Guest WiFi Access with RV042

I have a new client with a RV042 and two wireless routers acting as access points. They want two different networks, Guests and Employee's. I know the RV042 has a dual WAN with the secondary being a DMZ port. Im not sure if it supports vlan routing but from what ive read, i could just create the subnet and implement firewall rules between the subnets.

Out of curiosity, would it be possible to place one wireless router off the dmz port with dhcp enabled?  

Please elaborate on this network setup as im not completely savvy with subnetting or these small business routers.

Who is Participating?
Fred MarshallConnect With a Mentor PrincipalCommented:
I believe this is the key to that:

Cisco switched from the Linksys/Cisco version marked in the fine print on the label
to a Cisco version with a darker colored box and front panel marked in the fine print on the label
RV042 V03.
Only the firmware on the latter has the VLAN capability as far as I know.
And, this is likely the only one you'll find on the market today from the usual suspects.

Firmware for this one is version 4.x.x.x.x.x.
I have one of these RV042 V03 running with
I have an RV082 of the same vintage running with
MattLightAuthor Commented:
Found a really good article on setting like this up.

I'm sure there is a better way ( more professional ) to accomplish this, but comes with the price tag of the equipment.

Ill leave this question open for additional comments on this setup.
btanConnect With a Mentor Exec ConsultantCommented:
Some quick setup thoughts:
a) By default, the DHCP range of the router can handle 50 clients (wired and wireless clients), have some buffering below the no.
b) The access points’ IP address should be statically assign for ease in managing the units via the web utility.
c) Configure the router for the Internet connection (e.g. WAN 1) then connect a switch (we will come to it later on) into on of the LAN ports. After that connect the wired PCs, etc and access points to that switch and configure each WAPs with different SSIDs.
d) The wireless computer etc will see the desired SSID and need to connect to that network. These wireless clients must be set as auto or in DHCP mode so that it will automatically receive an IP address from the router and eventually get internet access.
We do want to segregate network for the guest wireless clients as you also desired. Using the DMZ is preferred and, if practical, a strongly recommended alternative to Public LAN Servers or putting these servers on the WAN port where they are not protected and not accessible by users on the LAN. The RV042 should allow you to designate a DMZ interface and a separate IP address/subnet for that network. Also DMZ and WAN will be at different subnet.

The shared link with FW segregation is good and best practice for separating tiered esp for extranet and intranet (even for ext/int DMZ). Optimising the no of device and cost, using subnet or VLAN via the single router comes into considerations but for the big folks, physical FW is essential for more controls and granular ACL (they can belong to different DMZ stakeholders too).

Overall there are two things that we may want to consider either

i) use the concept of “subnetting” (RV042 has basic support for multiple subnets, but apparently it can only supply one pool of IP addresses (ie, I do not see any way to have it assign IP addresses to two different subnets).
ii) use a managed switch with Layer 3 capability.  (RV042's VLAN abilities are very basic so there doesn't seem to be any way to specify Firewall Access Rules based on a particular VLAN. E.g. force all the Wifi traffic onto a different subnet so that I can then create Access Rules based on that subnet.)
In (i), we can keep the regular switch but you will need to cluster the subnets of your network from the guests. Probably reading in the below can help . It can be something as simple as for internal computers and for guest 
In (ii), and also if we are not familiar with subnetting, probably a better fit or preferred means is to use a managed switch but with Layer 3 capabilities. Layer 3 deals with IP addresses where the switch can route certain IP address to the VLAN (Virtual LAN). These VLANs are like group of networks where you can manage the access restrictions for each member. However these switches are more expensive compared to the regular switch since it can do more that a regular switch. We will also want in general to explicitly configure an access list in the L3 device (or FW) to deny access between the external DMZ network and the internal network.
KuppingerCole Reviews AlgoSec in Executive Report

Leading analyst firm, KuppingerCole reviews AlgoSec's Security Policy Management Solution, and the security challenges faced by companies today in their Executive View report.

Fred MarshallConnect With a Mentor PrincipalCommented:
From what I get on my later version RV042 and RV082 units:
You can set up LAN ports to be on one of a few different VLANs.
What this appears to mean is that ports on one VLAN are on a LAN switch which is disconnected from any of the other VLAN port sets.
There appears to be no method for interVLAN routing on an RV0x2 .. not that you care.
Also, it appears to be no method for DHCP save on one VLAN but I've not found which one.  Might one assume VLAN1 which is the default?
It appears that the RV042 does not care what the VLAN2 subnet might be and I would guess that the management interface will always be on VLAN1 (i.e. the IP address of the RV042).

The dual WAN is not the place to look for this in my opinion.

What I get is this and it should work for you:
I am assuming that the company is on VLAN1 and is using DHCP from the RV042 already.
You would then set up VLAN2 on one or more ports (one should be enough).
You plug in a router (like another RV042) *LAN* side to the VLAN2 port and turn its DHCP service ON/Enabled.  Leave the WAN ports empty.  Assign the LAN side of this router a (different) subnet and an IP address as usual.  Now you have a complete subnet with a DHCP server.  You could plug the Guest Access Point into this LAN.
Oh!  You may have to assign all the LAN ports on the second router to VLAN2 also .. if that router is VLAN-aware as a recent RV042 may be.  I don't see how it can hurt and it may be necessary.

Now both subnets have access to the internet and not to each other.
TimotiStDatacenter TechnicianCommented:
@fmarshall: Do you know what exact hw/fw version of RV042 supports vlans?
Would be very interested! :)

btanConnect With a Mentor Exec ConsultantCommented:
Just to share for RV042, better to go into latest which is also dated quite sometime ago in 2012. E.g. Version 3 Hardware - Firmware

As it is v3 supports multiple LAN subnets and 4 port-based VLANs, but doesn't support 802.1q VLANs. Port-based VLANS allows you to separate traffic by physical LAN port on the RV042, although all devices will be on the same subnet. Likewise for RV042G

The latest list of firmware history for Cisco RV042 Dual WAN VPN Router (and other RV series inclusive too)

Just a side not in firmware release note

The RV0xx version 3 routers handle multiple subnets on the LAN side differently than the RV0xx version 2 routers. For example, RV042 v3 running in Router Mode is connected to the RV082 v3 (Serve as internet gateway). To allow the computers in the LAN of the RV042 v3 to access the Internet, you need to add an Access Rule.
MattLightAuthor Commented:
Thanks everyone for the comments. What i found was the RV042 supports assigning vlans to the LAN ports. What i ended up doing was configured one of the wireless routers as a WAP and plugging it into a LAN port on the back of the router and assigning that port to VLAN 2.
It still hands out ip addresses on 192.168 network so i just accommodated the dhcp range to handle wireless guests as well. When connected to the guest WAP i was not able to ping anything on the "internal" network and vise versa. However, i still pull the same gateway, which is to be expected so, i just made sure the router password was extremely secure in case there are wandering network clients. Also set the router to notify me of any failed attempts at logging in.

Its a simple setup, and not enterprise level security... but it will do for small businesses that don't have huge budgets.
Fred MarshallPrincipalCommented:
Thanks for the points!
What i ended up doing was configured one of the wireless routers as a WAP and plugging it into a LAN port on the back of the router and assigning that port to VLAN 2.
It still hands out ip addresses on 192.168 network so i just accommodated the dhcp range to handle wireless guests as well. ...However, i still pull the same gateway
I'd like to understand this better.  Are you saying that VLAN1 is, DHCP is enabled AND addresses from this subnet are being handed out via DHCP on VLAN2?

What I get from this is that while DHCP works on both VLANs, using the same subnet address range, the router still prevents traffic between the VLANs?

This means that the added router that I suggested isn't necessary for DHCP on VLAN2?
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.