USER MANUAL Vigor 3910 Draytek

Multi-WAN Security Router

USER'S GUIDE

Vigor3910 Series Multi-WAN Security Router

User's Guide

Version: 1.61

Firmware Version: V4.3.2.5

(For future update, please visit DrayTek web site)

Date: January 29, 2024

Copyrights

© All rights reserved. This publication contains information that is protected by copyright. No part may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language without written permission from the copyright holders.

Trademarks

The following trademarks are used in this document:

● Microsoft is a registered trademark of Microsoft Corp.
● Windows 8, 10, 11 and Explorer are trademarks of Microsoft Corp.
● Apple and Mac OS are registered trademarks of Apple Inc.
● Other products may be trademarks or registered trademarks of their respective manufacturers.

Safety Instructions

• Read the installation guide thoroughly before you set up the router.
• The router is a complicated electronic unit that may be repaired only be authorized and qualified personnel. Do not try to open or repair the router yourself.
• Do not place the router in a damp or humid place, e.g. a bathroom.
  ● The router should be used in a sheltered area, within a temperature range of +5 to +40 Celsius.
• Do not expose the router to direct sunlight or other heat sources. The housing and electronic components may be damaged by direct sunlight or heat sources.
• Do not deploy the cable for LAN connection outdoor to prevent electronic shock hazards.
• Do not power off the device when saving configurations or firmware upgrades. It may damage the data in a flash. Please disconnect the Internet connection on the device before powering it off when a TR-069/ ACS server manages the device.
• Keep the package out of reach of children.
• When you want to dispose of the router, please follow local regulations on conservation of the environment.

Warranty

We warrant to the original end user (purchaser) that the router will be free from any defects in workmanship or materials for a period of two (2) years from the date of purchase from the dealer. Please keep your purchase receipt in a safe place as it serves as proof of date of purchase. During the warranty period, and upon proof of purchase, should the product have indications of failure due to faulty workmanship and/or materials, we will, at our discretion, repair or replace the defective products or components, without charge for either parts or labor, to whatever extent we deem necessary tore-store the product to proper operating condition. Any replacement will consist of a new or re-manufactured functionally equivalent product of equal value, and will be offered solely at our discretion. This warranty will not apply if the product is modified, misused, tampered with, damaged by an act of God, or subjected to abnormal working conditions. The warranty does not cover the bundled or licensed software of other vendors. Defects which do not significantly affect the usability of the product will not be covered by the warranty. We reserve the right to revise the manual and online documentation and to make changes from time to time in the contents hereof without obligation to notify any person of such revision or changes.

Table of Contents

Part I Installation....1

I-1 Introduction ...... 2

I-1-1 Indicators and Connectors .... 3

I-2 Hardware Installation 5

I-2-1 Installing Vigor Router 5

I-2-2 Rack-Mounted Installation....6

I-3 Accessing Web Page 7

I-4 Changing Password....9

I-5 Dashboard.... 10

I-5-1 Virtual Panel 11

I-5-2 Quick Access for Common Used Menu 12

I-5-3 GUI Map 13

I-5-4 Web Console 14

I-5-5 Config Backup 14

I-5-6 Manual Download.... 15

I-5-7 Logout.... 15

I-5-8 Online Status.... 16

I-5-8-1 Physical Connection....16

I-5-8-2 Virtual WAN 18

I-6 Quick Start Wizard 19

I-6-1 For WAN1 (Fiber) 20

I-6-2 For WAN3 (Ethernet - 2.5G)....27

I-6-3 For WAN5\~WAN8 (Etherent) 34

I-7 Service Activation Wizard 41

I-8 Registering Vigor Router.... 43

I-9 VPN Client Wizard 46

I-10 VPN Server Wizard 53

Part II Connectivity ....63

II-1 Port Setup 64

II-2 WAN 65

Web User Interface 66

II-2-1 General Setup 66

II-2-2 Internet Access....71

II-2-2-1 Details Page for PPPoE....73

II-2-2-2 Details Page for Static or Dynamic IP....76

II-2-2-3 Details Page for IPv6 - Offline in Ethernet WAN....80

II-2-2-4 Details Page for IPv6 - PPP 80

II-2-2-5 Details Page for IPv6 - TSPC....81

II-2-2-6 Details Page for IPv6 - AICCU 83

II-2-2-7 Details Page for IPv6 - DHCPv6 Client 85

II-2-2-8 Details Page for IPv6 - Static IPv6....86

II-2-2-9 Details Page for IPv6 - 6in4 Static Tunnel 87
II-2-2-10 Details Page for IPv6 - 6rd 90

II-2-3 Multi-VLAN 92

II-2-4 WAN Budget....96

II-2-4-1 General Setup 96
II-2-4-2 Status 99

II-3 LAN 100

Web User Interface....102

II-3-1 General Setup 102

II-3-1-1 Details Page for LAN1 - Ethernet TCP/IP and DHCP Setup.... 103
II-3-1-2 Details Page for IP Routed Subnet 106
II-3-1-3 Details Page for LAN1 - IPv6 Setup.... 108
II-3-1-4 DHCP Server Option 112

II-3-2 VLAN 113
II-3-3 Bind IP to MAC 115
II-3-4 Port Mirror/Packet Capture.... 118
II-3-5 Wired 802.1x 120
II-3-6 PPPoE Server 122

II-4 NAT 123

Web User Interface 124
II-4-1 Port Redirection.... 124
II-4-2 DMZ Host 128
II-4-3 Open Ports 131
II-4-4 Port Triggering.... 133
II-4-5 Fast NAT 137
II-4-6 ALG....138

II-5 Applications 139

Web User Interface 141
II-5-1 Dynamic DNS 141
II-5-2 LAN DNS / DNS Forwarding 146
II-5-3 DNS Security 150

II-5-3-1 General Setup 150
II-5-3-2 Domain Diagnose.... 151

II-5-4 Schedule....152

II-5-5 RADIUS/TACACS+ 155

II-5-5-1 External RADIUS.... 155
II-5-5-2 Internal RADIUS 157
II-5-5-3 External TACACS+.... 160

II-5-6 Active Directory/ LDAP 161

II-5-6-1 General Setup 161
II-5-6-2 Active Directory / LDAP Profiles 162

II-5-7 UPnP 163

II-5-8 IGMP....165

II-5-8-1 General Setting 165
II-5-8-2 Working Status 166

II-5-9 Wake on LAN 167

II-5-10 SMS / Mail Alert Service.... 168

II-5-10-1 SMS Alert 168

II-5-10-2 Mail Alert 169

II-5-11 Bonjour 170

II-5-12 High Availability 173

II-5-12-1 General Setup.... 173

II-5-12-2 Config Sync 175

II-5-13 Local 802.1X General Setup 177

II-5-14 Smart Action 179

Application Notes 181

A-1 How to Implement the LDAP/AD Authentication for User Management? ..... 181

A-2 How to use DrayDDNS? 184

II-6 Routing....189

Web User Interface 190

II-6-1 Static Route 190

II-6-2 Load-Balance /Route Policy 195

II-6-2-1 General Setup 195

II-6-2-2 Diagnose for Route Policy 201

II-6-3 Fast Routing 205

II-6-4 OSPF 206

II-6-5 BGP 208

II-6-4-1 Basic Settings.... 209

II-6-4-2 Static Network 210

Application Notes 211

A-1 How to Customize a Secure Route between VPN Router and Remote Router by Using

Route Policy 211

Part III VPN 215

III-1 VPN and Remote Access.... 216

Web User Interface 216

III-1-1 Remote Access Control.... 217

III-1-1-1 Remote Access Control Setup 217

III-1-2 Bind to WAN 218

III-1-2 PPP General Setup 219

III-1-3 SSL General Setup....221

III-1-4 IPsec General Setup 222

III-1-5 IPsec Peer Identity 225

III-1-6 VPN Matcher Setup.... 227

III-1-7 OpenVPN 229

III-1-7-1 OpenVPN Server Setup 229

III-1-7-2 Client Config.... 232

III-1-7-3 Import Certificate 233

III-1-8 WireGuard 234

III-1-9 Remote Dial-in User 235

III-1-10 LAN to LAN....242

III-1-11 VPN Trunk Management 252

III-1-12 Connection Management 257

Application Notes 259

A-1 How to Build a LAN-to-LAN VPN Between Remote Office and Headquarter via IPsec Tunnel (Main Mode).... 259

III-2 Certificate Management.... 264

Web User Interface 265

III-2-1 Local Certificate 265

III-2-2 Trusted CA Certificate 270

III-2-3 Certificate Backup 273

III-2-4 Self-Signed Certificate.... 274

Part IV Security 275

IV-1 Firewall....276

Web User Interface 278

IV-1-1 General Setup 278

IV-1-2 Filter Setup.... 283

IV-1-3 Defense Setup 293

IV-1-3-1 DoS Defense 293

IV-1-3-2 Spoofing Defense.... 296

IV-1-4 Diagnose 296

Application Notes 299

A-1 How to Configure Certain Computers Accessing to Internet 299

IV-2 CSM (Central Security Management).... 302

Web User Interface 303

IV-2-1 APP Enforcement Profile 303

IV-2-2 URL Content Filter Profile 305

IV-2-3 Web Content Filter Profile.... 309

IV-2-4 DNS Filter Profile 312

Application Notes 314

A-1 How to Create an Account for MyVigor 314

A-2 How to Block Facebook Service Accessed by the Users via Web Content Filter / URL Content Filter 318

A-3 How to use APP Enforcement to block application like Facebook, YouTube or TeamViewer? 323

Part V Management ....327

V-1 System Maintenance 328

Web User Interface 329

V-1-1 System Status 329

V-1-2 TR-069 331

V-1-2-1 ACS and CPE Settings.... 331

V-1-2-2 Reporting Configuration.... 333

V-1-2-3 Export Parameters.... 335

V-1-3 Administrator Password 336

V-1-4 User Password.... 339

V-1-5 Login Page Greeting 342

V-1-6 Configuration Backup.... 344

V-1-7 Configuration Export 346

V-1-8 Webhook 347

V-1-9 Syslog/Mail Alert 348

V-1-10 Time and Date.... 351

V-1-11 SNMP 352

V-1-12 Management 354

V-1-13 Self-Signed Certificate 359

V-1-14 Reboot System.... 361

V-1-15 Firmware Upgrade 362

V-1-16 Internal Service User List 363

V-1-17 Dashboard Control 364

V-1-18 Max Connection 364

V-2 Bandwidth Management 365

Web User Interface 366

V-2-1 Sessions Limit 366

V-2-2 Bandwidth Limit 368

V-2-3 Quality of Service 370

V-2-4 APP QoS 376

V-3 User Management 377

Web User Interface 378

V-3-1 General Setup 378

V-3-2 User Profile 380

V-3-3 User Group.... 385

V-3-4 User Online Status 386

V-3-5 PPPoE User Online Status 387

Application Notes 388

A-1 How to authenticate clients via User Management 388

A-2 How to use Landing Page Feature 397

V-4 Hotspot Web Portal 401

Web User Interface 401

V-4-1 Profile Setup.... 401

V-4-1-1 Login Method 402

V-4-1-2 Steps for Configuring a Web Portal Profile.... 403

V-4-2 Users Information.... 419

V-4-2-1 User Info 419

V-4-2-2 Database Setup.... 421

V-4-3 Quota Management 423

V-4-4 PIN Generator 426

V-4-4-1 PIN Status 426
V-4-4-2 PIN Generator 427
V-4-4-3 PIN Voucher 428

Application Notes 430

A-1 How to allow users login to Vigor's Hotspot with their social media accounts (e.g.,
Facebook & Google) 430
A-2 How to allow hotspot clients to get login PIN code via SMS?...... 438

V-5 Central Management (AP) 446

Web User Interface 447
V-5-1 Dashboard.... 447
V-5-2 Status 448
V-5-3 WLAN Profile.... 449
V-5-4 AP Maintenance.... 454
V-5-5 Traffic Graph 455
V-5-6 Event Log 456
V-5-7 Total Traffic 457
V-5-8 Station Number 457
V-5-9 Load Balance 458

V-6 Central Management (Switch) 460

Web User Interface 461
V-6-1 Status 461

V-6-1-1 Switch Status 461
V-6-1-2 Switch Hierarchy 463
V-6-1-3 Detailed Info.... 464
V-6-1-4 TR069 Setting.... 465

V-6-2 Profile 466
V-6-3 Group 469
V-6-4 Maintenance.... 471
V-6-5 Alert and Log....472

V-6-5-1 Alert Setup.... 472
V-6-5-2 Switch and Port Setup 473

V-6-6 Database Setup 475
V-6-7 Support List 476

V-7 Central Management (External Devices).... 477

Part VI Others....479

VI-1 Objects Settings.... 480

Web User Interface 481
VI-1-1 IP Object 481
VI-1-2 IP Group....484
VI-1-3 IPv6 Object.... 485
VI-1-4 IPv6 Group 487
VI-1-5 Service Type Object....488
VI-1-6 Service Type Group 490

VI-1-7 Keyword Object.... 492

VI-1-8 Keyword Group 494

VI-1-9 File Extension Object 495

VI-1-10 SMS/Mail Service Object 497

VI-1-11 Notification Object....502

VI-1-12 String Object 504

VI-1-13 Country Object 505

VI-1-14 Objects Backup/Restore 507

Application Notes 508

A-1 How to Send a Notification to Specified Phone Number via SMS Service in WAN Disconnection 508

VI-2 USB Application 512

Web User Interface 513

VI-2-1 USB General Settings....513

VI-2-2 USB User Management 513

VI-2-3 File Explorer 515

VI-2-4 USB Device Status.... 517

VI-2-5 Temperature Sensor 519

Part VII Troubleshooting ....521

VII-1 Diagnostics 522

Web User Interface 523

VII-1-1 Dial-out Triggering....523

VII-1-2 Routing Table....524

VII-1-3 ARP Cache Table 525

VII-1-4 IPv6 Neighbour Table 526

VII-1-5 DHCP Table.... 527

VII-1-6 NAT Sessions Table 528

VII-1-7 DNS Cache Table 529

VII-1-8 Ping Diagnosis 530

VII-1-9 Data Flow Monitor 532

VII-1-10 Port Mirror/Packet Capture 534

VII-1-11 Traffic Graph 537

VII-1-12 VPN Graph....538

VII-1-13 Trace Route 540

VII-1-14 Syslog Explorer....541

VII-1-15 IPv6 TSPC Status 542

VII-1-16 High Availability Status 543

VII-1-17 Authentication Information 545

VII-1-18 DoS Flood Table 546

VII-1-19 Route Policy Diagnosis 547

VII-1-20 Debug Logs....549

VII-2 Checking If the Hardware Status Is OK or Not 550
VII-3 Checking If the Network Connection Settings on Your Computer Is OK or Not.... 551
VII-4 Pinging the Router from Your Computer 554
VII-5 Checking If the ISP Settings are OK or Not.... 556
VII-6 Backing to Factory Default Setting If Necessary 557
VII-7 Contacting DrayTek 559

Part VIII DrayTek Tools ....561

VIII-1 SmartVPN Client....562

VIII-1-1 DrayTek Android-based SmartVPN APP for the establishment of SSL VPN connection 562
VIII-1-2 How to Use SmartVPN Android APP to Establish SSL VPN Tunnel?...... 563

Part IX Telnet Commands....567

Accessing Telnet of Vigor3910 568

Part I Installation

This part will introduce Vigor router and guide to install the device in hardware and software.

I-1 Introduction

This is a generic International version of the user guide. Specification, compatibility and features vary by region. For specific user guides suitable for your region or product, please contact local distributor.

Vigor3910 Series, a broadband router, integrates IP layer QoS, NAT session/bandwidth management to help users control works well with large bandwidth.

By adopting hardware-based VPN platform and hardware encryption of AES/ DES/ 3DES, the router increases the performance of VPN greatly and offers several protocols (such as IPSec/ PPTP/ L2TP) with up to 100 VPN tunnels.

The object-based design used in SPI (Stateful Packet Inspection) firewall allows users to set firewall policy easily. CSM (Content Security Management) provides users control and management in IM (Instant Messenger) and P2P (Peer to Peer) more efficiency than before. By the way, DoS/ DDoS prevention and URL/ Web content filter strengthen the security outside and control inside.

Object-based firewall is flexible and allows your network be safe.

graph TD
    A["Remote office A"] -->|VPN Load-balancing & Failover| B["HQ"]
    C["Remote office B"] -->|VPN Failover| B
    D["Branch office"] -->|VPN Failover| B
    E["Tele-workers"] -->|Remote Dial-in (Support SSL VPN)| B
    B --> F["Vigor3910"]

I-1-1 Indicators and Connectors

Before you use the Vigor router, please get acquainted with the LED indicators and connectors first.

Interface Description
USB1 / USB2 Connector for the USB device.
Console Provided for technician use.
SFP+(P1~P2)	Connector for SFP module with the rate of 10G/ 1G bps.
2.5GBase-T(P3~P4)	Connector for remote network devices or local network devices (WAN/ LAN) with the rate of 2.5G/ 1G/ 100M/ 10M bps.
GbE P5~P8 Connectors for remote network devices or local network devices (WAN/ LAN) with the rate of 1G/ 100M/ 10M bps.
GbE P9~P12	Connector for local network devices (LAN) with the rate of 1G/ 100M/ 10M bps.
	The Factory Reset button is used to restore the default settings. Turn on the router (ACT LED is blinking). Press the hole and keep for more than 5 seconds. When you see the ACT LED begins to blink rapidly than usual, release the button. Then the router will restart with the factory default configuration.
	Connector for a power cord.ON/ OFF - Power switch.

I-2 Hardware Installation

I-2-1 Installing Vigor Router

Before starting to configure the router, you have to connect your devices correctly.

1. Connect a modem to any WAN port of Vigor3910 with Ethernet cable (RJ-45) to access Internet.
2. Connect the other end of the cable (RJ-45) to the Ethernet port on your computer (that device also can connect to other computers to form a small area network). The LAN LED for that port on the front panel will light up.
3. Connect a server/router (depends on your requirement) to any WAN port of Vigor3910 with Ethernet cable (RJ-45). The WAN LED will light up.
4. Connect the power cord to Vigor3910's power port on the rear panel, and the other side into a wall outlet.
5. Power on the device by pressing down the power switch on the rear panel. The PWR LED should be ON.
6. The system starts to initiate. After completing the system test, the ACT LED will light up and start blinking.

Below shows an outline of the hardware installation for your reference.

graph TD
    A["Power cable"] --> B["1"]
    B --> C["2"]
    C --> D["3"]
    D --> E["4"]
    E --> F["5"]
    G["Internet"] --> H["1"]
    I["Internet"] --> J["3"]
    K["Server"] --> L["2"]
    M["Computer"] --> N["LAN"]
    O["Wizard"] --> P["1"]
    Q["COM/CLZ"] --> R["1"]
    S["SPV"] --> T["1"]
    U["1100bit-F"] --> V["1"]
    W["16"] --> X["16"]
    Y["16"] --> Z["16"]
    AA["16"] --> AB["16"]
    AC["16"] --> AD["16"]

I-2-2 Rack-Mounted Installation

The Vigor3910 Series can be mounted on the wall by using standard brackets shown below.

Attach the brackets to the chassis of a rack. The second bracket attaches the other side of the chassis.

After the bracket installation, the Vigor3910 Series chassis can be installed in a rack by using four screws for each side of the rack.

Desktop Type Installation

Rubber pads are included with the Vigor3910 Series. These rubber pads improve the air circulation and decrease unnecessary rubbing on the desktop.

I-3 Accessing Web Page

1. Make sure your PC connects to the router correctly.

You may either simply set up your computer to get IP dynamically from the router or set up the IP address of the computer to be the same subnet as the default IP address of Vigor router 192.168.1.1. For the detailed information, please refer to the later section - Trouble Shooting of the guide.

1. Open a web browser on your PC and type http://192.168.1.1. The following window will be open to ask for username and password.

Copyright © 2021 DrayTek Corp

1. Please type "admin/admin" as the Username/Password and click Login.

Info

If you fail to access to the web configuration, please go to "Trouble Shooting" for detecting and solving your problem.

1. Now, the Main Screen will appear.

Info

The home page will be different slightly in accordance with the type of the router you have.

1. The web page can be logged out according to the chosen condition. The default setting is Auto Logout, which means the web configuration system will logout after 5 minutes without any operation. Change the setting for your necessity.

I-4 Changing Password

Please change the password for the original security of the router.

1. Open a web browser on your PC and type http://192.168.1.1. A pop-up window will open to ask for username and password.

2. Please type "admin/admin" as Username/Password for accessing into the web user interface with admin mode.

3. Go to System Maintenance page and choose Administrator Password.

System Maintenance >> Administrator Password

Administrator Password

1. Enter the login password (the default is "admin") on the field of Old Password. Type New Password and Confirm Password. Then click OK to continue.

Info

The maximum length of the password you can set is 23 characters.

1. Now, the password has been changed. Next time, use the new password to access the Web user interface for this router.

Info

Even the password is changed, the Username for logging onto the web user interface is still "admin".

I-5 Dashboard

Dashboard shows the connection status including System Information, IPv4 Internet Access, IPv6 Internet Access, Interface (physical connection), Security and Quick Access.

Click Dashboard from the main menu on the left side of the main page.

A web page with default selections will be displayed on the screen. Refer to the following figure:

Dashboard

I-5-1 Virtual Panel

On the top of the Dashboard, a virtual panel (simulating the physical panel of the router) displays the physical interface connection. It will be refreshed every five seconds. When you move and click the mouse cursor on LAN, or WAN, related web setting page will be open for you to configure if required.

Dashboard

For detailed information about the LED display, refer to I-1-1 LED Indicators and Connectors.

I-5-2 Quick Access for Common Used Menu

All the menu items can be accessed and arranged orderly on the left side of the main page for your request. However, some important and common used menu items which can be accessed in a quick way just for convenience.

Look at the right side of the Dashboard. You will find a group of common used functions grouped under Quick Access.

The function links of System Status, Dynamic DDNS, TR-069, User Management, IM/ P2P Block, Schedule, Syslog/ Mail Alert, LDAP, RADIUS, Firewall Object Setting and Data Flow Monitor are displayed here. Move your mouse cursor on any one of the items and click on it. The corresponding setting page will be open immediately.

Dashboard

Besides, LAN, IP Routed Subnet, WAN interfaces, VPN security settings such as Remote Dial-in User and LAN to LAN also can be accessed on this page easily. Scroll down the page to find them and move your mouse cursor on the item to open the configuration web page.

Note that there is a plus ( ) icon located on the left side of VPN/LAN. Click it to review the LAN connection(s) used presently.

All of the hosts (including wireless clients) displayed with Host ID, IP Address and MAC address indicates that the traffic would be transmitted through LAN port(s) and then the WAN port. The purpose is to perform the traffic monitor of the host(s).

I-5-3 GUI Map

All the functions the router supports are listed with table clearly in this page. Users can click the function link to access into the setting page of the function for detailed configuration. Click the icon on the top of the main screen to display all the functions.

GUI Map

I-5-4 Web Console

It is not necessary to use the telnet command via DOS prompt. The changes made by using web console have the same effects as modified through web user interface. The functions/ settings modified under Web Console also can be reviewed on the web user interface.

Click the Web Console icon on the top of the main screen to open the following screen.

I-5-5 Config Backup

There is one way to store current used settings quickly by clicking the Config Backup icon. It allows you to backup current settings as a file. Such configuration file can be restored by using System Maintenance>>Configuration Backup.

Simply click the icon on the top of the main screen.

I-5-6 Manual Download

Manual Download

Click this icon to open online user's guide of Vigor router. This document offers detailed information for the settings on web user interface.

I-5-7 Logout

logout

Click this icon to exit the web user interface.

I-5-8 Online Status

Dashboard

Wizards

Online Status

Physical Connection

Virtual WAN

Search menu

I-5-8-1 Physical Connection

Such page displays the physical connection status such as LAN connection status, WAN connection status, ADSL information, and so on.

Physical Connection for IPv4 Protocol

Online Status

Physical Connection for IPv6 Protocol

Online Status

Detailed explanation (for IPv4) is shown below:

Detailed explanation (for IPv6) is shown below:

Info

The words in green mean that the WAN connection of that interface is ready for accessing Internet; the words in red mean that the WAN connection of that interface is not ready for accessing Internet.

I-5-8-2 Virtual WAN

Such page displays the virtual WAN connection information.

Virtual WAN are used by TR-069 management, VoIP service and so on.

The field of Application will list i-9 the purpose of such WAN connection.

I-6 Quick Start Wizard

Quick Start Wizard can help you to deploy and use the router easily and quickly. Go to Wizards>>Quick Start Wizard. The first screen of Quick Start Wizard is entering login password. After typing the password, please click Next.

Wizards >> Quick Start Wizard

Enter login password

Please enter an alpha-numeric string as your Password (Max 83 characters)

Old Password

New Password

Confirm Password

Password Strength:

Strong password requirements:

1. Have at least one upper-case letter and one lower-case letter.

2. Including non-alphanumeric characters is a plus.

Hint: If you want to keep the password unchanged, leave the password blank and press "Next" button to skip this process.

< Back

Next>

Finish

Cancel

On the next page as shown below, please select the WAN interface that you use. If fiber is used, please choose WAN1/WAN2; if Ethernet is used, please choose WAN3 \~WANx. Then click Next for next step.

Quick Start Wizard

WAN Interface

WAN Interface:

Display Name:

Physical Mode:

Physical Type:

WAN3

MK-Tina

Ethernet

Auto negotiation ▼

< Back

Next>

Finish

Cancel

Fiber WAN and Etherent WAN will bring up different configuration page. Refer to the following for detailed information.

I-6-1 For WAN1 (Fiber)

WAN1 can be configured for physical mode of SFP+ (Fiber connection).

Quick Start Wizard

WAN Interface

Available settings are explained as follows:

On the next page as shown below, please select the appropriate Internet access type according to the information from your ISP. For example, you should select PPPoE mode if the ISP provides you PPPoE interface. Then click Next for next step.

Ethernet WAN1 - PPPoE

1. Choose WAN1 as the WAN Interface. Click the Next button. The following page will be open for you to specify Internet Access Type.

Quick Start Wizard

Connect to Internet

1. Click PPPoE as the Internet Access Type to get the following page.

Quick Start Wizard

PPPoE Client Mode

Available settings are explained as follows:

1. Please manually enter the Username/ Password provided by your ISP. Click Next for viewing summary of such connection.

Quick Start Wizard

Please confirm your settings:

WAN Interface: WAN1 Physical Mode: SFP+ Internet Access: PPPoE

Click Back to modify changes if necessary. Otherwise, click Finish to save the current settings and restart the Vigor router.

1. Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown.

Quick Start Wizard Setup OK!

1. Now, you can enjoy surfing on the Internet.

Ethernet WAN1 - Static IP

1. Choose WAN1 as the WAN Interface. Click the Next button. The following page will be open for you to specify Internet Access Type.

Quick Start Wizard

Connect to Internet

WAN 1

Select one of the following Internet Access types provided by your ISP.

○ PPPoE

Static IP

○ DHCP

1. Click Static IP as the Internet Access type to get the following page.

Quick Start Wizard

Static IP Client Mode

WAN 1

Enter the Static IP configuration provided by your ISP.

WAN IP

190.168.3.100

Subnet Mask

255.255.255.0

Gateway

192.168.3.1

Primary DNS

8.8.8.8

Secondary DNS

8.8.4.4

(optional)

Available settings are explained as follows:

1. Please Enter the IP address information originally provided by your ISP. Then click Next for next step.

Quick Start Wizard

Please confirm your settings:

WAN Interface:

WAN1

Physical Mode:

SFP+

Internet Access:

Static IP

Click Back to modify changes if necessary. Otherwise, click Finish to save the current settings and restart the Vigor router.

1. Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown.

Quick Start Wizard Setup OK!

1. Now, you can enjoy surfing on the Internet.

Ethernet WAN1 - DHCP

1. Choose WAN1 as the WAN Interface. Click the Next button. The following page will be open for you to specify Internet Access Type.

Quick Start Wizard

Connect to Internet

WAN 1

Select one of the following Internet Access types provided by your ISP.

○ PPPoE

○ Static IP

DHCP

1. Click DHCP as the Internet Access type to get the following page.

Quick Start Wizard

DHCP Client Mode

WAN 1

If your ISP requires you to enter a specific host name or specific MAC address, please enter it in.

Host Name

MAC

Available settings are explained as follows:

Cancel Click it to give up the quick start wizard.

1. After finished the settings above, click Next for viewing summary of such connection.

Quick Start Wizard

Please confirm your settings:

WAN Interface: WAN1

Physical Mode: SFP+

Internet Access: DHCP

Click Back to modify changes if necessary. Otherwise, click Finish to save the current settings and restart the Vigor router.

1. Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown.

Quick Start Wizard Setup OK!

1. Now, you can enjoy surfing on the Internet.

I-6-2 For WAN3 (Ethernet - 2.5G)

WAN3 shall be used for connection with rate 2.5G.

Quick Start Wizard

WAN Interface

Available settings are explained as follows:

On the next page as shown below, please select the appropriate Internet access type according to the information from your ISP. For example, you should select PPPoE mode if the ISP provides you PPPoE interface. Then click Next for next step.

Ethernet WAN3 - PPPoE

1. Choose WAN3 as the WAN Interface. Click the Next button. The following page will be open for you to specify Internet Access Type.

Quick Start Wizard

Connect to Internet

1. Click PPPoE as the Internet Access Type to get the following page.

Quick Start Wizard

PPPoE Client Mode

Available settings are explained as follows:

1. Please manually enter the Username/ Password provided by your ISP. Click Next for viewing summary of such connection.

Quick Start Wizard

Please confirm your settings:

WAN Interface:

WAN3

Physical Mode:

Ethernet

Internet Access:

PPPoE

Click Back to modify changes if necessary. Otherwise, click Finish to save the current settings and restart the Vigor router.

< Back

Next>

Finish

Cancel

1. Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown.

Quick Start Wizard Setup OK!

1. Now, you can enjoy surfing on the Internet.

Ethernet WAN3 - Static IP

1. Choose WAN3 as the WAN Interface. Click the Next button. The following page will be open for you to specify Internet Access Type.

Quick Start Wizard

Connect to Internet

WAN 3

Select one of the following Internet Access types provided by your ISP.

○ PPPoE

Static IP

DHCP

< Back

Next >

Finish

Cancel

1. Click Static IP as the Internet Access type to get the following page.

Quick Start Wizard

Static IP Client Mode

WAN 3

Enter the Static IP configuration provided by your ISP.

WAN IP

172.16.21.77

Subnet Mask

255.255.255.0

Gateway

172.16.21.1

Primary DNS

8.8.8.8

Secondary DNS

8.8.4.4

(optional)

< Back

Next >

Finish

Cancel

Available settings are explained as follows:

1. Please enter the IP address information originally provided by your ISP. Then click Next for next step.

Quick Start Wizard

Please confirm your settings:

WAN Interface:

WAN3

Physical Mode:

Ethernet

Internet Access:

Static IP

Click Back to modify changes if necessary. Otherwise, click Finish to save the current settings and restart the Vigor router.

1. Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown.

Quick Start Wizard Setup OK!

1. Now, you can enjoy surfing on the Internet.

Wireless WAN3 - DHCP

1. Choose WAN3 as the WAN Interfac. Click the Next button. The following page will be open for you to specify Internet Access Type.

Quick Start Wizard

Connect to Internet

WAN 3

Select one of the following Internet Access types provided by your ISP.

○ PPPoE

○ Static IP

DHCP

1. Click DHCP as the Internet Access type to get the following page.

Quick Start Wizard

DHCP Client Mode

WAN 3

If your ISP requires you to enter a specific host name or specific MAC address, please enter it in.

Host Name

MAC

Available settings are explained as follows:

Cancel Click it to give up the quick start wizard.

1. After finished the settings above, click Next for viewing summary of such connection.

Quick Start Wizard

Please confirm your settings:

WAN Interface:

WAN3

Physical Mode:

Ethernet

Internet Access:

DHCP

Click Back to modify changes if necessary. Otherwise, click Finish to save the current settings and restart the Vigor router.

1. Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown.

Quick Start Wizard Setup OK!

1. Now, you can enjoy surfing on the Internet.

I-6-3 For WAN5\~WAN8 (Etherent)

WAN5\~WAN8 can be configured for physical mode of Ethernet.

Quick Start Wizard

WAN Interface

Available settings are explained as follows:

On the next page as shown below, please select the appropriate Internet access type according to the information from your ISP. For example, you should select PPPoE mode if the ISP provides you PPPoE interface. Then click Next for next step.

Ethernet WAN5 - PPPoE

1. Choose WAN5 as the WAN Interface. Click the Next button. The following page will be open for you to specify Internet Access Type.

Connect to Internet

1. Click PPPoE as the Internet Access Type to get the following page.

Quick Start Wizard

PPPoE Client Mode

Available settings are explained as follows:

1. Please manually enter the Username/ Password provided by your ISP. Click Next for viewing summary of such connection.

Quick Start Wizard

Please confirm your settings:

WAN Interface:

WAN5

Physical Mode:

Ethernet

Internet Access:

PPPoE

Click Back to modify changes if necessary. Otherwise, click Finish to save the current settings and restart the Vigor router.

< Back

Next>

Finish

Cancel

1. Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown.

Quick Start Wizard Setup OK!

1. Now, you can enjoy surfing on the Internet.

Ethernet WAN5 - Static IP

1. Choose WAN5 as the WAN Interface. Click the Next button. The following page will be open for you to specify Internet Access Type.

Quick Start Wizard

Connect to Internet

WAN 5

Select one of the following Internet Access types provided by your ISP.

○ PPPoE

Static IP

DHCP

1. Click Static IP as the Internet Access type to get the following page.

Quick Start Wizard

Static IP Client Mode

WAN 5

Enter the Static IP configuration provided by your ISP.

WAN IP

Subnet Mask

Gateway

Primary DNS

Secondary DNS

Available settings are explained as follows:

1. Please enter the IP address information originally provided by your ISP. Then click Next for next step.

Quick Start Wizard

Please confirm your settings:

WAN Interface:

WAN5

Physical Mode:

Ethernet

Internet Access:

Static IP

Click Back to modify changes if necessary. Otherwise, click Finish to save the current settings and restart the Vigor router.

1. Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown.

Quick Start Wizard Setup OK!

1. Now, you can enjoy surfing on the Internet.

Wireless WAN5 - DHCP

1. Choose WAN5 as the WAN Interfac. Click the Next button. The following page will be open for you to specify Internet Access Type.

Quick Start Wizard

Connect to Internet

WAN 5

Select one of the following Internet Access types provided by your ISP.

○ PPPoE

○ Static IP

DHCP

1. Click DHCP as the Internet Access type to get the following page.

Quick Start Wizard

DHCP Client Mode

WAN 5

If your ISP requires you to enter a specific host name or specific MAC address, please enter it in.

Host Name

MAC

Available settings are explained as follows:

Cancel Click it to give up the quick start wizard.

1. After finished the settings above, click Next for viewing summary of such connection.

Quick Start Wizard

Please confirm your settings:

WAN Interface:

WAN5

Physical Mode:

Ethernet

Internet Access:

DHCP

Click Back to modify changes if necessary. Otherwise, click Finish to save the current settings and restart the Vigor router.

1. Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown.

Quick Start Wizard Setup OK!

1. Now, you can enjoy surfing on the Internet.

I-7 Service Activation Wizard

Service Activation Wizard can guide you to activate WCF service (Web Content Filter) with a quick and easy way. For the Service Activation Wizard is only available for admin operation, therefore, please type “admin/admin” on Username/Password while Logging into the web user interface.

Service Activation Wizard is a tool which allows you to use trial version of WCF directly without accessing into the server (MyVigor) located on http://myvigor.draytek.com. For using Web Content Filter Profile, please refer to later section Web Content Filter Profile for detailed information.

Now, follow the steps listed below to activate WCF feature for your router.

Info Such function is available only for Admin Mode.

1. Open Wizards>>Service Activation Wizard.

1. The screen of Service Activation Wizard will be shown as follows. You can activate the Web content filter services and/or DDNS service at the same time or individually. When you finish the selection, please click Next.

Service Activation Wizard

Select the service type that you want to activate

Activation Date: 2021-04-19

Web Content Filter(WCF) Service :

Dynamic DNS(DDNS) Service :

Domain Name : 2019101610520701 .drayddns.com

Info

● BPjM is web content filter (WCF) for German Speaking users. It is ideal for your family to provide more Internet security for youngsters.
● Cryan 30-day trial is WCF which offers 30-day trial period.
- DT-DDNS, developed by DrayTek, offers one year free charge service of dynamic DNS service for internal use.

1. Setting confirmation page will be displayed as follows, please click Activate.

Service Activation Wizard

Please confirm your settings

Sevice Type : Trial version Sevice Activated : Web Content Filter (BPjM)

Please click Back to re-select service type you to activate.

Info

The service will be activated and applied as the default rule configured in Firewall>>General Setup.

1. The web page will display the service that you have activated according to your selection(s).

I-8 Registering Vigor Router

You have finished the configuration of Quick Start Wizard and you can surf the Internet at any time. Now it is the time to register your Vigor router to MyVigor website for getting more service. Please follow the steps below to finish the router registration.

1 Please login the web configuration interface of Vigor router by typing "admin/admin" as User Name / Password.

Copyright © 2021 DrayTek Corp

2 Click Support Area>>Production Registration from the home page.

Support Area Product Registration Service Status

3 A Login page will be shown on the screen. Please type the account and password that you created previously. And click Login.

Info

If you haven't an accessing account, please refer to section Creating an Account for MyVigor to create your own one. Please read the articles on the Agreement regarding user rights carefully while creating a user account.

4 The following page will be displayed after you logging in MyVigor. Type a nickname for the router, then click Submit.

5 When the following page appears, your router information has been added to the database. Your router has been registered to myvigor website successfully.

graph TD
    A["License Status"] --> B["License Action"]
    B --> C["Activate License"]
    C --> D["Force Sync"]
    D --> E["License History"]
    E --> F["Today 2019-12-26"]
    F --> G["Product Registration 2019-12-26"]

6 Clicking MYPRODUCT for viewing the general information of the registered router on MyVigor website.

I-9 VPN Client Wizard

The VPN Client Wizard will configure the router as a client to connect to a remote VPN server using a LAN-to-LAN VPN tunnel. The wizard will guide you through the setup process.

1. On the menu bar, click on Wizards, and then VPN Client Wizard.

VPN Client Wizard

Choose VPN Establishment Environment

Please choose a LAN-to-LAN Profile:

1 x ???

< Back Next > Finish Cancel

Available settings are explained as follows:

1. When you finish the mode and profile selection, please click Next to open the following page.

VPN Client Wizard

VPN Connection Setting

Security Ranking:

Very High

IPsec XAuth

IPsec IKEv2 EAP (only for NAT Mode)

L2TP over IPSec

OpenVPN (AES256)

High

IPSec IKEv1/IKEv2

SSL

OpenVPN (AES128)

Medium

PPTP (Encryption)

Low

L2TP / PPTP (None Encryption)

OpenVPN (None Encryption)

LAN-to-LAN VPN Client Mode Selection:

Select VPN Type:

Throughput Ranking:

Very High

L2TP / PPTP (None Encryption)

High

IPSec IKEv2/EAP/IKEv1/XAuth

OpenVPN (UDP None Encryption)

Medium

L2TP over IPSec / PPTP (Encryption)

OpenVPN (UDP)

OpenVPN (TCP None Encryption)

Low

SSL/OpenVPN (TCP)

Route Mode

PPTP (Encryption)

Note:

1. Please use Route Mode for typical LAN-to-LAN tunnels.
2. If the remote network is only expecting a single client or IP and is not configured to route the subnet then select
   NAT Mode
3. If you are unsure of your configuration select Route Mode.

< Back

Next>

Finish

Cancel

Available settings are explained as follows:

Info

The following descriptions for VPN Type are based on the Route Mode specified in LAN-to-LAN Client Mode Selection.

If you have selected PPTP (None Encryption) or PPTP (Encryption), the following configuration screen appears.

VPN Client Wizard

VPN Client PPTP Encryption Settings

If you have selected IPsec, the following configuration screen appears.

VPN Client Wizard

VPN Client IPsec Settings

If you have selected SSL/L2TP, the following configuration screen appears.

VPN Client Wizard

VPN Client L2TP Settings

If you have selected L2TP over IPsec (Nice to Have) or L2TP over IPsec (Must), the following configuration screen appears.

VPN Client Wizard

VPN Client L2TP over IPsec (Nice to Have) Settings

If you have selected OpenVPN, the following configuration screen appears.

VPN Client OpenVPN Encryption Settings

Available settings are explained as follows:

1. After you have entered all the required information, click Next to proceed to the confirmation page. The confirmation page shows a summary of all the settings. If you need to make adjustments to the settings, click Back to return to the previous page. Otherwise, select one of the following actions and click Finish to save the changes to the LAN-to-LAN VPN profile.

VPN Client Wizard

Please confirm your settings

< Back Next > Finish Cancel

Available settings are explained as follows:

I-10 VPN Server Wizard

The VPN Server Wizard can be used to set the router up as a server that accepts inbound VPN connections from a VPN server using a LAN-to-LAN VPN tunnel.

Site-to-Site (LAN-to-LAN)

• A connection between two router's LAN networks.
• Allows employees in branch offices and head office to share the same network resources.

graph LR
    A["Local Network 192.168.1.0/24"] --> B["Network"]
    B --> C["Internet"]
    C --> D["Remote Network 172.16.2.0/24"]
    B --> E["VPN Tunnel"]
    E --> D

Remote Access (Remote Dial-in)

• A connection between the remote host and router's LAN network. The host will use an IP address in the local subnet.
• Allows employees to access the company's internal resources when they are traveling.

graph LR
    A["Local Network 192.168.1.0/24"] --> B["Network"]
    B --> C["Internet\nVPN Tunnel"]
    C --> D["Remote Host 192.168.1.100"]

The wizard will guide you step by step through the setup process.

1. On the menu bar, click on Wizards, and then VPN Server Wizard.

VPN Server Wizard

Choose VPN Establishment Environment

Available settings are explained as follows:

1. After making the choices for the server profile, please click Next.
2. The following dialog box appears, reminding you to not configure IPsec fields if the remote location has a dynamic IP address.

192.168.1.1

If you are using IPsec Main mode and the remote VPN gateway has a dynamic IP address, please don't setup "PeerIP" or "Peer ID" fields, and don't tick "IPsec Authentication". Instead, please go to the VPN and Remote Access >> IPsec General Setup page to setup a common preshared key.

确定

Click OK to dismiss the dialog box and proceed to the next page.

If you have chosen to configure a LAN-to-LAN VPN profile, proceed to step 4.

If you have chosen to configure a Remote Dial-in User VPN profile, proceed to step 5.

1. The Site to Site VPN (LAN-to-LAN) configuration page appears as follows if you have selected PPTP/SSL.

VPN Server Wizard

VPN Authentication Setting

Profile Name

PPTP / SSL Tunnel Authentication

Username

Password

Peer IP/VPN Client IP

Site to Site Information

Remote Network IP

Remote Network Mask

Local Network IP

Local Network Mask

???

???

0.0.0.0

255.255.255.0 / 24

192.168.1.1

255.255.255.0/24

< Back

Next>

Finish

Cancel

If you have selected PPTP & IPsec & L2TP (three types) or PPTP & IPsec (two types) or L2TP with Policy (Nice to Have/Must), the following configuration screen appears.

VPN Server Wizard

VPN Authentication Setting

If you have selected IPsec, the following configuration screen appears.

VPN Server Wizard

VPN Authentication Setting

If you have selected OpenVPN, the following configuration screen appears.

VPN Server Wizard

VPN Authentication Setting

OpenVPN General Setup

Available settings are explained as follows:

1. The Remote Dial-in User (Teleworker) VPN configuration page appears as follows if you have selected PPTP/SSL.

VPN Server Wizard

VPN Authentication Setting

If you have selected IPsec XAuth/L2TP with IPsec Policy (None), the following configuration screen appears.

VPN Server Wizard

VPN Authentication Setting

If you have selected IPsec XAuth/L2TP with IPsec Policy (Nice to Have)/L2TP with IPsec Policy (Must), the following configuration screen appears.

VPN Server Wizard

VPN Authentication Setting

If you have selected OpenVPN Tunnel, the following configuration screen appears.

VPN Server Wizard

VPN Authentication Setting

OpenVPN General Setup

Available settings are explained as follows:

1. After finishing the configuration, click Next to proceed to the confirmation page.

Please Confirm Your Settings

Available settings are explained as follows:

1. Click Finish to save the profile, or Back to make changes, or Cancel to exit the wizard without saving.

Part II Connectivity

WAN

LAN

NAT

Applications

Routing

It means wide area network. Public IP will be used in WAN.

It means local area network. Private IP will be used in LAN.

Local Area Network (LAN) is a group of subnets regulated and ruled by router. The design of network structure is related to what type of public IP addresses coming from your ISP.

When the data flow passing through, the Network Address Translation (NAT) function of the router will dedicate to translate public/private addresses, and the packets will be delivered to the correct host PC in the local area network.

DNS, LAN DNS, IGMP, WOL, RADIUS, ...

Static Route, Load-Balance/Route Policy, OSPF, BGP

II-1 Port Setup

This page is used for configuring transmission rate for LAN and WAN ports respectively.

Due to hardware restriction, the speed of P3 is the same as the speed of P4. So whenever P3 is changed, P4 is changed too and vice versa.

Port Setup

Note:

1. The same color, the same group. Members of the same group get modified together
2. Please review WAN Active Mode after setting
3. Given the speed of P3/P4 is "Auto" and P3/P4 are both connected, then the link speed of P4 will be set to the link speed of P3

Available settings are explained as follows:

It allows users to access Internet.

Basics of Internet Protocol (IP) Network

IP means Internet Protocol. Every device in an IP-based Network including routers, print server, and host PCs, needs an IP address to identify its location on the network. To avoid address conflicts, IP addresses are publicly registered with the Network Information Centre (NIC). Having a unique IP address is mandatory for those devices participated in the public network but not in the private TCP/IP local area networks (LANs), such as host PCs under the management of a router since they do not need to be accessed by the public. Hence, the NIC has reserved certain addresses that will never be registered publicly. These are known as private IP addresses, and are listed in the following ranges:

From 10.0.0.0 to 10.255.255.255

From 172.16.0.0 to 172.31.255.255

From 192.168.0.0 to 192.168.255.255

What are Public IP Address and Private IP Address

As the router plays a role to manage and further protect its LAN, it interconnects groups of host PCs. Each of them has a private IP address assigned by the built-in DHCP server of the Vigor router. The router itself will also use the default private IP address: 192.168.1.1 to communicate with the local hosts. Meanwhile, Vigor router will communicate with other network devices through a public IP address. When the data flow passing through, the Network Address Translation (NAT) function of the router will dedicate to translate public/private addresses, and the packets will be delivered to the correct host PC in the local area network. Thus, all the host PCs can share a common Internet connection.

Get Your Public IP Address from ISP

In ADSL deployment, the PPP (Point to Point)-style authentication and authorization is required for bridging customer premises equipment (CPE). Point to Point Protocol over Ethernet (PPPoE) connects a network of hosts via an access device to a remote access concentrator or aggregation concentrator. This implementation provides users with significant ease of use. Meanwhile it provides access control, billing, and type of service according to user requirement.

When a router begins to connect to your ISP, a serial of discovery process will occur to ask for a connection. Then a session will be created. Your user ID and password is authenticated via PAP or CHAP with RADIUS authentication system. And your IP address, DNS server, and other related information will usually be assigned by your ISP.

Web User Interface

II-2-1 General Setup

This section will introduce some general settings of Internet and explain the connection modes for WAN1\~WAN8 in details.

This router supports multiple-WAN function. It allows users to access Internet and combine the bandwidth of the multiple WANs to speed up the transmission through the network. Each WAN port can connect to different ISPs, Even if the ISPs use different technology to provide telecommunication service (such as DSL, Cable modem, etc.). If any connection problem occurred on one of the ISP connections, all the traffic will be guided and switched to the normal communication port for proper operation. Please configure WAN# settings.

This webpage allows you to set general setup for WAN# respectively.

WAN >> General Setup

Load Balance Setup Advanced

Note:

Latency, jitter, and packet-loss require setting Link Condition Detection in each WAN setting page.

OK Cancel

Available settings are explained as follows:

	Backup (WAN#)- Display the backup WAN interface for this WAN when it is disabled.
Load Balance V means the function of load balance for such WAN interface is enabled.
Load Balance Setup	Advanced- Load Balance for the traffic of STUN, google STUN, and SIP are disabled in default to prevent from conflict. The following dialog allows you to define protocol, port and name for the traffic not to be applied with load balance. That is, when an item is enabled (checked), it might not be affected by load balance.
Mode	IP Based - The same source / destination IP pair w the same WAN interface as policy. It is the default setting.Session Based- All of the WAN interfaces will be used (as out-going WAN) for passing through new sessions to get better transmission speed. Though good speed test result for throughput might be reached; however, some web site may not open smoothly, especially the site need authentication, e.g., FTP.If you have no strong demand about speed test result, keep default settings as IP based.
Line Speed This option is available for multiple-WAN for getting enough bandwidth for each WAN port. If you know the practical bandwidth for your WAN interface, please choose the setting of According to Line Speed. Otherwise, please choose Auto Detect to let the router reach the best load balance.
Load Balance Weights There are four weight types for choosing to meet your request.Custom- You can distribute the usage ratio for each WAN interface by setting weights for bandwidth, latency, jitter, and packet loss respectively.Load Balance Weights CustomUpload BandwidthWeight: Low Download BandwidthWeight: Low Low LatencyWeight: Low Low JitterWeight: Low Less Packet LossWeight: Low High

Info

In default, each WAN port is enabled.

After finished the above settings, click OK to save the settings.

To configure WAN interface settings, click the WAN# link to open the following page.

WAN 3

Note:
The line speed setting of WAN interface is available only when According to Line Speed is selected as the Load Balance Mode.

Available settings are explained as follows:

After finished the above settings, click OK to save the settings.

II-2-2 Internet Access

For the router supports multi-WAN function, the users can set different WAN settings for Internet Access. Due to different Physical Mode for WAN interface, the Access Mode for these connections also varies. Refer to the following figures.

WAN >> Internet Access

Internet Access

DHCP Client Option

Available settings are explained as follows:

Enable - Check the box to enable the function of DHCP Option. Each DHCP option is composed by an option number with data. For example,

Option number:100

Data: abcd

When such function is enabled, the specified values for DHCP option will be seen in DHCP reply packets.

Interface - Specify the WAN interface(s) that will be overwritten by this function. WAN13 \~ WAN52 can be located under WAN>>Multi-VLAN.

Option Number - Type a number for such function.

DataType - Choose the type (ASCII or Hex) for the data to be stored.

Data - Type the content of the data to be processed by the function of DHCP option.

Info

If you choose to configure option 61 here, the detailed settings in WAN>>Interface Access will be overwritten.

II-2-2-1 Details Page for PPPoE

To choose PPPoE as the accessing protocol of the Internet, please select PPPoE from the WAN>>Internet Access >>WAN3 page. The following web page will be shown.

WAN >> Internet Access

WAN 3

Note:

VPN feature may be affected when the value of MTU is changed, please also check your value of VPN MSS in VPN and Remote Access >> PPP General Setup or VPN and Remote Access >> IPsec General Setup page.

We recommend to put the same decreased value on VPN MSS. For example, reducing the MTU from 1500 -> 1400, then it will need to reduct 100 from MSS value.

Available settings are explained as follows:

Item	Description
Enable/Disable	Enable or disable PPPoE access mode.
ISP Access Setup Enter your	allocated username, password and authentication parameters according to the information provided by your ISP.Usage - Username provided by the ISP for PPPoE authentication.Password - Password provided by the ISP for PPPoE authentication.More Options -Service Name (Optional) - Sets the PPP service name tag. Required by some ISPs. Leave blank unless instructed otherwise by your ISP.
WAN Connection Detection	Configures how the WAN connection is monitored.Mode - Choose ARP Detect or Ping Detect for the system to execute for WAN detection.ARP Detect - The router broadcasts an ARP request every 5 seconds. If no response is received within 30 seconds, the WAN connection is deemed to have failed.Ping Detect - The router sends an ICMP (Internet Control Message Protocol) echo request every second to the host, whose address is specified in the Ping IP field, to verify the WAN connection. If the remote host does not respond within 30 seconds, the WAN connection is deemed to have failed.If you choose Ping Detect as the detection mode, you have to enter required settings for the following items.Primary/Secondary Ping IP - Enter Primary or Secondary IP address in this field for pinging.Ping Gateway IP - Enable this setting to use current WAN gateway IP address for pinging.With the IP address(es) pinging, Vigor router can check if the WAN connection is on or off.TTL (Time to Live) - Time To Live, the maximum allowed number of hops to the ping destination. Valid values range from 1 to 255.Ping Interval - Enter the interval for the system to execute the PING operation.Ping Retry - Enter the number of times that the system is allowed to execute the PING operation before WAN disconnection is judged.
MTU Maximum Transmission	Unit, the size of the largest packet, in bytes, that can be transmitted to the WAN. The maximum value is 1500. For PPPoE connections, there is always an 8-byte overhead, so the maximum valid MTU value for PPPoE is 1492.Path MTU Discovery - Use this feature to determine the optimal MTU size for the WAN.Click Path MTU Discovery to open the following dialog.Path MTU to - Select Host / IP, for an IPv4 address or Host / IPv6, for an IPv6 address, and then enter the IP address in the textbox.MTU size start from - Determine the starting point value of the packet.MTU reduce size by - Number of octets by which to decrease the 1500-byte MTU. Start with a 0 value for the reduce size and click the Detect button. If the message Fail is returned, increase the MTU reduce size and try again. Repeat until you see the message Success, indicating that the optimal MTU size has been reached.Detect - Click it to detect a suitable MTU value.Accept - After clicking it, the detected value will be displayed in the field of MTU.
PPP/MP Setup PPP Authentication	- The protocol used for PPP authentication.PAP only - Only PAP (Password Authentication Protocol) is used.PAP/CHAP/MS-CHAP/MS-CHAPv2 - Both PAP and CHAP (Challenge-Handshake Authentication Protocol) can be used for PPP authentication. Router negotiates with the PPTP or L2TP server to determine which protocol to use.Idle Timeout - Set the timeout for breaking down the Internet after passing through the time without any action.Assignment (IPCP) - Configure the router according to how your ISP allocates WAN IP address(es) to you.Static - ISP has assigned a fixed WAN IP address, which is to be entered below in Fixed IP Address.Dynamic - WAN IP address is dynamically allocated.Fixed IP Address - Enter a fixed IP address.WAN IP Alias - Click to enter multiple WAN IP addresses assigned by your ISP.
Dial-Out Schedule Specify up to 4 time schedule entries to enable or disable the WAN. All the schedules can be set previously inApplications >> Schedule web page and you can use the number that you have set in that web page.
TTL Change the TTL value - Enable or disable the TTL (Time to Live) for a packet transmitted through Vigor router.If enabled - TTL value will be reduced (-1) when it pass through Vigor router. It will cause the client, accessing Internet through Vigor router, be blocked by certain ISP when TTL value becomes "0".If disabled - TTL value will not be reduced. Then, when a packet passes through Vigor router, it will not be cancelled. That is, the client who sends out the packet will not be blocked by ISP.
MAC Default MAC Address - Use the default MAC address for the WAN Ethernet port.Specify a MAC Address - Specify a MAC address for the WAN
	Ethernet port. Select this option if your ISP authenticates by MAC addresses.

After finishing all the settings here, please click OK to activate them.

II-2-2-2 Details Page for Static or Dynamic IP

For static IP mode, you usually receive a fixed public IP address or a public subnet, namely multiple public IP addresses from your DSL or Cable ISP service providers. In most cases, a Cable service provider will offer a fixed public IP, while a DSL service provider will offer a public subnet. If you have a public subnet, you could assign an IP address or many IP address to the WAN interface.

To use Static or Dynamic IP as the accessing protocol of the internet, please click the Static or Dynamic IP tab. The following web page will be shown.

WAN >> Internet Access

WAN 3

Note:

VPN feature may be affected when the value of MTU is changed, please also check your value of VPN MSS in VPN and Remote Access >> PPP General Setup or VPN and Remote Access >> IPsec General Setup page. We recommend to put the same decreased value on VPN MSS. For example, reducing the MTU from 1500 -> 1400, then it will need to reduct 100 from MSS value.

Available settings are explained as follows:

Item	Description
Enable/Disable	Enable or disable Static or Dynamic IP access mode.
IP Network Settings	Obtain an IP address automatically - The router receives IP configuration information from a DHCP server.More Options - Click to set more options.Router Name- Used by some ISPs. Contact your ISP for the appropriate values.Domain Name -Used by some ISPs. Contact your ISP for the appropriate values.Enable DHCP Client Identifier* - Used by some ISPs that authenticates using DHCP Client Identifier (Option 61). To enable, tick this box and fill out theUsernameand Passwordfields below.Specify an IP address -Use the IP address, Subnet Mask andGateway values specified below.IP Address -WAN IP address assigned by the ISP.Subnet Mask -WAN subnet mask.Gateway IP Address - IP address of the WAN Gateway.WAN IP Alias - Click to enter multiple WAN IP addresses assigned by your ISP.
DNS Server IP Address	Primary IP Address - IP address of primary DNS server.Secondary IP Address - IP address of secondary DNS server.
WAN Connection Detection	Configures how the WAN connection is monitored.Mode - Choose ARP Detect, Ping Detect,Always On or Strict ARP Detectfor the system to execute for WAN detection.ARP Detect- The router broadcasts an ARP request every 5 seconds. If no response is received within 30 seconds, the WAN connection is deemed to have failed.Ping Detect- The router sends an ICMP (Internet Control Message Protocol) echo request every second to the host, whose address is specified in the Ping IP field, to verify the WAN connection. If the remote host does not respond within 30 seconds, the WAN connection is deemed to have failed.Always On- The router assumes the WAN connection is always active.If you choose Ping Detectas the detection mode, you have to enter required settings for the following items.Primary/Secondary Ping IP - Enter Primary or Secondary IP address in this field for pinging.Ping Gateway IP - Enable this setting to use current WAN gateway IP address for pinging.With the IP address(es) pinging, Vigor router can checkif the WAN connection is on or off.TTL (Time to Live) - Time To Live, the maximum allowed number of hops to the ping destination. Valid values range from 1 to 255.Ping Interval - Enter the interval for the system to execute the PING operation.Ping Retry - Enter the number of times that the system is allowed to execute the PING operation before WAN disconnection is judged.
MTU Maximum Transmission	Unit, the size of the largest packet, in bytes, that can be transmitted to the WAN. The maximum value is 1500. For PPPoE connections, there is always an 8-byte overhead, so the maximum valid MTU value for PPPoE is 1492.Path MTU Discovery - Use this feature to determine the optimal MTU size for the WAN.Click Path MTU Discovery to open the following dialog.Path MTU to - Select Host / IP, for an IPv4 address or Host / IPv6, for an IPv6 address, and then enter the IP address in the textbox.MTU size start from - Determine the starting point value of the packet.MTU reduce size by - Number of octets by which to decrease the 1500-byte MTU. Start with a 0 value for the reduce size and click the Detect button. If the message Fail is returned, increase the MTU reduce size and try again. Repeat until you see the message Success, indicating that the optimal MTU size has been reached.Detect - Click it to detect a suitable MTU value.Accept - After clicking it, the detected value will be displayed in the field of MTU.
Keep WAN Connection	Enable PING to keep alive - If selected, ping a WAN host to maintain the connection. If unselected, ping to keep WAN alive is disabled.PING to the IP - IP address of host to be pinged.PING Interval - Number of minutes to wait before sending a ping request to the WAN host.
TTL Change the TTL value	- Check the box to enable the TTL(Time to Live) for a packet transmitted through Vigor router.If enabled - TTL value will be reduced (-1) when it passes through Vigor router. It will cause the client, accessing Internet through Vigor router, be blocked by certain ISP when TTL value becomes “0”.● If disabled - TTL value will not be reduced. Then, when a packet passes through Vigor router, it will not be cancelled. That is, the client who sends out the packet will not be blocked by ISP.
RIP Routing Routing Information Protocol is abbreviated as RIP(RFC1058).If selected, the router can exchange routing information with other routers.
MAC Address Default MAC Address - Use the default MAC address for the WAN Ethernet port.Specify a MAC Address - Specify a MAC address for the WAN Ethernet port. Select this option if your ISP authenticates by MAC addresses.

After finishing all the settings here, please click OK to activate them.

II-2-2-3 Details Page for IPv6 – Offline in Ethernet WAN

When Offline is selected, the IPv6 connection will be disabled.

WAN >> Internet Access

WAN 1

II-2-2-4 Details Page for IPv6 – PPP

IPv6 WAN address is assigned along with the IPv4 WAN address during PPPoE negotiation. This IPv6 access mode requires that the IPv4 uses PPPoE.

WAN >> Internet Access

WAN 1

Note: IPv4 WAN setting should be PPPoE / PPPoA client.

Available settings are explained as follows:

Below shows an example for successful IPv6 connection based on PPP mode.

Online Status

Info

At present, the IPv6 prefix can be acquired via the PPPoE mode connection which is available for the areas such as Taiwan (hinet), the Netherlands, Australia and UK.

II-2-2-5 Details Page for IPv6 – TSPC

Tunnel setup protocol client (TSPC) is an application which could help you to connect to IPv6 network easily.

Please make sure your IPv4 WAN connection is OK and apply one free account from hexago (http://gogonet.gogo6.com/page/freenet6-account) before you try to use TSPC for network connection. TSPC would connect to tunnel broker and requests a tunnel according to the specifications inside the configuration file. It gets a public IPv6 IP address and an IPv6 prefix from the tunnel broker and then monitors the state of the tunnel in background.

After getting the IPv6 prefix and starting router advertisement daemon (RADVD), the PC behind this router can directly connect to IPv6 the Internet.

WAN 1

Available settings are explained as follows:

After finished the above settings, click OK to save the settings.

II-2-2-6 Details Page for IPv6 – AICCU

WAN >> Internet Access

WAN 1

Note: If "Always On" is not enabled, AICCU connection would only retry three times.

Available settings are explained as follows:

After finished the above settings, click OK to save the settings.

II-2-2-7 Details Page for IPv6 – DHCPv6 Client

DHCPv6 client mode would use DHCPv6 protocol to obtain IPv6 address from server.

Available settings are explained as follows:

After finished the above settings, click OK to save the settings.

II-2-2-8 Details Page for IPv6 – Static IPv6

This type allows you to setup static IPv6 address for WAN interface.

Available settings are explained as follows:

After finished the above settings, click OK to save the settings.

II-2-2-9 Details Page for IPv6 – 6in4 Static Tunnel

This type allows you to setup 6in4 Static Tunnel for WAN interface.

Such mode allows the router to access IPv6 network through IPv4 network.

However, 6in4 offers a prefix outside of 2002::0/16. So, you can use a fixed endpoint rather than anycast endpoint. The mode has more reliability.

WAN 1

Available settings are explained as follows:

After finished the above settings, click OK to save the settings.

Below shows an example for successful IPv6 connection based on 6in4 Static Tunnel mode.

Online Status

II-2-2-10 Details Page for IPv6 – 6rd

This type allows you to setup 6rd for WAN interface.

WAN >> Internet Access

WAN 1

Available settings are explained as follows:

After finished the above settings, click OK to save the settings.

Below shows an example for successful IPv6 connection based on 6rd mode.

Online Status

II-2-3 Multi-VLAN

Multi-VLAN lets you configure multiple VLAN groups.

Channel 1 to 8 have the following fixed assignments and cannot be altered.

Channels 13 through 52 can be configured as virtual WANs.

General

The system allows you to set up to eight channels used as multi-VLAN.

WAN >> Multi-VLAN

Multi-VLAN

Available settings are explained as follows:

Click any index (13\~52) to get the following web page:

WAN >> Multi-VLAN >> Channel 13

Available settings are explained as follows:

After finished the above settings, click OK to save the settings and return to previous page.

II-2-4 WAN Budget

This function is used to determine the data traffic volume for each WAN interface respectively to prevent overcharges for data transmission by the ISP. Please note that the Quota Limit and Billing cycle day of month settings will need to be configured correctly first in order for some period calculations to be performed correctly.

The WAN Budget feature allows you to conveniently keep track of Internet traffic volume. You can:

• set up calendar cycles to monitor;
• limit your Internet usage according to your ISP's quota;
• set up action(s) to take when the quota is exceeded.

II-2-4-1 General Setup

WAN >> WAN Budget

Note:

1. The budget traffic information provided here is for reference only, please consult your ISP for the actual traffic usage and charges.

2. When hardware acceleration function is used, the monitored WAN traffic of Ethernet WAN interfaces may be slightly inaccurate.

Duration Start and end timestamps of the current cycle.

Click WAN1 (to WAN8) link to open the following web page.

WAN >> WAN Budget

WAN 1

Note:

1. Please make sure the Time and Date of the router is configured.
2. SMS message and mail will be sent when the usage reaches 95% and 100% of quota.

OK

Cancel

Available settings are explained as follows:

an interval of billing cycle.

Monthly is default setting. If long period or a short period is required, use Custom. The period of cycle duration is between 1 day and 60 days. You can determine the cycle duration by specifying the days and the hours. In addition, you can specify which day of today is in a cycle.

Use Cycle in hours -

Monthly

Custom

Use Cycle in hours
○ Use Cycle in days

Usage counter resets at the beginning of each cycle.

Cycle duration : 1 ▼ days and 0 ▼ hours

Today is day 1 √ in the cycle.

• Cycle duration: Specify the days and hours to reset the traffic record. For example, 7 means the whole cycle is 7 days; 20 means the whole cycle is 20 days. When the time is up, the router will reset the traffic record automatically.
• Today is day – Specify the day in the cycle as the starting point which Vigor router will reset the traffic record. For example, “3” means the third day of the cycle duration.

Use Cycle in days -

Monthly

Custom

○ Use Cycle in hours

Use Cycle in days

Usage counter resets at the beginning of each cycle.

Cycle duration : 1 √ days.

Today is day 1 in the cycle and data quota resets at 00:00

• Cycle duration: Specify the days to reset the traffic record. For example, 7 means the whole cycle is 7 days; 20 means the whole cycle is 20 days. When the time is up, the router will reset the traffic record automatically.
• Today is day - Specify the day and time for data quota rest in the cycle as the starting point which Vigor router will reset the traffic record. For example, "3" means the third day of the cycle duration.

After finished the above settings, click OK to save the settings.

II-2-4-2 Status

The status page displays the status WAN budget, including the duration and the usage.

WAN >> WAN Budget

If the WAN budget is exhausted, a lock will be displayed on the page if Shutdown WAN interface is selected. Which means no data transmission will be carried out. Moreover, the system will send out a warning message to the administrator if Mail Alert is selected. Or, the system will send out SMS message to the administrator if SMS message is selected.

WAN >> WAN Budget

II-3 LAN

A LAN(Local Area Network) comprises a collection of LAN clients, which are networked devices on your premises. A LAN client can be a computer, a printer, a Voice-over-IP (VoIP) phone, a mobile phone, a gaming console, an Internet Protocol Television (IPTV), etc, and can have either a wired (using Ethernet cabling) or wireless (using Wi-Fi) network connection.

LAN clients within the same LAN are normally able to communicate with one another directly, as they are peers to one another, unless measures, such as firewalls or VLANs, have been put in place to restrict such access. Nowadays the most common LAN firewalls are implemented on the LAN client itself. For example, Microsoft Windows since Windows XP and Apple OS X have built-in firewalls that can be configured to restrict traffic coming in and going out of the computer. VLANs, on the other hand, are usually set up using network switches or routers.

To communicate with the hosts outside of the LAN, LAN clients have to go through a network gateway, which in most cases is a router that sits between the LAN and the ISP network, which is the WAN. The router acts as a director to ensure traffic between the LAN and the WAN reach their intended destinations.

IP Address

On most broadband networks, the ISP assigns a single WAN IP address to the subscriber. All LAN clients have to share this WAN IP address when accessing the Internet. To achieve this, a technique called Network Address Translation (NAT) is used. Under NAT, a private block of IP addresses is assigned to the LAN clients, which communicate with WAN hosts through the router, also known as the gateway.

On outgoing traffic to the WAN, the router makes note that a LAN client has attempted to reach a WAN host, and forwards the request to the intended WAN recipient.

On traffic incoming to the LAN from a WAN host, the router checks its records to see if a matching outstanding request from a LAN client to this WAN host exists, and if so, forwards it to the LAN client. Otherwise, the traffic is dropped.

There are 3 distinct blocks of IPv4 address that are reserved for use as private IP addresses on a LAN.

The default beginning IP Address of LAN 1 is 192.168.1.1, and the Subnet Mask is 255.255.255.0, for a total of 254 assignable IP addresses, from 192.168.1.1 to 192.168.1.254. The final IP address of the selected range is reserved for routing and cannot be assigned to a LAN client.

In most cases, the default IP address block should work satisfactorily. However, there are situations where you need to select a different address block, such as when you need to communicate with other LANs that already use the same address block.

Private IP addresses can be assigned automatically to LAN clients using Dynamic Host Configuration Protocol (DHCP), or manually assigned. The DHCP server can either be the router (the most common case), or a separate server, that hands out IP addresses to DHCP clients.

Alternatively, static IP addresses can be manually configured on LAN clients as part of their network settings. No matter how IP addresses are configured, it is important that no two devices get the same IP address. If both DHCP and static assignment are used on a network, it is important to exclude the static IP addresses from the DHCP IP pool. For example, if your LAN uses the 192.168.1.x subnet and you have 20 DHCP clients and 20 static IP clients, you could configure 192.168.1.10 as the Start IP Address, 50 as the IP Pool Counts (enough for the current number of DHCP clients, plus room for future expansion), and use addresses greater than 192.168.1.100 for static assignment.

Web User Interface

To begin configuring the LAN settings, select LAN>>General Settings from the menu bar of the Web UI.

LAN

General Setup

VLAN

Bind IP to MAC

Port Mirror/Packet Capture

Wired 802.1X

PPPoE Server

Hot corn/Coal/Diesel

II-3-1 General Setup

This page provides you the general settings for LAN. Click LAN to open the LAN settings page and choose General Setup.

There are several subnets provided by the router which allow users to divide groups into different subnets (LAN2 - LAN100). In addition, different subnets can link for each other by configuring Inter-LAN Routing. At present, LAN1 setting is fixed with NAT mode only. LAN2 - LAN50 can be operated under NAT or Route mode. IP Routed Subnet can be operated under Route mode.

LAN 1 is always enabled and is used as the default subnet. LANs 2 to 100 are subnets to be used in conjunction with Virtual LANs (VLANs). Each VLAN can be configured to allow or disallow communication with other VLANs using the Inter-LAN Routing matrix.

To configure a subnet, select its Details Page button to bring up the LAN Details Page.

LAN >> General Setup

General Setup

DHCP Server Option

Note:

1. Please enable LAN 2 - 100 on LAN >> VLAN page before configure them.

☐ Force router to use "DNS server IP address" settings specified in LAN1

Inter-LAN Routing

OK

Available settings are explained as follows:

When you finish the configuration, please click OK to save and exit this page.

Info

To configure a subnet, select its Detials Page button to bring up the LAN Details Page.

II-3-1-1 Details Page for LAN1 – Ethernet TCP/IP and DHCP Setup

This page has two tabs, LAN Ethernet TCP/IP and DHCP Setup, which sets up the IPv4 LAN environment, and LAN IPv6 Setup, which sets up the IPv6 environment.

Note: Change IP Address or Subnet Mask in Network Configuration will also change HA LAN1 Virtual IP to the same domain IP.

OK

Available settings are explained as follows:

When you finish the configuration, please click OK to save and exit this page.

II-3-1-2 Details Page for IP Routed Subnet

LAN >> General Setup

TCP/IP and DHCP Setup for IP Routed Subnet

Available settings are explained as follows:

When you finish the configuration, please click OK to save and exit this page.

II-3-1-3 Details Page for LAN1 – IPv6 Setup

There are two configuration pages for LAN1, Ethernet TCP/IP and DHCP Setup (based on IPv4) and IPv6 Setup. Click the tab for each type and refer to the following explanations for detailed information. Below shows the settings page for IPv6.

LAN >> General Setup

It provides 2 daemons for LAN side IPv6 address configuration. One is SLAAC(stateless) and the other is DHCPv6 Server (Stateful).

Available settings are explained as follows:

Item	Description
Enable IPv6 Enables or disables IPv6 on the LAN.
WAN Primary Interface Select the WAN to be used for IPv6 traffic.
Static IPv6 Address Enter	Pv6 Address and Prefix length to be added, or click an existing IPv6 address to be deleted in the Current IPv6 Address Table below and the values will be automatically copied over.IPv6 Address-Type static IPv6 address for LANPrefix Length - Enter the fixed value for prefix length.Add - Click it to add a new entry.Delete - Click it to remove an existed entry.
Unique Local Address (ULA) configuration	Unique Local Addresses (ULAs) are private IPv6 addresses assigned to LAN clients.Off - ULA is disabled.Manually ULA Prefix - LAN clients will be assigned ULAs generated based on the prefix manually entered.Auto ULA Prefix - LAN clients will be assigned ULAs using an automatically-determined prefix.
Current IPv6 Address Table	Display current used IPv6 addresses.
DNS Server IPv6 Address Deploy when WAN is up - The RA (router advertisement) packets will be sent to LAN PC with DNS server information only when network connection by any one of WAN interfaces is up.Enable - The RA (router advertisement) packets will be sent to LAN PC with DNS server information no matter WAN connection is up or not.Primary DNS Sever - Enter the IPv6 address for Primary DNS server.Secondary DNS Server -Type another IPv6 address for DNS server if required.Disable - DNS server will not be used.
Management	Configures the Managed Address Configuration flag (M-bit) in Route Advertisements.Off - No configuration information is sent using Route Advertisements.SLAAC(stateless) - M-bit is unset.DHCPv6(stateful) - M-bit is set, which indicates to LAN clients that they should acquire all IPv6 configuration information from a DHCPv6 server. The DHCPv6 server can either be the one built into the Vigor2860, or a separate DHCPv6 server.Other Option (O-bit) - When selected, the OtherConfiguration flag is set, which indicates to LAN clients that IPv6 configuration information besides LAN IPv6 addresses is available from a DHCPv6 server.Setting the M-bit (see Management above) has the same effect as implicitly setting the O-bit, as DHCPv6 supplies all IPv6 configuration information, including what is indicated as available when the O-bit is set.
Other Option(O-bit)	When selected, theOther Configurationflag is set, which indicates to LAN clients that IPv6 configuration information besides LAN IPv6 addresses is available from a DHCPv6 server.Setting the M-bit (seeManagementabove) has the same effect as implicitly setting the O-bit, as DHCPv6 supplies all IPv6 configuration information, including what is indicated as available when the O-bit is set.
DHCPv6 Server Enable Server	-Click it to enable DHCPv6 server. DHCPv6Server could assign IPv6 address to PC according to the Start/ End IPv6 address configuration.Disable Server -Click it to disable DHCPv6 server.IPv6 Address Random Allocation - Check it to assign the DHCPv6 IP address randomly to prevent the attacks from the IPv6 reconnaissance techniques.Auto IPv6 range - When selected, the router’s built-in DHCPv6 server decides the LAN IPv6 address range to be used. When deselected, LAN IPv6 addresses given out will be within the range as specified in theStart IPv6 AddressandEnd IPv6 Address.Start IPv6 Address / End IPv6 Address -Enter the start and end address for IPv6 server.Advance setting - Click theEditbutton to bring up the IPv6 Advanced Settings page.LAN >> General Setup
Advance setting The Advanced Settings page has additional settings for Router Advertisement and enabling multiple WANs for IPv6 traffic.

Router Advertisement Configuration - Click Enable to enable router advertisement server. The router advertisement daemon sends Router Advertisement messages, specified by RFC 2461, to a local Ethernet LAN periodically and when requested by a node sending a Router Solicitation message. These messages are required for IPv6 stateless auto-configuration.

Disable - Click it to disable router advertisement server.

Hop Limit - The value is required for the device behind the router when IPv6 is in use. Default value of hop limit field in Route Advertisement messages.

Min/Max Interval Time (sec) - Minimum/ Maximum time, in seconds, between unsolicited multicast route advertisement messages sent by the RA server.

Default Lifetime (sec) - Time, in seconds, that the router is to be used as the default router.

Default Preference - Default preference value (Low, Medium, High) of the router sent in route advertisement messages.

MTU - It means Max Transmit Unit for packet. If Auto is selected, the router determines the MTU value to send in route advertisement messages.

RIPng Protocol - RIPng (RIP next generation) offers the same functions and benefits as IPv4 RIP v2.

Extension WAN - In addition to the default WAN used for IPv6 traffic specified in the WAN Primary Interface in the LAN IPv6 Setup page, additional WANs can be selected to carry IPv6 traffic by enabling them in the Extension WAN section.

Available WAN - Additional WANs available but not currently selected to carry IPv6 traffic.

Selected WAN - Additional WANs selected to carry IPv6 traffic.

After making changes on the Advance setting page, click the OK button to retain the changes and return to the LAN IPv6 Setup page. Be sure to click OK on the LAN IPv6 Setup page or else changes made on the Advance setting page will not be saved.

II-3-1-4 DHCP Server Option

DHCP Options can be configured by clicking the Advanced button on the LAN General Setup screen.

LAN >> General Setup

DHCP Server Customized Status

Available settings are explained as follows:

II-3-2 VLAN

Virtual Local Area Networks (VLANs) allow you to subdivide your LAN to facilitate management or to improve network security.

Select LAN>>VLAN from the menu bar of the Web UI to bring up the VLAN Configuration page.

Tagged VLAN

The tagged VLANs (802.1q) can mark data with a VLAN identifier. This identifier can be carried through an onward Ethernet switch to specific ports. The specific VLAN clients can also pick up this identifier as it is just passed to the LAN. You can set the priorities for LAN-side QoS. You can assign each of VLANs to each of the different IP subnets that the router may also be operating, to provide even more isolation. The said functionality is tag-based multi-subnet.

LAN >> VLAN Configuration

VLAN Configuration

Settings in this page only applied to LAN port but not WAN port.

Available settings are explained as follows:

Inter-LAN Routing

The Vigor router supports up to 99 VLANs. Each VLAN can be set up to use one or more of the Ethernet ports and wireless LAN Service Set Identifiers (SSIDs). Within the grid of VLANs (horizontal rows) and LAN interfaces (vertical columns),

● all hosts within the same VLAN (horizontal row) are visible to one another

● all hosts connected to the same LAN or WLAN interface (vertical column) are visible to one another if

• they belong to the same VLAN, or
• they belong to different VLANs, and inter-LAN routing (LAN>>General Setup) between them is enabled (see below).

LAN >> General Setup

General Setup

DHCP Server Option

Note:

Please enable LAN 2 - 100 on LAN >> VLAN page before configure them.

☐ Force router to use "DNS server IP address" settings specified in LAN1

Inter-LAN Routing

OK

Inter-LAN Routing allows different LAN subnets to be interconnected or isolated. It is only available when the VLAN functionality is enabled. In the Inter-LAN Routing matrix, a selected checkbox means that the 2 intersecting LANs can communicate with each other.

Vigor router features a hugely flexible VLAN system. In its simplest form, each of the Gigabit LAN ports can be isolated from each other, for example to feed different companies or departments but keeping their local traffic completely separated.

II-3-3 Bind IP to MAC

This function is used to bind the IP and MAC address in LAN to have a strengthening control in network. With the Bind IP to MAC feature you can reserve LAN IP addresses for LAN clients. Each reserved IP address is associated with a Media Access Control (MAC) address.

Click LAN and click Bind IP to MAC to open the setup page.

LAN >> Bind IP to MAC 

Bind IP to MAC

Available settings are explained as follows:

Item	Description
Enable MAC addresses that have an IP address assigned on this page will receive that IP address through DHCP.
Disable	MAC address-to-IP address bindings configured on this page are ignored by the DHCP server when assigning IP addresses through DHCP.
Strict Bind Check the box to block the connection of the IP/ MAC which is not listed in IP Bind List.LAN clients will be assigned IP addresses according to the MAC-to-IP address associations on this page. LAN client whose MAC address has not been bound to an IP address will be denied network access.
	Note: Before selecting Strict Bind, make sure at least one valid MAC address has been bound to an IP address. Otherwise no LAN clients will have network access, and it will not be possible to connect to the router to make changes to its configuration.Apply Strict Bind to Subnet - Choose the subnet(s) for applying the rules of Bind IP to MAC.
ARP Table This table is the	LAN ARP table of this router. The information for IP and MAC will be displayed in this field. Each pair of IP and MAC address listed in ARP table can be selected and added to IP Bind List by clicking Add below.
Select All Select all entries	in the ARP Table for manipulation.
Sort Sort the entries in the	ARP Table by IP address.
Refresh Refresh the screen	to reflect the current state of the ARP table.
Add / Update to IP Bind List	IP Address - Enter the IP address to be associated with a MAC address.Mac Address - Enter the MAC address of the LAN client's network interface.Comment - Optional comment field to identify this IP Address - MAC Address pair.
Add	It allows you to add the one you choose from the ARP table or the IP/ MAC address typed in Add and Edit to the table of IP Bind List.
Update It allows you to edit	and modify the selected IP address and MAC address that you create before.
Delete	You can remove any item listed in IP Bind List. Simply click and select the one, and click Delete. The selected item will be removed from the IP Bind List.
IP Bind List	It displays a list for the IP bind to MAC information.
Backup IP Bind List	Click Backup and enter a filename to back up IP Bind List to a file.
Upload From File	Click Browse... to select an IP Bind List backup file. Click Restore to restore the backup and overwrite the existing list.

Info

Before you select Strict Bind, you have to bind one set of IP/MAC address for one PC. If not, no one of the PCs can access into Internet. And the web user interface of the router might not be accessed.

When you finish the configuration, click OK to save the settings.

II-3-4 Port Mirror/Packet Capture

The LAN Port Mirror function allows network traffic of select LAN ports to be forwarded to another LAN port for analysis. This is useful for enforcing policies, detecting unauthorized access, monitoring network performance, etc.

Select LAN>>LAN Port Mirror from the menu bar of the Web UI to bring up the LAN Port Mirror configuration page.

If selecing "Continuously Send All Packets to Mirror Port", the setting page will be shown as follows:

LAN >> Port Mirror/Packet Capture

Continuously Send All Packets to Mirror Port
○ Download .pcap

Available settings are explained as follows:

If selecing "Download .pcap", the setting page will be shown as follows:

LAN >> Port Mirror/Packet Capture

○ Continuously Send All Packets to Mirror Port Download .pcap

Status: Idle

Setting ○ Capture All Packets

Capture with Filter

Duration 60 (seconds)

Filter Settings

Available settings are explained as follows:

After finishing all the settings here, please click OK to save the configuration.

II-3-5 Wired 802.1x

Wired 802.1X provides authentication for clients wishing to connect to the LAN by Ethernet. Only one client can be authenticated on each LAN port.

Select LAN>>Wired 802.1X from the menu bar of the Web UI to bring up the Wired 802.1X configuration page.

LAN >> Wired 802.1X

Wired 802.1X

LAN 802.1X:

Enable

Authentication Type: External RADIUS

802.1X ports:

□ p9

□P10

□P11

□P12

Note:

1. 802.1X enabled LAN ports only support a single attached device using EAPOL authentication. To authenticate multiple devices through a LAN port you need an 802.1X-capable switch. Then configure 802.1X on the attached switch instead.
2. Please configure External RADIUS or Local 802.1X for authentication.
3. Authentication by External RADIUS supports PEAP, EAP-TLS and EAP-TTLS.

OK

Available settings are explained as follows:

After finishing all the settings here, please click OK to save the configuration.

II-3-6 PPPoE Server

LAN users can access into Internet through built-in PPPoE server on Vigor router. PPPoE server is a mechanism which can authenticate LAN users (configured in User Management>>User Profile) and prevent ARP attack completely.

LAN >> PPPoE Server

PPPoE Server

OK

Available settings are explained as follows:

II-4 NAT

Most ISPs allocate one WAN IP address to each subscriber. In order to simultaneously connect multiple devices to the Internet, a technique called Network Address Translation is employed.

Usually, the router serves as an NAT (Network Address Translation) router. NAT is a mechanism that one or more private IP addresses can be mapped into a single public one. Public IP address is usually assigned by your ISP, for which you may get charged. Private IP addresses are recognized only among internal hosts.

When the outgoing packets destined to some public server on the Internet reach the NAT router, the router will change its source address into the public IP address of the router, select the available public port, and then forward it. At the same time, the router shall list an entry in a table to memorize this address/ port-mapping relationship. When the public server response, the incoming traffic, of course, is destined to the router's public IP address and the router will do the inversion based on its table. Therefore, the internal host can communicate with external host smoothly.

The benefit of the NAT includes:

- Save cost on applying public IP address and apply efficient usage of IP address. NAT allows the internal IP addresses of local hosts to be translated into one public IP address, thus you can have only one IP address on behalf of the entire internal hosts.

● Enhance security of the internal network by obscuring the IP address. There are many attacks aiming victims based on the IP address. Since the attacker cannot be aware of any private IP addresses, the NAT function can protect the internal network.

Info

On NAT page, you will see the private IP address defined in RFC-1918. Usually we use the 192.168.1.0/24 subnet for the router. As stated before, the NAT facility can map one or more IP addresses and/or service ports into different specified services. In other words, the NAT function can be achieved by using port mapping methods.

Web User Interface

II-4-1 Port Redirection

Port Redirection is usually set up for server related service inside the local network (LAN), such as web servers, FTP servers, E-mail servers etc. Most of the case, you need a public IP address for each server and this public IP address/ domain name are recognized by all users. Since the server is actually located inside the LAN, the network well protected by NAT of the router, and identified by its private IP address/ port, the goal of Port Redirection function is to forward all access request with public IP address from external users to the mapping private IP address/ port of the server.

Most ISPs allocate one WAN IP address to each subscriber. In order to simultaneously connect multiple devices to the Internet, a technique called Network Address Translation is employed.

graph TD
    A["Internet"] --> B["NAT"]
    B --> C["DMZ 192.168.1.22"]
    B --> D["DMZ 192.168.1.11"]
    B --> E["FTP Server 192.168.1.12 Port 21"]
    B --> F["Web Server 192.168.1.13 Port 80"]
    G["Destined to 220.135.240.207 Port 213"] --> B

The port redirection can only apply to incoming traffic.

To use this function, please go to NAT page and choose Port Redirection web page. The Port Redirection Table provides 520 port-mapping entries for the internal hosts.

Each item is explained as follows:

Press any number under Index to access into next page for configuring port redirection.

Index No. 1

Note:

In "Range" Mode the End IP will be calculated automatically once the Public Port and Start IP have been entered.

Available settings are explained as follows:

After finishing all the settings here, please click OK to save the configuration.

Note that the router has its own built-in services (servers) such as Telnet, HTTP and FTP etc. Since the common port numbers of these services (servers) are all the same, you may need to reset the router in order to avoid confliction.

For example, the built-in web user interface in the router is with default port 80, which may conflict with the web server in the local network, http://192.168.1.13:80. Therefore, you need to change the router's http port to any one other than the default port 80 to avoid conflict, such as 8080. This can be set in the System Maintenance >>Management Setup. You then will access the admin screen of by suffixing the IP address with 8080, e.g., http://192.168.1.1:8080 instead of port 80.

System Maintenance >> Management

II-4-2 DMZ Host

As mentioned above, Port Redirection can redirect incoming TCP/UDP or other traffic on particular ports to the specific private IP address/port of host in the LAN. However, other IP protocols, for example Protocols 50 (ESP) and 51 (AH), do not travel on a fixed port. Vigor router provides a facility DMZ Host that maps ALL unsolicited data on any protocol to a single host in the LAN. Regular web surfing and other such Internet activities from other clients will continue to work without inappropriate interruption. DMZ Host allows a defined internal user to be totally exposed to the Internet, which usually helps some special applications such as Netmeeting or Internet Games etc.

graph TD
    A["Internet"] --> B["NAT"]
    B --> C["DMZ 192.168.1.22"]
    B --> D["FTP Server 192.168.1.12 Port 21"]
    B --> E["Web Server 192.168.1.13 Port 80"]
    A --> F["Destination: 220.135.240.207\nProtocol: Any\nPort: Any"]

The security properties of NAT are somewhat bypassed if you set up DMZ host. We suggest you to add additional filter rules or a secondary firewall.

Click DMZ Host to open the following page. You can set different DMZ host for each WAN interface. Click the WAN tab to switch into the configuration page for that WAN.

NAT >> DMZ Host Setup

Available settings are explained as follows:

Item	Description
	Enables or disables DMZ host.None - Disables DMZ host function.Private IP - Allows WAN traffic to be sent to a specific LAN IP address.
Private IP	If Private IP mode has been selected, click the Choose IP button to select a LAN IP address.
Choose IP	Click this button and then a window will automatically pop up, as depicted below. The window consists of a list of private IP addresses of all hosts in your LAN network. Select one private IP address in the list to be the DMZ host.When you have selected one private IP from the above dialog, the IP address will be shown on the screen. Click OK to save the setting.

DMZ Host for other WAN interface is slightly different with WAN1. Active True IP selection is available for WAN1 only.

See the following figure.

NAT >> DMZ Host Setup

If you previously have set up WAN Alias for PPPoE or Static or Dynamic IP mode in WAN2 interface, you will find them in Aux. WAN IP for your selection.

NAT >> DMZ Host Setup

Available settings are explained as follows:

Item	Description
Enable Check to enable the	DMZ Host function.
Private IP Enter the private	IP address of the DMZ host, or click Choose PC to select one.
Choose IP	Click this button and then a window will automatically pop up, as depicted below. The window consists of a list of private IP addresses of all hosts in your LAN network. Select one private IP address in the list to be the DMZ host.When you have selected one private IP from the above dialog, the IP address will be shown on the screen. Click OK to save the setting.

After finishing all the settings here, please click OK to save the configuration.

II-4-3 Open Ports

The Open Ports function allows inbound traffic from specific ports on WAN interfaces to be forwarded to LAN clients. Unlike Port Redirection, LAN client ports cannot be remapped and must remain identical to the opened ports on the WAN interface.

It allows you to open a range of ports for the traffic of special applications.

The common application of Open Ports includes P2P application (e.g., BT, KaZaA, Gnutella, WinMX, eMule, and others), Internet Camera, etc. Ensure that you keep the application involved up-to-date to avoid falling victim to any security exploits.

NAT >> Open Ports

Available settings are explained as follows:

To add or edit port settings, click one index number on the page. The index entry setup page will pop up. In each index entry, you can specify 10 port ranges for diverse services.

Index No. 1

Available settings are explained as follows:

After finishing all the settings here, please click OK to save the configuration.

NAT >> Open Ports

II-4-4 Port Triggering

If you run programs that function as server applications where they expect to receive unsolicited traffic from the WAN, you can set up rules in Port Triggering to detect LAN-to-WAN traffic initiated by those programs, and automatically open up WAN ports to accept incoming traffic and forward it to the LAN client running the server applications.

Port Triggering is a variation of open ports function.

The key difference between "open port" and "port triggering" is:

• Once the OK button is clicked and the configuration has taken effect, "open port" keeps the ports opened forever.
• Once the OK button is clicked and the configuration has taken effect, "port triggering" will only attempt to open the ports once the triggering conditions are met.
• The duration that these ports are opened depends on the type of protocol used. The "default" durations are shown below and these duration values can be modified via telnet commands.

TCP: 86400 sec.

UDP: 180 sec.

IGMP: 10 sec.

TCP WWW: 60 sec.

TCP SYN: 60 sec.

Port Triggering
Set to Factory Default

OK

Cancel

Available settings are explained as follows:

Click the index number link to open the configuration page.

NAT >> Port Triggering

No. 1

Available settings are explained as follows:

After finishing all the settings here, please click OK to save the configuration.

Open Port and Port Triggering Compared

II-4-5 Fast NAT

This function allows for establishing a network connection with a built-in acceleration engine. Time can be saved and CPU usage can be reduced.

NAT >> Fast Routing / NAT

Fast Routing / NAT

□ Inter-LAN Fast Routing
□ LAN/WAN Fast NAT

Usage:

1. Use hardware fast path to help establish connections with the same source and destination ip.
2. Enable this function to reduce connection time and cpu usage.

Note:

Session limit and firewall port related settings may not work properly.

OK

Available settings are explained as follows:

II-4-6 ALG

ALG means Application Layer Gateway. There are two methods provided by Vigor router, RTSP (Real Time Streaming Protocol) ALG and SIP (Session Initiation Protocol) ALG, for processing the packets of voice and video.

RTSP ALG makes RTSP message, RTCP message, and RTP packets of voice and video be transmitted and received correctly via NAT by Vigor router.

However, SIP ALG makes SIP message and RTP packets of voice be transmitted and received correctly via NAT by Vigor router.

NAT >> ALG

OK

Available settings are explained as follows:

II-5 Applications

Dynamic DNS

Most ISPs assigns dynamic WAN IP addresses to their customers. Dynamic IP addresses presents challenges to users who would like to accept remote connections to their LANs from the Internet, as service could be disrupted due to the IP address changing without notice. By setting up service with a Dynamic DNS (DDNS) provider, and configuring Dynamic DNS updates on the Vigor router, you can have reliable access to your network by means of an easy-to-remember domain address that resolves to the most current WAN IP address.

The Vigor router supports a wide range of DDNS providers, such as DynDNS, No-IP.com, DtDNS, and ChangeIP. Please contact the DDNS provider of your choice to set up service before configuring DDNS on the router.

LAN DNS / DNS Forwarding

LAN DNS allows the network administrator to override standard DNS resolutions for selecting domain addresses. The router will respond to queries on matched domain addresses with custom IP addresses.

DNS Forwarding allows the network administrator to forward DNS queries to different DNS servers based on the domain name.

LAN DNS and DNS Forwarding only affect DNS queries that are sent to the WAN through the router. DNS queries that are directed to a DNS server on the LAN will not be intercepted by the router.

Schedule

The Vigor router has a built-in clock which can update itself manually or automatically by means of Network Time Protocols (NTP). As a result, you can not only schedule the router to dialup to the Internet at a specified time, but also restrict Internet access to certain hours so that users can connect to the Internet only during certain hours, say, business hours. The schedule is also applicable to other functions.

RADIUS/TACACS+

Remote Authentication Dial-In User Service (RADIUS) is a security authentication client/server protocol that supports authentication, authorization and accounting, which is widely used by Internet service providers. It is the most common method of authenticating and authorizing dial-up and tunneled network users.

The built-in RADIUS client feature enables the router to assist the remote dial-in user or a wireless station and the RADIUS server in performing mutual authentication. It enables centralized remote access authentication for network management.

LDAP /Active Directory Setup

Lightweight Directory Access Protocol (LDAP) is a communication protocol for using in TCP/IP network. It defines the methods to access distributing directory server by clients, work on directory and share the information in the directory by clients. The LDAP standard is established by the work team of Internet Engineering Task Force (IETF).

As the name described, LDAP is designed as an effect way to access directory service without the complexity of other directory service protocols. For LDAP is defined to perform, inquire and modify the information within the directory, and acquire the data in the directory securely, therefore users can apply LDAP to search or list the directory object, inquire or manage the active directory.

UPnP

The Vigor supports UPnP (Universal Plug and Play), which is a suite of network protocols that simplifies network configuration. Applications and network devices on the LAN, that support UPnP, may request the router to modify its settings to allow NAT Traversal, so that WAN hosts can connect to them directly.

Examples of applications and devices that support UPnP include file-sharing applications such as uTorrent, Vuze and eMule, gaming consoles such as the Sony PlayStations 3 and 4 Xbox 360 and Xbox One, media streaming applications such as Plex and XBMC, and messaging and calling applications such as Skype. To find out if a certain application or network device supports or requires UPnP, please consult its user manual or check with its vendor.

Wake on LAN

Using the Wake on LAN (WoL) feature, LAN clients that support WoL can be powered on or resume from sleep over the network, without the need for physical access to the device.

In order for LAN clients to be able to woken from sleep or off states, the network interface card must be configured to monitor Wake-on-LAN messages. Consult the documentation of the LAN client for details on setting up its network interface for Wake on LAN.

Web User Interface

II-5-1 Dynamic DNS

Enable the Function and Add a Dynamic DNS Account

To begin configuring Dynamic DNS, from the main menu, navigate to Applications, and select Dynamic DNS. The Dynamic DNS main configuration screen appears:

Applications >> Dynamic DNS Setup

Available settings are explained as follows:

After clicking on the index number, the detail configuration screen for the DDNS profile appears:

Applications >> Dynamic DNS Setup >> Dynamic DNS Account Setup

Index : 1

Note:

1. The Create function of Let's Encrypt certificate works only when the current profile has been stored.
2. WAN IP must be public IP when create Let's Encrypt certificate.

OK Clear Cancel

If User-Defined is specified as the service provider, the web page will be changed slightly as follows:

Index:1

OK

Clear

Cancel

Available settings are explained as follows:

Item	Description
Enable Dynamic DNS Account	Select to enable this DDNS profile.
WAN Interface	Select the WAN interface to monitor for IP address changes.WANx First - The specified WAN interface will be examined first. If it is online, its IP address will be used in the DDNS update.WANx Only - Only the specified WAN interface will be examined. If the WAN interface is online, its IP address will be used in the DDNS update. Otherwise no update will be performed for this DDNS profile.
Service Provider	Select the DDNS provider. If your DDNS provider is not listed, selectUser-Definedand manually configure the profile.Provider Host - Enter the IP address or the domain name of the host which provides related service.Note that such option is available when Customized is selected as Service Provider.Service API - Enter the API information obtained from DDNS server.Note that such option is available when Customized isselected as Service Provider.(e.g:/dynamic/ dns/ update.asp?u=j0***&p=j0*******&hostname=j****.changeip.org&ip=###IP###&cmd=update&offline=0)Auth Type- Two types can be used for authentication.Basic-Username and password defined later can be shown from the packets captured.URL-Username and password defined later can be shown in URL.(e.g., http://ns1.vigordns.com/ ddns.php?username=xxxx&password=xxxx&domain=xxxx.vigordns.com)Note that such option is available when Customized is selected as Service Provider.Connection Type- There are two connection types (HTTP and HTTPS) to be specified. Note that such option is available when Customized is selected as Service Provider.Server Response- Type any text that you want to receive from the DDNS server.Note that such option is available when Customized is selected as Service Provider.If other service provider is selected, you have to configure Service Type, Domain Name, Login Name and Password.Service Type- Select the service type that matches that of your DynDNS account. If you are unsure which service type to select, try Dynamic first. This options is applicable to DynDNS only.Domain Name- The domain and subdomain to be updated.
Login Name The login name of the DDNS account.
Password The password of the DDNS account.
Wildcard and Backup MX The Wildcard and Backup MX (Mail Exchange) features are not supported for all Dynamic DNS providers. You could get more detailed information from their websites.
Mail Extender If the mail server is defined with another name, please enter the name in this area. Such mail server will be used as backup mail exchange.
Determine WAN IP	If a Vigor router is installed behind any NAT router, you can enable such function to locate the real WAN IP.When the WAN IP used by Vigor router is private IP, this function can detect the public IP used by the NAT router and use the detected IP address for DDNS update.There are two methods offered for you to choose:WAN IP- The IP address of the router's WAN interface will be used.Internet IP- The real public IP address will be used.Select this option if the IP address assigned to the router's WAN interface is not the actual external IP address.
Let's Encrypt certificate Create - Click it to generate a certificate issued by Let's Encrypt for applying to such DDNS account.Auto Renew- Check the box to make the system update the
	certificate automatically.

Click OK to save changes, Clear to clear all settings, or Cancel to discard changes and return to the main DDNS screen.

DrayDDNS Settings

DrayDDNS, a new DDNS service developed by DrayTek, can record multiple WAN IP (IPv4) on single domain name. It is convenient for users to use and easily to set up. Each Vigor Router is available to register one domain name.

Choose DrayTek Global as the service provider, the web page will be displayed as follows:

Applications >> Dynamic DNS Setup >> Dynamic DNS Account Setup

Index : 1

Note:

1. The Create function of Let's Encrypt certificate works only when the current profile has been stored.

Available settings are explained as follows:

Disable the Function and Clear all Dynamic DNS Accounts

In the DDNS setup menu, uncheck Enable Dynamic DNS Setup, and push Clear All button to disable the function and clear all accounts from the router.

Delete a Dynamic DNS Account

In the DDNS setup menu, click the Index number you want to delete and then push Clear All button to delete the account.

DDNS updates take place when:

• The router is powered on or rebooted.
• The public IP address of any WAN interface changes.
• The online status of a WAN interface changes (going from online to offline or vice versa).
  ● The DDNS function is changed from disabled to enabled.
  ● A DDNS entry is modified and enabled.
• The Auto-Update Interval has elapsed.

Procedures for Setting up a Dynamic DNS Entry

1. Contact the dynamic DNS provider of your choice and have service set up. Most DDNS providers accept signups on their websites. Service could be provided free of charge or for a fee.
2. Create a DDNS entry on the router by selecting the appropriate DDNS provider and enter the account information.
3. Make sure that both the DDNS entry and the DDNS feature are enabled on the router.
4. Click the View Log button on the DDNS main page to bring up the update log.
5. Examine the update log to make sure the update was successful.
6. If the update was not successful, verify the DDNS entry to make sure the settings are entered correctly.

II-5-2 LAN DNS / DNS Forwarding

The LAN DNS lets the network administrators host servers with privacy and security. When the network administrators of your office set up FTP, Mail or Web server inside LAN, you can specify specific private IP address (es) to correspondent servers. Thus, even the remote PC is adopting public DNS as the DNS server, the LAN DNS resolution on Vigor3910 Series will respond the specified private IP address.

graph TD
    A["Server"] -->|192.168.1.100| B["Router"]
    C["Public IP"] -->|210.139.175.223| B
    D["Internet"] -->|140.186.223.x| E["Server"]
    F["Public DNS Server"] -->|server.yourdomain.com 210.139.175.223| B
    G["Private IP"] -->|192.168.1.100| B
    H["IP Address List"] --> I["IP Address: 190.168.1.100"]
    J["Profile Index : 1"] --> K["Enable"]
    L["Domain Name: server.yourdomain.com"] --> M["IP Address List"]
    N["A private IP address mapped to the Domain Name."] --> B

To start configuring LAN DNS or DNS Forwarding, from the main menu, click Applications, followed by LAN DNS / DNS Forwarding.

Applications >> LAN DNS / DNS Forwarding

LAN DNS Resolution / Conditional DNS Forwarding
Set to Factory Default

<< 1.10 | 11.20 | 21.30 | 31.40 | 41.50 | 51.60 | 61.70 | 71.80 | 81.90 | 91.100 | 101.110 | 111.120 >>

OK

Each item is explained as follows:

To configure a LAN DNS profile, click on its index to bring up the configuration page.

Profile Index : 1

Available settings are explained as follows:

Item	Description
Enable Select to enable this	profile.
Profile Enter a name to identify this profile.	Note: If you type a name here for LAN DNS and click OK to save the configuration, the name also will be applied to conditional DNS forwarding automatically.
Type Choose LAN DNS or LAN	Forwarding.
If LAN DNS is selected Domain Name - Enter the domain name for the router to look for in DNS queries to intercept and reply to. Wildcards in the form of asterisks (*) can be used to match a domain level. For example, *.draytek.com will match domain names such as www.draytek.com and ftp.draytek.com, whereas www.draytek.* will match domain names such as www.draytek.com and www.draytek.co.uk.CNAME - Click Add to add an domain name alias for the domain name. Click Delete next to an alias entry to delete it.IP Address List - The IP address listed here will be used for mapping with the domain name specified above. In general, one domain name maps with one IP address. If required, you can configure two IP addresses mapping with the same domain name.Add -Click Add to bring up the Add IP Address dialog box:
	Host's IP Address - Enter the IP address to be returned in response to a DNS query for the configured domain names and aliases.Only use this record.... - Select to use this IP address only if the IP address of the source of the DNS query belongs to the same subnet as the host IP address entered above.After changes have been made, click OK to save and dismiss the dialog box, or Close to discard the changes and dismiss the dialog box.Delete-To delete an IP address, click on it and then click Delete.
If DNS Forwarding is selected	Domain Name - Enter the domain name for the router to look for in DNS queries to intercept and reply to. Wildcards in the form of asterisks (*) can be used to match a domain level. For example, *.draytek.com will match domain names such as www.draytek.com and ftp.draytek.com, whereas www.draytek.* will match domain names such as www.draytek.com and www.draytek.co.uk.DNS Server IP Address - Enter the IP address of the DNS server you want to use for DNS forwarding.

To save changes made to the LAN DNS profile, click OK. To clear the profile and restore the factory default blank values, click Clear.

II-5-3 DNS Security

Domain Name System Security Extensions (DNSSEC) protects against DNS-based attacks by authenticating DNS responses from DNS resolvers.

The DNS servers must support DNS security validation for the feature to function properly. To configure DNS security, from the main menu, click Applications, followed by DNS Security.

II-5-3-1 General Setup

All of WAN interfaces of Vigor router can be configured with DNS Security enabled respectively.

Applications >> DNS Security

DNS Security

Note:

The DNS server supports DNSSEC

The DNS server does not support DNSSEC, function may not work as expected even if it is enabled

OK

Available settings are explained as follows:

Press OK to save changes.

II-5-3-2 Domain Diagnose

While using the Domain Diagnose feature, you can check to see if the router's DNS security function is working properly, or whether a given domain is secured by DNS security. Note that DNS Security has to be first enabled or the test results would not be meaningful.

Application >> DNS Security

DNS Security

Available settings are explained as follows:

II-5-4 Schedule

Time schedules can be created and used with router features that support them, so that those features can be turned on and off automatically at preconfigured times.

Applications >> Schedule

Available settings are explained as follows:

To configure a schedule, click on its index to bring up the settings page.

Applications >> Schedule

Note:

Comment can only contain A-Z a-z 0-9, . {} - _ ( ) ^ \$ ! \~ ' |

Available settings are explained as follows:

To save changes made to the Schedule, click OK. To clear the schedule and restore the factory default blank values, click Clear. To cancel the changes and return to the main Schedule page, click Cancel.

Example

Suppose you want to control the PPPoE Internet access connection to be always on (Force On) from 9:00 to 18:00 for whole week. Other time the Internet access connection should be disconnected (Force Down).

Office

Hour:

(Force On)

Mon - Sun 9:00 am to 6:00 pm

1. Make sure the PPPoE connection and Time Setup is working properly.
2. Configure the PPPoE always on from 9:00 to 18:00 for whole week.
3. Configure the Force Down from 18:00 to next day 9:00 for whole week.
4. Assign these two profiles to the PPPoE Internet access profile. Now, the PPPoE Internet connection will follow the schedule order to perform Force On or Force Down action according to the time plan that has been pre-defined in the schedule profiles.

II-5-5 RADIUS/TACACS+

Remote Authentication Dial-In User Service (RADIUS) is a security authentication client/server protocol that supports authentication, authorization, and accounting, which is widely used in enterprise networks. It is the most common authentication method to manage the clients' access to the wireless network, the Internet and the VPN.

The router supports external TACACS+ and internal and external RADIUS servers for user authentication. To configure TACACS+ or RADIUS servers, from the Main Menu select Applications >> RADIUS/TACACS+.

II-5-5-1 External RADIUS

The built-in RADIUS client feature enables the router to assist the remote dial-in user or a wireless station and the RADIUS server in performing mutual authentication. It enables centralized remote access authentication for network management.

Vigor router can be operated as a RADIUS client. This web page is used to configure settings for external RADIUS server. Then LAN users of Vigor router will be authenticated and accounted by such server for network application.

Select External RADIUS to configure the router to use an external RADIUS server for user authentication.

Applications >> RADIUS/TACACS+

Default Profile Profile 1 RADIUS Request Interval 2 sec (2\~30)

RADIUS Server Status Log Display the record of current status of RADIUS server.

Click any index number to open the following page. It is used to configure settings for external RADIUS server. Then users of the Vigor router will be authenticated by this server for the network application.

Applications >> RADIUS/TACACS+ >> Profile 1

Enable this profile
Enable Accounting

Comments:

Primary Server

Primary Server

Secret

Authentication Port

Accounting Port

Disconnect Message Port

Interim Update Interval

Retry

Secondary Server

Secondary Server

Secret

Authentication Port

Accounting Port

Disconnect Message Port

Interim Update Interval

Retry

Note:

If RADIUS server has specified Interim Update Interval value(Acct-Interim-Interval), Vigor Router will follow the interval that the RADIUS server provides and ignore the Interim Update Interval setting here.

Available settings are explained as follows:

Item	Description
Enable this profile Check to	enable RADIUS client profile.Comment - Enter a brief description for this profile.
Enable Accounting After checking it, Vigor router supports the accounting feature (available seconds for using, quantity of RX/ TX data) for external RADIUS server. Any client tries to access the Internet shall be authenticated and accounted by an external RADIUS server.Accounting Port -The UDP port number that the RADIUS server is using. The default value is 1813, based on RFC 2138.Disconnect Message Port - Set a port number for listening the RADIUS disconnection message.Interim Update Interval - Set a time interval for sending the accounting request to the RADIUS server.
	Applications >> RADIUS/TACACS-> >> Profile 1
Primary Server Primary Server	- Enter the IP address of RADIUS server.Secret - The RADIUS server and client share a secret that is used to authenticate the messages sent between them. Both sides must be configured to use the same shared secret. The maximum length of the shared secret you can set is 36 characters.Authentication Port - The UDP port number that the RADIUS server is using. The default value is 1812, based on RFC 2138.Retry - Set the number of attempts to perform reconnection with RADIUS server. If the connection (with the Primary Server) still fails, stop the connection attempt and begin to make connection with the secondary server.
Secondary Server Secondary Server	- Enter the IP address of RADIUS server.Secret - The RADIUS server and client share a secret that is used to authenticate the messages sent between them. Both sides must be configured to use the same shared secret. The maximum length of the shared secret you can set is 36 characters.Authentication Port - The UDP port number that the RADIUS server is using. The default value is 1812, based on RFC 2138.Retry - Set the numberof attempts to perform reconnection. If the connection (with the Secondary Server) still fails, stop the connection attempt. The client authentication would be determined as "failed".

To save changes on the page, click OK. To discard changes, click Cancel. To reset all settings to blank, click Clear.

II-5-5-2 Internal RADIUS

Except for being a built-in RADIUS client, Vigor router also can be operated as a RADIUS server which performs security authentication by itself. This page is used to configure settings for internal RADIUS server. Then users of Vigor router will be authenticated by Vigor router directly.

Select Internal RADIUS to configure the router's built-in RADIUS server.

Applications >> RADIUS/TACACS+

Note:
1. Only the user profiles which is enabled in User Management >> User Profile will be listed here, and it shows in the System Maintenance >> Internal Service User List.
2.RADIUS Client Access List is first match.

Available settings are explained as follows:

To add a User Profile to the RADIUS server, select it under Available List, then click the >> button. To remove a User Profile from the RADIUS server, select it under Selected Authentication List, then click the << button.

To save changes on the page, click OK. To discard changes, click Cancel. To reset all settings to blank, click Clear.

II-5-5-3 External TACACS+

It means Terminal Access Controller Access-Control System Plus. It works like RADIUS does. Click the External TACACS+ to open the following page:

Applications >> RADIUS/TACACS+

Available settings are explained as follows:

To save changes on the page, click OK. To discard changes, click Cancel. To reset all settings to blank, click Clear.

II-5-6 Active Directory/ LDAP

Lightweight Directory Access Protocol (LDAP) is an industry-standard protocol for maintaining and accessing directory information on a network. When used in conjunction with a Vigor router, LDAP can be used to authenticate VPN connection attempts.

Active Directory (AD) is a directory service from Microsoft that supports LDAP queries.

To configure Active Directory or LDAP settings, from the Main Menu select Applications >> Active Directory /LDAP.

II-5-6-1 General Setup

To configure the settings for the LDAP server, select General Setup.

Applications >> Active Directory / LDAP

Active Directory / LDAP Profiles

Available settings are explained as follows:

To save changes on the page, select OK; to discard changes, select Cancel.

II-5-6-2 Active Directory / LDAP Profiles

Up to 8 LDAP profiles can be created. These profiles would be used with User Management for different purposes in management.

To configure an LDAP profile, click on its index to show the following settings page.

Applications >> Active Directory /LDAP>>Server Profiles

Index No. 1

Note:
Please type in your additional filter for BaseDN search request. For example, "gidNumber=500" for OpenLDAP, and "msNPAIowDialin=TRUE" for AD.

Available settings are explained as follows:

To save changes on the page, select OK; to discard changes, select Cancel.

II-5-7 UPnP

To configure UPnP settings, from the Main Menu select Applications >> UPnP.

Applications >> UPnP

UPnP

Note:

1. To allow NAT pass-through to a UPnP enabled client the connection control service must also be enabled.
2. CAUTION: due to vulnerabilities CVE-2020-12695, UPnP is not considered safe to use. Use it at your own risk.

OK Clear Cancel

Available settings are explained as follows:

To save changes on the page, select OK; to discard changes, select Cancel; to revert all settings to the factory default, select Clear.

The reminder as regards concern about Firewall and UPnP:

Can't work with Firewall Software

Enabling firewall applications on your PC may cause the UPnP function not working properly. This is because these applications will block the accessing ability of some network ports.

Security Considerations

Activating UPnP allows any application or network devices to open ports on the WAN side to allow connections to the LAN, which could compromise network security. Also if UPnP applications or network devices malfunction or terminate abnormally, the opened ports may remain open indefinitely, and thus increasing the chance of it getting exploited by malicious parties.

If you do not have applications or network devices which requires UPnP, you are advised to disable UPnP.

Info

UPnP is required for some applications such as PPS, Skype, eMule...and etc. If you are not familiar with UPnP, it is suggested to turn off this function for security.

II-5-8 IGMP

Internet Group Management Protocol (IGMP) is an IPv4 communication protocol for establishing multicast group memberships.

To configure IGMP settings, from the Main Menu select Applications >> IGMP.

II-5-8-1 General Setting

Applications >> IGMP

Available settings are explained as follows:

To save changes on the page, select OK; to discard changes, select Cancel.

II-5-8-2 Working Status

Displays a list of active multicast groups.

Applications >> IGMP

IGMP Device Table

Available settings are explained as follows:

II-5-9 Wake on LAN

Using the Wake on LAN (WoL) feature, LAN clients that support WoL can be powered on or resume from sleep over the network, without the need for physical access to the device.

In order for LAN clients to be able to wake from sleep or off states, the network interface card must be configured to monitor Wake-on-LAN messages. Consult the documentation of the LAN client for details on setting up its network interface for Wake on LAN.

If you wish to be able to select the IP address of the Wake-on-LAN client, its MAC address must first be bound to a static IP address using the Bind IP to MAC function.

To configure Wake on LAN settings, from the Main Menu select Applications >> Wake on LAN.

Applications >> Wake on LAN

Wake on LAN

Note:

Wake on LAN integrates with Bind IP to MAC function; only bound PCs can wake up through IP.

Available settings are explained as follows:

II-5-10 SMS / Mail Alert Service

You can set up SMS or mail profiles for the router to send events or alerts to designated recipients. Up to 10 SMS profiles and 10 mail profiles can be configured.

II-5-10-1 SMS Alert

To configure SMS alert profiles, select the SMS Alert tab.

Applications >> SMS / Mail Alert Service

Note:
All the SMS Alert profiles share the same "Sending Interval" setting if they use the same SMS Provider.

Available settings are explained as follows:

After finishing all the settings here, please click OK to save the configuration.

II-5-10-2 Mail Alert

To configure mail alert profiles, select the SMS Alert tab.

Application >> SMS / Mail Alert Service

Note:
All the Mail Alert profiles share the same "Sending Interval" setting if they use the same Mail Server.

Available settings are explained as follows:

After finishing all the settings here, please click OK to save the configuration.

II-5-11 Bonjour

Bonjour is Apple's implementation of zero-configuration networking (Zeroconf), a technology that allows automatic discovery and configuration of network devices and services. Bonjour is built into OS X, and versions for Windows PCs can be downloaded without charge from Apple's website.

Without Bonjour, routers, computers, and other network peripherals would require manual configuration of network settings such as IP addresses and port numbers, which could be complex and cumbersome. By enabling Bonjour on the Vigor router, users only need to know the name of the router in order to set up connectivity between LAN devices, and the router and the peripherals that are connected to it.

To enable the Bonjour service, click Application>>Bonjour to open the following page. Check the box(es) of the server service(s) that you want to share to the LAN clients.

Available settings are explained as follows:

Below shows an example for applying the bonjour feature that Vigor router can be used as the FTP server.

1. Here, we use Firefox and DNSSD to discover the service in such case. Therefore, just ensure the Bonjour client program and DNSSD for Firefox have been installed on the computer.

1. Open the web browse, Firefox. If Bonjour and DNSSD have been installed, you can open the web page (DNSSD) and see the following results.

DNSSD for Firefox

1. Open System Maintenance>>Management. Type a name (e.g., DrayTek) as the Router Name and click OK.

1. Next, open Applications>>Bonjour. Check the service that you want to use via Bonjour.

1. Open the DNSSD page again. The available items will be changed as the follows. It means the Vigor router (based on Bonjour protocol) is ready to be used as a printer server, FTP server, SSH Server, Telnet Server, and HTTP Server.

DNSSD for Firefox

1. Now, any page or document can be printed out through Vigor router (installed with a printer).

II-5-12 High Availability

The High Availability (HA) feature of the router provides redundancy of network resources, and reduces downtime in case of component failure. The level of sophistication of HA is determined by availability requirements and tolerance of system interruptions. Systems that provide near full-time availability typically have redundant hardware and software.

The HA of the Vigor3910 Series is designed to avoid single points-of-failure. When failures occur, the failover process transfers the network load handled by the failed component (the primary router) to the backup component (the secondary router), and the availability of network resources are preserved and partially failed transactions are recovered. In a matter of seconds the system returns to normal operation.

In order to set up High Availability, at least 2 DrayTek routers have to be configured in the following manner:

● Enable High Availability on both the primary and secondary routers.
- Set a high priority ID on the primary router, and a lower priority ID on the secondary router.
- Configure identical redundancy methods, group IDs, and authentication keys on both routers.
- Set the management interface of both routers to the same subnet.
- Enable virtual IP on both routers for each subnet in use. Make sure the virtual IPs are identical on both routers.

II-5-12-1 General Setup

Open Applications>>High Availability to bring up the configuration page to configure High Availability.

Applications >> High Availability

Available settings are explained as follows:

When you finish the configuration, please click OK to save and exit this page.

II-5-12-2 Config Sync

The synchronization of configuration between high availability routers is configured here.

Applications >> High Availability

□ Enable High Availability Redundancy Method Active-Standby

Note:

This feature requires that both routers are the same series, and the High Availability must be enabled for Config Sync to operate.

Available settings are explained as follows:

When you finish the configuration, please click OK to save and exit this page.

When the configuration method is set to "Hot Standby", the following settings will not be synchronized:

• WAN (user selectable)
  • LAN

• LAN IPv6

• router name

• admin and user passwords.

Example:

Take the following picture as an example. The upper Vigor3910 is regarded as primary device, the lower Vigor3910 is regarded as secondary device. When primary Vigor3910 Series is broken down, the secondary device could replace the primary role to take over all jobs as soon as possible. However, once the primary device is working again, the secondary device would be changed to original role to stand by.

graph TD
    A["Mail Server"] --> B["Vigor Switch"]
    C["FTP Server"] --> B
    D["Web Server"] --> B
    E["CRM Server"] --> B
    F["ERP Server"] --> B
    B --> G["DARP"]
    G --> H["Vigor3910 Primary"]
    G --> I["Vigor3910 Secondary"]
    H --> J["ISP 1"]
    I --> K["ISP 2"]
    J --> L["Internet"]
    K --> L
    style A fill:#f9f,stroke:#333
    style C fill:#f9f,stroke:#333
    style D fill:#f9f,stroke:#333
    style E fill:#f9f,stroke:#333
    style F fill:#f9f,stroke:#333
    style G fill:#ccf,stroke:#333
    style H fill:#ccf,stroke:#333
    style I fill:#ccf,stroke:#333
    style J fill:#dfd,stroke:#333
    style K fill:#dfd,stroke:#333
    style L fill:#dfd,stroke:#333

II-5-13 Local 802.1X General Setup

You may configure the built-in 802.1X server here. The local 802.X server can be used to authenticate wired and wireless LAN clients.

Applications >> Local 802.1X General Setup

Local 802.1X General Setup

Note:
1. Only the user profiles which is enabled in User Management >> User Profile will be listed here.
2. Wired 802.1X used the same User Profile as its identity and password.

Available settings are explained as follows:

When you finish the configuration, please click OK to save and exit this page.

II-5-14 Smart Action

Smart Action allows you to run some tasks (e.g., sending alerts, mails, or removing a VPN profile) automatically at a specified date, a cycle time, or a specified situation. Vigor user can pre-configure up to 64 profiles to manage different tasks.

Applications >> Smart Action

To configure a profile, click on its index to show the following settings page.

Applications >> Smart Action

Profile Index : 1

Note:
1. Comment can not contain characters \~ ! @ # \$ % ^ & " ( ) ' " { } | ;
2. If use CLI, user can put two or more commands on the same line separated by the semicolon
3. If use Webhook POST Content, only JSON format be accepted

Available settings are explained as follows:

When you finish the configuration, please click OK to save and exit this page.

Application Notes

A-1 How to Implement the LDAP/AD Authentication for User Management?

For simplifying the configuration of LDAP authentication for User Access Management, we implement "Group" feature.

There is no need to pre-configure user profile for each user on Vigor router anymore. We only need to configure the Groups DN, then the Vigor router (e.g., Vigor 2860 series) can pass the authentication to LDAP server with the pre-defined Group path.

Below shows the configuration steps:

1. Access into the web user interface of the Vigor router.

2. Open Applications>>Active Directory /LDAP to get the following page for configuring LDAP related settings.

There are three types of bind type supported:

• Simple Mode – Just simply do the bind authentication without any search action.
• Anonymous – Perform a search action first with Anonymous account then do the bind authentication.
• Regular Mode- Mostly it is the same with anonymous mode. The different is that, the server will firstly check if you have the search authority.

For the regular mode, you'll need to type in the Regular DN and Regular Password.

1. Create LDAP server profiles. Click the Active Directory /LDAP tab to open the profile web page and click any one of the index number link.

If we have two groups "RD1" and "SHRD" on LDAP server, we can configure two LDAP server profiles with different Group Distinguished Name.

Index No. 1

Note:

Please type in your additional filter for BaseDN search request. For example, "gidNumber=500" for OpenLDAP, and "msNPAIowDialin=TRUE" for AD.

and

Applications >> Active Directory /LDAP>>Server Profiles

Index No. 2

Note:

Please type in your additional filter for BaseDN search request. For example, "gidNumber=500" for OpenLDAP, and "msNPAIowDialin=TRUE" for AD.

1. Click OK to save the settings above.

2. Open User Management>>General Setup. Select User-Based as the Mode option.

User Management >> General Setup

General Setup

Mode Selection:

○ Rule-Based is a management method based on IP address. Administrator may set different firewall rules to different IP address.
User-Based is a management method based on user profiles. Administrator may set different firewall rules to different user profiles.
Notice for User-Based mode:
- In User-Based mode, Active Rules in Firewall will be applied to all LAN clients, packets that matches the Active Rules will be blocked or pass immediately, no user authentication is required.
- Only Inactive Rules in Firewall can be set for individual user profile. In User-Based mode, packets that do not match Active Rules will need authentication, and the Inactive Rule applied to the specific user profile will then take effect.

Authentication page:

Login Page Greeting

☐ Display IP address on the dialog box pops up after successful login.

1. Then open VPN and Remote Access>>PPP General Setup to check the profile(s) that will be authenticated with LDAP server.

VPN and Remote Access >> PPP General Setup

PPP General Setup

OK

After above configurations, users belong to either "rd1" or "shrd" group can access Internet after inputting their credentials on LDAP server.

A-2 How to use DrayDDNS?

Vigor router supports various DDNS service providers, user can set up user-defined profile to update the DDNS even the service provider is not on the list. Now, DrayTek starts to support our own DDNS service - DrayDDNS. We will provide a domain name for each Vigor router, this single domain name can record IP addresses of all WAN.

Set up DrayDDNS on DrayOS Router

1. Go to Applications >> Dynamic DNS Setup. Enable Dynamic DNS Setup.

1. Go to Wizards >> Service Activation Wizard page, wait for the router to connect to MyVigor server, then:

(a) Select DT-DDNS.
(b) Enter the desired Domain Name.
(c) Make sure you have read the License Agreement. Check I have read and accept the above Agreement, then click Next.

Service Activation Wizard

Select the service type that you want to activate

Activation Date : 2018-01-18

Web Content Filter(WCF) Service :

BPJM

License Agreement

This is a web content filter that is provided by the German government. It is a free service without any guarantee and will expire one year after activation. You may re-activate the service after expiry.

Cyren 30-Days Free Trial

License Agreement

This is a worldwide web content filter service. The free trail license can only be used once. At the end of the free trail period you may purchase the official one-year Cyren Web Content Filter from an authorized DrayTek reseller.

APP Enforcement(APPE) Service :

DT-APPE

License Agreement

Upgrade APPE Signature automatically.

Dynamic DNS(DDNS) Service :

DT-DDNS

License Agreement

This is a Dynamic Domain Name Service that is provided by DrayTek company. It is a free service will expire 1 year after activation. You may re-active the service after expiry.

Domain Name : domo .drayddns.com

have read and accept the above Agreement. (Please check this box).

Next>

Cancel

1. Confirm the information, then click Activate.

Service Activation Wizard

Please confirm your settings

Sevice Type : Trial version

Sevice Activated : Dynamic DNS ( demo.drayddns.com )

Please click Back to re-select service type you to activate.

< Back

Activate

Cancel

1. MyVigor server will reply with the service activation information.

DrayTek Service Activation

Please check if the license fits with the service provider of your signature. To ensure normal operation for your router, update your signature again is recommended.

Copyright © DrayTek Corp. All Rights Reserved.

1. Vigor router will contact with MyVigor server, then get the DrayDDNS license as well as the domain name back, and create the DDNS profile automatically. Please go to Applications >> Dynamic DNS Setup page to make sure the router has created the DDNS profile.

Applications >> Dynamic DNS Setup

Note that, if your router does not get the domain after you activating the license, it may due to the router does not trigger the process, which to connect and get the license from MyVigor server. You may reboot the router to trigger the process.

Modify DrayDDNS Domain Name

Currently, only the domain name is allowed to be modified MyVigor website. We will need to register the router to MyVigor server, and log in to MyVigor website to modify it.

1. Please visit https://myvigor.draytek.com/ or go to Applications >> Dynamic DNS Setup >> DrayDDNS profile and click Edit domain.

Index : 1

1. Log in to MyVigor Website, choose the profile, then click Edit DDNS settings.

My Information - My Products

Device Information

Device Name: FAE2000

Serial Number: 2016 0205

Model: Vigor2860 Series

Rename Transfer Back

Device's Service

Expired License

1. Input the desired Domain name and click Update.

Edit DDNS Settings

1. Vigor router will get the modified domain name when the it performs next DDNS updating. We can click Sync domain to accelerate this process.

Index : 1

1. After few seconds, the router will get the new domain name and print it on the profiles list.

Applications >> Dynamic DNS Setup

II-6 Routing

Route Policy (also well known as PBR, policy-based routing) is a feature where you may need to get a strategy for routing. The packets will be directed to the specified interface if they match one of the policies. You can setup route policies in various reasons such as load balance, security, routing decision, and etc.

Through protocol, IP address, port number and interface configuration, Route Policy can be used to configure any routing rules to fit actual request. In general, Route Policy can easily reach the following purposes:

Load Balance

You may manually create policies to balance the traffic across network interface.

Specify Interface

Through dedicated interface (WAN/ LAN/ VPN), the data can be sent from the source IP to the destination IP.

Address Mapping

Allows you specify the outgoing WAN IP address (es) for an internal private IP address or a range of internal private IP addresses.

Priority

The router will determine which policy will be adopted for transmitting the packet according to the priority of Static Route and Route Policy.

Failover to/Failback

Packets will be sent through another Interface or follow another Policy when the original interface goes down (Failover to). Once the original interface resumes service (Failback), the packets will be returned to it immediately.

Other routing

Specify routing policy to determine the direction of the data transmission.

Info

For more detailed information about using policy route, refer to SUPPORT >> TECH SUPPORT >>FAQs on www.draytek.com.

Web User Interface

Routing

Static Route

Load-Balance/Route Policy

Fast Routing

OSPF

BGP

II-6-1 Static Route

Go to Routing >> Static Route. You can create static routes so that traffic to specific IP addresses go through a particular LAN or WAN.

The Static Route Setup screen has separate tabs for IPv4 and IPv6. Select the appropriate tab to begin.

II-6-1-1 Static Route for IPv4

Routing >> Static Route

Available settings are explained as follows:

Item	Description
Set to Factory Default Clear	all of the settings and return to factory default settings.
Viewing Routing Table Displays the routing table for your reference. Diagnostics >> View Routing Table
Index	The number (1 to 300) under Index allows you to open next page to set up static route.
Enable Enables or disables the static route.
Destination Address Beginning destination address.
Mask Subnet mask of the destination address.
Gateway IP address of the gateway, which is the host that the traffic needs to go through to reach the destination.
Interface The LAN or WAN that should be used to contact the gateway.
Backup	Click it to backup the configuration of static route settings.
Restore Click it to restore the configuration of static route settings.Before clicking, make sure upload the configuration file onto Vigor router.

Add Static Routes to Private and Public Networks

Here is an example (based on IPv4) of setting Static Route in Main Router so that user A and B locating in different subnet can talk to each other via the router. Assuming the Internet access has been configured and the router works properly:

• use the Main Router to surf the Internet.
  ● create a private subnet 192.168.10.0 using an internal Router A (192.168.1.2)
  ● create a public subnet 211.100.88.0 via an internal Router B (192.168.1.3).
  ● have set Main Router 192.168.1.1 as the default gateway for the Router A 192.168.1.2.

Before setting Static Route, user A cannot talk to user B for Router A can only forward recognized packets to its default gateway Main Router.

graph TD
    A["Internet"] --> B["Router C 192.168.1.1"]
    B --> C["Router A 192.168.1.2 (Gateway:192.168.1.1)"]
    B --> D["Router B 192.168.1.3"]
    C --> E["User A"]
    C --> F["Private Subnet 192.168.10.0/24"]
    D --> G["User B"]
    D --> H["Private Subnet 211.10.88.0/24"]
    B --> I["Set Static Route"]

1. Go to LAN page and click General Setup, select 1st Subnet as the RIP Protocol Control. Then click the OK button.

Info

There are two reasons that we have to apply RIP Protocol Control on 1st Subnet. The first is that the LAN interface can exchange RIP packets with the neighboring routers via the 1st subnet (192.168.1.0/24). The second is that those hosts on the internal private subnets (ex. 192.168.10.0/24) can access the Internet via the router, and continuously exchange of IP routing information with different subnets.

1. Click the LAN >> Static Route and click on the Index Number 1. Check the Enable box. Please add a static route as shown below, which regulates all packets destined to 192.168.10.0 will be forwarded to 192.168.1.2. Click OK.

Routing >> Static Route Setup

Index No. 1

Enable

Destination IP Address

Subnet Mask

Gateway IP Address

Network Interface

192.168.10.0

255.255.255.255/32

192.168.1.2

LAN1

Note:

WAN7, WAN8, WAN9 are PVCs or VLANs that can be configured on the Multi-PVC/VLAN page.

Available settings are explained as follows:

1. Return to Static Route Setup page. Click on another Index Number to add another static route as show below, which regulates all packets destined to 211.100.88.0 will be forwarded to 192.168.1.3. Click OK.

Routing >> Static Route Setup

Index No. 2

Note:

WAN7, WAN8, WAN9 are PVCs or VLANs that can be configured on the Multi-PVC/VLAN page.

1. Go to Diagnostics and choose Routing Table to verify current routing table.

Diagnostics >> View Routing Table