Non aviation content. Play nice – No religion, no politics and no axe grinding please.
By stevelup
#1737727
I have approx 80 Vigor 130's sat on a shelf here gathering dust. So either way, send yours back to Amazon...!

I only have 2860's here - we didn't use the 27xx series because we needed the second WAN port. But the firmware was essentially the same hence me selecting it for the test.

Anyway, for now, follow the instructions in my previous post and you will definitely be up and running.

We can look at swapping your modem out afterwards.
By Colonel Panic
#1737729
stevelup wrote: OK, I've got a 2860 but no USG, so let's just forget about using True DMZ and do it another way.

That has worked - many thanks. Both the Draytek and the USG are accessible and showing up as connected.

AIUI, the Draytek is now invisible to the outside world (passing traffic straight through to the USG), and so I can now sort out port forwarding etc for the CCTV on the USG.
By stevelup
#1737731
Only thing to watch out for is if you have any of the 'management' ports enabled externally on the Draytek (you probably shouldn't anyway) - they will take precedence over the DMZ stuff.
#1737751
Colonel Panic wrote: With the enormous risk of incurring the ire of some on here, can anyone explain what I am doing wrong here ...
>>snip<<
... but the system did work but now it doesn't. :oops:


Guess what ... it now works !!!!! 8) 8) 8)

Many many thanks to all (and @stevelup gets a mention in Dispatches) for your help, patience and skills. :thumleft:
#1737849
Quick question: does Port Forwarding (ie externalIP:port_number > internalIP:port_number_of_a_specific_device) within a router / firewall pose a security risk within a domestic network environment? Other than, perhaps, the intrinsic security of the specific device? Presumably such a Port Forwarding rule is much safer than merely "opening" the port.

Or is this why it is worth putting IoT devices within their own VLAN, so at least any issues get contained within the VLAN.

Quite a few devices (hassio, Node-RED, cctv to name a few) seem to need port access.

TIA
By stevelup
#1737850
From a technical point of view, port forwarding and opening the port are exactly the same thing.

The only practical difference is that with port forwarding, you are optionally redirecting the port number, so you may, for example, open 8888 externally and forward it to 80 internally. Or another way of looking at it is that an 'open port' is just a 'port forward' where the source and destination ports are the same. Most high end kit doesn't even differentiate.

There is an element of 'security by obfuscation' by using non-standard ports, but the benefits are extremely marginal.

The main advantage of putting IoT stuff in its own VLAN is that if you either don't trust it, or if it becomes compromised, then it can't access other stuff on your LAN.
Colonel Panic liked this
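The point made above, that a port forward and an 'open port' are the same operation (a destination-NAT rewrite followed by a forward decision) and that a VLAN only helps by containing what the forwarded host can reach, modelled as a small packet path. This is an added example, not code from the thread; the interface names (wan, lan, iot), the public address 203.0.113.45 and the camera at 192.168.2.50 are constructed for illustration.

```python
"""Port forward versus 'open port': both are a DNAT rule followed by a
forward verdict.  Added example; interface names, the public address
203.0.113.45 and the internal host 192.168.2.50 are assumptions."""

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    iif: str    # ingress interface the packet arrived on
    src: str
    dst: str
    dport: int


# DNAT table: (ingress iface, external port) -> (internal host, internal port)
DNAT = {
    ("wan", 8888): ("192.168.2.50", 80),   # 'port forward': 8888 outside -> 80 inside
    ("wan", 80):   ("192.168.2.50", 80),   # 'open port': same port both sides
}


def egress_for(dst):
    """Which interface a destination address lives behind (constructed plan)."""
    if dst.startswith("192.168.20."):
        return "iot"      # IoT VLAN
    if dst.startswith("192.168.2."):
        return "lan"      # trusted LAN
    return "wan"


def forward_verdict(pkt, dnat_applied):
    """Forward-chain policy evaluated after DNAT.  Default is drop."""
    oif = egress_for(pkt.dst)
    if pkt.iif == "wan":
        # Unsolicited inbound traffic is accepted only where a DNAT rule matched;
        # the external port number plays no further part in the decision.
        return "accept" if dnat_applied else "drop"
    if pkt.iif == "iot" and oif == "lan":
        return "drop"     # VLAN containment: IoT hosts may not reach the LAN
    return "accept"       # LAN -> anywhere, IoT -> internet


def process(pkt):
    """Run one packet through DNAT then the forward chain.

    Returns (packet as delivered, verdict)."""
    target = DNAT.get((pkt.iif, pkt.dport))
    if target is not None:
        pkt = replace(pkt, dst=target[0], dport=target[1])
    return pkt, forward_verdict(pkt, dnat_applied=target is not None)


if __name__ == "__main__":
    for p in (Packet("wan", "198.51.100.7", "203.0.113.45", 8888),
              Packet("wan", "198.51.100.7", "203.0.113.45", 80),
              Packet("wan", "198.51.100.7", "203.0.113.45", 22),
              Packet("iot", "192.168.20.8", "192.168.2.50", 80),
              Packet("iot", "192.168.20.8", "1.1.1.1", 443)):
        print(p, "->", process(p))
```

The two inbound packets on 8888 and 80 leave the router as the identical packet to 192.168.2.50:80, which is the sense in which the internal host is equally exposed either way; what the VLAN rule changes is only what that host (or an IoT device beside it) can reach afterwards.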
#1739422
stevelup wrote: OK, I've got a 2860 but no USG, so let's just forget about using True DMZ and do it another way.

1) Go to LAN > Bind IP to MAC, and enable it.
2) Double click the 192.168.1.11 entry to add it to the list
3) Click OK at the bottom
4) Go to NAT> DMZ Host
5) This time, choose 'Private IP' from the dropdown instead of 'Active True IP'
6) Enter 192.168.1.11 in the box
7) Click OK at the bottom.

This will now place your USG in the DMZ of the Draytek (so in other words, all external traffic will pass to the USG).

On the basis that this workaround worked, am I right to assume that the WAN IP of my USG is my static IP as given to me by PlusNet? Do I need to add a port number or anything else after a ":"?

I'm trying to get an L2TP VPN working, but it keeps failing to connect, so I'm wondering whether I've got the "Server" address right. Within the USG Control Panel it shows the USG WAN1 IP address as 192.168.1.11 (ie what the Draytek gave out), but I'm not sure whether or not I need to forward a port within the Draytek, and if so which one and to where ...

(I am using 3G to try to connect).
By stevelup
#1739424
Your external IP address is the address your ISP gave you.

You shouldn't need to do anything on the Draytek because of the DMZ.

I really think you should get rid of it though and use a modem.
By Colonel Panic
#1740839
Sometimes I just want to curl up and conk out as what should be so easy is proving so difficult ...

I now have a new modem (sans router), with the aim of making it easier to set up VPNs etc. The new modem comes pre-configured as 192.168.1.1 - but I can't connect to it, presumably due to either an IP conflict or perhaps more likely a subnet issue. I have tried via both wifi and ethernet.

I have tried wiring it directly to the laptop (disabling wi-fi) and changing my laptop to 192.168.1.2, but that doesn't work.

    My existing modem/router is accessed on my LAN via 192.168.1.1:8080
    My laptop is 192.168.2.32
    My USG is 192.168.2.1
    My LAN is based around 192.168.2.xxxx
    Within the existing modem/router's control panel / LAN1 is 192.168.1.1
    My firewall & DHCP server (my Unifi USG) has a Bind IP to MAC of 192.168.1.11 within the modem/router's CP

How can I access the new modem so that I can set up the ISP details etc? :oops:
By Sjoram
#1740913
*Edit* I missed the reference to 192.168.1.11 in your original post. That should equate to 192.168.2.10 in my example. Ideally (in my opinion), you would make that address static, not issued by DHCP from the modem.

I haven't seen or used the USG interface, so I have no idea whether it will allow you to configure things in this way, however, my setup is as follows:

Modem: Vigor 130 - 192.168.2.1/24
Router: RouterBoard hex
ether1 - Modem - IP 192.168.2.10/24
ether2 - LAN switch, multiple VLANs, one of which is 10.5.0.254/24 (It's actually a larger subnet but for example's sake..)
PPPoE Client interface, bound to ether1 - Public IP assigned by PPP session to ISP - dynamically creates a default route to the Internet

Firewall rules permitting 10.5.0.0/24 to connect to 192.168.2.1/24 port 80 & 23 (HTTP & telnet)

RouterOS automatically knows to reach 192.168.2.0/24 via ether1
Static route applied to Vigor 130 for 10.5.0.0/24 via 192.168.2.10

I was able to connect to the modem via telnet through the router's management interface, otherwise you would need to connect a PC directly to the modem to configure this.

I also have a Vigor 120 on another network and the static route for some reason (bug?) does not survive a reboot of the modem. It's not a problem to me, as I usually access the modem via the router's management application anyway.
Colonel Panic liked this
By stevelup
#1740988
The Draytek modem automatically deals with PPPoE to PPPoA conversion. It should be totally plug and play. Any settings that need changing would only usually need changing on the USG.

Before you do anything else, can you confirm you've changed your WAN port on the USG to PPPoE, and that you've entered your ISP credentials into the USG.

It should just work. If it doesn't, I have a likely explanation.

I am 100% certain you are wrong about the default IP address of the Draytek.

The Vigor 130 comes from the factory on 192.168.2.1, not 192.168.1.1, so you may have a problem in that you have the same network as your USG which it might not like.

To fix this, you'll need to connect the Vigor 130 directly to a laptop.

Whilst you're doing this, check the other settings are correct for your ISP (VLAN ID etc). I repeat the point I made earlier - that you do not put your ISP credentials into the Draytek. They go into the USG, and you need to change the USG to use PPPoE on the WAN port.

You can get these settings off your old router, but unless your ISP is weird, you will want the VDSL VLAN tag setting to 101 (which is the Draytek default in the UK).

I've never seen a Vigor 130 not work as soon as it is connected though. As long as the USG is correctly configured, everything should be fine. I have concerns about the IP range though.

Incidentally, if you want to test the Vigor 130 directly connected to a laptop, the same as above applies. You need to add a PPPoE interface. On a Mac, go into the network settings page, hit +, choose PPPoE, then choose 'Ethernet' from the list of interfaces. Next, fill in the 'Account name' and 'Password' (leave service name blank). Tick the 'show PPPoE status on menu bar'. Click 'Connect' and watch what happens on the menu bar.

So just to clarify the fundamental difference between using something like a Vigor130 and a router is that the device that is connected to it is the one that initiates the connection. So that's why the credentials go into the USG or the laptop if you have one directly connected.

If you've fiddled with any of the settings in the Draytek, I suggest you do a factory reset on it and start again as all the factory settings are sane for pretty much any standard use case in the UK.
Colonel Panic liked this
By Colonel Panic
#1741019
Thanks both.

In my (weak) defence I had used the online User Guide pdf to find the default IP address of the Vigor 130 as 192.168.1.1 & not the manual that came in the box (which shows 192.168.2.1). Sorry.

Due to the (potential) conflict on the 192.168.2.1 address, I connected the 130 to my laptop and changed its address to a spare 192.168.2.19 & rebooted; after changing the USG to PPPoE & entering my ISP's details I am able to connect to the internet on the 130. Result.

However, I now can't find the 130 on my LAN (either within SysPref/Network, within the Unifi CP, via ping, or by just typing 192.168.2.19). I want to change the username and password from admin/admin, and I also need to deselect it from being the DHCP server (as I want the USG to be the server).
By stevelup
#1741030
You needed to change the subnet of the 130, not just the last digit.

Put it on 192.168.3.x or something.

Because it's on the same 'network' as your USG, your USG can't route to it.

That said, you may not be able to connect to the Vigor anyway if the USG is in PPPoE mode. Usually you'd need additional config to do that.

If it's working, just leave it alone is my advice. There's little need to ever connect to the Vigor 130.
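Why the modem on 192.168.2.19 is unreachable from a USG whose LAN is 192.168.2.0/24, and what the 'additional config' that Sjoram's RouterBoard setup shows (a router-side address on the modem-facing port, plus a static route on the modem back to the LAN) actually does, as a longest-prefix-match routing lookup carried through with the thread's addresses. This is an added example, not code from the thread or from Ubiquiti or Draytek; the interface names (eth1_lan, eth0, pppoe0), the public address 203.0.113.45 and the router-side address 192.168.3.10/24 are assumptions.

```python
"""Longest-prefix-match routing with the thread's addresses.  Added example;
interface names, the public address 203.0.113.45 and the router-side address
192.168.3.10/24 on the modem-facing port are assumptions."""

from ipaddress import ip_address, ip_interface, ip_network


def lookup(routes, dst):
    """Return (interface, next_hop) for the most specific route covering dst,
    or None when nothing matches.  routes: list of (prefix, iface, next_hop)."""
    dst = ip_address(dst)
    best = None
    for prefix, iface, via in routes:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, via)
    return None if best is None else (best[1], best[2])


def connected_routes(interfaces):
    """The routes a router installs by itself for its own interface addresses."""
    return [(str(ip_interface(addr).network), iface, None)
            for iface, addr in interfaces.items()]


def reachable(router_routes, lan_iface, modem_routes, modem_ip, lan_host="192.168.2.32"):
    """True only if the router sends a LAN host's packet out of a non-LAN interface
    (so it can physically reach the modem) AND the modem has a route for the reply."""
    out = lookup(router_routes, modem_ip)
    if out is None or out[0] == lan_iface:
        return False            # delivered on the LAN segment; the modem is not there
    return lookup(modem_routes, lan_host) is not None


# Scenario A (the thread's broken state): USG LAN 192.168.2.1/24, PPPoE session
# holding the public address, modem moved to 192.168.2.19 behind the WAN port.
usg_a = connected_routes({"eth1_lan": "192.168.2.1/24", "pppoe0": "203.0.113.45/32"})
usg_a.append(("0.0.0.0/0", "pppoe0", None))
modem_a = connected_routes({"lan": "192.168.2.19/24"})

# Scenario B (the fix stevelup and Sjoram describe): modem on its own subnet
# 192.168.3.1/24, router keeps 192.168.3.10/24 on the physical WAN port eth0
# next to the PPPoE session, and the modem gets a static route back to the LAN.
usg_b = connected_routes({"eth1_lan": "192.168.2.1/24",
                          "eth0": "192.168.3.10/24",
                          "pppoe0": "203.0.113.45/32"})
usg_b.append(("0.0.0.0/0", "pppoe0", None))
modem_b = connected_routes({"lan": "192.168.3.1/24"})
modem_b.append(("192.168.2.0/24", "lan", "192.168.3.10"))   # Sjoram's static route

# Scenario B without the static route on the modem: forward path fine, reply lost.
modem_b_noroute = connected_routes({"lan": "192.168.3.1/24"})


if __name__ == "__main__":
    print("A: USG sends 192.168.2.19 via", lookup(usg_a, "192.168.2.19"),
          "-> reachable:", reachable(usg_a, "eth1_lan", modem_a, "192.168.2.19"))
    print("B: USG sends 192.168.3.1 via", lookup(usg_b, "192.168.3.1"),
          "-> reachable:", reachable(usg_b, "eth1_lan", modem_b, "192.168.3.1"))
    print("B without modem route -> reachable:",
          reachable(usg_b, "eth1_lan", modem_b_noroute, "192.168.3.1"))
    print("B: internet traffic still goes via", lookup(usg_b, "8.8.8.8"))
```

In scenario A the /24 connected route for the LAN always wins for 192.168.2.19, so the USG ARPs for the modem on its LAN port and never uses the WAN side, which is the "same network" problem in the post above. In scenario B the packet leaves via eth0, and the modem's static route is what lets the reply find its way back; internet-bound traffic is unaffected because the default route still points at the PPPoE interface.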