Page 1 Vigor C410/C510 Series VPN Router with WLAN/LTE/5G-NR User’s Guide Version: 1.0 Firmware Version: V5.3.1 Date: March 26, 2025...
Page 2 Web registration is preferred. You can register your Vigor router via https://myvigor.draytek.com. Owner Firmware & Tools Due to the continuous evolution of DrayTek technology, all modems will be regularly upgraded. Please consult the DrayTek web site for more information on newest firmware, tools and documents. Updates https://www.draytek.com...
Page 3 Table of Contents Chapter I Installation ..............................IX I-1 Introduction ....................................1 I-1-1 LED Indicators and Connectors for Vigor C410 ....................1 I-1-2 LED Indicators and Connectors for Vigor C510 ....................3 I-1-3 LED Indicators and Connectors for Vigor C410ax ....................4 I-1-4 LED Indicators and Connectors for Vigor C510ax ....................6 I-2 Hardware Installation ................................8 I-2-1 Network Connection ...............................8 I-2-2 Wall-Mounted Installation ............................9...
Page 4 II-1-6-1 Route Policy ..............................91 II-1-6-2 IPv4 Static Route ............................95 II-1-6-3 IPv6 Static Route ............................96 II-1-7 RIP ..................................98 II-1-7-1 General Setup .............................. 98 II-1-7-2 RIP Network ..............................100 II-1-7-3 RIPng Network ............................101 II-1-8 BGP ..................................103 II-1-8-1 General Setup ............................
Page 5 II-1-16-4 Webhook ..............................157 II-1-16-5 Notification ............................... 158 II-1-16-6 Backup & Restore ............................ 159 II-1-17 RADIUS/TACACS+ ............................161 II-1-17-1 External RADIUS............................161 II-1-17-2 Internal RADIUS ............................163 II-1-17-3 External TACACS+ ............................ 165 II-1-18 Certificates ............................... 167 II-1-18-1 Local Certificates............................167 II-1-18-2 Trusted CA ..............................
Page 6 II-4-1 General Setup ..............................235 II-4-1-1 Access Control ............................235 II-4-1-2 EasyVPN ..............................237 II-4-1-3 IPsec ................................238 II-4-1-4 WireGuard ..............................239 II-4-1-5 OpenVPN ..............................240 II-4-1-6 VPN MSS ..............................242 II-4-2 Site-to-Site VPN ..............................243 II-4-2-1 VPN Type - IPsec ............................243 II-4-2-2 VPN Type - WireGuard..........................
Page 7 V-3 Pinging the Device ................................338 V-3-1 For Windows ..............................338 V-3-2 For Mac Os (Terminal) ............................338 V-4 Backing to Factory Default Setting ........................... 340 V-4-1 Software Reset ..............................340 V-4-2 Hardware Reset ..............................341 V-5 Contacting DrayTek ................................342...
Page 8 VIII...
Page 9 Chapter I Installation...
Page 11 I-1 Introduction This is a generic International version of the user guide. Specification, compatibility and features vary by region. For specific user guides suitable for your region or product, please contact local distributor. I-1-1 LED Indicators and Connectors for Vigor C410 Before you use the Vigor modem, please get acquainted with the LED indicators and connectors first.
Page 12 Connectors Interface Explanation Factory Reset Restore the default settings. Usage: Turn on the router (ACT LED is blinking). Press the hole and keep for more than 5 seconds. When you see the ACT LED begins to blink rapidly than usual, release the button. Then the router will restart with the factory default configuration.
Page 13 I-1-2 LED Indicators and Connectors for Vigor C510 Before you use the Vigor modem, please get acquainted with the LED indicators and connectors first. Status Explanation Blinking The router is powered on and running normally. The router is powered off. Internet connection is ready.
Page 14 I-1-3 LED Indicators and Connectors for Vigor C410ax Before you use the Vigor modem, please get acquainted with the LED indicators and connectors first. Status Explanation Blinking The router is powered on and running normally. The router is powered off. Internet connection is ready.
Page 15 Factory Reset Restore the default settings. Usage: Turn on the router (ACT LED is blinking). Press the hole and keep for more than 5 seconds. When you see the ACT LED begins to blink rapidly than usual, release the button. Then the router will restart with the factory default configuration.
Page 16 I-1-4 LED Indicators and Connectors for Vigor C510ax Before you use the Vigor modem, please get acquainted with the LED indicators and connectors first. Status Explanation Blinking The router is powered on and running normally. The router is powered off. Internet connection is ready.
Page 17 WLAN On - Press the button and release it within 2 seconds. When the wireless function is ready, the green LED will be on. WLAN Off - Press the button and release it within 2 seconds to turn off the WLAN WLAN function.
Page 18 I-2 Hardware Installation This section will guide you to install the Vigor C410/C510 through a hardware connection and configure the device’s settings through the web browser. I-2-1 Network Connection Connect the cable Modem/DSL Modem/Media Converter to any WAN port of router with Ethernet cable (RJ-45).
Page 19 I-2-2 Wall-Mounted Installation Drill the holes on the wall according to the recommended instruction. The distance between the holes shall be 168mm. Fit screws into the wall using the appropriate type of wall plug. With the screws installed, the router can be slotted into place. Step 4 ...
Page 20 I-2-3 Antenna Installation Antenna must be installed on Vigor router correctly to obtain the transmission signal. For model with SIM installed For ax models There are two types of antennas provided for Vigor C410ax / C510ax, which must be installed in different locations carefully and correctly.
Page 21 Note: The antennas for Vigor C410 must be installed on both sides of the device. If only one antenna will be used, please install on the left side of Vigor router. Major signal transmission port For installing the SIM card into the card slot, (1) While installing the SIM card into the card slot, note that the back plate of the SIM card slot must be removed first.
Page 22 I-3 Accessing to Web User Interface All functions and settings of this access point must be configured via the web user interface. Please start your web browser (e.g., Firefox). Make sure your PC connects to the Vigor router correctly. Open a web browser on your PC and type http://192.168.1.1. A pop-up window will open to ask for a username and password.
Page 23 Next, the page will appear to guide you change the login password. You MUST change the login password before accessing the web user interface. Please set a new password for network security. After clicking Apply, the Main Screen will pop up.
Page 24 The web page can be logged out by clicking Log Out on the top right of the web page. Or, logout the web user interface according to the chosen condition. The default setting is Auto Logout, which means the web configuration system will log out after 5 minutes without any operation.
Page 25 I-4 Dashboard Dashboard shows port status, LAN status, system status, LAN/WAN Usage and DSL information. Click Dashboard from the main menu on the left side of the main page.  Note: Switch these two icons by click the mouse cursor on them. - means “Enable”.
Page 26 This page is left blank.
Page 27 Chapter II Connectivity...
Page 28 II-1 Configuration II-1-1 Physical Interface Configure the general settings for available interfaces. Open Configuration >> Physical Interface. Available settings are explained as follows: Item Description Ethernet Interface Displays the available interfaces of this device. Function Displays the type (WAN or LAN) of the interface. Except Ethernet WAN is fixed to WAN, Port 1 can be set as WAN or LAN to meet different requirements.
Page 29 Port speed capabilities: Auto negotiation - Auto speed with all capabilities. 10M half duplex - Force speed with 10M ability. 10M full duplex - Force speed with 10M ability. 100M half duplex - Force speed with 100M ability. 100M full duplex - Force speed with 100M ability. Selecting Auto (auto-negotiation) allows one port to negotiate with a peer port automatically to obtain the connection speed and duplex mode that both ends support.
Page 30 II-1-2 WAN II-1-2-1 WAN Connections This page is to configure the general settings for WAN connection. Available settings are explained as follows: Item Description Profile Name Displays the name of the interface. Enabled Displays if the WAN interface is enabled or disabled. Mode Displays if the WAN interface is primary or failover interface.
Page 31 For Physical Type with Ethernet Click the Edit link of WAN1 or WAN2 to open the following page. Available settings are explained as follows: Item Description Advanced Click to show or hide the advanced settings (IP Alias and WAN MAC Mode:ON/OFF Address) for the WAN interface.
Page 32 IP Version Set the protocol (IPv4 or IPv6 or both) that this WAN interface used. VLAN Settings Customer VLAN Switch the toggle to enable or disable the function of VLAN with tag. If enabled, enter the values for the tag and priority. Tag - Enter the value as the VLAN ID number.
Page 33 specified in the Ping IP field, to verify the WAN connection. If the remote host does not respond within 30 seconds, the WAN connection is deemed to have failed. If you choose Ping Detect as the detection mode, you have to enter required settings for the following items.
Page 34 Secret – Type a text (1 to 31 characters) as s a unique identifier for each client on each DHCP server. TSPC - Tunnel setup protocol client (TSPC) is an application which could help you to connect to IPv6 network easily. Please make sure your IPv4 WAN connection is OK and apply one free account from hexago (http://gogonet.gogo6.com/page/freenet6-account ) before you try to...
Page 35 maximum valid MTU value for PPPoE is 1492. WAN MAC Address Mode Default – Use the default MAC address for the WAN port. Customized - Select this option if your ISP authenticates by MAC addresses. MAC - Specify a MAC address for the WAN Ethernet port. ...
Page 36 For Physical Type with Wireless 2.4GHz When Wireless 2.4G is selected as Physical Type, WAN interface uses wireless station mode to access Internet. The Router acts as a 2.4GHz wireless station and connects to the specific Wireless Click the Edit link for WAN3 or WAN4 to open the following page. Available settings are explained as follows: Item Description...
Page 37 Security Mode There are several modes provided for you to choose from. Each mode will bring up different parameters (e.g., Pass Phrase) for you to configure. WPA3 Personal – The Router connects to the wireless AP as a WPA3 client and the encryption key should be entered in PSK. WPA2 Personal –...
Page 38 disconnection is judged. Maximum Transmission Unit, the size of the largest packet, in bytes, that can be transmitted to the WAN. The maximum value is 1500. For PPPoE connections, there is always an 8-byte overhead, so the maximum valid MTU value for PPPoE is 1492. WAN MAC Address Mode Default –...
Page 39 General Setup Physical Type Displays the physical type used by this interface. Bind to Physical At present, only Wireless 2.4GHz is available for WAN3 and Wireless Interface 5GHz for WAN4. Peer SSID Enter the identification of the wireless device. Channel Select the channel of frequency of the device.
Page 40 Ping Detect - The router sends an ICMP (Internet Control Message Protocol) echo request every second to the host, whose address is specified in the Ping IP field, to verify the WAN connection. If the remote host does not respond within 30 seconds, the WAN connection is deemed to have failed.
Page 41 Available settings are explained as follows: Item Description Advanced Click to show or hide the advanced settings (WAN MAC Address) for Mode:ON/OFF the WAN interface. Index Displays current WAN interface. Profile Name Displays the name of the profile. Enabled Switch the toggle to enable or disable the access mode. General Setup Physical Type Displays the physical type used by this interface.
Page 42 Username – Username provided by the ISP for authentication (optional). Password - Password provided by the ISP for authentication (optional). Auto APN Name Access Point Name to be used for the connection. Please contact your ISP or carrier for the appropriate value. Network Mode Force Vigor router to connect Internet with the mode specified here.
Page 43 Interval Enter the interval for the system to execute the PING operation. Timeout Maximum length of time, in seconds, of idling allowed (no traffic) before the connection is dropped. Vigor system will send a packet per “interval time” to the specified IP address. If the system does not receive any reply from that IP within specified (e.g., 10) seconds, Vigor system will reboot LTE module until successfully set LTE connection.
Page 44 The Vigor router will automatically connect to Ethernet WAN connection. Once connected and powered on, the router will run through a list of network connection settings (based on the autohunt profiles) to determine if it can establish a connection. If it is unable to connect, the mechanism will proceed to the next ISP setting until it receives an IP address.
Page 45 Advanced Click to show or hide the advanced settings (IP Alias and WAN MAC Mode:ON/OFF Address) for the WAN interface. Physical Type Displays the physical type used by this interface. IP Version Set the protocol (IPv4 or IPv6 or both) that this WAN interface used. VLAN Settings Customer VLAN Switch the toggle to enable or disable the function of VLAN with tag.
Page 46 IPv4 Secondary DNS - IP address of secondary DNS server. Static IP – Set the access mode as Static IP. IP Address – WAN IP address assigned by the ISP.  Subnet Mask – WAN subnet mask.  Gateway IP – IP address of the WAN Gateway. ...
Page 47 Reconfigure Key – During the connection process, DHCPv6 server will authenticate the client automatically. Delayed - During the connection process, DHCPv6 server will authenticate and identify the client based on the key ID, realm and secret information specified in these fields. Key ID –...
Page 48 to execute the PING operation. Ping Retry - Enter the number of times that the system is  allowed to execute the PING operation before WAN disconnection is judged. Maximum Transmission Unit, the size of the largest packet, in bytes, that can be transmitted to the WAN.
Page 49 Available settings are explained as follows: Item Description Advanced Mode: Click to show or hide the advanced settings for virtual WAN. ON/OFF Name Enter a name as the profile name. Enabled Switch the toggle to enable or disable the function. General WAN Type Displays the type (e.g., Ethernet) of the physical interface.
Page 50 Customer VLAN It is available when a WAN Type is selected. Switch the toggle to enable or disable the function of VLAN with tag. Tag - Enter the value as the VLAN ID number. The range is from 0 to 4094.
Page 51 II-1-2-4 Dynamic DNS Most ISPs assigns dynamic WAN IP addresses to their customers. Dynamic IP addresses presents challenges to users who would like to accept remote connections to their LANs from the Internet, as service could be disrupted due to the IP address changing without notice. By setting up service with a Dynamic DNS (DDNS) provider, and configuring Dynamic DNS updates on the Vigor router, you can have reliable access to your network by means of an easy-to-remember domain address that resolves to the most current WAN IP address.
Page 52 Available settings are explained as follows: Item Description Name Enter a name as the profile name. Enabled Switch the toggle to enable or disable the function. Service Provider Select the DDNS provider. If your DDNS provider is not listed, select User-Defined and manually configure the profile.
Page 53 Auth Type –Two types can be used for authentication. Basic – Username and password defined later can be shown  from the packets captured. URL - Username and password defined later can be shown in  URL. Enable ACME Client – Switch the toggle to generate a certificate issued by Let’s Encrypt for applying to such DDNS account.
Page 54 DrayDDNS Settings DrayDDNS, a DDNS service developed by DrayTek, can record multiple WAN IP (IPv4/IPv6) on single domain name. It is convenient for users to use and easily to set up with MyVigor. Each Vigor Router is available to register one domain name to MyVigor for one year license.
Page 55 II-1-2-5 WAN Budget This function is used to determine the data traffic volume for each WAN interface respectively to prevent overcharges for data transmission by the ISP. Please note that the Quota Limit and Billing cycle day of month settings will need to be configured correctly first in order for some period calculations to be performed correctly.
Page 56 Item Description Enabled Switch the toggle to enable or disable the profile. When enabled, the WAN Budget is enabled for this WAN. Quota Enter the data traffic quota allowed for such WAN interface. There are two unit (MB and GB) offered for you to specify. When quota exceed Shutdown WAN interface - All the outgoing traffic through such WAN interface will be halted when the traffic has exceeded the budget...
Page 57 II-1-2-6 DHCP Options DHCP packets can be processed by adding option number and data information when this function is enabled and configured. This page allows to configure additional DHCP client options. To add/edit a profile, click the +Add/Edit link to get the following page. Available settings are explained as follows: Item Description...
Page 58 Hexadecimal Digit: A hexadecimal string. Valid characters are from  0 to 9 and from a to f. Example: 2f70617468. Address List: One or more IPv4 addresses, delimited by commas.  Data Enter the content of the data to be processed by the function of DHCP option.
Page 59 II-1-2-7 Failover This page allows to configure settings for failover WAN. When the primary WAN of the router goes down the other available WAN interfaces will take over for network connection sequentially. Available settings are explained as follows: Item Description Primary WAN Interface –...
Page 60 WAN connection detection mode defined in the WAN Connections Profile. If enabled, the WAN connection detection defined in the WAN Connections Profile will be ignored. The router will measure the performance of interface members, and active interfaces will be determined using Link Health Check and Performance SLA. Interface Link Health &...
Page 61 To add/edit a profile, click the +Add/Edit link to get the following page. Available settings are explained as follows: Item Description Profile Name Enter a name as the Link Health Check profile. Detection Method Select the protocol for ping detection. HTTP Detect ...
Page 62 Secondary IPv6 Target Enter the second IPv6 address as the secondary target for health check. Interval Set the time interval (unit is second) for network detection or checking. Cancel Discard current settings and return to previous page. Apply Save the current settings and exit the page. II-1-2-9 Performance SLA This page allows you to set the thresholds for jitter, latency, and loss for Performance SLA (Service Level Agreement), which will be used for detecting the health status of the WAN connection.
Page 63 Available settings are explained as follows: Item Description Profile Name Enter a name as the Link Health Check profile. Jitter Switch the toggle to enable or disable the jitter function. Jitter Threshold - It defines the change rate of latency. For stable session, small jitter value will be better.
Page 64 II-1-2-10 PPPoE Pass Through The router offers PPPoE dial-up connection. Besides, you also can establish the PPPoE connection directly from local clients to your ISP via the Vigor router. According to the WAN Connection Type, this feature will encapsulate the PPPoE package of local clients and send it to the WAN Server. Thus, the PC can access Internet through such direction.
Page 65 II-1-3 LAN A LAN(Local Area Network) comprises a collection of LAN clients, which are networked devices on your premises. A LAN client can be a computer, a printer, a Voice-over-IP (VoIP) phone, a mobile phone, a gaming console, an Internet Protocol Television (IPTV), etc, and can have either a wired (using Ethernet cabling) or wireless (using Wi-Fi) network connection.
Page 66 DHCP clients, plus room for future expansion), and use addresses greater than 192.168.1.100 for static assignment.
Page 67 II-1-3-1 LANs This page provides you the general settings for LAN. Open Configuration>>LAN and click the LANs tab to open the following page. To add/edit a profile, click the +Add/Edit link to get the following page. Here, we take LAN1 as an example.
Page 68 General Setup IPv4 Display the status (enable/disable) of the profile. Usage Specify the IP forwarding method.  Routing  IPv6 Switch the toggle to configure / ignore the IPv6 settings. IPv4 IPv4 Address This is the IP address of the LAN interface (default: 192.168.1.1). Subnet Mask Select a subnet mask of the LAN interface.
Page 69 The DNS server converts the user-friendly name into its equivalent IP address. You must specify a DNS server IP address here because your ISP should provide you with usually more than one DNS Server. Secondary DNS - You can specify secondary DNS server IP address here because your ISP often provides you more than one DNS Server.
Page 70 DNS Configuration It is available when Stateless is selected as the IPv6 Assignment. DNS Assign Methods RA(RDNSS) – The DNS server used for hosts (e.g., PC) will be  configured via the Router Advertisement Configuration. Bit(DHCPv6) – The DNS server used for hosts will be configured ...
Page 71 Router IPv6 Address Enter IPv6 Address and Prefix length to be added, or click an existing Table IPv6 address to be deleted in the Current IPv6 Address Table below and the values will be automatically copied over. +Add – Click it to add a new entry. Max is 5. Static IP Address –...
Page 72 To add/edit a profile, click the +Add/Edit link to get the following page. Available settings are explained as follows: Item Description Comments Enter a brief comment to identify this IP Address–MAC Address pair. MAC Address Enter the MAC address of the LAN client’s network interface. IP Address Enter the IP address to be associated with a MAC address.
Page 73 II-1-3-3 DHCP Options DHCP packets can be processed by adding option number and data information when such function is enabled and configured. To add/edit a profile, click the +Add/Edit link to get the following page. Available settings are explained as follows: Item Description Option Number...
Page 74 Data Type Choose the type (ASCII or Hex or Address List) for the data to be stored. Data Enter the data in the Data field based on the data type selected. ASCII Character - A text string. Example: /path. Hexadecimal Digital - A hexadecimal string. Valid characters are from 0 to 9 and from a to f.
Page 75 Available settings are explained as follows: Item Description Group Name Display the name for identification. Change the name if required. Enabled Switch the toggle to enable the settings. Selected LANs Select the box to link two or more different subnets (LAN and LAN). Cancel Discard current settings and return to the previous page.
Page 76 II-1-3-5 VLAN List Virtual Local Area Networks (VLANs) allow you to subdivide your LAN to facilitate management or to improve network security. This page allows you to create up to 8 VLAN profiles. To add/edit a profile, click the +Add/Edit link to get the following page. Available settings are explained as follows: Item Description...
Page 77 VLAN ID Enter a number as the VLAN Identifier. Valid values are form 1 to 4094. VIDs must be unique. Name Enter a name of the VLAN profile. Display the physical LAN subnet on the router. Select the LAN subnet(s) to bind them under the selected VLAN. Cancel Discard current settings and return to the previous page.
Page 78 II-1-3-6 Interface VLAN Port-based VLAN uses physical ports (P1 ~ P4/P5) to separate the clients into different VLAN group. Virtual LAN function provides you a very convenient way to manage hosts by grouping them based on the physical port. The multi-subnet can let a small businesses have much better isolation for multi-occupancy applications.
Page 79 II-1-3-7 LAN Port 802.1x Wired 802.1X provides authentication for clients wishing to connect to the LAN by Ethernet. Only one client can be authenticated on each LAN port. Available settings are explained as follows: Item Description Enabled LAN 802.1X Switch the toggle to enable or disable LAN 802.1x function. Port Name Display the name of the physical LAN port.
Page 80 II-1-4 DNS DNS stands for Domain Name System. Every Internet host must have a unique IP address, also they may have a human-friendly, easy to remember name such as www.yahoo.com. The DNS server converts the user-friendly name into its equivalent IP address. This section offers settings for DNS security and LAN DNS/Forwarding.
Page 81 Item Description Select the WAN interface for which DNS security is to be configured. Enabled Switch the toggle to enable or disable DNS security for this WAN Interface. Bogus DNS Reply will be dropped when DNS security enabled. Primary DNS Shows the primary DNS server used by this WAN.
Page 82 II-1-4-2 LAN DNS/Forwarding LAN DNS is a simple version of DNS server. LAN DNS allows the network administrator to override standard DNS resolutions for selecting domain addresses. The router will respond to queries on matched domain addresses with custom IP addresses. It is not necessary for the user to build another DNS server in LAN.
Page 83 +Add – Enter the domain name for the router to look for in DNS queries to intercept and reply to. Wildcards in the form of asterisks (*) can be used to match a domain level. For example, *.draytek.com will match domain names such as www.draytek.com and ftp.draytek.com.
Page 84 II-1-5 Wireless LAN Wireless LAN enables high mobility so WLAN users can simultaneously access all LAN facilities just like on a wired LAN as well as Internet access. In recent years, the market for wireless communications has enjoyed tremendous growth. Wireless technology now reaches virtually every location on earth.
Page 85 WEP (Wired Equivalent Privacy) is a legacy method to encrypt each frame transmitted via radio using either a 64-bit or 128-bit key. Usually access point will preset a set of four keys and it will communicate with each station using only one out of the four keys. WPA (Wi-Fi Protected Access), the most dominating security mechanism in industry, is separated into two categories: WPA-personal or called WPA Pre-Share Key (WPA/PSK), and WPA-Enterprise or called WPA/802.1x.
Page 86 II-1-5-1 SSID On Wi-Fi-equipped models, you can set up SSID for use by internal users, who are allowed to access both the LAN and the WAN (Internet). This page also allows you to configure a guest SSID (for wireless clients that are restricted to Internet access only, typically used by visitors) with LAN VLAN settings.
Page 87 Available settings are explained as follows: Item Description SSID Service Set Identification (SSID), which shows up as the AP identifier. Maximum length is 32 characters. Modify the name if required. Enabled Switch the toggle to enable/disable the SSID profile. Security There are several modes provided for you to choose from.
Page 88 from the radio using the key which automatically negotiated via 802.1x authentication. WEP Personal - Accepts only WEP clients and the encryption  key should be entered in WEP Settings. None - The encryption mechanism is turned off.  Password Enter 8~63 ASCII characters, such as "012345678".
Page 89 Hide SSID Switch the toggle to enable(hide) /disable (show) the SSID. Select to keep SSIDs from showing up when scans are performed by wireless clients, which makes it harder for unauthorized clients or STAs to join your wireless LAN. Depending on the wireless client and software used, the user may see only an AP listed without the SSID, or the AP might not even show up.
Page 90 II-1-5-2 Radio Settings This page lets you configure the most basic settings of your wireless network, including mode, WLAN channels and channel bandwidth. Available settings are explained as follows: Item Description Advanced Click to show or hide the advanced settings for the Radio settings. Mode:ON/OFF 2.4GHz Radio Enabled...
Page 91 40 MHz – Vigor Router will utilize 40 MHz for data transmission and reception between the router and wireless stations. Auto 20/40 MHz – Vigor Router will utilize either 20 MHz or 40 MHz for data transmission and reception depending on the number of AP nearby the router.
Page 92 Band Steering Settings 5Ghz Client Minimum If it is enabled, Vigor router will detect if the wireless client is capable RSSI of dual-band or not within the time limit. The wireless station has the capability of a 5GHz network connection, yet the signal performance might not be satisfied.
Page 93 devices, thus allowing wireless devices to enter into power saving mode which reduces power consumption. Not all wireless clients support APSD properly, and the only way to find out if APSD is appropriate for your network is to experiment. The default setting is Disable. Airtime Fairness Switch the toggle to enable/disable the function.
Page 94 Assisted Roaming When the signal strength of the wireless station is below the value Signal Strength (dBm) set here and adjacent AP (must be DrayTek Router/AP and Threshold support such feature too) with higher signal strength value (defined in the field of Assist roaming when adjacent AP signal is better than) is detected by Vigor router, Vigor router will terminate the network connection for that wireless station.
Page 95 Available settings are explained as follows: Item Description Start AP Discovery Scan - It is used to discover all the nearby AP. The results will be shown on the box below this button. Radio Information Displays current information for 2.4GHz and 5GHz used by Vigor router.
Page 96 II-1-5-5 WPS WPS (Wi-Fi Protected Setup) provides an easy way to connect wireless to wireless access points and routers with WPA or WPA2 encryption. WPS works with wireless stations with WPA or WPA2 support. It does not work with WEP. It is the simplest way to build connection between wireless network clients and vigor router.
Page 97 Using a PIN code You may establish a wireless connection by entering a PIN code generated by a wireless client that supports WPS. Below shows Configuration>>Wireless LAN>>WPS web page:...
Page 98 Available settings are explained as follows: Item Description Reset Click to reset WPS with the default value. Refresh Click to refresh current page. Enabled Switch the toggle to enable/disable the function. Band Select the band (2.4GHz/5GHz) for this function. 2.4GHz SSID / 5GHz Displays the SSID used for 2.4GHz/5GHz.
Page 99 II-1-5-6 WDS Wireless Distribution System (WDS) is a protocol for linking access points (AP) wirelessly. Vigor C410/C510ax WDS only supports Repeater mode.  Repeater mode, which extends the coverage range of a WLAN. Below shows Configuration>>Wireless LAN>>WDS web page: Available settings are explained as follows: Item Description Reset...
Page 100 Enabled – Switch the toggle to enable/disable this WDS link. Security – Select the encryption method of this WDS link. Open - Security is disabled.  TKIP – Enter a string.  AES - Enter a string.  Password – Enter the key of the WDS link when Security is TKIP or AES.
Page 101 II-1-6 Routing Through the IP address and interface configuration, a route policy can be used to configure any routing rules to fit actual requests. The packets will be directed to the specified interface if they match one of the routing policies. The router offers IPv4 and IPv6 for you to configure the static route.
Page 102 Available settings are explained as follows: Item Description Policy Name Enter a name as the routing profile name. Enabled Switch the toggle to enable/disable the profile. Schedule Determine the valid time for the routing profile. Always On – The routing profile will be valid all the time if it is enabled.
Page 103 Subnet Mask - Use the drop down list to choose a suitable mask for the network. Source / Destination IP It is available when Source / Destination is set as IP Object. Object +Add – Click it to create a new object (containing different IP addresses).
Page 104 select a VPN profile. Primary Path LAN - It is available when the LAN is selected. +Add – Click +Add to create a new VPN path. Use the drop-down list to select a VPN profile. Secondary Path Disabled – Disable the function settings for the secondary path. Secondary Path WAN –...
Page 105 forwarding mechanism. VPN –Specify a VPN profile for the last resort path. Last Resort Path VPN – Click +Add. Select one of the VPN  profiles. LAN – Specify a LAN interface for the last resort path. Last Resort Path LAN – Click +Add. Then select a LAN interface ...
Page 106 Available settings are explained as follows: Item Description Name Enter a name as the profile name. Enabled Switch the toggle to enable or disable the function. Destination IP Address Enter the IP address as the destination IP address. Subnet Mask Select a subnet mask of this static route.
Page 107 To add a new IPv6 static route, click the +Add link to get the following page. Available settings are explained as follows: Item Description Name Enter a name as the profile name. Enabled Switch the toggle to enable or disable the function. Destination Enter the IPv6 address as the destination IP address.
Page 108 Cancel Discard current settings and return to the previous page. Apply Save the current settings and exit the page. After finishing this web page configuration, please click Apply to save the settings. II-1-7 RIP The Routing Information Protocol (RIP) and the RIPng (RIP next generation) are the most popular interior routing protocols.
Page 109 The information will be kept in the routing table temporarily. At the same time, the neighbors will be notified that the route has been dropped. Garbage Timer The route will be removed from the routing table upon the expiration set in Garbage Timer. Connected Switch the toggle to enable/disable the function.
Page 110 II-1-7-2 RIP Network This page allows you to configure up to eight neighboring routers for exchanging the routing information with the local router (Vigor C410/C510). To add a new RIP network profile, click the +Add link to get the following page. Available settings are explained as follows: Item Description...
Page 111 authentication. MD5 – Use MD5 authentication. Password – Enter characters as the password for MD5  authentication. Key ID – Enter a number (0~255). The ID will help Vigor router to  be identified in an autonomous system. Cancel Discard current settings and return to the previous page. Apply Save the current settings and exit the page.
Page 112 Available settings are explained as follows: Item Description Interface Select a LAN / WAN interface to apply the settings configured for this profile. Cancel Discard current settings and return to the previous page. Apply Save the current settings and exit the page. After finishing this web page configuration, please click Apply to save the settings.
Page 113 II-1-8 BGP Border Gateway Protocol (BGP) is a standardized protocol designed to exchange routing and reachability information among autonomous systems (AS) on the Internet. The protocol TCP is used by two routers supporting BGP for data transmission. They can exchange the BGP routing information for each other.
Page 114 Available settings are explained as follows: Item Description Enabled Switch the toggle to enable/disable the basic BGP function for local router. Local AS Set the AS number for local router. Router ID Specify the LAN subnet for the router. IPv4 Redistribute Connected All Networks –...
Page 115 To add a new IPv4 neighbors profile (up to 8), click the +Add link to get the following page. Available settings are explained as follows: Item Description Remote AS Number Specify the AS Number for neighboring router. IPv4 Address Enter the IP address specified for the neighboring profile. Authentication Select the authentication mechanism for this profile.
Page 116 Cancel Discard current settings and return to the previous page. Apply Save the current settings and exit the page. After finishing this web page configuration, please click Apply to save the settings.
Page 117 II-1-8-3 IPv4 Networks This page allows you to configure up to eight neighboring networks for exchanging the routing information with the local router (Vigor C410/C510). The IP address defined on this page will be used to declare which network will participate in the RIP protocol. To add a new IPv4 networks profile (up to 8), click the +Add link to get the following page.
Page 118 Cancel Discard current settings and return to the previous page. Apply Save the current settings and exit the page. After finishing this web page configuration, please click Apply to save the settings. II-1-8-4 IPv6 Neighbors Set general settings for local router and neighboring routers (based on IPv6 address).
Page 119 IPv6 Address Enter the IPv6 address of a neighboring router. Authentication Select the authentication mechanism for this profile. Disabled – No authentication mechanism will be used. MD5 – Use MD5 authentication. Password – Enter characters as the password for MD5 ...
Page 120 Available settings are explained as follows: Item Description IPv6 Address Enter the IPv6 address of a neighboring network (following CIDR format). Vigor router will exchange routing information (RIPng info) with the specified network. Prefix Length Enter the IPv6 prefix length for the IPv6 address. Cancel Discard current settings and return to the previous page.
Page 121 II-1-9 OSPF OSPF(Open Shortest Path First), running within the AS, is a routing protocol based on IP protocol. It uses the algorithm of SPF (Shortest Path First) to calculate the route metric. It is suitable for large network and complicated data exchange. Vigor router supports up to OSPF version 2(for IPv4) and OSPF version 3(for IPv6).
Page 122 information learned from the RIP protocol) or disable the function. Switch the toggle to enable (allow dynamically route traffic based on information learned from the BGP protocol) or disable the function. OSPFv3 Enabled Switch the toggle to enable/disable the OSPFv3 function. Router ID Specify the IPv6 address of the Vigor router for routing and neighbor discovery.
Page 123 Available settings are explained as follows: Item Description Interface Select a LAN / WAN interface to apply the settings configured for this profile. Area ID An AS will be divided into several areas. Each area must be assigned with a dedicated number. Please enter a number or IPv4 address as the area ID.
Page 124 II-1-9-3 OSPFv3 Networks This page allows you to set neighbors for OSPFv3 profile. To add a new OSPFv3 networks profile, click the +Add link to get the following page. Available settings are explained as follows: Item Description Interface Select a LAN / WAN interface to apply the settings configured for this profile.
Page 125 Please enter a number or IPv6 address as the area ID. Authentication Select the authentication mechanism for this profile. Disabled – No authentication mechanism will be used. Plain-Text – Only password will be used for authentication. Password –Enter characters as the password for MD5 ...
Page 126 II-1-10 Bandwidth Management When LAN clients share a common public IP address by means of Network Address Translation (NAT), the router must track NAT sessions so that traffic to and from the WAN can reach the intended destinations. There is an finite number of sessions that can be tracked by the router, and by setting session limits will ensure that the router does not run out of resources.
Page 127 Item Description Name Enter a name for identification. Enabled Switch the toggle to enable/disable the traffic shaping policy profile. Schedule Vigor router can perform the traffic shaping policy profile all the time or on a certain date and time. Always On - The function of traffic shaping policy profile is running all the time.
Page 128 Protocol Only the traffic passing through the selected protocol will be limited. Select one of the protocols from the drop-down menu. Any – All traffic will be limited. Service Type Object – Vigor system offers several service types set with different protocols. Service Type Object –...
Page 129 To add a new policy, click the +Add link to get the following page. Available settings are explained as follows: Item Description Profile Name Enter a string as the profile name. Enabled Switch the toggle to enable/disable this profile of bandwidth limit. Schedule Vigor router can perform the bandwidth limit all the time or on a certain date and time.
Page 130 Source Identify the object to which the bandwidth limit will be applied. Any - All the IPs within the range defined will be restricted by  bandwidth limit defined by TX Limit and RX Limit below. IPv4 Address  IPv4 Subnet ...
Page 131 Classification: Identifying low-latency or crucial applications and marking them for  high-priority service level enforcement throughout the network. Scheduling: Prioritizing packets by assigning them to different queues and service types  according to service levels. Available settings are explained as follows: Item Description Enabled...
Page 132 II-1-10-4 APP QoS APP QoS allows QoS to be applied to select protocols and applications. Available settings are explained as follows: Item Description +Add Apps – The drop-down menu displays various APPEs. Select the one you want. QoS – Select the class level (Class 1, Class 2, Class 3 and others) of bandwidth reserved for the Apps.
Page 133 II-1-10-5 Default Policy Default policy defines the bandwidth limit and the session limit for all traffic in default. Available settings are explained as follows: Item Description Session Limit Mode Disabled – Select to deactivate session limit function. Per Source IP Limit –Apply the session limit to the traffic. Max Sessions - The default maximum number of sessions ...
Page 134 II-1-11 NAT Most ISPs allocate one WAN IP address to each subscriber. In order to simultaneously connect multiple devices to the Internet, a technique called Network Address Translation is employed. Usually, the router serves as an NAT (Network Address Translation) router. NAT is a mechanism that one or more private IP addresses can be mapped into a single public one.
Page 135 Available settings are explained as follows: Item Description Name Enter a name that identifies the rule. Enabled Switch the toggle to enable or disable the function. Schedule Vigor router can perform the port forwarding all the time or on a certain date and time.
Page 136 IP Group - Use the drop down list to specify an IP group profile.  Private IP Specify a LAN IP address or a range of LAN IP addresses to which the traffic will be forwarded. Single – Specify a destination LAN IP address that will receive the forwarded traffic.
Page 137 II-1-11-2 DMZ Host Vigor router provides a facility DMZ Host that maps ALL unsolicited data on any protocol to a single host in the LAN. Regular web surfing and other such Internet activities from other clients will continue to work without inappropriate interruption. DMZ Host allows a defined internal user to be totally exposed to the Internet, which usually helps some special applications such as Netmeeting or Internet Games etc.
Page 138 Interface Allows WAN traffic to be sent to a specific LAN IP address. WAN IP Enable the function of applying WAN alias IP. Then, select a WAN alias IP from the available IPv4 alias settings set on Configuration >> WAN >>...
Page 139 Available settings are explained as follows: Item Description Add Service Select from list of predefined service, or manually configure triggering and incoming protocols and ports. Manually - If selected, self-define the service name. Service Name – Enter the name of the service. ...
Page 140 TCP/UDP - open port(s) to both TCP and UDP traffic.  Select the protocol (TCP, UDP or TCP/UDP) for the outgoing data of such triggering profile. Triggering Port Start / Triggering Port End - Outgoing traffic from the WAN destined for these port numbers be forwarded to the LAN client that triggered the rule.
Page 141 Available settings are explained as follows: Item Description Enabled Switch the toggle to enable or disable the function. Listen Port Enter a port number for SIP or RTSP protocol. Apply Save the current settings and exit the page. After finishing this web page configuration, please click Apply to save the settings. II-1-11-5 UPnP The Vigor supports UPnP (Universal Plug and Play), which is a suite of network protocols that simplifies network configuration.
Page 142 Available settings are explained as follows: Item Description UPnP Enabled Switch the toggle to enable or disable the function. UPnP is required for some applications such as PPS, Skype, eMule...and etc. If you are not familiar with UPnP, it is suggested to turn off this function for security.
Page 143 II-1-12 IGMP Internet Group Management Protocol (IGMP) is an IPv4 communication protocol for establishing multicast group memberships. II-1-12-1 General Setup This page offers the general setting for configuring the IGMP function. Available settings are explained as follows: Item Description IGMP Version Select v2 or v3 or Auto.
Page 144 Normally when the router receives a “leave” message from an IGMP host, it will send a last member query message to see if there are still members within the multicast group. When Fast Leave is enabled, multicast for a group is immediately terminated when the last host in that group sends a “leave”...
Page 145 II-1-13 Objects Vigor router system provides the object functions. Users can define various types of objects and groups, and then apply them at various scenarios, like Configuration>>NAT>> Port Forwarding, Security>>Firewall Filters. The advantage is that the user doesn’t have to set data repetitively and it significantly enhances efficiency.
Page 146 Available settings are explained as follows: Item Description Object Name Enter the name that identifies this profile. IP Version Select the IP version (IPv4, IPv6 or Both) for entering correct IP address. Address Type Select the type (IP or Subnet) of address. IPv4 Settings Start IP Address Enter the beginning IP address, if the Address Type is IP.
Page 147 Apply Save the current settings and exit the page. After finishing this web page configuration, please click Apply to save the settings. II-1-13-2 IP Group Multiple IPv4 Objects /IPv6 Objects can be placed into an IPv4 Group / IPv6 Group. To add a new IP group profile, click the +Add link to get the following page.
Page 148 Search Enter the IP object name or the IPv4/IPv6 Address to search related IP object(s). Select Objects Objects available for grouping will be displayed here. Select one or more objects to group under the current IP group. Object Name Display current existed IPv4/IPv6 object(s). To add an IP object to the current IP group, simply select the object(s) you want.
Page 149 II-1-13-3 MAC Object The MAC address of local or remote clients can be specified in the MAC Object page. To add a new MAC object profile, click the +Add link to get the following page. Available settings are explained as follows: Item Description Object Name...
Page 150 II-1-13-4 MAC Group Multiple MAC Objects can be placed into a MAC Group. To add a new MAC group profile, click the +Add link to get the following page. Available settings are explained as follows: Item Description Group Name Enter a name that identifies this profile. Selected Objects +Add - Click to open the page with available objects.
Page 151 The selected one will be shown under the Selected Objects on the left side. Cancel Discard current settings and return to the previous page. Apply Save the current settings and exit the page. After finishing this web page configuration, please click Apply to save the settings. II-1-13-5 Schedule Time schedules can be created and used with router features that support them, so that those features can be turned on and off automatically at preconfigured times.
Page 152 Item Description Name Enter the name of the schedule profile. Enabled Switch the toggle to enable or disable this schedule profile. Start Date Select the date when the entry comes into effect. Start Time Set the time when the schedule is triggered. End Time Set the time for the schedule to be ended.
Page 153 II-1-13-6 Service Type Object Up to 255 Service Type Objects can be created. To add/edit a service type profile, click the +Add / Edit link to get the following page. Available settings are explained as follows: Item Description Name Name that identifies this profile. Maximum length is 15 characters. Protocol Protocol(s) to which this profile applies.
Page 154 TCP – Transmission Control Protocol UDP – User Datagram Protocol TCP/UDP – Transmission Control Protocol and User Datagram Protocol Other – Other protocols not listed above. Enter protocol number in the textbox. Specify Source Port When protocol selected includes TCP or UDP, the source and destination ports can be specified.
Page 155 Available settings are explained as follows: Item Description Object Name Name that identifies this profile. Maximum length is 63 characters. Selected Countries +Add – Click to create an entry. A list of country codes will appear on the right side. Select up to 12 required codes for the new object. Cancel Discard current settings and return to the previous page.
Page 156 To add a keyword object profile, click the +Add link to get the following page. Available settings are explained as follows: Item Description Object Name Name that identifies this profile. Maximum length is 16 characters. Keywords Keywords to be matched. Enter the content for this profile. For example, type gambling as Contents.
Page 157 II-1-13-9 Backup & Restore The object settings can be backed up as a file. The backup file can be imported to the device to restore the configuration in the future if required. Available settings are explained as follows: Item Description Backup Usually, a user can create the objects through the web page under Objects.
Page 158 II-1-14 LTE II-1-14-1 SIM Inbox This page will list the received SMS messages in the LTE SIM card. The SMS Inbox table shows the received date, the phone number or sender ID where this message was from, and the beginning of the message content.
Page 159 The format can be an international phone number (+8869123455678) or a general phone number (0912345678). Message Enter the message content to send. The total number of characters that you can Enter this field is 160. Cancel Discard current settings and return to the previous page. Apply Save the current settings and exit the page.
Page 160 II-1-15 Wake on LAN Using the Wake on LAN (WoL) feature, LAN clients that support WoL can be powered on or resume from sleep over the network, without the need for physical access to the device. In order for LAN clients to be able to wake from sleep or off states, the network interface card must be configured to monitor Wake-on-LAN messages.
Page 161 on Configuration>>LAN>>Bind IP to MAC will be shown for you to choose one. Wake Up Click to send Wake-on-LAN message to the specified LAN client. Wake on LAN/WAN Device List +Add Click to specify a new device which will be awakened. Name –...
Page 162 II-1-16 Notification Services Generally, the notification service refers to notifying users via email or SMS. II-1-16-1 Services & Providers Before notifying the clients, the router’s system administrator needs to configure the server and provider used to send letters or SMS messages. Available settings are explained as follows: Item Description...
Page 163 II-1-16-2 SMTP Server Up to 2 SMTP server profiles can be set up for chosen by Services & Providers. To add a new profile, click the +Add link to get the following page. Available settings are explained as follows: Item Description Name Enter the name of the profile.
Page 164 Specify Port Switch the toggle to enable the port setting. Specify SMTP Port – Enter the port number of the SMTP server. Sender Address Enter the E-mail address of the sender. Connection Security There are three methods to enhance the connection security of SMTP server.
Page 165 II-1-16-3 SMS Provider Up to 2 SMS profiles can be set up as the SMS Providers. To add a new profile, click the +Add link to get the following page. Available settings are explained as follows: Item Description Name Enter the name of the profile. Enabled Switch the toggle to enable/disable this profile.
Page 166 function. This option allows you to set the IP address of the router which can be treated as a SMS gateway. Customized – Set the IP address or URL provided by the SMS provider. When Vigor Router SMS Gateway URL – Enter an identifier (domain name or IP address) SMS Gateway is for the service provider.
Page 167 II-1-16-4 Webhook Vigor router will send a report (webhook message) including WAN up, down, CPU usage, memory usage and etc. to a monitoring server periodically. Up to 10 webhook profiles can be set up. To add a new profile, click the +Add link to get the following page. Available settings are explained as follows: Item Description...
Page 168 Monitoring Server URL Enter the URL of a server. Cancel Discard current settings and return to the previous page. Apply Save the current settings and exit the page. After finishing this web page configuration, please click Apply to save the settings. II-1-16-5 Notification Up to 20 notification profiles can be created and applied with the provider notification services.
Page 169 Profile Name Enter the name of the service profile. Events Type Alarm – The Vigor system will send alert messages to recipients if an alert event occurs. Report – The Vigor system will periodically send reports to recipients when an alert event occurs. Report Period –...
Page 170 Password Protection Switch the toggle to enable or disable the function. If enabled, set a password. New Password – Enter a string as the password. Confirm New Password – Enter the string again. Back up – Click to perform the backup job. Restore from Backup Select the backup file you wish to restore.
Page 171 II-1-17 RADIUS/TACACS+ Remote Authentication Dial-In User Service (RADIUS) is a security authentication client/server protocol that supports authentication, authorization and accounting, which is widely used by Internet service providers. It is the most common method of authenticating and authorizing dial-up and tunneled network users. The router supports external TACACS+ and internal and external RADIUS servers for user authentication.
Page 172 Available settings are explained as follows: Item Description Name Enter the name of the profile. Authentication RADIUS Switch the toggle to enable/disable this profile. Authentication Authentication Server +Add – Click to add a server (up to 3). Server IP –Enter the IP address of RADIUS server. Secret –...
Page 173 Accounting Server +Add - Click to add a server (up to 3). Server IP - Enter the IP address of RADIUS server. Secret - The RADIUS server and client share a secret that is used to authenticate the messages sent between them. Both sides must be configured to use the same shared secret.
Page 174 Available settings are explained as follows: Item Description Enabled Switch the toggle to enable/disable settings for this RADIUS server. Authentication Port The UDP port number that the RADIUS server is using. The default value is 1812, based on RFC 2138. RADIUS Client Access List IPv4 Client List Only clients that meet the criteria configured in the access list are...
Page 175 PAP/CHAP/MS-CHAP/MS-CHAP2 - PAP, CHAP (Challenge-Handshake Authentication Protocol), and Microsoft versions of CHAP can be used to validate users. 802.1X Method Support 802.1X Method – The built in RADIUS server offered by Vigor router can act as the AAA server. Select to enable 802.1X support. Certificate Select the certificate (created by Configuration>>Certificates>>Local Certificates) for applying to Internal RADIUS.
Page 176 Authentication Port The UDP port number that the RADIUS server is using. The default value is 1812, based on RFC 2138. Primary Server/Secondary Server Server IP Address Enter the IP address of the TACACS+ server. Two external TACACS+ servers are allowed to set in this page. The secondary TACACS+ server will be used as a backup server when the primary TACACS+ server is down.
Page 177 II-1-18 Certificates A digital certificate is an electronic document issued by a certification authority (CA) to an entity to prove ownership of a public key. It contains identifying information including the issued-to party’s name, a serial number, expiration dates etc., and the digital signature of the certificate-issuing authority so that a recipient can verify that the certificate is real.
Page 178 To add a new certificate, click the +Add link to get the following page. Available settings are explained as follows: Item Description Certificate Name Enter the name that identifies the certificate. Method Generate CSR - Generate a new local certificate. Import Certificate &...
Page 179 Method - Generate CSR Key Type Displays the key type used by the certificate. Algorithm Displays the algorithm for generating the certificate. Type Select the type of Subject Alternative Name and enter its value. IP Address  Domain Name  ...
Page 180 CA to save time and provide convenience for general user. Later, such root CA generated by DrayTek server can perform the issuing of local certificate. To import a RootCA to the Vigor router, click +Add to upload one certificate.
Page 181 Available settings are explained as follows: Item Description Upload Certificate Choose a file - Select a local certificate file. Cancel Discard current settings and return to the previous page. Apply Click to import selected certificate file to the router. To create a new RootCA, click Create to get the following page. Available settings are explained as follows: Item Description...
Page 182 Organization Unit (OU) Enter the department within your organization that you wish to be associated with this certificate. Email (E) Enter the email address of the entry. Cancel Discard current settings and return to the previous page. Apply Click to submit generate request to the CA server. After finishing this web page configuration, please click Apply to save the settings.
Page 183 II-1-18-3 Local Services This page allows you to set different categories and services for the local certificate(s) to prevent security warning messages popped up due to using different browsers. Available settings are explained as follows: Item Description Local Certificate Select a local certificate (has been imported to Vigor device) with full key and authentication information.
Page 184 II-1-18-4 Backup & Restore You can back up or restore the Local and Trusted CA certificates on the router to a file. Available settings are explained as follows: Item Description Backup Selected Item Select the certification type (local, trusted or all certificates). Password Protection Enabled - Switch the toggle to enable or disable the function.
Page 185 II-2 Security II-2-1 Firewall Filters A network firewall monitors traffic travelling between networks, with the ability to selectively allow or block traffic using a predefined set of security rules. This helps to maintain the integrity of networks by stopping unauthorized access and the exchange of sensitive information. LAN users are provided with secured protection by the following firewall facilities: User-configurable IP filter (Data Filter).
Page 186 The below shows the attack types that DoS/DDoS defense function can detect: 1. SYN flood attack 9. SYN fragment 2. UDP flood attack 10. Fraggle attack 3. ICMP flood attack 11. TCP flag scan 4. Port Scan attack 12. Tear drop attack 5.
Page 187 Block when under Select the risk level. Once the risk for the packets (incoming/outgoing) reaches the threshold (20/40/60/80) defined here, Vigor system will block the IP immediately. The default setting is "Disabled," which means that no filtering will be performed. Log when under Select the risk level.
Page 188 II-2-1-2 IP Filters Users can create access control policies and set black & white lists. To add a new IP filter profile, click the +Add link to get the following page. Available settings are explained as follows: Item Description Name Enter a name to identify the rule.
Page 189 Clear Session when Schedule is On - Select this option to clear  existing sessions when the rule is changes is enabled by a schedule profile. All connections will be reset. Direction Specify the direction of traffic flow to which this filter rule applies. LAN to WAN ...
Page 190 Destination IPv6 Address – Click +Add to enter the IPv6 address.  IPv6 Subnet–Enter the IPv6 Address and the prefix length. Destination IPv6 Subnet Address - Click +Add to enter the IPv6  address with a subnet mask. IP Object–Allows selection of predefined IP Objects. Destination IP Object –...
Page 191 Action Action Action to be taken when packets match the rule. Pass - Packets matching the rule will be passed immediately. Block - Packets matching the rule will be dropped immediately. Bypass Content Filter Switch the toggle to enable the function. If enabled, Vigor router will perform the data transmission bypassing the content filter rules.
Page 192 II-2-1-3 Content Filters Content Filter includes APPE, URL Filter, and WCF services. APPE is filtered by defined pattern. URL and WCF filters filter the servers to connect to by examining the server name in DNS request packets or TLS client hello packets. This page allows you to configure up to 40 content filters profiles (including APPE, URL, and WCF) previously.
Page 193 Profile Name Enter a name to identify the filter profile. Enabled Switch the toggle to enable/disable this profile. Schedule Always On – This rule is enabled and active for always. Scheduled On - Select Schedule indexes to allow the rule to be enabled at specific times.
Page 194 keyword profile(s). If the session meets the keyword filter profile, the system will perform the action reversely. Enable Syslog Switch the toggle to enable the recording the filter log onto SysLog. Cancel Discard current settings and return to the previous page. Apply Save the current settings.
Page 195 If the outgoing traffic doesn't match any IP/content filter rule and the IP Filters Default Action is PASS, it will be checked with this rule additionally. If the outgoing traffic meets the above conditions but still doesn't meet the following Content Destination rules, the system will perform the action reversely.
Page 196 II-2-1-5 Backup & Restore This page allows the backup and restoration of router settings. In addition to restoring Vigor C410/C510’s own configuration backup, it is possible to restore backups from certain DrayTek routers on Vigor C410/C510. Available settings are explained as follows: Item...
Page 197 II-2-2 Defense Setup II-2-2-1 DoS Defense As a sub-functionality of IP Filter/Firewall, there are several types of detect / defense function in the DoS Defense setup. In default, the DoS Defense is disabled. Available settings are explained as follows: Item Description Defense Setup Enable DoS Defense...
Page 198 UDP Flood Packet Rate – The default values of threshold and  timeout are 5000 packets per second and 10 seconds, respectively. Port Scan – Switch the toggle to enable/disable the Port Scan detection. Port Scans attack your network by sending packets to a range of ports in an attempt to find services that would respond.
Page 199 detect and reject this kind of packets. ARP Spoofing Defense Block ARP replies with This feature can protect a network from ARP (Address Resolution Protocol) spoofing attacks. Inconsistent Source MAC addresses – If the sender’s MAC address in the ARP packets does not match the source MAC address from ARP packet's ethernet header, the Vigor system will block the packets immediately.
Page 200 Available settings are explained as follows: Item Description Enable Brute Force Switch the toggle to enable or disable the detection of brute force Protection login attempts. Login Protection for Service Service Server BFP can protect the Vigor router's login feature from hacker attacks attempting to crack accounts and passwords through protocols such as HTTPS/HTTP, SSH, Telnet, FTP, SNMP, TR-069, VPN, IAM, and more.
Page 201 Define the protection rules for VPN connection. Enable –Switch the toggle to enable or disable the defense setup settings for the VPN connection. Maximum Login Attempts – Specify the maximum number of failed login attempts before further login is blocked. The users who fail to log in multiple times by reaching the maximum login attempts will be penalized a period not to login Vigor system.
Page 202 II-2-2-3 Allow/Block List Define the white list and the black list for the clients. Available settings are explained as follows: Item Description DoS Defense Switch the toggle to enable or disable the DoS Defense function. Priority for Conflicts Define the processing order/priority for the conflicts. Allow List first-Pass –...
Page 203 II-2-2-4 Defense Syslog Display the type of Syslog provided by Vigor router. Corresponding information related to operation, status, and defense to Vigor router will be recorded to the Syslog server. Available settings are explained as follows: Item Description Enable Syslog Select the feature(s).
Page 204 To add a new profile, click +Add. Available settings are explained as follows: Item Description Name Enter a string as the profile name. Policy Disabled – Disable this policy. Allow List – Only allow wireless clients whose MAC addresses are listed in the Device list.
Page 205 MAC object will be allowed or blocked. MAC Group – Select the MAC group(s). All the MAC objects under the MAC group will be allowed or blocked. Device List +Add – Click to add a new device by entering the device name and the MAC address.
Page 206 II-2-4 IPv6 Address Security This page allows you to configure the IPv6 interface ID. Available settings are explained as follows: Item Description Generate Interface ID Select to use Random IIDs or EUI-64 IIDs as the interface ID. Random IIDs  EUI-64 ...
Page 207 II-2-5-1 BFP Status This page shows the status of Brute Force Protection. Available settings are explained as follows: Item Description IP Address Displays the IP addresses that have been blocked due to triggering the Penalty or User Account Lockout function when using a System Account (e.g., logging into HTTPS/HTTP, SSH, Telnet, SNMP, and TR-069 Service Account Name...
Page 208 II-2-5-2 IP Reputation This page displays the IP Reputation status for the Vigor router regarding both inbound and outbound traffic. Available settings are explained as follows: Item Description Seen at Displays the time when the packet matches the specified rule. Source IP Displays the IP address of the source of the threat.
Page 209 II-2-6 URL/IP Lookup This page allows you to view various score of specified IP or URL, click the Look Up button to see the relevant information. After analysis, the Vigor system will provide relevant information about the IP/URL, including risk level, reputation score, category, and more. Available settings are explained as follows: Item Description...
Page 210 Expired Date  Organization  Location  Below shows an example of look up IP/URL:...
Page 211 II-3 IAM Identity and Access Management (IAM) allows the network administrator to manage Internet access at the user level. After a user has been authenticated using a username and password, the user will be granted Internet access and additionally, optional firewall rules and LAN access policies can be applied.
Page 212 To add a new user account profile, click +Add. Available settings are explained as follows: Item Description Username Enter the Login name (e.g., LAN_User_Group_1, WLAN_User_Group_A, WLAN_User_Group_B, etc.) for this user profile. Usage Define the type of this user profile. IAM User – This profile can be used for VPN, RADIUS, 802.1X, USB and IAM (Identity and Access Management) authentication.
Page 213 New Password/ When a user tries to access the Internet, he or she must supply a valid user name and password combination for authentication. The profile Confirm New with matching user name and password will be applied to the session. Password General Status...
Page 214 In the filed of Validation Code, enter the one-time password and click Verify. Now, the configuration is finished. You will be asked to enter the 2FA code on the after passing the username and password authentication. SMS/Email – The password will be transferred via the SMS and/or Mail profiles selected from User Information above.
Page 215 Persistent Keepalive – Default is 60 seconds. If the peer is behind  a NAT or a firewall, use the default setting. Security Specify VPN Peer – Switch the toggle to enable/disable the security mechanism for the remote client. Remote Client IP – Enter the IP address of the remote peer if Specify VPN Peer is enabled.
Page 216 To add a new OpenVPN profile, click OpenVPN Config Generator. On this page, you can create configuration required for a remote OpenVPN client to connect to the router and then download it directly or send it to the user via email. Available settings are explained as follows: Item Description...
Page 217 Enable - The remote client can auto-dial to this Vigor router to build an OpenVPN tunnel. Disable - Disable the function. Cache password for Switch the toggle to enable/disable the function. auto reconnect Enable - OpenVPN will reconnect per hour. While reconnecting, the password is required.
Page 218 To add a new user group profile, click +Add. Available settings are explained as follows: Item Description Group Name Enter a name for identification. Selected Users +Add – Click to select user profiles to be grouped under the current group profile. Available Users It appears after clicking +Add.
Page 219 II-3-1-3 Authentication Server Vigor router can authenticate users using either a built-in (None) or external service (Radius or TACACS+) server. To create a new authentication server profile, click +Add. Available settings are explained as follows: Item Description Server Name Enter a name for identification. Authentication Type Select the authentication type (RADIUS or TACACS+).
Page 220 shown in this area. Select the one you need. Cancel Discard current settings and return to the previous page. Apply Save the current settings and exit the page. After finishing this web page configuration, please click Apply to save the settings. II-3-2 IAM Policies IAM Policy contains access policy, group policy and conditional access policy.
Page 221 Cancel Discard current settings. Apply Save the current settings. After finishing this web page configuration, please click Apply to save the settings.
Page 222 II-3-2-2 Access Policies Access Policies can be applied to LAN interface to determine how the users/clients access the Internet via identification authentication. This page is used for define different access policies for IAM application. To add a new access policy profile, click +Add. Available settings are explained as follows: Item Description...
Page 223 access to the network by the MAC address filter profile. Login with built-in User function – The clients will be authenticated before accessing the network. Guest Hotspot - Allow or deny the clients/user accounts access to the network based on the hotspot profile selected. If MAC Allow/Block List Only is selected as the Access Control Mode.
Page 224 II-3-2-3 Group Policies The traditional firewall generally provides a blocking mechanism with IP-based rules to permit or block traffic on designated ports. To more securely manage access privilege, Group Policies provide a better way to help administrators decide permission for specific users, which define limitations and configuration based on role behavior to authorize corresponding restrictions, such as Time and Date Limit, Resources, Firewall Policies, and Traffic Shaping Policies.
Page 225 Available settings are explained as follows: Item Description Name Enter a name for identification. Schedule Always On - The function of group policy is running all the time. Scheduled On - The function of group policy is activated based on the schedule profile.
Page 226 Destination IP End – Enter an IP address as the ending IP address. If only one static IP address will be filtered by this profile, enter the same IP address as the value in Destination IP Start. Protocol – Specify the protocol(s) which this filter rule will apply to. Dest Port Start –...
Page 227 Enable Syslog The filtering result can be recorded according to the setting selected for Syslog. Cancel Discard current settings and return to the previous page. Apply Save the current settings and exit the page. After finishing this web page configuration, please click Apply to save the settings.
Page 228 II-3-2-4 Conditional Access Policy Different from the Access Policies designed for setting Access Control Mode, this page provides a policy combination of time schedule, source IP, and multi-factor authentication (MFA). It can be used together with the resources. To add a new conditional policy profile, click +Add. Available settings are explained as follows: Item Description...
Page 229 Required Set the time period for re-authenticating the user when the user Reauthentication wants to access the other IP address (defined in IAM>>Resources). Select Everytime or When Login Session Lifetime expires within. Vigor system will perform the reauthentication job for users (clients). Source IP Source IP Condition To Permit or Deny Access if the source IP is from the designated...
Page 230 Available settings are explained as follows: Item Description Name Enter a name for identification. Resource Type Select IP or MAC as the resource type. Resource IP / MAC Enter the IP address or MAC address according to the resource type selected for this profile.
Page 231 Cancel Discard current settings and return to the previous page. Apply Save the current settings and exit the page. After finishing this web page configuration, please click Apply to save the settings.
Page 232 II-3-4 Hotspot Web Portal The Hotspot Web Portal, or the so-called captive portal allows you to control and manage access from LAN users. II-3-4-1 Profile Setup It is also a manner of IAM to identify, authenticate, and authorize any Access from the LAN or redirect to your appointed landing page.
Page 233 Available settings are explained as follows: Item Description Profile Name Enter a name for identification. Portal Method Click through – The user will be redirected to the landing page (defined in Captive Portal URL) and be granted access to the Internet. Skip Login, landing page only –...
Page 234 RADIUS MAC Authentication – Switch the toggle to enable/disable the function. If the RADIUS server supports authentication by MAC address, enable RADIUS MAC Authentication and select the MAC address format that is used by the RADIUS server. MAC Address Format - Select the MAC address format. RADIUS NAS-Identifier - Enter an ID.
Page 235 Cancel Discard current settings and return to the previous page. Apply Save the current settings and exit the page. After finishing this web page configuration, please click Apply to save the settings.
Page 236 Vigor router system. Custom Logo Set a logo displayed on the portal. None – DrayTek default logo will be used. Upload Image – Click to use another image as the logo. The file size must be less than 1MB.
Page 237 Box Opacity Set the opacity (0 – 100%) of the background image. Box Shadow Set the transparency (0 – 100%) of login column. Welcome Message Enter the text to be displayed as the welcome message. Terms and Conditions Select Internal Content or External Content. Content Internal Content - Enter the text to be displayed in the Terms and Conditions pop-up window.
Page 238 Available settings are explained as follows: Item Description Destination Domain/IP +Add Enabled – Switch the toggle to enable/disable the setting. Destination Domain/IP Whitelist – Please enter IP address or domain name without the 'http://' or 'https://' prefix. Option (Delete) – Remove current entry. Destination Port +Add Enabled –...
Page 239 In this step you can configure advanced options for the Hotspot Web Portal. Available settings are explained as follows: Item Description Quota Management Login Methods Show different login methods. Set individual quota policy profiles for each method. Quota Policy Profile Specify a quota policy profile for each login method.
Page 240 II-3-4-2 Quota Policy Profile The system administrator can set restrictions on valid time, idle time, reconnection time, bandwidth, and session quotas that apply only to the web portal clients. To add a new quota policy profile, click +Add. Available settings are explained as follows: Item Description Profile Name...
Page 241 client from accessing the network or the Internet. If the client wishes to log in again, they will need to be verified or authenticated by the Vigor router. Enable Idle Timeout When this option is enabled, Vigor router will terminate the network connection if the is no activity from the user after the specified idle time has passed.
Page 242 II-3-4-3 User Information This page provides details about users (web portal clients) connected to this router. Available settings are explained as follows: Item Description Online Users Display the number of online users connected to the Internet via the Vigor router. All Users Display the total number of users (both online and offline) connecting to the Internet through the Vigor router.
Page 243 II-3-5 Account Status This page displays the status of Brute Force Protection for the IAM user account (e.g., using FTP and IAM Service). Available settings are explained as follows: Item Description Hit Count Displays the number of times a IAM user has triggered the Penalty or User Account Lockout.
Page 244 II-3-6 Backup & Restore This page can be used to backup/restore the IAM configuration. Available settings are explained as follows: Item Description Backup Selected Item Select the policy or policies for the configuration backup. Password Protection For the sake of security, the configuration file for the access point can be encrypted.
Page 245 II-4 VPN A Virtual Private Network (VPN) is the extension of a private network that encompasses links across shared or public networks like the Internet. In short, by VPN technology, you can send data between two computers across a shared or public network in a manner that emulates the properties of a point-to-point private link.
Page 246 Available settings are explained as follows: Item Description Accept VPN It can filter trusted VPN connections by setting up IP object/group Connections on allow lists or block lists. Select the WAN interfaces to accept VPN connections. All Interfaces – Accept the VPN connections on all WAN interfaces. Specified Interface –...
Page 247 II-4-1-2 EasyVPN The Vigor router supports multiple VPN protocols, including IPsec, WireGuard, and OpenVPN. However, general users may find it challenging to choose the right protocol or may face difficulties during the VPN setup. Additionally, environmental factors can sometimes prevent a successful VPN connection.
Page 248 After finishing this web page configuration, please click Apply to save the settings. II-4-1-3 IPsec IPsec (Internet Protocol Security) encrypts and authenticates network traffic, ensuring secure data transmission over VPNs. It protects against unauthorized access, data tampering, and eavesdropping, making it ideal for remote work, site-to-site and teleworker connections, while safeguarding sensitive information across untrusted networks.
Page 249 II-4-1-4 WireGuard WireGuard is a secure, fast, and modern open-source VPN Protocol. This VPN connection can build a VPN by exchanging private and public keys between VPN servers (e.g., Vigor router) and VPN clients (e.g., WireGuard VPN Client). Available settings are explained as follows: Item Description Enabled...
Page 250 II-4-1-5 OpenVPN The OpenVPN protocol utilizes public keys, certificates, and usernames and passwords to authenticate the client. Traffic is carried over secure channels built upon industry-standard SSL/TLS encryption protocols. With integrating of OpenVPN, Vigor router can help users to achieve more robust, reliable and secure private connections for business needs.
Page 251 Cipher Algorithm Select the desired cipher algorithm. Two encryption algorithms are supported: AES128, AES192 and AES256. AES256 is more secure than AES128 but may result in lower performance because it incurs higher computational overhead. HMAC Algorithm HMAC stands for Hash-based Message Authentication Code. It is used to validate the data integrity and authenticity of the VPN data.
Page 252 II-4-1-6 VPN MSS MSS is the abbreviation of Maximum TCP segment size. This page is used to automatically adjust the TCP MSS value within a VPN tunnel. It optimizes packet size to prevent fragmentation and ensure the efficient data transmission over the network. Available settings are explained as follows: Item Description...
Page 253 II-4-2 Site-to-Site VPN The VPN means a connection between two router's LAN networks, which Allows employees in branch offices and head office to share the same network resources.  Configures the VPN server for inbound connections from other routers.  This page allows to configure the VPN server for inbound connections from other routers.
Page 254 Available settings are explained as follows: Item Description Advanced Click to show or hide the advanced settings for the site-to-site VPN. Mode:ON/OFF Profile Name Enter the name of the profile. Enabled Switch the toggle to enable/disable the settings. General Direction Specify the allowed call direction of this VPN profile.
Page 255 Dial-in Allowed Schedule  IPsec (with the direction on Both, Dial-Out)- IPsec Dial-Out Protocol  Remote IP/ Domain  Dial-Out Mode  IPsec Dial-In Protocol Select a protocol to trigger an IPsec VPN connection through the Internet. IKEv1/v2  XAuth. ...
Page 256 Negotiation It is available when IKEv1 is selected as IPsec Dial-Out Protocol. Select Main mode or Aggressive mode. The ultimate outcome is to exchange security proposals to create a protected secure channel. The default value in Vigor router is Main mode. Main Mode –...
Page 257 Aggressive Mode – Main mode is more secure than Aggressive mode since more exchanges are done in a secure channel to set up the IPsec session. However, the Aggressive mode is faster. Specify VPN Peer It is available when IKEv1/v2 is selected as IPsec Dial-In Protocol. This feature can restrict this IPsec to be initiated only by the specified peer IP address or domain name, and specify the private key to be used.
Page 258 600 and 86400 seconds. Perfect Forward Secret – Switch the toggle to enable/disable this function. PFS forces key exchange during Phase-2 periodic Rekey. Dead Peer Detection Dead Peer Detection (DPD) is the method to detect an IPsec connection. DPD Delay – It is a keep-alive timer. A Hello message will be emitted periodically when a tunnel is idle.
Page 259 Select the WAN connection for connections made using this profile. This setting is useful for dial-out only. Selected Interface First – While connecting, the router will use the selected WAN interface first for VPN connection. If selected WAN fails, the router will try to use other WAN(s). Selected Interface Only –...
Page 260 II-4-2-2 VPN Type - WireGuard WireGuard is a secure, fast, and modern open-source VPN Protocol. This VPN connection can build a VPN by exchanging private and public keys between VPN servers (e.g., Vigor router) and VPN clients (e.g., WireGuard VPN Client). To add a new resources profile (WireGuard VPN type), open VPN>>Site-to-Site VPN and click +Add.
Page 261 connection. Scheduled –Select this option to make the VPN connection based on the schedule. Drop the Active Tunnel when Schedule is Enforced – Switch  the toggle to enable/disable the function. VPN Schedule – Use the drop-down menu to specify one VPN ...
Page 262 IP address. A subnet mask of 255.255.255.0 (or /24 in CIDR notation) means that the first 24 bits of the IP address are for the network, and the remaining 8 bits are for hosts (devices) within the local network. Remote Network – Defines the IP address range of the remote network that you are connecting to.
Page 263 II-4-2-3 VPN Type - OpenVPN The OpenVPN protocol utilizes public keys, certificates, and usernames and passwords to authenticate the client. Traffic is carried over secure channels built upon industry-standard SSL/TLS encryption protocols. OpenVPN requires the use of certificates. Before establishing OpenVPN connection, general settings for OpenVPN service shall be configured first.
Page 264 Dial-In Allowed Connect and disconnect according to schedule profiles. Schedule Always Allow – Select this option to maintain an always on dial-in connection. Scheduled –Select this option to make the VPN connection based on the schedule. Drop the Active Tunnel when Schedule is Enforced – Switch ...
Page 265 shown in this field. More Subnets It is used to add more static routes for subnets destined for the remote network. Switch the toggle to enable/disable this function. +Add – If the function is enabled, click Add to add new static ...
Page 266 bandwidth usage while transferring the compressed packets. TLS Auth – Switch the toggle to use/close the TLS authentication method. If the OpenVPN configuration file contains TLS Key, they will be automatically imported. Cancel Discard current settings and return to the previous page. Apply Save the current settings and exit the page.
Page 267 II-4-3 Teleworker VPN The VPN means a connection between the remote host and router's LAN network. The host will use an IP address in the local subnet. It allows employees to access the company's internal resources when they are traveling. Open VPN>>Teleworker VPN to get the following page.
Page 268 Available settings are explained as follows: Item Description Enter the Login name (e.g., LAN_User_Group_1, WLAN_User_Group_A, Username WLAN_User_Group_B, etc.) for this user profile. Usage Define the type of this user profile. IAM User – This profile can be used for VPN, RADIUS, 802.1X, USB and IAM (AWS Identity and Access Management) authentication.
Page 269 Multi-factor authentication (MFA) can offer a more secure network connection. Enable MFA – Switch the toggle to enable/disable the MFA function. Allowed MFA Method - Select to require TOTP, Email, SMS and/or  mOTP authentication when logging in from the WAN. TOTP –...
Page 270 OpenVPN - Switch the toggle to enable OpenVPN protocol. WireGuard –Switch the toggle to enable WireGuard protocol. General Key Mode – Select Auto or Customized.  Select Auto and click Generate Key Pair to generate the key pair of the private key and the public key of the peer. Select Customized to enter the public key of the peer side.
Page 271 Choose LAN DHCP (the DNS IP will be assigned by Vigor router automatically) or Manually. If Static DNS is selected, Primary DNS – Enter the IPv4 address for Primary DNS server.  Secondary DNS – Enter another IPv4 address for DNS server if ...
Page 272 Set VPN as Default Switch the toggle to enable/disable the function. Gateway Enable - The Vigor router will be treated as a "default" gateway for OpenVPN clients. The OpenVPN client will redirect all the traffic to the Vigor router via the OpenVPN tunnel. Disable -Disable the function.
Page 273 II-4-4 VPN Connection Status This section displays various VPN connection status, including Site-to-Site VPN  Teleworker VPN  Connection History  Failed VPN Connection Attempts  Blocked by Brute Force Protection ...
Page 274 II-4-5 Backup & Restore This page can be used to backup/restore the VPN configuration. Available settings are explained as follows: Item Description Backup Selected Item Select the VPN type for the configuration backup. Password Protection For the sake of security, the configuration file for the access point can be encrypted.
Page 275 II-5 Virtual Controller - Wireless This feature allows users to establish and manage a network of DrayTek devices connected by Wireless or Wired links. The network consists of one Root and multiple Nodes. Root controls this network and syncs configurations to Nodes. Normally Root and Nodes use the same Wireless SSID/security, and Wireless clients can connect to any of them.
Page 276 The following figure shows how Vigor router runs as MESH ROOT: II-5-1 Role Setup This page can determine the role of the Vigor router connecting to the computer physically. And set up its Mesh function and AP Management function. Available settings are explained as follows: Item Description Advanced...
Page 277 Switch the toggle to enable or disable the mesh function. Mesh Protocol Select the mesh protocol to manage the mesh network. Vigor Mesh – A protocol developed by DrayTek. Group Name Displays the name of the current mesh group. Change the name if required.
Page 278 II-5-2 Device II-5-2-1 Device List This page displays general information about the devices grouped under Vigor C410/C510 series. Click Edit to modify the settings of the selected device. The settings for the APs are slightly different based on the role of the Root and Node. Available settings are explained as follows: Item Description...
Page 279 All Nodes immediately. Config Sync to All Full Config – Sync the full configuration to all nodes. Nodes Select Scope - Sync the selected configuration to all nodes. Sync Config Sync now –Click to execute the sync configuration. Cancel Discard current settings and return to the previous page. Apply Save the current settings and exit the page.
Page 280 II-5-2-2 Mesh Status Display general information of the Mesh network. This page is available only when Mesh is enabled (Virtual Controller>>Role Setup). Available settings are explained as follows: Item Description Name Displays the name of the device (for identification). MAC Address Displays the MAC address of the device.
Page 281 Optimize All Mesh Links - It is available only when VigorMesh is selected as Mesh Protocol and the device is a Root. Press the Optimize button to perform reselect to reconstruct the Mesh network. II-5-2-3 AP Adoption Search and add new Nodes to the device's Group. This page is available when current device role is Root.
Page 282 Model - Displays the model of the device. Signal Strength - Displays the signal strength of the device if it was found through the Wireless. Device Name - Insert the name of the device for identification. Tips for VigorMesh Network Setup VigorMesh supports auto uplink.
Page 283 The maximum of devices number is (ssid_num * device_num <= 56) -> device_num is the max  device number How to set up a VigorMesh group? The following steps will guide you how to setup a VigorMesh Group. Please access the web of the device which you want to use it as the Root. (Optional) Open Virtual Controller>>Wireless>>Role Setup.
Page 284 Refer to Virtual Controller>>Wireless>>Device>>Device List and Virtual Controller >> Wireless >> Device >>Mesh Status for viewing the result.
Page 285 VigorSwitch device, reboot the device or return to factory default settings of VigorSwitch at one time. This feature allows users to establish and manage a network of DrayTek devices connected by Wireless or Wired links.
Page 286 II-6-2 Device This page displays information, including Switch name, MAC address, IP address, Firmware Version, Model, Online Status, System Uptime, Port in Use, Clients, Last Process Status and Option of a VigorSwitch connected to the Vigor router. To add a new switch, click the Add New Switch link to open the following page. Click Scan and wait for a while Vigor router will scan and list the switch connecting to Vigor router.
Page 287 The selected switch, now, has been managed by the Vigor router. To edit the device information, set port profile or view the port status of the switch, click Edit. General This page shows a summary related to the VigorSwitch. Also, it offers Reboot Now and Factory Reset Now buttons to assist users in updating the switch.
Page 288 Port Profile This page configures the speed, duplex mode, and port profile for each GE port of the VigorSwitch. Available settings are explained as follows: Item Description Port Display the number of the GE port. Description If required, enter a brief description to explain the device connected to VigorSwitch via the LAN port.
Page 289 Auto(1000M): Auto speed with 1000M ability only.  Auto(10/100M): Auto speed with 10/100M ability.  10M: Force speed with 10M ability.  100M: Force speed with 100M ability.  1000M: Force speed with 1000M ability.  Selecting Auto (auto-negotiation) allows one port to negotiate with a peer port automatically to obtain the connection speed and duplex mode that both ends support.
Page 290 Port Status This page will display the current status of each GE port of the Vigor switch such as the transmission rate (TX/RX), port type, VLAN ID, applied port profile, etc.
Page 291 II-6-3 Port Profile This page allows you to configure profiles with general settings such as name, group, IP address, MAC address, model, and password required by VigorSwitch when it connects to this Vigor router. To add a new profile, click +Add. To modify an existing profile, select the one and click the +Edit link to open the setting page.
Page 292 Item Description Profile Name Enter a name for the Switch. The purpose of name is used for identification. It is useful when there are many VigorSwitch (same modes) devices connecting to Vigor router. Advanced Click to show or hide the advanced settings. Mode:ON/OFF PoE Port Enable Switch the toggle to enable/disable the port profile.
Page 293 VLAN This page allows a user to configure interface (GE) settings related to VLAN. Available settings are explained as follows: Item Description Profile Name Enter a name for the Switch. The purpose of name is used for identification. It is useful when there are many VigorSwitch (same modes) devices connecting to Vigor router.
Page 294 Tagged VLAN Select all VLAN profiles or independent VLAN profiles to be tagged in the VLAN. Options under the Advanced Mode Forbidden VLAN The GE port set in a VLAN profile allows default VLAN packet to pass through. Select the VLAN profile as forbidden VLAN. Cancel Discard current settings and return to the previous page.
Page 295 GE port. Fixed – The selected GE port only sends static VLAN information to neighboring device and allows static VLAN packet to pass through. Forbidden – The selected GE port only allows default VLAN packet to pass through. Cancel Discard current settings and return to the previous page. Apply Save the current settings and exit the page.
Page 296 of the IGMP group profiles (defined in Filtering Profile). Throttling Exceed VigorSwitch will perform the action defined below when the number Action of IGMP join reports for the specified interface exceeds the value defined in Max Group. Deny – It is default setting. The IGMP join report (for multicast service) received by such interface will be discarded.
Page 297 Available settings are explained as follows: Item Description Profile Name Enter a name for the Switch. The purpose of name is used for identification. It is useful when there are many VigorSwitch (same modes) devices connecting to Vigor router. BPDU Filter Switch the togglee to enable / disable the function of dropping all BPDU packets and no BPDU will be sent.
Page 298 This page is used to configure port settings for QoS. The configuration result for each port will be displayed on the table listed on the lower side of this web page. Available settings are explained as follows: Item Description Profile Name Enter a name for the Switch.
Page 299 Cancel Discard current settings and return to the previous page. Apply Save the current settings and exit the page. After finishing this web page configuration, please click Apply to save the settings. II-6-4 Maintenance Vigor router can backup, restore, reboot, or reset the managed Vigor switch devices. Available settings are explained as follows: Item Description...
Page 300 Reboot – Click to reboot the remote switch (managed by Vigor  router) with current configuration. For the Action Type set as Factory Rest: Reset – Click to reset the selected device(s) (listed on Existing  Device list) with the factory default switch settings.
Page 301 Chapter III Management...
Page 302 III-1 System Maintenance For the system setup, there are several items that you have to know the way of configuration: Device Settings, Management, Firmware, Backup & Restore, Accounts and Reboot System, and Firmware Upgrade. III-1-1 Device Settings The user can modify the time, device name, and Syslog for the device. III-1-1-1 Time Open System Maintenance>>Device Settings and click the Time tab.
Page 303 If Auto is selected, the Vigor system will renew the time through WAN or LAN. Test Time Server Connection – Test if the time server works well. Server Status - Displays last update time status. More Settings - Click to open advanced settings for the time server. Auto Update Interval - Select the time interval (30min or ...
Page 304 III-1-1-2 Device Name Display the router name. Change the name if you want. Open System Maintenance>>Device Settings and click the Device Name tab. III-1-1-3 Syslog SysLog function is provided for users to monitor the router. Open System Maintenance>>Device Settings and click the Syslog tab. Available parameters are explained as follows: Item Description...
Page 305 and system information to Syslog. Syslog Servers +Add Click to display new entry boxes for creating a new Syslog server profile. The maximum number of Syslog servers to be added is "3". Server IP Enter the IP address of the Syslog Server. Port Enter the port number of the Syslog Server.
Page 306 Specific Manager Host (IPv4/IPv6) is available when IPv4/IPv6 is  selected as the IP Type. Click +Add to have a new entry. Enter the IPv4 address with subnet mask / IPv6 address with specified prefix length of hosts that are allowed to issue SNMP commands. If these fields are left blank, any IPv4/IPv6 LAN host is allowed to issue SNMP commands.
Page 307 Community send unsolicited messages to the SNMP console must pass the correct Trap Community string. The maximum length of the text is 23 characters. Trap Port Enter the port number used for the Trap server. Notification Select the type of the notification host. Host IP Both ...
Page 308 Management Services Enforce HTTPS Access Switch the toggle to enable/disable the feature of allowing system administrators to login Vigor router via HTTPS. LLDP Switch the toggle to enable/disable the LLDP service. Port Specify user-defined port numbers for the HTTP, HTTPS, SSH, Telnet and SNMP servers.
Page 309 III-1-2-2 TR-069 Vigor device supports the TR-069 standard for remote management of customer-premises equipment (CPE) through an Auto Configuration Server, such as VigorACS. Available settings are explained as follows: Item Description TR-069 Switch the toggle to enable or disable the function. ACS Server ACS Server On Choose the interface for connecting the router to the Auto...
Page 310 parameters at intervals specified in the Interval Time field. Time Interval - Set interval time or schedule time for the router to send notification to CPE. (1-65535) STUN Settings Mode - The default is Auto. If select Enabled, please enter the relational settings listed below: Server Address - Enter the IP address of the STUN server.
Page 311 III-1-3-1 Firmware Before firmware upgrade, please download the newest firmware from the DrayTeks website or FTP site first. The DrayTek website is www.draytek.com (or local DrayTeks website) and the FTP site is ftp.draytek.com. Open System Maintenance>> System Upgrade. The following web page will guide you to upgrade firmware by using an example.
Page 312 Wait for a while until the system finishes the rebooting.
Page 313 III-1-3-2 Country Object Database GeoIP database provides information for Classless Inter-Domain Routing (CIDR) and location. Vigor router adopts the geographical distribution based on the GeoIP database offered by MaxMind. If required, update the GeoIP database. Available settings are explained as follows: Item Description Upgrade Now...
Page 314 III-1-4 Backup & Restore This function can be used to backup/restore the Vigor router settings. Available settings are explained as follows: Item Description Configuration Backup Password Protection For the sake of security, the configuration file for the access point can be encrypted.
Page 315 III-1-5 Accounts & Permission This page allows you to modify your current administration account and password. It allows the network administrator to manage Internet access at the user level. III-1-5-1 Local Admin Account This page allows you to create up to five local admin account profiles. Available settings are explained as follows: Item Description...
Page 316 Delete Remove the selected account profile. To modify an existing profile, select the one and click the +Edit link to open the setting page. To add a new profile, click +Add. Available settings are explained as follows: Item Description Local Admin Account Account Display the name of the account.
Page 317 Authentication (MFA). Allowed MFA Method - Select to require TOTP, Email, SMS or mOTP authentication when logging in to Vigor router. TOTP – For the Time-based One-time Password (TOTP) mechanism, please make sure the time zone of your router is correct. Then, install Google Authenticator APP on your cell phone.
Page 318 III-1-5-2 Role & Permission This page allows the creation of up to five roles which can be applied to the local admin account. The default roles are Administrator, Guest and Users. To create a new role profile, click +Add. A new role will be added on to the page. Available settings are explained as follows: Item Description...
Page 319 Left Menu Path Lists all of the features that a role can have. The role of Administrator has the highest authority for accessing Vigor router. The role of Guest/Users has the lowest authority for accessing Vigor router. The permissions for user-defined roles are based on read-only or read-write access granted to each menu path (such as dashboard, configuration, device menu, etc.) individually..
Page 320 III-1-6 System Reboot The Web user interface may be used to restart your router. Open System Maintenance >> System Reboot to get the following page. Available settings are explained as follows: Item Description Reboot With Select one of the following options, and press the Reboot button to reboot the router.
Page 321 Chapter IV Others...
Page 322 IV-1 Monitoring IV-1-1 Clients List Clients List displays the configuration status of the wireless clients that connect to the Vigor router via Wi-Fi connection. Besides, this page offers a quick method to add the wireless client to any existing MAC Filtering Profile.
Page 323 Update Client List Update – Click to renew the client list based on the actual wireless connection. Clients Displays the SSID name, MAC address, and IP address of the wireless clients. Add to MAC Filtering – Select to make the wireless client join the MAC Filtering Profile set above.
Page 324 IV-1-2 Log Center IV-1-2-1 Log Center Log related to setting configuration and/or actions performed by this device can be stored on web Syslog. Click Refresh to reload this page with the most up-to-date information. Available settings are explained as follows: Item Description Enabled Web Syslog...
Page 325 IV-1-2-2 DDNS Log This page displays the log (time, profile name and content) related to Dynamic DNS actions performed by this device. Click Refresh to reload this page with the most up-to-date information.
Page 326 IV-1-3 Wireless Information For viewing the SSIDs used by 2.4GHz/5GHz or real time throughput for 2.4GHz/5GHz, open Monitoring>>Wireless Information for detailed. IV-1-3-1 Wireless Information This page shows general information (e.g., 2.4GHz/5GHz enabled or not, MAC address, SSID name and etc.) for wireless connection. Click Refresh to reload this page with the most up-to-date information.
Page 327 IV-1-3-3 Real Time Throughput 2.4G The real-time throughput (2.4G) can be shown with line graphs. Click Refresh to reload this page with the most up-to-date information. IV-1-3-4 Real Time Throughput 5G The real-time throughput (5G) can be shown with line graphs. Click Refresh to reload this page with the most up-to-date information.
Page 328 IV-1-4 WAN This page can display the WAN connection status, including the connection interface, MAC address, connection type, connection IP address, connection gateway, primary DNS and secondary DNS server addresses, online Time, and so on. IV-1-4-1 WAN Utilization This page displays the utilization, including upload, download, and percentage of data transmission for each WAN interface.
Page 329 IPv6 Select the IPv6 tab to get the WAN connection information (e.g., name, IPv6 address, connection type, gateway and the uptime). Click Refresh to reload this page with the most up-to-date information. IV-1-5 ARP Table The table shows the contents of the ARP (Address Resolution Protocol) cache held in the router and shows the mappings between Ethernet hardware addresses (MAC Addresses) and IP addresses.
Page 330 IV-1-6 Route Table IV-1-6-1 IPv4 Click Refresh to reload this page with the most up-to-date IPv4 routing information.
Page 331 IV-1-6-2 IPv6 Click Refresh to reload this page with the most up-to-date IPv6 routing information.
Page 332 IV-1-7 DHCP Table This page provides information on IP address assignments. This information is helpful in diagnosing network problems, such as IP address conflicts, etc. Click Refresh to reload this page with the most up-to-date information. IV-1-7-1 IPv4 DHCP Subnet This page shows the DHCP server status, IP range, IP pool, Used IP, and percentage of utilization for each LAN interface.
Page 333 IV-1-7-3 IPv6 Assignment This page shows the remaining time of the IPv6 DHCP lease of the device. IV-1-8 IPv6 TSPC Status IPv6 TSPC (Tunnel Setup Protocol Client) status page could help you diagnose issues with IPv6 connections that utilize TSP. If TSPC is configured properly, the router will display the following when the router has connected to the tunnel broker successfully.
Page 334 IV-1-10 LLDP Neighbors Information...
Page 335 IV-1-11 DNS Cache Table The router can function as a DNS server which allows LAN clients to look up DNS information by sending DNS requests to the router. The DNS information is temporarily cached on the router and can be viewed on this page. IV-1-11-1 IPv4 Click Refresh to reload the most up-to-date information of the IPv4 DNS cache data.
Page 336 IV-1-12 LTE Status IV-1-13 Remote DSL Status IV-1-14 PPPoE Pass-Through The router offers PPPoE dial-up connection. Besides, you also can establish the PPPoE connection directly from local clients to your ISP via the Vigor router. When PPPoA protocol is selected, the PPPoE package transmitted by PC will be transformed into PPPoA package and sent to WAN server.
Page 337 IV-1-15 Session Table This screen shows the 200 newest entries in the NAT sessions table. Click Refresh to reload this page with the most up-to-date information.
Page 338 IV-2 Utility This section contains utilities (e.g., ping tool, traceroute, DNS and etc.) that can assist you in analyzing issues and failures during the setup and operation of the router. IV-2-1 Network Tools IV-2-1-1 Ping Tool The user can perform the ping job for specified IP (host) to diagnose if the data transmission via the Vigor system is well or not.
Page 339 IV-2-1-2 Traceroute The user can perform the traceroute job for specified IP (host) to diagnose if the data transmission via the Vigor system is well or not. Available settings are explained as follows: Item Description IP Version Select the IP version for entering correct IP address. Trace Through Trace through specific interface.
Page 340 IV-2-1-3 DNS The user can diagnose the router by query Domain Name System (DNS) servers to obtain domain name or IP address information. Available settings are explained as follows: Item Description Method Select a tool to query Domain Name System (DNS) servers to obtain domain name or IP address information.
Page 341 IV-2-2 Web CLI It is not necessary to use the telnet command via DOS prompt. The changes made by using web console have the same effects as modified through web user interface. The functions/settings modified under Web Console also can be reviewed on the web user interface. Click the Web Console icon on the top of the main screen to open the following screen.
Page 342 This page is left blank.
Page 343 Chapter V Troubleshooting...
Page 344 V-1 Checking the Hardware Status Follow the steps below to verify the hardware status. Check the power line and cable connections. Refer to “I-2 Hardware Installation” for details. Power on the modem. Make sure the POWER LED, ACT LED and LAN LED are bright. If not, it means that there is something wrong with the hardware status.
Page 345 Note: The example is based on Windows 7 (Professional Edition). As to the examples for other operation systems, please refer to the similar steps or find support notes in www.draytek.com. Open All Programs>>Getting Started>>Control Panel. Click Network and Sharing Center.
Page 346 Icons of the network connection will be shown on the window. Right-click on Local Area Connection and click on Properties. Select Internet Protocol Version 4 (TCP/IP) and then click Properties. Select Obtain an IP address automatically and Obtain DNS server address automatically.
Page 347 V-2-2 For Mac Os Double click on the current used Mac Os on the desktop. Open the Application folder and get into Network. On the Network screen, select Using DHCP from the drop-down list of Configure IPv4.
Page 348 V-3 Pinging the Device The default gateway IP address of the modem is 192.168.1.1. For some reason, you might need to use “ping” command to check the link status of the modem. The most important thing is that the computer will receive a reply from 192.168.1.1. If not, please check the IP address of your computer.
Page 350 V-4 Backing to Factory Default Setting Sometimes, a wrong connection can be improved by returning to the default settings. Try to reset the modem by software or hardware.  Warning: After using the factory default settings, you will lose all settings you did before. Make sure you have recorded all useful settings before you pressing.
Page 351 V-4-2 Hardware Reset While the modem is running, press the Factory Reset button and hold for more than 5 seconds. When you see the ACT LED blinks rapidly, please release the button. Then, the modem will restart with the default configuration. After restore the factory default setting, you can configure the settings for the modem again to fit your personal request.
Page 352 V-5 Contacting DrayTek If the modem still cannot work correctly after trying many efforts, please contact your dealer for further help right away. For any questions, please feel free to send an e-mail to support@draytek.com.

This manual is also suitable for:

Vigor c510 series Vigor c410ax Vigor c510ax

Draytek Vigor C410 Series User Manual

Quick Links

Need help?

Questions and answers

Subscribe to Our Youtube Channel

Related Manuals for Draytek Vigor C410 Series

Summary of Contents for Draytek Vigor C410 Series

This manual is also suitable for: