Summary of Contents for DrayTek Vigor 2952 series

  • Page 2 Vigor2952 Series Dual-WAN Security Firewall User’s Guide Version: 1.5 Firmware Version: V3.8.4 (For future update, please visit DrayTek web site) Date: November 17, 2016 Vigor2952 Series User’s Guide...
  • Page 3 Copyrights © All rights reserved. This publication contains information that is protected by copyright. No part may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language without written permission from the copyright holders. Trademarks The following trademarks are used in this document: ...
  • Page 4 European Community Declarations Manufacturer: DrayTek Corp. Address: No. 26, Fu Shing Road, Hukou Township, Hsinchu Industrial Park, Hsinchu County, Taiwan 303 Product: Vigor2952 Series Router DrayTek Corp. declares that Vigor2952 Series of routers are in compliance with the following essential requirements and other relevant provisions of R&TTE 1999/5/EC, ErP 2009/125/EC and RoHS 2011/65/EU.
  • Page 5: Table Of Contents

    Part I Installation, p. 1
    I-1 Introduction, p. 2
    I-1-1 Indicators and Connectors, p. 4
    I-2 Hardware Installation, p. 7
    I-2-1 Installing Vigor Router, p. 7
    I-2-2 Wall-Mounted Installation of Vigor Router, p. 8
    I-2-3 Installing USB Printer to Vigor Router, p. 9
    I-3 Accessing Web Page ...
  • Page 6

    II-1-2-10 Details Page for IPv6 – DHCPv6 Client in WAN1/WAN2, p. 76
    II-1-2-11 Details Page for IPv6 – Static IPv6 in WAN1/WAN2, p. 78
    II-1-2-12 Details Page for IPv6 – 6in4 Static Tunnel in WAN1 / WAN2, p. 79
    II-1-2-13 Details Page for IPv6 – 6rd in WAN1 / WAN2, p. 81
    II-1-3 Multi-VLAN ...
  • Page 7

    II-4-7 UPnP, p. 165
    II-4-8 IGMP, p. 166
    II-4-9 Wake on LAN, p. 167
    II-4-10 SMS / Mail Alert Service, p. 168
    II-4-11 Bonjour, p. 170
    II-4-12 High Availability, p. 173
    II-4-12-1 General Setup, p. 175
    II-4-12-2 Config Sync, p. 177
    II-4-13 Local 802.1X General Setup, p. 179
    Application Notes ...
  • Page 8

    IV-1-1 VPN Client Wizard, p. 235
    IV-1-2 VPN Server Wizard, p. 242
    IV-1-3 Remote Access Control, p. 246
    IV-1-4 PPP General Setup, p. 247
    IV-1-5 IPsec General Setup, p. 249
    IV-1-6 IPsec Peer Identity, p. 250
    IV-1-7 Remote Dial-in User, p. 252
    IV-1-8 LAN to LAN ...
  • Page 9: Content Filter

    V-2-5 DNS Filter Profile, p. 345
    Application Notes, p. 347
    A-1 How to Create an Account for MyVigor, p. 347
    A-2 How to Block Facebook Service Accessed by the Users via Web Content Filter / URL Content Filter, p. 355
    Part VI Management, p. 361
    VI-1 System Maintenance ...
  • Page 10: Wlan Profile

    Application Notes, p. 443
    A-1 How to create Facebook APP for Web Portal Authentication?, p. 443
    A-2 How to create Google APP for Web Portal Authentication?, p. 449
    VI-4 Central Management (VPN), p. 451
    Web User Interface, p. 452
    VI-4-1 General Setup, p. 452
    VI-4-1-1 General Settings ...
  • Page 11

    Part VII Others, p. 503
    VII-1 Objects Settings, p. 504
    Web User Interface, p. 505
    VII-1-1 IP Object, p. 505
    VII-1-2 IP Group, p. 509
    VII-1-3 IPv6 Object, p. 510
    VII-1-4 IPv6 Group, p. 512
    VII-1-5 Service Type Object, p. 514
    VII-1-6 Service Type Group, p. 516
    VII-1-7 Keyword Object ...
  • Page 12

    VIII-1-10 Traffic Graph, p. 562
    VIII-1-11 Trace Route, p. 563
    VIII-1-12 Syslog Explorer, p. 564
    VIII-1-13 IPv6 TSPC Status, p. 565
    VIII-1-14 High Availability Status, p. 566
    VIII-1-15 Authentication Information, p. 568
    VIII-1-16 DoS Flood Table, p. 569
    VIII-2 Checking If the Hardware Status Is OK or Not, p. 571
    VIII-3 Checking If the Network Connection Settings on Your Computer Is OK or Not ...
  • Page 13: Part I Installation

    This part introduces the Vigor router and guides you through installing the device in hardware and software.
  • Page 14: Introduction

    Vigor2952 Series, a broadband router, integrates IP layer QoS and NAT session/bandwidth management to help users control and work well with large bandwidth. By adopting a hardware-based VPN platform and hardware encryption of AES/DES/3DES, the router greatly increases VPN performance and offers several protocols (such as IPSec/PPTP/L2TP) with up to 100 VPN tunnels.
  • Page 15 In addition, Vigor2952 Series supports USB interface for connecting USB printer to share printer, USB storage device for sharing files, or for 3G/4G WAN. The LAN ports of Vigor2952P and Vigor2952Pn allow power to be supplied to end devices, such as Wireless Access Points, IP Phones and IP cams, directly through the existing LAN cables, eliminating costs for additional AC wiring and reducing installation cost.
  • Page 16: I-1-1 Indicators And Connectors

    Before you use the Vigor router, please get acquainted with the LED indicators and connectors first. Status Explanation ACT (Activity) Blinking The router is powered on and running normally. The router is powered off. USB1~USB2 A USB device is connected and active. Blinking The data is transmitting.
  • Page 17 (Green) The WAN1/Fiber port is connected with 10/100Mbps. WAN2 Left LED The port is connected. (Green) The port is disconnected. Blinking The data is transmitting. Right LED The port is connected with 1000Mbps. (Green) The port is connected with 10/100Mbps. LAN1~ Left LED The port is connected.
  • Page 18 Interface Description Factory Reset Restore the default settings. Usage: Turn on the router (ACT LED is blinking). Press the hole and hold for more than 5 seconds. When you see the ACT LED begin to blink more rapidly than usual, release the button. Then the router will restart with the factory default configuration.
  • Page 19: Hardware Installation

    Before starting to configure the router, you have to connect your devices correctly. Connect a cable Modem/DSL Modem/Media Converter (depends on your requirement) to any WAN port of router with Ethernet cable (RJ-45). Or, connect the fiber cable to the WAN (SFP) port of router.
  • Page 20: I-2-2 Wall-Mounted Installation Of Vigor Router

    Vigor can be mounted on the wall by using standard brackets shown below. Choose a flat surface (on the wall) which is suitable for placing the router. Make the screw holes on the short side of the bracket aim at the screw holes on the router. Next, fasten both the bracket and the router with two screws;...
  • Page 21: I-2-3 Installing Usb Printer To Vigor Router

    You can install a printer onto the router for sharing printing. All the PCs connected to this router can print documents via the router. The example provided here is based on Windows 7. For other Windows systems, please visit www.DrayTek.com. Before using it, please follow the steps below to configure settings for connected computers (or wireless clients).
  • Page 22 A dialog will appear. Click Add a local printer and click Next. In this dialog, choose Create a new port. In the field of Type of port, use the drop down list to select Standard TCP/IP Port. Then, click Next.
  • Page 23 In the following dialog, type 192.168.1.1 (router’s LAN IP) in the field of Hostname or IP Address and type 192.168.1.1 as the Port name. Then, click Next. Click Standard and choose Generic Network Card.
  • Page 24 Now, your system will ask you to choose the right name of the printer that you installed onto the router. This step allows the correct driver to be loaded onto your PC. When you finish the selection, click Next. Type a name for the chosen printer. Click Next.
  • Page 25 10. Choose Do not share this printer and click Next. 11. Then, in the following dialog, click Finish.
  • Page 26 12. The new printer has been added and displayed under Printers and Faxes. Click the new printer icon and click Printer server properties. 13. Edit the property of the new printer you have added by clicking Configure Port.
  • Page 27 14. Select "LPR" on Protocol, type p1 (number 1) as Queue Name. Then click OK. Next please refer to the red rectangle for choosing the correct protocol and LPR name.
  • Page 28 The printer can be used for printing now. Most printers from different manufacturers are compatible with the Vigor router. Info Note 1: Some printers with the fax/scanning or other additional functions are not supported. If you do not know whether your printer is supported or not, ...
  • Page 29: Accessing Web Page

    Make sure your PC connects to the router correctly. You may either simply set up your computer to get IP dynamically from the router or set up the IP address of the computer to be the same subnet as the default IP address of Vigor router 192.168.1.1.
  • Page 30 Now, the Main Screen will appear. Info The home page will differ slightly according to the type of router you have. The web page can be logged out according to the chosen condition. The default setting is Auto Logout, which means the web configuration system will log out after 5 minutes without any operation.
  • Page 31: Changing Password

    Please change the default password to secure the router. Open a web browser on your PC and type http://192.168.1.1. A pop-up window will open to ask for username and password. Please type “admin/admin” as Username/Password to access the web user interface in admin mode.
  • Page 32: Dashboard

    Dashboard shows the connection status including System Information, IPv4 Internet Access, IPv6 Internet Access, Interface (physical connection), Security and Quick Access. Click Dashboard from the main menu on the left side of the main page. A web page with default selections will be displayed on the screen. Refer to the following figure: On the top of the Dashboard, a virtual panel (simulating the physical panel of the router) displays the physical interface connection.
  • Page 33: I-5-2 Name With A Link

    For detailed information about the LED display, refer to I-1-1 LED Indicators and Connectors. A name with a link (e.g., Router Name, Current Time, WAN1~4 and so on) below means you can click it to open the configuration page for modification.
  • Page 34: I-5-3 Quick Access For Common Used Menu

    All the menu items can be accessed and are arranged in order on the left side of the main page. However, some important and commonly used menu items can be accessed quickly for convenience. Look at the right side of the Dashboard.
  • Page 35: I-5-4 Gui Map

    Host connected physically to the router via LAN port(s) will be displayed with green circles in the field of Connected. All of the hosts (including wireless clients) displayed with Host ID, IP Address and MAC address indicates that the traffic would be transmitted through LAN port(s) and then the WAN port. The purpose is to perform the traffic monitor of the host(s).
  • Page 36: I-5-5 Web Console

    It is not necessary to use the telnet command via DOS prompt. The changes made by using web console have the same effects as modified through web user interface. The functions/settings modified under Web Console also can be reviewed on the web user interface.
  • Page 37: I-5-6 Config Backup

    There is one way to store current used settings quickly by clicking the Config Backup icon. It allows you to backup current settings as a file. Such configuration file can be restored by using System Maintenance>>Configuration Backup. Simply click the icon on the top of the main screen and a pop up dialog will appear. Click Save to store the setting.
  • Page 38: I-5-8 Online Status

    This page displays the physical connection status such as LAN connection status, WAN connection status, ADSL information, and so on. Physical Connection for IPv4 Protocol
  • Page 39 Physical Connection for IPv6 Protocol Detailed explanation (for IPv4) is shown below: Item Description LAN Status Primary DNS-Displays the primary DNS server address for WAN interface. Secondary DNS -Displays the secondary DNS server address for WAN interface. IP Address-Displays the IP address of the LAN interface. TX Packets-Displays the total transmitted packets at the LAN interface.
  • Page 40: I-5-8-2 Virtual Wan

    Detailed explanation (for IPv6) is shown below: Item Description LAN Status IP Address- Displays the IPv6 address of the LAN interface. TX Packets-Displays the total transmitted packets at the LAN interface. RX Packets-Displays the total received packets at the LAN interface.
  • Page 41: Quick Start Wizard

    Quick Start Wizard can help you to deploy and use the router easily and quickly. Click Wizards>>Quick Start Wizard. The first screen of Quick Start Wizard is entering login password. After typing the password, please click Next. On the next page as shown below, please select the WAN interface (WAN 1 to WAN4) that you use.
  • Page 42: I-6-1 Wan1 (Fiber) / Wan1/2(Ethernet) / Wan3/4(Usb)

    Note: Vigor router will use either Fiber WAN or WAN1 for Internet connection. If both Fiber WAN and WAN1 are connected physically at the same time, Fiber WAN will be the first choice for network connection. WAN1 can be configured as Fiber WAN1 or Ethernet WAN1 according to the physical hardware connection.
  • Page 43 Click PPPoE as the Internet Access Type. Then click Next to continue. Available settings are explained as follows: Item Description Service Name Enter the description of the specific network service. (Optional) Username Assign a specific valid user name provided by the ISP. Note: The maximum length of the user name you can set is 63 characters.
  • Page 44 Please manually enter the Username/Password provided by your ISP. Click Next for viewing summary of such connection. Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown. Now, you can enjoy surfing on the Internet.
  • Page 45 Choose WAN2 as the WAN Interface and click the Next button. The following page will be open for you to specify Internet Access Type. Click PPTP/L2TP as the Internet Access Type. Then click Next to continue. Available settings are explained as follows: Item Description Username...
  • Page 46 Confirm Password Retype the password. WAN IP Configuration Obtain an IP address automatically – the router will get an IP address automatically from DHCP server. Specify an IP address – you have to type relational settings manually. • IP Address - Type the IP address. • ...
  • Page 47 Choose WAN2 as the WAN Interface and click the Next button. The following page will be open for you to specify Internet Access Type. Click Static IP as the Internet Access type. Simply click Next to continue. Available settings are explained as follows: Item Description WAN IP...
  • Page 48 Cancel Click it to give up the quick start wizard. Please type in the IP address information originally provided by your ISP. Then click Next for next step. Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown.
  • Page 49 Choose WAN2 as WAN Interface and click the Next button. The following page will be open for you to specify Internet Access Type. Click DHCP as the Internet Access type. Simply click Next to continue. Available settings are explained as follows: Item Description Host Name...
  • Page 50 Cancel Click it to give up the quick start wizard. After finishing the settings above, click Next for viewing summary of such connection. Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown. Now, you can enjoy surfing on the Internet.
  • Page 51: I-6-2 Wan3 / Wan4 (Usb)

    WAN3/WAN4 is dedicated to physical mode in USB. Choose WAN3 as WAN Interface. Then, click Next for getting the following page. Available settings are explained as follows: Item Description Internet Access Choose one of the selections as the protocol of accessing the internet.
  • Page 52 question, please contact your ISP. The maximum length of the string you can set is 47 characters. APN Name – APN means Access Point Name which is provided and required by some ISPs. Type the name and click Apply. 4G USB Modem (DHCP mode) SIM Pin code – Type PIN code of the SIM card that will be used
  • Page 53: Service Activation Wizard

    Service Activation Wizard can guide you to activate WCF service (Web Content Filter) in a quick and easy way. Because the Service Activation Wizard is only available for admin operation, please type “admin/admin” as Username/Password while logging into the web user interface. Service Activation Wizard is a tool which allows you to use trial version of WCF directly without accessing the server (MyVigor) located on http://myvigor.draytek.com.
  • Page 54 In the following page, you can activate the Web content filter services at the same time or individually. When you finish the selection, please click Next. Info Commtouch is the web content filter based on Commtouch operated worldwide. There is a 30-day trial period. After trial, you can purchase DrayTek's prepared Commtouch GlobalView WCF package from retailing outlets.
  • Page 55 Wait for a moment till the following page appears. When such page appears, you can enable or disable these services for your necessity. Then, click Finish. Info The service will be activated and applied as the default rule configured in Firewall>>General Setup.
  • Page 56: Registering Vigor Router

    You have finished the configuration of Quick Start Wizard and you can surf the Internet at any time. Now it is time to register your Vigor router on the MyVigor website to get more services. Please follow the steps below to finish the router registration. Please log in to the web configuration interface of Vigor router by typing “admin/admin”...
  • Page 57 Info If you do not have an account, please refer to section Creating an Account for MyVigor to create your own one. Please read the articles on the Agreement regarding user rights carefully while creating a user account. The following page will be displayed after you log in to MyVigor. From this page, please click Add or Product Registration.
  • Page 59: Part Ii Connectivity

    WAN: It means wide area network. Public IP will be used in WAN. LAN: It means local area network. Private IP will be used in LAN. Local Area Network (LAN) is a group of subnets regulated and ruled by router. The design of network structure is related to what type of public IP addresses coming from your ISP.
  • Page 60: Wan

    It allows users to access Internet. IP means Internet Protocol. Every device in an IP-based Network including routers, print server, and host PCs, needs an IP address to identify its location on the network. To avoid address conflicts, IP addresses are publicly registered with the Network Information Centre (NIC).
  • Page 61 After connecting into the router, 3G/4G USB Modem will be regarded as the WAN3/WAN4 port. However, the original WAN1 and WAN2 still can be used and Load-Balance can be done in the router. Besides, 3G/4G USB Modem in WAN3/WAN4 also can be used as backup device. Therefore, when WAN1 and WAN2 are not available, the router will use 3.5G for supporting automatically.
  • Page 62: Web User Interface

    This section will introduce some general settings of Internet and explain the connection modes for WAN1, WAN2 and WAN3/WAN4 in detail. This router supports multiple-WAN function. It allows users to access Internet and combine the bandwidth of the multiple WANs to speed up the transmission through the network. Each WAN port can connect to different ISPs, even if the ISPs use different technology to provide telecommunication service (such as DSL, Cable modem, etc.).
  • Page 63: Ii-1-1-1 Wan1 (Fiber/Auto)

    throughput might be reached; however, some web site may not open smoothly, especially the site need authentication, e.g., FTP. If you have no strong demand about speed test result, keep default settings as IP based. Index Click the WAN interface link under Index to access into the WAN configuration page.
  • Page 64 Enable Choose Yes to invoke the settings for this WAN interface. Choose No to disable the settings for this WAN interface. Display Name Type the description for such interface. Physical Mode Display the physical mode of such interface. Physical Type (Fiber) Specify the mode for data transmission.
  • Page 65: Ii-1-1-2 Wan2 (Ethernet)

    Ethernet is the Physical Mode for WAN2. Available settings are explained as follows: Item Description Enable Choose Yes to invoke the settings for this WAN interface. Choose No to disable the settings for this WAN interface. Display Name Type the description for such WAN interface. Physical Mode Display the physical mode of such WAN interface.
  • Page 66: Ii-1-1-3 Wan3 / Wan4 (Usb)

    function for such WAN interface. When the data traffic is large, the WAN interface with the function enabled will balance the data transmission automatically among all of the WAN interfaces in connection status. Failover – Choose it to make the WAN connection as a backup connection.
  • Page 67 Physical Mode Display the physical mode of such WAN interface. Line Speed If you choose According to Line Speed as the Load Balance Mode, please type the line speed for downloading and uploading for such WAN interface. The unit is kbps. Active Mode Choose Always On to make such WAN connection being activated always.
  • Page 68: Ii-1-2 Internet Access

    Because the router supports multi-WAN function, the users can set different WAN settings (for WAN1/WAN2/WAN3/WAN4) for Internet Access. Due to different Physical Mode for WAN interface, the Access Mode for these connections also varies. Refer to the following figures. Available settings are explained as follows: Item...
  • Page 69 Display Name It shows the name of the WAN1/WAN2/WAN3/WAN4/WAN5 that entered in general setup. Physical Mode It shows the physical connection for WAN1 (Ethernet or Fiber) WAN2 (Ethernet) /WAN3~4 (3G/4G USB Modem) according to the real network connection. Access Mode Use the drop down list to choose a proper access mode.
  • Page 70: Ii-1-2-1 Details Page For Pppoe In Etherenet Wan1/Wan2 And Fiber Wan1

    Info If you choose to configure option 61 here, the detailed settings in WAN>>Internet Access will be overwritten. To choose PPPoE as the accessing protocol of the Internet, please select PPPoE from the WAN>>Internet Access >>WAN1 page. The following web page will be shown. Available settings are explained as follows: Item Description...
  • Page 71 WAN Connection Detection: Such function allows you to verify whether network connection is alive or not through ARP Detect or Ping Detect. Mode – Choose ARP Detect or Ping Detect for the system to execute for WAN detection. If you choose Ping Detect as the detection mode, you have to type required settings for the following items.
  • Page 72: Ii-1-2-2 Details Page For Static Or Dynamic Ip In Etherenet Wan1/Wan2 And Fiber Wan1

    Internet after passing through the time without any action. IP Address Assignment Method (IPCP): Usually ISP dynamically assigns IP address to you each time you connect to it and request. In some cases, your ISP provides service to always assign you the same IP address whenever you request.
  • Page 73 Available settings are explained as follows: Item Description Enable / Disable Click Enable for activating this function. If you click Disable, this function will be closed and all the settings that you adjusted in this page will be invalid. Keep WAN Connection Normally, this function is designed for Dynamic IP environments because some ISPs will drop connections if there is no traffic within certain periods of time.
  • Page 74 pinging, Vigor router can check if the WAN connection is on or off. • TTL (Time to Live) – Set TTL value of PING operation. MTU – It means Max Transmit Unit for packet. Path MTU Discovery – It is used to detect the maximum MTU size of a packet not to be segmented in specific transmit path.
  • Page 75 WAN IP Network Settings This group allows you to obtain an IP address automatically and allows you type in IP address manually. WAN IP Alias - If you have multiple public IP addresses and would like to utilize them on the WAN interface, please use WAN IP Alias.
  • Page 76 DNS Server IP Address Type in the primary IP address for the router if you want to use Static IP mode. If necessary, type in secondary IP address for future use. After finishing all the settings here, please click OK to activate them.
  • Page 77: Ii-1-2-3 Details Page For Pptp/L2Tp In Etherenet Wan1/Wan2 And Fiber Wan1

    To use PPTP/L2TP as the accessing protocol of the internet, please click the PPTP/L2TP tab. The following web page will be shown. Available settings are explained as follows: Item Description PPTP/L2TP Enable PPTP- Click this radio button to enable a PPTP client to establish a tunnel to a DSL modem on the WAN interface.
  • Page 78 • Path MTU to – Type the IP address as the specific transmit path. • MTU size start from – Determine the starting point value of the packet. Default setting is 1500. • MTU reduce size by – It determines the decreasing size ...
  • Page 79: Ii-1-2-4 Details Page For 3G/4G Usb Modem (Ppp Mode) In Usb Wan3/Wan4

    To use 3G/4G USB Modem (PPP mode) as the accessing protocol of the internet, please choose Internet Access from WAN menu. Then, select 3G/4G USB Modem (PPP mode) for WAN5. The following web page will be shown. Available settings are explained as follows: Item Description Modem Support List...
  • Page 80 Modem Initial String Such value is used to initialize USB modem. Please use the default value. If you have any question, please contact your ISP. The maximum length of the string you can set is 47 characters. APN Name APN means Access Point Name which is provided and required by some ISPs.
  • Page 81: Ii-1-2-5 Details Page For 3G/4G Usb Modem (Dhcp Mode) In Usb Wan3/Wan4

    To use 3G/4G USB Modem (DHCP mode) as the accessing protocol of the internet, please choose Internet Access from WAN menu. Then, select 3G/4G USB Modem (DHCP mode) for WAN3/WAN4. The following web page will be shown. Available settings are explained as follows: Item Description Modem Support List...
  • Page 82 APN Name APN means Access Point Name which is provided and required by some ISPs. Type the name and click Apply. The maximum length of the name you can set is 47 characters. MTU – It means Max Transmit Unit for packet. Path MTU Discovery –...
  • Page 83: Ii-1-2-6 Details Page For Ipv6 - Offline In Wan1/Wan2/Wan3/Wan4

    When Offline is selected, the IPv6 connection will be disabled. During the procedure of IPv4 PPPoE connection, we can get the IPv6 Link Local Address between the gateway and Vigor router through IPv6CP. Later, use DHCPv6 or accept RA to acquire the IPv6 prefix address (such as: 2001:B010:7300:200::/64) offered by the ISP.
  • Page 84: Ii-1-2-8 Details Page For Ipv6 - Tspc In Wan1/Wan2/Wan3/Wan4

    Info At present, the IPv6 prefix can be acquired via the PPPoE mode connection which is available for the areas such as Taiwan (hinet), the Netherlands, Australia and UK. Tunnel setup protocol client (TSPC) is an application which could help you to connect to IPv6 network easily.
  • Page 85 Available settings are explained as follows: Item Description Username Type the name obtained from the broker. It is suggested for you to apply another username and password for http://gogonet.gogo6.com/page/freenet6-account. The maximum length of the name you can set is 63 characters.
  • Page 86: Ii-1-2-9 Details Page For Ipv6 - Aiccu In Wan1/Wan2/Wan3/Wan4

    Available settings are explained as follows: Item Description Always On Check this box to keep the network connection always. Username Type the name obtained from the broker. Please apply new account at http://www.sixxs.net/. It is suggested for you to apply another username and password.
  • Page 87 WAN Connection Detection: Such function allows you to verify whether network connection is alive or not through Ping Detect. Mode – Choose Always On or Ping Detect for the system to execute for WAN detection. • Ping IP/Hostname – If you choose Ping Detect as detection mode, you have to type IP address in this field for pinging.
  • Page 88: Ii-1-2-10 Details Page For Ipv6 - Dhcpv6 Client In Wan1/Wan2

    DHCPv6 client mode would use DHCPv6 protocol to obtain IPv6 address from server. Available settings are explained as follows: Item Description Identify Association Choose Prefix Delegation or Non-temporary Address as the identify association. IAID Type a number as IAID. WAN Connection Detection: Such function allows you to verify whether network...
  • Page 89 User Management will be ignored. And all of the filter rules defined and enabled in Firewall menu will be activated. Bridge Subnet – Make a bridge between the selected LAN subnet and such WAN interface. After finishing the above settings, click OK to save the settings.
  • Page 90: Ii-1-2-11 Details Page For Ipv6 - Static Ipv6 In In Wan1/Wan2

    This type allows you to setup static IPv6 address for WAN interface. Available settings are explained as follows: Item Description Static IPv6 Address Configuration IPv6 Address – Type the IPv6 Static IP Address. Prefix Length – Type the fixed value for prefix length. Add –...
  • Page 91: Ii-1-2-12 Details Page For Ipv6 - 6In4 Static Tunnel In Wan1 / Wan2

    for pinging. • TTL (Time to Live) – If you choose Ping Detect as detection mode, you have to type TTL value. RIPng Protocol RIPng (RIP next generation) offers the same functions and benefits as IPv4 RIP v2. Bridge Mode Enable Bridge Mode - If the function is enabled, the router will work as a bridge modem.
  • Page 92 Tunnel TTL Type the number for the data lifetime in tunnel. WAN Connection Detection: Such function allows you to verify whether network connection is alive or not through Ping Detect. Mode – Choose Always On or Ping Detect for the system to execute for WAN detection.
  • Page 93: Ii-1-2-13 Details Page For Ipv6 - 6Rd In Wan1 / Wan2

    This type allows you to setup 6rd for WAN interface. Available settings are explained as follows: Item Description 6rd Settings 6rd Mode – Choose Auto 6rd for retrieving 6rd prefix automatically from 6rd service provider. The IPv4 WAN must be set as "DHCP";...
  • Page 94 Below shows an example for successful IPv6 connection based on 6rd mode.
  • Page 95 This router allows you to create multi-PVC for different data transferring for using. Simply go to WAN and select Multi-VLAN page. The system allows you to set up to eight channels used as multi-VLAN. Available settings are explained as follows: Item Description Channel...
  • Page 96: Ii-1-3 Multi-Vlan

    Click index 8 to get the following web page: Available settings are explained as follows: Item Description Multi-VLAN Channel 8: Enable – Click it to enable the configuration of this channel. Disable – Click it to disable the configuration of this channel. WAN Type: The connections and interfaces created in every channel may select a specific WAN type to be built upon.
  • Page 97 Available settings are explained as follows: Item Description Multi-VLAN Channel 5/6/7: Enable – Click it to enable the configuration of this channel. Disable – Click it to disable the configuration of this channel. WAN Type: The connections and interfaces created in every channel may select a specific WAN type to be built upon.
  • Page 98 Open Port-based Bridge Connection for this Channel: The settings here will create a bridge between the LAN ports selected and the WAN. The WAN interface of the bridge connection will be built upon the WAN type selected using the VLAN tag configured. Physical Members –...
  • Page 99 the router if you want to use Static IP mode. If necessary, type in a secondary IP address for future use. After finishing the above settings, click OK to save the settings and return to the previous page.
  • Page 100: II-1-4 WAN Budget

    This function is used to determine the data traffic volume for each WAN interface respectively to prevent overcharges for data transmission by the ISP. Please note that the Quota Limit and Billing cycle day of month settings need to be configured correctly first in order for some period calculations to be performed correctly.
  • Page 101 Using Notification Object – The system will send out a notification based on the event conditions of the notification object. Set Mail Alert – The system will send out a warning message to the administrator when the quota is running out.
  • Page 102: II-1-4-2 Status

    The status page displays the status of the WAN budget, including the duration and the usage. If the WAN budget is exhausted and Shutdown WAN interface is selected, a lock will be displayed on the page, which means no data transmission will be carried out. Moreover, the system will send out a warning message to the administrator if Mail Alert is selected.
  • Page 103: Application Notes

    Due to the shortage of IPv4 addresses, more and more countries use IPv6 to solve the problem. However, to continue using the rich existing resources of IPv4, IPv6 and IPv4 networks must communicate with each other via an intercommunication mechanism so that the shift from IPv4 to IPv6 can be completed gradually.
  • Page 104 Info: Only one WAN interface supports IPv6 service at one time. In this example, WAN2 is chosen as the one supporting IPv6 service. In the following figure, use the drop-down list to choose a proper connection type. Different connection types bring up different configuration pages. Refer to the following:...
  • Page 105 On the setting page for IPv6 service, it is not necessary for you to configure anything. Click OK and open Online Status. If the connection is successful, you will get the IP address for IPv4 and IPv6 at the same time.
  • Page 107 TSPC – Tunnel application; both IPv6 hosts communicate through an IPv4 network. Choose TSPC and type the information for TSPC service. Info: While using this mode, you have to make sure the IPv4 network connection is normal. (In the following figure, the TSPC information is obtained from http://gogo6.com/ after applying for the service.) Click OK and open Online Status.
  • Page 108 AICCU – Tunnel application. Choose AICCU and type the information for AICCU of IPv6. Info: While using this mode, you have to make sure the IPv4 network connection is normal. (In the following figure, the AICCU information is obtained from https://www.sixxs.net/main/ after applying for the service.) Click OK and open Online Status.
  • Page 109 DHCPv6 Client: Choose DHCPv6 Client. Click one of the identity associations and type the IAID number. Click OK and open Online Status. If the connection is successful, the physical connection will be shown as follows:
  • Page 110 Static IPv6: Choose Static IPv6. Type IPv6 address, Prefix Length and Gateway Address. Click OK and open Online Status. If the connection is successful, the physical connection will be shown as follows:
  • Page 111 6in4 Static Tunnel: Choose 6in4 Static Tunnel. Type remote endpoint IPv4 address, 6in4 IPv6 Address, LAN Routed Prefix and Tunnel TTL. Click OK and open Online Status. If the connection is successful, the physical connection will be shown as follows:
  • Page 112 Choose 6rd. Type IPv4 Border Relay, IPv4 Mask Length, 6rd Prefix and 6rd Prefix Length. Click OK and open Online Status. If the connection is successful, the physical connection will be shown as follows:
  • Page 113 After finishing the WAN settings for IPv6, please configure the LAN settings so that the router’s clients get IPv6 addresses. Access the web user interface of Vigor2952. Open LAN>> General Setup. Click the IPv6 button. In the field of DHCPv6 Server Configuration, when DHCPv6 service is enabled, you can assign available IPv6 address for the client manually.
  • Page 114 Make sure you have obtained the correct IPv6 address. Open the MS-DOS command prompt and type the command “ipconfig”. Refer to the following figure. From the above figure we can see that an IPv6 address has been obtained by the system. Use the Ping command to ping any IPv6 address indicating an IPv6 website.
  • Page 115 Connect to the website for IPv6. Open a web browser and type a URL of an IPv6 site, e.g., www.kame.net. If your computer accesses the website by using an IPv6 address, you may see a turtle dancing on the screen. If not, only a steady turtle will be seen. If you can see a turtle dancing on the screen, that means IPv6 service is ready for you to access and utilize.
  • Page 116: LAN

    Local Area Network (LAN) is a group of subnets regulated and ruled by the router. The design of the network structure depends on what type of public IP addresses come from your ISP. The most generic function of Vigor router is NAT. It creates a private subnet of your own. As mentioned previously, the router talks to other public hosts on the Internet by using its public IP address and talks to local hosts by using its private IP address.
  • Page 117 Vigor router will exchange routing information with neighboring routers using RIP to accomplish IP routing. This allows users to change the information of the router such as IP address, and the routers will automatically inform each other. When you have several subnets in your LAN, sometimes a more effective and quicker way for connection is the Static routes function rather than other methods.
  • Page 118: Web User Interface

    This page provides the general settings for LAN. Click LAN to open the LAN settings page and choose General Setup. There are several subnets provided by the router which allow users to divide groups into different subnets (LAN1 – LAN6). In addition, different subnets can link with each other by configuring Inter-LAN Routing.
  • Page 119 Available settings are explained as follows: Item Description General Setup: Allows you to configure settings for each subnet respectively. Index – Display all of the LAN items. Status – Basically, LAN1 status is enabled by default. LAN2 – LAN6 and IP Routed Subnet can be observed by checking the box of Status.
  • Page 120 Enable/Disable – Enable/Disable the function of DHCP Option. Each DHCP option is composed of an option number with data. For example, Option number: 100, Data: abcd. When this function is enabled, the specified values for the DHCP option will be seen in DHCP reply packets. Interface –...
  • Page 121: II-2-1-1 Details Page for LAN1 – Ethernet TCP/IP and DHCP Setup

    There are two configuration pages for LAN1, Ethernet TCP/IP and DHCP Setup (based on IPv4) and IPv6 Setup. Click the tab for each type and refer to the following explanations for detailed information. Available settings are explained as follows: Item Description Network Configuration...
  • Page 122 RIP Protocol Control: Disable – Deactivate the RIP protocol. It will lead to a stoppage of the exchange of routing information between routers. (Default) Enable – Activate the RIP protocol. DHCP Server Configuration: DHCP stands for Dynamic Host Configuration Protocol. The router by factory default acts as a DHCP server for your network so it automatically dispatches related IP settings to any local...
  • Page 123: II-2-1-2 Details Page for LAN1 ~ LAN4 – IPv6 Setup

    Primary IP Address – You must specify a DNS server IP address here because your ISP should provide you with usually more than one DNS Server. If your ISP does not provide it, the router will automatically apply default DNS Server IP address: 194.109.6.66 to this field.
  • Page 124 It provides 2 daemons for LAN side IPv6 address configuration. One is SLAAC (stateless) and the other is DHCPv6 Server (stateful). Available settings are explained as follows: Item Description Enable IPv6: Check the box to enable the configuration of LAN 1 IPv6 Setup.
  • Page 125 Auto ULA Prefix – The system will generate the required IPv6 address. Manually ULA Prefix – A user can type the ULA IPv6 address manually. DNS Server IPv6 Address: Primary DNS Server – Type the IPv6 address for Primary DNS server.
  • Page 126 Edit to open the pop-up window. Router Advertisement Configuration – Click Enable to enable router advertisement server. The router advertisement daemon sends Router Advertisement messages, specified by RFC 2461, to a local Ethernet LAN periodically and when requested by a node sending a Router Solicitation message.
  • Page 127: II-2-1-3 Details Page for LAN2 ~ LAN8

    Available settings are explained as follows: Item Description Network Configuration Enable/Disable - Click Enable to enable such configuration; click Disable to disable such configuration. For NAT Usage - Click this radio button to invoke NAT function. For Routing Usage - Click this radio button to invoke this function.
  • Page 128: II-2-1-4 Details Page for IP Routed Subnet

    192.168.1.254. IP Pool Counts - Enter the maximum number of PCs that you want the DHCP server to assign IP addresses to. The default is 50 and the maximum is 253. Gateway IP Address - Enter a value of the gateway IP address for the DHCP server.
  • Page 129 Subnet Mask – Type in an address code that determines the size of the network. (Default: 255.255.255.0/24) RIP Protocol Control: Disable – Deactivate the RIP protocol. It will lead to a stoppage of the exchange of routing information between routers.
  • Page 130: II-2-2 VLAN

    With the 6-port Gigabit switch on the LAN side, Vigor router provides extremely high speed connectivity for the highest speed local data transfer of any server or local PCs. On the Wireless-equipped models (e.g., Vigor2952n), each of the wireless SSIDs can also be grouped within one of the VLANs.
  • Page 131 Available settings are explained as follows: Item Description Enable Click it to enable VLAN configuration. P1 – P4 – Check the LAN port(s) to group them under the selected VLAN. Wireless LAN SSID1 – SSID4 – Check the SSID boxes to group them under the selected VLAN.
  • Page 132 Click OK. Open LAN>>General Setup. If you want to let the clients in both groups communicate with each other, simply activate Inter-LAN Routing by checking the box between LAN1 and LAN2. Vigor router supports up to six private IP subnets on LAN. Each can be independent (isolated) or common (able to communicate with each other).
  • Page 133: II-2-3 Bind IP to MAC

    This function is used to bind the IP and MAC addresses in the LAN to strengthen control over the network. When this function is enabled, all the assigned IP and MAC addresses that are bound together cannot be changed. If you modify the bound IP or MAC address, you might not be able to access the Internet.
  • Page 134 selected and added to IP Bind List by clicking Add below. Select All Click this link to select all the items in the ARP table. Sort Reorder the table based on the IP address. Refresh Refresh the ARP table listed below to obtain the newest ARP table information.
  • Page 135: II-2-4 LAN Port Mirror

    LAN port mirror can be applied for the users in LAN. Generally speaking, this function copies traffic from one or more specific ports to a target port. This mechanism helps the manager track network errors or abnormal packet transmission without interrupting the flow of data across the network.
  • Page 136: II-2-5 Wired 802.1X

    IEEE 802.1x is an IEEE Standard for port-based Network Access Control (PNAC). It is part of the IEEE 802.1 group of networking protocols. It provides an authentication mechanism for the device that is attached to a LAN or WLAN. Wired 802.1x provides authentication for one network device on each LAN port. The RADIUS Server settings must be configured before enabling 802.1x because the EAP (Extensible Authentication Protocol) Authenticator relies on the RADIUS Server in its authentication process.
  • Page 137: II-2-6 Web Portal Setup

    This page allows you to configure a profile with a specified URL to redirect to, or a message to display, when a wireless/LAN user connects to the Internet through this router. No matter what the purpose of the wireless/LAN client is, he/she will be forced to the URL configured here while trying to access the Internet or the desired web page through this router.
  • Page 138 To configure the profile, click any index number link to open the following page. Available settings are explained as follows: Item Description Enable Check the box to enable this function. Body Two types can be specified for web portal setup. URL Redirect - Any user who wants to access into Internet through this router will be redirected to the URL specified here first.
  • Page 139 Authentication Position on Screen – The content of notice and the defined button can be shown upside (Top) or downside (Bottom) the text defined for message body. None – No authentication is required. Button click – Define the word (default word is “Continue”) shown on the button.
  • Page 140: II-2-7 PPPoE Server

    LAN users can access into Internet through built-in PPPoE server on Vigor router. PPPoE server is a mechanism which can authenticate LAN users (configured in User Management>>User Profile) and prevent ARP attack completely. Available settings are explained as follows: Item Description PPPoE Server Enable –...
  • Page 141: II-2-8 PoE

    PoE (Power over Ethernet) allows devices connecting to Vigor router through PoE LAN ports get sufficient power to activate that device and execute data transmission. This page provides general settings for configuring PoE of Vigor router. Each item is explained as follows: Item Description Mode...
  • Page 142: II-2-8-2 Device Check

    specified PoE LAN Port. This is available when Manual is selected as the Mode. Schedule Two schedule profiles can be applied to each specified PoE LAN Port. This is available when Manual is selected as the Mode. Clear All Click to remove all of the configurations in this page. After finishing all the settings here, please click OK to save the configuration.
  • Page 143: II-2-8-3 Status

    This page displays the status for each PoE port, including class of powered device, power usage, power limit, current and error log of PoE. Each item is explained as follows: Item Description Port Display the number representing LAN Port 1/2/3/4. PD Class Display the class of the powered device.
  • Page 144 Refresh: Reload the record.
  • Page 145: NAT

    Usually, the router serves as an NAT (Network Address Translation) router. NAT is a mechanism that one or more private IP addresses can be mapped into a single public one. Public IP address is usually assigned by your ISP, for which you may get charged. Private IP addresses are recognized only among internal hosts.
  • Page 146: Web User Interface

    Port Redirection is usually set up for server related services inside the local network (LAN), such as web servers, FTP servers, E-mail servers etc. In most cases, you need a public IP address for each server, and this public IP address/domain name is recognized by all users. Since the server is actually located inside the LAN, where the network is well protected by the NAT of the router, and is identified by its private IP address/port, the goal of the Port Redirection function is to forward all access requests with public IP address from external users to the mapping...
  • Page 147 Each item is explained as follows: Item Description Index Display the number of the profile. Service Name Display the description of the specific network service. WAN Interface Display the WAN IP address used by the profile. Protocol Display the transport layer protocol (TCP or UDP). Public Port Display the port number which will be redirected to the specified Private IP and Port of the internal host.
  • Page 148 Available settings are explained as follows: Item Description Enable Check this box to enable such port redirection setting. Mode Two options (Single and Range) are provided here for you to choose. To set a range for the specific service, select Range. In Range mode, if the public port (start port and end port) and the starting IP of private IP had been entered, the system will calculate and display the ending IP of private IP...
  • Page 150: II-3-2 DMZ Host

    As mentioned above, Port Redirection can redirect incoming TCP/UDP or other traffic on particular ports to the specific private IP address/port of host in the LAN. However, other IP protocols, for example Protocols 50 (ESP) and 51 (AH), do not travel on a fixed port. Vigor router provides a facility DMZ Host that maps ALL unsolicited data on any protocol to a single host in the LAN.
  • Page 151 Choose IP Click this button and then a window will automatically pop up, as depicted below. The window consists of a list of private IP addresses of all hosts in your LAN network. Select one private IP address in the list to be the DMZ host. When you have selected one private IP from the above dialog, the IP address will be shown on the screen.
  • Page 152 Choose IP Click this button and then a window will automatically pop up, as depicted below. The window consists of a list of private IP addresses of all hosts in your LAN network. Select one private IP address in the list to be the DMZ host. When you have selected one private IP from the above dialog, the IP address will be shown on the screen.
  • Page 153: II-3-3 Open Ports

    Open Ports allows you to open a range of ports for the traffic of special applications. Common application of Open Ports includes P2P application (e.g., BT, KaZaA, Gnutella, WinMX, eMule and others), Internet Camera etc. Ensure that you keep the application involved up-to-date to avoid falling victim to any security exploits.
  • Page 154 Available settings are explained as follows: Item Description Enable Open Ports Check to enable this entry. Comment Make a name for the defined network application/service. WAN Interface Specify the WAN interface that will be used for this entry. WAN IP Specify the WAN IP address that will be used for this entry.
  • Page 155: II-3-4 Port Triggering

    After finishing all the settings here, please click OK to save the configuration. Port Triggering is a variation of the open ports function. It is suitable for setting matching conditions for specific services like Quick Time, ICQ, BitTorrent and so on. The key difference between "open port"...
  • Page 156 Available settings are explained as follows: Item Description Comment Display the text which memorizes the application of this rule. Triggering Protocol Display the protocol of the triggering packets. Source IP Display the source IP address. Triggering Port Display the port of the triggering packets. Incoming Protocol Display the protocol for the incoming data of such triggering profile.
  • Page 157 in this page for passing the packet. Triggering Protocol Select the protocol (TCP, UDP or TCP/UDP) for such triggering profile. Triggering Port Type the port or port range for such triggering profile. Incoming Protocol When the triggering packets received, it is expected the incoming packets will use the selected protocol.
  • Page 158: Applications

    The ISP often provides you with a dynamic IP address when you connect to the Internet via your ISP. It means that the public IP address assigned to your router changes each time you access the Internet. The Dynamic DNS feature lets you assign a domain name to a dynamic WAN IP address.
  • Page 159 The UPnP (Universal Plug and Play) protocol is supported to bring to network connected devices the ease of installation and configuration which is already available for directly connected PC peripherals with the existing Windows 'Plug and Play' system. For NAT routers, the major feature of UPnP on the router is “NAT Traversal”.
  • Page 160: Web User Interface

    Assume you have a registered domain name from the DDNS provider, say hostname.dyndns.org, and an account with username: test and password: test. Open Applications>>Dynamic DNS. Check Enable Dynamic DNS Setup. Available settings are explained as follows: Item Description Enable Dynamic DNS Check this box to enable DDNS function.
  • Page 161 Force Update: Force the router to update its information to the DDNS server. Auto-Update interval: Set the time for the router to perform auto update for DDNS service. Index: Click the number below Index to access the setting page of DDNS setup to set account(s). WAN Interface: Display the WAN interface used.
  • Page 162 Password: Type in the password that you set for applying domain. Wildcard and Backup MX: The Wildcard and Backup MX (Mail Exchange) features are not supported for all Dynamic DNS providers. You could get more detailed information from their websites. Mail Extender: If the mail server is defined with another name, please type the name in this area.
  • Page 163: II-4-2 LAN DNS / DNS Forwarding

    The LAN DNS lets the network administrators host servers with privacy and security. When the network administrators of your office set up an FTP, Mail or Web server inside the LAN, you can specify private IP address(es) for the corresponding servers. Thus, even if the remote PC is using a public DNS as the DNS server, the LAN DNS resolution on Vigor2952 Series will respond with the specified private IP address.
  • Page 164 Enable Check the box to enable the selected profile. Index Click the number below Index to access into the setting page. Profile Display the name of the LAN DNS profile. Domain Name Display the domain name of the LAN DNS profile. Forwarding Display that such profile is conditional DNS forwarding or not.
  • Page 165 domain name specified above. In general, one domain name maps with one IP address. If required, you can configure two IP addresses mapping with the same domain name. Add – Click it to open a dialog to type the host’s IP address....
  • Page 166: II-4-3 DNS Security

    DNS security ensures that the incoming data is not falsified and that the source of the data is secure and correct, to protect against DNS attacks. Available settings are explained as follows: Item Description Enable: Check the box to enable the DNS security management. Interface: There are four WAN interfaces allowed to be set with DNS security enabled.
  • Page 167: II-4-3-2 Domain Diagnose

    This page is used to configure settings for manually detecting whether the domain is secure or not. Available settings are explained as follows: Item Description Domain: Type the domain name and IP address (IPv4/IPv6) that you want to query. Interface: Specify the interface required for executing the diagnosis. DNS Server: Type the IP address of the DNS Server which will diagnose the domain specified above.
  • Page 168: II-4-4 Schedule

    The Vigor router has a built-in clock which can update itself manually or automatically by means of Network Time Protocols (NTP). As a result, you can not only schedule the router to dialup to the Internet at a specified time, but also restrict Internet access to certain hours so that users can connect to the Internet only during certain hours, say, business hours.
  • Page 169 Available settings are explained as follows: Item Description Enable Schedule Setup: Check to enable the schedule. Start Date (yyyy-mm-dd): Specify the starting date of the schedule. Start Time (hh:mm): Specify the starting time of the schedule. Duration Time (hh:mm): Specify the duration (or period) for the schedule. Action: Specify which action Call Schedule should apply during the...
  • Page 170: II-4-5 RADIUS/TACACS

    Mon - Sun 9:00 am 6:00 pm Make sure the PPPoE connection and Time Setup is working properly. Configure the PPPoE always on from 9:00 to 18:00 for whole week. Configure the Force Down from 18:00 to next day 9:00 for whole week. Assign these two profiles to the PPPoE Internet access profile.
  • Page 171: II-4-5-2 Internal RADIUS

    Confirm Shared Secret: Re-type the Shared Secret for confirmation. After finishing the above settings, click the OK button to save the settings. Besides being a built-in RADIUS client, Vigor router can also be operated as a RADIUS server which performs security authentication by itself. This page is used to configure settings for the internal RADIUS server.
  • Page 172 secret. Enable - Check to enable RADIUS client feature. Shared Secret - The RADIUS server and client share a secret that is used to authenticate the messages sent between them. Both sides must be configured to use the same shared secret.
  • Page 173: II-4-5-3 External TACACS

    It means Terminal Access Controller Access-Control System Plus. It works like RADIUS does. Click the External TACACS+ to open the following page: Available settings are explained as follows: Item Description Enable Check to enable TACACS+ feature. Server IP Address Enter the IP address of TACACS+ server. Destination Port The UDP port number that the TACACS+ server is using.
  • Page 174: II-4-6 Active Directory/ LDAP

    Lightweight Directory Access Protocol (LDAP) is a communication protocol for use in TCP/IP networks. It defines the methods by which clients access a distributed directory server, work on the directory and share the information in the directory. The LDAP standard is established by the work team of Internet Engineering Task Force (IETF).
  • Page 175 Available settings are explained as follows: Item Description Enable: Check to enable such function. Bind Type: There are three types of bind type supported. Simple Mode – Just simply do the bind authentication without any search action. Anonymous – Perform a search action first with...
  • Page 176 Available settings are explained as follows: Item Description Name Type a name for such profile. The length of the user name is limited to 19 characters. Common Name Identifier Type or edit the common name identifier for the LDAP server. The common name identifier for most LDAP server is “cn”.
  • Page 177: II-4-7 UPnP

    The UPnP (Universal Plug and Play) protocol is supported to bring to network connected devices the ease of installation and configuration which is already available for directly connected PC peripherals with the existing Windows 'Plug and Play' system. For NAT routers, the major feature of UPnP on the router is “NAT Traversal”.
  • Page 178: II-4-8 IGMP

    IGMP is the abbreviation of Internet Group Management Protocol. It is a communication protocol which is mainly used for managing the membership of Internet Protocol multicast groups. Available settings are explained as follows: Item Description IGMP Proxy Check this box to enable this function. The application of multicast will be executed through WAN/PVC/VLAN port.
  • Page 179: II-4-9 Wake on LAN

    A PC client on LAN can be woken up by the router it connects. When a user wants to wake up a specified PC through the router, he/she must type correct MAC address of the specified PC on this web page of Wake on LAN (WOL) of this router. In addition, such PC must have installed a network card supporting WOL function.
  • Page 180: II-4-10 SMS / Mail Alert Service

    The function of SMS (Short Message Service)/Mail Alert is that Vigor router sends a message to user’s mobile or e-mail box through specified service provider to assist the user knowing the real-time abnormal situations. Vigor router allows you to set up to 10 SMS profiles which will be sent out according to different conditions.
  • Page 181 This page allows you to specify Mail Server profile, who will get the notification e-mail, what the content is and when the message will be sent. Available settings are explained as follows: Item Description Index Check the box to enable such profile. Mail Service Use the drop down list to choose mail service object.
  • Page 182: II-4-11 Bonjour

    Bonjour is a service discovery protocol which is a built-in service in Mac OS X; for Windows or Linux platforms, there is corresponding software to enable this function for free. Usually, users have to configure the router or personal computers to use the above services. Sometimes, the configuration (e.g., IP settings, port number) is complicated and not easy to complete.
  • Page 183 2. Open the web browser, Firefox. If Bonjour and DNSSD have been installed, you can open the web page (DNSSD) and see the following results. 3. Open System Maintenance>>Management. Type a name as the Router Name and click 4. Next, open Applications>>Bonjour. Check the service that you want to use via Bonjour. 5.
  • Page 184 6. Now, any page or document can be printed out through Vigor router (installed with a printer).
  • Page 185: II-4-12 High Availability

    The High Availability (HA) feature refers to the awareness of component failure and the availability of backup resources. The complexity of HA is determined by the availability needs and the tolerance of system interruptions. Systems that provide nearly full-time availability typically have redundant hardware and software that make the system available despite failures.
  • Page 186 Available settings are explained as follows: Item Description Enable High Availability: Check this box to enable HA function. Redundancy Method: Choose Hot-Standby or Active-Standby as the method for Hot-Standby – Such method is suitable for a user which has one ISP account.
  • Page 187: II-4-12-1 General Setup

    function. WAN settings of primary and secondary routers can be the same. Note: When Hot-Standby is used, wireless LAN will be “enabled” automatically for clients connecting to the primary router; however, wireless LAN on the secondary router will be “disabled” directly. Thus clients cannot connect to the secondary router any more.
  • Page 188 several groups. Each router must be specified with one group ID. Different routers with the same ID value will be categorized into the same group. Only one of the routers in the same group will be selected as the primary router. Priority ID: Type a value (1~30).
  • Page 189: II-4-12-2 Config Sync

    This page is used to specify the synchronization time for this Vigor router and is only available when the Hot-Standby method is specified and High Availability is enabled. Available settings are explained as follows: Item Description Enable Config Sync (Max. Sync to 10 routers): Check this box to enable configuration synchronization. To sync configuration from primary to secondary router, both primary and secondary routers need to enable “config...
  • Page 190 Take the following picture as an example. The upper Vigor2952 is regarded as the primary device, the lower Vigor2952 is regarded as the secondary device. When the primary Vigor2952 Series breaks down, the secondary device can take over the primary role and all jobs as soon as possible.
  • Page 191: II-4-13 Local 802.1X General Setup

    Such page allows you to configure general settings for Local 802.1X server built in Vigor router. Available settings are explained as follows: Item Description Enable Click it to enable local 802.1X server. At present, such feature can be used for wireless and wired 802.1x authentication.
  • Page 192 enabled previously. Click it to save the settings. Clear Click it to remove previous setting configuration. Cancel Click it to give up all settings configuration. When you finish the configuration, please click OK to save and exit this page.
  • Page 193: Application Notes

    For simplifying the configuration of LDAP authentication for User Access Management, we implement “Group” feature. There is no need to pre-configure user profile for each user on Vigor router anymore. We only need to configure the Groups DN, then the Vigor router (e.g., Vigor2952 series) can pass the authentication to LDAP server with the pre-defined Group path.
  • Page 194 Click OK to save the settings above. Open User Management>>General Setup. Select User-Based as the Mode option.
  • Page 195 Then open VPN and Remote Access>>PPP General Setup to check the profile(s) that will be authenticated with LDAP server. After above configurations, users belonging to either “rd1” or “shrd” group can access Internet after inputting their credentials on LDAP server.
  • Page 196: Routing

    Route Policy (also well known as PBR, policy-based routing) is a feature where you may need to get a strategy for routing. The packets will be directed to the specified interface if they match one of the policies. You can set up route policies for various reasons such as load balance, security, routing decision, etc.
  • Page 197: Web User Interface

    Go to LAN to open setting page and choose Static Route. The router offers IPv4 and IPv6 for you to configure the static route. Both protocols bring different web pages. Available settings are explained as follows: Item Description Index The number (1 to 30) under Index allows you to open next page to set up static route.
  • Page 198 Here is an example (based on IPv4) of setting Static Route in Main Router so that users A and B located in different subnets can talk to each other via the router. Assuming the Internet access has been configured and the router works properly: ...
  • Page 199 Click the LAN >> Static Route and click on the Index Number 1. Check the Enable box. Please add a static route as shown below, which regulates all packets destined to 192.168.10.0 will be forwarded to 192.168.1.2. Click OK. Available settings are explained as follows: Item Description Enable...
  • Page 200 You can set up to 40 profiles for IPv6 static route. Click the IPv6 tab to open the following page: Available settings are explained as follows: Item Description Index The number (1 to 40) under Index allows you to open next page to set up static route.
  • Page 201: Ii-5-2 Load-Balance /Route Policy

    When you finish the configuration, please click OK to save and exit this page. Available settings are explained as follows: Item Description Index Click the number of index to access into the configuration web page. Enable Check this box to enable this policy. Protocol Display the protocol used for this policy.
  • Page 202 To use Wizard Mode, simply do the following steps: 1. Click the Wizard Mode radio button. 2. Click Index 1. The setting page will appear as follows: Available settings are explained as follows: Item Description Source IP Any – Any IP can be treated as the source IP. Src IP Start - Type the source IP start for the specified WAN interface.
  • Page 203 4. After specifying the interface, click Next to get the following page. Available settings are explained as follows: Item Description Force NAT /Force It determines which mechanism that the router will use to Routing forward the packet to WAN. 5. After choosing the mechanism, click Next to get the summary page for reference. 6.
  • Page 204 To use Advance Mode, do the following steps: 1. Click the Advance Mode radio button. 2. Click Index 2 to access into the following page. Available settings are explained as follows: Item Description Enable Check this box to enable this policy. Criteria Protocol Use the drop-down menu to choose a proper protocol for the...
  • Page 205 Dest IP Start- Type the destination IP start for the specified WAN interface. Dest IP End - Type the destination IP end for the specified WAN interface. If this field is blank, it means that all the destination IPs will be passed through the WAN interface. Destination Port Any –...
  • Page 206: Ii-5-2-2 Diagnose

    With the analysis done by such page, possible path (static route, routing table or policy route) of the packets sent out of the router can be traced. Available settings are explained as follows: Item Description Mode Analyze how a packet will be sent – Choose such mode to make Vigor router analyze how a single packet will be sent by a route policy.
  • Page 207 Analyze – Click it to perform the job of analyzing. The analyzed result will be shown on the page. If required, click export analysis to export the result as a file. Note that the analysis was based on the current "load-balance/route policy"...
  • Page 208: Application Notes

    Info The web user interface will be revised later. Example 1: In the following figure, a LAN to LAN VPN tunnel is built between DrayTek VPN router (e.g., Vigor2952 Series) and the remote router. Firewall Router can receive all of the traffic coming from remote PC which wants to access into Internet;...
  • Page 209 Click any Index number link (e.g., 1 in this case). Configure the settings as follows. Now, if you want such route policy to be applied by Vigor router with higher priority, please adjust the value of Priority for such route policy. In general, default route is specified with the lowest priority for its value is fixed as “250”.
  • Page 210 Example 2: Below shows a scenario that local users behind Vigor router A want to access into a remote service (e.g., YouTube) which is blocked or restricted by local Service Provider in area with restrictions. A policy route can be created by the side of Router A to break through the Internet censorship circumvention.
  • Page 211: How To Setup Address Mapping

    Click OK to save the settings. Address Mapping is used to map a specified private IP or a range of private IPs of NAT subnet into a specified WAN IP (or WAN IP alias IP). Refer to the following figure. Suppose the WAN settings for a router are configured as follows: WAN1: 202.211.100.10, WAN1 alias: 202.211.100.11 WAN2: 203.98.200.10...
  • Page 212 Click the Details Page of WAN 1 to open the following page. From the above figure, set main WAN IP address as 202.211.100.10. Click the WAN IP Alias button to configure the other IP address which is 202.211.100.11. Make sure Join IP NAT Pool is not checked. Click OK to save the settings.
  • Page 213 After finishing the configuration for WAN1, open Load-Balance/Route Policy. Click Index number 1 and 2 to configure the details. After finishing the settings, click OK to save the settings respectively.
  • Page 214 Upon completing the above configuration, you have specified the outgoing IP address(es) for some specific computers. Now, you bind some specific computers to some WAN IP alias for outgoing traffic.
  • Page 215: How To Setup Load Balance For Packets

    The following figure shows a simple application of load balance. WAN1 and WAN2 can be used to access into Internet. The PC in LAN1 can send the data to the remote PC through the specified WAN1. Access into web user interface of Vigor2952 Series. Open Load-Balance/Route Policy>>General Setup.
  • Page 216 In the following page, check Enable; set Dest IP Start and Dest IP End with 203.65.1.35 and 203.65.1.35; choose WAN1 as the Interface; click default gateway. After finishing the above settings, click OK to save the configuration. Now, the packets sent to the remote PC (IP address: 203.65.1.35) will be forced to pass through WAN1.
  • Page 217: Hardware Acceleration

    Hardware Acceleration is also called PPA in DrayTek for it is based on Protocol Processing Engine (PPE) of Infineon. It can only support 128 sessions for network traffic (IN & OUT) with implementing three kinds of modes - Disable, Auto and Manual. When the data traffic is heavy and data transmission is getting slower and slower, you can configure this page to accelerate the data streaming by hardware itself.
  • Page 218 Protocol Such option is available when Manual is selected as Mode. There are two types supported by this function, TCP and UDP. Option Such option is available when Manual is selected as Mode. Accelerate most heavy traffic sessions – Such option is available in Auto Mode, too.
  • Page 219: Part Iii Wireless Lan

    Wireless LAN enables high mobility so WLAN users can simultaneously access all LAN facilities just like on a wired LAN as well as Internet access.
  • Page 220 This function is used for “n” models only. Over recent years, the market for wireless communications has enjoyed tremendous growth. Wireless technology now reaches or is capable of reaching virtually every location on the surface of the earth. Hundreds of millions of people exchange information every day via wireless communication products.
  • Page 221 Vigor Router is equipped with a hardware AES encryption engine so it can apply the highest protection to your data without influencing user experience. To ensure the security and privacy of your wireless communication, we provide several prevailing standards on market. WEP (Wired Equivalent Privacy) is a legacy method to encrypt each frame transmitted via radio using either a 64-bit or 128-bit key.
  • Page 222 WPS (Wi-Fi Protected Setup) provides easy procedure to make network connection between wireless station and wireless access point (vigor router) with the encryption of WPA and WPA2.
  • Page 223: Web User Interface

    The wireless wizard allows you to configure settings specified for a host AP (for home use or internal use for a company) and specified for a guest AP (for any wireless clients accessing into Internet). Follow the steps listed below: 1.
  • Page 224 determine for you. Security Key The wireless mode offered by this wizard is WPA2/PSK. The WPA encrypts each frame transmitted from the radio using the key, which either PSK (Pre-Shared Key) entered manually in this field below or automatically negotiated via 802.1x authentication.
  • Page 225 4. After typing the required information, click Next. 5. The following page will display the configuration summary for wireless setting. 6. Click Finish to complete the wireless settings configuration.
  • Page 226: Iii-1-2 General Setup

    By clicking the Wireless LAN>> General Settings, a new web page will appear so that you could configure the SSID and the wireless channel. Please refer to the following figure for more information. Available settings are explained as follows: Item Description Enable Wireless LAN Check the box to enable wireless function.
  • Page 227 SSID Means the identification of the wireless LAN. SSID can be any text numbers or various special characters. Isolate Member –Check this box to make the wireless clients (stations) with the same SSID not accessing for each other. VPN – Check this box to make the wireless clients (stations) with different VPN not accessing for each other.
  • Page 228: Iii-1-3 Security

    This page allows you to set security with different modes for SSID 1, 2, 3 and 4 respectively. After configuring the correct settings, please click OK to save and invoke it. The password (PSK) of default security mode is provided and stated on the label pasted on the bottom of the router.
  • Page 229 simultaneously if 802.1x mode is selected. Disable - Turn off the encryption mechanism. WEP-Accepts only WEP clients and the encryption key should be entered in WEP Key. WEP/802.1x Only - Accepts only WEP clients and the encryption key is obtained dynamically from RADIUS server with 802.1X protocol.
  • Page 230: Iii-1-4 Access Control

    In the Access Control, the router may restrict wireless access to certain wireless clients only by locking their MAC address into a black or white list. The user may block wireless clients by inserting their MAC addresses into a black list, or only let them be able to connect by inserting their MAC addresses into a white list.
  • Page 231: Iii-1-5 Wps

    Cancel Give up the access control set up. Click it to save the access control list. Clear All Clean all entries in the MAC address list. After finishing all the settings here, please click OK to save the configuration. WPS (Wi-Fi Protected Setup) provides easy procedure to make network connection between wireless station and wireless access point (vigor router) with the encryption of WPA and WPA2.
  • Page 232 On the side of Vigor 2952 series which served as an AP, press WPS button once on the front panel of the router or click Start PBC on web configuration interface. On the side of a station with network card installed, press Start PBC button of network card.
  • Page 233 Below shows Wireless LAN>>WPS web page: Available settings are explained as follows: Item Description Enable WPS Check this box to enable WPS setting. WPS Status Display related system information for WPS. If the wireless security (encryption) function of the router is properly configured, you can see ‘Configured’...
  • Page 234: Iii-1-6 Wds

    WDS means Wireless Distribution System. It is a protocol for connecting two access points (AP) wirelessly. Usually, it can be used for the following application: • Provide bridge traffic between two LANs through the air. • Extend the coverage range of a WLAN. To meet the above requirement, two WDS modes are implemented in Vigor router.
  • Page 235 Click WDS from Wireless LAN menu. The following page will be shown. Available settings are explained as follows: Item Description Mode Choose the mode for WDS setting. Disable mode will not invoke any WDS setting. Bridge mode is designed to fulfill the first type of application.
  • Page 236 Security There are three types for security, Disable and Pre-shared key. The setting you choose here will make the following WEP or Pre-shared key field valid or not. Choose one of the types for the router. Pre-shared Key Type – There are some types for you to choose. WPA and WPA2 are used for WDS devices (e.g.2952n wireless router, you can set the encryption mode as WPA or WPA2 to establish your WDS system between AP and the router.
  • Page 237: Iii-1-7 Advanced Setting

    This page allows users to set advanced settings such as operation mode, channel bandwidth, guard interval, and aggregation MSDU for wireless data transmission. Available settings are explained as follows: Item Description Operation Mode Mixed Mode – the router can transmit data with the ways supported in both 802.11a/b/g and 802.11n standards.
  • Page 238 Long Preamble This option is to define the length of the sync field in an 802.11 packet. Most modern wireless network uses short preamble with 56 bit sync field instead of long preamble with 128 bit sync field. However, some original 11b wireless network devices only support long preamble.
  • Page 239 Rate Adaptation Algorithm Wireless transmission rate is adapted dynamically. Usually, performance of “new” algorithm is better than “old”. Fragment Length Set the Fragment threshold of wireless radio. Do not modify default value if you don’t know what it is, default value is (256 –...
  • Page 240: Iii-1-8 Ap Discovery

    Vigor router can scan all regulatory channels and find working APs in the neighborhood. Based on the scanning result, users will know which channel is clean for usage. Also, it can be used to facilitate finding an AP for a WDS link. Notice that during the scanning process (about 5 seconds), no client is allowed to connect to Vigor.
  • Page 241: Iii-1-9 Station List

    Station List provides the knowledge of connecting wireless clients now along with its status code. There is a code summary below for explanation. For convenient Access Control, you can select a WLAN station and click Add to Access Control below. Available settings are explained as follows: Item Description...
  • Page 242: Iii-1-10 Station Control

    Station Control is used to specify the duration for the wireless client to connect and reconnect Vigor router. If such function is not enabled, the wireless client can connect Vigor router until the router shuts down. Such feature is especially useful for free Wi-Fi service. For example, a coffee shop offers free Wi-Fi service for its guests for one hour every day.
  • Page 243: Iii-1-11 Bandwidth Management

    The downstream or upstream from FTP, HTTP or some P2P applications will occupy a large amount of bandwidth and affect the applications for other programs. Please use Bandwidth Management to make the bandwidth usage more efficient. Available settings are explained as follows: Item Description SSID...
  • Page 245: Part Iv Vpn

    A Virtual Private Network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet. In short, by VPN technology, you can send data between two computers across a shared or public network in a manner that emulates the properties of a point-to-point private link.
  • Page 246: Vpn And Remote Access

    A Virtual Private Network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet. In short, by VPN technology, you can send data between two computers across a shared or public network in a manner that emulates the properties of a point-to-point private link.
  • Page 247: Web User Interface

    Such wizard is used to configure VPN settings for VPN client. Such wizard will guide to set the LAN-to-LAN profile for VPN dial out connection (from server to client) step by step. Open Wizards>>VPN Client Wizard. The following page will appear. Available settings are explained as follows: Item Description...
  • Page 248 When you finish the mode and profile selection, please click Next to open the following page. In this page, you have to select suitable VPN type for the VPN client profile. There are six types provided here. Different type will lead to different configuration page. After making the choices for the client profile, please click Next.
  • Page 249 When you choose IPsec, you will see the following graphic:
  • Page 250 When you choose L2TP, you will see the following graphic: When you choose L2TP over IPsec (Nice to Have) or L2TP over IPsec (Must), you will see the following graphic:
  • Page 251 When you choose SSL, you will see the following graphic: Available settings are explained as follows: Item Description Profile Name Type a name for such profile. The length of the file is limited to 10 characters. VPN Dial-Out Through Use the drop down menu to choose a proper WAN interface for this profile.
  • Page 252 Digital Signature Click Digital Signature to invoke this function. (X.509) Peer ID – Choose the peer ID selection from the drop down list. Local ID – Choose Alternative Subject Name First or Subject Name First. Local Certificate – Use the drop down list to choose one of the certificates for using.
  • Page 253 Item Description Go to the VPN Click this radio button to access VPN and Remote Connection Access>>Connection Management for viewing VPN Management Connection status. Do another VPN Click this radio button to set another profile of VPN Server Server Wizard Setup through VPN Server Wizard.
  • Page 254: Iv-1-2 Vpn Server Wizard

    Such wizard is used to configure VPN settings for VPN server. Such wizard will guide to set the LAN-to-LAN profile for VPN dial in connection (from client to server) step by step. Open Wizards>>VPN Server Wizard. The following page will appear. Available settings are explained as follows: Item Description...
  • Page 255 Different Dial-in Type will lead to different configuration page. In addition, adjustable items for each dial-in type will be changed according to the VPN Server Mode (Site to Site VPN and Remote Dial-in User) selected. After making the choices for the server profile, please click Next. You will see different configurations based on the selection you made.
  • Page 256 Available settings are explained as follows: Item Description Profile Name Type a name for such profile. The length of the file is limited to 10 characters. User Name This field is used to authenticate for connection when you select PPTP or L2TP with or without IPsec policy above. The length of the name is limited to 11 characters.
  • Page 257 After finishing the configuration, please click Next. The confirmation page will be shown as follows. If there is no problem, you can click one of the radio buttons listed on the page and click Finish to execute the next action. Available settings are explained as follows: Item Description...
  • Page 258: Iv-1-3 Remote Access Control

    Enable the necessary VPN service as you need. If you intend to run a VPN server inside your LAN, you should disable the VPN service of Vigor Router to allow VPN tunnel pass through, as well as the appropriate NAT settings, such as DMZ or open port. After finishing all the settings here, please click OK to save the configuration.
  • Page 259: Iv-1-4 Ppp General Setup

    This submenu only applies to PPP-related VPN connections, such as PPTP, L2TP, L2TP over IPsec. Available settings are explained as follows: Item Description Dial-In PPP Authentication PAP Only - Select this option to force the router to authenticate dial-in users with the PAP protocol. PAP/CHAP/MS-CHAP/MS-CHAPv2 - Selecting this option means the router will attempt to authenticate dial-in users with the CHAP protocol first.
  • Page 260 bi-directional authentication in order to provide stronger security, for example, Cisco routers. So you should enable this function when your peer router requires mutual authentication. You should further specify the User Name and Password of the mutual authentication peer. The length of the name/password is limited to 23/19 characters.
  • Page 261: Iv-1-5 Ipsec General Setup

    In IPsec General Setup, there are two major parts of configuration. There are two phases of IPsec. Phase 1: negotiation of IKE parameters including encryption, hash, Diffie-Hellman parameter values, and lifetime to protect the following IKE exchange, authentication of both peers using either a Pre-Shared Key or Digital Signature (x.509).
  • Page 262: Iv-1-6 Ipsec Peer Identity

    Key. Certificate for Dial-in –Choose one of the local certificates from the drop down list. Pre-Shared Key- Specify a key for IKE authentication. Confirm Pre-Shared Key- Retype the characters to confirm the pre-shared key. Any packets from the remote dial-in user which does not match the rule defined in VPN and Remote Access>>Remote Dial-In User will be applied with the method specified here.
  • Page 263 Name Display the profile name of that index. Click each index to edit one peer digital certificate. There are three security levels of digital signature authentication: Fill each necessary field to authenticate the remote peer. The following explanation will guide you to fill all the necessary fields. Available settings are explained as follows: Item Description...
  • Page 264: Iv-1-7 Remote Dial-In User

    You can manage remote access by maintaining a table of remote user profile, so that users can be authenticated to dial-in via VPN connection. You may set parameters including specified connection peer ID, connection type (VPN connection - including PPTP, IPsec Tunnel, and L2TP by itself or over IPsec) and corresponding security methods, etc.
  • Page 265 Click each index to edit one remote user profile. Each Dial-In Type requires you to fill the different corresponding fields on the right. If the fields gray out, it means you may leave it untouched. The following explanation will guide you to fill all the necessary fields. Available settings are explained as follows: Item Description...
  • Page 266 remote dial-in user, ISDN number or peer ID (used in IKE aggressive mode). Uncheck the checkbox means the connection type you select above will apply the authentication methods and security methods in the general settings. Netbios Naming Packet - Pass –...
  • Page 267: Iv-1-8 Lan To Lan

    Local ID (Optional)- Specify a local ID to be used for Dial-in setting in the LAN-to-LAN Profile setup. This item is optional and can be used only in IKE aggressive mode. After finishing all the settings here, please click OK to save the configuration. Here you can manage LAN-to-LAN connections by maintaining a table of connection profiles.
  • Page 268 Available settings are explained as follows: Item Description View All – Click it to display the LAN to LAN profiles. Trunk – Click it to display the Trunk profiles. Set to Factory Default Click to clear all indexes. Name Indicate the name of the LAN-to-LAN profile. The symbol ??? represents that the profile is empty.
  • Page 269 Item Description Common Settings Profile Name – Specify a name for the profile of the LAN-to-LAN connection. Enable this profile - Check here to activate this profile. VPN Dial-Out Through - Use the drop down menu to choose a proper WAN interface for this profile. This setting is useful for dial-out only.
  • Page 270 of redial. Normally, if any one of VPN peers wants to disconnect the connection, it should follow a series of packet exchange procedures to inform each other. However, if the remote peer disconnects without notice, Vigor router will have no way to know this situation. To resolve this dilemma, by continuously sending PING packets to the remote host, the Vigor router can know the true existence of this VPN connection and react accordingly.
  • Page 271 optional and can be used only in IKE aggressive mode. Local Certificate – Select one of the profiles set in Certificate Management>>Local Certificate. IPsec Security Method - This group of fields is a must for IPsec Tunnels and L2TP with IPsec Policy. Medium AH (Authentication Header) means data will ...
  • Page 272 28800 seconds. You may specify a value in between 900 and 86400 seconds. IKE phase 2 key lifetime-For security reason, the lifetime of key should be defined. The default value is 3600 seconds. You may specify a value in between 600 and 86400 seconds.
  • Page 273 the User Name and Password of remote dial-in user below. IPsec Tunnel- Allow the remote dial-in user to trigger an IPsec VPN connection through Internet. L2TP with IPsec Policy - Allow the remote dial-in user to make a L2TP VPN connection through the Internet. You can select to use L2TP alone or with IPsec.
  • Page 274 Subject Name First – The subject name (configured in Certificate Management>>Local Certificate) will be inspected first. IPsec Security Method - This group of fields is a must for IPsec Tunnels and L2TP with IPsec Policy when you specify the remote node. Medium- Authentication Header (AH) means data will ...
  • Page 275 through the VPN connection. This is usually used when you find there are several subnets behind the remote VPN router. RIP Direction - The option specifies the direction of RIP (Routing Information Protocol) packets. You can enable/disable one of direction here. Herein, we provide four options: TX/RX Both, TX Only, RX Only, and Disable.
  • Page 276 Translated Type – There are two types for you to choose: Whole Subnet and Specific IP Address. Virtual IP Mapping – A pop up dialog will appear for you to specify the local IP address and the mapping virtual IP address.
  • Page 277: Iv-1-9 Vpn Trunk Management

    VPN trunk includes four features - VPN Backup, VPN load balance, GRE over IPsec, and Binding tunnel policy. VPN TRUNK Management is a backup mechanism which can set multiple VPN tunnels as backup tunnel. It can assure the network connection not to be cut off due to network environment blocked by any reason.
  • Page 278 Available settings are explained as follows: Item Description Backup Profile List Set to Factory Default - Click to clear all VPN TRUNK-VPN Backup mechanism profile. No – The order of VPN TRUNK-VPN Backup mechanism profile. Status - “v” means such profile is enabled; “x” means such profile is disabled.
  • Page 279 Detailed information for this dialog, see later section - Advanced Load Balance and Backup. Load Balance Profile List Set to Factory Default - Click to clear all VPN TRUNK-VPN Load Balance mechanism profile. - The order of VPN TRUNK-VPN Load Balance mechanism profile.
  • Page 280 General Setup Status- After choosing one of the profile listed above, please click Enable to activate this profile. If you click Disable, the selected or current used VPN TRUNK-Backup/Load Balance mechanism profile will not have any effect for VPN tunnel. Profile Name- Type a name for VPN TRUNK profile.
  • Page 281 First of all, go to VPN and Remote Access>>LAN-to-LAN. Set two or more LAN-to-LAN profiles first that will be used for Member1 and Member2. If you do not set enough LAN-to-LAN profiles, you cannot operate VPN TRUNK – VPN Backup /Load Balance mechanism profile management well.
  • Page 282 Later, on peer side (as VPN Client): please type 192.168.50.100 in the field of My GRE IP and type IP address of the server (192.168.50.200) in the field of Peer GRE IP. After setting profiles for load balance, you can choose any one of them and click Advance for more detailed configuration.
  • Page 283 Available settings are explained as follows: Item Description Profile Name List the load balance profile name. Load Balance Algorithm Round Robin – Based on packet base, both tunnels will send the packet alternatively. Such method can reach the balance of packet transmission with fixed rate. Weighted Round Robin –...
  • Page 284 Tunnel Bind Table Index- 128 Binding tunnel tables are provided by this device. Specify the number of the tunnel for such Load Balance profile. Active – In-active/Delete can delete this binding tunnel table. Active can activate this binding tunnel table. Binding Dial Out Index –...
  • Page 285 To configure a successful binding tunnel, you have to: Type Binding Src IP range (Start and End) and Binding Des IP range (Start and End). Choose TCP/UDP, IGMP/ICMP or Other as Binding Protocol. Available settings are explained as follows: Item Description Profile Name List the backup profile name.
  • Page 286: Iv-1-10 Connection Management

    Member 1 will be the top priority for the system to do VPN connection. Detail Information This field will display detailed information for Environment Recovers Detection. You can find the summary table of all VPN connections. You may disconnect any VPN connection by clicking Drop button.
  • Page 287 information among 5, 10, and 30. Refresh - Click this button to refresh the whole connection status.
  • Page 288: Application Notes

    Log into the web user interface of Vigor router. Open VPN and Remote Access>>LAN to LAN to create a LAN-to-LAN profile. The following settings are for a permanent VPN connection. Click any index number to open the configuration page. Type a name which is easy for identification for such profile (in this case, type VPN Server), and check the box of Enable This Profile.
  • Page 289 Now navigate to the next section, Dial-In Settings to check PPTP, IPsec Tunnel and L2TP boxes. Check the box of Specify Remote… and type the Peer VPN Server IP (e.g., 218.242.130.19 in this case). Press the IKE Pre-Shared Key button to set the PSK; and select Medium (AH) or High (ESP) as the security method.
  • Page 290 Click OK to save the settings. Open VPN and Remote Access>>Connection Management to check the dial-in connection status (from branch office). Log into the web user interface of Vigor router. Open VPN and Remote Access>>LAN to LAN to create a LAN-to-LAN profile. The following settings are for a permanent VPN connection.
  • Page 291 Now navigate to the next section, Dial-Out Settings to select the IPsec Tunnel service and type the remote server IP/host name (e.g., 218.242.133.91, in this case). Press the IKE Pre-Shared Key button to set the PSK; and select Medium (AH) or High (ESP) as the security method.
  • Page 292 Open VPN and Remote Access>>Connection Management to check the dial-in connection status (from head office).
  • Page 293: Ssl Vpn

    An SSL VPN (Secure Sockets Layer virtual private network) is a form of VPN that can be used with a standard Web browser. There are two benefits that SSL VPN provides: - It is not necessary for users to preinstall VPN client software for executing SSL VPN connection.
  • Page 294: Web User Interface

    This page determines the general configuration for SSL VPN Server and SSL Tunnel. Available settings are explained as follows: Item Description Bind to WAN Choose and check WAN interface(s) for SSL VPN tunnel establishment. Port Such port is set for SSL VPN server. It will not affect the HTTPS Port configuration set in System Maintenance>>Management.
  • Page 295: Iv-2-2 Ssl Web Proxy

    SSL Web Proxy will allow the remote users to access the internal web sites over SSL. Each item is explained as follows: Item Description Name Display the name of the profile that you create. Display the URL. Active Display current status (active or inactive) of such profile. Click number link under Index field to set detailed configuration.
  • Page 296 Host IP Address If you type function variation as URL, you have to type corresponding IP address in this field. Such field must match with URL setting. Access Method There are three modes for you to choose. Disable – The profile will be inactive. If you choose Disable, all the web proxy profiles that appear under the VPN remote dial-in web page will disappear.
  • Page 297: Iv-2-3 Ssl Application

    It provides a secure and flexible solution for network resources, including VNC (Virtual Network Computer) /RDP (Remote Desktop Protocol), to any remote user with access to Internet and a web browser. Each item is explained as follows: Item Description Name Display the application name of the profile that you create.
  • Page 298 Server Application Name Type a name for such application. The length of the name is limited to 23 characters. Application There are two types offered for you to create an application profile. Virtual Network Computing (VNC) – It allows you to access and control a remote PC through VNC protocol.
  • Page 299: Iv-2-4 User Account

    With SSL VPN, Vigor2952 Series lets teleworkers have convenient and simple remote access to central site VPN. The teleworkers do not need to install any VPN software manually. From regular web browser, you can establish VPN connection back to your main office even in a guest network or web cafe.
  • Page 300 Click each index to edit one remote user profile. Available settings are explained as follows: Item Description User account and Enable this account - Check the box to enable this function. Authentication Idle Timeout- If the dial-in user is idle over the limitation of the timer, the router will drop this connection.
  • Page 301 Item Description L2TP with IPSec Policy - Allow the remote dial-in user to make a L2TP VPN connection through the Internet. You can select to use L2TP alone or with IPSec. Select from below: - None - Do not apply the IPSec policy. Accordingly, a VPN connection that uses L2TP without an IPSec policy can be viewed as a pure L2TP connection.
  • Page 302 Item Description Medium, DES, 3DES or AES box as the security method. Medium-Authentication Header (AH) means data will be authenticated, but not be encrypted. By default, this option is invoked. You can uncheck it to disable it. High-Encapsulating Security Payload (ESP) means payload (data) will be encrypted and authenticated.
  • Page 303: Iv-2-5 User Group

    There are 10 user group profiles which can be created for authentication by LDAP server. Such profiles will be used by applications such as User Management, VPN, etc. Each item is explained as follows: Item Description Set to Factory Default Click to clear all indexes.
  • Page 304 Available settings are explained as follows: Item Description Enable Check this box to enable such profile. Group Name Type a name for such profile. The length of the name is limited to 23 characters. Access Authority Specify the authority for such profile. At present, Vigor router allows you to create SSL Web Proxy and SSL Application profiles used for SSL VPN.
  • Page 305: Iv-2-6 Online User Status

    If you have finished the configuration of SSL Web Proxy (server), users can find out corresponding settings when they access into DrayTek SSL VPN portal interface. Next, users can open SSL VPN>> Online Status to view logging status of SSL VPN. Available settings are explained as follows: Item Description...
  • Page 306: Certificate Management

    A digital certificate works as an electronic ID, which is issued by a certification authority (CA). It contains information such as your name, a serial number, expiration dates etc., and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real.
  • Page 307: Web User Interface

    Available settings are explained as follows: Item Description Generate Click this button to open Generate Certificate Request window. Type in all the information that the window requests. Then click Generate again. Import Click this button to import a saved file as the certification information.
  • Page 308 Info Please note that “Common Name” must be configured with router’s WAN IP or domain name. After clicking GENERATE, the generated information will be displayed on the window below: Vigor router allows you to generate a certificate request and submit it to the CA server, then import it as “Local Certificate”.
  • Page 309 Available settings are explained as follows: Item Description Upload Local Certificate It allows users to import the certificate which is generated by Vigor router and signed by CA server. If you have done well in certificate generation, the Status of the certificate will be shown as “OK”.
  • Page 310 Click this button to refresh the information listed below. Click this button to view the detailed settings for certificate request. Info You have to copy the certificate request information from above window. Next, access your CA server and enter the page of certificate request, copy the information into it and submit a request.
  • Page 311: Iv-3-2 Trusted Ca Certificate

    Trusted CA certificate lists three sets of trusted CA certificate. In addition, you can build a RootCA certificate if required. When the local client and remote client are required to make certificate authentication (e.g., IPsec X.509) for data passing through SSL tunnel and avoiding the attack of MITM, a trusted root certificate authority (Root CA) will be used to authenticate the digital certificates offered by both ends.
  • Page 312 Click Create to open the following page. Type in all the information that the window requests, such as certificate name (used for identifying different certificates), subject alternative name type and relational settings for subject name. Then click GENERATE again. To import a pre-saved trusted CA certificate, please click IMPORT to open the following window.
  • Page 313: Iv-3-3 Certificate Backup

    Local certificate and Trusted CA certificate for this router can be saved within one file. Please click Backup on the following screen to save them. If you want to set encryption password for these certificates, please type characters in both fields of Encrypt password and Confirm password.
  • Page 315: Part V Security

    While broadband users demand more bandwidth for multimedia, interactive applications, or distance learning, security has always been the foremost concern. The firewall of the Vigor router helps to protect your local network against attack from unauthorized outsiders. It also restricts users in the local network from accessing the Internet.
  • Page 317 Stateful inspection is a firewall architecture that works at the network layer. Unlike legacy static packet filtering, which examines a packet based on the information in its header, stateful inspection builds up a state machine to track each connection traversing all interfaces of the firewall and makes sure they are valid.
  • Page 318: Web User Interface

    Below shows the menu items for Firewall. General Setup allows you to adjust settings of IP Filter and common options. Here you can enable or disable the Call Filter or Data Filter. Under some circumstances, your filter sets can be linked to work in a serial manner, so here you assign the Start Filter Set only. You can also configure the Log Flag settings, Apply IP filter to VPN incoming packets, and Accept incoming fragmented UDP packets.
  • Page 319: Firewall

    Available settings are explained as follows: Item Description Call Filter Check Enable to activate the Call Filter function. Assign a start filter set for the Call Filter. Data Filter Check Enable to activate the Data Filter function. Assign a start filter set for the Data Filter. Accept large incoming…...
  • Page 320 Such page allows you to choose filtering profiles including QoS, Load-Balance policy, WCF, APP Enforcement, URL Content Filter, and DNS Filter for data transmission via Vigor router. Available settings are explained as follows: Item Description Filter Select Pass or Block for the packets that do not match with the filter rules.
  • Page 321 selected here. For detailed information, refer to the section of APP Enforcement profile setup. For troubleshooting needs, you can specify to record information for IM/P2P by checking the Log box. It will be sent to Syslog server. Please refer to section Syslog/Mail Alert for more detailed information.
  • Page 322 Window size – It determines the size of TCP protocol (0~65535). The larger the value, the better the performance will be. However, if the network is not stable, a small value is more suitable. Session timeout – Setting timeout for sessions can make the best utilization of network resources.
  • Page 323: V-1-2 Filter Setup

    Click Firewall and click Filter Setup to open the setup page. To edit or add a filter, click on the set number to edit the individual set. The following page will be shown. Each filter set contains up to 7 rules. Click on the rule number button to edit each rule.
  • Page 324 Action Display the packets to be passed /blocked. Display the content security managed Move Up/Down Use Up or Down link to move the order of the filter rules. Next Filter Set Set the link to the next filter set to be executed after the current filter run.
  • Page 325 Source/Destination IP Click Edit to access into the following dialog to choose the source/destination IP or IP ranges. To set the IP address manually, please choose Any Address/Single Address/Range Address/Subnet Address as the Address Type and type them in this dialog. In addition, if you want to use the IP range from defined groups or objects, please choose Group and Objects as the Address Type.
  • Page 326 3. Click Next to get the following page. Available settings are explained as follows: Item Description Pass Immediately Packets matching the rule will be passed immediately. APP Enforcement - Select an APP Enforcement profile for global IM/P2P application blocking. If there is no profile for you to select, please choose [Create New] from the drop down list in this page to create a new profile.
  • Page 327 4. After choosing the mechanism, click Next to get the summary page for reference. 5. If there is no error, click Finish to complete wizard setting.
  • Page 328 To use Advance Mode, do the following steps: 1. Click the Advance Mode radio button. 2. Click Index 1 to access into the following page. Available settings are explained as follows: Item Description Check to enable the Check this box to enable the filter rule. Filter Rule Comments Enter filter set comments/description.
  • Page 329 Note that RT means routing domain for 2nd subnet or other LAN. Source/Destination IP Click Edit to access into the following dialog to choose the source/destination IP or IP ranges. To set the IP address manually, please choose Any Address/Single Address/Range Address/Subnet Address as the Address Type and type them in this dialog.
  • Page 330 Service Type. Protocol - Specify the protocol(s) which this filter rule will apply to. Source/Destination Port – (=) – when the first and last value are the same, it indicates one port; when the first and last values are different, it indicates a range for the port and available for this service type.
  • Page 331 Quality of Service Choose one of the QoS rules to be applied as firewall rule. For detailed information of setting QoS, please refer to the related section later. User Management Such item is available only when Rule-Based is selected in User Management>>General Setup.
  • Page 332 first. Or click the DNS Filter link from the drop down list in this page to create a new profile. Advance Setting Click Edit to open the following window. However, it is strongly recommended to use the default settings here. Codepage - This function is used to compare the characters among different languages.
  • Page 333 Strict Security Checking - All the packets, while transmitting through Vigor router, will be filtered by firewall settings configured by Vigor router. When the resource is inadequate, the packets will be blocked if Strict Security Checking is enabled. If Strict Security Checking is not enabled, then the packets will pass through the router.
  • Page 334: V-1-3 Dos Defense

    As a sub-functionality of IP Filter/Firewall, there are 15 types of detect/defense functions in the DoS Defense setup. The DoS Defense functionality is disabled by default. Click Firewall and click DoS Defense to open the setup page. Available settings are explained as follows: Item Description Enable Dos Defense...
  • Page 335 for a period defined in Timeout. The default setting for threshold and timeout are 2000 packets per second and 10 seconds, respectively. That means, when 2000 packets per second are received, they will be regarded as “attack event” and the session will be paused for 10 seconds.
  • Page 336 from the Internet might be dropped. Block TCP flag scan Check the box to activate the Block TCP flag scan function. Any TCP packet with anomaly flag setting is dropped. Those scanning activities include no flag scan, FIN without ACK scan, SYN FIN scan, Xmas scan and full Xmas scan.
  • Page 338: V-1-4 Diagnose

    The purpose of this function is to test which firewall rule will be applied when the router receives an incoming packet. The test result, including firewall rule profile, IP address translation in packet transmission, state of the firewall functions, etc., will also be shown on this page.
  • Page 339 Dst IP Type the IPv4/IPv6 address of the packet’s destination. Dst Port Type the port number of the packet’s destination. Packet & Payload In firewall diagnose, two packets belong to one connection. In general, two packets are enough for Vigor router to perform this test.
  • Page 340 The following figure shows the test result after clicking Analyze. Processing state for the functions (MAC Filter, QoS, User management, etc.) related to the firewall will be displayed by green or red LED.
  • Page 341: Application Notes

    We can allow only certain computers (e.g., 192.168.1.10 ~ 192.168.1.20) to access the Internet through Vigor router. Others (e.g., 192.168.1.31 and 192.168.1.32) outside the range can reach resources on the LAN only. To do this, set two rules under Firewall. Because Rule 1 of Set 2 under Firewall>>Filter Setup is used as the default setting, we have to create a new rule starting from Filter Rule 2 of Set 2.
  • Page 342 Check the box of Check to enable the Filter Rule. Type the comments (e.g., block_all). Choose Block If No Further Match for the Filter setting. Then, click OK. Info By default, the router will check the packets starting with Set 2, Filter Rule 2 to Filter Rule 7.
  • Page 343 A dialog box will be popped up. Choose Range Address as Address Type by using the drop down list. Type 192.168.1.10 in the field of Start IP, and type 192.168.1.20 in the field of End IP. Then, click OK to save the settings. The computers within the range can access into the Internet.
  • Page 344 Both filter rules have been created. Click OK. Now, all the settings are configured. Only the computers with the IP addresses within 192.168.1.10 ~ 192.168.1.20 can access the Internet.
  • Page 345: Central Security Management (Csm)

    CSM is an abbreviation of Central Security Management which is used to control IM/P2P usage, filter the web content and URL content to reach a goal of security management. As all kinds of instant messenger applications grow in popularity, communication could hardly be easier.
  • Page 346: Web User Interface

    You can define policy profiles for IM (Instant Messenger)/P2P (Peer to Peer)/Protocol/Misc application. This page allows you to set 32 profiles for different requirements. The APP Enforcement Profile will be applied in Default Rule of Firewall>>General Setup for filtering. Available settings are explained as follows: Item Description Set to Factory Default...
  • Page 347 Below shows the items which are categorized under IM. Available settings are explained as follows: Item Description Profile Name Type a name for the CSM profile. The maximum length of the name you can set is 15 characters. Select All Click it to choose all of the items in this page.
  • Page 348: V-2-2 Appe Signature Upgrade

    The APPE Enforcement Profile adopted by Vigor router will be treated as the APPE signature. DrayTek will periodically upgrade versions for all of the APPs supported by Vigor router. However, it might be inconvenient for users to upgrade the APP version one by one. This feature is specially designed to offer a quick method to execute APP version upgrade.
  • Page 349: V-2-3 Url Content Filter Profile

    from MyVigor portal or FTP server previously. Then, click Upgrade and wait for the system to complete the process. Upgrade Automatically Scheduled Update - Check the box to make Vigor router upgrade the APPE signature based on the schedule configured here. After finishing all the settings, please click OK to save the configuration.
  • Page 350 Each item is explained as follows: Item Description Set to Factory Default Clear all profiles. Profile Display the number of the profile which allows you to click to set different policy. Name Display the name of the URL Content Filter Profile. Administration Message You can type the message manually for your necessity.
  • Page 351 name you can set is 15 characters. Priority It determines the action that this router will apply. Both: Pass – The router will let all the packets that match with the conditions specified in URL Access Control and Web Feature below pass through. When you choose this setting, both configurations set in this page for URL Access Control and Web Feature will be inactive.
  • Page 352 - Pass - Allow accessing into the corresponding webpage with the keywords listed on the box below. - Block - Restrict accessing into the corresponding webpage with the keywords listed on the box below. If the web pages do not match with the keyword set here, it will be processed with reverse action.
  • Page 353: V-2-4 Web Content Filter Profile

    great value to provide the blocking mechanism that filters out the multimedia files downloading from web pages. Upload – Check the box to block the file upload by way of web page. File Extension Profile – Choose one of the profiles that you configured in Object Setting>>...
  • Page 354 the service of formal edition, please contact your dealer/distributor for detailed information. Info 2 Commtouch is merged by Cyren, and GlobalView services will be continued to deliver powerful cloud-based information security solutions! Refer to: http://www.prnewswire.com/news-releases/commtouch-is-now-cyren-239025151.html Available settings are explained as follows: Item Description Activate...
  • Page 355 matching. L1 – the router will check the URL that the user wants to access via WCF. If the URL has been accessed previously, it will be stored in the router to be accessed quickly if required. Such item can provide accurate URL matching with faster rate.
  • Page 356 Block – Only the log about Block will be recorded in Syslog. All – All the actions (Pass and Block) will be recorded in Syslog. Black/White List Enable – Activate white/black list function for such profile. Group/Object Selections – Click Edit to choose the group or object profile as the content of white/black list.
  • Page 357: V-2-5 Dns Filter Profile

    The DNS Filter monitors DNS queries on UDP port 53 and will pass the DNS query information to the WCF to help with categorizing HTTPS URLs. DNS can be specified in LAN>>General Setup by using the server (e.g., 168.95.1.1) on router or external DNS server (e.g., 8.8.8.8).
  • Page 358 setting selected for Syslog. - None – No log file will be recorded for this profile. - Pass – Only the log about Pass will be recorded in Syslog. - Block – Only the log about Block will be recorded in Syslog.
  • Page 359: Application Notes

    The website of MyVigor (a server located on http://myvigor.draytek.com) provides several useful services (such as Anti-Spam, Web Content Filter, Anti-Intrusion, etc.) to filter the web pages for the sake of protecting your system. To access MyVigor for more information, please create an account for MyVigor. 1.
  • Page 360 2. Click the Activate link. A login page for MyVigor web site will pop up automatically. 3. Click the link of Create an account now. 4. Check to confirm that you accept the Agreement and click Accept.
  • Page 361 5. Type your personal information in this page and then click Continue. 6. Choose proper selection for your computer and click Continue.
  • Page 362 7. Now you have created an account successfully. Click START. 8. Check to see the confirmation email with the title of New Account Confirmation Letter from myvigor.draytek.com 9. Click the Activate my Account link to enable the account that you created. The following screen will be shown to verify the register process is finished.
  • Page 363 10. When you see the following page, please type in the account and password (that you just created) in the fields of UserName and Password. 11. Now, click Login. Your account has been activated. You can access into MyVigor server to activate the service (e.g., WCF) that you want.
  • Page 364 2. Check to confirm that you accept the Agreement and click Accept. 3. Type your personal information in this page and then click Continue. 4. Choose proper selection for your computer and click Continue. 5. Now you have created an account successfully. Click START.
  • Page 365 6. Check to see the confirmation email with the title of New Account Confirmation Letter from myvigor.draytek.com. 7. Click the Activate my Account link to enable the account that you created. The following screen will be shown to verify the register process is finished. Please click Login.
  • Page 366 8. When you see the following page, please type in the account and password (that you just created) in the fields of UserName and Password. Then type the code in the box of Auth Code according to the value displayed on the right side of it. Now, click Login.
  • Page 367: How To Block Facebook Service Accessed By The Users Via Web Content Filter / Url Content Filter

    There are two ways to block the facebook service, Web Content Filter and URL Content Filter. Web Content Filter, Benefits: Easily and quickly implement the category/website that you want to block. Note: License is required. URL Content Filter, Benefits: Free, flexible for customize webpage. Note: Manual setting (e.g., one keyword for one website.) Make sure the Web Content Filter (powered by Commtouch) license is valid.
  • Page 368 Enable this profile in Firewall>>General Setup>>Default Rule. Next time when someone accesses facebook via this router, the web page would be blocked and the following message would be displayed instead. II. Via URL Content Filter A. Block the web page containing the word of “Facebook” Open Object Settings>>Keyword Object.
  • Page 369 Open CSM>>URL Content Filter Profile. Click an index number to open the setting page. Configure the settings as the following figure. When you finished the above steps, click OK. Then, open Firewall>>General Setup.
  • Page 370 Click the Default Rule tab. Choose the profile just configured from the drop down list in the field of URL Content Filter. Now, users cannot open any web page with the word “facebook” inside. B. Disallow users to play games on Facebook Open Object Settings>>Keyword Object.
  • Page 371 Open CSM>>URL Content Filter Profile. Click an index number to open the setting page. Configure the settings as the following figure. When you finished the above steps, please open Firewall>>General Setup. Click the Default Rule tab. Choose the profile just configured from the drop down list in the field of URL Content Filter.
  • Page 373: Part Vi Management

    There are several items offered for the Vigor router system setup: System Status, TR-069, Administrator Password, User Password, Login Page Greeting, Configuration Backup, Syslog /Mail Alert, Time and Date, Management, Reboot System, Firmware Upgrade and Activation. It is used to control the bandwidth of data transmission through configuration of Sessions Limit, Bandwidth Limit, and Quality of Service (QoS).
  • Page 374: System Maintenance

    For the system setup, there are several items that you have to know the way of configuration: System Status, TR-069, Administrator Password, User Password, Login Page Greeting, Configuration Backup, Syslog /Mail Alert, Time and Date, Management, Reboot System, Firmware Upgrade, Activation and Internal Service User List. Below shows the menu items for System Maintenance.
  • Page 375: Web User Interface

    The System Status provides basic network settings of Vigor router. It includes LAN and WAN interface information. Also, you could get the current running firmware version or firmware related information from this presentation. Available settings are explained as follows: Item Description Model Name Display the model name of the router.
  • Page 376 - Display the assigned IP address of the primary DNS. Link Status - Display current connection status. MAC Address - Display the MAC address of the WAN Interface. Connection - Display the connection type. IP Address - Display the IP address of the WAN interface. Default Gateway - Display the assigned IP address of the default gateway.
  • Page 377 This device supports TR-069 standard. It is very convenient for an administrator to manage a TR-069 device through an Auto Configuration Server e.g., VigorACS. Available settings are explained as follows: Item Description ACS Server On Choose the interface for the router connecting to ACS server. ACS Server URL/Username/Password –...
  • Page 378 Event Code – Use the drop down menu to specify an event to perform the test. Last Inform Response Time – Display the time that VigorACS server made a response while receiving Inform message from CPE last time. CPE Client Such information is useful for Auto Configuration Server.
  • Page 379: Vi-1-3 Administrator Password

    This page allows you to set new password for administrator. Available settings are explained as follows: Item Description Administrator Password Old Password - Type in the old password. The factory default setting for password is “admin”. New Password -Type in new password in this field. The length of the password is limited to 23 characters.
  • Page 380 confirmation. Add – After typing the user name and password above, simply click it to create a new local user. The new one will be shown on the Local User List immediately. Edit – If the username listed on the box above is not satisfied, simply click the username and modify it on the field of User Name.
  • Page 381: Vi-1-4 User Password

    This page allows you to set new password for user operation. Available settings are explained as follows: Item Description Enable User Mode for After checking this box, you can access into the web user simple web configuration interface with the password typed here for simple web configuration.
  • Page 382 3. The following screen will appear. Simply click OK. 4. Log out Vigor router web user interface by clicking the Logout button. 5. The following window will be open to ask for username and password. Type the new user password in the field of Password and click Login.
  • Page 383 6. The main screen with User Mode will be shown as follows. Settings to be configured in User Mode will be less than settings in Admin Mode. Only basic configuration settings will be available in User Mode. Info Setting in User Mode can be configured as same as in Admin Mode.
  • Page 384: Vi-1-5 Login

    When you want to access into the web user interface of Vigor router, the system will ask you to offer username and password first. At that moment, the background of the web page is blank and no heading will be displayed on the Login window. This page allows you to specify login URL and the heading on the Login window if you have such requirement.
  • Page 386: Vi-1-6 Configuration Backup

    Such function can be used to apply the router settings configured by Vigor2820/ Vigor2830/ Vigor2850 to Vigor2952. Follow the steps below to backup your configuration. Go to System Maintenance >> Configuration Backup. The following page will be popped-up, as shown below. Available settings are explained as follows: Item Description...
  • Page 387 This field displays model name(s) and firmware which web configuration file saved can be used by such router. Click Backup button to get into the following dialog. Click Save button. The configuration will download automatically to your computer. The above example uses the Windows platform for demonstration. On Mac or Linux platforms the windows will look different, but the backup function is still available.
  • Page 388: Vi-1-7 Syslog/Mail Alert

    SysLog function is provided for users to monitor router. Available settings are explained as follows: Item Description SysLog Access Setup Enable - Check Enable to activate function of syslog. Syslog Save to – Check Syslog Server to save the log to Syslog server.
  • Page 389 address is available or not. SMTP Server/SMTP Port - The IP address/Port number of the SMTP server. Mail To - Assign a mail address for sending mails out. Return-Path - Assign a path for receiving the mail from outside. Use SSL - Check this box to use port 465 for SMTP server for some e-mail server uses https as the transmission method.
  • Page 390 From the Syslog screen, select the router you want to monitor. Be reminded that in Network Information, select the network adapter used to connect to the router. Otherwise, you won’t succeed in retrieving information from the router.
  • Page 391: Vi-1-8 Time And Date

    It allows you to specify where the time of the router should be inquired from. Available settings are explained as follows: Item Description Current System Time Click Inquire Time to get the current time. Use Browser Time Select this option to use the browser time from the remote administrator PC host as router’s system time.
  • Page 392: Vi-1-9 Snmp

    Through synchronization. Click OK to save these settings. This page allows you to configure settings for SNMP and SNMPv3 services. SNMPv3 is more secure than SNMP because it provides encryption (AES and DES are supported) and authentication (MD5 and SHA are supported) for management needs. Available settings are explained as follows: Item Description...
  • Page 393 Trap Community Set trap community by typing a proper name. The default setting is public. The maximum length of the text is limited to 23 characters. Notification Host IP (IPv4) Set the IPv4 address of the host that will receive the trap community.
  • Page 394: Vi-1-10 Management

    This page allows you to manage the settings for Internet/LAN Access Control, Access List from Internet, Management Port Setup, TLS/SSL Encryption Setup, and Device Management. The management pages for IPv4 and IPv6 protocols are different. Available settings are explained as follows: Item Description Router Name...
  • Page 395 Enable Validation Code in If it is enabled, the mechanism of validation code will be Internet/LAN Access offered by Vigor router. That is, the client must type validation code while accessing into Internet or web user interface of Vigor router. Internet Access Control Allow management from the Internet - Enable the checkbox to allow system administrators to login from the Internet.
  • Page 396 Available settings are explained as follows: Item Description Management Access Allow management from the Internet - Enable the checkbox Control to allow system administrators to login from the Internet. There are several servers provided by the system to allow you managing the router from Internet. Check the box(es) to specify.
  • Page 397 Available settings are explained as follows: Item Description Allow management from Enable the checkbox to allow system administrators to login from LAN interface. There are several servers provided by the system which allow you to manage the router from LAN interface.
  • Page 398: Vi-1-11 Self-Signed Certificate

    A self-signed certificate is a unique identification for the device (e.g., Vigor router) which generates the certificate by itself to ensure the router security. Such self-signed certificate is signed with its own private key. The self-signed certificate will be applied in SSL VPN, HTTPS, and so on. Click Regeneration to open Regenerate Self-Signed Certificate window.
  • Page 399 Type in required information for subject name and subject alternative name that you need for this certificate. Then click Generate.
  • Page 400: Vi-1-12 Reboot System

    The Web user interface may be used to restart your router. Click Reboot System from System Maintenance to open the following page. Index (1-15) in Schedule Setup - You can type in four sets of time schedule for performing system reboot. All the schedules can be set previously in Applications >> Schedule web page and you can use the number that you have set in that web page.
  • Page 401: Vi-1-13 Firmware Upgrade

    Download the newest firmware from DrayTek's web site or FTP site. The DrayTek web site is www.DrayTek.com (or local DrayTek's web site) and FTP site is ftp.DrayTek.com. Click System Maintenance>> Firmware Upgrade to launch the Firmware Upgrade Utility. Choose the right firmware by clicking Select. Then, click Upgrade. The system will upgrade the firmware of the router automatically.
  • Page 402: Vi-1-14 Activation

    There are three ways to activate WCF on vigor router, using Service Activation Wizard, by means of CSM>>Web Content Filter Profile or via System Maintenance>>Activation. After you have finished the setting profiles for WCF (refer to Web Content Filter Profile), it is the time to activate the mechanism for your computer.
  • Page 403: Vi-1-15 Internal Service User List

    User profiles (clients) defined and enabled in User Management>>User Profile will be displayed in this page. Such page allows you to turn on or turn off security authentication service (offered by internal RADIUS and/or Local 802.1X) for each user profile without accessing into the User Management configuration page.
  • Page 404 enabled; vice versa. Info For the detailed setting (such as IP address, port number) configuration of internal RADIUS, refer to Applications>>RADIUS/TACACS+. For the detailed setting (such as IP address, port number) configuration of Local 802.1X, refer to LAN>>Wired 802.1X and Wireless LAN>>Security.
  • Page 405: Bandwidth Management

    A PC with a private IP address can access the Internet via a NAT router. The router will generate records of NAT sessions for such connections. P2P (Peer to Peer) applications (e.g., BitTorrent) always need many sessions for processing, and they occupy so many resources that important accesses might be impacted.
  • Page 406 Vigor routers as edge routers of DS domain shall check the marked DSCP value in the IP header of bypassing traffic, to allocate a certain amount of resources and execute appropriate policing, classification or scheduling. The core routers in the backbone will do the same checking before executing treatments in order to ensure service-level consistency throughout the whole QoS-enabled network.
  • Page 407: Web User Interface

    Below shows the menu items for Bandwidth Management. In the Bandwidth Management menu, click Sessions Limit to open the web page.
  • Page 408 To activate the function of limit session, simply click Enable and set the default session limit. Available settings are explained as follows: Item Description IPv4 Session Limit / IPv6 Session Limit Enable - Click this button to activate the function of limit session. Disable - Click this button to close the function of limit session.
  • Page 409: Vi-2-2 Bandwidth Limit

    In the Bandwidth Management menu, click Bandwidth Limit to open the web page. To activate the function of limit bandwidth, simply click Enable and set the default upstream and downstream limit. Available settings are explained as follows: Item Description
  • Page 410 IPv4 Bandwidth Limit / IPv6 Bandwidth Limit Enable - Click this button to activate the function of limit bandwidth. IP Routed Subnet – Check this box to apply the bandwidth limit to the second subnet specified in LAN>>General Setup. Disable - Click this button to close the function of limit bandwidth.
  • Page 411: Vi-2-3 Quality Of Service

    In the Bandwidth Management menu, click Quality of Service to open the web page. Available settings are explained as follows: Item Description General Setup Index – Display the WAN interface number that you can edit. Status – Display if the WAN interface is available for such function or not.
  • Page 412 This page displays the QoS settings result of the WAN interface. Click the Setup link to access into next page for the general setup of WAN interface. As to class rule, simply click the Edit link to access into next for configuration. You can configure general setup for the WAN interface, edit the Class Rule, and edit the Service Type for the Class Rule for your request.
  • Page 413 When you click Setup, you can configure the bandwidth ratio for QoS of the WAN interface. There are four queues allowed for QoS control. The first three (Class 1 to Class 3) class rules can be adjusted for your necessity. Yet, the last one is reserved for the packets which are not suitable for the user-defined class rules.
  • Page 414 Prioritize are great in ADSL2+ environment. For the download speed might be impacted by the uploading TCP ACK, you can check this box to push ACK of upload faster to speed the network traffic. Limited_bandwidth Ratio The ratio typed here is reserved for limited bandwidth of UDP application.
  • Page 415 For adding a new rule, click Add to open the following page. Available settings are explained as follows: Item Description Check this box to invoke these settings. Hardware Check this box to enable the hardware acceleration when Acceleration such rule is applied. Ethernet Type Please specify which protocol (IPv4 or IPv6) will be used for this rule.
  • Page 416 By the way, you can set up to 20 rules for one Class. If you want to edit an existed rule, please select the radio button of that one and click Edit to open the rule edit page for modification. To add a new service type, edit or delete an existed service type, please click the Edit link under Service Type field.
  • Page 417 For adding a new service type, click Add to open the following page. Available settings are explained as follows: Item Description Service Name Type in a new service for your request. The maximum length of the name you can set is 11 characters. Service Type Choose the type (TCP, UDP or TCP/UDP or other) for the new service.
  • Page 418: Vi-2-4 App Qos

    The QoS function is used to do bandwidth management for the services with certain IP or port number. However, there is no effect of bandwidth management on the service such as VNC or PPTV without fixed IP or port number. APP QoS employs the function of APP Enforcement to detect the types of software in application layer.
  • Page 419 Apply to all Choose one of the actions from the drop down list. It is prepared for applying to all protocols. Apply – Click it to make the selected action be applied all of the selected protocols immediately. Action There are many protocols which can be specified with different QoS Class.
  • Page 420: Application Notes

    Have you ever gotten any problems in uploading/downloading files (Voice, video or email/data only) with the narrow/districted bandwidth you may share from the common Internet connection line? The advanced bandwidth management technology-QoS (Quality of Service) helps you to well allocate the bandwidth upon your demand of Voice, Video, or Data transferring.
  • Page 421 Check the box of ACT. Click Edit to specify the local address. In the pop-up window, choose Range Address as the Address Type and type the start IP address and end IP address in relational fields. Click OK to save the settings and exit the window.
  • Page 422 The class rule for VoIP has been set. Click OK to return to previous page. Do the same steps to add class rules for IPTV and Data/Email with IP addresses as shown below.
  • Page 423 Assuming you get 2MB/512Kb Internet line. You can click the Setup link of WAN1 to set up the bandwidth for different groups among VoIP, IPTV and Data/Email. 10. In the Setup page, check the box of Enable the QoS Control. Type 30, 50 and 15 in the boxes for VoIP, IPTV and Data/Email respectively.
  • Page 424: Qos Setting Example

    Assume a teleworker sometimes works at home and takes care of children. During working hours, he would use the Vigor router at home to connect to the server in the headquarters office downtown via either HTTPS or VPN to check email and access the internal database. Meanwhile, children may chat on Skype in the restroom.
  • Page 425 Return to previous page. Enter the Name of Index Class #1 by clicking Edit link. Type the name “E-mail” for Class 1. Click OK to save the settings. Click the Setup link for WAN2. The user can set reserved bandwidth (e.g., 25%) for E-mail using protocol POP3 and SMTP.
  • Page 426 Click Setup link for WAN2. Check Enable UDP Bandwidth Control on the bottom to prevent enormous UDP traffic from influencing other applications. Click OK.
  • Page 427 If the worker has connected to the headquarters using a host-to-host VPN tunnel (please refer to Chapter 3 VPN for detailed instructions), he may set up an index for it. Enter the Class Name of Index 3. In this index, he will set reserved bandwidth for 1 VPN tunnel. 10.
  • Page 428 12. Then click Edit of Local Address to set the worker’s subnet address. Click Edit of Remote Address to set the headquarters’ IP address. Leave other fields and click OK.
  • Page 429: User Management

    User Management is a security feature which disallows any IP traffic (except DHCP-related packets) from a particular host until that host has correctly supplied a valid username and password. Instead of managing with IP address/MAC address, User Management function manages hosts with user account. Network administrator can give different firewall policies or rules for different hosts with different User Management accounts.
  • Page 430: Web User Interface

    General Setup can determine the standard (rule-based or user-based) for the users controlled by User Management. The mode (standard) selected here will influence the contents of the filter rule(s) applied to every user. Available settings are explained as follows: Item Description Mode There are two modes offered here for you to choose.
  • Page 431 Profile to the users. Rule-Based –If you choose such mode, the router will apply the filter rules configured in Firewall>>General Setup and Filter Rule to the users. Authentication page Web Authentication - Choose the protocol for web authentication. Login Page Logo – A logo which can be used as an identification of enterprise can be uploaded and displayed on the login page.
  • Page 432: Vi-3-2 User Profile

    This page allows you to set customized profiles (up to 200) which will be applied for users controlled under User Management. Simply open User Management>>User Profile. To set the user profile, please click any index number link to open the following page. Notice that profile 1 (admin) and profile 2 (Dial-In User) are factory default settings.
  • Page 433 Available settings are explained as follows: Item Description Common Settings Enable this account - Check this box to enable such user profile. Username - Type a name for such user profile (e.g., LAN_User_Group_1, WLAN_User_Group_A, WLAN_User_Group_B, etc). When a user tries to access Internet through this router, an authentication step must be performed first.
  • Page 434 characters. Confirm Password - Type the password again for confirmation. Web login Setting Idle Timeout - If the user is idle over the limitation of the timer, the network connection will be stopped for such user. By default, the Idle Timeout is set to 10 minutes. Max User Login - Such profile can be used by many users.
  • Page 435 authenticated by the router first. There are three ways offered by the router for the user to choose for authentication.  Web – If it is selected, the user can type the URL of the router from any browser. Then, a login window will be popped up and ask the user to type the user name and password for authentication.
  • Page 436 When the time is up, all the connection jobs including network, IM, social media, facebook, and etc. will be terminated. Enable Data Quota - Data Quota means the total amount for data transmission allowed for the user. The unit is MB/GB. –...
  • Page 437: Vi-3-3 User Group

    This page allows you to bind several user profiles into one group. These groups will be used in Firewall>>General Setup as part of filter rules. Please click any index number link to open the following page. Default object – 1 and 2 User defined object –...
  • Page 438: Vi-3-4 User Online Status

    Selected Keyword Objects Click button to add the selected user objects in this box. After finishing all the settings here, please click OK to save the configuration. User Online Status displays connection information (including user profile, IP address, authority, expired time, data quota, idle time, and so on) about the user accessing into web user interface of Vigor router.
  • Page 439: Vi-3-5 Pppoe User Online Status

    Action Block - can avoid specified user accessing into Internet. Unblock – allow the user to access into Internet. Logout – the user will be logged out forcefully. PPPoE User Online Status displays connection information (including IP address, MAC address, user name, transmitted bytes, received bytes, up time and so on) for the LAN client who accesses Internet via the built-in PPPoE server of Vigor router.
  • Page 440: Application Notes

    Before using the function of User Management, please make sure User-Based has been selected as the Mode in the User Management>>General Setup page. With User Management authentication function, before a valid username and password have been correctly supplied, a particular client will not be allowed to access Internet through the router.
  • Page 441 If a LAN client who hasn’t passed the authentication opens an external web site in his browser, he will be redirected to the router’s Web authentication interface first. Then, the client is trying to access http://www.draytek.com but is brought to the Vigor router.
  • Page 442 With Mozilla Firefox, you may get the following warning message. Select I Understand the Risks. With Chrome browser, you may get the following warning. Click Proceed anyway. After that, the web authentication window will appear. Input the user name and the password for your account (defined in User Management) and click Login.
  • Page 443 If the authentication is successful, the client will be redirected to the original web site that he tried to access. In this example, it is http://www.draytek.com. Furthermore, you will get a popped up window as the following. Then you can access the Internet. Note, if you block pop-up windows in the web browser, you will not see such window.
  • Page 444 In above description, you access an external web site to trigger the authentication. You may also directly access the router’s Web UI for authentication. Both HTTP and HTTPS are supported, for example http://192.168.1.1 or https://192.168.1.1. Replace 192.168.1.1 with your router’s real IP address, and add the port number if the default management port has been modified.
  • Page 445 http://www.draytek.com. You may change it if you want. For example, you will get the following welcome message if you enter Login Successful in the Welcome Message table. Also you will get a Tracking Window if you don’t block the pop-up window. Don’t set up a user profile in User Management and a VPN Remote Dial-in user profile...
  • Page 446 If SSL Tunnel or SSL Web Proxy is disabled in the VPN profile, a User Management account and a remote dial-in VPN profile can use the same Username, even with different passwords. However, we recommend you to use different usernames for different user profiles in User Management and VPN profiles.
  • Page 447 In the Web interface of router, the configuration page of Time Quota is shown as below. If the Time Quota is set with “0” minute, you will get the following message which means this account has no time quota. If the Time Quota is enabled and time is not 0 minute, You will get the following message.
  • Page 448 After you run out of the available time, you can’t use this account any more until the administrator manually adds additional time for you. Authentication via Web or Telnet is convenient for users; however, it has some limitations. The biggest advantage of using VigorPro Alert Notice Tool for authentication is the ability to do auto login.
  • Page 449: How To Use Landing

    Landing Page is a special feature configured under User Management. It can specify the message, content to be seen or specify which website to be accessed into when users try to access into the Internet by passing the authentication. Here, we take Vigor2952 Series router as an example.
  • Page 450 In the following page, check the box of Landing page and click OK to save the settings. Open any browser (e.g., FireFox, Internet Explorer). The login page will appear and ask for username and password. Please type the correct username and password.
  • Page 451 Click Login. If the login is successful, you will see the message of Login Success from the browser you use.
  • Page 452 In the field of Landing Page, please type the words as below: “<body stats=1><script language='javascript'> window.location='http://www.draytek.com'</script></body>” Next, enable the Landing Page function. Open User Management -> User Profile and click one of the index number (e.g., index number 3) links.
  • Page 453 In the following page, check the box of Landing page and click OK to save the settings. Open any browser (e.g., FireFox, Internet Explorer). The login page will appear and ask for username and password. Please type the correct username and password.
  • Page 454 Click Login. If the login is successful, you will be directed to the website of www.draytek.com.
  • Page 455: Application Notes

    The new web portal feature supports social login as an authentication method, and allows the network administrator to authenticate LAN clients by their Google or Facebook account. This document introduces how to create Facebook APP, and generate the APP ID and APP secret that can be used in Web Portal setup.
  • Page 456 6. Add a New App. Click on My Apps > Add a New App. Choose Website platform. 7. Click Skip and Create App ID on first use. Type Display Name. Choose Category. Click Create App ID.
  • Page 457 8. A security check window pops up. Select the answer, and then click Submit to finish the process.
  • Page 458 9. On Dashboard, user can get App ID and App Secret; this information will be used in Vigor Router's Web Portal Setup. 10. Add Platform on My Apps. Go to Settings then click Add Platform. 11. Choose Website in Select Platform window. 12.
  • Page 459 13. Set up Client OAuth. Go to Settings >> Advanced >>Client OAuth Settings, enter "http://portal.draytek.com" in Valid OAuth redirect URIs, and save changes. 14. Go to My Apps>>Status & Review, and switch available status to YES to activate the APP.
  • Page 461: How To Create Google App For Web Portal Authentication

    The new web portal feature supports social login as an authentication method, and allows the network administrator to authenticate LAN clients by their Google or Facebook account. This document introduces how to create Facebook APP, and generate the APP ID and APP secret that can be used in Web Portal setup.
  • Page 462 4. Create Client ID. Click Credentials and Click Add credentials > OAuth2.0 client ID. 5. Choose Web application as Application Type, then enter name. Set Authorized JavaScript origins and Authorized redirect URLs as http://portal.draytek.com, and click Create. (Note: If you change http port in the vigor, please add http port in URLs. For example, we use 8080 as http port and we'll put http://portal.draytek.com:8080).
  • Page 463: Central Management (Vpn)

    Vigor2952 can build virtual private network (VPN) between itself and any other TR-069 CPE by the function of central VPN management. In addition, it can be treated as a server (called CVM server) which can manage TR-069 CPE for periodical firmware upgrade, configuration backup and restoring configuration.
  • Page 464: Web User Interface

    Central VPN Management menu can manage the CPE connected through WAN only. General Setup is used to configure settings which will be used by the clients to register to such Vigor router. Click the tabs of General Settings and IPsec VPN Settings to configure the basic settings for CVM mechanism.
  • Page 465: Vi-4-1-2 Ipsec Vpn Settings

    to specify WAN IP address. Username Type a username which will be used by any CPE trying to connect to Vigor router. Password Type the password for the user. Polling Interval Type the time value (unit is second). The range is from 60 ~ 86400.
  • Page 466: Vi-4-2-1 Managed Device List

    All the CPEs managed by Vigor2952 Series can be seen with icons from this page. Before using such feature, make sure the CVM port has been enabled and configured properly. This page allows you to manage the CPEs connected to Vigor2952 Series.
  • Page 467 Available settings are explained as follows: Item Description Managed Devices List This area displays device icons (up to 8) for the CPE managed by Vigor2952 Series. Edit – To modify the name and location of specific CPE, click the one you want and click the Edit button. A pop up window will appear.
  • Page 468: Vi-4-2 Cpe Management

    Add – Move the selected device from Unmanaged Devices List to Managed Devices List. IP Address – Display the IP address of the remote device. Mac Address – Display the MAC address of the remote device. Device Model – Display the model name of the remote device. Description Name –...
  • Page 469 USB disk connecting to Vigor2952, such message will be displayed in this field. Click the icon to see the content inside the USB disk. Set to Factory Default Click to clear all indexes. Index Display the number of the profile that you can edit. Enable Check the box to enable such index profile.
  • Page 470 Profile Name Type the name of the maintenance profile. Enable Check it to enable such profile. Only Run Once Check the box to make such maintenance profile be disabled after running. It can prevent the profile from being executed continuously. Device Name The drop down list will display all the CPE devices detected by Vigor2952 Series.
  • Page 471: Vi-4-2-3 Google Map

    To display the location of the managed CPE with a bird’s eye view, open Central VPN Management>>CPE Management and click the tab of Google Map.
  • Page 472: Vi-4-3 Vpn Management

    An easy and quick method is offered to configure VPN settings for building VPN connection automatically between Vigor2952 Series (treated as VPN server) and other Vigor router (treated as CPE device, i.e., VPN client). Available parameters are listed as follows: Item Description VPN Management...
  • Page 473: Vi-4-4 Log & Alert

    This page offers brief information to identify the CPE connected to Vigor2952 Series. Available settings are explained as follows: Item Description Display Mode Choose the mode you want to display the related information on the following table. Stop record when fulls – when the capacity of CVM log is...
  • Page 474: Application Notes

    To manage CPEs through Vigor2952 Series, you have to set URL on CPE first and set username and password for Vigor2952 Series. All the CPE configuration will be done through Vigor2952 series. Access into the web user interface of Vigor2952 Series. Open Central VPN Management>>General Setup.
  • Page 475 On the CPE side, access the web user interface of the CPE (e.g., Vigor2850 series in this case). Open a web browser (for example, IE, Mozilla Firefox or Netscape) and type http://192.168.1.1. Open System Maintenance >> TR-069. In the field of ACS Server, type the URL (IP address with port number) of Vigor2952 Series and type the same Username and Password defined on the page of Central VPN Management>>General Setup in Vigor2952 Series.
  • Page 476 Check Allow management from the Internet to set management access control and click OK. Open WAN>>Internet Access. Use the drop down list of Access Mode on WAN1 to select MPoA (RFC1483/2684). Then, click Details Page. Click Specify an IP address. Type correct WAN IP address, subnet mask and gateway IP address for your CPE.
  • Page 477 Info Reboot the CPE device and re-log into Vigor2952 Series. CPE which has registered to Vigor2952 Series will be captured and displayed on the page of Central VPN Management>>CPE Management. Return to the web user interface of Vigor2952 Series. Open Central VPN Management>>VPN Management. Now there is one CPE displayed on the field of Unmanaged Devices List.
  • Page 478: Series

    When a remote device is managed by Vigor2952 Series, it is easy to build VPN between these two devices. Access into the web user interface of Vigor2952 Series. Open Central VPN Management>>CPE Management. Click the device icon (marked with ) and click the PPTP/IPsec button. Wait for a moment.
  • Page 479 A LAN to LAN profile for such VPN will be generated automatically. You can access into VPN and Remote Access>>LAN to LAN of the remote device for viewing the detailed information. Info The profile name is created automatically by the system. Do not modify any value in such page to avoid VPN error.
  • Page 480: Cvm Application - How To Upgrade Cpe Firmware Through Vigor2952 Series

    Download the newest firmware from your Draytek website to USB Storage Disk for the device (e.g., Vigor2850) managed by Vigor2952 Series. Vigor2850, as an example, is chosen for Vigor2952 to perform the CPE firmware upgrade remotely in this case. Plug in USB storage disk onto Vigor2952 Series via USB interface. Make sure the USB disk has been installed correctly, otherwise, the firmware upgrade will not be successful.
  • Page 481 The Maintenance profile dialog appears. In the field of Profile Name, type a name for such maintenance profile; check Enable; and choose the one you want to perform firmware upgrade from Device Name drop down list. From the Action Type, choose Firmware Upgrade. Type the file/path of the newest firmware or click Select to locate it.
  • Page 482 Then check the device information for the managed device if the firmware upgrade is successful or not. Click Managed Devices List. Click the icon of Vigor2850 and click Edit and view the software version. Another way to check if the firmware upgrade is completed or not, simply open Central VPN Management>>Log &...
  • Page 483: Central Management (Ap)

    Vigor2952 can manage the access points supporting AP management via Central AP Management. AP Map is helpful to determine the best location for VigorAP in a room. A floor plan of a room is required to be uploaded first. By dragging and dropping available VigorAP icon from the list to the floor plan, the placement with the best wireless coverage will be clearly indicated through simulated signal strength. Vigor router can execute configuration backup, configuration restoration, firmware upgrade...
  • Page 484: Web User Interface

    This page shows VigorAP’s information about Status, Event Log, Total Traffic or Station Number by displaying VigorAP icon, text and histogram. Just move and click your mouse cursor on Status, Event Log, Total Traffic or Station Number. Corresponding web pages will be open immediately.
  • Page 485: Vi-5-2 Status

    This page displays current status (online, offline or SSID hidden, IP address, encryption, channel, version, password and etc.) of the access points managed by Vigor router. Please open Central AP Management>>Function Support List to check what AP Models are supported. Available settings are explained as follows: Item Description...
  • Page 486: Vi-5-3 Wlan Profile

    WLAN profile is used to apply to a selected access point. It is very convenient for the administrator to configure the setting for access point without opening the web user interface of the access point. Check the box on the left side of the selected profile to modify the content of the profile. The Clone, Edit and Apply To Device buttons will be available then.
  • Page 487 Third, choose the profile index to accept the settings from the original profile. Fourth, type a new name in the field of Renamed as. Last, click Apply to save the settings on this dialog. The new profile has been created with the settings coming from the original profile.
  • Page 488 1. Check the box on the left side of the selected profile. 2. Click the Edit button to display the following page. Info The function of Auto Provision is available for the default WLAN profile.
  • Page 489 3. After finishing the general settings configuration, click Next to open the following page for 2.4G wireless security settings.
  • Page 490 4. After finishing the above web page configuration, click Next to open the following page for 5G wireless security settings. 5. When you have finished the above web page configuration, click Finish to exit and return to the first page. The modified WLAN profile will be shown on the web page.
  • Page 491: Vi-5-4 Ap Maintenance

    Vigor router can execute configuration backup, configuration restoration, firmware upgrade and remote reboot for the APs managed by the router. It is very convenient for the administrator to process maintenance without accessing into the web user interface of the access point. Info Config Backup can be performed to one AP at one time.
  • Page 492: Vi-5-5 Ap Map

    Selected Device Display the access points that will be applied by such function after clicking OK. After finishing all the settings here, please click OK to perform the action. This function is helpful to determine the best location for VigorAP in a room. A floor plan of a room is required to be uploaded first.
  • Page 493 Select a number index and click Edit to open the following web page. Available settings are explained as follows: Item Description Location (Profile Name) Type a name (e.g., groudfloor) for the AP map profile. Upload Map Click the Select button to choose an image file (only JPG and PNG are supported) for floor plan.
  • Page 494 Drag and drop an AP icon from Compatible AP List to the map on the left side. Choose the signal strength (e.g., 30% in this case) from User Define drop down list. Click Apply. Adjust the AP on the map to find out which place can have the best wireless coverage. At last, click Save.
  • Page 495: Vi-5-6 Traffic Graph

    Click Traffic Graph to open the web page. Choose one of the managed Access Points, LAN-A or LAN-B, daily or weekly for viewing data transmission chart. Click Refresh to renew the graph at any time. The horizontal axis represents time; the vertical axis represents the transmission rate (in kbps).
  • Page 496: Vi-5-7 Temperature Sensor

    Many VigorAPs and Vigor routers can be installed with temperature sensor. If VigorAP (e.g., VigorAP 910C) is managed under Vigor router (e.g, Vigor2952), then Vigor router can obtain the temperature change graph of the USB temperature sensor installed onto VigorAP. This page displays data including current temperature, maximum temperature, minimum temperature and average temperature.
  • Page 497: Vi-5-9 Total Traffic

    Such page will display the total traffic of data receiving and data transmitting for VigorAPs managed by Vigor router. The total number of the wireless clients will be shown on this page, no matter what mode of wireless connection (2.4G WLAN or 5G WLAN) used by wireless clients to access into Internet through VigorAP.
  • Page 498: Vi-5-11 Load Balance

    The parameters configured for Load Balance can help to distribute the traffic for all of the access points registered to Vigor router. Thus, the bandwidth will not be occupied by certain access points. Available settings are explained as follows: Item Description Enable Check the box to enable such function.
  • Page 499: Vi-5-12 Function Support List

    After finishing all the settings here, please click OK to save the configuration. Click the Client tab to list the AP management functions that the Access Points support under different firmware versions. Click the Server tab to list the AP management functions that Vigor router supports under different firmware versions.
  • Page 500: Application Notes

    The administrator can manage the access points linked to Vigor2952. Open Central AP Management>>Access Point Devices. Vigor2952 will detect the AP connecting to the router automatically and display as below: In this case, a device named with AP810_001DAA9D362C has been detected by Vigor router.
  • Page 501 When the following configuration page appears, make the changes you want and check Apply to All APs. Then, click Next to access into the next page. Info Auto Provision can automatically apply the settings on Default profile to all of the access points registered to Vigor2952 later. Hence, it is not necessary for you to manually apply wireless profiles for APs respectively.
  • Page 502 The following page allows you to modify related settings for 2.4G SSID of managed AP. Make the changes you want for 2.4G SSID. Click Next for next page.
  • Page 503 The following page is offered for you to modify related settings for 5G SSID of managed AP. Continue to make any changes you want. After finishing all of the changes, simply click Finish. Now, the AP (represented with AP810_001DAA9D362C) detected by Vigor router will be applied with the settings modified by Vigor router.
  • Page 504: Central Management (Switch)

    Vigor router can manage lots of VigorSwitch devices connected to it. Through profile and group settings, the administrator can execute firmware/configuration backup, restore for VigorSwitch device, reboot the device or return to factory default settings of VigorSwitch at one time. Such page displays information, including Group, Switch name, IP address, model, System Up Time, Port in Use, Clients, and Firmware Version of VigorSwitch connected to Vigor2952 series.
  • Page 505 Item Description Group Display the name link of the group. You can click the link to modify the group settings if required. Switch Name Display the name link of VigorSwitch. You can click the name link to access into the switch profile. IP Address Display the IP address of VigorSwitch.
  • Page 506: Vi-6-1-2 Switch Hierarchy

    Such page displays the hierarchy of VigorSwitch(es) managed under Vigor2952. Please note that, Shutdown Port is available for LAN port of VigorSwitch connects to a LAN device. When it is checked, after clicking OK, the network connection between that device and VigorSwitch will be terminated.
  • Page 507: Vi-6-2 Profile

    This page will show general information, such as name, group, IP address, MAC address, model and password of VigorSwitch only when it connects to Vigor2952 series. By clicking the index number link, a profile setting page for that switch will be shown. Note that each profile represents one VigorSwitch.
  • Page 508 Item Description Switch Name Type a name for the Switch. The purpose of name is used for identification. It is useful when there are many VigorSwitch (same modes) devices connecting to Vigor2952 series. Comment Type the text in such field if additional explanation for the switch is required.
  • Page 509 Setting page with LAN>>VLAN configured previously: Click OK to save VLAN configuration. Then, click Port tab to access the following page:
  • Page 510: Vi-6-3 Group

    Available settings are explained as follows: Item Description Description If required, type a brief description to explain the device connected to VigorSwitch via the LAN port. Shutdown Port Shutdown – The port (e.g, Port 10 in this case) which is used to connect VigorSwitch and Vigor2952 will not be shutdown by Vigor2952 series.
  • Page 511 Available settings are explained as follows: Item Description Group Name Type a name as the group name. Different switches can be classified within a group. Group Password Type a password that administrator can use to access into the managed VigorSwitch connecting to Vigor2952 series. All of the switches under the same group can be accessed into via such group password.
  • Page 512: Vi-6-4 Maintenance

    Such feature can execute configuration backup, restore of selected VigorSwitch device(s) or reboot the VigorSwitch devices remotely or reset the VigorSwitch devices with factory default settings, without accessing into the web user interface of VigorSwitch respectively. It is convenient for system administrator to manage VigorSwitch devices. Available settings are explained as follows: Item Description...
  • Page 513: Vi-6-5 Support List

    This page lists all models of VigorSwitch which can be managed by Vigor2952 via Central Management>>Switch.
  • Page 514: Central Management (External Devices)

    Vigor router can be used to connect with many types of external devices. In order to control or manage the external devices conveniently, open External Devices to make detailed configuration. Available settings are explained as follows: Item Description External Device Syslog Check this box to display information of the detected device on Syslog.
  • Page 515: Part Vii Others

    Define objects such as IP address, service type, keyword, file extension and others. These pre-defined objects can be applied in CSM. USB device connected on Vigor router can be regarded as a server or WAN interface. By way of Vigor router, clients on LAN can access, write and read data stored in USB storage disk with different applications.
  • Page 516: Objects Settings

    IP ranges and limited ranges of service ports are frequently used when configuring the router’s settings, so they can be defined as objects and bound into groups for convenient use. Later, the object or group can be selected wherever it applies. For example, all the IPs in the same department can be defined with an IP object (a range of IP addresses).
  • Page 517: Web User Interface

    You can set up to 192 sets of IP Objects with different conditions. Available settings are explained as follows:
  • Page 518 Item Description Create from ARP Table It is a quick method to create an IP object profile. Simply click such link to create the IP object profile from ARP Table. The profile name will be given automatically by Vigor router. Change it if required. Create from Routing Table It is a quick method to create an IP object profile.
  • Page 519 1. Click the number (e.g., #1) under Index column for configuration in details. 2. The configuration page will be shown as follows: Available settings are explained as follows: Item Description Name Type a name for this profile. Maximum 15 characters are allowed.
  • Page 520 End IP Address Type the end IP address if the Range Address type is selected. Subnet Mask Type the subnet mask if the Subnet Address type is selected. Invert Selection If it is checked, all the IP addresses except the ones listed above will be applied later while it is chosen.
  • Page 521: Vii-1-2 Ip Group

    This page allows you to bind several IP objects into one IP group. Available settings are explained as follows: Item Description Set to Factory Default Clear all profiles. Index Display the profile number that you can configure. Name Display the name of the group profile. To set a new profile, please do the steps listed below: 1.
  • Page 522: Vii-1-3 Ipv6 Object

    Available settings are explained as follows: Item Description Name Type a name for this profile. Maximum 15 characters are allowed. Interface Choose WAN, LAN or Any to display all the available IP objects with the specified interface. Available IP Objects All the available IP objects with the specified interface chosen above will be shown in this box.
  • Page 523 To set a new profile, please do the steps listed below: 1. Click the number (e.g., #1) under Index column for configuration in details. 2. The configuration page will be shown as follows: Available settings are explained as follows: Item Description Name Type a name for this profile.
  • Page 524: Vii-1-4 Ipv6 Group

    End IP Address Type the end IP address if the Range Address type is selected. Prefix Length Type the number (e.g., 64) for the prefix length of IPv6 address. Invert Selection If it is checked, all the IPv6 addresses except the ones listed above will be applied later while it is chosen.
  • Page 525 Available settings are explained as follows: Item Description Name Type a name for this profile. Maximum 15 characters are allowed. Available IPv6 All the available IPv6 objects with the specified interface Objects chosen above will be shown in this box. Selected IPv6 Objects Click >>...
  • Page 526: Vii-1-5 Service Type Object

    You can set up to 96 sets of Service Type Objects with different conditions. Available settings are explained as follows: Item Description Set to Factory Default Clear all profiles. Index Display the profile number that you can configure. Name Display the name of the object profile.
  • Page 527 To set a new profile, please do the steps listed below: 1. Click the number (e.g., #1) under Index column for configuration in details. 2. The configuration page will be shown as follows: Available settings are explained as follows: Item Description Name Type a name for this profile.
  • Page 528: Vii-1-6 Service Type Group

    After finishing all the settings, please click OK to save the configuration. This page allows you to bind several service types into one group. Available settings are explained as follows: Item Description Set to Factory Default Clear all profiles. Index Display the profile number that you can configure.
  • Page 529 To set a new profile, please do the steps listed below: 1. Click the number (e.g., #1) under Group column for configuration in details. 2. The configuration page will be shown as follows: Available settings are explained as follows: Item Description Name Type a name for this profile.
  • Page 530: Vii-1-7 Keyword Object

    You can set 200 keyword object profiles for choosing as black /white list in CSM >>URL Web Content Filter Profile. Available settings are explained as follows: Item Description Set to Factory Default Clear all profiles. Index Display the profile number that you can configure. Name Display the name of the object profile.
  • Page 531 To set a new profile, please do the steps listed below: 1. Click the number (e.g., #1) under Index column for configuration in details. 2. The configuration page will be shown as follows: Available settings are explained as follows: Item Description Name Type a name for this profile, e.g., game.
  • Page 532: Vii-1-8 Keyword Group

    This page allows you to bind several keyword objects into one group. The keyword groups set here will be chosen as black /white list in CSM >>URL /Web Content Filter Profile. Available settings are explained as follows: Item Description Set to Factory Default Clear all profiles.
  • Page 533: Vii-1-9 File Extension Object

    Name Type a name for this group. Maximum 15 characters are allowed. Available Keyword You can gather keyword objects from Keyword Object page Objects within one keyword group. All the available Keyword objects that you have created will be shown in this box. Selected Keyword Click button to add the selected Keyword objects in...
  • Page 534 To set a new profile, please do the steps listed below: 1. Click the number (e.g., #1) under Profile column for configuration in details. 2. The configuration page will be shown as follows: Available settings are explained as follows: Item Description Profile Name Type a name for this profile.
  • Page 535: Vii-1-10 Sms/Mail Service Object

    This page allows you to set ten profiles which will be applied in Application>>SMS/Mail Alert Service. Each item is explained as follows: Item Description Set to Factory Default Clear all of the settings and return to factory default settings. Index Display the profile number that you can configure.
  • Page 536 the name you can set is 31 characters. Service Provider Use the drop down list to specify the service provider which offers SMS service. Username Type a user name that the sender can use to register to selected SMS provider. The maximum length of the name you can set is 31 characters.
  • Page 537 Vigor router offers several SMS service providers to offer the SMS service. However, if your service provider cannot be found from the service provider list, simply use Index 9 and Index 10 to make customized SMS service. The profile name for Index 9 and Index 10 are fixed. You can click the number (e.g., #9) under Index column for configuration in details.
  • Page 538 Password Type a password that the sender can use to register to selected SMS provider. The maximum length of the password you can set is 31 characters. Quota Type the total number of the messages that the router will send out. Sending Interval Type the shortest time interval for the system to send SMS.
  • Page 539 To set a new profile, please do the steps listed below: 1. Click the Mail Server tab, and click the number (e.g., #1) under Index column for configuration in details. 2. The configuration page will be shown as follows: Available settings are explained as follows: Item Description Profile Name...
  • Page 540: Vii-1-11 Notification Object

    This page allows you to set ten profiles which will be applied in Application>>SMS/Mail Alert Service. You can set an object with different monitoring situation. To set a new profile, please do the steps listed below: 1. Open Object Setting>>Notification Object, and click the number (e.g., #1) under Index column for configuration in details.
  • Page 541 Status Display the status for the category. You can check the box you want to be monitored. 3. After finishing all the settings here, please click OK to save the configuration. Info When Failover Occurred of High Availability is enabled, "Sending Interval" of SMS Provider profile should be set to 0.
  • Page 542: Vii-1-12 String Object

    This page allows you to set string profiles which will be applied in route policy (domain name selection for destination), hotspot web portal and etc. Available settings are explained as follows: Item Description Click it to open the following page for adding a new string object.
  • Page 543: Application Notes

    Follow the steps listed below: Log into the web user interface of Vigor router. Configure relational objects first. Open Object Settings>>SMS/Mail Server Object to get the following page. Index 1 to Index 8 allows you to choose the built-in SMS service provider. If the SMS service provider is not on the list, you can configure Index 9 and Index 10 to add the new service provider to Vigor router.
  • Page 544 After finishing the settings, click OK to return to the previous page. Now you have finished the configuration of the SMS Provider profile setting. Open Object Settings>>Notification Object to configure the event conditions of the notification. Choose any index number (e.g., Index 1 in this case) to configure conditions for sending the SMS.
  • Page 545 After finishing the settings, click OK to return to the previous page. You have finished the configuration of the notification object profile setting. Now, open Application >> SMS / Mail Alert Service. Use the drop down list to choose SMS Provider and the Notify Profile (specify the time of sending SMS). Then, type the phone number in the field of Recipient (the one who will receive the SMS).
  • Page 546 Choose one of the Index numbers (9 or 10) allowing you to customize the SMS Provider. In the web page, type the URL string of the SMS provider and type the username and password. After clicking OK, the new added SMS provider will be added and will be available for you to specify for sending SMS out.
  • Page 547: Usb Application

    USB device connected on Vigor router can be regarded as a server or WAN interface. By way of Vigor router, clients on LAN can access, write and read data stored in USB storage disk with different applications. After setting the configuration in USB Application, you can type the IP address of the Vigor router and username/password created in USB Application>>USB User Management on the client software.
  • Page 548: Web User Interface

    This page will determine the number of concurrent FTP connection, default charset for FTP server and enable SMB service. At present, the Vigor router can support USB storage disk with formats of FAT16 and FAT32 only. Therefore, before connecting the USB storage disk into the Vigor router, please make sure the memory format for the USB storage disk is FAT16 or FAT32.
  • Page 549: Vii-2-2 Usb User Management

    types of character sets. Default Charset is for English based file name. SMB File Sharing Service Click Enable to invoke SMB file sharing service via the router. Access Mode LAN Only – Users coming from internet cannot connect to the SMB server of the router.
  • Page 550 Available settings are explained as follows: Item Description FTP/SMB User Enable – Click this button to activate this profile (account) for FTP service or SMB file sharing service. Later, the user can use the username specified in this page to login into FTP server.
  • Page 551: Vii-2-3 File Explorer

    Access Rule It determines the authority for such profile. Any user, who uses such profile for accessing into USB storage disk, must follow the rule specified here. File – Check the items (Read, Write and Delete) for such profile. Directory –Check the items (List, Create and Remove) for such profile.
  • Page 552: Vii-2-4 Usb Device Status

    storage disk. The uploaded file in the USB diskette can be shared for other user through FTP. This page is to monitor the status for USB device connecting to Vigor router. In addition, the status of the USB modem or USB printer or USB sensor connecting to Vigor router can be checked from such page.
  • Page 553: Viii-2-5 Temperature Sensor

    A USB Thermometer is now available. It complements your installed DrayTek router installations which will help you monitor the server or data communications room environment and notify you if the server room or data communications room is overheating. During summer in particular, it is important to ensure that your server or data communications equipment are not overheating due to cooling system failures.
  • Page 554 Available settings are explained as follows: Item Description Display Settings Temperature Calibration - Type a value used for correcting the temperature error. Temperature Unit - Choose the display unit of the temperature. There are two types for you to choose. Alarm Settings Enable Syslog Alarm - The temperature log will be recorded on Syslog if it is enabled.
  • Page 555: Vii-2-6 Modem Support List

    Such page provides the information about the brand name and model name of the USB modems which are supported by Vigor router.
  • Page 556: Vii-2-7 Smb Client Support List

    SMB Client Support List provides the test status information for applications with file sharing operated under different platforms.
  • Page 557: Application Notes

    Files on USB storage device can be reviewed by opening USB Application>>File Explorer. If it is necessary for you to delete, copy files on the device or write, paste files to the device, it must be done through SMB server or FTP server. SMB service is based on the original USB FTP service.
  • Page 558 Setup a user account for the FTP service by using USB Application >>USB User Management. Click index #1 link, and click Enable to enable FTP/SMB User account. Here we add a new account "user1" and assign authorities “Read”, “Write” and “List” to Click OK to save the configuration.
  • Page 559 When the following screen appears, it means the FTP service is running properly. Return to USB Application >> USB Disk Status. The information for FTP server will be shown as below. Now, users in LAN of Vigor2952 can access into the USB storage device by typing ftp://192.168.1.1 on any browser.
  • Page 561: Part Viii Troubleshooting

    This part will guide you to solve abnormal situations if you cannot access into the Internet after installing the router and finishing the web configuration.
  • Page 562: Viii-1 Diagnostics

    This section will guide you to solve abnormal situations if you cannot access into the Internet after installing the router and finishing the web configuration. Please follow sections below to check your basic installation status stage by stage. Checking if the hardware status is OK or not. ...
  • Page 563: Web User Interface

    First, take a look at the menu items under Diagnostics. Diagnostic Tools provide a useful way to view or diagnose the status of your Vigor router. Click Diagnostics and click Dial-out Triggering to open the web page. The internet connection (e.g., PPPoE) is triggered by a packet sent from the source IP address. Available settings are explained as follows: Item Description...
  • Page 564: Viii-1-2 Routing Table

    Click Diagnostics and click Routing Table to open the web page. Available settings are explained as follows: Item Description Refresh Click it to reload the page.
  • Page 565: Viii-1-3 Arp Cache Table

    Click Diagnostics and click ARP Cache Table to view the content of the ARP (Address Resolution Protocol) cache held in the router. The table shows a mapping between an Ethernet hardware address (MAC Address) and an IP address. Available settings are explained as follows: Item Description Refresh...
  • Page 566: Viii-1-4 Ipv6 Neighbour Table

    The table shows a mapping between an Ethernet hardware address (MAC Address) and an IPv6 address. This information is helpful in diagnosing network problems, such as IP address conflicts, etc. Click Diagnostics and click IPv6 Neighbour Table to open the web page. Available settings are explained as follows: Item Description...
  • Page 567: Viii-1-5 Dhcp Table

    The facility provides information on IP address assignments. This information is helpful in diagnosing network problems, such as IP address conflicts, etc. Click Diagnostics and click DHCP Table to open the web page. Available settings are explained as follows: Item Description Index It displays the connection item number.
  • Page 568: Viii-1-6 Nat Sessions Table

    Click Diagnostics and click NAT Sessions Table to open the list page. Available settings are explained as follows: Item Description Private IP:Port It indicates the source IP address and port of local PC. #Pseudo Port It indicates the temporary port of the router used for NAT. Peer IP:Port It indicates the destination IP address and port of remote host.
  • Page 569: Viii-1-7 Dns Cache Table

    Click Diagnostics and click DNS Cache Table to open the web page. The record of domain Name and the mapping IP address for answering the DNS query from LAN will be stored on Vigor router’s Cache temporarily and displayed on Diagnostics >> DNS Cache Table.
  • Page 570: Viii-1-8 Ping Diagnosis

    Click Diagnostics and click Ping Diagnosis to open the web page. Available settings are explained as follows: Item Description IPV4 /IPV6 Choose the interface for such function. Ping through Use the drop down list to choose the WAN interface that you want to ping through or choose Unspecified to be determined by the router automatically.
  • Page 571 want to ping. IP Address Type the IP address of the Host/IP that you want to ping. Ping IPv6 Address Type the IPv6 address that you want to ping. Click this button to start the ping work. The result will be displayed on the screen.
  • Page 572: Viii-1-9 Data Flow Monitor

    This page displays the running procedure for the IP address monitored and refreshes the data in an interval of several seconds. The IP address listed here is configured in Bandwidth Management. You have to enable IP bandwidth limit and IP session limit before invoking Data Flow Monitor.
  • Page 573 refreshing data flow that will be done by the system automatically. Refresh Click this link to refresh this page manually. Index Display the number of the data flow. IP Address Display the IP address of the monitored device. TX rate (kbps) Display the transmission speed of the monitored device.
  • Page 574: Viii-1-10 Traffic Graph

    Click Diagnostics and click Traffic Graph to open the web page. Choose WAN1/WAN2/WAN3/WAN4 Bandwidth, Sessions, Ping Detect, daily or weekly for viewing different traffic graph. Click Reset to zero the accumulated RX/TX (received and transmitted) data of WAN. Click Refresh to renew the graph at any time. The horizontal axis represents time.
  • Page 575: Viii-1-11 Trace Route

    Click Diagnostics and click Trace Route to open the web page. This page allows you to trace the routes from router to the host. Simply type the IP address of the host in the box and click Run. The result of route trace will be shown on the screen. Available settings are explained as follows: Item Description...
  • Page 576: Viii-1-12 Syslog Explorer

    Protocol Use the drop down list to choose the protocol that you want to ping through. Host/IP Address It indicates the IP address of the host. Trace Host/IP Address It indicates the IPv6 address of the host. Click this button to start route tracing work. Clear Click this link to remove the result on the window.
  • Page 577: Viii-1-13 Ipv6 Tspc Status

    This page displays the syslog recorded on the USB storage disk. Available settings are explained as follows: Item Description Time Display the time of the event occurred. Log Type Display the type of the record. Message Display the information for each event. IPv6 TSPC status web page could help you to diagnose the connection status of TSPC.
  • Page 578: Viii-1-14 High Availability Status

    All of the routers under the same DARP (DrayTek Address resolution Protocol) group can be viewed in such page. However, only partial information of the router status will be displayed. Vigor routers with the following conditions will be treated as the same DARP group: ...
  • Page 579 “All WANs Down” means that no WAN interface connects to Internet. Config Sync Status “Not Ready” means configuration synchronization is unable to execute, or configuration synchronization is disabled, or synchronization initialization executes but fails. “Ready” means configuration synchronization is ready to execute.
  • Page 580: Viii-1-15 Authentication Information

    Such page displays authentication jobs made by Internal RADIUS or Local 802.1X. When the mouse cursor moves to the name link under User Name, the connection message (including authentication failed information) about internal RADIUS or local 802.1X service will be shown by a popped up dialog box. This page will display the complete authentication log information.
  • Page 581: Viii-1-16 Dos Flood Table

    This page displays the IP connections detected by the DoS Flooding Defense mechanism. It is useful and convenient for network engineers (e.g., MIS engineer) to inspect the network environment to find out if there is any abnormal connection. The traced IP addresses and destination ports used for SYN Flood, UDP Flood and ICMP Flood attacks will be detected and shown on separate pages.
  • Page 582 However, if an IP address is confirmed to be blocked due to its abnormal behavior, click the Blocking IP List tab to block it forever. For example, IP address “192.168.1.123” (displayed on the following web page) will be blocked forever. Available settings are explained as follows: Item Description...
  • Page 583: VIII-2 Checking If The Hardware Status Is OK Or Not

    Follow the steps below to verify the hardware status. Check the power line and WLAN/LAN cable connections. Refer to “I-2 Hardware Installation” for details. Turn on the router. Make sure the ACT LED blinks once per second and the corresponding LAN LED is bright.
  • Page 584: VIII-3 Checking If The Network Connection Settings On Your Computer Is OK Or Not

    Sometimes a link failure occurs due to wrong network connection settings. If the link still fails after you have tried the steps in the section above, follow the steps listed below to make sure the network connection settings are OK. Info The example is based on Windows 7. For examples for other operating systems, please refer to the similar steps or find support notes at www.DrayTek.com.
  • Page 585 Select Internet Protocol Version 4 (TCP/IP) and then click Properties. Select Obtain an IP address automatically and Obtain DNS server address automatically. Finally, click OK.
  • Page 586 Double click on the currently used Mac OS on the desktop. Open the Application folder and get into Network. On the Network screen, select Using DHCP from the drop down list of Configure IPv4.
  • Page 587: VIII-4 Pinging The Router From Your Computer

    The default gateway IP address of the router is 192.168.1.1. For some reason, you might need to use “ping” command to check the link status of the router. The most important thing is that the computer will receive a reply from 192.168.1.1. If not, please check the IP address of your computer.
  • Page 589: VIII-5 Checking If The ISP Settings Are OK Or Not

    If the WAN connection cannot come up, check whether the LEDs (according to the LED explanations listed in section I-1) are correct. If the LEDs are off, please: Change the Physical Type from Auto negotiation to other values (e.g., 100M full duplex)....
  • Page 590: VIII-6 Problems For 3G/4G Network Connection

    When you have trouble using 3G/4G network transmission, please check the following: You have to wait about 15 seconds after inserting the 3G/4G USB Modem into your Vigor2952. The USB LED will then light up, which means the installation of the USB Modem is successful. If the USB LED does not light up, please remove and reinsert the modem.
  • Page 591: VIII-7 Backing To Factory Default Setting If Necessary

    Sometimes, a wrong connection can be improved by returning to the default settings. Try to reset the router by software or hardware. This function is available in Admin Mode only. Info After pressing factory default setting, you will lose all settings you made before.
  • Page 592: VIII-8 Contacting DrayTek

    While the router is running (ACT LED blinking), press the Factory Reset button and hold for more than 5 seconds. When you see the ACT LED blink rapidly, please release the button. Then, the router will restart with the default configuration. After restoring the factory default setting, you can configure the settings for the router again to fit your personal needs.
  • Page 593: Appendix I: VLAN Applications On Vigor Router

    A Virtual Local Area Network is known as a VLAN. It offers a logical grouping technique to separate the physical ports of Ethernet switches, so that the local network can be managed more easily, flexibly and securely. For instance, you’re a networking administrator in your company and you’re planning to isolate the visitors’...
  • Page 594 [Note] Vigor routers support the Tag-based feature on both LAN and WAN interfaces. Next, we’ll demonstrate our web design and how to configure the settings by introducing the functionalities of Vigor router. [Note] Broadband router: Vigor2920/Vigor3200/Vigor2925/Vigor2960/Vigor3900 Modem router: Vigor2850/Vigor2952 Trunk mode of LAN A trunk port can carry packets with a VID, but tags non-VID packets with the VID of the trunk port when forwarding them to another switch.
  • Page 596 Multi Subnet (VLAN of LAN)
  • Page 597 Port-based mode Tag-based mode With the above settings, four private networks will be created, and computers attached to each of the LAN ports or SSIDs are able to obtain a private IP address from the corresponding DHCP server (LAN1/LAN2/LAN3/LAN4). However, traffic from LAN ports or SSIDs that are NOT grouped in the same VLAN cannot be forwarded to each other....
  • Page 598 Port-based mode Tag-based mode The above settings deploy a guest network that gives your guests Internet access while keeping their traffic isolated from your private network for security reasons. However, a switch that supports the VLAN function is needed if VLAN Tag is enabled....
  • Page 600 Bridge mode with VLAN A set-top box (STB) or other kinds of media devices can be attached to Port4 or Port5 of the LAN. Devices attached to Port4 or Port5 can directly access the services network that your ISP provides.
  • Page 601: Part IX DrayTek Tools

  • Page 602: SmartVPN Client

    DrayTek has been the world-leading company to integrate VPN with Vigor SOHO routers to serve professionals and business customers with secure data transactions over the Internet. VPN facilities let businesses receive and send data over the Internet through secure tunnels....
  • Page 603: IX-1-2 How To Use SmartVPN Android App To Establish SSL VPN Tunnel

    SmartVPN APP for Android is now available on Google Play. This document demonstrates how to use the APP to establish an SSL VPN tunnel. On the VPN server, create an SSL user account. Please refer to “How to Set up SSL VPN” on www.draytek.com for detailed instructions.
  • Page 604 Edit the profile. a. Enter description of this profile. b. Enter VPN Server's IP in Server. c. Enter Port as the port which VPN server uses for SSL VPN; for Vigor Routers, it is 443 by default. d. Tap SAVE to save the profile or “<” to cancel. Info Installation of relevant Root CA is required to enable server certificate authentication.
  • Page 605 When the tunnel is up, the profile will turn green. Tapping the bar again disconnects the tunnel. Tap the pencil icon to edit or remove the profile.
  • Page 607: Part X Telnet Commands

  • Page 608: Accessing Telnet Of Vigor2952

    This chapter also gives you a general description of accessing telnet and describes the firmware versions for the routers explained in this manual. Info For Windows 7 users, please make sure the Telnet Client Windows feature has been turned on under Control Panel>>Programs. Type cmd and press Enter....
  • Page 609 For users of earlier Windows systems (e.g., 2000/XP), simply click Start >> Run and type Telnet 192.168.1.1 in the Open box as below. Next, type admin/admin for Account/Password. Then type ? to get a list of valid/common commands.
  • Page 610 This command allows you to configure a network setting specified for Australia’s ISP. bpa m [-<command> <parameter> | ... ] Parameter Description Available settings are 1 and 2. -a <enable> 1/0 to enable/disable this entry -n <UserName> contact UserName(max. 24 characters) -p <PassWord>...
  • Page 611 INDEX Specify the index number of CSM profile, from 1 to 32. View the configuration of the CSM profile. Set a name for the CSM profile. NAME Specify a name for the CSM profile, less than 15 characters. setdefault Reset to default settings. >...
  • Page 612 csm appe show [-a|-i|-p|-t|-m] Parameter Description View the configuration status for All groups. View the configuration status of IM group. View the configuration status of P2P group. View the configuration status of protocol group. View the configuration status of Others group. >csm appe show -t Type Index...
  • Page 613 OTHERS TUNNEL HTTP Tunnel Disable OTHERS TUNNEL Hamachi Disable OTHERS TUNNEL Hotspot Shield Disable OTHERS TUNNEL MS Teredo Disable OTHERS TUNNEL PGPNet Disable OTHERS TUNNEL Ping Tunnel Disable ------------------------------------------------------------------ Total 66 APPs > It is used to configure APPE signature download interface. csm appe interface [AUTO/WAN#] AUTO Vigor router specifies WAN interface automatically.
  • Page 614 It is used to configure settings for URL control filter profile. csm ucf show csm ucf setdefault csm ucf msg MSG csm ucf obj INDEX [-n PROFILE_NAME | -l [P|B|A|N] | uac | wf ] csm ucf obj INDEX -n PROFILE_NAME csm ucf obj INDEX -p VALUE csm ucf obj INDEX -l P|B|A|N csm ucf obj INDEX uac...
  • Page 615 Log:[none] Priority Select : [Bundle : Pass] [ ]Enable URL Access Control Action:[pass] [ ]Prevent web access from IP address. No Obj NO. Object Name --- -------- --------------------------------- No Grp NO. Group Name --- -------- --------------------------------- This command configures the settings for URL Access Control (uac). csm ucf obj INDEX uac -v csm ucf obj INDEX uac -e csm ucf obj INDEX uac -d...
  • Page 616 Profile Index: 1 Profile Name:[game] Log:[none] Priority Select : [Bundle : Pass] [ ]Enable URL Access Control Action:[pass] [v]Prevent web access from IP address. No Obj NO. Object Name --- -------- --------------------------------- No Grp NO. Group Name --- -------- --------------------------------- >...
  • Page 617 This command configures the settings for Web Feature (wf). csm ucf obj INDEX wf -v csm ucf obj INDEX wf -e csm ucf obj INDEX wf -d csm ucf obj INDEX wf -a P|B csm ucf obj INDEX wf -s WEB_FEATURE csm ucf obj INDEX wf -u WEB_FEATURE csm ucf obj INDEX wf -f File_Extension_Object_index Parameter...
  • Page 618 [ ]Enable Restrict Web Feature Action:[pass] File Extension Object Index : [0] Profile Name : [] [V] Cookie [ ] Proxy [ ] Upload This command configures the settings for the web control filter (wcf). csm wcf show csm wcf look csm wcf cache csm wcf server WCF_SERVER csm wcf msg MSG...
  • Page 619 B: Block, A: All, N: None Set the keyword object. KEY_WORD_Object_Index Specify the index number of the object profile. Set the keyword group. KEY_WORD_Group_Index Specify the index number of the group profile. Set the action for the black and white list. E:Enable, D:Disable, P:Pass,...
  • Page 620 > csm wcf obj 1 -n test_wcf Profile Index: 1 Profile Name:[test_wcf] []White/Black list Action:[block] No Obj NO. Object Name --- -------- --------------------------------- No Grp NO. Group Name --- -------- --------------------------------- Action:[block] Log:[block] ------------------------------------------------------------------ ------------- child Protection Group: [v]Alcohol & Tobacco [v]Criminal &...
  • Page 621 csm dnsf profile_edit INDEX -w WCF_PROFILE csm dnsf profile_edit INDEX -u UCF_PROFILE csm dnsf profile_edit INDEX -c CACHE_TIME Parameter Description Enable ON|OFF Enable or disable DNS Filter. ON: enable. OFF: disable. syslog N|P|B|A Determine the content of records transmitting to Syslog. P: Pass.
  • Page 622 >csm dnsf service 3 wcf profile 3 is empty..>csm dnsf cachetime 1 dns cache time set up!!! Displays the DDNS log. >ddns log > Sets and displays the DDNS time. ddns time <update in minutes> Parameter Description Update in minutes Type the value as DDNS time.
  • Page 623 Enable the defense function for a specific attack and set its parameter(s). ATTACK_F Specify the name of flooding attack(s) or portscan, e.g., synflood, udpflood, icmpflood, or portscan. THRESHOLD It means the packet rate (packet/second) at which a flooding attack will be detected. Set a value larger than 20. TIMEOUT It means the time (seconds) for which a flooding attack will be blocked....
  • Page 624 -P <on/off> Enable PPPoE Service. -u <username> Set username (max. 49 characters) for Internet accessing. -p <password> Set password (max. 49 characters) for Internet accessing. -a n It means to set PPP Authentication Type and n means different types (represented by 0-1). n=0: PAP/CHAP (this is default setting) n=1: PAP Only -t n...
  • Page 625 -L n Set (PPP mode) WAN Connection Detection TTL (1-255) value. -E <sim pin code> Set (DHCP mode) SIM PIN code (max. 19 characters). -G <mode> Set (DHCP mode) Network Mode. <mode> 0: 4G/3G/2G; 1: 4G Only; 2: 3G Only; 3: 2G Only -N <apn name>...
  • Page 626 public subnet enabled! This command allows to set the IP routed subnet for the router. ip pubaddr ? ip pubaddr <public subnet IP address> Parameter Description Display an IP address which allows users set as the public subnet IP address. public subnet IP address Specify an IP address.
  • Page 627 This command is used for configuring WAN IP Alias. ip aux add [IP] [Join to NAT Pool][wanX] ip aux remove [index] Parameter Description Create a new WAN IP address. remove Delete an existing WAN IP address. It means the auxiliary WAN IP address. Join to NAT Pool 0 (disable) or 1 (enable)....
  • Page 628 segment), the IP address of the PC must be fixed with the same LAN IP address (network segment) set by this command for accessing into the web user interface of the router. Later, modify the start addresses for the DHCP server.
  • Page 629 5: Accept VRRP mac into arp table status: display the setting status. Time Available settings will be 10, 20, 30,..2550 seconds. > ip arp status [ARP Table] Index IP Address MAC Address Netbios Name Interface VLAN Port 192.168.1.5 00-05-5D-E4-D8-EE LAN1 VLAN0 >...
  • Page 630 >ip dhcpc status I/F#3 DHCP Client Status: DHCP Server IP : 172.16.3.7 WAN Ipm : 172.16.3.40 WAN Netmask : 255.255.255.0 WAN Gateway : 172.16.3.1 Primary DNS : 168.95.192.1 Secondary DNS : 0.0.0.0 Leased Time : 259200 Leased Time T1 : 129600 Leased Time T2 : 226800 Leased Elapsed...
  • Page 631 >ip tracert 22.128.2.62 WAN1 Traceroute to 22.128.2.62, 30 hops max 172.16.3.7 10ms 172.16.1.2 10ms Request Time out. 168.95.90.66 50ms 211.22.38.134 50ms 220.128.2.62 50ms Trace complete This command allows users to access specified device by telnet. ip telnet [IP address][Port] Parameter Description IP address Type the WAN or LAN IP address of the remote device.
  • Page 632 ip wanrip [ifno] -e [0/1] Parameter Description ifno It means the connection interface. 1: WAN1,2: WAN2, 3: PVC3,4: PVC4,5: PVC5 Note: PVC3 ~PVC5 are virtual WANs. It means to disable or enable RIP setting for specified WAN interface. 1: Enable the function of setting RIP of WAN IP. 0: Disable the function.
  • Page 633 ip route clean [1/0] Parameter Description It means to add an IP address as static route. It means to delete specified IP address. status It means current status of static route. It means the IP address of the destination. netmask It means the netmask of the specified IP address.
  • Page 634 It means to specify WAN interface for IGMP service. query It means to set IGMP general query interval. The default value is 125000 ms. 0 – No need to set IGMP with PPP header. 1 – Set IGMP with PPP header. status It means to display current status for proxy server.
  • Page 636 Specify MAC address of certain device as the DMZ host. ip dmz [mac] Parameter Description It means the MAC address of the device that you want to specify. >ip dmz ? % ip dmz <mac>, now : 00-00-00-00-00-00 > ip dmz 11-22-33-44-55-66 >...
  • Page 637 ip session on ip session off ip session default [num] ip session defaultp2p [num] ip session status ip session show ip session timer [num] ip session [block/unblock][IP] ip session [add/del][IP1-IP2][num][p2pnum] Parameter Description Turn on session limit for each IP. Turn off session limit for each IP. default [num] Set the default number of session num limit.
  • Page 638 This command allows users to set maximum bandwidth limit number for the specified IP. ip bandwidth on ip bandwidth off ip bandwidth default [tx_rate][rx_rate] ip bandwidth status ip bandwidth show ip bandwidth [add/del] [IP1-IP2][tx][rx][shared] Parameter Description Turn on the IP bandwidth limit. Turn off the IP bandwidth limit.
  • Page 639 ip bindmac off ip bindmac strict_on ip bindmac show ip bindmac add [IP][MAC][Comment] ip bindmac del [IP]/all Parameter Description Turn on IP bindmac policy. Even if the IP is not in the policy table, it can still access the network. Turn off all the bindmac policy. strict_on It means that only those IP addresses in the IP bindmac policy table can access the network....
  • Page 640 This command is used to set the maximum number of NAT users. ip maxnatuser user no Parameter Description User no A number specified here means the total NAT users that Vigor router supports. 0 – It means no limitation. > ip maxnatuser 100 % Max NAT user = 100 This command is used to set the IP policy route profile.
  • Page 641 Any: It means any port number can be used as destination port. -G [default/specific] Specify the gateway mode. -L [default/specific] Specify the failover gateway mode. -s [value] Indicate the source IP start. Value: The type format shall be “xxx.xxx.xxx.xxx”. (e.g, 192.168.1.0) -S [value] Indicate the source IP end.
  • Page 642 Value: Available settings include, 0: Disable the function of “failback”. 1: Enable the function of “failback”. -v: View current failback setting. Diagnose for Policy Route -s [value] It means “source IP”. Value: Available settings include: Any: It indicates any IP address can be used as source IP address. “xxx.xxx.xxx.xxx”: The type format (e.g, 192.168.1.0).
  • Page 643 -e <0/1> 0: disable the selected LAN DNS profile. 1: enable the selected LAN DNS profile. -i <profile setting index number> Type the index number of the profile. List the content of LAN DNS profile (including domain name, IP address and message). -n <domain name>...
  • Page 644 > ip dnsforward -i 1 -n ftp.drayTek.com % Configure Set1's DomainName:ftp.drayTek.com > ip dnsforward -i 1 -a 172.16.1.1 % Configure Set1's IP:172.16.1.1 > ip dnsforward -i 1 -l % Idx: 1 % State: Disable % Profile: test % Domain Name: ftp.drayTek.com % DNS Server IP: 172.16.1.1 >...
  • Page 645 Parameter Description req_opt It means option-request. LAN|WAN1|WAN2|iface# It means to specify LAN or WAN interface for such address. [<command> <parameter>|…] The available commands with parameters are listed below. […] means that you can type in several commands in one line. It means to show current DHCPv6 status....
  • Page 646 Address. -c [parameter] It means to send rapid commit to server. -i [parameter] It means to send information request to server. -e[parameter] It means to enable or disable the DHCPv6 client. 1: Enable 0: Disable > ip6 dhcp client WAN2 -p 2008::1 >...
  • Page 647 > ip6 dhcp server -a % Interface LAN has following DHCPv6 server settings: DHCPv6 server disabled maximum address of the pool: FF02::3 minimum address of the pool: FF02::1 1st DNS IPv6 Addr: FF02::1 Vigor2952 Series User’s Guide...
  • Page 648 This command allows you to configure settings for accessing Internet. ip6 internet -W n -M n [-<command> <parameter> | ... ] Parameter Description -W n W means to set WAN interface and n means different selections. Default is WAN1. n=1: WAN1 n=2: WAN2 n=3: WAN3 n=X: WANx...
  • Page 649 -p [prefix] Set Subnet Prefix (AICCU). -l n Subnet Prefix length (AICCU). -o [0/1] Set AICCU always on. On = 1, Off = 0. Set AICCU tunnel ID. For Static -w [addr] Set Default Gateway. Addr= IPv6 address. For others -d <server>...
  • Page 650 Parameter Description It means to add a neighbour. It means to delete a neighbour. It means to show neighbour status. inet6_addr Type an IPv6 address eth_addr Type submask address. LAN|WAN1|WAN2 Specify an interface for the neighbor. > ip6 neigh -s 2001:2222:3333::1111 00:50:7F:11:ac:22:WAN2 Neighbour 2001:2222:3333::1111 successfully added! >...
  • Page 651 This command allows you to add a proxy neighbour. ip6 pneigh -s inet6_addr [LAN1|LAN2|...|LAN4|WAN1|WAN2|USB1|USB2] ip6 pneigh -d inet6_addr [LAN1|LAN2|...|LAN4|WAN1|WAN2|USB1|USB2] ip6 pneigh -a [inet6_addr] [-N LAN1|LAN2|...|LAN4|WAN1|WAN2|USB1|USB2] Parameter Description It means to add a proxy neighbour. It means to delete a proxy neighbour. It means to show proxy neighbour status.
  • Page 652 > ip6 route -s FE80::250:7FFF:FE12:500 16 FE80::250:7FFF:FE12:100 LAN Route FE80::250:7FFF:FE12:500/16 successfully added! > ip6 route -a LAN PREFIX/PREFIX-LEN _EXPIRES_ _NEXT-HOP_ I/F METRIC STATE FLAGS ------------------------------------------------------------------------- ------ FE80::/128 UNICAST FE80::250:7FFF:FE00:0/128 UNICAST FE80::/64 UNICAST FE80::/16 1024 UNICAST FE80::250:7FFF:FE12:100 FF02::1/128 UNICAST FF02::1 FF00::/8 UNICAST ::/0 UNREACHABLE !
  • Page 653 This command allows you to trace the routes from the router to the host. ip6 tracert [IPV6 address/Host] [LAN1|LAN2|...|LAN4|WAN1|WAN2|USB1|USB2] Parameter Description IPV6 address/Host It means to specify the IPv6 address or host for ping. LAN1|LAN2|...|LAN4|WAN1|WAN2|USB1|USB2 It means to specify LAN or WAN interface for such address. >...
  • Page 654 Tunnel Broker: Amsterdam.freenet.net Status: Connected > This command allows you to enable or disable the RADVD server. ip6 radvd [LAN1|LAN2|...|LAN4] [-<command> <parameter>| ... ] ip6 radvd [R|u] Parameter Description LAN1|LAN2|...|LAN4 It means to specify LAN interface for such address. <command> <parameter> It means to enable or disable the default lifetime of the RADVD server....
  • Page 655 > ip6 radvd LAN1 -v % [LAN1] setting ! Status : Enable RDNSS : Enable Default Lifetime : 1800 seconds min interval time: 200 seconds MAX interval time: 600 seconds Hop limit : 64 : auto Reachable time Retransmit time : 0 Preference : Medium Prefix valid lifetime...
  • Page 656 > ip6 mngt list % IPv6 Access List : Index IPv6 Prefix Prefix Length ======================================== FE80::250:7FFF:FE12:1010 FE80::250:7FFF:FE12:1020 FE80::250:7FFF:FE12:2080 > ip6 mngt status % IPv6 Remote Management : telnet : off, http : off, ping : off This command allows you to check the online status of IPv6 LAN /WAN. ip6 online [WAN1|WAN2|USB1|USB2] Parameter Description...
  • Page 657 ifno=x, WANx Show the interface status. > ip6 aiccu -i 1 -r reset AICCU Retry Account OK! > This command allows you to set IPv6 settings for the NTP (Network Time Protocol) server. ip6 ntp -h ip6 ntp -v ip6 ntp -p [0/1] Parameter Description -h...
  • Page 658 -D <server> Set second DNS Server IP. <server>= IPv6 Address. -m n Set IPv6 LAN management. Default is SLAAC. n = 0: OFF n = 1: SLAAC n = 2: DHCPv6. -o n Enable Other option(O-bit) flag. (O-bit is redundant when management is DHCPv6) n= 0: Disable n= 1: Enable....
  • Page 659 > ipf view -V -c -d ipf: IP Filter: v3.3.1 (1824) Kernel: IP Filter: v3.3.1 Running: yes Log Flags: 0x80947278 = nonip Default: pass all, Logging: available This command is used to set general rule for firewall. ipf set [Options] ipf set [SET_NO] rule [RULE_NO] [Options] Parameter Description...
  • Page 660 matching with any rule, e.g., -U 1 Type “0” to let all the packets pass; Type “1” to block all the packets. -W [WEB_NO] Setup WEB Content Filter for packet not matching any rule. -D[ DNS_NO] Setup DNS Filter for packet not matching any rule. -g [VALUE] Setup DNS Filter syslog.
  • Page 661 This command is used to set filter rule for firewall. ipf rule s r [-<command> <parameter> | ... ipf rule s r -v Parameter Description It means the Filter Set, ranging from 1~12. It means the Filter Rule, ranging from 1~7. <Command><parameter>...
  • Page 662: Index

    o – indicates “object”. g – indicates “group” <obj>– indicates index number of object or index number of group. Available settings range from 1-192. For example, “-d g 1" means the first destination IP group profile. -S o:g <obj> It means to specify Service Type object and IP group. o –...
  • Page 663 log flag - 0 means disable to save and display in Syslog; 1 means enable to save and display in Syslog. -u <index> <Log Flag> It means to specify which URL Content Filter profile will be applied. <index> – Available settings range from 0 ~ 8. “0” means no profile will be applied.
  • Page 664 Filter Set 2 Rule 1: Status : Enable Comments: Your Index(1-15) in Schedule Setup: <null>, <null>, <null>, <null> Direction : LAN -> WAN Source IP : Object1, Destination IP: Object2, Service Type : TCP/UDPObject1, Fragments : Don't Care Pass or Block : Block Immediately Branch to Other Filter Set: None Max Sessions Limit...
  • Page 665 specify any IP address, then all the session state of flowtrack will be displayed. It means to show the state of all IP sessions. -i [IP address] It means to specify IP address (e.g., -i 192.168.2.55). -p[value] It means to type a port number (e.g., -p 1024). Available settings are 0 ~ 65535....
  • Page 666 It means to show all logs saved in the log buffer. It means to show WAN log. It means to show packet body hex dump. > log -w 25:36:25.580 ---->DHCP (WAN-5) Len = 548XID = 0x7880fdd4 Client IP = 0.0.0.0 Your IP = 0.0.0.0 Next server IP = 0.0.0.0...
  • Page 667 >ldap user 1 -n LD_user_test1 Profile Name has been updated! > ldap user 1 -v Profile Index:1 Profile Name:LD_user_test1 Common Name Identifier: Base Distinguished Name: Additional Filter: Group distinguished Name: This command is used to check current status of LDAP settings configuration. ldap view >...
  • Page 668 Please use "sys reboot" command to reboot the router. > tacacsplus view TACACS+ Enable:Enable. TACACS+ Server IP:192.168.1.59 TACACS+ Server Port:49 TACACS+ Type:ASCII TACACS+ Shared Secret: This command allows users to check the general settings for the TACACS+ server. tacacsplus view > tacacsplus view TACACS+ Enable:Enable....
  • Page 669 > mngt httpport 80 % Set web server port to 80 done. This command allows users to set HTTPS port for management. mngt httpsport [Https port] Parameter Description Https port It means to type the number for HTTPS port. The default setting is 443.
  • Page 670 % Set ssh port to 23 done. This command is used to pass or block Ping from LAN PC to the internet. mngt noping [on] mngt noping [off] mngt noping [viewlog] mngt noping [clearlog] Parameter Description All PING packets will be forwarded from LAN PC to Internet. All PING packets will be blocked from LAN PC to Internet.
  • Page 671 This command can block specified port for passing through the router. mngt defenseworm [on] mngt defenseworm [off] mngt defenseworm [add port] mngt defenseworm [del port] mngt defenseworm [viewlog] mngt defenseworm [clearlog] Parameter Description It means to activate the function of defense worm packet out. It means to inactivate the function of defense worm packet out.
  • Page 672 Internet. http/https/ftp/telnet/ssh/tr069 It means to specify one of the servers/protocols for enabling or disabling. on/off on – enable the function. off – disable the function. > mngt rmtcfg ftp on Enable server fail Remote configure function has been disabled please enable by enter mngt rmtcfg enable >...
  • Page 673 > mngt lanaccess -i LAN3 > > mngt lanaccess -v Current LAN Access Control Setting: * Enable:Yes * Service: - FTP:Yes - HTTP:No - HTTPS:No - TELNET:Yes - SSH:No * Subnet: - LAN 2: disabled - LAN 3: enabled - LAN 4: disabled - LAN 5: disabled - LAN 6: disabled - DMZ: disabled...
  • Page 674 Parameter Description list It can display current setting for your reference. It means adding a new entry. index It means to specify the number of the entry. ip addr It means to specify an IP address. mask It means to specify the subnet mask for the IP address. remove It means to delete the selected item.
  • Page 675 -T 88 SNMP Agent Turn on!!! Get Community set to draytek Set Community set to DK Manager Host IP set to 192.168.1.1 Trap Community set to trapcom Notification Host IP set to 10.20.3.40 Trap Timeout set to 88 seconds This command is used to configure multi-subnet. msubnet switch [2/3/4/5/6/7/8][On/Off] Parameter Description...
  • Page 676 This command is used to configure net mask address for the specified LAN interface. msubnet nmask [2/3/4/5/6/7/8][IP address] Parameter Description 2/3/4/5/6/7/8 It means LAN interface. 2=LAN2, 3=LAN3, 4=LAN4, 5=LAN5, 6=LAN6, 7=LAN7, 8=LAN8 IP address Type the subnet mask address for the specified LAN interface. >...
  • Page 677 On/Off On means enabling the DHCP server for the specified LAN interface. Off means disabling the DHCP server. > msubnet dhcps 3 off % LAN3 Subnet DHCP Server disabled! This setting will take effect after rebooting. Please use "sys reboot" command to reboot the router. This command is used to configure the subnet for NAT or Routing usage.
  • Page 678 % Set LAN2 Dhcp Gateway IP done !!! This setting will take effect after rebooting. Please use "sys reboot" command to reboot the router. This command is used to define the total number allowed for each LAN interface. msubnet ipcnt [2/3/4/5/6/7/8] [IP counts] Parameter Description 2/3/4/5/6/7/8...
  • Page 679 LAN1 LAN2 LAN3 LAN4 LAN5 LAN6 LAN7 LAN8 % LAN1 % LAN2 % LAN3 % LAN4 % LAN5 % LAN6 % LAN7 % LAN8 This command is used to configure a starting IP address for DHCP. msubnet startip [2/3/4/5/6/7/8] [Gateway IP] Parameter Description 2/3/4/5/6/7/8...
  • Page 680 This setting will take effect after rebooting. Please use "sys reboot" command to reboot the router. > msubnet pppip ? % msubnet pppip <2/3/4> <Start IP> % Now: LAN2 192.168.2.250; LAN3 192.168.3.200; LAN4 192.168.4.200 This command is used to specify the type for node which is required by DHCP option. msubnet nodetype [2/3/4/5/6/7/8][count] Parameter Description...
  • Page 681 2/3/4/5/6/7/8 It means LAN interface. 2=LAN2, 3=LAN3, 4=LAN4, 5=LAN5, 6=LAN6, 7=LAN7, 8=LAN8 WINS IP Type the IP address as the WINS IP. > > msubnet primWINS ? % msubnet primWINS <2/3/4> <WINS IP> % Now: LAN2 0.0.0.0; LAN3 0.0.0.0; LAN4 0.0.0.0 >...
  • Page 682 This command is used to set TFTP server for multi-subnet. msubnet tftp [2/3/4/5/6/7/8] [TFTP server name] Parameter Description 2/3/4/5/6/7/8 It means LAN interface. 2=LAN2, 3=LAN3, 4=LAN4, 5=LAN5, 6=LAN6, 7=LAN7, 8=LAN8 TFTP server name Type a name to indicate the TFTP server. >...
  • Page 683 > msubnet mtu LAN1 1492 % Set LAN1 subnet mtu as 1492 > msubnet mtu ? Usage: >msubnet mtu <interface> <value> <interface>: LAN1~LAN4,IP_Routed_Subnet, <value>: 1000 ~ 1496 (Bytes), default: 1500 (Bytes) e.x: >msubnet mtu LAN1 1492 Current Settings: LAN1 MTU: 1492 (Bytes) LAN2 MTU: 1500 (Bytes)...
  • Page 684 -s INVERT It means to set invert selection for the object profile. INVERT=0, means disabling the function. INVERT=1, means enabling the function. Example: object ip obj 3 -s 1 -a TYPE It means to set the address type and IP for the IP object profile. TYPE=0, means Mask TYPE=1, means Single TYPE=2, means Any...
  • Page 685 INTERFACE=0, means any INTERFACE=1, means LAN INTERFACE=2, means WAN Example: object ip grp 3 -i 0 -a IP_OBJ_INDEX It means to specify IP object profiles for the group profile. Example: object ip grp 3 -a 1 2 3 4 5 The IP object profiles with index number 1,2,3,4 and 5 will be grouped under such profile....
  • Page 686 This comman is used to create an IP object profile. object ip obj setdefault object ip obj INDEX -v object ip obj INDEX -n NAME object ip obj INDEX -i INTERFACE object ip obj INDEX -s INVERT object ip obj INDEX -a TYPE [START_IP] [END/MASK_IP] Parameter Description setdefault...
  • Page 687 Interface:[Any] Address type:[single] Start ip address:[192.168.1.45] End/Mask ip address:[0.0.0.0] Invert Selection:[0] This command is used to integrate several IP objects under an IP group profile. object ip grp setdefault object ip grp INDEX -v object ip grp INDEX -n NAME object ip grp INDEX -i INTERFACE object ip grp INDEX -a IP_OBJ_INDEX Parameter...
  • Page 688 [7:][0] > object ip grp 2 -i 1 > object ip grp 2 -a 1 2 IP Group Profile 2 Name :[First] Interface:[Lan] Included ip object index: [0:][1] [1:][2] [2:][0] [3:][0] [4:][0] [5:][0] [6:][0] [7:][0] This command is used to create service object profile. object service obj setdefault object service obj INDEX -v object service obj INDEX -n NAME...
  • Page 689 same, it indicates one port; when the starting port and ending port values are different, it indicates a range for the port and available for this service type. 1=not equal(!=), when the starting port and ending port values are the same, it indicates all the ports except the port defined here; when the starting port and ending port values are different, it indicates that all the ports except the range defined here are available for this service type.
  • Page 690 NAME: Type a name with less than 15 characters. Example: object service grp 8 -n bruce -a SER_OBJ_INDEX It means to specify service object profiles for the group profile. Example: :object service grp 3 -a 1 2 3 4 5 The service object profiles with index number 1,2,3,4 and 5 will be grouped under such profile.
  • Page 691 PAGE: type the page number. show It means to show the contents for all of the profiles. INDEX It means the index number of the specified keyword profile. It means to view the information of the specified keyword profile. -n NAME It means to define a name for the keyword profile.
  • Page 692 It means to disable the specific CATEGORY or FILE_EXTENSION CATEGORY|FILE_EXTENSION CATEGORY: Image, Video, Audio, Java, ActiveX, Compression, Executation Example: object fe obj 1 -e Image FILE_EXTENSION: ".bmp", ".dib", ".gif", ".jpeg", ".jpg", ".jpg2", ".jp2", ".pct", ".pcx", ".pic", ".pict", ".png", ".tif", ".tiff", ".asf", ".avi", ".mov", ".mpe", ".mpeg", ".mpg", ".mp4", ".qt", ".rm", ".wmv", ".3gp", ".3gpp", ".3gpp2", ".3g2", ".aac", ".aiff", ".au", ".mp3", ".m4a", ".m4p", ".ogg", ".ra", ".ram", ".vox", ".wav", ".wma",...
  • Page 693 ------------------------------------------------------------------------- ------ Executation category: [ ].bas [ ].bat [ ].com [ ].exe [ ].inf [ ].pif [ ].reg [ ].scr
  • Page 694 This command allows users to set the speed for specific port of the router. port [1, 2, 3, 4, wan2, all] [AN, 1000F, 100F, 100H, 10F, 10H, status] port wan1 fiber [AUTO, 1000M, 100M, status] port wan1 ethernet [AN, 1000F, 100F, 100H, 10F, 10H, status] port status port sniff [on,off,port,txrx,restart,status] port 802.1x[enable,disable,status,addport,delport]...
  • Page 695 <sec>: Type a number to set the UDP session timeout. -i <sec> It means “IGMP” protocol. <sec>: Type a number to set the IGMP session timeout. -w <sec> It means “TCP WWW” protocol. <sec>: Type a number to set the TCP WWW session timeout. -s <sec>...
  • Page 696 -e <end port> Specify an ending port number for Specific Host mode > ppa -m 1 -p 1 -b 0 Set ok! The PPA mode is Auto % You need to set the Manual mode first ! %TWO way accleration is disable >...
  • Page 697 This command allows user to set general settings for QoS. qos setup [-<command> <parameter> | ... ] Parameter Description [<command> The available commands with parameters are listed below. <parameter>|…] […] means that you can type in several commands in one line. Type it to display the usage of this command.
  • Page 698 This command allows user to set QoS class. qos class -c [no] –[a|e|d] [no][-<command> <parameter> | ... ] Parameter Description [<command> The available commands with parameters are listed below. <parameter>|…] […] means that you can type in several commands in one line. Type it to display the usage of this command.
  • Page 699 -u <Service type> Set a number to make user defined service type. Available number is: 1 ~ 40. -S <d/s> Show the content for specified DSCP ID/Service type. -V <1/2/3> Show the rule in the specified class. […] It means that you can type in several commands in one line. >...
  • Page 700 > qos type -a draytek -t 6 -p 510:1330 service name set to draytek service type set to 6:TCP Port type set to Range Service Port set to 510 ~ 1330 > This command allows user to enable or disable the QoS for VoIP and RTP. qos voip [on/off] Parameter Description...
  • Page 701 [X]Route 192.168.0.1 255.255.255.0 0.0.0.0 192.168.0.1 This command displays current status of DMZ host. > show dmz WAN1 DMZ mapping status: Index Status WAN1 aux IP Private IP ---------------------------------------------------- Disable 0.0.0.0 Disable 202.211.100.11 WAN2 DMZ mapping status: Index Status WAN2 aux IP Private IP ---------------------------------------------------- Disable 0.0.0.0...
  • Page 702 % LAN6 Secondary DNS: [Not set] % LAN7 Primary DNS: [Not set] % LAN7 Secondary DNS: [Not set] % LAN8 Primary DNS: [Not set] % LAN8 Secondary DNS: [Not set] This command displays current status of open port setting. > show openport Openport settings: Index Status Comment...
  • Page 703 This command displays the table of NAT Active Sessions. > show portmap ------------------------------------------------------------------------- Private_IP:Port Pseudo_IP:Port Peer_IP:Port [Timeout/Protocol/Flag] ------------------------------------------------------------------------- This command displays the reuse time of NAT session. Level0: It is the default setting. Level1: It will be applied when the NAT sessions are smaller than 25% of the default setting. Level2: It will be applied when the NAT sessions are smaller than the eighth of the default setting.
  • Page 704 WAN 1 Status: Disconnected Enable:Yes Line:xDSL Name: Mode:PPPoE Up Time:0:00:00 IP:--- GW IP:--- TX Packets:0 TX Rate:0 RX Packets:0 RX Rate:0 WAN 2 Status: Disconnected Enable:Yes Line:Ethernet Name: Mode:--- Up Time:0:00:00 IP:--- GW IP:--- TX Packets:0 TX Rate:0 RX Packets:0 RX Rate:0 WAN 3 Status: Disconnected Enable:Yes...
  • Page 705 This command is used to configure file sharing settings for SMB server. smb setting [enable/disable] smb setting show status smb setting set workgroup [Workgroup name] smb setting set host [host name] smb setting set access [LAN or LANWAN] Parameter Description enable/disable Enable or disable the SMB service.
  • Page 706 > srv dhcp dhcp2 -v 2nd DHCP server flag status -- Server works on specified MAC address: ON Server works on specified LAN port: OFF Port 1 flag: ON Port 2 flag: ON Port 3 flag: ON Port 4 flag: OFF This command allows users to configure DHCP server for second subnet.
  • Page 707 This command allows users to set Primary IP Address for DNS Server in LAN. srv dhcp dns1 [lan1/lan2/lan3/lan4/lan5/lan6/lan7/lan8][DNS IP address] Parameter Description lan1/lan2/lan3/lan4/lan5/lan6/lan7/lan8 It means the LAN port number. DNS IP address It means the IP address that you want to use as DNS1. Note: The IP Routed Subnet DNS must be the same as NAT Subnet DNS.
  • Page 708 This command can force the router to invoke DNS Server IP address. srv dhcp frcdnsmanl [on] srv dhcp frcdnsmanl [off] Parameter Description It means to display the current status. It means to use manual setting for DNS setting. It means to use auto settings acquired from ISP. >...
  • Page 709 This command allows users to specify IP counts for DHCP server. srv dhcp ipcnt [IP counts] Parameter Description IP counts It means the number that you have to specify for the DHCP server. > srv dhcp ipcnt ? % srv dhcp ipcnt <IP counts> % Now: 150 This function allows users to turn off DHCP server.
  • Page 710 Parameter Description IP address It means the IP address that you can specify for the DHCP server as the starting point. > srv dhcp startip 192.168.1.53 This setting will take effect after rebooting. Please use "sys reboot" command to reboot the router. This command can display general information for the DHCP server, such as IP address, MAC address, leased time, host ID and so on.
  • Page 711 This command can set the lease time for the DHCP server. srv dhcp leasetime [Lease Time (sec)] Parameter Description Lease Time (sec) It means the lease time that DHCP server can use. The unit is second. > srv dhcp leasetime ? % srv dhcp leasetime <Lease Time (sec.)>...
  • Page 712 This command can set the primary IP address for the DHCP server. srv dhcp primWINS [WINS IP address] srv dhcp primWINS clear Parameter Description WINS IP address It means the IP address of primary WINS server. clear It means to remove the IP address settings of primary WINS server. >...
  • Page 713 This command can set the time to check if the IP address can be assigned again by DHCP server or not. srv dhcp expRecycleIP <sec time> Parameter Description sec time It means to set the time (5~300 seconds) for checking if the IP can be assigned again or not.
  • Page 714 This command can set the custom option for the DHCP server. srv dhcp option -h srv dhcp option -l srv dhcp option -d [idx] srv dhcp option -e [1 or 0] -i [lan number] -s [Next Server IP Address] srv dhcp option -e [1 or 0] -i [lan number] -c [option number] -v [option value] srv dhcp option -e [1 or 0] -i [lan number] -c [option number] -x [option value] srv dhcp option -e [1 or 0] -i [lan number] -c [option number] -a [option value] srv dhcp option -u [idx unmber]...
  • Page 715 This command allows users to set DMZ host. Before using this command, please set WAN IP Alias first. srv nat dmz n m [-<command> <parameter> | … ] Parameter Description It means to map selected WAN IP to certain host. 1: wan1 2: wan2 It means the index number of the DMZ host.
  • Page 716 status It means to display current status for checking. > srv nat ipsecpass status %% Status: IPsec ESP pass-thru and IKE src_port:500 preservation is OFF. This command allows users to set open port settings for NAT server. srv nat openport n m [-<command> <parameter> | … ] Parameter Description It means the index number for the profiles.
  • Page 717 %% Status: Enable %% Comment: games %% Private IP address: 192.168.1.100 Index Protocal Start Port End Port ***************************************************************** %% Status: Disable %% Comment: %% Private IP address: 0.0.0.0 Index Protocal Start Port End Port ***************************************************************** %% Status: Disable %% Comment: %% Private IP address: 0.0.0.0 Index Protocal...
  • Page 718 table It means to display Port Redirection Configuration Table. > srv nat portmap add 1 game tcp 80 192.168.1.11 100 wan1 > srv nat portmap table NAT Port Redirection Configuration Table: Index Service Name Protocol Public Port Private IP Private Port ifno game 192.168.1.11...
  • Page 719 “n” means the rule number. <command><parameter>|…] The available commands with parameters are listed below. […] means that you can type in several commands in one line. -c[XXX] Type a comment for such rule if required. -e [0/1] Enable (1) or disable (0) a rule (specified with rule number). -p [1/2/3] Specify the protocol for such trigger rule.
  • Page 720 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 --- MORE --- ['q': Quit, 'Enter': New Lines, 'Space Bar': Next Page] This command allows users to view a summary of NAT port redirection setting, open port and DMZ settings.
  • Page 721 -d [delete] Delete the selected trigger rule. -f [flush] Set all of the rules back to factory default settings. > srv nat closeffp 1 -e 1 -p UDP -n 6500 > srv nat closeffp -v % Status: Enable % Protocal: udp % Index: 1 % Port Number: 6500 % Range: 0...
  • Page 722 switch not_respond 0 switch not_respond 1 Parameter Description Disable the option of "No Respond to External Device packets". Enable the option of "No Respond to External Device packets". > switch not_respond 1 slave not respond! > This command is used to turn on the auto discovery for external devices. >...
  • Page 723 Parameter Description It means the index number of each item shown on the table. The range is from 1 to 8. It means to clear all of the data. > switch clear 1 Switch Data clear successful > switch clear -f Switch Data clear successful This command is used to enable or disable the switch query.
  • Page 724 delete [INDEX] Delete a local user account. view [INDEX] Show the user account/password detail information. > > sys adminuser Local 1 Local User has enabled! > sys adminuser LDAP 1 LDAP has enabled! >> sys adminuser edit 1 carrie test123 Updated! >>...
  • Page 725 This command resets the router to factory default settings. When a user types this command, all of the configuration will be reset to the default settings. sys cfg default sys cfg status Parameter Description default It means to reset current settings with default values. status It means to display current profile version and status.
  • Page 726 This command can set and remove the domain name of the system when DHCP mode is selected for WAN. sys domainname [wan1/wan2] [Domain Name Suffix] sys domainname [wan1/wan2] clear Parameter Description wan1/wan2 It means to specify WAN interface for assigning a name for it. Domain Name Suffix It means the name for the domain of the system.
  • Page 727 Interface 7 Ethernet: Status: DOWN IP Address: 0.0.0.0 Netmask: 0x00000000 MAC: 00-50-7F-00-00-05 Interface 8 Ethernet: Status: DOWN IP Address: 0.0.0.0 Netmask: 0x00000000 MAC: 00-50-7F-00-00-06 Interface 9 Ethernet: Status: DOWN IP Address: 0.0.0.0 Netmask: 0x00000000 MAC: 00-50-7F-00-00-07 --- MORE --- ['q': Quit, 'Enter': New Lines, 'Space Bar': Next Page] >...
  • Page 728 > sys passwd admin123 > This command allows users to restart the router immediately. > sys reboot > This command allows users to restart the router automatically within a certain time. sys autoreboot [on/off/hour(s)] Parameter Description on/off On – It means to enable the function of auto-reboot. Off –...
  • Page 729 This command can display current country code and wireless region of this device. > sys cc Country Code : 0x 0 [International] Wireless Region Code: 0x30 > This command can display current version for the system. > sys version Router Model: Vigor2952n Version: 3.8.2_RC8 English Profile version: 3.0.0 Status: 1 (0x39a1563a)
  • Page 730 This command can turn on or turn off polling buffer for the router. sys pollbuf [on] sys pollbuf [off] Parameter Description It means to turn on polling buffer. It means to turn off polling buffer. > sys pollbuf on % Buffer polling is on! >...
  • Page 731 save It means to save the parameters to the flash memory of the router. Inform [event code] It means to inform parameters for tr069 with different event codes. [event code] includes: 0-"0 BOOTSTRAP", 1-"1 BOOT", 2-"2 PERIODIC", 3-"3 SCHEDULED", 4-"4 VALUE CHANGE", 5-"5 KICKED", 6-"6 CONNECTION REQUEST", 7-"7 TRANSFER COMPLETE",...
  • Page 732 sys sip_alg [1] sys sip_alg [0] Parameter Description It means to turn on SIP ALG. It means to turn off SIP ALG. > sys sip_alg ? usage: sys sip_alg [value] 0 - disable SIP ALG 1 - enable SIP ALG current SIP ALG is disabled This command can process the system license.
  • Page 733 > sys license licifno License and Signature download interface setting: licifno [AUTO/WAN#] Ex: licifno wan1 Download interface is "auto-selected" now. This command is used to configure daylight save setting. sys daylightsave [-<command> <parameter> | ... ] Parameter Description [<command><parameter>|… The available commands with parameters are listed below. […] means that you can type in several commands in one line.
  • Page 734 e.g, sys daylightsave -z 3 1 6 14 > sys daylightsave -y 9 1 0 14 % Start: Yearly on Sep 1th Sun 14:00 This command is used to configure TTL settings which will be displayed in DNS Cache table. sys dnsCacheTbl [<command><parameter>|…] Parameter Description...
  • Page 735 -d <port number> Define the port number (1 ~ 65535) as the destination port. -u <1/0> Enable (1) or disable (0) Syslog Save to USB Disk. -m <1/0> Enable (1) or disable (0) Mail Syslog. -f <1/0> Enable (1) or disable (0) Firewall Log. -v <1/0>...
  • Page 736 24 - GMT Edinburgh, Lisbon, London 25 - GMT Casablanca, Monrovia 26 - GMT+01:00 Belgrade, Bratislava 27 - GMT+01:00 Budapest, Ljubljana, Prague 28 - GMT+01:00 Sarajevo, Skopje, Sofija 29 - GMT+01:00 Warsaw, Zagreb 30 - GMT+01:00 Brussels, Copenhagen 31 - GMT+01:00 Madrid, Paris, Vilnius 32 - GMT+01:00 Amsterdam, Berlin, Bern 33 - GMT+01:00 Rome, Stockholm, Vienna 34 - GMT+02:00 Bucharest...
  • Page 737 This command is used to disable or enable EAP-TLS. You might have to enable EAP-TLS compatibility to avoid compatibility issues with some operating systems. Note, however, that enabling EAP-TLS compatibility lowers the connection security level. sys eap_tls set [0/1] Parameter Description Disable EAP-TLS compatibility!
  • Page 738 This command can display IGD NAT status. > upnp nat ? ****************** IGD NAT Status **************** ((0)) InternalClient >>192.168.1.10<<, RemoteHost >>0.0.0.0<< InternalPort >>21<<, ExternalPort >>21<< PortMapProtocol >>TCP<< The tmpvirtual server index >>0<< PortMapLeaseDuration >>0<<, PortMapEnabled >>0<< Ftp Example [MICROSOFT] ((1)) InternalClient >>0.0.0.0<<, RemoteHost >>0.0.0.0<<...
  • Page 739 This command can show all UPnP services subscribed. > upnp on UPNP start. > upnp subscribe Vigor> upnp subscribe >>>> (1) serviceType urn:schemas-microsoft-com:service:OSInfo:1 ----- Subscribtion1 ------- sid = 7a2bbdd0-0047-4fc8-b870-4597b34da7fb eventKey =1, ToSendEventKey = 1 expireTime =6926 active =1 DeliveryURLs =<http://192.168.1.113:2869/upnp/eventing/twtnpnsiun> >>>>...
  • Page 740 time >>0<< ((1)) real_addr >>0.0.0.0<<, pseudo_addr >>0.0.0.0<< real_port >>0<<, pseudo_port >>0<< hit_portmap_index >>0<< The protocol >>0<< time >>0<< --- MORE --- ['q': Quit, 'Enter': New Lines, 'Space Bar': Next Page] This command is used to specify WAN interface to apply UPnP. upnp wan [n] Parameter Description...
  • Page 741 TP-LINK TP-LINK MA180 3.5G TP-LINK TP-LINK MA260 3.5G Vodafone Vodafone K3765-Z 3.5G Vodafone Vodafone K4605 3.5G ZTE MF626 3.5G ZTE MF627 plus 3.5G ZTE MF633 3.5G ZTE MF636 3.5G SpinCom SpinCom GPRS Modem 3.5G - MORE - ['q': Quit, 'Enter': New Lines, 'Space Bar': Next Page] - This command is used to set profiles for FTP/SMB users.
  • Page 742 vigbrg set -v [IP version] -w [WAN_idx] -l [LAN_idx] -e [0/1] -f [0/1] Parameter Description -v [IP version] Indicate the IP version for the IP address. 4 – IPv4. 6 – IPv6. -w [WAN_idx] WAN_idx – Indicate the WAN interface. 1 –...
  • Page 743 This command allows users to transfer a bridge modem into ADSL router by accessing into and adjusting specified IP address. Users can access into Web UI of the router to manage the router through the IP address configured here. vigbrg cfgip [IP Address] Parameter Description IP Address...
  • Page 744 Parameter Description It means the group 0 to 7 for VLAN. It indicates each port can join more than one VLAN group. set_ex It indicates each port can join one VLAN group at one time. p1/p2/p3/p4 It indicates LAN port 1 to LAN port 4. To group LAN1, LAN2, LAN3 and/or LAN4 under one VLAN group, please type the port number(s) you want.
  • Page 745 n=VLAN ID number (from 0 to 7). pri_no It means the priority of VLAN profile. pri_no=0 ~7 (from none to highest priority). > vlan pri 1 2 VLAN1: Priority=2 This command can make VLAN settings restarted with newest configuration. vlan restart >...
  • Page 746 Parameter Description [1/2/3/4/5/6/7/8] It means interfaces, LAN1 ~ LAN8. > vlan subnet group_id 2 % Vlan Group-0 using LAN2 This setting will take effect after rebooting. Please use "sys reboot" command to reboot the router. This command changes the VLAN encapsulation mechanisms in the LAN driver. vlan submode [on|off|status] Parameter Description...
  • Page 747 [unlimited] [on/off] unlimited on: It allows the incoming of untagged packets even if all VLANs are tagged. unlimited off: It does not allow the incoming of untagged packets. [p1_untag] [on/off] P1_untag on: It allows the incoming of untagged packets from LAN port 1.
  • Page 748 You have set system VLAN ID to range: 200 ~ 263, We recommend that you reboot the system now. > vlan sysvid show The system VLAN ID is in range: 200 ~ 263 This command allows users to set advanced parameters for LAN to LAN function. vpn l2lset [list index] peerid [peerid] vpn l2lset [list index] localid [localid] vpn l2lset [list index]main [auto/proposal index]...
  • Page 749 Parameter Description <list index> It means the index number of the profile. <on/off> It means to enable or disable the profile. on – Enable. off – Disable. motp <on/off> It means to enable or disable the authentication with mOTP function. on –...
  • Page 750 This command allows users to specify a subnet selection for the specified remote dial-in VPN profile. vpn subnet [index] [1/2/3/4/5/6] Parameter Description <index> It means the index number of the VPN profile. <1/2/3/4/5/6> 1 – it means LAN1 2 – it means LAN2. 3 –...
  • Page 751 For IPsec Dial-Out <index> It means the index number of the profile. <name> It means the name of the profile. <ip> It means the IP address to dial to. <key> It means the value of IPsec Pre-Shared Key. <nip> <nmask> It means the remote network IP and the mask.
  • Page 752 This command allows users to configure settings for LAN to LAN profile. vpn option <index> <cmd1>=<param1> [<cmd2>=<para2> | ... ] Parameter Description <index> It means the index number of the profile. Available index numbers: 1 ~ 32 For Common Settings <index>...
  • Page 753 ltype It means Link Type. “ltype=0” means “Disable”. “ltype=1” means “64kbps”. “ltype=2” means “128kbps”. “ltype=3” means “BOD”. oname It means Dial-Out Username. “oname=admin” means to set Username = admin. opwd It means Dial-Out Password “opwd=1234” means to set Password = 1234. pauth It means PPP Authentication.
  • Page 754 ikey It means IKE Pre-Shared Key. “ikey=abcd” means to set IKE Pre-Shared Key = abcd. imeth It means IPSec Security Method. “imeth=h” means “Allow AH”. “imeth=d” means “Allow DES”. “imeth=3” means “Allow 3DES”. “imeth=a” means “Allow AES”. For TCP/IP Settings mywip It means My WAN IP....
  • Page 755 list It means to display all of the route settings. It means to add a new route. It means to delete specified route. <index> It means the index number of the profile. Available index numbers: 1 ~ 32 <network ip>/<mask> Type the IP address with the network mask address.
  • Page 756 % Type of Server : PPTP % Link Type: : 64k bps % Username : ??? % Password % PPP Authentication : PAP/CHAP % VJ Compression : on % Pre-Shared Key % IPSec Security Method : AH % Schedule : 0,0,0,0 % Remote Callback : off % Provide ISDN Number...
  • Page 757 vpn 2ndsubnet on vpn 2ndsubnet off Parameter Description on/off It means to enable or disable second subnet. > vpn 2ndsubnet on %Enable second subnet IP as VPN server IP! This command allows users to configure VPN Backup, VPN load balance, GRE over IPsec, and Binding tunnel policy.
  • Page 758 <Member#1> <Member#2> add/del - Add or delete a profile for use in VPN Trunk. name – Specify the name of the VPN trunk. Member#1 – Indicate the first LAN to LAN profile. Member#2 – Indicate the second LAN to LAN profile. backup ERD <name>...
  • Page 759 DstIP:A~B - Specify the destination IP range (e.g., 192.168.1.0~192.168.1.255). DstPort:A~B – Specify the destination port range (1~65535). Proto – Specify the protocol. 0 – any 1 – ICMP 2 – IGMP 6 – TCP 17 – UDP 255 – TCP/UDP Frag –...
  • Page 760 GRE_PeerIP – Type the virtual IP of the peer host to be verified by the router. Logical_Traffic - Specify the action for RFC2890. “y” means active; “n” means inactive. An_Gre GreIPsecAnalyze These commands are used for RD debug. <ON/OFF> This command allows users to enable or disable NetBios for Remote Access User Accounts or LAN-to-LAN Profile.
  • Page 761 1 – PPTP 2 – L2TP 3 – IPSec 4 – L2TP over IPSec <TCP maximum segment size Each type has different segment size range. range> PPTP – 1 ~ 1412 L2TP – 1 ~ 1408 IPSec – 1 ~ 1381 L2TP over IPSec –...
  • Page 762 <H2l/L2l> H2l means Host to LAN (Remote Access User Accounts). L2l means LAN-to-LAN Profile. <index> The index number of the profile. <Block/Pass> Set Block/Pass the Multicast Packets. The default is Block. > vpn Multicast set L2l 1 Pass % Lan to Lan Profile Index [1] : % Status Block/Pass: [PASS] This command allows users to determine whether packets coming from the second subnet pass through the currently used VPN tunnel.
  • Page 763 This command allows users to adjust the size of PPP LCP MRU. It is used for specific network. wan ppp_mru <WAN interface number> <MRU size > Parameter Description <WAN interface number> Type a number to represent the physical interface. For Vigor130, the number is 1 (which means WAN1).
  • Page 764 This command allows you to enable or disable the function of DF (Don’t fragment) wan DF_check [on] wan DF_check [off] Parameter Description on/off It means to enable or disable DF. > wan DF_check on %DF bit check enable! This command allows you to disable WAN connection. >...
  • Page 765 > wan forward on %WAN forwarding is enable! This command allows you to display the status of WAN connection, including connection mode, TX/RX packets, DNS settings and IP address. > wan status WAN1: Offline, stall=N Mode: ---, Up Time=00:00:00 IP=---, GW IP=--- TX Packets=0, TX Rate(Bps)=0, RX Packets=0, RX Rate(Bps)=0 Primary DNS=0.0.0.0, Secondary DNS=0.0.0.0 PVC_WAN3: Offline, stall=N...
  • Page 766 It means to set the ping TTL value (work as trace route) If you do not set any value for ttl here or just type 0 here, the system will use default setting (255) as the ttl value. status It means to show the current status. >...
  • Page 767 This command allows you to configure multi-VLAN for WAN and LAN. It supports pure bridge mode (modem mode) between Ethernet WAN and LAN port 2~4. wan mvlan [pvc_no/status/save/enable/disable] [on/off/clear/tag tag_no] [service type/vlan priority] [px ... ][ Keep Tag] Parameter Description pvc_no It means index number of PVC.
  • Page 768 Parameter Description channel # There are 4 (?) channels including VLAN and PVC. Available settings are: 1=Channel 1 3=Channel 3 4=Channel 4 5=Channel 5 WAN interface # Type a number to indicate the WAN interface. 1=WAN1 status It means to display current bridge status. >...
  • Page 769 > wan vlan stat %Interface Enabled %====================================== % WAN1 (ADSL) % WAN1 (VDSL) %WAN2 This command allows you to determine the data traffic volume for each WAN interface, to prevent overcharges for data transmission by the ISP. wan budget wan [#] rdate [day] [hour] wan budget wan [#] [enable|disable] wan budget wan [#] thres [budget limit (MB)] wan budget wan [#] gthres [budget limit (GB)]...
  • Page 770 status Display current configuration status of WAN budget. > wan budget wan 1 action 5 % WAN 1 budget action set to 5 > wan budget wan 1 gthres 10 % WAN 1 budget limit set to 10 GB This command allows you to run a WAN MTU Discovery. The user can specify an IPv4 target to ping and find the suitable MTU size of the WAN interface.
  • Page 771 > wan detect_mtu6 -w 1 -i 2404:6800:4008:c06::5e -s 1500 > This command is used to specify a URL to access or a message to display when a wireless user connects to the Internet through this router. wptl -p <profile> [-l <lan>] [-s <ssid>] [-m <message> | -u <url> | -f <url>] [-e | -d] Parameter Description profile...
  • Page 772 wl acl add [MAC] [ssid1 ssid2 ssid3 ssid4] [isolate] wl acl del [MAC] wl acl mode [ssid1 ssid2 ssid3 ssid4] [white/black] wl acl show wl acl showmode wl acl clean Parameter Description enable [ssid1 ssid2 ssid3 It means to enable the settings for SSID1, SSID2, SSID3 and SSID4. ssid4] disable [ssid1 ssid2 ssid3 It means to disable the settings for SSID1, SSID2, SSID3 and SSID4.
  • Page 773 This command allows users to configure general settings and security settings for wireless connection. wl config mode [value] wl config mode show wl config channel [number] wl config preamble [enable] wl config txburst [enable] wl config ssid [ssid_num enable ssid_name [hidden_ssid]] wl config security [SSID_NUMBER] [mode] wl config ratectl [ssid_num enable upload download ] wl config isolate [ssid_num lan member]...
  • Page 774 wpamix1x: Mixed (WPA+WPA2/802.1x only) wep1x: WEP/802.1x Only wpapsk: WPA/PSK wpa2psk: WPA2/PSK wpamixpsk: Mixed (WPA+WPA2)/PSK wep: key, index: Moreover, you have to add keys for wpapsk, wpa2psk, wpamixpsk and wep, and specify index number of schedule profiles to be followed by the wireless connection. WEP keys must be in 5/13 ASCII text string or 10/26 Hexadecimal digit format;...
  • Page 775 wl set txburst [enable] Parameter Description SSID It means to type the SSID for the router. The maximum character that you can use is 32. CHAN[En] It means to specify required channel for the router. CHAN: The range for the number is between 1 ~ 13. En: type on to enable the function;...
  • Page 776 1: SSID1 2: SSID2 3: SSID3 4: SSID4 It means to enable or disable the function of VPN isolation. 0: disable 1: enable > wl iso_vpn 1 on % ssid: 1 isolate vpn on :1 This command allows you to configure WPA wireless settings. wl wpa 1/2/3 Parameter Description...
  • Page 777 enable It means to enable the WMM for each SSID. 0: disable 1: enable Apsd [value] It means to enable / disable the APSD (automatic power-save delivery) function. 0: disable 1: enable show It displays current status of WMM. QueIdx It means the number of the queue which the WMM settings will be applied to.
  • Page 778 wl ht msdu value wl ht txpower value wl ht antenna value wl ht greenfield value Parameter Description wl ht bw value The value you can type is 0 (for BW_20) and 1 (for BW_40). wl ht gi value The value you can type is 0 (for GI_800) and 1 (for GI_4001) wl ht badecline value The value you can type is 0 (for disabling) and 1 (for enabling).
  • Page 779 wl wds mac [value] wl wds flush Parameter Description mode [value] It means to specify connection mode for WDS. [value]: Available settings are : d: Disable b: Bridge r: Repeater security [value] It means to configure security mode with encrypted keys for WDS. mode: Available settings are: disable: No security.
  • Page 780 This command allows you to enable or disable wireless button control. wl btnctl [value] Parameter Description value 0: disable 1: enable > wl btnctl 1 Enable wireless botton control Current wireless botton control is on > This command is reserved for RD debug. Do not use them. This command allows you to configure the external or internal server used by Vigor router for wireless authentication.
  • Page 781 radius authport [port_number] radius set_auth_method [method idx] radius client [add] [idx] -i [address] -m [mask] -p [prefix] -l [length] -s [secret] radius client [del] [idx] radius show radius auth [0/1] radius enable_dot1x [0/1] radius set_dot1x_phase1 -e [method_idx] radius set_dot1x_phase1 -d [method_idx] radius set_dot1x_phase2 -e [method_idx] radius set_dot1x_phase2 -d [method_idx] Parameter...
  • Page 782 This command allows you to set the white list of WAN IP addresses/subnets, so that magic packets from these IP addresses/subnets are eligible to pass through NAT and wake up the LAN client. You also need to set a NAT rule for the LAN client. wol up [MAC Address]/[IP Address] wol fromWan [on/off/any] wol fromWan_Setting [idx][ip address][mask]...
  • Page 783 account It means to set user account. User Set -a[Profile idx][User It means to pass an IP Address. name][IP_Address] Profile idx- type the index number of the selected profile. User name- type the user name that you want it to pass. IP_Address- type the IP address that you want it to pass.
  • Page 784 e.g., -n fortest -p [Param] It means to configure user password. e.g., -p 60fortest -q [Param] It means to set time quota (1 ~ 65535) of the user profile. e.g., -q 200 -r [Param] It means to set data quota (1 ~ 65535) of the user profile. e.g., -r 1000 -s [Param] It means to set schedule index.
  • Page 785 e.g., -q 200 -r [Param] It means to set account data quota. e.g., -r 1000 -t [Param] It means to enable/disable time quota limitation for user account. 0:Disable 1:Enable -w [Param] It means to set data quota unit (MB/GB). setdefault Set all of the user profiles to the factory default configuration.
  • Page 786 APP QoS set to Enable. > appqos traceable -e 68 2 TELNET: ENABLED, QoS Class 2. “NAND usage” is used to display NAND Flash usage; “nand bad” is used to display NAND Flash bad blocks. nand bad nand usage >nand usage Show NAND Flash Usage: Partition Total...
  • Page 787 > apm clear ? Clear all clients ... done This command allows you to configure wireless profiles to be used in Central AP Management. apm profile clone [from index][to index][[new name] apm profile del [index] apm profile reset apm profile summary apm profile [show [profile index]] apm profile apply [profile index] [client index1 [index2 ..
  • Page 788 This command is used to display or remove the information of registered VigorAP, including MAC address, name, and authentication. Up to 30 entries of registered information can be stored and displayed. apm cache [show] apm cache clear Parameter Description show It means to display the information related to VigorAP registered Vigor3220.
  • Page 789 [4] – The fourth number means the limit number of stations. Available range is 3~64. [5] – The fifth number means the upload limit function. Type 1 – enable upload limit, 0 – disable upload limit. [6] – The sixth number means the download limit function. Type 1 –...
  • Page 790 10.Traffic limit unit (download) : 1 flag : 49 This command can be used to configure HA settings for Vigor routers. ha set [-<command> <parameter>| ... ] Parameter Description [<command> The available commands with parameters are listed below. <parameter>|…] […] means that you can type in several parameters in one line. -e <1/0>...
  • Page 791 > ha set -h LAN1 192.168.1.5 % Enable Virtual IP on LAN1 % Set Virtual IP 192.168.1.5 OK!! > This command can be used to show the settings information about config sync and general setup. ha show -c ha show -g Parameter Description Show the settings of config sync.
  • Page 792 Parameter Description Show the status for all of the routers in HA group. Show the status of local router only. Detail Level 0: Basic information. 1: Basic information with more data (e.g., firmware version, model, HTTPS port, MAC address, etc.). 2: Basic information with some HA settings.
  • Page 793 This command is used to display the general settings of the VigorSwitch connected to the Vigor router in LAN. swm show [LAN_port] Parameter Description LAN_port Specify the LAN port number (1 to 4). > swm show ** If you connected a VigorSwitch but does not display here. ** Please check the LLDP is enabled and VLAN ID is matched on VigorSwitch.
  • Page 794 swm post [MAC] Parameter Description Specify the MAC address of the switch. > swm post 00507ff0c33c Start post cfg to 00507ff0c33c external switch with correct settings. Please wait a few seconds... Result: [OK]. This command is used to display or remove the authentication record for external switch. swm auth [show/clear] Parameter Description...
  • Page 795 > swm extvlan 2 1 10 Set OK System will cover the original VLAN settings on your VigorSwitch. Please backup the configuration file before you run this function. System also will select the physical connect port as trunk port and let it join each VLAN group. Before using such command, please use [swm show] to check valid VLAN index firstly.
  • Page 796 Name IP Address ---------------- ---------------- ------------ P2261 192.168.1.226 00507ff0c33c > This command is used to set switch profile for adding it to be managed by Vigor router, or removing it from Vigor router. swm profile add/delete [MAC] swm profile show swm profile enable_all/disable_all [MAC] Parameter Description...
  • Page 797 swm detail port show [MAC] swm detail port [MAC][PORT][FLAG][SCHED1][SCHED2][DESCRIPTION] Parameter Description [MAC][COMMENT] Modify the comment of VigorSwitch. MAC - Type the MAC address of the switch. COMMENT – Type a description for the switch. [MAC]{NAME} Modify the name of VigorSwitch. MAC - Type the MAC address of the switch.
  • Page 798 Preparing to reset. Please wait for few minutes and do not turn off power. This command is used to display information about SNMP. swm snmp sys [MAC] swm snmp iftbl [MAC][port_num] Parameter Description sys [MAC] Type the MAC address of the VigorSwitch to display the SNMP system information.
  • Page 799 This command is used to configure PoE settings for LAN PoE port. poe set mode [0/1/2] poe set syslog [0/1] poe set PORT -e [0/1] poe set PORT -p [15/30] poe set PORT -s [1-15][1-15] poe set PORT -P [1] poe set PORT -E [0/1] poe set PORT -v [ip_addr_v4] poe set PORT -V [ip_addr_v6]...
  • Page 800 > poe set 1 -e 1 % Wrong operation!! % Not in manual mode cannot enable/disable Port!! > poe set mode 1 % Set PoE mode: Manual > poe set 1 -e 1 % Enable PoE Port 1 > poe set 1 -v 192.168.1.250 -I 30 -r 3 % Set Port 1 Ping IPv4 Address: 192.168.1.250 OK!! % Set Port 1 ping interval: 30 % Set Port 1 ping retry time: 3...
  • Page 801 This command is used to return to default settings for PoE. poe setdefault > poe setdefault setdefault! >
  • Page 803 AP Maintenance, 473, 481 AP Map, 473, 482 3G /4G USB Modem (PPP mode), 67 APN Name, 39, 40, 68, 70 3G/4G USB Modem, 48 APP Enforcement Filter, 335 3G/4G USB Modem (DHCP mode), 69 APP Enforcement Profile, 336 3G/4G USB Modem (PPP mode), 39 APP QoS, 408 APPE Signature Upgrade, 338 Applied Interfaces, 127...
  • Page 804 Destination IP, 190 Destination IP Address, 187 Cache, 344 Destination IPv6 Address, 188 Call Direction, 259 Destination Port, 158, 517 Central Management (AP), 473 Details Page, 57 Central Management (Switch), 494 Details Page for 3G/4G USB Modem (DHCP mode), 69 Central Management (VPN), 453 Details Page for 3G/4G USB Modem (PPP mode), 67 Certificate Backup, 303...
  • Page 805 Domain Diagnose, 155 Get Community, 382 Domain Name, 149 Google Map, 461 DoS Defense, 324 GRE over IPsec, 264 DoS Flood Table, 571 Group Distinguished Name, 164 Download Limit, 233 Group ID, 166, 175 DrayTek Banner, 322 Group Name, 294 Dst IP, 194 Guard Interval, 227 Dynamic DNS, 146, 148...
  • Page 806 IP Group, 511 Load Balance for AP, 473 IP Object, 507 Load Balance Mode, 50 IPsec General Setup, 251 Load-Balance /Route Policy, 189 IPsec Peer Identity, 252 Local 802.1X, 393, 426 IPsec Security Method, 242, 252 Local 802.1X General Setup, 179 IPsec Tunnel, 255, 262 Local Address, 405 IPSec Tunnel, 290...
  • Page 807 Ping Diagnosis, 560 Ping Interval, 68, 70 NAT, 133 PING Interval, 61 NAT Sessions Table, 558 Ping IP, 59, 61 NetBios Name Service, 539 Ping IP/Hostname, 81 Netbios Naming Packet, 255, 290 Ping Retry, 68, 70 Network Interface, 187 PING to the IP, 61, 259 Network Mode, 40, 69 PoE, 4, 129 Next Server IP Address, 107...
  • Page 808 Privacy Password, 383 Root CA, 301 Private IP, 136, 142 Round Robin, 273 Private IP Address, 48 Router Advertisement Configuration, 113 Private Port, 136 Router Name, 378, 384 Product Registration, 45 Routing, 184 Protocol, 142, 207, 517 Routing Table, 508, 554 PSK, 211 RTS Threshold, 229 Public IP Address, 48...
  • Page 809 Smart Bandwidth Limit, 400 Switch Maintenance, 502 SMB Client Support List, 546 Switch Name, 495 SMS / Mail Alert Service, 168 Switch Profile, 497 SMS Alert, 168 Switch Status, 494 SMS Provider, 168 Sync User Profile, 179 SMS Service Object, 525 Syslog Explorer, 566 SMTP, 378 Syslog Type, 570...
  • Page 810 ULA Prefix, 112 VPN Dial-Out Through, 241, 259 Unblock, 563 VPN Load Balance Mechanism, 267 Unique Local Address (ULA) configuration, 112 VPN Load Balance Policy, 273 Untraceable, 408 VPN Management, 462 Upload Limit, 233 VPN Server Wizard, 244 UPnP, 147, 165 VPN Trunk Management, 267 Uptime, 475 URL Access Control, 341...
  • Page 811 WLAN, 210 WLAN Profile, 476 WLAN ACL, 476 WMM Capable, 228 WLAN Advanced Setting, 227 WPA, 211, 219 WLAN Isolation, 211 WPS, 221
