Draytek Vigor2950 Series User Manual
  1. Manuals
  2. Brands
  3. Draytek Manuals
  4. Firewall
  5. VIGOR2950
  6. User manual

Draytek Vigor2950 Series User Manual

Dual-wan ssl vpn appliance
Hide thumbs Also See for Vigor2950 Series:
Table of Contents

Advertisement

Quick Links

Download this manual

Advertisement

Table of Contents
loading

Related Manuals for Draytek Vigor2950 Series

Summary of Contents for Draytek Vigor2950 Series

  • Page 2 Vigor2950 Series User’s Guide...
  • Page 3 Windows, Windows 95, 98, Me, NT, 2000, XP, Vista and Explorer are trademarks of Microsoft Corp. Apple and Mac OS are registered trademarks of Apple Inc. Other products may be trademarks or registered trademarks of their respective manufacturers. Vigor2950 Series User’s Guide...

  • Page 4: Copyright Information

    Web registration is preferred. You can register your Vigor router via Owner http://www.draytek.com. Firmware & Tools Due to the continuous evolution of DrayTek technology, all routers will be Updates regularly upgraded. Please consult the DrayTek web site for more information on newest firmware, tools and documents.

  • Page 5: Regulatory Information

    No. 26, Fu Shing Road, HuKou Township, HsinChu Industrial Park, Hsin-Chu, Taiwan 303 Product: Vigor2950 Series Router DrayTek Corp. declares that Vigor2950 series is in compliance with the following essential requirements and other relevant provisions of R&TTE Directive 1999/5/EEC. The product conforms to the requirements of Electro-Magnetic Compatibility (EMC) Directive 2004/108/EC by complying with the requirements set forth in EN55022/Class A and EN55024/Class A.

  • Page 6: Table Of Contents

    3.2.5 Bind IP to MAC ....................... 40 3.3 NAT ............................41 3.3.1 Port Redirection ......................42 3.3.2 DMZ Host........................44 3.3.3 Open Ports........................48 3.3.4 Address Mapping......................50 3.4 Firewall ..........................51 3.4.1 Basics for Firewall......................51 Vigor2950 Series User’s Guide...
  • Page 7 3.11.3 Dial to a Single ISP/Dial to Dual ISPs ................ 144 3.11.4 Virtual TA ........................147 3.11.5 Call Control ......................... 150 3.12 Wireless LAN ........................152 3.12.1 Basic Concepts......................152 3.12.2 General Setup......................154 3.12.3 Security ........................156 3.12.4 Access Control......................158 Vigor2950 Series User’s Guide...
  • Page 8 4.6 Request a certificate from a CA server on Windows CA Server ......... 217 4.7 Request a CA Certificate and Set as Trusted on Windows CA Server ....... 221 4.8 ERD Mechanism for VPN TRUNK ..................223 4.9 VPN Load Balance Application ................... 225 viii Vigor2950 Series User’s Guide...
  • Page 9 5.3 Pinging the Router from Your Computer ................232 5.4 Checking If the ISP Settings are OK or Not ................ 234 5.5 Backing to Factory Default Setting If Necessary ..............236 5.6 Contacting Your Dealer ....................... 237 Vigor2950 Series User’s Guide...

  • Page 11: Preface

    The Vigor2950 series router provides Dual-WAN interface (which is a configuration second WAN) for Internet access to make the Internet connection more reliable. The wireless LAN supports more secure features and the transmission speed is up to 108Mbps (SuperG Object-oriented firewall is flexible and allows your network be safe. In addition, through VoIP function, the communication fee for you and remote people can be reduced.

  • Page 12: For Vigor2950

    WAN(1/2) Connecter for remote networked devices. LAN/Monitor Connecter for local networked devices. LAN (1-4) Connecter for local networked devices. Connecter for a power cord with 100-240VAC (inlet). Power Switch. “1” is ON; “0” is OFF. Vigor2950 Series User’s Guide...

  • Page 13: For Vigor2950G

    WAN(1/2) Connecter for remote networked devices. LAN/Monitor Connecter for local networked devices. LAN (1-4) Connecter for local networked devices. Connecter for a power cord with 100-240VAC (inlet). Power Switch. “1” is ON; “0” is OFF. Vigor2950 Series User’s Guide...

  • Page 14: For Vigor2950I

    WAN(1/2) Connecter for remote networked devices. LAN/Monitor Connecter for local networked devices. LAN (1- 4) Connecter for local networked devices. Connecter for a power cord with 100-240VAC (inlet). Power Switch. “1” is ON; “0” is OFF. Vigor2950 Series User’s Guide...

  • Page 15: For Vigor2950Gi

    WAN(1/2) Connecter for remote networked devices. LAN/Monitor Connecter for local networked devices. LAN (1- 4) Connecter for local networked devices. Connecter for a power cord with 100-240VAC (inlet). Power Switch. “1” is ON; “0” is OFF. Vigor2950 Series User’s Guide...

  • Page 16: Hardware Installation

    WAN port of router with Ethernet cable (RJ-45). The WAN1/WAN2 LED (Left or Right) will light up according to the network card feature (100 or 10) of the device that it connected. (For the detailed information of LED status, please refer to section 1.1.) Vigor2950 Series User’s Guide...

  • Page 17: Configuring Basic Settings

    Open a web browser on your PC and type http://192.168.1.1. A pop-up window will open to ask for username and password. Please type “admin” as the username and leave blank for the password on the window. Next click OK for next screen. Vigor2950 Series User’s Guide...
  • Page 18 Now, the Main Screen will pop up. Home Page for Vigor2950 Series 4Go to System Maintenance page and choose Administrator Password. Enter the login password (the default is blank) on the field of Old Password. Type a new one in the field of New Password and retype it on the field of Confirm Password.

  • Page 19: Quick Start Wizard

    On the next page as shown below, please select the appropriate Internet access type according to the information from your ISP. For example, you should select PPPoE mode if the ISP provides you PPPoE interface. Then click Next for next step. Vigor2950 Series User’s Guide...

  • Page 20: Pppoe

    If your ISP provides you the PPPoE connection, please select PPPoE for this router. The following page will be shown: User Name Assign a specific valid user name provided by the ISP. Vigor2950 Series User’s Guide...
  • Page 21 Retype the password to confirm it. Click Next for viewing summary of such connection. Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown. Vigor2950 Series User’s Guide...

  • Page 22: Pptp

    Click PPTP as the protocol. Type in all the information that your ISP provides for this protocol. Click Next for viewing summary of such connection. Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown. Vigor2950 Series User’s Guide...

  • Page 23: L2Tp

    Click L2TP as the protocol. Type in all the information that your ISP provides for this protocol. After finishing the settings in this page, click Next to see the following page. Vigor2950 Series User’s Guide...

  • Page 24: Static Ip

    After finishing the settings in this page, click Next to see the following page. Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown. Vigor2950 Series User’s Guide...

  • Page 25: Dhcp

    After finishing the settings in this page, click Next to see the following page. Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown. Vigor2950 Series User’s Guide...

  • Page 26: Online Status

    If you select PPPoE/PPTP as the protocol, you will find out a link of Dial PPPoE or Drop PPPoE in the Online Status web page. Online status for PPPoE Online status for PPTP (for WAN2) Online status for Static IP (for WAN1) Vigor2950 Series User’s Guide...
  • Page 27 RX Rate Display the speed of received octets at the ISDN interface. Up Time Display the total uptime of the interface. Display the charge information of the interface. Dial ISDN Allows you to dial ISDN connection. Vigor2950 Series User’s Guide...

  • Page 28: Saving Configuration

    Each time you click OK on the web page for saving the configuration, you can find messages showing the system interaction with you. Ready indicates the system is ready for you to input settings. Settings Saved means your settings are saved once you click Finish or OK button. Vigor2950 Series User’s Guide...

  • Page 29: Advanced Web Configuration

    Then a session will be created. Your user ID and password is authenticated via PAP or CHAP with RADIUS authentication system. And your IP address, DNS server, and other related information will usually be assigned by your ISP. Vigor2950 Series User’s Guide...

  • Page 30: General Setup

    Type the description for the WAN1/WAN2 interface. Physical Mode For WAN1, the physical connection is done through ADSL port; yet the physical connection for WAN2 is done through an Ethernet port (P1). You cannot change it. Vigor2950 Series User’s Guide...
  • Page 31 15 seconds. WAN1 Download speed exceed XX kbps– It means the connection for WAN2 will be activated when WAN1 Download speed exceed certain value that you set in this box for 15 seconds. Vigor2950 Series User’s Guide...

  • Page 32: Internet Access

    There are three access modes provided for PPPoE, Static or Dynamic IP and PPTP/L2TP. Details Page This button will open different web page according to the access mode that you choose in WAN1 or WAN2. Vigor2950 Series User’s Guide...
  • Page 33 Such function allows you to verify whether network connection is Detection alive or not through ARP Detect or Ping Detect. Mode – Choose ARP Detect or Ping Detect for the system to execute for WAN detection. Vigor2950 Series User’s Guide...
  • Page 34 MAC address by typing on the boxes of MAC Address for the router. Specify a MAC Address – Type the MAC address for the router manually. After finishing all the settings here, please click OK to activate them. Vigor2950 Series User’s Guide...
  • Page 35 Check Enable PING to keep alive box to activate this function. PING to the IP - If you enable the PING function, please specify the IP address for the system to PING it for keeping alive. Vigor2950 Series User’s Guide...
  • Page 36 Domain Name: Type in the domain name that you have assigned. Specify an IP address – Click this radio button to specify some data if you want to use Static IP mode. IP Address: Type the IP address. Subnet Mask: Type the subnet mask. Vigor2950 Series User’s Guide...
  • Page 37 MAC Address field. DNS Server IP Type in the primary IP address for the router if you want to use Address Static IP mode. If necessary, type in secondary IP address for necessity in the future. Vigor2950 Series User’s Guide...
  • Page 38 None - Disable the backup function. Packet Trigger -The backup line is not on until a packet from a local host triggers the router to establish a connection. This setting is available for i model only. Vigor2950 Series User’s Guide...
  • Page 39 MAC Address field. WAN IP Network Obtain an IP address automatically – Click this button to obtain Settings the IP address automatically. Specify an IP address – Click this radio button to specify some data. Vigor2950 Series User’s Guide...

  • Page 40: Load-Balance Policy

    Display the IP address for the start of the destination IP. Dest IP End Display the IP address for the end of the destination IP. Dest Port Start Display the IP address for the start of the destination port. Vigor2950 Series User’s Guide...
  • Page 41 Type the destination IP end for the specified WAN interface. If this field is blank, it means that all the destination IPs will be passed through the WAN interface. Dest Port Start Type the destination port start for the destination IP. Vigor2950 Series User’s Guide...

  • Page 42: Lan

    IP address. As a part of the public subnet, the Vigor router will serve for IP routing to help hosts in the public subnet to communicate with other public hosts or servers outside. Therefore, the router should be set as the gateway for public hosts. Vigor2950 Series User’s Guide...
  • Page 43 You can group local hosts by physical ports and create up to 4 virtual LANs. To manage the communication between different groups, please set up rules in Virtual LAN (VLAN) function and the rate of each. Vigor2950 Series User’s Guide...

  • Page 44: General Setup

    Type in secondary IP address for connecting to a subnet. (Default: 192.168.2.1/ 24) Subnet Mask An address code that determines the size of the network. (Default: 255.255.255.0/ 24) DHCP Server You can configure the router to serve as a DHCP server for the 2nd subnet. Vigor2950 Series User’s Guide...
  • Page 45 DHCP server to assign IP addresses to. The default is 50 and the maximum is 253. Gateway IP Address - Enter a value of the gateway IP address for the DHCP server. The value is usually as same as the 1st IP address Vigor2950 Series User’s Guide...

  • Page 46: Static Route

    There are two common scenarios of LAN settings that stated in Chapter 4. For the configuration examples, please refer to that chapter to get more information for your necessity. Go to LAN to open setting page and choose Static Route. Vigor2950 Series User’s Guide...
  • Page 47 Before setting Static Route, user A cannot talk to user B for Router A can only forward recognized packets to its default gateway Main Router. Go to LAN page and click General Setup, select 1st Subnet as the RIP Protocol Control. Then click the OK button. Vigor2950 Series User’s Guide...
  • Page 48 Return to Static Route Setup page. Click on another Index Number to add another static route as show below, which regulates all packets destined to 211.100.88.0 will be forwarded to 192.168.1.3. Go to Diagnostics and choose Routing Table to verify current routing table. Vigor2950 Series User’s Guide...

  • Page 49: Vlan

    For example, if you check the boxes of VLAN0-P1 and VLAN1-P1, you can make P1 to be grouped under VLAN0 and VLAN1 simultaneously. VLAN0-3 This router allows you to set 4 groups of virtual LAN. Vigor2950 Series User’s Guide...

  • Page 50: Bind Ip To Mac

    It is used to refresh the ARP table. When there is one new PC added to the LAN, you can click this link to obtain the newly ARP table information. IP Bind List It displays a list for the IP bind to MAC information. Vigor2950 Series User’s Guide...

  • Page 51: Nat

    192.168.1.0/24 subnet for the router. As stated before, the NAT facility can map one or more IP addresses and/or service ports into different specified services. In other words, the NAT function can be achieved by using port mapping methods. Below shows the menu items for NAT. Vigor2950 Series User’s Guide...

  • Page 52: Port Redirection

    To use this function, please go to NAT page and choose Port Redirection web page. The Port Redirection Table provides 20 port-mapping entries for the internal hosts. Press any number under Index to access into next page for configuring port redirection. Vigor2950 Series User’s Guide...
  • Page 53 80 to avoid conflict, such as 8080. This can be set in the System Maintenance >>Management Setup. You then will access the admin screen of by suffixing the IP address with 8080, e.g., http://192.168.1.1:8080 instead of port 80. Vigor2950 Series User’s Guide...

  • Page 54: Dmz Host

    Netmeeting or Internet Games etc. The inherent security properties of NAT are somewhat bypassed if you set up DMZ host. We suggest you to add additional filter rules or a secondary firewall. Click DMZ Host to open the following page: Vigor2950 Series User’s Guide...
  • Page 55 LAN network. Select one private IP address in the list to be the DMZ host. When you have selected one private IP from the above dialog, the IP address will be shown on the following screen. Click OK to Vigor2950 Series User’s Guide...
  • Page 56 LAN network. Select one private IP address in the list to be the DMZ host. When you have selected one private IP from the above dialog, the IP address will be shown on the following screen. Click OK to Vigor2950 Series User’s Guide...
  • Page 57 Note: If you previously have set up WAN Alias in Internet Access>>PPPoE/Static IP/PPTP, you will find them in Aux. WAN IP list for your selection. Vigor2950 Series User’s Guide...

  • Page 58: Open Ports

    Inactive or Active state. To add or edit port settings, click one index number on the page. The index entry setup page will pop up. In each index entry, you can specify 10 port ranges for diverse services. Vigor2950 Series User’s Guide...
  • Page 59 Specify the transport layer protocol. It could be TCP, UDP, or ----- (none) for selection. Start Port Specify the starting port number of the service offered by the local host. End Port Specify the ending port number of the service offered by the local host. Vigor2950 Series User’s Guide...

  • Page 60: Address Mapping

    Mask Display the subnet mask selected fro this address mapping. Status Display the status for the entry, enable or disable. Click the index number link to open the configuration page. Enable Check to enable this entry. Vigor2950 Series User’s Guide...

  • Page 61: Firewall

    Data Filter - When there is an existing Internet connection, Data Filter is applied to incoming and outgoing traffic. It will check packets according to the filter rules. If legal, the packet will pass the router. Vigor2950 Series User’s Guide...
  • Page 62 Also the Vigor router monitors the traffic. Any abnormal traffic flow violating the pre-defined parameter, such as the number of thresholds, is identified as an attack and the Vigor router will activate its defense mechanism to mitigate in a real-time manner. Vigor2950 Series User’s Guide...

  • Page 63: General Setup

    Select Pass or Block for the packets that do not match with the filter rules. Syslog For troubleshooting needs you can specify the filter log and/or CSM log here by checking the box. The log will be displayed on Draytek Syslog window. Vigor2950 Series User’s Guide...

  • Page 64: Filter Setup

    Click a button numbered (1 ~ 7) to edit the filter rule. Click the button will open Edit Filter Rule web page. For the detailed information, refer to the following page. Active Enable or disable the filter rule. Comment Enter filter set comments/description. Maximum length is 23–character long. Vigor2950 Series User’s Guide...
  • Page 65 Data Filter only. For the Call Filter, this setting is not available since Call Filter is only applied to outgoing traffic. Source/Destination IP Click Edit to access into the following dialog to choose the source/destination IP or IP ranges. Vigor2950 Series User’s Guide...
  • Page 66 To set the service type manually, please choose User defined as the Service Type and type them in this dialog. In addition, if you want to use the service type from defined groups or objects, please Vigor2950 Series User’s Guide...
  • Page 67 For troubleshooting needs you can specify the filter log and/or CSM log here. Check the corresponding box to enable the log function. Then, the filter log and/or CSM log will be shown on Draytek Syslog window. Vigor2950 Series User’s Guide...
  • Page 68 Each filter set is composed by 7 filter rules, which can be further defined. After that, in General Setup you may specify one set for call filter and one set for data filter to execute first. Vigor2950 Series User’s Guide...

  • Page 69: Dos Defense

    Port Scan attacks the Vigor router by sending lots of packets to detection many ports in an attempt to find ignorant services would respond. Check the box to activate the Port Scan detection. Whenever detecting this malicious exploration behavior by monitoring the Vigor2950 Series User’s Guide...
  • Page 70 ICMP packets with more fragment bit set are dropped. Block Land Check the box to enforce the Vigor router to defense the Land attacks. The Land attack combines the SYN attack technology with IP spoofing. A Land attack occurs when an attacker sends spoofed Vigor2950 Series User’s Guide...
  • Page 71 All the warning messages related to DoS defense will be sent to user and user can review it through Syslog daemon. Look for the keyword DoS in the message, followed by a name to indicate what kind of attacks is detected. Vigor2950 Series User’s Guide...

  • Page 72: Objects Settings

    IPs in the same department can be defined with an IP object (a range of IP address). You can set up to 192 sets of IP Objects with different conditions. Set to Factory Default Clear all profiles. Click the number under Index column for settings in detail. Vigor2950 Series User’s Guide...
  • Page 73 Type the subnet mask if the Subnet Address type is selected. Invert Select If it is checked, all the IP addresses except the ones listed above will be applied later while it is chosen. Below is an example of IP objects settings. Vigor2950 Series User’s Guide...

  • Page 74: Ip Group

    Available IP Objects All the available IP objects with the specified interface chosen above will be shown in this box. Selected IP Objects Click >> button to add the selected IP objects in this box. Vigor2950 Series User’s Guide...

  • Page 75: Service Type Object

    The filter rule will filter out any port number. (=) – when the first and last value are the same, it indicates one port; when the first and last values are different, it indicates a range for the port and available for this profile. Vigor2950 Series User’s Guide...

  • Page 76: Service Type Group

    Below is an example of service type objects settings. This page allows you to bind several service types into one group. Set to Factory Default Clear all profiles. Click the number under Index column for settings in detail. Vigor2950 Series User’s Guide...

  • Page 77: Im Object

    (es) and then click OK. Later, in the CSM>>APP Enforcement Profile page, you can use IM Object drop down list to choose the proper profile configured here as the standard for the host(s) to follow. Vigor2950 Series User’s Guide...
  • Page 78 Profile Name Type a name for this profile. Type a name for such profile and check all the items that not allowed to be used in the host. Finally, click OK to save this profile. Vigor2950 Series User’s Guide...

  • Page 79: P2P Object

    (es) and then click OK. Later, in the CSM>>APP Enforcement Profile page, you can use P2P Object drop down list to choose the proper profile configured here as the standard for the host(s) to follow. Profile Name Type a name for this profile. Vigor2950 Series User’s Guide...

  • Page 80: Protocol Object

    Profile Name Type a name for this profile. Type a name for such profile and check all the protocols that not allowed to be used in the host. Finally, click OK to save this profile. Vigor2950 Series User’s Guide...

  • Page 81: Misc Object

    Simple check the box (es) and then click OK. Later, in the CSM>>APP Enforcement Profile page, you can use Misc Object drop down list to choose the proper profile configured here as the standard for the host(s) to follow. Vigor2950 Series User’s Guide...

  • Page 82: Csm

    At office, URL Content Filter can also provide a job-related only environment hence to increase the employee work efficiency. How can URL Content Filter work better than traditional firewall in the field of filtering? Because it Vigor2950 Series User’s Guide...
  • Page 83 Please note that this action will not introduce any delay in your Web surfing because each of multiple load balanced database servers can handle millions of requests for categorization. Note: The priority of URL Content Filter is higher than Web Content Filter. Vigor2950 Series User’s Guide...

  • Page 84: App Enforcement Profile

    Type a name for the CSM profile. Each profile can contain three objects settings, IM Object, P2P Object and Misc Object. Such profile can be applied in the Firewall>>General Setup and Firewall>>Filter Setup pages as the standard for the host(s) to follow. Vigor2950 Series User’s Guide...

  • Page 85: Url Content Filter Profile

    Vigor router perform. Prevent web access Check the box to deny any web surfing activity using IP address, from IP address such as http://202.6.3.2. The reason for this is to prevent someone dodges the URL Access Control. Vigor2950 Series User’s Guide...
  • Page 86 URL Access Control. To enable an entry, click on the empty checkbox, named as ACT, in front of the appropriate entry. Time Schedule Specify what time should perform the URL content filtering facility. Vigor2950 Series User’s Guide...

  • Page 87: Web Content Filter Profile

    Web surfing because each of multiple load balanced database servers can handle millions of requests for categorization. Click CSM and click Web Content Filter Profile to open the profile setting page. For this section, please refer to Web Content Filter user’s guide. Vigor2950 Series User’s Guide...

  • Page 88: Bandwidth Management

    LAN. Limitation List Display a list of specific limitations that you set on this web page. Start IP Defines the start IP address for limit session. End IP Defines the end IP address for limit session. Vigor2950 Series User’s Guide...

  • Page 89: Bandwidth Limit

    Click this button to activate the function of limit bandwidth. Subnet – Check this box to apply the Apply to 2 bandwidth limit to the second subnet specified in LAN>>General Setup. Disable Click this button to close the function of limit bandwidth. Vigor2950 Series User’s Guide...

  • Page 90: Quality Of Service

    One reason for QoS is that numerous TCP-based applications tend to continually increase their transmission rate and consume all available bandwidth, which is called TCP slow start. If other applications are not protected by QoS, it will detract much from their performance in Vigor2950 Series User’s Guide...
  • Page 91 SLA among different DS domain owners. It’s not easy to achieve deterministic and consistent high-priority QoS traffic throughout the whole network with merely Vigor router’s effort. In the Bandwidth Management menu, click Quality of Service to open the web page. Vigor2950 Series User’s Guide...
  • Page 92 The factory default for this setting is checked. Please also define which traffic the QoS Control settings will apply to. IN- apply to incoming traffic only. OUT-apply to outgoing traffic only. BOTH- apply to both incoming and outgoing traffic. Vigor2950 Series User’s Guide...
  • Page 93 Setup link from Quality of Service page again. The first three (Class 1 to Class 3) class rules can be adjusted for your necessity. To add, edit or delete the class rule, please click the Edit link of that one. Vigor2950 Series User’s Guide...
  • Page 94 Check this box to invoke these settings. Local Address Click the Edit button to set the local IP address (on LAN) for the rule. Remote Address Click the Edit button to set the remote IP address (on LAN/WAN) for the rule. Vigor2950 Series User’s Guide...
  • Page 95 Edit to open the rule edit page for modification. To add a new service type, edit or delete an existed service type, please click the Edit link under Service Type field. Vigor2950 Series User’s Guide...
  • Page 96 Range as the type. By the way, you can set up to 40 service types. If you want to edit/delete an existed service type, please select the radio button of that one and click Edit/Edit for modification. Vigor2950 Series User’s Guide...

  • Page 97: Applications

    Click the number below Index to access into the setting page of DDNS setup to set account(s). WAN Interface Display current WAN interface used for accessing Internet. Domain Name Display the domain name that you set on the setting page of DDNS setup. Vigor2950 Series User’s Guide...
  • Page 98 Delete a Dynamic DNS Account In the DDNS setup menu, click the Index number you want to delete and then push Clear All button to delete the account. Vigor2950 Series User’s Guide...

  • Page 99: Schedule

    Remote Access >> LAN-to-LAN settings. To add a schedule, please click any index, say Index No. 1. The detailed settings of the call schedule with index 1 are shown below. Enable Schedule Setup Check to enable the schedule. Vigor2950 Series User’s Guide...
  • Page 100 Assign these two profiles to the PPPoE Internet access profile. Now, the PPPoE Internet connection will follow the schedule order to perform Force On or Force Down action according to the time plan that has been pre-defined in the schedule profiles. Vigor2950 Series User’s Guide...

  • Page 101: Radius/Ldap

    The RADIUS server and client share a secret that is used to authenticate the messages sent between them. Both sides must be configured to use the same shared secret. Confirm Shared Secret Re-type the Shared Secret for confirmation. Vigor2950 Series User’s Guide...

  • Page 102: Upnp

    The NAT Traversal of UPnP enables the multimedia features of your applications to operate. This has to manually set up port mappings or use other similar methods. The screenshots below show examples of this facility. Vigor2950 Series User’s Guide...

  • Page 103: Wake On Lan

    PC on this web page of Wake on LAN of this router. In addition, such PC must have installed a network card supporting WOL function. By the way, WOL function must be set as “Enable” on the BIOS setting. Vigor2950 Series User’s Guide...
  • Page 104 MAC Address Type any one of the MAC address of the binded PCs. Wake Up Click this button to wake up the selected IP. See the following figure. The result will be shown on the box. Vigor2950 Series User’s Guide...

  • Page 105: Vpn And Remote Access

    LAN-to-LAN profile for VPN dial out connection (from server to client) step by step. LAN-to-LAN Client Mode Choose the client mode. Selection Route Mode/NAT Mode – If the remote network only allows you to dial in with single IP, please choose this mode, otherwise please choose Route Mode. Vigor2950 Series User’s Guide...
  • Page 106 When you finish the mode and profile selection, please click Next to open the following page. In this page, you have to select suitable VPN type for the VPN client profile. There are six types provided here. Different type will lead to different configuration page. After making Vigor2950 Series User’s Guide...
  • Page 107 When you choose PPTP (None Encryption) or PPTP (Encryption), you will see the following graphic: When you choose IPSec, you will see the following graphic: When you choose L2TP, you will see the following graphic: Vigor2950 Series User’s Guide...
  • Page 108 When you choose L2TP over IPSec (Nice to Have), you will see the following graphic: When you choose L2TP over IPSec (Must), you will see the following graphic: Vigor2950 Series User’s Guide...
  • Page 109 Always On Check to enable router always keep VPN connection. Pre-Shared Key IKE Authentication Method usually applies to those are remote dial-in user or node (LAN to LAN) which uses dynamic IP address and IPSec-related VPN connections Vigor2950 Series User’s Guide...
  • Page 110 After finishing the configuration, please click Next. The confirmation page will be shown as follows. If there is no problem, you can click one of the radio buttons listed on the page and click Finish to execute the next action. Vigor2950 Series User’s Guide...

  • Page 111: Vpn Server Wizard

    Such wizard is used to configure VPN settings for VPN server. Such wizard will guide to set the LAN-to-LAN profile for VPN dial in connection (from client to server) step by step. VPN Server Mode Choose the direction for the VPN server. Vigor2950 Series User’s Guide...
  • Page 112 This item is available after you choose any one of dial-in user account profiles. Next, you have to select suitable dial-in type for the VPN server profile. There are several types provided here (similar to VPN Client Wizard). Different Dial-in Type will lead to different configuration Vigor2950 Series User’s Guide...
  • Page 113 L2TP with Policy (Nice to Have/Must), you will see the following graphic: When you check PPTP/L2TP (two types) or PPTP or L2TP with Policy (None), you will see the following graphic: When you check IPSec, you will see the following graphic: Vigor2950 Series User’s Guide...
  • Page 114 Certificate. Otherwise, the setting you choose here will not be effective. Peer IP/VPN Client IP Type the WAN IP address or VPN client IP address for the remote client. Peer ID Type the ID name for the remote client. Vigor2950 Series User’s Guide...

  • Page 115: Remote Access Control

    Enable the necessary VPN service as you need. If you intend to run a VPN server inside your LAN, you should disable the VPN service of Vigor Router to allow VPN tunnel pass through, as well as the appropriate NAT settings, such as DMZ or open port. Vigor2950 Series User’s Guide...

  • Page 116: Ppp General Setup

    Otherwise, the MPPE encryption scheme will be used to encrypt the data. Require MPPE (40/128bits) - Selecting this option will force the router to encrypt packets by using the MPPE encryption algorithm. In addition, the remote dial-in user will Vigor2950 Series User’s Guide...

  • Page 117: Ipsec General Setup

    On the receiving side, the peer will perform the same one-way hash on the packet and compare the value with the one in the AH it receives. Encapsulating Security Payload (ESP) is a security protocol that provides data confidentiality and protection with optional authentication and replay detection service. Vigor2950 Series User’s Guide...
  • Page 118 By default, this option is active. High - Encapsulating Security Payload (ESP) means payload (data) will be encrypted and authenticated. You may select encryption algorithm from Data Encryption Standard (DES), Triple DES (3DES), and AES. Vigor2950 Series User’s Guide...

  • Page 119: Ipsec Peer Identity

    Click each index to edit one peer digital certificate. There are three security levels of digital signature authentication: Fill each necessary field to authenticate the remote peer. The following explanation will guide you to fill all the necessary fields. Vigor2950 Series User’s Guide...
  • Page 120 Click to check the specific fields of digital signature to accept the peer with matching value. The field includes Country (C), State (ST), Location (L), Organization (O), Organization Unit (OU), Common Name (CN), and Email (E). Vigor2950 Series User’s Guide...

  • Page 121: Remote Dial-In User

    Click each index to edit one remote user profile. Each Dial-In Type requires you to fill the different corresponding fields on the right. If the fields gray out, it means you may leave it untouched. The following explanation will guide you to fill all the necessary fields. Vigor2950 Series User’s Guide...
  • Page 122 Nice to Have - Apply the IPSec policy first, if it is applicable during negotiation. Otherwise, the dial-in VPN connection becomes one pure L2TP connection. Must -Specify the IPSec policy to be definitely applied on the L2TP connection. Vigor2950 Series User’s Guide...
  • Page 123 To check if SSL Tunnel is activated or not, please open Draytek SSL VPN portal interface. From the web page, you will see the message to indicate the SSL Tunnel is activated. Specify Remote Node...
  • Page 124 SSL Web Proxy and choose the one(s) you need as SSL VPN. To check if SSL Web Proxy is activated or not, please open Draytek SSL VPN portal interface. From the web page, you will see the message to indicate that you have the privilege for the SSL Web Proxy.
  • Page 125 Once the callback budget has been exhausted, the callback mechanism will be disabled automatically. Callback Budget (Unit: minutes)- Specify the time budget for the dial-in user. The budget will be decreased automatically per callback connection. Vigor2950 Series User’s Guide...

  • Page 126: Lan To Lan

    4 subgroups. If the fields gray out, it means you may leave it untouched. The following explanations will guide you to fill all the necessary fields. For the web page is too long, we divide the page into several sections for explanation. Vigor2950 Series User’s Guide...
  • Page 127 WAN1 First - While connecting, the router will use WAN1 as the first channel for VPN connection. If WAN1 fails, the router will use another WAN interface instead. WAN1 Only - While connecting, the router will use WAN1 as the only channel for VPN connection. Vigor2950 Series User’s Guide...
  • Page 128 VPN connection and react accordingly. This is independent of DPD (dead peer detection). ISDN Build ISDN LAN-to-LAN connection to remote network. You should set up Link Type and identity like User Name and Password for the authentication of remote server. You can Vigor2950 Series User’s Guide...
  • Page 129 Please use the drop down list to choose one of the certificates configured in Certificate Management>>Local Certificate. IPSec Security Method This group of fields is a must for IPSec Tunnels and L2TP with IPSec Policy. Medium (AH, Authentication Header) means data will be Vigor2950 Series User’s Guide...
  • Page 130 VPN peers, and get its feedback to find a match. Two combinations are available for Aggressive mode and nine for Main mode. We suggest you select the combination that covers the most schemes. Vigor2950 Series User’s Guide...
  • Page 131 Provide ISDN Number to Remote-In the case that the remote peer requires the Vigor router to callback, the local ISDN number will be provided to the remote peer. Check Vigor2950 Series User’s Guide...
  • Page 132 IPSec Tunnel - Allow the remote dial-in user to trigger an IPSec VPN connection through Internet. L2TP - Allow the remote dial-in user to make a L2TP VPN connection through the Internet. You can select to use L2TP alone or with IPSec. Select from below: Vigor2950 Series User’s Guide...
  • Page 133 Callback Function (CPCB) The callback function provides a callback service only for the ISDN LAN-to-LAN connection (this feature is useful for i model only). The remote user will be charged the connection fee by the telecom. Enable Callback function-Enables the callback function. Vigor2950 Series User’s Guide...
  • Page 134 For IPSec, this is the destination clients IDs of phase 2 quick mode. More - Add a static route to direct all traffic destined to more Remote Network IP Addresses/ Remote Network Mask through the VPN connection. This is usually used when you Vigor2950 Series User’s Guide...

  • Page 135: Vpn Trunk Management

    Filly compliant with VPN Server LAN Sit Single/Multi Network Mail Alert support, please refer to System Maintenance >> SysLog / Mail Alert for detailed configuration Syslog support, please refer to System Maintenance >> SysLog / Mail Alert for detailed configuration Vigor2950 Series User’s Guide...
  • Page 136 VPN Tunnels disconnected. Users do not need to reconnect with setting TCP/UDP Service Port again. The VPN Load Balance function can keep the transmission for internal data on tunnel stably. Vigor2950 Series User’s Guide...
  • Page 137 IPSec, PPTP, L2TP, L2TP over IPSec (NICE), L2TP over IPSec(MUST) and so on. Member2 (on Backup Profile field) - Display the dial-out profile selected from the Member2 drop down list below. Vigor2950 Series User’s Guide...
  • Page 138 IPSec(MUST) and so on. Member2 - Display the dial-out profile selected from the Member2 drop down list below. Advanced – This button is only available when there is one or more profiles created in this page. Vigor2950 Series User’s Guide...
  • Page 139 VPN TRUNK – VPN Load Balance mechanism profile will be locked. The profiles in LAN-to-LAN will be displayed in blue. Edit Click this button to save the changes to the Status (Enable or Disable), profile name, member1 or member2. Vigor2950 Series User’s Guide...
  • Page 140 Member2. For such reason, LAN-to-LAN profiles of 1 and 2 will be expressed in red to indicate that they are fixed. If you delete the VPN TRUNK – VPN Backup/Load Balance mechanism profile, the selected LAN-to-LAN profiles will be released and Vigor2950 Series User’s Guide...
  • Page 141 Peer GRE IP. See the following graphic for an example. Later, on peer side (as VPN Client): please type 192.168.50.100 in the field of My GRE IP and type IP address of the server (192.168.50.200) in the field of Peer GRE Vigor2950 Series User’s Guide...
  • Page 142 Below shows the algorithm for Load Balance. Binding Tunnel Policy Create – Click this radio button for assign a blank table for configuring Binding Tunnel. After insert – Click this radio button to adding a new Vigor2950 Series User’s Guide...
  • Page 143 Port also fits the number here, such binding tunnel table can be established. Other means when the source IP, destination IP, destination port and fragment conditions match with the settings specified here with different TCP Service Port/UDP Service Port/ICMP/IGMP, such binding tunnel table can be established. Vigor2950 Series User’s Guide...
  • Page 144 List the backup profile name. ERD Mode ERD means “Environment Recovers Detection”. Normal – choose this mode to make all dial-out VPN TRUNK backup profiles being activated alternatively. Recover Timer – choose this mode to detect VPN connection Vigor2950 Series User’s Guide...
  • Page 145 Resume – when VPN connection breaks down or disconnects, Member 1 will be the top priority for the system to do VPN connection. Detail Information This field will display detailed information for Environment Recovers Detection. Vigor2950 Series User’s Guide...

  • Page 146: Connection Management

    The VPN connection built by Backup Mode supports VPN backup function. Load Balance Mode This filed displays the profile name saved in VPN TRUNK Management (with Index number and VPN Server IP address). The VPN connection built by Load Balance Mode supports Vigor2950 Series User’s Guide...

  • Page 147: Certificate Management

    This page allows users to adopt single certificate or mutliple certificates for certification through generating or importing. Users can generate up to three local certificats or they can import the third-party certificate(s) to fit different requests. Vigor2950 Series User’s Guide...
  • Page 148 Then click GENERATE again. Note: Please be noted that “Common Name” must be configured with rotuer’s WAN IP or domain name. After clicking GENERATE, the generated information will be displayed on the window below: Vigor2950 Series User’s Guide...
  • Page 149 .pfx or .p12. And these certificates usually need passwords. Note: PKCS12 is a standard for storing private keys and certificates securely. It is used in (among other things) Netscape and Microsoft Internet Explorer with their import and export options. Vigor2950 Series User’s Guide...

  • Page 150: Trusted Ca Certificate

    Trusted CA certificate lists three sets of trusted CA certificate. To import a pre-saved trusted CA certificate, please click IMPORT to open the following window. Use Browse… to find out the saved text file. Then click Import. The one you Vigor2950 Series User’s Guide...
  • Page 151 For viewing each trusted CA certificate, click View to open the certificate detail information window. If you want to delete a CA certificate, choose the one and click Delete to remove all the certificate information. Vigor2950 Series User’s Guide...

  • Page 152: Certificate Backup

    Also, you can use Restore to retrieve these two settings to the router whenever you want. ISDN means integrated services digital network that is an international communications standard for sending voice, video, and data over digital telephone lines or normal telephone wires. Below shows the menu items for ISDN. Vigor2950 Series User’s Guide...

  • Page 153: General Settings

    50, 17 and 67 on the fields of 1,2 and 3 one by one without typing 12345. Blocked MSN Numbers for Enter the specified MSN number into the fields to prevent the router from dialing the specific MSN number the router Vigor2950 Series User’s Guide...

  • Page 154: Dial To A Single Isp/Dial To Dual Isps

    Idle Timeout - Idle timeout means the router will be disconnect after being idle for a preset amount of time. The default is 180 seconds. If you set the time to 0, the ISDN connection to the ISP will always remain on. Vigor2950 Series User’s Guide...
  • Page 155 Idle Timeout - Idle timeout means the router will be disconnect after being idle for a preset amount of time. The default is 180 seconds. If you set the time to 0, the ISDN connection to the ISP will always remain on. Vigor2950 Series User’s Guide...
  • Page 156 To have an ISDN connection, please click this link. Now, the system will guide you to click Dial ISDN. Wait for a moment after clicking the dial link. Then, a successful ISDN connection will be shown as the following. Vigor2950 Series User’s Guide...

  • Page 157: Virtual Ta

    Virtual TA(Remote CAPI) Setup tab in the Quick Setup field to configure the Virtual TA features. Before describing the configuration of Virtual TA in the Vigor routers, please heed the following limitations. The Virtual TA client only supports Microsoft Windows 98/SE/2000/XP platforms. Vigor2950 Series User’s Guide...
  • Page 158 CAPI-based software to use the client to access the router. If the icon text is RED, it means the client has lost the connection to the server. This time, please check the physical Ethernet connection. Vigor2950 Series User’s Guide...
  • Page 159 If you have applied to an MSN number service, the Virtual TA server can assign which client has the specified MSN number. When an incoming call arrives, the server will inform the appropriate client. Now we set an example to describe the configuration of the MSN number. Vigor2950 Series User’s Guide...

  • Page 160: Call Control

    (the number is set in the Remote Activation field) to the router as signaling it for activation. The phone call will be soon disconnected once the router is on line. Vigor2950 Series User’s Guide...
  • Page 161 Low Water Mark and these two channels are being used over the High Water Time, the additional channel will be dropped. As a result, the total link speed will be 64kbps (one B channel). Vigor2950 Series User’s Guide...

  • Page 162: Wireless Lan

    Complete Security Standard Selection: To ensure the security and privacy of your wireless communication, we provide several prevailing standards on market. Vigor2950 Series User’s Guide...
  • Page 163 /or privacy on your wireless network. The Vigor wireless router is very flexible and can support multiple secure connections with both WEP and WPA at the same time. Example 1 Example 2 Example 3 Vigor2950 Series User’s Guide...

  • Page 164: General Setup

    Mixed (11b+11g+SuperG) - The radio can support IEEE802.11b, IEEE802.11g and SuperG protocols simultaneously. Mixed (11b+11g) - The radio can support both IEEE802.11b and IEEE802.11g protocols simultaneously. SuperG - The radio only supports SuperG. 11g only - The radio only supports IEEE802.11g. Vigor2950 Series User’s Guide...
  • Page 165 56 bit sync filed instead of long preamble with 128 bit sync field. However, some original 11b wireless network devices only support long preamble. Check it to use Long Preamble if needed to communicate with this kind of devices. Vigor2950 Series User’s Guide...

  • Page 166: Security

    PSK. Remember to select WPA type to define either Mixed or WPA2 only in the field below. WPA/802.1x Only - Accept WPA clients with 802.1x authentication. Remember to select WPA type to define Vigor2950 Series User’s Guide...
  • Page 167 Four keys can be entered here, but only one key can be selected at a time. The keys can be entered in ASCII or Hexadecimal. Check the key you wish to use. Vigor2950 Series User’s Guide...

  • Page 168: Access Control

    Delete the selected MAC address in the list. Edit Edit the selected MAC address in the list. Cancel Give up the access control set up. Click it to save the access control list. Clear All Clean all entries in the MAC address list. Vigor2950 Series User’s Guide...

  • Page 169: Wds

    AP can be repeated to another peer AP through WDS links. Yet in Bridge mode, packets received from a WDS link will only be forwarded to local wired or wireless hosts. In other words, only Repeater mode can do WDS-to-WDS packet forwarding. Vigor2950 Series User’s Guide...
  • Page 170 Click WDS from Wireless LAN menu. The following page will be shown. Mode Choose the mode for WDS setting. Disable mode will not invoke any WDS setting. Bridge mode is designed to fulfill the first type of application. Repeater mode is for the second one. Vigor2950 Series User’s Guide...

  • Page 171: Ap Discovery

    This page is used to scan the existence of the APs on the wireless LAN. Yet, only the AP which is in the same channel of this router can be found. Please click Scan to discover all the connected APs. Vigor2950 Series User’s Guide...

  • Page 172: Station List

    There is a code summary below for explanation. For convenient Access Control, you can select a WLAN station and click Add to Access Control below. Refresh Click this button to refresh the status of station list. Click this button to add current selected MAC address into Access Control. Vigor2950 Series User’s Guide...

  • Page 173: Station Rate Control

    The VLAN >> Wired VALN allows you to configure VLAN settings through wired connection to achieve the above intention. Simply check P1 and P2 boxes on the line of VLAN0; and check P3 and P4 boxes on the line of VLAN1. Vigor2950 Series User’s Guide...

  • Page 174: Wireless Vlan

    PCs under the same groups can use same Login ID and password to access into Internet. For example, see the following graphic. Both A and B use the same login ID (City) and password (1234). Therefore, they are grouped in the same W_VLAN. Vigor2950 Series User’s Guide...
  • Page 175 Check this box to invoke wireless VLAN function. Login ID Type Login ID for different groups of W_VLAN with 1 to 11 characters. Password Type password for different groups of W_VLAN with 1 to 11 characters. Vigor2950 Series User’s Guide...
  • Page 176 After finishing the configuration of wireless VLAN, the wireless clients connecting to this router must do the following steps to access into Internet. 1. Open a browser and type http://www.draytek.vlan/login.htm or http://(vigor router’s IP address)/login.htm on the address line. 2. The following screen will appear.
  • Page 177 4. When the accessing is successful, the following screen will appear. Note: The floating window with connection time will be shown on the screen till you logout. 5. You can go to Diagnostics>>Wireless VLAN Online Station for viewing the connection status whenever you want. Vigor2950 Series User’s Guide...

  • Page 178: Vlan Cross Setup

    The VLAN >> VALN Cross Setup allows you to set a communication bridge between computers in Wireless VLAN and wired VLAN. To achieve the intention of the above illustration, simply check the box under VLAN0 on the line of W_VLAN0. Vigor2950 Series User’s Guide...

  • Page 179: Wireless Rate Control

    20,000kbps. Adjust the values according to your necessity. Download Rate It decides the rate of data transmission for input. The default setting is 300. The range must be between 100 kbps to 20,000kbps. Adjust the values according to your necessity. Vigor2950 Series User’s Guide...

  • Page 180: Ssl Vpn

    Self-signed to use the router’s built-in default certificate. The default certificate can be used in SSL VPN server and HTTPS Web Proxy. Encryption Key Algorithm Choose the encryption level for the data connection in SSL VPN server. Vigor2950 Series User’s Guide...

  • Page 181: Ssl Web Proxy

    1) it is only used for WAN to LAN access, the web server must be configured behind vigor router; 2) web server gateway must be indicated to vigor router. In addition, users must execute “Connect” manually in SSL Client Portal page. Vigor2950 Series User’s Guide...

  • Page 182: Ssl Application

    Click number link under Index filed to make detailed configuration. Enable Application Service Check this box to enable this application. Application Name Type the profile name for the application. Application Use the drop down list to choose an application applied to this profile. Vigor2950 Series User’s Guide...
  • Page 183 Remote Desktop Protocol - Choose this item for accessing and controlling a remote PC through RDP protocol. IP Address Type the IP address for this protocol. Port Specify the port used for this protocol. Screen Size Chose the screen size for such application. Vigor2950 Series User’s Guide...

  • Page 184: User Account

    You can find out the link of Set SSL Web Proxy on the profile setting page. If you haven’t set any SSL Web Proxy Profile in SSL VPN>> SSL Web Proxy web page, there is no check box but a link appeared below. Vigor2950 Series User’s Guide...
  • Page 185 However, if you have set several SSL Web Proxy Profiles in SSL VPN>> SSL Web Proxy web page: The SSL Web Proxy profile names will be displayed (together with check box) as shown below. Vigor2950 Series User’s Guide...

  • Page 186: Online User Status

    If you have finished the configuration of SSL Web Proxy (server), users can find out corresponding settings when they access into Draytek SSL VPN portal interface. Next, users can open SSL VPN>> Online Status to view logging status of SSL VPN.

  • Page 187: System Status

    Display the MAC address of the WAN Interface. Connection Display the connection mode used currently. IP Address Display the IP address of the WAN interface. Default Gateway Display the assigned IP address of the default gateway. Vigor2950 Series User’s Guide...

  • Page 188: Setting

    Such data must be typed according to the ACS ( Configuration Server) you want to link. Please refer to VigorACS user’s manual for detailed information. URL - Type the URL for VigorACS server. If the connected CPE needs to be authenticated, please Vigor2950 Series User’s Guide...
  • Page 189 STUN binding request must be sent by the CPE to maintain the binding. Maximum Keep Alive Period - It determines the maximum period that the STUN binding request must be sent by the CPE to maintain the binding. Vigor2950 Series User’s Guide...

  • Page 190: Administrator Password

    Go to System Maintenance >> Configuration Backup. The following windows will be popped-up, as shown below. Click Backup button to get into the following dialog. Click Save button to open another dialog for saving configuration as a file. Vigor2950 Series User’s Guide...
  • Page 191 The above example is using Windows platform for demonstrating examples. The Mac or Linux platform will appear different windows, but the backup function is still available. Note: Backup for Certification must be done independently. The Configuration Backup does not include information of Certificate. Vigor2950 Series User’s Guide...

  • Page 192: Syslog/Mail Alert

    Enable syslog message Check the box listed on this web page to send the corresponding message of firewall, VPN, User Access, Call, WAN, Router/DSL information to Syslog. SMTP Server The IP address of the SMTP server. Vigor2950 Series User’s Guide...
  • Page 193 From the Syslog screen, select the router you want to monitor. Be reminded that in Network Information, select the network adapter used to connect to the router. Otherwise, you won’t succeed in retrieving information from the router. Vigor2950 Series User’s Guide...

  • Page 194: Time And Date

    Type the IP address of the time server. Time Zone Select the time zone where the router is located. Automatically Update Interval Select a time interval for updating from the NTP server. Click OK to save these settings. Vigor2950 Series User’s Guide...

  • Page 195: Management

    Check to use standard port numbers for the Telnet and HTTP servers. Enable SNMP Agent Check it to enable this function. Get Community Set the name for getting community by typing a proper character. The default setting is public. Vigor2950 Series User’s Guide...

  • Page 196: Reboot System

    Note: When the system pops up Reboot System web page after you configure web settings, please click OK to reboot your router for ensuring normal operation and preventing unexpected errors of the router in the future. Vigor2950 Series User’s Guide...

  • Page 197: Firmware Upgrade

    Note that this example is running over Windows OS (Operating System). Download the newest firmware from DrayTek's web site or FTP site. The DrayTek web site is www.draytek.com (or local DrayTek's web site) and FTP site is ftp.draytek.com.

  • Page 198: Diagnostics

    (e.g., ISDN, PPPoE, etc) is triggered by a package sending from the source IP address. Decoded Format It shows the source IP address (local), destination IP (remote) address, the protocol and length of the package. Refresh Click it to reload the page. Vigor2950 Series User’s Guide...

  • Page 199: Routing Table

    Resolution Protocol) cache held in the router. The table shows a mapping between an Ethernet hardware address (MAC Address) and an IP address. Refresh Click it to reload the page. Clear Click it to clear the whole table. Vigor2950 Series User’s Guide...

  • Page 200: Dhcp Table

    It displays the host ID name of the specified PC. Refresh Click it to reload the page. Click Diagnostics and click NAT Sessions Table to open the setup page. Private IP:Port It indicates the source IP address and port of local PC. Vigor2950 Series User’s Guide...

  • Page 201: Wireless Vlan Online Station Table

    IP address, MAC address and Login ID information for all the Wireless VLAN stations. IP Address Display the IP address of the wireless station. MAC Address Display the MAC address of the wireless station. Login ID Display the login ID that the wireless station belongs to. Vigor2950 Series User’s Guide...

  • Page 202: Data Flow Monitor

    Refresh Click this link to refresh this page manually. Index Display the number of the data flow. IP Address Display the IP address of the monitored device. Vigor2950 Series User’s Guide...

  • Page 203: Traffic Graph

    Click Diagnostics and click Traffic Graph to pen the web page. Choose WAN1 Bandwidth/WAN2 Bandwidth, VPN Bandwidth, Sessions, daily or weekly for viewing different traffic graph. Click Refresh to renew the graph at any time. The following two figures display different charts by daily and weekly. Vigor2950 Series User’s Guide...
  • Page 204 WAN1/WAN2 Bandwidth chart, the numbers displayed on vertical axis represent the numbers of the transmitted and received packets in the past. For Sessions chart, the numbers displayed on vertical axis represent the numbers of the NAT sessions during the past. Vigor2950 Series User’s Guide...

  • Page 205: Ping Diagnosis

    Type in the IP address of the Host/IP that you want to ping. Click this button to start the ping work. The result will be displayed on the screen. Clear Click this link to remove the result on the window. Vigor2950 Series User’s Guide...

  • Page 206: Trace Route

    Unspecified to be determined by the router automatically. Host/IP Address It indicates the IP address of the host. Click this button to start route tracing work. Clear Click this link to remove the result on the window. Vigor2950 Series User’s Guide...

  • Page 207: Support Area

    When you click the menu item under Support Area, you will be guided to visit www.draytek.com and open the corresponding pages directly. Click Support Area>>Application Note, the following web page will be displayed. Click Support Area>>FAQ, the following web page will be displayed.
  • Page 208 Vigor2950 Series User’s Guide...

  • Page 209: Application And Examples

    Go to VPN and Remote Access and select Remote Access Control to enable the necessary VPN service and click OK. Then, For using PPP based services, such as PPTP, L2TP, you have to set general settings in PPP General Setup. Vigor2950 Series User’s Guide...
  • Page 210 Set Dial-Out Settings as shown below to dial to connect to Router B aggressively with the selected Dial-Out method. If an IPSec-based service is selected, you should further specify the remote peer IP Address, IKE Authentication Method and IPSec Security Method for this Dial-Out Vigor2950 Series User’s Guide...
  • Page 211 Set Dial-In settings to as shown below to allow Router B dial-in to build VPN connection. If an IPSec-based service is selected, you may further specify the remote peer IP Address, IKE Authentication Method and IPSec Security Method for this Dial-In Vigor2950 Series User’s Guide...
  • Page 212 Address, Username, Password, and VJ Compression for this Dial-In connection. At last, set the remote network IP/subnet in TCP/IP Network Settings so that Router A can direct the packets destined to the remote network to Router B via the VPN connection. Vigor2950 Series User’s Guide...
  • Page 213 PPP General Setup. For using IPSec-based service, such as IPSec or L2TP with IPSec Policy, you have to set general settings in IPSec General Setup, such as the pre-shared key that both parties have known. Vigor2950 Series User’s Guide...
  • Page 214 Address, IKE Authentication Method and IPSec Security Method for this Dial-Out connection. If a PPP-based service is selected, you should further specify the remote peer IP Address, Username, Password, PPP Authentication and VJ Compression for this Vigor2950 Series User’s Guide...
  • Page 215 Otherwise, it will apply the settings defined in IPSec General Setup above. If a PPP-based service is selected, you should further specify the remote peer IP Address, Username, Password, and VJ Compression for this Dial-In connection. Vigor2950 Series User’s Guide...
  • Page 216 At last, set the remote network IP/subnet in TCP/IP Network Settings so that Router B can direct the packets destined to the remote network to Router A via the VPN connection. Vigor2950 Series User’s Guide...

  • Page 217: Create A Remote Dial-In User Connection Between The Teleworker And Headquarter

    PPP General Setup. For using IPSec-based service, such as IPSec or L2TP with IPSec Policy, you have to set general settings in IKE/IPSec General Setup, such as the pre-shared key that both parties have known. Vigor2950 Series User’s Guide...
  • Page 218 Otherwise, it will apply the settings defined in IPSec General Setup above. If a PPP-based service is selected, you should further specify the remote peer IP Address, Username, Password, and VJ Compression for this Dial-In connection. Vigor2950 Series User’s Guide...
  • Page 219 For Win2000/XP, please use "Network and Dial-up connections" or “Smart VPN Client”, complimentary software to help you create PPTP, L2TP, and L2TP over IPSec tunnel. You can find it in CD-ROM in the package or go to www.draytek.com download center. Install as instructed.
  • Page 220 VPN router. To use default gateway on remote network means that all the packets of remote host will be directed to VPN server then forwarded to Internet. This will make the remote host seem to be working in the enterprise network. Vigor2950 Series User’s Guide...

  • Page 221: Qos Setting Example

    Make sure the QoS Control on the left corner is checked. And select BOTH in Direction. Enter the Name of Index Class 1 by clicking Edit link. In this index, the user will set reserve bandwidth for Email using protocol POP3 and SMTP. Vigor2950 Series User’s Guide...
  • Page 222 Class Name of Index 3. In this index, he will set reserve bandwidth for 1 VPN tunnel. Click edit to open a new window. First, check the ACT box. Then click SrcEdit to set a worker’s subnet address. Click DestEdit to set headquarter’s subnet address. Leave other fields and click OK. Vigor2950 Series User’s Guide...

  • Page 223: Lan - Created By Using Nat

    You can just set the settings wrapped inside the red rectangles to fit the request of NAT usage. To use another DHCP server in the network rather than the built-in one of Vigor Router, you have to change the settings as show below. Vigor2950 Series User’s Guide...
  • Page 224 You can just set the settings wrapped inside the red rectangles to fit the request of NAT usage. Vigor2950 Series User’s Guide...

  • Page 225: Upgrade Firmware For Your Router

    3. Access into Support >> Downloads. Please find out Utility menu and click it. 4. Click on the link of Router Tools to download the file. After downloading the files, please decompressed the file onto your host. Vigor2950 Series User’s Guide...
  • Page 226 You will find out two files with different extension names, xxxx.all (keep the old custom settings) and xxxx.rst (reset all the custom settings to default settings). Choose any one of them that you need. Vigor2950 Series User’s Guide...

  • Page 227: Request A Certificate From A Ca Server On Windows Ca Server

    10. Click Send. 11. Now the firmware update is finished. Vigor2950 Series User’s Guide...
  • Page 228 You can click GENERATE button to start to edit a certificate request. Enter the information in the certificate request. Copy and save the X509 Local Certificate Requet as a text file and save it for later use. Vigor2950 Series User’s Guide...
  • Page 229 Select Submit a certificate request a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file Import the X509 Local Certificate Requet text file. Select Router (Offline request) or IPSec (Offline request) below. Vigor2950 Series User’s Guide...
  • Page 230 (.cer file) into Vigor router. When finished, click refresh and you will find the below window showing “------BEGINE CERTIFICATE------..” You may review the detail information of the certificate by clicking View button. Vigor2950 Series User’s Guide...

  • Page 231: Request A Ca Certificate And Set As Trusted On Windows Ca Server

    Use web browser connecting to the CA server that you would like to retrieve its CA certificate. Click Retrive the CA certificate or certificate recoring list. Vigor2950 Series User’s Guide...
  • Page 232 You may review the detail information of the certificate by clicking View button. Note: Before setting certificate configuration, please go to System Maintenance >> Time and Date to reset current time of the router first. Vigor2950 Series User’s Guide...

  • Page 233: Erd Mechanism For Vpn Trunk

    Request Background: Some of users think if VPN tunnel connected again, it is Environment Recovery Detection. For such users, use Normal mode. To set ERD Normal mode > vpn Trunk backup ERD VpnBackup Normal (3) Resume Mode Vigor2950 Series User’s Guide...
  • Page 234 For example, if you type “3600” as the value for <second>, Recover will be done with 30 seconds (3531 ~ 3600) for the backup VPN tunnel. If you set “30” as the value for <second>, it will be regarded as “0”. Vigor2950 Series User’s Guide...

  • Page 235: Vpn Load Balance Application

    Router A (VPN Client) for connecting with Router B (VPN Server). (1) VPN Client site For LAN-to-LAN Dial out for member1 and member2, please finish: LAN-to-LAN IPSec Dial Out (Router Mode) configuration. Member1 LAN-to-LAN Dial out Profile GRE over IPSec configuration. Vigor2950 Series User’s Guide...
  • Page 236 LAN-to-LAN IPSec Dial In configuration Finish GRE over IPSec setting in LAN-to-LAN Dial In Profile for matching with VPN Client Member1 configuration Finish GRE over IPSec setting in LAN-to-LAN Dial In Profile for matching with VPN Client Member2 configuration Vigor2950 Series User’s Guide...
  • Page 237 (3) Dialing from VPN Client site Vigor2950 Series User’s Guide...
  • Page 238 This page is left blank. Vigor2950 Series User’s Guide...

  • Page 239: Trouble Shooting

    Sometimes the link failure occurs due to the wrong network connection settings. After trying the above section, if the link is stilled failed, please do the steps listed below to make sure the network connection settings is OK. Vigor2950 Series User’s Guide...
  • Page 240 Go to Control Panel and then double-click on Network Connections. Right-click on Local Area Connection and click on Properties. Select Internet Protocol (TCP/IP) and then click Properties. Vigor2950 Series User’s Guide...
  • Page 241 Select Obtain an IP address automatically and Obtain DNS server address automatically. Double click on the current used MacOs on the desktop. Open the Application folder and get into Network. On the Network screen, select Using DHCP from the drop down list of Configure IPv4. Vigor2950 Series User’s Guide...

  • Page 242: Pinging The Router From Your Computer

    Open the Application folder and get into Utilities. Double click Terminal. The Terminal window will appear. Type ping 192.168.1.1 and press [Enter]. If the link is OK, the line of “64 bytes from 192.168.1.1: icmp_seq=0 ttl=255 time=xxxx ms” will appear. Vigor2950 Series User’s Guide...
  • Page 243 Vigor2950 Series User’s Guide...
  • Page 244 Check if Username and Password are entered with correct values that you got from your ISP. Check if the Enable option is selected. Check if IP address, Subnet Mask and Gateway are entered with correct values that you got from your ISP. Vigor2950 Series User’s Guide...
  • Page 245 Check if the Enable option for PPTP Link is selected. Check if Server Address, Username, Password and WAN IP address are set correctly (must identify with the values from your ISP). Vigor2950 Series User’s Guide...

  • Page 246: Backing To Factory Default Setting If Necessary

    5 seconds. When you see the ACT LED blinks rapidly, please release the button. Then, the router will restart with the default configuration. After restore the factory default setting, you can configure the settings for the router again to fit your personal request. Vigor2950 Series User’s Guide...

  • Page 247: Contacting Your Dealer

    If the router still cannot work correctly after trying many efforts, please contact your dealer for further help right away. For any questions, please feel free to send e-mail to support@draytek.com. Vigor2950 Series User’s Guide...

This manual is also suitable for:

Vigor2950gVigor2950iVigor2950gi

Table of Contents