Page 1 Vigor2136 Series Gigabit Broadband Router User’s Guide Version: 1.0 Firmware Version: V5.3.0 Date: November 6, 2024...
Page 2 Web registration is preferred. You can register your Vigor router via https://myvigor.draytek.com. Owner Firmware & Tools Due to the continuous evolution of DrayTek technology, all modems will be regularly upgraded. Please consult the DrayTek web site for more information on newest firmware, tools and documents. Updates https://www.draytek.com...
Page 3 Table of Contents Chapter I Installation ................................. IX I-1 Introduction ....................................1 I-1-1 LED Indicators and Connectors for Vigor2136 ......................1 I-1-2 LED Indicators and Connectors for Vigor2136ax ....................3 I-2 Hardware Installation ................................... 5 I-2-1 Network Connection ..............................5 I-2-2 Wall-Mounted Installation ............................
Page 4 II-1-7-1 General Setup ..............................85 II-1-7-2 RIP Network ..............................87 II-1-7-3 RIPng Network ..............................88 II-1-8 BGP .................................... 90 II-1-8-1 General Setup ..............................90 II-1-8-2 IPv4 Neighbors ..............................91 II-1-8-3 IPv4 Networks ..............................93 II-1-8-4 IPv6 Neighbors ..............................94 II-1-8-5 IPv6 Networks ..............................95 II-1-9 OSPF ..................................
Page 5 II-1-17-3 External TACACS+ ............................149 II-1-18 Certificates ................................151 II-1-18-1 Local Certificates ............................151 II-1-18-2 Trusted CA ..............................154 II-1-18-3 Local Services ............................... 157 II-1-18-4 Backup & Restore ............................158 II-2 Security ..................................... 159 II-2-1 Firewall Filters ................................ 159 II-2-1-1 IP Filters................................160 II-2-1-2 Content Filters ..............................
Page 6 II-6-3 Port Profile ................................243 II-6-4 Maintenance ................................251 Chapter III Management ..............................253 III-1 System Maintenance ................................254 III-1-1 Device Settings ..............................254 III-1-1-1 Time ................................254 III-1-1-2 Device Name ..............................256 III-1-1-3 Syslog ................................256 III-1-1-4 SNMP ................................257 III-1-2 Management .................................
Page 7 V-3 Pinging the Device .................................. 300 V-3-1 For Windows ................................300 V-3-2 For Mac Os (Terminal) ............................300 V-4 Backing to Factory Default Setting ............................302 V-4-1 Software Reset ............................... 302 V-4-2 Hardware Reset ..............................303 V-5 Contacting DrayTek ................................304...
Page 8 VIII...
Page 9 Chapter I Installation...
Page 11 I-1 Introduction This is a generic International version of the user guide. Specification, compatibility and features vary by region. For specific user guides suitable for your region or product, please contact local distributor. I-1-1 LED Indicators and Connectors for Vigor2136 Before you use the Vigor modem, please get acquainted with the LED indicators and connectors first.
Page 12 Connectors Interface Explanation Factory Reset Restore the default settings. Usage: Turn on the router (ACT LED is blinking). Press the hole and keep for more than 5 seconds. When you see the ACT LED begins to blink rapidly than usual, release the button. Then the router will restart with the factory default configuration.
Page 13 I-1-2 LED Indicators and Connectors for Vigor2136ax Status Explanation Blinking The router is powered on and running normally. When both ACT and WLAN LEDs blink quickly, it means Blinking the WPS function is enabled and active. The system is (quickly) (Activity) waiting for a wireless station of connection.
Page 14 Connectors Interface Explanation Wireless LAN WLAN On - Press the button and release it within 2 seconds. When the ON/OFF/WPS wireless function is ready, the green LED will be on. WLAN Off - Press the button and release it within 2 seconds to turn off the WLAN function.
Page 15 I-2 Hardware Installation This section will guide you to install the Vigor2136 through a hardware connection and configure the device’s settings through the web browser. I-2-1 Network Connection Connect the cable Modem/DSL Modem/Media Converter to any WAN port of router with Ethernet cable (RJ-45).
Page 16 I-2-2 Wall-Mounted Installation Drill the holes on the wall according to the recommended instruction. Fit screws into the wall using the appropriate type of wall plug. Step 4  Note The recommended drill diameter shall be 6.5mm (1/4”). When you finished the above procedure, the modem has been mounted on the wall firmly.
Page 17 I-3 Accessing to Web User Interface All functions and settings of this access point must be configured via the web user interface. Please start your web browser (e.g., Firefox). Make sure your PC connects to the Vigor router correctly. Open a web browser on your PC and type http://192.168.1.1. A pop-up window will open to ask for a username and password.
Page 18 Next, the page will appear to guide you change the login password. You MUST change the login password before accessing the web user interface. Please set a new password for network security. After clicking Apply, the Main Screen will pop up. The web page can be logged out by clicking Log Out on the top right of the web page.
Page 19 Logout, which means the web configuration system will log out after 5 minutes without any operation. Change the setting of auto-logout if you want.  Note: For using the device properly, it is necessary for you to change the password of web configuration for security and adjust primary basic settings.
Page 20 I-4 Dashboard Dashboard shows port status, LAN status, system status, LAN/WAN Usage and DSL information. Click Dashboard from the main menu on the left side of the main page.  Note: Switch these two icons by click the mouse cursor on them. - means “Enable”.
Page 21 Chapter II Connectivity...
Page 22 II-1 Configuration II-1-1 Physical Interface Configure the general settings for available interfaces. Open Configuration >> Physical Interface. Available settings are explained as follows: Item Description Ethernet Interface Displays the available interfaces of this device. Function Displays the type (WAN or LAN) of the interface. Except Ethernet WAN is fixed to WAN, Port 1 can be set as WAN or LAN to meet different requirements.
Page 23 For Port 2 to Port 4 Port speed capabilities: Auto negotiation - Auto speed with all capabilities. 2.5G - Force speed with 2.5G ability. 1G - Force speed with 1G ability. 10M half duplex - Force speed with 10M ability. 10M full duplex - Force speed with 10M ability.
Page 24 II-1-2 WAN II-1-2-1 WAN Connections This page is to configure the general settings for WAN connection. Available settings are explained as follows: Item Description Name Displays the name of the interface. Enabled Displays if the WAN interface is enabled or disabled. Mode Displays if the WAN interface is primary or failover interface.
Page 25 For Physical Type with Ethernet Ethernet WAN and Port 1 can be configured as the WAN interfaces. WAN connections for these two ports can be configured separately. Click the Edit link for WAN1 or WAN2 (LAN port 1) to open the following page. Available settings are explained as follows: Item Description...
Page 26 VLAN Settings Customer VLAN Switch the toggle to enable or disable the function of VLAN with tag. If enabled, enter the values for the tag and priority. Tag - Enter the value as the VLAN ID number. The range is from 0 to 4094.
Page 27 connection is deemed to have failed. If you choose Ping Detect as the detection mode, you have to enter required settings for the following items. Ping Gateway IP - Switch the toggle to enable/ use the current  WAN gateway IP address for pinging. With the IP address(es) pinging, Vigor router can check if the WAN connection is on or off.
Page 28 use TSPC for network connection. TSPC would connect to tunnel broker and requests a tunnel according to the specifications inside the configuration file. It gets a public IPv6 IP address and an IPv6 prefix from the tunnel broker and then monitors the state of the tunnel in background.
Page 29 Displays the MAC address of this device. Cancel Discard current settings and return to previous page. Apply Save the current settings and exit the page. After finishing this web page configuration, please click Apply to save the settings.
Page 30 For Physical Type with Wireless 2.4GHz When Wireless 2.4G is selected as Physical Type, WAN interface uses wireless station mode to access Internet. The Router acts as a 2.4GHz wireless station and connects to the specific Wireless Click the Edit link for WAN3 or WAN4 to open the following page. Available settings are explained as follows: Item Description...
Page 31 configure. WPA3 Personal – The Router connects to the wireless AP as a WPA3 client and the encryption key should be entered in PSK. WPA2 Personal – The Router connects to the wireless AP as a WPA2 client and the encryption key should be entered in PSK. OPEN –...
Page 32 Maximum Transmission Unit, the size of the largest packet, in bytes, that can be transmitted to the WAN. The maximum value is 1500. For PPPoE connections, there is always an 8-byte overhead, so the maximum valid MTU value for PPPoE is 1492. WAN MAC Address Mode Default –...
Page 33 Interface 5GHz for WAN4. IPv4 IPv4 Connection Type It is available when Both or IPv4 is selected as IP Version. DHCP – The router receives IP configuration information from a DHCP server. WAN DNS - Select Auto or Manual.  If Manual is selected, specify the primary and secondary DNS servers.
Page 34 Maximum Transmission Unit, the size of the largest packet, in bytes, that can be transmitted to the WAN. The maximum value is 1500. For PPPoE connections, there is always an 8-byte overhead, so the maximum valid MTU value for PPPoE is 1492. WAN MAC Address Mode Default –...
Page 35 location of the modem connected. USB/LTE Settings USB Mode DHCP – Dynamic Host Configuration Protocol is used to establish a connection. PPP - Point-to-Point Protocol is used to establish a connection. USB/SIM1 PIN Code PIN code of the SIM card in the modem. The maximum length of the PIN is 15 characters.
Page 36 WAN gateway IP address for pinging. With the IP address(es) pinging, Vigor router can check if the WAN connection is on or off. TTL –Time To Live, the maximum allowed number of hops to the  ping destination. Valid values range from 1 to 255. Ping Interval (Sec, 10-3600) –...
Page 37 +Add Click to bring up the configuration page of the virtual WAN profile (max. 5). To add a new virtual WAN, click the +Add link to get the following page. Available settings are explained as follows: Item Description Advanced Mode: Click to show or hide the advanced settings for virtual WAN.
Page 38 multicast packet. The range is from 0 to 4094. Upstream IGMP VLAN Tag – Enter the value for tagging the IGMP packet. The range is from 0 to 4094. VLAN Settings Customer VLAN It is available when a WAN Type is selected. Switch the toggle to enable or disable the function of VLAN with tag.
Page 39 II-1-2-3 Dynamic DNS Most ISPs assigns dynamic WAN IP addresses to their customers. Dynamic IP addresses presents challenges to users who would like to accept remote connections to their LANs from the Internet, as service could be disrupted due to the IP address changing without notice. By setting up service with a Dynamic DNS (DDNS) provider, and configuring Dynamic DNS updates on the Vigor router, you can have reliable access to your network by means of an easy-to-remember domain address that resolves to the most current WAN IP address.
Page 40 Available settings are explained as follows: Item Description Name Enter a name as the profile name. Enabled Switch the toggle to enable or disable the function. Service Provider Select the DDNS provider. If your DDNS provider is not listed, select User-Defined and manually configure the profile.
Page 41 Save the current settings and exit the page. After finishing this web page configuration, please click Apply to save the settings. DrayDDNS Settings DrayDDNS, a DDNS service developed by DrayTek, can record multiple WAN IP (IPv4/IPv6) on single domain name. It is convenient for users to use and easily to set up with MyVigor.
Page 42 The online status of a WAN interface changes (going from online to offline or vice versa).  The DDNS function is changed from “disabled” to “enabled”.  A DDNS entry is modified and enabled.  The Auto Update Interval has elapsed. ...
Page 43 II-1-2-4 WAN Budget This function is used to determine the data traffic volume for each WAN interface respectively to prevent overcharges for data transmission by the ISP. Please note that the Quota Limit and Billing cycle day of month settings will need to be configured correctly first in order for some period calculations to be performed correctly.
Page 44 Available settings are explained as follows: Item Description Enabled Switch the toggle to enable or disable the profile. When enabled, the WAN Budget is enabled for this WAN. Quota Enter the data traffic quota allowed for such WAN interface. There are two unit (MB and GB) offered for you to specify.
Page 45 II-1-2-5 DHCP Options DHCP packets can be processed by adding option number and data information when this function is enabled and configured. This page allows to configure additional DHCP client options. To add/edit a profile, click the +Add/Edit link to get the following page. Available settings are explained as follows: Item Description...
Page 46 Hexadecimal Digit: A hexadecimal string. Valid characters are from  0 to 9 and from a to f. Example: 2f70617468. Address List: One or more IPv4 addresses, delimited by commas.  Data Enter the content of the data to be processed by the function of DHCP option.
Page 47 II-1-2-6 Failover This page allows to configure settings for failover WAN. When the primary WAN of the router goes down the other available WAN interfaces will take over for network connection sequentially. Available settings are explained as follows: Item Description Primary WAN Interface –...
Page 48 Profile. If enabled, the WAN connection detection defined in the WAN Connections Profile will be ignored. The router will measure the performance of interface members, and active interfaces will be determined using Link Health Check and Performance SLA. Interface Link Health & SLA – List the available WAN interfaces for setting different health check methods.
Page 49 By default, the system offers standard health check options such as Google DNS, CloudFlare DNS, and Quad9 DNS. Take Google DNS as an example. This profile indicates that primary/secondary IPv4 target (8.8.8.8/8.8.4.4) is used for checking IPv4 network connection, while primary/secondary IPv6 target (2001:4860:4860::8888, 2001:4860:4860::8844) is used for checking IPv6 network connection.
Page 50 HTTP Detect  Ping Detect  Primary IPv4 Target Enter the first IPv4 address as the primary target for health check. Secondary IPv4 Target Enter the second IPv4 address as the secondary target for health check. Primary IPv6 Target Enter the first IPv6 address as the primary target for health check. Secondary IPv6 Target Enter the second IPv6 address as the secondary target for health check.
Page 51 Available settings are explained as follows: Item Description Profile Name Enter a name as the Link Health Check profile. Jitter Switch the toggle to enable or disable the jitter function. Jitter Threshold - It defines the change rate of latency. For stable session, small jitter value will be better.
Page 52 II-1-2-9 PPPoE Pass Through The router offers PPPoE dial-up connection. Besides, you also can establish the PPPoE connection directly from local clients to your ISP via the Vigor router. According to the WAN Connection Type, this feature will encapsulate the PPPoE package of local clients and send it to the WAN Server. Thus, the PC can access Internet through such direction.
Page 53 II-1-3 LAN A LAN(Local Area Network) comprises a collection of LAN clients, which are networked devices on your premises. A LAN client can be a computer, a printer, a Voice-over-IP (VoIP) phone, a mobile phone, a gaming console, an Internet Protocol Television (IPTV), etc, and can have either a wired (using Ethernet cabling) or wireless (using Wi-Fi) network connection.
Page 54 DHCP clients, plus room for future expansion), and use addresses greater than 192.168.1.100 for static assignment.
Page 55 II-1-3-1 LANs This page provides you the general settings for LAN. Open Configuration>>LAN and click the LANs tab to open the following page. To add/edit a profile, click the +Add/Edit link to get the following page. Here, we take LAN1 as an example.
Page 56 IPv4 Display the status (enable/disable) of the profile. Usage Specify the IP forwarding method.  Routing  IPv6 Switch the toggle to configure / ignore the IPv6 settings. IPv4 IPv4 Address This is the IP address of the LAN interface (default: 192.168.1.1). Subnet Mask Select a subnet mask of the LAN interface.
Page 57 You must specify a DNS server IP address here because your ISP should provide you with usually more than one DNS Server. Secondary DNS - You can specify secondary DNS server IP address here because your ISP often provides you more than one DNS Server. DHCP Relay over WAN (Primary) –...
Page 58 DNS Configuration It is available when Stateless is selected as the IPv6 Assignment. DNS Assign Methods RA(RDNSS) – The DNS server used for hosts (e.g., PC) will be  configured via the Router Advertisement Configuration. Bit(DHCPv6) – The DNS server used for hosts will be configured ...
Page 59 Auto – LAN clients will be assigned ULAs using an  automatically-determined prefix. Manual – LAN clients will be assigned ULAs generated based on  the prefix manually entered. Router Advertisement The Advanced Settings page has additional settings for Router Configuration Advertisement and enabling multiple WANs for IPv6 traffic.
Page 60 To add/edit a profile, click the +Add/Edit link to get the following page. Available settings are explained as follows: Item Description Comments Enter a brief comment to identify this IP Address–MAC Address pair. MAC Address Enter the MAC address of the LAN client’s network interface. IP Address Enter the IP address to be associated with a MAC address.
Page 61 II-1-3-3 DHCP Options DHCP packets can be processed by adding option number and data information when such function is enabled and configured. To add/edit a profile, click the +Add/Edit link to get the following page. Available settings are explained as follows: Item Description Option Number...
Page 62 Data Enter the data in the Data field based on the data type selected. ASCII Character - A text string. Example: /path. Hexadecimal Digital - A hexadecimal string. Valid characters are from 0 to 9 and from a to f. Example: 2f70617468. Address List - One or more IPv4 addresses, delimited by commas.
Page 63 Available settings are explained as follows: Item Description Group Name Display the name for identification. Change the name if required. Enabled Switch the toggle to enable the settings. Selected LANs Select the box to link two or more different subnets (LAN and LAN). Cancel Discard current settings and return to the previous page.
Page 64 To add/edit a profile, click the +Add/Edit link to get the following page. Available settings are explained as follows: Item Description VLAN ID Enter a number as the VLAN Identifier. Valid values are form 0 to 4095. VIDs must be unique. Name Enter a name of the VLAN profile.
Page 65 II-1-3-6 Interface VLAN Port-based VLAN uses physical ports (P1 ~ P4) to separate the clients into different VLAN group. Virtual LAN function provides you a very convenient way to manage hosts by grouping them based on the physical port. The multi-subnet can let a small businesses have much better isolation for multi-occupancy applications.
Page 66 II-1-3-7 LAN Port 802.1x Wired 802.1X provides authentication for clients wishing to connect to the LAN by Ethernet. Only one client can be authenticated on each LAN port. Available settings are explained as follows: Item Description Enabled LAN 802.1X Switch the toggle to enable or disable LAN 802.1x function. Port Name Display the name of the physical LAN port.
Page 67 II-1-4 DNS DNS stands for Domain Name System. Every Internet host must have a unique IP address, also they may have a human-friendly, easy to remember name such as www.yahoo.com. The DNS server converts the user-friendly name into its equivalent IP address. This section offers settings for DNS security and LAN DNS/Forwarding.
Page 68 Available settings are explained as follows: Item Description Select the WAN interface for which DNS security is to be configured. Enabled Switch the toggle to enable or disable DNS security for this WAN Interface. Bogus DNS Reply will be dropped when DNS security enabled.
Page 69 II-1-4-2 LAN DNS/Forwarding LAN DNS is a simple version of DNS server. LAN DNS allows the network administrator to override standard DNS resolutions for selecting domain addresses. The router will respond to queries on matched domain addresses with custom IP addresses. It is not necessary for the user to build another DNS server in LAN.
Page 70 +Add – Enter the domain name for the router to look for in DNS queries to intercept and reply to. Wildcards in the form of asterisks (*) can be used to match a domain level. For example, *.draytek.com will match domain names such as www.draytek.com and ftp.draytek.com.
Page 71 Billions of people exchange information daily with wireless communication products. The Vigor2136 series of wireless routers (with “ax” in the model name), designed with maximum flexibility and efficiency in mind, is ideal for use in a small office or home.
Page 72 WEP (Wired Equivalent Privacy) is a legacy method to encrypt each frame transmitted via radio using either a 64-bit or 128-bit key. Usually access point will preset a set of four keys and it will communicate with each station using only one out of the four keys. WPA (Wi-Fi Protected Access), the most dominating security mechanism in industry, is separated into two categories: WPA-personal or called WPA Pre-Share Key (WPA/PSK), and WPA-Enterprise or called WPA/802.1x.
Page 73 II-1-5-1 SSID On Wi-Fi-equipped models, you can set up SSID for use by internal users, who are allowed to access both the LAN and the WAN (Internet). This page also allows you to configure a guest SSID (for wireless clients that are restricted to Internet access only, typically used by visitors) with LAN VLAN settings.
Page 74 Available settings are explained as follows: Item Description SSID Service Set Identification (SSID), which shows up as the AP identifier. Maximum length is 32 characters. Modify the name if required. Enabled Switch the toggle to enable/disable the SSID profile. Security There are several modes provided for you to choose from.
Page 75 from the radio using the key which automatically negotiated via 802.1x authentication. WEP Personal - Accepts only WEP clients and the encryption  key should be entered in WEP Settings. None - The encryption mechanism is turned off.  Password Enter 8~63 ASCII characters, such as "012345678".
Page 76 Hide SSID Switch the toggle to enable(hide) /disable (show) the SSID. Select to keep SSIDs from showing up when scans are performed by wireless clients, which makes it harder for unauthorized clients or STAs to join your wireless LAN. Depending on the wireless client and software used, the user may see only an AP listed without the SSID, or the AP might not even show up.
Page 77 II-1-5-2 Radio Settings This page lets you configure the most basic settings of your wireless network, including mode, WLAN channels and channel bandwidth. Available settings are explained as follows: Item Description Advanced Click to show or hide the advanced settings for the Radio settings. Mode:ON/OFF 2.4GHz Radio Enabled...
Page 78 reception between the router and wireless stations. Auto 20/40 MHz – Vigor Router will utilize either 20 MHz or 40 MHz for data transmission and reception depending on the number of AP nearby the router. 20MHz will be used when there are more than 10 wireless APs;...
Page 79 Band Steering Settings 5Ghz Client Minimum If it is enabled, Vigor router will detect if the wireless client is capable RSSI of dual-band or not within the time limit. The wireless station has the capability of a 5GHz network connection, yet the signal performance might not be satisfied.
Page 80 devices, thus allowing wireless devices to enter into power saving mode which reduces power consumption. Not all wireless clients support APSD properly, and the only way to find out if APSD is appropriate for your network is to experiment. The default setting is Disable. Airtime Fairness Switch the toggle to enable/disable the function.
Page 81 Assisted Roaming When the signal strength of the wireless station is below the value Signal Strength (dBm) set here and adjacent AP (must be DrayTek Router/AP and Threshold support such feature too) with higher signal strength value (defined in the field of Assist roaming when adjacent AP signal is better than) is detected by Vigor router, Vigor router will terminate the network connection for that wireless station.
Page 82 Available settings are explained as follows: Item Description Start AP Discovery Scan - It is used to discover all the nearby AP. The results will be shown on the box below this button. Radio Information Displays current information for 2.4GHz and 5GHz used by Vigor router.
Page 83 II-1-5-5 WPS WPS (Wi-Fi Protected Setup) provides an easy way to connect wireless to wireless access points and routers with WPA or WPA2 encryption. WPS works with wireless stations with WPA or WPA2 support. It does not work with WEP. It is the simplest way to build connection between wireless network clients and vigor router.
Page 84 Using a PIN code You may establish a wireless connection by entering a PIN code generated by a wireless client that supports WPS. Below shows Configuration>>Wireless LAN>>WPS web page:...
Page 85 Available settings are explained as follows: Item Description Reset Click to reset WPS with the default value. Refresh Click to refresh current page. Enabled Switch the toggle to enable/disable the function. Band Select the band (2.4GHz/5GHz) for this function. 2.4GHz SSID / 5GHz Displays the SSID used for 2.4GHz/5GHz.
Page 86 II-1-5-6 WDS Wireless Distribution System (WDS) is a protocol for linking access points (AP) wirelessly. Vigor2136ax WDS only supports Repeater mode.  Repeater mode, which extends the coverage range of a WLAN. Below shows Configuration>>Wireless LAN>>WDS web page: Available settings are explained as follows: Item Description Reset...
Page 87 Enabled – Switch the toggle to enable/disable this WDS link. Security – Select the encryption method of this WDS link. Open - Security is disabled.  TKIP – Enter a string.  AES - Enter a string.  Password – Enter the key of the WDS link when Security is TKIP or AES.
Page 88 II-1-6 Routing Through the IP address and interface configuration, a route policy can be used to configure any routing rules to fit actual requests. The packets will be directed to the specified interface if they match one of the routing policies. The router offers IPv4 and IPv6 for you to configure the static route.
Page 89 Available settings are explained as follows: Item Description Policy Name Enter a name as the routing profile name. Enabled Switch the toggle to enable/disable the profile. Schedule Determine the valid time for the routing profile. Always On – The routing profile will be valid all the time if it is enabled.
Page 90 the network. Source / Destination IP It is available when Source / Destination is set as IP Object. Object +Add – Click it to create a new object (containing different IP addresses). Up to 12 objects can be created. Select Object – Check to select an object or objects. Source / Destination IP It is available when Source / Destination is set as IP Group.
Page 91 Primary Path LAN - It is available when the LAN is selected. +Add – Click +Add to create a new VPN path. Use the drop-down list to select a VPN profile. Secondary Path Disabled – Disable the function settings for the secondary path. Secondary Path WAN –...
Page 92 VPN –Specify a VPN profile for the last resort path. Last Resort Path VPN – Click +Add. Select one of the VPN  profiles. LAN – Specify a LAN interface for the last resort path. Last Resort Path LAN – Click +Add. Then select a LAN interface ...
Page 93 Available settings are explained as follows: Item Description Name Enter a name as the profile name. Enabled Switch the toggle to enable or disable the function. Destination IP Address Enter the IP address as the destination IP address. Subnet Mask Select a subnet mask of this static route.
Page 94 To add a new IPv6 static route, click the +Add link to get the following page. Available settings are explained as follows: Item Description Name Enter a name as the profile name. Enabled Switch the toggle to enable or disable the function. Destination Enter the IPv6 address as the destination IP address.
Page 95 Interface Use the drop-down list to specify an interface for this static route. Cancel Discard current settings and return to the previous page. Apply Save the current settings and exit the page. After finishing this web page configuration, please click Apply to save the settings. II-1-7 RIP The Routing Information Protocol (RIP) and the RIPng (RIP next generation) are the most popular interior routing protocols.
Page 96 expiration set in this field. The information will be kept in the routing table temporarily. At the same time, the neighbors will be notified that the route has been dropped. Garbage Timer The route will be removed from the routing table upon the expiration set in Garbage Timer.
Page 97 II-1-7-2 RIP Network This page allows you to configure up to eight neighboring routers for exchanging the routing information with the local router (Vigor2136). To add a new RIP network profile, click the +Add link to get the following page. Available settings are explained as follows: Item Description...
Page 98 Authentication Select the authentication mechanism for this profile. Disabled – No authentication mechanism will be used. Plain-Text – Only password will be used for authentication. Password –Enter characters as the password for MD5  authentication. MD5 – Use MD5 authentication. Password –...
Page 99 Available settings are explained as follows: Item Description Interface Select a LAN / WAN interface to apply the settings configured for this profile. Cancel Discard current settings and return to the previous page. Apply Save the current settings and exit the page. After finishing this web page configuration, please click Apply to save the settings.
Page 100 II-1-8 BGP Border Gateway Protocol (BGP) is a standardized protocol designed to exchange routing and reachability information among autonomous systems (AS) on the Internet. The protocol TCP is used by two routers supporting BGP for data transmission. They can exchange the BGP routing information for each other.
Page 101 Item Description Enabled Switch the toggle to enable/disable the basic BGP function for local router. Local AS Set the AS number for local router. Router ID Specify the LAN subnet for the router. IPv4 Redistribute Connected All Networks – Apply the BGP profile to all the LAN interfaces. Exclude NAT Networks - Apply the BGP profile to all the LAN interfaces except for NAT network.
Page 102 To add a new IPv4 neighbors profile (up to 8), click the +Add link to get the following page. Available settings are explained as follows: Item Description Remote AS Number Specify the AS Number for neighboring router. IPv4 Address Enter the IP address specified for the neighboring profile. Authentication Select the authentication mechanism for this profile.
Page 103 II-1-8-3 IPv4 Networks This page allows you to configure up to eight neighboring networks for exchanging the routing information with the local router (Vigor2136). The IP address defined on this page will be used to declare which network will participate in the RIP protocol. To add a new IPv4 networks profile (up to 8), click the +Add link to get the following page.
Page 104 info) with the specified network. Subnet Mask Select the mask value for the IPv4 address specified above. Cancel Discard current settings and return to the previous page. Apply Save the current settings and exit the page. After finishing this web page configuration, please click Apply to save the settings. II-1-8-4 IPv6 Neighbors Set general settings for local router and neighboring routers (based on IPv6 address).
Page 105 Item Description Remote AS Number Specify the AS Number for neighboring router. IPv6 Address Enter the IPv6 address of a neighboring router. Authentication Select the authentication mechanism for this profile. Disabled – No authentication mechanism will be used. MD5 – Use MD5 authentication. Password –...
Page 106 Available settings are explained as follows: Item Description IPv6 Address Enter the IPv6 address of a neighboring network (following CIDR format). Vigor router (e.g., 2136 series) will exchange routing information (RIPng info) with the specified network. Prefix Length Enter the IPv6 prefix length for the IPv6 address. Cancel Discard current settings and return to the previous page.
Page 107 II-1-9 OSPF OSPF(Open Shortest Path First), running within the AS, is a routing protocol based on IP protocol. It uses the algorithm of SPF (Shortest Path First) to calculate the route metric. It is suitable for large network and complicated data exchange. Vigor router supports up to OSPF version 2(for IPv4) and OSPF version 3(for IPv6).
Page 108 Switch the toggle to enable (allow dynamically route traffic based on information learned from the BGP protocol) or disable the function. OSPFv3 Enabled Switch the toggle to enable/disable the OSPFv3 function. Router ID Specify the IPv6 address of the Vigor router for routing and neighbor discovery.
Page 109 Available settings are explained as follows: Item Description Interface Select a LAN / WAN interface to apply the settings configured for this profile. Area ID An AS will be divided into several areas. Each area must be assigned with a dedicated number. Please enter a number or IPv4 address as the area ID.
Page 110 II-1-9-3 OSPFv3 Networks This page allows you to set neighbors for OSPFv3 profile. To add a new OSPFv3 networks profile, click the +Add link to get the following page. Available settings are explained as follows: Item Description Interface Select a LAN / WAN interface to apply the settings configured for this profile.
Page 111 Area ID An AS will be divided into several areas. Each area must be assigned with a dedicated number. Please enter a number or IPv6 address as the area ID. Authentication Select the authentication mechanism for this profile. Disabled – No authentication mechanism will be used. Plain-Text –...
Page 112 II-1-10 Bandwidth Management When LAN clients share a common public IP address by means of Network Address Translation (NAT), the router must track NAT sessions so that traffic to and from the WAN can reach the intended destinations. There is an finite number of sessions that can be tracked by the router, and by setting session limits will ensure that the router does not run out of resources.
Page 113 Name Enter a name for identification. Enabled Switch the toggle to enable/disable the traffic shaping policy profile. Schedule Vigor router can perform the traffic shaping policy profile all the time or on a certain date and time. Always On - The function of traffic shaping policy profile is running all the time.
Page 114 with different protocols. Service Type Object – Click +Add to create a new object. Up to 12  objects can be created. TCP/UDP – Select Transmission Control Protocol/User Datagram Protocol. Specify Source Port – Switch the toggle to enable the setting of ...
Page 115 To add a new policy, click the +Add link to get the following page. Available settings are explained as follows: Item Description Profile Name Enter a string as the profile name. Enabled Switch the toggle to enable/disable this profile of bandwidth limit. Schedule Vigor router can perform the bandwidth limit all the time or on a certain date and time.
Page 116 IPv4 Address  IPv4 Subnet  IP Object  IP Group  Source IPv4 Address It is available when IPv4 Address is selected as the Source. Click +Add to add a new entry. IPv4 Address Start - The beginning IP address for this limit entry. ...
Page 117 Scheduling: Prioritizing packets by assigning them to different queues and service types  according to service levels. Available settings are explained as follows: Item Description Enabled Switch the toggle to enable/disable the WAN interface settings. Direction At present, only Upload (for outgoing traffic) is available. Upload Speed(Mbps) Set the outbound bandwidth (default is 2500) of the WAN/LAN.
Page 118 II-1-10-4 APP QoS APP QoS allows QoS to be applied to select protocols and applications. Available settings are explained as follows: Item Description +Add Apps – The drop-down menu displays various APPEs. Select the one you want. QoS – Select the class level (Class 1, Class 2, Class 3 and others) of bandwidth reserved for the Apps.
Page 119 II-1-10-5 Default Policy Default policy defines the bandwidth limit and the session limit for all traffics in default. Available settings are explained as follows: Item Description Bandwidth Limit Mode Disabled – Select to deactivate bandwidth limit function. Per Source IP Limit – Apply the bandwidth limit to the traffic. Upload Limit - Default upstream speed limit for each LAN client.
Page 120 II-1-11 NAT Most ISPs allocate one WAN IP address to each subscriber. In order to simultaneously connect multiple devices to the Internet, a technique called Network Address Translation is employed. Usually, the router serves as an NAT (Network Address Translation) router. NAT is a mechanism that one or more private IP addresses can be mapped into a single public one.
Page 121 Available settings are explained as follows: Item Description Name Enter a name that identifies the rule. Enabled Switch the toggle to enable or disable the function. Network WAN Interface The WAN port(s) whose incoming traffic will be forwarded to a LAN client.
Page 122 Single – Specify a destination LAN IP address that will receive the forwarded traffic. Range – Specify a range of destination LAN IP addresses that will receive the forwarded traffic. Port Forwarding +Add Click to set port numbers for the specified protocol (TCP, UDP, or TCP/UDP) for a port forwarding profile.
Page 123 II-1-11-2 DMZ Host Vigor router provides a facility DMZ Host that maps ALL unsolicited data on any protocol to a single host in the LAN. Regular web surfing and other such Internet activities from other clients will continue to work without inappropriate interruption. DMZ Host allows a defined internal user to be totally exposed to the Internet, which usually helps some special applications such as Netmeeting or Internet Games etc.
Page 124 WAN IP Enable the function of applying WAN alias IP. Then, select a WAN alias IP from the available IPv4 alias settings set on Configuration >> WAN >> WAN Connections. Private IP Select one private IP address in the list to be the DMZ host. Cancel Discard current settings and return to the previous page.
Page 125 Available settings are explained as follows: Item Description Add Service Select from list of predefined service, or manually configure triggering and incoming protocols and ports. Manually - If selected, self-define the service name. Preset - If selected, various services will be offered for you to choose as the service name.
Page 126 Triggering Port Start / Triggering Port End - Outgoing traffic from the WAN destined for these port numbers be forwarded to the LAN client that triggered the rule. Enter the port or port range for the outgoing packets. Incoming Services Protocol &...
Page 127 Item Description Enabled Switch the toggle to enable or disable the function. Listen Port Enter a port number for SIP or RTSP protocol. Apply Save the current settings and exit the page. After finishing this web page configuration, please click Apply to save the settings. II-1-11-5 UPnP The Vigor supports UPnP (Universal Plug and Play), which is a suite of network protocols that simplifies network configuration.
Page 128 After finishing this web page configuration, please click Apply to save the settings. II-1-12 IGMP Internet Group Management Protocol (IGMP) is an IPv4 communication protocol for establishing multicast group memberships. II-1-12-1 General Setup This page offers the general setting for configuring the IGMP function. Available settings are explained as follows: Item Description...
Page 129 enable IGMP Fast Leave. Normally when the router receives a “leave” message from an IGMP host, it will send a last member query message to see if there are still members within the multicast group. When Fast Leave is enabled, multicast for a group is immediately terminated when the last host in that group sends a “leave”...
Page 130 II-1-13 Objects Vigor router system provides the object functions. Users can define various types of objects and groups, and then apply them at various scenarios, like Configuration>>NAT>> Port Forwarding, Security>>Firewall Filters. The advantage is that the user doesn’t have to set data repetitively and it significantly enhances efficiency.
Page 131 Available settings are explained as follows: Item Description Object Name Enter the name that identifies this profile. IP Version Select the IP version (IPv4, IPv6 or Both) for entering correct IP address. Address Type Select the type (IP or Subnet) of address. IPv4 Settings Start IP Address Enter the beginning IP address, if the Address Type is IP.
Page 132 Cancel Discard current settings and return to the previous page. Apply Save the current settings and exit the page. After finishing this web page configuration, please click Apply to save the settings. II-1-13-2 IP Group Multiple IPv4 Objects /IPv6 Objects can be placed into an IPv4 Group / IPv6 Group. To add a new IP group profile, click the +Add link to get the following page.
Page 133 Search Enter the IP object name or the IPv4/IPv6 Address to search related IP object(s). Selected Objects Objects available for grouping will be displayed here. Select one or more objects to group under the current IP group. Object Name Display current existed IPv4/IPv6 object(s). To add an IP object to the current IP group, simply select the object(s) you want.
Page 134 II-1-13-3 MAC Object The MAC address of local or remote clients can be specified in the MAC Object page. To add a new MAC object profile, click the +Add link to get the following page. Available settings are explained as follows: Item Description Object Name...
Page 135 II-1-13-4 MAC Group Multiple MAC Objects can be placed into a MAC Group. To add a new MAC group profile, click the +Add link to get the following page. Available settings are explained as follows: Item Description Group Name Enter a name that identifies this profile. Selected Objects +Add - Click to open the page with available objects.
Page 136 Cancel Discard current settings and return to the previous page. Apply Save the current settings and exit the page. After finishing this web page configuration, please click Apply to save the settings. II-1-13-5 Schedule Time schedules can be created and used with router features that support them, so that those features can be turned on and off automatically at preconfigured times.
Page 137 Name Enter the name of the schedule profile. Enabled Switch the toggle to enable or disable this schedule profile. Start Date Select the date when the entry comes into effect. Start Time Set the time when the schedule is triggered. End Time Set the time for the schedule to be ended.
Page 138 II-1-13-6 Service Type Object Up to 255 Service Type Objects can be created. To add/edit a service type profile, click the +Add / Edit link to get the following page. Available settings are explained as follows: Item Description Name Name that identifies this profile. Maximum length is 15 characters. Protocol Protocol(s) to which this profile applies.
Page 139 UDP – User Datagram Protocol TCP/UDP – Transmission Control Protocol and User Datagram Protocol Other – Other protocols not listed above. Enter protocol number in the textbox. Specify Source Port When protocol selected includes TCP or UDP, the source and destination ports can be specified.
Page 140 Available settings are explained as follows: Item Description Name Name that identifies this profile. Maximum length is 16 characters. Keywords Keywords to be matched. Enter the content for this profile. For example, type gambling as Contents. When you browse the webpage, the page with gambling information will be watched out and be passed/blocked based on the configuration on Firewall settings.
Page 141 II-1-13-8 Backup & Restore The object settings can be backed up as a file. The backup file can be imported to the device to restore the configuration in the future if required. Available settings are explained as follows: Item Description Backup Usually, a user can create the objects through the web page under Objects.
Page 142 II-1-14 USB Application II-1-14-1 General Setup This page allows you to configure the file sharing feature of the Vigor router, where USB mass storage devices such as thumb drives and hard drives can be made accessible to LAN clients. Available settings are explained as follows: Item Description Simultaneous FTP...
Page 143 To add a USB user profile, click the +Add link to get the following page. Available settings are explained as follows: Item Description Enabled Switch the toggle to enable / disable this profile. Users Use the drop-down list to select an existed user account. Home Folder Enter the folder name which will be the root folder for FTP and SMB sessions established using the credentials of this user profile.
Page 144 specified here. File Access Rule – Check the items (Read, Write and Delete) for such profile. Directory Access Rule – Check the items (List, Create and Remove) for such profile. Cancel Discard current settings and return to the previous page. Apply Save the current settings and exit the page.
Page 145 II-1-14-4 Temperature Sensor Settings A USB Thermometer is now available. It complements your installed DrayTek router installations which will help you monitor the server or data communications room environment and notify you if the server room or data communications room is overheating.
Page 146 Apply Save the current settings and exit the page. II-1-14-5 Modem Support List This page lists the brands and models of USB modems that are supported by the Vigor router. It is subject to change between different versions of firmware as support for new modems are added.
Page 147 II-1-15 Wake on LAN Using the Wake on LAN (WoL) feature, LAN clients that support WoL can be powered on or resume from sleep over the network, without the need for physical access to the device. In order for LAN clients to be able to wake from sleep or off states, the network interface card must be configured to monitor Wake-on-LAN messages.
Page 148 on Configuration>>LAN>>Bind IP to MAC will be shown for you to choose one. Wake Up Click to send Wake-on-LAN message to the specified LAN client. Wake on LAN/WAN Device List +Add Click to specify a new device which will be awakened. Name –...
Page 149 II-1-16 Notification Services Generally, the notification service refers to notifying users via email or SMS. II-1-16-1 Services & Providers Before notifying the clients, the router’s system administrator needs to configure the server and provider used to send letters or SMS messages. Available settings are explained as follows: Item Description...
Page 150 II-1-16-2 SMTP Server Up to 2 SMTP server profiles can be set up for chosen by Services & Providers. To add a new profile, click the +Add link to get the following page. Available settings are explained as follows: Item Description Name Enter the name of the profile.
Page 151 Connection Security There are three methods to enhance the connection security of SMTP server. None - No SSL. Packets will be transferred without encryption. SSL - Packets will be transferred with encrypted connection. Select to use SMTPS (SMTP over SSL) to communicate with the SMTP server. Note that the port number used for SMTPS server is 465.
Page 152 II-1-16-3 SMS Provider Up to 2 SMS profiles can be set up for chosen by Services & Providers. To add a new profile, click the +Add link to get the following page.
Page 153 Available settings are explained as follows: Item Description Name Enter the name of the profile. Enabled Switch the toggle to enable/disable this profile. Connecting Sender Specify the WAN interface for connecting the sender. Through Service Provider Vigor Router SMS Gateway – Not all Vigor routers support the SMS function.
Page 154 Username - Used for being authenticated by the Service Provider. Maximum length is 31 characters. Password - Used for being authenticated by the Service Provider. Maximum length is 31 characters. When Customized is SMS Provider API URL – Enter the URL for the SMS service. Maximum selected as the Service length is 255 characters.
Page 155 II-1-17 RADIUS/TACACS+ Remote Authentication Dial-In User Service (RADIUS) is a security authentication client/server protocol that supports authentication, authorization and accounting, which is widely used by Internet service providers. It is the most common method of authenticating and authorizing dial-up and tunneled network users. The router supports external TACACS+ and internal and external RADIUS servers for user authentication.
Page 156 Available settings are explained as follows: Item Description Name Enter the name of the profile. Authentication RADIUS Switch the toggle to enable/disable this profile. Authentication Authentication Server +Add – Click to add a server (up to 3). Server IP –Enter the IP address of RADIUS server. Secret –...
Page 157 Secret - The RADIUS server and client share a secret that is used to authenticate the messages sent between them. Both sides must be configured to use the same shared secret. The maximum length of the shared secret you can set is 36 characters. Authentication Port - Set the UDP port number (1813 in default) as the accounting port.
Page 158 Available settings are explained as follows: Item Description Enabled Switch the toggle to enable/disable this profile. Authentication Port The UDP port number that the RADIUS server is using. The default value is 1812, based on RFC 2138. RADIUS Client Access List IPv4 Client List Only clients that meet the criteria configured in the access list are allowed to access the RADIUS server.
Page 159 to validate users. 802.1X Method Support 802.1X Method – The built in RADIUS server offered by Vigor router can act as the AAA server. Select to enable 802.1X support. Certificate Select the certificate (created by Configuration>>Certificates>>Local Certificates) for applying to Internal RADIUS. User Profile User During the process of security authentication, user account and user...
Page 160 Server IP Address Enter the IP address of the TACACS+ server. Two external TACACS+ servers are allowed to set in this page. The secondary TACACS+ server will be used as a backup server when the primary TACACS+ server is down. Destination Port Enter the port used by the TACACS+ server.
Page 161 II-1-18 Certificates A digital certificate is an electronic document issued by a certification authority (CA) to an entity to prove ownership of a public key. It contains identifying information including the issued-to party’s name, a serial number, expiration dates etc., and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real.
Page 162 To add a new certificate, click the +Add link to get the following page. Available settings are explained as follows: Item Description Certificate Name Enter the name that identifies the certificate. Method Generate CSR - Generate a new local certificate. Import Certificate &...
Page 163 and Certificate with a private key. Method - Generate CSR Key Type Displays the key type used by the certificate. Algorithm Displays the algorithm for generating the certificate. Type Select the type of Subject Alternative Name and enter its value. IP Address ...
Page 164 CA to save time and provide convenience for general user. Later, such root CA generated by DrayTek server can perform the issuing of local certificate. To import a RootCA to the Vigor router, click +Add to upload one certificate.
Page 165 Available settings are explained as follows: Item Description Upload Certificate Choose a file - Select a local certificate file. Cancel Discard current settings and return to the previous page. Apply Click to import selected certificate file to the router. To create a new RootCA, click Create to get the following page. Available settings are explained as follows: Item Description...
Page 166 Algorithm Displays the algorithm. Subject Alternative Name Type Vigor router accepts the type and value of the specified subject alternative name as valid authentication. Supported subject alternative types are IP Address, Domain Name and E-Mail. Select the type of Subject Alternative Name and enter its value. Subject Name Country (C) Enter the country name (code) in which your organization is located.
Page 167 II-1-18-3 Local Services This page allows you to set different categories and services for the local certificate(s) to prevent security warning messages popped up due to using different browsers. Available settings are explained as follows: Item Description Local Certificate Select a local certificate (has been imported to Vigor device) with full key and authentication information.
Page 168 II-1-18-4 Backup & Restore You can back up or restore the Local and Trusted CA certificates on the router to a file. Available settings are explained as follows: Item Description Backup Selected Item Select the certification type (local, trusted or all certificates). Password Protection Enabled - Switch the toggle to enable or disable the function.
Page 169 II-2 Security II-2-1 Firewall Filters A network firewall monitors traffic travelling between networks, with the ability to selectively allow or block traffic using a predefined set of security rules. This helps to maintain the integrity of networks by stopping unauthorized access and the exchange of sensitive information. LAN users are provided with secured protection by the following firewall facilities: User-configurable IP filter (Data Filter).
Page 170 The below shows the attack types that DoS/DDoS defense function can detect: 1. SYN flood attack 9. SYN fragment 2. UDP flood attack 10. Fraggle attack 3. ICMP flood attack 11. TCP flag scan 4. Port Scan attack 12. Tear drop attack 5.
Page 171 Item Description Name Enter a name to identify the rule. Enabled Switch the toggle to enable/disable this profile. Schedule Always On – This rule is enabled and active for always. Scheduled On - Select Schedule indexes to allow the rule to be enabled at specific times.
Page 172 IPv4 Subnet / IPv6 Address / IPv6 Subnet / IP Object / IP Group as the destination and enter required information. Any – All IP addresses IPv4 Address–Enter one IPv4 address. Destination IPv4 Address – Click +Add to enter the IP address. ...
Page 173 Don’t care –No action will be taken towards fragmented  packets. Unfragmented –Apply the rule to unfragmented packets.  Fragmented – Apply the rule to fragmented packets.  Too Short – Apply the rule only to packets that are too short to ...
Page 174 II-2-1-2 Content Filters Content Filter includes APPE, URL Filter, and WCF servers. APPE is filtered by defined pattern. URL and WCF filters filter the servers to connect to by examining the server name in DNS request packets or TLS client hello packets. This page allows you to configure up to 40 content filters profiles (including APPE, URL, and WCF) previously.
Page 175 Enabled Switch the toggle to enable/disable this profile. Schedule Always On – This rule is enabled and active for always. Scheduled On - Select Schedule indexes to allow the rule to be enabled at specific times. You may choose up to 4 out of the 20 schedules in Configurations>>Objects>>Schedule.
Page 176 keyword profile(s). If the session meets the keyword filter profile, the system will perform the action reversely. Enable Syslog Switch the toggle to enable the recording the filter log onto SysLog. Cancel Discard current settings and return to the previous page. Apply Save the current settings.
Page 177 will be passed. Block – The outgoing traffic that does not match any Content filter rule will be blocked. Content Destination Select specific WCF and/or APPE and/or UCF(keyword object) profile to be included in the filter. Inbound Traffic (WAN to LAN) Fragmented Large Certain games and video streaming service use fragmented UDP Packets...
Page 178 II-2-1-4 Backup & Restore This page allows the backup and restoration of router settings. In addition to restoring Vigor2136’s own configuration backup, it is possible to restore backups from certain DrayTek routers on Vigor2136. Available settings are explained as follows: Item...
Page 179 II-2-2 Defense Setup As a sub-functionality of IP Filter/Firewall, there are several types of detect / defense function in the DoS Defense setup. In default, the DoS Defense is disabled. Available settings are explained as follows: Item Description Defense Setup Enable DoS Defense Switch the toggle to enable/disable the DoS Defense.
Page 180 Port Scan – Switch the toggle to enable/disable the Port Scan detection. Port Scans attack your network by sending packets to a range of ports in an attempt to find services that would respond. When Port Scan detection is enabled, the router sends warning messages when it detects port scanning activities that exceed the Threshold rate.
Page 181 Block ARP replies with This feature can protect a network from ARP (Address Resolution Protocol) spoofing attacks. Inconsistent Source MAC addresses – If the sender’s MAC address in the ARP packets does not match the source MAC address from ARP packet's ethernet header, the Vigor system will block the packets immediately.
Page 182 To add a new profile, click +Add. Available settings are explained as follows: Item Description Name Enter a string as the profile name. Policy Disabled – Disable this policy. Allow List – Only allow wireless clients whose MAC addresses are listed in the Device list.
Page 183 Device List +Add – Click to add a new device by entering the device name and the MAC address. Cancel Discard current settings and return to the previous page. Apply Save the current settings and exit the page. After finishing this web page configuration, please click Apply to save the settings. II-2-3-2 Backup &...
Page 184 II-2-4 IPv6 Address Security This page allows you to configure the IPv6 interface ID. Available settings are explained as follows: Item Description Generate Interface ID Select to use Random IIDs or EUI-64 IIDs as the interface ID. Random IIDs  EUI-64 ...
Page 185 II-3 IAM Identity and Access Management (IAM) allows the network administrator to manage Internet access at the user level. After a user has been authenticated using a username and password, the user will be granted Internet access and additionally, optional firewall rules and LAN access policies can be applied.
Page 186 To add a new user account profile, click +Add. Available settings are explained as follows: Item Description Username Enter the Login name (e.g., LAN_User_Group_1, WLAN_User_Group_A, WLAN_User_Group_B, etc.) for this user profile. Usage Define the type of this user profile. IAM User – This profile can be used for VPN, RADIUS, 802.1X, USB and IAM (Identity and Access Management) authentication.
Page 187 New Password/ user name and password combination for authentication. The profile with matching user name and password will be applied to the session. Confirm New Password General Status Active – Enable the general settings in this page. Inactive – Disable the general settings in this page. Group Policy It is available if "IAM User"...
Page 188 In the filed of Validation Code, enter the one-time password and click Verify. Now, the configuration is finished. You will be asked to enter the 2FA code on the after passing the username and password authentication. SMS/Email – The password will be transferred via the SMS and/or Mail profiles selected from User Information above.
Page 189 Enable OpenVPN - Switch the toggle to enable OpenVPN protocol. Security Specify VPN Peer – Switch the toggle to enable/disable the security mechanism for the remote client. Remote Client IP – Enter the IP address of the remote peer. Pre-Shared Key – "Specify VPN Peer" can restrict this IPsec to be initiated only by the specified peer IP address or domain name, and specify the private key to be used.
Page 190 To add a new OpenVPN profile, click OpenVPN Config Generator. On this page, you can create configuration required for a remote OpenVPN client to connect to the router and then download it directly or send it to the user via email. Available settings are explained as follows: Item Description...
Page 191 Disable - Disable the function. Cache password for Switch the toggle to enable/disable the function. auto reconnect Enable - OpenVPN will reconnect per hour. While reconnecting, the password is required. If the function is enabled, the password for OpenVPN connection will be kept and used by the Vigor system for reconnection every time.
Page 192 Available settings are explained as follows: Item Description Group Name Enter a name for identification. Selected Users +Add – Click to select user profiles to be grouped under the current group profile. Available Users It appears after clicking +Add. Selected Users – Select the member from available user profiles. Cancel Discard current settings and return to the previous page.
Page 193 II-3-1-3 Authentication Server Vigor router can authenticate users using either a built-in (None) or external service (Radius or TACACS+) server. To create a new authentication server profile, click +Add. Available settings are explained as follows: Item Description Server Name Enter a name for identification. Authentication Type Select the authentication type (RADIUS or TACACS+).
Page 194 shown in this area. Select the one you need. Cancel Discard current settings and return to the previous page. Apply Save the current settings and exit the page. After finishing this web page configuration, please click Apply to save the settings. II-3-1-4 User &...
Page 195 The purpose of this setting is to obstruct outside automated attacks (attempting to speculate passwords, authentication codes or others through repeated trials). Enable User Account Switch the toggle to enable or disable the user account lockout Lockout function. Login Attempts – Specify the maximum number of failed login attempts for all user accounts.
Page 196 Cancel Discard current settings. Apply Save the current settings. After finishing this web page configuration, please click Apply to save the settings.
Page 197 II-3-2-2 Access Policies Access Policies can be applied to LAN interface to determine how the users/clients access the Internet via identification authentication. This page is used for define different access policies for IAM application. To add a new access policy profile, click +Add. Available settings are explained as follows: Item Description...
Page 198 before accessing the network. Guest Hotspot - Allow or deny the clients/user accounts access to the network based on the hotspot profile selected. If MAC Allow/Block List Only is selected as the Access Control Mode. MAC Address Filter Set up MAC Address Selecting from Profile –...
Page 199 None – There will be no user group applied. Login Session Lifetime Login Session Lifetime Control the session time for users/clients. After the session's lifetime, the users/clients must log in to access the network, again. Specify the number of days, hours, and minutes. If Guest Hotspot is selected as the Access Control Mode Login Session Lifetime Hotspot Profile...
Page 200  Note: Once Group Policies are applied to user account/VLAN profile, even if the firewall filter setting has been setup, Group Policies will override rules set at the firewall filter. To add a new group policy profile, click +Add. Available settings are explained as follows: Item Description Name...
Page 201 Schedule Always On - The function of group policy is running all the time. Scheduled On - The function of group policy is activated based on the schedule profile. Allowed Resources Allowed Resources Select resources profile(s) and apply to this policy profile. +Add –...
Page 202 object) profile to be included in the filter. Action – Select Pass to allow access to the Destination; select Block to disallow access to the Destination. Enable Keyword Exception – Switch the toggle to enable/disable the function. Keyword Exceptions - Display selected keyword objects. The system will check the sessions additionally with the selected keyword profile(s).
Page 203 II-3-2-4 Conditional Access Policy Different from the Access Policies designed for setting Access Control Mode, this page provides a policy combination of time schedule, source IP, and multi-factor authentication (MFA). It can be used together with the resources. To add a new conditional policy profile, click +Add. Available settings are explained as follows: Item Description...
Page 204 Select Everytime or When Login Session Lifetime expires within. Vigor system will perform the reauthentication job for users (clients). Source IP Source IP Condition To Permit or Deny Access if the source IP is from the designated VLAN/IP. Source IP Specify the action (Permit or Deny) for the source IP.
Page 205 Available settings are explained as follows: Item Description Name Enter a name for identification. Resource Type Select IP or MAC as the resource type. Resource IP / MAC Enter the IP address or MAC address according to the resource type selected for this profile.
Page 206 Cancel Discard current settings and return to the previous page. Apply Save the current settings and exit the page. After finishing this web page configuration, please click Apply to save the settings.
Page 207 II-3-4 Hotspot Web Portal The Hotspot Web Portal, or the so-called captive portal allows you to control and manage access from LAN users. It is also a manner of IAM to identify, authenticate, and authorize any Access from the LAN or redirect to your appointed landing page.
Page 208 Available settings are explained as follows: Item Description Profile Name Enter a name for identification. Portal Method Click through – The user will be redirected to the landing page (defined in Captive Portal URL) and be granted access to the Internet. Skip Login, landing page only –...
Page 209 Vigor router system. Custom Logo Set a logo displayed on the portal. None – DrayTek default logo will be used. Upload Image – Click to use another image as the logo. The file size must be less than 1MB.
Page 210 Whitelist Setting In this page you can configure the whitelist settings. Users are allowed to send and receive traffic that satisfies whitelist settings. Available settings are explained as follows: Item Description Destination Domain/IP +Add Enabled – Switch the toggle to enable/disable the setting. Destination Domain/IP Whitelist –...
Page 211 More Options In this step you can configure advanced options for the Hotspot Web Portal. Available settings are explained as follows: Item Description Landing Page After Authentication Landing Page After Fixed URL – Specifies the webpage that will be displayed after the Auth user has successfully authenticated.
Page 212 II-3-5 Backup & Restore This page can be used to backup/restore the IAM configuration. Available settings are explained as follows: Item Description Backup Selected Item Select the policy or policies for the configuration backup. Password Protection For the sake of security, the configuration file for the access point can be encrypted.
Page 213 II-4-1-1 IPsec This is a network protocol that encrypts traffic between two network locations. Windows, by means of Windows Firewall, natively supports IPsec tunnels between endpoints with static IP addresses. For computers with dynamically-assigned IP addresses, DrayTek provides the SmartVPN client.
Page 214 Available settings are explained as follows: Item Description Enabled Switch the toggle to enable/disable the settings. Authentication Settings for Dynamic Peer Certificate It usually applies to those teleworkers or VPN sites that use dynamic IP addresses and IPsec-related VPN connections. There are two methods to authenticate IPsec connections - Certificate (X.509) and Pre-Shared Key(PSK).
Page 215 Specified Interface – Customize the WAN interface, IP address, and VPN protocols which allow the VPN connections. +Add – Click to have a new entry setting.  VPN Access List VPN Access Control It can filter trusted VPN connections by setting up IP object/group Mode allow lists or block lists.
Page 216 Available settings are explained as follows: Item Description Enabled Switch the toggle to enable/disable the settings. Listen Port Enter a port number for WireGuard VPN server. The default number is 51820. Default Key Pairs Private Key Displays the private key generated. Generate Private Key Generate –...
Page 217 VPN Access Control It can filter trusted VPN connections by setting up IP object/group Mode allow lists or block lists. Allow All Connections – Accept the VPN connections from all clients. Allow List – Accept VPN connections from users within the IP object/group settings selected below.
Page 218 II-4-1-3 OpenVPN The OpenVPN protocol utilizes public keys, certificates, and usernames and passwords to authenticate the client. Traffic is carried over secure channels built upon industry-standard SSL/TLS encryption protocols. With integrating of OpenVPN, Vigor router can help users to achieve more robust, reliable and secure private connections for business needs.
Page 219 Cipher Algorithm Select the desired cipher algorithm. Two encryption algorithms are supported: AES128 and AES256. AES256 is more secure than AES128 but may result in lower performance because it incurs higher computational overhead. HMAC Algorithm HMAC stands for Hash-based Message Authentication Code. It is used to validate the data integrity and authenticity of the VPN data.
Page 220 Allow List – Accept VPN connections from users within the IP object/group settings selected below. +Add - Click to have a new entry setting.  Block List – Deny VPN connections from users within the IP object/group settings selected below. +Add - Click to have a new entry setting.
Page 221 II-4-2 Site-to-Site VPN The VPN means a connection between two router's LAN networks, which Allows employees in branch offices and head office to share the same network resources.  Configures the VPN server for inbound connections from other routers.  This page allows to configure the VPN server for inbound connections from other routers.
Page 222 Available settings are explained as follows: Item Description Advanced Click to show or hide the advanced settings for the site-to-site VPN. Mode:ON/OFF Profile Name Enter the name of the profile. Enabled Switch the toggle to enable/disable the settings. General Direction Specify the allowed call direction of this VPN profile.
Page 223 Schedule Always Allow – Select this option to maintain an always on dial-in connection. Scheduled –Select this option to make the VPN connection based on the schedule. Drop the Active Tunnel when Schedule is Enforced – Switch  the toggle to enable/disable the function. VPN Schedule –...
Page 224 Certificate –Select as the authentication method. Local Certificate – Select one of the profiles set in  Configuration>>Certificates Local Certificates. Local ID – Select Subject Name or Subject Alternative Name.  Peer ID – Select Accept Subject Alternative Name, Peer Certificate, ...
Page 225 formats of Peer ID are acceptable, including IP Address, Domain Name, and Email. Peer Certificate - Select a peer certificate that has been pre-obtained and stored in Configuration>>Certificates Local Certificates. Accept Subject Name – Enter the complete certificate subject name. Accept Any - Any certificate signed by a trusted CA in Configuration>>Certificates Trusted CA will be considered valid.
Page 226 Username and It is available when Dial-Out/Dial-In is selected as the Direction and Password OpenVPN is selected as VPN Type. Username - Used by the remote LAN to establish a VPN connection. Password - Used by the remote LAN to establish a VPN connection. OpenVPN Settings It is available when Dial-Out is selected as the Direction and OpenVPN is selected as VPN Type.
Page 227 Generate PSK. Generate PSK - Click Generate to generate the pre-shared key. For NAT Client Address (Optional) – It is for Dial-In only. Enter the IP address of the remote peer. Keepalive - Default is 60 seconds. Network Network Specify that traffic from the local subnet and remote subnet can pass through the VPN connection.
Page 228 route. Default WAN IP / IP Address – Use the drop-down list to specify one WAN IP address for this VPN profile. Idle Timeout The tunnel will be disconnected when no traffic is detected within Idle Timeout. Disable this feature by setting the value to 0. GRE Over IPsec Switch the toggle to enable/disable the function.
Page 229 II-4-3 Teleworker VPN The VPN means a connection between the remote host and router's LAN network. The host will use an IP address in the local subnet. It allows employees to access the company's internal resources when they are traveling. Open VPN>>Teleworker VPN to get the following page.
Page 230 Item Description Enter the Login name (e.g., LAN_User_Group_1, WLAN_User_Group_A, Username WLAN_User_Group_B, etc.) for this user profile. Usage Define the type of this user profile. IAM User – This profile can be used for VPN, RADIUS, 802.1X, USB and IAM (AWS Identity and Access Management) authentication. Router Management –...
Page 231 Multi-factor authentication (MFA) can offer a more secure network connection. Enable MFA – Switch the toggle to enable/disable the MFA function. Allowed MFA Method - Select to require TOTP, Email, SMS and/or  mOTP authentication when logging in from the WAN. TOTP –...
Page 232 IPsec protocol. Enable WireGuard –Switch the toggle to enable WireGuard protocol. Public Key – Enter the string offered by the remote WireGuard  VPN client. Pre-Shared Key – Displays the private key generated by clicking  Generate PSK. Generate PSK – Click the Generate button to generate a ...
Page 233 required. Assign IP from – Select a LAN interface for IP assignment. Cancel Discard current settings and return to the previous page. Apply Save the current settings and exit the page. After finishing this web page configuration, please click Apply to save the settings. To add a new OpenVPN profile, click OpenVPN Config Generator.
Page 234 Disable -Disable the function. Transport Protocol TCP/UDP - Select UDP or TCP for the protocol to be used by the OpenVPN client to connect to the router. Auto Dial Out Switch the toggle to enable/disable the function. Enable - The remote client can auto-dial to this Vigor router to build an OpenVPN tunnel.
Page 235 II-4-4 VPN Connection Status This section displays various VPN connection status, including Site-to-Site VPN  Teleworker VPN  Connection History  Failed VPN Connection Attempts  Blocked by Brute Force Protection ...
Page 236 II-4-5 Backup & Restore This page can be used to backup/restore the VPN configuration. Available settings are explained as follows: Item Description Backup Selected Item Select the VPN type for the configuration backup. Password Protection For the sake of security, the configuration file for the access point can be encrypted.
Page 237 II-5 Virtual Controller - Wireless This feature allows users to establish and manage a network of DrayTek devices connected by Wireless or Wired links. The network consists of one Root and multiple Nodes. Root controls this network and syncs configurations to Nodes. Normally Root and Nodes use the same Wireless SSID/security, and Wireless clients can connect to any of them.
Page 238 The following figure shows how Vigor router runs as MESH ROOT: II-5-1 Role Setup This page can determine the role of the Vigor router connecting to the computer physically. And set up its Mesh function and AP Management function. Available settings are explained as follows: Item Description Advanced...
Page 239 Switch the toggle to enable or disable the mesh function. Mesh Protocol Select the mesh protocol to manage the mesh network. Vigor Mesh – A protocol developed by DrayTek. Group Name Displays the name of the current mesh group. Change the name if required.
Page 240 II-5-2 Device II-5-2-1 Device List This page displays general information about the devices grouped under Vigor2136. Click Edit to modify the settings of the selected device. The settings for the APs are slightly different based on the role of the Root and Node. Available settings are explained as follows: Item Description...
Page 241 Device Factory Reset Factory Reset Now - Click to reset all nodes with factory settings All Nodes immediately. Config Sync to All Full Config – Sync the full configuration to all nodes. Nodes Select Scope - Sync the selected configuration to all nodes. Sync Config Sync now –Click to execute the sync configuration.
Page 242 II-5-2-2 Mesh Status Display general information of the Mesh network. This page is available only when Mesh is enabled (Virtual Controller>>Role Setup). Available settings are explained as follows: Item Description Name Displays the name of the device (for identification). MAC Address Displays the MAC address of the device.
Page 243 Optimize All Mesh Links - It is available only when VigorMesh is selected as Mesh Protocol and the device is a Root. Press the Optimize button to perform reselect to reconstruct the Mesh network. II-5-2-3 AP Adoption Search and add new Nodes to the device's Group. This page is available when current device role is Root.
Page 244 MAC - Displays the MAC address of the device. Model - Displays the model of the device. Signal Strength - Displays the signal strength of the device if it was found through the Wireless. Device Name - Insert the name of the device for identification. Tips for VigorMesh Network Setup VigorMesh supports auto uplink.
Page 245 EasyMesh is not suggested to join existing VigorMesh Environment.  The maximum of devices number is (ssid_num * device_num <= 56) -> device_num is the max  device number How to set up a VigorMesh group? The following steps will guide you how to setup a VigorMesh Group. Please access the web of the device which you want to use it as the Root.
Page 246 Refer to Virtual Controller>>Wireless>>Device>>Device List and Virtual Controller >> Wireless >> Device >>Mesh Status for viewing the result.
Page 247 VigorSwitch device, reboot the device or return to factory default settings of VigorSwitch at one time. This feature allows users to establish and manage a network of DrayTek devices connected by Wireless or Wired links.
Page 248 II-6-2 Device This page displays information, including Switch name, MAC address, IP address, Firmware Version, Model, Online Status, System Uptime, Port in Use, Clients, Last Process Status and Option of a VigorSwitch connected to the Vigor router. To add a new switch, click the Add New Switch link to open the following page. Click Scan and wait for a while Vigor router will scan and list the switch connecting to Vigor router.
Page 249 The selected switch, now, has been managed by the Vigor router. To edit the device information, set port profile or view the port status of the switch, click Edit. General This page shows a summary related to the VigorSwitch. Also, it offers Reboot Now and Factory Reset Now buttons to assist users in updating the switch.
Page 250 Port Profile This page configures the speed, duplex mode, and port profile for each GE port of the VigorSwitch. Available settings are explained as follows: Item Description Port Display the number of the GE port. Description If required, enter a brief description to explain the device connected to VigorSwitch via the LAN port.
Page 251 Auto(1000M): Auto speed with 1000M ability only.  Auto(10/100M): Auto speed with 10/100M ability.  10M: Force speed with 10M ability.  100M: Force speed with 100M ability.  1000M: Force speed with 1000M ability.  Selecting Auto (auto-negotiation) allows one port to negotiate with a peer port automatically to obtain the connection speed and duplex mode that both ends support.
Page 252 Port Status This page will display the current status of each GE port of the Vigor switch such as the transmission rate (TX/RX), port type, VLAN ID, applied port profile, etc.
Page 253 II-6-3 Port Profile This page allows you to configure profiles with general settings such as name, group, IP address, MAC address, model, and password required by VigorSwitch when it connects to this Vigor router. To add a new profile, click +Add. To modify an existing profile, select the one and click the +Edit link to open the setting page.
Page 254 Item Description Profile Name Enter a name for the Switch. The purpose of name is used for identification. It is useful when there are many VigorSwitch (same modes) devices connecting to Vigor router. Advanced Click to show or hide the advanced settings. Mode:ON/OFF PoE Port Enable Switch the toggle to enable/disable the port profile.
Page 255 VLAN This page allows a user to configure interface (GE) settings related to VLAN. Available settings are explained as follows: Item Description Profile Name Enter a name for the Switch. The purpose of name is used for identification. It is useful when there are many VigorSwitch (same modes) devices connecting to Vigor router.
Page 256 Tagged VLAN Select all VLAN profiles or independent VLAN profiles to be tagged in the VLAN. Options under the Advanced Mode Forbidden VLAN The GE port set in a VLAN profile allows default VLAN packet to pass through. Select the VLAN profile as forbidden VLAN. Cancel Discard current settings and return to the previous page.
Page 257 GE port. Fixed – The selected GE port only sends static VLAN information to neighboring device and allows static VLAN packet to pass through. Forbidden – The selected GE port only allows default VLAN packet to pass through. Cancel Discard current settings and return to the previous page. Apply Save the current settings and exit the page.
Page 258 of the IGMP group profiles (defined in Filtering Profile). Throttling Exceed VigorSwitch will perform the action defined below when the number Action of IGMP join reports for the specified interface exceeds the value defined in Max Group. Deny – It is default setting. The IGMP join report (for multicast service) received by such interface will be discarded.
Page 259 Available settings are explained as follows: Item Description Profile Name Enter a name for the Switch. The purpose of name is used for identification. It is useful when there are many VigorSwitch (same modes) devices connecting to Vigor router. BPDU Filter Switch the togglee to enable / disable the function of dropping all BPDU packets and no BPDU will be sent.
Page 260 This page is used to configure port settings for QoS. The configuration result for each port will be displayed on the table listed on the lower side of this web page. Available settings are explained as follows: Item Description Profile Name Enter a name for the Switch.
Page 261 Cancel Discard current settings and return to the previous page. Apply Save the current settings and exit the page. After finishing this web page configuration, please click Apply to save the settings. II-6-4 Maintenance Vigor router can backup, restore, reboot, or reset the managed Vigor switch devices. Available settings are explained as follows: Item Description...
Page 262 Reboot – Click to reboot the remote switch (managed by Vigor  router) with current configuration. For the Action Type set as Factory Rest: Reset – Click to reset the selected device(s) (listed on Existing  Device list) with the factory default switch settings.
Page 263 Chapter III Management...
Page 264 III-1 System Maintenance For the system setup, there are several items that you have to know the way of configuration: Device Settings, Management, Firmware, Backup & Restore, Accounts and Reboot System, and Firmware Upgrade. III-1-1 Device Settings The user can modify the time, device name, and Syslog for the device. III-1-1-1 Time Open System Maintenance>>Device Settings and click the Time tab.
Page 265 If Auto is selected, the Vigor system will renew the time through WAN or LAN. Daylight Saving - Enable Daylight Saving Time (DST) if it is applicable to your location Test Time Server Connection – Test if the time server works well. Server Status - Displays last update time status.
Page 266 III-1-1-2 Device Name Display the router name. Change the name if you want. Open System Maintenance>>Device Settings and click the Device Name tab. III-1-1-3 Syslog SysLog function is provided for users to monitor the router. Open System Maintenance>>Device Settings and click the Syslog tab. Available parameters are explained as follows: Item Description...
Page 267 Logging Destinations Select External Server to display Log Message and Syslog Servers for detailed configuration. Log Message Select to send the corresponding message of user access, interface, and system information to Syslog. Syslog Servers +Add Click to display new entry boxes for creating a new Syslog server profile.
Page 268 Manager Manager Host Any - Any IP can be set as the manager host. Specific Host - Specify a host (IPv4 or IPv6) or hosts (both IPv4 and IPv6). IP Type – Select Both, IPv4 or IPv6.  Specific Manager Host (IPv4/IPv6) is available when IPv4/IPv6 ...
Page 269 Trap Version Select the trap version.    Trap Community Enter the Trap Community string. The default setting is public. Devices that send unsolicited messages to the SNMP console must pass the correct Trap Community string. The maximum length of the text is 23 characters. Trap Port Enter the port number used for the Trap server.
Page 270 General Auto Logout If "off" is selected, the function of auto-logout for the web user interface will be disabled. The web user interface will be open until you click the Logout icon manually. Management Services Enforce HTTPS Access Enable the checkbox to allow system administrators to login Vigor router via HTTPS.
Page 271 Apply Save the current settings and exit the page.
Page 272 III-1-2-2 TR-069 Vigor device supports the TR-069 standard for remote management of customer-premises equipment (CPE) through an Auto Configuration Server, such as VigorACS. Available settings are explained as follows: Item Description TR-069 Switch the toggle to enable or disable the function. ACS Server ACS Server On Choose the interface for connecting the router to the Auto...
Page 273 parameters at intervals specified in the Interval Time field. Time Interval - Set interval time or schedule time for the router to send notification to CPE. STUN Settings Mode - The default is Auto. If select Enabled, please enter the relational settings listed below: Server Address - Enter the IP address of the STUN server.
Page 274 III-1-3 Firmware Before firmware upgrade, please download the newest firmware from the DrayTeks website or FTP site first. The DrayTek website is www.draytek.com (or local DrayTeks website) and the FTP site is ftp.draytek.com. Open System Maintenance>>Firmware. The following web page will guide you to upgrade firmware by using an example.
Page 275 Wait for a while until the system finishes the rebooting.
Page 276 III-1-4 Backup & Restore This function can be used to backup/restore the Vigor router settings. Available settings are explained as follows: Item Description Configuration Backup Password Protection For the sake of security, the configuration file for the access point can be encrypted.
Page 277 III-1-5 Accounts & Permission This page allows you to modify your current administration account and password. It allows the network administrator to manage Internet access at the user level. III-1-5-1 Local Admin Account This page allows you to create up to five local admin account profiles. Available settings are explained as follows: Item Description...
Page 278 To modify an existing profile, select the one and click the +Edit link to open the setting page. To add a new profile, click +Add. Available settings are explained as follows: Item Description Local Admin Account Account Display the name of the account. New Password Enter a new password in this field.
Page 279 TOTP – For the Time-based One-time Password (TOTP) mechanism, please make sure the time zone of your router is correct. Then, install Google Authenticator APP on your cell phone. Open the APP to scan the QR code on this page. A one-time password will be shown on your phone.
Page 280 III-1-5-2 Role & Permission This page allows the creation of up to five roles which can be applied to the local admin account. The default roles are Administrator, Guest and Users. To create a new role profile, click +Add. A new role will be added on to the page. Available settings are explained as follows: Item Description...
Page 281 Left Menu Path Lists all of the features that a role can have. The role of Administrator has the highest authority for accessing Vigor router. The role of Guest/Users has the lowest authority for accessing Vigor router. The permissions for user-defined roles are based on read-only or read-write access granted to each menu path (such as dashboard, configuration, device menu, etc.) individually..
Page 282 III-1-5-3 User & MFA Security Multi-Factor Authentication (MFA) is a security mechanism that offers an extra protection beyond a username and password, making it more difficult for unauthorized users to gain access. Any client trying to access into Internet via Vigor router will be asked for passing through user authentication.
Page 283 III-1-6 System Reboot The Web user interface may be used to restart your router. Open System Maintenance >> System Reboot to get the following page. Available settings are explained as follows: Item Description Reboot With Select one of the following options, and press the Reboot button to reboot the router.
Page 284 This page is left blank.
Page 285 Chapter IV Others...
Page 286 IV-1 Monitoring IV-1-1 Clients List Clients List displays the configuration status of the wireless clients that connect to the Vigor router via Wi-Fi connection. Besides, this page offers a quick method to add the wireless client to any existing MAC Filtering Profile.
Page 287 connection. Clients Displays the SSID name, MAC address, and IP address of the wireless clients. Add to MAC Filtering – Select to make the wireless client join the MAC Filtering Profile set above. Name – Enter a name for identification. Close Discard current settings and return to the previous page.
Page 288 IV-1-2 Log Center IV-1-2-1 Log Center Log related to setting configuration and/or actions performed by this device can be stored on web Syslog. Click Refresh to reload this page with the most up-to-date information. Available settings are explained as follows: Item Description Enabled Web Syslog...
Page 289 IV-1-2-2 DDNS Log This page displays the log (time, profile name and content) related to Dynamic DNS actions performed by this device. Click Refresh to reload this page with the most up-to-date information.
Page 290 IV-1-3 Wireless Information For viewing the SSIDs used by 2.4GHz/5GHz or real time throughput for 2.4GHz/5GHz, open Monitoring>>Wireless Information for detailed. IV-1-3-1 Wireless Information This page shows general information (e.g., 2.4GHz/5GHz enabled or not, MAC address, SSID name and etc.) for wireless connection. Click Refresh to reload this page with the most up-to-date information.
Page 291 Click Refresh to reload this page with the most up-to-date information. IV-1-3-3 Real Time Throughput 2.4G The real-time throughput (2.4G) can be shown with line graphs. Click Refresh to reload this page with the most up-to-date information. IV-1-3-4 Real Time Throughput 5G The real-time throughput (5G) can be shown with line graphs.
Page 292 IV-1-4 WAN This page can display the WAN connection status, including the connection interface, MAC address, connection type, connection IP address, connection gateway, primary DNS and secondary DNS server addresses, online Time, and so on. IV-1-4-1 WAN Utilization This page displays the utilization, including upload, download, and percentage of data transmission for each WAN interface.
Page 293 Click Refresh to reload this page with the most up-to-date information. IPv6 Select the IPv6 tab to get the WAN connection information (e.g., name, IPv6 address, connection type, gateway and the uptime). Click Refresh to reload this page with the most up-to-date information. IV-1-5 ARP Table The table shows the contents of the ARP (Address Resolution Protocol) cache held in the router and shows the mappings between Ethernet hardware addresses (MAC Addresses) and IP addresses.
Page 294 IV-1-5-2 WAN Click Refresh to reload this page with the most up-to-date information of WAN Ethernet ARP table. IV-1-6 Route Table IV-1-6-1 IPv4 Click Refresh to reload this page with the most up-to-date IPv4 routing information.
Page 295 IV-1-6-2 IPv6 Click Refresh to reload this page with the most up-to-date IPv6 routing information.
Page 296 IV-1-7 DHCP Table This page provides information on IP address assignments. This information is helpful in diagnosing network problems, such as IP address conflicts, etc. Click Refresh to reload this page with the most up-to-date information. IV-1-7-1 IPv4 DHCP Subnet This page shows the DHCP server status, IP range, IP pool, Used IP, and percentage of utilization for each LAN interface.
Page 297 IV-1-7-3 IPv6 Assignment This page shows the remaining time of the IPv6 DHCP lease of the device. IV-1-8 IPv6 TSPC Status IPv6 TSPC (Tunnel Setup Protocol Client) status page could help you diagnose issues with IPv6 connections that utilize TSP. If TSPC is configured properly, the router will display the following when the router has connected to the tunnel broker successfully.
Page 298 IV-1-9 IPv6 Neighbor Table This page displays the mapping between Ethernet hardware addresses (MAC addresses) and the IPv6 addresses. This information is helpful in diagnosing network problems, such as IP address conflicts. IV-1-10 DNS Cache Table The router can function as a DNS server which allows LAN clients to look up DNS information by sending DNS requests to the router.
Page 299 IV-1-10-2 IPv6 Click Refresh to reload the most up-to-date information of the IPv6 DNS cache data. IV-1-11 PPPoE Pass-Through The router offers PPPoE dial-up connection. Besides, you also can establish the PPPoE connection directly from local clients to your ISP via the Vigor router. When PPPoA protocol is selected, the PPPoE package transmitted by PC will be transformed into PPPoA package and sent to WAN server.
Page 300 IV-1-12 Session Table This screen shows the 200 newest entries in the NAT sessions table. Click Refresh to reload this page with the most up-to-date information.
Page 301 IV-2 Utility This section contains utilities (e.g., ping tool, traceroute, DNS and etc.) that can assist you in analyzing issues and failures during the setup and operation of the router. IV-2-1 Network Tools IV-2-1-1 Ping Tool The user can perform the ping job for specified IP (host) to diagnose if the data transmission via the Vigor system is well or not.
Page 302 IV-2-1-2 Traceroute The user can perform the traceroute job for specified IP (host) to diagnose if the data transmission via the Vigor system is well or not. Available settings are explained as follows: Item Description IP Version Select the IP version for entering correct IP address. Trace Through Trace through specific interface.
Page 303 IV-2-1-3 DNS The user can diagnose the router by query Domain Name System (DNS) servers to obtain domain name or IP address information. Available settings are explained as follows: Item Description Method Select a tool to query Domain Name System (DNS) servers to obtain domain name or IP address information.
Page 304 IV-2-2 Web CLI It is not necessary to use the telnet command via DOS prompt. The changes made by using web console have the same effects as modified through web user interface. The functions/settings modified under Web Console also can be reviewed on the web user interface. Click the Web Console icon on the top of the main screen to open the following screen.
Page 305 Chapter V Troubleshooting...
Page 306 V-1 Checking the Hardware Status Follow the steps below to verify the hardware status. Check the power line and cable connections. Refer to “I-2 Hardware Installation” for details. Power on the modem. Make sure the POWER LED, ACT LED and LAN LED are bright. If not, it means that there is something wrong with the hardware status.
Page 307 Note: The example is based on Windows 7 (Professional Edition). As to the examples for other operation systems, please refer to the similar steps or find support notes in www.draytek.com. Open All Programs>>Getting Started>>Control Panel. Click Network and Sharing Center.
Page 308 Icons of the network connection will be shown on the window. Right-click on Local Area Connection and click on Properties. Select Internet Protocol Version 4 (TCP/IP) and then click Properties. Select Obtain an IP address automatically and Obtain DNS server address automatically.
Page 309 V-2-2 For Mac Os Double click on the current used Mac Os on the desktop. Open the Application folder and get into Network. On the Network screen, select Using DHCP from the drop-down list of Configure IPv4.
Page 310 V-3 Pinging the Device The default gateway IP address of the modem is 192.168.1.1. For some reason, you might need to use “ping” command to check the link status of the modem. The most important thing is that the computer will receive a reply from 192.168.1.1. If not, please check the IP address of your computer.
Page 312 V-4 Backing to Factory Default Setting Sometimes, a wrong connection can be improved by returning to the default settings. Try to reset the modem by software or hardware.  Warning: After using the factory default settings, you will lose all settings you did before. Make sure you have recorded all useful settings before you pressing.
Page 313 V-4-2 Hardware Reset While the modem is running, press the Factory Reset button and hold for more than 5 seconds. When you see the ACT LED blinks rapidly, please release the button. Then, the modem will restart with the default configuration. After restore the factory default setting, you can configure the settings for the modem again to fit your personal request.
Page 314 V-5 Contacting DrayTek If the modem still cannot work correctly after trying many efforts, please contact your dealer for further help right away. For any questions, please feel free to send an e-mail to support@draytek.com.

This manual is also suitable for:

Vigor2136Vigor2136ax

Draytek Vigor2136 Series User Manual

Quick Links

Need help?

Questions and answers

Subscribe to Our Youtube Channel

Related Manuals for Draytek Vigor2136 Series

Summary of Contents for Draytek Vigor2136 Series

This manual is also suitable for: