Draytek 2912 Series Router Overview. Part Two
In the first part of the review, we looked at the Draytek 2912 / 2912n series router in detail from such aspects as positioning the device on the market, how to use the router, its key functions and examples of their use, familiarized yourself with the detailed technical specification of the device, looked at the configuration and appearance of the router, detailed functions of indicators and device interfaces. Everything we see clearly demonstrates that the device has very wide capabilities that an enterprise of the SMB / SOHO level or a small branch of a large company may need and therefore the device has great potential for use in corporate networks. Load testing showed good results, I did not expect other results, because the device is far from the initial level, so it must be productive.
In this part of the review, we take a closer look at the device’s web interface, learn about its features and an example of setting up such functions and interfaces as WAN and LAN, Load-balancing, wireless network, VPN, firewall, NAT bandwidth control, as well as USB functions, diagnostics and monitoring of the router.
Below is a general wiring diagram of the router.
')
Fig. 0
By default, the router has an open wireless network called Draytek and a DHCP server, you can connect to it or use one of the LAN ports.
After connecting to the router from the PC and successfully obtaining the IP address from the network 192.168.1.0/24,
open its web interface, to do this, in the web browser you need to dial the default IP LAN 192.168.1.1,
Username: admin, password: admin. I recommend immediately changing the password to a more secure one.
Fig. one
We get to the Online Status menu where the main information about the device is displayed.
Fig. 2
I note that the firmware version 3.7.8.1_R is preinstalled on routers shipped to Russia, this firmware differs from the usual one in that it does not have encryption other than the PPTP protocol, it looks like this:
Fig. 3
If this is not enough, you can install a full firmware by downloading it from the Draytek.com website.
in the section Supports -> Downloads -> Firmware - Vigor2912 Series .
I chose the latest 3.8.1.1 and downloaded it, then, unzip it, in the web interface of the router, open System Maintenance >> Firmware Upgrade and specify the file v2912_3811.all, then click "Upgrade".
Fig. four
After a successful update, restart the router and get the latest firmware without any restrictions.
For clarity, below is an image of the network scheme for the Draytek 2912n router, which we will consider.
Fig. 4-1
To connect to the Internet, we use two WAN interfaces with several routing rules. In case of a failure on the first channel, the traffic will automatically go through the backup.
We use two subnets: LAN0 = 192.168.1.0 / 24 and LAN1 = 192.168.2.0 / 24. And three wireless networks with SSID: DrayTek, DrayTek_Guest and DrayTek_Unencrypted. They are integrated through VLAN settings with wireless networks. Remote clients can connect via VPN using Smart VPN Client and PPTP and IPSec protocols. For the SmartMonitor application, mirroring is enabled from the LAN ports.
In general, regardless of the model of the Draytek router, the menu structure has a similar organization, you can not find any functions, or discover more of them than in another model or firmware version, but the structure remains unchanged. On the left is a block of global menu items structured by router subsystems: Wizards, settings for wired network interfaces WAN and LAN, then a firewall settings block (Firewall, Objects Settings, CSM) and User Management, then a settings block special router applications (Applications). Then the VPN settings block, followed by the menu for setting up a wireless network (Wireless LAN), a separate menu for setting the USB port (USB Application), and finally the menu of service functions (System Maintenance) and the diagnostics menu of the router (Diagnostics).
All items are structured simply and logically, in accordance with the network functions, without any specific and confusing logic.
Each global menu item includes one or more sub-items.
Consider the main menu items, since the router has a configuration corresponding to the network scheme that was presented above, as we review the new menu items, it will become clear how these or other network functions are configured.
Here are the settings wizards that allow you to configure the main functions of the router with a few clicks. They are a chain of several dialog boxes, the last window displays a listing of all the settings made and the “Finish” button to apply them. It seemed to me that the data of the wizard for very lazy administrators, as well as without them, setting up the basic functions on the router is easy.
Quick Start Wizard - used to quickly configure the connection WAN 1-3 interfaces.
Service Activation Wizard - activates an intelligent thematic filter Web Content Filter.
The following wizards of the VPN Client Wizard and the VPN Server Wizard seemed interesting to me, with the help of them it is easy to configure the VPN in the LAN-to-LAN and Remote Dial-in User modes, activate the service and register the users. Below, an example of 3 steps to add and activate a VPN user.
We chose PPTP, then you need to configure the client-side, we will use the Draytek Smart VPN client. Let's go back to the VPN settings in the VPN and Remote Access menu.
Fig. five
Fig. 6
Fig. 7
Wireless Wizard Wizard is used for initial configuration of a wireless network. Below is the final window at the completion of the wizard.
Fig. eight
In a couple of clicks, the wireless network is set up.
The next menu item contains two subitems: the first Physical Connection shows the physical status of the interfaces LAN, WAN 1-3 and link-level counters, the same thing, but only for virtual interfaces can be seen in the Virtual WAN menu.
Fig. 9
More detailed information on the system status can be found in System Maintenance -> System Status .
In this menu, all settings related to the connection of the router to the Internet providers are made. In our example, WAN 1 and 2 are active.
Fig. 10-1
Load balance mode setting is available when two or three WAN interfaces are used simultaneously. We use Auto Weigh mode; in this mode, the router automatically distributes the load. The WAN 3 interface can be used when connecting a 3 / 4G modem.
Below is the detailed configuration of the WAN 2 interface, we use load balancing mode.
Fig. 10-2
In the Internet Access submenu, the interfaces are configured directly.
Fig. 10-3
We are moving to Detalils Page WAN 2 , here are the settings for the connection mode, we use a static IP, the first interface is a DHCP client. In addition to the methods we used, you can connect to the Internet using the PPTP / L2TP or PPPoE protocols, also IPv6.
Fig. eleven
The Multi-VLAN submenu allows the administrator to create profiles for a specific physical WAN 1-2 interface and create a bridge with LAN interfaces on the local network to achieve maximum throughput.
Fig. 12
That is, on the basis of the physical interface WAN 1-2, we create an additional virtual WAN 5-7 in the VLAN specified by us and “bridge” it with the necessary LAN ports 1-3 (port 4 can work only in the NAT mode), optionally, we can assign virtual interface WAN 5-7 IP address manually or receive via DHCP, that is, make it L3. As an example, you can take the forwarding of IPTV traffic from a WAN to a LAN.
The item is responsible for setting up the local network and contains a number of sub-items. The router supports two independent LAN segments with its own settings, the default is 192.168.1.1/24 and 192.168.2.1/24, you can also add one routed network. In both segments, DHCP is enabled which gives IP addresses to connecting user terminals. By the way, the DHCP server can be configured to transfer any additional DHCP options, it is very convenient if there are specialized services on the network, for example, a TFTP server.
Fig. 13
Additionally, you can enable or disable routing between LAN 1 and 2 in the Inter-LAN Routing section.
In the next LAN >> Static Route Setup submenu, you can add up to 10 static routes to other networks by IP addresses in LAN 1-2 subnets.
The LAN >> VLAN Configuration submenu allows you to combine the specified LAN ports P2-4 (P1 performs the WAN2 function in our example) into one VLAN with wireless networks SSID 1-4 and optionally add priority VLAN tags. When VLAN Tag is enabled, the traffic with tags specified in the VID field will appear on the corresponding LAN ports, tags are not transmitted over wireless networks. In our example, two independent VLANs. VLAN0 includes LAN ports P 2-4 and a wireless network with SSID1 - all this is in LAN 1 segment. VLAN1 includes wireless networks with SSID2 and SSID3 - all this is in the LAN 2 segment.
Fig. 14
The router can operate in the mode of creating untagged port-based VLANs, or VLANs based on VID tags.
The next submenu item is LAN >> Bind IP to MAC . Allows you to create lists with matching MAC addresses and IP addresses, if the function allows all assigned IP addresses to MAC addresses can not be changed. Created sheets can be saved to a file and restored to the router configuration from a previously saved file.
In the LAN >> LAN Port Mirror menu, you can enable copying of all traffic from the specified LAN Mirrored port to the receiving Mirror port. This feature is useful for debugging a network using a sniffer or using the Draytek Smart Monitor network monitoring and analysis application; information about this application can be found in the first part of this review.
Fig. 15
The LAN >> Web Portal Setup submenu allows you to define profiles that are assigned to the LAN or WLAN-wireless network interfaces and specify the URL of the site to automatically redirect the user when you first try to open the web page, after connecting through the interface specified in the profile, for example , SSID1.
Fig. sixteen
This feature is used for promotional purposes or to notify a user who connects to the Internet through a specific company network.
In the example, when you try to open any webpage for the first time, the user will be redirected to the site www.ucexpert.ru , where at the top of the screen there will be a message suggesting the user to click the “Continue” button to continue the web session and go to the desired site.
Below is an example of a page page.
Fig. 17
This menu item contains the General Setup sub-item — direct configuration of load balancing rules and routing policies; and Diagnose , a sub-item for debugging customized rules, where you can simulate the route of one or several packets through the table of customized rules and check the result.
Fig. 18
In the example, packets departing from any LAN IP addresses of the router to IP 8.8.8.8 will pass through WAN1, the second rule works the same way, only for IP destination 8.8.4.4 and the packets will pass through WAN2. The third rule specifies the whole subnet, the fourth rule indicates that all traffic must be sent via WAN1, in case of failure of WAN1, sent to WAN2. Each rule has priority, the lower it is, the earlier the rule is executed.
The following image shows the criteria by which you can set a rule, there are quite a few of them, you can also determine where to send the packet if the rule did not work.
Fig. nineteen
The following figure shows the route diagnostics.
Fig. 20
In the menu, the NAT Address Translation (Network Address Translation) functions are configured; it contains the Port Redirection submenu - port forwarding from the port of the specified WAN interface to the IP address and a port on the LAN network, this may be necessary for FTP servers, mail servers, etc. d.
The DMZ Host submenu allows you to set one DMZ host on the LAN for each of the WAN interfaces.
The Open Ports submenu allows you to keep the specified port ranges open for special applications, such as P2P, and direct them to specific IP addresses on the LAN.
Fig. 21
Port Triggering is a variation of Open Ports . If, after activation of the Open Ports rule, the specified ports are constantly open, then when the Port Triggering rule is applied, the specified ports will open only when the conditions of the rules match, then the ports will close again after a timeout.
The function in the appropriate sub-menu item is defined by a set of rules.
In this menu, global firewall rules are configured, sets and order of traffic inspection rules are specified, and default traffic filtering rules are also specified.
The firewall can be divided into 3 subsystems:
The firewall architecture uses two independent rule sets, Call Filter and Data Filter.
The Call Filter rule set is used for traffic that goes from the local network to the WAN, when there is no active Internet connection (the WAN interface is not active) and before establishing the connection, the traffic passes through the Call Filter rules, if no packets are blocked, the connection is established.
When the WAN interface is active, all packets immediately fall into the Data Filter rule set, and all incoming traffic to the WAN interfaces also falls there.
Fig. 22
Firewall rules can specify objects (defined through the Objects Settings menu), such as IP addresses or groups of IP addresses, protocol and port range and their groups, keywords and groups of keywords, file extension profiles, users (certain in the User Management menu) and finally, in the CSM (Content Security Management) menu, define applications, for example, Skype, URLs and even the subject matter of various websites using the Web Content Filter system.
That is, we can work with traffic from the network layer to the application level, plus use the Web Content Filter system for intelligent processing of traffic on the subject of web content, that is, create very broad rules.
Below are the global settings in the Firewall >> General Setup submenu, then the Firewall >> Filter Setup submenu illustrating firewall rulesets, the Firewall >> Filter Setup >> Edit Filter Set submenu illustrating the composition of a particular set of rules.
Fig. 23
Now consider a specific rule in from a table called block-social
Fig. 24
First, in Schedule, you can specify a schedule when the rule will work, for example, block social networks from 9-30 to 18-00 from Monday to Friday. Next, we specify the direction of traffic checking in the Direction field, any incoming and outgoing IP addresses, the service type can be specified by a specific object in the Objects Setting >> Service Type Object menu, or a set of objects, and is a bundle of protocol type + port or range ports.
Next, in the Filter field we specify the criterion “Pass If No Further Further Match” - packets should be skipped if none of the criteria in the remaining rules matches. If the user turns to a social network, for example, ok.ru, the criterion will match and the package will be blocked. The criterion in this example is a profile in the URL Content Filter, which contains an object - a group including keywords - social network addresses.
Below, I will illustrate the settings when we get to them. In the same way, other criteria are included in the rule, that is, in the internetwork filter rules, you can add criteria both at the network level and at the application level, moreover, you can enable Web Content Filter which runs even higher - at the web content theme. .
Submenu DoS Defense . The router implements detection and automatic protection against DoS attacks, with the traffic intensity threshold metrics after which the event is considered an attack can be manually configured. Also provides for sending notifications about the attack.
A firewall can operate in one of two global modes:
Rule-Based , that is, based on rules where objects, for example, the IP addresses of user stations. The administrator sets the rules based on different IP addresses.
User-Based , that is, management is carried out on the basis of user profiles. The administrator sets the rules for different user profiles or their groups. Before this, users must log in. After authorization, the system creates a correspondence between the username and the IP address with which it is authorized.
Below are the User Management >> General Setup submenus where you switch between working with IP addresses or working with user profiles.
If everything is clear with work by IP addresses: the administrator assigns an IP address to the user's terminal, which should not be changed and assigns rules for the IP address.
As soon as we switch to User-Based mode, the user must log in, until that moment he will not be able to work on the network, and when opening the browser and trying to access any site, he will be redirected to the login page. To log in, a user profile with the appropriate rights must be contained in the User Management >> User Profile table.
Fig. 25
In the example there is a user profile Ignat Kudryavtsev, open the profile of this user
Fig. 26
As you can see, here you can set the timeout for automatic logout in case of idle time, and the restriction on the simultaneous number of logins, enable external authentication using the LDAP or RADIUS protocols. You can also set quotas for time and volume of traffic consumed by the user.
Landing Page - this is the page that the user will see after successful login.You can display a simple message, as in our example: “Login Success!”, Or you can redirect to any website, for example, the company's website. To do this, in the Landing page settings, you need to write a string like:
All settings are described in detail in the user manual.
When you open a web browser and try to access any site, the user will be redirected to the login page, after successful login, the message “Login Success!” Will appear and the user will be able to work online.
Fig. 27
In the User Group submenu, users can be grouped to then assign the same rules to groups of users, for example, by company department. Submenu User Online Status is used to view the status of users.
Draytek 2912 series routers support firewall with invisible testing of SPI (Stateful Packet Inspection) based on Objects (Object-based), such as: a user (he gets a certain IP during authorization), IP addresses or groups of IP addresses, a protocol and port range and their groups, keywords and keyword groups, file extension profiles. These objects can be used to create firewall rules that can be turned on and off on a schedule.
In the Objects Setting menu, various types of objects are created and grouped.
In the IP Object submenu, objects are created based on the host, range of IP addresses or a subnet. You can also use a specific MAC address for any IP address. In the IP Group submenu, groups are created from IP objects, which can then be used to create firewall rules.
Same for IPv6 Object and IPv6 Group with IP addressing IPv6.
In the Service Type Object and Service Type Group submenus, objects are created and grouped based on protocol type, source and destination ports.
Fig. 28
In the Keyword Object and Keyword Group submenus, objects are created and grouped based on keywords, then these objects can be used to create filtering rules, for example, for the URL Content Filter Profile and DNS Filter Profile in the CSM subsystem. In our example, we block the social networks vk.com twitter.com facebook.com and ok.ru, for this we created two profiles with the names social-nets and social-ok.ru containing the given keywords and added them to the group social-nets- gro submenu Objects Setting >> Keyword Group . Next, we use this group in the CSM >> URL Content Filter Profile .
Fig. 29
In the File Extension Object submenu, profiles of extensions are created, files that can be recognized and used in firewall rules. Thus, for example, you can prohibit the download of all compressed files or video files with the specified extensions. The example prohibits the loading of any images. The created profile with the name blk-img will then be used in the CSM profile >> URL Content Filter Profile . We will see this in the example below.
Fig. thirty
The SMS / Mail Service Object and Notification Object submenus allow you to configure up to 10 notification profiles for the Application >> SMS / Mail Alert Service .
CSM (Content Security Management) security system, an application-level firewall subsystem, allows you to block URL links by keywords and content types, for example, Java Applet, Cookies, Active X, you can also block various network applications, for example , IM / P2P or application level protocols, for example, MySQL, SMB, SSH, UltraVPN, the list of services and protocols is quite impressive. It is possible to block DNS by keywords.
In the APP Enforcement Profile submenu, profiles are created for filtering network applications that can use dynamically changing ports, and each such application has its own specifics, for example, Skype.
Fig. 31
In the example of the settings for the firewall rule of the Data Filter table above, this rule is indicated.
Submenu URL Content Filter Profile is responsible for filtering web content. The previously created Group / Object Keyword objects are specified here and the URL Access Control function is enabled , then each website address will be searched by keywords. In our example, we added earlier to the created group social-nets-gro containing keywords with the web addresses of social networks.
In the Web Feature section, you can enable cookies, proxy locking and file uploads with those specified in the File Extension Profile , in the example above, we created the 1-blk-img profile.
The created social profile is assigned in the firewall rule in the URL Content Filter field.
Fig. 32
When the rule works when trying to open, for example, vk.com, the user will see a message from the Administration Message field , an example of the contents of such a field is shown in the previous image.
Fig. 33
Submenu Web Content Filter Profile . Another powerful CSM tool is the GlobalView Web Content Filter system. It is designed to filter unwanted content at the thematic level, that is, for example, sites with the theme of porn, crime, gambling, and more. The administrator creates profiles where he specifies the subject of the sites and assigns them to the firewall rules, then indicates what to do if the rule matches, for example, block. Web Content Filter is licensed, but a trial license for testing can be obtained free of charge.
Below is the profile setting by categories:
Fig. 34
The DNS Filter Profile subsystem checks and blocks DNS requests for UDP port 53 in accordance with the assigned URL profile Content Filter Profile or Web Content Filter Profile. You can also customize the message that will be displayed to the user when the resource is locked.
The Bandwidth Management >> Sessions Limit submenu is used to limit the number of NATs from sessions with LAN IP addresses that can be simultaneously established. For example, P2P (Peer to Peer) applications typically require multiple simultaneous sessions, and they consume a lot of network resources. You can also limit the number of default sessions from any IP.
The Bandwidth Management >> Bandwidth Limit submenu sets limits on bandwidth utilization for hosts and IP address ranges. Moreover, the operation of the rules can be configured on a schedule, you can separately limit the band for incoming and outgoing traffic.
In the Bandwidth Management >> Quality of Service submenu, the quality of the traffic service is configured. At first, traffic using rules is classified by criteria such as source and destination IP, service type and DiffServ code. Then, each class of traffic is reserved its percentage of the total bandwidth of the specified interface.
Fig. 35
By the way, prioritization for VoIP traffic is prioritized by default.
This menu contains service application settings that help fine-tune individual functions.
For example, in the Schedule submenu, schedule profiles are configured, which are used in various settings of functions and rules of the router; you can create up to 15 entries in the schedule.
Fig. 36
In the LAN DNS menu , you can specify the correspondence of the IP address and the domain name in the local network. In the RADIUS menu and Active Directory / LDAP, you can optionally enable user authorization on the appropriate submenu server servers. In the IGMP submenu, you can enable IGMP proxying or IGMP snooping for multicast traffic, such as IP TV.
The router supports up to 16 VPN * LAN-to-LAN tunnels to create a secure connection between the organization's networks or create a VPN connection from remote workstations of homeworkers using the PPTP / IPSec / L2P / L2TPover IPSec protocols. AES / DES / 3DES encryption and IKE authentication provide enhanced security. Using a dual WAN connection allows you to use not only a load balancing scheme, but also redundancy. Therefore, if the main channel of the VPN channel becomes unavailable, it will replace the backup VPN channel.
By the way, the VPN functions in Draytek are very easy to configure. In just a couple of clicks, you can configure both LAN-to-LAN connections and access from remote workstations. Dryatek has its own VPN client to simplify the connection of workstations, it is called the Draytek Smart VPN Client, the application is available for free download on draytek.com
* In the official deliveries of routers to the territory of the Russian Federation, all software encryption tools that do not comply with state standards have been removed, so this firmware has only PPTP support without encryption. This can be fixed by installing regular software, which can be downloaded from draytek.com.
The global access VPN protocols are enabled in the Remote Access Control Setup submenu, the Pre-Shared Key for the IKE Authentication method is specified in the IPsec General Setup submenu, and the encryption methods are indicated. For example, specify the key draytek.commmmm
Fig. 37
In the Remote Dial-in User submenu, users who can connect via VPN from their remote locations to the localizer's LAN network are specified.
Fig. 38
In the Status list, it is clear that the user ignat is in the status “online”, as it is marked in green. In the example below, the user ignat connects via PPTP, the second user will connect through the IPSec tunnel using the pre-configured above preshared key = draytek.commmmm.
Fig. 39
To connect from the client side, I used the Draytek Smart VPN Client, it is installed and configured in two clicks.
Below is an example for PPTP.
Fig. 40
Similarly, a second VPN client is configured that will dynamically connect using the preshared key that we previously specified in the IPsec General Setup submenu as draytek.commmmm.
Figure 42
After successful connection in the Connection Management submenu, we will see active connections.
Fig. 43
The LAN to LAN submenu is used to configure VPN connections between two networks. A LAN-to-LAN profile is created, it specifies all settings required for creating a connection: connection type — incoming, outgoing or two-way, VPN protocol — PPTP, L2TP with IPsec Policy or IPsec Tunnel, depending on the protocol, specific settings, for example, login or password or IKE Pre-Shared Key, encryption method and so on. In fact, there are not so many settings, and they are simple in the general case. It specifies which local network the remote side must “see” and which remote network to route traffic through this VPN connection.
After saving the connection settings, the local side will initiate the connection or wait for an incoming connection from the remote side, depending on the settings.
The established connection can also be viewed in the Connection Management submenu.
The router supports the 802.11n wireless network and has two omni-directional antennas. The settings of the wireless network functions in the router are large.
The device supports up to 4 independent wireless networks with their own settings, and for each of the networks you can limit the maximum bandwidth for outgoing and incoming traffic, and also enable the schedule according to which these restrictions will work.
Below to illustrate the settings are the General Setup and Security Settings submenus. The settings are very visual.
Fig. 44
For each of the 4x wireless networks, their own security settings are configured, including MAC address filters. For each network, you can enable the Wi-Fi usage quota based on the MAC address and the timeout for re-quota provisioning.
Below is the Station List submenu , which shows the currently connected wireless terminals.
Fig. 45
In addition, in the Access Control submenu, you can enable the MAC address filter, and create both white and black lists of MAC addresses. Lists can be saved to a file on a computer or downloaded from a file, if necessary.
The Advanced Setting submenu contains radio channel fine tuning, for example, outgoing signal power, operating mode, channel width, fragment length, and others.
Wireless also supports configuration via WPS (Wi-Fi Protected Setup) and WDS settings, which can be found in the corresponding sub-items of the Wireless LAN menu.
The router has a USB port that can be used in three different modes. First, connect a USB 3G / 4G modem to reserve an Internet connection or as a basic Internet connection if there are no other ways to connect to the Internet.
Secondly, connect the USB printer to the router, which becomes the print server and users will be able to use it by setting up access to it over the network.
Fig. 46
In the image above, an example in which the USB port is used to connect the drive and exchange files over the network using FTP and SMB protocols. Created two users with different home directories. In the image below, there is an example of the USB Device Status submenu , where we see that a 8 GB drive is connected to the USB port and you can see a list of active users who are connected to it via the network.
Fig. 47
Photo USB Application >> File Explorer and Photo USB Application >> USB Device Status
Third, connect a USB drive and share files with FTP or NetBios / SMB. The list of supported modems can be viewed in the Modem Support List submenu, and the list of LAN clients can be viewed in the SMB Client Support List submenu.
When a 3G / 4G modem or printer is connected, their status will be reflected in the corresponding Modem and Printer tabs of the USB Device Status submenu.
The menu contains the service functions of the router. Here you can set a new password for users with User and Administrator rights, configure the TR-069 protocol for external control of the device. In the Configuration Backup submenu, you can save the current configuration of the router or restore it from a previously saved one. The Configuration Backup submenu is used to configure the SysLog system logs to be sent over the network; you can also specify which logs to record. Additionally, you can customize the sending of email notifications.
Fig. 48
By the way, Draytek has a free utility to simplify viewing and storing syslog on a remote computer. It is called Draytek Syslog. Below is a screenshot of the interface.
Fig. 49
In the Management submenu, you can configure permissions for remote control. And if necessary, you need to separately allow control from the Internet, that is, from WAN interfaces.
Fig. 50
There are a large number of diagnostic functions on the router, I really like it - almost any problem of diagnosing a condition can be solved through this menu.
In the Routing Table submenu there is a complete routing table, in the ARP Cache Table a list of all MAC addresses on the local network, in the DHCP Table a list of all active DHCP clients, there are tables of NAT sessions and a cache of DNS records.
Fig. 51
Of course, there are Ping and Traceroute . It is possible to enable local viewing of the system logs of the router, and they are divided by the types of the main subsystems: VPN, Firewall, WAN, and others.
Fig. 52
In the Traffic Graph submenu, you can, graphically, evaluate the utilization of WAN interfaces or the number of sessions.
Fig. 53
We have studied in great detail the Draytek 2912 / 2912n series of routers. This device, which contains all the necessary network functions in a single package and is ideal for a small office, therefore, acquiring it, the owner, saves money due to the lack of the need to purchase additional network equipment that could implement individual Draytek 2912n functions, for example, firewall, point access, VPN hub, network printer or NAS server to store shared documents.
In the first part of the review, we determined the positioning of the device, examined in detail the typical use case of the router, described in detail all the key features and benefits, looked at the detailed technical specification - it is impressive.
Additional software Draytek VigorACS SI, for large installations, will allow you to easily manage and maintain a huge fleet of routers, for a single installation, the Draytek Smart Monitor software designed for monitoring and analyzing traffic will become an indispensable tool for network debugging and user monitoring. We looked at the configuration and appearance of the device, the display and the interfaces, then we tested the maximum throughput of the router in several modes. All results correspond to the figures declared by the manufacturer.
In the second part of the review, which you are currently reading, we looked at each menu item in detail, with examples of setting up such functions and interfaces as WAN and LAN, load balancing and routing policies, wireless network, VPN, firewall, NAT bandwidth control, and USB functions, diagnostics and monitoring of the router. As for the documentation, in the process of setting up and testing, I addressed it many times and easily found answers - all functions are well described, and the sections where they are clearly structured. Working with the router and its documentation left only good impressions.
The Draytek 2912 router is very functional, and easy to set up, can be controlled via a web browser, CLI command line interface or TR-69 protocol. In addition, additional software VigorACS SI and Smart Monitor to monitor and manage both individual devices and a large fleet of hundreds or thousands of devices will help significantly reduce the cost of installation and maintenance of devices. Therefore, Draytek 2912 has a huge potential for use in corporate networks of small companies, as well as in separate offices of large enterprises. Also, I note the good quality of software, high performance and reliability, proven by time.
In this part of the review, we take a closer look at the device’s web interface, learn about its features and an example of setting up such functions and interfaces as WAN and LAN, Load-balancing, wireless network, VPN, firewall, NAT bandwidth control, as well as USB functions, diagnostics and monitoring of the router.
Below is a general wiring diagram of the router.
')
Fig. 0
By default, the router has an open wireless network called Draytek and a DHCP server, you can connect to it or use one of the LAN ports.
After connecting to the router from the PC and successfully obtaining the IP address from the network 192.168.1.0/24,
open its web interface, to do this, in the web browser you need to dial the default IP LAN 192.168.1.1,
Username: admin, password: admin. I recommend immediately changing the password to a more secure one.
Fig. one
We get to the Online Status menu where the main information about the device is displayed.
Fig. 2
I note that the firmware version 3.7.8.1_R is preinstalled on routers shipped to Russia, this firmware differs from the usual one in that it does not have encryption other than the PPTP protocol, it looks like this:
Fig. 3
If this is not enough, you can install a full firmware by downloading it from the Draytek.com website.
in the section Supports -> Downloads -> Firmware - Vigor2912 Series .
I chose the latest 3.8.1.1 and downloaded it, then, unzip it, in the web interface of the router, open System Maintenance >> Firmware Upgrade and specify the file v2912_3811.all, then click "Upgrade".
Fig. four
After a successful update, restart the router and get the latest firmware without any restrictions.
For clarity, below is an image of the network scheme for the Draytek 2912n router, which we will consider.
Fig. 4-1
To connect to the Internet, we use two WAN interfaces with several routing rules. In case of a failure on the first channel, the traffic will automatically go through the backup.
We use two subnets: LAN0 = 192.168.1.0 / 24 and LAN1 = 192.168.2.0 / 24. And three wireless networks with SSID: DrayTek, DrayTek_Guest and DrayTek_Unencrypted. They are integrated through VLAN settings with wireless networks. Remote clients can connect via VPN using Smart VPN Client and PPTP and IPSec protocols. For the SmartMonitor application, mirroring is enabled from the LAN ports.
In general, regardless of the model of the Draytek router, the menu structure has a similar organization, you can not find any functions, or discover more of them than in another model or firmware version, but the structure remains unchanged. On the left is a block of global menu items structured by router subsystems: Wizards, settings for wired network interfaces WAN and LAN, then a firewall settings block (Firewall, Objects Settings, CSM) and User Management, then a settings block special router applications (Applications). Then the VPN settings block, followed by the menu for setting up a wireless network (Wireless LAN), a separate menu for setting the USB port (USB Application), and finally the menu of service functions (System Maintenance) and the diagnostics menu of the router (Diagnostics).
All items are structured simply and logically, in accordance with the network functions, without any specific and confusing logic.
Each global menu item includes one or more sub-items.
Consider the main menu items, since the router has a configuration corresponding to the network scheme that was presented above, as we review the new menu items, it will become clear how these or other network functions are configured.
Wizards Menu
Here are the settings wizards that allow you to configure the main functions of the router with a few clicks. They are a chain of several dialog boxes, the last window displays a listing of all the settings made and the “Finish” button to apply them. It seemed to me that the data of the wizard for very lazy administrators, as well as without them, setting up the basic functions on the router is easy.
Quick Start Wizard - used to quickly configure the connection WAN 1-3 interfaces.
Service Activation Wizard - activates an intelligent thematic filter Web Content Filter.
The following wizards of the VPN Client Wizard and the VPN Server Wizard seemed interesting to me, with the help of them it is easy to configure the VPN in the LAN-to-LAN and Remote Dial-in User modes, activate the service and register the users. Below, an example of 3 steps to add and activate a VPN user.
We chose PPTP, then you need to configure the client-side, we will use the Draytek Smart VPN client. Let's go back to the VPN settings in the VPN and Remote Access menu.
Fig. five
Fig. 6
Fig. 7
Wireless Wizard Wizard is used for initial configuration of a wireless network. Below is the final window at the completion of the wizard.
Fig. eight
In a couple of clicks, the wireless network is set up.
Menu Online Status
The next menu item contains two subitems: the first Physical Connection shows the physical status of the interfaces LAN, WAN 1-3 and link-level counters, the same thing, but only for virtual interfaces can be seen in the Virtual WAN menu.
Fig. 9
More detailed information on the system status can be found in System Maintenance -> System Status .
WAN menu
In this menu, all settings related to the connection of the router to the Internet providers are made. In our example, WAN 1 and 2 are active.
Fig. 10-1
Load balance mode setting is available when two or three WAN interfaces are used simultaneously. We use Auto Weigh mode; in this mode, the router automatically distributes the load. The WAN 3 interface can be used when connecting a 3 / 4G modem.
Below is the detailed configuration of the WAN 2 interface, we use load balancing mode.
Fig. 10-2
In the Internet Access submenu, the interfaces are configured directly.
Fig. 10-3
We are moving to Detalils Page WAN 2 , here are the settings for the connection mode, we use a static IP, the first interface is a DHCP client. In addition to the methods we used, you can connect to the Internet using the PPTP / L2TP or PPPoE protocols, also IPv6.
Fig. eleven
The Multi-VLAN submenu allows the administrator to create profiles for a specific physical WAN 1-2 interface and create a bridge with LAN interfaces on the local network to achieve maximum throughput.
Fig. 12
That is, on the basis of the physical interface WAN 1-2, we create an additional virtual WAN 5-7 in the VLAN specified by us and “bridge” it with the necessary LAN ports 1-3 (port 4 can work only in the NAT mode), optionally, we can assign virtual interface WAN 5-7 IP address manually or receive via DHCP, that is, make it L3. As an example, you can take the forwarding of IPTV traffic from a WAN to a LAN.
LAN menu
The item is responsible for setting up the local network and contains a number of sub-items. The router supports two independent LAN segments with its own settings, the default is 192.168.1.1/24 and 192.168.2.1/24, you can also add one routed network. In both segments, DHCP is enabled which gives IP addresses to connecting user terminals. By the way, the DHCP server can be configured to transfer any additional DHCP options, it is very convenient if there are specialized services on the network, for example, a TFTP server.
Fig. 13
Additionally, you can enable or disable routing between LAN 1 and 2 in the Inter-LAN Routing section.
In the next LAN >> Static Route Setup submenu, you can add up to 10 static routes to other networks by IP addresses in LAN 1-2 subnets.
The LAN >> VLAN Configuration submenu allows you to combine the specified LAN ports P2-4 (P1 performs the WAN2 function in our example) into one VLAN with wireless networks SSID 1-4 and optionally add priority VLAN tags. When VLAN Tag is enabled, the traffic with tags specified in the VID field will appear on the corresponding LAN ports, tags are not transmitted over wireless networks. In our example, two independent VLANs. VLAN0 includes LAN ports P 2-4 and a wireless network with SSID1 - all this is in LAN 1 segment. VLAN1 includes wireless networks with SSID2 and SSID3 - all this is in the LAN 2 segment.
Fig. 14
The router can operate in the mode of creating untagged port-based VLANs, or VLANs based on VID tags.
The next submenu item is LAN >> Bind IP to MAC . Allows you to create lists with matching MAC addresses and IP addresses, if the function allows all assigned IP addresses to MAC addresses can not be changed. Created sheets can be saved to a file and restored to the router configuration from a previously saved file.
In the LAN >> LAN Port Mirror menu, you can enable copying of all traffic from the specified LAN Mirrored port to the receiving Mirror port. This feature is useful for debugging a network using a sniffer or using the Draytek Smart Monitor network monitoring and analysis application; information about this application can be found in the first part of this review.
Fig. 15
The LAN >> Web Portal Setup submenu allows you to define profiles that are assigned to the LAN or WLAN-wireless network interfaces and specify the URL of the site to automatically redirect the user when you first try to open the web page, after connecting through the interface specified in the profile, for example , SSID1.
Fig. sixteen
This feature is used for promotional purposes or to notify a user who connects to the Internet through a specific company network.
In the example, when you try to open any webpage for the first time, the user will be redirected to the site www.ucexpert.ru , where at the top of the screen there will be a message suggesting the user to click the “Continue” button to continue the web session and go to the desired site.
Below is an example of a page page.
Fig. 17
Menu Load-Balance / Route Policy
This menu item contains the General Setup sub-item — direct configuration of load balancing rules and routing policies; and Diagnose , a sub-item for debugging customized rules, where you can simulate the route of one or several packets through the table of customized rules and check the result.
Fig. 18
In the example, packets departing from any LAN IP addresses of the router to IP 8.8.8.8 will pass through WAN1, the second rule works the same way, only for IP destination 8.8.4.4 and the packets will pass through WAN2. The third rule specifies the whole subnet, the fourth rule indicates that all traffic must be sent via WAN1, in case of failure of WAN1, sent to WAN2. Each rule has priority, the lower it is, the earlier the rule is executed.
The following image shows the criteria by which you can set a rule, there are quite a few of them, you can also determine where to send the packet if the rule did not work.
Fig. nineteen
The following figure shows the route diagnostics.
Fig. 20
NAT menu
In the menu, the NAT Address Translation (Network Address Translation) functions are configured; it contains the Port Redirection submenu - port forwarding from the port of the specified WAN interface to the IP address and a port on the LAN network, this may be necessary for FTP servers, mail servers, etc. d.
The DMZ Host submenu allows you to set one DMZ host on the LAN for each of the WAN interfaces.
The Open Ports submenu allows you to keep the specified port ranges open for special applications, such as P2P, and direct them to specific IP addresses on the LAN.
Fig. 21
Port Triggering is a variation of Open Ports . If, after activation of the Open Ports rule, the specified ports are constantly open, then when the Port Triggering rule is applied, the specified ports will open only when the conditions of the rules match, then the ports will close again after a timeout.
The function in the appropriate sub-menu item is defined by a set of rules.
Firewall menu
In this menu, global firewall rules are configured, sets and order of traffic inspection rules are specified, and default traffic filtering rules are also specified.
The firewall can be divided into 3 subsystems:
- User-configurable IP filter based on the Call Filter / Data Filter rule sets
- Stateful Packet Inspection (SPI) Filter
- Denial of Service (DoS) / Distributed DoS (DDoS) protection
The firewall architecture uses two independent rule sets, Call Filter and Data Filter.
The Call Filter rule set is used for traffic that goes from the local network to the WAN, when there is no active Internet connection (the WAN interface is not active) and before establishing the connection, the traffic passes through the Call Filter rules, if no packets are blocked, the connection is established.
When the WAN interface is active, all packets immediately fall into the Data Filter rule set, and all incoming traffic to the WAN interfaces also falls there.
Fig. 22
Firewall rules can specify objects (defined through the Objects Settings menu), such as IP addresses or groups of IP addresses, protocol and port range and their groups, keywords and groups of keywords, file extension profiles, users (certain in the User Management menu) and finally, in the CSM (Content Security Management) menu, define applications, for example, Skype, URLs and even the subject matter of various websites using the Web Content Filter system.
That is, we can work with traffic from the network layer to the application level, plus use the Web Content Filter system for intelligent processing of traffic on the subject of web content, that is, create very broad rules.
Below are the global settings in the Firewall >> General Setup submenu, then the Firewall >> Filter Setup submenu illustrating firewall rulesets, the Firewall >> Filter Setup >> Edit Filter Set submenu illustrating the composition of a particular set of rules.
Fig. 23
Now consider a specific rule in from a table called block-social
Fig. 24
First, in Schedule, you can specify a schedule when the rule will work, for example, block social networks from 9-30 to 18-00 from Monday to Friday. Next, we specify the direction of traffic checking in the Direction field, any incoming and outgoing IP addresses, the service type can be specified by a specific object in the Objects Setting >> Service Type Object menu, or a set of objects, and is a bundle of protocol type + port or range ports.
Next, in the Filter field we specify the criterion “Pass If No Further Further Match” - packets should be skipped if none of the criteria in the remaining rules matches. If the user turns to a social network, for example, ok.ru, the criterion will match and the package will be blocked. The criterion in this example is a profile in the URL Content Filter, which contains an object - a group including keywords - social network addresses.
Below, I will illustrate the settings when we get to them. In the same way, other criteria are included in the rule, that is, in the internetwork filter rules, you can add criteria both at the network level and at the application level, moreover, you can enable Web Content Filter which runs even higher - at the web content theme. .
Submenu DoS Defense . The router implements detection and automatic protection against DoS attacks, with the traffic intensity threshold metrics after which the event is considered an attack can be manually configured. Also provides for sending notifications about the attack.
User Management menu
A firewall can operate in one of two global modes:
Rule-Based , that is, based on rules where objects, for example, the IP addresses of user stations. The administrator sets the rules based on different IP addresses.
User-Based , that is, management is carried out on the basis of user profiles. The administrator sets the rules for different user profiles or their groups. Before this, users must log in. After authorization, the system creates a correspondence between the username and the IP address with which it is authorized.
Below are the User Management >> General Setup submenus where you switch between working with IP addresses or working with user profiles.
If everything is clear with work by IP addresses: the administrator assigns an IP address to the user's terminal, which should not be changed and assigns rules for the IP address.
As soon as we switch to User-Based mode, the user must log in, until that moment he will not be able to work on the network, and when opening the browser and trying to access any site, he will be redirected to the login page. To log in, a user profile with the appropriate rights must be contained in the User Management >> User Profile table.
Fig. 25
In the example there is a user profile Ignat Kudryavtsev, open the profile of this user
Fig. 26
As you can see, here you can set the timeout for automatic logout in case of idle time, and the restriction on the simultaneous number of logins, enable external authentication using the LDAP or RADIUS protocols. You can also set quotas for time and volume of traffic consumed by the user.
Landing Page - this is the page that the user will see after successful login.You can display a simple message, as in our example: “Login Success!”, Or you can redirect to any website, for example, the company's website. To do this, in the Landing page settings, you need to write a string like:
<body stats=1><script language='javascript'> window.location='<a href="http://www.draytek.com/">http://www.draytek.com</a>'</script></body> All settings are described in detail in the user manual.
When you open a web browser and try to access any site, the user will be redirected to the login page, after successful login, the message “Login Success!” Will appear and the user will be able to work online.
Fig. 27
In the User Group submenu, users can be grouped to then assign the same rules to groups of users, for example, by company department. Submenu User Online Status is used to view the status of users.
Objects Setting Menu
Draytek 2912 series routers support firewall with invisible testing of SPI (Stateful Packet Inspection) based on Objects (Object-based), such as: a user (he gets a certain IP during authorization), IP addresses or groups of IP addresses, a protocol and port range and their groups, keywords and keyword groups, file extension profiles. These objects can be used to create firewall rules that can be turned on and off on a schedule.
In the Objects Setting menu, various types of objects are created and grouped.
In the IP Object submenu, objects are created based on the host, range of IP addresses or a subnet. You can also use a specific MAC address for any IP address. In the IP Group submenu, groups are created from IP objects, which can then be used to create firewall rules.
Same for IPv6 Object and IPv6 Group with IP addressing IPv6.
In the Service Type Object and Service Type Group submenus, objects are created and grouped based on protocol type, source and destination ports.
Fig. 28
In the Keyword Object and Keyword Group submenus, objects are created and grouped based on keywords, then these objects can be used to create filtering rules, for example, for the URL Content Filter Profile and DNS Filter Profile in the CSM subsystem. In our example, we block the social networks vk.com twitter.com facebook.com and ok.ru, for this we created two profiles with the names social-nets and social-ok.ru containing the given keywords and added them to the group social-nets- gro submenu Objects Setting >> Keyword Group . Next, we use this group in the CSM >> URL Content Filter Profile .
Fig. 29
In the File Extension Object submenu, profiles of extensions are created, files that can be recognized and used in firewall rules. Thus, for example, you can prohibit the download of all compressed files or video files with the specified extensions. The example prohibits the loading of any images. The created profile with the name blk-img will then be used in the CSM profile >> URL Content Filter Profile . We will see this in the example below.
Fig. thirty
The SMS / Mail Service Object and Notification Object submenus allow you to configure up to 10 notification profiles for the Application >> SMS / Mail Alert Service .
CSM menu
CSM (Content Security Management) security system, an application-level firewall subsystem, allows you to block URL links by keywords and content types, for example, Java Applet, Cookies, Active X, you can also block various network applications, for example , IM / P2P or application level protocols, for example, MySQL, SMB, SSH, UltraVPN, the list of services and protocols is quite impressive. It is possible to block DNS by keywords.
In the APP Enforcement Profile submenu, profiles are created for filtering network applications that can use dynamically changing ports, and each such application has its own specifics, for example, Skype.
Fig. 31
In the example of the settings for the firewall rule of the Data Filter table above, this rule is indicated.
Submenu URL Content Filter Profile is responsible for filtering web content. The previously created Group / Object Keyword objects are specified here and the URL Access Control function is enabled , then each website address will be searched by keywords. In our example, we added earlier to the created group social-nets-gro containing keywords with the web addresses of social networks.
In the Web Feature section, you can enable cookies, proxy locking and file uploads with those specified in the File Extension Profile , in the example above, we created the 1-blk-img profile.
The created social profile is assigned in the firewall rule in the URL Content Filter field.
Fig. 32
When the rule works when trying to open, for example, vk.com, the user will see a message from the Administration Message field , an example of the contents of such a field is shown in the previous image.
Fig. 33
Submenu Web Content Filter Profile . Another powerful CSM tool is the GlobalView Web Content Filter system. It is designed to filter unwanted content at the thematic level, that is, for example, sites with the theme of porn, crime, gambling, and more. The administrator creates profiles where he specifies the subject of the sites and assigns them to the firewall rules, then indicates what to do if the rule matches, for example, block. Web Content Filter is licensed, but a trial license for testing can be obtained free of charge.
Below is the profile setting by categories:
Fig. 34
The DNS Filter Profile subsystem checks and blocks DNS requests for UDP port 53 in accordance with the assigned URL profile Content Filter Profile or Web Content Filter Profile. You can also customize the message that will be displayed to the user when the resource is locked.
Bandwidth Management menu
The Bandwidth Management >> Sessions Limit submenu is used to limit the number of NATs from sessions with LAN IP addresses that can be simultaneously established. For example, P2P (Peer to Peer) applications typically require multiple simultaneous sessions, and they consume a lot of network resources. You can also limit the number of default sessions from any IP.
The Bandwidth Management >> Bandwidth Limit submenu sets limits on bandwidth utilization for hosts and IP address ranges. Moreover, the operation of the rules can be configured on a schedule, you can separately limit the band for incoming and outgoing traffic.
In the Bandwidth Management >> Quality of Service submenu, the quality of the traffic service is configured. At first, traffic using rules is classified by criteria such as source and destination IP, service type and DiffServ code. Then, each class of traffic is reserved its percentage of the total bandwidth of the specified interface.
Fig. 35
By the way, prioritization for VoIP traffic is prioritized by default.
Applicatons menu
This menu contains service application settings that help fine-tune individual functions.
For example, in the Schedule submenu, schedule profiles are configured, which are used in various settings of functions and rules of the router; you can create up to 15 entries in the schedule.
Fig. 36
In the LAN DNS menu , you can specify the correspondence of the IP address and the domain name in the local network. In the RADIUS menu and Active Directory / LDAP, you can optionally enable user authorization on the appropriate submenu server servers. In the IGMP submenu, you can enable IGMP proxying or IGMP snooping for multicast traffic, such as IP TV.
VPN and Remote Access menu
The router supports up to 16 VPN * LAN-to-LAN tunnels to create a secure connection between the organization's networks or create a VPN connection from remote workstations of homeworkers using the PPTP / IPSec / L2P / L2TPover IPSec protocols. AES / DES / 3DES encryption and IKE authentication provide enhanced security. Using a dual WAN connection allows you to use not only a load balancing scheme, but also redundancy. Therefore, if the main channel of the VPN channel becomes unavailable, it will replace the backup VPN channel.
By the way, the VPN functions in Draytek are very easy to configure. In just a couple of clicks, you can configure both LAN-to-LAN connections and access from remote workstations. Dryatek has its own VPN client to simplify the connection of workstations, it is called the Draytek Smart VPN Client, the application is available for free download on draytek.com
* In the official deliveries of routers to the territory of the Russian Federation, all software encryption tools that do not comply with state standards have been removed, so this firmware has only PPTP support without encryption. This can be fixed by installing regular software, which can be downloaded from draytek.com.
The global access VPN protocols are enabled in the Remote Access Control Setup submenu, the Pre-Shared Key for the IKE Authentication method is specified in the IPsec General Setup submenu, and the encryption methods are indicated. For example, specify the key draytek.commmmm
Fig. 37
In the Remote Dial-in User submenu, users who can connect via VPN from their remote locations to the localizer's LAN network are specified.
Fig. 38
In the Status list, it is clear that the user ignat is in the status “online”, as it is marked in green. In the example below, the user ignat connects via PPTP, the second user will connect through the IPSec tunnel using the pre-configured above preshared key = draytek.commmmm.
Fig. 39
To connect from the client side, I used the Draytek Smart VPN Client, it is installed and configured in two clicks.
Below is an example for PPTP.
Fig. 40
Similarly, a second VPN client is configured that will dynamically connect using the preshared key that we previously specified in the IPsec General Setup submenu as draytek.commmmm.
Figure 42
After successful connection in the Connection Management submenu, we will see active connections.
Fig. 43
The LAN to LAN submenu is used to configure VPN connections between two networks. A LAN-to-LAN profile is created, it specifies all settings required for creating a connection: connection type — incoming, outgoing or two-way, VPN protocol — PPTP, L2TP with IPsec Policy or IPsec Tunnel, depending on the protocol, specific settings, for example, login or password or IKE Pre-Shared Key, encryption method and so on. In fact, there are not so many settings, and they are simple in the general case. It specifies which local network the remote side must “see” and which remote network to route traffic through this VPN connection.
After saving the connection settings, the local side will initiate the connection or wait for an incoming connection from the remote side, depending on the settings.
The established connection can also be viewed in the Connection Management submenu.
Wireless LAN menu
The router supports the 802.11n wireless network and has two omni-directional antennas. The settings of the wireless network functions in the router are large.
The device supports up to 4 independent wireless networks with their own settings, and for each of the networks you can limit the maximum bandwidth for outgoing and incoming traffic, and also enable the schedule according to which these restrictions will work.
Below to illustrate the settings are the General Setup and Security Settings submenus. The settings are very visual.
Fig. 44
For each of the 4x wireless networks, their own security settings are configured, including MAC address filters. For each network, you can enable the Wi-Fi usage quota based on the MAC address and the timeout for re-quota provisioning.
Below is the Station List submenu , which shows the currently connected wireless terminals.
Fig. 45
In addition, in the Access Control submenu, you can enable the MAC address filter, and create both white and black lists of MAC addresses. Lists can be saved to a file on a computer or downloaded from a file, if necessary.
The Advanced Setting submenu contains radio channel fine tuning, for example, outgoing signal power, operating mode, channel width, fragment length, and others.
Wireless also supports configuration via WPS (Wi-Fi Protected Setup) and WDS settings, which can be found in the corresponding sub-items of the Wireless LAN menu.
USB Application Menu
The router has a USB port that can be used in three different modes. First, connect a USB 3G / 4G modem to reserve an Internet connection or as a basic Internet connection if there are no other ways to connect to the Internet.
Secondly, connect the USB printer to the router, which becomes the print server and users will be able to use it by setting up access to it over the network.
Fig. 46
In the image above, an example in which the USB port is used to connect the drive and exchange files over the network using FTP and SMB protocols. Created two users with different home directories. In the image below, there is an example of the USB Device Status submenu , where we see that a 8 GB drive is connected to the USB port and you can see a list of active users who are connected to it via the network.
Fig. 47
Photo USB Application >> File Explorer and Photo USB Application >> USB Device Status
Third, connect a USB drive and share files with FTP or NetBios / SMB. The list of supported modems can be viewed in the Modem Support List submenu, and the list of LAN clients can be viewed in the SMB Client Support List submenu.
When a 3G / 4G modem or printer is connected, their status will be reflected in the corresponding Modem and Printer tabs of the USB Device Status submenu.
System Maintenance menu
The menu contains the service functions of the router. Here you can set a new password for users with User and Administrator rights, configure the TR-069 protocol for external control of the device. In the Configuration Backup submenu, you can save the current configuration of the router or restore it from a previously saved one. The Configuration Backup submenu is used to configure the SysLog system logs to be sent over the network; you can also specify which logs to record. Additionally, you can customize the sending of email notifications.
Fig. 48
By the way, Draytek has a free utility to simplify viewing and storing syslog on a remote computer. It is called Draytek Syslog. Below is a screenshot of the interface.
Fig. 49
In the Management submenu, you can configure permissions for remote control. And if necessary, you need to separately allow control from the Internet, that is, from WAN interfaces.
Fig. 50
Diagnostics menu
There are a large number of diagnostic functions on the router, I really like it - almost any problem of diagnosing a condition can be solved through this menu.
In the Routing Table submenu there is a complete routing table, in the ARP Cache Table a list of all MAC addresses on the local network, in the DHCP Table a list of all active DHCP clients, there are tables of NAT sessions and a cache of DNS records.
Fig. 51
Of course, there are Ping and Traceroute . It is possible to enable local viewing of the system logs of the router, and they are divided by the types of the main subsystems: VPN, Firewall, WAN, and others.
Fig. 52
In the Traffic Graph submenu, you can, graphically, evaluate the utilization of WAN interfaces or the number of sessions.
Fig. 53
findings
We have studied in great detail the Draytek 2912 / 2912n series of routers. This device, which contains all the necessary network functions in a single package and is ideal for a small office, therefore, acquiring it, the owner, saves money due to the lack of the need to purchase additional network equipment that could implement individual Draytek 2912n functions, for example, firewall, point access, VPN hub, network printer or NAS server to store shared documents.
In the first part of the review, we determined the positioning of the device, examined in detail the typical use case of the router, described in detail all the key features and benefits, looked at the detailed technical specification - it is impressive.
Additional software Draytek VigorACS SI, for large installations, will allow you to easily manage and maintain a huge fleet of routers, for a single installation, the Draytek Smart Monitor software designed for monitoring and analyzing traffic will become an indispensable tool for network debugging and user monitoring. We looked at the configuration and appearance of the device, the display and the interfaces, then we tested the maximum throughput of the router in several modes. All results correspond to the figures declared by the manufacturer.
In the second part of the review, which you are currently reading, we looked at each menu item in detail, with examples of setting up such functions and interfaces as WAN and LAN, load balancing and routing policies, wireless network, VPN, firewall, NAT bandwidth control, and USB functions, diagnostics and monitoring of the router. As for the documentation, in the process of setting up and testing, I addressed it many times and easily found answers - all functions are well described, and the sections where they are clearly structured. Working with the router and its documentation left only good impressions.
The Draytek 2912 router is very functional, and easy to set up, can be controlled via a web browser, CLI command line interface or TR-69 protocol. In addition, additional software VigorACS SI and Smart Monitor to monitor and manage both individual devices and a large fleet of hundreds or thousands of devices will help significantly reduce the cost of installation and maintenance of devices. Therefore, Draytek 2912 has a huge potential for use in corporate networks of small companies, as well as in separate offices of large enterprises. Also, I note the good quality of software, high performance and reliability, proven by time.
Source: https://habr.com/ru/post/395129/
All Articles