RV320 questions, or general home router advice


tribunal88

I'll be moving into a new house shortly and plan to run network cable throughout. Using information from this site and coworkers, I've been planning to segment my network for security reasons, and this will require 6 VLANs. The RV320 looks like a good fit, but as I started to get into the details, I realized I might be making some bad assumptions or just plain unaware of details.

What I want to do is segment the network into the following groups:

Wired-Secure (VMware ESXi, NAS)
Wired-Private (PCs, Media Players, TVs, etc, Printers)
Wired-Public (Webserver)
Wireless-Private (Family devices)
Wireless-Public (Guest devices)
VPN (mostly just for me to do remote management)

Each would get its own VLAN with DHCP, and I've got a whole slew of planned ACLs to restrict communication amongst them. I'd planned on using the RV320 as the router/gateway/firewall with Netgear GS108T 8-port switches for a main backbone (so I can LAG certain ports together), then some GS108E and GS105E switches that I already have to expand from there. For wireless, I was looking at the Cisco WAP321. I believe all of these will do 802.1q VLAN.

I would like to be able to stream media from the NAS to multiple devices and PCs throughout the house, so building in LAG to improve bandwidth seemed like a good idea. Similarly, the NAS has 2 NICs which can be bound together. Since it hosts both the media and the iSCSI LUNs which feed the ESXi host, LAG would help out a lot there as well.

So, one of the first things that popped into my mind was what to do about broadcasts. I know some of my media devices can be controlled by apps (with more certain to follow - audio receivers ship with NICs now, can you believe it?). If they are on separate subnets, the broadcast messages for discovery won't reach them, and many of these apps don't allow for specifying IPs for targets. I read online about something called an "IP helper address" rule which overcomes this. Does the RV320 have this capability?

Another concern was that the data sheet says the RV320 can do 7 VLANs, but one of the pages on their website which talks about configuration lists 4 as its max. Can anyone confirm which is correct?

And lastly, given my goals, am I taking the wrong approach?
 
A lot of routers other than Cisco will do VLANs; however, if you connect switches then you will need managed ones.

If you want security don't use the Cisco RV series because they don't have a configurable firewall. If the work you do is important it may be worth having a competent IT guy or learning up. I would suggest brands like Zyxel firewall products, pfSense, Ubiquiti or MikroTik. All of them have configurable firewalls. pfSense is one of the best for small to medium sized network security, while both Ubiquiti and MikroTik are quite capable as well. If you want an L2 firewall I know from experience that MikroTik has them if the device you run RouterOS on is bridging, which would require a good CPU or fast RouterBoard.

pfSense, Ubiquiti and MikroTik have L3 to L7 firewalls, but they require setup and configuration, unlike the Cisco RV series or consumer routers where you simply tick the features you want running. I suggest checking if the RV320 firmware is stable before purchasing it. If you want a dedicated device instead of an x86 box, all 3 brands have them, but you would need to check the performance for MikroTik and pfSense before you get one.

MikroTik bridging (switching using CPU) can also use the L3 to L7 firewall if you want it to. Getting a configurable firewall will do a lot more good than a Cisco RV that has the features built in but unconfigurable. All the brands I mention support VPN. Being configurable they will do a lot more than what a Cisco RV would and have similar features to what an enterprise Cisco product would provide. They also do not have limits like number of VLANs or QoS or firewall rules. In RouterOS you can add thousands of VLANs to a single interface or virtual interface. I believe pfSense and Ubiquiti can do the same thing. In L2, the VLAN limit is 4096 VLANs in a single network. The 3 brands I mentioned don't have as many limitations as the Cisco RV in number of tunnels, have better VPN throughput, and some may support unlimited VPN tunnels depending on license. They all support LAG too (some can do it at the switch level while some require CPU).

Broadcasts can be controlled via an L2 firewall. You will need a configurable firewall for what you want to do, and the Cisco RV is limited.

In all these 3 brands, to get a broadcast to another subnet you must route it. That means the router must have the route configured inside (it may be dynamically added) and you must then apply a forward rule using dst-nat on the broadcast address to forward to a different subnet. The Cisco RV is similar to a consumer router, so it cannot be configured like these devices can.
Be sure to check the performance specs first.

Do note that broadcasting to other subnets or VLANs too much can cause a network slowdown if the full port bandwidth is reached by broadcast. It may be wise to limit the rate at which broadcasts can be forwarded between subnets. You must also carefully make sure that only certain broadcast packets are forwarded, otherwise devices on the other subnets or VLANs will get DHCP from other subnets or VLANs. If within your budget you can get a CCR and skip using a managed switch, as CCRs can bind ports together using CPU or switch (if it has a switch chip) and bridge and route at wire speed while having at least 8 gigabit ports. I use a CCR with 2 SFP+ ports with a CRS with 24 gigabit ports and 2 SFP+ ports for sufficient ports and bandwidth between them. The CCR is a pure router while the CRS is just a pure switch. I stopped using the Netgear smart switches because they have random problems with some features. There are CCRs with 12 gigabit ports.

The cheaper option is to get a pfSense/Ubiquiti/MikroTik device that is fast enough and connect it to a better switch other than Netgear or TP-Link.
 
I was looking at the Ubiquiti EdgeRouter, specifically the ERPOE-5, which was within my price range. Am I correct in that it won't act as a gateway? In an enterprise you would separate out your GW, firewall, and router, but since this is for the home, a unified offering would probably be best for me. If Ubiquiti doesn't have an all-in-one solution, what's the best way to add that component? Cheapest?

I also had been looking at Zyxel USGs, but I was suspicious that the ones in my price range (I'm trying to keep it under $200 for this appliance) would have the same limitations as the RV320.

Thanks for the quick feedback. For context, I'm a DBA by trade (spending most of my time on Oracle and Linux), and I've spent a lot of time learning systems and storage. Now I want to learn networking, and this project is to help me do that.
 
One other requirement I have is port mirroring/SPAN. I use Security Onion for my IDS and need to mirror the WAN port for the packet capture.
 
It does act as a gateway too if you want. The other choice is the RB850Gx2 from MikroTik.

Both EdgeRouter and MikroTik are very similar and do all you want; they retain the same OS across all their routers, however MikroTik has more features such as scripts.

pfSense would be cheaper if you installed it on a PC and used it as a router. pfSense would be better as a firewall too and also does what you want.

Ubiquiti has a manual for their EdgeRouters showing what they can do.

I don't think you understand how these flexible routers work. You have to configure them for the job you want. They will do what you want, but you need to set it up.
 
Great! I've got some homework to do, it seems. Thanks for the quick call-backs. I'll probably be back to this forum a lot as I hit roadblocks.
 
I suggest considering the recently released Netgear ProSafe FVS336Gv3 (FVS336G-300). It's a direct competitor of the RV320. I'm currently evaluating the RV325.

I wish SmallNetBuilder staff would review the Netgear FVS336Gv3 or update the original review of FVS336Gv1 from 7 years ago.
 
I've looked over the manual for the Netgear and it doesn't say if there is a limit to the number of DHCP servers and/or VLANs you can configure with it. With just about all the other appliances I looked at (except those mentioned by System Error Message), there's been a limit. Also, in the Firewall section I couldn't find any mention of a limit to the number of firewall rules. This is another thing that seems to be present in all the more user-friendly routers.

Depending on the answer to those questions, this would be an alternative if I wanted something I could just "drop in" and configure. Though I will say that the opportunity to learn how to manage a professional router is attractive, and the Ubiquiti ERPOE-5 would afford me that.
 
Personally, if I have time, I'd go for the Ubiquiti ERPOE-5, pfSense or similar products like these. But the issue is lack of time (family, work/biz, etc). This equipment requires time studying CLI manuals/web posts, research to fill knowledge gaps on core networking and lots of trial/error/debug. There's also potential to make mistakes and I may not even know about it. And of course, I get it working & life gets busy & I don't mess with it, but 1+ years after, something breaks or I need to change something... then I'm struggling to recall what exact CLI commands I typed a while back.

Hence I do hope a "drop in" product like the RV32x or FVS336Gv3 or another is the right product for me.
 
I've decided to go with the ERPOE-5 as it will meet all my needs. I'd like to pair it with a Cisco WAP321 so I can set up dual-band wifi to segment my guests from my internal devices. I'd also like to use the PoE features of the router with the WAP, but I've read that the ERPOE-5 uses "passive" PoE, and the WAP uses 802.3af. I'm guessing this makes them incompatible or at the least needing some kind of converter. What's the best way to go about hooking these 2 together? Also, what will happen if I plug a non-PoE device into the PoE port? Does it just kill the device or are we talking fire hazard here?

Update: Would this work? It looks like the conversion might be in the wrong direction.
 
VLANs were created to isolate traffic and cut down on broadcast domains. In a home network, if you want all the Apple devices and Microsoft devices to find each other across VLANs, it is almost too much trouble to have VLANs. You might save your money and buy a fast router for home. If you are going to pass all the traffic from VLAN to VLAN, why have a VLAN? My wife always comes up with something which won't work from her iPad or iPhone in the different VLANs I have set up. Think about printer sharing, Apple TV, iTunes on a wired workstation, file sharing, etc. The list goes on and on. Just a thought.
 
Isolating traffic is entirely my goal. I have a test lab server infrastructure that I use professionally, and I'd like to keep the regular PCs and devices away from it except for specific ports on specific servers. I host my website locally, so just for security I figured it would be a good idea to put it in a DMZ. I'd also like to have my guests on a separate wireless network that can only access the internet. I've even considered isolating the devices as a group on their own VLAN since I can't control their security (think of all the devices out there that still haven't patched for Heartbleed). As more things become networked it's only going to get worse.

And lastly, I want to be able to learn how to manage a basic professional network just to increase my own understanding given how often it intersects my position (DBA).
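The segmentation just described (guest wireless that only reaches the internet, web server in a DMZ that answers connections but cannot open new ones toward the rest of the house), written as EdgeOS configure-mode commands for the ERPOE-5 the thread settles on. This is an added illustration, not configuration posted in the thread or taken from Ubiquiti's documentation; it assumes eth0 is the WAN port, eth1 is the trunk to the switches, and the VLAN IDs (20, 50) and all addresses are constructed.

```edgeos
configure
# eth1 carries the VLANs as subinterfaces; IDs and addresses are constructed examples.
set interfaces ethernet eth1 vif 20 description "Wired-Public (DMZ web server)"
set interfaces ethernet eth1 vif 20 address 10.0.20.1/24
set interfaces ethernet eth1 vif 50 description "Wireless-Public (guest)"
set interfaces ethernet eth1 vif 50 address 10.0.50.1/24

# One group covering every internal subnet, so "not toward the inside" is a single rule.
set firewall group network-group PRIVATE_NETS network 10.0.0.0/16

# Guest VLAN: accept replies to its own flows, drop (and log) anything aimed inside,
# accept the rest, i.e. the internet. "in" governs forwarded traffic only; DHCP and DNS
# requests to the router itself pass through the "local" chain and are not affected.
set firewall name GUEST_IN default-action drop
set firewall name GUEST_IN rule 10 action accept
set firewall name GUEST_IN rule 10 state established enable
set firewall name GUEST_IN rule 10 state related enable
set firewall name GUEST_IN rule 20 action drop
set firewall name GUEST_IN rule 20 destination group network-group PRIVATE_NETS
set firewall name GUEST_IN rule 20 log enable
set firewall name GUEST_IN rule 30 action accept
set interfaces ethernet eth1 vif 50 firewall in name GUEST_IN

# DMZ: same shape. Private PCs can open connections to the web server (their replies
# match rule 10 here), but the server cannot initiate toward them. A logged hit on
# rule 20 is exactly the "compromised but contained" signal worth alerting on.
set firewall name DMZ_IN default-action drop
set firewall name DMZ_IN rule 10 action accept
set firewall name DMZ_IN rule 10 state established enable
set firewall name DMZ_IN rule 10 state related enable
set firewall name DMZ_IN rule 20 action drop
set firewall name DMZ_IN rule 20 destination group network-group PRIVATE_NETS
set firewall name DMZ_IN rule 20 log enable
set firewall name DMZ_IN rule 30 action accept
set interfaces ethernet eth1 vif 20 firewall in name DMZ_IN

# Expose only HTTPS from the WAN to the web server (10.0.20.10 is constructed);
# auto-firewall adds the matching accept on the WAN side for you.
set port-forward wan-interface eth0
set port-forward lan-interface eth1.20
set port-forward auto-firewall enable
set port-forward rule 1 protocol tcp
set port-forward rule 1 original-port 443
set port-forward rule 1 forward-to address 10.0.20.10
set port-forward rule 1 forward-to port 443

commit
save
exit
```

The same GUEST_IN/DMZ_IN pattern (accept established, drop toward PRIVATE_NETS, accept the rest) extends to the remaining VLANs by adding per-segment accept rules above rule 20 for the specific server ports you want reachable.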
 
DMZ and security don't belong in the same sentence. DMZ is the opposite of security.
 
DMZ and security don't belong in the same sentence. DMZ is the opposite of security.

Could you expound on that? My understanding is that a DMZ is where you place servers you wish to expose to the internet. From that perspective the DMZ is inherently less secure than other network segments which remain isolated behind the firewall (though even the DMZ might only expose certain ports on specific servers to the internet). However, wouldn't the DMZ still be considered a component of overall network security since the servers in it have very limited access to the rest of the local network? The idea being that if they are compromised, the damage is contained, hopefully long enough for the intrusion to be detected.
 
Just following up. I've had my ERPOE-5 now for about a week and am so far pleased with it. I'm running firmware 1.6.0, and the GUI is very helpful. It's very DIY though, and I spent a lot of time reading forum posts, talking to network admins, and tinkering to understand how the pieces work. I also managed to nearly lock myself out of it once, and get it into an illegal state such that none of the VLANs were working the way they should (a quick edit of the config.boot fixed the issue). Fortunately Ubiquiti employees engage with forum users frequently and are both helpful and responsive (I had 5 responses in a couple of hours to help me troubleshoot an issue).

The WAN got set up with a wizard, and I was able to create all my subnets, and the firewall rules that govern them, without leaving the GUI. I need to do a couple port-forwards, but I can do that as well through the GUI. I understand there is a lot of advanced functionality that you can only get access to with the CLI (and I've used the CLI extensively for troubleshooting), and I'll have to do my port-mirroring through there as well, but the web interface seems very mature.

Thanks to everyone for the suggestions.
 