Review – DrayTek Vigor 2820 ADSL Router Firewall and Load Balancer

06Aug10

The arrival of my EFM connection meant that I needed to find some way of balancing load (and failing over) between the new EFM and the existing ADSL. Thankfully there’s a healthy market in low end load balancers, and after digging through some reviews I went for the DrayTek Vigor 2820n.

ADSL

The device is basically an ADSL router with additional functionality. Getting it configured to use ADSL was a breeze, and since setting it up it seemed pretty solid (though to be honest it’s hard to tell given how awful our ADSL connection is anyway). Subjectively I’d say that this device trades a bit of top end speed for greater connection reliability, but I’ve no hard data to back that up.

WiFi

Since I was replacing an integrated ADSL/WiFi router I went for the ‘n’ variant that also has WiFi. Coverage from the same corner of the office that the previous 2Wire box inhabited seems better than before – connections in the meeting rooms on the opposite side of the floor are clearly more reliable.

Since this is used entirely for Internet access (and our Internet pipe is the thinnest part of the plumbing) I’ve been unable to discern any difference between 802.11n and 802.11g.

One disappointment is that although this device supports multiple SSIDs is seems almost impossible to do anything useful with them. What I want to do here is create a guest WiFi hotspot with different security credentials to the corporate SSID (it does that) but then I don’t want those guests on our network. I just haven’t figured out how to do anything meaningful with the SSIDs from a local network point of view. In an ideal world I’d like to have three configurations:

  1. A corporate SSID for staff.
  2. A guest SSID for visitors that just allows for access to the internet
  3. A guest+ SSID for visitors that allows for internet access and access to specific devices such as printers

I’m sure that the box contains everything that it needs to support that kind of configuration, it’s just that the software doesn’t present the right controls (or I’m too dumb to use it right).

[update 25 Nov] It turns out that I was too dumb, and that selecting the ‘Member’ option allows for a guest WiFi. Sadly there isn’t much in the way of controls over what can be connected to. The Member option stops connection between machines on different WiFi SSIDs, but anything connected on WiFi can connect to anything connected by a wire; so this remains an area where some better software and config controls could provide more like what I want.

Load balancing

This is the reason I bought it, and it does a competent enough job. The load balancing policy controls feel a bit clumsy to me, but having put some rules in for SIP and SSL (to favour the EFM connection) on WAN2 it seems to do a good enough job. Thankfully I’ve not yet seen any EFM failures that would cause us to fall back to ADSL (though I have pulled the plug to confirm that things do keep going). Whilst the regular documentation seems little more than a list of configuration options, the much better (but well hidden) application notes are pretty helpful at explaining how to do load balancing.

3G

One of the features I like on this device is the ability to fail over to a 3G WWAN connection. Sadly this isn’t an option if you have a fixed line WAN2, so I’ve not done any further investigation. If the dark day comes that our ADSL and EFM both fail at once, and 3G is still working (and I’m in the office to do something about it) then my guess is that we’ll get back up and running quicker on MiFi and laptops with WWAN and Connectify than we would be reconfiguring the router to use a 3G dongle. I expect that trying to run SIP over 3G isn’t likely to work that well anyway – so the phones don’t matter.

VPN

As a no servers company I wasn’t expecting to use the VPN functionality, but it dawned on me that it would be handy to be able to have remote access to printers, SIP phones and the router itself. It supports IPSEC, L2TP and PPTP. My attempts to configure IPSEC and L2TP with Windows 7 failed (the Vista application notes just didn’t get me across the line)[1]. I’m happy to say that I do have PPTP working reliably, and whilst this feels like a lowest common denominator solution it’s perfectly satisfactory for the task in hand.

Firewall

No servers mans no services, which means no need for fancy firewall configuration.

Voice

I didn’t get a 2820 with any SIP capabilities (which are available on the ‘V’ models), but I wish I’d known that such things existed before setting up the office VOIP system [2].

Niggles

DHCP – The previous 2Wire router was pretty good at handing out the same IP to the same MAC. The 2820 seems to pretty much insist on handing about the next IP in the availability stack for each lease request. Yes, I could define static mappings for every device in the office (as I’ve done already for the printers, and may still do for the phones), but this is just annoying.

Web admin – definitely a feel of designed by engineer rather than UI expert. It’s functional, but could be more intuitive.

Conclusion

The 2820n does what I bought it for, and maybe a little more besides, so I’m happy with it. Administration could be made a bit easier, but now that it’s working that shouldn’t really be an issue. I expect it to just sit in the corner and do its job.

[1] One of the issues here is that I didn’t want to specify a fixed end point IP for the remote device. Even though I have static IP at home I wanted the VPN to work from wherever I might be.

[2] Though to be honest the VOIP stuff on the 2820V is pretty limited, and if I wanted SIP trunking etc. I’d have probably waited for the newer 2930 if I had decided to get a device with VOIP support (and that has SSL VPN too).



6 Responses to “Review – DrayTek Vigor 2820 ADSL Router Firewall and Load Balancer”

  1. 1 Stuart Lee

    Hey Chris, can you tell me how you connected your EFM box to the Draytek router? We have just had EFM installed and I am not sure how to do this.

    Cheers
    Stuart

  2. 3 Simon Keen

    One little funny to be aware of with these boxes is their behaviour under power fluctuation.

    When you get a noisy mains supply that finds its way through the device power supply, like a damaged main junction in the street(my case) the router can end up rebooting but coming up in a state that suggest it couldn’t read its configuration so it uses the factory default. Your own configuration is not lost and a simple good power down will get the router back in the correct state. But if you are away and trying to VPN in but can’t get there (which is where i was both times) it can be annoying. Had to watch Spanish TV instead of streaming the BBC to my laptop.

  3. 4 higster

    Hi Chris,

    I think we may have crossed paths in a former life!

    Just stumbled upon this blog and whilst this post is now a bit old, thought I would throw in my 10 cents worth.

    The Public / Private WAP features you were after are easily achieved by using the VLAN feature. You simply add the Physical Ports and Private SSID into one VLAN, and the Public SSID into a separate VLAN. Each VLAN can access the Internet, but they cannot communicate with each other. You can assign both Ports and SSIDs to multiple VLANs so your idea of a Public + Printers connection is possible.

    DHCP Reservations are also easily achieved by using the LAN / Bind IP to MAC feature, but in my experience once a device has been issued an IP from the DHCP pool, it tends to get it every time.

    These devices have been my router of preference for a while now, especially when using with on premise VoIP systems.

    You should always ensure you have the latest firmware, and if using with VoIP ensure that SIP ALG is Disabled!

  4. 5 Syed

    I have 2 WAN CONNECTIONS…WAN 1 and WAN 2….I want to send traffic of LAN 1 through WAN 1 and LAN 2 through WAN 2…

    any one know how to do it…?

    • I don’t work at the place where I put in this router any more, but I’d expect that you can achieve what you want by having routing tables that send the traffic from each (V)LAN to different WAN gateways.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Follow

Get every new post delivered to your Inbox.

Join 93 other followers

%d bloggers like this: