The Good:
In terms of pure performance under a simple configuration, this device performs well enough. My non-scientific test achieved >600Mbps between a privately addressed node and a speed test server on the Internet. The system does support VLANs and IPv6. This is a superior router to your garden variety consumer device.
The Bad:
I should preface my critique by saying that my observations come from a former CCNA, current security professional with arguably high expectations for the device’s manageability. The manufacturer could correctly respond to many of my critiques with "the feature was never promised as part of the product." These are still valid concerns. I am treating this device as both a router and a switch; an argument that this device is merely a router, not a switch, might provide a straightforward, if inadequate, defense for others of the critiques.
#1 – Missing Core Features
#1a – No way to view the MAC addresses known to ports. (i.e., no "show mac-address-table" equivalent)
A switch knows what MAC addresses are known to each port. A managed switch should (and even some consumer devices do) make this list available to admins to enable them to inventory the devices on the network. With this list, an admin with an asset list can determine if a new device has attached to the network. SNMP also does not reveal this information – more on this later.
#1b – No way to inspect the ARP table. (i.e., no "show arp" or "arp -a" equivalent)
A router (or IP-enabled node) keeps an ARP table for determining the L2 address for forwarded packets. Viewing it tells an admin what nodes are communicating to or through the router. This is such basic functionality that Windows, Linux, macOS, and other modern OSes all provide the ARP table with the same command: "arp -a". But not this router. The closest thing is the listing under "IP & MAC Binding List". But the list seems to apply only to VLAN 1, and it is not informative enough.
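The inventory check that #1a and #1b would enable, as an added example that is not part of the original review: since any host on a segment has its own "arp -a", an admin can parse that output (Linux and Windows formats, both constructed below) and flag MACs absent from an asset list. The inventory and sample entries are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample "arp -a" output, Linux format.
LINUX_ARP = """\
? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
nas.local (192.168.1.20) at 00:11:22:33:44:66 [ether] on eth0
? (192.168.1.77) at de:ad:be:ef:00:01 [ether] on eth0
? (192.168.1.99) at <incomplete> on eth0
"""

# Constructed sample "arp -a" output, Windows format (dash-separated MACs).
WINDOWS_ARP = """\
Interface: 192.168.1.50 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.88          de-ad-be-ef-00-02     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed asset list: MAC -> label for devices the admin already knows.
INVENTORY: Dict[str, str] = {
    "00:11:22:33:44:55": "router LAN interface",
    "00:11:22:33:44:66": "nas",
}

MAC_RE = re.compile(r"\b([0-9a-fA-F]{2}(?:[:-][0-9a-fA-F]{2}){5})\b")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")

def normalize_mac(mac: str) -> str:
    """Canonical lowercase, colon-separated form so Windows and Linux entries compare equal."""
    return mac.lower().replace("-", ":")

def parse_arp(text: str) -> List[Tuple[str, str]]:
    """Return (ip, mac) pairs from either format; skip incomplete and multicast/broadcast rows."""
    entries = []
    for line in text.splitlines():
        ip_m, mac_m = IP_RE.search(line), MAC_RE.search(line)
        if not ip_m or not mac_m:  # header lines and "<incomplete>" rows carry no MAC
            continue
        mac = normalize_mac(mac_m.group(1))
        if int(mac[:2], 16) & 1:  # I/G bit set: group address, not a host
            continue
        entries.append((ip_m.group(1), mac))
    return entries

def unknown_hosts(arp_text: str, inventory: Dict[str, str]) -> List[Tuple[str, str]]:
    """Entries whose MAC is missing from the asset list: candidate new devices to investigate."""
    return [(ip, mac) for ip, mac in parse_arp(arp_text) if mac not in inventory]
```

Run this from one host per VLAN and the result is the per-segment "new device" list the router itself does not provide.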
#2 – Missing L2 and VLAN Features
#2a – No spanning tree support. Zero. So if you have spanning-tree enabled devices and wish to build layer 2 fault tolerance into your network, you’re going to have to get a bit headier, since this device will be transparent. No, it wasn’t a promised feature, but the same can be said about Apple network devices, which would have gotten a pass for not having this feature.
#2b – No CDP Support. LLDP (Link Layer Discovery Protocol) is supported. Maybe it’s a reflection on the author, but no other LLDP devices exist on my network, while I have plenty of CDP ones, since I have a nearly homogeneous Cisco network. So LLDP is no help, and again, this device is a transparent entity where CDP is concerned. I would have appreciated CDP for legacy compatibility and LLDP for the future.
#3 – Problems with SNMP
I had hopes that SNMP would address my missing ARP and MAC address table issue… I was wrong.
Once I had the RV325 linked up with my SNMP monitoring software (Observium), my hopes of addressing some of the shortcomings were dashed.
The device presents three Ethernet ports in SNMP.
eth0: This represents the whole switch. All of the IPs associated with the interface are associated with this interface, but there is no expression of VLAN information at all, as I would expect from a switch. There is no expression of subinterfaces either, which I would expect from a router. This might help explain why I see lots of "IP Redirect" messages from this device when the next hop node is not available. And there was no "no ip redirects" command to help me stop this unnecessary traffic.
eth1: This is what the Web GUI calls "WAN1".
eth2: This is what the Web GUI calls "WAN2".
Interestingly, one can get per-port traffic counters via the Web GUI.
So:
A) With the RV325, one cannot get traffic on a per-VLAN basis.
B) No MAC address table expressed via SNMP.
C) The only ARP expressed via SNMP is for WAN ports.
#4 – No OpenVPN as a client
I had hopes that I could use the device’s OpenVPN functionality to create a stable VPN to a publicly addressed node. I currently do this from behind a NATed IPv4 address to tunnel static IPv6 addresses. Unfortunately, this device wants to be the server. Darn.
** There may be other ways for me to address my needs with this router. It has an impressive set of VPN options. But there is no way for me to replace the OpenVPN solution that I already have working.
#5 – More VLAN Strangeness (IPv6, DHCP)
#5a – My provider delegates a single /64 v6 network to my device. The device applies this space to VLAN 1, acting as a router and providing address assignment. There does not seem to be a way to assign this space to another VLAN. It is as though the IPv6 developers and the VLAN developers weren’t talking. So you can tear up that brilliant VLAN configuration you had and start over – or worse, you could be bringing this device in to replace an existing VLAN-enabled device, only to find out that you have to make network changes to work around this limitation. Don’t fret, it’s only more night work.
#5b – DHCP address binding seems to work for VLAN 1, but not for other VLANs. I haven’t gotten to the bottom of this, but it seems significant that the IP & MAC Binding "show unknown addresses" seems to know only of VLAN 1 unknown addresses. Perhaps it is natural that the bindings don’t work anywhere else, either. But like the previous limitation, it is disappointing and removes the value of the feature.
#5c – The VLAN/port assignment screen is unnecessarily hard to manage. Cisco, you’ve been doing this for years. You already know this isn’t good.
#6 – Firewall Rule Strangeness (yet more VLAN strangeness)
There is an option under VLANs called "Device Management" which, if disabled, prevents a device from accessing administrative features of the router. This means no Web GUI. It also means no SNMP, and probably other services for that VLAN. Changes to these settings are not reflected in firewall access rules, despite the fact that enabling the access rules will allow access to these same services. What is the real rule set? You’ll never know.
#7 – Mirror Port Kills Performance
The RV325 has an option to mirror all traffic to port 1. This is awesome! But don’t leave it on (like I would like to do) because it will eat your performance alive. Your performance will be measured in hundreds of Kbps. No M, no G.
The RV325 claims a good feature set, and delivers most of it. But the device behaves like Siamese twins – a switch and a router, uncomfortable together. You may be happier with Cisco’s enterprise-grade equipment (some of which sells for less than this device on Amazon, albeit with much less support) or that of another vendor.
For me, the device falls short. Consider the following requirements:
The network should…
– Separate guest devices, permanent user devices, IoT devices, permanent service devices (SANs, etc.), and security devices (cameras) such that they may not interfere with one another (VLANs).
– Allow for the inventory and detection of new network devices
– Support active monitoring (SNMP, syslog, packet capture), including at the VLAN level, without interfering with overall network performance.
For a home user, this may be excessive. But for a business, it certainly should not be. And at this price point, I believe a supported solution should be available. And despite the fact that the features I desire aren’t specifically advertised, I would expect another network-savvy admin to be surprised at these issues as well.
I hope you have found this writeup to be helpful.