Draytek Vigor3900 User Manual

Multi-wan security appliance

Summary of Contents for Draytek Vigor3900

  • Page 2 Vigor3900 Multi-WAN Security Appliance User’s Guide Version: 2.0 Firmware Version: V1.1.0 (For future update, please visit DrayTek website) Date: September 1, 2015 Vigor3900 Series User’s Guide...
  • Page 3 Web registration is preferred. You can register your Vigor router via http://www.draytek.com. Firmware & Tools Updates: Due to the continuous evolution of DrayTek technology, all routers will be regularly upgraded. Please consult the DrayTek web site for more information on newest firmware, tools and documents.
  • Page 4: Regulatory Information

    No. 26, Fu Shing Road, HuKou Township, HsinChu Industrial Park, Hsin-Chu County, Taiwan Product: Vigor3900 DrayTek Corp. declares that Vigor3900 of routers are in compliance with the following essential requirements and other relevant provisions of EC, Directive 2004/108/EC. The product conforms to the requirements of Electro-Magnetic Compatibility (EMC) Directive 2004/108/EC by complying with the requirements set forth in EN55022/Class A and EN55024/Class A.
  • Page 5: Table Of Contents

    Chapter 1: Introduction; 1.1 LED Indicators and Connectors; 1.2 Hardware Installation; 1.2.1 Network Connection; 1.2.2 Rack-Mounted Installation; Chapter 2: Basic Setup; 2.1 Changing Password; 2.2 Quick Start Wizard; 2.2.1 Step 1 - Specifying the WAN Profile; 2.2.2 Step 2 - Configuring the Selected Protocol; 2.3 Register Vigor Router...
  • Page 6 4.3.3 Policy Route; 4.3.4 Default Route; 4.3.5 RIP Configuration; 4.3.6 OSPF Configuration; 4.3.7 BGP Configuration; 4.4 NAT; 4.4.1 Port Redirection; 4.4.2 DMZ Host; 4.4.3 ALG; 4.4.4 Connection Timeout; 4.5 Firewall; 4.5.1 Filter Setup; 4.5.2 DoS Defense; 4.5.3 MAC Block; 4.6 Objects Setting...
  • Page 7 4.9.7 VPN Trunk Management; 4.9.8 Connection Management; 4.10 Certificate Management; 4.10.1 Local Certificate; 4.10.2 Trusted CA Certificate; 4.10.3 Remote Certificate; 4.11 SSL Proxy; 4.11.1 SSL Web Proxy; 4.11.2 SSL Application; 4.11.3 Online User Status; 4.12 Central VPN Management...
  • Page 8 5.3 Pinging the Router from Your Computer; 5.4 Checking If the ISP Settings are OK or Not; 5.5 Backing to Factory Default Setting If Necessary; 5.6 Contacting DrayTek
  • Page 9: Chapter 1: Introduction

    Intranet. A VPN enables you to send data between two computers across a shared public Internet network in a manner that emulates the properties of a point-to-point private link. The DrayTek Vigor3900 Series VPN router supports Internet-industry standards technology to provide customers with open, interoperable VPN solutions such as X.509, DHCP over Internet Protocol Security (IPSec)
  • Page 10: Led Indicators And Connectors

    Before you use the Vigor router, please get acquainted with the LED indicators and connectors first. The displays of LED indicators and connectors for the routers are different slightly. Status Explanation The router is powered on. The router is powered off. Blinking The system is active.
  • Page 11 Interface / Description: GigaLAN1 / 2 - Connector for local network devices. 3(SFP) - Connector for fiber cable. GigaWAN1/2/3/4 - Connector for remote network devices. 5(SFP) - Connector for fiber cable. Console - Provided for technician use. USB1 / USB2 - Connector for the USB device. Factory Reset - Used to restore the default settings.
  • Page 12: Hardware Installation

    Before starting to configure the router, you have to connect your devices correctly. Connect one end of an Ethernet cable (RJ-45) to one of the LAN ports of Vigor3900s. Connect the other end of the cable (RJ-45) to the Ethernet port on your computer (that device also can connect to other computers to form a small area network).
  • Page 13: Rack-Mounted Installation

    The Vigor3900 Series can be mounted on the wall by using standard brackets shown below. Attach the brackets to the chassis of a rack. The second bracket attaches the other side of the chassis. After the bracket installation, the Vigor3900 Series chassis can be installed in a rack by using four screws for each side of the rack.
  • Page 15: Chapter 2: Basic Setup

    To use the router properly, you need to change the web configuration password for security and adjust the primary basic settings. This chapter explains how to set up a password for an administrator and how to adjust basic settings for accessing the Internet successfully.
  • Page 16 Now, the Main Screen will pop up. Go to System Maintenance page and choose Administrator Password. Enter the login password (admin) on the field of Original Password. Type a new one in the field of New Password and retype it on the field of Confirm Password. Then click Apply to continue.
  • Page 17: Quick Start Wizard

    Quick Start Wizard is designed for configuring your router to access the Internet in a few simple steps. In the Quick Start Wizard group, you can configure the router to access the Internet with different modes such as Static, DHCP, PPPoE, or PPTP modes. For most users, Internet access is the primary application.
  • Page 18 Item Description Static - If Static is selected, you can manually assign a static IP address to the WAN interface and complete the configuration by applying the settings. DHCP - It allows a user to obtain an IP address automatically from a DHCP server on the Internet.
  • Page 19: Step 2 - Configuring The Selected Protocol

    This page will be changed according to the IPv4 Protocol Type selected on last page. If Static is selected, the following screen will appear. You can manually assign a static IP address to the WAN interface and complete the configuration by applying the settings. Available parameters are listed as follows: Item Description...
  • Page 20 DNS Server IP Address: Add – Click this button to display the IP address field for adding a new IP address. Type the IP address in the small boxes one by one. Save – After finishing the IP address configuration, click Save to save the setting onto the router.
  • Page 21 DHCP allows a user to obtain an IP address automatically from a DHCP server on the Internet. If you choose DHCP mode, the DHCP server of your ISP will assign a dynamic IP address for Vigor3900 automatically. It is not necessary for you to assign any setting. (Host Name is required for some ISPs).
  • Page 22 Available parameters are listed as follows: Item Description Username Type in the username provided by ISP in this field. Password Type in the password provided by ISP in this field. Previous Click it to return to previous setting page. Finish Click it to finish the configuration.
  • Page 23 This mode lets user get the IP group information by a DSL modem with PPTP service from ISP. Your service provider will give you user name, password, and authentication mode for a PPTP setting. Click PPTP as the protocol. Type in all the information that your ISP provides for this protocol.
  • Page 24 Server Address Type a remote IP address of PPTP server. Username Type in the username provided by ISP in this field. Password Type in the password provided by ISP in this field. Previous Click it to return to previous setting page. IP Address Type a public IP address for such WAN profile.
  • Page 25 When you have finished the above settings, click Finish. You can then access the Internet at any time. When the following screen appears, it means you have finished the Quick Start Wizard configuration.
  • Page 26: Register Vigor Router

    Please follow the steps below to register the router. Before using such function, please register your router online first. Log into the Web User Interface of Vigor3900 and click Product Registration. A Login page will be shown on the screen. Please type the account and password that you created previously.
  • Page 27 The following page will be displayed after you log in to MyVigor. From this page, please click Add. Note: Below the field of Your Device List, all the Vigor routers that you have registered to MyVigor website will be displayed in sequence. When the following page appears, please type in Nick Name (for the router) and choose the right registration date from the popup calendar (it appears when you click on the box of Registration Date).
  • Page 28 Now, your router information has been added to the database. Click OK to leave this web page and return to My Information web page. On the My Information page, the newly added Vigor3900 is listed under Your Device List.
  • Page 29: Chapter 3: Application And Tutorial

    There are two different LANs configured in the following figure. One is for Sale (192.168.1.1/24) and the other is for FAE (192.168.2.1/24). Sale's LAN will be configured to always access the Internet via WAN1. When WAN1 is down, Sale's LAN will automatically fail over to WAN2.
  • Page 30 Click Add to open the following page. Type the information specified for LAN1 profile, then click Apply to save the settings and exit the screen. Click Add again to create a profile for LAN2 (192.168.2.1/24). Vigor3900 Series User’s Guide...
  • Page 31 Type the information specified for LAN2 profile, then click Apply to save the settings and exit the screen. Open WAN >> Load Balance and click the Pool tab. Vigor3900 Series User’s Guide...
  • Page 32 Click Add under the Pool tab to create a profile (e.g., WAN1WAN2) for automatic Load Balance between WAN1 and WAN2. Choose Load_Balance as the Mode option. Click Add to configure the interface. Set up the Weights (e.g., “1”) of WAN1 and WAN2 respectively as you want.
  • Page 33 wan1 for Load Balance Pool/WAN Profile and so on). Next, click Apply to save and exit. 10. Click Add again to create a profile for Rule2 accepting 192.168.2.0/24 which always accesses the Internet via WAN2 when WAN2 is up. 11. After clicking Apply, the created profiles will be shown on the screen.
  • Page 34 12. Next, open WAN >> Default Route. Choose the profile of “WAN1WAN2” as WAN Profile/Loadbalance Pool Name. Note: The priority of WAN >> Load Balance>>Rule is higher than WAN >> Default Route. Now, you have completed the configuration. Next time, when WAN1 is down, the connection for PCs behind Sale's LAN (192.168.1.1/24) will automatically failover to WAN2.
  • Page 35: How To Configure Ospf

    OSPF (Open Shortest Path First) uses the SPF (Shortest Path First) algorithm to calculate the route metric. It is suitable for large networks and complicated data exchange. Both Vigor2960 and Vigor3900 support up to OSPF version 2 (only for IPv4). The Autonomous System (AS) used in OSPF indicates the largest entity and can be divided into several areas.
  • Page 36 1. Open LAN >> General Setup to create a LAN (192.168.1.1/24) profile named lan1 with the settings shown below. 2. Next, continue to create a LAN (192.168.3.1/24) profile named lan2 with the settings shown below. 3. Open LAN >> Static Route and click the Inter-LAN Route tab to enable this profile. Vigor3900 Series User’s Guide...
  • Page 37 4. Open LAN >> OSPF Configuration to enable this profile. Click Add to make the LAN Profiles lan2 area setting as 11 and lan1 area as 11. (As shown in the topology diagram.) 1. Open LAN >> General Setup to create a LAN (192.168.2.1/24) profile named lan1 with the settings shown below.
  • Page 38 3. Open LAN >> Static Route and click the Inter-LAN Route tab to enable this profile. 4. Open LAN >> OSPF Configuration to enable this profile. Click Add to make the LAN Profiles lan2 area setting as 11 and lan1 area as 11. (As shown in the topology diagram.) 1.
  • Page 39 2. Next, continue to create a LAN (192.168.3.3/24) profile named lan2 with the settings shown below. 3. Open LAN >> Static Route and click the Inter-LAN Route tab to enable this profile. 4. Open LAN >> OSPF Configuration to enable this profile. Click Add to make the LAN Profiles lan2 area setting as 11 and lan1 area as 11.
  • Page 40 5. After setting, check the routing information (marked with red line) which is created by OSPF. Vigor3900 Series User’s Guide...
  • Page 41: How To Configure Lan To Lan Ipsec Tunnel Between Vigor3900 And Other Router (Main Mode)

    This section provides an example of a LAN to LAN IPSec tunnel established between Vigor3900 and Vigor2710. Access the Web User Interface of Vigor3900 and open VPN and Remote Access >> LAN to LAN Profiles to add a new VPN configuration. Type the Pre-shared key and choose a WAN Profile.
  • Page 42 In Vigor2710, it is necessary to build two VPN connections (for two WANs) to connect with Vigor3900. Please open the Web User Interface of Vigor2710 and open VPN and Remote Access >> LAN to LAN. First, please type the name of the VPN connection in the field of Profile Name (e.g., 3900).
  • Page 43 Because Vigor2710 acts as the dial-out side, skip the Dial-In setting. Type the Remote Network IP and Remote Network Mask of Vigor3900 to complete configuration. Please check whether the VPN connection is built successfully on both devices. For Vigor3900, open VPN and Remote Access>>IPSec>>Status for viewing the result.
  • Page 44: How To Run Rdp Service In The Browser Via Logging In 3900'S Https Server

    Remote Desktop Protocol (RDP) is a protocol designed for secure communications in networks using Microsoft Terminal Services. An easy way is provided to establish connection between the router and the RDP Server via any browser. Open the Web User Interface of Vigor3900. Enable the HTTPS service from System Maintenance >>...
  • Page 45 Open SSL VPN >> SSL Application and click the RDP tab to create a profile named “Win7”. Type IP address, Port number, and Screen Size as you want, then click Apply to save the settings. Open User Management >> User Profile to create a new profile named “7788”. Set the Password as 7788 and choose the profile of Win7 as SSL Application (RDP).
  • Page 46 Log in to the Vigor3900 HTTPS Server with 7788 for both Username and Password. A screen like the following figure will appear. Simply click the SSL Application link. In the following screen, click Connect for connecting to Win7, the RDP server.
  • Page 47 After that, you can access Windows 7 via a browser. Note the message below the window, in which TLS means Transport Layer Security.
  • Page 48: Troubleshooting

    Troubleshooting If you have installed Java Runtime Environment edition 6 but still cannot establish the connection, please make sure you have disabled “Use TLS 1.0” in the Java Control Panel as shown in the figure below. Then, try to connect again.
  • Page 49: How To Configure Vpn Load Balance Between Vigor3900 And Other Router

    The staff in the branch office can access the mail server/FTP server installed in the headquarters via VPN Load Balance tunnels. Refer to the following figure. Vigor3900 allows users to build a VPN load balance connection between Vigor3900 and another router. Take Vigor2950 as an example. There are two WANs on Vigor2950 and two WANs on Vigor3900.
  • Page 50 Create a profile for WAN 1 (named 2950WAN1). Type the settings as shown below: Vigor3900 Series User’s Guide...
  • Page 51 Click Apply to save the settings and exit the dialog. Create a profile for WAN 2 (named 2950WAN2). Vigor3900 Series User’s Guide...
  • Page 52 Click Apply to save the settings and exit the dialog. Open VPN and Remote Access>>VPN Trunk Management and click the Load Balance Pool tab. Click Add to add a Load Balance Pool profile. The following window will pop up. Give a name for the profile. Click the Load Balance tab.
  • Page 53 Click the Load Balance Rule tab and click Add to add a Load Balance rule profile. 10. Enable this profile and input the following settings then click Apply. Type the local network IP address and Mask of Vigor3900 as Source IP Address and Source Mask;...
  • Page 54 In Vigor2950, it is necessary to build two VPN connections (for two WANs) to connect with Vigor3900. Please open the Web User Interface of Vigor2950 and open VPN and Remote Access >> LAN to LAN. First, please type the name of the VPN connection in the field of Profile Name (e.g., 3900WAN1).
  • Page 55 Please type the network IP address and subnet of Vigor3900 in the field of Remote Network IP and Remote Network Mask. Type the network IP address and subnet of Vigor2950 in the field of Local Network IP and Local Network Mask. Continue to set the second VPN connection (profile name is 3900WAN2).
  • Page 56 Next, type the Network IP and Network Mask for both remote and local ends to complete the second VPN connection. After finishing the settings on both VPN connections, please access the Web User Interface of Vigor2950 and open VPN and Remote Access > VPN Trunk Management to make these two VPN connections into one Load Balance group.
  • Page 57 As to Vigor2950, please open VPN and Remote Access>>Connection Management to confirm the result. Vigor3900 Series User’s Guide...
  • Page 58: How To Setup 50 Wans On Vigor3900

    Vigor3900 has 5 physical WANs; however, it can be extended to 50 WANs at most by using VLAN Tagging technology. The following shows how to set up 50 WANs with one Vigor3900 and two VigorSwitch2260s. Refer to the following application illustration: Change mode from Basic to Advance via WAN>>General Setup page.
  • Page 59 Click OK. Vigor3900 will ask you to re-login. Delete default wan profiles for wan3, wan4 and wan5 by selecting the wan profile then click Delete. Click Add to add new WANs. Vigor3900 Series User’s Guide...
  • Page 60 Create a new WAN profile named wan1_1, and set the VLAN ID to 111 based on WAN Port 1 (WAN1). Note that Untag must be set to Disable. It means wan1_1 can accept the packets tagged with VLAN ID 111. Next, click Apply to save the settings.
  • Page 61 Type VLAN name and VID with 111. Suppose the physical WAN1 of Vigor3900 connects to Port 26 of VigorSwitch. Port 26 will receive untagged packets (based on profile wan1) and packets tagged with 111 to 134 (based on profiles wan1_1 to wan1_24). Therefore VigorSwitch Port 26 must be a member of VLAN Group ID 111 to 134.
  • Page 62 Go to VLAN>>PVID page to set up PVID for each port. PVID means VigorSwitch2260 will check and add VLAN tags while receiving packets from Ports. ISP modem 1 which connects to Port 1 doesn’t support VLAN Tag. While the switch receives packets from Port 1, it will add VLAN Tag 111 to the packets. Then Vigor3900 wan1_1 will receive the packets.
  • Page 63: Cvm Application - How To Manage The Cpe (Router) Through Vigor3900

    To manage CPEs through Vigor3900, you have to set URL on CPE first and set username and password for Vigor3900. For this section, we use Vigor2830 series as the example. The firmware upgrade for the CPE can be done through Vigor2830 series. Access into the web user interface of Vigor3900.
  • Page 64 Click the General Setup tab. Check the Enable box. Specify the WAN interface from the WAN Profile drop down list. Type the values for Port, Username, and Password respectively. Remember the values configured in this page. Click Apply to save the settings. To manage CPEs through Vigor3900, you have to set ACS URL on CPE first and set username and password for Vigor3900.
  • Page 65 Log in to the web user interface of the CPE. Open System Maintenance>>Management Setup. Check Allow management from the Internet to set management access control.
  • Page 66 Log in to the web user interface of the CPE. Open WAN>>Internet Access. Use the drop down list of Access Mode on WAN1 to select MPoA (RFC1483/2684). Then, click Details Page. Click Specify an IP address. Type correct WAN IP address, subnet mask and gateway IP address for your CPE.
  • Page 67 Return to the web user interface of Vigor3900. Open Central VPN Management>>CPE Management. Now there is one CPE managed (Vigor2830) by Vigor3900 on the page of CPE Maintenance. Vigor3900 Series User’s Guide...
  • Page 68: Cvm Application - How To Build The Vpn Between Remote Devices And Vigor3900

    When a remote device is managed by Vigor3900 series, it is easy to build VPN between these two devices. Access the web user interface of Vigor3900 series. Open Central VPN Management>>CPE Management. The icons displayed on the screen mean the remote devices are ready for building VPN with Vigor3900. Click the device icon (marked with ) and click the PPTP or IPsec button.
  • Page 69 Or click Advanced to open the following page to specify the CPE you want. Click Connect after finishing the settings. A confirmation dialog will appear. Click OK and wait for a moment. If VPN is built successfully, related information will be displayed on Connected Devices.
  • Page 70 A LAN to LAN profile for such VPN will be generated automatically. You can open VPN and Remote Access>>LAN to LAN of the remote device to view the detailed information. Note: The profile name is created automatically by the system. Do not modify any value in such page to avoid VPN error.
  • Page 71: Cvm Application - How To Upgrade Cpe Firmware Through Vigor3900

    Suppose the newest firmware file is located on your PC. You can upload it from your PC to Vigor3900. Log into the web user interface of Vigor3900. Open System Maintenance>>Access Control. Check Enable for Web Allow and type the value for Web Port. Then click Apply to save the settings. Open Central VPN Management>>CPE Management.
  • Page 72 In the File Explorer dialog, click Upload. In the Upload dialog, click the Browse.. button to find the firmware (e.g., 2830_0508 in this case) you want to upload from PC to Vigor3900. Then, click Upload.
  • Page 73 Once the file is uploaded successfully, you will find it in the File Explorer dialog.
  • Page 74 To create a new firmware upgrade profile, one CPE (e.g., 2830 in this case) must be managed by Vigor3900 at least. Otherwise, the profile cannot be created successfully. Open Central VPN Management>>CPE Management. Click CPE Maintenance. In the Maintenance area, click Add. In the following dialog, type the name for the new profile;...
  • Page 75 When you have finished the above settings, click Apply to save them. The new maintenance profile has been created and displayed on the Maintenance area. Now, the new firmware will be loaded into the CPE immediately (based on the schedule setting – now). Note that a red icon will appear during the period of firmware upgrading.
  • Page 76 Please wait for a moment. Later, open Central VPN Management>>Log/Alert>>Log page to check the result. If [Finished] is displayed, it means the firmware upgrade of specified CPE has completed. Open Central VPN Management>>CPE Management. In the Managed Devices Status area, choose the router (representing Vigor2830) and click Detail. Check the software version field.
  • Page 77: How To Use High Availability For Vigor Routers

    Note: Make sure the WAN interfaces for both Router A and Router B are well connected. Both routers can be used to access into Internet. Note: For advanced applications, please refer to FAQ/Application Notes on www.draytek.com. Vigor3900 Series User’s Guide...
  • Page 78 2. Open Applications >>High Availability. 3. In the tab of High Availability Global Setup, choose Hot-Standby as Redundant Method; choose Primary as Config Synchronization Rule; type draytek as Authentication Key; choose Automatic as Advance Preemption Mode. Click Apply to save the settings.
  • Page 79 3. In the tab of High Availability Global Setup, choose Hot-Standby as Redundant Method; choose Secondary as Config Synchronization Rule; type the lan1 IP address configured in router A; type draytek as Authentication Key; choose Automatic as Advance Preemption Mode. Click Apply to save the settings.
  • Page 80 4. Click the High Availability Profile Setup tab to create HA profile(s). Click Add. 5. Create an HA profile. Refer to the following figures. 6. Now, the configuration for router B has been finished. After finishing the above settings, it is time to activate the HA function for both router A and router B.
  • Page 81: How To Configure Dns Inbound Load Balance On Vigor 3900

    Vigor3900 can offer the mapped IP address in response to DNS queries coming from the remote end for the designated domain, to reduce the load of network traffic. WAN1 IP Address: 1.1.1.1 WAN2 IP Address: 2.2.2.2 Inbound Load Balance allows Vigor3900 to act as a DNS Server to separate the traffic for each WAN interface according to the DNS query time.
  • Page 82 Add a profile named “yourdomain.com”. Set the WAN1 weight to 1 and the WAN2 weight to 2. This means that out of every three DNS queries, one will pass through WAN1 and two will pass through WAN2. Click the Detail tab and locate Additional A Record. Type “www” as the name of the Host, and type “192.168.1.10”...
  • Page 83 Now, make a test for inbound load balance. Click Start>> Run and type cmd. Execute the command, nslookup, for DNS query test. First DNS query >www.yourdomain.com Server: [google-public-dns-a.google.com] Address: 8.8.8.8 Name: www. yourdomain.com Address: 1.1.1.1 Second DNS query > www.yourdomain.com Server: [google-public-dns-a.google.com] Address: 8.8.8.8 Name: www.yourdomain.com...
  • Page 85: Chapter 4: Advanced Web Configuration

    After finishing the basic configuration of the router, you can access the Internet with ease. If you want to adjust more settings to suit your needs, please refer to this chapter for detailed information about the advanced configuration of this router. As for other examples of application, please refer to chapter 3.
  • Page 86: General Setup

    via PAP or CHAP with RADIUS authentication system. And your IP address, DNS server, and other related information will usually be assigned by your ISP. This section will introduce some general settings of Internet and explain the connection modes for WAN profiles in details. This router supports multi-WAN function.
  • Page 87 Each item will be explained as follows: Item Description Add a new WAN profile. Such function is available in Advance mode only. Edit Modify the selected WAN profile. To edit a profile, simply select the one you want to modify and click the Edit button.
  • Page 88 How to add a new WAN profile: If the router is under Basic mode, you have to switch into Advance mode. If the router is under Advance mode, go to Step 4 directly. A confirmation dialog will appear. Click OK to apply the related settings for Advance mode.
  • Page 89 Available parameters are listed as follows: Item Description Profile (max length:7) Type a name (less than 7 characters) for such profile. Enable Check this box to enable such profile. Description Give the brief description for such profile. Port Choose the physical WAN interface for such profile. Default MAC Enable –...
  • Page 90 Reconnect network automatically within the time schedule. Disable – Click it to disable the schedule reconnect function. Schedule Time Choose the time object profile to be applied by such WAN. Object VLAN Tag Enable – Click it to enable the function of VLAN Tag. Data transmitted through the router will be tagged with specified number for identification.
  • Page 91 Available parameters are listed as follows: Item Description IP Address Type the IP address specified for such profile. Subnet Mask Use the drop down list to choose the subnet mask for such profile. Gateway IP Address Type the gateway address for such profile. DNS Server IP Type a public IP address as the primary DNS (Domain Name...
  • Page 92 Save – Click this button to save the setting. – click the icon to remove the selected entry. MTU/MRU Type the value of MTU/MRU. The default value is 1500. Connection Detection Mode Select a detecting mode for this WAN interface. There are three ways (ARP, PING and HTTP) supported in Vigor router for you to choose to send the request out.
  • Page 93 Cancel Click it to exit the dialog without saving the configuration. If you choose DHCP as IPv4 protocol type, click the DHCP Tab to open the following page: Available parameters are listed as follows: Item Description Type a name as the host name for identification. Host Name (Optional) IP Alias...
  • Page 94 router for you to choose to send the request out. Connection Detection Host Add – click this button to have a field for adding a new IP address. Assign an IP address or Domain name as a destination to be detected whether the host is active (sending reply to the router) or not.
  • Page 95 If you choose PPPoE as IPv4 protocol type, click the PPPoE Tab to open the following page: Available parameters are listed as follows: Item Description Username Type the user name offered by your ISP. Password Type the password offered by your ISP. MTU/MRU Type the value of MTU/MRU.
  • Page 96 Add – Click this button to have a field for adding a new IP address. Assign an IP address or Domain name as a destination to be detected whether the host is active (sending reply to the router) or not. If not, the connection of WAN interface will be regarded as breaking down.
  • Page 97 Add – click this button to have a field for adding a new IP address. Save – click this button to save the setting. – click the icon to remove the selected entry. Apply Click it to save the configuration and exit the dialog. Cancel Click it to exit the dialog without saving the configuration.
  • Page 98 router will keep network connection all the time. Disable – Click it to disable the function of Always On. Connection Detection Mode Select a detecting mode for this WAN interface. There are two ways (PING and HTTP) supported in Vigor router for you to choose to send the request out.
  • Page 99 If you choose Static as IPv6 protocol type, click the StaticV6 tab to open the following page: Available parameters are listed as follows: Item Description IPv6 Address Type the IP address for such protocol. IPv6 Prefix Length Type your IPv6 address prefix length. IPv6 Gateway Type your IPv6 gateway address.
  • Page 100 If you choose DHCP-IA_NA as IPv6 protocol type, click the DHCPV6 Tab to open the following page: Available parameters are listed as follows: Item Description DHCP (IA_NA) Gateway Address Type the gateway IP address for IPv6 DHCP IA_NA mode. DHCP (IA_NA) Type your IPv6 primary DNS Server address.
  • Page 101 Open WAN>>General Setup and click the USB WAN tab. Each item will be explained as follows: Item Description Edit Modify the selected USB WAN profile. To edit a profile, simply select the one you want to modify and click the Edit button. The edit window will appear for you to modify the corresponding settings for the selected rule.
  • Page 102 The settings under Global tab are listed as below: Available parameters are listed as follows: Item Description Profile Display the name of the USB WAN profile. Enable Check it to enable the USB WAN profile. Description Give the brief description for such profile. Port Display the physical WAN interface for such profile.
  • Page 103 Available parameters are listed as follows: Item Description 3G/4G PPP SIM PIN code - Type the PIN code of the SIM card that will be used to access the Internet. Modem Initial String 1 - Such value is used to initialize the USB modem. Please use the default value. If you have any questions, please contact your ISP.
  • Page 104 command to restrict 3G band or do any special settings. APN - APN means Access Point Name which is provided and required by some ISPs. Type the name. Modem Dial String - Such value is used to dial through USB mode. Please use the default value. If you have any questions, please contact your ISP.
  • Page 105 Open WAN>>General Setup and click the Bridge VLAN tab. It can specify a VLAN ID for WAN port and offers more advanced environmental application for the users through the bridge technique in WAN port and LAN port. Each item will be explained as follows: Item Description Click to create a new profile.
  • Page 106: Inbound Load Balance

    Click Add. The settings under Global tab are listed as below: Available parameters are listed as follows: Item Description Profile Type the name of the profile. WAN Profile Use the drop down list to choose the WAN interface. VLAN/Member Choose a VLAN profile from the drop down list. You have to open LAN>>Switch page and click 802.1Q VLAN for creating VLAN ID number bound with LAN port...
  • Page 107 Open WAN>>Load Balance and click the Inbound Load Balance tab. Each item will be explained as follows: Item Description Enable Check the box to enable inbound load balance function. Add a new WAN profile for inbound load balance. Edit Modify the selected WAN profile. To edit a profile, simply select the one you want to modify and click the Edit button.
  • Page 108 and click the Delete button. Refresh Renew current web page. Profile Number Limit Display the total number of the profiles to be created. Enable Display the status of the profile. False means disabled; True means enabled. Domain Name Display the domain name used by the profile. Mode Display the mode (failover or load balance) applied by the...
  • Page 109 profile for inbound load balance Priority Setting It is available only when Failover is selected as the Mode. There are five levels (Top, 2, 3, 4 and 5) which can be specified for WAN profiles (including default WAN profiles and user-defined WAN profiles). Interface Mapping/Weight The domain name will inform the remote end with the IP...
  • Page 110 After finishing the settings on the Basic page, click the Detail Tab to open the following dialog. Available parameters are listed as follows: Item Description DNS Parameter To configure Vigor router as a DNS server, type the related information for applying the function of DNS. TTL –...
  • Page 111 address. Save – Click it to save the settings. Host –Type the name (URL) of the mail server. Mail Server – Type the name (URL) of the mail server. IP Address – Type the IP address of the mail server. Preference –...
  • Page 112: Switch

    This page allows you to configure Mirroring Port, Mirrored Port, enable/disable WAN interface, and configure 802.1Q VLAN ID for different WAN interfaces, and so on. Packets passing through the WAN interface might be tagged or untagged with VLAN ID number. It depends on the setting configured in this page. The VLAN ID configured in WAN >>General Setup>>Profile relates to the VLAN ID setting configured here.
  • Page 113 Each item will be explained as follows: Item Description Refresh Click it to reload this page. VLAN ID Display the VLAN ID number. Member Display number of the WAN interface for the packets tagged with such VLAN ID number to pass through. Untag Display number of the WAN interface for the VLAN ID will be untagged for packets passing through the WAN...
  • Page 114 Available parameters are listed as follows: Item Description Enable This Profile Check the box to enable the Mirror function for the switch. Mirroring Port Select a port for the administrator to use for viewing traffic sent from mirrored ports. Mirrored Port Select a port to make the packets passing through it monitored by the administrator.
  • Page 115 This page allows you to modify the status (enable / disable), duplex (Half/Full), speed, flow control and 802.3az for the WAN ports respectively. Each item will be explained as follows: Item Description Choose the interface listed below and click the Edit button Edit to modify the settings.
  • Page 116 802.3az – It is a function of energy-efficient Ethernet. It can detect the network traffic automatically to adjust the power output and let Vigor3900 save the energy during the period of low traffic. Click Enable to activate the power/energy saving function if required. Apply –...
  • Page 117: Lan

    Local Area Network (LAN) is a group of subnets regulated and ruled by the router. The design of the network structure depends on what type of public IP addresses you receive from your ISP. The most generic function of Vigor router is NAT. It creates a private subnet of your own. As mentioned previously, the router will talk to other public hosts on the Internet by using its public IP address and talk to local hosts by using its private IP address.
  • Page 118 Edit Modify the selected LAN profile. To edit a profile, simply select the one you want to modify and click the Edit button. The edit window will appear for you to modify the corresponding settings for the selected rule. Delete Remove the selected LAN profile.
  • Page 119 Click the Add button to open the following dialog. Different protocol type selected will bring up different configuration web page. Available parameters are listed as follows: Item Description Type the name of the LAN profile. Profile (max length:7) Enable Check this box to enable such profile. Description Type the description for the new LAN profile.
  • Page 120 address manually with the format like “00:1d:aa:b2:69:80”. IPv4 Protocol Display the fixed type (static) for the IPv4 protocol for such profile. Mode Choose NAT or ROUTING as the operation mode for such profile. IP Address Type the IP address (with the format like 192.168.1.25) of the router for the LAN profile.
  • Page 121 DHCP IP Lease Time Set a lease time for the DHCP server. The time unit is minute. DHCP Routers In general, this box will be blank. It means Vigor3900 will be regarded as the gateway for the user. However, if you want to use other gateway, please assign the IP address in this field.
  • Page 122 Subnet Mask – Use the drop down list to choose the one you want. Mode – Specify NAT or Routing as the mode. DHCP – Click Enable to activate the DHCP function on such subnet. When it is enabled, you have to specify the IP range to be assigned by the DHCP server for such subnet.
  • Page 123 DHCP stands for Dynamic Host Configuration Protocol. The router by factory default acts as a DHCP server for your network, so it automatically dispatches related IP settings to any local user configured as a DHCP client. It is highly recommended that you leave the router enabled as a DHCP server if you do not have a DHCP server for your network.
  • Page 124 Available parameters are listed as follows: Item Description Profile Display the name of the LAN profile. Enable Check this box to enable this profile. DHCP Server Location Choose the interface for the DHCP server. DHCP Server IP Type the IP address of DHCP Server. DHCP Relay Agent Type the IP address of DHCP Relay Agent.
  • Page 125 To let the users in different LANs communicate with each other, please check the box to enable Inter-LAN route function.
  • Page 126 The router advertisement daemon (radvd) sends Router Advertisement messages, specified by RFC 2461, to a local Ethernet LAN periodically and when requested by a node sending a Router Solicitation message. These messages are required for IPv6 stateless auto-configuration. Each item will be explained as follows: Item Description Edit...
  • Page 127 Open LAN>>General Setup and click the RADVD tab. Choose one of the LAN profiles by clicking on it and click the Edit button to open the following dialog. Available parameters are listed as follows: Item Description Profile Display the name of the LAN profile. Enable Check this box to enable this profile.
  • Page 128 DHCP6 Server could assign IPv6 address to PC according to the Start/End IPv6 address configuration. Each item will be explained as follows: Item Description Edit Modify the selected LAN profile. To edit a profile, simply select the one you want to modify and click the Edit button.
  • Page 129 Open LAN>>General Setup and click the DHCPv6 tab. Choose one of the LAN profiles by clicking on it and click the Edit button to open the following dialog. Available parameters are listed as follows: Item Description Profile Display the name of the LAN profile. Enable Check this box to enable this profile.
  • Page 130 End IP Set the ending IP address of the IP address pool for DHCP server. The format the IP address shall be similar to the following example: 2000:0000:0000:0000:0000:0000:0000:10 or 2000::10. It is available when Manual Setting is selected as Mode. Set the private IP address for DNS server.
  • Page 131: Pppoe Server

    This feature makes the router work like an ISP, providing PPPoE connections to LAN PCs. The only difference is that local PCs don't need an ADSL modem. There are several advantages of using PPPoE connections on the LAN. Firstly, the PPPoE server can secure the LAN PC connections with username/password authentication.
  • Page 132 This page displays general information for PPPoE server; allows you to disconnect the network connection to PPPoE server. Each item will be explained as follows: Item Description Refresh Renew current web page. Disconnect Click it to disconnect the profile connection. Auto Refresh Specify the interval of refresh time to obtain the latest status.
  • Page 133 Available parameters are listed as follows: Item Description PPPoE Server Disable – Click it to disable this function. Enable – Click it to enable the function of PPPoE server. PPPoE User Isolation Disable – Click it to disable this function. Enable –...
  • Page 134 User Authentication Type Users in LAN can access the Internet through Vigor router with RADIUS, LDAP or local authentication. Specify the type for the users. LDAP Profile It is available when LDAP is selected as User Authentication Type. If you choose LDAP as the authentication type, use the drop down list to specify the LDAP profile.
  • Page 135: Switch

    Action Display the connection status (up or down) of the user account. Time Display the connection time. If the action is “Down”, such field will display the total connection time. If the action is “up”, such field will display the time point at which the user account accessed the PPPoE server.
  • Page 136 Each item will be explained as follows: Item Description Add a new VLAN ID setting. Edit Modify the selected VLAN ID setting. To edit VLAN ID setting, simply select the one you want to modify and click the Edit button. The edit window will appear for you to modify the corresponding settings for the selected rule.
  • Page 137 If the icon appears in front of the drop down list, it means one of the selections has been chosen by other profile. You cannot choose it. If you want to specify that one for such profile, please exit this dialog to release that selection from its original VLAN profile, then return to this page and make the selection again.
  • Page 138 Available parameters are listed as follows: Item Description Enable This Profile Check the box to enable the Mirror function for the switch. Mirroring Port Select a port to view traffic sent from mirrored ports. Mirrored Port Select which port is necessary to be mirrored. Refresh Renew current web page.
  • Page 139 This page allows you to modify the status (enable / disable), speed(Auto,10M,100M,1000M) and duplex (Half/Full) for the LAN ports respectively. Each item will be explained as follows: Item Description Edit Choose the interface listed below and click the Edit button to modify the settings.
  • Page 140 Open LAN>>Switch and click the Interface tab. Please select a profile and click the Edit button. The following dialog will appear. Available parameters are listed as follows: Item Description Interface Display the name of LAN interface profile. Enable Check the box to enable the Mirror function for the switch. Speed Use the drop down list to specify the transmission rate for such profile.
  • Page 141: Bind Ip To Mac

    This function is used to bind IP and MAC addresses in the LAN for stronger control of the network. When this function is enabled, the IP and MAC addresses that are bound together cannot be changed. If you modify a bound IP or MAC address, you might not be able to access the Internet.
  • Page 142 Add -It allows you to add one pair of IP/MAC address and display on the table of IP Bind List. Edit -It allows you to edit and modify the selected IP address and MAC address that you create before. Delete -You can remove any item listed in IP Bind List. Simply click and select the one, and click Delete.
  • Page 143 Click Add. The following dialog appears. Available parameters are listed as follows: Item Description Profile Type the name of the profile. IP Address Type the IP address that will be used for the specified MAC address. Type the MAC address that is used to bind with the assigned IP address.
  • Page 144: Lan Dns

    LAN DNS is a simple version of DNS server. It is not necessary for the user to build another DNS server in LAN. With such feature, the user can configure some services (such as ftp, www or database) with domain name which is easy to be accessed. Each item will be explained as follows: Item Description...
  • Page 145 Delete Remove the selected VLAN ID setting. To delete a VLAN ID setting, simply select the one you want to delete and click the Delete button. Refresh Renew current web page. Profile Number Limit Display the total number of the profiles to be created. Profile Display the name of the profile.
  • Page 146 Type several domain names in this field. LAN DNS will redirect both Domain name and Alias Domain Name to an assigned IP. For example, Domain Name is set with “www.draytek.com”, and the Alias Domain Name is set as “www.dray.com”. If the IP address is set with “192.168.1.123”, then both “www.draytek.com”...
  • Page 147: Routing

    This menu contains Static Route, RIP Configuration, OSPF Configuration and BGP Configuration. Vigor3900 supports a load balancing function. It can allocate traffic to a WAN interface according to protocol type, IP address of a specific host, a subnet of hosts, and port range. The user can assign a traffic category and force it to go to a dedicated network interface based on the following web page setup.
  • Page 148 To edit a profile, simply select the one you want to modify and click the Edit button. The edit window will appear for you to modify the corresponding settings for the selected rule. Delete Remove the selected rule profile. To delete a rule, simply select the one you want to delete and click the Delete button.
  • Page 149 Open Routing>>Load Balance Pool. Simply click the Add button to open the following dialog. Type a name (e.g., LB_1) for such profile. Available parameters are listed as follows: Item Description Profile Type the name of the profile. Mode Choose Load Balance as the Mode selection. Interface Click Add.
  • Page 150 This page allows you to set a backup profile which will be activated when the primary profile is invalid for any reason. Open Routing >>Load Balance Pool. Simply click the Add button to open the following dialog. Type a name (e.g., FL_1) for such profile.
  • Page 151: Static Route

    When there are several subnets in LAN, a more effective and quicker way for connection is static route rather than other methods. Simply set rules to forward data from one specified subnet to another specified subnet. The router offers IPv4 and IPv6 for you to configure the static route. Both protocols bring different web pages.
  • Page 152 Gateway Display the gateway address for such static route profile. WAN/LAN Profile Display the subnet / LAN or WAN profile of the gateway. Metric Display the distance to the target. Open Routing>>Static Routing and click the Static Route tab. Click the Add button. The following dialog will appear.
  • Page 153 For IPv6 protocol, click the IPv6 Static Route tab to configure detailed settings. Each item will be explained as follows: Item Description Add a new static route setting. Edit Modify the selected static route setting. To edit static route setting, simply select the one you want to modify and click the Edit button.
  • Page 154 WAN / LAN Profile Display the subnet LAN or WAN profile of the gateway. Metric Display the distance to the target. Open Routing>>Static Route and click the IPv6 Static Route tab. Click the Add button. The following dialog will appear. Available parameters are listed as follows: Item Description...
  • Page 155 To let a local device in the LAN access an external network without passing through NAT, or to let a remote device access a local device behind the router without passing through NAT, please use the IP routing function. Usually, the local device might be assigned a public IP address or an IP address in the same subnet as a certain WAN.
  • Page 156 Display the IP address used by such ARP profile. Mask Display the mask address used by such ARP profile. Open Routing>>Static Route and click the LAN/WAN Proxy ARP tab. Click the Add button. The following dialog will appear. Available parameters are listed as follows: Item Description Profile...
  • Page 157: Policy Route

    Other routing. Specify routing policy to determine the direction of the data transmission. Note: For more detailed information about using policy route, refer to Support >>FAQ/Application Notes on www.draytek.com. Each item will be explained as follows: Item Description Add a new rule profile.
  • Page 158 you to modify the corresponding settings for the selected rule. Delete Remove the selected rule profile. To delete a rule, simply select the one you want to delete and click the Delete button. Move the selected profile up or down. Move Up / Move Down Rename Allow to modify the selected profile name.
  • Page 159 Open Routing>>Policy Route. Simply click the Add button. The following dialog will appear. Available parameters are listed as follows: Item Description Profile Type the name of the rule. Enable Check this box to enable such profile. Priority Choose the priority for such profile (top, high and normal). Protocol Choose a protocol (ALL, TCP, UDP, TCP/UDP and ICMP)
  • Page 160 Each type will bring different settings for configuration. When Subnet is selected as Source Type: IP Address - Type an IP address here as the source IP address for such rule. Subnet Mask - Use the drop down list on the right to choose a suitable mask for the source.
  • Page 161 Load Balance Pool – The incoming traffic will be forwarded to specified WAN interface or load balance pool. User Defined – The incoming traffic will be forwarded to the specified WAN or LAN interface with a user-defined gateway. VPN Trunk LB Pool – The incoming traffic will be forwarded to specified VPN trunk profile.
  • Page 162 Out-going interface : wan1 Failover : Enable when target [8.8.8.8] ping [Fail] for [5] seconds Then, it means even if wan1 connects to network always, once the target cannot be detected by Vigor router for 5 seconds, Vigor router will use next matched rule to perform data transmission.
  • Page 163 Failover : Enable when target [8.8.8.8] ping [Fail] for [5] seconds Then, it means even if wan1 connects to network always, once the target cannot be detected by Vigor router for 5 seconds, Vigor router will use next matched rule to perform data transmission.
  • Page 164 Failback (Quick Recover) - When the specified interface re-connects, the traffic via other interface will be interrupted immediately. The router will use the specified interface for data transmission again. Click Enable to enable such function. Or, click Disable to disable such function. When PPTP is selected as Out-going Rule...
  • Page 165 will be used for such route rule. Failover to the Next Rule - When the specified interface disconnects due to some reason, the router can use next route rule to perform data transmission automatically. Click Enable to enable such function. Or, click Disable to disable such function.
  • Page 166 Address mapping is used to map a specified private IP or a range of private IPs of NAT subnet into a specified WAN IP (or WAN IP alias IP). Refer to the following figure. Suppose the WAN settings for a router are configured as follows: WAN1: 202.211.100.10, WAN1 alias: 202.211.100.11; WAN2: 203.98.200.10. Without address mapping feature, when a NAT host with an IP, say "192.168.1.10"...
  • Page 167 Open WAN>>General Setup. For WAN1, choose wan1 item and click Edit. Choose Static as the IPv4 Protocol. From the following page, set main WAN IP address as 202.211.100.10. Click Add on IP Alias to configure the other IP address which is 202.211.100.11. After finishing the configuration for WAN1, continue to configure WAN2.
  • Page 168 Open Objects Setting>>Object and click Add to create a new IP object profile. Type the required information as shown below. Click Apply to save the settings. Open Routing>> Policy Route and click Add to create a new profile.
  • Page 169 In the following page, check the box of Enable. Choose Object as the Source Type and choose IP range object profile from the drop down list of IP Object. Click Apply to save the settings. Upon completing the above configuration, you have specified the outgoing IP address(es) for some specific computers.
  • Page 170 The following figure shows a simple application of load balance. WAN1 and WAN2 can be used to access the Internet. The PC in LAN1 can send the data to the remote PC through the specified WAN1. 1. Access the web user interface of Vigor3900. Open Routing>>...
  • Page 171 In the following page, type a name for such profile; check Enable; choose Subnet as Destination Type; type 203.65.1.35 as IP address; choose Load Balance Pool as Out-going Rule; choose WAN1 as the Load Balance Rule; click Disable for Failover to Next Rule.
  • Page 172 A LAN to LAN VPN tunnel is built between DrayTek VPN router (e.g., Vigor3900) and the remote router. Enterprise firewall router (in Headquarter) can control all of the traffic coming from the remote PC (in Branch) which wants to access the Internet.
  • Page 173 In the following page, type a name for such profile (e.g., Secure_route); choose Subnet as Source Type and type the source IP address with 172.16.3.25; choose User Defined as Out-going Rule; choose lan1 as the Out-going Interface; type 192.168.1.2 as the Out-going (Gateway);...
  • Page 174: Default Route

    This page allows you to assign a WAN profile or a Load Balance profile as the default route. Available parameters are listed as follows: Item Description WAN Profile/Load Balance Pool Display the WAN profiles for user to choose as a default route.
  • Page 175: Rip Configuration

    The Routing Information Protocol (RIP) is a dynamic routing protocol used in local and wide area networks. The routing information packet will be sent out by web server or router periodically, and can be used to communicate with other routers. It will calculate the number of network nodes on the route to ensure there is no obstruction on the network routine.
  • Page 176: Ospf Configuration

    Available parameters are listed as follows: Item Description Enable Check the box to enable the Mirror function for the switch. Profile Choose the LAN/WAN profile(s). Apply Click it to save the settings. Cancel Click it to exit the dialog without saving anything. After finishing the settings, click Apply to save them.
  • Page 177 Available parameters are listed as follows: Item Description Enable Check the box to enable the Mirror function for the switch. Profile Add- Click it to create a new profile. Profile - Choose a LAN/WAN profile from the drop down list to apply for such configuration. Area –...
  • Page 178 Use the drop down list of LAN Profile to choose the one you need. Then specify the value of Area (either 0.0.0.0 ~ 255.255.255.255 or 0 ~ 4294967295) for that profile. If you are not satisfied with the settings, simply click to remove the entry, and then re-type the settings.
  • Page 179: Bgp Configuration

    BGP means Border Gateway Protocol. It is a standardized exterior gateway protocol which can exchange routing and reachability information between autonomous systems (AS) on Internet. The protocol TCP is used by two routers supporting BGP for data transmission. They can exchange the BGP routing information for each other.
  • Page 180 Available parameters are listed as follows: Item Description Refresh Renew current web page. Auto Refresh Specify the interval of refresh time to obtain the latest status. The information will update immediately when the Refresh button is clicked. BGP Neighbor Display the neighbor profile name configured successfully in the Neighbor tab in Routing >>BGP configuration.
  • Page 181 This page is used to configure the general settings for the host which is ready for using BGP. Available parameters are listed as follows: Item Description Enable Check the box to enable BGP function. Autonomous System number Type the autonomous system number for the host in BGP application.
  • Page 182 This page is used to configure the IP address and AS number for the neighbor which will exchange BGP routing information with your Vigor router. Available parameters are listed as follows: Item Description Add a new port redirect profile. Edit Modify the selected profile.
  • Page 183 Enable Display the status of the profile. False means disabled; True means enabled. Neighbor IP Address Display the IP address of the neighbor. Autonomous System Number Display the autonomous system number of the neighbor in BGP application. Open Routing>> BGP Configuration and click the Neighbor tab. Simply click the Add button.
  • Page 184: Nat

    NAT (Network Address Translation) is a method of mapping one or more IP addresses and/or service ports into different specified services. It allows the internal IP addresses of many computers on a LAN to be translated to one public address to save costs and resources of multiple public IP addresses.
  • Page 185 Edit Modify the selected profile. To edit a profile, simply select the one you want to modify and click the Edit button. The edit window will appear for you to modify the corresponding settings for the selected rule. Delete Remove the selected profile. To delete a profile, simply select the one you want to delete and click the Delete button.
  • Page 186 The following dialog will appear. Available parameters are listed as follows: Item Description Profile Type the name of the profile. Enable Check the box to enable this profile. Port Redirection Mode Specify the direction for the port to be redirected. Specify the WAN profile for such profile.
  • Page 187 Alias WAN IP alias that can be selected and used for port redirection. Before using it, please go to WAN>>General Setup and enable the wan1 profile. Add several IP addresses under Static mode for wan1. Protocol Choose the protocol used for the entry. Public Port Start/Public Port End It is available when Range to One or Range to Range...
  • Page 188: Dmz Host

    In computer networks, a DMZ (De-Militarized Zone) is a computer host or small network inserted as a neutral zone between a company’s private network and the outside public network. It prevents outside users from getting direct access to company network. A DMZ is an optional and more secure approach to a firewall and effectively acts as a proxy server as well.
  • Page 189 Refresh Renew current web page. Profile Display the name of the profile. Enable Display the status of the profile. False means disabled; True means enabled. Outgoing WAN Profile Display the WAN profile that such DMZ host profile will be applied to. IP Alias Display the selected WAN IP address if Use IP Alias is enabled.
  • Page 190: Alg

    Outgoing WAN Profile Choose a WAN profile for such entry. Use IP Alias Click Enable to invoke IP Alias function. IP Alias IP alias that can be selected and used for port redirection. Before using it, please go to WAN>>General Setup and enable the wan1 profile.
  • Page 191 Available parameters are listed as follows: Item Description Enable SIP ALG Check the box to enable the Mirror function for the switch. Refresh Renew current web page. Apply Click it to save the settings. Click Apply to save the settings. The H.323 ALG allows incoming and outgoing VoIP calls passing through NAT.
  • Page 192: Connection Timeout

    This feature is used to configure timeout setting for sessions established by TCP/UDP. When a session is idle for a period of time, the connection will be terminated after reaching the time limit configured in such page. Available parameters are listed as follows: Item Description TCP Timeout...
  • Page 193: Firewall

    The firewall controls the allowance and denial of packets through the router. Firewall Setup in the Vigor3900 Series mainly consists of packet filtering, Denial of Service (DoS) and URL (Universal Resource Locator) content filtering facilities. These firewall filters help to protect your local network against attack from outsiders. A firewall also provides a way of restricting users on the local network from accessing inappropriate Internet content and can filter out specific packets, which may trigger unexpected outgoing connection such as a Trojan.
  • Page 194 Item Description Add a new group profile for IP filter. Edit Modify the selected profile. To edit a profile, simply select the one you want to modify and click the Edit button. The edit window will appear for you to modify the corresponding settings for the selected rule.
  • Page 195 Enter all the settings and click Apply. A new filter group has been added. You can create filter rule by clicking on the left side of the selected IP filter group profile. A setting page will appear for you to add new IP filter rule profile. Move your mouse to click Add.
  • Page 196 The following page for configuration will appear. Available parameters are listed as follows: Item Description Profile Type the name of the IP filter rule. Enable Check the box to enable this profile. Action The action to be taken when packets match the rule. Block - Packets matching the rule will be dropped immediately. Accept - Packets matching the rule will be passed...
  • Page 197 Limit Packets When you choose Connection Limit as Action, you have to configure limit packets number to determine how many packets per second will be passed through. Limit Mode When you choose Connection Limit as Action, you have to choose Share or Each in addition to the number of packets limits.
  • Page 198 the profile selection box. Choose one or more service type group profiles from the drop down list. The selected profile will be treated as service type. You can click to create another new service type group profile. Incoming Country Source Country Object (At most accept 15 countries) - Filter Click the triangle icon to display the profile selection...
  • Page 199 will be treated as destination target. You can click create another new IP group profile. Destination DNS Object- Click the triangle icon display the profile selection box. Choose one or more DNS object profiles from the drop down list. The selected profile will be treated as destination target.
  • Page 200 This page allows you to create new IPv6 filter group for your request. Each item will be explained as follows: Item Description Add a new group profile for IPv6 filter. Edit Modify the selected profile. To edit a profile, simply select the one you want to modify and click the Edit button.
  • Page 201 Simply click the Add button. The following dialog will appear. Available parameters are listed as follows: Item Description Group Type the name of the IP filter group. Enable Check the box to enable this profile. Comment Give a brief description for the profile. Apply Click it to save and exit the dialog.
  • Page 202 Move your mouse to click Add.
  • Page 203 The following page for configuration will appear. Available parameters are listed as follows: Item Description Profile Type the name of the IP filter rule. Enable Check the box to enable this profile. Action The action to be taken when packets match the rule. Block - Packets matching the rule will be dropped immediately Accept- Packets matching the rule will be passed...
  • Page 204 appearing on the System Maintenance >> Syslog/Mail Alert >> Syslog File. Input Interface Choose one of the LAN or WAN profiles as data receiving interface. Output Interface Choose one of the LAN or WAN profiles as data transmitting interface. Time Schedule Time Object - Click the triangle icon to display the profile selection box.
  • Page 205 Note: You can create multiple IPv6 filter rules under a certain IP Filter group.
  • Page 206 Application Filter can integrate several application objects within one profile for restricting the usage of applications. For example, it can block people defined in an IP object profile from using IM applications, from using P2P for file sharing, and from downloading files via certain protocols.
  • Page 207 Item Description IP Object Display the IP object profile selected for such application profile. IP Group Display the IP group profile selected for such application profile. User Profile Display the user object profile selected for such application profile. User Group Display the user group profile selected for such application profile.
  • Page 208 Time Schedule Time Object - Click the triangle icon to display the profile selection box. Choose a schedule profile to be applied on such application filter profile. The router will perform the filtering job based on the time object selected. You can click to create another new time object profile, or you can click the edit icon to modify the existed object profile.
  • Page 209 new LDAP group profile. Action Policy APP Block - Click the triangle icon to display the profile selection box. Choose one or more APP object profiles from the drop down list which will be allowed / not be allowed to pass through the router.
  • Page 210 URL Filter can integrate URL, Keyword, File extension and WCF object profiles within one profile for restricting certain people accessing into Internet. Each item will be explained as follows: Item Description Add a new group profile for URL filter. Edit Modify the selected profile.
  • Page 211 Item Description Rename Allow to modify the selected profile name. Profile Number Limit Display the total number of the object profiles to be created. Profile Display the name of the application filter profile. Enable Display the status of the profile. False means disabled; True means enabled.
  • Page 212 Item Description Apply Click it to save and exit the dialog. Cancel Click it to discard the settings configured in this page. Open Firewall>>Filter Setup and click the URL/Web Category Filter tab. Simply click the Add button. The following dialog will appear. Available parameters are listed as follows: Item Description...
  • Page 213 Item Description Time Schedule Time Object - Click the triangle icon to display the profile selection box. Choose a schedule profile to be applied on such application filter profile. The router will perform the filtering job based on the time object selected. You can click to create another new time object profile, or you can click the edit icon to modify the existed object profile.
  • Page 214 Item Description treated as source target. You can click to create another new LDAP group profile. Action Policy File Extension Accept / File Extension Block - Click the triangle icon to display the profile selection box. Choose one or more File Extension object profiles from the drop down list which will be allowed / not be allowed to pass through the router.
  • Page 215 This page is designed for the user in China only. For people outside China, skip this section. Each item will be explained as follows: Item Description Add a new group profile for QQ filter. Edit Modify the selected profile. To edit a profile, simply select the one you want to modify and click the Edit button.
  • Page 216 Item Description QQ Account Block Display the account name which will be blocked if the selected QQ profile is enabled. Apply Click it to save and exit the dialog. Cancel Click it to discard the settings configured in this page. Open Firewall>>Filter Setup and click the QQ Filter tab.
  • Page 217 Item Description You can click to create another new QQ account. QQ Account Block Use the drop down list to specify a QQ account profile for such profile. The select account will be blocked by Vigor router. You can click to create another new QQ account.
  • Page 218: DoS Defense

    Item Description query passing through Vigor router’s firewall.
    - Pass Reply of Port Redirection /DMZ – Check the box to make the outgoing packets processed by Port Redirection/DMZ passing through Vigor router’s firewall.
    - Enable Syslog – Check the box to make related information for the blocked packets being recorded in Syslog.
  • Page 219 Available parameters are listed as follows: Item Description Broadcast Storm Defense Click Enable to block the packet attacks coming from broadcast storm. Multicast Storm Defense Click Enable to block the packet attacks coming from multicast storm. Unknown Unicast Storm Click Enable to block the packet attacks coming from unknown unicast storm.
  • Page 220 Item Description the user-defined timeout period. SYN Flood Threshold The default setting for threshold is 2000 packets per second. SYN Flood Timeout The default setting for timeout is 10 seconds. Block ICMP Flood Click Enable to activate the ICMP flood defense function. If the amount of ICMP echo requests from the Internet exceeds the user-defined threshold value, the router will discard the subsequent echo requests within the user-defined...
  • Page 221: MAC Block

    Item Description re-construct the packets. The routers will block any packets resembling this attacking activity. Block Ping of Death Click Enable to activate the Block Ping of Death function. Many machines may crash when receiving an ICMP datagram that exceeds the maximum length. The router will block any fragmented ICMP packets with a length greater than 1024 octets.
  • Page 222 Item Description rule. Delete Remove the selected profile. To delete a rule, simply select the one you want to delete and click the Delete button. Refresh Renew current web page. Rename Allow to modify the selected profile name. Profile Number Limit Display the total number of the object profiles to be created.
  • Page 223: Objects Setting

    A new MAC Block profile has been created. Vigor3900 allows users to set different filter profiles based on IP, service type, keyword, file extension, instant message application, P2P application, protocol application, web category, QQ application, time setting, SMS service, mail service and notification. These objects setting profiles can be applied in Firewall.
  • Page 224: IP Object

    IPs in a limited range are usually applied when configuring the router’s settings, so we can define them as objects and bind them into groups for convenience. Later, we can select the object/group to apply. For example, all the IPs in the same department can be defined with an IP object (a range of IP address).
  • Page 225 Item Description Subnet Mask Display the subnet mask for such profile. Open Objects Setting>>IP Object. Simply click the Add button. The following dialog will appear. Available parameters are listed as follows: Item Description Profile Type the name of such profile. Address Type Choose the address type (Single / Range /Subnet) for such profile.
  • Page 226: IP Group

    To manage conveniently, several IP object profiles can be grouped under a group. Different IP group can contain different IP object profiles. Each item will be explained as follows: Item Description Add a new profile. Edit Modify the selected profile. To edit a profile, simply select the one you want to modify and click the Edit button.
  • Page 227 Open Objects Setting>>IP Group. Simply click the Add button. The following dialog will appear. Available parameters are listed as follows: Item Description Group Name Type the name of the object group. The number of the characters allowed to be typed here is 10. Description Make a brief explanation for such profile if the group name is set not clearly.
  • Page 228: IPv6 Object

    You can set up to 200 sets of IPv6 Objects with different conditions. Each item will be explained as follows: Item Description Add a new profile. Edit Modify the selected profile. To edit a profile, simply select the one you want to modify and click the Edit button.
  • Page 229 The following dialog will appear. Available parameters are listed as follows: Item Description Profile Type the name of the object. Address Type There are three types: List – Allow to specify IP address. Range – Allow to specify a range of IP addresses. Subnet –...
  • Page 230: Country Object

    The country object profile can determine which country/countries shall be blocked by the Vigor router’s Firewall. Each item will be explained as follows: Item Description Add a new profile. Edit Modify the selected profile. To edit a profile, simply select the one you want to modify and click the Edit button.
  • Page 231 Available parameters are listed as follows: Item Description Profile Type a name for such profile. Countries Check the box(es) for the country/countries to be blocked by Firewall. Apply Click it to save the configuration. Cancel Click it to exit the dialog without saving anything. Enter all of the settings and click Apply.
  • Page 232: Service Type Object

    TCP and UDP service with specified port range can be saved with different service type object profiles. Later, it can be applied to Firewall as a filter rule. In default, common used service type object profiles have been created in this page. Each item will be explained as follows: Item Description...
  • Page 233 Open Objects Setting>> Service Type Object. Simply click the Add button. The following dialog will appear. Available parameters are listed as follows: Item Description Profile Type a name for such profile. The number of the characters allowed to be typed here is 10. Protocol Specify one of the protocols for such profile.
  • Page 234: Service Type Group

    This page allows you to bind several service types into one group. To manage conveniently, several service type profiles can be grouped under a service type group. Different service type group can contain different service type profiles. Each item will be explained as follows: Item Description Add a new profile.
  • Page 235 Open Objects Setting>> Service Type Group. Simply click the Add button. The following dialog will appear. Available parameters are listed as follows: Item Description Group Name Type the name of the service type object group. The number of the characters allowed to be typed here is 10. Description Type some words to describe such group.
  • Page 236: Keyword /DNS Object

    Keyword can be set as a filter rule to be applied in Firewall. Vigor3900 allows users to set keyword profile with several keywords. Even, it allows users to group several keyword profiles within a keyword group. Each item will be explained as follows: Item Description Add a new profile.
  • Page 237 Open Objects Setting>> Keyword /DNS Object. Simply click the Add button. The following dialog will appear. Available parameters are listed as follows: Item Description Profile Type the name of the Keyword Object. Member Type the content for such profile. For example, type gambling as Contents.
  • Page 238 DNS can be set as a filter rule to be applied in Firewall. Each item will be explained as follows: Item Description Add a new profile. Edit Modify the selected profile. To edit a profile, simply select the one you want to modify and click the Edit button.
  • Page 239 Available parameters are listed as follows: Item Description Profile Type the name of the DNS object profile. Type the domain name of the DNS that you want to filter. Member Table Add – Type the word in the box of Member and click this button to add the new word as DNS object.
  • Page 240: File Extension Object

    This page allows you to set file extension profiles which will be applied in Firewall. All the files with the extension names specified in these profiles will be processed according to the chosen action. Each item will be explained as follows: Item Description Add a new profile.
  • Page 241 Open Objects Setting>>File Extension Object. Simply click the Add button. The following dialog will appear. Available parameters are listed as follows: Item Description Profile Type the name of the File Extension Object group. Image Several file extensions for Image offered for you to choose. Use the drop down list to check the box (es) to select the file extension you need.
  • Page 242: APP Object

    Item Description Apply Click it to save the configuration. Cancel Click it to exit the dialog without saving the configuration. Enter all the settings and click Apply. A new File Extension Object profile has been created. The IM, P2P, Protocol and Others types can be integrated as an APP object which can be used in Firewall to block certain applications.
  • Page 243 Item Description APP Signature Upgrade Click it to open System Maintenance>>APP Signature Upgrade configuration page. APP Support List APP Support List will display all of the applications with versions supported by Vigor router. They are separated with types of IM, P2P, Protocol and Others. Each tab will bring out different items with supported versions.
  • Page 244 Available parameters are listed as follows: Item Description Profile Type the name of the IM object group. The number of the characters allowed to be typed here is 10. IM Application Several IM applications offered for you to choose. Check the one(s) you want to add for such profile.
  • Page 245 Item Description Other P2P Several P2P applications offered for you to choose. Check Applications the one(s) you want to add for such profile. Click Protocol to get the following page. Network services, e.g., DNS, FTP, HTTP, POP3, for LAN users can be blocked by Vigor3900. Common services will be listed in this function and can be selected to be blocked by the router.
  • Page 246: Web Category Object

    If you want to purchase a formal edition, simply contact your DrayTek dealer. Note 1: Web Content Filter (WCF) is not a built-in service of Vigor router but a service powered by Commtouch.
  • Page 247 Note 3: fragFINN service will be terminated from 2015. Each item will be explained as follows: Item Description Add a new profile. Edit Modify the selected profile. To edit a profile, simply select the one you want to modify and click the Edit button. The edit window will appear for you to modify the corresponding settings for the selected rule.
  • Page 248 Item Description block. Open Objects Setting>> Web Category Object and click the Web Category Object tab. Simply click the Add button. The following dialog will appear. Available parameters are listed as follows: Item Description Profile Type the name of the web category object profile. The number of the characters allowed to be typed here is 10.
  • Page 249 Chatting Simply check the one(s) that you don’t want the user to use for gossip with remote people. Computer Simply check the one(s) that you don’t want the user to visit. Other Simply check the one(s) that you don’t want the user to visit. Apply Click it to save the configuration.
  • Page 250 MyVigor website. After finishing the activation for the trial version of WCF, remember to purchase “Silver Card” for WCF service from your DrayTek dealer or distributor. Note: This page is designed for Chinese IM "Tencent QQ" users (especially for China) only.
  • Page 251 Item Description To edit a profile, simply select the one you want to modify and click the Edit button. The edit window will appear for you to modify the corresponding settings for the selected rule. Delete Remove the selected profile. To delete a rule, simply select the one you want to delete and click the Delete button.
  • Page 252: QQ Object

    Open Objects Setting>> QQ Object. Simply click the Add button. The following dialog will appear. Available parameters are listed as follows: Item Description Profile Type the name of the QQ object profile. The number of the characters allowed to be typed here is 10. Create the account name for such QQ object profile.
  • Page 253: QQ Group

    This page allows you to group several QQ object profiles. Each item will be explained as follows: Item Description Add a new profile. Edit Modify the selected profile. To edit a profile, simply select the one you want to modify and click the Edit button.
  • Page 254 Available parameters are listed as follows: Item Description Profile Type the name of the time group. The number of the characters allowed to be typed here is 10. Description Make a brief explanation for such profile if the group name is set not clearly.
  • Page 255: Time Object

    You can restrict Internet access to certain hours so that users can connect to the Internet only during certain hours, say, business hours. The schedule is also applicable to other functions, e.g., Firewall. Each item will be explained as follows: Item Description Add a new profile.
  • Page 256 Open Objects Setting>> Time Object. Simply click the Add button. The following dialog will appear. Available parameters are listed as follows: Item Description Profile Type the name of the time object profile. The number of the characters allowed to be typed here is 10. Frequency Specify how often (Weekdays or Once) the schedule will be applied.
  • Page 257: Time Group

    Apply Click it to save the configuration. Cancel Click it to exit the dialog without saving the configuration. Enter all the settings and click Apply. A new Time Object profile has been created. This page allows you to group several time object profiles. Each item will be explained as follows: Item Description...
  • Page 258 Open Objects Setting>> Time Group. Simply click the Add button. The following dialog will appear. Available parameters are listed as follows: Item Description Profile Type the name of the time group. The number of the characters allowed to be typed here is 10. Description Make a brief explanation for such profile if the group name is set not clearly.
  • Page 259: SMS Service Object

    This page allows you to set ten profiles which will be applied in Application>>SMS/Mail Alert Service. Each item will be explained as follows: Item Description Add a new profile. Edit Modify the selected profile. To edit a profile, simply select the one you want to modify and click the Edit button.
  • Page 260 Open Objects Setting>> SMS Service Object. Simply click the Add button. The following dialog will appear. Available parameters are listed as follows: Item Description Profile Type a name for such SMS profile. The maximum length of the name you can set is 20 characters. Enable Check this box to enable such profile.
  • Page 261: Mail Service Object

    Cancel Click it to exit the dialog without saving the configuration. Enter all the settings and click Apply. A new SMS object profile has been created. This page allows you to set ten profiles which will be applied in Application>>SMS/Mail Alert Service.
  • Page 262 Item Description SMTP Server Display the IP address of the SMTP Server SSL/TLS Display the status of SSL/TLS service. Authentication Enable means such profile must be authenticated by the server. Disable means such profile will not be authenticated by the server.
  • Page 263: Notification Object

    Authentication The mail server must be authenticated with the correct username and password to have the right of sending message out. Click the Enable button to enable the function. User Name – Type a name for authentication. The maximum length of the name you can set is 31 characters. User Password –...
  • Page 264 Item Description Profile Number Limit Display the total number (8) of the object profiles to be created. Profile Display the name of the profile. WAN Disconnection Display if such function is enabled or disabled. WAN Reconnection Display if such function is enabled or disabled. VPN Disconnection Display if such function is enabled or disabled.
  • Page 265: User Management

    VPN Disconnection Enable – When disconnection happened to a VPN tunnel, the router system will send the alert message to the recipient. VPN Reconnection Enable - When reconnection happened to a VPN tunnel, the router system will send the alert message to the recipient. Temperature Enable - When the temperature is out of range, the router system will send the alert message to the recipient.
  • Page 266: Web Portal

    Web Portal is a gateway which organizes the network access of LAN hosts. The identity of LAN host can be recognized by web portal mechanism and then be managed for functions like firewall or load balance. This page can determine the general rule for the users controlled by User Management. The mode selected in this page will influence the contents of the filter rule(s) applied to every user.
  • Page 267 Item Description log-in user. Start Time Display the starting time of the network connection. End Time Display the ending time of the network connection. Rest Time Display the rest time of the network connection. Auth Type Display the authentication type (local, RADIUS, LDAP, Login Disable, Guest) used by such user.
  • Page 268 Item Description Web Portal Click Enable to enable such function. LDAP Profiles - It is available when LDAP is selected as Authentication Type. You have to specify one profile (defined in User Management>>LDAP/Active Directory) from the drop down list for LDAP authentication. Bulletin Board Disable –...
  • Page 269 Item Description Web Portal Click Enable to enable such function. web page that the hotel wants the user(s) to visit.
    - Custom URL – Type the URL of specified web page for redirection if Custom URL is selected as URL Redirection After Login.
    Daily Logout Enable - Force the online user logging out the web user interface of Vigor router everyday.
  • Page 270 Available parameters will be explained as follows: Item Description Welcome Message Type words or sentences here. The message will be displayed on the top of the login page. Upload Bulletin Message Upload Selected File - It is available when Enable is selected in Upload Bulletin Message.
  • Page 271: User Profile

    Item Description Apply Click it to save the configuration. Cancel Click it to discard the settings configured in this page. After finishing the above settings, click Apply to save the configuration. This function allows you to configure all accounts (user profiles) in Vigor3900, including PPTP/L2TP/SSL/PPPoE, System user, and so on.
  • Page 272 Item Description To delete a rule, simply select the one you want to delete and click the Delete button. Refresh Renew current web page. Profile Number Limit Display the total number of the user profiles to be created. Username Display the name of the user. Enable Display the status of the profile.
  • Page 273 The following dialog will appear. Available parameters are listed as follows: Item Description Username Type a name for such user profile (e.g., LAN_User_Group_1, WLAN_User_Group_A, WLAN_User_Group_B, etc). When a user tries to access Internet through this router, an authentication step must be performed first.
  • Page 274 System User Only the user profile with privilege level has the right to operate the function of the router as the administrator of the router. False – Choose it to disable the function of System User. Such user profile does not have the right to operate the router’s function.
  • Page 275 Use mOTP Click Enable to make the authentication with mOTP function.
    - mOTP PIN Code - Type the code for authentication (e.g., 1234).
    - mOTP Secret - Use the 32 digit-secret number generated by mOTP in the mobile phone (e.g., e759bb6f0e94c7ab4fe6).
  • Page 276 MAC Binding Specify a MAC address which is limited and used for such PPPoE account. Enable – Click it to enable the function. MAC Address – If MAC Binding is enabled, simply type the MAC address of the router in this field. FTP User Setting Allow FTP Server Click Enable to allow the remote user accessing into...
  • Page 277 Modify Web Portal Check the box to configure detailed setting. Login Status Enable – Click it to enable the web portal login function for remote client. Modify Time Quota Check the box to configure detailed setting. Status Enable – Click it to enable the time quota function for all user profiles.
  • Page 278 Usage Restriction Time Quota (1~14400 minutes) Time Quota (1~14400 minutes) /Expired Time Validity Period (days) Authentication Max Simultaneous user Bind IP Open User Management >> User Profile, and click Add. Set up user profile as shown below. Type Username; check Enable and type Password.
  • Page 279 Open Objects Setting >> IP Object, and click Add. Set up IP Object for Executive. Type the name of the Profile (e.g., boss in this case); choose Single as the Address Type; and type 192.168.1.11 as Start IP Address. Click Apply to save the settings. Open User Management >>...
  • Page 280 Open User Management >> Guest Profile and click Guest Group to check the Mass User account Group. By clicking each account (e.g., choose 1001 and click Edit), we can check the information for this account, and we may also modify the account name and password manually.
  • Page 281 Note that Administrator is able to Export the information for the whole group to a .csv file, which is useful to redistribute the account and password combinations to guests.
  • Page 282 Open User Management >> Web Portal and click the General Setup tab to open the following page. Check Local and Guest as Authentication Type. Check IP object named of Boss to put it into the white list, and this will allow this IP address to access to the Internet without authentication.
  • Page 283 For Employees to access into Internet: For Room guest to access into Internet:
  • Page 284: Usergroup

    The User Group can consist of several user profiles, which help the administrator to manage a large number of users conveniently. Each item will be explained as follows: Item Description Add a new profile. Edit Modify the selected profile. To edit a profile, simply select the one you want to modify and click the Edit button.
  • Page 285 Open User Management>>User Group. Simply click the Add button. The following dialog will appear. Available parameters are listed as follows: Item Description Usergroup Type the name of such profile. Enable Check this box to enable such profile. Member Use the drop down list to check the user profile(s) under such group.
  • Page 286: Guest Profile

    Guest Profile allows users to access the Internet within a validity period and limits the user to accessing the specified URL configured by web portal. Available parameters are listed as follows: Item Description Add a new profile. Edit Modify the selected profile. To edit a profile, simply select the one you want to modify and click the Edit button.
  • Page 287 Item Description Start Time/ End Time Display the detailed time setting (starting and ending). Open User Management>>Guest Group. Click the Guest Group tab. Simply click the Add button. The following dialog will appear. Available parameters are listed as follows: Item Description Group Type the name of such profile.
  • Page 288 A new guest group profile has been created. You can create several guest names by clicking on the left side of the selected guest group profile. A setting page will appear for you to add new guest list. Move your mouse to click Add. The following page for configuration will appear.
  • Page 289 Portal portal. Disable – Click it to disable the option. Clean Deadline The guest profile can be unlocked to be used by other users. Enter all of the settings and click Apply. 10. A new guest has been added under the Guest Group (named Carrie in this case).
  • Page 290 This option is useful to create a lot of guest profiles with the most expeditious manner. Available parameters are listed as follows: Item Description Name Settings Group Name – Type the name of the guest group. Guest Name Prefix – The guest names created with such manner requires a prefix as the basis of name input.
  • Page 291 Item Description Usage Settings Usage Period – It determines the usage time for the guest accessing into Internet each time. Click Enable to enable such option.
    - Usage Time(min) - The default setting is 180 minutes.
    Validity Period – It determines the valid period for the guest accessing into Internet.
  • Page 292: RADIUS

    Remote Authentication Dial-In User Service (RADIUS) is a security authentication client/server protocol that supports authentication, authorization and accounting, which is widely used by Internet service providers. It is the most common method of authenticating and authorizing dial-up and tunneled network users. The built-in RADIUS client feature enables the router to assist the remote dial-in user or a wireless station and the RADIUS server in performing mutual authentication.
  • Page 293 In addition to specifying an external RADIUS server for security authentication, Vigor router also can be treated as a RADIUS server for performing security authentication and offer the RADIUS service for wireless clients. Available parameters are listed as follows: Item Description Enable RADIUS Server Check this box to make Vigor router as a RADIUS server.
  • Page 294: LDAP/Active Directory

    Lightweight Directory Access Protocol (LDAP) is a communication protocol for use in TCP/IP networks. It defines the methods by which clients access distributed directory servers, work on the directory and share the information in the directory. The LDAP standard is established by the work team of Internet Engineering Task Force (IETF).
  • Page 295 Item Description Port Display the port number set for such profile. Common Name Display the name for identification. Identifier Base DN Display the configured Base DN if Bind Type is set with Simple Mode. Group DN Display the configured Group DN if Bind Type is set with Simple Mode.
  • Page 296 Bind Type There are three types of bind type supported. Simple Mode – Just simply do the bind authentication without any search action. Anonymous – Perform a search action first with Anonymous account then do the bind authentication. Regular Mode– Mostly it is the same with anonymous mode.
  • Page 297: Application

    Below shows the menu items for Applications. The ISP often provides you with a dynamic IP address when you connect to the Internet via your ISP. It means that the public IP address assigned to your router changes each time you access the Internet.
  • Page 298 This page displays the status for all the available DDNS profiles. Each item will be explained as follows: Item Description Refresh Renew current web page. Auto Refresh Specify the interval of refresh time to obtain the latest status. The information will update immediately when the Refresh button is clicked.
  • Page 299 This page allows you to configure DDNS profiles for your request. Each item will be explained as follows: Item Description Edit Modify the selected profile. To edit a profile, simply select the one you want to modify and click the Edit button. The edit window will appear for you to modify the corresponding settings for the selected rule.
  • Page 300 Open Applications>>Dynamic DNS and click the Setting tab. Choose one of the DDNS profiles and click the Edit button. Available parameters are listed as follows: Item Description Profile Display the name of the profile. Enable Check this box to enable such profile. WAN Profile Choose a WAN interface that such profile will apply to.
  • Page 301 Service Type Select a service type (Dynamic, Custom or Static). If you choose Custom, you can modify the domain that is chosen in the Domain Name field. Domain Name Type in one domain name that you applied previously. Use the drop down list to choose the desired domain. User Login Name Type in the login name that you set for applying domain.
  • Page 302: Gvrp

    This page displays the information related to all DDNS. This function can define the method for changing the VLAN information among devices. With GVRP support, the device can receive the VLAN information coming from other devices. Available parameters are listed as follows: Item Description
  • Page 303: Igmp Proxy

    Item Description Enable Check this box to enable GVRP function. Interface Choose LAN and/or WAN profiles. To clear the selected one, click to remove current object selections. Join Time Define the time for the system to send GVRP packet to other device.
  • Page 304 Item Description IGMP via PPPoE Enable – In LAN, the PC which uses PPPoE connection to communicate with Vigor router can accept the packets transmitted from IGMP proxy. Disable – In LAN, the PC which uses PPPoE connection to communicate with Vigor router can NOT accept the packets transmitted from IGMP proxy.
  • Page 305: Upnp

    The UPnP (Universal Plug and Play) protocol is supported to bring to network connected devices the ease of installation and configuration which is already available for directly connected PC peripherals with the existing Windows 'Plug and Play' system. For NAT routers, the major feature of UPnP on the router is “NAT Traversal”.
  • Page 306: High Availability

    Enabling firewall applications on your PC may prevent the UPnP function from working properly, because these applications block access to some network ports. Security Considerations Activating the UPnP function on your network may incur some security threats. You should consider these risks carefully before activating the UPnP function.
  • Page 307 Available parameters are listed as follows: Item Description Enable High Availability Check this box to enable HA function. Redundant Method Choose Hot-Standby or Active-Standby as the method for HA. Hot-Standby – Hot-Standby is a redundant method of having several secondary service nodes running standby with another identical primary service node.
  • Page 308 Item Description It is used for encrypting the HA session communication to prevent malicious attack. Advance Preemption Mode – Specify a mode for changing the Config Synchronization Role. • Automatic – The router will be restored to primary (master) router once the service is restored. • ...
  • Page 309 Item Description (master) router once the service is restored. • Delayed – The router must wait for a period of time to restore to primary (master) router when the service is restored. Delayed Interval: Specify the time for waiting. • Manual –...
  • Page 310 Item Description "LAN Port Detection Mode" but will detect connection status of all enabled WAN profiles. If the connection status of all enabled WAN profiles is down, the master router hands off its position. The hot-standby mechanism is that each secondary access point will be a backup device for the primary access point (router).
  • Page 311 Available parameters are listed as follows: Item Description Add a new HA profile. Edit Modify the selected HA profile. To edit the profile, simply select the one you want to modify and click the Edit button. The edit window will appear for you to modify the corresponding settings for the selected profile.
  • Page 312 Available parameters are listed as follows: Item Description Profile Type a name for such profile. Choose one of the LAN profiles that such function will be HA LAN Profile applied to. Virtual IP for Assign an IP address as a virtual IP. Gateway VHID It means Virtual Host ID.
  • Page 313 The active-standby Mechanism is that each access point in LAN will participate in different high availability sessions. All the WAN interfaces can be active which provide more flexible utilization of network service. When LAN1 in Router A fails, one of the available line connections (e.g., LAN1 in Router C) will be selected to offer the network service for all the connected PCs.
  • Page 314 The following page is used to create Active-Standby profiles. Available parameters are listed as follows: Item Description Add a new HA profile. Edit Modify the selected HA profile. To edit the profile, simply select the one you want to modify and click the Edit button.
  • Page 315 Simply click the Add button. The following dialog will appear. Available parameters are listed as follows: Item Description Profile Type a name for such profile. HA LAN Profile Choose one of the LAN profiles that such function will be applied to. Assign an IP address as a virtual IP.
  • Page 316: Wake On Lan

    A PC client on the LAN can be woken up by the router it connects to. When a user wants to wake up a specified PC through the router, he/she must type the correct MAC address of the specified PC on the Wake on LAN web page of this router. In addition, such PC must have a network card installed that supports the WOL function.
  • Page 317 This page is used to set profiles which will perform WOL based on the conditions specified by Bind Table profile, MAC address, LAN profile and time profile. Available parameters are listed as follows: Item Description Add a new schedule profile. Edit Modify the selected schedule profile.
  • Page 318 The following dialog will appear. Available parameters are listed as follows: Item Description Profile Type a name for such profile. Enable Check the box to enable such profile. Choose the type for data input, Bind Table or MAC Address. Mode Bind Table It is available when Bind Table is selected as Mode.
  • Page 319: Sms / Mail Alert Service

    The SMS (Short Message Service)/Mail Alert function lets the Vigor router send a message to the user’s mobile phone or e-mail box through a specified service provider, so that the user learns of abnormal situations in real time. Vigor router allows you to set up to 10 SMS profiles which will be sent out according to different conditions.
  • Page 320 Open Applications>> SMS/Mail Alert Service and click the SMS Alert Service tab. Choose one of the index numbers and click the Edit button. The following dialog will appear. Available parameters are listed as follows: Item Description Enable Check this box to enable such profile. Choose the SMS provider object profile from the drop down SMS Provider list.
  • Page 321 This page allows you to specify Mail Server profile, who will get the notification e-mail, what the content is and when the message will be sent. Each item will be explained as follows: Item Description Edit Modify the selected profile. To edit a profile, simply select the one you want to modify and click the Edit button.
  • Page 322 Available parameters are listed as follows: Item Description Enable This Profile Check this box to enable such profile. Mail Profile Choose the mail service object profile from the drop down list. Such profiles can be created from Object Setting>>Mail Service Object. Recipient Type the e-mail address for receiving the mail.
  • Page 323: Vpn And Remote Access

    A Virtual Private Network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet. In short, by VPN technology, you can send data between two computers across a shared or public network in a manner that emulates the properties of a point-to-point private link.
  • Page 324 Open VPN and Remote Access >> VPN Client Wizard. The following dialog will appear. Available parameters are listed as follows: Item Description Type Specify which protocol (PPTP/IPsec/SSL) will be used for such VPN profile. VPN Settings Via Select From Current Settings – Current VPN LAN to LAN profiles will be listed below such setting.
  • Page 325 Specify the type. Click Create New VPN Profile and type the name of the profile. Then, click Next. If you choose PPTP as the Type, you will get the following screen: Available parameters are listed as follows: Item Description Profile Display the name of the VPN profile.
  • Page 326 Dial-Out Through Choose a WAN profile to be used by such profile. Then, use the default WAN IP or specify a WAN Alias IP for the VPN tunnel. Failover to Choose a WAN profile that will carry the data through another WAN automatically when the selected WAN interface (in Dial-Out Through) fails.
  • Page 327 If you choose IPSec as the Type, you will get the following screen: Available parameters are listed as follows: Item Description Profile Display the name of the VPN profile. Enable Check this box to enable such profile. Choose a WAN profile to be used by such profile. WAN Profile Local IP/Subnet Type the IP address and subnet mask of local host.
  • Page 328 data will be authenticated but not be encrypted. DPD Delay DPD means dead peer detection. It is a keep-alive timer. A Hello message will be emitted periodically when a tunnel is idle. Use the value 0 to disable this function. The recommended value is 30 seconds if enabled.
  • Page 329 SSL Password Type a password for authentication in SSL VPN connection. Local IP/Subnet Mask Type the IP address and subnet mask of local host. Remote IP/Subnet Mask Type the LAN IP address and LAN subnet mask for the remote host. Route/NAT Mode Specify the purpose for such profile.
  • Page 330: Vpn Server Wizard

    This wizard is used to configure VPN settings for the VPN server. It guides you step by step through setting the LAN-to-LAN profile for a VPN dial-in connection. Open VPN and Remote Access >> VPN Server Wizard. The following dialog will appear. Available parameters are listed as follows: Item Description...
  • Page 331 VPN Settings Via Select From Current Settings - Current VPN LAN to LAN profiles will be listed below such setting. Choose the one you need. Create New VPN Profile – It allows you to create a new VPN LAN to LAN profile. Simply type the name in the field of Profile Name.
  • Page 332 Netbios Naming Packet Enable – Click it to have an inquiry for data transmission between the hosts located on both sides of VPN Tunnel while connecting. Disable – When a conflict occurs between the hosts on both sides of the VPN Tunnel while connecting, such function can block data transmission of Netbios Naming Packet inside the tunnel.
  • Page 333 Remote Host Type the WAN IP address for the remote host. Remote IP / Subnet Mask Type the LAN IP address and LAN subnet mask for the remote host. More Remote Subnet Add more remote subnet in this field if required. Aggressive Mode The ultimate outcome is to exchange security proposals to...
  • Page 334 If you choose SSL as the Type in Step 1, you will get the following page: Item Description Profile Display the name of the profile. Enable Check this box to enable such profile. SSL User Name Choose a user for authentication in SSL connection. Such profile shall be created in User Management>>User Profile previously.
  • Page 335 packets via VPN connection. • Disable – Disable such function. It is default setting. Fill in the required information on this page and click Finish. A pop-up window will appear. Click OK. Then, return to VPN and Remote Access>>VPN Server Wizard. The new added VPN server profile will be displayed on the screen.
  • Page 336: Remote Access Control

    Enable the necessary VPN service as you need. If you intend to run a VPN server inside your LAN, you should disable the VPN service (e.g., PPTP VPN, L2TP VPN, SSL VPN, IPsec etc.) of Vigor Router to allow the VPN tunnel to pass through. Available parameters are listed as follows: Item Description...
  • Page 337: Ppp General Setup

    Remote users can connect to the site, host, server, etc. via a VPN connection built between the router and the users by an authentication procedure. This page displays the current status of the VPN tunnel built with the PPTP protocol. Available parameters are listed as follows: Item Description Authenticate Protocol...
  • Page 338 LDAP profiles Choose a LDAP profile for PPTP Server if LDAP is selected as user authentication type. To clear the selected one, click to remove current object selections. DHCP from Choose a LAN profile for PPTP Server if RADIUS is selected as user authentication type.
  • Page 339 This page displays the current status of the VPN tunnel built with the L2TP protocol. Available parameters are listed as follows: Item Description Authenticate Protocol The router will authenticate the dial-in user with the protocol selected here. PAP - It means the router will attempt to authenticate dial-in users with the PAP protocol.
  • Page 340 Disable - Let you manually assign IP address to every host in the LAN. DHCP Server Location It is available when DHCP Relay is enabled. Choose the WAN/LAN interface for the DHCP server. DHCP Server IP Address It is available when DHCP Relay is enabled. Set the IP address of the DHCP server you are going to use so the relay agent can help to forward the DHCP request to the DHCP...
  • Page 341: Ipsec General Setup

    LAN. Disable - Let you manually assign IP address to every host in the LAN. DHCP Server Location It is available when DHCP Relay is enabled. Choose the WAN/LAN interface for the DHCP server. DHCP Server IP Address It is available when DHCP Relay is enabled. Set the IP address of the DHCP server you are going to use so the relay agent can help to forward the DHCP request to the DHCP...
  • Page 342: Vpn Profiles

    DHCP LAN Profile Choose one of the LAN profiles for VPN. IKE Port Type the UDP port number for Internet Key Exchange (IKE) traffic to the VPN server. NAT-Port Type the UDP port number for IPSec network address translator traversal (NAT-T) traffic. IPSec MSS Type the port number for IPSec MSS.
  • Page 343 Refresh Renew current web page. IPSec Display the LAN to LAN profile with IPSec policy. PPTP Dial-out Display the LAN to LAN profile with PPTP Dial-out policy. PPTP Dial-in Display the LAN to LAN profile with PPTP Dial-in policy. Profile Number Limit Display the total number (500) of the object profiles to be created.
  • Page 344 The following dialog will appear. Click the Basic tab to configure the settings. Available parameters are listed as follows: Item Description Profile Type the name of the profile. Enable Check this box to enable this profile. Type There are three types offered here for you to choose. Please choose IPSec for this case.
  • Page 345 IKE Phase 1 - Select from Main mode and Aggressive mode. The ultimate outcome is to exchange security proposals to create a protected secure channel. Main mode is more secure than Aggressive mode since more exchanges are done in a secure channel to set up the IPsec session. However, the Aggressive mode is faster.
  • Page 346 After filling the required information for Basic, click the Advanced tab to open the following page. Available parameters are listed as follows: Item Description Phase 1 Key Life Time The rekey-renegotiated period of the IKE Phase1 keying channel of a connection. The acceptable range is from 5 to 480 minutes (8 hours).
  • Page 347 Ping to Keep Alive Enable – Click it to enable such function. Ping to the IP - If you enable the PING function, please specify the IP address for the system to PING it for keeping alive. Route/NAT Mode If the remote network only allows you to dial in with single IP, please choose this mode, otherwise please choose Route Mode.
  • Page 348 After filling the required information for Advanced, click the GRE tab to open the following page. Available parameters are listed as follows: Item Description Enable GRE Function Check the box to enable the function. Local GRE IP The virtual IP address of the router, specified for this tunnel. Remote GRE IP The virtual IP address of the remote client, specified for this tunnel.
  • Page 349 After filling the required information for GRE, click the Proposal tab to open the following page. Available parameters are listed as follows: Item Description IKE Phase1 Proposal (Dial-Out) Propose the local available authentication schemes and encryption algorithms to the VPN peers, and get its feedback to find a match.
  • Page 350 Enter all the settings and click Apply. A new IPSec LAN-to-LAN profile has been created. Display the name of LAN to LAN profile with PPTP dial-out/SSL dial-out tunnel. Each item will be explained as follows: Item Description Add a new profile. Edit Modify the selected profile.
  • Page 351 Local IP / Subnet Mask Display the LAN IP address with subnet mask of this profile. Remote IP / Subnet Mask Display the WAN IP address with subnet mask of this profile. Below will guide you to create a PPTP/SSL dial-out profile for VPN connection: Open VPN and Remote Access >>...
  • Page 352 Name PPTP User Name/SSL User Name Type a user name for authentication in PPTP/SSL connection. PPTP Password/SSL Password Type a password for authentication in PPTP/SSL connection. Local IP/Subnet Mask Type the IP address and subnet mask of local host. Remote IP / Subnet Mask Type the LAN IP address and LAN subnet mask for the...
  • Page 353 Display the name of LAN to LAN profile with PPTP dial-in/SSL dial-in tunnel. Each item will be explained as follows: Item Description Add a new profile. Edit Modify the selected profile. To edit a profile, simply select the one you want to modify and click the Edit button.
  • Page 354 Below will guide you to create a PPTP dial-in profile for VPN connection: Open VPN and Remote Access >>VPN Profiles. Simply click the Add button. The following dialog will appear. Available parameters are listed as follows: Item Description Profile Display the name of the profile. Enable Check this box to enable this profile.
  • Page 355: Vpn Trunk Management

    • RIP via VPN Enable – Click it to exchange routing information protocol packets via VPN connection. • Disable – Disable such function. This is default setting. Apply Click it to save the configuration. Cancel Click it to exit the page without saving the configuration. Enter all the settings and click Apply.
  • Page 356 Each item will be explained as follows: Item Description Add a new profile. Edit Modify the selected profile. To edit a profile, simply select the one you want to modify and click the Edit button. The edit window will appear for you to modify the corresponding settings for the selected profile.
  • Page 357 Item Description Profile Type the name of the profile (e.g., LB_Pool_1, within 10 characters including digit, letter, and underline). Mode Choose Load Balance or Failover. Load Balance • Interface – Choose VPN profile(s) as the interface. Note: Only the VPN profiles with GRE function enabled will be listed and selected as Interface setting.
  • Page 358 To build VPN load balance connection with other router, you can define the load balance rule in this page. Each item will be explained as follows: Item Description Add a new profile. Edit Modify the selected profile. To edit a profile, simply select the one you want to modify and click the Edit button.
  • Page 359 Destination Port Start Display the start point specified in the Dest Port Range for this entry. Destination Port End Display the end point specified in the Dest Port Range for this entry. Load Balance Pool Display the selection of load balance pool. Open VPN and Remote Access >>VPN TRUNK Management and click the Load Balance Rule tab.
  • Page 360: Connection Management

    Load Balance Pool Use the drop down list to choose one profile configured in load balance pool. Then, such rule will be applied by the pool. Apply Click it to save the configuration. Cancel Click it to exit the page without saving the configuration. Enter all the settings and click Apply.
  • Page 361 Remote IP Display the remote IP configured by the VPN profile. Virtual Network Display the virtual network established by such VPN profile. Up Time Display the connection time of this VPN tunnel. RX (Packets) Display the total received packets through this VPN. TX (Packets) Display the total transmitted packets through this VPN.
  • Page 362: Certificate Management

    A digital certificate works as an electronic ID, which is issued by a certification authority (CA). It contains information such as your name, a serial number, expiration dates etc., and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real.
  • Page 363: Local Certificate

    This page allows users to generate certificate based on different work requests. Local certificate can be signed by itself or signed by a root CA (e.g., root CA on Vigor3900). Each item will be explained as follows: Item Description Upload Click this button to open the following dialog to upload selected certificate onto the router.
  • Page 364 Delete Remove the selected item of Trusted CA listed below. Download Allow you to download an existing CA certificate to the router. Generate Open another web page for generating the local certificate. Name Display the name of trusted CA built. Subject Display the subject of the trusted CA built.
  • Page 365 ID Type The ID type for such certificate. There are four types: Domain Name: Certificated by domain name. IP: Certificated by IP address. Email: Certificated by email address. None: Do not enter an ID value. ID Value The ID value is determined by the ID Type selected for such certificate.
  • Page 366 If you have already gotten a certificate from a third party, you may import it directly. The supported types are PKCS12 Certificate and Certificate with a private key. Open Certificate Management>> Local Certificate. Specify a certificate and click the Download button. Click Save.
  • Page 367 Choose Local Certificate and click the Select button to open the following dialog. From the above dialog, choose the certificate you want and click Open. The dialog box with the selected certificate file name will be shown as follows. Click Upload. The system will start to upload the selected file.
  • Page 368: Trusted Ca Certificate

    This page allows you to build a RootCA certificate for Vigor3900. RootCA can be deleted but not edited. If you want to modify the settings for a RootCA, please delete the one and create another one by clicking Build RootCA. Each item will be explained as follows: Item Description...
  • Page 369 Vigor router. Delete Remove the selected item of trusted CA listed below. Download Allow you to download an existing trusted CA certificate to the router. Build RootCA Allow to create a new CA certificate as Root CA. Name Display the name of trusted certificate built. Subject Display the subject of trusted certificate built.
  • Page 370 Organization Type the name of the organization. Locality (City) Type the name of the city for such certificate. State/Province Type the name of the state / province for such certificate. Common Name Type the common name for such certificate. Email Address Type the e-mail address for such certificate.
  • Page 371: Remote Certificate

    Vigor3900, as a Root CA, can sign any certificate coming from end users locally or remotely. The selected user-defined certificate must be uploaded to Root CA. Also, the processing result will be displayed on this page. Each item will be explained as follows: Item Description Upload...
  • Page 372: Ssl Proxy

    The profiles configured under such menu will be applied by User Management>>User Profiles for performing SSL VPN. SSL Web Proxy will allow the remote users to access the internal web sites over SSL. Each item will be explained as follows: Item Description Add a new profile.
  • Page 373 Host IP Address Display the IP address for the Host. Open SSL Proxy >> SSL Web Proxy. Simply click the Add button. The following dialog will appear. Available parameters are listed as follows: Item Description Profile Type the name of the profile. Type the address (function variation or IP address) or path of the proxy server.
  • Page 374: Ssl Application

    It provides a secure and flexible solution for network resources, including VNC (Virtual Network Computer) /RDP (Remote Desktop Protocol), to any remote user with access to Internet and a web browser. VNC stands for Virtual Network Computing. It allows you to access and control a remote PC through VNC protocol.
  • Page 375 Simply click the Add button. The following dialog will appear. Available parameters are listed as follows: Item Description Profile Type the name of the profile that you create. IP Address Type the IP address for this protocol. Port Specify the port used for this protocol. The default setting is 5900.
  • Page 376 RDP stands for Remote Desktop Protocol. It allows you to access and control a remote PC through RDP protocol. Each item will be explained as follows: Item Description Add a new profile. Edit Modify the selected profile. To edit a profile, simply select the one you want to modify and click the Edit button.
  • Page 377 Available parameters are listed as follows: Item Description Profile Type the name of the profile that you create. IP Address Type the IP address for this protocol. Port Specify the port used for this protocol. Screen Size Choose the screen size for such application. Apply Click it to save the configuration.
  • Page 378: Online User Status

    If you have finished the configuration of SSL Web Proxy (server), users can find out corresponding settings when they access into DrayTek SSL VPN portal interface. Each item will be explained as follows: Item Description Auto Refresh Specify the interval of refresh time to obtain the latest status.
  • Page 379: Central Vpn Management

    Vigor3900 can build virtual private network (VPN) between itself and any other TR-069 CPE by the function of central VPN management. In addition, it can be treated as a server (called CVM server) which can manage TR-069 CPE for periodical firmware upgrade, configuration backup and restoring configuration.
  • Page 380 Password Type a password which will be used by any CPE trying to connect to the Vigor router. Polling Status Enable – Click it to enable the polling function. Disable – Click it to disable the polling function. Polling Interval Type the time value (unit is seconds). The range is from 60 ~ 86400.
  • Page 381: Cpe Management

    Apply Click it to save the configuration. Cancel Click it to discard the settings configured in this page. All the CPEs managed by Vigor3900 can be seen with icons from this page. This page allows you to manage the CPEs connected to Vigor3900. • ...
  • Page 382 Managed Devices Status This area displays icons for the CPE managed by Vigor3900. Edit – To modify the name and location of specific CPE, click the one you want and click the Edit button. A pop up window will appear. Simply change the name (for identification) and/or location manually.
  • Page 383 Edit – To modify existed profile, choose the one you want to change and click this button to open the pop up window. Delete – To discard any existed profile, simply choose one you want and click this button to delete the profile. Refresh –...
  • Page 384 Filename – Display the filename of the firmware. Status – Display current status of the profile has been finished or not. Refer to sections “3.7 How to manage the CPE (router) through Vigor3900?” and “3.9 How to upgrade CPE firmware through Vigor3900?” for more detailed information. Follow the steps below to create a new maintenance profile.
  • Page 385 specify another name for the device additionally. Name Display the name (can be modified by the administrator) of the device. Action There are three actions for you to choose for such profile. Firmware Upgrade – It means such profile will be used for firmware upgrade.
  • Page 386 restore. Apply Click it to save and exit the dialog. Cancel Click it to exit the dialog without saving anything. Enter all the settings and click Apply. A new maintenance profile has been created. An easy method is offered to configure VPN settings for building VPN connection between Vigor3900 (treated as VPN server) and other Vigor router (treated as CPE device, i.e., VPN client).
  • Page 387 PPTP To build a quick VPN connection with PPTP, simply click the remote CPE (waiting for the icon to be bigger) first and then click it. If the connection is built successfully, a green line will appear. IPsec To build a quick VPN connection with IPsec, simply click the remote CPE (waiting for the icon to be bigger) first and then click it.
  • Page 388 Delete – Click it to delete the profile. The VPN between the router and the client might not be guaranteed. Refresh – Click it to refresh current page. Profile – Display of the profile used now. Device – Display the name of the CPE connected to Vigor router via VPN.
  • Page 389: Log/Alert

    To display the location of the selected CPE with a bird’s eye view, open Central VPN Management>>CPE Management and click the tab of Map. The Log page offers brief information to identify the CPE connected to Vigor3900.
  • Page 390 The Alert page offers brief information to identify the CPE connected to Vigor3900.
  • Page 391: Bandwidth Management

    Below shows the menu items for Bandwidth Management. The QoS (Quality of Service) guaranteed technology in the Vigor router allows the network administrator to monitor, analyze, and allocate bandwidth for various types of network traffic in real-time and/or for business-critical traffic. Thus, timing-sensitive applications will not be impacted by web surfing traffic or other non-critical applications, such as file transfer.
  • Page 392 This page displays current software QoS status and allows you to edit related settings, including bandwidth, queue (high, medium, normal and low) for each QoS WAN. Available parameters are listed as follows: Item Description Edit Modify the selected profile. To edit a profile, simply select the one you want to modify and click the Edit button.
  • Page 393 The QoS settings page appears. Available parameters are listed as follows: Item Description QoS WAN Use the drop down list to set WAN interface for QoS by choosing one of the WAN interfaces. Status Enable – Click it to enable such profile. Disable –...
  • Page 394 High/Medium/Normal/Low There are several available outgoing queues. All queues in the data group to be initialized with weights of zero, resulting in a strict service to completion (STC) mechanism across all queues. Type the weight of queues in bytes, range from 0 to 1000000.
  • Page 395: Qos Rule

    Normal/Low data group to be initialized with weights of zero, resulting in a strict service to completion (STC) mechanism across all queues.0. Type the weight of queues in bytes, range from 0 to 1000000. Apply Click it to save and exit the dialog. Cancel Click it to exit the dialog without saving anything.
  • Page 396 Enable Display the status of the profile. False means disabled; True means enabled. Local IP Object Display the source IP address for the filter. Display the destination IP address for the filter. Remote IP Object Service Type Display the service type (e.g., IKE, HTTP, AUTH and etc) for the filter.
  • Page 397 It is available when DSCP is selected as the Match type. DSCP It is available when TOS is selected as the Match type. Traffic Class Choose the traffic class to categorize the packets matching the condition configured above. High is the highest; Normal is the lowest.
  • Page 398 Profile – Type a new name for such IP object. Address Type – Choose the address type (Single or Range) for such rule. Each type will bring different settings for configuration. Start IP Address - Type the IP address of the starting point for such profile.
  • Page 399 Type. Subnet Mask – Choose the subnet mask from the drop down list if you choose Subnet as Address Type. Service Type Service Type - Choose one of the service types from the drop down list. If you want to create a new service type, simply click open the following dialog.
  • Page 400 When this feature is enabled, the VoIP SIP/UDP packets will be sent with highest priority during the process of data transmission. Each item will be explained as follows: Item Description Enable Enable - Click it to enable VoIP QoS function. SIP UDP Port Set a port number used for SIP.
  • Page 401 Packets coming from LAN IP can be retagged through QoS setting. When the packets are sent out through the WAN interface, all of them will be tagged with a certain header so that they can be easily identified by the server on the ISP side. Each item will be explained as follows: Item Description...
  • Page 402: Sessions Limit

    A PC with a private IP address can access the Internet via a NAT router. The router will generate records of NAT sessions for such connections. P2P (Peer to Peer) applications (e.g., BitTorrent) always need many sessions for processing, and they can occupy so many resources that important accesses are impacted.
  • Page 403 Source IP Object Display the source IP object profile name. Source IP Group Display the source IP group profile name. Time Object If no time schedule is set, None will be shown in this field. Time Group Display the Time group profile selected for such application profile.
  • Page 404 Available parameters are listed as follows: Item Description Profile Type the name of the profile. Enable Check this box to enable such profile. Max Sessions Defines the available session number for each host in the specific range of IP addresses. If you do not set the session number in this field, the system will use the default session limit for the specific limitation you set for each index.
  • Page 405: Bandwidth Limit

    The downstream or upstream traffic from FTP, HTTP or some P2P applications can occupy a large amount of bandwidth and affect other programs. Please use Limit Bandwidth to make the bandwidth usage more efficient. In the Bandwidth Management menu, click Bandwidth Limit to open the web page. Each item will be explained as follows: Item Description...
  • Page 406 profile. Source IP Object Display the source IP object profile name. Source IP Group Display the source IP group profile name. Time Object If no time schedule is set, None will be shown in this field. Time Group Display the Time group profile selected for such application profile.
  • Page 407 Open Bandwidth Management>>Bandwidth Limit. Simply click the Add button. The following dialog will appear. Available parameters are listed as follows: Item Description Profile Type the name of the profile. Check this box to enable such profile. Enable TX Limit(Kbps) Define the limitation for the speed of the upstream. If you do not set the limit in this field, the system will use the default speed for the specific limitation you set for each index.
  • Page 408 general target Time Object - Click the triangle icon to display the profile selection box. Choose a schedule object profile to be applied on such rule. You can click to create another new time object profile. Time Group - Click the triangle icon to display the profile selection box.
  • Page 409: Usb Application

    By way of Vigor router, clients on LAN can access, write and read data stored in USB storage disk with different applications. After setting the configuration in USB Application, you can type the IP address of the Vigor router and username/password created in User Management>>User Profile on the client software.
  • Page 410: Ftp Server

    Size Display the total disk capacity of the USB device. Free Capacity Display the remaining disk space of the USB device. Status Display the status of the USB device. At present, FAT, EXT2, EXT3 USB format can be supported by Vigor router. If such USB is inserted into the (Remove Icon) USB slot, the Status field will display “In Use”...
  • Page 411: Temperature Sensor

    IP and the FTP server. The default setting is “10”. A USB Thermometer is now available that complements your installed DrayTek router installations that will help you monitor the server or data communications room environment and notify you if the server room or data communications room is overheating.
  • Page 412 Below shows an example of temperature graph: Available settings are explained as follows: Item Description Enable Temperature Check this box to enable such function. Sensor Display Unit Choose Celsius or Fahrenheit as the display unit. Temperature Alert Lower Type the upper limit and lower limit for the system to limit / Temperature Alert send out temperature alert.
  • Page 413: Modem Support List

    Interval temperature alert will be sent per minute. Apply Click it to save the configuration and exit the dialog. Cancel Click it to exit the dialog without saving the configuration. Enter all of the settings and click Apply. Such page provides the information about the brand name and model name of the USB modems which are supported by Vigor router.
  • Page 414: System Maintenance

    For the system setup, there are several items you need to know how to configure: Status, Administrator Password, Configuration Backup, Syslog/Mail Alert, Time and Date, Access Control, SNMP Setup, Reboot System, and Firmware Upgrade. The menu items for System Maintenance are shown below. This device supports the TR-069 standard.
  • Page 415 WANs connection when the original WAN interface fails. ACS Server URL/ Such data must be typed according to the ACS (Auto ACS Server Username / Configuration Server) you want to link. Please refer to Auto ACS Server Password Configuration Server user’s manual for detailed information. Last Inform Response Display the response time informed by VigorACS.
  • Page 416: Administrator Password

    This page allows you to set a new password for accessing the web user interface of the router. Each item will be explained as follows: Item Description Original Password Type the old password. New Password Type the new password. Confirm Password Re-type the new password for confirmation.
  • Page 417: Configuration Backup

    Most of the settings can be saved locally as a configuration file, and can be applied to another router. The router supports functions of restore and backup for the configuration file. Each item will be explained as follows: Item Description Encrypt None –...
  • Page 418 Config File Name Display the default configuration file name. You can change the name if required. Backup Execute the file downloading job to the computer. Each item will be explained as follows: Item Description Decrypt Config Check this box to decrypt an encrypted configuration file. You can specify a password for decrypting the file for restoring it for use next time.
  • Page 419: Syslog / Mail Alert

    The SysLog function is provided for users to monitor the router. There is no need to log in to the Web User Interface of the router or borrow debugging equipment. This page displays all the operation logs for the router. Available parameters are listed as follows: Item Description Refresh...
  • Page 420 Available parameters are listed as follows: Item Description Status Choose one of the selections to determine current status for Syslog access. If you choose Local as Status, you don’t need to type any server IP and port. Just give a name for the router.
  • Page 421 Others Log Click Enable to make other logs recorded in the Syslog. Apply Click this button to save the configuration and exit the web page. Click it to discard the settings configured in this page. Cancel Enter all of the settings and click Apply. Available parameters are listed as follows: Item Description...
  • Page 422: Time And Date

    page. Cancel Click it to discard the settings configured in this page. Enter all of the settings and click Apply. This page allows you to specify where the time of the router should be inquired from. As an NTP (Network Time Protocol) client, the router gets standard time from the time server.
  • Page 423: Access Control

    This page allows you to open or close access to the Web User Interface of Vigor3900 through Telnet, SSH, HTTP, HTTPS, etc. Available parameters are listed as follows: Item Description Enable – Vigor router will auto logout based on the Default: Disable specified time setting (e.g., 1, 3, 5 and 10 minutes).
  • Page 424 HTTPS server and manage the web page of the router. FTP Allow Click Enable to allow the system administrator to log in from the FTP server and manage the web page of the router. Server Certificate Use the default setting. Access List Click Enable to allow the system administrator to log in from the user defined IP address and manage the web page of the router.
  • Page 425 server. HTTPS Port Type the port number for the management through HTTPS server. FTP Port Type the port number for the management through FTP server. Apply Click this button to save the configuration and exit the web page. Cancel Click it to discard the settings configured in this page. Enter all of the settings and click Apply.
  • Page 426 is allowed to log in to Vigor router again. Disable - Disable the function of Fail to Ban for Web UI/SSH/FTP/TELNET/PPTP/SSL. Apply Click this button to save the configuration. Click it to discard the settings configured in this page. Cancel This page is used to configure the access barrier to protect the system from brute-force and flooding attacks, and ensure the following protocols can run properly.
  • Page 427: Snmp Setup

    This page allows you to manage the settings for SNMP setup. SNMPv3 is more secure than SNMP because it provides an encryption method (supporting AES and DES) and an authentication method (supporting MD5 and SHA) for management needs. Of the supported options, AES and SHA are the stronger choices. Available parameters are listed as follows: Item Description Enable SNMP...
  • Page 428: Reboot System

    Privacy Algorithm (Min. Choose one of the methods listed below as the privacy Length:8) algorithm. Type a password for privacy. The maximum length of the Privacy Password text is limited to 23 characters. Apply Click this button to save the configuration and exit the web page.
  • Page 429 Reboot with Customized Click it to reboot the router using the current configuration Configurations (only the configuration settings listed and selected below). If you choose this option, Select Config File will be available for you to select. After choosing the configuration files, click Reboot. Reboot Click this button to execute the rebooting job.
  • Page 430 and click the Edit button. The edit window will appear for you to modify the corresponding settings for the selected profile. Delete Remove the selected profile. To delete a rule, simply select the one you want to delete and click the Delete button. Refresh Renew current web page.
  • Page 431: Firmware Upgrade

    The following web page will guide you to upgrade firmware by using such page. Download the newest firmware from DrayTek's web site or FTP site. The DrayTek web site is www.DrayTek.com (or local DrayTek's web site) and the FTP site is ftp.DrayTek.com.
  • Page 432 Use the Select button to locate and select the new firmware. Upgrade Click it to perform the firmware upgrade. By clicking Check Update/Install Update, Vigor router can download/upgrade firmware directly from website (http://www.draytek.com.tw/ftp) automatically. Available parameters are listed as follows: Item Description...
  • Page 433: App Signature Upgrade

    The APP object profile adopted by Vigor router will be treated as the APP signature. DrayTek will periodically upgrade versions for all of the APPs supported by Vigor router. However, it might be inconvenient for users to upgrade the APP version one by one. This feature is specially designed to offer a quick method to execute APP version upgrade.
  • Page 434 (Vigor router) automatically. Install Update –If the signature information stored on MyVigor server (myvigor.draytek.com or myvigoreu.draytek.com) is newer than the version used by the host (Vigor router), then the system will install the newest signature version information automatically. Choose the condition to execute APP signature upgrade or Mode send a notification.
  • Page 435: App Support List

    Server Choose a proper server for signature upgrade from the drop down list. At present, only two servers (myvigor.draytek.com or myvigoreu.draytek.com) are supported. Syslog Check the box to record related information on Syslog. APP Support List displays all of the applications with versions supported by Vigor router.
  • Page 436: Diagnostics

    In some cases, a user may need to know some information about the router, such as static or dynamic databases, or other routing information. The Vigor3900 supports five functions, Routing Table, ARP Cache Table, DHCP Assignment Table, Sessions Table and Traffic Graph for the user to review such information.
  • Page 437 Destination Display the destination IP address for various routings. Gateway Display the default gateway. Genmask Display the subnet mask for various routings. Display the flag of the routing entry. Possible flags include: Flags U (route is up) H (target is a host) G (use gateway) R (reinstate route for dynamic routing) D (dynamically installed by daemon or redirect)
  • Page 438 Display the information for each route with IPv6 protocol. Each item will be explained as follows: Item Description Refresh Renew the web page. Search Move the mouse cursor onto the box of Search. Click the mouse button and type the keyword inside the box. The system will display the records relating to the keyword.
  • Page 439: Arp Cache Table

    Metric Display the distance to the target (usually counted in hops). It may be needed by routing daemons. Iface Display the direction of such route represented with LAN/WAN profile (starting from LAN/WAN profile to LAN/WAN profile). Click Diagnostics and click ARP Cache Table to view the content of the ARP (Address Resolution Protocol) cache held in the router.
  • Page 440 Item Description HW type Display the hardware type of the address from RFC 826. MAC Address Display the MAC address for different ARP cache. Flags C means complete entry. M means permanent entries. P means published entries. Profile Display the direction of such route represented with LAN/WAN profile (starting from LAN/WAN profile to LAN/WAN profile).
  • Page 441 Item Description Profile Display the interface to which this neighbor is attached. MAC Address Display the MAC address of the neighbor. Status Display the status for such neighbor. INCOMPLETE - Address resolution is in progress and the link-layer address of the neighbor has not yet been determined.
  • Page 442: Dhcp Table

    The facility provides information on IP address assignments. This information is helpful in diagnosing network problems, such as IP address conflicts, etc. Click Diagnostics and click DHCP Table to open the web page. Each item will be explained as follows: Item Description Refresh...
  • Page 443 Click DHCPv6 Table to open the web page. Each item will be explained as follows: Item Description Refresh Renew the web page. Search Move the mouse cursor onto the box of Search. Click the mouse button and type the keyword inside the box. The system will display the records relating to the keyword.
  • Page 444: Session Table

    This table can display about 30000 sessions with 20 pages. Each item will be explained as follows: Item Description Refresh Renew the web page. Search Move the mouse cursor onto the box of Search. Click the mouse button and type the keyword inside the box. The system will display the records relating to the keyword.
  • Page 445: Traffic Graph

    Click Diagnostics and click Traffic Graph to open the web page. Choose the Setup tab to specify LAN and WAN profiles to display corresponding graphs for CPU, Memory, LAN, WAN configurations and session. Click Refresh to renew the graph at any time. Each item will be explained as follows: Item Description...
  • Page 446 Item Description Click the LAN tab. Network Interface – Display the information of LAN operation. There are three selections provided for you to specify. Recent 24 Hours – Display the information of LAN operation about recent 24 hours. Recent 7 Days – Display the information of LAN operation about recent 7 days.
  • Page 447: Web Console

    Click Diagnostics and click Web Console to open the web page for typing commands used in console connection. A remote user can operate Vigor3900 from this web page without installing and opening other connection utility. This page allows you to trace the routes from router to the host. Simply type the IP address of the host in the box and click Start.
  • Page 448: Data Flow Monitor

    This page displays the running procedure for the IP address monitored and refreshes the data in an interval of several seconds. Each item will be explained as follows: Item Description Enable Dataflow Check this box to enable dataflow monitor performed by the Monitor router.
  • Page 449: User Status

    IP Address Display the IP address of the monitored device. TX rate (kbps) Display the transmission speed of the monitored device. RX rate (kbps) Display the receiving speed of the monitored device. Sessions Display the session number that you specified in Limit Session web page.
  • Page 450: External Devices

    You can change the device name if required or remove the information for off-line device whenever you want. Note: Only DrayTek products can be detected by this function.
  • Page 451: Product Registration

    Please refer to section 2.3 Register Vigor Router for more detailed information.
  • Page 453: Chapter 5: Trouble Shooting

    This section will guide you to solve abnormal situations if you cannot access the Internet after installing the router and finishing the web configuration. Please follow sections below to check your basic installation status stage by stage. Checking if the hardware status is OK or not. ...
  • Page 454 The example is based on Windows XP. As to the examples for other operating systems, please refer to the similar steps or find support notes in www.draytek.com. Open All Programs>>Getting Started>>Control Panel. Click Network and Sharing Center. In the following window, click Change adapter settings.
  • Page 455 Select Internet Protocol Version 4 (TCP/IP) and then click Properties. Select Obtain an IP address automatically and Obtain DNS server address automatically. Finally, click OK.
  • Page 456 Double click on the current used Mac OS on the desktop. Open the Application folder and get into Network. On the Network screen, select Using DHCP from the drop down list of Configure IPv4.
  • Page 457: Pinging The Router From Your Computer

    The default gateway IP address of the router is 192.168.1.1. For some reason, you might need to use “ping” command to check the link status of the router. The most important thing is that the computer will receive a reply from 192.168.1.1. If not, please check the IP address of your computer.
  • Page 458: Checking If The Isp Settings Are Ok Or Not

    Open Online Status to check current network status. Be careful to check if the settings coming from your ISP have been typed correctly or not.
  • Page 459: Backing To Factory Default Setting If Necessary

    If there is something wrong with the configuration, please go to WAN page and choose General Setup again to modify the WAN connection. Sometimes, a wrong connection can be improved by returning to the default settings. Try to reset the router by software or hardware. Warning: After pressing factory default setting, you will lose all settings you did before.
  • Page 460: Contacting Draytek

    If the router settings are all correct and the router still does not connect to the Internet, please contact your ISP technical support representative for help with configuration. Also, if the router still cannot work correctly, please contact your dealer for help. For any further questions, please send e-mail to support@draytek.com.
