Earth Notes: On the Vigor 2862ac VDSL2 Router and WiFi: Setup How-To
Updated 2019-05-23 06:59 GMT.
The DrayTek Vigor 2862ac VDSL2 Security Firewall arrived from the ISP a little early afternoon 2019-05-02. I powered it up and measured power consumption (~9W) but did not plug it into the VDSL2/FTTC BT socket.
(The TG582n+ECI used ~12W between them. I'd like to reduce networking power load so that I can have the networking kit powered off-grid more of the time. I was attempting to eliminate the 8W of the TG582n with the RPi3 by folding networking functions into the server itself. I still hope to get there at some point soon. I hope that the Vigor is not too power-hungry in the interim.)
On the dispatch note the device was described as set up for TR-069 remote configuration, so rather than attempt to (re-/de-)configure it all myself, I called the ISP and asked a few questions:
- The Vigor can be plugged directly into the BT master socket from the DSL port, or into the ECI VDSL modem Ethernet from the WAN2 port. Which should I do?
- What password should I use to log in with to do any residual configuration such as setting the WiFi SSID and key? (I don't want to assume that the defaults listed in the manual are the right thing to use with TR-069 in place.)
- Which port or ports should I plug the RPi 2 into that uses my static IP block? With the TG582n as last provisioned by the ISP, one specific port was designated 'DMZ' and used for this, with everything else being NATted/DHCP, wired or WiFi.
The answer to the first was to go directly from Vigor to the FTTC line, the ECI now being considered obsolete.
Beyond that, no further visible progress was made today, and I am not around tomorrow. So I have to stick with my current flaky arrangement through the long weekend at least...
2019-05-07: False Start
The old router survived the long weekend relatively well, with even WiFi being sensible. Possibly due to me balancing the router upside down on its edge for better cooling. Possibly the cooler weather. Possibly whichever bad actor is paid to break remote systems taking the weekend off also...
After an unhelpful email and a couple of calls I finally got someone to start helping me set up the router enough for them to take over the main configuration at ~16:00. (The ISP had failed to set it up for remote provisioning before dispatch, again, I am told.) I left it plugged into the VDSL2 line for them to remotely footle. (My sites, etc, are down while this happens.)
By 17:30-ish when I called to check progress they had decided to defer it until tomorrow and to their third-line support, though say that they will restart at 07:30 if I plug it back in, so I can leave for a meeting in good time tomorrow morning.
(I almost certainly could now configure it myself faster, given that the basic outbound connection was working, ie I could get email and browse over the Vigor's WiFi, but I didn't want to wade into whatever configuration they might have had in place or in mind...)
2019-05-12: How To: Config from Scratch
More interaction with the ISP's support team resulted in a semi-bricked unit, which needed a factory reset to be able to do anything with it again. Setting up IPv4 routing for a static subnet is, as the ISP's CTO says, "a dying art", and it will almost certainly be easier all round if I do it.
This will be a quick how-to covering the highlights, and does not cover all the bells and whistles. It'll help remind me when I need to revisit it!
How To Minimally Configure Vigor2862ac for FTTC/VDSL2 and Static Public IP Block
Time (including initial write-up):
(Note: some screenshots were taken after the configuration was largely complete.)
- Vigor2862ac modem/router
- Laptop (MacBook running macOS 10.14.4 Mojave)
- Ethernet cable and adaptor for MacBook
- Factory-reset the Vigor if needed.
- (Starting from scratch rather than fiddling around with some existing half-baked config is likely to be easier and more secure.)
- Set the laptop's wired Ethernet to 'manual' configuration, NOT DHCP.
- Set the laptop wired port to be 192.168.1.10 (subnet mask 255.255.255.0), ie within the Vigor's LAN address space, and clear the 'Router' box.
- On the Mac's Network Preferences, click on the cog, select service order, and drag the wired interface below WiFi.
- (These steps should avoid the Vigor grabbing routing and DNS lookups, which it then can't usefully handle.)
- Connect the Vigor's LAN 1 port (192.168.1.X is routed to that port), and power up the Vigor if not already done.
Point your browser at 192.168.1.1 and log in as
Change the Vigor's admin password to something sensible and unguessable. Now. (Under "System Maintenance" in the main (left-hand-side) menu.)
Under WAN >> Internet Access >> Details Page, set the (RADIUS/CHAP) Username and Password as supplied by the ISP, and set the MTU to 1460.
Routing the public static IP range
Under LAN >> General Setup >> IP Routed Subnet >> Details Page, follow the DrayTek instructions to
Use a Public IP on LAN by IP Routed Subnet...
- ... Enable IP Routed Subnet.
- ... Enter the IP Address for the router. Note that this could be the same as router's WAN IP. (It is for me, at X.X.X.65, and where the RPi3 got stuck)
- ... Enter the Subnet Mask according to ISP.
- ... Set up DHCP IP Pool, enable Use LAN Port... (For this use a chunk of the static space for DHCP leaving the perm hosts IPs free, and use a shortish (2h) lease time since there are not many available addresses. Enable these routes to LAN P1 and LAN P2.)
- (I could now, after the Vigor reboots, switch the Mac to talk to it from a fixed address in the static range, preferably neither in DHCP nor the fixed allocation used by the servers. But everything seems to still be happy with the 192.168.1.10 address for now.)
[Non-critical] Under System Maintenance >> Time and Date, I have changed the NTP server to be one of my own.
5GHz WiFi setup
- Under Wireless LAN(5G) >> General Setup, set local SSID.
- Under Wireless LAN(5G) >> Security Settings, set SSID 1 and local pre-shared key (PSK).
- Under Wireless LAN(5G) >> Access Point Discovery, do a scan to see what else is out there. (For me, 5 other APs.)
Under System Maintenance >> Panel Control, enable sleep mode for the LED, and turn off one USB port leaving the other potentially to power my Loop network dongle.
Under LAN >> Bind IP to MAC, enable, and set any fixed MAC addresses required. (Such as for my Enphase Envoy for simplicity in polling it from the RPi.) The Vigor has to be handling the appropriate address range to accept a binding.
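A planning sketch for the IP Routed Subnet DHCP pool and the Bind IP to MAC note above, added here as an example and not part of the original write-up or any DrayTek tooling. The /29 block from the documentation range, the server addresses and the Envoy addresses are constructed stand-ins; only the router on .65 and the 192.168.1.x LAN come from the page.

```python
import ipaddress

# Constructed sample values: a documentation range stands in for the ISP block.
BLOCK = "203.0.113.64/29"                     # assumed /29
ROUTER = "203.0.113.65"                       # router on .65, as on the page
SERVERS = ["203.0.113.66", "203.0.113.67"]    # hypothetical permanent hosts
LAN = "192.168.1.0/24"                        # Vigor LAN before it is moved

def plan_dhcp_pool(block, router, fixed_hosts):
    """Return (first, last, count) for the largest contiguous run of free
    host addresses in `block`, skipping the router and the fixed hosts."""
    net = ipaddress.ip_network(block)
    reserved = {ipaddress.ip_address(a) for a in [router, *fixed_hosts]}
    for addr in reserved:
        if addr not in net or addr in (net.network_address, net.broadcast_address):
            raise ValueError(f"{addr} is not a usable host address in {net}")
    best, run = [], []
    for host in net.hosts():      # hosts() already omits network and broadcast
        if host in reserved:
            run = []              # a reserved address ends the current run
        else:
            run.append(host)
            if len(run) > len(best):
                best = list(run)
    if not best:
        raise ValueError("no free addresses left for a DHCP pool")
    return str(best[0]), str(best[-1]), len(best)

def binding_accepted(ip, handled_subnets):
    """True if `ip` is inside a subnet the router is handling, the condition
    the page gives for a Bind IP to MAC entry to be accepted."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(s) for s in handled_subnets)

if __name__ == "__main__":
    first, last, count = plan_dhcp_pool(BLOCK, ROUTER, SERVERS)
    print(f"DHCP pool: {first} - {last} ({count} addresses)")
    for ip in ("192.168.1.50", "192.168.0.50"):   # constructed Envoy addresses
        print(ip, "binding accepted:", binding_accepted(ip, [BLOCK, LAN]))
```

With so few addresses to hand out, the pool size returned here is the reason for the short lease time; a binding for a 192.168.0.x address only passes once the LAN has been moved to that range.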
Shut down the Vigor, shut down and unplug the old router, plug in the Vigor to DSL and power up, and see if routing via 5G WiFi and to the static Web/DNS/etc IPs appears to be working. (If not, revert to old router and scratch head.)
2.4GHz WiFi setup
- Under Wireless LAN(2.4G) >> General Setup, set local SSID.
- Under Wireless LAN(2.4G) >> Security Settings, set SSID 1 and local pre-shared key (PSK).
- Under Wireless LAN(2.4G) >> Access Point Discovery, do a scan to see what else is out there. (For me, 14 other APs.)
Under LAN >> General Setup, set LAN address to 192.168.0.1 to match previous router. (Requires subsequent access at 192.168.0.1.)
- Under Firewall >> General Setup, periodically review settings.
- Under System Maintenance >> Firmware Upgrade, periodically check that firmware is up to date, and upgrade if not. Note that my Firefox 66.0.5 / NoScript 10.6.1 prevented the "Check Firmware" popup from displaying the available upgrade; I switched briefly to Chrome (74).
Largely done after ~4h. A few loose ends to tie up, probably.
Seeing download speed of over 70Mbps, upload 16Mbps, ping 23ms, measured from my laptop connecting to the Vigor on 5G WiFi. (A matching test late at night gave a speed of 76/18Mbps.)
Power consumption from mains seems to be a fairly steady 9.2W. So lower than the TG+ECI combination.
Allow RPi to talk to LAN
TO DO: allow RPi on static/public addresses to talk to Envoy on its NATted IP.
A laptop on another NATted/DHCP IP is already able to do so.
(Possibly just camp on an uncontended 192.168.0.X address statically,
and see if the Vigor can support routing; client will have to bind to that
LAN address explicitly somehow, eg
Restricted Guest Hotspot
TO DO: allow (restricted) guest access to the hotspot. Limit bandwidth, length of time, and block outgoing SPAMmy connections such as to a SMTP port directly.
Measure Power Supply Voltage
TO DO: measure power-supply voltage to the Vigor with a view to being able to supply/'dump' from off-grid power (eg via ideal-diode) arrangement. Measure open-circuit and under typical (~9W) load. (Compare with existing 12V on-/off- grid supply also.)
12:28Z and all net traffic just stopped. Logging into the Vigor revealed an uptime of under a minute, ie it had just crashed and restarted. Not so good.
Other users have reported a number of outages today so far (by mid-afternoon).
I have turned back on remote status monitoring with SMSes, which I hope will now not gobble up all my credits!
I have also loaded the latest available firmware release for the Vigor.
2019-05-14: PPP Restart!
12:30Z: connectivity has been slow or lost (a Windows 10 client dropped the WiFi and refused to reconnect). Logging in to the Vigor shows that the VDSL2/PPPoE connection had restarted.
13:10Z: link down again.
I spoke to the ISP, and the ISP called back at the end of the day. I attempted a "quiet line test" as requested (17070 option 2), but my available handset is ancient and crackly, so hardly definitive. We have arranged for a BT Openreach visit.
I asked the ISP what it could see in terms of line drops from its side for the only full Vigor day so far (yesterday, Monday). Starting at about 13:30 BST the ISP saw nine drops in total. One of those was probably me trying to get some life back into the connection at ~10pm when a five minute job was being stretched to a two hour job by the rotten throughput, but most of the rest weren't!
Coming up to 100h with the DSL connection not restarted, and over 160h of the Vigor not restarted, and line error metrics fairly low and hardly moving, it looks like the FTTC connection is 'fixed' for now.
The fix took several weeks and two routers (I haven't had a returns number from the ISP for the first one yet!) and many hours, and three engineer site visits. Eeek.