|At a glance|
|Product||Cisco Wireless-N VPN Firewall (RV110W) [Website]|
|Summary||Single band N router with 10/100 ports and 5 each IPsec & PPTP tunnels based on a Broadcom N Router SoC.|
|Pros||• Aggressively priced for an IPsec router • 100 Mbps wire-speed routing
• IPv6 support • VLANs with multiple subnets
|Cons||• Mixed wireless performance, especially with low signal levels
• Does not support full IPsec tunnels • Forces router IP change when adding VPN accounts
If you thought Cisco had established the low end of its RV small biz router line with the RV120W that Doug Reid looked at back in January, you’d be wrong. It seems that Cisco wants to extend its reach to the really small business router buyer and for that, they came up with the RV110W Wireless-N VPN Firewall.
At first blush, the 110W’s feature set looks similar enough to the 120W’s that you might wonder how Cisco is managing to sell the 110W for as low as $85 vs. $136. But all will be revealed shortly, dear reader. In the meantime, I’ll just say that you get what you pay for.
The RV110W is not cut from the same cloth as its other RV siblings. The emphasis on low cost starts with the all-plastic black enclosure, whose rounded-corner 6" square footprint might bring to mind an Apple Airport Extreme – Darth Vader edition. But a more appropriate comparison would be that it’s a slightly thinner version of the RV220W, with a bit of silvery bling on the front panel.
The two exernal antennae are movable, but can’t be upgraded. And even with a cost-reduced focus, Cisco has thoughfully added a security lock slot on the side and wall / ceiling mounting slots on the bottom.
Cisco didn’t scrimp on indicators as Figure 1 shows. They even included a hardware WPS button prominently on the front panel vs. the software only buttons on the more expensive RVs.
Figure 1: RV110W front view
The rear callouts in Figure 2 don’t identify the single WAN and four switch LAN ports as 10/100, not Gigabit. Cisco must believe low cost (or higher margins) is more important than supporting faster LAN transfers, since none of its RV series, including the more heavy-lifting RV0XX series include Gigabit Ethernet.
Figure 2: RV110W rear view
Once you get inside the 110W, you understand that it’s a very different beast. Unlike the other RV’s, it’s not powered by a Cavium processor. No, at the heart of the 110W beats a lowly Broadcom BCM5357 router SoC, the very same beastie that powers the two lowest-ranking members of the Linksys E series consumer router line. So the RV110W’s dirty little secret is that, at least hardware-wise, it has more in common with its E1200 and E1500 consumer cousins than with its own small-biz siblings.
Actually, of the two, the 110W is more like the E1500, since it has two SiGE 2.4 GHz power amplifiers under the RF shield you see in Figure 3. There’s a bit clearer shot of the board in the gallery if you want it.
Figure 3: RV110W inside
The 110W differs from the E1500 in an important way, however, in that it has 64 MB and 16 MB of RAM and flash, repspectively, vs. the E1500’s 32 MB / 8 MB. As you’ll see shortly, the 110W puts that extra memory to good use.
Considering the hardware it’s running on, the 110W’s feature set is pretty impressive. Here’s the summary; I’ll follow up with more details on some of the key features in a bit. You can also use Cisco’s feature comparison tool to compare the RV110W against Cisco’s other small-business routers and there is also an online emulator for an admin test drive.
- DHCP, Static, PPPoE, PPTP, L2TP WAN types, all with MTU adjust
- WAN port MAC address cloning
- DHCP server with max users, client lease time, DNS controls and DHCP reservation
- Built-in Dynamic DNS clients for TZO, DynDNS, 3322.org
- Static and dynamic routing (RIPv1, RIPv2)
- RSTP (Rapid Spanning Tree Protocol) support
- Four Port-based VLANs with 802.1q tagging enable
- Inter VLAN routing with separate DHCP for each subnet
- Port speed, mode and flow control adjust (no port disable)
- Port mirroring
- Dual-stack IPv6 support (four modes for mixes of WAN and LAN IP mode)
- IPv6 WAN support: Auto and static configuration
- IPv6 DHCP LAN server
- IPv6 static and RIPng routes
- IPv6 6to4 automatic tunneling and static DNS entry
- Up and downlink four level service priority QoS
- 802.1p tagging with CoS and DSCP settings
- DMZ host
- SPI+NAT firewall w/ enables for DoS protection, Multicast passthrough (IGMP proxy), Block WAN request, Java, Cookings, ActiveX, Proxy
- UPnP support
- Schedulable Allow / Deny outbound service access rules
- Schedulable Internet Access Policy and URL / Keyword blocking
- Single port forwarding with separate Internal and External port setting
- Port range forwarding
- Triggered port range forwarding
- HTTPS admin access (including remote)
- Password complexity enforcement (can be disabled)
- Read only guest admin account
- Admin session timeout adjust
- Simple Network Management Protocol (SNMP) version 1, 2c, 3,
- Available service advertisement via Bonjour
- Ping, Tracert and DNS lookup tools
- Syslog support
- Browser based log, emailed logs
- VPN status
- Wired and wireless statistics
- 5 QuickVPN tunnels (3DES encryption, MD5 authentication)
- 5 PPTP tunnels
- IPsec, PPTP, L2TP pass-through
- Self Generated Certificate and Certificate Import
- 2.4 GHz Wireless 802.11 b/g/n radio
- Up to 32 clients
- 4 SSIDs with separate virtual networks with separate wireless profiles, supports SSID to VLAN mapping with wireless client isolation
- WEP, WPA Personal / Enterprise, WPA2 Personal Enterprise security
- Wi-Fi Protected Setup (WPS), pushbutton and pin methods, assignable to SSID
- MAC address filtering
- Scheduled wireless enable / disable
- WMM support
- Wireless Distribution System (WDS) bridging and repeating with up to three partners
- Basic rate, Transmission rate, N transmission rate, CTS Protection enables
- Beacon and DTIM inverval, Fragmentation and RTS Threshold adjusts
- One-to-one NAT
- Cisco ProtectLink Web cloud-based security service
- Wireless Transmit power adjust
The two biggies in the missing features above are the first two. If you have multiple IP addresses from your ISP, the 110W can’t use any more than one of them. You also don’t get to try out Cisco’s optional ($) cloud-based security service that’s available on the RV0XX series (details here). But you can always point your DNS entries to OpenDNS and sign up for a free account and get free web filtering there.
For those of you who hunger for IPv6, the 110W supports it out of the box, but with a unique modal approach. Figure 4 shows your options, which include mixes of support for IPv6 on the LAN and WAN sides of the router.
Figure 4: IP mode settings
Doug put the RV 120W through some IPv6 testing, which you might want to glance at. I haven’t made the leap yet, so I left IPv6 alone. Cisco’s RV110W online emulator is set up in IPv6 mode for both WAN and LAN, so you can explore the settings more there.
Doug provided details on VLAN, Wireless configuration and QoS features in his RV 120W review. The 110W’s counterparts have a few differences that you should be aware of:
- VLAN ports can’t be configured as access, general, or trunk
- QoS profiles are priority-based only. You can’t set a bandwidth limit
- There is no traffic metering
A little closer shot of the board
This Getting started page is just for that. There is also a setup wizard that launches when you first log in.
The dashboard provides an at-a-glance status view
Example VLAN setup. The terminology is a bit confusing. This example shows router ports 3 and 4 members of both VLAN 3 and 4.
Basic wireless settings
Advanced wireless settings. No transmit power adjust.
The other dirty little secret the RV110W hopes you won’t notice is that it’s not a full IPsec router. The only IPsec you get is in the form of support for Cisco’s QuickVPN client. QuickVPN is for supporting remote clients only and uses MD5 authentication and 3DES encryption, which can’t be changed. The tunnel is from client to router only and doesn’t support NetBIOS traffic.
So you can use QuickVPN to securely connect to LAN clients behind the RV110W, browse and edit files and access whatever else you need. But no one on the the LAN can reach out to the QuickVPN’d client—the client must initiate all traffic.
The only VPN settings you have are to set up VPN clients, which you must do separately for QuickVPN and PPTP. There are no other IPsec settings, so you can’t support general IPsec clients or connections with other RV110Ws or any other IPsec gateway.
Figure 5: VPN client setup
The other VPN option is a fully-functional PPTP server. Many may dismiss PPTP as insecure, but it’s widely supported and the 110W’s implementation supports NetBIOS traffic and will assign connected clients a "local" IP whose range you can set, as Figure 5 shows. The PPTP server also supports a full two-way tunnel.
Since I’d learned the hard way about QuickVPN’s setup quirks with Windows 7 (short story: it requires Windows Firewall be enabled), I had an easier time with it this time. I also knew that I could run an IxChariot throughput test only from client to router and that I had to stop the test manually because the IxChariot endpoint on the 110W’s LAN couldn’t return test results to the console sitting on the WAN (that one-way tunnel, remember?)
Figure 6 shows throughput through the QuickVPN and PPTP tunnels averaged around 5 Mbps and 12 Mbps respectively for the one minute tests. Not too shabby for a single-chip router! Note that you can have five QuickVPN and five PPTP tunnels going simultaneously. I didn’t test this, but Cisco says it’s so.
Figure 6: QuickVPN and PPTP throughput
Note that I had to disable the default-enabled MPPE Encryption to get my PPTP tunnel up from the built-in Win 7 VPN client. There are no helpful hints about PPTP configuration in the admin manual, by the way.
One "feature" I didn’t care for at all is the 110W’s insistence on changing the router’s IP address when you make an entry in the VPN Client table. I know that both ends of a VPN tunnel need to be on different subnets so didn’t need the 110W’s help for this. But if you change it back, as I did, and then have to enter another VPN Client, the router will change it again. There should be a way to decline this option and have the router honor it.
One nice addition to the QuickVPN client (at least the recently-released 188.8.131.52 version that I downloaded and installed) is that it pops up a warning about its Win 7 quirks the first time it runs.
Routing throughput running the latest 184.108.40.206 firmware and our router test process measured 93 Mbps WAN to LAN, 94 Mbps LAN to WAN and 143 Mbps total with up and down tests running simultaneously. So you’re getting pretty much 100 Mbps wire-speed. The IxChariot composite plot below shows upload speed lower than download in the simultaneous routing test.
Maximum simultaneous connections stopped at our 34,925 test maximum, which is better than the RV 120W, which topped out at 12,086.
Figure 7: RV110W routing throughput
The RV110W is Wi-Fi Certified and properly defaulted to 20 MHz bandwidth mode on power-up. I successfully ran a Wi-Fi Protected Setup (WPS) session with my Win 7 client by entering the WPS code found on the router’s bottom label. The WPS session completed quickly and resulted in a WPA2/AES secured connection with the same WPA2 pre-shared key. All tests were run with this secured connection using our latest wireless test process.
The 2.4 GHz downlink chart in Figure 8, filtered to show single band routers only, shows the RV110W ranking near the bottom of the top third and slightly above the RV 120W and below the Linksys E1500.
Figure 8: RV110W Performance rank – 2.4 GHz, 20 MHz mode, downlink
So I pulled those two, plus another VPN router, the Draytek Vigor 2130n into the Performance table in Figure 9 for a closer look. The Draytek doesn’t support 40 MHz bandwidth mode, but in 20 MHz mode, it’s the best of the bunch running uplink.
All the Ciscos are more alike than different, although the RV 120W consistently turns in the weakest strong signal uplink performance. The 110W’s highest throughput of 63.9 Mbps was obtained in Location A running downlink in 20 MHz bandwidth mode. Note that the same test in 40 MHz bandwidth mode yielded about the same, i.e. 62.3 Mbps.
Figure 9: Wireless Performance table
Using bandwidth-hogging 40 MHz bandwidth mode doesn’t provide higher throughput for a single connection. But I was able to measure 80 Mbps total throughput when running a simultaneous up and downlink test. Using 40 MHz mode also seemed to help the abysmal 20 MHz mode uplink performance in weaker signal Locations D and F.
The IxChariot throughput plot summary in Figure 10 shows some large throughput dropouts during the stronger signal level runs, which I encountered during multiple retries. You can see this also in the 40 MHz mode downlink plot linked below.
Figure 10: IxChariot plots – 2.4 GHz, 20 MHz mode, downlink
Here are links to the other plots for your reference:
- 2.4 GHz / 20 MHz uplink
- 2.4 GHz / 20 MHz up and downlink
- 2.4 GHz / 40 MHz downlink
- 2.4 GHz / 40 MHz uplink
- 2.4 GHz / 40 MHz up and downlink
I’ve flipped back and forth in my feelings about the RV110W during my time reviewing it. But in the end, I think it’s a good addition to the range of options for connecting remote users securely back into their home or office LANs. Cisco’s QuickVPN method is, for the most part, quick and easy to get working. And you’ll never have to futz with a single IPsec setting, something that has been known to drive perfectly sane people to the brink.
As long as you understand QuickVPN’s limitations, which Cisco should make more clear—perhaps in a whitepaper (nudge, nudge)—you might even grow to prefer it over using a standard IPsec client.
Cisco has really squeezed a lot out of Broadcom’s router SoC, including managing to get 5 Mbps of 3DES encrypted VPN throughput, VLANs with routing among multiple subnets, priority based up and downlink QoS, 100 Mbps wire-speed routing, and decent—although not outstanding—802.11b/g/n wireless. Doing all that and getting it on store shelves for way under $100 could make the RV110W the product to bring easy-to-use VPN to the masses.