firewall on Cisco RV042

[Ron C]

Hello, I have a Cisco RV042, I know a bit older, and I run 3 subnets
(192.168.1.0, 192.168.2.0 and 192.168.3.0)

I use those for smart 'things' that work with wifi.

I want to deny access to 192.168.2.0/24 for anything outside of the LAN (so anything from the internet).

The only firewall rules that seem to be able to work, are the ones that restrict traffic on the LAN itself? (I am not too familiar with small business routers, I tend to work with firewalls that run on Linux based gateways)

How do I create rules that:
1 - deny all traffic from "the internet" to 192.168.2.0
2 - allows traffic from 192.168.1.0/24 and 192.168.3.0/24 to and from192.168.2.0/24

thanks,

Ron

 

[coxhaus]

The firewall should take care of protecting your LAN from the outside.

I think the RV042 was a port based VLAN router. You used separate VLANs to separate LAN traffic. If you want traffic to share resources then include them in the same VLAN.

 

[Ron C]

Well I have some wfi smart electrical outlets, that I all gave the address of 192.168.2.x and I want only my other two subnets (192.168.1.0 and 192.168.3.0) to be able to connect to devices in 192.168.2.0.

So far I only managed to block either "everything to/from 192.168.2.0 .. or setting up rules "a la Linux iptables" outside traffic can still get to it.

Is there a place with example RV042 access rules, with explained what they actually do?

I tried:
1: deny any traffic to 192.168.2.1 - 192.168.2.254
2: allow LAN from 192.168.1.0-192.168.2.254 to 192.168.2.1 - 192.168.2.254
3: allow LAN from 192.168.3.0-192.168.3.254 to 192.168.2.1 - 192.168.2.254

BUT these rules do nothing, and allow 'internet' traffic in still

I wonder if an RV320 would work better, as in more 'conventional'

((I wish they would just allow iptables, even the systemd way.)

Ron

 

[coxhaus]

The RV320 router should be able to do what you want. I don't think the inter-network routing is going to work in the RV042 the way you want.

Internet traffic should not be getting through the firewall unless you opened a port.

 

[Ron C]

The RV320 router should be able to do what you want. I don't think the inter-network routing is going to work in the RV042 the way you want.

Internet traffic should not be getting through the firewall unless you opened a port.

That is what I am hearing. I just ordered one, we'll see how that goes.

thanks!

Ron

 

[coxhaus]

I am currently running a RV320 router which is working fine. I also have a Cisco SG300-28 switch in layer 3 mode which is handling all my local LAN VLANs. So I am not running VLANs on my RV320 now but I did before I installed my layer 3 switch.

First thing to do is upgrade the Rv320 firmware when you receive it before configuration. You probably want to download the firmware ahead of time before you take your network down.

 

[Ron C]

I am currently running a RV320 router which is working fine. I also have a Cisco SG300-28 switch in layer 3 mode which is handling all my local LAN VLANs. So I am not running VLANs on my RV320 now but I did before I installed my layer 3 switch.

First thing to do is upgrade the Rv320 firmware when you receive it before configuration. You probably want to download the firmware ahead of time before you take your network down.

The router will be here in a few days, good idea about updating the firmware. As soon as the thing is here it is the first thing I do. (I heard that can be done with a USB stick.

thanks,

Ron

 

[coxhaus]

I think you will find it easier to download the firmware to your PC. Then logon to the router web page with the default logon and password after doing a factory reset. I think the factory reset is press the reset button with a paper clip and hold for 10 seconds. The firmware upgrade will be under System Management on the menu.

 

[Ron C]

I think you will find it easier to download the firmware to your PC. Then logon to the router web page with the default logon and password after doing a factory reset. I think the factory reset is press the reset button with a paper clip and hold for 10 seconds. The firmware upgrade will be under System Management on the menu.

Ah alright, sounds simple enough, and the update can be read from a USB stick, I read somewhere.

Ron

 

[coxhaus]

I don't see any reason to go to the extra trouble to put the update on the USB stick when it is already on your PC. But I think you can do it.

 

[Ron C]

I don't see any reason to go to the extra trouble to put the update on the USB stick when it is already on your PC. But I think you can do it.

Didn't know that could be done with those. Where can we get these updates from?

Ron

 

[coxhaus]

Google RV320 firmware. It will be the Cisco web page. Once on the RV320 web page select download. Get the latest firmware.

 

[Ron C]

Google RV320 firmware. It will be the Cisco web page. Once on the RV320 web page select download. Get the latest firmware.

Alright,

I never upgraded the firmware on my RV042,because when I got it (a year 2-3 ago) I had to pay a fairly high amount on some website). Anyway, I downloaded all the firmware from Cisco for free now, so I was planning on using it on the RV042.

The router says, when I upgrade, it will go back to the default settings (which is a pain, because there was some https bug in the version I have... sooo).

Also, if I save/backup the Mirror and Startup conf, after the upgrade, will it restore all settings when I load the "Startup.conf" again? Or will I lose all routes etc?

thanks,

Ron

 

[coxhaus]

All of Cisco's small business firmware software is free. It is why I run small business routers, switches, and wireless units.

Cisco's pro line requires you to pay for IOS software.

 

[Ron C]

All of Cisco's small business firmware software is free. It is why I run small business routers, switches, and wireless units.

Cisco's pro line requires you to pay for IOS software.

I noticed that, since I could just download it... that's nice.

 

[coxhaus]

There have been some major router hacks so you want to run the latest firmware on your router.

 

[Ron C]

There have been some major router hacks so you want to run the latest firmware on your router.

right.. that's kind of a thing I am used to...

 

[Ron C]

There have been some major router hacks so you want to run the latest firmware on your router.

btw: I am used to different equipment, and if I work with routing/switching it mostly is work on linux based firewalls/switches etc.

But, the order of the rules is applied in ascending order, as 'usual', I assume, right? So when traffic matches a rule that applies, that's where it drops on the floor? (on these RV series routers) so: in this 3 rule example

[1]: accept traffic from 192.168.1.0 for 192.168.2.0
[2]: accept traffic from 192.168.3.0 for 192.168.2.0
[3] deny any traffic for 192.168.2.0

Means, that 192.168.1.0 and 192.168.3.0 can send traffic back and forth to 192.168.2.0, any thing else will drop on the floor, while if I made the 3rd rule the 1st priority, as for example in:

[1] deny any traffic for 192.168.2.0
[2]: accept traffic from 192.168.1.0 for 192.168.2.0
[3]: accept traffic from 192.168.3.0 for 192.168.2.0

nothing ever would come into 192.168.2.0 from any destination, not even the last two subnets, because the 1st rule always applies

, right?

Ron

 

[coxhaus]

The rules apply top to bottom. The problem I think you are having is there is no inter-vlan routing. As I said I think that router is port based VLANs. It has been a long time since I had one. They were also very slow with lots of lag. I switched to a RVs4000 early on so I never ran one very long.

 

[Ron C]

The rules apply top to bottom. The problem I think you are having is there is no inter-vlan routing. As I said I think that router is port based VLANs. It has been a long time since I had one. They were also very slow with lots of lag. I switched to a RVs4000 early on so I never ran one very long.

Right .. that makes sense, it's just linear, without objects/groups etc. I actually noticed that latency can be an issue, especially with more devices (I have a bunch of that smart-home stuff, and some robotics hobbies. If you can keep them contained to their own subnet, latency seems to be better, but one will run into issues (like you mentioned.) I hope that RV320 does better there, we'll see.