New Member

[Security issue ?] RV0xx vlan & VPNs

Hi,

I've got an issue with the latest firmware of the RV042 (I don't know about previous ones, as it's my first one).

I have a LAN interface connected to an office network (192.168.2.0/24).

On the WAN interface (only one is used), I've got the internet connection.

The office network is connected to another site (192.168.1.0/24) using a site-to-site VPN. So through the web interface, the local LAN (192.168.2.0/24) is authorized to communicate with 192.168.1.0/24, and the other way as well.

Everything is OK at this step.

I have to configure a guest VLAN. So I assigned an unused VLAN to one unused LAN port. I added a "multiple subnet" for this new VLAN (192.168.4.0/24).

When I configure a computer with a static/DHCP IP (192.168.4.1 for example), I cannot access the local office LAN, and I can connect to the internet (which is OK).

The problem is when a guest sets its IP to 192.168.2.x. The RV0xx is "listening" with IP 192.168.2.1 and then sends the packet into the VPN tunnel if the destination is 192.168.1.x.

So is there a way to stop this flow, because I don't want guests having access to the office network through the VPN? As you can understand, this question is not limited to guests, but applies more generally to VLANs with VPN. What am I doing wrong?

Has anyone had the same issue?

Thanks

Jerome

PS: If there is a bug, can it be resolved in the next firmware soon?


Accepted Solutions

[Security issue ?] RV0xx vlan & VPNs

To prevent a guest from changing its assigned IP address, you would need an additional switch to enforce the security.

5 REPLIES

[Security issue ?] RV0xx vlan & VPNs

Try adding an Access Rule that denies 192.168.4.x from going to 192.168.1.x.

[Security issue ?] RV0xx vlan & VPNs

How is your tunnel configured? If the local subnet and remote subnet are 192.168.2.x and 192.168.1.x, respectively, I wonder how the 192.168.4.x subnet could reach the remote subnet.

New Member

[Security issue ?] RV0xx vlan & VPNs

Thanks for replying.

If 192.168.4.x is configured on the PC, the guest cannot access the VPN, so this case is OK.

BUT the problem arises when the guest uses an IP in 192.168.2.x, because in the web interface I can't assign a LAN port to a VPN, nor a VLAN, only an IP or range. In this case the guest has full access to the remote network.

Regards,

Jérôme

[Security issue ?] RV0xx vlan & VPNs

To prevent a guest from changing its assigned IP address, you would need an additional switch to enforce the security.

New Member

[Security issue ?] RV0xx vlan & VPNs

Yes, it's a good workaround, but it's difficult to explain to customers who have bought this product after reviewing the administrator guide (which explains guest networks using VLANs).

That's what I thought...

I'll wait for the next firmware, hoping for a fix, as using VLANs with VPN is currently too risky.

Thanks,

Jerome
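The check discussed in this thread, as an added example that is not part of the original posts or Cisco's code: a tunnel selector that looks only at IP addresses, next to a per-VLAN source check of the kind the accepted reply delegates to an additional switch. The VLAN ids, the `vlan=… src=… dst=…` record format and the sample records are constructed assumptions; the subnets are the ones given in the thread.

```python
import ipaddress

# Assumed VLAN-to-subnet bindings (VLAN ids are hypothetical, subnets from the thread).
VLAN_SUBNETS = {
    1: ipaddress.ip_network("192.168.2.0/24"),  # office LAN
    2: ipaddress.ip_network("192.168.4.0/24"),  # guest VLAN ("multiple subnet")
}
# Site-to-site selector as described in the thread: matched on addresses only.
VPN_LOCAL = ipaddress.ip_network("192.168.2.0/24")
VPN_REMOTE = ipaddress.ip_network("192.168.1.0/24")


def matches_tunnel(src, dst):
    """IP-only selector: no notion of which port or VLAN the packet arrived on."""
    return (ipaddress.ip_address(src) in VPN_LOCAL
            and ipaddress.ip_address(dst) in VPN_REMOTE)


def source_valid(vlan, src):
    """Ingress check: the source must belong to the subnet bound to the arrival VLAN."""
    net = VLAN_SUBNETS.get(vlan)
    return net is not None and ipaddress.ip_address(src) in net


def classify(vlan, src, dst):
    """Verdict for one packet when the ingress check runs before the selector."""
    if not source_valid(vlan, src):
        return "spoofed-into-tunnel" if matches_tunnel(src, dst) else "spoofed"
    return "tunnel" if matches_tunnel(src, dst) else "no-tunnel"


def audit(lines):
    """Parse 'vlan=<id> src=<ip> dst=<ip>' records and return the spoofed ones."""
    findings = []
    for line in lines:
        f = dict(kv.split("=", 1) for kv in line.split())
        verdict = classify(int(f["vlan"]), f["src"], f["dst"])
        if verdict.startswith("spoofed"):
            findings.append((line, verdict))
    return findings


# Constructed sample records, not captured from a real device.
SAMPLE = [
    "vlan=1 src=192.168.2.20 dst=192.168.1.5",
    "vlan=2 src=192.168.4.10 dst=203.0.113.7",
    "vlan=2 src=192.168.4.10 dst=192.168.1.5",
    "vlan=2 src=192.168.2.77 dst=192.168.1.5",
    "vlan=2 src=192.168.2.77 dst=203.0.113.7",
]

if __name__ == "__main__":
    for record, verdict in audit(SAMPLE):
        print(verdict, "<-", record)
```

The fourth record is the case from the thread: it satisfies the IP-only selector, and only the VLAN-aware source check separates it from legitimate office traffic.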
