Draytek Vigor2950 Series User Manual
Vigor2950
Security VPN Router
User's Guide
Version: 2.0
Date: 2006/10/03
Copyright 2006 All rights reserved.
This publication contains information that is protected by copyright. No part may be reproduced, transmitted,
transcribed, stored in a retrieval system, or translated into any language without written permission from the copyright
holders. The scope of delivery and other details are subject to change without prior notice.
Microsoft is a registered trademark of Microsoft Corp.
Windows, Windows 95, 98, Me, NT, 2000, XP and Explorer are trademarks of Microsoft Corp.
Apple and Mac OS are registered trademarks of Apple Computer Inc.
Other products may be trademarks or registered trademarks of their respective manufacturers.

Summary of Contents for Draytek Vigor2950 Series

  • Page 1 Vigor2950 Security VPN Router User’s Guide Version: 2.0 Date: 2006/10/03 Copyright 2006 All rights reserved. This publication contains information that is protected by copyright. No part may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language without written permission from the copyright holders.
  • Page 2: Table Of Contents

    Preface (p. 1)
    1.1 Web Configuration Buttons Explanation (p. 1)
    1.2 LED Indicators and Connectors (p. 1)
    1.2.1 For Vigor2950 (p. 2)
    1.2.2 For Vigor2950G (p. 3)
    1.2.3 For Vigor2950i (p. 4)
    1.2.4 For Vigor2950Gi (p. 5)
    1.3 Hardware Installation (p. 6)
    Configuring Basic Settings (p. 7)...
  • Page 3
    3.4.5 URL Content Filter (p. 57)
    3.4.6 Web Content Filter (p. 60)
    3.5 Objects Settings (p. 60)
    3.5.1 IP Object (p. 61)
    3.5.2 IP Group (p. 62)
    3.5.3 Service Type Object (p. 64)
    3.5.4 Service Type Group (p. 65)
    3.5.5 CSM Profile (p. 66)
    3.6 Bandwidth Management ...
  • Page 4
    3.13.1 System Status (p. 134)
    3.13.2 Administrator Password (p. 135)
    3.13.3 Configuration Backup (p. 135)
    3.13.4 Syslog/Mail Alert (p. 137)
    3.13.5 Time and Date (p. 139)
    3.13.6 Management (p. 140)
    3.13.7 Reboot System (p. 141)
    3.13.8 Firmware Upgrade (p. 142)
    3.14 Diagnostics (p. 143)
    3.14.1 Dial-out Trigger ...
  • Page 5: Preface

    The Vigor2950 series router provides a Dual-WAN interface (which is a configurable second WAN) for Internet access to make the Internet connection more reliable. The wireless LAN supports more secure features and the transmission speed is up to 108Mbps (SuperG). The object-oriented firewall is flexible and keeps your network safe. In addition, through the VoIP function, the communication fee for you and remote people can be reduced.
  • Page 6: For Vigor2950

    WAN(1/2) Connector for remote networked devices. LAN/Monitor Connector for local networked devices. LAN (1-4) Connector for local networked devices. Connector for a power cord with 100-240VAC (inlet). Power Switch. “1” is ON; “0” is OFF. Vigor2950 Series User’s Guide...
  • Page 7: For Vigor2950G

    WAN(1/2) Connector for remote networked devices. LAN/Monitor Connector for local networked devices. LAN (1-4) Connector for local networked devices. Connector for a power cord with 100-240VAC (inlet). Power Switch. “1” is ON; “0” is OFF.
  • Page 8: For Vigor2950I

    WAN(1/2) Connector for remote networked devices. LAN/Monitor Connector for local networked devices. LAN (1-4) Connector for local networked devices. Connector for a power cord with 100-240VAC (inlet). Power Switch. “1” is ON; “0” is OFF.
  • Page 9: For Vigor2950Gi

    WAN(1/2) Connector for remote networked devices. LAN/Monitor Connector for local networked devices. LAN (1-4) Connector for local networked devices. Connector for a power cord with 100-240VAC (inlet). Power Switch. “1” is ON; “0” is OFF.
  • Page 10: Hardware Installation

    WAN port of router with Ethernet cable (RJ-45). The WAN1/WAN2 LED (Left or Right) will light up according to the network card feature (100 or 10) of the connected device. (For detailed information on LED status, please refer to section 1.1.)
  • Page 11: Configuring Basic Settings

    Please type the default values (both username and password are Null) in the window when accessing for the first time and click OK for the next screen. Now, the Main Screen will pop up.
  • Page 12 New Password and retype it on the field of Retype New Password. Then click OK to continue. Now, the password has been changed. Next time, use the new password to access the Web Configurator for this router.
  • Page 13: Quick Start Wizard

    On the next page as shown below, please select the appropriate Internet access type according to the information from your ISP. For example, you should select PPPoE mode if the ISP provides you with a PPPoE interface. Then click Next for the next step.
  • Page 14: Pppoe

    User Name Assign a specific valid user name provided by the ISP. Password Assign a valid password provided by the ISP. Retype Password Retype the password. Click Next for viewing summary of such connection.
  • Page 15 Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown.
  • Page 16: Pptp

    Click PPTP as the protocol. Type in all the information that your ISP provides for this protocol. Click Next for viewing summary of such connection. Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown.
  • Page 17: Static Ip

    After finishing the settings in this page, click Next to see the following page. Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown.
  • Page 18: Dhcp

    After finishing the settings in this page, click Next to see the following page. Click Finish. A page of Quick Start Wizard Setup OK!!! will appear. Then, the system status of this protocol will be shown.
  • Page 19: Online Status

    If you select PPPoE/PPTP as the protocol, you will find a link of Dial PPPoE/PPPoA or Drop PPPoE/PPPoA in the Online Status web page. Online status for PPPoE Online status for PPTP (for WAN2) Online status for Static IP (for WAN1)
  • Page 20 Displays the total number of received packets at the ISDN interface. RX Rate Displays the speed of received octets at the ISDN interface. Up Time Displays the total uptime of the interface. Displays the charge information of the interface.
  • Page 21: Saving Configuration

    Each time you click OK on the web page for saving the configuration, you can find messages showing the system interaction with you. Ready indicates the system is ready for you to input settings. Settings Saved means your settings are saved once you click Finish or OK button.
  • Page 22 This page is left blank.
  • Page 23: Advanced Web Configuration

    Then a session will be created. Your user ID and password are authenticated via PAP or CHAP with a RADIUS authentication system. Your IP address, DNS server, and other related information will usually be assigned by your ISP.
  • Page 24: General Setup

    Type the description for the WAN1/WAN2 interface. Physical Mode For WAN1, the physical connection is done through ADSL port; yet the physical connection for WAN2 is done through an Ethernet port (P1). You cannot change it.
  • Page 25 15 seconds. WAN1 Download speed exceed XX kbps – It means the connection for WAN2 will be activated when WAN1 Download speed exceeds a certain value that you set in this box for 15 seconds.
  • Page 26: Internet Access

    There are three access modes provided for PPPoE, Static or Dynamic IP and PPTP. Details Page This button will open a different web page according to the access mode that you choose in WAN1 or WAN2.
  • Page 27 IP Address Assignment Method (IPCP) Usually the ISP dynamically assigns an IP address to you each time you connect to it and request. In some cases, your ISP provides service to always assign you the same IP address whenever
  • Page 28 To use Static or Dynamic IP as the accessing protocol of the internet, please choose Internet Access from WAN menu. Then, select Static or Dynamic IP mode for WAN2. The following web page will be shown.
  • Page 29 WAN interface, please use WAN IP Alias. You can set up to 8 public IP addresses other than the current one you are using. Notice that this setting is available for
  • Page 30 MAC Address field. DNS Server IP Address Type in the primary IP address for the router if you want to use Static IP mode. If necessary, type in secondary IP address for necessity in the future.
  • Page 31 In this case, you can fill in this IP address in the Fixed IP field. Please contact your ISP before you want to use this function. Click Yes to use this function and type in a fixed IP address in the box.
  • Page 32: Load-Balance Policy

    WAN2 interface. The user can assign a traffic category and force it to go to a dedicated network interface based on the following web page setup. Twenty policies of load-balance are supported by this router. Note: Load-Balance Policy is running only when both WAN1 and WAN2 are activated.
  • Page 33 Displays the IP address for the start of the destination port. Dest Port End Displays the IP address for the end of the destination port. Click Index 1 to access into the following page for configuring load-balance policy.
  • Page 34 Type the destination port start for the destination IP. Dest Port End Type the destination port end for the destination IP. If this field is blank, it means that all the destination ports will be passed through the WAN interface.
  • Page 35: Lan

    IP address. As a part of the public subnet, the Vigor router will serve for IP routing to help hosts in the public subnet to communicate with other public hosts or servers outside. Therefore, the router should be set as the gateway for public hosts.
  • Page 36 You can group local hosts by physical ports and create up to 4 virtual LANs. To manage the communication between different groups, please set up rules in Virtual LAN (VLAN) function and the rate of each.
  • Page 37: General Setup

    Type in secondary IP address for connecting to a subnet. (Default: 192.168.2.1/ 24) Subnet Mask An address code that determines the size of the network. (Default: 255.255.255.0/ 24) DHCP Server You can configure the router to serve as a DHCP server for the 2nd subnet.
  • Page 38 DHCP server to assign IP addresses to. The default is 50 and the maximum is 253. Gateway IP Address - Enter a value of the gateway IP address for the DHCP server. The value is usually the same as the 1st IP address
  • Page 39: Static Route

    There are two common scenarios of LAN settings that are stated in Chapter 4. For the configuration examples, please refer to that chapter to get more information for your necessity. Go to LAN to open setting page and choose Static Route.
  • Page 40 Before setting Static Route, user A cannot talk to user B for Router A can only forward recognized packets to its default gateway Main Router. Go to LAN page and click General Setup, select 1st Subnet as the RIP Protocol Control. Then click the OK button.
  • Page 41 Return to Static Route Setup page. Click on another Index Number to add another static route as shown below, which regulates all packets destined to 211.100.88.0 will be forwarded to 192.168.1.3. Go to Diagnostics and choose Routing Table to verify current routing table.
  • Page 42: Bind Ip To Mac

    It is used to refresh the ARP table. When there is one new PC added to the LAN, you can click this link to obtain the new ARP table information. IP Bind List It displays a list for the IP bind to MAC information.
  • Page 43: Nat

    192.168.1.0/24 subnet for the router. As stated before, the NAT facility can map one or more IP addresses and/or service ports into different specified services. In other words, the NAT function can be achieved by using port mapping methods. Below shows the menu items for NAT.
  • Page 44: Port Redirection

    The port redirection can only apply to incoming traffic. To use this function, please go to NAT page and choose Port Redirection web page. The Port Redirection Table provides 10 port-mapping entries for the internal hosts.
  • Page 45 80 to avoid conflict, such as 8080. This can be set in the System Maintenance >>Management Setup. You then will access the admin screen of by suffixing the IP address with 8080, e.g., http://192.168.1.1:8080 instead of port 80.
  • Page 46: Dmz Host

    We suggest that you add additional filter rules or a secondary firewall. Click DMZ Host to open the following page: If you previously have set up WAN Alias in Internet Access>>PPPoE/PPPoA or Internet Access>>MPoA, you will find them in Aux. WAN IP list for your selection.
  • Page 47 DMZ host. When you have selected one private IP from the above dialog, the IP address will be shown on the following screen. Click OK to save the setting.
  • Page 48: Open Ports

    Inactive or Active state. To add or edit port settings, click one index number on the page. The index entry setup page will pop up. In each index entry, you can specify 10 port ranges for diverse services.
  • Page 49 Specify the transport layer protocol. It could be TCP, UDP, or ----- (none) for selection. Start Port Specify the starting port number of the service offered by the local host. End Port Specify the ending port number of the service offered by the local host.
  • Page 50: Firewall

    The users on the LAN are provided with secured protection by the following firewall facilities: User-configurable IP filter (Call Filter/Data Filter); Stateful Packet Inspection (SPI), which tracks packets and denies unsolicited incoming data; selectable Denial of Service (DoS)/Distributed DoS (DDoS) attack protection; URL Content Filter.
  • Page 51 The stateful firewall of the Vigor router not only examines the header information but also monitors the state of the connection.
  • Page 52 For example, an ActiveX control object is usually used for providing interactive web feature. If malicious code hides inside, it may occupy user’s system.
  • Page 53: General Setup

    So here you assign the Start Filter Set only. Also you can configure the Log Flag settings, Apply IP filter to VPN incoming packets, and Accept incoming fragmented UDP packets. Click Firewall and click General Setup to open the general setup page.
  • Page 54: Filter Setup

    Select Pass or Block for the packets that do not match with the filter rules. For troubleshooting needs you can specify the filter log and/or CSM log here by checking the box. The log will be displayed on Draytek Syslog window. Content Security Select a CSM profile for global IM/P2P application blocking.
  • Page 55 Data Filter only. For the Call Filter, this setting is not available since Call Filter is only applied to outgoing traffic. Source/Destination IP Click Edit to access into the following dialog to choose the source/destination IP or IP ranges.
  • Page 56 To set the service type manually, please choose User defined as the Service Type and type them in this dialog. In addition, if you want to use the service type from defined groups or objects, please
  • Page 57 For troubleshooting needs you can specify the filter log and/or CSM log here. Check the corresponding box to enable the log function. Then, the filter log and/or CSM log will be shown on Draytek Syslog window.
  • Page 58 Each filter set is composed of 7 filter rules, which can be further defined. After that, in General Setup you may specify one set for call filter and one set for data filter to execute first.
  • Page 59: Dos Defense

    Port Scan detection Port Scan attacks the Vigor router by sending lots of packets to many ports in an attempt to find ignorant services that would respond. Check the box to activate the Port Scan detection. Whenever detecting this malicious exploration behavior by monitoring the
  • Page 60 ICMP packets with more fragment bit set are dropped. Block Land Check the box to make the Vigor router defend against Land attacks. The Land attack combines the SYN attack technology with IP spoofing. A Land attack occurs when an attacker sends spoofed
  • Page 61: Url Content Filter

    Based on the list of user-defined keywords, the URL Content Filter facility in the Vigor router inspects the URL string in every outgoing HTTP request. Whether the URL string fully or partially matches a keyword, the Vigor router will block the associated HTTP connection.
  • Page 62 It should be noted that the simpler the blocking keyword list, the more efficiently the Vigor router performs. Prevent web access Check the box to deny any web surfing activity using IP address,
  • Page 63 URL Access Control. To enable an entry, click on the empty checkbox, named as ACT, in front of the appropriate entry. Time Schedule Specify what time should perform the URL content filtering facility.
  • Page 64: Web Content Filter

    Later, we can select that object/group that can apply it. For example, all the IPs in the same department can be defined with an IP object (a range of IP address).
  • Page 65: Ip Object

    IP addresses specified with LAN interface will be opened for you to choose in Edit Filter Rule page. Address Type Determine the address type for the IP address. Select Single Address if this object contains one IP address
  • Page 66: Ip Group

    Below is an example of IP objects settings. This page allows you to bind several IP objects into one IP group. Set to Factory Default Clear all profiles. Click the number under Index column for settings in detail.
  • Page 67 Available IP Objects All the available IP objects with the specified interface chosen above will be shown in this box. Selected IP Objects Click >> button to add the selected IP objects in this box.
  • Page 68: Service Type Object

    The filter rule will filter out any port number. (=) – when the first and last value are the same, it indicates one port; when the first and last values are different, it indicates a range for the port and available for this profile.
  • Page 69: Service Type Group

    Below is an example of service type objects settings. This page allows you to bind several service types into one group. Set to Factory Default Clear all profiles. Click the number under Index column for settings in detail.
  • Page 70: Csm Profile

    You can define policy profiles for different policy of IM (Instant Messenger)/P2P (Peer to Peer) application. CSM profile can be used in Filter Setup page. Set to Factory Default Clear all profiles. Click the number under Index column for settings in detail.
  • Page 71: Bandwidth Management

    To solve the problem, you can use limit session to limit the session procession for specified Hosts. In the Bandwidth Management menu, click Sessions Limit to open the web page.
  • Page 72 You can type in four sets of time schedule for your request. Setup All the schedules can be set previously in Application – Schedule web page and you can use the number that you have set in that web page.
  • Page 73: Bandwidth Limit

    Define the limitation for the speed of the downstream. If you do not set the limit in this field, the system will use the default speed for the specific limitation you set for each index. Add the specific speed limitation onto the list above.
  • Page 74: Quality Of Service

    The core routers in the backbone will do the same checking before executing treatments in order to ensure service-level consistency throughout the whole QoS-enabled network.
  • Page 75 There are four queues allowed for QoS control. The first three (Class 1 to Class 3) class rules can be adjusted for your necessity. Yet, the last one is reserved for the packets which are not suitable for the user-defined class rules.
  • Page 76 This is a protection of TCP application traffic since UDP application traffic such as streaming video will exhaust lots of bandwidth. Limited_bandwidth Ratio The ratio typed here is reserved for limited bandwidth of UDP application.
  • Page 77 Edit link of that one. After you click the Edit link, you will see the following page. Now you can define the name for that Class. In this case, “Test” is used as the name of Class Index #1.
  • Page 78 By the way, you can set up to 20 rules for one Class. If you want to edit an existing rule, please select the radio button of that one and click Edit to open the rule edit page for modification.
  • Page 79 To add a new service type, edit or delete an existing service type, please click the Edit link under Service Type field. After you click the Edit link, you will see the following page. For adding a new service type, click Add to open the following page.
  • Page 80 Range as the type. By the way, you can set up to 40 service types. If you want to edit/delete an existing service type, please select the radio button of that one and click Edit/Edit for modification.
  • Page 81: Applications

    Enable Dynamic DNS Setup Check this box to enable DDNS function. Index Click the number below Index to access into the setting page of DDNS setup to set account(s). WAN Interface Display current WAN interface used for accessing Internet.
  • Page 82 Disable the Function and Clear all Dynamic DNS Accounts In the DDNS setup menu, uncheck Enable Dynamic DNS Setup, and push Clear All button to disable the function and clear all accounts from the router. Delete a Dynamic DNS Account
  • Page 83: Schedule

    You can set up to 15 schedules. Then you can apply them to your Internet Access or VPN and Remote Access >> LAN-to-LAN settings. To add a schedule, please click any index, say Index No. 1. The detailed settings of the call schedule with index 1 are shown below.
  • Page 84 (Force Down). Office Hour: (Force On) Mon - Sun 9:00 am 6:00 pm Make sure the PPPoE connection and Time Setup is working properly. Configure the PPPoE always on from 9:00 to 18:00 for whole week.
  • Page 85: Radius

    The RADIUS server and client share a secret that is used to authenticate the messages sent between them. Both sides must be configured to use the same shared secret. Re-type Shared Secret Re-type the Shared Secret for confirmation.
  • Page 86: Upnp

    NAT router. The application will also learn the external IP address and configure port mappings on the router. Subsequently, such a facility forwards packets from the external ports of the router to the internal ports used by the application.
  • Page 87: Wake On Lan

    PC on this web page of Wake On LAN of this router. In addition, such PC must have installed a network card supporting WOL function. By the way, WOL function must be set as “Enable” on the BIOS setting.
  • Page 88 MAC Address Type any one of the MAC addresses of the bound PCs. Wake Up Click this button to wake up the selected IP. See the following figure. The result will be shown on the box.
  • Page 89: Vpn And Remote Access

    NAT settings, such as DMZ or open port. The Vigor router will not accept the ISDN dial-in connection if the box of Enable ISDN Dial-in is not checked. This submenu only applies to PPP-related VPN connections, such as PPTP, L2TP, L2TP over IPSec.
  • Page 90 For example, if the local private network is 192.168.1.0/255.255.255.0, you could choose 192.168.1.200 as the Start IP Address. But, you have to notice that the first two IP addresses of 192.168.1.200 and 192.168.1.201 are reserved for ISDN remote dial-in user.
  • Page 91: Ipsec General Setup

    Pre-Shared Key - Specify a key for IKE authentication. Re-type Pre-Shared Key - Confirm the pre-shared key. IPSec Security Method Medium - Authentication Header (AH) means data will be authenticated, but not be encrypted. By default, this option is
  • Page 92: Ipsec Peer Identity

    Click each index to edit one peer digital certificate. There are three security levels of digital signature authentication: Fill each necessary field to authenticate the remote peer. The following explanation will guide you to fill all the necessary fields.
  • Page 93 Click to check the specific fields of digital signature to accept the peer with matching value. The field includes Country (C), State (ST), Location (L), Organization (O), Organization Unit (OU), Common Name (CN), and Email (E).
  • Page 94: Remote Dial-In User

    Click each index to edit one remote user profile. Each Dial-In Type requires you to fill the different corresponding fields on the right. If the fields gray out, it means you may leave it untouched. The following explanation will guide you to fill all the necessary fields.
  • Page 95 L2TP connection. Specify Remote Node Check the checkbox - You can specify the IP address of the remote dial-in user, ISDN number or peer ID (used in IKE aggressive mode). Uncheck the checkbox - This means the connection type you
  • Page 96 Once the callback budget has been exhausted, the callback mechanism will be disabled automatically. Callback Budget (Unit: minutes) - Specify the time budget for the dial-in user. The budget will be decreased automatically per callback connection.
  • Page 97: Lan To Lan

    4 subgroups. If the fields gray out, it means you may leave it untouched. The following explanations will guide you to fill all the necessary fields. Because the web page is too long, we divide the page into several sections for explanation.
  • Page 98 VPN connection. Call Direction Specify the allowed call direction of this LAN-to-LAN profile. Both - initiator/responder. Dial-Out - initiator only. Dial-In - responder only. Always On or Idle Timeout Always On - Check to enable the router to always keep the VPN connection.
  • Page 99 This field is applicable when you select ISDN, PPTP or L2TP with or without IPSec policy above. PPP Authentication This field is applicable when you select ISDN, PPTP or L2TP with or without IPSec policy above. PAP/CHAP is the most common selection due to wide compatibility.
  • Page 100 Main mode is more secure than Aggressive mode since more exchanges are done in a secure channel to set up the IPSec session. However, the Aggressive mode is faster. The default value in Vigor router is Main mode.
  • Page 101 Vigor router to callback, the local ISDN number will be provided to the remote peer. Check here to allow the Vigor router to send the ISDN number to the remote router. This feature is useful for i model only.
  • Page 102 VPN Gateway peer ID (should be the same with the ID setting in dial-in type) by checking the box. Enter Peer ISDN number if you select ISDN above (This feature is useful for i model only.).
  • Page 103 My WAN IP This field is only applicable when you select ISDN, PPTP or L2TP with or without IPSec policy above. The default value is 0.0.0.0, which means the Vigor router will get a PPP IP
  • Page 104 Check this box to change the default route with this VPN tunnel. Be aware that this setting is available only when one WAN interface is enabled. It is not available when both WAN interfaces are enabled.
  • Page 105: Connection Management

    Tool and clicking Dial button. Dial Click this button to execute dial out function. Refresh Seconds Choose the time for refreshing the dial information among 5, 10, and 30. Refresh Click this button to refresh the whole connection status.
  • Page 106: Certificate Management

    Remember to adjust the time of Vigor router before using the certificate so that you can get the correct valid period of certificate. Below shows the menu items for Certificate Management. Generate Click this button to open Generate Certificate Request window.
  • Page 107 Refresh Click this button to refresh the information listed below. View Click this button to view the detailed settings for certificate request. After clicking Generate, the generated information will be displayed on the window below:
  • Page 108: Trusted Ca Certificate

    For viewing each trusted CA certificate, click View to open the certificate detail information window. If you want to delete a CA certificate, choose the one and click Delete to remove all the certificate information.
  • Page 109: Certificate Backup

    Also, you can use Restore to retrieve these two settings to the router whenever you want. ISDN means integrated services digital network that is an international communications standard for sending voice, video, and data over digital telephone lines or normal telephone wires. Below shows the menu items for ISDN. Vigor2950 Series User’s Guide...
  • Page 110: General Settings

    50, 17 and 67 on the fields of 1,2 and 3 one by one without typing 12345. Blocked MSN Numbers for Enter the specified MSN number into the fields to prevent the router from dialing the specific MSN number the router Vigor2950 Series User’s Guide...
  • Page 111: Dial To Single/Dual ISPs

    Idle Timeout - Idle timeout means the router will disconnect after being idle for a preset amount of time. The default is 180 seconds. If you set the time to 0, the ISDN connection to the ISP will always remain on.
  • Page 112 Idle Timeout - Idle timeout means the router will disconnect after being idle for a preset amount of time. The default is 180 seconds. If you set the time to 0, the ISDN connection to the ISP will always remain on.
  • Page 113 ISP Name - Enter your ISP name. Dial Number - Enter the ISDN access number provided by your ISP. Username - Enter the username provided by your ISP. Password - Enter the password provided by your ISP. IP Address Assignment
  • Page 114: Virtual TA

    Before describing the configuration of Virtual TA in the Vigor routers, please heed the following limitations. The Virtual TA client only supports Microsoft Windows 98/SE/2000/XP platforms. The Virtual TA client only supports the CAPI 2.0 protocol and has no built-in FAX engine.
  • Page 115 RED, it means the client has lost the connection to the server. In this case, please check the physical Ethernet connection. Since the Virtual TA application is a client/server network model, you must configure it on both ends to run your Virtual TA application properly.
  • Page 116 MSN number. When an incoming call arrives, the server will inform the appropriate client. The following example describes the configuration of the MSN number. Suppose that you could assign the MSN number 123 to the client “alan”.
  • Page 117: Call Control

    Note that Dialing to a Single ISP should be pre-configured properly. Basic Setup Link Type - Because ISDN has two B channels (64 Kbps per channel), you can specify whether you would like to have
  • Page 118 Low Water Mark and these two channels are being used over the High Water Time, the additional channel will be dropped. As a result, the total link speed will be 64kbps (one B channel).
  • Page 119: Wireless LAN

    Complete Security Standard Selection: To ensure the security and privacy of your wireless communication, we provide several prevailing standards on the market.
  • Page 120 No matter which security suite you select, they all will enhance the over-the-air data protection and/or privacy on your wireless network. The Vigor wireless router is very flexible and can support multiple secure connections with both WEP and WPA at the same time.
  • Page 121 MAC addresses to isolate users’ access from wired LAN. Manage Wireless Stations - Station List will display all the stations in your wireless network and the status of their connection. The menu items for Wireless LAN are shown below.
  • Page 122: General Setup

    It is the identification of the wireless LAN. SSID can be any text numbers or various special characters. Channel The channel of frequency of the wireless LAN. The default channel is 6. You may switch channel if the
  • Page 123 56 bit sync field instead of long preamble with 128 bit sync field. However, some original 11b wireless network devices only support long preamble. Check it to use Long Preamble if needed to communicate with this kind of device.
  • Page 124: Security

    PSK. Remember to select WPA type to define either Mixed or WPA2 only in the field below. WPA/802.1x Only - Accept WPA clients with 802.1x authentication. Remember to select WPA type to define
  • Page 125 Four keys can be entered here, but only one key can be selected at a time. The keys can be entered in ASCII or Hexadecimal. Check the key you wish to use.
  • Page 126: Access Control

    Add a new MAC address into the list. Remove Delete the selected MAC address in the list. Edit Edit the selected MAC address in the list. Cancel Give up the access control set up. Click it to save the access control list.
  • Page 127: WDS

    AP can be repeated to another peer AP through WDS links. Yet in Bridge mode, packets received from a WDS link will only be forwarded to local wired or wireless hosts. In other words, only Repeater mode can do WDS-to-WDS packet forwarding.
  • Page 128 Click WDS from Wireless LAN menu. The following page will be shown. Mode Choose the mode for WDS setting. Disable mode will not invoke any WDS setting. Bridge mode is designed to fulfill the first type of application. Repeater mode is for the second one.
  • Page 129: AP Discovery

    This page is used to scan the existence of the APs on the wireless LAN. Yet, only the AP which is in the same channel of this router can be found. Please click Scan to discover all the connected APs.
  • Page 130: Station List

    There is a code summary below for explanation. For convenient Access Control, you can select a WLAN station and click Add to Access Control below. Refresh Click this button to refresh the status of station list. Click this button to add the currently selected MAC address into Access Control.
  • Page 131: Station Rate Control

    The VLAN >> Wired VLAN allows you to configure VLAN settings through wired connection to achieve the above intention. Simply check P1 and P2 boxes on the line of VLAN0; and check P3 and P4 boxes on the line of VLAN1.
  • Page 132: Wireless VLAN

    PCs under the same groups can use the same Login ID and password to access the Internet. For example, see the following graphic. Both A and B use the same login ID (City) and password (1234). Therefore, they are grouped in the same W_VLAN.
  • Page 133 Check this box to invoke wireless VLAN function. Login ID Type Login ID for different groups of W_VLAN with 1 to 11 characters. Password Type password for different groups of W_VLAN with 1 to 11 characters.
  • Page 134 After finishing the configuration of wireless VLAN, the wireless clients connecting to this router must do the following steps to access the Internet. 1. Open a browser and type http://www.draytek.vlan/login.htm or http://(vigor router’s IP address)/login.htm on the address line. 2. The following screen will appear.
  • Page 135 4. When the access is successful, the following screen will appear. Note: The floating window with connection time will be shown on the screen until you log out. 5. You can go to Diagnostics>>Wireless VLAN Online Station for viewing the connection status whenever you want.
  • Page 136: VLAN Cross Setup

    Wireless VLAN and wired VLAN. To achieve the intention of the above illustration, simply check the box under VLAN0 on the line of W_VLAN0. Enable Check this box to invoke VLAN Cross Setup function.
  • Page 137: Wireless Rate Control

    20,000kbps. Adjust the values according to your needs. Download Rate It decides the rate of data transmission for input. The default setting is 300. The range must be between 100 kbps and 20,000 kbps. Adjust the values according to your needs.
  • Page 138: System Maintenance

    Display the IP address of the LAN interface. Subnet Mask Display the subnet mask address of the LAN interface. DHCP Server Display the current status of DHCP server of the LAN interface. MAC Address Display the MAC address of the WAN Interface.
  • Page 139: Administrator Password

    When you click OK, the login window will appear. Please use the new password to access the web configurator again. Follow the steps below to back up your configuration. Go to System Maintenance >> Configuration Backup. The following windows will pop up, as shown below.
  • Page 140 The above example uses the Windows platform. Mac or Linux platforms will show different windows, but the backup function is still available. Note: Certificate backup must be done independently. The Configuration Backup does not include certificate information.
  • Page 141: Syslog/Mail Alert

    Assign a mail address for sending mails out. Return-Path Assign a path for receiving the mail from outside. Authentication Check this box to activate this function while using e-mail application. User Name Type the user name for authentication.
  • Page 142 From the Syslog screen, select the router you want to monitor. Be reminded that in Network Information, select the network adapter used to connect to the router. Otherwise, you won’t succeed in retrieving information from the router.
  • Page 143: Time And Date

    Type the IP address of the time server. Time Zone Select the time zone where the router is located. Automatically Update Interval Select a time interval for updating from the NTP server. Click OK to save these settings.
  • Page 144: Management

    Check to specify user-defined port numbers for the Telnet and HTTP servers. Enable SNMP Agent Check it to enable this function. Get Community Set the name for getting community by typing a proper character. The default setting is public.
  • Page 145: Reboot System

    Note: When the system pops up Reboot System web page after you configure web settings, please click OK to reboot your router for ensuring normal operation and preventing unexpected errors of the router in the future.
  • Page 146: Firmware Upgrade

    Note that this example is running over Windows OS (Operating System). Download the newest firmware from DrayTek's web site or FTP site. The DrayTek web site is www.draytek.com (or local DrayTek's web site) and FTP site is ftp.draytek.com.
  • Page 147: Diagnostics

    (e.g., ISDN, PPPoE, PPPoA, etc) is triggered by a packet sent from the source IP address. Decoded Format It shows the source IP address (local), destination IP (remote) address, the protocol and length of the packet. Refresh Click it to reload the page.
  • Page 148: Routing Table

    Resolution Protocol) cache held in the router. The table shows a mapping between an Ethernet hardware address (MAC Address) and an IP address. Refresh Click it to reload the page. Clear Click it to clear the whole table.
  • Page 149: DHCP Table

    It displays the host ID name of the specified PC. Refresh Click it to reload the page. Click Diagnostics and click NAT Sessions Table to open the setup page. Private IP:Port It indicates the source IP address and port of local PC.
  • Page 150: Wireless VLAN Online Station Table

    IP address, MAC address and Login ID information for all the Wireless VLAN stations. IP Address Display the IP address of the wireless station. MAC Address Display the MAC address of the wireless station. Login ID Display the login ID that the wireless station belongs to.
  • Page 151: Data Flow Monitor

    Use the drop down list to choose the order of data arranging. Refresh Seconds Use the drop down list to choose the time interval of refreshing data flow that will be done by the system automatically.
  • Page 152: Traffic Graph

    The horizontal axis represents time. Yet the vertical axis has different meanings. For WAN1/WAN2 Bandwidth chart, the numbers displayed on vertical axis represent the numbers of the transmitted and received packets in the past.
  • Page 153: Ping Diagnosis

    Type in the IP address of the Host/IP that you want to ping. Click this button to start the ping work. The result will be displayed on the screen. Clear Click this link to remove the result on the window.
  • Page 154: Trace Route

    Unspecified to be determined by the router automatically. Host/IP Address It indicates the IP address of the host. Click this button to start route tracing work. Clear Click this link to remove the result on the window.
  • Page 155: Application And Examples

    VPN service and click OK. Then, to use PPP-based services, such as PPTP or L2TP, you have to set general settings in PPP General Setup. To use IPSec-based service, such as IPSec or L2TP with IPSec Policy, you have to
  • Page 156 Set Dial-Out Settings as shown below to dial to connect to Router B aggressively with the selected Dial-Out method. If an IPSec-based service is selected, you should further specify the remote peer IP Address, IKE Authentication Method and IPSec Security Method for this Dial-Out connection.
  • Page 157 Otherwise, it will apply the settings defined in IPSec General Setup above. If a PPP-based service is selected, you should further specify the remote peer IP Address, Username, Password, and VJ Compression for this Dial-In connection.
  • Page 158 PPP General Setup. To use IPSec-based service, such as IPSec or L2TP with IPSec Policy, you have to set general settings in IPSec General Setup, such as the pre-shared key that both parties know.
  • Page 159 Address, IKE Authentication Method and IPSec Security Method for this Dial-Out connection. If a PPP-based service is selected, you should further specify the remote peer IP Address, Username, Password, PPP Authentication and VJ Compression for this
  • Page 160 Otherwise, it will apply the settings defined in IPSec General Setup above. If a PPP-based service is selected, you should further specify the remote peer IP Address, Username, Password, and VJ Compression for this Dial-In connection.
  • Page 161 Finally, set the remote network IP/subnet in TCP/IP Network Settings so that Router B can direct the packets destined to the remote network to Router A via the VPN connection.
  • Page 162: Create A Remote Dial-In User Connection Between The Teleworker And Headquarter

    PPP General Setup. To use IPSec-based service, such as IPSec or L2TP with IPSec Policy, you have to set general settings in IKE/IPSec General Setup, such as the pre-shared key that both parties know.
  • Page 163 Otherwise, it will apply the settings defined in IPSec General Setup above. If a PPP-based service is selected, you should further specify the remote peer IP Address, Username, Password, and VJ Compression for this Dial-In connection.
  • Page 164 For Win2000/XP, please use "Network and Dial-up connections" or “Smart VPN Client”, complimentary software to help you create PPTP, L2TP, and L2TP over IPSec tunnel. You can find it in CD-ROM in the package or go to www.draytek.com download center. Install as instructed.
  • Page 165 VPN router. To use default gateway on remote network means that all the packets of remote host will be directed to VPN server then forwarded to Internet. This will make the remote host seem to be working in the enterprise network.
  • Page 166: QoS Setting Example

    Make sure the QoS Control on the left corner is checked. And select BOTH in Direction. Enter the Name of Index Class 1 by clicking Edit link. In this index, the user will set reserve bandwidth for Email using protocol POP3 and SMTP.
  • Page 167 Class Name of Index 3. In this index, he will set reserve bandwidth for 1 VPN tunnel. Click edit to open a new window. First, check the ACT box. Then click SrcEdit to set a worker’s subnet address. Click DestEdit to set headquarter’s subnet address. Leave other fields and click OK.
  • Page 168: LAN - Created By Using NAT

    You can just set the settings wrapped inside the red rectangles to fit the request of NAT usage. To use another DHCP server in the network rather than the built-in one of Vigor Router, you have to change the settings as shown below.
  • Page 169 You can just set the settings wrapped inside the red rectangles to fit the request of NAT usage.
  • Page 170: Upgrade Firmware For Your Router

    4. The file RTSxxx.exe will be asked to copy onto your computer. Remember the place of storing the execution file. 5. Go to www.draytek.com to find out the newly updated firmware for your router. 6. Access into Support Center >> Downloads. Find out the model name of the router and click the firmware link.
  • Page 171 You will find out two files with different extension names, xxxx.all (keep the old custom settings) and xxxx.rst (reset all the custom settings to default settings). Choose any one of them that you need.
  • Page 172: Request A Certificate From A CA Server On Windows CA Server

    14. Click Send. 15. Now the firmware update is finished.
  • Page 173 You can click GENERATE button to start to edit a certificate request. Enter the information in the certificate request. Copy and save the X509 Local Certificate Request as a text file and save it for later use.
  • Page 174 Select Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file. Import the X509 Local Certificate Request text file. Select Router (Offline request) or IPSec (Offline request) below.
  • Page 175 (.cer file) into Vigor router. When finished, click refresh and you will find the below window showing “-----BEGIN CERTIFICATE-----..” You may review the detail information of the certificate by clicking View button.
  • Page 176: Request A CA Certificate And Set As Trusted On Windows CA Server

    Use web browser connecting to the CA server that you would like to retrieve its CA certificate. Click Retrieve the CA certificate or certificate revocation list.
  • Page 177 You may review the detail information of the certificate by clicking View button. Note: Before setting certificate configuration, please go to System Maintenance >> Time and Date to reset current time of the router first.
  • Page 179: Trouble Shooting

    Sometimes the link failure occurs due to the wrong network connection settings. After trying the above section, if the link still fails, please do the steps listed below to make sure the network connection settings are OK.
  • Page 180 Go to Control Panel and then double-click on Network Connections. Right-click on Local Area Connection and click on Properties. Select Internet Protocol (TCP/IP) and then click Properties.
  • Page 181 Select Obtain an IP address automatically and Obtain DNS server address automatically. Double click on the currently used Mac OS on the desktop. Open the Application folder and get into Network. On the Network screen, select Using DHCP from the drop down list of Configure IPv4.
  • Page 182: Pinging The Router From Your Computer

    Open the Application folder and get into Utilities. Double click Terminal. The Terminal window will appear. Type ping 192.168.1.1 and press [Enter]. If the link is OK, the line of “64 bytes from 192.168.1.1: icmp_seq=0 ttl=255 time=xxxx ms” will appear.
  • Page 184 Check if Username and Password are entered with correct values that you got from your ISP. Check if the Enable option is selected. Check if IP address, Subnet Mask and Gateway are entered with correct values that you got from your ISP.
  • Page 185 Check if the Enable option for PPTP Link is selected. Check if PPTP Server, Username, Password and WAN IP address are set correctly (must be identical to the values from your ISP).
  • Page 186: Backing To Factory Default Setting If Necessary

    5 seconds. When you see the ACT LED blink rapidly, please release the button. Then, the router will restart with the default configuration. After restoring the factory default setting, you can configure the settings for the router again to fit your personal needs.
  • Page 187: Contacting Your Dealer

    If the router still cannot work correctly after many attempts, please contact your dealer for further help right away. For any questions, please feel free to send e-mail to support@draytek.com.

This manual is also suitable for:

Vigor2950g, Vigor2950i, Vigor2950gi