Piece of crap Vigor 2830!

OK - I know one or two people have got these (or similar) Vigor ADSL routers... Can you help me before I take an angle grinder to the bastard thing.

I've been playing with it for months - now trying to actually switch it in to my network. It seems to have a number of edge case bugs which is making me wonder if it's best to bin it and buy something else.

Bug 1- DHCP server doesn't work on tagged VLANS - Draytek tried and failed to patch this. I have worked around by using linux server as main DHCPd and my TP-Link WIFI box as guest-DHCPd in case linux server fails.

Bug 2- If using IP address mapping, the public side IP does not seem to be pingable from the LAN side. Firewall disabled. That's a show stopper. Public (external) mapped IP *is* pingable from WAN side.

Bug 3- While the device remains pingable, the web interface randomly becomes unresponsive, needing a reboot to fix.

I have backed up the config and am prepared to try once more from a factory reset and reloaded known good firmware.

===================

So - how is the "right way" to set this up, given my network layout:

LAN1 - 10.0.0.0/24 - Internal, everything internal here (except LAN4)
LAN2 - 81.2.78.40/29 - Main public IP range
LAN3 - 81.2.109.104/30 - 2nd Public IP range
LAN4 - 10.1.0.0/24 - Guest WIFI

WAN - ADSL uplink

I have a switched network. Currently I mix LAN1,2,3 onto a single VLAN and my linux servers present a LAN1 and LAN2 IP on the same VLAN/port. One linux server acts as NAT gateway.

I tried an approach to only use LAN1 IPs on my servers and Vigor IP mapping/DMZ to map LAN2/3 IPs down to LAN1 IPs, eg:

81.2.78.41 -> 10.0.0.14
81.2.78.42 -> 10.0.0.10

etc

However, Bug 2 apparently means I cannot ping 81.2.78.41 from inside LAN1.

Next tactic is to either have the slightly weird setup I have now (LAN1/2/3 all on single flat VLAN) or to try to VLAN it properly.

What did you do (if you have a Vigor and a public IP netblock)?

Is there a better router that is actually consistent? (Getting a bit narked with the consumer level gear but cannot afford high end pro gear.)

(Yeah, I know, linux - been down that road - difficult to build a powerful linux server that is bombproof - my last attempt eventually developed faults and took out the net - trying to build core network with hardware this time).

Cheers,

Tim

Tim Watts
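Added example, not part of the original thread: a small Python model of what "NAT loopback" (hairpin NAT) has to do for a LAN client to reach a mapped public IP, using the 81.2.78.41 -> 10.0.0.14 mapping and the router address 10.0.0.1 from the posts. It models generic NAT behaviour and is not a diagnosis of the Vigor firmware; the client addresses and the names `trace` and `Pkt` are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, replace

LAN = ipaddress.ip_network("10.0.0.0/24")      # LAN1 from the thread
ROUTER_LAN_IP = "10.0.0.1"                      # router's LAN1 address
MAP = {"81.2.78.41": "10.0.0.14",               # public -> private mappings
       "81.2.78.42": "10.0.0.10"}               # quoted in the first post

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str

def on_lan(ip: str) -> bool:
    return ipaddress.ip_address(ip) in LAN

def trace(client: str, public_ip: str, hairpin_snat: bool):
    """Follow one request and its reply through a 1:1 NAT router.

    Returns (accepted, reply_source): the client only accepts a reply
    whose source is the address it originally sent to.
    """
    conntrack = {}
    req = Pkt(client, public_ip)
    # Router, inbound: destination NAT to the private server address.
    fwd = replace(req, dst=MAP[req.dst])
    # Hairpin fix: also rewrite the source when the client is on the LAN,
    # so the server's reply is forced back through the router.
    if hairpin_snat and on_lan(fwd.src):
        fwd = replace(fwd, src=ROUTER_LAN_IP)
    conntrack[(fwd.dst, fwd.src)] = (req.dst, req.src)
    # Server answers whoever the packet appeared to come from.
    reply = Pkt(fwd.dst, fwd.src)
    if on_lan(reply.dst) and reply.dst != ROUTER_LAN_IP:
        # Same subnet: delivered directly at layer 2, the router never
        # sees it, so the private source address is not translated back.
        pass
    else:
        # Via the router: conntrack restores the original addresses.
        orig_dst, orig_src = conntrack[(reply.src, reply.dst)]
        reply = Pkt(orig_dst, orig_src)
    return reply.src == public_ip, reply.src

if __name__ == "__main__":
    # 10.0.0.50 and 203.0.113.7 are constructed sample clients.
    for client, snat in [("203.0.113.7", False),
                         ("10.0.0.50", False),
                         ("10.0.0.50", True)]:
        ok, seen = trace(client, "81.2.78.41", snat)
        print(f"{client:>12} hairpin_snat={snat!s:5} "
              f"reply from {seen:<11} accepted={ok}")
```
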

Not sure, but will add what info I can. One trend with them that I notice is that while they are very feature rich, some of the more esoteric capabilities are not always that well tested and proven, or alternatively don't always work in the way you might expect.

At times it's frustrating, but then again, they also do stuff that is difficult to find elsewhere (multi wan, load balancing, good control over VPN endpoints etc).

With respect to running new firmwares, one suggestion if you are getting strange results, is to use the .rst version of the firmware to overwrite the settings as well as the rom image. Opinion seems divided on if it's always reliable to reload config files from different versions.

Not sure I can help specifically since I don't use tagged VLANs - about the closest I do is use the VLAN capability to split the wifi into two SSIDs, where one has full access to the LAN clients, and the other guest wifi only has visibility of the internet, and is also rate limited. (both sets of clients get allocated IPs in the same subnet)

I am aware of a DHCP problem relating to DNS configuration where it will hand one of the WAN DNS server IPs directly to clients rather than supplying its own IP as a proxy. Hence if that WAN fails, and it fails over or load balances to the other, the client finds it then can't access the DNS. The workaround here is to specify a DNS in the router setup (e.g. google's opendns etc) and then it does hand that to the clients.

Not exactly sure what you have configured here - but I have met similar sounding problems in older versions of the firmware where access to your own WAN IP was not possible from the LAN side - but they seemed to fix that some time into the 2820 lifespan.

(I noted at the time that clients running a VNC-SC image that would "phone home" to my WAN IP would work fine - being routed to the appropriate machine via forwarding rules. However if you ran the client inside the LAN it could not get routing out and back in again).

Not seen that. What about the command line?

What is on the ADSL port?

LAN4 could be integrated into LAN1 and still maintain the partitioning... (not sure if that would change anything - but sometimes simpler is better)

Alas never tried it with a public netblock. My typical applications use either a pair of business class ADSL services (with a V120 on the WAN port) or one ADSL and one FTTC with the BT openreach PPPoE modem on the WAN port. All clients on the LAN exclusively use the internal NAT.

I have not found it yet - there are supposedly some similar capability level D-Link and Netgear products, but I don't have enough experience with them to make a recommendation.

Beyond that you are probably into Cisco money...

John Rumm

On Sunday 16 February 2014 12:38 John Rumm wrote in uk.d-i-y:

That's certainly what I'm seeing.

Thanks John - I will try that now.

That does seem to be very much what I'm seeing - makes the feature rather useless :(

Good point - I'll try that next time.

81.2.78.28 - that works OK.

It does seem to be the case simpler is more likely to work with the cheap stuff (I don't have any of these sort of problems with pro-gear at work needless to say!)

I'm in two minds - I will give tagging one more try, then flatten. Not sure if I can flatten LAN4 to LAN1 as it's a TP-Link WIFI box mapping ESSIDs to VLAN-IDs. Have not tried multi-ESSID without VLANs.

My Netgear GS108T switches are extremely well behaved - so +1 for Netgear.

Thank you sir -

I notice A&A push the Firebricks quite hard - that's serious money (£500) for starters.

Tim Watts

The version of the problem I was seeing was certainly fixed some years ago though (in fact possibly before the 2830)

What are you using at work OOI?

I run multi SSIDs on the internal wifi of the 2830, and that seems to work well.

I use the VLAN dialogue to allocate P1, p3 & 4 + SSID1 to VLAN0, and then P2 + SSID2, 3, & 4 to VLAN1 (both as subnets of LAN1)

The TP-Link managed switch I have seems ok as well - but then again I don't push its capabilities in any sense of the word!

John Rumm

In article , Tim Watts scribeth thus

Can't help you with those problems but

If you want I'll take it off your hands if you want to dispose of it and trade up mail me off group.. ...

tony sayer

Another possibility is the range of MikroTik switches and routers, from Latvia, for which the UK agent is LinITX. There is a very large range of configurable factors in their own "RouterOS" software, *BUT* I suggest that you take a careful look in MikroTik's forum at some of the esoteric issues reported with different iterations of their OS. You will also need to explore the MikroTik Wiki for detailed information on how to configure them, via either a GUI or the command line.

I believe that their OS does permit NAT Loopback but, again, I suggest you look into the wiki first.

Despite some of the reported difficulties, I've found that when it works as expected (as happened in my case - I have a RB951G-2HnD router/AP) their router is very stable with high throughput. The added value is in the ability to tune so many diverse parameters, according to need. Sold at reasonable prices from about £30 upwards depending upon the requirement for number/speed of ports, etc.

Obviously, I am recommending these routers based solely upon my user experience count of one. ^)

DaverN

On Sunday 16 February 2014 13:55 John Rumm wrote in uk.d-i-y:

Previous - Extreme Networks. Now, Dell PowerConnects (and CISCO, but I own the PowerConnects and the college owns the CISCOs). I have a pair of PowerConnects holding my VMWare cluster together (iSCSI, VMWare management and vMotion interlinks).

However, next time around I would not get the PowerConnects - even they have a weird problem, though Dell think it's a hardware issue: they are in a stack configuration with proprietary interlinks on the backplane (they are supposed to behave as a single logical switch with redundancy). However, if they boot in the wrong order, all the ports on the other go offline. I could swap it out, but on a live system I'd rather live with it (it's hosting 170 VMs). However, the things do otherwise behave as the (extensive) documentation suggests.

I will look at HP and Nortel next time, and maybe Extreme and possibly CISCO (due to the academic discount on the last one). The rest of the Dell kit (EqualLogic SAN and PowerEdge R610 servers) is however absolutely outstanding. I'd be happy to have similar kit again.

Ah - I have the WIFI-less 2830.

OK

I keep mine simple as it can only offer DHCPd on its main subnet (where its management IP is). So it is set up on LAN4 but passes LAN1 via VLAN tag through on a separate essid.

The idea is if only that and the router work, I can get basic internet connectivity.

Tim Watts

On Sunday 16 February 2014 15:34 DaverN wrote in uk.d-i-y:

I've seen those - did not realise they were Latvian!

All in, I'd be most comfortable running a pure linux router.

However, weedy embedded are no good as I want good throughput. And "homebrew PC" is also out as mentioned before, this is too critical to be breaking randomly.

Here's what I'd really like:

Minimum parts hardware with 2-4 gigabit ports with 2-4 real NICs (no dodgy switch-on-a-chip). Enough speed to firewall at a few hundred Mbit/sec.

Nice Linux OS that's properly maintained. Fancy GUIs not necessary.

I did try with a Mini-ITX setup plus SSD and no fans and 4 port NIC card. That broke due to SSD failure. It also got rather hot.

It's running again with 2 40mm fans and a new decent make SSD. However, I'd really want 2 identical ones if I were going down that route again.

Tim Watts

Are the PowerConnects actually Dell, or rebadged something else?

We've got a mix of Cisco and HP, which led to an amusement when we got some new HP stuff - it turned out to be rebadged 3Com, with a different interface to the others.

Dell do seem to be ahead of the game on 10GbE, but we're not allowed to use them.

That is not good.

The R620/R720s are on a par with the HP DL360/380s - I'd happily have either. The Cisco networking kit has always worked well IME, as has the HP for the smaller environments.

Their low-end MD3xx0i storage isn't too bad either - cheaper than the EqualLogic, and suitable for less-stressed environments.

Clive George

On Sunday 16 February 2014 19:17 Clive George wrote in uk.d-i-y:

They have a slight CISCO CLI dialect, but not completely - I don't recognise them as being like anything else I've seen.

The EQL gives me 5000 IOPS in RAID-10 with all SATA disks :) The PS6500E with 48x1TB SATA is a surprising bit of equipment and the management is a dream too.

I can't wait to get a 2nd one and put them in a group!

Tim Watts

On Sunday 16 February 2014 12:38 John Rumm wrote in uk.d-i-y:

OK - some success. I tried this (Thanks John) and started from scratch.

I now have LAN1,2,3 (main private plus 2 publics) present "flat" on the ports (untagged) and LAN4 (guest WIFI) tagged.

This more or less emulates my old Zyxel modem which was (probably) getting DOSed to death (lots of dropouts, known issue). So no other systems changes needed to make this work.

At the mo, my linux server (mini-ITX one) is acting as firewall, gateway and NAT.

I will take a backup of the Vigor and add one incremental change at a time.

1) NAT at the modem.
2) Firewall
3) VLAN tagging and see if I can clean this up.
4) Selective content blocking (I really want this for the kids and is one of the reasons I chose the Vigor).
5) 3G dongle (like Bob) backup as AAISP can route your static IP blocks over this route and it uses (I believe) Three as the carrier so it will work here (or will when they fix the bloody cell tower that's been broken for nearly 2 weeks that carries Three and EE/TMobile/Orange).

Cheers -

Tim

Tim Watts

On Sunday 16 February 2014 12:01 Tim Watts wrote in uk.d-i-y:

Well - I do not know what is going on here:

10.0.0.1 is the Vigor...

64 bytes from 10.0.0.1: icmp_req=74 ttl=255 time=3.11 ms
64 bytes from 10.0.0.1: icmp_req=75 ttl=255 time=3.11 ms
64 bytes from 10.0.0.1: icmp_req=76 ttl=255 time=6.31 ms
64 bytes from 10.0.0.1: icmp_req=77 ttl=255 time=42.6 ms
64 bytes from 10.0.0.1: icmp_req=78 ttl=255 time=2928 ms
64 bytes from 10.0.0.1: icmp_req=79 ttl=255 time=4915 ms
64 bytes from 10.0.0.1: icmp_req=80 ttl=255 time=15928 ms
64 bytes from 10.0.0.1: icmp_req=81 ttl=255 time=29946 ms
64 bytes from 10.0.0.1: icmp_req=82 ttl=255 time=43956 ms
64 bytes from 10.0.0.1: icmp_req=83 ttl=255 time=57971 ms
64 bytes from 10.0.0.1: icmp_req=84 ttl=255 time=59974 ms
64 bytes from 10.0.0.1: icmp_req=85 ttl=255 time=76993 ms

At the same time, the ADSL drops out and the router's interface becomes unresponsive.

I'd better hardwire my laptop to eliminate WIFI and then do a support call to Draytek.

This 2830 is a complete lemon - NOT impressed!

Tim Watts

On Monday 17 February 2014 17:24 Tim Watts wrote in uk.d-i-y:

No response from Draytek yet - but I chanced my arm with one of the alternative firmwares (3.6.4db build 232201) and it has been stable all night - no reboots. Based on lots of other complaints about frequent rebooting.

I wonder if this is one of those cases where the same model has different revisions...

Tim Watts

There are several versions of it anyway (with and without wifi, dual band, VoIP etc) - and that's before you get to minor hardware revisions etc. (I get the impression that the same basic software stack is used in many products though)

John Rumm

OK

I found another bug!

If you have LAN1 and LAN4 as NAT-ed subnets and LAN2 and LAN3 as public IP routed subnets - guess what:

clients on LAN1 and LAN4 can ping each other.

LAN2 and LAN3 can ping each other and be pinged from the Internet.

LAN1/4 clients cannot see LAN2/3 clients and vice versa (but can ping the IPs on the Vigor for each LAN (the gateway address)).

If LAN2,3 are made NAT'd then all LANs can ping each other but LAN2,3 are no longer visible from the Internet.

Yes - I made sure InterLAN routing boxes were all ticked.

Bloody hell - the inconsistency in this thing!!!

So plan B (which was originally Plan A but did not work the first time I tried it):

Stick all my public IPs on WAN1 as WAN aliases and use DMZ to map them to the targets on LAN1 (LAN4 is a guest LAN and will never have public IPs on it).

Works well enough - but not as well as 1-1 IP NAT in Linux. Specifically the WAN IP alias is always pingable even if the client is down and one or two ports belonging to services on the Vigor overlay the WAN IP aliases (meaning it grabs them before the client). Mostly seems to appear if VPN services are enabled.

The other weirdism is that whilst WAN IP aliases are available in WAN1 (DSL) and WAN2 (PPPoE for VDSL etc) they are NOT available in WAN3 (USB/3G) which rather spoils Andrews and Arnold's ability to offer full 3G backup with re-routed IP blocks.

I think I will start looking for something a little less broken-arsed but keep this as a pure DSL-PPPoE modem (think it'll do that).

Firebricks look interesting but are bloody expensive. I'll have a look again at LinITX and see what the offerings of fanless ITX ready-mades are with a couple of gig ports. Technically I only need 1 gig port (VLAN tagging/1-armed router) but a second one could be useful.

For less than the cost of a firebrick, I could buy 2 such devices and keep a configured and tested one in a drawer as a spare.

Tim Watts

I will admit to one good thing on the Vigor (about the only good thing!) is that it holds an ADSL line up extremely well at high speed. I have manually set a TalkTalk 6dB interleaved profile on my AAISP link (they let you tweak it) and my line is sync'd at 19.6Mbit/s down with a practical download of 16.55Mbit/s (speedtest.net)

Tim Watts

a £50 V120 will do that though...

John Rumm

Have you taken this up with Draytek in the UK at all?...

tony sayer

I had one of those once - it died...

Tim Watts

Not the Dongle bit. What I have taken up:

1) DHCP server does not work on tagged VLANs properly.

2) Random reboots with the stock default firmware.

They are probably sick of me. I do tend to be good at finding the edge case failures - mostly because I want to use them!

And the 1-1 NAT has broken MIT Kerberos kprop/kpropd as it seems kprop embeds the source IP in the transfer protocol and kpropd at the receiving end does not like kprop coming from a public IP when it says it's coming from a private IP! No matter - worked around and not actually Draytek's fault as this would happen with any 1-1 NAT system.

Tim Watts
