Draytek 2912 Series Router Overview. Part One
Today the market offers many multifunction devices designed to provide a small or medium-sized office with network services from a single box. Among them, Draytek products stand out, just as they did a few years ago, because this vendor set the bar for easy-to-configure, reliable and functional networked "combines" for the office. The Draytek 2912 series of routers discussed here is the golden mean: it fits where the functionality and performance of carrier-grade routers are not required, but an ordinary home or "home plus" router is not enough for office network tasks. In addition, a single device is more economical than maintaining several devices for separate but typical tasks such as routing, firewall, VPN server and so on. Another key feature that made Draytek routers popular all over the world is the quality and reliability the company builds into its devices, from the case materials, chips and components to the embedded software. Draytek routers are also easy to set up and have an intuitive interface, which is why many administrators and engineers like working with them. The documentation is in good order as well: besides the official manuals, there are many examples of configuring the routers and integrating them with other manufacturers' equipment on the Internet and on Draytek sites.

This review introduces the Draytek 2912 series of routers in detail, using the 2912n model as the example, and consists of two parts.
In the first part we will look at diagrams of how the router as a whole and its individual functions are used, then examine its characteristics in detail, look at the appearance and package contents, the interfaces and connectors, and finally test the device bandwidth.
The second part will be devoted to a review of the web interface and its features, with examples of setting up such functions and interfaces as WAN and LAN, load balancing, wireless network, VPN, firewall, NAT, bandwidth control, as well as the USB functions, diagnostics and monitoring of the router.
The Draytek 2912 series of routers is currently represented by two models, the 2912 and the 2912n. The only difference is that the Draytek 2912n supports an 802.11n wireless network (speed up to 300 Mbps at 2.4 GHz); otherwise both models are the same. From here on, I will look at the Draytek 2912n model.
The Model 2912 is primarily an office router with the maximum set of features that may be required to create a transparent and efficient network infrastructure for a small office. This example demonstrates the combined usage pattern of the router.

Fig. 2
The first location is the head office. It has a powerful Draytek 3900 router and also hosts VigorACS SI, the unified management and monitoring system for all of the company's Draytek routers, with which you can easily configure, update and monitor every router in the network from one place, even when there are hundreds of devices. VPN tunnels join all the offices together; in our example these are the head office and offices A and B, where we installed a Draytek 2912 and a 2912n, since the offices are small and the performance of these routers is sufficient. In office A, the router is connected to two Internet providers through its two WAN ports over Ethernet. Traffic balancing between the WAN interfaces is configured, so if one of the providers fails, Internet access is preserved. All employee workplaces are connected via Wi-Fi, and several independent wireless networks with their own SSIDs are configured: in the example these are the Wireless network for office staff and the Guest network, which has limited access and limits on the number of simultaneous sessions per device and on maximum bandwidth so that guests do not interfere with the work of staff. CSM content security blocks employees from accessing social networks: using an online web content filter, the router checks the websites employees want to open and blocks unwanted ones. A printer is connected to the router's USB port, and the employees' PCs "see" it as a print server. Remote employees can connect to the company's local network through VPN clients on their home computers using PPTP or IPSec. In office B, the main provider is connected via Ethernet to the WAN 1 port of the Draytek 2912, and a 3G modem connected to the USB port is configured as WAN 3, so that if the WAN 1 channel fails, the traffic goes through the 3G modem.
Employees' PCs, IP phones and servers are in different VLANs, QoS is configured, as the office uses IP phones. For monitoring and analyzing network activity of users, the Draytek Smart Monitor solution is used, with which it is easy to understand how much traffic people consume and which web resources they visit.
Now take a closer look at the key functions of the router.
Powerful office router with Internet connection redundancy, traffic balancing

Fig. 3
The 2912 series routers have two Fast Ethernet WAN interfaces: the main WAN port (W1 in the figure) and one LAN port (W2 / P1 in the figure) that can be configured as the second WAN port, WAN2. Traffic balancing and redundancy are configured between the interfaces, so if two Internet providers are used and one provider's channel fails, the Internet keeps working in the office. In addition to redundancy across Ethernet providers, you can add a backup Internet channel through a 3G / 4G modem, which is inserted into the router's USB port and becomes the WAN3 port.
In addition, you can create routing rules (or address-based NAT translation) that direct traffic to specific WAN / LAN / VPN interfaces, matching on source and destination (a host or a subnet) and, optionally, on protocol and port range. A rule also names the backup interface to which traffic should be sent if the main one fails.
Each rule has a priority in the list, so if the first rule does not apply, the next rule of lower priority in the list, if there is one, is used.
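A sketch of the rule evaluation described above, as an added example rather than the router's own code or configuration syntax. The class and function names, addresses and interface labels are assumptions; it further assumes that a lower priority number is checked first and that a matching rule with no usable interface is skipped.

```python
"""Model of priority-ordered policy routes with a backup interface.

Added illustration only: this is not DrayTek firmware or configuration
syntax. Names, addresses and interface labels are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class PolicyRule:
    priority: int                            # assumption: lower number is checked first
    src: str                                 # source host or subnet (CIDR)
    dst: str                                 # destination host or subnet (CIDR)
    interface: str                           # main egress interface
    backup: Optional[str] = None             # used when the main interface is down
    protocol: Optional[str] = None           # None matches any protocol
    ports: Optional[Tuple[int, int]] = None  # inclusive range, None matches any port

    def matches(self, src: str, dst: str, protocol: str, port: int) -> bool:
        if ip_address(src) not in ip_network(self.src):
            return False
        if ip_address(dst) not in ip_network(self.dst):
            return False
        if self.protocol is not None and self.protocol != protocol:
            return False
        if self.ports is not None and not self.ports[0] <= port <= self.ports[1]:
            return False
        return True


def select_interface(rules: Iterable[PolicyRule], link_up: Dict[str, bool],
                     src: str, dst: str, protocol: str, port: int) -> Optional[str]:
    """Return the egress interface for a flow, or None if no rule can carry it."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.matches(src, dst, protocol, port):
            continue
        # Try the main interface first, then the rule's backup interface.
        for candidate in (rule.interface, rule.backup):
            if candidate is not None and link_up.get(candidate, False):
                return candidate
        # Neither interface of this rule is up: fall through to the next rule.
    return None


# Constructed sample rules (deliberately listed out of priority order).
RULES = [
    PolicyRule(3, "192.168.1.0/24", "0.0.0.0/0", "WAN1", backup="WAN2"),
    PolicyRule(1, "192.168.2.0/24", "0.0.0.0/0", "WAN1", backup="WAN3",
               protocol="udp", ports=(5060, 5061)),
    PolicyRule(2, "192.168.1.0/24", "203.0.113.0/24", "WAN2",
               protocol="tcp", ports=(443, 443)),
]
ALL_UP = {"WAN1": True, "WAN2": True, "WAN3": True}

if __name__ == "__main__":
    flow = ("192.168.1.20", "203.0.113.5", "tcp", 443)
    for state in (ALL_UP, {**ALL_UP, "WAN2": False}):
        print(state, "->", select_interface(RULES, state, *flow))
```

In this model a flow pinned to one interface with no backup falls through to a broader rule when that link is down, so it is worth checking where such traffic ends up during a link failure.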
Building a secure VPN network between offices or connecting remote workstations

Fig. 4
The router supports up to 16 VPN* LAN-to-LAN tunnels for securely connecting the organization's networks over the Internet, as well as VPN connections from remote workstations for home workers, using the PPTP / IPSec / L2TP / L2TP over IPSec protocols. AES / DES / 3DES encryption and IKE authentication provide enhanced security. A dual WAN connection allows not only load balancing but also redundancy: if the main VPN channel becomes unavailable, the backup VPN channel replaces it.
By the way, the VPN functions in Draytek routers are very easy to configure. In just a couple of clicks, you can configure both LAN-to-LAN connections and access from remote workstations. Draytek has its own VPN client to simplify connecting from workstations, called Draytek Smart VPN Client. The application is available for free download on the draytek.com website.
* In routers officially supplied to the Russian Federation, all encryption software that does not support the GOST standards has been removed, so such firmware offers only PPTP without encryption. This can be circumvented by installing the standard software, which can be downloaded from draytek.com.
Secure networking for the office

Fig. 5
The router supports 802.11n wireless networking and has two omnidirectional antennas. The range of wireless settings in the router is large.
The device supports up to 4 independent wireless networks with their own settings. For each network you can limit the maximum bandwidth for outgoing and incoming traffic and enable a schedule on which these limits apply. Each of the 4 wireless networks has its own security settings, including MAC address filters. For each network you can also enable a Wi-Fi usage quota based on MAC address, with a timeout before the quota is granted again.

Fig. 6
You can also enable the web portal function, which redirects a user connecting to the Internet to a chosen web page, for example a company advertisement.

Fig. 7
Another important advantage: any of the four wireless networks and LAN subnet can be combined and isolated from other networks, which increases security. There can be 2 LAN subnets on the Draytek 2912 router.

Fig. 8
Powerful firewall with content filtering at the application level

Fig. 9
The 2912 series routers include a firewall with Stateful Packet Inspection (SPI) built on objects such as a user (who is given a certain IP on authorization), an IP address or group of IP addresses, a protocol and port range and groups of them, keywords and keyword groups, and file extension profiles. These objects can be used to create firewall rules that can be turned on and off on a schedule.
The CSM (Content Security Management) system is an application-level firewall subsystem that lets you block URLs by keyword and by content type, for example Java Applet, Cookies, ActiveX. You can also block various network applications, for example IM / P2P, or application-level protocols, for example MySQL, SMB, SSH, UltraVPN; the list of services and protocols is quite impressive. It is also possible to block DNS by keywords.
Another powerful tool that CSM contains is the GlobalView Web Content Filter system. It is designed to filter unwanted content by topic, for example sites about porn, crime, gambling and more. The administrator creates profiles that specify the site topics and assigns them to firewall rules, then indicates what to do if a rule matches, for example block. Web Content Filter is licensed, but a trial license for testing can be obtained free of charge.
The router implements detection of and automatic protection against DoS attacks, and the traffic thresholds above which an event is considered an attack can be configured manually. Notifications about an attack can also be sent. In general, the firewall can operate in one of two global modes:
- Rule-Based: the administrator sets rules based on objects such as the IP addresses of user stations.
- User-Based: the administrator sets rules for different user profiles. Users must log in first.
Bandwidth Management and QoS Quality Assurance
The router has a wide range of QoS settings for the typical task of correctly prioritizing delay-critical traffic over other traffic. Moreover, by default the router automatically detects real-time traffic, for example VoIP calls, and gives it priority over other types of traffic. In addition to the QoS settings, there are ample options for controlling bandwidth and setting traffic limits both for individual IP addresses and for groups of IP addresses. You can specify how much traffic a user gets at full speed and over what period; once the limit is exhausted, the speed is reduced to a set threshold.
Rules can be enabled and disabled on a seven-day schedule with up to 15 intervals.

Fig. 10
Multi-purpose USB port: print server, file storage, 3G / 4G modem connection
The router has a USB port that can be used in one of three modes. First, you can connect a USB 3G / 4G modem as a backup Internet connection, or as the main Internet connection if there is no other way to get online.
Second, you can connect a USB printer to the router, which then becomes a print server that users reach over the network.
Third, you can connect a USB drive and share files over FTP or NetBios / SMB.

Fig. 11
Smart Monitor Traffic Analysis System

Fig. 12
Smart Monitor was created primarily to solve network problems by monitoring and analyzing network traffic; the application helps administrators find and fix problems with network applications. For example, you can monitor traffic of various types and create detailed reports on users' traffic usage, export them and even send them by e-mail. There is a TOP10 ranking of the heaviest users of network resources, for example a TOP10 for IM messengers or file downloads. You can also rank the use of various network protocols and take this information into account when configuring the router so that users can work comfortably. Several screenshots are shown below for illustration.

Fig. 13
The application helps to deal with misuse of working time and unwanted leakage of confidential information. For example, you can monitor abuse of IM messengers and the transfer of confidential information outside the company, track time spent on social networks, and find users who load the channels by downloading large files or streaming video. Using Smart Monitor, you can monitor user activity: read their e-mail and IM chats and view the files they have downloaded.
Some screenshots are shown below for illustration.

Fig. 14
The interception function is useful for recovering data lost by a user or for resolving disputes, for example by listening to VoIP conversations or recovering accidentally deleted emails. Naturally, you can view the addresses of sites visited by specific users. As for the separation of rights, the application lets you create accounts that may view information only for certain users, for example only sales staff.
The Smart Monitor application captures and analyzes traffic that is mirrored from the specified LAN ports of the router to the Mirror port. A port of the server on which Smart Monitor is installed is connected to the Mirror port; traffic from this port is saved and then "disassembled" by the application. The server can therefore have two ports: one for the mirrored traffic and a second for management. An important point: only traffic from the LAN ports is mirrored from the router; wireless traffic is not mirrored and therefore is not processed.
The application consists of several components, such as the Apache web server with PHP and WinPcap, which are installed on your computer in a few clicks. The Smart Monitor interface works through a web browser: open the server's IP in the browser, then enter the login and password to access the system. The minimum hardware requirements for a system of 30 hosts are modest: Intel P4 1.4GHz / AMD CPU, 20 GB of HDD space and 1GB of RAM. Supported OS: Windows XP / 7, Linux.
By the way, the application is free software. For more information, I recommend trying the online demo at http://eu.draytek.com Curve 50000/Logon.php

Fig. 15
VigorACS SI centralized management and monitoring system
The Draytek VigorACS SI centralized system is designed to manage, configure and monitor the fleet of Draytek devices for large enterprises, operators and service providers who need to simplify and automate the installation and maintenance of equipment. The use of the VigorACS SI system significantly reduces equipment maintenance costs for the service provider (operator) or system integrator. In general, the system deserves a separate review, as it is very functional.
The following advantages of using the Draytek VigorACS SI system can be highlighted:
Centralized management. The VigorACS SI architecture allows you to centrally manage various types of Draytek devices, such as routers, even if the devices are behind NAT. Management of any device is made from a single interface. Management can be as a group of devices, as well as a separate device.
Reduced support costs. One of the main tasks of the VigorACS SI system is to reduce the number of calls to the technical support service and the time needed to eliminate problems that arise. The system allows administrators to easily find and fix problems thanks to a simple intuitive interface, the ability to differentiate access rights and audit settings made by other users. The system provides detailed statistics on the operation of all devices, notification of events, and alarm notifications, the ability to remotely control devices.
Automation of the entire cycle of setting and operating equipment. The system can be useful both to service providers and system integrators who want to simplify and automate the installation and maintenance of equipment as much as possible.
Save time. Automatic configuration allows you to significantly reduce the time spent on installing new devices and reconfiguring existing ones, and as a result - save money.
Monitoring and analysis. The system allows you to monitor and analyze the status of all devices on the network and notify about events, such as accidents or device unavailability, overload or errors. This allows you to take action or prevent an accident until the moment when the client finds it and contacts the technical support service.

Fig. 16
Key features of the system:
The VigorACS SI system uses the standard TR-069 protocol to control devices.

Fig. 17
The system is licensed and is a commercial product. The system is accessed via Internet Explorer / Firefox / Safari / Opera web browser, which must support Adobe Flash Player 9.0.
Server OS requirements:
Minimum hardware requirements:
The demo interface of the system can be viewed at http://acstest.draytek.com:8001/web/ACS.html using an account
Below are detailed technical specifications of the Draytek 2912 series
WAN interface for connecting to the Internet.
Firewall
VPN functions
One small remark: under the legislation of the Russian Federation, software and hardware with encryption functions imported into the Russian Federation must comply with the standards established by the control and supervisory authorities, so in the case of this router all encryption functions are removed. This can be circumvented by installing regular software that can be downloaded from draytek.com.
USB functions
- Support FAT32
- Support sharing via FTP
- Support sharing via Samba
Detailed list of technical characteristics of Draytek Series 2912
Bandwidth Management:
Network management
Content Security Management
Network characteristics
- Static Routing
- RIP V2
Wireless network (only for the Draytek 2912n model)
- WEP 64/128 bit
- WPA-TKIP / WPA2-AES / Mixed Mode (WPA + WPA2)
- 802.1x Authentication
Package, appearance and packaging
The device comes in a box with marketing elements, such as images of the router, information about its key functions, and a detailed description of its capabilities. The style of the packaging indicates that the device is also sold in retail stores, where a potential buyer must first be attracted by attractive, high-quality packaging.

Fig. 18
On one of the sides of the box is a diagram of using VPN tunnels on the device's WAN interfaces, and this is not accidental, since the device has a broad VPN functionality, which the manufacturer demonstrates. The second picture shows the difference between the models of the series - wireless network support.

Fig. 19
It is enough to pick up the package and read what is written on it to fully understand what the device inside can do. The lists of functions shown on the package have been described in detail above.

Fig. 20

Fig. 21
On one side of the box is the EAC symbol, indicating that products marked with this sign have passed all the assessment procedures set out in the technical regulations of the Customs Union. There is also information about the distributor of the equipment, LLC Digital Angel. As before, all Draytek equipment is manufactured in Taiwan.
The other side of the package carries information about the device model (in our case, model 2912n), the serial number, the firmware version installed at the factory, and the region of use, Russia.

Fig. 22

Fig. 23
When you first open the box, the first thing that strikes you is the quality of the packaging. Everything is well and neatly packed. By the way, it is a remarkable fact that a device often works as well or as badly as it was packed. From experience, I can say that this is how it usually happens, and it concerns not only routers.

Fig. 24

Fig. 25
Once the contents are taken out, each item is in its own packaging. The package is standard for a router. The image below shows the Draytek 2912n; the Draytek 2912 package contains no antennas, as that model does not support a wireless network.

Fig. 26
The image below is a kit without packaging materials.

Fig. 27
The package includes the following items:
Draytek 2912 router - 1 pc.
Antenna (only for model 2912n) - 2 pcs.
RJ-45 patch cord - 1 pc.
AC adapter - 1 pc.
Set for wall mounting - 1 pc.
Brochures - 2 pcs.
Technical description in Russian - 1 pc.
As for the AC adapter, its input voltage is from 100 to 240 volts, input current 0.35 A, power 12 Watt. At its output the adapter delivers 12 volts and 1 A DC. The adapter is very compact. It is shown below.

Fig. 28
The router “carcass” itself has a strict rectangular design and hidden ventilation holes in the upper, side and lower parts of the case. In general, the router body is heated moderately. Ventilation is passive, so the device does not make noise during operation.

Fig. 29
The top panel has a row of indicators showing the status of the router and its subsystems.

Fig. 30
Let us describe these indicators.
ACT (Activity) - if the diode is flickering, the router is operating normally; if it is off, the router is turned off.
WCF - if the diode is on, the Web Content Filtering function is active.
QoS - if the diode is on, the QoS function is active.
DoS - if the diode is on, DoS attack protection is active; if the diode is flickering, a DoS attack is in progress.
LAN (P4 ~ P1) - if the diode is on, the port is active; if it is off, the port is turned off; if it is flashing, data is being transmitted through the port.
WAN (W2 ~ W1) - if the diode is on, the port is active; if it is off, the port is disabled; if it is flashing, data is being transmitted through the port.
VPN - if the diode is on, the VPN tunnel is active.
USB - if the diode is on, a device is connected to the port and ready to work; if the diode is flickering, data is being transmitted through the port.
WLAN (for model 2912n only) - if the diode is on, the wireless network is ready; if the diode is blinking slowly, traffic is being transmitted through the wireless network. If the ACT and WLAN diodes blink simultaneously and quickly, the WPS (Wi-Fi Protected Setup) function is running; it stops automatically after 2 minutes.
The indication is quite simple, but it is useful for initial diagnosis and assessment of the state of the router. The following image shows the bottom panel of the router.

Fig. 31
Ventilation holes for heat dissipation cover the entire area. In the middle there is a sticker with the exact model of the device and its power consumption, in our case up to 9 watts. The DC supply voltage and current are 12-15 V and 0.8-0.6 A, respectively. It is noteworthy that the label carries the e-mail address of Draytek technical support, where you can ask for help. The antenna mounting threads are covered with silicone caps. For mounting the router on a wall or ceiling, the kit includes two screws and two dowels. The bottom panel has two holes for hanging the case on the heads of the self-tapping screws.
Interfaces and connectors of the router (photos with description)
Now consider the interfaces and buttons of the router. All of them are in one place - on the side panel of the router. For model 2912n, on the edges, under silicone caps, there are two connectors of wireless antennas with a thread, where the omni-directional antennas from the router kit are screwed.

Fig. 32
From left to right, first comes the PWR socket for connecting the AC adapter. Next to it is a switch that turns power to the router on or off. Next is the USB 2.0 port for connecting a drive, printer or 3G / 4G modem. Then comes the block of Ethernet ports: the W1 and W2 / P1 ports are used to connect the device to Internet providers, and the W2 / P1 port can be used either as a second WAN port or as a LAN port. Ports W2 / P1 - P4 are used to connect to the local network. The multifunctional Wireless LAN ON / OFF / WPS button (only for model 2912n) enables or disables the wireless network on the device. To do this, press the button twice: if the WLAN diode goes out, the wireless network is disabled; if it lights up, the network is enabled. If you press the button once, the router waits for two minutes to be configured using the WPS function.
The Factory Reset button resets the device to the factory settings. To reset the router, turn it on and hold the button for more than 5 seconds; when you see the ACT diode flashing quickly, release the button. The router will reboot with the factory settings.
The following photos show the router with the antennas installed. The design of the device is strict and clearly emphasizes that it is aimed at business users, network engineers and system administrators, not home users. The device does not catch the eye with an unusual appearance and will fit into the interior of any office. The relatively compact size of the router lets you place or hang it almost anywhere, and passive cooling, with the resulting lack of noise, means it can be used anywhere.

Fig. 33

Fig. 34

Fig. 35
Below is a view of the router with the cables connected.

Fig. 36
Additionally, it is worth noting the quality of the plastic and materials, which is at a good level. The parts fit well together, there is no squeaking or play when the case is squeezed, the cables fit tightly into the connectors and do not fall out, and the antennas can be fixed at the right angle and do not "roll" to the sides.
Device Bandwidth Testing
This section tests the maximum bandwidth of the Draytek 2912n. IxChariot 6.7 was used for testing, with laptops running the good old 32-bit Windows XP operating system as endpoints. The scheme is simple: the IxChariot server runs on one host and the IxChariot endpoint on the second. Of course, the tests cannot be called a reference, since old hardware and old software were used, but because the router has 100 megabit Ethernet ports, this equipment is enough for the tests. The standard script High_Performance_Throughput was used in all cases.
Wired network test, LAN-WAN with NAT, scheme LAN → Draytek 2912n → WAN, duration 00:01:26. The average speed is 93.622 Mbit/s, which is a very good result.

Fig. 37
Wireless network test, Wireless LAN-WAN, scheme Wireless LAN → Draytek 2912n → WAN. The wireless network adapter on the laptop worked in 802.11n mode with WPA2 / PSK security.
I used a regular laptop with an Intel Wireless WiFi Link 4965AGN wireless controller, because in reality the average user will use such equipment. The test duration is about 3 minutes and the average real speed is 40.731 Mbit/s, with the laptop adapter connected to the wireless network at about 104 Mbit/s.
The connection speed of a wireless adapter can be 300 Mbit/s; at this speed the Wireless LAN -> WAN test will show about 90 Mbit/s, since the wired WAN interface has a maximum connection speed of 100 Mbit/s.

Fig. 38
Below is the same wireless network test, but without encryption; the difference in bandwidth is not significant, despite the lack of encryption.

Fig. 39
VPN testing, VPN scheme PPTP client (without encryption) → Draytek 2912n → WAN.

Fig. 40
Average speed was 87.986 Mbit / s.
Now with encryption: VPN scheme IPSec client (with DES encryption) → Draytek 2912 → WAN.
The average speed is 82.978 Mbit/s; the result is very good.

Fig. 41
So, in this part of the review we examined the Draytek 2912 / 2912n series router in detail: its positioning on the market, a diagram of how the router is used, its key functions and examples of using them, the detailed technical specification, the package contents and appearance, and the functions of the device's indicators and interfaces. Everything we have seen clearly demonstrates that the device has the very wide capabilities that an SMB / SOHO enterprise or a small branch of a large company may need, and it therefore has great potential for use in corporate networks. Load testing showed good results; I did not expect otherwise, because the device is far from entry level.
In the next part of the review, we will look at the device’s web interface.

Key features of the device
- The Draytek 2912 series is ideal for the SOHO segment
- All-in-one network device
- Powerful high-capacity office router
- Powerful firewall
- CSM (Content Security Management) security management system
- WAN interface with redundancy and balancing of traffic between multiple WAN interfaces
- 802.11n wireless network up to 300 Mbps (only for model 2912n) with the ability to create multiple wireless networks on one device
- Port-based and tag-based VLAN support
- Support for up to 16 VPN tunnels (using PPTP / L2TP / IPsec protocols) with hardware encryption and the ability to back up VPN connections (equipment officially imported into the Russian Federation only supports PPTP without encryption)
- Multifunctional USB port for connecting a printer or sharing files
- Ability to connect 3G / 4G USB modems as WAN 3 via the USB port
- Bandwidth Management with Intelligent VoIP QoS Mode
- IPv4 and IPv6 support
- Extensive management through the web interface or the CLI command line
- Ability to use with the VigorACS SI server for centralized management and monitoring
- TR-069 control protocol support
- Ability to connect to the Smart Monitor traffic analyzer and monitor up to 30 hosts
Draytek 2912 Usage Scheme
The Model 2912 is primarily an office router with the maximum set of features that may be required to create a transparent and efficient network infrastructure for a small office. This example demonstrates the combined usage pattern of the router.

Fig. 2
So, the first location is the head office. It has a powerful Draytek 3900 router and VigorACS SI, a unified management and monitoring system for all of the company's Draytek routers, with which you can easily configure, update and monitor every router in the network from one place, even if there are hundreds of devices. All offices are connected to each other with VPN tunnels; in our example these are the head office and offices A and B. We installed Draytek 2912 and 2912n in offices A and B; the offices are small and the performance of these routers is enough.
In office A, the router is connected to two Internet providers through its two Ethernet WAN ports. Traffic balancing between the WAN interfaces is configured, so if one of the operators has a failure, Internet access is preserved. All employees' workplaces are connected via Wi-Fi, and several independent wireless networks with their own SSIDs are configured: in the example these are the Wireless network for the office staff and the Guest network, which has limited access and limits on the number of simultaneous sessions per device and on the maximum bandwidth, so that guests do not interfere with the work of staff. With CSM content security, employees are blocked from accessing social networks: using an online web content filter, the router checks the websites that employees want to access and blocks unwanted ones. A printer is connected via the USB port of the router, and the employees' PCs “see” it as a print server. Remote employees can connect to the company's local network via VPN clients on their home computers using PPTP or IPSec.
In office B, the main provider is connected via Ethernet to the WAN 1 port of the Draytek 2912, and a 3G modem is connected via the USB port and configured as WAN 3; in case of a failure on the WAN 1 channel, the traffic will go through the 3G modem. Employees' PCs, IP phones and servers are in different VLANs, and QoS is configured, as the office uses IP phones. For monitoring and analyzing the network activity of users, the Draytek Smart Monitor solution is used, which makes it easy to understand how much traffic people consume and which web resources they visit.
Now take a closer look at the key functions of the router.
Powerful office router with Internet connection redundancy, traffic balancing

Fig. 3
The 2912 series routers have two Fast Ethernet WAN interfaces: the main WAN port (W1 in the figure) and one LAN port (W2 / P1 in the figure) that can be configured as the second port, WAN2. Traffic balancing and redundancy are configured between the interfaces; if two Internet providers are used, the Internet will keep working in the office in the event of an accident on the channel of one of them. In addition to redundancy across Ethernet providers, you can add a backup Internet channel via a 3G / 4G modem, which is inserted into the USB port of the router and becomes the WAN3 port.
In addition, you can create routing rules (or address-based NAT translation) to specific WAN / LAN / VPN interfaces, for traffic from sources and for destinations such as a host or subnet with optional indication of the protocol and port range. The rule additionally indicates the backup interface to which traffic should be sent in case of failure of the main one.
Each rule has a priority in the list, so if the first rule did not work, the next rule with a lower priority, if there is one in the list, will apply.
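The rule list described above can be modelled in a few lines. This is an added example, not DrayTek firmware logic or code from the original review; the class, function and interface names and the sample rules are constructed, and it assumes a rule "does not work" when it does not match the flow or when both of its interfaces are down. It also shows a side effect worth checking in any such list: a tunnel-bound flow with no backup interface can fall through to a catch-all rule and leave over a plain WAN port.

```python
"""Toy model of priority-ordered policy routes with a backup interface.
Added illustration only; all names and sample rules are hypothetical."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class PolicyRule:
    priority: int                      # lower number is evaluated first (assumption)
    src: str                           # source host or subnet in CIDR notation
    dst: str                           # destination host or subnet in CIDR notation
    out_if: str                        # primary interface, e.g. WAN1 or a VPN profile
    failover_if: Optional[str] = None  # backup interface used when out_if is down
    proto: Optional[str] = None        # None matches any protocol
    ports: Optional[Tuple[int, int]] = None  # inclusive range; None matches any port

    def matches(self, src, dst, proto, port):
        if ip_address(src) not in ip_network(self.src):
            return False
        if ip_address(dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != proto:
            return False
        if self.ports is not None and not (self.ports[0] <= port <= self.ports[1]):
            return False
        return True


def first_match(rules, src, dst, proto, port):
    """The rule the administrator intended for this flow, ignoring link state."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if rule.matches(src, dst, proto, port):
            return rule
    return None


def select_interface(rules, up, src, dst, proto, port):
    """Return (interface, reason) for one flow given the set of interfaces that are up."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.matches(src, dst, proto, port):
            continue
        if rule.out_if in up:
            return rule.out_if, f"rule {rule.priority} primary"
        if rule.failover_if in up:
            return rule.failover_if, f"rule {rule.priority} failover"
        # Primary and backup are both down: fall through to the next rule.
    return None, "no usable interface"


def bypasses_tunnel(rules, up, tunnel_ifs, flow):
    """True when a flow meant for a tunnel ends up on a non-tunnel interface."""
    intended = first_match(rules, *flow)
    chosen, _ = select_interface(rules, up, *flow)
    return (intended is not None and intended.out_if in tunnel_ifs
            and chosen is not None and chosen not in tunnel_ifs)


# Constructed sample rule list for a branch office (not from the review).
RULES = [
    # Head-office subnet goes through the tunnel; no backup interface set.
    PolicyRule(1, "192.168.1.0/24", "10.10.0.0/16", "VPN-HQ"),
    # SIP signalling from the phone VLAN: Ethernet first, 3G modem as backup.
    PolicyRule(2, "192.168.2.0/24", "0.0.0.0/0", "WAN1", "WAN3",
               proto="udp", ports=(5060, 5061)),
    # Catch-all for every LAN subnet.
    PolicyRule(3, "192.168.0.0/16", "0.0.0.0/0", "WAN2", "WAN1"),
]

if __name__ == "__main__":
    hq_flow = ("192.168.1.20", "10.10.5.5", "tcp", 445)
    for up in ({"VPN-HQ", "WAN1", "WAN2", "WAN3"}, {"WAN1", "WAN2", "WAN3"}):
        print(sorted(up), select_interface(RULES, up, *hq_flow),
              "bypass:", bypasses_tunnel(RULES, up, {"VPN-HQ"}, hq_flow))
```

In this model, a blackhole or explicit backup tunnel on rule 1 is what keeps the head-office flow from matching the catch-all when the tunnel is down.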
Building a secure VPN network between offices or connecting remote workstations

Fig. 4
The router supports up to 16 VPN * LAN-to-LAN tunnels to securely connect the organization's networks via the Internet, or VPN connections from remote workstations for homeworkers, using the PPTP / IPSec / L2TP / L2TP over IPSec protocols. AES / DES / 3DES encryption and IKE authentication provide enhanced security. A dual WAN connection allows you to use not only a load balancing scheme, but also redundancy. Therefore, if the main VPN channel becomes unavailable, the backup VPN channel will replace it.
By the way, the VPN functions in Draytek are very easy to configure. In just a couple of clicks, you can configure both LAN-to-LAN connections and access from remote workstations. Draytek has its own VPN client to simplify connectivity from workstations; it is called Draytek Smart VPN Client. The application is available for free download on the draytek.com website.
* In the official deliveries of routers to the territory of the Russian Federation, all encryption software that does not support GOSTs has been removed, therefore in such firmware you will find only PPTP support without encryption. This can be circumvented by installing the regular software, which can be downloaded from draytek.com.
Secure networking for the office

Fig. 5
The router supports 802.11n wireless networking and has two omni-directional antennas. The range of wireless settings in the router is extensive.
The device supports up to 4 independent wireless networks with their own settings. For each network you can limit the maximum bandwidth for outgoing and incoming traffic and enable a schedule according to which these restrictions apply. Each of the 4 wireless networks has its own security settings, including MAC address filters. For each network, you can also enable a Wi-Fi usage quota based on the MAC address and a timeout after which the quota is granted again.

Fig. 6
You can also enable the web portal function, which redirects a user connecting to the Internet to a chosen web page, for example a company advertisement.

Fig. 7
Another important advantage: any of the four wireless networks and LAN subnet can be combined and isolated from other networks, which increases security. There can be 2 LAN subnets on the Draytek 2912 router.

Fig. 8
Powerful firewall with content filtering at the application level

Fig. 9
The 2912 Series routers support a firewall with Stateful Packet Inspection (SPI) built on objects such as a user (who gets a certain IP address when authorizing), an IP address or groups of IP addresses, a protocol and port range and their groups, keywords and keyword groups, and file extension profiles. These objects can be used to create firewall rules that can be turned on and off on a schedule.
The CSM (Content Security Management) system is an application-level firewall subsystem that allows you to block URLs by keywords and by content type, for example Java applets, cookies, ActiveX. You can also block various network applications, for example IM / P2P, or application-level protocols, for example MySQL, SMB, SSH, UltraVPN; the list of services and protocols is quite impressive. It is also possible to block DNS by keywords.
Another powerful tool that CSM contains is the GlobalView Web Content Filter system. It is designed to filter unwanted content at the thematic level, that is, for example, sites with the theme of porn, crime, gambling, and more. The administrator creates profiles where he specifies the themes of the sites and assigns them to firewall rules, then indicates what to do if the rule matches, for example, block. Web Content Filter is licensed, but a trial license for testing can be obtained free of charge.
The router implements detection of and automatic protection against DoS attacks, and the traffic thresholds above which an event is considered an attack can be configured manually. Notifications about an attack can also be sent. In general, the firewall can operate in one of two global modes:
- Rule-Based, that is, based on rules: the objects are, for example, the IP addresses of user stations, and the administrator sets the rules for different IP addresses.
- User-Based, that is, management based on user profiles: the administrator sets the rules for different user profiles. Before this, users must log in.
Bandwidth Management and QoS Quality Assurance
The router has a wide range of QoS settings for solving a typical task: correctly prioritizing delay-critical traffic over the traffic of services that do not need such priority. Moreover, the router by default automatically detects real-time traffic, for example VoIP calls, and gives it priority over other types of traffic. In addition to the QoS settings, there are ample opportunities to control the bandwidth and set a traffic limit for both individual IP addresses and groups of IP addresses. You can specify how much traffic and for how long a given user gets at full speed; after the limit is exhausted, the speed is reduced to a certain threshold.
To enable and disable rules, you can create a seven-day schedule with up to 15 intervals.

Fig. 10
Possibility of multi-purpose use of the USB port in the print server, file storage, 3G / 4G modem connection modes
The router has a USB port that can be used in one of three modes. First, connect a USB 3G / 4G modem to back up the Internet connection, or as the basic Internet connection if there is no other way to connect to the Internet.
Secondly, connect the USB printer to the router, which becomes the print server and users will be able to use it by setting up access to it over the network.
Third, connect a USB drive and share files with FTP or NetBios / SMB.

Fig. 11
Smart Monitor Traffic Analysis System

Fig. 12
Smart Monitor was created primarily to solve network problems by monitoring and analyzing network traffic; the application helps administrators find and solve problems with network applications. For example, you can monitor traffic of various types and create detailed reports on the use of traffic by users, export them and even send them by e-mail. There is a TOP10 ranking for maximum use of network resources, for example, a TOP10 for IM messenger use or file downloads. You can also rank the use of various network protocols and take this information into account when configuring the router so that users feel comfortable working. For illustration, several screenshots are shown below.

Fig. 13
The application helps to solve the problems of misuse of working time and unwanted leakage of confidential information. For example, you can monitor the abuse of IM messengers and the transfer of confidential information outside the company, the time spent on social networks, and find users who load the channels by downloading large files or streaming video, etc. Using Smart Monitor, you can monitor user activity: read e-mail, chats in IM messengers, and view the files users have downloaded.
For illustration, some screenshots are shown below.

Fig. 14
The interception function is useful for recovering data in the event that it is lost by the user or resolving disputable situations. For example, listening to VoIP-conversations or recovering accidentally deleted emails. Naturally, you can view the addresses of sites that were visited by specific users. With regard to the division of rights: in the application, you can create accounts with privileges to view information only for certain users, for example, only sales staff.
The Smart Monitor application captures and analyzes traffic that is mirrored from the specified LAN ports of the router to the Mirror port. A port of the server on which the Smart Monitor application is installed is connected to the Mirror port; traffic from this port is saved and then “disassembled” by the application. Therefore, the server can have two ports: one for the mirrored traffic and a second one for management. The important point is that only the traffic of the LAN ports is mirrored from the router; wireless traffic is not mirrored and, therefore, is not processed.
The application consists of several components, such as the Apache web server with PHP and WinPcap, which are installed on your computer in a few clicks. The Smart Monitor interface works through a web browser. To use it, open the server's IP address in the browser, then enter the login and password to access the system. The minimum hardware requirements for a system of 30 hosts are modest: Intel P4 1.4GHz / AMD CPU, 20 GB of HDD space and 1GB of RAM. Supported OSes: Windows XP / 7, Linux.
By the way, the application is free software. For more information, I recommend using the online demo at http://eu.draytek.com Curve 50000/Logon.php
Login: guest
Pass: guest

Fig. 15
VigorACS SI centralized management and monitoring system
The Draytek VigorACS SI centralized system is designed to manage, configure and monitor the fleet of Draytek devices for large enterprises, operators and service providers who need to simplify and automate the installation and maintenance of equipment. The use of the VigorACS SI system significantly reduces equipment maintenance costs for the service provider (operator) or system integrator. In general, the system deserves a separate review as it is very functional.
The following advantages of using the Draytek VigorACS SI system can be highlighted:
Centralized management. The VigorACS SI architecture allows you to centrally manage various types of Draytek devices, such as routers, even if the devices are behind NAT. Management of any device is made from a single interface. Management can be as a group of devices, as well as a separate device.
Reduced support costs. One of the main tasks of the VigorACS SI system is to reduce the number of calls to the technical support service and the time needed to eliminate problems that arise. The system allows administrators to easily find and fix problems thanks to a simple intuitive interface, the ability to differentiate access rights and audit settings made by other users. The system provides detailed statistics on the operation of all devices, notification of events, and alarm notifications, the ability to remotely control devices.
Automation of the entire cycle of setting and operating equipment. The system can be useful both to service providers and system integrators who want to simplify and automate the installation and maintenance of equipment as much as possible.
Save time. Automatic configuration allows you to significantly reduce the time spent on installing new devices and reconfiguring existing ones, and as a result - save money.
Monitoring and analysis. The system allows you to monitor and analyze the status of all devices on the network and notify about events, such as accidents or device unavailability, overload or errors. This allows you to take action or prevent an accident until the moment when the client finds it and contacts the technical support service.

Fig. 16
Key features of the system:
- TR-69 protocol support
- Compatible with Draytek devices supporting TR-69
- Remote auto setup and device status monitoring
- Dynamic and scheduled customization of services
- VPN Configuration Wizard to easily create secure connections
- Daily reports and performance review
- Real-time alarm notifications
- Topology management with device connectivity rendering.
- Device Firmware Management
- Multi-user rights sharing
The VigorACS SI system uses the standard TR-069 protocol to control devices.

Fig. 17
The system is licensed and is a commercial product. The system is accessed via Internet Explorer / Firefox / Safari / Opera web browser, which must support Adobe Flash Player 9.0.
Server OS requirements:
- Microsoft Windows 2003 / XP / Vista / 7
- 32/64-bit openSUSE or other Linux distributions with Java v1.5 / MariaDB (MySQL) v5.5 are recommended; for large installations of over 5000 nodes, it is not recommended to use Microsoft Windows 2003 / XP / Vista
Minimum hardware requirements:
- Intel Pentium 4 CPU 1.0 GHz and higher
- 2 GB DDR2 RAM
- Hard disk: 80GB and more
The demo interface of the system can be viewed at http://acstest.draytek.com:8001/web/ACS.html using an account
username: guest
password: guest
Detailed functional specification Draytek 2912 / 2912n
Below are detailed technical specifications of the Draytek 2912 series
WAN interface for connecting to the Internet.
- IPv4- DHCP Client, Static IP, PPPoE, PPTP, L2TP, 802.1p / q Multi-VLAN Tagging
- IPv6- Tunnel mode: PPP, TSPC, AICCU, 6in4, 6rd
- Dual stack: DHCPv6 Client, Static IPv6, DSLite
- USB WAN via 3G / 4G modem
- PPP
- Policy based outbound balancing
- WAN Interface Redundancy
- Supports up to 30,000 NAT sessions
Firewall
- Multi-NAT, DMZ Host, Port Forwarding
- Object-based Firewall
- MAC address filtering
- Stateful Packet Inspection (SPI) (Flow Track)
- DoS / DDoS Prevention
- Anti-spoofing IPs
- Email notifications and logging via Syslog
- Binding IP address to MAC address
- Scheduled Management
- IPv6 Firewall
- user management
VPN functions
There is a small remark: in accordance with the legislation of the Russian Federation, software and hardware supporting encryption means imported into the Russian Federation must comply with the standards established by control and supervisory authorities, therefore, in the case of this router, all encryption functions are removed. This can be circumvented by installing regular software that can be downloaded from draytek.com.
- Up to 16 VPN tunnels
- Protocols: PPTP, IPSec, L2TP, L2TP over IPSec
- Encryption: MPPE and hardware AES / DES / 3DES
- Authentication: MD5, SHA-1
- IKE authentication: Pre-shared key and digital signature (X.509)
- Work and control in LAN-to-LAN, Host-to-LAN modes
- IPsec NAT-traversal (NAT-T)
- Dead Peer Detection (DPD)
- VPN Backup Mode
- DHCP over IPSec
- VPN Pass-through
- VPN Configuration Wizard
- mOTP
USB functions
- Sharing a printer
- File Sharing:
- Support FAT32
- Support sharing via FTP
- Support sharing via Samba
- 3.5G (HSDPA) / 4G (LTE) modem connections as WAN3 interface
Detailed list of technical characteristics of Draytek Series 2912
Bandwidth Management:
- QoS provisioning features:
- Guaranteed band for VoIP traffic
- Class-based guaranteed band for user-defined traffic categories
- DSCP label support
- 4 levels of prioritization for each type of traffic
- Band reservation
- Reassigning QoS Labels for LOS TOS / DSCP Protocols
- Intelligent bandwidth limiting
Network management
- Web Based Management
- Router Quick Setup Wizard
- Console CLI management interface via telnet / ssh
- Administrative Access Control
- Backup and restore configuration
- Built-in diagnostic functions
- Firmware update via TFTP / FTP / HTTP / TR-069 protocols
- Syslog Logging
- SNMP V2 / V3 support
- Control session timeout setting
- Two-level restriction of management rights: administrator and user
- TR069 protocol support
- Smart Monitor support up to 30 terminals
Content Security Management
- IM / P2P applications
- Filter by content URL:
- Filter by keywords (white and black lists)
- Block content by types (extensions): Java applets, Cookies, Active X, Compressed, Executable, Multimedia
- Ability to specify networks for which the rules do not apply
- GlobalView Global Content Filter (using CYREN technology)
Network characteristics
- DHCP Client / Relay / Server
- RADVD for IPv6
- DHCPv6 Server
- Static IPv6 Addressing
- IGMP Proxy V2 / V3
- IGMP snooping
- Dynamic DNS
- NTP Client
- RADIUS Client
- DNS Caching / Proxy
- UPnP 30 Sessions
- Routing protocols:
- Static Routing
- RIP V2
- Tagged VLAN (802.1q) on LAN
Wireless network (only for the Draytek 2912n model)
- IEEE 802.11n standard (2.4GHz), up to 300 Mbit / s
- View a list of wireless clients
- Wireless isolation
- Wireless security
- WEP 64/128 bit
- WPA-TKIP / WPA2-AES / Mixed Mode (WPA + WPA2)
- 802.1x Authentication
- Wireless SSID hiding
- Multiple SSID Configuration
- MAC Address Filter
- Access Point Detection
- Integration of access points using WDS (Wireless Distribution System)
- SSID VLAN grouping with LAN port
- Network bandwidth control
- WMM
- WPS
Package, appearance and packaging
The device comes in a box with marketing elements, such as images of the router, information about its key functions, as well as a detailed description of the possibilities. The type of packaging indicates that the device, including, is sold in stores, where a potential buyer must first be attracted by beautiful and high-quality packaging.

Fig. 18
On one of the sides of the box is a diagram of using VPN tunnels on the device's WAN interfaces, and this is not accidental, since the device has a broad VPN functionality, which the manufacturer demonstrates. The second picture shows the difference between the models of the series - wireless network support.

Fig. 19
It is enough to pick up the package and read what is written on it in order to fully understand what the device inside can do. The lists of functions shown on the package have been described in detail above.

Fig. 20

Fig. 21
On the side, on the box, is the EAC symbol, indicating that the products marked with this sign have passed all the assessment procedures set forth in the technical regulations of the Customs Union. Also information about the distributor of equipment - LLC Digital Angel. As before, all Draytek equipment is manufactured in Taiwan.
On the other side of the package, information about the model of the device - in our case, model 2912n, serial number, firmware version installed at the factory, information about the region to use - Russia.

Fig. 22

Fig. 23
When you first open the box, the first thing that strikes you is the quality of the packaging. Everything is well and neatly packed. By the way, it is a remarkable fact that a device will often work as well or as badly as it was packed. From experience, I can say that this is how it usually happens. And it concerns not only routers.

Fig. 24

Fig. 25
After unpacking, each item is in its own packaging. The package contents are standard for a router. The image below shows the Draytek 2912n; there are no antennas in the Draytek 2912 package, as this modification does not support a wireless network.

Fig. 26
The image below is a kit without packaging materials.

Fig. 27
The package includes the following items:
Draytek 2912 router - 1 pc.
Antenna (only for model 2912n) - 2 pcs.
RJ-45 patch cord - 1 pc.
AC adapter - 1 pc.
Set for wall mounting - 1 pc.
Brochures - 2 pcs.
Technical description in Russian - 1 pc.
As for the network adapter, its input voltage is from 100 to 240 volts, input current 0.35 A, power 12 Watt. At the output, the network adapter produces 12 volts and 1 A DC. The adapter is very compact. Its image is presented below.

Fig. 28
The router “carcass” itself has a strict rectangular design and hidden ventilation holes in the upper, side and lower parts of the case. In general, the router body is heated moderately. Ventilation is passive, so the device does not make noise during operation.

Fig. 29
The top panel has a number of indicators showing the status and operation of the router subsystems.

Fig. 30
Let us describe these indicators.
ACT (Activity) - If the diode is flickering, the router is operating normally, if it is turned off, the router is turned off.
WCF - if the diode is on, the Web Content Filtering function is active
QoS - if the diode is on, the QoS provisioning function is active.
DoS - if the diode is on, DoS attack protection is active, if the diode is flickering, a DoS attack is in progress.
LAN (P4 ~ P1) - if the diode is on, the port is active, if it is turned off, the port is turned off, and if it is flashing, data is transmitted through the port.
WAN (W2 ~ W1) - if the diode is on, the port is active, if it is turned off, the port is disabled, if it is flashing, data is transmitted through the port.
VPN- if the diode is on, the VPN tunnel is active.
USB - if the diode is on, the device is connected to the port and ready to work, if the diode is flickering, data is transmitted through the port.
WLAN (for model 2912n only) - if the diode is on, the wireless network is ready, if the diode is blinking slowly, traffic is transmitted through the wireless network. If the ACT and WLAN diodes blink simultaneously and quickly, then the WPS (Wi-Fi Protected Setup) function is working; it will automatically stop after 2 minutes.
The display is quite simple, but it is useful for the initial diagnosis and assessment of the state of the router. The following image shows the bottom panel of the router.

Fig. 31
Over the entire area there are ventilation holes for heat dissipation, and in the middle there is a sticker with the exact model of the device and its power consumption, in our case up to 9 watts. The DC supply voltage and current are 12-15 V and 0.8-0.6 A, respectively. It is noteworthy that the label carries the e-mail address of Draytek technical support, where you can ask for help. The antenna mounting thread is covered with silicone caps. For mounting the router on a wall or ceiling, the kit includes two screws and two dowels. On the bottom panel there are two holes for hanging the case on the heads of the self-tapping screws.
Interfaces and connectors of the router (photos with description)
Now consider the interfaces and buttons of the router. All of them are in one place - on the side panel of the router. For model 2912n, on the edges, under silicone caps, there are two connectors of wireless antennas with a thread, where the omni-directional antennas from the router kit are screwed.

Fig. 32
From left to right: first is the PWR socket for connecting the network adapter. Nearby is a switch to turn the power to the router on or off. Next is the USB 2.0 port for connecting a drive, printer or 3G / 4G modem. Then comes the block of Ethernet ports: the W1 and W2 / P1 ports are used to connect the device to Internet providers, and the W2 / P1 port can be used either as a second WAN port or as a LAN port. Ports W2 / P1 - P4 are used to connect to the local network. The multifunctional Wireless LAN ON / OFF / WPS button (only for model 2912n) serves to enable or disable the wireless network on the device. To do this, press the button twice: if the WLAN diode goes out, the wireless network is disabled, if it lights up, the network is turned on. If you press the button once, the router will wait for two minutes to be configured using the WPS function.
The Factory Reset button resets the device to the factory settings. To reset the router, turn it on and hold the button pressed for more than 5 seconds; when you see that the ACT diode flashes quickly, release the button. The router will reboot with the factory settings.
The following several photos show the router with the antennas installed. The design of the device is strict; it obviously emphasizes that the device is oriented toward business users, network engineers and system administrators, and not home users. The device does not catch the eye with an unusual appearance and will fit into the interior of any office. The relatively compact size of the router allows you to put or hang it almost anywhere, and passive cooling, with the resulting lack of noise in operation, allows you to use it anywhere.

Fig. 33

Fig. 34

Fig. 35
Below is a view of the router with the cables connected.

Fig. 36
Additionally, it is worth noting the quality of plastic and materials, it is at a good level. The parts fit well together, there is no squeak and backlash when compressing the case, the cables fit tightly into the connectors and do not fall out, the antennas can be fixed at the right angle, and they do not “roll” to the sides.
Device Bandwidth Testing
Testing the maximum bandwidth of the Draytek 2912n. The IxChariot 6.7 software was used for testing, with laptops running the good old Windows XP 32-bit operating system as end points. The scheme is simple: on one host is the IxChariot server, on the second is the IxChariot endpoint. Of course, the tests cannot be called a reference, since old hardware and old software were used, but since the router has 100 megabit Ethernet ports, this equipment is enough for the tests. For testing, the standard script High_Performance_Throughput was used in all cases.
Wired network test, LAN-WAN with NAT, LAN scheme → Draytek 2912n → WAN, duration 00:01:26. The average speed is 93.622 Mbit / s, which is a very good indicator.

Fig. 37
Wireless network test, Wireless LAN-WAN, Wireless LAN scheme → Draytek 2912n → WAN; the wireless network adapter on the laptop worked in 802.11n mode with WPA2 / PSK security.
I used a regular laptop with an Intel Wireless WiFi Link 4965AGN wireless controller, because in reality the average user will use such equipment. The test duration is about 3 minutes and the average real speed is 40.731 Mbit / s, with the laptop adapter connected to the wireless network at about 104 Mbit / s.
The connection speed of the wireless adapter can be 300 Mbit / s; at this speed the Wireless LAN → WAN test will show a speed of about 90 Mbit / s, since the wired WAN interface has a maximum connection speed of 100 Mbit / s.

Fig. 38
And here is the same wireless network test, but without encryption; the difference in bandwidth is not significant, despite the lack of encryption.

Fig. 39
VPN testing, VPN scheme PPTP client (without encryption) → Draytek 2912n → WAN.

Fig. 40
Average speed was 87.986 Mbit / s.
Now encryption, VPN scheme IPSec client (with DES encryption) → Draytek 2912 → WAN
The average speed is 82.978 Mbit / s, the result is very good.

Fig. 41
So, in this part of the review, we examined in detail the Draytek 2912 / 2912n series router from such aspects as the positioning of the device on the market, a diagram of using the router, and its key functions with examples of using them; we got acquainted with the detailed technical specification of the device, looked at the package contents and appearance of the router, and went through the functions of the indicators and interfaces of the device. Everything we have seen clearly demonstrates that the device has very wide capabilities that an enterprise of the SMB / SOHO level or a small branch of a large company may need, and therefore the device has great potential for use in corporate networks. Load testing showed good results; I did not expect other results, because the device is far from entry level.
In the next part of the review, we will look at the device’s web interface.