with the purpose of improving things.

I consider it foolish for a company not to tap into this source, but to continue its old-fashioned ways of handling customers.

These days we have Kodak in Chapter 11. A once very large and well-respected company and brand, which was not able to handle changing times and markets. This ought to be a writing on the wall for any old corporation.

Hall of Fame Super Gold

Re: RV220W - ipv6 Firewall and Ping Questions

JT,

the Cisco products that you're probably referring to are not really Cisco. They are post-acquisition Linksys. I don't know for sure, but it's even possible that they had a better quality before the Cisco acquisition.

The enterprise class Cisco products have a much better software quality, and still enjoy a great reputation among IT professionals. The sales results show that clearly, since 25 years.

New Member

Re: RV220W - ipv6 Firewall and Ping Questions

Yes, Kodak also has a great past!

I also know, that this product is not a core CISCO product, but it does display CISCO on the front.

CISCO management has made a fundamental error in not assuring, that this product is living up to the standard expected by the market.

Quality control and testing is apparently absent. There are issues in the software, which can be found by anybody simply by testing it for 5 minutes.

My advice to CISCO management is, that saving a few bucks on the quality control and testing department is not worth it. It is really going to hurt.

New Member

RV220W - ipv6 Firewall and Ping Questions

I'm not sure which company started the RV200W, probably Linksys, but they were on the right track.  It is an improvement over the WRVS4400N.  That said, I'm unsure where Cisco sees the RV SMB line of routers going.  They obviously are great supporters of the consumer line.  That line is rather strong, stable, and competitively priced and one of the main reasons they purchased Linksys in the first place.  The SMB line (Linux-based anyway) seems to be caught in the middle of the consumer line and IOS line.  I sometimes wonder if they intentionally hinder their capabilities.  They could easily utilize third party (DD-WRT, Tomato, etc) firmware source code/functionality to make the RV220W a top-notch Linux-based router.

New Member

RV220W - ipv6 Firewall and Ping Questions

It is quite common to introduce artificial limits in routers to increase sales of higher priced units.

I do not agree with this policy, but I do expect, that the quality of the actual product sold, is acceptable, leaving room for bugs not easily detectable in the lab.

When an immature product is sold, it must be on the condition, that the turnaround time to fix bugs reported by customers is short. This is unfortunately not the case at CISCO.

The CISCO support is better than that of many other companies, but it is worthless, when after half an hour on the phone, the supporter has to give up on the problem due to a software bug.

I have tried this, and I see clearly, that CISCO could save a lot on the support budget by increasing the quality control budget and reducing the time between new firmware releases.

So this is my New Year wish for CISCO.

New Member

RV220W - ipv6 Firewall and Ping Questions

I agree to a point.  The engineers have to draw the line somewhere because there is only so much RAM and flash memory to work with versus their other routers that have expansion capabilities.

The last thing I want is a router that is chock-full of bells and whistles but doesn't have the juice to run them.

If Cisco can get the major bugs worked out on the RV220W they won't have any trouble finding loyal customers willing to pay more for an RV router with say 512 MB - 1GB of RAM and 128 MB - 256 MB of flash RAM.  Then they could add more bells and whistles and charge a couple hundred more $ for it.

I'd definitely buy it because I'm more of a Linux fan.  I would probably change my mind if I took the time to learn IOS though.  I just don't like the idea of paying yearly maintenance fees for a cheap SMB router though.  They need to find a happy medium.  I originally thought the RV200W was that happy medium...

RV220W - ipv6 Firewall and Ping Questions

Hi, My name is Eric Moyers. I am a Network Support Engineer in the Cisco Small Business Support Center. Thank you for using the Cisco Community Post Forums. Just wanted to drop in a note to let you guys know that your post on our RV20W is greatly appreciated and that your concerns and opinions are highly valued.

Mr. Thomsen, great to hear from you again, I hope that you are doing well.

The issue with IPV6 is recognized, and it is currently being worked on. Software development timelines are very delicate. There is a process that we have to go through with any development of new code. When you go back and do any type of re-coding, it is then even more imperative that we add in regression testing to ensure we don't break one thing while fixing another.

Currently there is not a date for when this fix may be out. I will research this and see if I can find some information for this thread.

Thanks

Eric Moyers

Cisco Network Support Engineer

SBSC Wireless and Surveillance SME

CCNA, CCNA-Wireless

1-866-606-1866

New Member

RV220W - ipv6 Firewall and Ping Questions

Eric,

I do not at all disagree with you, but in a rapidly changing market I am criticizing the allocation of man power to and lack of interest in customer involvement in this process.

I am often thinking about the Lou Gerstner book about IBM: Who Says Elephants Can't Dance?

In 1990, IBM had its most profitable year ever. By 1993, the computer industry had changed so rapidly the company was on its way to losing $16 billion and IBM was on a watch list for extinction -- victimized by its own lumbering size, an insular corporate culture, and the PC era IBM had itself helped invent.

Laurels are great for cooking, but not for resting on.

Re: RV220W - ipv6 Firewall and Ping Questions

Mr. Thomsen,

I would disagree that there is a lack of interest in customer involvement. If that were truly the case, then Cisco would have never created this community forum for customers. The entire basis for this forum is so that customers have an opportunity to converse and mingle with peers and Cisco engineers. Here we trade ideas and help one another. Not in the least is having a forum to express displeasure in products or processes, like we have here.

I am also involved with an issue with the WAP4410N, where the customers are expressing their issues with the product. Cisco is listening to the post through agents like me and then they are working to make the product better. Just like we want to do with the RV220W.

Code development to me, and I was a mainframe programmer in an earlier life, is similar to tying shoes. Two people can work on it, one could tie the right and one the left. However it is counterproductive for two people to tie the same shoe. Just like coding, more than one person can work on the entire program or firmware, but two people working on the same block of code can lead to wasted coding time.

I entirely respect your opinions, but I truly believe that Cisco is working to solve these issues as quick as possible.

Eric Moyers

New Member

RV220W - ipv6 Firewall and Ping Questions

Hi Eric,

Thanks for checking in with us here. I've got a couple questions for you if I may. Before I pose them to you though, I wanted to emphasize that I certainly understand that software development is fickle and subject to delays, so if some of the dates that I ask you about slip a bit, I'm not going to lose my sanity =)

- What does Cisco see as the biggest issues (both in terms of bugs and feature deficiencies) in the RV220w right now?

- What is the projected release date for the next version of RV220w firmware?

- Is there a process where customers can gain access to beta version of the RV220w firmware with the understanding that these are beta versions, bugs are likely and users running beta versions will not be supported?

- If we, as (perhaps overly =)) vocal RV220w owners, want to create a feature request/bug tracking list, perhaps with some proposed priorities for guiding software development time, what is the most helpful way to communicate that to the developers/project managers in charge of the firmware (especially considering it will be a living document).

Again, thanks for your help here. I know it's not necessarily fun tackling some of the issues that you face here, but it's certainly appreciated.

Cheers,

A.

Re: RV220W - ipv6 Firewall and Ping Questions

Hello Mr. Baldwin

Thank you for the e-mail.

- What does Cisco see as the biggest issues (both in terms of bugs and feature deficiencies) in the RV220w right now?

  A. There is a wireless meeting coming up next week I believe, I will put this question out there to see what they say.

- What is the projected release date for the next version of RV220w firmware?

  A. I have not heard, they really do not like giving me hard dates. I will see what I can find out.

- Is there a process where customers can gain access to beta version of the RV220w firmware with the understanding that these are beta versions, bugs are likely and users running beta versions will not be supported?

  A. Yes there is a process. When one is available it is freely available with the signing of a form (basically stating what you said, "This is a beta version, bugs are likely", with a little more lawyer speak than I write).

- If we, as (perhaps overly =)) vocal RV220w owners, want to create a feature request/bug tracking list, perhaps with some proposed priorities for guiding software development time, what is the most helpful way to communicate that to the developers/project managers in charge of the firmware (especially considering it will be a living document).

  A. Anything you send me, I can get to the right people.

I have always been one of those people that when you yell "Fire", I don't run for an exit, but look for the Fire. Being a tech support engineer, you definitely see a wide variety of issues. Those of us here in the Small Business Support Center, unless we are on the UC540/560 side, pretty much cover everything else on the phones. A few of us also monitor the Community Post to help customers as well. There are days that things can get overwhelming, being in the middle of the customer and the Development teams. But it is even more rewarding when we hear back from customers that all is well and issues are resolved.

I will keep this thread posted as I learn information and if you mouse over my picture you can find my e-mail as well.

Eric Moyers
