Firewall and Security
The RV180's firewall features include most of what you'd expect. It offers simple check boxes to permit or deny flooding attacks on both the WAN and LAN, as well as controlling responses to ICMP messages. Typical firewall features like Port Triggering, Port Forwarding and DMZ host are all available on the RV180. I successfully created a simple Port Forwarding rule (Figure 10) to allow iperf traffic through the firewall to a specific host on the LAN.
Figure 10: Port forwarding rule
More detailed firewall rules can be created in the RV180's Access Rules menu to filter specific traffic flows. A rule can be created to either block or allow traffic always or by schedule. The rule can filter on inbound or outbound traffic, by source or destination IP or range of addresses, and by protocol. There are over 60 predefined protocols, and more can be added by TCP/UDP/ICMP and port. Below is a rule I created to block HTTP traffic, which effectively blocked all web surfing from behind the RV180.
Figure 11: Access rule
Web filtering options on the RV180 include allowing or blocking specific web sites based on URL or keyword. Web filtering on the RV180 also requires creating LAN groups, which are single IP addresses or ranges of IP addresses. With a URL or keyword defined for filtering and applied to a LAN group, websites matching the criteria entered will be blocked with the message below.
Figure 12: Block message
Personally, I find URL and keyword filtering too basic. To be effective, URL and keyword filtering requires a human to enter all the desired sites and words for blocking. With millions of websites, I'm not sure you can be that effective in controlling web use with this basic form of filtering.
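The limits of list-based filtering described above can be seen in a small model. This is an added example, not part of the original review and not the RV180's firmware logic; the group name, addresses, filter entries and matching semantics (exact host match for URLs, case-insensitive substring match for keywords) are all assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed LAN group: single addresses or ranges, as the review describes.
LAN_GROUPS = {"staff": [("192.168.1.100", "192.168.1.149")]}
# Constructed filter entries applied to that group (hypothetical values).
BLOCKED_URLS = {"staff": ["video.example.com"]}
BLOCKED_KEYWORDS = {"staff": ["game"]}

def in_group(client_ip, group):
    """True if client_ip falls inside any address range of the LAN group."""
    ip = ipaddress.ip_address(client_ip)
    return any(
        ipaddress.ip_address(lo) <= ip <= ipaddress.ip_address(hi)
        for lo, hi in LAN_GROUPS[group]
    )

def decide(client_ip, url):
    """Return 'block' or 'allow' under the assumed matching semantics.

    Clients that belong to no LAN group are not filtered at all.
    """
    host = (urlsplit(url).hostname or "").lower()
    for group in LAN_GROUPS:
        if not in_group(client_ip, group):
            continue
        if host in BLOCKED_URLS.get(group, []):
            return "block"
        if any(k in url.lower() for k in BLOCKED_KEYWORDS.get(group, [])):
            return "block"
    return "allow"

def audit(requests):
    """Apply the filter to (client_ip, url) pairs and return the decisions."""
    return [(ip, url, decide(ip, url)) for ip, url in requests]

# Constructed sample traffic.
SAMPLE = [
    ("192.168.1.120", "http://video.example.com/watch"),             # listed URL
    ("192.168.1.120", "http://video2.example.net/watch"),            # similar site, never listed
    ("192.168.1.120", "http://docs.example.org/game-theory-notes"),  # keyword over-block
    ("192.168.1.200", "http://video.example.com/watch"),             # host not in any LAN group
]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print(row)
```

The second and third rows show the two failure modes of a hand-maintained list: an unlisted site is allowed, and an unrelated page is blocked because its URL contains a keyword. The fourth row is a coverage gap to check when LAN group ranges do not span the whole DHCP pool.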
For more robust web filtering, Cisco RV220W's ProtectLink option offers a subscription-based web filtering service. Alternatively, I like Zyxel's VFG6005 solution, which integrates the free OpenDNS service for web filtering.
Options in the RV180's Advanced Firewall menu include MAC filtering, TCP and UDP session controls, IGMP proxy configuration, and the ability to enable or disable a SIP ALG (Application Layer Gateway). The Advanced Firewall menu also has menu options for configuring services (protocols) and schedules.
The RV180 also supports security options to authenticate users before they can use the network. Options include RADIUS, 802.1x and “Captive Portal.” The “Captive Portal” feature will force users to enter a user name and password to access the internet by presenting them with the login screen shown below. Once authenticated, users can then open another browser window and surf.
Figure 13: Captive portal
I like the RV180's network features. In addition to typical small network router capabilities such as static, DHCP, and PPPoE functionality on the WAN interface, the RV180 supports VLANs, Jumbo Frames, one-to-one NAT, IPv6 and QoS.
The RV180 supports up to four 802.1q VLANs. Each of the four ports on the RV180 can be configured as a tagged or untagged member of each VLAN. VLANs can be assigned a separate subnet, and the RV180 supports a separate DHCP server for each VLAN. By assigning a port as an untagged member of one VLAN and a tagged member of one or more additional VLANs, the RV180 also supports 802.1q VLAN trunking.
I tested basic VLAN capability by creating a separate VLAN with a unique DHCP server, assigning a port on the RV180 as an untagged member of that VLAN, connecting my PC to that port, and validating that my PC got an IP from the new DHCP server range. As shown in the diagram below, I created VLAN # 2012 and configured port 4 as the only member of this VLAN.
Figure 14: VLAN setup
The RV180 automatically assigns itself an IP address and creates a DHCP pool for each new VLAN created, saving you from having to configure it. In the above example, the RV180 assigned itself 192.168.2.1 for VLAN 2012 and created a DHCP pool in the 192.168.2.0/24 subnet. As expected, a device connected to port 4 on the RV180 received an IP in the 192.168.2.0/24 subnet.
With Gigabit ports, it is great to see the RV180 supports jumbo frames. The option for jumbo frames is enabled with a single checkbox and no reboot. Often, devices require a reboot to enable jumbo frames, so this is a nice convenience. Once enabled, I was able to pass up to 4000 byte frames between devices on the RV180 LAN; you can see my ping results below. (Note: my PC was limited to only 4000 byte frames; the RV180 specs indicate it supports up to 9000 byte frames.)
C:\Users\mrd005>ping -f -l 4000 192.168.1.10
Pinging 192.168.1.10 with 4000 bytes of data:
Reply from 192.168.1.10: bytes=4000 time<1ms TTL=64
Reply from 192.168.1.10: bytes=4000 time<1ms TTL=64
Reply from 192.168.1.10: bytes=4000 time<1ms TTL=64
Reply from 192.168.1.10: bytes=4000 time<1ms TTL=64
Ping statistics for 192.168.1.10:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)
IPv6 is also supported on the RV180, but requires a reboot to enable. The default LAN IPv6 address on the RV180 is fec0::1/64, so I assigned fec0::2/64 to my PC and was able to successfully send an IPv6 ping to the router. The RV180 supports static and DHCP (stateful and stateless) IPv6 addressing on the WAN and LAN interfaces.
IPv6 tunneling, which enables passing IPv6 traffic over an IPv4 network, is also supported. Supported IPv6 tunneling protocols include Automatic 6to4 and ISATAP.
The RV180 has two options for Quality of Service (QoS) configuration. In the first option, the RV180 can allocate a percentage of bandwidth to traffic designated as high, medium, or low priority. High, medium and low priority traffic is defined via profiles. Profiles are configured to match traffic based on protocol, IP, MAC, VLAN ID, or DSCP markings. In the second option, the RV180 can impose rate limits on the specific traffic profiles. Both modes control uplink traffic only.