Draytek Vigor 2820/2830 Configuration

A guide for Exa Resellers and IT Contractors

Draytek Vigor 2820/2830 Configuration

Contents
About this guide...................................................................................................................................................................3 Vigor Router Configuration (ADSL)........................................................................................................................................4 Vigor Router Configuration (FTTC).........................................................................................................................................4 Vigor Router Configuration (Pre-amble).................................................................................................................................5 Vigor Router Configuration (LAN) Single LAN.......................................................................................................................5 Vigor Router Configuration (LAN) Multi-LAN........................................................................................................................6 Vigor Router Configuration (DHCP)........................................................................................................................................7 Vigor Router Configuration (Finalisation)................................................................................................................................7 Vigor Router Configuration - Access internal website on real world IP......................................................................................8

Exa Networks Ltd 2012-

-2-

Revision 20120514-1

Draytek Vigor 2820/2830 Configuration

About this guide

This document has been compiled from internal documentation created by the Exa Networks Ltd Technical Support and Production department. As such, though all confidential references should have been removed prior to publication, this document is solely for the use of Exa Networks employees, their resellers, the customers of the aforementioned and anyone performing IT and networking work for the aforementioned. Other use of this document is prohibited, though derivative works which do not mention Exa Networks nor any of their products may be produced if full acknowledgement is given in such works. Draytek and Vigor are registered trademarks of Draytek Corporation Exa Networks and SurfProtect are registered trademarks of Exa Networks Ltd This guide should not be treated as a substitute technical manual for Draytek hardware, merely hints and instructions. Derivative configurations of those here will, no doubt, be possible and indeed often some steps are not completely necessary. For example: The rebooting of a router is not necessary during configuration, and simply skipping to a new step or menu option after clicking an 'OK' button will suffice. Those with the inclination or technical experience may wish to consult other resources, such as the router manual (provided in PDF format on a CD supplied with the router), or the Draytek (UK) website, as well as other networking and internet connectivity resources in order to modify or improve on the information given here. Comments and suggestions for this documentation can be sent to support@exa-networks.co.uk

Exa Networks Ltd 2012-

-3-

Revision 20120514-1

Draytek Vigor 2820/2830 Configuration

Vigor Router Configuration (ADSL)

1. Follow the instructions at Vigor Router Configuration (Pre-amble) 2. Choose the WAN connection (WAN > Internet Access) 1. Default configurations already have the drop-down against WAN1 set to PPPoE / PPPoA; If not, set this, and set WAN2 and WAN3 to none (unless this is some kind of hybrid connectivity with fail-overs). 3. Configure WAN details (WAN > Internet Access > WAN1 > Details Page) 1. Set DSL username, password and any other settings 2. Click OK and allow router to reboot again 4. Follow the instructions at Vigor Router Configuration (Finalisation)

Vigor Router Configuration (FTTC)

1. Follow the instructions at Vigor Router Configuration (Pre-amble) 2. For Vigor 2820 only: Go to WAN > General Setup 1. Change the Enabled drop-down for WAN2 to Yes 2. Change the Physical Mode drop-down to Ethernet 3. Change the Enabled drop-down for WAN1 to No (unless this is some kind of hybrid connectivity with failovers, or migrating from DSL to FTTC) 3. For Vigor 2830 only: Go to WAN > Internet Access 1. Default configurations have the drop-down against WAN1 set to PPPoE / PPPoA; Unless this is some kind of hybrid connectivity with fail-overs, or migrating from DSL to FTTC, disable WAN1 by: 1. Go into the WAN1 configuration and set it to Disabled 2. Click OK and allow the router to reboot This is annoying, but sometimes the routers absolutely refuse to remember the settings from the drop-downs on the parent screen. 2. Set WAN3 to none. This is probably already set, but if not and there is to be no form of hybrid connectivity, disable WAN3 by: 1. Go into the WAN3 configuration and set it to Disabled 2. Click OK and allow the router to reboot. 3. Set WAN2 to PPPoE and enter the details page 4. Configure WAN details (WAN > Internet Access > WAN2 > Details Page) 1. Select the Enabled option 1. This is a follow on from the routers often forgetting the settings from the parent screen. 2. Set DSL username, password and any other settings 3. Click OK and allow router to reboot again 1. N.B. WAN2 connections do not use the DSL (sync) light; They use the WAN2 light! (More investigation of the WAN2 light's behaviour is needed). 5. Follow the instructions at Vigor Router Configuration (Finalisation)

Exa Networks Ltd 2012-

-4-

Revision 20120514-1

Draytek Vigor 2820/2830 Configuration

Vigor Router Configuration (Pre-amble)

... continuing from other instructions 1. Obtain preferred internal IP details from end user technical contact: 1. What is(/are) the internal IP range(s) for the router? Up to four internal IP ranges are allowed. NB: Vigor 2830s are better multiple ranges than 2820s Caution: Unless VLAN IDs are being used, different ranges must be assigned to different physical ports on the router. 2. What is(/are) the internal subnet address(es) for the above range(s)? 3. What specific IP(s) should the router be given (for each network)? This is so that it can be the gateway for that(/those) network(s). 4. For each network, should DHCP be On or Off? If On: What should the lowest allocation address be (in that network)? How big should the IP pool be? Caution: Different LAN ports will have to be assigned to different subnets if multiple DHCP is required 5. If the connection is to be SurfProtected, there are separate LANs, and the connection owner does not have an ICAP capable proxy, is each LAN to be treated differently by SurfProtect? e.g. many schools have a Staff network and a Student network (often called Admin and Curriculum), are different rights to be granted to each network? 6. Are there any other Configuration details, such as port forwarding and firewalling? For example, when enabled - as in the finalisation - the router's remote administration runs on ports 80 and 443, and so any internal resources running on them would require these ports to be reassigned, and for port forwarding to be configured for the services' internal IP address. HTTPS can be blocked for one network and not another 2. Connect router to network card, plug in, switch on; Use cables and power adapter from box 1. May need to set network card to DHCP to be able to talk to the router. Default IP is usually 192.168.1.1 3. Log into router. Default details are usually admin and admin or admin and no password 4. Follow the instructions at Vigor Router Configuration (LAN) Single LAN or Vigor Router Configuration (LAN) MultiLAN depending on the necessary configuration. 5. Log into router again ... return to previous instructions

Vigor Router Configuration (LAN) Single LAN

... continuing from other instructions Configure LAN details (LAN > General Setup) For single IP configurations: 1. Go into LAN1 or the first LAN configuration area 2. Set Internal IP + Internal Subnet + DHCP (See Vigor Router Configuration (DHCP)) with settings provided by end-user technical contact 3. Click OK and allow router to reboot ... return to previous instructions

Exa Networks Ltd 2012-

-5-

Revision 20120514-1

Draytek Vigor 2820/2830 Configuration

Vigor Router Configuration (LAN) Multi-LAN

For multiple IP configurations: Vigor 2820s are not very good at this. 2830 or greater is recommended 1. Go into the VLAN Configuration (LAN > VLAN) and Enable VLANs 2. Set each port on the router to be associated with a different individual LAN a) Set the port to which you are connected to be LAN1, as they are all initially LAN1. b) e.g. you might set ports 1 and 2 to be LAN1 and ports 3 and 4 to be LAN2. c) Don't tick the specific VLAN Enable boxes unless there are known VLAN IDs from inside the end-user's network! Even though the tick-boxes allow it, running multiple ID-less VLANs over any single port can cause problems; Vigors are unpredictable when such a configuration is used and this is not recommended. This is especially true of DHCP. Multiple DHCP on one port will make the router inaccessible and it will have to be factory reset! d) These settings can be changed later 3. Go back to the main LAN screen and set the various LANs with their necessary settings as provided by the end-user technical contact - IP range, Subnet, Any DHCP (See Vigor Router Configuration (DHCP)) a) Click OK and reboot as necessary 4. Return to the VLAN Configuration and assign LANs to ports as necessary a) Ports can multiple ID-less VLANs, which is a nice trick, so it's possible to run all LANs on all ports, provided there's no DHCP clash. 5. If no DHCP has been assigned, manually set network card to be able to connect to the router using the (or one of) the IP range(s) associated with the port you are connected to on the router. 6. If the different subnets are to be treated differently by the outside world, i.e. they are to appear to come from different real-world IPs: a) This is necessary for one of the possible non-ICAP SurfProtect configurations b) N.B. This only works for Vigor2830s with June 2011 firmware or greater. Older 2830s will need to be updated. c) d) e) f) g) Log into the router again Go to (WAN >> Internet Access) Select the WAN configuration for whichever connectivity is being used (WAN1 for ADSL, WAN2 for FTTC) Click the WAN IP Alias button Add as many IPs from the connectivity's real world IP pool as necessary into the pop-up Ensure each entry is enabled Ensure each entry is set to join the NAT IP Pool N.B. If the connectivity only has the one real-world IP then either new IPs will need to be obtained or alternative methods of performing the subnet identification will need to be explored. Click OK Go to (NAT >> Address Mapping) N.B.: If this menu option is not present, the router does not have the latest firmware Select an unused rule by index number (Repeat as necessary for all subnets that are to be uniquely identifiable by real world IP) Set the Protocol to ALL Set the WAN interface to the interface of the associated connection (WAN1 for ADSL, WAN2 for FTTC) Set the WAN IP to one of the IPs set in WAN IP Alias earlier. Set the Private IP and subnet mask to be one of (or even part of) one of the LAN ranges on the router. This ties in with placing internal equipment into a specific subnet or network for different firewalling or filtering, as mentioned elsewhere Tick the Enable box and click OK

h) i) j) k) l) m) n)

o)

... return to previous instructions

Exa Networks Ltd 2012-

-6-

Revision 20120514-1

Draytek Vigor 2820/2830 Configuration

Vigor Router Configuration (DHCP)

... continuing from other instructions Configure DHCP details (LAN > General Setup)

These instructions are Vigor 2830 only

1. (For each LAN for which the router is to handle DHCP) Click on the Details Page button for the LAN 2. Either (Where there is equipment with manually configured IPs as well as those with DHCP leases): 1. Set the Start IP address to be an IP in the range for which no lower IPs will be allocated by the router Recommendation: Set this IP to fall on a subnet boundary. This would allow scope for more advanced firewalling / filtering etc. The low IPs are free to be manually assigned to other equipment such as servers, priority workstations, printers, etc. 2. Set the IP pool count to the number of computers that are realistically going to be asking the router for an IP address 3. Set the gateway IP address to be the same as the router's own IP address on the LAN Other configurations are possible, but beyond the scope of this documentation 4. Click OK 3. Or (Where everything requires DHCP, but certain equipment must fall in a particular subnet of DHCP): 1. Set the Start IP address to be the base address of the IP range (usually ending .0) 2. Set the IP pool count to be as large as to encompass everything. This includes all DHCP leasers as well as anything which requires a fixed IP to be allocated by the router 3. Set the gateway IP address to be the same as the router's own IP address on the LAN 4. Click OK 5. Go to (LAN >> Bind IP to MAC) 6. Select the Strict Bind option 7. Enter the MAC address and required internal IP address for specific important equipment, such as servers, priority workstations, printers, etc. 8. Repeat as necessary for all equipment Recommendation: Try to keep the allocations within a specific subnet of the LAN's range. This will allow for easier separate firewalling / filtering for these pieces of equipment where necessary. 4. The previous two rules may be combined if necessary, but doing so is beyond the scope of this documentation. ... return to previous instructions

Vigor Router Configuration (Finalisation)

1. Log into router for third time 2. Configure Admin Password (System Maintenance > Administrator Password) 1. Set password to be something other than admin; Choices are: 1. The ADSL password 2. A simple password from a Password Generator 3. Something requested by the end-user (though we do not ask for this preference). 2. No reboot needed this time (usually). 3. Configure Remote Admin details (System Maintenance > Management) 1. Set router name to be something pertaining to the customer 1. <customer name>-<first part of postcode> should work, although there is limited space; Use hyphens to separate words e.g. Exa-Networks-BD16 2. Turn on remote admin 3. Turn off telnet 4. Add an accepted (Access list) IP range of 82.219.212.0 with subnet of 255.255.255.0[/24] 5. Click OK and allow router to reboot for the final time 4. Optional: Test new router password

Exa Networks Ltd 2012-

-7-

Revision 20120514-1

Draytek Vigor 2820/2830 Configuration

Vigor Router Configuration - Access internal website on real world IP

For main ADSL Configuration instructions, see Vigor Router Configuration (ADSL) For main Fibre to the Cabinet Configuration instructions, see Vigor Router Configuration (FTTC) 1. Reconfigure Remote Admin details (System Maintenance > Management) 1. Ensure 'User define ports' is set 2. Change HTTP port to 8080 3. Change HTTPS port to 44300 4. Click OK once, but do not click OK a second time to reboot - this will be done later 2. Set up port redirection for HTTP (NAT > Port Redirection) 1. Click on the first available rule (usually 1) 2. Set mode to Single 3. Enter HTTP into the Service Name 4. Select the right real-world IP from the drop-down Further Configuration may be required if the right IP is not available. Docs to follow, but the setting is under WAN > Internet Access > WAN* > WAN IP Alias. 5. Set both the Public Port and Private Port to 80 6. Set the Private IP to the internal web server IP address 7. Tick 'Enable' at the top and click OK at the bottom 3. Set up port redirection for HTTPS (NAT > Port Redirection) 1. Click on the next available rule (usually 2) 2. Set mode to Single 3. Enter HTTPS into the Service Name 4. Select the real-world IP from the drop-down as before 5. Set both the Public Port and Private Port to 443 6. Set the Private IP to the internal web server IP address 7. Tick 'Enable' at the top and click OK at the bottom 4. Reboot the router (System Maintenance > Reboot System) 1. Ensure 'using current configuration' is set 2. Click 'Reboot Now'

Exa Networks Ltd 2012-

-8-

Revision 20120514-1