Draytek Vigor 2820 Firewall Router with WAN Backup

Vigor 2820 Series ADSL Router Firewall

Compatible with all variants of ADSL (including ADSLMax, ADSL2+ and Annex M) the Vigor 2820 can also be used for cable-modem and leased line applications thanks to its additional WAN port (Ethernet). A Gigabit Ethernet port on the LAN side provides high speed connectivity for your server (or uplink to a larger Ethernet Switch). Security features include content filtering, web application controls and a new object based firewall management system.

Robust & Comprehensive Firewall

Security is taken seriously on the Vigor 2820 Series. The firewall features measures for protection against attacks including DoS (Denial of Service) attacks, IP-based attacks and access by unauthorised remote systems. Wireless, Ethernet and VPN are also protected by various protection systems (see later). The object-based firewall allows even more setup flexibility, enabling you to create combinations of users, rules and restrictions to suit multi-departmental organisations.

Content control features of the firewall allow you to set restrictions on web site access, blocking download of certain file or data types, blocking specific web sites, blocking IM/P2P applications or other potentially harmful or wasteful content. Using DrayTek's new GlobalView service, you can block whole categories of web sites (e.g. gambling, adult sites etc.), subject to an annual subscription to the Globalview server, which is continuously updated with new or changed site categorisations or sites which have become compromised (such as infected with Malware). Learn more about DrayTek Web Content Filtering here. A 30-Day free trial of Globalview can be activated on your router.

Dual-WAN Load Balancing & Backup As well as the primary ADSL interface, the Vigor 2820 features a secondary WAN port for Internet access. This is an Ethernet interface and can connect to a second ADSL modem, cable modem or any other Ethernet-based Internet feed. The secondary interface can be used either for WAN-Backup or load balancing. WAN-Backup provides contingency (redunancy) in case of your primary ADSL line or ISP suffering temporary outage). Internet Traffic will be temporarily routed via the secondary Internet access. When normal services is restored to your primary ADSL line, all traffic is switch back to that. If you don't have ADSL, the Ethernet WAN port can instead be used as your primary/only Internet connection (using NAT) so the same router can be used for either ADSL or Ethernet Internet connections. The USB port provides an alternative connection method for Internet backup by connecting to a compatible USB modem (or cellphone) for access to the high speed 3G cellular networks from UK providers such as Vodafone, Orange, 3 and T-Mobile. If you don't have ADSL at all, the USB/3G access method can be used as your primary/only Internet connection, ideal for temporary locations, mobile applications or where broadband access is not available. In addition you can instead connect a compatible analogue modem to use analogue dial-up connections for failover in the event of your broadband failing. See seaprates page for more details on both 3G and analogue dial-up. On the ISDN-equipped model (Vigor2820VSn) you can instead use ISDN for dial-in or dial-out connectivity and backup. Note : For WAN failover you can use only one method at a time, e.g. Ethernet, 3G or analogue connections.

Vigor 2820 Series - Technical Specification

• Physical Interfaces:
  • LAN Ports (Switch)
    • 1 X Gigabit Ethernet (1000Mb/s) Ports
    • 3 X Megabit (100Mb/s) Ports
    • Port-Based VLAN (Inclusive/Exclusive Groups)
  • WAN Ports:
    • ADSL Port Compliant with:
      • ANSI T1.413 Issue2
      • ITU-T G.992.1 G.dmt (ADSL)
      • ITU-T G.992.2 G.lite
      • ITU-T G.992.3 ADSL2
      • ITU-T G.992.5 ADSL2+
      • Annex L (READSL)
      • Annex A
      • Annex M
      • ANFP Issue 3 Compliant/Certified (for Annex A & Annex M)
    • Secondary WAN Port : 10/100 Base-TX Ethernet for load balance and WAN failover
    • USB Port for 3G Cellular Modem or Printer
  • VoIP: 2-port FXS Phone Ports (Vigor2820Vn / VSn only)
  • Load Balance/Failover Features:
    • Outbound Policy-Based Load-Balance
    • WAN Connection Fail-over
    • BoD (Bandwidth on Demand)
  • Vigor 2820 ATM Protocols (DSL):
    • RFC-2684/RFC-1483 Multiple Protocol over AAL5
    • RFC-2516 PPP over Ethernet
    • RFC-2364 PPP over AAL5
    • PPPoE pass through LAN/WLAN
    • PPPoE/PPPoA Relay (ADSL Bridge; feature due Autumn 2009 ETA)
    • Transparent bridge for MPoA
    • Multiple PVC support for Triple Play Applications (up to 8 simultaneous)
  • Wireless LAN Features ('n' Models Only):
    • 802.11n Compliant
    • Latest 'MIMO' Technology with three aerials (2T3R)
    • Multiple SSID : Create up to 4 virtual wireless LANs (independent or joined)
    • Packet Aggregation and Channel Bonding
    • Optional Higher Gain or directional aerials available
    • Compatible with 802.11b and 802.11g Standards
    • Active Client list in Web Interface
    • Wireless LAN Isolation (from VLAN groups and wired Ethernet interfaces)
    • 64/128-bit WEP Encryption
    • WPA/WPA2 Encryption
    • Switchable Hidden SSID
    • Restricted access list for clients (by MAC address)
    • Time Scheduling (WLAN can be disabled at certain times of day)
    • Access Point Discovery
    • WDS (Wireless Distribution system) for WLAN Bridging and Repeating (Firmware Upgradable)
    • 802.1x Radius Authentication
    • Wireless Rate-Control
    • Automatic Power Management
    • 802.11e WMM (Wi-Fi Multimedia)
  • VoIP Features (Vigor2820 'V' Models only):
    • Protocols: SIP, RTP / RTCP
    • 12 SIP Registrar Accounts (for up to 12 VoIP providers)
    • Line port for PSTN Passthrough (integrates POTS line)
    • Auto-fallback to PSTN under power/Internet failure
    • G.168 Line Echo-cancellation
    • Automatic Gain Control
    • Jitter Buffer ( 125ms )
    • Voice Codecs:
      • G.711 A / µ Law
      • G.723.1
      • G.726
      • G.729 A / B
    • VAD / CNG
    • Tone Generation: DTMF , Dial , Busy , Ring Back , Call Progress
    • DTMF Transmission: In Band / Out Band ( RFC-2833 ) / SIP info
    • FAX / Modem Support G.711 Pass-through
    • T.38 for FAX
    • Supplemental Services:
      • Caller ID
      • Call Hold / Retrieve
      • Call Waiting
      • Call Waiting with Caller ID
      • Call Transfer
      • Call Forwarding ( Always , On Busy and On No Answer )
      • DND (Do not Disturb)
      • Call Barring ( Incoming / Outgoing )
      • MWI ( Message Waiting Indicator ) ( RFC-3842 )
      • Hotline (Dial preset number when handset lifted)
  • WAN Protocols (Ethernet):
    • DHCP Client
    • Static IP
    • PPPoE
    • PPTP
    • L2TP *
    • BPA
  • Firewall & Security Features:
    • CSM (Content Security Management):
      • URL Keyword Filtering - Whitelist or Blacklist specific sites or keywords in URLs
      • Block Web sites by category (e.g. Adult, Gambling etc. Subject to subscription)
      • Prevent accessing of web sites by using their direct IP address (thus URLs only)
      • Blocking automatic download of Java applets and ActiveX controls
      • Blocking of web site cookies
      • Block http downloads of file types :
        • Binary Executable : .EXE / .COM / .BAT / .SCR / .PIF
        • Compressed : .ZIP / .SIT / .ARC / .CAB/. ARJ / .RAR
        • Multimedia : .MOV / .MP3 / .MPEG / .MPG / .WMV / .WAV / .RAM / .RA / .RM / .AVI / .AU
      • Time Schedules for enabling/disabling the restrictions
      • Block P2P (Peer-to-Peer) file sharing programs (e.g. Kazza, WinMX etc. )
      • Block Instant Messaging programs (e.g. IRC, MSN/Yahoo Messenger etc.)
    • Multi-NAT, DMZ Host
    • Port Redirection and Open Port Configuration
    • Policy-Based Firewall
    • MAC Address Filter
    • SPI ( Stateful Packet Inspection ) with new FlowTrack Mechanism
    • DoS / DDoS Protection
    • IP Address Anti-spoofing
    • E-Mail Alert and Logging via Syslog
    • Bind IP to MAC Address
  • Bandwidth Management:
    • QoS
    • Guaranteed Bandwidth for VoIP
    • Class-based Bandwidth Guarantee by User-Defined Traffic Categories
    • DiffServ Code Point Classifying
    • 4-level Priority for each Direction (Inbound / Outbound)
    • Bandwidth Borrowed
    • Temporary (5 minute) Quick Blocking of any LAN Client
    • Bandwidth / Session Limitation
  • Network/Router Management:
    • Web-Based User Interface (HTTP / HTTPS)
    • CLI ( Command Line Interface ) / Telnet / SSH*
    • Administration Access Control
    • Configuration Backup / Restore
    • Built-in Diagnostic Function
    • Firmware Upgrade via TFTP / FTP
    • Logging via Syslog
    • SNMP Management with MIB-II
    • TR-069
    • TR-104
  • VPN Facilities:
    • Up to 32 Concurrent VPN Tunnels (incoming or outgoing)
    • Tunnelling Protocols: PPTP, IPSec, L2TP, L2TP over IPSec
    • IPSec Main and Agressive modes
    • Encryption : MPPE and Hardware-Based AES / DES / 3DES
    • Authentication : Hardware-Based MD5 and SHA-1
    • IKE Authentication : Pre-shared Key and X.509 Digital Signature
    • LAN-to-LAN & Teleworker-to-LAN connectivity
    • DHCP over IPSec
    • NAT-Traversal ( NAT-T )
    • Dead Peer Detection (DPD)
    • VPN Pass-Through
  • Network Features:
    • DHCP Client / Relay / Server
    • Dynamic DNS
    • NTP Client (Syncrhonise Router Time)
    • Call Scheduling (Enable/Trigger Internet Access by Time)
    • RADIUS Client
    • DNS Cache / Proxy
    • Microsoft™ UPnP Support
  • Routing Protocols:
    • Static Routing
    • RIP V2
  • Operating Requirements:
    • Rack Mountable (Optional Vigor 2820 mounting bracket required)
    • Wall Mountable
    • Temperature Operating : 0°C ~ 45°C
    • Storage : -25°C ~ 70°C
    • Humidity 10% ~ 90% (non-condensing)
    • Power Consumption: 18 Watt Max.
    • Dimensions: L240.96 * W165.07 * H43.96 ( mm )
    • Operating Power: DC 15V (via external PSU, supplied)
    • Warranty : Two (2) Years RTB
    • Power Requirements : 220-240VAC

Wireless LAN ('n' models only)

The Vigor 2820 Series features 802.11n wireless LAN specification and has been certified by the WiFi alliance for cross compatibility and WiFi compliance (including WPA/WPA2 and WMM).

802.11n provides a total wireless bandwidth of up to 300Mb/s using new methods such as packet aggregation and channel bonding. Throughput depends on your own environment (factors such as obstructions, number of hosts and distance all make a significant difference), but actual transfer speeds of 100Mb/s are achievable (based on our real world tests). In addition, 802.11n provides greater coverage and resilience to interference compared to previous wireless standards thanks to the MIMO technology and the Vigor's triple-antennae diversity arrangement. This offset arrangement of aerials provides offset paths between hosts so that interference can be overcome.

Wireless Security is comprehensive too; the Vigor 2820 Series provides several independent levels of security including encryption (up to WPA2), authentication (802.11x) and methods such as MAC address locking and DHCP fixing to restrict access to authorised users only. The Web interface lets you see how many and which clients are currently connected as well as their current bandwidth usage. An 'instant' block lets you disconnect a wireless user temporarily in case of query. The Wireless VLAN facility allows you to isolate wireless clients from each other or from the 'wired' LAN.

The Multiple SSID features enables you to have up to four distinct or common virtual wireless access points. For example, you could have one for company usage, with access to your company LAN and another for public access which allows internet surfing only. Setting up wireless security is made easier thanks to the WPS feature (WiFi protected setup) whereby your client PC can get it's security keys by pressing a button on the front of the router.

If your laptop PC's built-in wireless doesn't support 802.11n wireless, you can use the optional Vigor N61 USB adaptor. Click on 'accessories' for details.

For specialist or more demanding coverage applications, optional aerials can be used with the Vigor 2820 to potentially increase the range of wireless coverage (depending on enviroment) or provide directional coverage in order that your wireless transmission is focussed and concentrated into one direction only, for example into a room or across open space. With the increasing popularity of wireless LANs, you will want to choose the least congested wireless channel (Nos. 1-13) for yours. The Vigor can scan and provide a list of all devices in the vicinity so that you can choose the best channel (see screenshot below).

802.11n Compliant WiFi Alliance Approved Latest 'MIMO' Technology with three aerials (2T3R) Packet Aggregation and Channel Bonding Optional Higher Gain or directional aerials available Also Compatible with 802.11b and 802.11g Standards Active Client list in Web Interface Wireless LAN Isolation (from each other and/or wired LAN) 64/128-bit WEP Encryption WPA/WPA2 Encryption WPS - WiFi Protected Setup for client security setup Switchable Hidden SSID Restricted access list for clients (by MAC address) Time Scheduling (WLAN can be disabled at certain times of day) Access Point Discovery WDS (Wireless Distribution system) for Bridging and Repeating 802.1x Radius Authentication Wireless Rate-Control Automatic Power Management 802.11e WMM (Wi-Fi Multimedia)

Above : The Vigor2820n provides a local survey of other access points so that you can choose the least congested channel.

Wireless LAN WDS Facility

Vigor 2820 'n' models support WDS (Wireless Distribution System) which enables you to use the wireless capability to bridge to another network, within wireless range. You need an additional compatible wireless router for this of course. Here is a simple example:

With WDS bridging, both networks should be within the same logical IP subnet (IP address range). Once set up, all of the PCs on both sides of the link can access each other, across the wireless bridge. Local wireless devices such as a laptop can continue to use their local access point.

An additional mode, as shown above, called 'repeating', allows you to set up a third station. In the diagram below, the router at 'B' is set up in repeating mode, relaying traffic between LANs at A and C. Therefore, all three physical networks can communicate with each other over the wireless links.

Important Note : Wireless performance (speed and range) always depends on your specific environment and will vary considerably. Factors affecting performance include wireless traffic, other networks nearby, site construction, walls, ceilings and other electronic equipment nearby. Speeds quoted are the maximum wireless capacity, including RX/TX capacity, protocol overheads and all clients/hosts connected.

Voice-over-IP Features ('V' Models Only)

The Vigor 2820 Series 'V' models build on the established DrayTek VoIP pedigree by adding even more new feaures. Twin analogue phone ports and an analogue line port provide full PSTN and VoIP integration on the same phones, via both the Internet and your regular analogue line. The two phones can be used independently and simultaneously for both incoming and outgoing calls.

As well as the two telephone ports, a third port, the Analogue Line port, connects into your regular analogue line (PSTN/POTS*). This then gives the telephones access to your analogue line to allow you to make calls as well as your VoIP facility (you can select the PSTN line instead of VoIP by dialling #0). Incoming calls are automatically switched through to your telephone(s) (either one or both) so that each phone can be used for both VoIP and POTS calls. Both telephones plugged into your router have access to VoIP and your analogue line. In addition, using the 'Digit-Map' facility you can set rules about particular call destinations using either the POTS line or your SIP/VoIP service. For example, local calls can be routed via your PSTN line (if you have a free calls package for example) whereas international calls can go via your preferred VoIP provider; there is flexibility to have several digit-map rules.

The above diagram should be used as a working schematic only, rather than an exact representation of the unit's connectivity and should be viewed with these notes: ISDN is not currently available on this model. The USB port can be used for a compatible 3G modem or a shared compatible printer connection. The secondary WAN Port ('WAN2') can be used for connection to any Ethernet feed for load balancing or Internet backup. You cannot use both WAN2(Ethernet) and USB for 3G at the same time. The LAN Ports are not shown on this diagram.

*POTS = Plain Old Telephone Service - The traditional analogue phone voice line in your home/office, e.g. B.T. That line may also be carrying your ADSL data signal.

• VoIP Features ('V' Models only):
  • Two 'FXS' Phone Ports
  • One Analogue Line Port for connection to analogue (POTS) line
  • Automatic phone switch-over for incoming calls on either PSTN or VoIP
  • Hotline (Dial preset number when handset lifted)
  • Digit-Map facility for LCR selection
  • Protocols: SIP, RTP / RTCP
  • 12 SIP Registrar Accounts (for up to 12 VoIP providers/Trunks)
  • G.168 Line Echo-cancellation
  • Automatic Gain Control
  • Jitter Buffer ( 125ms )
  • Voice Codecs:
    • G.711 A / µ Law
    • G.723.1
    • G.726
    • G.729 A / B
  • VAD / CNG
  • Tone Generation: DTMF , Dial , Busy , Ring Back , Call Progress
  • DTMF Transmission: In Band / Out Band ( RFC-2833 ) / SIP info
  • FAX / Modem Support G.711 Pass-through
  • T.38 for FAX
  • Supplemental Services (Dependent on ITSP):
    • Caller ID
    • Call Hold / Retrieve
    • Call Waiting
    • Call Waiting with Caller ID
    • Call Transfer
    • Call Forwarding ( Always , On Busy and On No Answer )
    • DND (Do not Disturb)
    • Call Barring ( Incoming / Outgoing )
    • MWI ( Message Waiting Indicator ) ( RFC-3842 )